resilio: update to unstable module

Currently this pins `rslsync`'s group ID using https://github.com/NixOS/nixpkgs/pull/350055

.gitea/workflows/flake.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
+      - uses: DeterminateSystems/nix-installer-action@b92f66560d6f97d6576405a7bae901ab57e72b6a # v15
       - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
       - name: lint
         run: |

flake.lock

@@ -34,11 +34,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729826725,
+        "lastModified": 1731153869,
-        "narHash": "sha256-w3WNlYxqWYsuzm/jgFPyhncduoDNjot28aC8j39TW0U=",
+        "narHash": "sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "7840909b00fbd5a183008a6eb251ea307fe4a76e",
+        "rev": "5c74ab862c8070cbf6400128a1b56abb213656da",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729942962,
+        "lastModified": 1731060864,
-        "narHash": "sha256-xzt7tb4YUw6VZXSCGw4sukirJSfYsIcFyvmhK5KMiKw=",
+        "narHash": "sha256-aYE7oAYZ+gPU1mPNhM0JwLAQNgjf0/JK1BF1ln2KBgk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "58cd832497f9c87cb4889744b86aba4284fd0474",
+        "rev": "5e40e02978e3bd63c2a6a9fa6fa8ba0e310e747f",
         "type": "github"
       },
       "original": {
@@ -113,11 +113,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729894599,
+        "lastModified": 1730837930,
-        "narHash": "sha256-nL9nzNE5/re/P+zOv7NX6bRm5e+DeS1HIufQUJ01w20=",
+        "narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "93435d27d250fa986bfec6b2ff263161ff8288cb",
+        "rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
         "type": "github"
       },
       "original": {
@@ -128,11 +128,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1729068498,
+        "lastModified": 1730403150,
-        "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=",
+        "narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "e337457502571b23e449bf42153d7faa10c0a562",
+        "rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f",
         "type": "github"
       },
       "original": {
@@ -144,11 +144,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1729742320,
+        "lastModified": 1730919458,
-        "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
+        "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
+        "rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
         "type": "github"
       },
       "original": {
@@ -159,11 +159,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1729691686,
+        "lastModified": 1730963269,
-        "narHash": "sha256-BAuPWW+9fa1moZTU+jFh+1cUtmsuF8asgzFwejM4wac=",
+        "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "32e940c7c420600ef0d1ef396dc63b04ee9cad37",
+        "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc",
         "type": "github"
       },
       "original": {
@@ -175,11 +175,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1730411648,
+        "lastModified": 1730867498,
-        "narHash": "sha256-peNkSyOkRzR2nEi3s86xGV/6eMwO1yxRidSdItaQ+Nw=",
+        "narHash": "sha256-Ce3a1w7Qf+UEPjVJcXxeSiWyPMngqf1M2EIsmqiluQw=",
-        "rev": "6c3f1f46fd7ce56f6949ca6f6c124a62a8740222",
+        "rev": "9240e11a83307a6e8cf2254340782cba4aa782fd",
         "type": "tarball",
-        "url": "https://gitea.hillion.co.uk/api/v1/repos/JakeHillion/nixpkgs/archive/6c3f1f46fd7ce56f6949ca6f6c124a62a8740222.tar.gz"
+        "url": "https://gitea.hillion.co.uk/api/v1/repos/JakeHillion/nixpkgs/archive/9240e11a83307a6e8cf2254340782cba4aa782fd.tar.gz"
       },
       "original": {
         "type": "tarball",

hosts/merlin.rig.ts.hillion.co.uk/default.nix

@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./disko.nix
+    ./hardware-configuration.nix
+  ];
+
+  config = {
+    system.stateVersion = "24.05";
+
+    networking.hostName = "merlin";
+    networking.domain = "rig.ts.hillion.co.uk";
+
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.efi.canTouchEfiVariables = true;
+
+    boot.kernelParams = [
+      "ip=dhcp"
+
+      # zswap
+      "zswap.enabled=1"
+      "zswap.compressor=zstd"
+      "zswap.max_pool_percent=20"
+    ];
+    boot.initrd = {
+      availableKernelModules = [ "igc" ];
+      network.enable = true;
+      clevis = {
+        enable = true;
+        useTang = true;
+        devices = {
+          "disk0-crypt".secretFile = "/data/disk_encryption.jwe";
+        };
+      };
+    };
+
+    boot.kernelPackages = pkgs.linuxPackages_latest;
+
+    custom.defaults = true;
+    custom.locations.autoServe = true;
+    custom.impermanence.enable = true;
+
+    custom.users.jake.password = true;
+    security.sudo.wheelNeedsPassword = lib.mkForce true;
+
+    # Networking
+    networking = {
+      interfaces.enp171s0.name = "eth0";
+      interfaces.enp172s0.name = "eth1";
+    };
+    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
+
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowedTCPPorts = lib.mkForce [
+        22 # SSH
+      ];
+      allowedUDPPorts = lib.mkForce [ ];
+      interfaces = {
+        eth0 = {
+          allowedTCPPorts = lib.mkForce [ ];
+          allowedUDPPorts = lib.mkForce [ ];
+        };
+      };
+    };
+
+    ## Tailscale
+    age.secrets."tailscale/merlin.rig.ts.hillion.co.uk".file = ../../secrets/tailscale/merlin.rig.ts.hillion.co.uk.age;
+    services.tailscale = {
+      enable = true;
+      authKeyFile = config.age.secrets."tailscale/merlin.rig.ts.hillion.co.uk".path;
+    };
+  };
+}

hosts/merlin.rig.ts.hillion.co.uk/disko.nix

@@ -0,0 +1,70 @@
+{
+  disko.devices = {
+    disk = {
+      disk0 = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+
+            disk0-crypt = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "disk0-crypt";
+                settings = {
+                  allowDiscards = true;
+                };
+
+                content = {
+                  type = "btrfs";
+
+                  subvolumes = {
+                    "/data" = {
+                      mountpoint = "/data";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                  };
+                };
+              };
+            };
+
+            swap = {
+              size = "64G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                discardPolicy = "both";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "mode=755"
+          "size=100%"
+        ];
+      };
+    };
+  };
+}

hosts/merlin.rig.ts.hillion.co.uk/hardware-configuration.nix

@@ -0,0 +1,28 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp171s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp172s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp173s0f0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/merlin.rig.ts.hillion.co.uk/system

@@ -0,0 +1 @@
+x86_64-linux

hosts/microserver.home.ts.hillion.co.uk/default.nix

@@ -45,12 +45,9 @@
     networking.firewall.interfaces = {
       "eth0" = {
         allowedUDPPorts = [
-          5353 # HomeKit
         ];
         allowedTCPPorts = [
-          1400 # HA Sonos
           7654 # Tang
-          21063 # HomeKit
         ];
       };
     };

hosts/phoenix.st.ts.hillion.co.uk/default.nix

@@ -90,7 +90,7 @@ in
         in
         builtins.map (mkFolder) folderNames;
     };
-    services.resilio.directoryRoot = "/${zpool_name}/users/jake/sync";
+    services.resilio.directoryRoot = "/${zpool_name}/sync";
 
     ## Chia
     age.secrets."chia/farmer.key" = {

hosts/phoenix.st.ts.hillion.co.uk/hardware-configuration.nix

@@ -67,7 +67,6 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp201s0f3u2u3.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;

hosts/router.home.ts.hillion.co.uk/default.nix

@@ -229,6 +229,8 @@
                   { hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
                   { hostname = "gendry"; hw-address = "18:c0:4d:35:60:1e"; }
                   { hostname = "phoenix"; hw-address = "a8:b8:e0:04:17:a5"; }
+                  { hostname = "merlin"; hw-address = "b0:41:6f:13:20:14"; }
+                  { hostname = "stinger"; hw-address = "7c:83:34:be:30:dd"; }
                 ]);
               }
               {

hosts/stinger.pop.ts.hillion.co.uk/default.nix

@@ -0,0 +1,84 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./disko.nix
+    ./hardware-configuration.nix
+  ];
+
+  config = {
+    system.stateVersion = "24.05";
+
+    networking.hostName = "stinger";
+    networking.domain = "pop.ts.hillion.co.uk";
+
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.efi.canTouchEfiVariables = true;
+
+    boot.kernelParams = [
+      "ip=dhcp"
+
+      # zswap
+      "zswap.enabled=1"
+      "zswap.compressor=zstd"
+      "zswap.max_pool_percent=20"
+    ];
+    boot.initrd = {
+      availableKernelModules = [ "r8169" ];
+      network.enable = true;
+      clevis = {
+        enable = true;
+        useTang = true;
+        devices = {
+          "disk0-crypt".secretFile = "/data/disk_encryption.jwe";
+        };
+      };
+    };
+
+    custom.defaults = true;
+    custom.locations.autoServe = true;
+    custom.impermanence.enable = true;
+
+    hardware = {
+      bluetooth.enable = true;
+    };
+
+    # Networking
+    networking = {
+      interfaces.enp1s0.name = "eth0";
+      vlans = {
+        iot = {
+          id = 2;
+          interface = "eth0";
+        };
+      };
+    };
+    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
+
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowedTCPPorts = lib.mkForce [
+        22 # SSH
+      ];
+      allowedUDPPorts = lib.mkForce [ ];
+      interfaces = {
+        eth0 = {
+          allowedTCPPorts = lib.mkForce [
+            1400 # HA Sonos
+            21063 # HomeKit
+          ];
+          allowedUDPPorts = lib.mkForce [
+            5353 # HomeKit
+          ];
+        };
+      };
+    };
+
+    ## Tailscale
+    age.secrets."tailscale/stinger.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/stinger.pop.ts.hillion.co.uk.age;
+    services.tailscale = {
+      enable = true;
+      authKeyFile = config.age.secrets."tailscale/stinger.pop.ts.hillion.co.uk".path;
+    };
+  };
+}

hosts/stinger.pop.ts.hillion.co.uk/disko.nix

@@ -0,0 +1,70 @@
+{
+  disko.devices = {
+    disk = {
+      disk0 = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+
+            disk0-crypt = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "disk0-crypt";
+                settings = {
+                  allowDiscards = true;
+                };
+
+                content = {
+                  type = "btrfs";
+
+                  subvolumes = {
+                    "/data" = {
+                      mountpoint = "/data";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                  };
+                };
+              };
+            };
+
+            swap = {
+              size = "64G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                discardPolicy = "both";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "mode=755"
+          "size=100%"
+        ];
+      };
+    };
+  };
+}

hosts/stinger.pop.ts.hillion.co.uk/hardware-configuration.nix

@@ -0,0 +1,28 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s20f0u2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/stinger.pop.ts.hillion.co.uk/system

@@ -0,0 +1 @@
+x86_64-linux

modules/backups/default.nix

@@ -2,7 +2,7 @@
 
 {
   imports = [
-    ./git.nix
+    ./git/default.nix
     ./homeassistant.nix
     ./matrix.nix
   ];

modules/backups/git/default.nix

@@ -15,9 +15,9 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    age.secrets."git/git_backups_ecdsa".file = ../../secrets/git/git_backups_ecdsa.age;
+    age.secrets."git/git_backups_ecdsa".file = ../../../secrets/git/git_backups_ecdsa.age;
-    age.secrets."git/git_backups_remotes".file = ../../secrets/git/git_backups_remotes.age;
+    age.secrets."git/git_backups_remotes".file = ../../../secrets/git/git_backups_remotes.age;
-    age.secrets."git-backups/restic/128G".file = ../../secrets/restic/128G.age;
+    age.secrets."git-backups/restic/128G".file = ../../../secrets/restic/128G.age;
 
     systemd.services.backup-git = {
       description = "Git repo backup service.";

modules/backups/git/id_ecdsa.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIc3WVROMCifYtqHRWf5gZAOQFdpbcSYOC0JckKzUVM5sGdXtw3VXNiVqY3npdMizS4e1V8Hh77UecD3q9CLkMA= backups-git@nixos

modules/backups/homeassistant.nix

@@ -14,9 +14,21 @@ in
       owner = "hass";
       group = "hass";
     };
+    age.secrets."backups/homeassistant/restic/1.6T" = {
+      file = ../../secrets/restic/1.6T.age;
+      owner = "postgres";
+      group = "postgres";
+    };
 
     services = {
-      restic.backups."homeassistant" = {
+      postgresqlBackup = {
+        enable = true;
+        compression = "none"; # for better diffing
+        databases = [ "homeassistant" ];
+      };
+
+      restic.backups = {
+        "homeassistant-config" = {
           user = "hass";
           timerConfig = {
             OnCalendar = "03:00";
@@ -28,6 +40,19 @@ in
             config.services.home-assistant.configDir
           ];
         };
+        "homeassistant-database" = {
+          user = "postgres";
+          timerConfig = {
+            OnCalendar = "03:00";
+            RandomizedDelaySec = "60m";
+          };
+          repository = "rest:https://restic.ts.hillion.co.uk/1.6T";
+          passwordFile = config.age.secrets."backups/homeassistant/restic/1.6T".path;
+          paths = [
+            "${config.services.postgresqlBackup.location}/homeassistant.sql"
+          ];
+        };
+      };
     };
   };
 }

modules/defaults.nix

@@ -4,6 +4,7 @@
   options.custom.defaults = lib.mkEnableOption "defaults";
 
   config = lib.mkIf config.custom.defaults {
+    hardware.enableAllFirmware = true;
     nix = {
       settings.experimental-features = [ "nix-command" "flakes" ];
       settings = {

modules/dns.nix

@@ -50,6 +50,10 @@ in
                 pop = {
                   li = "100.106.87.35";
                   sodium = "100.87.188.4";
+                  stinger = "100.117.89.126";
+                };
+                rig = {
+                  merlin = "100.69.181.56";
                 };
                 st = {
                   phoenix = "100.92.37.106";
@@ -79,6 +83,10 @@ in
                 pop = {
                   li = "fd7a:115c:a1e0::e701:5723";
                   sodium = "fd7a:115c:a1e0::3701:bc04";
+                  stinger = "fd7a:115c:a1e0::8401:597e";
+                };
+                rig = {
+                  merlin = "fd7a:115c:a1e0::8d01:b538";
                 };
                 st = {
                   phoenix = "fd7a:115c:a1e0::6901:256a";

modules/impermanence.nix

@@ -50,10 +50,18 @@ in
       path = lib.mkOverride 999 "/data/chia";
     };
 
+    services.resilio = lib.mkIf config.services.resilio.enable {
+      directoryRoot = lib.mkOverride 999 "${cfg.base}/sync";
+    };
+
     services.plex = lib.mkIf config.services.plex.enable {
       dataDir = lib.mkOverride 999 "/data/plex";
     };
 
+    services.home-assistant = lib.mkIf config.services.home-assistant.enable {
+      configDir = lib.mkOverride 999 "/data/home-assistant";
+    };
+
     environment.persistence = lib.mkMerge [
       {
         "${cfg.base}/system" = {

modules/locations.nix

@@ -22,7 +22,7 @@ in
           authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
           downloads = "phoenix.st.ts.hillion.co.uk";
           gitea = "boron.cx.ts.hillion.co.uk";
-          homeassistant = "microserver.home.ts.hillion.co.uk";
+          homeassistant = "stinger.pop.ts.hillion.co.uk";
           mastodon = "";
           matrix = "boron.cx.ts.hillion.co.uk";
           prometheus = "boron.cx.ts.hillion.co.uk";

modules/resilio.nix

@@ -1,9 +1,12 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, nixpkgs-unstable, ... }:
 
 let
   cfg = config.custom.resilio;
 in
 {
+  imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
+  disabledModules = [ "services/networking/resilio.nix" ];
+
   options.custom.resilio = {
     enable = lib.mkEnableOption "resilio";
 

modules/services/tang.nix

@@ -15,6 +15,8 @@ in
         "138.201.252.214/32"
         "10.64.50.26/32"
         "10.64.50.27/32"
+        "10.64.50.28/32"
+        "10.64.50.29/32"
       ];
     };
   };

secrets/secrets.nix

@@ -24,12 +24,14 @@ let
             pop = {
               li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li";
               sodium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr root@sodium";
+              stinger = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID28NGGSaK1OtpQkQnYqSZWSahX25uboiHwhsYQoKKbL root@stinger";
             };
-            terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
+            rig = { merlin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN99UrXe3puoW0Jr1bSPRHL6ImLZD9A9sXeE54JFggIC root@merlin"; };
             st = { phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBPQcp9MzabvwbViNmILVNfipMUnwV+5okRfhOuV7+Mt root@phoenix"; };
             storage = {
               theon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf root@theon";
             };
+            terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
           };
         };
       };
@@ -42,10 +44,11 @@ in
 {
   # User Passwords
   "passwords/jake.age".publicKeys = jake_users ++ [
-    ts.terminals.jakehillion.gendry
     ts.home.router
     ts.lt.be
+    ts.rig.merlin
     ts.st.phoenix
+    ts.terminals.jakehillion.gendry
   ];
 
   # Tailscale Pre-Auth Keys
@@ -53,10 +56,12 @@ in
   "tailscale/boron.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.boron ];
   "tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
   "tailscale/li.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.li ];
+  "tailscale/merlin.rig.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.rig.merlin ];
   "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
   "tailscale/phoenix.st.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
   "tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
   "tailscale/sodium.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.sodium ];
+  "tailscale/stinger.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.stinger ];
   "tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
 
   # WiFi Environment Files
@@ -84,11 +89,11 @@ in
   "matrix/matrix.hillion.co.uk/syncv3_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
 
   # Backups Secrets
-  "restic/128G.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.cx.boron ts.home.microserver ];
+  "restic/128G.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.cx.boron ts.pop.stinger ];
   "restic/128G-wasabi.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
   "restic/128G-backblaze.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
 
-  "restic/1.6T.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.home.router ];
+  "restic/1.6T.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.home.router ts.pop.stinger ];
   "restic/1.6T-wasabi.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
   "restic/1.6T-backblaze.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
 
@@ -130,7 +135,7 @@ in
   "gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
 
   # HomeAssistant Secrets
-  "homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];
+  "homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.pop.stinger ];
 
   # Web certificates
   "certs/hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];

secrets/tailscale/merlin.rig.ts.hillion.co.uk.age

@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-rsa JSzstA
+Vj60ZJQry8CORPuKGalgBn5TNyPZ8124gjq7oRCZXWLWQxsG/7CYJgNW7rqIWI35
+QECakNvQz4GfbnKAa8XLQVlKXQow4FeY3M0UPoXdha1udhgdvk4IA9HjrGaCU+xK
+NabjYDyHMcg004V2l4a72GZF6YEgqnZLFQff2xiYQ6dTisloMq560n4ZC7SXBkuw
+oAS73wenS+3TQb80j4+4E/7+QmQlEcaAo7MZMLE8Oa8EraTxU4E2l1QCFNvdNLrg
+19xqiZXMDgMMOmuz+bkrtsNRMd/2fmguWe6Te1JXAAQkNKtFCswgrp62yVg8VH9K
+stJMT9M3h2YkJGcmUNUw5cjUJE1ByA/NW/QLSHXMUqNvStPTZQC5WvaeMcRnktxR
+z5KcpvT5xPFbanTd1E94ix2m3I0S9153WoXalzhr/dpJkR4WokVgUHdVDWCtxMPz
+hT8SAjlsqRY/ONKdTXoiuP+XT4BSLN1zkiziLC5IYvLWAw3Ha2/+gbfOweppxgLO
+TetT2v83mmSboUIiDr62XaRnx6IBQnXMC5ojC88Ts1p/P75RTWIeO6tScY5+DdSa
+mFvvl5HAZrJ8K9IAjasff8Uywor799sRVXesZ5xNEVFjeBzY21GgPXsWL5QQ+sB8
+tCxWqBVrG1/4ZT9yNznpQFKrMpnvOXySzo/3X3rkG7k
+-> ssh-rsa GxPFJQ
+gqtoNF2H7yYBWLLNN7vqLf72a15FJXOnWCOehy/otuCHuxkyp7GWI2o0IYbf00LC
+ztVCAnMG55hqm0aApzh3+2B55kzLLWlZ41z7J0Zv7euZCaiONIxn/5MeNKIKH3xq
+BbKBHAFwtsPrNVWg1T6pCI0DESJRgFsi6wtybcCrnY4B2zb7/YxHM1lBGWkB5Bzh
+T6GGN0mSLKI8XyWRDGkXVA96oqRgbMEnQo7SpWcJJ+bvFIZjXsJP7Dfj3ZI76Qwv
++jcDTGDogpezIop9hssULyl3S84lkb2UBNJgXFAaONOSoUDZ7CqDdbHTA6ZRl+NI
+8rUMZ40ksPdWhRV3zpUn2w
+-> ssh-rsa K9mW1w
+b/kL9nAgHGDs6bodtMBT363Mq8FrTKOISajIYB0v2gvc3fiEeFv2BPsy81QfiD7v
+gmtS0huJs+T/oan/M2Uznt2XfuQVZ3m0Snx0gDR0FEFCUa8f41djGQoxO9+LABp2
+1C9VFxlytGMtBnU+/9ZyeLdJL5BCRdYRuXe3lOixG2N6we++JjCLFsrXjBNLvZHb
+d2LzvybVbgkXHx47lrbJRVT31z1zlM8XAvGq1reGkADlaIDqkaWu5f5zLjWwO+do
+KaL0/DuojOOyLqLJmMseOiH/qGue0KL0HFrxsz452xBSZZKFFmidi4Mh9UdJBG8L
+jNHOOJV8OvJRYZt0wWu8Gg
+-> ssh-ed25519 6tJ2Ww YESYsdZhznbNHdjzq2hp43u3iRsm2Jw7BEPARsgM/HY
+fIlB0707w3zq2pXV5BndEeg95Mr0EeyOsdQr3nHdpxo
+--- xMvjiEEiIGADQMIvMPyykndxIvX517CVarOFBr8CJR4
+Ó‰¸¯B\¿üŠÛ)UÍÎö´ÞàÌ¢ï§Éx¸£¡ãnT<6E>“2†ŠU,§ùËsÝ|Oö4e¼Ñ
eÅ=1àù ê2`6Õðµ°(xR%"ÿu¼$r›<72>§GμµTu:
X

secrets/tailscale/stinger.pop.ts.hillion.co.uk.age

@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-rsa JSzstA
+T80Ll0LkBPpkTCjsez+zE4FzosiZYcyd/u1sarG1g9tmTIkjhwMKLYjfYPHbZfKx
+1lua7fZWeLZhKKHy8nDbOLgKC4sqrTxl/zopjywzp+1dSKm8ZtjWDk+uvrBY0gNk
+G8c9yip7lnSGBB6rzDnCFgHfYXZJ93YMcGxNMVPrPKzW9YSbCacCh3fRCRxYE9rY
+7ewLMuac3Ti/7DsrnFQUY8RHMqAz9hGMMXXXq1da5OXdGgf4l6LMurSZQKE3BmNI
+vKwYrdVBQvql02nunB1h0PdhG8tdAwVOXtUi6zTlH4irwweoQBEvny+v44JDp5vl
+tchI3X1BOHisTBCno1DXlLPjrcabVLfm1nQ8NDnscDoWjgmtaFhLtI6yDBO3328t
+zzwLGTZi8ABzSowP2GtVvfDYxCjrNaKXa5rc6Ip9C98vJ6N3ZGlC7yXLet7hHiuI
+1Evr9fMgXXdGIDxBdQDSFAQmIj4lrSnnzAj08gMdsKFdxG3xN9Y2ZeymT3AZ3bBQ
+sS3KfFHy05uENSak+NBGU8YifUymq/U3/Yg2vZF4rVaGewC24pONbiFTQl58KEt8
+T8LRoQNmuqpVXpj4vPgQ4nEO+8Y8i8aq3d1bqnm2+jMa5KKLmil2ilVzjbKJ9nzC
+ZmsRSYv1hLC/r6lBp8ICa9Pe6XzYpgl3/FaPqc/Mdj4
+-> ssh-rsa GxPFJQ
+rWXbLajz8BnDwc0HyWoO49lrC2sjBJq+UDWerQnCKJjWfTKpDZr1t8/Z7jWQifTm
+J2fG+nZ94M76QaPXDsEZCCHooXvcAfvAuoDfURVTXM7IIAwH3hl1esz+v/sIVV3Z
+AWaXSiJBe6k84HC4Kz8+Tv6J955nusAm9Lxso3dTfT9Uvf9D+iRV8OxejZSJVwEA
+lvU9Fh3U5+9CRPu5B4Ec67ShAHA7NWEzdM4KoNORLyADuQQ/LJv8LBbNMe14GWxc
+eLrp+X1UJ8R2NspdlLdLJdAJIR/OZRS89RPPzVMo5+WeglrOBEUDrFdNIkVpOGLR
+/EgxwNZkRKy+1zLZNICTaw
+-> ssh-rsa K9mW1w
+f20zvTnXg7X0rUVE4KRFZBffQFE+m8LvqHxCVuRikGg2H/xB4chKdLUJpTj1AR/I
+c8TW1+KpUSoqNMN6NBGe//YCXPnLEgGwXIp/8+e3JoPVG0JELwAGN5nU6iLmhWzH
+ya7upzNnRAGXhSJThRPQfDGbJAIOhhwhSVmOke6umf49xmyZ+/K6i+vtDhYTJhrA
+NJ9GBebKEFeZmn2bvoWUZV5ZE2jZZ0l+f5gjLw+e8+STEgq7kg/vPLLRDVhs5VYV
+mlRqmCJw2FO0+VJwxaHmVxlf8dKVC/woKNLxvrM1dkSIUKt5v7kZnrwlpSH8SoJ+
+HHvU7VZdU3Gvz7XqQLp0PQ
+-> ssh-ed25519 IrNzWQ +cAZF1BJiJGsWcB5Ss2QMxb4u2DiksWVgyCMVERppE0
+4ztuTfGdvFKhUh26r8baU2nP9tWobaV7Yi6kpILs6VM
+--- 0iwk2L+KkUhW4e4wKOgLiU7YsWEXsKC+cJNPJiXvWAA
+¸×zšÝœË[ajF…b<E280A6> ¢ÌA¹–MÍt?“…r<14>Ìi_¹Øã
[ö¸ªeŸ>(Ö9ÑN§
ÿžž:›U™Bidžë
®~#yrßè<C39F>Õ¿ˆš[îKñŒm¬