switch to agenix for secrets

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "modules/secrets"]
-	path = modules/secrets
-	url = git@ssh.gitea.hillion.co.uk:JakeHillion/nixos-secrets.git

flake.lock

@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1665870395,
+        "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1668908668,
@@ -34,6 +54,7 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable"
       }

flake.nix

@@ -2,16 +2,20 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs?rev=b68a6a27adb452879ab66c0eaac0c133e32823b2";
     nixpkgs-unstable.url = "github:nixos/nixpkgs?rev=52b2ac8ae18bbad4374ff0dd5aeee0fdf1aea739";
+
+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   description = "Hillion Nix flake";
 
-  outputs = { self, nixpkgs, nixpkgs-unstable }@inputs: {
+  outputs = { self, nixpkgs, nixpkgs-unstable, agenix }@inputs: {
     nixosConfigurations."vm.strangervm.ts.hillion.co.uk" = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       specialArgs = inputs;
       modules = [
         ./hosts/vm.strangervm.ts.hillion.co.uk/default.nix
+        agenix.nixosModule
         {
           system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
         }
@@ -23,6 +27,7 @@
       specialArgs = inputs;
       modules = [
         ./hosts/microserver.parents.ts.hillion.co.uk/default.nix
+        agenix.nixosModule
         {
           system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
         }
@@ -34,6 +39,7 @@
       specialArgs = inputs;
       modules = [
         ./hosts/microserver.home.ts.hillion.co.uk/default.nix
+        agenix.nixosModule
         {
           system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
         }

hosts/microserver.home.ts.hillion.co.uk/default.nix

@@ -1,26 +1,31 @@
 { config, pkgs, lib, ... }:
 
 {
-  system.stateVersion = "22.05";
+  config.system.stateVersion = "22.05";
 
-  networking.hostName = "microserver";
-  networking.domain = "home.ts.hillion.co.uk";
+  config.networking.hostName = "microserver";
+  config.networking.domain = "home.ts.hillion.co.uk";
 
   imports = [
     ../../modules/common/default.nix
-    ../../modules/secrets/tailscale/microserver.home.ts.hillion.co.uk.nix
   ];
 
-  tailscaleAdvertiseRoutes = "10.64.50.0/24,10.239.19.0/24";
+  # Networking
+  ## Tailscale
+  config.tailscaleAdvertiseRoutes = "10.64.50.0/24,10.239.19.0/24";
+  config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
+  config.tailscalePreAuth = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
 
-  networking.vlans = {
+  ## Enable IoT VLAN
+  config.networking.vlans = {
     vlan2 = {
       id = 2;
       interface = "eth0";
     };
   };
 
-  boot.kernel.sysctl = {
+  ## Enable IP forwarding for Tailscale
+  config.boot.kernel.sysctl = {
     "net.ipv4.ip_forward" = true;
   };
 }

hosts/microserver.parents.ts.hillion.co.uk/default.nix

@@ -1,26 +1,30 @@
 { config, pkgs, lib, ... }:
 
 {
-  system.stateVersion = "22.05";
+  config.system.stateVersion = "22.05";
 
-  networking.hostName = "microserver";
-  networking.domain = "parents.ts.hillion.co.uk";
-
-  boot.loader.grub.enable = false;
-  boot.loader.raspberryPi = {
-    enable = true;
-    version = 4;
-  };
+  config.networking.hostName = "microserver";
+  config.networking.domain = "parents.ts.hillion.co.uk";
 
   imports = [
     ./hardware-configuration.nix
     ../../modules/common/default.nix
-    ../../modules/secrets/tailscale/microserver.parents.ts.hillion.co.uk.nix
   ];
 
-  tailscaleAdvertiseRoutes = "10.0.0.0/24";
+  config.boot.loader.grub.enable = false;
+  config.boot.loader.raspberryPi = {
+    enable = true;
+    version = 4;
+  };
 
-  boot.kernel.sysctl = {
+  # Networking
+  ## Tailscale
+  config.tailscaleAdvertiseRoutes = "10.0.0.0/24";
+  config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.parents.ts.hillion.co.uk.age;
+  config.tailscalePreAuth = config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".path;
+
+  ## Enable IP forwarding for Tailscale
+  config.boot.kernel.sysctl = {
     "net.ipv4.ip_forward" = true;
   };
 }

hosts/vm.strangervm.ts.hillion.co.uk/default.nix

@@ -1,34 +1,49 @@
 { config, pkgs, lib, ... }:
 
 {
-  system.stateVersion = "22.05";
+  config.system.stateVersion = "22.05";
 
-  networking.hostName = "vm";
-  networking.domain = "strangervm.ts.hillion.co.uk";
+  config.networking.hostName = "vm";
+  config.networking.domain = "strangervm.ts.hillion.co.uk";
 
   imports = [
     ../../modules/common/default.nix
     ../../modules/resilio/default.nix
     ../../modules/reverse-proxy/global.nix
-    ../../modules/secrets/resilio/encrypted.nix
-    ../../modules/secrets/tailscale/vm.strangervm.ts.hillion.co.uk.nix
     ./hardware-configuration.nix
   ];
 
-  boot.loader.grub = {
+  config.boot.loader.grub = {
     enable = true;
     device = "/dev/sda";
   };
 
-  networking.interfaces.ens18.ipv4.addresses = [{
+  ## Static Networking
+  config.networking.interfaces.ens18.ipv4.addresses = [{
     address = "10.72.164.3";
     prefixLength = 24;
   }];
-  networking.defaultGateway = "10.72.164.1";
+  config.networking.defaultGateway = "10.72.164.1";
+
+  ## Tailscale
+  config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
+  config.tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
 
   ## Resilio Sync (Encrypted)
-  services.resilio.enable = true;
-  services.resilio.deviceName = "vm.strangervm";
-  services.resilio.directoryRoot = "/data/sync";
+  config.services.resilio.enable = true;
+  config.services.resilio.deviceName = "vm.strangervm";
+  config.services.resilio.directoryRoot = "/data/sync";
+
+  config.age.secrets."resilio/encrypted/dad".file = ../../secrets/resilio/encrypted/dad.age;
+  config.age.secrets."resilio/encrypted/projects".file = ../../secrets/resilio/encrypted/projects.age;
+  config.age.secrets."resilio/encrypted/resources".file = ../../secrets/resilio/encrypted/resources.age;
+  config.age.secrets."resilio/encrypted/sync".file = ../../secrets/resilio/encrypted/sync.age;
+
+  config.resilioFolders = [
+    { name = "dad"; secretFile = config.age.secrets."resilio/encrypted/dad".path; }
+    { name = "projects"; secretFile = config.age.secrets."resilio/encrypted/projects".path; }
+    { name = "resources"; secretFile = config.age.secrets."resilio/encrypted/resources".path; }
+    { name = "sync"; secretFile = config.age.secrets."resilio/encrypted/sync".path; }
+  ];
 }
 

modules/common/tailscale.nix

@@ -40,11 +40,8 @@
       # otherwise authenticate with tailscale
       ${tailscale}/bin/tailscale up \
         --login-server https://ts.hillion.co.uk/ \
-        --authkey ${config.tailscalePreAuth} \
+        --authkey "$(<${config.tailscalePreAuth})" \
         --advertise-routes "${config.tailscaleAdvertiseRoutes}"
     '';
   };
-
 }
-
-

modules/resilio/default.nix

@@ -1,6 +1,9 @@
 { pkgs, lib, config, ... }:
 
 {
+  imports = [ ./nixpkgs-pr125803-modules_services_networking_resilio.nix ];
+  disabledModules = [ "services/networking/resilio.nix" ];
+
   options.resilioFolders = lib.mkOption {
     type = with lib.types; uniq (listOf attrs);
     default = [ ];
@@ -8,9 +11,9 @@
 
   config.services.resilio.sharedFolders =
     let
-      mkFolder = name: secret: {
+      mkFolder = name: secretFile: {
         directory = "${config.services.resilio.directoryRoot}/${name}";
-        secret = "${secret}";
+        secretFile = "${secretFile}";
         knownHosts = [ ];
         searchLAN = true;
         useDHT = true;
@@ -19,6 +22,5 @@
         useTracker = true;
       };
     in
-    builtins.map (folder: mkFolder folder.name folder.secret) config.resilioFolders;
+    builtins.map (folder: mkFolder folder.name folder.secretFile) config.resilioFolders;
 }
-

modules/resilio/nixpkgs-pr125803-modules_services_networking_resilio.nix

@@ -0,0 +1,296 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.resilio;
+
+  resilioSync = pkgs.resilio-sync;
+
+  sharedFoldersRecord = map
+    (entry: {
+      dir = entry.directory;
+
+      use_relay_server = entry.useRelayServer;
+      use_tracker = entry.useTracker;
+      use_dht = entry.useDHT;
+
+      search_lan = entry.searchLAN;
+      use_sync_trash = entry.useSyncTrash;
+      known_hosts = entry.knownHosts;
+    })
+    cfg.sharedFolders;
+
+  configFile = pkgs.writeText "config.json" (builtins.toJSON ({
+    device_name = cfg.deviceName;
+    storage_path = cfg.storagePath;
+    listening_port = cfg.listeningPort;
+    use_gui = false;
+    check_for_updates = cfg.checkForUpdates;
+    use_upnp = cfg.useUpnp;
+    download_limit = cfg.downloadLimit;
+    upload_limit = cfg.uploadLimit;
+    lan_encrypt_data = cfg.encryptLAN;
+  } // optionalAttrs (cfg.directoryRoot != "") { directory_root = cfg.directoryRoot; }
+  // optionalAttrs cfg.enableWebUI {
+    webui = { listen = "${cfg.httpListenAddr}:${toString cfg.httpListenPort}"; } //
+      (optionalAttrs (cfg.httpLogin != "") { login = cfg.httpLogin; }) //
+      (optionalAttrs (cfg.httpPass != "") { password = cfg.httpPass; }) //
+      (optionalAttrs (cfg.apiKey != "") { api_key = cfg.apiKey; });
+  } // optionalAttrs (sharedFoldersRecord != [ ]) {
+    shared_folders = sharedFoldersRecord;
+  }));
+
+  sharedFoldersSecretFiles = map
+    (entry: {
+      dir = entry.directory;
+      secret_file =
+        if builtins.hasAttr "secret" entry then
+          toString
+            (pkgs.writeTextFile {
+              name = "secret-file";
+              text = entry.secret;
+            })
+        else
+          entry.secretFile;
+    })
+    cfg.sharedFolders;
+
+  runConfigPath = "/run/rslsync/config.json";
+
+  createConfig = pkgs.writeShellScriptBin "create-resilio-config" ''
+    ${pkgs.jq}/bin/jq \
+      '.shared_folders |= map(.secret = $ARGS.named[.dir])' \
+      ${
+        lib.concatMapStringsSep " \\\n  "
+        (entry: ''--arg '${entry.dir}' "$(cat '${entry.secret_file}')"'')
+        sharedFoldersSecretFiles
+      } \
+      <${configFile} \
+      >${runConfigPath}
+  '';
+
+in
+{
+  options = {
+    services.resilio = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If enabled, start the Resilio Sync daemon. Once enabled, you can
+          interact with the service through the Web UI, or configure it in your
+          NixOS configuration.
+        '';
+      };
+
+      deviceName = mkOption {
+        type = types.str;
+        example = "Voltron";
+        default = config.networking.hostName;
+        description = ''
+          Name of the Resilio Sync device.
+        '';
+      };
+
+      listeningPort = mkOption {
+        type = types.int;
+        default = 0;
+        example = 44444;
+        description = ''
+          Listening port. Defaults to 0 which randomizes the port.
+        '';
+      };
+
+      checkForUpdates = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Determines whether to check for updates and alert the user
+          about them in the UI.
+        '';
+      };
+
+      useUpnp = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Use Universal Plug-n-Play (UPnP)
+        '';
+      };
+
+      downloadLimit = mkOption {
+        type = types.int;
+        default = 0;
+        example = 1024;
+        description = ''
+          Download speed limit. 0 is unlimited (default).
+        '';
+      };
+
+      uploadLimit = mkOption {
+        type = types.int;
+        default = 0;
+        example = 1024;
+        description = ''
+          Upload speed limit. 0 is unlimited (default).
+        '';
+      };
+
+      httpListenAddr = mkOption {
+        type = types.str;
+        default = "[::1]";
+        example = "0.0.0.0";
+        description = ''
+          HTTP address to bind to.
+        '';
+      };
+
+      httpListenPort = mkOption {
+        type = types.int;
+        default = 9000;
+        description = ''
+          HTTP port to bind on.
+        '';
+      };
+
+      httpLogin = mkOption {
+        type = types.str;
+        example = "allyourbase";
+        default = "";
+        description = ''
+          HTTP web login username.
+        '';
+      };
+
+      httpPass = mkOption {
+        type = types.str;
+        example = "arebelongtous";
+        default = "";
+        description = ''
+          HTTP web login password.
+        '';
+      };
+
+      encryptLAN = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Encrypt LAN data.";
+      };
+
+      enableWebUI = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable Web UI for administration. Bound to the specified
+          <literal>httpListenAddress</literal> and
+          <literal>httpListenPort</literal>.
+        '';
+      };
+
+      storagePath = mkOption {
+        type = types.path;
+        default = "/var/lib/resilio-sync/";
+        description = ''
+          Where BitTorrent Sync will store it's database files (containing
+          things like username info and licenses). Generally, you should not
+          need to ever change this.
+        '';
+      };
+
+      apiKey = mkOption {
+        type = types.str;
+        default = "";
+        description = "API key, which enables the developer API.";
+      };
+
+      directoryRoot = mkOption {
+        type = types.str;
+        default = "";
+        example = "/media";
+        description = "Default directory to add folders in the web UI.";
+      };
+
+      sharedFolders = mkOption {
+        default = [ ];
+        type = types.listOf (types.attrsOf types.anything);
+        example =
+          [{
+            secretFile = "/run/resilio-secret";
+            directory = "/home/user/sync_test";
+            useRelayServer = true;
+            useTracker = true;
+            useDHT = false;
+            searchLAN = true;
+            useSyncTrash = true;
+            knownHosts = [
+              "192.168.1.2:4444"
+              "192.168.1.3:4444"
+            ];
+          }];
+        description = ''
+          Shared folder list. If enabled, web UI must be
+          disabled. Secrets can be generated using <literal>rslsync
+          --generate-secret</literal>.
+
+          If you would like to be able to modify the contents of this
+          directories, it is recommended that you make your user a
+          member of the <literal>rslsync</literal> group.
+
+          Directories in this list should be in the
+          <literal>rslsync</literal> group, and that group must have
+          write access to the directory. It is also recommended that
+          <literal>chmod g+s</literal> is applied to the directory
+          so that any sub directories created will also belong to
+          the <literal>rslsync</literal> group. Also,
+          <literal>setfacl -d -m group:rslsync:rwx</literal> and
+          <literal>setfacl -m group:rslsync:rwx</literal> should also
+          be applied so that the sub directories are writable by
+          the group.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions =
+      [{
+        assertion = cfg.deviceName != "";
+        message = "Device name cannot be empty.";
+      }
+        {
+          assertion = cfg.enableWebUI -> cfg.sharedFolders == [ ];
+          message = "If using shared folders, the web UI cannot be enabled.";
+        }
+        {
+          assertion = cfg.apiKey != "" -> cfg.enableWebUI;
+          message = "If you're using an API key, you must enable the web server.";
+        }];
+
+    users.users.rslsync = {
+      description = "Resilio Sync Service user";
+      home = cfg.storagePath;
+      createHome = true;
+      uid = config.ids.uids.rslsync;
+      group = "rslsync";
+    };
+
+    users.groups.rslsync = { };
+
+    systemd.services.resilio = with pkgs; {
+      description = "Resilio Sync Service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        Restart = "on-abort";
+        UMask = "0002";
+        User = "rslsync";
+        RuntimeDirectory = "rslsync";
+        ExecStartPre = "${createConfig}/bin/create-resilio-config";
+        ExecStart = ''
+          ${resilioSync}/bin/rslsync --nodaemon --config ${runConfigPath}
+        '';
+      };
+    };
+  };
+}

modules/secrets

@@ -1 +0,0 @@
-Subproject commit 5e88b57ee4dbf292b74a52351dd87cddc12a2356

secrets/resilio/encrypted/dad.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+fra+fnghZpOB7pNHZtIZU++VrJK7djkcsrhbMYK0j/yzg+tZoJPTrL2kdoYfq8Kf
+Bx9JOvgijsYz0YsFGcT6iFwhUDe78vYaImM/llyY/k2ROBcKN0hAov5NLw9uVWrm
+59sSWqDeW+suQxvl0haOOnI4nhKyhDxTYcfiZ3GUFwsTsDxPg6O2dW3lNUHCA1f3
++YP9v4zNmUbx3tUxOzrh9l16bXG6fCgI89A5zeIjOG2ZHLlhmfNWQxrTxc3weLen
+gZWUo+kYvrXpFLh3DhgAIxbHL2IPlxe11kBU2vSqpFdkKhEP8L5UuR/OOBN03AmS
+mu+pn5x/ooUY+/XmdCikJw
+-> ssh-rsa K9mW1w
+W7L543kmxGizZJ6kbatY7/VLBdqNwPwyjrF/hsmQX4QFaf+6ypbbfGrpfNoQAirm
+OZTSglaClk9WywRLoQVIz06TTBJ2SNY/G3F40U+LFXP86mS1DHtolmlII+2G661+
+4l+RrG+3UAlw06nfiEGC4I9WPUknhfzovuwUqjw+QxUTwxhXFQtpP4D8h5zLlH4L
+x3M+USLkd4yic2oa5VZOI7Z9btKu0pjwthwXzwQ7/u5jgueHrDQTTVE4RcUrz23z
+rg7T0yFYWdTc982qqfwOL5+7vW1/qDPuzC4bPfR0eP5//kjoEwcy9kjf3FS8Oyh/
+uJn2o8P0c2U0ivikrL24zQ
+-> ssh-ed25519 O0LMHg teYuQdr6A6jgWx8p1TVu3h0lzaFYKGYg9DS9tNKtgwg
+d/CaXfJrc5olFqfNIeK2xswUH5amf3UHoWmQRE5B5zk
+-> *B-grease ^ |r]NXO HF|Dv]
+SloMfb72CzxCf6/1NyFMG9EYqSlkhacGaBG5z4pMGNZNVcMzaIEfAPUAEC3PGab6
+gNfLRZB8zTGdcjQQt7eLyUjgvkT8qUwBVET4ruo/4Lw
+--- TWKw4+guoXj/1C4c86CAz7JxhaqapxO0f1SxiRB/WN4
+~™§%2»“åùƒô<C692>ô7²ì¹Ê[S'¹VJk€kô÷Ÿy	zŽÂU,¯}éìNDHéó.Øc8T>lbdÜÞú

secrets/resilio/encrypted/projects.age

@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+dBKzIJRjL9pRCCUy8S69/1SHnGX/KgTYNPkw9iooIS8DYiM6VGahCaEHnxxTkIdj
+vEiHksg/+9R+KJvpdZovgZxEcfAI9S4bQj8vDVtj+06mxpa4azPjDa/NXChyCIQZ
+niE3v3NZkq2lWTAROnsqPz9YMa8B0lqOy2rLwaIspgrMbp+wIXFcn4pFzCXZ3QfT
+/UEMAv/WStWhQhUPZ1P45MZ96GG6rdDGafuNiguEdA5dZka5Xcjmm+c95v7stbW9
+9iQLBxsUmEnwZSXzIpj0PCsbPS8AVLc+15LjNsHXRpWllaqrXCWiSPZiQvWwa5Wq
+BJtrNC599KMypYyREnxjqg
+-> ssh-rsa K9mW1w
+BTAPLIJh7WAyDQJHVjWPp8JsVPLV3osPSKRMMl4sap7qJ187XJsKZF24Tux5e9xp
+DJWlwSALPp58OSYz1LLd/PEkEc3bjsPPyTqY/wrI59qg+yA7OyQcyFbtcuX9Rud6
+iaQUVLycYpyPMsXtEtJwMT3kDdzN16W047c90KJRMwDfrBpu4z/cXzXUgkaCaL1J
+3PG5nRko1BO02uRcEH8gFnB262qCK++Q6YgcLlfMqFQ44JSMaDOgtdFfYQSJlRiz
+Ojz/8D4J84bFyAYAFs1hMXjTwEZYsYsx7o7yiI5SEMt8uWUyYbDdoJn1qwZJpD7c
+I7LsQ0WMkNAiYMD8MUOiCQ
+-> ssh-ed25519 O0LMHg jyNTrssITjFxDqLoVlQu5OxoeVfJoy8As5iQXo5pDR4
+3huGcWpwWv9puizHpO6rA6/Ra7bYt5gjRdhhUouc2QA
+-> x|\w&v-grease 4"UaLdml }eK6m9!I Hk|0=>
+oz3X79dKibtLGikLjVfh9qEFRswRnoBHlA
+--- 4ix6RjJR1MjaDv0ATtuqcLJkVrcwiLaFnNDXg+arMbU
+0Ù-ˆ³ó²ËŽM¤™§SÉVþò·…#$£q B<>yŒñ»ô»¾¿Ô†2™q^´wĵ-\¾?äGd» È–kCU•u

secrets/resilio/encrypted/resources.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+SjA5Y37SoYBuyP/YizYXI8WgZclwl3OGKrh8LfaUBiqDYRwPW88cmMIGreozmYkL
+VhQAbp9lrRwZIKZNtqDRoQ7UIRleiWPJcnC3HA4e0u+lmnOS7W7m8impS0dTTiKb
+2Dk7tTClPtmaXE5Yrg1j6qNN6qJyZD1CaG/CYy6CpYqoW4TkfAgW/S211LHry4N2
+MIez2wfdgxjnT109vN2cCVxq7MuKr5NXoSIZuYmSp5xTnKn1vLKEHn8OIj6Asor9
+9ZgYlxT5t0D6NyNwc/snsBvqxuthbZKMhO+vvMYDj3p+GAdVjv2aP+5VIpQQmzYd
++FHFyR0n1XowO7doPrOBtw
+-> ssh-rsa K9mW1w
+vWJA8P2gINxeGNRq2N+Jl1aL/CcTGZB+OBXpwwU1+bYgvNAqgT1ds0TpnFsRfKv6
+qsCpVbwHT/vSGFjBFBxtPpaRgQ0724UFNWLQraaSbus+QF/AJYH7v2nvniYLQu0Q
+HcCiAH/eNaZN1q06f4KuYZv17HjIdBylx6ZXdxly9NhF0ici/76W+tm5DXE46nbL
+V/o5unyp7DulHJENNYvgAAGkUZ6kNwxszcKGNttAQcw98uuv2GsAtdIOhf7kZwBD
+VJrK6SJviOg7Vmfxxg1RmtpzPiNZbhMlbqGO0gsDyvv+PSqCIhzZPUpa1A3WJQif
+ElaEsIxJUyHaRG57xQ6Dbw
+-> ssh-ed25519 O0LMHg P25L/C3kBmOcIdxEcB5ytUx/VcLOevmQU1bkmhfq3Es
+Lu/nfNW2KrdxEH8GkDLP2uJeVZtsvTJ1Tg/opk7b9SI
+-> ([$:}-grease ) gV+ u?}?~7d
+s/exE/IO28p+H5AKjcyf9pFV2RDSbOqIfsGYsOkwbDZp6d5Vs34JDQYk5T0L5pjt
+kLJ3UlOcT8M1dtqUS4jD+2KwZg
+--- aLafue9z3QoZ2oWdVdhpV7aFIcgAYZa2tQ3IZM899N8
+I÷‹u-ÈjÌÙç‹*Ü[–¸’M‘LÂç:ó²|ÿ˜xž¾ĸO.+¢îÔ{ŽÇÿ<õ‰§o)R(ÓÍÎ

secrets/resilio/encrypted/sync.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+EyV8Dbq3nrN+sEfwUJgiRMxJ/2Dnpz5FanTs1cIXcx6z4SX7IJqSx0LXfK+gFAfM
+FO0B63W61lSsP6kZBMpbhGZEis5bKnBuLOr/cnN4Q59Fy91lGFaQBJAuH1nTkT7q
+GPeyF1sGUSAhPECrFup2LC5ATqaHerIhd3AFgD22YUYacwtU4Fz3yOj6/xQBo+iH
+rNN8QFoPV16XJSNHD2B3eNtDi5ZTQjw3vbDInEmgPRrKK4HcUJBbbZjUleCJqTNR
+qCdMUUX869jcg56VdPGlqgTz2o8Qgw9kvMWNKoqeEQ4C2++7Sr22jxnOOAiQ+O5J
+I8bXDr/yuUpIpPbSmalFfg
+-> ssh-rsa K9mW1w
+JGAeR60Rr3G3IcI74ceWWToU5FpeQtfmIpOke0u24GUeC6/4aZUIsAEnk8SWNVXI
+Xz/fyt74CNDtiagixuXD0NfukueGSxjsj2vkR8ljTJQSGg208yQMEWXi8igkBX8k
+CBWIziRK5EDn+RHyedahbb6hH9A59uqVzFIi6wcIroQ7D70bT1mXoN+OEBYdJL8s
+squs+XckWrRy2WaZ1QMOx3brRb1C+gLOtMH7hEd8UsrXk9J9rk8PMEVShNSFugdr
+gT+WY8mMlmAoNBBfie0Rqu2GvQIT6mIKjMcVpPH03k04p1y00vCDtBo4O+xPbYpG
+8Vtpa6CTuwaJRnOERKotkA
+-> ssh-ed25519 O0LMHg mjtoCLVRLqwQuDzLISW6hmaddYV3geNRpvDT+Hnwkwg
+8N8uxUNr5UqJybTS/X+njC45jemDvesd9Q3I2wFUPoU
+-> {3hoY-grease 488;n<X
+JFOhghfl6DNKtV7Sr0pKyR1E0X4EobMn+fBxJMcJW9/ycQ8IKiJVC0EtszN2DBhi
++X4UEf1rseU8WuKpaEYVgfThz/NXWtIpn9bh7nnVdV1JCpYRsqM
+--- DyaOqfy9NgeumJwDhIxQvnZXXmM08y/+fMD/dDwOjQs
+K(l[ø̦aâ=ŸÕòO¤O¢òÏUe:;…=Í?<3F>c•<63>ñèYd›âœû  *DÅ…oh#æ¿/Ï7ñ’G7
æ…7Qç

secrets/resilio/plain/dad.age

@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+ftrFecRNOiAyTpVmu/oa5AJ0jyFvzm8QN057U9FdKKWkmvBWRqJW92mbSWwFEUfq
+r3Wc6DZIUdDGZQfHBaixEUUH3wrkaNLwrDlvhlqxI5BBK5zOcXU7bid9Jz8P5TWm
+q3Tg5m1DmYUTyuylKK7BXWqJyVJz+p7ARcuk/gbR0l2sr+HeLw+SKPt/P8qM9Gx/
+IZJiaY2PybDD9A94/t9J/ygnkoDiFgqerMVihN/Q2LTW6mod5SANlWvgCzak7pkJ
+rji+/6zwd1mCg4Z7Sdq1Dgrid0WmDgF/ITSJdyF7hVkA5fGPUsmKK8VQJe70qx0W
+CSmJqs4nRm+nuk2ltuFvgw
+-> ssh-rsa K9mW1w
+nqyx27ciexwk/oXos09pQfE+AW29coAqjtBlIAkK6dccWEed6+0H6t01wHPHcOsa
+Up7iuPSvTPxVlUmvq3ucje/sHTUhkUtxUblpnCeo/cXgqRw9zVC/JYwQKdWGK4SO
+iYKNYQf5kn1Lb+UyM0k5UfrlW0Jb54X56/RohpqtbBU8h7+pV/z9JkhJWjrVcQcC
+ggI3ozdTeSl1eq4h0X4NaV0GaNcWswfkt1XrwdESu+JeISxIepspQJws16ze6hm6
+qy/N5Dv87qj/TkCiX/VO1bcwiX0Ov3GzDFvox4Vppa3w5cTjqs5qWXOsh7R/cTAG
+KAmmnXAY8ePosdVBoAABsQ
+-> \}uDq}-grease
+/zbF6/hUJCRxa8DkbiRaQSDtqjqGxkSemr6GSQ
+--- lh7tNWkwV2WfG1fsvYc9aOgwDK67PZ/Ppbdt7xsTRSs
+²î$aÚ:x™)^ªRȹeâNµ´‰áð¬ØfÚWF.?Ñ­t뛂´Ü濲¶OU3ùk”ó/tãN§yúXM

secrets/resilio/plain/projects.age

@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+EOY7coZ/+zJfprLlvtrQDuRa/pyVbdkQGNSs89KiAwqL3kbKndC8RWiaNxqn6jBa
+5lCsywMkI1YrStHjRFGX7JObLnqmD3dKr6Us0U5tjY1NJnIOK15b6NDc26DuhImA
+TuobhD+bPCIh7qO/OW25yZ41JyJkK4HmjFsIQgM7vaY/FnH9YvRBAzwFLFzZ/+Ms
+9p2vRacWk8Jy0ccMRYYxkqPkBK6aeb5wVTKPgk38bMTQU2kju+z00vwq+9ALUKBI
+SKjhHHdSX9eMMaB0/oJitJ9q2pnpPE7ffR2ovBjjVlYmPbRvSG8xaEuVEZqgzWTT
+vDeY65p9QE9wh3nm+3pOIQ
+-> ssh-rsa K9mW1w
+nydcRo8zQgzZCLBVU78pwmBOV6nS8QWqu2PH2jltOi1kRKF6YtOdt0QM30KPaiE/
+lx+lCWwX8pexJqpH1liKCRg3KlaGskHBxMSDGs31SZkKWY8LiS+YgsnS662WkVDf
+0+lFUj7RiTMX/t3NRvNhbS5TWJbHt4/jOYmiS7lfnCiUsBXHWrPGeaNeJzol1kND
+CE174r13z3DHqQcAdxiXzDgkvzc0ae/5y/QgEWiJl31kBlG7the4CvOsls5gKpGb
+gSll/tsqFaYFU0WI7kz2FVyQ4c8Fj7QppiWmWToCgPIOcR2jIeengBOJiH/l8vsq
+A9shhz795oV2BfmSJAIAqg
+-> %pb0-grease
+D0lsv9hX1qZu+6d0N0ca3XvYyGcEEw
+--- Q3QEKd6N8xqQ/pQ785t5GmISJE9n9w6GPq5Do/EPjog
+NŠFu/Œ½!Å?kQ¤“½‹’…y¨¾‘<C2BE>,ýþœƒû¥Aß®µŠ
[„áA‘×åãÑ6ä_‚ÐÐ,óØÒ¸(<28>åƉ9¿

secrets/resilio/plain/sync.age

@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+HoMZCJb5Qw7B+PEoN/JfI1eANy+IdZLgeRztdI8nSNdRZCXEaASU5btZCnxY52c4
+vmi5U7+Pi2GYbd+SDmzVLVsR5ahHiA/fC4qXwhlRX22Hi5cOmRe62Nhv1TuXHx8Y
+B0fU2AzuB9CBperk3rGfB+x3I/eTnQH8C/qlk+DYdoMa3e3/n5KeJsb95wca1MAR
+vt5Ezeg/ymAOP0CDq+R3oc9XjrOiSmEiobLhkjSCCJ6ZwIDy1VGOJ8XheNKe1MRJ
+z6LuHJ4O9NYGh9lHUefDSz6ALzvesROvg4P9cpvrhm/8hEafxFH44g4hp07Opb4I
+yLwUMlCKX7AdkIZCqcUbgQ
+-> ssh-rsa K9mW1w
+omhDlQmW6hPf/qdk2PERmZAAUMVUn9xbLRxFzR5j115F9v1OmIYOIsZN9HK0PfCW
+7pw9U5vsYP9qYSAFLFS2KwltF51wsDHrpG1AOhsZLFl7GXBZ4b1HACsnJ6zL+9qI
+JyDxEtUkenMY310IfipLhUDDgof2GqxOZ4RTJk2OipNxhrkK3DNzgj0e3mueyf4y
+Vs4R6aieUacnpGCTAYcvOzD2axBsuYOKFdYtYvS0TdLeBhONVENETOUYBa36CfCv
+p7+aKH2wAxV28UxgnSxHSZH4lAycd7yBN0eyMdGEATkEAg0xeFAd2r6G09e6PK8B
+4BIY5xNEieJT4W5h2fbHug
+-> q-grease G[=d<9!: Ht`~
+EWsf
+--- SVb09q4frt7qij+DP411ao3cawiW46y02hbpr+nWXv4
+Ǒ·˜	ãËNûð¥bã½p™¾Ïƒ>»&¯ÿîÖ„íQ" ÚI/ãM›+°	þïrÒÿ“`6¯ïùqb

secrets/secrets.nix

@@ -0,0 +1,30 @@
+let
+  jake-gentoo = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw4lgH20nfuchDqvVf0YciqN0GnBw5hfh8KIun5z0P7wlNgVYnCyvPvdIlGf2Nt1z5EGfsMzMLhKDOZkcTMlhupd+j2Er/ZB764uVBGe1n3CoPeasmbIlnamZ12EusYDvQGm2hVJTGQPPp9nKaRxr6ljvTMTNl0KWlWvKP4kec74d28MGgULOPLT3HlAyvUymSULK4lSxFK0l97IVXLa8YwuL5TNFGHUmjoSsi/Q7/CKaqvNh+ib1BYHzHYsuEzaaApnCnfjDBNexHm/AfbI7s+g3XZDcZOORZn6r44dOBNFfwvppsWj3CszwJQYIFeJFuMRtzlC8+kyYxci0+FXHn jake@jake-gentoo";
+  jake-mbp = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp";
+  users = [ jake-gentoo jake-mbp ];
+
+  vm_strangervm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINb9mgyD/G3Rt6lvO4c0hoaVOlLE8e3+DUfAoB1RI5cy root@vm";
+  microserver_home = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
+  microserver_parents = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr root@microserver";
+  systems = [ vm_strangervm microserver_home microserver_parents ];
+in
+{
+  # Tailscale Pre-Auth Keys
+  "tailscale/vm.strangervm.ts.hillion.co.uk.age".publicKeys = users ++ [ vm_strangervm ];
+  "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = users ++ [ microserver_home ];
+  "tailscale/microserver.parents.ts.hillion.co.uk.age".publicKeys = users ++ [ microserver_parents ];
+
+  # Resilio Sync Secrets
+  ## Encrypted Resilio Sync Secrets
+  "resilio/encrypted/dad.age".publicKeys = users ++ [ vm_strangervm ];
+  "resilio/encrypted/projects.age".publicKeys = users ++ [ vm_strangervm ];
+  "resilio/encrypted/resources.age".publicKeys = users ++ [ vm_strangervm ];
+  "resilio/encrypted/sync.age".publicKeys = users ++ [ vm_strangervm ];
+
+  ## Read/Write Resilio Sync Secrets
+  "resilio/plain/dad.age".publicKeys = users;
+  "resilio/plain/joseph.age".publicKeys = users;
+  "resilio/plain/projects.age".publicKeys = users;
+  "resilio/plain/resources.age".publicKeys = users;
+  "resilio/plain/sync.age".publicKeys = users;
+}

secrets/tailscale/microserver.parents.ts.hillion.co.uk.age

@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+M7t0/nops8T1iC5ipnsX83JLB9DRDICDKoG9LNtICvQrmtU1vf613gh3L0BF2dCZ
+uEV5KMqiMVhEfnLEUIrzCKZY8u4UJK+u1r22PBbYtPASMIyUfvOZlxBeVpnu4vww
+t6R5bn7tyOurYQnG1E48jLFWcjDm+6klXQ0Id5m2qKFC7iTZJt1a1Ygb4QTQog/A
+nDR9HenfAQbkmfcuTyQyjUG9f6XcZAPSrFFvkVT7ML3Je+eiR74k6Zms5WTEMr1D
+gaXP8NSedix0BI4L1wesUnz/EeopaLaWgG+lcULyZWgDnI1fwm/JGEh4kd+KPkvp
+ilCDutczJ0uIZ4WM6KvY0g
+-> ssh-rsa K9mW1w
+ZnAkgsNDP7PQU6jI+y7BxTd+JgmEm8RsZi8rh3hvMMq1BDEZcUH2SHEZLWbCODVJ
+8zFm3+Nw/ctXC2XLQ6i8lLud0Y3PYvRH8pZJP90Eit8FvwD/55SRMACokt8UHlOX
+KFF1Y6ZcO14jvcY/srIfTFOggfWdmzZ+Slsl3huBRrwC/M/+RHU6B99ZiqZzPTn7
+dMW8uciCGfMXGNTiA91419ogxyFm24MklrgUdZx0FWWKgKzrfxCaeOrsw8zZWyvz
+abIHaL9DbiFbfxdL3ohrNtG4FKbiWHdOdt6ABB7WzQU/j3ZMptufmXSoZGJIXbhc
+8qN2rNl75U8yTAE9ja1E6g
+-> ssh-ed25519 aDuQXQ JiAPr+KpHfLkhiTO3XR8v63F1XejA3sF1lsV+98SGWI
+jwn99p/ZWF98cnkL5kASIrvkZyNjyUFgtl28Bs0Mr3g
+-> #8-grease o%Cb-BuJ r"nhX7[ !v``+iM9 |Xa
+4wlbPL/cpXMUFHxBZKLwrjr9xbBJf07DqwpCXWpSR0i56euM4kFH5hgRyOMTw3kv
+xsol0UWUchOFtBUGVo7QTxPDnvAzNL194rQNFvf5QKfQoXta5uUucp3r5Etyrq1J
+
+--- JpomvF5pXvZAeTjvhdbWqNs93vittfXt3TgsqaqCIjU
+ìmzøÉ8%¬q|e$n·8Å…<+â4Ê
ÍY|íLû å¸Kb<4B>'âÀjcëw㤷-<17>îqë¼´>™ Åb8r³HÁÁ@J2Ò(ߌªŒ!™

secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+kHFrJ4axleV7FixgIhIDnD30ZsPx2lPxKjfvwaajJzopnT1024A2O8zaxyAdTXq/
+PZEqQgp4m0YB9RDfculdLLfWzoP5TG29h4akUEi8WvUbv5LGrehXIqD+A/lHWX/n
+3iicmMf0QISjOwB41DyOXpeAWxfDWGwasCDAA/AdbvRx7//hXlrGcSYxjng2rbZ0
+7uJAU+paVJsJH6iRyDeSdX2FaSlBTxCQecYw91oo4wI1GJ/bXbddOU8X9qvElsLx
+zEkCKuB2vjQd2eRHgojaj6b6V0ca1QhrdhQmoV/EMRex6u6s5rsZDrjGoWN2bHTK
+8CfM4KJpWEl6DmED3nYIoA
+-> ssh-rsa K9mW1w
+KAdASttxvGRNKSMQbPTwi1ZtbU3zUUQg/0k/fjCud65NLkHWhs0wDKLgkkzImwjw
+7Fu0Tbt0dQUF4fqCyZkUUCEWNLpVg0SHGYXB6b8+GTuYQE/rwp1WwWawGkjo8dMV
+Mxr+AcmLiQvnMxtF/CBWc1bs4dnV+eJTK1vqrYZg8CXawhEiAkAYS/jb+t3UoJ8C
+79/1BEceCuzviQvI/Qdjv8uwtY/IyKLN1rXxZgEJUFxMMPrOwWLr6MwWJKrslsmA
+/FxkCitDcByrK8xlCn9RwB9DD7mmXU9ZswQPMm3wdmkBwAFMJ4uBXFIQyQZy/U9e
+CVKpzw3W1Hk9K5Av42dnIA
+-> ssh-ed25519 O0LMHg nezRfSbRAFmGWc8HQL4fjL+IlrdzbB03lJbrPgAURT0
+fdItbyDwt6wkvgSerpQGrC1KR3LnCbFJ35nznvypoIM
+-> Sg-grease %SO , Y
+C4Czm5OkYGbvOrRgndmUavPxhTjYWM1/lJ8gItLTsagkUYT0iGL1LMnCYusn+GG8
+jyBnFASgY1/l
+--- CYLiH0PKhGYBQLJhaS+msY/jEiL08cGCXqdo0zk5AGg
+kR¼ÔüÆ)ý+ëÁ®fÊHê8Ž†9®JæZ¦2¡r}¬âD¸ð>Ýá…Ç#ÕC…ò\U`c»sô¸Pã
»(ŒT¹ÂÄÅrxb«iEç§&–>