From 0bc01cd2b1554bc2e0744b8d6b76a9734dad97b7 Mon Sep 17 00:00:00 2001
From: Joakim Repomaa <joakim.repomaa@mocoapp.com>
Date: Tue, 11 Feb 2025 22:15:44 +0200
Subject: [PATCH] use agenix

---
 flake.lock                          |  90 ++++++++++++++++++++++++++--
 flake.nix                           |   7 ++-
 hosts/freun.dev/default.nix         |   1 +
 hosts/freun.dev/secrets.nix         |  22 +++++++
 hosts/radish/packages.nix           |   5 ++
 modules/default.nix                 |   3 +-
 modules/services/gotosocial.nix     |   3 +-
 modules/services/grafana.nix        |   3 +-
 modules/services/hastebin.nix       |   3 +-
 modules/services/immich.nix         |  25 ++++++--
 modules/services/vaultwarden.nix    |   3 +-
 modules/services/webserver.nix      |   4 --
 modules/storage-box-mounts.nix      |   4 +-
 secrets/gotosocial.age              |  10 ++++
 secrets/hastebin-tokens.age         | Bin 0 -> 498 bytes
 secrets/immich.age                  | Bin 0 -> 504 bytes
 secrets/secrets.nix                 |  19 ++++++
 secrets/smtp-password.age           | Bin 0 -> 463 bytes
 secrets/storage-box-credentials.age | Bin 0 -> 475 bytes
 secrets/vaultwarden.age             | Bin 0 -> 661 bytes
 20 files changed, 182 insertions(+), 20 deletions(-)
 create mode 100644 hosts/freun.dev/secrets.nix
 create mode 100644 secrets/gotosocial.age
 create mode 100644 secrets/hastebin-tokens.age
 create mode 100644 secrets/immich.age
 create mode 100644 secrets/secrets.nix
 create mode 100644 secrets/smtp-password.age
 create mode 100644 secrets/storage-box-credentials.age
 create mode 100644 secrets/vaultwarden.age

diff --git a/flake.lock b/flake.lock
index 7694090..12bdf25 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1736955230,
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "auto-cpufreq": {
       "inputs": {
         "nixpkgs": [
@@ -51,6 +74,28 @@
         "type": "github"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -144,7 +189,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1710146030,
@@ -162,7 +207,7 @@
     },
     "flake-utils_2": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
       },
       "locked": {
         "lastModified": 1701680307,
@@ -180,7 +225,7 @@
     },
     "flake-utils_3": {
       "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
       },
       "locked": {
         "lastModified": 1710146030,
@@ -298,6 +343,27 @@
       }
     },
     "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
@@ -645,13 +711,14 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "auto-cpufreq": "auto-cpufreq",
         "commander-nvim": "commander-nvim",
         "flake-parts": "flake-parts",
         "gen-nvim": "gen-nvim",
         "gtrackmap": "gtrackmap",
         "hastebin": "hastebin",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
         "ketchup": "ketchup",
         "ksoloti-pr": "ksoloti-pr",
         "lanzaboote": "lanzaboote",
@@ -730,6 +797,21 @@
         "type": "github"
       }
     },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "vimpeccable": {
       "flake": false,
       "locked": {
diff --git a/flake.nix b/flake.nix
index 98eb3dd..0d90054 100644
--- a/flake.nix
+++ b/flake.nix
@@ -52,8 +52,12 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     ksoloti-pr.url = "github:repomaa/nixpkgs/pkg/ksoloti";
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
-  outputs = { flake-parts, nixpkgs, ... }@inputs:
+  outputs = { flake-parts, agenix, nixpkgs, ... }@inputs:
     flake-parts.lib.mkFlake { inherit inputs; } (
       let
         ssh.publicKeys.yubikey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIUkESu5NnBi1M0+ZjYrkp6/rIFuwc3aguspf98jmOydNce6l65cnS3GRzc9oWx4lu11ahi87ZuE+pYV+gaHm4=";
@@ -74,6 +78,7 @@
               (writeShellScriptBin "evaluate" ''
                 ${nix}/bin/nix build --dry-run ".#nixosConfigurations.$1.config.system.build.toplevel" | ${nix-output-monitor}/bin/nom
               '')
+              agenix.packages.${pkgs.system}.default
             ];
           };
         };
diff --git a/hosts/freun.dev/default.nix b/hosts/freun.dev/default.nix
index b8b0088..bb55317 100644
--- a/hosts/freun.dev/default.nix
+++ b/hosts/freun.dev/default.nix
@@ -4,5 +4,6 @@
     ./hardware-configuration.nix
     ./configuration.nix
     ./services.nix
+    ./secrets.nix
   ];
 }
diff --git a/hosts/freun.dev/secrets.nix b/hosts/freun.dev/secrets.nix
new file mode 100644
index 0000000..b307c78
--- /dev/null
+++ b/hosts/freun.dev/secrets.nix
@@ -0,0 +1,22 @@
+{ lib, config, ... }:
+{
+  age.secrets = lib.listToAttrs
+    (
+      map (secret: { name = secret; value = { file = ../../secrets/${secret}.age; }; }) [
+        "gotosocial"
+        "hastebin-tokens"
+        "immich"
+        "storage-box-credentials"
+        "vaultwarden"
+      ]
+    ) // {
+    smtp-password = {
+      file = ../../secrets/smtp-password.age;
+      owner =
+        if (config.services.grafana.enable) then
+          config.systemd.services.grafana.serviceConfig.User
+        else
+          "root";
+    };
+  };
+}
diff --git a/hosts/radish/packages.nix b/hosts/radish/packages.nix
index ee44ac5..44ed17b 100644
--- a/hosts/radish/packages.nix
+++ b/hosts/radish/packages.nix
@@ -24,6 +24,11 @@
   };
 
   services = {
+    openssh = {
+      enable = true;
+      openFirewall = false;
+    };
+
     tailscale = {
       enable = true;
       useRoutingFeatures = "client";
diff --git a/modules/default.nix b/modules/default.nix
index 0b6b0f2..3473dc8 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,9 +1,10 @@
-{ ... }:
+{ inputs, ... }:
 {
   imports = [
     ./vlans.nix
     ./firewall.nix
     ./storage-box-mounts.nix
     ./services
+    inputs.agenix.nixosModules.default
   ];
 }
diff --git a/modules/services/gotosocial.nix b/modules/services/gotosocial.nix
index 5836536..3f003a4 100644
--- a/modules/services/gotosocial.nix
+++ b/modules/services/gotosocial.nix
@@ -1,6 +1,7 @@
 { config, lib, ... }:
 let
   cfg = config.modules.services.gotosocial;
+  secrets = config.age.secrets;
   domain = config.networking.domain;
   fqdn = "${cfg.subdomain}.${domain}";
   port = cfg.port;
@@ -24,7 +25,7 @@ in
   config = lib.mkIf cfg.enable {
     services.gotosocial = {
       enable = true;
-      environmentFile = "/var/secrets/gotosocial.env";
+      environmentFile = secrets.gotosocial.path;
       settings = {
         host = fqdn;
         account-domain = domain;
diff --git a/modules/services/grafana.nix b/modules/services/grafana.nix
index 1031873..844a7e1 100644
--- a/modules/services/grafana.nix
+++ b/modules/services/grafana.nix
@@ -1,6 +1,7 @@
 { lib, config, ... }:
 let
   cfg = config.modules.services.grafana;
+  secrets = config.age.secrets;
   fqdn = "${cfg.subdomain}.${config.networking.domain}";
 in
 {
@@ -40,7 +41,7 @@ in
           from_address = "noreply@freun.dev";
           from_name = "Vaultwarden";
           user = "noreply@freun.dev";
-          password = "$__file{/var/secrets/smtp-password}";
+          password = "$__file{${secrets.smtp-password.path}}";
         };
       };
     };
diff --git a/modules/services/hastebin.nix b/modules/services/hastebin.nix
index 5335773..d419152 100644
--- a/modules/services/hastebin.nix
+++ b/modules/services/hastebin.nix
@@ -1,6 +1,7 @@
 { lib, config, inputs, ... }:
 let
   cfg = config.services.hastebin;
+  secrets = config.age.secrets;
   fqdn = "${cfg.subdomain}.${config.networking.domain}";
 in
 {
@@ -33,7 +34,7 @@ in
           "jsx"
         ];
       };
-      auth_tokens_file = "/var/secrets/hastebin-tokens";
+      auth_tokens_file = secrets.hastebin-tokens.path;
     };
 
     modules.services.webserver = {
diff --git a/modules/services/immich.nix b/modules/services/immich.nix
index 09322cd..9f98dd5 100644
--- a/modules/services/immich.nix
+++ b/modules/services/immich.nix
@@ -1,6 +1,7 @@
 { pkgs, lib, config, ... }:
 let
   cfg = config.modules.services.immich;
+  secrets = config.age.secrets;
   fqdn = "${cfg.subdomain}.${config.networking.domain}";
 
   volumeServices = names: (
@@ -52,6 +53,13 @@ let
       { }
       services
   );
+
+  environment = {
+    TZ = cfg.timezone;
+    DB_USERNAME = "postgres";
+    POSTGRES_USER = environment.DB_USERNAME;
+    DB_DATABASE_NAME = "immich";
+  };
 in
 {
   options.modules.services.immich = {
@@ -59,6 +67,10 @@ in
     subdomain = lib.mkOption {
       type = lib.types.str;
     };
+    timezone = lib.mkOption {
+      type = lib.types.str;
+      default = "Europe/Helsinki";
+    };
     version = lib.mkOption {
       type = lib.types.str;
       default = "latest";
@@ -97,8 +109,9 @@ in
       virtualisation.oci-containers.containers = {
         "immich_machine_learning" = {
           image = "ghcr.io/immich-app/immich-machine-learning:${cfg.version}";
+          inherit environment;
           environmentFiles = [
-            "/var/secrets/immich.env"
+            secrets.immich.path
           ];
           volumes = [
             "immich_model_cache:/cache:rw"
@@ -113,9 +126,9 @@ in
         "immich_postgres" = {
           image = "registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0";
           environmentFiles = [
-            "/var/secrets/immich.env"
+            secrets.immich.path
           ];
-          environment = {
+          environment = environment // {
             POSTGRES_INITDB_ARGS = "--data-checksums";
           };
           volumes = [
@@ -131,8 +144,9 @@ in
 
         "immich_redis" = {
           image = "registry.hub.docker.com/library/redis:6.2-alpine";
+          inherit environment;
           environmentFiles = [
-            "/var/secrets/immich.env"
+            secrets.immich.path
           ];
           log-driver = "journald";
           extraOptions = [
@@ -143,8 +157,9 @@ in
 
         "immich_server" = {
           image = "ghcr.io/immich-app/immich-server:${cfg.version}";
+          inherit environment;
           environmentFiles = [
-            "/var/secrets/immich.env"
+            secrets.immich.path
           ];
           volumes = [
             "/etc/localtime:/etc/localtime:ro"
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
index f0ffa5a..6c1adcc 100644
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@@ -1,6 +1,7 @@
 { lib, config, ... }:
 let
   cfg = config.modules.services.vaultwarden;
+  secrets = config.age.secrets;
   fqdn = "${cfg.subdomain}.${config.networking.domain}";
   port = config.services.vaultwarden.config.ROCKET_PORT;
 in
@@ -23,7 +24,7 @@ in
     services.vaultwarden = {
       enable = true;
       dbBackend = "postgresql";
-      environmentFile = "/var/secrets/vaultwarden.env";
+      environmentFile = secrets.vaultwarden.path;
       config = {
         DOMAIN = "https://${fqdn}";
         DATABASE_URL = "postgres://%2Fvar%2Frun%2Fpostgresql/vaultwarden";
diff --git a/modules/services/webserver.nix b/modules/services/webserver.nix
index 1ce0bd3..9d84096 100644
--- a/modules/services/webserver.nix
+++ b/modules/services/webserver.nix
@@ -38,10 +38,6 @@ in
         type = lib.types.str;
         default = "hetzner";
       };
-      environmentFile = lib.mkOption {
-        type = lib.types.str;
-        default = "/var/secrets/lego";
-      };
     };
     vHosts = lib.mkOption {
       type = lib.types.attrsOf types.vhost;
diff --git a/modules/storage-box-mounts.nix b/modules/storage-box-mounts.nix
index 0f7bf2d..bd8a467 100644
--- a/modules/storage-box-mounts.nix
+++ b/modules/storage-box-mounts.nix
@@ -23,12 +23,14 @@ let
   };
 
   cfg = config.modules.storageBoxMounts;
+  secrets = config.age.secrets;
+
   mountOptions = { uid, gid, ... }: [
     "x-systemd.automount"
     "auto"
     "x-systemd.device-timeout=5s"
     "x-systemd.mount-timeout=5s"
-    "credentials=/var/secrets/storage-box-credentials"
+    "credentials=${secrets.storage-box-credentials.path}"
   ] ++ (
     if (uid != null) then [ "uid=${toString uid}" ] else [ ]
   ) ++ (
diff --git a/secrets/gotosocial.age b/secrets/gotosocial.age
new file mode 100644
index 0000000..8269d37
--- /dev/null
+++ b/secrets/gotosocial.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA j4E5QbHMQm/p5X87ADaDs3UXoYvK6kNOZN548Giiuxg
+SGiUy4u4wZEPV5HyREfyGnmi1pZUxxTLNvpvWbvLw6A
+-> ssh-ed25519 Zmk+Rw CKL/dmRt1uK8rXcL5/jvKVt8kbOMwbtD6QEszgkXjmU
+t64DTcIze3o+KTYm5xtAW7l7B7EntcCN1DsOgmJLLno
+-> ssh-ed25519 PT7ffg 0X40j5NfqTW0zDuJZTzJt0A96lzOMUqwiT8ePYHYRjM
+22724DDGthA6cyJhB/oquTRy1VEEw6/0YBdDov61m2k
+--- Somq6fnDd8OEprRrsbpy53fxyay1XL5TIgVa6KV2MJY
+L�ʿ�'���Hj­�
+#M��bu�%dK��������0���L/��*I/�����}�{���I��V�A
��.'��j�$
\ No newline at end of file
diff --git a/secrets/hastebin-tokens.age b/secrets/hastebin-tokens.age
new file mode 100644
index 0000000000000000000000000000000000000000..8dc925d8d2ae50949f48d4a0aaf721da15902275
GIT binary patch
literal 498
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#TolE2ykY
zD@zY7%=XPqsR%d9FN^ZlHuVh7Db8|@GRQS{DKIfC(k^fh^W`$q_AxXy2sJ1P^Nw;a
za5gYD35cjH^7jd{O!Nv(F^KZ>FwG0h%JVV{^F_BUDmPm@s9eD*DKR71Bhn<%GSMfZ
zxU$?i)HT>U%iTA}Ff!ZJCBVQZARsSGJ222A!+^`O$RIs1$=^LNG|;y^s=O$*$hgQc
z-Jq~IE3`P*uQ)l}*}UAtH#pCtv>e^GfDrSvv~-2c+{{Y<w2(a0sC3`#bT`9*fb^WG
z3jIRMf;`u}01uZkbA8ubbKjz5BMYv~plsjV0&Pp5^r)0Hi_lX2tX!kw%rMV@yddM$
z)Fi`-LYGP>|I)PJsB$h{U0sDzL(hs}=RzNsNDoW%iZH*(VE;hxh^PRgqEN%6;C$19
za_uDjQ1kG-bVsgj`d=hA{`;t*_H?f7g9dws(y4K`E9+GqORw(vRiL?GY1EYaNxQFh
zyY(3^-n-<&S<c$V^TuDIp3Xo1dRN9HmE_ysy;;Ke+&D~GpIl%3c<13iE}^?>P8r>t
QvM$+s>bkiv`Mnnb0EMcwxc~qF

literal 0
HcmV?d00001

diff --git a/secrets/immich.age b/secrets/immich.age
new file mode 100644
index 0000000000000000000000000000000000000000..29fb9bf8193078f3b525de1bff91e8e99761e828
GIT binary patch
literal 504
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#Tq2jLgU=
z_o>Vac1}-m4@izIbu`XOvPjA_j&e4&baM9&i>l0VD-W+K59Km(DKpLr$qWt%s0z(C
zD|bxFNe?Oy42()M^hz{05AY9833T>~%JNI`C`Y#~DmPm@s9YhtsMI^yEjcGUu+Y^Y
zDkRv`-8tJ)-!!r?)i0vlprk4|%*)gx$it|ls+`Nmt=!Yi*dibx#6{o9%eYYAAT`j~
zIXT?YKRl(<y)xOzrzF|j!pF<2(g5AIfDrSvv~-1Fzw#&#i`?uqXP;uT{BrYLv#e}=
z1ATwXV1wK;V<VH)tn9LIztBWimvXMs!jyo3oK$Vgu)H)cPbUupU(@2OB7;i9;&dNp
zzv8^KK*xgI;yh37j8HCJU0nr>vdXjq{UU!;$AD~uFh6IbM8C+OBL7O?6o0dD6JKK|
zH-iBG2$$sIFi)<QTGsY1kMNVne@;Gh=g8BEKl`qSi8=GSl-RbtR#kd&)bPy_;pct3
ziaqDZHJ`RPu*fm^V1UGmEq~lky5`QfDXQu*uc3a|%f3IguQM(j)2~^dpwzi{<?e4h
V4B}bKFRwgsz&eu2%2CZ(2mquQv%dfU

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..874f265
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,19 @@
+let
+  moco = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRXRJUwX98l2Vl4bUZdyHGhLjlf1RGAA5VCa4dmEJdU";
+  jokke = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP0IGUXVtUChrWHMaHoGq4USQwviHR1v1CLeDztWshZ4";
+  users = [ moco jokke ];
+
+  apu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAZkIuXtpP9a9bHkBl+MJI//q3ClMqzx03Rd/Xe4rjc";
+  freun-dev = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvCSjIjipog1Xf9mPc683r5VSGSjVc8v1UZg5VrbbxM";
+  radish = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQ0fy4n3yyD64+g55eZazeI5g9FurJnlC6fRiOXbbks";
+
+  hosts = [ apu freun-dev radish ];
+in
+{
+  "gotosocial.age".publicKeys = users ++ [ freun-dev ];
+  "hastebin-tokens.age".publicKeys = users ++ [ freun-dev ];
+  "immich.age".publicKeys = users ++ [ freun-dev ];
+  "storage-box-credentials.age".publicKeys = users ++ [ freun-dev ];
+  "vaultwarden.age".publicKeys = users ++ [ freun-dev ];
+  "smtp-password.age".publicKeys = users ++ [ freun-dev ];
+}
diff --git a/secrets/smtp-password.age b/secrets/smtp-password.age
new file mode 100644
index 0000000000000000000000000000000000000000..973eda1e3566a3975608c86a1096f09ee6b0f94c
GIT binary patch
literal 463
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#TpIbS+K|
zD%UU4H;u|Gk0^8XC=W_5C@Bax3C&DTjPNxp)=u%xN>3>ai{#1-F!ylxO!rK4k9128
z@C)&E@i8<v3^EEREOd@2%yG#}(JoKQOmZ)^2t>CnDmPm@s9eD`HQXoDQ9H0C$<MdK
zJ1I3h%fi*g$+Xb2D5)qU)U_bY!aK_;(>yT4IFu_TA}J%Ysv^n7+@mU|FfrZD(k#j`
zsnF5DIK$h?yfh%9Brl}cSU<EdI2+xzfDrSvv~&gUN<SYj*UXCWGUtq<wEQ6b;Joy*
z$n;<{{mk5o;&O{JW6wy-h@#LCk8-Xsx6H&ypWGl{pGX7qeE&?7@^BO9eE*EFWT&9q
zTr=-rLl6J-!fbbglx!|tU0nsQ0H=H(|Io;c(x@~;7mJLvGN-B}uYA)y?J@(mJR@&M
z)9_O762~+{*K95WhC82Dgv<Teci8fKVBq7bSO<l)^^-SDiu)u{6!)WKYTwId{)e9g
e9v*%F{F3MAYgg0uUJ1<H_FLijt5d1g;nM&qDW!@4

literal 0
HcmV?d00001

diff --git a/secrets/storage-box-credentials.age b/secrets/storage-box-credentials.age
new file mode 100644
index 0000000000000000000000000000000000000000..694f0d998a587ed3f7ece5119a84390172b3d5f4
GIT binary patch
literal 475
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#RS5ax%*g
zh|>3U$}Bf2$gnKZcMB^r4=$~AEi5)mOe;yNFbgOxHVAe#GU4*dFAu5o3QRJsEcJ2E
zP4p_yNH28__Rp<K^~+B-C@VM64mHd7F3I-rc15=>DmPm@s9Yh$HObJ+-_*?9tUSZS
zJli72)X*z5&BvfH(9_i2sVLAqKhV-F(#)^aIg%^Q$E_?a)Ul*8%{9n1%C*2husFM{
zG%L#@FSM-8yCfq!+pWmOz&|k}JP_TsfDrSvv~&fJ%EBU-d^4|H^W>6nlSqA!%)%r;
zqg2m`R3rD|jH0lLh|tmiQ_G<A3SX|M2$!k=1Lq`{+~P_T)7&txv~0hC!d(B-P}9P+
z$Wn8Ypxl7aNKb#)lyWXzU0sD>*HojFqSDI9U_-amtjG!{vk12UQ{Twsz~rJ*1HZsD
z-z=9*j}S|PoKP;WXrYbDF{>B!-46G<ug`a_{mtDdxs7@gJ+xQekG!#Y<&;Nr1LGd6
r`!l^**7~L6$iyd>91D~5p9wa8J<fVNO3|M|PI=2Yj%VL=PfY*-1sJBP

literal 0
HcmV?d00001

diff --git a/secrets/vaultwarden.age b/secrets/vaultwarden.age
new file mode 100644
index 0000000000000000000000000000000000000000..36a31dbcedabd08df749b8333fd4c6c48c629e0c
GIT binary patch
literal 661
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#RRRF-#69
zO-=L)3r%t^40bH9^zp7pH!k+8$T9RU39BkKElf`_^~((pcI0yL&53X+aB*}ojEo9S
zaxabwF3C>}_i*$saJR_MDo#uDPY#JJ@inwG@I|*RDmPm@s9d4cupl+D$~Dr*J0o8^
zudJ*vH9yTgrL54^)2}Gi*D$lPC@af9*WAd})sf5GIW@{H*{2}AG}|a7&B-&nG}qh3
zKRYDTJvhz8xzMD%%BRdD&D%R$I}qKrfDrSvv~-2Y9MdHCyu{43#K@#<v&cNJz#xlk
z_gqs~F9WlZ+?15Ek|f_U6T@r^H(#!lfUL+cKSK+X;G~d}ATP_(r1bF2eBWT#5EIv|
zL?ct9po|hrqoOdU%s?((U0sDp=MpbhPq#4rw2bVEK>w)Vti<GG!^%W6W4Dl;P@~)m
z3)j#T?cx&WVqdP6x09b++z(ta;bT_Wi{}Yt%Zg?k&9UEBRr;dP_5M`*2X9vXVBRNp
z<LT}v=LO>~B=M+g{S&WhsArh1wl8?y5q*ITAzLrC<aA{md9ldHh|4VcsEV0u%G=Wu
z{vCYlmz-N}R<kU8b6l^@|Cb&=uHBmTsZZ=q{A<;X<_@p;8h1Htmvpt|Dn60*@uJCD
z(UcwkO7fmm8E>fOkDeC2CG%3^)5i^a@0?%2zTj9J_qUY~+xT}aU*>Oo<9V98lgau3
zhb@b;9u>XxcX*-w?@1!3oG_=3O2en!t?KKq83oRZoOOodsP^6EpSgrg@@H1K>iJ8{
fmn}<tzjFVfEv9{eDs_LPl5Q7RM6cPqveFX(V-*Nh

literal 0
HcmV?d00001