From 5b2ca885979bf71c2043280708d2e781b4e87000 Mon Sep 17 00:00:00 2001 From: Noratrieb <48135649+Noratrieb@users.noreply.github.com> Date: Tue, 6 Aug 2024 22:12:16 +0200 Subject: [PATCH] high availability caddy this was a fucking nightmare. setting up the s3 storage plugin was painful, since caddy plugins are not nicely supported by the nix build yet. rip. oh well, i got it working. and it WORKS --- newinfra/nix/hive.nix | 3 +- newinfra/nix/modules/dns/noratrieb.dev.nix | 9 +- newinfra/nix/modules/garage/README.md | 9 ++ newinfra/nix/modules/ingress/base.Caddyfile | 17 +++ newinfra/nix/modules/ingress/caddy-build.nix | 116 ++++++++++++++++++ newinfra/nix/modules/ingress/default.nix | 64 ++++++---- newinfra/nix/secrets/caddy_s3_key_secret.age | Bin 0 -> 661 bytes .../nix/secrets/docker_registry_password.age | Bin 233 -> 233 bytes newinfra/nix/secrets/garage_secrets.age | Bin 795 -> 795 bytes newinfra/nix/secrets/hugochat_db_password.age | Bin 339 -> 339 bytes newinfra/nix/secrets/minio_env_file.age | 13 +- newinfra/nix/secrets/secrets.nix | 1 + newinfra/nix/secrets/wg_private_vps1.age | 8 +- newinfra/nix/secrets/wg_private_vps3.age | 8 +- newinfra/nix/secrets/wg_private_vps4.age | 9 +- newinfra/nix/secrets/wg_private_vps5.age | Bin 256 -> 256 bytes newinfra/nix/secrets/widetom_bot_token.age | Bin 272 -> 272 bytes newinfra/nix/secrets/widetom_config_toml.age | Bin 4006 -> 4006 bytes .../secrets-git-crypt/caddy_s3_key_secret | Bin 0 -> 141 bytes 19 files changed, 209 insertions(+), 48 deletions(-) create mode 100644 newinfra/nix/modules/ingress/base.Caddyfile create mode 100644 newinfra/nix/modules/ingress/caddy-build.nix create mode 100644 newinfra/nix/secrets/caddy_s3_key_secret.age create mode 100644 newinfra/secrets-git-crypt/caddy_s3_key_secret diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix index 09bd1ef..32829d6 100644 --- a/newinfra/nix/hive.nix +++ b/newinfra/nix/hive.nix 
@@ -29,7 +29,7 @@ wg = { privateIP = "10.0.0.1"; publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ="; - peers = [ "vps3" "vps4" ]; + peers = [ "vps3" "vps4" "vps5" ]; }; }; vps3 = { @@ -142,6 +142,7 @@ ./modules/contabo ./modules/wg-mesh ./modules/ingress + ./modules/garage ./modules/podman # apps diff --git a/newinfra/nix/modules/dns/noratrieb.dev.nix b/newinfra/nix/modules/dns/noratrieb.dev.nix index 3c49bb3..40b6609 100644 --- a/newinfra/nix/modules/dns/noratrieb.dev.nix +++ b/newinfra/nix/modules/dns/noratrieb.dev.nix @@ -12,10 +12,15 @@ let vps2 = { A = [ "184.174.32.252" ]; }; + + combine = hosts: { + A = lib.lists.flatten (map (host: if builtins.hasAttr "A" host then host.A else [ ]) hosts); + AAAA = lib.lists.flatten (map (host: if builtins.hasAttr "AAAA" host then host.AAAA else [ ]) hosts); + }; in with hostsToDns; - # vps1 contains root noratrieb.dev - vps1 // { + # vps{1,3,4} contains root noratrieb.dev + combine [ vps1 vps3 vps4 ] // { SOA = { nameServer = "ns1.noratrieb.dev."; adminEmail = "void@noratrieb.dev"; diff --git a/newinfra/nix/modules/garage/README.md b/newinfra/nix/modules/garage/README.md index d049bb4..e1c57cb 100644 --- a/newinfra/nix/modules/garage/README.md +++ b/newinfra/nix/modules/garage/README.md @@ -8,6 +8,15 @@ | name | disk space | identifier | zone | | ---- | ---------- | ---------- | ----- | +| vps3 | 70GB | cabe | co-du | | vps3 | 100GB | 020bd | co-ka | | vps4 | 30GB | 41e40 | he-nu | | vps5 | 100GB | 848d8 | co-du | + +## buckets + +- `caddy-store`: Store for Caddy webservers + +## keys + +- `caddy`: `GK25e33d4ba20d54231e513b80` diff --git a/newinfra/nix/modules/ingress/base.Caddyfile b/newinfra/nix/modules/ingress/base.Caddyfile new file mode 100644 index 0000000..e429899 --- /dev/null +++ b/newinfra/nix/modules/ingress/base.Caddyfile 
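Review bot: In the noratrieb.dev.nix hunk, `combine` writes the attribute test out twice as `if builtins.hasAttr "A" host then host.A else [ ]`, where Nix's `or` default says the same thing more directly: `A = lib.concatMap (host: host.A or [ ]) hosts;`, and likewise for `AAAA`. The helper also carries no comment saying that every host passed to it becomes an apex record and therefore has to be able to terminate TLS for noratrieb.dev. A one-line comment above `combine` stating that would help whoever adds the next host. The `let` block begins above the hunk.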
@@ -0,0 +1,17 @@
+{
+ email noratrieb@proton.me
+ auto_https disable_redirects
+
+ storage s3 {
+ host "localhost:3900"
+ bucket "caddy-store"
+ # access_id ENV S3_ACCESS_ID
+ # secret_key ENV S3_SECRET_KEY
+
+ insecure true
+ }
+}
+
+http:// {
+ respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418
+}
diff --git a/newinfra/nix/modules/ingress/caddy-build.nix b/newinfra/nix/modules/ingress/caddy-build.nix
new file mode 100644
index 0000000..e82302e
--- /dev/null
+++ b/newinfra/nix/modules/ingress/caddy-build.nix
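Review bot: The `storage s3` block in base.Caddyfile sets `insecure true` without saying why, and this bucket will hold the certificate private keys and ACME account data shared by the ingress nodes. As far as I can tell the flag makes the plugin talk plain HTTP to the endpoint, which is tolerable only while `host` stays `localhost:3900`. I would add a comment such as `# plain HTTP is acceptable only because Garage listens on loopback; remove if host ever becomes remote`. The two commented-out `access_id` / `secret_key` lines also deserve a short note that the credentials are expected from the service environment instead, assuming that is how the plugin picks them up.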
@@ -0,0 +1,116 @@ +# Copied from https://github.com/NixOS/nixpkgs/pull/259275 and updated. + +{ lib +, buildGoModule +, fetchFromGitHub +, gnused +, nixosTests +, caddy +, stdenv +, testers +, installShellFiles +, externalPlugins ? [ ] +, vendorHash ? "sha256-1Api8bBZJ1/oYk4ZGIiwWCSraLzK9L+hsKXkFtk6iVM=" +}: + +let + attrsToModules = attrs: + builtins.map ({ name, repo, version }: "${repo}") attrs; + attrsToSources = attrs: + builtins.map ({ name, repo, version }: "${repo}@${version}") attrs; +in +buildGoModule rec { + pname = "caddy"; + version = "2.8.4"; + + dist = fetchFromGitHub { + owner = "caddyserver"; + repo = "dist"; + rev = "v${version}"; + hash = "sha256-O4s7PhSUTXoNEIi+zYASx8AgClMC5rs7se863G6w+l0="; + }; + + src = fetchFromGitHub { + owner = "caddyserver"; + repo = "caddy"; + rev = "v${version}"; + hash = "sha256-CBfyqtWp3gYsYwaIxbfXO3AYaBiM7LutLC7uZgYXfkQ="; + }; + + inherit vendorHash; + + subPackages = [ "cmd/caddy" ]; + + ldflags = [ + "-s" + "-w" + "-X github.com/caddyserver/caddy/v2.CustomVersion=${version}" + ]; + + # matches upstream since v2.8.0 + tags = [ "nobadger" ]; + + nativeBuildInputs = [ gnused installShellFiles ]; + + modBuildPhase = '' + for module in ${builtins.toString (attrsToModules externalPlugins)}; do + sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go + done + for plugin in ${builtins.toString (attrsToSources externalPlugins)}; do + go get $plugin + done + + go generate + go mod vendor + ''; + + modInstallPhase = '' + mv -t vendor go.mod go.sum + cp -r --reflink=auto vendor "$out" + ''; + + preBuild = '' + chmod -R u+w vendor + [ -f vendor/go.mod ] && mv -t . 
vendor/go.{mod,sum} + go generate + + for module in ${builtins.toString (attrsToModules externalPlugins)}; do + sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go + done + ''; + + postInstall = '' + install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system + + substituteInPlace $out/lib/systemd/system/caddy.service \ + --replace-fail "/usr/bin/caddy" "$out/bin/caddy" + substituteInPlace $out/lib/systemd/system/caddy-api.service \ + --replace-fail "/usr/bin/caddy" "$out/bin/caddy" + '' + lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' + # Generating man pages and completions fail on cross-compilation + # https://github.com/NixOS/nixpkgs/issues/308283 + + $out/bin/caddy manpage --directory manpages + installManPage manpages/* + + installShellCompletion --cmd caddy \ + --bash <($out/bin/caddy completion bash) \ + --fish <($out/bin/caddy completion fish) \ + --zsh <($out/bin/caddy completion zsh) + ''; + passthru.tests = { + inherit (nixosTests) caddy; + version = testers.testVersion { + command = "${caddy}/bin/caddy version"; + package = caddy; + }; + }; + + meta = with lib; { + homepage = "https://caddyserver.com"; + description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS"; + license = licenses.asl20; + mainProgram = "caddy"; + maintainers = with maintainers; [ Br1ght0ne emilylange techknowlogick ]; + }; +} diff --git a/newinfra/nix/modules/ingress/default.nix b/newinfra/nix/modules/ingress/default.nix index e0a2704..ea925d1 100644 --- a/newinfra/nix/modules/ingress/default.nix +++ b/newinfra/nix/modules/ingress/default.nix 
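Review bot: The default `vendorHash` in caddy-build.nix is presumably only valid for an empty `externalPlugins`, and nothing in the file says that the two arguments have to change together. The vendor tree is a fixed-output derivation, so if a plugin's `version` is bumped while the old hash is kept, Nix can reuse an already-built vendor directory and ship the previous plugin code instead of failing. A comment above the argument, for example `# must be recomputed whenever externalPlugins changes (set to lib.fakeHash first to force a refetch)`, would make that explicit. Separately, the `sed` loop that injects the plugin imports is duplicated in `modBuildPhase` and `preBuild`, and `go get $plugin` is unquoted; binding the loop once in the `let` block and writing `go get "$plugin"` would keep the two phases from drifting apart.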
@@ -1,7 +1,20 @@ -{ pkgs, nixpkgs-unstable, config, lib, name, website, slides, blog, ... }: +{ pkgs, config, lib, name, website, slides, blog, ... }: -let caddy = nixpkgs-unstable.caddy; in +let + caddy = pkgs.callPackage ./caddy-build.nix { + externalPlugins = [ + { + name = "certmagic-s3"; + repo = "github.com/noratrieb-mirrors/certmagic-s3"; + version = "e48519f95173e982767cbb881d49335b6a00a599"; + } + ]; + vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI="; + }; +in { + environment.systemPackages = [ caddy ]; + networking.firewall = { allowedTCPPorts = [ 80 # HTTP @@ -12,22 +25,17 @@ let caddy = nixpkgs-unstable.caddy; in ]; }; + age.secrets.caddy_s3_key_secret.file = ../../secrets/caddy_s3_key_secret.age; + + systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.caddy_s3_key_secret.path; services.caddy = { enable = true; package = caddy; configFile = pkgs.writeTextFile { name = "Caddyfile"; text = ( + builtins.readFile ./base.Caddyfile + '' - { - email nilstrieb@proton.me - auto_https disable_redirects - } - - http:// { - respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418 - } - ${config.networking.hostName}.infra.noratrieb.dev { encode zstd gzip header -Last-Modified 
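Review bot: The `EnvironmentFile` line added in the second hunk gives no hint of which variables the decrypted file has to define; the only trace is the commented-out `ENV S3_ACCESS_ID` / `ENV S3_SECRET_KEY` lines in base.Caddyfile. A comment above it, e.g. `# env file must define S3_ACCESS_ID and S3_SECRET_KEY for the certmagic-s3 storage plugin`, would save the next maintainer from decrypting the secret to find out. The names are inferred from those comments, so confirm them against the plugin before writing them down. The `services.caddy` attribute set continues past the end of this hunk.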
@@ -37,29 +45,33 @@ let caddy = nixpkgs-unstable.caddy; in inherit pkgs lib; }} file_server { - etag_file_extensions .sha256 - precompressed zstd gzip br + etag_file_extensions .sha256 + precompressed zstd gzip br } } ${ - if name == "vps1" then - builtins.readFile ./Caddyfile + '' - noratrieb.dev { - encode zstd gzip - header -Last-Modified - root * ${import ./caddy-static-prepare { - name = "website"; - src = website { inherit pkgs slides blog; }; - inherit pkgs lib; - }} - file_server { + if name == "vps1" || name == "vps3" || name == "vps4" then '' + noratrieb.dev { + encode zstd gzip + header -Last-Modified + root * ${import ./caddy-static-prepare { + name = "website"; + src = website { inherit pkgs slides blog; }; + inherit pkgs lib; + }} + file_server { etag_file_extensions .sha256 precompressed zstd gzip br - } - } + } + } '' else "" } + + ${ + if name == "vps1" then + builtins.readFile ./Caddyfile else "" + } '' ); checkPhase = '' diff --git a/newinfra/nix/secrets/caddy_s3_key_secret.age b/newinfra/nix/secrets/caddy_s3_key_secret.age new file mode 100644 index 0000000000000000000000000000000000000000..fb2c2a754db15c81cbefb5d9e6c296463d9f99ac GIT binary patch literal 661 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH^fe2KOjk(r&x}ac z4#)}5@=Eh5H8-}*&P^)yu1a$aDk^s?GfK`V2uw;Y4l;8s59Bg%wX`fMD$Vt=Ofm4u z&GO83$<4^pPERt)D^4piHgxpYHViSGDn5T$l&s*ijZ)9*LNi16%yU;{4afI^@AptOi$@5p>@3lq~4AA?Fq7fb&LXZ_@K z=dwh%?EH#M^D6Hgqd;`q%0kRtD;yP~yo#&bBP>FbqP$(R(y}v(qlzn1-Gg!+v&t&{ z^xX<`JwGIE1TU2=ni^8Gxr zv-7#uOZ6=&<=?kKly`aXUh#`nWHXc^|%i_CCt{ KF4L8x-dz9;hw7{V literal 0 HcmV?d00001 
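Review bot: The condition `name == "vps1" || name == "vps3" || name == "vps4"` repeats by hand the host list that the DNS module passes to `combine [ vps1 vps3 vps4 ]`, and nothing ties the two together. If a host is later added to the apex records but not here, a share of visitors will reach a server that has no `noratrieb.dev` site block and no certificate for it. At minimum I would write it as `if builtins.elem name [ "vps1" "vps3" "vps4" ] then ''` with a comment pointing at the DNS file; a single shared list consumed by both modules would be better still. The enclosing `configFile` definition starts above the hunk and continues past it.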
diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age index 49979e75fc0f2d9a9c820f6a2d8e609204bb827e..954d1ddde8b1b76285c6896c863a73cdb961c5f4 100644 GIT binary patch delta 197 zcmaFK_>ysgPJLlsKweI6cD}obsZXI{Wx2LtVNz5`W}2B_Ntj1aVREiXm~%;Ks(XG& zHkY$!ai&>mN^Y=WXnMAGnrWVPgh{e?c~ORCQgEf2pR1FxQ@UGTpmVmVE0?aWu0mu+ zRYitTq;HyGd1+asS!J$~V@gs^fQMI*xqg9xhp&rwn4NZDxxT)ob|hE$`%;GWSMIzz z;r03LhD8UMCtVlY`Jn&6XFI8{V!S)}KKE^jJAKI0R90Q<+aH@VS;>Lrn^!LZ00PiV ADgXcg delta 197 zcmaFK_>ysgPJMEwS5%UViF;^La#(JqSy5(oWr|^Td9asru~V6GW{H!jVX?V!aZzrD zBbR=Zg;PX@Yf@@ddR0`EwriwMQl_z`k7uc2ctxQ>MOLu7XRV zPl-iQNVZvUUbhv=JNV!Pj 
diff --git a/newinfra/nix/secrets/garage_secrets.age b/newinfra/nix/secrets/garage_secrets.age index 4535b10a425d7f6514d6da0f25ec21f192dada6f..db044a1984dcc104cdb93894fa84e85265a8306e 100644 GIT binary patch delta 725 zcmbQuHk)mNPJKjRR;F{Av3qer~dS!Sd`xPePpdZn+UesXc5i%V!xdA?6jNUpg{SeZ|@evXSlAeXM4LUD11 zZfc5=si~o*LPV9Lb5x*0zJ6jsM3|v@N@;MVqi=1%(c|}pFv#Y*Ac&U?rT3%F6MMOkOnOQ|~a$A?8{6xgm~R1p)4v zp5@vmRhfPPE}q`yzOE@%J|$&E`Nqk)+BwMq70%ibX2D5mxfLdp;~B;43-Zj014=A% zgM)IMOB3@mQ#|zp!#ym@at)FqGLu{bO&zseQiCG1t18pEijBP^y?qKjih_cYO_B`! zoh?E=4V^PBEsTANi%f!j4MV)$QvD;f-CfJMbaizVGKzDGj4T5(jIvz=EPO4^)3r^5 zf`f94ybFypQbYYy{G$x((+ZL*lPk1Cxk{dL?>t;CRKMk1+a1Rl+<`G055z`Y*ep^P zyk>h{J&*0RGrg~lrOe1UYkn7%|HKc<>h^O@8D$-{|Ot4YxxbGpB?5}H#a!k zvQ@w8m5`_0o1{pExT6hs*Cd|2P<-QJ{qB9yB5$ufw&e6KJQXG@m2GTy)vR8diO+1q z_Zb{}-39YK7n|*6;c>nhQ@&+=+LJAQWp=Z&+-;s2^ltZGcJl1KpwpMvh}s8;>}c3< zeZvC3wru~W-&Q9@6*H?uuX@Ryzh~E`YsWVSMl)_Yq-P^-n>CNe?dSVhGtEw%ntI7x zAWMBmqoLfS)px!ZX{7spkL$9VcvFaFi3Z=P&U^kJrDr^Sv+4{BSKGyksEc8uhGOC` UqGQkTd$V`?1>C)H`>f~+0K>Z+5&!@I delta 725 zcmbQuHk)mNPJL#MzrVLpd8AvQwrOyIUr1(HMzV3RVMJuOcan#bk+FNWx3^QalXs45 zGFMPxV0e(FYoU)}fJ;?|zNLjvQm9W>xra}fuVZnAzn^hwv9^D5m7$MkD3`9CLUD11 zZfc5=si~o*LPV9Lb5x*$zn_7lm$R#Xu0>geOI5B*m7AqWxu!a*kv1 z#E;_Pm4*>+E-r=UL7s+w`c;u-u3mv5g-+&fe%acYCT8YA5!q#>rfKDl+IgN_6+s40 zY1su4<)ukceuf^75yhdNmaZ9r#vX+RhEYCQ`Chpd5rt8~7U_YL;~B;4%?k}&ozl!a zle10yf{aSNDowJ?EB#W+19O8dQ{9uD-AjW^Jaebho>ck)>OMU&Z&qVJ?mi*xJBJnqHf z{U|0z#yHG=P1%h1jU02h>-696d&lVN9JSs-^~53XWtOaN-n=(wWY2&5dujc`#WPjj zmU&;DV)g28^s4u2x;fo4Y~nt@e)Fh3`{bv?q@A{3Blpz)fc5p~S$kf$EhtX8%eXqX z`wzcdL~ugTqwqMj=Q00VR&+dn{<2ej^;@Cp=SGX-pQ_vZJneb=a9z;*zs&t7_si{f ztmW~(xkV&Ch3RW;RqRqt;~mB;-`l7?(|9x`f$!~}GYJuXmHm_1C3tT31#HfG$1f%S UciJ-d;B_ZO_GtvDYS!6+& z0hf73WnPw3a6!JgrC*tWXI7v^X?SL!L6LD|E#y>o$m0vLZ1%(Dx2&ld+*2U#fej4e zZ3_O)>b~{Ms}j4km$i1n;(|xF)P1@kyHRO+gY%aSaht=I+=|_|xFGfKFWJfL-vd)h z7S7x?JGaN*NzO!bYK*^B(N;eGmhgF(gM?SvZ}2tMJQ@?(R^70Rahv7FDB*|8SIqb^ Hd%Xz&R?d8n delta 304 
zcmcc2beU;_PJNz%MS8l4PjX43Nq%HWqEonbrIVL;nNwv!S!k+hnxChqhr3Tu0ncF zMtE{$a*~CiepzLazISShM?i66Za|@hWol@$QFvCOQ+-yMfklb2ivbtsy8~UC>z3WQ znl|qGEvEQNB=7>`oT0!ZSq#$9WSP6b>IHU9{$t$>$4*z zcdI|$^15*F{g1atHfW}|d2BD|a(c4hm)J~ZHin0@Y!7@af5>t&Lc@6j$DHJSZ*M7n KRxuBcIST+&g@jcA diff --git a/newinfra/nix/secrets/minio_env_file.age b/newinfra/nix/secrets/minio_env_file.age index e257c84..8c5e8e2 100644 --- a/newinfra/nix/secrets/minio_env_file.age +++ b/newinfra/nix/secrets/minio_env_file.age @@ -1,8 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg 5dnvDdUqtCoJo4RYNTpIw4ckH0um6E50ZcOs08ZZLig -6hwjJMNit300VZhBeID7kdV8NJBbZg/3bq8vHO8R9i8 --> ssh-ed25519 XzACZQ g+vhR2tRcQHZ/8Ud0oDxA0a+d1+dyNMVi21GbNRXrx0 -6kYx9RQYfuqvEfm3qpSp9oKXktJccqQoYEvI+SEhEqg ---- 1Z17ztzvaWForsjjcF72J0/bdSmZCqEuScxEQ22V6xo -G}7[ES݌ aOONlTGN_ -!H@ѬM6^$۲o@څuMY;(8++ϐMlQamG|Y \ No newline at end of file +-> ssh-ed25519 qM6TYg Jtt9cLPGha9Qs5gEuKSwU3E1bNMhrjlHtnj/I3dKqW0 +0iDfPorED8lq0Rc5LVDNWID7l2F+AnmeEr7Yik/OC44 +-> ssh-ed25519 XzACZQ Q9WpNGn/k35J0/LzGAlcf1ktN2/VG3nZdpfMbJXAnWw +bl2Pasbxmb6LNbWiZrEVBQ99gYYC5Md6kdvIt4VAf7k +--- +B0f8ilJGkB7Qj+BdzeKfW6HRl9yzMd+iT4sOAmJI5Y +\ȁ'ZtbJ7AL⛣&C+LMnhІ]R; ԆJHKO7B\(QmΒU>r4"XhIdcE6G_oN \ No newline at end of file diff --git a/newinfra/nix/secrets/secrets.nix b/newinfra/nix/secrets/secrets.nix index 174ab60..3d82c2e 100644 --- a/newinfra/nix/secrets/secrets.nix +++ b/newinfra/nix/secrets/secrets.nix @@ -11,6 +11,7 @@ in "hugochat_db_password.age".publicKeys = [ vps1 ]; "minio_env_file.age".publicKeys = [ vps1 vps3 ]; "garage_secrets.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; + "caddy_s3_key_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; "wg_private_vps1.age".publicKeys = [ vps1 ]; "wg_private_vps3.age".publicKeys = [ vps3 ]; "wg_private_vps4.age".publicKeys = [ vps4 ]; diff --git a/newinfra/nix/secrets/wg_private_vps1.age b/newinfra/nix/secrets/wg_private_vps1.age index 07c8d4f..2137537 100644 --- a/newinfra/nix/secrets/wg_private_vps1.age 
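Review bot: In secrets.nix, `caddy_s3_key_secret.age` is encrypted to `vps5` as well, while the ingress change in this commit names only vps1, vps3 and vps4 as hosts serving the shared site. That key opens the bucket holding Caddy's certificate private keys, so the recipient list should match the hosts that actually run Caddy with the S3 store. If vps5 does not (this diff does not show it either way), use `"caddy_s3_key_secret.age".publicKeys = [ vps1 vps3 vps4 ];`. If it does, a short comment saying so would explain why the list is wider than the site condition in default.nix.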
+++ b/newinfra/nix/secrets/wg_private_vps1.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg Q5X+l2POBANoYyo8HNMy89MLtpodzzN9prnQY71mSTE -X3MJesW3kfHCfCyvaWm22mOI8vSgP7JWlLugCXtiy+U ---- ZH3UZFDfQwZ+DIF3yFADfBKEv2K6k9DTCh5wLVnyaTs -i,1Ff [_+[ !>)ep'YAWg <^= (B)~eG \ No newline at end of file +-> ssh-ed25519 qM6TYg xCaglRQkcl1+kGIVjPEn+NlnrBUvcWLSH7MMPLXK9kU +78t/Z81+NaXQMW30EQH8WMhed6Lm77+atPTkBQbDMd0 +--- AsnraeejCWHj1iRI/1btRXI6tqdnBW4S+twfx35eNEI +61KqH\vélWIX{K;#S&g^.KQ8a7V:e)9Ќ!O \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps3.age b/newinfra/nix/secrets/wg_private_vps3.age index 12dbf45..7a46f3d 100644 --- a/newinfra/nix/secrets/wg_private_vps3.age +++ b/newinfra/nix/secrets/wg_private_vps3.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 XzACZQ nsIkJQw/lrrXChkpFc87upQ4pbGefolI36wqMOWZGAE -t49QoSdb2azGQlDBX5AyWMxCOt+ETpT7erp4WU5p2rQ ---- 4UbCHfpAfwiuRYsiN3HgdhbSLFBG05DxGCw55XT1IGg -Y Ǝ 2Rs Q4d I.KpPFthaɍRX \ No newline at end of file +-> ssh-ed25519 XzACZQ PAqPA1RpuXwjKCsn838qwsuRmuh8ES7BPiyCIFdhMmA +QIAC+dfBMSZwzHwcQpO1IyDPKwTvr/iG35PkrFOyzwE +--- zNejM9ypNWH1Bg1J1V4UCqMIyVP+gIV/mmgBaCfFCKk +y2yv0W}qYmhZ{B|t7,@6B_V80iaz9@j) \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps4.age b/newinfra/nix/secrets/wg_private_vps4.age index c019915..fd64f80 100644 --- a/newinfra/nix/secrets/wg_private_vps4.age +++ b/newinfra/nix/secrets/wg_private_vps4.age @@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 51bcvA 9dYzUZSs/ilKHHRiuMgT6GEbtyBwWHAl8ycBcsvTQz0 -iq0ozCU1p1sekOH4qbxKxWezY2pyVM6LjhUuNpmTQx0 ---- wjCRFJISrIrpgosh7ZBNM1qR78BPmhVBBwFpaQc10oA -a~ue?'iIl C"w:\R) (.ե%*>p"uy4s>2 \ No newline at end of file +-> ssh-ed25519 51bcvA mJYJJnaKusYBpSL5qAokXISlrXkBZ0QPKZVPkiyKSnk +IAsX5+UPxhap7ehB9za8Q9aEfeA0Ypd4Tw7XiU4f2eM +--- VBlmFpr+g83UfZ4rftOkNzKL/ZxSxAi7/tBl4TMaln4 +m侒AWcNW-F6ȆyT=~kg%U ;Dݲi&[j+_ + \ No newline at end of file 
diff --git a/newinfra/nix/secrets/wg_private_vps5.age b/newinfra/nix/secrets/wg_private_vps5.age index ad4e00ad07154ee8dfb0cb4db78d4c07c97c9883..156b44e4edb92d851b50de1057534fc59a63a3f4 100644 GIT binary patch delta 220 zcmZo*YG9h6Q=eNEmKU6!>f-Ag85)*q=w)gU;O$mXo?H-asUJ~Pp6Xdyozu zz~yIJ=2?)NpX=!2lo4p)9}!V*TI!M!Sm^AYS{~->$fc{Rs}Shq zVUbgAnBinp80H<3lw#(X7HH{f>XlO&5agU*mF!Uz7V4K(>F$!2>B%+gs`=W>kykIv zFK~MKe*fXFfAcoA8m@?&`DJ<7Rqu*PJqcC&Yc024j_Uhu{@h6Tr_%;D2EU; X=K*b{ud<)xn^xtk7Cn8C6Ep(=f-+P0 delta 220 zcmZo*YG9h6Qy&y*rk_$(T9}vOk?E0I6`URsY?y22+e>|N*@n&waWfGEZTI}NN%cZNUs}NF< zUE=QOZtQ35l;r8?93JNBpQD{_nOhp@WbW(jZV-{HA6n>}pJ!s`W5HG2ajH79=%ra+ zXoTFsr9rwjM$=!`{I62kayc-!baH@VnMM9$J_fhqlZ^$O+FY$0B?XeM`r2&U;NgF( WjNzpkpWKwTE|CKV97MGL?*#xo15VHY diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age index 7a4f13c8add052b5de98a0bdbea9a285bec23bf9..009e9f6f1f8272e54b680f4801fa741a52ddcff2 100644 GIT binary patch delta 236 zcmbQhG=XV?PQ7-DXO?4zc6wfLL~4$=VRCt{WwL=+QBIPhfmyPLQI>CkWpTcDS$GL_tBWS#U{NsWf>wIg?7PSsL)_gkj;oiLgom&Dc{MIdU+kV-1 o@~2P+#dduGt-Y5eF5T;$Y`S{g<^5Awn-|Bt{C~Q=I{Tv_0Q{m~cmMzZ delta 236 zcmbQhG=XV?PJL3Mg{gODmTP`Uab<3$afX*~p{KWxrLk*px<#0$p>cX?u9JJYk9Kjn z0av24MM$N;Z)s(+x4&b7S8iciK)Gi{re9V-WuktdMWSV7c~!Ybc~o&|D3`9Tu7YW~ ztFe!ZX=;8+lv9{no@Z5|Yp72~dWK_exqoJ@mehx&%1RMK`|KWmxH?>D(gp=ERBLzZXT9W&R5jt*-C~04m^Jxc~qF 
diff --git a/newinfra/nix/secrets/widetom_config_toml.age b/newinfra/nix/secrets/widetom_config_toml.age index 4d6b7a46860b2520bfcc9400e38d801725e5a240..273d1e16d9502028b7b12ab526f64cef67412fc7 100644 GIT binary patch delta 4000 zcmZ1`zf69DPJNkskWYb`g?6@opns~rrC(Keq+6(8pi7cdp=EMbQkI2NdTx?wMv0$c zHdmNqVN_slj=p(Vv2%K;S*WY2bCP$dXG&Uub5fe2TV%0?uZf9%kb6+30hg|>u7W|4 zn@Lu3g_(YUOQlIfaF|Phvw>@+U${ktNmhAIcA7`JS-qp7UtVyqTRzu$?G<80&1x5C z@U-{4emgQPwPLXnv&k%@+hsG(+s}Az9V2L5tn8Vl>+5P_+%ma7y~_AX;ljP^g#;~2 zK7aYKE`VX#J_Y7uJZyUGw_Id3j-7Ee5uDdKK~Q0;#ijR(57#BeIoB0R#xSV~`sJ(Y zZ2x#h=!@3jt1|U0eqP0TA68zUxuxWs@_NG;oeP@N>b5AoZ|O3xs8X6cyF2jG)8%XX zk7X}x$k~7J^&(cCJ1?*Lo%MR5C9gR5aevZ;*y;msZ)Z(3kM3gmvu@`5E8icoet73% ze&B#?t&8-l;^)c6;!eDC4+a)DuiLcL;~oDFxhZmTE3fQ39n7}MF0=m1*Ya0sem1A9 zw%*8FGi^oCT-i^tHI8#XPjtGRZQB2Bp(|hB4~D9!MfWFn9Zm56S2v&S_We7RuObE2 zMcr3*)(Bfo*s=J4Ud+S07kKtH&qGyn|_4g!sx@^vbt!(|I($5{7IzijPfxqo8kwTdlA1&-!xbF=y^V`@9nTD^p8!mOW{4=k2p zK60LGf3aS`b1Ch$_m@pwP?#^LhPuo_=e;v48r5hOK7vl`b!3{r>RGfqy?{ z@+j%nnmv7-uyRpB>U@D!lXh7DVdYxO)9}=86aPuemc!{y|Nq@|E>22ud?Pu z97@U`C7u&%wa-0&ic_xNZtwJUxxBo=9ZfrT>A5}I#GjybyZ%XpaK{~+Gwe^k%$TFG zTJ4KYXF~U8{y+AYW?tY3*Jf}Nw2D686mY?P|1#cv%4bY`H#~|u_@F-ES-gce&%W+o zCe;EL>I0%G=l$jh-d1PVvA$R0&wjtXTjHNL2mim_D3SBIW!99Z7D|PecKv&|?t@|E z$K(VDk&c4qm4CmAd8?+)Hha5&a`(nHimVS`YJa=?&8J)O>K};>DIJNyRp~d(C*M0g zPcUM|hX1Sdd*+tEsERFB3S2tpd;PVP<5vo&o%h`9nV6Bu^)BuCt*1sTFVE+x9Vk40 zWhuO46NRJHT-kEAKwu1_kJPP}cgyXu&Go&2_GO7m}Id{BJ8JYhvfp;v-&n2Sway5A`i;&&%pNV;EbH|29g~1gW53lF;2^xJ6 zm{Sq-m_`4_ao&d6rqLb~ZdkwF=Dfe6)UiyiyrKT=E#A_#d0+R=D-i37)@S{;tW!(# z*8#4ASqD12=Q+M_D%mM7;&rC2%dLIm0;4y!T``NkJjkA<)3r>JF@N{T9}$~9ofjeVtQmwCgkKvV@ZZQrk=G45y`rI9!?TzpM7rCyO&T1AcLe%Lo5=-nQo3R^hV;)U6)YTQZ4P?09=R&g;## zil>afvNu07?%S8Mf5)o1=Wc$QVJy)kdH(UqShfq^cBkI1_*=u(9ke{{c@ysqLo1Wx zY3mvDS6XIvDJ#lNeP{ajl1!NOLHRW~HQQfAad#{^yl|HVbL%d9i%pJ=A=N>p3xD1= z{?wxyAou%Ey4#B&{+Jb)?XK0&u+@9>*5{>t?y}m$*@BfS`_^~O?&6$LD)lR|mCXK%XoS8x4r z=U2_;o1|-HE5!3wy4yHbs;mE`#o;>^(%Db5Lnf8w6`2ZFncYn1s9F8sX3AWdtM$A0 
zobT`n)s1j5?M^n6QR#I)C-bX${>;8VrOMOxzAxfm=-#l9V}G*B-zIw|&ILW{{IyX_ zzUD=B_TIe^$bX6})z^4R>hnZjp9jtpb-lZvIlSyHdzH2Qg~87){U<9VvuU_u4s(c@#l+nP)u9x5vC46(Yil%?! zx2&E+JH#thSw0-mbk%QTx;XK-aY}0U)5B&_?H60(SuQ&+nZ0lO(*CWte0O|w`z7LG zz3T0j`!TKW_nvC1dMW5#5ooNoXUh@mWs?jf?G$%qZN1fy9e>`?uKoP&yVhNqA!VIM zZr}FQKVL8X_sktV#Y@His&(JFZdj;QVsLEQ^f~(u?`)pX(-wX+aZADdbNl`sPg!&9 zO0Mx?VUy#}{;u6wckmzE{hw?l&pe%)-U;nntCjvK>T*r_qxS{3g)4&GSo05GUu{2Y zO~UHk(i0c5A7E2mb?<$olU1FE+uJ=EvVl=-6zU_|Aqi|4BU?>#qX&iawbd<od|NZAUWY zrx?w(eZO@|rQo~2PjXY+xyt@rX>iki&9ySzSG4^dN6~Xz_m}%S4m@dJm~%*Y^USk~ zg+JE2yk8b`M9E$0;M%vlbnEvl>n-WG`{xAl~BrVng#HJ^kkb>b;-Ljil1FHNFM-{J*>8{FPh2^>Pn5 zI4^m0EMI?}_rK|vUq4t?u%4TDD_FNB|Oad%Hh%+dAZjn9?AQ(^}Ql~-)pl8 z_u1TT$t^JTgny&N!N~OPz+YjL8-JTmR(ia0*PKr_Vrgv-j9lx@B@bnX2ycDbrrAE{ z`HtJRx8!f+Mm;Z@(j&3RR=&7-YkF5mXk`7-k8Cq-MfWX{dv{7?hswg||0=()KlFG? z?9-Opm-OFVUf^``&ISifxkKS45qTzSbQy#ftzW#vzvYmbnuqNmy1hIelHTJNe|0N7x((*D6rCHvC^ti z^)%yD|K%nH7Csx=TPx$!tEVig`!aj?u`-48*Ul}SYw|eQGD3FI!7w>H&fkAN?Jzi~ zc|WS~-O)0g#`S@mYag>sbJP@@?cAvSDm*fwyGS6Zu_JMZ)xYNl{qFUK79=<(EeI?>=un_ydF!vJ+2X0* z2Bp!m63>zr9lrN&#r)z`XY!Se1GJf5>{$CM&(!7p243EktP9LFJcWust8HcH@>|l> zv)jNxZOvWHzHO=;LAL(&uP<`2@5}C9&B_e4Q`tITL;N3_0NM-SN^1}6hZgF|=bWT&Yd%2PA?7^AkuBt1%Pt}JWeUS71QuJzF{e2p>$yuKF|K8r}Cis+PBh0~wkZBX`{J%h6+%fd7)ULsoZL}X%XrjX%eJ-fuI(A)mgH|Y&y%pQdp2d(&5Lbk zd8^su`(`N}KfSIYe}&y-rL~%;4or|yu8Ne9zv?jWE-!n$V;4)KY+du|vZIyHo>iXq z-?85DcXOrF%#ZVT)<1uJ#_`V{{@$m{++{B{m3Agr2x_1BKfxe;>VvwaH;+_nc}&*I z7Pg+^Aa*Y(W~yoO?B|wWUgRFPU2Xci{eHeO7xS*2{5Myb%q-=5FT6BmRbuDsw7}oD z&c2*orY58Da#Hf~^G-4SH~xMQSIb$ujdioy##K2V4qTdV7r3h^JNIU4{p&CBo6`*L zSnKcEaExPCu=*{ZbKmadJ$!Zg;1j*Mg3}L{{r}j|IBDZl*66im{ad~rD&EFoai_7q zTGjN{g;nlX-|Ka~3+>;?e_)SRy6S6X_Cz=2N D$(pkm delta 4000 zcmZ1`zf69DPJLjGlVxZ|eyV|6R#13&K}fJ~Rj_A>X<22GSA>VQflHEOYGrXwRf=|w z372DTQi_F3fSG%uajIoTVv%{ir=?4#d4ZFQSxR1jNnufyr)zLxs8f}(BbTnOu7Z1M zVvcEwVN{`|MR|p@NrqQ?X`)48fw6XKT7XHpzj>vHS$$+;NpO*8z6n?F=M>EuTG2c7 z_$u3&B7X%;I<4v$@-3%1c1I@~9oG4FaC%YnifxsT8GHNAUC7bfXYsq@ 
z4Ts%z_p?6peU_*vwzgi=-zC4mH#z!X!y|>YLKzXy1GL*LLw-msFO3OUar{kj#Po}? zCB;#PtYgIve`$33mc8|x^3mt>3hq6*c6sB)|AsbPQ?@zoRs5lsdw!1Tbud3&#=U&q1p6u6NvUm52e@gb%AC^oNi3}^gl^SgFp-RZ; z*q;7JR}7b{@Mv85?9*v}PbE&$S@y1BP|4nZhreIY)HS?Zn7@`M>&qv>UCwV=Bb&3l zzMcBgB$xi^`0Cee=dD@({Y}=JRsZiv!Zx|oxG4=eciL0V3qQRykK@(vJF(5vkL!5H zXhk>LZCyOe$nnPEg>L!(_XTm~F1xd=*3T?Ya`&l;Up5C`w?W2oMx}B zS6aq;=Xy`tUDM#Y>EAX!yjHoUWny+&;Dc|skL68}?a1~s3bC3v^VK`vetUMF%bUWk z{IICK)K|Y*+T6x8aN*lcGi_?yS8%*9{QkV>xaYf5=hvId{tn+aJEqh$pYQ(xu5T4e z4d>VORDFAMW1=~em;L%#sgKr}7KuncY_*zFJkzWG{efL_8_HN^Th542zjo^IqUw2n zBzfaL99@0LxaZWReOn%XT6p!zwwU8*7w2~gZQQo~ijuwm^0LKVvYt#|t)pWfw5KjT z&ch$S&S={8=RS?1_I8`!nf}<#bK$(TRrkX5e24qDSLM#lE)HLKJcU76Z2o=ORV9)? zCtke~S9RH}uJd}mrKCZ*(&}wV6LNc!V*)N8`~2b6z1fea?|NLbW-432^@VvW1R34$ zrr50#YdAhD@1*7BziZyi$ZYhPa;vX%mwpw^e^9<9$oYL;0Z;4NDHHa|$hYi!pEl$6)0AC( zvOC|t3y8S1*H~w=%NLQ=Q>NbWoXU7~?frc}d+ICFF5Nd@m$a@u?_8sV(Cek^KX^90 z_^3T^AK&BIm)mczx|y_IP;t^PyVm;O{!dl?Q+IBE^g-Jr)ZRyOrHG8xO`&Cmeipim z7neC_Cn!Fys%zSC;(M3ib4LEV4huG_~#3?e{Y;%g;}kq0cbsqwEeQ#rzZH{)d}B z9XUTQCceq1(eG~Y)L`+gEi=zZuRK*erB->i=C`b7wI6{yC#^SQU26Yce_3RrWBu*f z#pPzJbDo5Cp4SbK3CsLn;N`Z*!Zb}ez&2!DCDyS>wP&U@*MFUE`K|8eo>QOx zX}n%6mA}VWVa~&Pty4z7vtI^gd}EQ5x$^HzihJMmduBfq6VK)S^ifJMI`dQ_>qo}2 zy(c$Zy?4VUo%z}7e;ZRuJo@HytmgYNZ_}>Xeyh){-=!D(NVqFUr0b^JNg*aS12%oR z_olyH%Tx?69cD3zy>)wEqTL3c`rj{d)W0p$`co+(!}MeEl>4u(_x(HPZZl* zzq?}3oalRf<-;$=JE|^*Fw$?cI zy2lcZu&upK1#RCh?s~Z|i*+uCf&bV3*9@vrT1WG|s-CPiskvVB`d*o~@Jz+h^YZWN zMdpMq&E5HV*W0k&Kh{X3O};p3x4iwC#ZjeC8&_Z4&;IOkB7@;HNQc87{z zJLut7%D!AWlz)GHa?bV-8$`A!bQOHr>929<#Ao(RRrNQUmFJ%Gsob@yW_QGUQ=TvX z?{bH%{T}=K-jpW6;)J72u??ZmEmyxQW3k-0<)Uf*%o!Ep5%U)YZ2vR)YXoyw*|C2w z8{)4m`OtEZ_uhu&x>?^mk~q)%I=2rD7P#mGzlJLbJ8?B8gmC*8thVGPaFFF8+`m%NL|^jiP2jq~p- zEzQn+)X;SFp52wbrviS&bnUU6T5q!F&&~g3Nlqt@_f9ch=BK21@KTkpL9FUYIq$xW zYiB%_?K$h9V%5IEO7}rP;HxUZ*FRV9S2?S^O780P12MaAIX_|ku_Wbu>Dr%b;(mwm zHa(g#Lptr?zRSCRi5wNPfAx@c)nU`zRSQ1JJKTPKJJDG7gh5?xSDo1B<|AG+oRW`m 
z)~nBAoBqm8vv%1nd5MhY-}W7E_4~Y7UZCyaw@GXEo&LH1n(>l=GrHpbBgy=YxKVB($PKjiZixK+>cgXe>X~ThS!_hqRie4 z?`_sseU;Hr`$GTT1=AZlE^|z@oRD+gwQ53yPf+)wgdZCvP3Off30qe&$5nmH=8ojm zyQ|mPvB<2KWIeLC@tnBuzwO7*&nZmTT6;5OQ~u-f>#;ivs<>`h?@BC4FX@nub>jQR z=*!{QvVrNlPe#43yWS;T*^MVdH>%BLPsDcaKmV#8y1X@M7GL3ek7rum+L9mJ z%Q&LggP)7UKZ#10Tl`Hrv3bMp?NYo?j_U1FQ@^X5)bd*AoZhs3vsM*!wkuvaP*i6- z_v5+NwvEEF6QzqbU%yb9dSmy~6GneUM1_`~*-~nRmf?Yv0-m9!`+#;O(>i=X8;A%Oj>)FMj#D&9ZuQxwyHOoBv+8$!0&-H%`4= zn=P!*GF*4qWIFv^O1sG`sbfcfg#6y~%a_gV(1T-si~&WLmbh%`JiJWDE#PmWz|Os# z;yh2<#l6@+yGe=l?VI@KxX=yX`nGPKNq+k$_}1=Gm)XmH;aToN9!|Y=@&Vi3%P#6B z@g108H@l#0#x1GuO*3NdFNr(0_xkuUvXzt5bf0UvXo- z)ra@_Q;oC=UvZe^9+{RgquKw5L0g*8-t~uAeoor6^uKG-UBI*oBDcI!l})iE@BO3M(eh@2G?!d9Z@{3wqK#WGv&uy&X%3sAu;DSa~*3fJIk~= zjFai-?i=>WrS+c|nl-HaKIz7dJ-c~o7Y4cM&k)r+n=)xn>TFZTb2?H5x!D_xFJ0=D zjp@$gJh@f-ee}WlnfInF`sKdP!t{}th|23TTPB`T*9m#c|G&B3LFKPc=jvOMdw(^m zh)$U|x!{UVn}X3vL%Gzw=A4ysUyF2iJmPQ>|907;XzPS)jJNq$*FRgLvH!q&yU%4v1e)Loj_eKGsPF#XM#3gkTwa(qJ{G>gdPH$nR;mgg zzw!NTs_LFT9G3GP5=}3M_FvRI;3RSA${zKGmk0h|ZZL6M$#rVaamMdebLV%kR*Ck#DK3bLr@qZ00?UzcA3w;*tHoxGz(AHI|WwJbG&Zf1W z^5%9pMi@?N^kTHCP^#0o5U@M;v(AeDoAa(p8fm`lC|aYu%h|4ev1*6unz>(I*54CW zeA1w0HNC8%IOI-x{Y~Mehqq|V$cWtg-*<}4)eRS&RoC{_Y0REE`*{0})bm;4|HO4K z2gR(B+TB|FVbPtur_Zl#Qz+m2C42Vim&dL>T)Na_l8|Iqtk6Q?_ldK*pPV)Co}C(# zB&D>=X@g#UU+qHK)Pz@mw<g=~BI?1MCvj*h_r$&j@{-$j?qgmx zM}7sDQ;536s%i1EwooL^zq`%Twh@c!Jo{Qst3Qmq~`)3myxHMd;^056P0 AGXMYp literal 0 HcmV?d00001