41 changed files with 515 additions and 716 deletions
--- a/.envrc
+++ b/.envrc
@ -1,2 +1 @@
 use flake
 export NH_FLAKE=$(expand_path .)
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,3 @@
-.DS_Store
+secrets
-secrets/gpg-secret
+ops/home/.gcroots
-secrets/id_ed25519-nix-builder
+.direnv
 .direnv
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,18 +0,0 @@
 keys:
  - &sierpinski age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
  # host keys
  - &synchronicity-ii age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
  - &watchtower age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
  - &tears age1c0jmesk8x3rjqq8elrvdnmz9w2d35u7mkvfeerwv5wtjqqrnt9as9q6tqj
 creation_rules:
  - path_regex: secrets/restic.env$
    key_groups:
      - age:
          - *sierpinski
          - *tears
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini|bin)$
    key_groups:
      - age:
          - *sierpinski
          - *synchronicity-ii
          - *watchtower
--- a/README.md
+++ b/README.md
@ -1,19 +1,15 @@
-# Infra Reference
+# Nix Infra Config
 Using [colmena](https://github.com/zhaofengli/colmena)
-## Host Overview
+## Hosts
-### nix-darwin
+- `penrose`: macOS/nix-darwin desktop
 - `penrose`: *Mac Mini M1*
 - `sierpinski`: *MacBook Air M4*
 ### colmena
 - `synchronicity-ii`: Rented high-reliability/low-cost server
 - `tears`: x86 Headless desktop for heavy workloads
 - `watchtower`: *ThinkCentre M75q Gen 2 Tiny*; Home server
 ### offline
 - `bloodletting`: Main server / technogothic.net
 - `sierpinski`: macOS/nix-darwin laptop
 - `watchtower`: Home server
-## Manual setup on blank system/migrations
+### Manual setup on blank system/migrations
-### bloodletting:
+bloodletting:
- `nh os switch --target-host root@bloodletting -H bloodletting` - deploy config
+- `colmena apply` - deploy config
 - `passwd` - set user passwords
 - rsync state:
  - `/var/lib`:
@ -34,20 +30,15 @@
    - `prosody`
  - `/home/ftp`  
-### penrose/sierpinski:
+penrose/sierpinski:
- `nh darwin switch` - deploy config
+- `darwin-rebuild switch --flake .` - deploy config
- `age-plugin-se keygen | tee (tty) | tail -n1 >> ~/Library/Application\ Support/sops/age/keys.txt` - generate a private key using the Apple Secure Enclave. Make sure to add it to `.sops.yaml`.
+
- `sops updatekeys` - re-encrypt secrets after adding new keys.
+[Last commit which includes BSPWM configs](https://git.lain.faith/sorceress/nix-infra/commit/e60bbd7f41bdb4456319637f38a25425b6f5fef7)
 ### Rsyncd Modules
 Modded minecraft instance rsync modules can be accessed through `mc-[modpack]@bloodletting::mc-[modpack]` with `--rsh=ssh`
-### Updating Mastodon
+### Updating mastodon
 ```sh
 cd common/pkgs/mastodon && ./update.sh --owner AgathaSorceress --rev <commit hash>
 ```
 [Last commit which includes BSPWM configs](https://git.lain.faith/sorceress/nix-infra/commit/e60bbd7f41bdb4456319637f38a25425b6f5fef7)
 ### Common Pitfalls
 - Run `sudo ssh tears` if remote builds are failing. This is likely caused by a hidden "Host key verification failed" error.
--- a/common/fragments/bin.nix
+++ b/common/fragments/bin.nix
@ -1,21 +1,10 @@
-{ config, ... }:
+{ ... }: {
 {
  imports = [ ../../common/services/bin.nix ];
  services.bin = {
    enable = true;
    address = "0.0.0.0";
    port = 6162;
    textUploadLimit = 64;
  };
  services.nginx.virtualHosts."thermalpaste.technogothic.net" = {
    useACMEHost = "technogothic.net";
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:6162";
      proxyWebsockets = true;
      extraConfig = "client_max_body_size ${toString config.services.bin.textUploadLimit}M;";
    };
  };
 }
--- a/common/fragments/bittorrent.nix
+++ b/common/fragments/bittorrent.nix
@ -1,96 +1,65 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
-  sops.secrets."gluetun.env" = {
+  system.fsPackages = with pkgs; [
-    sopsFile = ../../secrets/gluetun.env;
+    gocryptfs
-    format = "dotenv";
+    cifs-utils
-  };
+  ];
-  virtualisation.oci-containers.containers =
+  systemd.mounts = [
    let
      QBITTORRENT_WEBUI_PORT = "8080";
    in
    {
-      "gluetun" = {
+      after = [ "network.target" ];
-        image = "qmcgaw/gluetun:latest";
+      what = "//library.technogothic.net/backup";
-        autoStart = true;
+      where = "/mnt/library-raw";
-        volumes = [
+      type = "cifs";
-          "/var/lib/gluetun:/gluetun"
+      options = "gid=users,file_mode=0664,dir_mode=0775";
-          "/etc/localtime:/etc/localtime:ro"
+      mountConfig.EnvironmentFile = "/var/lib/secrets/hetzner-env";
-        ];
+    }
-        ports = [
+    {
-          "127.0.0.1:${QBITTORRENT_WEBUI_PORT}:8080"
+      what = "/mnt/library-raw";
-          "100.64.0.1:${QBITTORRENT_WEBUI_PORT}:8080"
+      where = "/mnt/library";
-        ];
+      type = "fuse.gocryptfs";
-        environment = {
+      options = "allow_other,passfile=/var/lib/secrets/gocryptfs-pass";
-          VPN_SERVICE_PROVIDER = "protonvpn";
+      wantedBy = [ "multi-user.target" ];
-          VPN_TYPE = "openvpn";
+    }
-          VPN_PORT_FORWARDING = "on";
+  ];
          SERVER_COUNTRIES = "Germany, Netherlands";
          PORT_FORWARD_ONLY = "on";
          VPN_PORT_FORWARDING_UP_COMMAND = "/bin/sh -c '/usr/bin/wget -O- --retry-connrefused --post-data \"json={\\\"listen_port\\\":{{PORTS}}}\" http://localhost:${QBITTORRENT_WEBUI_PORT}/api/v2/app/setPreferences 2>&1'";
        };
        environmentFiles = [ config.sops.secrets."gluetun.env".path ];
        extraOptions = [
          "--cap-add=NET_ADMIN"
          "--device=/dev/net/tun"
        ];
      };
      "qbittorrent" = {
        image = "lscr.io/linuxserver/qbittorrent:latest";
        autoStart = true;
        dependsOn = [ "gluetun" ];
        volumes = [
          "/var/lib/qbittorrent:/config"
          "/mnt/library:/downloads"
          "/etc/localtime:/etc/localtime:ro"
        ];
        environment = {
          PUID = "1000";
          PGID = "1000";
          WEBUI_PORT = QBITTORRENT_WEBUI_PORT;
        };
        extraOptions = [
          "--network=container:gluetun"
        ];
      };
      "qui" = {
        image = "ghcr.io/autobrr/qui:latest";
        autoStart = true;
        dependsOn = [ "qbittorrent" ];
        volumes = [
          "/var/lib/qui:/config"
          "/mnt/library:/data/torrents"
        ];
        ports = [
          "100.64.0.1:7476:7476"
        ];
      };
    };
-  sops.secrets.qbittorrent-pass = { };
+  virtualisation.oci-containers.containers = {
-  systemd.services.qbittorrent-prometheus-exporter = {
+    "qbittorrent" = {
-    wantedBy = [ "multi-user.target" ];
+      image = "dyonr/qbittorrentvpn";
-    after = [ "network.target" ];
+      autoStart = true;
-
+      volumes = [
-    serviceConfig = {
+        "/var/lib/qbittorrent:/config"
-      Type = "simple";
+        "/mnt/library:/downloads"
-      ExecStart = "${pkgs.prometheus-qbittorrent-exporter}/bin/qbit-exp";
+      ];
-      Restart = "always";
+      environment = {
-
+        VPN_TYPE = "wireguard";
-      Environment = [
+        LAN_NETWORK = "10.21.0.0/16,10.42.0.0/24,100.64.0.0/24";
-        "EXPORTER_PORT=9006"
+      };
-        "QBITTORRENT_USERNAME=Agatha"
+      ports = [ "8080:8080" ];
-        "QBITTORRENT_PASSWORD_FILE=${config.sops.secrets.qbittorrent-pass.path}"
+      extraOptions = [
-        "QBITTORRENT_BASE_URL=http://localhost:8080"
+        "--cap-add=NET_ADMIN"
        "--device=/dev/net/tun"
        "--privileged"
      ];
    };
  };
  # Jellyfin
  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };
  environment.systemPackages = with pkgs; [
    jellyfin
    jellyfin-web
    jellyfin-ffmpeg
  ];
  # SMB Share
  services.samba = {
    enable = true;
    openFirewall = true;
    settings.global = {
-      "server string" = "Synchronicity-II";
+      "server string" = "Watchtower";
      "guest account" = "nobody";
      "map to guest" = "bad user";
    };
@ -101,4 +70,15 @@
      "guest ok" = "yes";
    };
  };
  services.prowlarr = {
    enable = true;
    openFirewall = true;
  };
  services.radarr = {
    enable = true;
    openFirewall = true;
    user = "root";
  };
 }
--- a/common/fragments/grafana.nix
+++ b/common/fragments/grafana.nix
@ -14,13 +14,37 @@
    };
  };
-  services.nginx.virtualHosts."grafana.technogothic.net" = {
+  networking.firewall.allowedTCPPorts = [ config.services.grafana.settings.server.http_port ];
    useACMEHost = "technogothic.net";
    forceSSL = true;
-    locations."/" = {
+  services.prometheus = {
-      proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
+    enable = true;
-      proxyWebsockets = true;
+    port = 9001;
-    };
+    retentionTime = "365d";
    scrapeConfigs = [
      {
        job_name = "bloodletting";
        static_configs = [
          { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
        ];
      }
      {
        job_name = "nginx";
        static_configs = [
          { targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; }
        ];
      }
      {
        job_name = "telegraf";
        static_configs = [
          { targets = [ config.services.telegraf.extraConfig.outputs.prometheus_client.listen ]; }
        ];
      }
      {
        job_name = "process";
        static_configs = [
          { targets = [ "localhost:${toString config.services.prometheus.exporters.process.port}" ]; }
        ];
      }
    ];
  };
 }
--- a/common/fragments/graphical/darwin.nix
+++ b/common/fragments/graphical/darwin.nix
@ -20,10 +20,6 @@
    trusted-users = [ "@admin" ];
  };
  users.users.agatha.packages = with pkgs; [
    age-plugin-se
  ];
  # Needed for the nix-darwin environment even if zsh is not used.
  programs.zsh.enable = true;
--- a/common/fragments/graphical/default.nix
+++ b/common/fragments/graphical/default.nix
@ -4,18 +4,21 @@
  # User packages
  users.users.agatha.packages = with pkgs; [
    android-tools
    broot
    colmena
    exiftool
    ffmpeg
    file
    flac
    hyperfine
    just
    magic-wormhole
    neofetch
    nil
    nixd
    pfetch
    pridefetch
    rink
    sshfs
    whois
    wireguard-tools
    yt-dlp
--- a/common/fragments/headscale.nix
+++ b/common/fragments/headscale.nix
@ -1,4 +1,3 @@
 { config, ... }:
 {
  services.headscale = {
    enable = true;
@ -12,17 +11,6 @@
        ]; # AdGuard Public DNS
        base_domain = "thorns.home.arpa";
      };
      taildrop.enabled = true;
    };
  };
  services.nginx.virtualHosts."hs.technogothic.net" = {
    useACMEHost = "technogothic.net";
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.headscale.port}";
      proxyWebsockets = true;
    };
  };
 }
--- a/common/fragments/home-assistant.nix
+++ b/common/fragments/home-assistant.nix
@ -1,4 +1,3 @@
 { config, pkgs, ... }:
 {
  networking.firewall.allowedTCPPorts = [
    8123
@ -51,19 +50,9 @@
      WIFI_IFACE = "wlp2s0";
      SHARE_METHOD = "none";
      SSID = "Agatha-Isolated-Network";
      # TODO: Replace placeholder password after switching to sops-nix
      PASSPHRASE = "nCvKNgRH5L5DFBR4JULP3GHbDuk9XLfT";
    };
  };
  networking.networkmanager.unmanaged = [ "wlp2s0" ];
  # TODO: Rotate password
  # Hack around linux-wifi-hotspot's lack of secret management
  sops.secrets.create-ap-pass = { };
  sops.templates."create-ap.conf".content = ''
    PASSPHRASE=${config.sops.placeholder.create-ap-pass}
  ''
  + pkgs.lib.generators.toKeyValue { } config.services.create_ap.settings;
  systemd.services.create_ap.serviceConfig.ExecStart =
    pkgs.lib.mkForce "${pkgs.linux-wifi-hotspot}/bin/create_ap --config ${
      config.sops.templates."create-ap.conf".path
    }";
 }
--- a/common/fragments/media.nix
+++ b/common/fragments/media.nix
@ -1,36 +0,0 @@
 { pkgs, config, ... }:
 {
  # Jellyfin
  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };
  environment.systemPackages = with pkgs; [
    jellyfin
    jellyfin-web
    jellyfin-ffmpeg
  ];
  services.prowlarr = {
    enable = true;
    openFirewall = true;
  };
  sops.secrets.jellyfin-token = {
    sopsFile = ../../secrets/jellyfin-exporter.env;
    format = "dotenv";
  };
  virtualisation.oci-containers.containers."jellyfin-prometheus-exporter" = {
    image = "rebelcore/jellyfin-exporter:latest";
    autoStart = true;
    ports = [
      "127.0.0.1:9007:9594"
    ];
    environmentFiles = [ config.sops.secrets.jellyfin-token.path ];
    entrypoint = "/bin/sh";
    cmd = [
      "-c"
      "/bin/jellyfin_exporter --jellyfin.address=http://100.64.0.6:8096 --jellyfin.token=$JELLYFIN_TOKEN --collector.activity"
    ];
  };
 }
--- a/common/fragments/prometheus_exporters.nix
+++ b/common/fragments/prometheus_exporters.nix
@ -1,23 +1,6 @@
 { config, ... }:
 {
  # Enable Prometheus exporters
  services.prometheus = {
    enable = true;
    port = 9001;
    retentionTime = "365d";
    scrapeConfigs =
      let
        input = job_name: host: {
          inherit job_name;
          static_configs = [
            { targets = [ host ]; }
          ];
        };
      in
      [
        (input "node" "localhost:${toString config.services.prometheus.exporters.node.port}")
        (input "nginx" "localhost:${toString config.services.prometheus.exporters.nginx.port}")
        (input "process" "localhost:${toString config.services.prometheus.exporters.process.port}")
      ];
    exporters = {
      node = {
        enable = true;
@ -50,4 +33,18 @@
      };
    };
  };
  services.telegraf = {
    enable = true;
    extraConfig = {
      inputs.x509_cert = {
        sources = [ "https://technogothic.net:443" ];
        interval = "10m";
      };
      outputs.prometheus_client = {
        listen = "localhost:9004";
        metric_version = 2;
      };
    };
  };
 }
--- a/common/fragments/restic.nix
+++ b/common/fragments/restic.nix
@ -1,27 +1,18 @@
-{ config, ... }:
+{ config, ... }: {
 {
  sops.secrets.restic-pass = { };
  sops.templates."restic.env".content = ''
    RESTIC_REST_USERNAME=agatha
    RESTIC_REST_PASSWORD=${config.sops.placeholder.restic-pass}
  '';
  services.restic.backups.${config.networking.hostName} = {
    initialize = true;
    repository = "rest:http://10.20.1.2:8000/${config.networking.hostName}/";
-    passwordFile = config.sops.secrets.restic-pass.path;
+    passwordFile = "/var/lib/secrets/restic-password";
-    environmentFile = config.sops.templates."restic.env".path;
+    environmentFile = "/var/lib/secrets/restic-env";
    timerConfig = {
      OnCalendar = "*-*-* 20:00"; # Daily at 20:00
      Persistent = true;
    };
-    paths = [
+    paths = [ "/home/agatha" "/mnt/hdd" ];
      "/home/agatha"
      "/mnt/hdd"
    ];
    exclude = [
      ".Trash*"
      ".gradle"
@ -54,12 +45,9 @@
      "lost+found"
    ];
-    pruneOpts = [
+    pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 12" ];
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-yearly 12"
    ];
  };
-  systemd.timers."restic-backups-${config.networking.hostName}".after = [ "network-online.target" ];
+  systemd.timers."restic-backups-${config.networking.hostName}".after =
    [ "network-online.target" ];
 }
--- a/common/fragments/sops.nix
+++ b/common/fragments/sops.nix
@ -1,13 +0,0 @@
 {
  sops = {
    defaultSopsFile = ../../secrets/secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      hurricane-tokens = {
        sopsFile = ../../secrets/hurricane-tokens.env;
        format = "dotenv";
      };
    };
  };
 }
--- a/common/fragments/storage.nix
+++ b/common/fragments/storage.nix
@ -1,30 +0,0 @@
 { pkgs, config, ... }:
 {
  sops.secrets.gocryptfs-pass = { };
  sops.secrets."hetzner.env" = {
    sopsFile = ../../secrets/hetzner.env;
    format = "dotenv";
  };
  system.fsPackages = with pkgs; [
    gocryptfs
    cifs-utils
  ];
  systemd.mounts = [
    {
      after = [ "network.target" ];
      what = "//library.technogothic.net/backup";
      where = "/mnt/library-raw";
      type = "cifs";
      options = "uid=1000,gid=users,file_mode=0664,dir_mode=0775";
      mountConfig.EnvironmentFile = config.sops.secrets."hetzner.env".path;
    }
    {
      what = "/mnt/library-raw";
      where = "/mnt/library";
      type = "fuse.gocryptfs";
      options = "allow_other,passfile=${config.sops.secrets.gocryptfs-pass.path}";
      wantedBy = [ "multi-user.target" ];
    }
  ];
 }
--- a/common/fragments/virt.nix
+++ b/common/fragments/virt.nix
@ -23,7 +23,7 @@
      ];
  };
-  hardware.graphics.enable = true;
+  hardware.opengl.enable = true;
  virtualisation.spiceUSBRedirection.enable = true;
  services.openssh.settings.X11Forwarding = true;
--- a/common/home_manager/common.nix
+++ b/common/home_manager/common.nix
@ -54,38 +54,9 @@
        };
      };
      jujutsu = {
        enable = true;
        settings = {
          inherit (config.home-manager.users.agatha.programs.git.settings) user;
          signing = {
            backend = "ssh";
            behavior = "own";
          };
          ui.default-command = "log";
          ui.diff-editor = ":builtin";
          template-aliases = {
            "format_short_signature(signature)" = "signature.name()";
          };
          revset-aliases = {
            "closest_pushable(to)" =
              "heads(::to & mutable() & ~description(exact:\"\") & (~empty() | merges()))";
          };
          aliases.tug = [
            "bookmark"
            "move"
            "--from"
            "heads(::@ & bookmarks())"
            "--to"
            "closest_pushable(@)"
          ];
        };
      };
      delta = {
        enable = true;
        enableGitIntegration = true;
        enableJujutsuIntegration = true;
        options = {
          blame-format = "{timestamp:<15} {author:<18.18} {commit:<8}";
          file-modified-label = "modified:";
--- a/common/services/bin.nix
+++ b/common/services/bin.nix
@ -1,16 +1,9 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 with lib;
-let
+let cfg = config.services.bin;
-  cfg = config.services.bin;
+in {
 in
 {
  options = {
    services.bin = {
      enable = mkEnableOption "Pastebin";
@ -61,10 +54,11 @@ in
      serviceConfig = {
        Type = "simple";
-        Environment = ''BIN_LIMITS={form="${toString cfg.textUploadLimit} MiB"}'';
+        Environment =
-        ExecStart = "${
+          ''BIN_LIMITS={form="${toString cfg.textUploadLimit} MiB"}'';
-          pkgs.callPackage ../../common/pkgs/bin.nix { }
+        ExecStart = "${pkgs.bin}/bin/bin -a ${toString cfg.address} -b ${
-        }/bin/bin -a ${toString cfg.address} -b ${toString cfg.binaryUploadLimit} -p ${toString cfg.port} -u ${toString cfg.upload}";
+            toString cfg.binaryUploadLimit
          } -p ${toString cfg.port} -u ${toString cfg.upload}";
        WorkingDirectory = "/var/lib/bin_rs";
        Restart = "always";
      };
--- a/flake.lock
+++ b/flake.lock
@ -21,7 +21,46 @@
        "type": "github"
      }
    },
    "colmena": {
      "inputs": {
        "flake-compat": "flake-compat",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
        "stable": "stable"
      },
      "locked": {
        "lastModified": 1685370160,
        "narHash": "sha256-7EAZtvHZBN4CFbUWznQicGL/g2+A/9w5JUl88xWmxkI=",
        "owner": "AgathaSorceress",
        "repo": "colmena",
        "rev": "f279530ba0ca33f30fc3ae386ae5487e8d926460",
        "type": "github"
      },
      "original": {
        "owner": "AgathaSorceress",
        "repo": "colmena",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1650374568,
        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1668681692,
@ -38,6 +77,21 @@
      }
    },
    "flake-utils": {
      "locked": {
        "lastModified": 1659877975,
        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@ -113,8 +167,8 @@
    },
    "mms": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "nix": "nix",
        "nixpkgs": [
          "nixpkgs"
@ -329,6 +383,7 @@
    "root": {
      "inputs": {
        "ccase": "ccase",
        "colmena": "colmena",
        "home-manager": "home-manager",
        "matrix-ril100": "matrix-ril100",
        "mms": "mms",
@ -336,28 +391,23 @@
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-darwin": "nixpkgs-darwin",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix",
        "url-eater": "url-eater",
        "vampysite": "vampysite"
      }
    },
-    "sops-nix": {
+    "stable": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1768863606,
+        "lastModified": 1669735802,
-        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
+        "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
-        "owner": "Mic92",
+        "owner": "NixOS",
-        "repo": "sops-nix",
+        "repo": "nixpkgs",
-        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
+        "rev": "731cc710aeebecbf45a258e977e8b68350549522",
        "type": "github"
      },
      "original": {
-        "owner": "Mic92",
+        "owner": "NixOS",
-        "repo": "sops-nix",
+        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@ -16,11 +16,6 @@
      inputs.nixpkgs.follows = "nixpkgs-darwin";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    mms = {
      url = "github:mkaito/nixos-modded-minecraft-servers";
      inputs.nixpkgs.follows = "nixpkgs";
@ -36,6 +31,12 @@
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    # Latest colmena + prettier loading icons
    colmena = {
      url = "github:AgathaSorceress/colmena";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    ccase = {
      url = "github:rutrum/ccase";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -48,28 +49,15 @@
      nixpkgs-darwin,
      home-manager,
      nix-darwin,
      sops-nix,
      mms,
      url-eater,
      matrix-ril100,
      colmena,
      vampysite,
      ccase,
      ...
    }:
    let
      supportedSystems = [
        "x86_64-linux"
        "aarch64-linux"
        "x86_64-darwin"
        "aarch64-darwin"
      ];
      forEachSupportedSystem =
        f:
        nixpkgs.lib.genAttrs supportedSystems (
          system:
          f {
            pkgs = import nixpkgs { inherit system; };
          }
        );
      mkOverlays = system: config: [
        (final: prev: {
          vampysite = vampysite.packages.${system}.default;
@ -79,76 +67,224 @@
          # Unstable packages
          unstable = import nixpkgs-unstable { inherit system config; };
        })
        colmena.overlay
      ];
      darwinpkgs = import nixpkgs-darwin rec {
        system = "aarch64-darwin";
        config.allowUnfree = true;
        overlays = mkOverlays system config;
      };
      x86pkgs = import nixpkgs rec {
        system = "x86_64-linux";
        config.allowUnfree = true;
        overlays = mkOverlays system config;
      };
    in
    {
      colmena = {
        network = {
          description = "Agatha's Nix Infra";
          nixpkgs = import nixpkgs rec {
            system = "x86_64-linux";
            config.allowUnfree = true;
            overlays = mkOverlays system config;
          };
          nodeNixpkgs.synchronicity = import nixpkgs rec {
            system = "aarch64-linux";
            config.allowUnfree = true;
            overlays = mkOverlays system config;
          };
        };
        bloodletting = {
          imports = [
            ./common
            ./common/linux-specific.nix
            ./hosts/bloodletting/configuration.nix
            (import "${home-manager}/nixos")
            mms.module
          ];
          deployment = {
            targetUser = "root";
            targetHost = "technogothic.net";
            tags = [ "prod" ];
            keys = {
              "nyandroid-token" = {
                keyCommand = [
                  "cat"
                  "./secrets/nyandroid-token"
                ];
                destDir = "/var/lib/secrets/";
              };
              "hurricane-tokens" = {
                keyCommand = [
                  "cat"
                  "./secrets/hurricane-tokens"
                ];
                destDir = "/var/lib/secrets/";
              };
              "mc-status-bot-env" = {
                keyCommand = [
                  "cat"
                  "./secrets/mc-status-bot-env"
                ];
                destDir = "/var/lib/secrets";
              };
              "ril100-bot-secrets" = {
                keyCommand = [
                  "cat"
                  "./secrets/ril100-bot-secrets"
                ];
                destDir = "/var/lib/matrix-ril100";
                name = ".env";
              };
            };
          };
        };
        synchronicity = {
          imports = [
            ./common
            ./common/linux-specific.nix
            ./hosts/synchronicity/configuration.nix
            (import "${home-manager}/nixos")
          ];
          deployment = {
            targetUser = "root";
            targetHost = "synchronicity";
            tags = [ "prod" ];
            keys = {
              "nyandroid-token" = {
                keyCommand = [
                  "cat"
                  "./secrets/nyandroid-token"
                ];
                destDir = "/var/lib/secrets/";
              };
              "hurricane-tokens" = {
                keyCommand = [
                  "cat"
                  "./secrets/hurricane-tokens"
                ];
                destDir = "/var/lib/secrets/";
              };
            };
          };
        };
        watchtower = {
          imports = [
            ./common
            ./common/linux-specific.nix
            ./hosts/watchtower/configuration.nix
            (import "${home-manager}/nixos")
          ];
          deployment = {
            targetUser = "root";
            targetHost = "watchtower";
            tags = [
              "prod"
              "home"
            ];
            keys = {
              "hetzner-env" = {
                keyCommand = [
                  "cat"
                  "./secrets/hetzner-env"
                ];
                destDir = "/var/lib/secrets/";
              };
              "gocryptfs-pass" = {
                keyCommand = [
                  "cat"
                  "./secrets/gocryptfs-pass"
                ];
                destDir = "/var/lib/secrets/";
              };
            };
          };
        };
        tears = {
          imports = [
            ./common
            ./common/linux-specific.nix
            ./hosts/tears/configuration.nix
            (import "${home-manager}/nixos")
            url-eater.nixosModules.default
          ];
          deployment = {
            targetUser = "root";
            targetHost = "tears";
            tags = [ "home" ];
            allowLocalDeployment = true;
            keys = {
              "restic-password" = {
                keyCommand = [
                  "cat"
                  "./secrets/restic-password"
                ];
                destDir = "/var/lib/secrets/";
              };
              "restic-env" = {
                keyCommand = [
                  "cat"
                  "./secrets/restic-env"
                ];
                destDir = "/var/lib/secrets/";
              };
            };
          };
        };
      };
      darwinConfigurations."penrose" = nix-darwin.lib.darwinSystem {
-        pkgs = darwinpkgs;
+        pkgs = import nixpkgs-darwin rec {
          system = "aarch64-darwin";
          config.allowUnfree = true;
          overlays = mkOverlays system config;
        };
        modules = [
          ./common
          ./hosts/penrose/configuration.nix
          (import "${home-manager}/nix-darwin")
        ];
      };
      darwinConfigurations."sierpinski" = nix-darwin.lib.darwinSystem {
-        pkgs = darwinpkgs;
+        pkgs = import nixpkgs-darwin rec {
          system = "aarch64-darwin";
          config.allowUnfree = true;
          overlays = mkOverlays system config;
        };
        modules = [
          ./common
          ./hosts/sierpinski/configuration.nix
          (import "${home-manager}/nix-darwin")
        ];
      };
-      nixosConfigurations."bloodletting" = nixpkgs.lib.nixosSystem {
+      devShells =
-        pkgs = x86pkgs;
+        let
-        modules = [
+          patchedColmena =
-          ./hosts/bloodletting/configuration.nix
+            system:
-          (import "${home-manager}/nixos")
+            let
-          sops-nix.nixosModules.sops
+              pkgs = import nixpkgs { inherit system; };
-          mms.module
+            in
-        ];
+            pkgs.mkShell {
-      };
+              buildInputs = [
-      nixosConfigurations."synchronicity-ii" = nixpkgs.lib.nixosSystem {
+                (pkgs.writeShellScriptBin "colmena" ''
-        pkgs = x86pkgs;
+                  ${colmena.defaultPackage.${system}}/bin/colmena --disable-emoji $@
-        modules = [
+                '')
-          ./hosts/synchronicity/configuration.nix
+              ];
-          (import "${home-manager}/nixos")
+            };
-          sops-nix.nixosModules.sops
+        in
        ];
      };
      nixosConfigurations."watchtower" = nixpkgs.lib.nixosSystem {
        pkgs = x86pkgs;
        modules = [
          ./hosts/watchtower/configuration.nix
          (import "${home-manager}/nixos")
          sops-nix.nixosModules.sops
        ];
      };
      nixosConfigurations."tears" = nixpkgs.lib.nixosSystem {
        pkgs = x86pkgs;
        modules = [
          ./hosts/tears/configuration.nix
          (import "${home-manager}/nixos")
        ];
      };
      devShells = forEachSupportedSystem (
        { pkgs }:
        with pkgs;
        {
-          default = mkShell {
+          "x86_64-linux".default = patchedColmena "x86_64-linux";
-            buildInputs = [
+          "aarch64-darwin".default = patchedColmena "aarch64-darwin";
-              nh
+          "x86_64-darwin".default = patchedColmena "x86_64-darwin";
-              sops
+        };
            ];
          };
        }
      );
    };
 }
--- a/hosts/bloodletting/configuration.nix
+++ b/hosts/bloodletting/configuration.nix
@ -7,9 +7,10 @@
 {
  imports = [
    ./hardware-configuration.nix
-    ../../common
+    ../../common/fragments/bin.nix
    ../../common/linux-specific.nix
    ../../common/fragments/fail2ban.nix
    ../../common/fragments/grafana.nix
    ../../common/fragments/headscale.nix
    ../../common/fragments/hedgedoc.nix
    ../../common/fragments/mastodon-ebooks.nix
    ../../common/fragments/mastodon.nix
@ -19,15 +20,15 @@
    ../../common/fragments/minecraft.nix
    ../../common/fragments/nyandroid.nix
    ../../common/fragments/postgres.nix
-    ../../common/fragments/prometheus.nix
+    ../../common/fragments/prometheus_exporters.nix
    ../../common/fragments/prosody.nix
    ../../common/fragments/sops.nix
    ../../common/fragments/vsftpd.nix
    ../../common/home_manager/common.nix
  ];
  nixpkgs.overlays = [
    (final: prev: {
      bin = final.callPackage ../../common/pkgs/bin.nix { };
      agatha-mastodon = final.callPackage ../../common/pkgs/mastodon/default.nix { };
    })
  ];
@ -107,7 +108,7 @@
      "*.argent.technogothic.net"
    ];
    dnsProvider = "hurricane";
-    credentialsFile = config.sops.secrets.hurricane-tokens.path;
+    credentialsFile = "/var/lib/secrets/hurricane-tokens";
    group = "nginx";
  };
@ -181,6 +182,27 @@
      globalRedirect = "technogothic.net";
    };
    virtualHosts."grafana.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:2342";
        proxyWebsockets = true;
      };
    };
    virtualHosts."thermalpaste.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:6162";
        proxyWebsockets = true;
        extraConfig = "client_max_body_size ${toString config.services.bin.textUploadLimit}M;";
      };
    };
    virtualHosts."ftp.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
@ -236,6 +258,16 @@
      };
    };
    virtualHosts."hs.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.headscale.port}";
        proxyWebsockets = true;
      };
    };
    virtualHosts."jellyfin.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
--- a/hosts/penrose/configuration.nix
+++ b/hosts/penrose/configuration.nix
@ -1,14 +1,10 @@
 {
-  imports = [
+  imports = [ ../../common/fragments/graphical/darwin.nix ];
    ../../common
    ../../common/fragments/graphical/darwin.nix
  ];
  nixpkgs.hostPlatform = "aarch64-darwin";
-  home-manager.users.agatha.programs = rec {
+  home-manager.users.agatha.programs = {
    git.signing.key = "/Users/agatha/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/4286cbdb09fc1738081e8f7996a0b984.pub";
    jujutsu.settings.signing.key = git.signing.key;
  };
  system.stateVersion = 6;
--- a/hosts/sierpinski/configuration.nix
+++ b/hosts/sierpinski/configuration.nix
@ -1,14 +1,10 @@
 {
-  imports = [
+  imports = [ ../../common/fragments/graphical/darwin.nix ];
    ../../common
    ../../common/fragments/graphical/darwin.nix
  ];
  nixpkgs.hostPlatform = "aarch64-darwin";
-  home-manager.users.agatha.programs = rec {
+  home-manager.users.agatha.programs = {
    git.signing.key = "/Users/agatha/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/0082ebb800203877650324946262cf51.pub";
    jujutsu.settings.signing.key = git.signing.key;
  };
  system.stateVersion = 6;
--- a/hosts/synchronicity/configuration.nix
+++ b/hosts/synchronicity/configuration.nix
@ -6,20 +6,11 @@
  imports = [
    ./hardware-configuration.nix
    ./networking.nix
    ./monitoring.nix
    ../../common
    ../../common/linux-specific.nix
    ../../common/fragments/bin.nix
    ../../common/fragments/bittorrent.nix
    ../../common/fragments/grafana.nix
    ../../common/fragments/headscale.nix
    ../../common/fragments/prometheus.nix
    ../../common/fragments/sops.nix
    ../../common/fragments/storage.nix
    ../../common/home_manager/common.nix
  ];
-  networking.hostName = "synchronicity-ii";
+  networking.hostName = "synchronicity";
  # Enable networking
  networking.networkmanager.enable = true;
@ -57,12 +48,11 @@
  security.acme.defaults.email = "letsencrypt@technogothic.net";
  security.acme.certs."technogothic.net" = {
-    domain = "*.technogothic.net";
+    domain = "hs.technogothic.net";
    extraDomainNames = [
      "technogothic.net"
    ];
    dnsProvider = "hurricane";
-    credentialsFile = config.sops.secrets.hurricane-tokens.path;
+    credentialsFile = "/var/lib/secrets/hurricane-tokens";
    group = "nginx";
  };
@ -82,6 +72,16 @@
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."hs.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.headscale.port}";
        proxyWebsockets = true;
      };
    };
  };
  # This value determines the NixOS release from which the default
@ -90,5 +90,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.11"; # Did you read the comment?
+  system.stateVersion = "25.05"; # Did you read the comment?
 }
--- a/hosts/synchronicity/hardware-configuration.nix
+++ b/hosts/synchronicity/hardware-configuration.nix
@ -6,20 +6,9 @@
    efiInstallAsRemovable = true;
    device = "nodev";
  };
-  fileSystems."/boot" = {
+  fileSystems."/boot" = { device = "/dev/disk/by-uuid/F5B8-26D6"; fsType = "vfat"; };
-    device = "/dev/disk/by-uuid/7A0A-7539";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
    fsType = "vfat";
  };
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "xen_blkfront"
    "vmw_pvscsi"
  ];
  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = {
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
    device = "/dev/sda1";
    fsType = "ext4";
  };
 }
--- a/hosts/synchronicity/monitoring.nix
+++ b/hosts/synchronicity/monitoring.nix
@ -1,30 +0,0 @@
 { config, ... }:
 {
  services.prometheus.scrapeConfigs =
    let
      input = job_name: host: {
        inherit job_name;
        static_configs = [
          { targets = [ host ]; }
        ];
      };
    in
    [
      (input "telegraf" "localhost${config.services.telegraf.extraConfig.outputs.prometheus_client.listen}")
      (input "qbittorrent" "localhost:9006")
    ];
  services.telegraf = {
    enable = true;
    extraConfig = {
      inputs.x509_cert = {
        sources = [ "https://technogothic.net:443" ];
        interval = "10m";
      };
      outputs.prometheus_client = {
        listen = ":9004";
        metric_version = 2;
      };
    };
  };
 }
--- a/hosts/synchronicity/networking.nix
+++ b/hosts/synchronicity/networking.nix
@ -1,11 +1,9 @@
-{ lib, ... }:
+{ lib, ... }: {
 {
  # This file was populated at runtime with the networking
  # details gathered from the active system.
  networking = {
-    nameservers = [
+    nameservers = [ "8.8.8.8"
-      "8.8.8.8"
+ ];
    ];
    defaultGateway = "172.31.1.1";
    defaultGateway6 = {
      address = "fe80::1";
@ -16,39 +14,20 @@
    interfaces = {
      eth0 = {
        ipv4.addresses = [
-          {
+          { address="157.180.21.190"; prefixLength=32; }
            address = "77.42.21.227";
            prefixLength = 32;
          }
        ];
        ipv6.addresses = [
-          {
+          { address="2a01:4f9:c013:cf97::1"; prefixLength=64; }
-            address = "2a01:4f9:c012:5901::1";
+{ address="fe80::9000:6ff:fe46:85f6"; prefixLength=64; }
            prefixLength = 64;
          }
          {
            address = "fe80::9000:7ff:fe07:64f5";
            prefixLength = 64;
          }
        ];
        ipv4.routes = [
          {
            address = "172.31.1.1";
            prefixLength = 32;
          }
        ];
        ipv6.routes = [
          {
            address = "fe80::1";
            prefixLength = 128;
          }
        ];
        ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
        ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
      };
    };
  };
  services.udev.extraRules = ''
-    ATTR{address}=="92:00:07:07:64:f5", NAME="eth0"
+    ATTR{address}=="92:00:06:46:85:f6", NAME="eth0"
  '';
 }
--- a/hosts/tears/configuration.nix
+++ b/hosts/tears/configuration.nix
@ -1,8 +1,6 @@
 {
  imports = [
    ./hardware-configuration.nix
    ../../common
    ../../common/linux-specific.nix
    ../../common/fragments/graphical
    ../../common/fragments/virt.nix
    ../../common/home_manager/common.nix
--- a/hosts/tears/hardware-configuration.nix
+++ b/hosts/tears/hardware-configuration.nix
@ -1,31 +1,21 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, modulesPath, ... }:
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules =
-    "thunderbolt"
+    [ "thunderbolt" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
    "xhci_pci"
    "ahci"
    "usbhid"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  boot.initrd.systemd = {
    enable = true;
-    emergencyAccess = "$2b$05$eOIXFST5/9G6vAFIZDLGfuJV7CV1B26YmRMAFRstyRHwvBNFSN6Im";
+    emergencyAccess =
      "$2b$05$eOIXFST5/9G6vAFIZDLGfuJV7CV1B26YmRMAFRstyRHwvBNFSN6Im";
  };
  boot.supportedFilesystems = [ "ntfs" ];
@ -52,12 +42,10 @@
    fsType = "btrfs";
  };
-  swapDevices = [
+  swapDevices = [{
-    {
+    device = "/var/lib/swapfile";
-      device = "/var/lib/swapfile";
+    size = 8 * 1024;
-      size = 8 * 1024;
+  }];
    }
  ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@ -69,10 +57,11 @@
  # networking.interfaces.wlp7s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;
-  hardware.graphics = {
+  hardware.opengl = {
    enable = true;
-    enable32Bit = true;
+    driSupport32Bit = true;
  };
 }
--- a/hosts/watchtower/configuration.nix
+++ b/hosts/watchtower/configuration.nix
@ -1,24 +1,17 @@
 {
  imports = [
    ./hardware-configuration.nix
    ./monitoring.nix
    ../../common
    ../../common/fragments/home-assistant.nix
    ../../common/fragments/media.nix
    ../../common/fragments/prometheus.nix
    ../../common/fragments/sops.nix
    ../../common/fragments/sponsorblock.nix
    ../../common/fragments/storage.nix
    ../../common/home_manager/common.nix
-    ../../common/linux-specific.nix
+    ../../common/fragments/bittorrent.nix
    ../../common/fragments/home-assistant.nix
    ../../common/fragments/sponsorblock.nix
  ];
  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
-  boot.initrd.luks.devices."luks-081780bd-f005-4394-bbf2-3e5d9aab3c7d".device =
+  boot.initrd.luks.devices."luks-081780bd-f005-4394-bbf2-3e5d9aab3c7d".device = "/dev/disk/by-uuid/081780bd-f005-4394-bbf2-3e5d9aab3c7d";
    "/dev/disk/by-uuid/081780bd-f005-4394-bbf2-3e5d9aab3c7d";
  networking.hostName = "watchtower";
--- a/hosts/watchtower/monitoring.nix
+++ b/hosts/watchtower/monitoring.nix
@ -1,14 +0,0 @@
 {
  services.prometheus.scrapeConfigs =
    let
      input = job_name: host: {
        inherit job_name;
        static_configs = [
          { targets = [ host ]; }
        ];
      };
    in
    [
      (input "jellyfin" "localhost:9007")
    ];
 }
--- a/ops/home/push
+++ b/ops/home/push
@ -0,0 +1,5 @@
 #!/usr/bin/env nix-shell
 #! nix-shell -p colmena -i bash
 set -e
 colmena apply $@
--- a/secrets/frq-friend-fedi-data.toml.bin
+++ b/secrets/frq-friend-fedi-data.toml.bin
@ -1,22 +0,0 @@
 {
 	"data": "ENC[AES256_GCM,data:sYrv8xVojM6mU4l+4HHtwuF/XLlJD6rQW5BxmKDhPybS1CommEIYjzIOFkXPv7V3mCgrbDOZJntqX3xlZtoonO6/Ug6kOIeAL28hDBEDMVIsRV7jM377nR9QHa+dBEg8UNR8e+9Uaq8+6OcZJeuB8V6VTrAT8jEqwGR42Xx26QBgP6Ez07QbCIxAF0RPQXLIFHSKp0DFHMnmTxvSTm6TP2P3149W9EQE6cy6Jj5YTrqrHu7+Q532Z+DDFqx+JdWZDkQjrzBPSuM05WBawoVNsxcuYb9YLzrZjNszsRHQOrKZVH9fhTGwmy9H088zur6cTcQD,iv:OwGJM41AkivKWawZ1f3Pf6uWBJxSsPf+M/hIimrVBv8=,tag:vHg59RSTh8Jem9A4z/8p4g==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBN2FUN2Rn\nblhrUDJ4a1BtK1QySHJsWlJUcVFQckR1SUh0dWxPdmtYTU1CbgpRemxYZHRlMWps\nZ1NMZWU2cmducWd0Q1hHMmd6V3NHSHRFbThvcy9ROHljCi0tLSBiR1RlZ1hTMFBN\nMGEzelIvVHdrSTI0TmtvS3FqaVZQdnFKM1FCNTd5YzB3Cnlx1Dqj+SRHv9AkagDg\noEWwz/UlU3qQLb/KGAZjWxZ9a1SyYiHix9L9yg7KaiYcZDaD1SpqSehEijqbhVEn\nFBk=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RnJUdHBDMWNFYzk0WmlV\nZjM4eDhwZHd0b3p1Yk9qakVjajVRQVpRL0EwCloxRFBnM3pXd015MFBOYWZBTmVl\nRlRqNWxsWE01Q3F5TUZ6RjU2ajVpM0kKLS0tIDZZYU13UEF4Mk9xRkZCZEc5RkY4\nb2p6YW5mcENOWGJzOFlJdURCc2pqa0EKQOP0X7Oc74hkeODFjbg+EbtRNRkAd3is\ntaSJJoDLYLGnO3ZXPgJ2BZo87AivQqAeC476HXXPzG4ekxJ4SNgcwQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5VEdlc3p1N1ZtckpVUEoy\nOGpJeWt0amdRS2pPcGJkeUJEL1kyWVFEUldNCjZtT2M1QXAwdWJVRkNhdHF4bWl2\ncHdISWR4ZVVUbzVCYnZXRnZRcnNJK00KLS0tIDFJODJVOHhVai9qZUFWdkRyMlk3\nQU5Ed3NZRU5CVUZGM1VUb0Fibzg4WHcKFrZADMcpvosNqGpaqSQSWgGHbcfJUVi9\nb4iiWEB9xtkidNrZ2ir7C5kXUDmEskE0idBcs36oQJ+5jgcoy+vVdQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2026-02-02T16:53:43Z",
 		"mac": "ENC[AES256_GCM,data:CK1T/TlJwmikmdJzjn6UrtbmFLSLL/B8rHONwRsnOwLSt0Y8g/5BJlI67pc42gtqdEbpSDpxfztr0gat7tm5xvfo8lTWWafqOw8Hj343/ya1LLJKlq0ScSo+liFdrJhPXXwHn6T9dlnJQwmrYTZc6isjj4nwFaReOFre/NgBFzI=,iv:EdjoWJri/TGU+Zf3eR8PF4+FwBx8hzTikrMx6Hga7dw=,tag:3F2+vQksjK+zzEuO/JPomg==,type:str]",
 		"version": "3.11.0"
 	}
 }
--- a/secrets/gluetun.env
+++ b/secrets/gluetun.env
@ -1,12 +0,0 @@
 OPENVPN_USER=ENC[AES256_GCM,data:UC3zqZEHTUKDdEHz6MxLZZJHLbg=,iv:zS3m3pRnYdlaQ3MAJR11hljNf7kqM8fz1yx9pfnmIe8=,tag:l+dSfGV1AmvaRBHogYZk3A==,type:str]
 OPENVPN_PASSWORD=ENC[AES256_GCM,data:0fnjaHdfHDmiOOXg0uZhk1lPTs84GFK/Va9PGnD8i2Y=,iv:GmhmknF0iG9q13XRLyq6ePtUdL/PzBMQi8XGEKWHuV4=,tag:/BTJpz/I9qdY1nJaWud9Yg==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBN0lyTGFk\nZC9jZ0FTaGc4cmdJYXlzd1Z3US9iMnhhYzM4Umc1ZkZ2Rmt1TwphdUhxWStDdWl5\nNitnME9JSEFzWGdKRTlUdEVmeWJYUXJ0TWt3cEFCN1dnCi0tLSBreW1XSDFIdmZL\naWNxQ2FFYk8rU0N4R2ZoQmdVUXlKQ1dMV2xFcmNUYWFNCsDqGgYvv2aTQAGLh9pv\n7X98iUcgOzLzsLnRpOiN77Bt9MnCBs6F3M+TgIP/hKdACsJz3q1Qoi1AsQCtqQhl\nkA4=\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZUo1UjFGbHo3UjlUOHlt\nQ1VHRjBNTjJjb1U4RXZHcnpKVWRoVTZveVdjCnZZNUIxK0hyOGl3OHBma05lU1Ir\nY3grVTdHMUp1cUZoZDVseWhDYU0rQWMKLS0tIFYrTFpoaGJET216dms0M0IrdU44\nMStUcTJzbmp1S0VwUyt5MjVTSE1QbEkKrTWRGYyPgnBZavXg5yQqi9ld2wsLW5ki\n92aKUZFOOs1leJrNAz+lJVExL1EiMWsE6FsZZjN7w/oAzISA6EdvqQ==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUjNTdU1XaHcyNWFmV1py\nd2tFeHdqMEJNalpNeXlHU0tMNTE3UWFIdlNRCmhNWDBIWjhYQWtIMUI2V1ZFeDVE\nY0ZILzlHYnAvRlZBWnpUY1pic1RBN3MKLS0tIFVQajlpY1FWUjZteTlpZE9YZkVs\ncHdXUE1sb3lsMDA5TlN6dHR1Nk4rMDQKhvfWogysSIBPrEAX2yQQjB40lE3abPtI\n4DKl90WKufpR/vVGPioTQkZN8NnXDpB/r29WHM0pjV9+2iQa/zHsjA==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
 sops_lastmodified=2026-01-28T12:21:41Z
 sops_mac=ENC[AES256_GCM,data:cfsq2NkLUkGehYvdUZuljE4UnVNs81SRFn+F02W0va38EPZputP40ALk3rCDg3t9l8EtVQzqh/MT40xZgLVUTJNJDhbzxKcAPM6hqCEWAaITZfDqace2XoPqlnw4WqLg1OD8CwLMQA4Insob37HKJj+Vk10ev56qJhQrB1rrDpQ=,iv:0QiWC9auK412G4SFwNr2tjzPHKrba+7ZPL5epwrVivw=,tag:fPSetTZ3ax5iCPhWvP58eQ==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0
--- a/secrets/hetzner.env
+++ b/secrets/hetzner.env
@ -1,12 +0,0 @@
 USER=ENC[AES256_GCM,data:oHuOPKkNXQ==,iv:dLtmqNIswKrhyTRkI2R9Y2yqsdL5fRxxzhvn4CHWZIY=,tag:FuK4FLk8JQFYS5zDt8MSOw==,type:str]
 PASSWD=ENC[AES256_GCM,data:325dtEyGtdPFB87fDZeDhA==,iv:Wqpec+WnjNqyii/NzK2zcx05/9NWatpQnKnqxYRWuM4=,tag:HKiffdbZ8NnOvymyVcvlgg==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBd3dZRm5p\nNGFSOExRRHBxanZjZFI1MEtGYVEvNDlucDNRQ3MyVjFrald4MwppcGRLa1BjSWRE\nemVZVGlYNElSSEFsTFJMWkdrRy9nNFMxdUtWUUJlQ3FFCi0tLSAwTUFtQkVxNGVa\nb2xlZVhzTWE3QXNTYlRlQStodFpXUWNEVU4wbE9UR0xrCsH58NmBHr4myvf9QjeG\nmzm1I5xJfIeHIBMERtcQyRlHhRzcOtHQ5kvlitng9oCaxmlbkBj41YqQHnJrdb6G\nS+c=\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TllzU2RpZHkrdmVCYXVu\nVWI5NXExajRxZFlVeG14cUE4QnRrRTZQWVNRCmlBNWxDOC8rekRRd2tFaDlOaC8z\nSXROdlF6ZnNXNkFIWFNaTW5NbVdMQ1EKLS0tIDFia1ZtZTZpN241cHhsMTBmSlRO\na2FwZjIwUW03SysxWGEySEtkOE5adzQKtbOlmgsNLpw/v0xQGYO++2I/jvFpKq9M\nKkYRbx6DpxAGjOGjE9MbcGABaQOY2Q9Jmx8exoUzK1dnpLWSyfwAhg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGU1JydjBTYnJpSmVxeVBa\nMUlSeGQ1YjVMYVVMdU9TekI1Q1F1V3VOSlNvCk03czE5bjZyT3RNK3RLNjdYbFdZ\neE94UmFJMEpxanN5OVk4RExUclU2RU0KLS0tIGpEeHJyMFRoSmY3V2RjUkVDblNJ\ndWFzbWRZclp4Q3BSY0thNFlYbHJoRGcKxpNqauGsxCSfa7qkRj5eum5h7HkAQMRP\niGkm1UGwToB2AvfwiH5J/Wk0ppQfWph9yMlk11fXBFIBYH2ZpU855A==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
 sops_lastmodified=2026-01-26T12:35:08Z
 sops_mac=ENC[AES256_GCM,data:OTcYnAlgD9RDnMvBqVMMKQXxeVhk6dzgBRBocctgNYHWl9b5BNkViYNJqqUpU83fBOWLit7x5T5tK4sG++FjEsnuXjdMV4+/u3nODI3GNBxuIzn+v65wyagHnLwqWZiORKOfx6301m+kqDunO1lExnSMsSfno3vUbnhaUisRuls=,iv:6pIr8ud2WPyF7D/YeewnDzPT0csoXC1IQlsNTknjly8=,tag:0hjDU8uMgzuQ7cRtdq7btA==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0
--- a/secrets/hurricane-tokens.env
+++ b/secrets/hurricane-tokens.env
@ -1,11 +0,0 @@
 HURRICANE_TOKENS=ENC[AES256_GCM,data:wUBal5xSVjfe81pY3nw6WXNah8sGEiWmLz6FLk5Elan4JgPw70Q3+SiKlyo6IsyIMQ1GTgIkRu5wP8ijZV4sEi1emZzE0qPxYx8=,iv:ZJLRj0zFBfg0va+MC4OMUESXBEYw7tGZjBLWw/buRek=,tag:A0507C0hZ10wiMK8S7eALw==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBbGRTeXdh\nY2RLaXAvVTJwbGhMWFFCNjVUR0VCeDNHS28xVXFobjViWXJlSApoZzNnMmdHdENh\nOXRVeWt0RmoyL0lEY0h5a2N2cG84emFOdlNkdkoybEdNCi0tLSBFQWtROUF6eExl\neTFDZUErc3lScjJXRFZINE8rTjE5NXVJd0ZDUGNwS1hBCjGca3mxgf3e+V3dHLfu\n3+lLIPUVhrSqdyvS3blaW7pNosjjgJIOme6C0iV78vB5qvnF1U1W3DhKEfQaYRm0\n2PU=\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWkZpaUJXZXlOZ3UydUF0\nTUZCRFhxcG9ndXFrc3J5U2VGRkZDT2tLSlZvCmN6Z3pQS29iamZIS2ZpbkI3c1M0\nMmZwbEhsSDY0VjNKeXkrZ2U5b3l4NFEKLS0tIG9jbUprMDF6ekE2ZVFCWEJ4SDkz\nNkpKeThmS0RiNG42bko5N0ZDT0JmVTQKDmiaRvZzTEP+FV5Cu0wdAq72ZTLO70nA\nCgcxktWG3vOW1tjcc2brMICiCBC1wKPg6AAxQTU7txGjWm1MA7cjPg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSFpwSEJheWo0RE5EZVVT\nNjAvd1l1WEwySkpNVzF0N2ZFVHhjZ0NoT2xZCjB6NWFWMytwNk4zZjFEZXE5OVpW\nVytweEdoVkZVYzBabm9IeHFPZC9DU28KLS0tIGx0eW1KUmJkVkc4a3owTmxpMmVL\nRTdCMTdWZXFLUWZtTUoxdG8xTzNVaUkKNbcqCB/7wNXfbNLvKTJ2XwHZmgAqVdbB\nLxSkLWp5ecdKfa1eK1I/NcWT2p6P9dWjRqYF1VzAxN51vv4FJ0ljUg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
 sops_lastmodified=2026-01-21T15:46:31Z
 sops_mac=ENC[AES256_GCM,data:ZPwm9aNsY0m95Db2BiwFTsybthS2SZPdS37uesTZEX77gnBt79UE55z3kaP66a5F2PUiUuEBMDC+Rl44qSOL67fWbUqmFPKQMz4U463oerAvCB9K5W9ZZai+EC9cia073ScmrC+4xrJ2OrIYqxA+WoKz+oUXU7SkDUy9Zll2eJw=,iv:du+q9lOlAySVWf8BbFPBydYL9geuPjOvRVmpq8E7whM=,tag:V2A+V35LCmfMHRT7wXgGzA==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0
--- a/secrets/jellyfin-exporter.env
+++ b/secrets/jellyfin-exporter.env
@ -1,11 +0,0 @@
 JELLYFIN_TOKEN=ENC[AES256_GCM,data:kgmwncy5qY+twVSaRoox4jJBFJMsyjszzTIu2Kw/ZMQ=,iv:jb1fmXurYQ6rtmFfnIP3ogG6J460ZWMCy2W82alW1MA=,tag:eE5CZAWns0r+jyB4IMJwOg==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBK0MvZHY2\nd2RMalE3Z3BYM2FxdHZaZXdDNXpEWUV4OFRqT01yc0htQUVYbgpneUh3M2xWNS8x\nT2FCQytLZEJXYjJpZEIza0xiNWs0ZzBwbWhqVHVWU2tvCi0tLSBWdGZxK1RZZmEw\nL1NJOHJpZG4vS29UTVBDcXcwek41bW83WGFka3dwRmlzCqzxY9vWt8VYLi8JmO+p\nrspbb9hw+oNNw9wdn5THamhbV4DK8WRxTveS2uWqxQ8k5+jY19necfEsMFkKIVrZ\nhWY=\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBITURBU1Z1ZVNQSC9KcFdG\nazdoVWpLSUczN283SFE2Qy9Ua29nSGp0dkFrCk45TnBFMmtSWG1ROEpLcFFqVm03\nTHo0WG0wYVllczBpNnoxTkpSNWpNblEKLS0tIEdwbnBLVHlrT0VIOUx0VUQ5SDht\nU283U2d6SkEzeEFSUEtrdGgyM1dGSzQKywaFsova8F2h2+5ZnO0UGi4hYQW0F0sb\n/51wf7zM+9OR4REh1zx9jREgjmYLv3y17t82zFhXp9UIhKhtou5Tpg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM1NTbHJtS25oQWpsNXNy\naUljQnU4N2s1WlN2aXBpY3I4TWxsWFBXRUFFCk11QTRaVmk0RllROXN6WEdvaStO\nN3VuYUJWVnFlampYeFpGR2hNYm1CelkKLS0tIEZ3czh1RUxhRE9MdnRsbXIzNDZl\naHNKbGx2RGdtZ0NkL2xMeHhRRDVUK1UKpp88f8DY5Dy++OL6m+MSb4TOuJZg4iTn\ndzQxTkgYoH3wyRxG4xzcylQjZ4YHgCNkem00B2+UwtXPgqug6d37Ww==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
 sops_lastmodified=2026-01-30T13:09:12Z
 sops_mac=ENC[AES256_GCM,data:Ux9+Hc0bGvu3M24VHnHeEjGG9zrxVe9zoWrQuDuafTbvQLd7xUCtTHwEuQtqMVMYH2iegInJoJbXlQfFdW7vQ5sZx/zU2qk8uZDO6EutaWde8W29PXlPP4NaVuNOJQJmhLxEDH3RjY38MVH3o8ZvV0e+Fa4Str8o6toU1SZGQAs=,iv:XEainseudNbPqv9fecTclMMLcMVD5mOEempOWrh7SP0=,tag:S9G1HG0SSJjDJhq7r6r+LA==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0
--- a/secrets/mc-status-bot.env
+++ b/secrets/mc-status-bot.env
@ -1,14 +0,0 @@
 MATRIX_PROVIDER=ENC[AES256_GCM,data:w9e4AVywyz5giGv6bI0+FxZL2w17aZf+Y3BUiA==,iv:NDFxHRu0JjVYszRQjMru+pZbqOaCk9GNPu/OHyZLZsA=,tag:edY1V+z6oOr5caLYDJTAeQ==,type:str]
 MATRIX_ACCESS_TOKEN=ENC[AES256_GCM,data:POqd/0mHLn+lWGpISwTsqSTZ8QWMPL6hm095+hoTgGUXdReoUbVTSmk4IWTIflaOJQ==,iv:dMbxqDjXMIRRM/egVrywPC8HclnSc+Ukm4EkdztarfA=,tag:yJdrycQ+3GzsWYJvXVOhyQ==,type:str]
 MATRIX_ROOM_ID=ENC[AES256_GCM,data:7fTgkDxadXxOi/nJAEtMWghwJoPflTxgOSyLL6d4l7dy9xWCHaI=,iv:MAyCZbBxTj2v/j9Q+/7d/FqMLYk6tPYy+5EqZpB9h6k=,tag:0E79zEFKm31YrWjCpmiaLQ==,type:str]
 SERVER_ADDRESS=ENC[AES256_GCM,data:wVuImYmCmG55nnPhKKX7ubpzYq0k,iv:PFYhzPR0f3k1ZVOlYMxMKYCJh3Oo42RXSRv2VvLnx7g=,tag:pFdGL0mckAg0N/IJz0n6/w==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBeE1jeXBQ\ncVMvM0dCVGdacEpvempETGtoelUzNHovWW9UalMveGNzZlBTVwpqQ29EWVdKNldM\nRnlhNTh3NHppNER0dG5KL3FLd3dlakZIZkJzMXhwTGxNCi0tLSB1cWgyMzZ5SXY1\nZG9FNUlJQk9uaWxRb2w2dnl1SFNZYkVEZ0lYdmlubzBnCjQwFtsRwjsX+9b5VXoR\nu3/ZIfJpIZkYf8c5Ob/m8HyNSL9oPrNuMiksxf4IriXkfSbd+w6hvBY6breG2YIj\n8xM=\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnaFRFZmVBeHhWOERmTjY2\nR2Y1NWVIanh6S2F5N2ExU1dIa0htYXBjRXpnCllLTFJVZ09PdktyNU4velNZeUU3\nV1A2ZkFnckRVOEFTSXFFdUdWbStEcTQKLS0tIGM4MUh5d0NzRVd0ZSsrZXA3ZkRB\ndHlyWkRvaHhIL3JkUUJnU1ZJY2tvNGMKPcjIbW2sNIuDrewO9svoHGJWizB4sp/w\nBzYZbGwIfKdbPHvSyveOd7r19EgW32CaczepCkayiPbGXjgZvjKyVQ==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6S3lFNDFhZjdXZXJXYkZP\nclFBMEdZU09QdGQwYjhzekxVNnFRY1BCM2hzCisySkdBUWp2OXBmRWNBTXdydmo1\nWjBabG1IR1l4ZUVJNEpQY3BleWg0TTgKLS0tIHZhT2ZEenJsbkpYSE9IeXloOUtN\nM3VLZmpTc1d3d2hyd1VGY3JkVzhpRzQKsGIQlZQ8SUzTXUoVQFXWROKhDhMnO9E3\nrNXMOgaBgKtBX/heASJz+c+v+LJA6LEXUD8QHpJtfwwaYccLf9Xz5g==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
 sops_lastmodified=2026-02-02T17:00:58Z
 sops_mac=ENC[AES256_GCM,data:HarL1bLMnY+wnEA8iBwuRcGZrNUlopfYVEd99rFHk7ftKnFo4ipPsnshlE8bLqu5Jghp/+n5YYLkAC4vkIAUvbLj+yWQf1ImoJlGg4HvoIyNUbA1xCNlFjH5Y151h8jWLpYoemQpvQThC6hmNZkNR/bewUGvaL644OCJpDTqyzw=,iv:MSJI8Q4P3AI4XNrsPIao9jsf7f85A9ubxy0KmdPoKh0=,tag:4ri2+WTvseqNcVDTB15mFg==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0
--- a/secrets/nyandroid-token.env
+++ b/secrets/nyandroid-token.env
@ -1,11 +0,0 @@
 NYANDROID_TOKEN=ENC[AES256_GCM,data:La7tY2dCZfXaxxo3RH3rghGJ244Gc2txt6Ja6lHbxNDJFpbAv01Evx+J3KFEs0EYMjclWWFOV3SZLy8=,iv:iLSQGVUKWwe3PMdkfuY3yVk0Z32AONJDZZXdl6G+hFU=,tag:YhJEZDqgJtD4lyVZmSEnDA==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBbmJzMTgw\nWjMzci9YaWhRejh5RTRLUXE5b0tkem9aT09nTWFMUXVyY3lySgo1cjZySTlvSG5G\nQnRQSXlYd2hyRGgxN0wrUzF0cG9MaG9COTM4dElFMFBrCi0tLSB2M1RUeWNHanN0\nNEVMYk04S0xjODAxbVhRU2JJWGFBTWRoMFRjMDZuZXZzCvEF4C5VB+G3ITku+e65\ncal5hgGMjvX9M9PZ4t1VvLo9i/4LZyAgmn2Jb4G9H3wBrA4uak+sB5uVG8hu+4Ru\nfHg=\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjNWxaQUcyNGFzcTdwYklP\nRmVzc2xUVXNOOUxwc3JrRGxVNW1qb0FncXc4CkZuL1hOS0dVa053NVRJZDBXYkND\nZ1FQYkVkRmNNdERwWW9taHZPYkxBVDQKLS0tIDFlZjMwZk1BN2N3MGhzcnExVy93\nTU5WSWJLZjFoM25JcUFaQkduTmFjU1EKEsNlMgtF3i6qD1WNaiCTu/tnvOrsAVZn\n+Mq8hb/WRJryUdBNDhnM5Acps2EUU9pm9LarU0XLYBRodw2fnvzrVQ==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUnhXYWIxeFlUQlRkVmFk\ndUREdkgrWG9PK1UvUFBpeS9KSlNqVHNVOEJvCmdKZUdGVVgveEtxdUdIZFBlaTNB\nSmc5aFRtZnc2dFhwcTlTUTA0WE1TMTgKLS0tIG9LYS9SWk51ZysyOGlvVUNsVzJw\nWUV6ZTMzM1BCbW0rMlIxQUFNbXFuZVEKWHG457bR2rEZ0EZV+IdSFVdN/4Zx+VOQ\n/EvoN2qcSk3FNIT+PaXnxIiCSpepZYfJMyFlHAeEi+EaazSwZ7p9qA==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
 sops_lastmodified=2026-02-02T16:58:30Z
 sops_mac=ENC[AES256_GCM,data:lHDUN2Ndk6cFcMcFvtxCVCAuQNiMQPk4rxI9Nh8vAlzHhdCdgvYquI9EPn7dtMhRHDPE3t7dj/6qVMvUDHLTJtcn2xXkvBi9ZfgUY3Halu2Ib/Fux0faGE5DdKOfOHbQGS6CHM+MUuK6LL/LWN2+c6zIW8cO0VI2t537ry0jq7o=,iv:04gwhK+6gKz5j/JUPLYfNszpWnTK/HZs8zSi9BAvqc0=,tag:5zaCYPJdWQRdaXTRv4Go8A==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -1,38 +0,0 @@
 gocryptfs-pass: ENC[AES256_GCM,data:9kNFGfTBdOGoXDfSQmnrkihnXmF2Qx0U,iv:lzPqXHbniTsltqWAsCaYgrS4UyZAskEX/nm6/IsbZ2k=,tag:kaou32kM5YCqoOHDQWT2Ow==,type:str]
 restic-pass: ENC[AES256_GCM,data:URCa2YXY103XnZmyY0Wp5RrzHPj5MvCvDcRurtfDPMU=,iv:0XvodvaSV3AkbDnXqHhRbvt1IcB0goeQBClwwzdxH7Q=,tag:huH+5YPARPAueMNmzI3Aig==,type:str]
 create-ap-pass: ENC[AES256_GCM,data:iIq0ZUCWKYKZWNmvTjon0D8HkzxL9iqX5rJj6VBkkwI=,iv:KGkYVwErmb5ra+HTv6MAgOW0Fs8vWx/Kz8PWD4Xx9I8=,tag:GOtcKfSe+61SGoh1PRGNWg==,type:str]
 qbittorrent-pass: ENC[AES256_GCM,data:J5m9y2pX5oI6ziIkhlMXXgszDum+rfQFfAQoImawW48=,iv:FqOYreDUX0CATPugra/dTlx2yMS4UMN0o8NesueRu3k=,tag:neKoHJhwdUdl/2mJKWkslg==,type:str]
 sops:
    age:
        - recipient: age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBcnY1MnB3
            VzY2KzkxcE5OT2FMMTM5TTgzeERTS2U2VTJqZE8vYTNiQnJKTApvN2o1Uk9VRHQy
            L1ROby9XSkFnTUxmUFhKNkJKVXFibndBSnNIRytIU1BzCi0tLSBCZExiWXJUSE44
            ZDh0UmowV2g3T0pUVGt1NnozNTV1ZDc4YkQ1K1hQVkFzChq8BRi5mt5nRcD/ZF+F
            YsmVYHxxL573oJD06MvSFpT26dNEUaqWblUP1NnI26Qa2b/K6n8eWR6ADqW0nPIl
            7uI=
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYVNuZzJmYWVNTlhveE5l
            U3VuUnRVd0NYMEkvTG1QR0pTREZHT21lSGprClBQaUhMSWJpakwyWVprcXZsSGU1
            d0tLblZYS1g2KzhLaXQzaHhIeUs3dEEKLS0tIEVYWWg3RWM0UFJScU85NG9kN3ZG
            c2RGbkpCa3g3N2Jock5vellXZEpldXcKowC4myqPJsS2dweypyWvol6o3WsAW9qD
            6NfVtXdj52+Whr+/tHUJ1J2mkKZonSCfbpmKh/JYOINln6xgnDtbIw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRjAybHJDMEQ3TXpkSnlC
            NkhlTVRFdzJxaHdDeWNCOHpZUWtXMy80cFdNCjZDRC9OR0xnOS91QjdYMXFuRE10
            ZUtpQjRaeVhodFdTcWp0WmVBa1lpbVEKLS0tIEtmWUxiZDJ0djl0Tk9YbVlLcUZN
            RGtjY1V6U2tla3ZaS09haXYrYUNrVDgK0e3UVPshSTB7kwYzm4uVUDif2PwiIGg4
            Qb4P3L13Lg6tT0a1SBEs2gedbNVcWyA0YgGTWouWvZIhBmSCOvHYVQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-30T13:08:33Z"
    mac: ENC[AES256_GCM,data:uLkpRbQSwRY9JWXMeoTspoZHKyCaIwkCYzUE+R3Uwooft2VuvaPOQ+n9R9XpK4QWWKGQ86iRSBAhqX0Zc0xuvtMDZBIdjI1968U5JFSQoRI5Y68byQw+AayI+j/wrC4K/OPly/ain0soiHbtBh8WmHpSVGk+gVSrnHNgeLXMtxw=,iv:BVOYNlLGqTNRQB134ETNsLmkHO7eSiVimAqF2fHoC2Y=,tag:bqYoeCmGtzwL33BK6Q+U8w==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
`@ -1,2 +1 @@`
	`use flake`	`use flake`
	`export NH_FLAKE=$(expand_path .)`