fix merge conflict with tree-dir script

provision/hosts/kestrel/configuration.nix

@@ -62,13 +62,6 @@
       backup.enable = true;
       ssh.enable = true;
       terminal.enable = true;
-      wireguard-client = {
-        enable = true;
-        privateKeyFile = "/run/agenix/wireguard/kestrel";
-        address = [ "192.168.3.3/24" ];
-        publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
-        endpoint = "66.218.43.87";
-      };
     };
   };
 }

provision/hosts/osprey/configuration.nix

@@ -8,13 +8,23 @@
 
   # Set networking options
   networking.hostName = "osprey"; 
-  networking.firewall.checkReversePath = "loose";
+  networking.firewall.checkReversePath = false;
   networking.firewall.enable = false;
 
   # Enable docker 
-  virtualisation.docker.enable = true;
+  virtualisation.containers.enable = true;
+  virtualisation = {
+    podman = {
+      enable = true;
+      dockerCompat = true;
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
   
   environment.systemPackages = with pkgs; [
+    docker-compose
+    podman-tui
+    dive
   ];
 
   # Modules 
@@ -39,13 +49,6 @@
     system = {
       ssh.enable = true;
       terminal.enable = true;
-      #wireguard-client = {
-      #  enable = true;
-      #  privateKeyFile = "/run/agenix/wireguard/kestrel";
-      #  address = [ "192.168.3.3/24" ];
-      #  publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
-      #  endpoint = "66.218.43.87";
-      #};
     };
   };
 }

provision/hosts/torus/wireguard-server.nix

@@ -57,6 +57,11 @@
           publicKey = "CDoy/XI8FRQV/ySHigLWG2tpWVw8hgEZXRQCEE3qYHQ=";
           allowedIPs = [ "192.168.3.4/32" ];
         }
+        {
+          # Osprey 
+          publicKey = "mhOhkQMF4IxvJbd2FweGlwo7HCNCXupMxlnt1QQFyHg=";
+          allowedIPs = [ "192.168.3.5/32" ];
+        }
         # More peers can be added here.
       ];
     };

provision/modules/system/default.nix

@@ -1,4 +1,4 @@
 { ... }:
 {
-  imports = [ ./backup.nix ./ssh.nix ./terminal.nix ./wireguard-client.nix ];
+  imports = [ ./backup.nix ./ssh.nix ./terminal.nix ];
 }

provision/modules/system/wireguard-client.nix

@@ -1,42 +0,0 @@
-{ config, lib, pkgs, user, ... }:
-
-let cfg = config.modules.system.wireguard-client;
-
-in {
-  options.modules.system.wireguard-client = with lib; {
-    enable = lib.mkEnableOption "wireguard-client";
-    privateKeyFile = lib.mkOption { type = with types; str; };
-    address = lib.mkOption { type = with types; listOf str; };
-    publicKey = lib.mkOption { type = with types; str; };
-    endpoint = lib.mkOption { type = with types; str; };
-    autostart = lib.mkOption {
-      type = with types; bool;
-      default = false;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    # Create qr code for phones with:
-    # qrencode -t ansiutf8 < myfile_here
-    environment.systemPackages = with pkgs; [ 
-      qrencode # Command-line utility for generating QR codes from text or data.
-    ];
-    networking.firewall = {
-      allowedUDPPorts = [ 51820 ];
-    };
-    networking.wg-quick.interfaces = {
-      wg0 = {
-        address = cfg.address;
-        listenPort = 51820; 
-        privateKeyFile = cfg.privateKeyFile;
-        autostart = cfg.autostart;
-        peers = [{
-            publicKey = cfg.publicKey;
-            allowedIPs = [ "0.0.0.0/0" "::/0" ];
-            endpoint = "${cfg.endpoint}:51820"; 
-            persistentKeepalive = 25;
-        }];
-      };
-    };
-  };
-}

provision/secrets/borg/torus/password.age

@@ -1,11 +1,12 @@
 age-encryption.org/v1
--> ssh-ed25519 6UNP1Q 6s8KZWviujiW5OuQpyOTC+cI5xf+70yqRihTs3w4TSQ
+-> ssh-ed25519 Fz/sQw BG3gSzOt4NnYg4tvUrpHyDN5YxAmhTqCQl9mg8VahQ8
-CHKfAquKUQOvZ00wNgrA/F65406jpqGqcbbjXVlEz3Y
+pT7jHwgWqED0EhSW4u/2IAk9sic7EsBH/kuLCMz2S/Q
--> ssh-ed25519 Fz/sQw L7IS/yJc0K/gwLGdPN/KTSi3DQth7MPCqu4kGEkjhHk
+-> ssh-ed25519 47GzQA iX0HbkZepBtkECohQAdQUKmIr99gbqRjsR5sludsz28
-JlKbG6mkp+lqLxvrW/MTZ5cJpMijUurn/knLlCNC9lI
+Dc2uPbvI5TEH/smYEhD9iKfV4d6m77YbI0KtCBDj4Tw
--> ssh-ed25519 47GzQA b0EozU39H/+85A2YA+mlIqV8W/Z38Qz3jzmQ2+4paAk
+-> ssh-ed25519 wcI7nQ 1v2XY19GWty042MUE7CqNeS1dfoHnyU29oXqk2OLBSU
-3VOuwAthzHh8bf5M50qxt9mnlvnH1P8pgb6yA7PXnUw
+GV6pwIQNwBIh53jPzCvbj3JC9pm2iNJ7ffaL6IoqqTc
--> ssh-ed25519 wcI7nQ xH7nDxAYCLwIOgkoTRrGazV6EU1HJDpB/c0AoQiSehA
+-> ssh-ed25519 QjdSCg duJJHlktHXdvVPmJ8dnbcyfsF0zg8qtkfgS1zuEnBxg
-jIv44e1FWCz7d5vZodYktUYJgVEbIE472K1UEMquaKE
+a4gkKxb0V3M0rR2dvI/bNAp3JdqYhwTfgcbsUMlafLY
---- 0YRStYFEOyTVnAy+WpjGXxQSGYqAYT+QPUx2pJUBCX0
+--- bCY9SZh/uILKWC+HIDGGvtRekgd/SrkDrjsqenlYy4Q
-~¢-Á“=<š²ÃîPÖ´K?fÊ
–÷ž–)´ZŸMcÚKÝ6lt°UXÉVìúÄû×)
+P·´tåf>
+Ú»’]ýÛg«º,Ô›<C394>Ç3@:<3A>I!Š”CL”0˱§UÖR¤Em5(bÄ

provision/secrets/git/gitea-runner-1.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw uRPe6lrPzIntOBzSYR+zM2xBihHCAsdOtix9L9221FI
+-> ssh-ed25519 Fz/sQw 3n93xKLbFY/g/clYcBKPBrXZMs22ZZSEDZNa0FtnkQY
-6i0DsOZhZdi0ZmKJAuG9xEX7dtK5+daGule506UNsRQ
+7kDjgpkzOS+v819wglrjBfLx7zsHQeToib2/oV/vD3w
--> ssh-ed25519 47GzQA etB0mmw8g4t0mfzBEv6Dr6V9IdoJegAjgbOY/t3M9ik
+-> ssh-ed25519 47GzQA VCWmJ3Nb/XBXN7V2irLUkPVtavhYOjxNhdGPKiC19kU
-FgN9DrAotYJ2rvvEh80+Wp5BxoEHe3W4LgCLld0G9v8
+8m33nbUrsi8Ll9Q+Q2N2wS2vA2g8g4+sc1wQAfZVJ7U
--> ssh-ed25519 wcI7nQ a3seigr8UNpEeUil+OSbf5RyjArSm03ygNw5AjtJYQ0
+-> ssh-ed25519 wcI7nQ uYBJuDWlBMWCi0eWMIwr4F4jvtNok199e3MrCE/r/RE
-Sc9J4LQI9kFUFDzFjLS8Zwo9Z/HTawBsrv4qRxftwMg
+7OKUuehbj1RGAJsam7VhdS3kmk7z4ubzNdp69L40R+E
---- sGLvBOkszi11u/ukhK9iQ/FYHuqW52UXIY9kswVF7Tk
+-> ssh-ed25519 QjdSCg 5nBn7wJf2BktrIwod7bpGNBo5mWenrEnumWNvn1phC8
-SºaÈòüÜ2ðMÍ$õã7<C3A3>Ö´ßVÙÑ2³Ü)|QˆŽØÂC›<rP¤iMëú<8û³7?¹ßB¾Ú8(
+95UfxJZCBblIZDdjzqqLn3t/sLAgPn2ToMhg8FQxDN4
-"A_}é÷øM¤tLÿ
+--- QUWYQ9sUG/C9NqiQISqYKDZtiIlmZF+zz9ZPvzIFQEs
+tå·ô-ùÌKÎ)¡¿?KwHÎd,Q<>`g»§£ÐÒ‘ßÌÐsçR5E^ï×¾/AÂò}CIúÿ ˆf¥}y2DiU?IÞê

provision/secrets/nextcloud/password.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw D8xp6P6CIlU1vp9NDDgC5P8648GY4jNedSaZ++uTfVw
+-> ssh-ed25519 Fz/sQw U/E6jppAIUVsHeNS+kZjGZpTkNWmFRqCGZ2Q4eZtuV0
-/qXd2ktfWuBt0sPfaiwSpKVGShsxNmKQoKIhAFrQyQU
+2Y1fAiosaW9aq/7892yfvmC4eKRUZZJXEl/tzh6vOao
--> ssh-ed25519 47GzQA WxEhnZCbakh30S7mh8UpVe4X6J4eJrF8mvePNKpQvyU
+-> ssh-ed25519 47GzQA PJsonbWNJFfI+TVau5vk9mBJlXm5GTvizkQpgH33dSA
-qIFyNn+oLOxld71MtVvdRPqWXfJXhWeIrwJeSuNwRT0
+z3doq6ckb3+dLffGbPwiGWjhCf/krVU2VzG9H4eSAHI
--> ssh-ed25519 wcI7nQ DTTaJCs7AaIn9llD9YOtpdUdHA1Eo9XcQvjPgGEjbUw
+-> ssh-ed25519 wcI7nQ Mw8nEI2WoA3lgK4d8ZdBhHV+K5RmafaJ+ygwNhP+fSI
-A4/HJuQ/kUGYEu1DvmpOPkaTqsTVZcAfiFd7nghKzYo
+KIhu5YbH+svR6mQyJZxYOSe+ggds0lt5rogunvpVmxk
---- TXBkDRWLUw4eisc3Hgqy4ukZrUdbXdGn5+aa8gsBlzU
+-> ssh-ed25519 QjdSCg QRLyWUjRnLM0ruEEq59pskNklcYhyc+V2lfAk2dWDis
-¸HÛ'nƒKt/}Øà}C½õØØ<C398>úù¥õí{†¨¦ÿZÌ÷{»
dó
+6qF8EcTLGoWSPzQGvm5dRNqgKZ7Wo8yrt0ldmnSHdhQ
+--- ZJgYQlKGRKpBfLgMZDerqv/Fu76qiUfoGZoDrCj89pA
+[çÌÃy]$?xû¡MÎqT@ë×éƒ7ÆÀD›`‡×GMÎ¥öò

provision/secrets/secrets.nix

@@ -2,28 +2,25 @@ let
   kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2iE16XVkriD0x6GhnqmvGDA1qNBibvHVIi5xY+c7Iu";
   torus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN71z5g6QyCn5Go0Wm+NOSF4f22xOOCvtIA3IM4KzSpG";
   bulwark = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG52QybtJrt0KU7iJGyiBBoDCcd0AXoy+wFi+9fBsopk";
-  systems = [ kestrel torus bulwark ];
+  osprey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpYnahS9+WKJrM3ZpjZlMLL5V7iwJJqZml337VuG7Jq";
-
+  systems = [ kestrel torus bulwark osprey ];
-  tstarr_kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINr2BUUToMswbAbxZMXarl2pQEomM+jADyZbEK31VGu/";
-  tstarr_torus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhxsVgd8DH8c0zckjMUxSJrTimU709JLCgDGBMFoNxQ";
-  tstarr_osprey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQEjr+yK4zdnV9kBUMo9fopsJbvF+TfQlVQexBCwuwB";
-  users = [ tstarr_kestrel tstarr_torus tstarr_osprey ];
 in
 {
-  "git/github_personal.age".publicKeys = users ++ systems;
+  "git/github_personal.age".publicKeys = systems;
-  "emu/switch/prod.keys.age".publicKeys = users ++ systems;
+  "emu/switch/prod.keys.age".publicKeys = systems;
-  "emu/switch/title.keys.age".publicKeys = users ++ systems;
+  "emu/switch/title.keys.age".publicKeys = systems;
-  "wireguard/kestrel.age".publicKeys = users ++ systems;
+  "wireguard/kestrel.age".publicKeys = systems;
   "wireguard/torus.age".publicKeys = systems;
   "wireguard/bulwark.age".publicKeys = systems;
+  "wireguard/osprey.age".publicKeys = systems;
   "git/gitea-runner-1.age".publicKeys = systems;
   "nextcloud/password.age".publicKeys = systems;
-  "ssh/kestrel/id_ed25519.age".publicKeys = [ tstarr_kestrel ] ++ systems;
+  "ssh/kestrel/id_ed25519.age".publicKeys = systems;
-  "ssh/kestrel/id_ed25519.pub.age".publicKeys = users ++ systems;
+  "ssh/kestrel/id_ed25519.pub.age".publicKeys = systems;
-  "ssh/torus/id_ed25519.age".publicKeys = [ tstarr_torus ] ++ systems;
+  "ssh/torus/id_ed25519.age".publicKeys = systems;
-  "ssh/torus/id_ed25519.pub.age".publicKeys = users ++ systems;
+  "ssh/torus/id_ed25519.pub.age".publicKeys = systems;
-  "borg/torus/password.age".publicKeys = [ tstarr_torus ] ++ systems;
+  "borg/torus/password.age".publicKeys = systems;
-  "borg/rsync/id_rsa.age".publicKeys = users ++ systems;
+  "borg/rsync/id_rsa.age".publicKeys = systems;
-  "borg/rsync/id_rsa.pub.age".publicKeys = users ++ systems;
+  "borg/rsync/id_rsa.pub.age".publicKeys = systems;
 }
 

provision/secrets/wireguard/kestrel.age

@@ -1,15 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 c/r/0Q 2KtEwngUw7ZA/rEEaXHMwRC9JZcWrIrmdDlP0lN9tS0
+-> ssh-ed25519 Fz/sQw Fi2RHxetJDTbBO1nZcIcwCe2GAsjbCrkVTzDaLg+CgM
-ZAKUTyCKtf2EVG6qhSWn8aXUkNfAXgrMBwUiLWx7iOA
+8KasJpb49p15aFGkFhwWlUX9P+cspgymiqFibx0NnzQ
--> ssh-ed25519 6UNP1Q 3AG6l3q1Hgv4Cj7z2a31b3g9AW1sowV71em9QSZnD2A
+-> ssh-ed25519 47GzQA kybHzwPjEBZfb3o0kMFywIdOMN2gp1ULsUTWq06CXkQ
-+Q8/nr1yz6nZviV7srRTW0LnoNrYxW1x7gjhZwvvmOo
+u6uDwPazPlCr8SLwAbcKU5LHTy3p2Q7xt//Z1Rw14SQ
--> ssh-ed25519 oOIlAg RPVxwWRbDSOpyRD34uPX8vQYzOKwbc/6WQ3miIpsWnc
+-> ssh-ed25519 wcI7nQ NiYTvuwjv+YAWwW6ohRTJLITn3SrZR7Zzlkbcp/PASE
-QQfR/w+kh8/6WIUogDlX/iL4Y2Idw8hOQOEUHQgTwes
+Id4ZAgGPup+WK8lM8C5Lr7q5JW2ZTC6qXKdwaH6XbR0
--> ssh-ed25519 Fz/sQw u2KqeUEobIWwbKT61etUYeY2LFRk6l8EYJ5dnuvmDDI
+-> ssh-ed25519 QjdSCg VpfqjyL4Z2Hpiv2JniFkIz5k+/xbl1rt8xarnl3GqXA
-bCpGnuJf+qPG+f2N04zATwngB6nwJDMSpz8mFUfkawU
+qqiJA81XDkKAM8KQ2EfIPSNYvbB6Pbr0CyFveKX+1KU
--> ssh-ed25519 47GzQA e3x/3uULmh7FLg6eiATdvbG/kUfrCKOHrph1tw0HRk0
+--- Qk+p/x0TX5hogF3axpJdVOH4MObNWFqnaqjfNnK+fZA
-jOVO2Irq1NxzzK+O2Lo4/bip9IFqvvzi+bIaD8Z0rqs
+³£RF*l[Ò½ºÜ&#lïÎÈ©”}ªüŠÂf»OþÃr<C383>EgÔÌnÓ”Ú_½{·Šv¸^ŒD0c¥ÍîÜ5{Fû=™j  $íå:^:ûLt“
--> ssh-ed25519 wcI7nQ RIgZP4y5FqqmUJDc/emKdO2laRHxNer+db+TgbybLVA
-K61Q/TxQtX30Z2m3N0sHBHqBIuH7Q0QHmWVwMxthAMM
---- dlNFmAoD84TcOlyWRGjvx29SPHaC7FGiYgrJkQAsOMg
-©rÁº+{œŸè ¡Ó¶¥Æ£¨yUD ?Ò¶û%MϤó‘ã
¿†ùÝB®NÎyË'mÊ
óVÄ–ãV¸¦þ&«­é&ïs¦Œ®«2@H<>

provision/secrets/wireguard/osprey.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 Fz/sQw heCEJ6I0xPvCLJx4TZaPbWPt7AZykhepJLs8klh2Ils
+fyE9BhLKz7YmmaT3TG1mtfIjSPcRNQzVYZTPTEDRGJ8
+-> ssh-ed25519 47GzQA cHdgndEhwg6MVzr4mbyEo+ckrLvqpHOc45yrHpqvD10
+ZjQmviiQX4/VFx49CTyfzivn+5WgM3g/7pz68HTbhw0
+-> ssh-ed25519 wcI7nQ LguHluWUFXrd4D44dEr4aSxMVkCEFs/D/3u0NEUqh3c
+0xyzDGUR58Smt+sYRWM3Yq2wGAcBTqq0OrBHXDioQfE
+-> ssh-ed25519 QjdSCg 4fQJbeGytS/OjPhnaKWRxPPgSMzNk3cFw9JrOPrVoyY
+3xAWyy0UC3FFhHqOB8jhAlvru9v3aXo6LtolcWGRZ2o
+--- Q2x+hYNux0SIDmcTBs20wdUjB6Y3hj80GQomMnIXWiM
+ðe‹Àãyðãýîâë²€BœwrVMÒ½ë™ÏYØÄrsómü=3,NÞïèƃêàr£ÇB¡”¾Õl1x8ž>5Á„áçÐZü§

resources/wireguard/adjudicator.conf

@@ -8,4 +8,4 @@ PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
 # restrict this to the wireguard subnet if you don't want to route everything to the tunnel
 AllowedIPs = 0.0.0.0/0, ::/0
 # ip and port of the peer
-Endpoint = 66.218.43.87:51820
+Endpoint = 1.2.3.4:51820

resources/wireguard/bulwark.conf

@@ -8,4 +8,4 @@ PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
 # restrict this to the wireguard subnet if you don't want to route everything to the tunnel
 AllowedIPs = 0.0.0.0/0, ::/0
 # ip and port of the peer
-Endpoint = 66.218.43.87:51820
+Endpoint = 1.2.3.4:51820

resources/wireguard/kestrel.conf

@@ -7,4 +7,4 @@ PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
 # restrict this to the wireguard subnet if you don't want to route everything to the tunnel
 AllowedIPs = 0.0.0.0/0, ::/0
 # ip and port of the peer
-Endpoint = 66.218.43.87:51820
+Endpoint = 1.2.3.4:51820

resources/wireguard/osprey.conf

@@ -0,0 +1,10 @@
+[Interface]
+# your own IP on the wireguard network
+Address = 192.168.3.5/24
+PrivateKey = <replace with secret>
+[Peer]
+PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
+# restrict this to the wireguard subnet if you don't want to route everything to the tunnel
+AllowedIPs = 0.0.0.0/0, ::/0
+# ip and port of the peer
+Endpoint = 1.2.3.4:51820