From 63561c9fab5d767a3fa8ad11c857630c353b0fe1 Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Fri, 13 Feb 2026 13:14:13 +0100
Subject: [PATCH 01/29] Update vars via generator pki-root-ca for machine crocus
---
vars/shared/pki-root-ca/ca.crt/value | 30 +++++++++++++++++++++++
vars/shared/pki-root-ca/ca.key/secret | 22 +++++++++++++++++
vars/shared/pki-root-ca/ca.key/users/rpqt | 1 +
3 files changed, 53 insertions(+)
create mode 100644 vars/shared/pki-root-ca/ca.crt/value
create mode 100644 vars/shared/pki-root-ca/ca.key/secret
create mode 120000 vars/shared/pki-root-ca/ca.key/users/rpqt
diff --git a/vars/shared/pki-root-ca/ca.crt/value b/vars/shared/pki-root-ca/ca.crt/value
new file mode 100644
index 0000000..2d6cdc1
--- /dev/null
+++ b/vars/shared/pki-root-ca/ca.crt/value
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFDzCCAvegAwIBAgIUUPinyxUfxwhxvzVh9az7rsYIVuYwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMQ2xhbiBSb290IENBMB4XDTI2MDIxMzEyMTQwOVoXDTM2 +MDIxMTEyMTQwOVowFzEVMBMGA1UEAwwMQ2xhbiBSb290IENBMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAwxyooscyb3wqayzJZ6//S8Hd2C2esJ2gii39 ++iEqfV3AXJC1TEm1bgydZ8DGByzbBl4HqvDuElG3a0uEOVZN1GO40KhF4qeusIwr +8giobb+9z5V2BUjWWmAYR/rc14zLFm1hc4dOsXgw8j6AJn25NM9DtmAOTotcGoI8 +tkxAvgqK834bVldTGjhRzEpkkueu+hyqXHiPoRcRSySCxFcGmXOcG69YwpZdXRS8 +2qlLy60QjRTb/kk0wPYA26CCb9Mk63+MOu1afnkyQ1RJTzZiMm5sENxQqnFgKx5u +qzsrmyVY21GDNKoUnNRl/cSD7ZYN44FBhL4PKvK7WmWv8t727hubpHRn3jKCkZzH +RQCXHL/POaYz6ydtkVzzpuzXoo+mt7JatWPLPfSZZJG7z36lkVXUQFmz2i7ODKs/ +LTMAJGGMDzT5zilBIH0eQi50AgybxbY2/tpfADfFVEV85P5vzU3CrjN1wJlRdWe5 +nO2yIygjESgoLUnNM60xkFmLCR74u0i7C+5lUCUjLCi+uKV57TBa+vW8WgtRBVTj +0tf3WLa5U1baXNj4oQI3EFc8XnZ0PUbfWZrsN6SPmYDNuxiAi1R+fUpZwNEMnfS3 +C1Baja/ubz9AHCB+a/q+0Zp2r37ghUjHuyKxbTjIKwmw728l46B36ktQDhne/Jsu +Bwphyu8CAwEAAaNTMFEwHQYDVR0OBBYEFAvrpB+eefpZNDIwa4sf3T/3w+u/MB8G +A1UdIwQYMBaAFAvrpB+eefpZNDIwa4sf3T/3w+u/MA8GA1UdEwEB/wQFMAMBAf8w +DQYJKoZIhvcNAQELBQADggIBABohD3mrad2sGPbgw76j8zjmgNefA+yTVrruQna/ +KZyVL5A7tU1wMWkORViVfW9kApzegXXn9d36sURM5KSb+YB/xdcnKqDSsVGSltMA +YWyEORWqm8kCe3X8sNG0gHNwaxWeZk6uD8LsfTvy2TdegsQSjaNt92HiaQ0vipgP +qN/cRRIdHnMWfbnj1MXb1XDfC7V/o/k5Mfrr944zUi7m/tfh9pat2GqxWAXWLs26 +qtTCv6i92bQXo4R7mjEpDM6K6RqlzUgkeooKEyQ1LSYFl3EG3lAeno5a/+cmuz2f +Mk57aycu29CtJTWY2CMwj5lkzKUDalTbBb/LN40mbVXZLhprxprLYy0nuMq+i5kV +ckuswmR47Uz2+EljzTeR952dZqySBIzZh6o0X5NsBTlD/YaBA32TTa7w1lNd2FGs +oKZ+9E4qdx/jdRsH/cL4O+G8ISl4mYt7Nv6xB3PkiWdte/1zs8sb+3e2rA2nRpsK +uH9uyI9UcJhWU/P3trPC3EE6tKsS1Xwrih7YZ1xgYit37EEhVOpGPPvV8UkNWO3N +RlRZp21vC6Q28AmvorDMBmCcdMpTLBkLIbpYikg7NF7wdd/VUxxu4T1z2VInTWPq +T08+6n8liyTVBf9cHE2eyaXkclo4qlh4o9B0F5slJ1/C+9IadQMhQqQr6o+XFX52 +APqo +-----END CERTIFICATE----- diff --git a/vars/shared/pki-root-ca/ca.key/secret b/vars/shared/pki-root-ca/ca.key/secret new file mode 100644 index 0000000..01fa940 
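Review bot: The root certificate added in `vars/shared/pki-root-ca/ca.crt/value` appears to carry only three extensions (subjectKeyIdentifier, authorityKeyIdentifier and a critical `basicConstraints` with CA:TRUE), so it has no `keyUsage`, no path-length limit and no name constraints, and its validity runs ten years (2026-02-13 to 2036-02-11). This is read from the DER in the hunk, so confirm it with an X.509 dump before acting on it. Because the vaultwarden leaf later in this series is issued directly by this root, the generator could tighten it, in OpenSSL extension syntax, to `basicConstraints = critical, CA:TRUE, pathlen:0` and `keyUsage = critical, keyCertSign, cRLSign`, and could add a name constraint for the internal zone so that clients trusting this root do not also trust it for public names. The generator definition is not part of this patch, so the change belongs there and the certificate would have to be regenerated.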
--- /dev/null
+++ b/vars/shared/pki-root-ca/ca.key/secret
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:gngc8PdaRrW5SBY0RfoudOuA6imMkExe8GprFWy6768=,tag:SpFj9mRQ3bybkk36XUx0HA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeFFVUytUc0NZbU4xcU1M\ndXJLbkdBQUpqdERDUCtaUzI5cHovMjFFemdBCmljVFNaTzhTOXQvMHZrSXJyZFdI\nTWdpejJUNEpTK2JBS2FsQjBKTGp3d2cKLS0tIGQ0aXdXTGY2U3VVeCtFV1ZnUjJj\nbThyMGpNbzdBMVpFcjJYOEwwYk5XTVkK37Kjkrxms2ZGcf9/zmYLjLt0O32KnXub\nBJadqjShMPTJibr9kAADZRu8ftNg6fe/DxrpI72xZ2Dxh63CrXkpQg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeGF2NWdj\nVU9wREdLbmEzbTNMTWRHZ2xHcFduckZhN3pmeGozVVFPdzBMMApCTmxIb1FWcm5R\ndlFsZ3d6YVdUL0tLY21sOHNUa3V3bldzR2o1ckNMNTJrCi0tLSAzYUVidnJVWTYr\nT1BlK3Rkd0pFdkx3cTA5N1AybHhNamtsdWhWWWZYVmFBCo0V5+2avN9vru0+Mc7s\nGGflBNDiLTq3WQzY1h452CFymnUZ6vhRAOwUNrn2p+GXXbw9ORMLfoOImnd0QF5M\n6mM=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBazZTRXk4\nRUw1RjhsM1FtcVV2SlJQU0hiMHlXc0VrMGZyWmU3TU1YZWcycApoK3paV1JKVXVI\nM0xIVmt5SGZzWGhsd3VyZFZUeHZPSTdhcFlmTTl1NmNNCi0tLSBoaDVYYUpaRk8y\nZlcxOXBackhudGJQN3M1dk83TUZsb25nbnN2OXpWbGVNCpsC8lMzW1H0AAkskefB\nuEMztZfB4cSIOsLc7g1j8+gJzG4JRCwnOpCQUBki+/dn9+QWtfloubhi4UiU/MNE\nnFs=\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-13T12:14:13Z", + "mac": 
"ENC[AES256_GCM,data:PGQMGBUfcqA35ozYpK6FDUZZ3uz/CcOB0hOMzWWhpNIkiCgavcd656i5yGzQN1i+M/U+5TaoE2ACuCSThxu9IJhIFBxvnD6Afm5ElnDMyu3vLj7m860ZoX2luYSozegBtprtxGq/SJenxT1g8UzSrZsNidfsAQzUuBZUw+zeAxQ=,iv:69l0WtwazDJuxv/eWNoOA7XVzwSFNJtbsUdxNyja0PQ=,tag:sTtJkIbAEK2hZ4l7i9yTFg==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/shared/pki-root-ca/ca.key/users/rpqt b/vars/shared/pki-root-ca/ca.key/users/rpqt new file mode 120000 index 0000000..825a187 --- /dev/null +++ b/vars/shared/pki-root-ca/ca.key/users/rpqt @@ -0,0 +1 @@ +../../../../../sops/users/rpqt \ No newline at end of file From 075f041e76f30aee6f4c489c51fd07ede60e8b60 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Wed, 18 Feb 2026 00:24:31 +0100 Subject: [PATCH 02/29] Update vars via generator yggdrasil for machine crocus --- .../crocus/yggdrasil/address/value | 1 + .../yggdrasil/privateKey/machines/crocus | 1 + .../crocus/yggdrasil/privateKey/secret | 26 +++++++++++++++++++ .../crocus/yggdrasil/privateKey/users/rpqt | 1 + .../crocus/yggdrasil/publicKey/value | 1 + 5 files changed, 30 insertions(+) create mode 100644 vars/per-machine/crocus/yggdrasil/address/value create mode 120000 vars/per-machine/crocus/yggdrasil/privateKey/machines/crocus create mode 100644 vars/per-machine/crocus/yggdrasil/privateKey/secret create mode 120000 vars/per-machine/crocus/yggdrasil/privateKey/users/rpqt create mode 100644 vars/per-machine/crocus/yggdrasil/publicKey/value diff --git a/vars/per-machine/crocus/yggdrasil/address/value b/vars/per-machine/crocus/yggdrasil/address/value new file mode 100644 index 0000000..7cb62d0 --- /dev/null +++ b/vars/per-machine/crocus/yggdrasil/address/value @@ -0,0 +1 @@ +200:bcfc:9787:29b9:46e0:e75d:a912:dfdc \ No newline at end of file diff --git a/vars/per-machine/crocus/yggdrasil/privateKey/machines/crocus b/vars/per-machine/crocus/yggdrasil/privateKey/machines/crocus new file mode 120000 index 0000000..efe6fd0 --- /dev/null 
+++ b/vars/per-machine/crocus/yggdrasil/privateKey/machines/crocus @@ -0,0 +1 @@ +../../../../../../sops/machines/crocus \ No newline at end of file diff --git a/vars/per-machine/crocus/yggdrasil/privateKey/secret b/vars/per-machine/crocus/yggdrasil/privateKey/secret new file mode 100644 index 0000000..cfd26a0 --- /dev/null +++ b/vars/per-machine/crocus/yggdrasil/privateKey/secret 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:kI+6b6efVIQxILGMZri9D0sLGd9RqKhQ+BgEdPW2msz1VDDfTD5ujwDWLpyAi62blLK1pdWNVlH8mkPyjzFysakl3Th3JIhM4Tf8/ouS+XrrwSQ3oJKL54XhosbsTR9gEZV/qOTN7czc6FsUaC/Try6bvOA/A/8=,iv:3ekA2ni6NLHA0w9NrdimiZ730yXqQPS/OxJNmcSKPS4=,tag:QS7fhPTHgyLJFkLvBV2A7A==,type:str]", + "sops": { + "age": [ + { + "recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZU1lxZDlRcXBjbnZHU0RF\nRHFHc084eXFFa1NqdjhSdUI5MllUMFlOdFRzCkVLK2VYUldtUmdtSmM2cjlNSmRx\nbjZVMjFMbVZuQ1NFL1FleWx3SkdGazgKLS0tIEdVNk1vZU9nU042R29FSXc1T3Y5\neXhmOTE4b0hFK09PRjl4Qm1wU2o3eWMKYvCqty1pm60sfCxc13N6VHF7RBWZuXDO\nKPJkNwzgpZuA8llHV6gioBBUu4Nx2WmyMVytCTfff7St1m6Jf91lNA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OTcyNEp3K0F4MGx0bzI5\nb0IyM0xCWDdDVWxrc09La3gxaU92OVUyblNBCnVFQXhIZGFIYkVMd2EwMlhtMkhz\nTmY0enU4TXlXNTB5L1RJcXZkSHJLOFkKLS0tIExNdVJrMnRaOU0yVWhxM2FUN1F6\nUzhiWitQQkFneENwSnR4cFJEcmlQazQKVH1MFHAPlgJiGbVtn3bOkr/NgOwhIO7j\nR2Gm2yyl08MImKSEiyYZRYkGG1hfkNMgHPXJ9+9V2j9tWkFGLtWWsQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBKzBLa3Zo\naEx0SjFGMWFVTzRCMHRubURBOUw1Zzl3N2dpd2M1bGtVK0JQRgpWWlNBNDJSQ1Rk\nbVQrblJRaTJOd0hxM1M0ZFV3bmg0OFZIV1JQTG45VTdBCi0tLSBkZllmNFRONXNZ\nQkRTU01FTFlLRkw3b1pHOVoxcm02Z0tMd1Z5dENCRis0CoAw3NGAAUoY7ZpI6msM\nr3WzJbT0UFVUt8FhT1XVZIEMpnfeoNDTQX8BZjpmvzNIJrr9ThOdRw9+2Xl1C4BY\nQ/c=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBb3JEd0Zo\nQlFlQmFVV2JzcTZzR21NRjNmcWtHajlFVi8vZUd2M1RtbHV4Qgo2SGtLbUpwaVRw\nN3Zteis4MTI3NHRpZFFJN1NWRUY4Qmk1cHhlS25IcGNnCi0tLSBod2xJTFZPVVlQ\nNm85VWR0d3BPdHFJeCtIRjRzYmJ6YlNXUlBxcnR5VjVrCvnUMHkW+NF1KpAGVDo/\nqd2w4iLB3xT1PspdwdHtiZEVUg3vfs2jOcNG8wagG0o2C5WP/RHkOJJJAc85n2A9\njlg=\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-17T23:24:31Z", + "mac": "ENC[AES256_GCM,data:3eU4qSDIYEILKX9S0i3+P/9gfMkeIufde7nL9M6BSkRzotC89b5+aEXN9XEQRs5fUpTkwZKy/mO6nKAL+9YIcJyyaJCb1p4gM+671ot9M91zMTUZhiUgiuJ5MoDmYNpI8My7RneLhxpzVeiYmifwbiPXzlZ57NOqpY6+rg2i1Oc=,iv:i8f+ycxEo4/MOgkt1jNzvgI/wm68YLGmmLYC4hVuuu8=,tag:QfLfP7iXCJU4odJWvvf2Mw==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/crocus/yggdrasil/privateKey/users/rpqt b/vars/per-machine/crocus/yggdrasil/privateKey/users/rpqt new file mode 120000 index 0000000..c6af5c7 --- /dev/null +++ b/vars/per-machine/crocus/yggdrasil/privateKey/users/rpqt @@ -0,0 +1 @@ +../../../../../../sops/users/rpqt \ No newline at end of file diff --git a/vars/per-machine/crocus/yggdrasil/publicKey/value b/vars/per-machine/crocus/yggdrasil/publicKey/value new file mode 100644 index 0000000..f8a64a3 --- /dev/null +++ b/vars/per-machine/crocus/yggdrasil/publicKey/value @@ -0,0 +1 @@ +a181b43c6b235c8f8c512b769011b9e94d09f48be83c66dbfd6ac32289c42ced \ No newline at end of file From 7710b7ea5ff1af9b95aa96dc4b295e67495569af Mon Sep 17 00:00:00 2001 
From: Romain Paquet Date: Wed, 18 Feb 2026 00:24:31 +0100 Subject: [PATCH 03/29] Update vars via generator yggdrasil for machine genepi --- .../genepi/yggdrasil/address/value | 1 + .../yggdrasil/privateKey/machines/genepi | 1 + .../genepi/yggdrasil/privateKey/secret | 26 +++++++++++++++++++ .../genepi/yggdrasil/privateKey/users/rpqt | 1 + .../genepi/yggdrasil/publicKey/value | 1 + 5 files changed, 30 insertions(+) create mode 100644 vars/per-machine/genepi/yggdrasil/address/value create mode 120000 vars/per-machine/genepi/yggdrasil/privateKey/machines/genepi create mode 100644 vars/per-machine/genepi/yggdrasil/privateKey/secret create mode 120000 vars/per-machine/genepi/yggdrasil/privateKey/users/rpqt create mode 100644 vars/per-machine/genepi/yggdrasil/publicKey/value diff --git a/vars/per-machine/genepi/yggdrasil/address/value b/vars/per-machine/genepi/yggdrasil/address/value new file mode 100644 index 0000000..72157f1 --- /dev/null +++ b/vars/per-machine/genepi/yggdrasil/address/value @@ -0,0 +1 @@ +200:b839:2d6f:3dad:adab:e104:26e2:f12b \ No newline at end of file diff --git a/vars/per-machine/genepi/yggdrasil/privateKey/machines/genepi b/vars/per-machine/genepi/yggdrasil/privateKey/machines/genepi new file mode 120000 index 0000000..342fa08 --- /dev/null +++ b/vars/per-machine/genepi/yggdrasil/privateKey/machines/genepi @@ -0,0 +1 @@ +../../../../../../sops/machines/genepi \ No newline at end of file diff --git a/vars/per-machine/genepi/yggdrasil/privateKey/secret b/vars/per-machine/genepi/yggdrasil/privateKey/secret new file mode 100644 index 0000000..05e63f4 --- /dev/null +++ b/vars/per-machine/genepi/yggdrasil/privateKey/secret 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:bIKBciiM10WbEpzbldavVX6cmkh5Yop9aLemaHe0ru3mkv+LtgQQmgx2HRhRev9nKsFP+AryLw2AG1NkqywOpML/00kyLW/Szpk75d5QGRqb4fcgFqZPlk68ZvzclEipTXz7U36kH4/hQQUlFjOolFDO/ZUlL1o=,iv:Keybak5p/IIxSx0Pmdl8UsyGeLmqE+Bbq8ep0roKw8M=,tag:BPBgdr1Ra7kXQvd/1H9cog==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaWpDWXNwdFNxelRoRC9m\nSnFSUE95NlFxcjlPVEIzd1lnRzV3ZDR2bldVCnhIUHUwSktWQnVLVXNURXZTNWtY\nYUtpb0ZjMkxSK0xLMFlmWEQ5Sm9HRTQKLS0tIHp4RkJLaGkwVHVRSURXUG9mQ3FJ\nMGRTcW1IZE9TQnQ5aWQxYTlYOGJ3M3MKzyijmGTWuEKfFjpM/OK+DbhOsjoIPPDG\n+6IDTPlHysE2XVAS6+S9PyAuekcDQsuKMcNvbgNfnUzeSTeN8pVoqw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S3IxWEZSMkJHYzFkdnUx\nUk1SSER3RnpNTG1oTGFrNzN0eVBxUThaOUZJCkhQQ0x6TlQxNjYyYzhzc1QrUWdq\nd2pSQi9LQ3pZOEM4Qnk5Z2RCU05RNVkKLS0tIEdhMjEzcVhkMFFZR2puY1Z5SmQv\nc2xDZTZVQlh1QnZGZVE3bSswYjJBMDQKvj4mZsJ6scXi33UL/IQWrbt0nMWuHjFH\nfXp+d3KU3HTKaY5NNBhEpdv5ajQLv/jiDgl+uFNc6K5Uw+Y1YOkB1A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdzJHNEF5\nWEk1ZktOWWo2dzhCTkNCeUh6QzlZdUdIVkJtdXhCcEMyVlRtMwpDUEphckY1aHZ4\nc2ROUlVrOXFCcFV5NC9pbGN6QzYrUkNOUTZrbDJSeEswCi0tLSBSdDVGTlE0M2lV\nb21oa2tDMytkUkhILzErbjl5QUE5UGx0bGJyZldQRzRRCs0jyJcAGYYEzCbRXLtY\n3rE0hoaKUy5HZoCE5HdqEOKM4VDM+gcGWPqWGPjZ+vFTIIyseQ0oL2vuwzXnZNqy\nxIU=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcVJvaWdj\nMitBOTBwWWcxT0E2bjRqMzhLdFRmOThyTERoMW5TenVXZUZIWApGM3I3clJMLzM5\nWEVEVUl4Rml4NGRVeC9RZ1BqUkNaZWtJeEhueUtXQXRrCi0tLSA3OVEvUjdWREo4\naU94eElLZU4xTk5JaFo3SHluQzdiVWVLemc4QXMzSno0Cpl1pZMC0qvGsif17hfr\n3GCaNs9S1ZnfyBBhV2MiiJP2NzPIdKAN/Ffk47O4i+YOKuUOC6lmpG/tenPfM9rp\n710=\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-17T23:24:31Z", + "mac": "ENC[AES256_GCM,data:zUDegtpDih83bli8jYbr91YrGNApPcWEN+XRmxw/zXf0x9wuwB2BRe6wm8QBxvXQLSR1tOWRMMO0K0A5QcP/53WtIKMekxSqcPfPykLtbIcTDDeQv1ze+Kr3ZRCz71hUs6xR9zTnasPWaw5IUb1r9fenhZFC7E01y6RBsXTXAdI=,iv:69C+JRec57zi7r9hH5a9Tjw4wWS07q4jDSPkUH8NeVs=,tag:odKNzOnQ62jnexFLsgbs5g==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/genepi/yggdrasil/privateKey/users/rpqt b/vars/per-machine/genepi/yggdrasil/privateKey/users/rpqt new file mode 120000 index 0000000..c6af5c7 --- /dev/null +++ b/vars/per-machine/genepi/yggdrasil/privateKey/users/rpqt @@ -0,0 +1 @@ +../../../../../../sops/users/rpqt \ No newline at end of file diff --git a/vars/per-machine/genepi/yggdrasil/publicKey/value b/vars/per-machine/genepi/yggdrasil/publicKey/value new file mode 100644 index 0000000..79523fe --- /dev/null +++ b/vars/per-machine/genepi/yggdrasil/publicKey/value @@ -0,0 +1 @@ +a3e369486129292a0f7dec8e876a385fb05a77087e7fbf66db37285d7f400546 \ No newline at end of file From e120cc55829dc2371f7ddc3f3c7a21a0085c8c72 Mon Sep 17 00:00:00 2001 
From: Romain Paquet Date: Wed, 18 Feb 2026 00:24:31 +0100 Subject: [PATCH 04/29] Update vars via generator yggdrasil for machine haze --- vars/per-machine/haze/yggdrasil/address/value | 1 + .../haze/yggdrasil/privateKey/machines/haze | 1 + .../haze/yggdrasil/privateKey/secret | 26 +++++++++++++++++++ .../haze/yggdrasil/privateKey/users/rpqt | 1 + .../haze/yggdrasil/publicKey/value | 1 + 5 files changed, 30 insertions(+) create mode 100644 vars/per-machine/haze/yggdrasil/address/value create mode 120000 vars/per-machine/haze/yggdrasil/privateKey/machines/haze create mode 100644 vars/per-machine/haze/yggdrasil/privateKey/secret create mode 120000 vars/per-machine/haze/yggdrasil/privateKey/users/rpqt create mode 100644 vars/per-machine/haze/yggdrasil/publicKey/value diff --git a/vars/per-machine/haze/yggdrasil/address/value b/vars/per-machine/haze/yggdrasil/address/value new file mode 100644 index 0000000..4926826 --- /dev/null +++ b/vars/per-machine/haze/yggdrasil/address/value @@ -0,0 +1 @@ +207:cb45:ba54:e034:aa2d:2678:78f0:8d89 \ No newline at end of file diff --git a/vars/per-machine/haze/yggdrasil/privateKey/machines/haze b/vars/per-machine/haze/yggdrasil/privateKey/machines/haze new file mode 120000 index 0000000..db9551a --- /dev/null +++ b/vars/per-machine/haze/yggdrasil/privateKey/machines/haze @@ -0,0 +1 @@ +../../../../../../sops/machines/haze \ No newline at end of file diff --git a/vars/per-machine/haze/yggdrasil/privateKey/secret b/vars/per-machine/haze/yggdrasil/privateKey/secret new file mode 100644 index 0000000..cd2dfc1 --- /dev/null +++ b/vars/per-machine/haze/yggdrasil/privateKey/secret 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:tE6OIDrELRsApanZR7SyQBC8Z8TAeItYexc0NnIJkdkh6LIyU2aPLUrjVuEa1baY6cvkzHsqL4OY3DpGP0faU6HGhUid2OemsKW8fpI3T6BlMSSpDlCX39EdDdLrxdzqZjzh0F/fW1WB7y7D+2cwbHvfFMDeHWs=,iv:CCKWyej7Eo/CjVA4iIa4hhdPjgFmTBPxOoLjDx5nGUU=,tag:tjDJ1TPpmm/RY6KZYl7oQw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWkcwWTJHUnNRcGdybFdp\nbHJRbWd3c3djTnNMRjEyTFI3TjlpekN5Z3lrCnlrRzFlc3JUSFlORytHUkxVN3Ru\ncHJtZTFFWnFaanZ6R0dQUm5uTXhYMG8KLS0tIEpjdlFoSms0V3JzNHd4S1NjZ25i\nWmd1b1ZhNDRUUTFEMzNCajN2eUNpOGMKzsr4t0yCnU2MPJqvMyTmVVqU1XzHinF2\n3wu/tiCgpjSKCgPPsoIirEF5rfXSS4jh2KsWvnwt5ZALmikaILNkvw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxb1V5TDh2b2pETFVSVVlo\nSVIvZ3pTakpvU1VUU2NKaitHeFlsUnpvcHhFClBNYUF6cGU0SkNkd2J0QVZpQ3lp\nUWFrUmNxeFQzdzE0Y3NoMGMyWVBTZ0UKLS0tIFd1M1BsVVBYQ0R5NjRXUElDMUhD\na2dQTVVVRFdZT054Z0Y0dk4yS2RGR00KRHX8oCXsN8cyaxzBD2+o4IFkdPm6u3kB\njU3h60izyACbPi0SMEC9uRlXw9HIdRgDLRP/jCvlNLR5tYsE7xJJbA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBZzU5dmJK\nWW9ESUZ2THZYNFFsdW14My80blRqQ1RFajArRHEvWU5WZ3ZGdAp6N2ZVSitZVXNY\ncHhNbit3SzQ4MVRWZzlDRGcxNVVRK0gxT1I4NWFtYU53Ci0tLSBMM2Q4VVdPVE1u\ncTI4dTAzM0V6ZTUwOTRXd0tVeWNjeUJIRlBOblFQVm5rCr9WDyfDy0e4C/jNe437\nQkb5OmekYz3XxirIFy9RFZO2Qr6fkXipl9eEO9QygGalp9uqBfLvcbni7NhiaqaV\nrWo=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBckVxeDE0\nMTNEL2lkSFg3Q0E4ZmJUTFlRZFcwUGZuWFlyUzVNUGhWaVQzdwpRVFRZN3g4REtn\nNi9yWm5KN0VWZlNNQVlncUtvUDRiaHpiOHEyODRwVFFRCi0tLSBiZDEzQU5LcTVG\nWllpRjBEcWVsbmYydzk3bGdKeCtvZlV3Sm0yRVJQNEVvCsSlCr5Ga1S36E96YeGj\nR/QwN4vcsZ0Tr7A7tOfhwjtsgIaXZDP7TG6r49sOjKDbnl8kOfsvf+5DcD+C5Dug\noNM=\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-17T23:24:31Z", + "mac": "ENC[AES256_GCM,data:yAreEIfr9Jbg0U2Z52edEbi4k3HlGCg5gQRa/mLviwDE9WZQrrYxAQfqYi+PayqUblJUBhFSnprnw+G0e5PskidtqHAvf27KD8V43rh7FSu323zEKdRvvSNOwnnTE68BTSDg42D6F6ZTcJvG3GDAK9BAZ9LcxpiOOuA/ucUt6t8=,iv:UHp6XfCepzwXTwPGwjc06BJrSZ1OnTjq5rbaXym5K4o=,tag:JbyUgVmf3bFfmvjRSpQkjg==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/haze/yggdrasil/privateKey/users/rpqt b/vars/per-machine/haze/yggdrasil/privateKey/users/rpqt new file mode 120000 index 0000000..c6af5c7 --- /dev/null +++ b/vars/per-machine/haze/yggdrasil/privateKey/users/rpqt @@ -0,0 +1 @@ +../../../../../../sops/users/rpqt \ No newline at end of file diff --git a/vars/per-machine/haze/yggdrasil/publicKey/value b/vars/per-machine/haze/yggdrasil/publicKey/value new file mode 100644 index 0000000..2605e36 --- /dev/null +++ b/vars/per-machine/haze/yggdrasil/publicKey/value @@ -0,0 +1 @@ +0134ba45ab1fcb55d2d987870f7276645fef037ff87ef639954353c98098d435 \ No newline at end of file From f51f62c17024f0da66f1d06535107eb2059a2fe6 Mon Sep 17 00:00:00 2001 
From: Romain Paquet Date: Wed, 18 Feb 2026 00:24:31 +0100 Subject: [PATCH 05/29] Update vars via generator yggdrasil for machine verbena --- .../verbena/yggdrasil/address/value | 1 + .../yggdrasil/privateKey/machines/verbena | 1 + .../verbena/yggdrasil/privateKey/secret | 26 +++++++++++++++++++ .../verbena/yggdrasil/privateKey/users/rpqt | 1 + .../verbena/yggdrasil/publicKey/value | 1 + 5 files changed, 30 insertions(+) create mode 100644 vars/per-machine/verbena/yggdrasil/address/value create mode 120000 vars/per-machine/verbena/yggdrasil/privateKey/machines/verbena create mode 100644 vars/per-machine/verbena/yggdrasil/privateKey/secret create mode 120000 vars/per-machine/verbena/yggdrasil/privateKey/users/rpqt create mode 100644 vars/per-machine/verbena/yggdrasil/publicKey/value diff --git a/vars/per-machine/verbena/yggdrasil/address/value b/vars/per-machine/verbena/yggdrasil/address/value new file mode 100644 index 0000000..49eb5c2 --- /dev/null +++ b/vars/per-machine/verbena/yggdrasil/address/value @@ -0,0 +1 @@ +200:b038:ab12:ac69:8675:7e47:41f4:12f4 \ No newline at end of file diff --git a/vars/per-machine/verbena/yggdrasil/privateKey/machines/verbena b/vars/per-machine/verbena/yggdrasil/privateKey/machines/verbena new file mode 120000 index 0000000..e061a4c --- /dev/null +++ b/vars/per-machine/verbena/yggdrasil/privateKey/machines/verbena @@ -0,0 +1 @@ +../../../../../../sops/machines/verbena \ No newline at end of file diff --git a/vars/per-machine/verbena/yggdrasil/privateKey/secret b/vars/per-machine/verbena/yggdrasil/privateKey/secret new file mode 100644 index 0000000..a4acea5 --- /dev/null +++ b/vars/per-machine/verbena/yggdrasil/privateKey/secret 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:/cPvDa1fhhS9vpFYP67v0oa+TvIt3QH+fbOwvJg6FzVRNBZsYYkr6G0VfAasOBIqF54cR+oIRyigdw0f2xb619r21Jp7uIf3BKaeot3GPQTwoPhSaajUewK9h4eW0r5itd3L+KFqkR8yJInmPxEEhgxudwVnI9M=,iv:X1ZDPludtnetHafh0/+QXnqxBoOvFqtPORde0jbhTDA=,tag:g84u0nrRNFJUUotXg0K4nw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObTdRTFhyeWpYaHkwTFcz\nYnNxQnNCcmdENFFnZ3VXYVFVOTZJL0ZmbFQwClZOcUprMnVGM1dtdWxqcTNuYUdW\nTEZxSzgxT1N6a0lzMlNqQzVCTWdxL0UKLS0tIFFST2dOdTJnYjlPZlZFWEdDOGhx\nZ1VmVndRai9wSUxBV2ltbW0wNE0vREkKV/IOHCUplWwHWpbqUq0irUwFt+aJNude\nCW76/ckxu/mG3/aXNOQKYdqgOrb+D/syEen1Nw/tGlLNXuMAnraLSA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTUVxbDZGTlBTVENMWUdT\nWExNaUhkSitwWHZURDJTU0Q1NEhVNE1wR2hJCnhWVFNUYlNUS3owZFRhaC9ncnE5\nUnVOM2dNN0hMMkh0RXN0R1A1dHl3V3cKLS0tIEVmbWx5VnZ2NVo4UWcwdG9jWm1N\nby9RVkRJV2U4akhtT0VXN1ZZdWpXS1EKMzzKcykAeI/YqOvKn7UEfgKrjQ7U/bWq\nJa41VGAur8j9ywhpd6awdxySbFpKAu7F1NMMtXFS1rNYHiBpW38ljA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBK1Yybkpa\nNm1TcTRBbzA0RjhBN0g5bkJRUytkS0hkWk5iYnZ4UUVoTmFIRgpOV3lYb21BZ2Ey\nWGJFakJzR3VCNFkzZ0VOcnVHZHBXWnVBa3hEMkdzQWlJCi0tLSBDa054V1VZWnZQ\nNFFLK01lUm5CYm84Ym5QUGF1bGZwYmt3Yzd1SXZpTDlnCrdVytMtD1dD6fF0jwqx\nXcJ/vHiVa8LQYLdpBGRIuGirFoDic8Vb9tDLdtPbHRX0h7XyDzifJNw6cnC0JhoX\nA+M=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMk80WFlz\nY282eE5meUhrRVZES3VpYnk5UVgzMUJOcmdmcEFkVUw0YVlnSApVMm9pVjZ2UUZx\nYjhHa1pneGpvQW9CbWlTbG1NdTVFN3pUSFpYcXlPbWtZCi0tLSB0bVdoWmtKd1dN\nNUFma2psR2JDcGhVWTNrcmkzZjUxSXgwaW5ENW54RmpFCk100PSYPkGbLZqSLagP\noOE3P0DlsMMB8v01TnCfoKZN1NGIzUYL2+3tL4+jkvpwbB1bUcaR3apVdH4+YE7G\n0N0=\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-17T23:24:31Z", + "mac": "ENC[AES256_GCM,data:tXA3XmiPFCvn4S9zoMqE7BdKzJqi8ZCy4FELXj5o04QGEvZXEeQmZkUrl9GGdx1gGJAVQtcsVSrLVPneWOlx5dSojvZzIayKasIo5lEbMueMd6fumw4JDhGOe0oUCnVnNbQ0jjH6L8H0Jy68QI0UQUEJ23EQkB+QZv6QmkQ6eEI=,iv:jGIDVNYZ7y2Pd6Cj4cyI4+Z1Mz2ZrUWi5MkiLCuH+NY=,tag:detXUr9NC2jluxc5b8MRpw==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/verbena/yggdrasil/privateKey/users/rpqt b/vars/per-machine/verbena/yggdrasil/privateKey/users/rpqt new file mode 120000 index 0000000..c6af5c7 --- /dev/null +++ b/vars/per-machine/verbena/yggdrasil/privateKey/users/rpqt @@ -0,0 +1 @@ +../../../../../../sops/users/rpqt \ No newline at end of file diff --git a/vars/per-machine/verbena/yggdrasil/publicKey/value b/vars/per-machine/verbena/yggdrasil/publicKey/value new file mode 100644 index 0000000..0aab494 --- /dev/null +++ b/vars/per-machine/verbena/yggdrasil/publicKey/value @@ -0,0 +1 @@ +a7e3aa76a9cb3cc540dc5f05f685e73e70943ba56e42c5d338ce609d68ffff9d \ No newline at end of file From 8117fdf4a326842b5f67043572880f8205a076b9 Mon Sep 17 00:00:00 2001 
From: Romain Paquet Date: Wed, 18 Feb 2026 01:35:35 +0100 Subject: [PATCH 06/29] Update vars via generator cert-vaultwarden for machine verbena --- .../verbena/cert-vaultwarden/.validation-hash | 1 + .../cert-vaultwarden/vaultwarden.crt/value | 30 ++++++++++ .../vaultwarden.fullchain.crt/value | 60 +++++++++++++++++++ .../vaultwarden.key/machines/verbena | 1 + .../cert-vaultwarden/vaultwarden.key/secret | 26 ++++++++ .../vaultwarden.key/users/rpqt | 1 + 6 files changed, 119 insertions(+) create mode 100644 vars/per-machine/verbena/cert-vaultwarden/.validation-hash create mode 100644 vars/per-machine/verbena/cert-vaultwarden/vaultwarden.crt/value create mode 100644 vars/per-machine/verbena/cert-vaultwarden/vaultwarden.fullchain.crt/value create mode 120000 vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/machines/verbena create mode 100644 vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/secret create mode 120000 vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/users/rpqt diff --git a/vars/per-machine/verbena/cert-vaultwarden/.validation-hash b/vars/per-machine/verbena/cert-vaultwarden/.validation-hash new file mode 100644 index 0000000..8914acd --- /dev/null +++ b/vars/per-machine/verbena/cert-vaultwarden/.validation-hash @@ -0,0 +1 @@ +c7b4dbcaaa1232fc4e0124cce4a87cb2736504cebb6f26db953633cb4c82510b \ No newline at end of file diff --git a/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.crt/value b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.crt/value new file mode 100644 index 0000000..a5ca6a5 --- /dev/null +++ b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.crt/value 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFHTCCAwWgAwIBAgIUPGyLkSQH2pexGMl0O7DqwbvnvoYwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMQ2xhbiBSb290IENBMB4XDTI2MDIxODAwMzUzNVoXDTI3 +MDIxODAwMzUzNVowGjEYMBYGA1UEAwwPdmF1bHR3YXJkZW4udmFsMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr4s1qeegu0v+ZaNmP9JSZPy/Ru/bpELR +fFmXkRKVjYH1X0mSjFrBodOepEXjGYL/94n7EKzxGAGSbs5B31cgZ//doDCtb4Kb +pwvvEJQn3AfAuVWAAEhy/gM3LIw77Xxbzn6oL7anZmTri2tMObdeJiZz9FcO+FUP +HewoPpZYQl8LJ92EhPOS2oLK0Ir4/eSvyhwef1wBzibGtMs4sXiHZKFXGwfuk8e7 +NX6fgl5ITT55TnDFnrRWV4gw8HVUrmWDzpx5Fkh3T0RcZ9IQC/K0Pohj0+g2Rm3e +roVlonu6R6c0CF4o07r+AU6Pe3gWhb+IRjzhmYS90K1WDDzrJ4D77QcJMbHeBkJG +K1DCWc6X3GN4CpZtr2ygDsL/3R0+5DPQuNhubylL6DNGR9Esks5Raz1Rw9fp4YEn +q8sJrlBp0HcYelnXSNACfrmZI2huiI1yUu3oN092jjgKAORhvkRFXyxbKQ2MDrzs +F1yMzJcsWPl4v7dcAuIlAR3aR4m9iWFp4MOh72/zyICLtM20rDmKFFEqj6Ya7IRI +luQ9FwIYFsSnro6tPXLQyLn/29vSVEyNZHKBgd8C7Og9VjbJL2jg13vYo22l8C/b +wu6PBwPzy45eeqrjyQWYJ1jHTF93vQm+wLFM2lQCJTCwILjuqAMKGIIClPDpcOAu +K3maiqxmy0UCAwEAAaNeMFwwGgYDVR0RBBMwEYIPdmF1bHR3YXJkZW4udmFsMB0G +A1UdDgQWBBQsSQOTS3UvS+CQnGwSQtRCCBfTAzAfBgNVHSMEGDAWgBQL66Qfnnn6 +WTQyMGuLH90/98PrvzANBgkqhkiG9w0BAQsFAAOCAgEAc11c69iFBHM6EKqZl7yc +XB8AidXYZtTMGLq3LRUCWmTz3q57PEfdRbCnC816E96ykOv82eAFrd5znyncrMXj +jvvah6iddWkJIIMsaeF2kK37qFhRoMWaYdnqOG10m9XfQPbuykNz5v7AcjXKvB28 +Dns1hzXn4Fiu8zZLX0gqU4wE7b5FQ0KGACHwR+2odx1ZpktgOdtrXsLczxRhLY9H +G6i2w0R8jq+1W6YT1ggHdldIY1nY/zm4hKyrRPyvvcfxwXOCcHOe8BA9j4Agu0jp +yCOSHdw7wt+hVkvp4+NcZSdDGZz0BGbqBUE8B0JZbm87ykqAB07vHjAw6RqyDaBH +FfFj9jZttsHO5VDQSg8RPcxgQXsouIn17X1CTRR5rbR8QcHlSyuzSKLQphFwqCHL +T5nH8DjSn9xpSBMzITVD2vb3PfZW6iIVQ0mGDOJFlswCALywLVuUrOpKE5q6vRnl +vcNew3qJ/oXJZXA3un99dJmzKFSvQPasQA2NcLmdtMeVjqQExF0kZi49AFRUwmIu +ZKf7bMcAC/1Ic/n+kcgbPoFpew5WEGccc6gErKYzQK9QQBU5n1v45LvKQVZfh8QE +TMAC2+uMcZ/Il2m/XuP2RkXectw4zbgb5760MwRIWJ2cRjy79x9z6s5dUJCs/Nti +whPdQ0YihdvztzgZuKhM5NA= +-----END CERTIFICATE----- 
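Review bot: The `vaultwarden.val` leaf certificate appears to contain only subjectAltName, subjectKeyIdentifier and authorityKeyIdentifier, with no `basicConstraints`, `keyUsage` or `extendedKeyUsage`; the same certificate is repeated as the first entry of `vaultwarden.fullchain.crt/value`. This is read from the DER in the hunk, so confirm it with an X.509 dump. Marking server certificates explicitly, in OpenSSL extension syntax `basicConstraints = critical, CA:FALSE`, `keyUsage = critical, digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth`, keeps the key from being accepted for other purposes by clients that trust the root. Validity is one year (2026-02-18 to 2027-02-18), so the generator has to be re-run before expiry; the generator definition is outside this patch.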
diff --git a/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.fullchain.crt/value b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.fullchain.crt/value
new file mode 100644
index 0000000..3d1f467
--- /dev/null
+++ b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.fullchain.crt/value
@@ -0,0 +1,60 @@ +-----BEGIN CERTIFICATE----- +MIIFHTCCAwWgAwIBAgIUPGyLkSQH2pexGMl0O7DqwbvnvoYwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMQ2xhbiBSb290IENBMB4XDTI2MDIxODAwMzUzNVoXDTI3 +MDIxODAwMzUzNVowGjEYMBYGA1UEAwwPdmF1bHR3YXJkZW4udmFsMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr4s1qeegu0v+ZaNmP9JSZPy/Ru/bpELR +fFmXkRKVjYH1X0mSjFrBodOepEXjGYL/94n7EKzxGAGSbs5B31cgZ//doDCtb4Kb +pwvvEJQn3AfAuVWAAEhy/gM3LIw77Xxbzn6oL7anZmTri2tMObdeJiZz9FcO+FUP +HewoPpZYQl8LJ92EhPOS2oLK0Ir4/eSvyhwef1wBzibGtMs4sXiHZKFXGwfuk8e7 +NX6fgl5ITT55TnDFnrRWV4gw8HVUrmWDzpx5Fkh3T0RcZ9IQC/K0Pohj0+g2Rm3e +roVlonu6R6c0CF4o07r+AU6Pe3gWhb+IRjzhmYS90K1WDDzrJ4D77QcJMbHeBkJG +K1DCWc6X3GN4CpZtr2ygDsL/3R0+5DPQuNhubylL6DNGR9Esks5Raz1Rw9fp4YEn +q8sJrlBp0HcYelnXSNACfrmZI2huiI1yUu3oN092jjgKAORhvkRFXyxbKQ2MDrzs +F1yMzJcsWPl4v7dcAuIlAR3aR4m9iWFp4MOh72/zyICLtM20rDmKFFEqj6Ya7IRI +luQ9FwIYFsSnro6tPXLQyLn/29vSVEyNZHKBgd8C7Og9VjbJL2jg13vYo22l8C/b +wu6PBwPzy45eeqrjyQWYJ1jHTF93vQm+wLFM2lQCJTCwILjuqAMKGIIClPDpcOAu +K3maiqxmy0UCAwEAAaNeMFwwGgYDVR0RBBMwEYIPdmF1bHR3YXJkZW4udmFsMB0G +A1UdDgQWBBQsSQOTS3UvS+CQnGwSQtRCCBfTAzAfBgNVHSMEGDAWgBQL66Qfnnn6 +WTQyMGuLH90/98PrvzANBgkqhkiG9w0BAQsFAAOCAgEAc11c69iFBHM6EKqZl7yc +XB8AidXYZtTMGLq3LRUCWmTz3q57PEfdRbCnC816E96ykOv82eAFrd5znyncrMXj +jvvah6iddWkJIIMsaeF2kK37qFhRoMWaYdnqOG10m9XfQPbuykNz5v7AcjXKvB28 +Dns1hzXn4Fiu8zZLX0gqU4wE7b5FQ0KGACHwR+2odx1ZpktgOdtrXsLczxRhLY9H +G6i2w0R8jq+1W6YT1ggHdldIY1nY/zm4hKyrRPyvvcfxwXOCcHOe8BA9j4Agu0jp +yCOSHdw7wt+hVkvp4+NcZSdDGZz0BGbqBUE8B0JZbm87ykqAB07vHjAw6RqyDaBH +FfFj9jZttsHO5VDQSg8RPcxgQXsouIn17X1CTRR5rbR8QcHlSyuzSKLQphFwqCHL +T5nH8DjSn9xpSBMzITVD2vb3PfZW6iIVQ0mGDOJFlswCALywLVuUrOpKE5q6vRnl +vcNew3qJ/oXJZXA3un99dJmzKFSvQPasQA2NcLmdtMeVjqQExF0kZi49AFRUwmIu +ZKf7bMcAC/1Ic/n+kcgbPoFpew5WEGccc6gErKYzQK9QQBU5n1v45LvKQVZfh8QE +TMAC2+uMcZ/Il2m/XuP2RkXectw4zbgb5760MwRIWJ2cRjy79x9z6s5dUJCs/Nti +whPdQ0YihdvztzgZuKhM5NA= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFDzCCAvegAwIBAgIUUPinyxUfxwhxvzVh9az7rsYIVuYwDQYJKoZIhvcNAQEL 
+BQAwFzEVMBMGA1UEAwwMQ2xhbiBSb290IENBMB4XDTI2MDIxMzEyMTQwOVoXDTM2 +MDIxMTEyMTQwOVowFzEVMBMGA1UEAwwMQ2xhbiBSb290IENBMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAwxyooscyb3wqayzJZ6//S8Hd2C2esJ2gii39 ++iEqfV3AXJC1TEm1bgydZ8DGByzbBl4HqvDuElG3a0uEOVZN1GO40KhF4qeusIwr +8giobb+9z5V2BUjWWmAYR/rc14zLFm1hc4dOsXgw8j6AJn25NM9DtmAOTotcGoI8 +tkxAvgqK834bVldTGjhRzEpkkueu+hyqXHiPoRcRSySCxFcGmXOcG69YwpZdXRS8 +2qlLy60QjRTb/kk0wPYA26CCb9Mk63+MOu1afnkyQ1RJTzZiMm5sENxQqnFgKx5u +qzsrmyVY21GDNKoUnNRl/cSD7ZYN44FBhL4PKvK7WmWv8t727hubpHRn3jKCkZzH +RQCXHL/POaYz6ydtkVzzpuzXoo+mt7JatWPLPfSZZJG7z36lkVXUQFmz2i7ODKs/ +LTMAJGGMDzT5zilBIH0eQi50AgybxbY2/tpfADfFVEV85P5vzU3CrjN1wJlRdWe5 +nO2yIygjESgoLUnNM60xkFmLCR74u0i7C+5lUCUjLCi+uKV57TBa+vW8WgtRBVTj +0tf3WLa5U1baXNj4oQI3EFc8XnZ0PUbfWZrsN6SPmYDNuxiAi1R+fUpZwNEMnfS3 +C1Baja/ubz9AHCB+a/q+0Zp2r37ghUjHuyKxbTjIKwmw728l46B36ktQDhne/Jsu +Bwphyu8CAwEAAaNTMFEwHQYDVR0OBBYEFAvrpB+eefpZNDIwa4sf3T/3w+u/MB8G +A1UdIwQYMBaAFAvrpB+eefpZNDIwa4sf3T/3w+u/MA8GA1UdEwEB/wQFMAMBAf8w +DQYJKoZIhvcNAQELBQADggIBABohD3mrad2sGPbgw76j8zjmgNefA+yTVrruQna/ +KZyVL5A7tU1wMWkORViVfW9kApzegXXn9d36sURM5KSb+YB/xdcnKqDSsVGSltMA +YWyEORWqm8kCe3X8sNG0gHNwaxWeZk6uD8LsfTvy2TdegsQSjaNt92HiaQ0vipgP +qN/cRRIdHnMWfbnj1MXb1XDfC7V/o/k5Mfrr944zUi7m/tfh9pat2GqxWAXWLs26 +qtTCv6i92bQXo4R7mjEpDM6K6RqlzUgkeooKEyQ1LSYFl3EG3lAeno5a/+cmuz2f +Mk57aycu29CtJTWY2CMwj5lkzKUDalTbBb/LN40mbVXZLhprxprLYy0nuMq+i5kV +ckuswmR47Uz2+EljzTeR952dZqySBIzZh6o0X5NsBTlD/YaBA32TTa7w1lNd2FGs +oKZ+9E4qdx/jdRsH/cL4O+G8ISl4mYt7Nv6xB3PkiWdte/1zs8sb+3e2rA2nRpsK +uH9uyI9UcJhWU/P3trPC3EE6tKsS1Xwrih7YZ1xgYit37EEhVOpGPPvV8UkNWO3N +RlRZp21vC6Q28AmvorDMBmCcdMpTLBkLIbpYikg7NF7wdd/VUxxu4T1z2VInTWPq +T08+6n8liyTVBf9cHE2eyaXkclo4qlh4o9B0F5slJ1/C+9IadQMhQqQr6o+XFX52 +APqo +-----END CERTIFICATE----- diff --git a/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/machines/verbena b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/machines/verbena new file mode 120000 index 0000000..e061a4c --- /dev/null 
+++ b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/machines/verbena @@ -0,0 +1 @@ +../../../../../../sops/machines/verbena \ No newline at end of file diff --git a/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/secret b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/secret new file mode 100644 index 0000000..623be90 --- /dev/null +++ b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/secret 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:hV44A6dAxW8cwR4i3f5Qv2rXG95yBE7A5cp4v+C60no=,tag:7s3RXi26FK1Bn7cZNiVWNA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWmw0dHA5R01ud3BZS05F\nTWhuUmRKNHh1eXFCV1FYeTNXWkkrNEFYL1F3CmY0K1dQcWdrQjM4aHVDT0JpRlp2\nMDgwSzBYOEplNU5NcEV3eWFRRFNCUW8KLS0tIGpaT2VZNUw0UG0yaVJpa1BNeVNz\nY1d4NGV1UUI2K0N4UVh3a3VxR25USEEKU9O5qGxNBu7PmOQoGgK9DA9sHmF8iDdG\nKoFGNm7PxPogiyyH2cYGuuTECE/jl/688G0OxLiDcnRQXX8NoRqhOg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNnJBakYvZy9aMkFWUWE3\nQkZTZUpUNzBtSVdMR0JsVE5aTWNENkM4ZncwCitYMFNtREFDR3RzUFNPcy9hSDRK\nZDZSa1l2cGVvcWpUM1pGTlFiWGVZVWsKLS0tIHkrV2JkRnI5c2dwUC9Nei8waFZ5\nS1VTR2dIZjdObDltaHBnYlJkSWo5NjQKG40vnJsRChUqxUOQAlDR8g1CUijYnmLL\nYLC7OokA235Xk12/f4Sj80JtXn7JeA6n1frW1ACYOqmqMbe0PcVhQA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdmUrcUgy\nR0hQSkRrQWk0NWNYTHZHVXhRdjVjd0p6OUNsRTFGVzg3S05CagpadUdDV2tVMW5S\neHlJbGVqOEw3bTBiSjVqUHpDaCtOd00vR2dxd1dCb0c4Ci0tLSBxdVFaakVtcVFh\nMHMzQU0reTI0bUFqKzQyYnRUbFJoNTlNcmtEMXVwSnpZCiZ1gkpzeWcz8L0pfyG3\n5SYetkATbEUyh5gDn31SeGFNuCc+pPISZigRwsgVAxQ3rwwIaBCnMxQ/y1QwpJBL\nmzQ=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdmhiNkFz\nbXg0N21ITXdzRzRhUDB1RTYvY213WXN6Vnk3OWwvZnVQYVBuNQpWL1laK2JCY2w3\ncEJXVjhVMlVyenBrS2FxdmVVZW9SUDI3MjhtT0MzUHVNCi0tLSBrOUJzMzN1Y1F4\nMXdtdkU1bXdnNWtUNTk4czNJT0pRcEl5VkNyS2ZhSHBjCl+VgcQHlDgLH069CsYb\n27u51g3DWShK2qMQ2yXx3GlNAYpbelx+DH7xX0YmwyU7/7+mKFpY5OhDUr1f7qdM\nFq0=\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-18T00:35:35Z", + "mac": "ENC[AES256_GCM,data:FVZ3oejgz6wz6rxWkHFP1k+Wk/k2eksfsOdUM7+K3W4bi/5KIBVxLBOd7P7YSr2sq3sBpORNw98Btn7m1KgLZBFqS0FrmscIQOUkUwQ+SMAaMGM3e/uR92Z40w9XyYhzDTMAz8uzGS+p23pJwxeVILCC5Hlvk+JRv+DGLASPKHA=,iv:qwQcHE1cut7F5hr+OqMJE9xy/SnHwIA1V74W+WuBUdg=,tag:DISIGMdDxTSpJMkX+Yjadw==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/users/rpqt b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/users/rpqt new file mode 120000 index 0000000..c6af5c7 --- /dev/null +++ b/vars/per-machine/verbena/cert-vaultwarden/vaultwarden.key/users/rpqt @@ -0,0 +1 @@ +../../../../../../sops/users/rpqt \ No newline at end of file From ea82989372d4378eb77f5e57bb3ab95c5a88d482 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Thu, 19 Feb 2026 00:42:39 +0100 Subject: [PATCH 07/29] update flake inputs --- flake.lock | 58 +++++++++++++++++++++++++++--------------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/flake.lock b/flake.lock index a19a3d2..76468fc 100644 --- a/flake.lock +++ b/flake.lock 
@@ -40,11 +40,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1770649721, - "narHash": "sha256-4syGZZIi6sYvstH4d9+uoWai2JZclf+1xahZjr08/P0=", + "lastModified": 1770977370, + "narHash": "sha256-3lmK48dISCz4dzxflQVvV2GBIw76+qRve7l4IKX8J44=", "ref": "refs/heads/main", - "rev": "c976a9743f9a4ea6e0915ef17c6a6ddb0652dce1", - "revCount": 12867, + "rev": "0517fbfa50dd02abc834c928769cfdaaf43498c9", + "revCount": 12952, "type": "git", "url": "https://git.clan.lol/clan/clan-core" }, @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1770409579, - "narHash": "sha256-reWzIb3dxJnLcwBEuT6khzEDvCiBCVTiqBR9C4vH/jg=", - "rev": "5065ddc67a7009fb81a29f43aa056b2a4552ed96", + "lastModified": 1770580383, + "narHash": "sha256-fEpF46+YO+jz4X+kahCbgLpRzWRB8wlPiw3lzDcWFpI=", + "rev": "f6d0b3d4685c9f44e2c4f479e8fcac17ea923abb", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/5065ddc67a7009fb81a29f43aa056b2a4552ed96.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/f6d0b3d4685c9f44e2c4f479e8fcac17ea923abb.tar.gz" }, "original": { "type": "tarball", @@ -106,11 +106,11 @@ "treefmt-nix": "treefmt-nix_3" }, "locked": { - "lastModified": 1770621819, - "narHash": "sha256-2lc95nmYS9nic05NfuXyYTqsJqcPXNrDTqJd/nwoT2s=", + "lastModified": 1770747313, + "narHash": "sha256-/v/FZ22F3xDWf4hRMP5Tts1E+CCclMG7Sxjybv1HnG8=", "owner": "Mic92", "repo": "direnv-instant", - "rev": "03b6fe502b6f9247aaf5df9dbab6eb102bce43ed", + "rev": "33a67336f5ec810ffaf84c723b70301534533752", "type": "github" }, "original": { 
@@ -271,11 +271,11 @@ ] }, "locked": { - "lastModified": 1770654520, - "narHash": "sha256-mg5WZMIPGsFu9MxSrUcuJUPMbfMsF77el5yb/7rc10k=", + "lastModified": 1770975156, + "narHash": "sha256-bPKv7BcIOGp4R1Q3hKhiD2CT3+7D6ibNIaJfEJdeOzo=", "owner": "nix-community", "repo": "home-manager", - "rev": "6c4fdbe1ad198fac36c320fd45c5957324a80b8e", + "rev": "de4cfffc98f43ab8ba90739b56991f068f9e9018", "type": "github" }, "original": { @@ -316,11 +316,11 @@ ] }, "locked": { - "lastModified": 1770184146, - "narHash": "sha256-DsqnN6LvXmohTRaal7tVZO/AKBuZ02kPBiZKSU4qa/k=", + "lastModified": 1770922915, + "narHash": "sha256-6J/JoK9iL7sHvKJcGW2KId2agaKv1OGypsa7kN+ZBD4=", "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "0d7874ef7e3ba02d58bebb871e6e29da36fa1b37", + "rev": "6c5a56295d2a24e43bcd8af838def1b9a95746b2", "type": "github" }, "original": { @@ -378,11 +378,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1770631810, - "narHash": "sha256-b7iK/x+zOXbjhRqa+XBlYla4zFvPZyU5Ln2HJkiSnzc=", + "lastModified": 1770882871, + "narHash": "sha256-nw5g+xl3veea+maxJ2/81tMEA/rPq9aF1H5XF35X+OE=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "2889685785848de940375bf7fea5e7c5a3c8d502", + "rev": "af04cb78aa85b2a4d1c15fc7270347e0d0eda97b", "type": "github" }, "original": { @@ -410,11 +410,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1770562336, - "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", + "lastModified": 1770841267, + "narHash": "sha256-9xejG0KoqsoKEGp2kVbXRlEYtFFcDTHjidiuX8hGO44=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", + "rev": "ec7c70d12ce2fc37cb92aff673dcdca89d187bae", "type": "github" }, "original": { 
@@ -492,11 +492,11 @@ ] }, "locked": { - "lastModified": 1770526836, - "narHash": "sha256-xbvX5Ik+0inJcLJtJ/AajAt7xCk6FOCrm5ogpwwvVDg=", + "lastModified": 1770683991, + "narHash": "sha256-xVfPvXDf9QN3Eh9dV+Lw6IkWG42KSuQ1u2260HKvpnc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "d6e0e666048a5395d6ea4283143b7c9ac704720d", + "rev": "8b89f44c2cc4581e402111d928869fe7ba9f7033", "type": "github" }, "original": { @@ -512,11 +512,11 @@ ] }, "locked": { - "lastModified": 1770603164, - "narHash": "sha256-2jJNzobNvy307k/FJxDWR6aO6FmClILFdA78CzdW9zY=", + "lastModified": 1770891763, + "narHash": "sha256-Ojjyo+W6hjRwvMjqlVuUnht9HzkCDfKJUL5A9zl1KcQ=", "owner": "nix-community", "repo": "srvos", - "rev": "aa7bed2868237fad33b5ba12fca8f4f7a4dc07c5", + "rev": "6c9ab8473c11c6ab113aa61b86595cbd5ec8aed7", "type": "github" }, "original": { From 836816c7a7f1deefc8be1483ac4906ddc84a341e Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Thu, 19 Feb 2026 00:42:39 +0100 Subject: [PATCH 08/29] update flake inputs --- flake.lock | 76 +++++++++++++++++++++++++++--------------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/flake.lock b/flake.lock index 76468fc..0642fdc 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1770625627, - "narHash": "sha256-mjQp38qba98jsSVPCdLHPbIt+KSPECTGfq04qrDie/s=", + "lastModified": 1771244661, + "narHash": "sha256-SMPAkwTSsSkRktu2alihmOQvWdJ99Hy+oNFEnQrrSEI=", "owner": "nix-community", "repo": "buildbot-nix", - "rev": "9104e3d8c1e63238e4c64f53c90c5eb1fd67268b", + "rev": "cb4a75cc61446177491b00332285bfd6e57d5d8f", "type": "github" }, "original": { 
@@ -40,11 +40,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1770977370, - "narHash": "sha256-3lmK48dISCz4dzxflQVvV2GBIw76+qRve7l4IKX8J44=", + "lastModified": 1771457652, + "narHash": "sha256-FOquRYuE76l0vEYzMZNjsH7egD62nLW2foZ6azTBd/Q=", "ref": "refs/heads/main", - "rev": "0517fbfa50dd02abc834c928769cfdaaf43498c9", - "revCount": 12952, + "rev": "ea3e53509d04b60a3cc20608aae771eea426f773", + "revCount": 13076, "type": "git", "url": "https://git.clan.lol/clan/clan-core" }, @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1770580383, - "narHash": "sha256-fEpF46+YO+jz4X+kahCbgLpRzWRB8wlPiw3lzDcWFpI=", - "rev": "f6d0b3d4685c9f44e2c4f479e8fcac17ea923abb", + "lastModified": 1771211199, + "narHash": "sha256-1JHyii0rZzm9oyTgSxhW3v/t5XPEzqov+QN8bRUkxnk=", + "rev": "541e221be610c7e89a190ab2167d866a67cb815a", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/f6d0b3d4685c9f44e2c4f479e8fcac17ea923abb.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/541e221be610c7e89a190ab2167d866a67cb815a.tar.gz" }, "original": { "type": "tarball", @@ -106,11 +106,11 @@ "treefmt-nix": "treefmt-nix_3" }, "locked": { - "lastModified": 1770747313, - "narHash": "sha256-/v/FZ22F3xDWf4hRMP5Tts1E+CCclMG7Sxjybv1HnG8=", + "lastModified": 1771225960, + "narHash": "sha256-JnMhZ4HrpBzzDY6pDCsDXrlljhW+Y/bwlC7lG8ExUMo=", "owner": "Mic92", "repo": "direnv-instant", - "rev": "33a67336f5ec810ffaf84c723b70301534533752", + "rev": "36f1e18aebf51392347ea05b3d69bb2ab9540523", "type": "github" }, "original": { @@ -127,11 +127,11 @@ ] }, "locked": { - "lastModified": 1769524058, - "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", + "lastModified": 1771355198, + "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=", "owner": "nix-community", "repo": "disko", - "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", + "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9", "type": "github" }, "original": { 
@@ -147,11 +147,11 @@ ] }, "locked": { - "lastModified": 1769524058, - "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", + "lastModified": 1771355198, + "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=", "owner": "nix-community", "repo": "disko", - "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", + "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9", "type": "github" }, "original": { @@ -271,11 +271,11 @@ ] }, "locked": { - "lastModified": 1770975156, - "narHash": "sha256-bPKv7BcIOGp4R1Q3hKhiD2CT3+7D6ibNIaJfEJdeOzo=", + "lastModified": 1771422582, + "narHash": "sha256-xK5kl3OBZaF1VwziVMX+SZ2LT9Fbu5o8vRDt78uR7no=", "owner": "nix-community", "repo": "home-manager", - "rev": "de4cfffc98f43ab8ba90739b56991f068f9e9018", + "rev": "b3ccd4bb262f4e6d3248b46cede92b90c4a42094", "type": "github" }, "original": { @@ -316,11 +316,11 @@ ] }, "locked": { - "lastModified": 1770922915, - "narHash": "sha256-6J/JoK9iL7sHvKJcGW2KId2agaKv1OGypsa7kN+ZBD4=", + "lastModified": 1771371916, + "narHash": "sha256-G14VTfmzzRYxAhtEBNanQgCNA++Cv0/9iV4h/lkqX9U=", "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "6c5a56295d2a24e43bcd8af838def1b9a95746b2", + "rev": "aff4c008cec17d6a6760949df641ca0ea9179cac", "type": "github" }, "original": { @@ -378,11 +378,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1770882871, - "narHash": "sha256-nw5g+xl3veea+maxJ2/81tMEA/rPq9aF1H5XF35X+OE=", + "lastModified": 1771423359, + "narHash": "sha256-yRKJ7gpVmXbX2ZcA8nFi6CMPkJXZGjie2unsiMzj3Ig=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "af04cb78aa85b2a4d1c15fc7270347e0d0eda97b", + "rev": "740a22363033e9f1bb6270fbfb5a9574067af15b", "type": "github" }, "original": { 
@@ -410,11 +410,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1770841267, - "narHash": "sha256-9xejG0KoqsoKEGp2kVbXRlEYtFFcDTHjidiuX8hGO44=", + "lastModified": 1771369470, + "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ec7c70d12ce2fc37cb92aff673dcdca89d187bae", + "rev": "0182a361324364ae3f436a63005877674cf45efb", "type": "github" }, "original": { @@ -492,11 +492,11 @@ ] }, "locked": { - "lastModified": 1770683991, - "narHash": "sha256-xVfPvXDf9QN3Eh9dV+Lw6IkWG42KSuQ1u2260HKvpnc=", + "lastModified": 1771166946, + "narHash": "sha256-UFc4lfGBr+wJmwgDGJDn1cVD6DTr0/8TdronNUiyXlU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8b89f44c2cc4581e402111d928869fe7ba9f7033", + "rev": "2d0cf89b4404529778bc82de7e42b5754e0fe4fa", "type": "github" }, "original": { @@ -512,11 +512,11 @@ ] }, "locked": { - "lastModified": 1770891763, - "narHash": "sha256-Ojjyo+W6hjRwvMjqlVuUnht9HzkCDfKJUL5A9zl1KcQ=", + "lastModified": 1771207491, + "narHash": "sha256-08s9LKq9Et4y9r6FSJLJUnRCyJHZMauAIok45ulQo0k=", "owner": "nix-community", "repo": "srvos", - "rev": "6c9ab8473c11c6ab113aa61b86595cbd5ec8aed7", + "rev": "434ed3900e9a7b23638da97ebe16ab0e0be7fef5", "type": "github" }, "original": { From aa14063a6f708e269c04d6500a7da97ca8ed4efc Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Fri, 20 Feb 2026 00:15:59 +0100 Subject: [PATCH 09/29] Update vars via generator openssh-cert (machine: crocus) --- vars/per-machine/crocus/openssh-cert/.validation-hash | 2 +- .../crocus/openssh-cert/ssh.id_ed25519-cert.pub/value | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/per-machine/crocus/openssh-cert/.validation-hash b/vars/per-machine/crocus/openssh-cert/.validation-hash index e971f15..899a184 100644 --- a/vars/per-machine/crocus/openssh-cert/.validation-hash +++ b/vars/per-machine/crocus/openssh-cert/.validation-hash 
@@ -1 +1 @@ -243132bdc5136706ee224d98a96529e443dfb8fd086cc6202f30d95f6911060f \ No newline at end of file +39b3fb090811dacf823dfc4ee24df16908cb7fc3ab6464be0695c3ad894ff5dd \ No newline at end of file diff --git a/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value index 4e8e3b5..f6590e9 100644 --- a/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value +++ b/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value @@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIBKcszb0YlcYG5GLTntOGpMyse+FxISKTdn3pVoJAzC5AAAAIOtUFcEICj2NcZZPcfl+JCCaDfmCxQtLytGH0eoFNL4UAAAAAAAAAAAAAAACAAAABmNyb2N1cwAAABcAAAATY3JvY3VzLmhvbWUucnBxdC5mcgAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7AAAAUwAAAAtzc2gtZWQyNTUxOQAAAECy8llQ6XQHRjjOTz/Le+Af6bW/lCq8ruJHPW8vh6tc2e9HFM7pWePxVeF0bCwWZ5IRNkvwjgfdbKMZG599racJ nixbld@haze +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAILnYAntyfcuzPEYqi7sUWCwscLI3xSq4tVdyu4nZUHVSAAAAIOtUFcEICj2NcZZPcfl+JCCaDfmCxQtLytGH0eoFNL4UAAAAAAAAAAAAAAACAAAABmNyb2N1cwAAACUAAAATY3JvY3VzLmhvbWUucnBxdC5mcgAAAApjcm9jdXMudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQDvuQ0DBrsQBlPyEE1JAmHoAICE00itTneW+DcZpSAScq42wLVOzKCD2shaeYnlDC/I7eIKT27fNWqaNUZnligU= nixbld@haze From 70eb2772fa7681f68870a84bf4e670418e5b6f40 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Fri, 20 Feb 2026 00:20:59 +0100 Subject: [PATCH 10/29] Update vars via generator openssh-cert (machine: genepi) --- vars/per-machine/genepi/openssh-cert/.validation-hash | 2 +- .../genepi/openssh-cert/ssh.id_ed25519-cert.pub/value | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
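Review bot: The re-issued host certificate in `ssh.id_ed25519-cert.pub/value` decodes to a validity window of 0 to 0xFFFFFFFFFFFFFFFF, so it never expires, and its serial is 0. Without an expiry, a leaked host key for crocus stays trusted by every client that trusts the CA until it is explicitly revoked. The file is generator output, so the change belongs in the openssh-cert generator, which this patch does not show: presumably it calls `ssh-keygen -s … -h`, and adding a validity interval such as `-V +52w` plus a per-issue serial via `-z` would bound the exposure and allow revocation by serial. The genepi, haze and verbena certificates in patches 10–12, and the re-issued ones in patches 13–16, carry the same validity and serial fields.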
diff --git a/vars/per-machine/genepi/openssh-cert/.validation-hash b/vars/per-machine/genepi/openssh-cert/.validation-hash index 02779a2..0305b02 100644 --- a/vars/per-machine/genepi/openssh-cert/.validation-hash +++ b/vars/per-machine/genepi/openssh-cert/.validation-hash @@ -1 +1 @@ -03d96c6ed6a59594bf0faa06dfcb7d7959628eba37fb4c35f6c95803edc23b90 \ No newline at end of file +6549cb20efa183d27063cd91f145f3b775928e4d62fff1337105be8c6ce1c2f9 \ No newline at end of file diff --git a/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value index 9219ad7..17c84bc 100644 --- a/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value +++ b/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value @@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIHcv5O9kZ5PjMVSVvmRNK1FQIQ3fsx5I/bq/nVHEbdg7AAAAIFwq0inZe4DX4DuJx/vbfjG5XLZ46MnBXjipdHgD9LBgAAAAAAAAAAAAAAACAAAABmdlbmVwaQAAABcAAAATZ2VuZXBpLmhvbWUucnBxdC5mcgAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEBUtVWziAfc5PzYezSlbAXfFXLP1KoPYHPUtFaon0Fu14j3+RhKC7nylUgvGCOm46dTq+S9YoDZ3SqlwxwyD4cL nixbld@haze +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIZkTwEkKh4kKztKXYgnXFk9LpKriuSZiqaPFU1yQpDAAAAAIFwq0inZe4DX4DuJx/vbfjG5XLZ46MnBXjipdHgD9LBgAAAAAAAAAAAAAAACAAAABmdlbmVwaQAAACUAAAATZ2VuZXBpLmhvbWUucnBxdC5mcgAAAApnZW5lcGkudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQPvCedCbEJjokP9dArckGmjVFgMgazG8ZNU2mxzB28zYCLVC5wyUKFDeEKhmqwuuijxSR1W8msY3VzS/n+hcFww= nixbld@haze From 7ccdd389c3ccb3dad9087fc015e1f09e1257487c Mon Sep 17 00:00:00 2001 
From: Romain Paquet Date: Fri, 20 Feb 2026 00:21:23 +0100 Subject: [PATCH 11/29] Update vars via generator openssh-cert (machine: haze) --- vars/per-machine/haze/openssh-cert/.validation-hash | 2 +- .../per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/per-machine/haze/openssh-cert/.validation-hash b/vars/per-machine/haze/openssh-cert/.validation-hash index 15f8ff2..8048fd9 100644 --- a/vars/per-machine/haze/openssh-cert/.validation-hash +++ b/vars/per-machine/haze/openssh-cert/.validation-hash @@ -1 +1 @@ -5c9d0944c4f6abc9765b12a4c4eebca296ec914fd8ee4e4691b9c40fbdef57b7 \ No newline at end of file +b77968fdaacc331514465610e92b9371832f71678c0bc5e20d1e5cf1c1688d10 \ No newline at end of file diff --git a/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value index ddf64bf..1bfe10b 100644 --- a/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value +++ b/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value 
@@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAICBUNOo7T8sn7F094li17lssJOCdixjDhLO6eGlO72ZwAAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAEAAAAAAAAAAAAAAACAAAABGhhemUAAAAVAAAAEWhhemUuaG9tZS5ycHF0LmZyAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQHVWtdcrv4w8xc/YSAJmGkulkMfr3QOdEEGBZLeARu15To31xtScc4U5WhMstZRu9rWBoVENaUIuo0poRvHT/Ak= nixbld@haze +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAINl/ucaK/wgb3OMmKkEvX5r9aLE5HbaWvP2R6Dekla9FAAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAEAAAAAAAAAAAAAAACAAAABGhhemUAAAAhAAAAEWhhemUuaG9tZS5ycHF0LmZyAAAACGhhemUudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQCOXATjCU/275ZcCboB4XyzD37MYUgmFHWiD9zQcHfEbXEb3C8HZ2f6vcbf0mrbE98JqXgNTT4s1/eNDBha0xQw= nixbld@haze From db88b019266ac01c6764611e3e8959f2fa0bbdc2 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Fri, 20 Feb 2026 00:21:28 +0100 Subject: [PATCH 12/29] Update vars via generator openssh-cert (machine: verbena) --- vars/per-machine/verbena/openssh-cert/.validation-hash | 2 +- .../verbena/openssh-cert/ssh.id_ed25519-cert.pub/value | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/per-machine/verbena/openssh-cert/.validation-hash b/vars/per-machine/verbena/openssh-cert/.validation-hash index e0bfa42..9b69b24 100644 --- a/vars/per-machine/verbena/openssh-cert/.validation-hash +++ b/vars/per-machine/verbena/openssh-cert/.validation-hash @@ -1 +1 @@ -ac6a5c1a1f92820a01374e2f28f5e230bc28104313a3c01c5bfa91ee112805e5 \ No newline at end of file +e0640fc500aeb0783a6dbd62023b34f4031acdf1238884ca128cbd2077e75a07 \ No newline at end of file 
diff --git a/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value index 8b9264c..00800d1 100644 --- a/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value +++ b/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value @@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIERlRW05oWOKBoc6WXhIbkMsu/GGjZ7GtsDWGbilP6FQAAAAIOFmER+Rjwzfr/GLrD3kItVEEdhPTIjUFgSbhNOJtNJVAAAAAAAAAAAAAAACAAAAB3ZlcmJlbmEAAAAYAAAAFHZlcmJlbmEuaG9tZS5ycHF0LmZyAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQN93JKKLUpCkdj2D2wHbhn8MK3JH0PMUuQqBLUqK29+YlRlPZI9ZesKK0JsAnraDLyn7UEg7cyt0cXRkCPfcqwc= /tmp/vars-ifid6s0y/in/openssh/ssh.id_ed25519.pub +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAINZCMJMJoc63iSQbIhzqjU3VKIgqJr/R0H4uDutqGnJ9AAAAIOFmER+Rjwzfr/GLrD3kItVEEdhPTIjUFgSbhNOJtNJVAAAAAAAAAAAAAAACAAAAB3ZlcmJlbmEAAAAnAAAAFHZlcmJlbmEuaG9tZS5ycHF0LmZyAAAAC3ZlcmJlbmEudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQEto0sOMAzQIhEPE9xQn/RBKeIHqILjhVCsnYUkMS2sBpynSuKmy/N84QEu1niFpUSLDOG/oAoKFhnT2SKclsw4= /tmp/vars-pkcwwxy9/in/openssh/ssh.id_ed25519.pub From f2d3774eb8856065d2c17df0c45a1c7196bf0943 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Mon, 23 Feb 2026 16:04:16 +0100 Subject: [PATCH 13/29] Update vars via generator openssh-cert (machine: crocus) --- vars/per-machine/crocus/openssh-cert/.validation-hash | 2 +- .../crocus/openssh-cert/ssh.id_ed25519-cert.pub/value | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/per-machine/crocus/openssh-cert/.validation-hash b/vars/per-machine/crocus/openssh-cert/.validation-hash index 899a184..27875cb 100644 
--- a/vars/per-machine/crocus/openssh-cert/.validation-hash +++ b/vars/per-machine/crocus/openssh-cert/.validation-hash @@ -1 +1 @@ -39b3fb090811dacf823dfc4ee24df16908cb7fc3ab6464be0695c3ad894ff5dd \ No newline at end of file +d7ce396c3933efa71c43fc23777632fe71a76eddca5bac12cda44da89a563fe0 \ No newline at end of file diff --git a/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value index f6590e9..d83ca15 100644 --- a/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value +++ b/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value @@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAILnYAntyfcuzPEYqi7sUWCwscLI3xSq4tVdyu4nZUHVSAAAAIOtUFcEICj2NcZZPcfl+JCCaDfmCxQtLytGH0eoFNL4UAAAAAAAAAAAAAAACAAAABmNyb2N1cwAAACUAAAATY3JvY3VzLmhvbWUucnBxdC5mcgAAAApjcm9jdXMudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQDvuQ0DBrsQBlPyEE1JAmHoAICE00itTneW+DcZpSAScq42wLVOzKCD2shaeYnlDC/I7eIKT27fNWqaNUZnligU= nixbld@haze +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAICAF61MvGxNOdslLdzhl9OYAJnGGkuYqcg5TqZALNNO8AAAAIOtUFcEICj2NcZZPcfl+JCCaDfmCxQtLytGH0eoFNL4UAAAAAAAAAAAAAAACAAAABmNyb2N1cwAAAA4AAAAKY3JvY3VzLnZhbAAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDHYdd9h6zVwR7ty+XFjqUu/nLNfqVJUdSjlukIPO2npThQNI2xXLjl2dwZrkYttQOc0bMZEegF+oqy46hWn2ML nixbld@haze From aa8f862d31d9383d42cf0b5094d655f3bad63d41 Mon Sep 17 00:00:00 2001 
From: Romain Paquet Date: Mon, 23 Feb 2026 16:10:13 +0100 Subject: [PATCH 14/29] Update vars via generator openssh-cert (machine: genepi) --- vars/per-machine/genepi/openssh-cert/.validation-hash | 2 +- .../genepi/openssh-cert/ssh.id_ed25519-cert.pub/value | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/per-machine/genepi/openssh-cert/.validation-hash b/vars/per-machine/genepi/openssh-cert/.validation-hash index 0305b02..7cb170b 100644 --- a/vars/per-machine/genepi/openssh-cert/.validation-hash +++ b/vars/per-machine/genepi/openssh-cert/.validation-hash @@ -1 +1 @@ -6549cb20efa183d27063cd91f145f3b775928e4d62fff1337105be8c6ce1c2f9 \ No newline at end of file +704b7b54a3f6c8e1e067d1d67af0e6196ab9e7ade3c2e1cdf39d453fd752f8a2 \ No newline at end of file diff --git a/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value index 17c84bc..3320d28 100644 --- a/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value +++ b/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value 
@@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIIZkTwEkKh4kKztKXYgnXFk9LpKriuSZiqaPFU1yQpDAAAAAIFwq0inZe4DX4DuJx/vbfjG5XLZ46MnBXjipdHgD9LBgAAAAAAAAAAAAAAACAAAABmdlbmVwaQAAACUAAAATZ2VuZXBpLmhvbWUucnBxdC5mcgAAAApnZW5lcGkudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQPvCedCbEJjokP9dArckGmjVFgMgazG8ZNU2mxzB28zYCLVC5wyUKFDeEKhmqwuuijxSR1W8msY3VzS/n+hcFww= nixbld@haze +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAID4xVT4K4Mw+2Set7g+coIBqDBDqsqXq5OwHMLiFUnFiAAAAIFwq0inZe4DX4DuJx/vbfjG5XLZ46MnBXjipdHgD9LBgAAAAAAAAAAAAAAACAAAABmdlbmVwaQAAAA4AAAAKZ2VuZXBpLnZhbAAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDvZueTkncYe9h3rvLvHBfMpfphv/tQpmd6K53XnfyGwIjOX5E4PILvS97jFOBVVHceN509i+W4Po6YwM+uMdMF nixbld@haze From bc2f8af3e3cc2d287a3e33621581493ebcf978e9 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Mon, 23 Feb 2026 16:10:16 +0100 Subject: [PATCH 15/29] Update vars via generator openssh-cert (machine: haze) --- vars/per-machine/haze/openssh-cert/.validation-hash | 2 +- .../per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/per-machine/haze/openssh-cert/.validation-hash b/vars/per-machine/haze/openssh-cert/.validation-hash index 8048fd9..fafd47a 100644 --- a/vars/per-machine/haze/openssh-cert/.validation-hash +++ b/vars/per-machine/haze/openssh-cert/.validation-hash @@ -1 +1 @@ -b77968fdaacc331514465610e92b9371832f71678c0bc5e20d1e5cf1c1688d10 \ No newline at end of file +844ed45e8887837a0fa5bd564758b2098109ab422767c60cbdf740c78d960535 \ No newline at end of file 
diff --git a/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value index 1bfe10b..65d7959 100644 --- a/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value +++ b/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value @@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAINl/ucaK/wgb3OMmKkEvX5r9aLE5HbaWvP2R6Dekla9FAAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAEAAAAAAAAAAAAAAACAAAABGhhemUAAAAhAAAAEWhhemUuaG9tZS5ycHF0LmZyAAAACGhhemUudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQCOXATjCU/275ZcCboB4XyzD37MYUgmFHWiD9zQcHfEbXEb3C8HZ2f6vcbf0mrbE98JqXgNTT4s1/eNDBha0xQw= nixbld@haze +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIEmKeRdbl6QKhHAA9mzI79WMt6U8ngxk86yjXaXWDV+sAAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAEAAAAAAAAAAAAAAACAAAABGhhemUAAAAMAAAACGhhemUudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQJwbZa47wtCyzKfQq+nka3hwYbr4P6+Q9d9o1vjVC6//CR22DKyDG9p5UxI2e+ENluWPiQfAL3GkcIHwCkcu9Ak= nixbld@haze From e65f20346d9c87bdb1df3a2e04261a333dcebaec Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Mon, 23 Feb 2026 16:10:20 +0100 Subject: [PATCH 16/29] Update vars via generator openssh-cert (machine: verbena) --- vars/per-machine/verbena/openssh-cert/.validation-hash | 2 +- .../verbena/openssh-cert/ssh.id_ed25519-cert.pub/value | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/per-machine/verbena/openssh-cert/.validation-hash b/vars/per-machine/verbena/openssh-cert/.validation-hash index 9b69b24..80d0d05 100644 --- a/vars/per-machine/verbena/openssh-cert/.validation-hash +++ b/vars/per-machine/verbena/openssh-cert/.validation-hash 
@@ -1 +1 @@ -e0640fc500aeb0783a6dbd62023b34f4031acdf1238884ca128cbd2077e75a07 \ No newline at end of file +6d643cfba149ef8921d79addc498840481413011bf9382f39e9ca340fb9b3a12 \ No newline at end of file diff --git a/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value index 00800d1..a4967e4 100644 --- a/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value +++ b/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value @@ -1 +1 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAINZCMJMJoc63iSQbIhzqjU3VKIgqJr/R0H4uDutqGnJ9AAAAIOFmER+Rjwzfr/GLrD3kItVEEdhPTIjUFgSbhNOJtNJVAAAAAAAAAAAAAAACAAAAB3ZlcmJlbmEAAAAnAAAAFHZlcmJlbmEuaG9tZS5ycHF0LmZyAAAAC3ZlcmJlbmEudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQEto0sOMAzQIhEPE9xQn/RBKeIHqILjhVCsnYUkMS2sBpynSuKmy/N84QEu1niFpUSLDOG/oAoKFhnT2SKclsw4= /tmp/vars-pkcwwxy9/in/openssh/ssh.id_ed25519.pub +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIPNzq7CFDqSHBuZXQXTrR4YaFFkriI3aEoVUgL3dvh0nAAAAIOFmER+Rjwzfr/GLrD3kItVEEdhPTIjUFgSbhNOJtNJVAAAAAAAAAAAAAAACAAAAB3ZlcmJlbmEAAAAPAAAAC3ZlcmJlbmEudmFsAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQEdcCA4/otpbuZL19qLnPk3q256H/hY/1ANipPO6pWwDHuVcA/BpVFVH5FeEo2NImhqCe3rMjrE0QunRR5f/GgU= /tmp/vars-onynbkk2/in/openssh/ssh.id_ed25519.pub From a81b6d7343ee4f70cddc52fab58fb215127cb6ad Mon Sep 17 00:00:00 2001 
From: Romain Paquet Date: Mon, 23 Feb 2026 23:14:50 +0100 Subject: [PATCH 17/29] Update vars via generator user-password-rpqt (machine: crocus) --- .../user-password-hash/machines/crocus | 1 + .../user-password-hash/secret | 26 +++++++++++++++++++ .../user-password-hash/users/rpqt | 1 + .../user-password-rpqt/user-password/secret | 22 ++++++++++++++++ .../user-password/users/rpqt | 1 + 5 files changed, 51 insertions(+) create mode 120000 vars/per-machine/crocus/user-password-rpqt/user-password-hash/machines/crocus create mode 100644 vars/per-machine/crocus/user-password-rpqt/user-password-hash/secret create mode 120000 vars/per-machine/crocus/user-password-rpqt/user-password-hash/users/rpqt create mode 100644 vars/per-machine/crocus/user-password-rpqt/user-password/secret create mode 120000 vars/per-machine/crocus/user-password-rpqt/user-password/users/rpqt diff --git a/vars/per-machine/crocus/user-password-rpqt/user-password-hash/machines/crocus b/vars/per-machine/crocus/user-password-rpqt/user-password-hash/machines/crocus new file mode 120000 index 0000000..efe6fd0 --- /dev/null +++ b/vars/per-machine/crocus/user-password-rpqt/user-password-hash/machines/crocus @@ -0,0 +1 @@ +../../../../../../sops/machines/crocus \ No newline at end of file diff --git a/vars/per-machine/crocus/user-password-rpqt/user-password-hash/secret b/vars/per-machine/crocus/user-password-rpqt/user-password-hash/secret new file mode 100644 index 0000000..e6fd470 --- /dev/null +++ b/vars/per-machine/crocus/user-password-rpqt/user-password-hash/secret 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:iTLYp5ai+sYaQwbT2OyItwbcpnR9m0iE2i3Psl1zafEAQgDrBsmQ3lOsuFqAre2hGVLfSuoGDCb+DTnsKLCidk/9qyFLGSUuBf6VTNoConMq1mDRfxhKPaI/jegXbVA80E2bcmyyprYaNg==,iv:LTWTnlQhWkw3CGm+Ot3dnF2g1hYL/jpcDA8m4YQyLts=,tag:k/JImbzjKHnii4gW3/QNTw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWUZMNVBlQ3I1NEJpSnJi\nVmt6cC9oV1Y2b1VhZlB0T21Ka2FmajNRa1JVCkl2VDBZSDNnN3AwMVozYTBiN2NF\ndUErbk40dElHbFg4eGErNDFFUFk2WWcKLS0tIExQT3FHT1N2ZEdhNU00dlNiSXZm\nc1V5c05zQUh1TWhrUUpZUDRUbjhURjAKOHUV58Le0H0hqDDOAYMcw3RLuY4V9mKu\nUrPl5hXX9hp/VAuUgWDFMZVQQ8QsK8cwrZ2UFA7dZkQ7d43B+RCCjQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZajRsSVZCZWVleVBTY1Js\nVnlLNytQUEUyN0o3SkdNT3lxWlBtbndha1dFCkR6NG4yd3BVcmRPR1A2QkFySUsz\nSnVYTHorWU5qVWdsSjUyd0dUVXNNRDgKLS0tIHdvUmJtZDZpRi9ZSmFuOWdMMHFn\neFlpZ20zZ1E4M3RDOU9zcCtBSDlNQWcKE9hSZNOjonXkDw3UgkCpb3g47a6W7hJA\nkqvWJq2OXe5Gx243edOX/nHKtesxDKUWWPJo6KKhr1QfvJtfZaNPvA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBa0tYQzQv\nL3NRU1NaNTJvb2pvS1k5dGhQRzRhRkJnU0x1VFJBcjdzdTNWbwpjbEdCUGRJTktS\nMlhXT2RTbHV5cHBCQkhhdmVMcWExVVNwOGFlOHdnZGI4Ci0tLSBQNjJXRmxDbGhX\nVnhSUktWMlh1OTZ1Y3lxQW9VVDN4dUlzRnRIV2tMUVM4CtISjtbRhpNXqHXMHB+q\nSRE/sVeZbtCBrzwIH5PhBLmnDZcFQTC5WBVSUg+AkqUoUw1gdTuLi9dwNho08V4n\n9rs=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaytuQzh6\nN05rUWFNV3JjZGIzbGFoWnpwYkNEYVdYSkM5Ry9sSmtHNW9VbgoxempnVlo0Mno4\ndHpiRHhKRmR2b2NhenZlU1Y2OUJXYVZuWk1uUGVDK040Ci0tLSA4NisrNlV2TzRv\nUVM5eGtsUkF1c2tmNFQ4K2NGTjNnaXJrUVZOcWhxREdzCk0bHmd2iAe2wK2AjPXw\nDz+ac3xmUuffDogJp0Ako+73jyEfGIxxfKiC9r5XpiVpOqeaEaLmLcp1WnuHC59K\n4mk=\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-23T22:14:50Z", + "mac": "ENC[AES256_GCM,data:uZSs9GsGnc46ZpUSH1R9snULRKhPGBTj85Jn3yOSvZFN6JjV7imTU9xS0opLqdrOPHN3VsbCilOWwQ+1/5rF3GDZrTQosAgSh0bVZJAorcdjA+CYdC90aQUcUx9qt449IE2vbRaBLwGL7TWVD1dx6Yn5knX1TUsNlxvwjmDr0wA=,iv:Il+DcwkYG6Wkeegv4UZmhUsVEd2jUQMXui0oov18bx8=,tag:+lDYf55ZCwE6mGBu5CR/Zg==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/crocus/user-password-rpqt/user-password-hash/users/rpqt b/vars/per-machine/crocus/user-password-rpqt/user-password-hash/users/rpqt new file mode 120000 index 0000000..c6af5c7 --- /dev/null +++ b/vars/per-machine/crocus/user-password-rpqt/user-password-hash/users/rpqt @@ -0,0 +1 @@ +../../../../../../sops/users/rpqt \ No newline at end of file diff --git a/vars/per-machine/crocus/user-password-rpqt/user-password/secret b/vars/per-machine/crocus/user-password-rpqt/user-password/secret new file mode 100644 index 0000000..883a52d --- /dev/null +++ b/vars/per-machine/crocus/user-password-rpqt/user-password/secret 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:WljOTaqWeokVZBaGy/iKaZ07ifkXnjfqtG4m/qxmvGg=,iv:4F0UNuO2zvX9LKFfXCHt3xgU40R0ESWqzZs2VuJ+Qh0=,tag:L3XBFiV3vIn2E1y5CCyiIg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Snd3SU50WFFzYjJjRzQ1\nSFM4MlNURXhoT3pvM2J4aGNLVGdwZnVkaXhBCjJkOXRaODZpVnA5MXR4S1hJbUZa\nN04yZXNXcEpmWmd3VmxpaGtnS21tWVkKLS0tIEtRTmY5RUJ6MmhoWHFST2J1YkMz\nbmYxTGhCMkRudzNLamcvTERjK0ZlTFEKjK0cQPJoFEgt8kOk2LXAKH0T8r7g571F\nnVXnl5RHmelbmk2Dz6iCRVpkwQXZoXgouknhPlSYHS5tx/SAz2aKyg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdlFiUjdr\nbHZhcURzYTBGN0ZTaWdwZ3RtZFZQVWhHYTM3Y3FseUViZDBWUgplRzJsaU9uVDJX\nYXZHRG9aVUZiZUljMTk3RXRSWVJLRE42TFV5RXFZZW1zCi0tLSBNbUdYcU1sVStP\ndDZPRHpmMXBVcnpTQm9wZTZqUzhCNndleEFXZnduSkUwCpABTEBuVjrAvyQD/wPi\n+R8gfb2AiqDQAAEjdf60KRc9W/968f+E0l/dKRs/EhWNO5ypQdIBsYV1lsPQjPAo\nIjM=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM3NDL0s1\nMW9odm1ML0Y1dTl5RUpaY2l1MVVFZzU0UW9EMVFlV0dUenpqZApMMGkxU3I0c05G\nMkVGUFF4TTd3WTlSc0JZVk5YMm5aUStwNHJLQWw1RkpNCi0tLSBxNWdPNUdLWVBQ\nR2NCYlNlZnJONVluL2g0b1V0TEVSOGI4bG9kT1JWMUY0ChQRkl4yfJk/BFQGFLYB\ng6hQnwTqkpL5Y4SlRvB+DN+IK6IPARDGYp29yAgR+ALYj7G95AXYK7jWTk1xRzLG\ndB8=\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-23T22:14:49Z", + "mac": 
"ENC[AES256_GCM,data:Ja82a4+hW2Nggco+Wfy05ea/1E+YZtt+tLjqBIr6FTkKZ31thsOW0IcJSQ81Z7NW9TG4Cb6TvxhPnxoIKMOdZZiW53+Wf2xHjPY15W13SxYIqiM5OVv00iHPLzXf3PxM0AREMu3E+TLF6SnbZEdYgx+Gvy0iCj0I41hskg8z3sQ=,iv:0qEC0c/ADCwWnuIkiNS3UgeOTFtAmM8BXmtvUoorpfY=,tag:rYsVDt1x+206iWCEznn+7A==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/crocus/user-password-rpqt/user-password/users/rpqt b/vars/per-machine/crocus/user-password-rpqt/user-password/users/rpqt new file mode 120000 index 0000000..c6af5c7 --- /dev/null +++ b/vars/per-machine/crocus/user-password-rpqt/user-password/users/rpqt @@ -0,0 +1 @@ +../../../../../../sops/users/rpqt \ No newline at end of file From 4caca847ceb8b01251af0564c31efa22f28f8eda Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 18/29] desktop: add loupe and evince --- nixosModules/desktop.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixosModules/desktop.nix b/nixosModules/desktop.nix index 8ab690a..ee67522 100644 --- a/nixosModules/desktop.nix +++ b/nixosModules/desktop.nix @@ -7,6 +7,8 @@ pkgs.ghostty pkgs.libreoffice pkgs.nautilus + pkgs.loupe + pkgs.evince ]; fonts.packages = [ From c42152df9dde49fcdc1b65bf03244b3d5dc6f623 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 19/29] clan: migrate admin module to sshd --- clan/flake-module.nix | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/clan/flake-module.nix b/clan/flake-module.nix index 44cdbb5..5e1745f 100644 --- a/clan/flake-module.nix +++ b/clan/flake-module.nix 
@@ -13,17 +13,6 @@ "age-plugin-yubikey" ]; - clan.inventory.instances."rpqt-admin" = { - module.input = "clan-core"; - module.name = "admin"; - roles.default.tags.server = { }; - roles.default.machines.haze = { }; - roles.default.settings.allowedKeys = { - rpqt_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze"; - nixbld_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAE nixbld@haze"; - }; - }; - clan.inventory.instances."sshd" = { module.input = "clan-core"; module.name = "sshd"; @@ -35,6 +24,10 @@ certificate.searchDomains = [ "home.rpqt.fr" ]; + authorizedKeys = { + rpqt_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze"; + nixbld_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAE nixbld@haze"; + }; }; roles.client.tags.all = { }; From 0a5ea690b5580310be37aaa2e3c374c67f9f4033 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 20/29] zerotier: use IP addresses from infra --- clan/network.nix | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/clan/network.nix b/clan/network.nix index 8c9e3d0..8c06bd1 100644 --- a/clan/network.nix +++ b/clan/network.nix @@ -2,13 +2,11 @@ { clan.inventory.instances.zerotier = { roles.controller.machines.crocus = { }; - roles.moon.machines.crocus = { - settings = { - stableEndpoints = [ - "116.203.18.122" - "2a01:4f8:1c1e:e415::/64" - ]; - }; + roles.moon.machines.crocus.settings = { + stableEndpoints = [ + self.infra.machines.crocus.ipv4 + self.infra.machines.crocus.ipv6 + ]; }; roles.peer.tags."all" = { }; }; From 3bcd5df16e53a95bc9ffa16b58dd523608bd38d8 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 21/29] clan: use yggdrasil --- clan/network.nix | 4 ++++ 1 file changed, 4 insertions(+) 
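Review bot: The `authorizedKeys` block added under `roles.server.settings` of the `sshd` instance carries both keys over from the removed `rpqt-admin` instance without recording what each key is for or which hosts it should reach. The removed instance was scoped by `roles.default.tags.server` plus machine `haze`; the machine selection of the `sshd` server role starts outside this hunk, so it is worth confirming the keys land on the same set of hosts and no wider. `nixbld@haze` reads like a build-user key and would presumably get the same login rights as the personal key. If it only serves remote builds, a comment such as `# nixbld_haze: remote-build key from haze, same access as rpqt_haze (consider a restricted account)` above the entry would make that trade-off visible.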
diff --git a/clan/network.nix b/clan/network.nix index 8c06bd1..8b66dc0 100644 --- a/clan/network.nix +++ b/clan/network.nix @@ -1,5 +1,9 @@ { self, ... }: { + clan.inventory.instances.yggdrasil = { + roles.default.tags.all = { }; + }; + clan.inventory.instances.zerotier = { roles.controller.machines.crocus = { }; roles.moon.machines.crocus.settings = { From f07e337a51cf3ae87c07079d4099be283c7e8e02 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 22/29] clan: init vaultwarden service --- clanServices/flake-module.nix | 2 ++ clanServices/vaultwarden.nix | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 clanServices/vaultwarden.nix diff --git a/clanServices/flake-module.nix b/clanServices/flake-module.nix index 138d0f4..6bef516 100644 --- a/clanServices/flake-module.nix +++ b/clanServices/flake-module.nix @@ -4,4 +4,6 @@ ./coredns/flake-module.nix ./prometheus/flake-module.nix ]; + + clan.modules."@rpqt/vaultwarden" = ./vaultwarden.nix; } diff --git a/clanServices/vaultwarden.nix b/clanServices/vaultwarden.nix new file mode 100644 index 0000000..16c60b6 --- /dev/null +++ b/clanServices/vaultwarden.nix @@ -0,0 +1,33 @@ +{ + _class = "clan.service"; + manifest.name = "vaultwarden"; + manifest.description = "Bitwarden-compatible password manager"; + manifest.exports.out = [ "endpoints" ]; + + roles.default = { + perInstance = + { + meta, + mkExports, + ... + }: + let + host = "vaultwarden.${meta.domain}"; + in + { + exports = mkExports { + endpoints.hosts = [ host ]; + }; + + nixosModule = { + services.vaultwarden = { + enable = true; + domain = host; + configureNginx = true; + }; + + clan.core.state.vaultwarden.folders = [ "/var/lib/vaultwarden" ]; + }; + }; + }; +} From c385e8cdfbb2e855ad94ec13bae24e0468392ee0 Mon Sep 17 00:00:00 2001 
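Review bot: In `clanServices/vaultwarden.nix` the `nixosModule` sets `configureNginx = true` and `domain = host`, but nothing visible gives that virtual host a certificate, whereas the module it replaces (deleted in the next patch) set `enableACME = true` and an ACME server for the same host. If the certificate is meant to come from the `pki` instance introduced later in the series, a comment next to `configureNginx` such as `# TLS certificate for this vhost is provisioned by the pki service` would document that; otherwise the vault may end up served without TLS. Registration is also left at the upstream default, so for a private instance I would add `config.SIGNUPS_ALLOWED = false;` inside `services.vaultwarden`.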
From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 23/29] vaultwarden: migrate to clan service --- clan/flake-module.nix | 5 +++++ machines/verbena/configuration.nix | 1 - nixosModules/vaultwarden.nix | 18 ------------------ 3 files changed, 5 insertions(+), 19 deletions(-) delete mode 100644 nixosModules/vaultwarden.nix diff --git a/clan/flake-module.nix b/clan/flake-module.nix index 5e1745f..db9595d 100644 --- a/clan/flake-module.nix +++ b/clan/flake-module.nix @@ -175,4 +175,9 @@ roles.worker.machines.verbena = { }; }; + clan.inventory.instances.vaultwarden = { + module.input = "self"; + module.name = "@rpqt/vaultwarden"; + roles.default.machines.verbena = { }; + }; } diff --git a/machines/verbena/configuration.nix b/machines/verbena/configuration.nix index f68c616..c42e87c 100644 --- a/machines/verbena/configuration.nix +++ b/machines/verbena/configuration.nix @@ -5,7 +5,6 @@ self.nixosModules.nextcloud self.nixosModules.gitea self.nixosModules.forgejo - self.nixosModules.vaultwarden self.inputs.srvos.nixosModules.server diff --git a/nixosModules/vaultwarden.nix b/nixosModules/vaultwarden.nix deleted file mode 100644 index 4ae455f..0000000 --- a/nixosModules/vaultwarden.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - config, - ... -}: -{ - services.vaultwarden = { - enable = true; - domain = "vaultwarden.val"; - configureNginx = true; - }; - - services.nginx.virtualHosts.${config.services.vaultwarden.domain} = { - enableACME = true; - }; - - security.acme.certs.${config.services.vaultwarden.domain}.server = - "https://ca.val/acme/acme/directory"; -} From eb80f8089c4d0d0e1e70f6aa00a479a0583b5a04 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 24/29] clan: migrate certificate service to pki --- clan/network.nix | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/clan/network.nix b/clan/network.nix index 8b66dc0..71c8429 100644 --- a/clan/network.nix +++ b/clan/network.nix 
@@ -35,16 +35,9 @@ }; }; - clan.inventory.instances.certificates = { - module.name = "certificates"; - module.input = "clan-core"; - - roles.ca.machines.verbena = { - settings.acmeEmail = "admin@rpqt.fr"; - settings.tlds = [ "val" ]; - }; + clan.inventory.instances.pki = { + module.name = "pki"; roles.default.tags.all = { }; - roles.default.settings.acmeEmail = "admin@rpqt.fr"; }; # Temporarily patched version of clan-core/coredns for AAAA records support From 1dec333f3f5b94cfeea403e27fa256403207b776 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 25/29] clan: import @shallerclan/dns service --- clanServices/dns.nix | 310 ++++++++++++++++++++++++++++++++++ clanServices/flake-module.nix | 2 + 2 files changed, 312 insertions(+) create mode 100644 clanServices/dns.nix diff --git a/clanServices/dns.nix b/clanServices/dns.nix new file mode 100644 index 0000000..c05f20f --- /dev/null +++ b/clanServices/dns.nix 
@@ -0,0 +1,310 @@ +{ ... }: +{ + _class = "clan.service"; + manifest.name = "dns"; + manifest.categories = [ "Network" ]; + manifest.description = "Clan-internal DNS and service exposure"; + manifest.readme = '' + # How it works + + Every dns-request from a clan machine lands at systemd-resolved and it resolves (forwards) requests with the following priority: + + 1. /etc/hosts file + 2. Local authority nameserver (if tld is ''${config.clan.core.settings.domain}) + 3. Configured system's dns-servers e.g. `networking.nameservers` + + The local authority nameserver is configured to answer requests only from localhost and it hosts the zonefile for the clan domain. + + For external requests, the server role must be deployed/configured. + + # Usage + + ```nix + # clan.nix + inventory.instances.dns = { + module.input = "self"; + module.name = "@schallerclan/dns"; + + roles.server = { + tags = [ "serve_dns" ]; + extraModules = [ modules/blocky.nix ]; + + machines."myMachine01" = {}; + }; + + roles.default.machines."myMachine01".settings = { + records = { + A = [ + "203.0.113.1" # www + "10.0.0.1" # wireguard + "100.0.0.1" # tailscale + ]; + AAAA = [ + "2001:db8::1" # www + "fc00::1" # wireguard + "fd00::1" # tailscale + "400::1" # mycelium + "200::1" # yggdrasil + ]; + }; + }; + + roles.default.machines."myMachine02".settings = { + records = { + A = [ + "203.0.113.2" # www + "10.0.0.2" # wireguard + "100.0.0.2" # tailscale + ]; + AAAA = [ + "2001:db8::2" # www + "fc00::2" # wireguard + "fd00::2" # tailscale + "400::2" # mycelium + "200::2" # yggdrasil + ]; + }; + + services = [ "foo" ]; + }; + }; + ``` + + The example will result into the following records, in the zonefile: + + ``` + myMachine01.clan A 203.0.113.1 + myMachine01.clan A 10.0.0.1 + myMachine01.clan A 100.0.0.1 + myMachine01.clan AAAA 2001:db8::1 + myMachine01.clan AAAA fd00::1 + myMachine01.clan AAAA fc00::1 + myMachine01.clan AAAA 400::1 + myMachine01.clan AAAA 200::1 + + myMachine02.clan A 203.0.113.2 + 
myMachine02.clan A 10.0.0.2 + myMachine02.clan A 100.0.0.2 + myMachine02.clan AAAA 2001:db8::2 + myMachine02.clan AAAA fd00::2 + myMachine02.clan AAAA fc00::2 + myMachine02.clan AAAA 400::2 + myMachine02.clan AAAA 200::2 + + foo.clan A 203.0.113.2 + foo.clan A 10.0.0.2 + foo.clan A 100.0.0.2 + foo.clan AAAA 2001:db8::2 + foo.clan AAAA fd00::2 + foo.clan AAAA fc00::2 + foo.clan AAAA 400::2 + foo.clan AAAA 200::2 + ``` + ''; + + roles.default = { + description = '' + Machines in this role will take part in dns. + + Machines will + - register their hostname with the configured records + - register their `settings.services` with the configured records + - be able to resolve all records locally + ''; + + interface = + { lib, ... }: + { + options = with lib.types; { + records = lib.mkOption { + type = attrsOf (coercedTo str (s: [ s ]) (listOf str)); + default = { }; + description = '' + DNS records for the machine and all its services. + + Technically, no restrictions on which dns records can be used. But + intended for A and AAAA records. + ''; + example = { + A = [ + "203.0.113.2" # www + "10.0.0.2" # wireguard + "100.0.0.2" # tailscale + ]; + AAAA = [ + "2001:db8::2" # www + "fd28:387a:6e:df00::2" # wireguard + "fd7a:115c:a1e0::2" # tailscale + "400::2" # mycelium + "200::2" # yggdrasil + ]; + }; + }; + + services = lib.mkOption { + type = listOf str; + default = [ ]; + description = '' + Service endpoints this host exposes (without TLD). Each entry will be resolved to .''${config.clan.core.settings.domain}. + ''; + }; + }; + }; + + perInstance = + { roles, settings, ... }: + { + nixosModule = + { + lib, + config, + pkgs, + ... 
+ }: + { + networking.nameservers = [ "[::1]:1053#${config.clan.core.settings.domain}" ]; + + services.resolved.domains = [ "~${config.clan.core.settings.domain}" ]; + + services.unbound = { + enable = true; + + # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html + settings = { + server = { + port = 1053; + verbosity = 2; + interface = [ + "127.0.0.1" + "::1" + ]; + access-control = [ + "127.0.0.0/8 allow" + "::0/64 allow" + ]; + do-not-query-localhost = false; + domain-insecure = [ "${config.clan.core.settings.domain}." ]; + }; + + auth-zone = [ + { + name = config.clan.core.settings.domain; + zonefile = "${pkgs.writeTextFile ( + let + nsRecords = lib.lists.concatLists ( + # ↓ this machine + lib.lists.forEach (lib.attrsToList settings.records) ( + record: lib.lists.forEach record.value (value: "ns ${record.name} ${value}") + ) + ); + + machineRecords = lib.lists.concatLists ( + lib.lists.forEach (lib.attrNames roles.default.machines) ( + machine: + lib.lists.concatLists ( + lib.lists.forEach (lib.attrsToList roles.default.machines.${machine}.settings.records) ( + record: lib.lists.forEach record.value (value: "${machine} ${record.name} ${value}") + ) + ) + ) + ); + + serviceRecords = lib.lists.concatLists ( + lib.lists.forEach (lib.attrNames roles.default.machines) ( + machine: + lib.lists.concatLists ( + lib.lists.forEach roles.default.machines.${machine}.settings.services ( + service: + lib.lists.concatLists ( + lib.lists.forEach (lib.attrsToList roles.default.machines.${machine}.settings.records) ( + record: lib.lists.forEach record.value (value: "${service} ${record.name} ${value} ; ${machine}") + ) + ) + ) + ) + ) + ); + in + { + name = "db.${config.clan.core.settings.domain}.zone"; + text = lib.strings.concatStringsSep "\n\n" [ + '' + $ORIGIN ${config.clan.core.settings.domain}. 
+ $TTL 3600 + @ IN SOA ns admin 1 7200 3600 1209600 3600 + @ IN NS ns + '' + (lib.strings.concatStringsSep "\n" nsRecords) + (lib.strings.concatStringsSep "\n" machineRecords) + (lib.strings.concatStringsSep "\n" serviceRecords) + ]; + } + )}"; + } + ]; + }; + }; + }; + }; + }; + + roles.server = { + description = '' + Additional role upon `roles.default`. + + Machines in this role will serve [blocky](https://0xerr0r.github.io/blocky/latest/) as a dns server on port 53, including all dns records in the default role. + + For blocky (dns server) configuration, make a new file at e.g. `modules/blocky.nix` and include it with `roles.server.extraModules [ modules/blocky.nix ];` + + ```nix + # modules/blocky.nix + { + # https://0xerr0r.github.io/blocky/latest/configuration + services.blocky.settings = { + # ... + }; + } + ``` + + With `systemctl status blocky.service` check, if blocky was configured correctly. + ''; + + perInstance = { + nixosModule = + { lib, config, ... }: + { + networking.firewall.allowedTCPPorts = [ 53 ]; + networking.firewall.allowedUDPPorts = [ 53 ]; + + services.resolved.enable = false; + services.blocky = { + enable = true; + settings = { + upstreams.groups.default = lib.mkDefault [ + # quad9 + "9.9.9.9" + "149.112.112.112" + "2620:fe::fe" + "2620:fe::9" + # cloudflare + "1.1.1.1" + "1.0.0.1" + "2606:4700:4700::1111" + "2606:4700:4700::1001" + ]; + + conditional.mapping = { + ${config.clan.core.settings.domain} = "tcp+udp:[::1]:1053"; + }; + }; + }; + }; + }; + }; + + perMachine = { + nixosModule = { + services.tailscale.extraUpFlags = [ "--accept-dns=false" ]; + }; + }; +} diff --git a/clanServices/flake-module.nix b/clanServices/flake-module.nix index 6bef516..2a428e5 100644 --- a/clanServices/flake-module.nix +++ b/clanServices/flake-module.nix @@ -6,4 +6,6 @@ ]; clan.modules."@rpqt/vaultwarden" = ./vaultwarden.nix; + + clan.modules."@schallerclan/dns" = ./dns.nix; } From cc02c1077b4e81959620e6731cf36511b47ee644 Mon Sep 17 00:00:00 2001 
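Review bot: In the unbound `server` settings of `clanServices/dns.nix`, `access-control` allows `::0/64`, which is the whole `::/64` block rather than IPv6 loopback; since `interface` binds only `127.0.0.1` and `::1`, the tight form is `"::1/128 allow"`. Separately, `roles.server` opens TCP and UDP port 53 on every interface through `networking.firewall.allowedTCPPorts` and `allowedUDPPorts` while blocky forwards to public upstreams, so a machine with a public address that receives the `dns` tag would answer recursive queries from anyone. Scoping the ports per interface, e.g. `networking.firewall.interfaces.<mesh-if>.allowedUDPPorts = [ 53 ];` (the interface name is a placeholder) and the same for TCP, keeps the resolver on the clan network. The `roles.server` description should also say which networks are expected to reach port 53.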
From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 26/29] clan: migrate from coredns to shallerclan/dns --- clan/network.nix | 45 ++++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/clan/network.nix b/clan/network.nix index 71c8429..46bfdd5 100644 --- a/clan/network.nix +++ b/clan/network.nix @@ -40,33 +40,36 @@ roles.default.tags.all = { }; }; - # Temporarily patched version of clan-core/coredns for AAAA records support - clan.inventory.instances.coredns = { - module.name = "@rpqt/coredns"; + clan.inventory.instances.dns = { module.input = "self"; + module.name = "@schallerclan/dns"; - roles.default.tags.all = { }; - roles.server.machines.verbena = { - settings.ip = "fd28:387a:90:c400::1"; - settings.dnsPort = 53; - }; - roles.server.machines.crocus = { - settings.ip = "fd28:387a:90:c400:6db2:dfc3:c376:9956"; - }; - roles.server.settings = { - tld = "val"; + roles.server.tags = [ "dns" ]; + roles.default.tags = [ "all" ]; + + roles.default.machines."verbena".settings = { + records = { + AAAA = [ + "200:b038:ab12:ac69:8675:7e47:41f4:12f4" # yggdrasil + ]; + }; + services = [ "vaultwarden" ]; }; - roles.default.machines.verbena.settings = { - ip = "fd28:387a:90:c400::1"; - services = [ - "ca" - "vaultwarden" - ]; + roles.default.machines."crocus".settings = { + records = { + AAAA = [ + "200:bcfc:9787:29b9:46e0:e75d:a912:dfdc" # yggdrasil + ]; + }; }; - roles.default.machines.genepi.settings = { - ip = "fd28:387a:90:c400:ab23:3d38:a148:f539"; # FIXME: IPv4 expected (A record) + roles.default.machines."genepi".settings = { + records = { + AAAA = [ + "200:b839:2d6f:3dad:adab:e104:26e2:f12b" # yggdrasil + ]; + }; services = [ "actual" "assistant" From 0869a058c4d2d09948865d43b912cb998e6c785b Mon Sep 17 00:00:00 2001 
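Review bot: The new `records` for `verbena`, `crocus` and `genepi` hard-code Yggdrasil `200:` addresses, which are derived from each node's key, so a regenerated key leaves the zone pointing service names at a stale address with nothing to flag it. The zerotier change earlier in this series moved its addresses to `self.infra.machines.<name>`; keeping these in the same place, or at least adding `# must match this machine's current yggdrasil key` beside each entry, would keep them in step. These AAAA records are now the only addresses behind names such as `vaultwarden`, so those services are reached over the Yggdrasil interface; whether that interface is firewalled to clan peers is not visible here and is worth confirming. The hunk ends inside genepi's `services` list.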
From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 27/29] machines/haze: remove unused tailscale option --- machines/haze/configuration.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/machines/haze/configuration.nix b/machines/haze/configuration.nix index 514b199..d2a0b09 100644 --- a/machines/haze/configuration.nix +++ b/machines/haze/configuration.nix @@ -84,7 +84,6 @@ wheelNeedsPassword = false; }; - services.tailscale.useRoutingFeatures = "client"; services.displayManager.autoLogin = { enable = true; From fd8ce4e8b8ce664265eb70ba3bfb8ca8c40ca4c9 Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 28/29] clan: remove home.rpqt.fr ssh certificates --- clan/flake-module.nix | 9 --------- 1 file changed, 9 deletions(-) diff --git a/clan/flake-module.nix b/clan/flake-module.nix index db9595d..2cf52fe 100644 --- a/clan/flake-module.nix +++ b/clan/flake-module.nix @@ -21,21 +21,12 @@ self.nixosModules.hardened-ssh-server ]; roles.server.settings = { - certificate.searchDomains = [ - "home.rpqt.fr" - ]; authorizedKeys = { rpqt_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze"; nixbld_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAE nixbld@haze"; }; }; - roles.client.tags.all = { }; - roles.client.settings = { - certificate.searchDomains = [ - "home.rpqt.fr" - ]; - }; }; clan.inventory.instances.user-rpqt = { From a895d32b60bdc07095e64c4e888585a82da87adf Mon Sep 17 00:00:00 2001 From: Romain Paquet Date: Tue, 24 Feb 2026 17:53:46 +0100 Subject: [PATCH 29/29] clan: tag verbena to serve DNS --- clan/machines.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/clan/machines.nix b/clan/machines.nix index 8910a89..6866557 100644 --- a/clan/machines.nix +++ b/clan/machines.nix @@ -22,6 +22,7 @@ tags = [ "garage" "server" + "dns" ]; }; };