update flakes + address update issues #212
28
.sops.yaml
28
.sops.yaml
@ -13,21 +13,21 @@ keys:
|
||||
creation_rules:
|
||||
- path_regex: targets/.*/(terraform.tfstate|secrets.auto.tfvars.sops.json)$
|
||||
key_groups:
|
||||
- age:
|
||||
- *joerg
|
||||
- *lassulus
|
||||
- *dave
|
||||
- age:
|
||||
- *joerg
|
||||
- *lassulus
|
||||
- *dave
|
||||
- path_regex: targets/web01/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *joerg
|
||||
- *lassulus
|
||||
- *dave
|
||||
- *web01
|
||||
- age:
|
||||
- *joerg
|
||||
- *lassulus
|
||||
- *dave
|
||||
- *web01
|
||||
- path_regex: targets/web01-new/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *joerg
|
||||
- *lassulus
|
||||
- *dave
|
||||
- *web01
|
||||
- age:
|
||||
- *joerg
|
||||
- *lassulus
|
||||
- *dave
|
||||
- *web01
|
||||
|
||||
78
flake.lock
78
flake.lock
@ -29,11 +29,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719797756,
|
||||
"narHash": "sha256-TGZthxgxLdT8boadFm6+MK7HZlIxN1u1V+x3hu+Fd8I=",
|
||||
"lastModified": 1720248892,
|
||||
"narHash": "sha256-r6HiSdc2IhKfKoSixH5fBMx8hWO/eoSUJJM71aeDbkE=",
|
||||
"owner": "Mic92",
|
||||
"repo": "buildbot-nix",
|
||||
"rev": "0b56574a5c823097771487d1bac952c3549fe9fb",
|
||||
"rev": "d1d3746aa7111f0f8bb2e48d5da9995356170249",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -48,7 +48,6 @@
|
||||
"flake-parts": [
|
||||
"flake-parts"
|
||||
],
|
||||
"nixos-generators": "nixos-generators",
|
||||
"nixos-images": "nixos-images",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
@ -59,11 +58,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720172904,
|
||||
"narHash": "sha256-TjJPIUYyoXZGNuBi0nooyr3nm8yyKeZQy6PLjXPFTSE=",
|
||||
"rev": "fb38516a867c1aa62eb9cc14aaf7903b13e1ae83",
|
||||
"lastModified": 1720449302,
|
||||
"narHash": "sha256-U9IHBt4SY90dtGqxeo27cEheRZa4C28hxNx4ScqteRU=",
|
||||
"rev": "d62f221309e7a92b2e637d59dca1e8e2bd017e45",
|
||||
"type": "tarball",
|
||||
"url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/fb38516a867c1aa62eb9cc14aaf7903b13e1ae83.tar.gz"
|
||||
"url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/d62f221309e7a92b2e637d59dca1e8e2bd017e45.tar.gz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
@ -78,11 +77,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718846788,
|
||||
"narHash": "sha256-9dtXYtEkmXoUJV+PGLqscqF7qTn4AIhAKpFWRFU2NYs=",
|
||||
"lastModified": 1720056646,
|
||||
"narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "e1174d991944a01eaaa04bc59c6281edca4c0e6e",
|
||||
"rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -144,31 +143,6 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-generators": {
|
||||
"inputs": {
|
||||
"nixlib": [
|
||||
"clan-core",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"clan-core",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718025593,
|
||||
"narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-generators",
|
||||
"rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-generators",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-images": {
|
||||
"inputs": {
|
||||
"nixos-stable": [
|
||||
@ -180,11 +154,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718845599,
|
||||
"narHash": "sha256-HbQ0iKohKJC5grC95HNjLxGPdgsc/BJgoENDYNbzkLo=",
|
||||
"lastModified": 1720055024,
|
||||
"narHash": "sha256-c5rsiI1R7tnCDpcgfsa7ouSdn6wpctbme9TUp53CFyU=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-images",
|
||||
"rev": "c1e6a5f7b08f1c9993de1cfc5f15f838bf783b88",
|
||||
"rev": "f8650460d37d9d1820a93ebb7f0db5b6c3621946",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -220,16 +194,16 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1719931832,
|
||||
"narHash": "sha256-0LD+KePCKKEb4CcPsTBOwf019wDtZJanjoKm1S8q3Do=",
|
||||
"lastModified": 1720444792,
|
||||
"narHash": "sha256-F8LHxZlSD6dT+U9T/3QgZlu1f528WQLycOI7vCz44Ys=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "0aeab749216e4c073cece5d34bc01b79e717c3e0",
|
||||
"rev": "dfaa8202e654f3cae750d937587a779d681a6906",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"ref": "master",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
@ -258,11 +232,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719111739,
|
||||
"narHash": "sha256-kr2QzRrplzlCP87ddayCZQS+dhGW98kw2zy7+jUXtF4=",
|
||||
"lastModified": 1720321395,
|
||||
"narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "5e2e9421e9ed2b918be0a441c4535cfa45e04811",
|
||||
"rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -278,11 +252,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719965291,
|
||||
"narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=",
|
||||
"lastModified": 1720400448,
|
||||
"narHash": "sha256-v7JVJ8H1PyH7/8EU72mz7wzxJ1OLE/h3NCqQyZ6ONjs=",
|
||||
"owner": "numtide",
|
||||
"repo": "srvos",
|
||||
"rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74",
|
||||
"rev": "21a3259985e3cddc455f64ad66d4a825b39934ad",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -313,11 +287,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719887753,
|
||||
"narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
|
||||
"lastModified": 1720436211,
|
||||
"narHash": "sha256-/cKXod0oGLl+vH4bKBZnTV3qxrw4jgOLnyQ8KXey5J8=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
|
||||
"rev": "6fc8bded78715cdd43a3278a14ded226eb3a239e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
16
flake.nix
16
flake.nix
@ -7,7 +7,7 @@
|
||||
#};
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/master";
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
flake-compat.url = "github:edolstra/flake-compat";
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
@ -63,15 +63,16 @@
|
||||
}:
|
||||
{
|
||||
treefmt = {
|
||||
package = pkgs.treefmt.overrideAttrs (_old: {
|
||||
# https://github.com/numtide/treefmt/pull/325
|
||||
patches = [ ./treefmt-config.patch ];
|
||||
});
|
||||
projectRootFile = ".git/config";
|
||||
programs.terraform.enable = true;
|
||||
programs.shellcheck.enable = true;
|
||||
|
||||
programs.deno.enable = true;
|
||||
|
||||
programs.ruff.check = true;
|
||||
programs.ruff.format = true;
|
||||
programs.yamlfmt.enable = true;
|
||||
|
||||
settings.global.excludes = [
|
||||
# generated files
|
||||
"sops/*"
|
||||
@ -81,8 +82,9 @@
|
||||
"secrets.yaml"
|
||||
];
|
||||
|
||||
programs.nixfmt-rfc-style.enable = true;
|
||||
settings.formatter.nixfmt-rfc-style.excludes = [
|
||||
programs.nixfmt.enable = true;
|
||||
programs.nixfmt.package = pkgs.nixfmt-rfc-style;
|
||||
settings.formatter.nixfmt.excludes = [
|
||||
# generated files
|
||||
"node-env.nix"
|
||||
"node-packages.nix"
|
||||
|
||||
@ -1 +1,2 @@
|
||||
# shellcheck shell=bash
|
||||
use flake .#clan-merge
|
||||
|
||||
@ -1,120 +0,0 @@
|
||||
From dd2ccf4ff923757b81088e27e362e3fdb222c9d3 Mon Sep 17 00:00:00 2001
|
||||
From: Jade Lovelace <software@lfcode.ca>
|
||||
Date: Tue, 28 May 2024 16:36:25 +0200
|
||||
Subject: [PATCH] Add an immutable tarball link to archive download headers for
|
||||
Nix
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This allows `nix flake metadata` and nix in general to lock a *branch*
|
||||
tarball link in a manner that causes it to fetch the correct commit even
|
||||
if the branch is updated with a newer version.
|
||||
|
||||
For further context, Nix flakes are a feature that, among other things,
|
||||
allows for "inputs" that are "github:someuser/somerepo",
|
||||
"https://some-tarball-service/some-tarball.tar.gz",
|
||||
"sourcehut:~meow/nya" or similar. This feature allows our users to fetch
|
||||
tarballs of git-based inputs to their builds rather than using git to
|
||||
fetch them, saving significant download time.
|
||||
|
||||
There is presently no gitea or forgejo specific fetcher in Nix, and we
|
||||
don't particularly wish to have one. Ideally (as a developer on a Nix
|
||||
implementation myself) we could just use the generic tarball fetcher and
|
||||
not add specific forgejo support, but to do so, we need additional
|
||||
metadata to know which commit a given *branch* tarball represents, which
|
||||
is the purpose of the Link header added here.
|
||||
|
||||
The result of this patch is that a Nix user can specify `inputs.something.url =
|
||||
"https://forgejo-host/some/project/archive/main.tar.gz"` in flake.nix
|
||||
and get a link to some concrete tarball for the actual commit in the
|
||||
lock file, then when they run `nix flake update` in the future, they
|
||||
will get the latest commit in that branch.
|
||||
|
||||
Example of it working locally:
|
||||
|
||||
» nix flake metadata --refresh 'http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix'
|
||||
Resolved URL: http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix
|
||||
Locked URL: http://localhost:3000/api/v1/repos/jade/cats/archive/804ede182b6b66469b23ea4d21eece52766b7a06.tar.gz?dir=configs
|
||||
/nix&narHash=sha256-yP7KkDVfuixZzs0fsqhSETXFC0y8m6nmPLw2GrAMxKQ%3D
|
||||
Description: Computers with the nixos
|
||||
Path: /nix/store/s856c6yqghyan4v0zy6jj19ksv0q22nx-source
|
||||
Revision: 804ede182b6b66469b23ea4d21eece52766b7a06
|
||||
Last modified: 2024-05-02 00:48:32
|
||||
|
||||
For details on the header value, see:
|
||||
https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md
|
||||
|
||||
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
|
||||
---
|
||||
routers/api/v1/repo/file.go | 6 ++++++
|
||||
routers/web/repo/repo.go | 6 ++++++
|
||||
tests/integration/api_repo_archive_test.go | 11 +++++++++++
|
||||
3 files changed, 23 insertions(+)
|
||||
|
||||
diff --git a/routers/api/v1/repo/file.go b/routers/api/v1/repo/file.go
|
||||
index 156033f58a..b7ad63af08 100644
|
||||
--- a/routers/api/v1/repo/file.go
|
||||
+++ b/routers/api/v1/repo/file.go
|
||||
@@ -319,6 +319,12 @@ func archiveDownload(ctx *context.APIContext) {
|
||||
func download(ctx *context.APIContext, archiveName string, archiver *repo_model.RepoArchiver) {
|
||||
downloadName := ctx.Repo.Repository.Name + "-" + archiveName
|
||||
|
||||
+ // Add nix format link header so tarballs lock correctly:
|
||||
+ // https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md
|
||||
+ ctx.Resp.Header().Add("Link", fmt.Sprintf("<%s/archive/%s.tar.gz?rev=%s>; rel=\"immutable\"",
|
||||
+ ctx.Repo.Repository.APIURL(),
|
||||
+ archiver.CommitID, archiver.CommitID))
|
||||
+
|
||||
rPath := archiver.RelativePath()
|
||||
if setting.RepoArchive.Storage.MinioConfig.ServeDirect {
|
||||
// If we have a signed url (S3, object storage), redirect to this directly.
|
||||
diff --git a/routers/web/repo/repo.go b/routers/web/repo/repo.go
|
||||
index 71c582b5f9..bb6349658f 100644
|
||||
--- a/routers/web/repo/repo.go
|
||||
+++ b/routers/web/repo/repo.go
|
||||
@@ -484,6 +484,12 @@ func Download(ctx *context.Context) {
|
||||
func download(ctx *context.Context, archiveName string, archiver *repo_model.RepoArchiver) {
|
||||
downloadName := ctx.Repo.Repository.Name + "-" + archiveName
|
||||
|
||||
+ // Add nix format link header so tarballs lock correctly:
|
||||
+ // https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md
|
||||
+ ctx.Resp.Header().Add("Link", fmt.Sprintf("<%s/archive/%s.tar.gz?rev=%s>; rel=\"immutable\"",
|
||||
+ ctx.Repo.Repository.APIURL(),
|
||||
+ archiver.CommitID, archiver.CommitID))
|
||||
+
|
||||
rPath := archiver.RelativePath()
|
||||
if setting.RepoArchive.Storage.MinioConfig.ServeDirect {
|
||||
// If we have a signed url (S3, object storage), redirect to this directly.
|
||||
diff --git a/tests/integration/api_repo_archive_test.go b/tests/integration/api_repo_archive_test.go
|
||||
index 57d3abfe84..340ff03961 100644
|
||||
--- a/tests/integration/api_repo_archive_test.go
|
||||
+++ b/tests/integration/api_repo_archive_test.go
|
||||
@@ -8,6 +8,7 @@
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
+ "regexp"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
@@ -39,6 +40,16 @@ func TestAPIDownloadArchive(t *testing.T) {
|
||||
assert.NoError(t, err)
|
||||
assert.Len(t, bs, 266)
|
||||
|
||||
+ // Must return a link to a commit ID as the "immutable" archive link
|
||||
+ linkHeaderRe := regexp.MustCompile(`<(?P<url>https?://.*/api/v1/repos/user2/repo1/archive/[a-f0-9]+\.tar\.gz.*)>; rel="immutable"`)
|
||||
+ m := linkHeaderRe.FindStringSubmatch(resp.Header().Get("Link"))
|
||||
+ assert.NotEmpty(t, m[1])
|
||||
+ resp = MakeRequest(t, NewRequest(t, "GET", m[1]).AddTokenAuth(token), http.StatusOK)
|
||||
+ bs2, err := io.ReadAll(resp.Body)
|
||||
+ assert.NoError(t, err)
|
||||
+ // The locked URL should give the same bytes as the non-locked one
|
||||
+ assert.EqualValues(t, bs, bs2)
|
||||
+
|
||||
link, _ = url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/archive/master.bundle", user2.Name, repo.Name))
|
||||
resp = MakeRequest(t, NewRequest(t, "GET", link.String()).AddTokenAuth(token), http.StatusOK)
|
||||
bs, err = io.ReadAll(resp.Body)
|
||||
--
|
||||
2.44.1
|
||||
|
||||
@ -1,8 +1,5 @@
|
||||
{ gitea }:
|
||||
|
||||
gitea.overrideAttrs (old: {
|
||||
patches = old.patches ++ [
|
||||
./0001-add-bot-check.patch
|
||||
./0001-Add-an-immutable-tarball-link-to-archive-download-he.patch
|
||||
];
|
||||
patches = old.patches ++ [ ./0001-add-bot-check.patch ];
|
||||
})
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
# shellcheck shell=bash
|
||||
source_up
|
||||
|
||||
watch_file flake-module.nix shell.nix default.nix
|
||||
|
||||
@ -1,64 +0,0 @@
|
||||
cryptsetup_key: ENC[AES256_GCM,data:79qOTOi4ftTmIWuc/7bFf3NXaa2Fs6mTUfji,iv:xq9HM2uB4rr75qeZEAh2pFvEDAtXdFhsrT/manI7RqM=,tag:iELo+UHSplsQWIK9aQ+uMw==,type:str]
|
||||
hetzner-storagebox-password: ENC[AES256_GCM,data:vmH1NlKTuEDGb1F3Ni0PSDk=,iv:0q3vngK4SvjjPVHTGTBmpU+bdBc7IyY90EL3zJsf+BQ=,tag:iWqmuT6IJgVG8yPT6YZzUQ==,type:str]
|
||||
hetzner-borgbackup-ssh: ENC[AES256_GCM,data:/x2bRdkv6Q7ymBmiedK0eV+FxKAS3R192KjReIvixLvPLOZFr9ajFy0mHSZiDjjzPn7vaP2/PI9/PWzGrkWeXv4MAbU9S8QvgUFPYbfUSQV2srSh1/UTl7rv0o2tw/LuCIbBivSu5d4xMWtHE4e/x50eWImG6e20q4+5ZF4hSXPGLmSayCGptbSq7JlgtcVNmTHFSdxPesGx7t50553nzU2ZoJxn9GDnhuVbSOmvhDpwaUYCDY/bGhmMpk32inzUxtPFacgz2JSygo3JCyWxervaE2OMd69fGI24F6cbqPV4ORWNymOnGGsFmMiTCyfKZjOVxhnBXAyeP444PE7MeNf6s2fFhAyV1M/mToa/ElYPHeJbY9t4bK0UPBXtral3vqMVNP6sYMzIPl0DBYsPeY71uEo5ctGJMum+AIhSulYzfTPq7IdPqo1NZGIXQbPb+8P+FZxUOEBm6imLdhG1DmL4Ji80yAPJ7w6Qgs7VoJPHdYTOOE+Z/s/1o52VUtGsSVergP8macRGHR432UIZjRvIxjdu7wvs7GLM,iv:af8J70mGekRpNCT15NjrYkgmoBQyTzBR866fRyrSmos=,tag:ZWLvsFQCFz72ih6UCDP2uA==,type:str]
|
||||
hetzner-borgbackup-passphrase: ENC[AES256_GCM,data:Stu8kYR+jP9aOjWz16/DhUTpxf4xwK8e7kJo,iv:rU6Gi0yoe7EBxQJ4wczDEjZG4GrB2mPmB1dD143HyeA=,tag:sSR3Do4vepb0vaMRhkj1Vw==,type:str]
|
||||
initrd_ssh_key: ENC[AES256_GCM,data:SpSX6RgnpgVkd3sL+mJx0Lk6RnagfxwO1cUKtbj4wxlJHpSsBnI6+tGJjssoCp38jHOPYZ4U0IE960ojjtXyBL/sF37Sw0E8uDGr0rL/wuuQmzhF3AC9VfuDOQNbe0pYTr7HldzIvbDRowIShxqbKfBVizkR1bxZkmHfDpMKE1gGivFLYeHC+gSVgTBtPEgDCx361+I103K2kCczu2VGnfmfc9ExrTO6/7ruj2DRjFLOaVmkXe896KjN+YpTTjT85gjEZJ75AGEUNKCNppQRkM0RpJBJyRunHmKqxh5VnFnlbiklsX2S5ev07G9oqIu0kZI6XduQjj/okB/4SeoY9QE6FOj6dRi2WSBNGpT9fBnV4i6bv2Z612ISXwO0GGfXQeWE4mA8QSaJ9oa/fnVFb7WolU9DISq8sYPc85VXVJGCFZ17DDVGK/capjveGErXnk6lJieBwArN5xEZfr/tPL15Q1DNdyYOJwiL1bODQwxYExpFu32XJ/ZMDiucWDXnEwJJf7WpThh0FiAZFzGAJ0b3SeJpuQvK6xXD,iv:w+YuoZMUswV9sw31PXFLKHbinRit9twPDqofeojVdZo=,tag:eCYSUX5EA/NTD3yIdTC7PA==,type:str]
|
||||
ssh_host_ed25519_key: ENC[AES256_GCM,data:68nXUeyy7xh/KKdd4ajdrkuzc54ZpnXhMpPjaDYtwMLlHja/O/t7g4IlVgLTKWwgMbr5/lAj04cEI99dAuoARaE+p4ldQeQNzPb7ZOPyRmSnBgO/qgtZoKNLaIX7q+Mwl+vsa2d2ZSHG8Fu7hzNIELWHQoaIFi782U+yKt2LHhahdVyY/FUPcymi0EtrwCqBHKSlEu+SXiwDXT4f+PCBtyaCJT4T4Mo2+TbERur9r9YOnKG2GEg46lDwTrr6FMya5K2WBks7AQwQ+rpoHCEy05tTg3GTJd8DypLhemrHMD7HeYzRf+HnVCyTngxmoquCD5/g9OM+fu63GIsnbGItWxREfjfzvODKuPaVCOat4mWQr1pLch1lcIkxQhU4EXg4LgHUMXFnQFrR8rvRT++YK1nRLB3w/lyvU4PAoocYlNR3G9JEClRnu4GH615ILEjXhyUZyAHIGx1+W7M6j4aGFhm3NOJWCTctaFd5r6uUeTqDpV757UzgHIR5lhtlfjeL41r3mmN09os/HpKt9EZ0,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
|
||||
ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:k5T5CX56wSm1DADOH47sGb1h65aPk3NSvQR6Rgu7ZzRrq4pF84ofaRMEJU5d9MHnb+Eg92jnibRNwKUH36e5c9PJXtU14aY2f7HzOCyVk7WXd8H0eOuOfzG5ICQ=,iv:CcqwTYnk1NkJpn9q1Rnz4ERxhhnn60h3sXqMd3ILTk4=,tag:LhAIzkeozvT4L7+vJ9ojnQ==,type:str]
|
||||
ssh_host_rsa_key: ENC[AES256_GCM,data:/f0EkmRbX9vSlhUmuJIAEJLs5R4ryxrtTN0hqcJlxTU9B0woh3pFK0GrXBbL1l5uvEQo2Vw2p7yeCqFch7ypfhBTRxD8IhWoc2l7trawhKa0bhhiQ8oQU47AW96ZCQHQx4h329PZBmFwjK31gtHoY3nkj862vWoFLucJs0yRkCVQJEgkjehO1KQbPU7PlYgUECPnpOgQW0wtGLSND20QyJyEQFSg0Vk7fWY6ycSiu+Piejg5MZVgdVofqEw/fEWyp0Za0P2SEyf0lyO8Ob/amObS1oHmLrb++bcOXl/BBqLPow+zx79juwmuFvhk/vZfeO1P04J83eg3f40s0HPP3g7SKjJTf0pYgdu3k3uXN3WsDWX0Tg3YfAxhKzIScM8gyrkCY4ju8fORGCRSzCddA1p1DvtsMAK5RmT6rSob3yS9nEYIlVUXeDsYGMtspoOd9vts0nS2QQ3VHIg27OYieixevzOtpCtyfogMIqMYgvwLlEzHt9Xi4uzFPxb5MQh0vt4PTy97pooCx0HHKYueMGeByZk2EMIVZzIBq1t3GEtj2bIiFIuAxPdU5odBCM29eJwBbwDw8Mngo/dF/HnDvx/AJ89wlbv1AtAqaIPPfQDUwdUJBhKW2rnKmef9E3oDiikhmDOq1UEAaf31NgrDL9nDrZ9nhHbkuL6Piets+jQ0yBCXVzP1ymHGqPAshlnYDSukAuZ8ByCPJr2p5LT09zYLyhtMMO04Qqcu7x8AMJ7Ha2iVgKDzukNcWEtNF5k2XmZ/lUidb7GZvdUsymkRxqAyZeWmP8DzjP7L+8LQhJhY4WixYsXQkVD8eTQyo+hHwQpM/j2XYwIaEOM/fEBvSVwR91U9J4ONqOD0SxIV/i9BoS472q3vjGbzQ1PyaNznvqBuL0WFfWVoUHNw+62LuOF57x6dhzy+et17xk5A4qmsQ2hScDLg6Ha4ygsGKbkLbFz+HQt7IUpIGAmN31ybtrkGR7Z973866njx7yLMFW4gR6bLgz/uNO55FNDLJ20YPSGtt6xoS2dDFfvJD9CTWaw7Z/kfGwjI/IEJgnFDNIEm3mIiM3f4O19m9EJy/ySXTYpTyGnRaEjz2DFIQiStNB+CmDuGgG4fTymFArGt2ieF+aB10E0pLJsZrV/62fRE37BXBuZWhCUshu1HfO9wkkooPunjqVN+5OqN+zgmi6nHzadlbnATK/dPcuBF6nA1wCQd/Y/qpFiYhy2NY1G3lG80/fUdwlTCYP+FFY4x+fxw4qh9J6XhNf1FFTcRpmrmhzjyjb6OvWCgdSRybBxzifTGaAWUde3UEpLHyZzd8Ag+etLwCcLBLeKPfVtfceqWYgkMp62zIXPZ5KZsDDQ8BN9JTMOEk93lL/vGmdXQhxioZ1NmA+Pi1dkSgDEDoUqZLL/FVrbsJ4v9WbpAexjcmKdVxJLCuzxzZKNfc8YeGc/xPgFRAC0BfTxGNkvKONIt6FGc7IF+lJze9HwDR5OLx+cFRhnGJjiw5OoguxRmMl5nzwFggmBCB1IZT4m6ADL8DaCw9RDjErmyz4wU5kROnGBLNgX6tWvYNStUFdIgSoXDAZxr5ArX4kpj93ls8rI+azvRHOATb5kLCS+N8JlyBQRjs22OGf/rjP5Tb7u857MSEy8TWtLwbt8PpL0Zg4h9pAzSgdZHPdVFMc/fZFOT8psVZn03jcsDETeya6uzMUHyBdGnbvbHrJ2y6MCbcWn8suacfBSANoicuhHXW1Kj8dNSpNYrD3xfHfU0s8ajR4HuG92GEGqV4NAb/IXXU5h14OH3bkt46dDABg3vV0bcunmtO8ReWcL4FKrehJU1ycfcgFMVGzxhOQObqWhCbWk3qS2YvUbK7ODzBFCqHUAwfJFNd1wnI+Ml7AjHdG+boFI07C6D0NX3mu1y9Mnns+9Ghr0kh30qeBux2hyz3jGjAy1qrhgbkyR6rBGEQoFz2iSueT867r4D5XPgIKeh8CR0ZkVMME2Z2DKpv3nfbKYZhXzAvQ8TYEueOvKT8f1zuDjcmo3x+GvVPYz1KntNKRrSN5pgPoQLiF1fHommEUAAXM90ysijUGw9K3w5FGrzd05ipcGRaUGb4bOglEezfzt3ODOoe5oW4P8LbnEu1I9GkoU7fDeNZJZ2ZrtL9zNpELo77daupcHt8Ytt6JwQaQcQXNmUcAgIg7sCet+063WES5jwDbR8UgZ5MYNC3Kca4zdI5Ki3ncWHecCtGKCNLeOTbSPb+iGzZI0Grb1pZXs2LfkU4Q2/GIPFF5lkDjPlXATuGh9SjR2xM8YQdYKBDjkMYITSdarjLPR51vGS+RgexJjFNNh3gY/qv8C0j1TUZ5C+FaT4H6A4KCJgo8Pb9hZsJ+hRM+yLDZeK3JUno1IckkLdBkB0E4s5l92ABg87AiTwHeYalQIJIb5mCaMOt4cu/0szWLvd32lmVHN08Xs9AapfG5StpAqSssx0/bbaPPdJW4D0ystMTit+SVvhwVqeGX+8LI0zVsJTzuJCUtfZosdOdThg9zjtYfQFChpogNUBu+4XD6ere02ihY4JvL8Souc2Rel9b/lB9bVAc9Vvq6YrqFsM0w1L1tkqG3TCZ2Mga3at04CP7wItDejmzkLPVEHm7OjuWtBEAl4vqUkV2bfkEzICQPwC6ugiTOQraJqXhlgWLPkBWsQBTxrMT5bnhPg5KvwjRbUXEHL5txqH8C/0EFsaU48Dg/y9CLq8ADIuTRE9R4tR63eOZ017ObkkQeNt76mq+S3DCTrvU+6qUNczLmi0BX5RWqNXJzD46KIEdjkQxr+NBCMC/QdVBdbt/orqNXpPqzVkgmLB4Uze6ppZ+64qWO/Ana7hVtb7cFv8MABIAFxII1y6DZAftA9kfZl1aL7JD4KLZVo9+PfKkH5Z4ZngRaNt2YAruqn0WmgwdPYoZTTCDgqxRfxsfh33LWYJQMV55Tc5UdDol1OpomUoKrNI+zOSeIvMO1C9tUupNjkWNlCEbwVSOqWh5tjMAtH1FSpZgAsqbxVvsYOsF8S/5TgdzMz7N9N4MoIdU2PEwLtOZAhMbTQR2iGIBGJQinFJvjPZGuYQF8+e29gDjRvEzOIuamwmuWtELfqmsFz346a8d/emZkMX8pyprt1afaX4xFfI8qFqm8Vj3Tx6Cd4ll7fQaWkNraPPetZBEKuuHnDfPAHzuYhgYKsIhxaMxkRfT+q7ihVdj6SgcLZRWxF2VyqwLKH6oKJljUso+FxQoY3SdF2bTSCGbIzKeLpej9NMq1rb8jLb1lI1weKY5Hg6cglt8UGSGvNY4qouh/9//Ab6dkEuEBwRvDgwC5a0y/wkGR8VQlsw0+17oudVhjbyv//8cPU8q+VSYrJ3QYJ63MjHAsu+5uukP0s2UuArzszROg2SdHGDdff5svZoG2hVptUgyGh8GlvTst7QDMIM+Wp/+Daer/7YUrqdIoOX+Por9u9++R+FLmnX/MGI3cV/TaeLEHVT6N/A8XtliicE1nWCcqvc+fwOg1WJIVkyyKRI1hPzVJudONOd54m5YKGxOIHNKNGSCu5i/K2Ft01tQMd7g3DcTGHiGys6cC+CkZvAFFXiOCvfhtAVqGKgbZxyJBzdUnkf6uqtP8TSP2+Ea8xUY2tq4Hg2FnC6sk6wuk9v5nE4e8XMyrYNWuZAiBeQ228ko6GOZyKaGxTqh2DQaFSvjNabtUbu5byiqdTySTvhTqV0HhruH1geb6VHNFiYAvV3dP5rIkCwIfRLyqHcNauOtgS+r+hKCg9vH7dFiQJugGzOvxM2yqi7762QCeMhaWAUxRR0m/x2dOymd8HKHUBY4fP7f6qExYE2l+yFbzms/KMaUyX9Ppspyhnw89b85fT1OsFhdphc4vzhN138YfXcOUQa4SjrCIO2D4/jrc46TlEh5byAucNSeX9da8PBE24vDl1vbMft9z/KK5dIRqbhb5TaSUgxUjfimbSaim9dh1jL94XPYmACy6EqYBIcKFNj9Ghw/J1e2xAnDs8S9HCCMiJHUUOCGTHFjpjq585iqasQvxPzccZfteXxObmOVrL7CjiiCY/+IuPnSoBvynPAW86Z7YLCYzx1yEgKcVbK0Q5qXJBjCQdqZ9/ySN0R9HSDW3m2+I6Q58sAMiU4hhzkIm/64GWAoJHqwZFX3aoJd4kYx0sgbWwvItn00UEmU6Q0AW2ZugV+95J3GRMuusq2IKdYOHFR+b538HWN8sk4nMKIRKaJDdFChBWmIF/ASDXwd29tM+nTHU/UNYTQTLp8J4JNtbbUbTADQ5Fy7xCiO0/UVZQju5iReJi0aqFZAHR6gSqMfWFEfISGjliCdt1Eo93YbBL+A66GgSgKX7vGWw0Q46yFzc0uQhfAIcwvT+wa5ZI6L50wJSr/TY1NF4prV/sTKRbeUGtOcO0MOpC1ToRxC+LTfmLYsxFBTg7uYFPDWOkHxwGkUTBCpDD5gs1PgAPekdJ5fiWVt1TdYqIuFexoe9+V,iv:zW+4q1dRbz8WYtDWoHXZMrdyBS+lbmgc/kLvaxluOKU=,tag:lg7uOWcUPXK1BCl6jVV7dg==,type:str]
|
||||
ssh_host_rsa_key.pub: ENC[AES256_GCM,data:Gqk5+cDBsYg84d5Y5vowhnPyGncW3bycpeZAsuclUbiET5z9nVzK2CT06ktQb+MHN8jytc7RfME0c2uk3lQxtFRqxmSYcE0fhM8Lg047eEIswRTYpW+54m2WQL4WYsfZorMRPiWEdt0m7l5dZAC7tOmplGo/ZJxtkhPmf8M142yYjoCgk5Fv24GQkuYh4tKwVYYfoVem1ALE64tl1PXT20uVzvq7kVUJ0Ge3UyEY1zLpg61O2N/3tQQ2FqlstulKHtXjwFkeERUhju7sIuL9VskHKwYbG2JJxlTY5XWMDFPU3Ey3VECsBwjxfcGspp8bP9KdNICsL8pSxkT/clKqkDY6AwW4/C8QXLsrijLbe4M9f9QK1KwunBBRj3nk0DXYySYrn++GyZJRPASyhALyBGf2cMNcbHhB+ARGqhxixUyCmXx+vDqvFe8SzuVGKXGm16uP02ZKgdUVwPByWFydqOISibtJiZxyEyWNCLKpYCiZMoZchZv5PZ/jdZe4kv5YBtK3SfNeyWxPijR5ye+JORPPhjBQJLtX5xtknWF/z2SmJu6iMIw4cjQvkNREVtGj/C2xsRPNhNeP+gpk0iy/VEWj6Mk/I2lI+23jbX1m/JElsj4ig/vnUOhZnI5FNvGjfavnTvVeKaXVAjnWk04rxF2zsxm5H91xSh6qUWe1fFBdgzG2KW4d69Kmi3I9zPo9p6GwqkKEHJdXd6KmLbSoPmfP22Gv6vYbFWl5NKKfPiimw+IXLAGyzz8gWHk7cLA4J9vGSiaxbdLkvbAbvdZJ9K97LmyYsFVzAuz75UbLqyGZysn18OceoSo3nTEiy/WCIjfXsKu95/lYOd6fycfDF+gpkp8ejw3C0JRiZ939CFpG/MrUpCQrgzz9xgKpcTy5w0yWt30naZGlVZ0kcAjv/Bd2X0ON/eEdBrq/MnJHaMDOuuVe9iA+lNVqhFMqEsemOUSJm7R1Ttug4PFdiaMYUg==,iv:9DD76j3rDz+KFw6BmC4mVfhfgadjCR1DXytfV6dKeHY=,tag:Z7Akx72UnALXIcdUIrYWpw==,type:str]
|
||||
harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKSWhkgJbdY3gO/pfa0zsnvZTrAiljR8Ugh/x9z70T/XhjgZ/dIKqtcrGw0or9WPDmVzD4UHYm6iWR30MZLa9EBK0GFInlcSa/g==,iv:9HRnOaqP1iKMyyRX7evl6woZgfw9h4t7mBD98v/iBng=,tag:MQDio//aEOAOTVWlgADYDQ==,type:str]
|
||||
matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
|
||||
registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
|
||||
gitea-buildbot-user: ENC[AES256_GCM,data:GsSP6YMfFoaYslLwceRh9OU6lNYUWQnpTi6Fazyxz/NF8bpy3wbYe+I8P1OlE50rpQ==,iv:ZFnFwXBXZc8c3Q60ZnG7WgcLXQNV9iUhjQxfu3w1lh0=,tag:6WlZkgwA4YY1C3VOEAx4Ww==,type:str]
|
||||
gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
|
||||
merge-bot-gitea-token: ENC[AES256_GCM,data:ULHcaNSYJwMVeeEq4bSiRcVRuUkE9fFUV0AkWW1wM0yHQtD+dmo1GcQ=,iv:dujDWGZ+seoVN8Eez1w3tUuMpGeOHtNLMaa+f2hOpAo=,tag:WoDTsZegC6rrbh7ygWSk+A==,type:str]
|
||||
clan-bot-gitea-token: ENC[AES256_GCM,data:J+8AuAT50Xh4lKUWmigZQ/QBfNuaNKJDVuPj6jAOx06XZDwLEFtE8R8=,iv:8OGDcHbGfv6SOxe6+UBU7rTNgzYJYNJtUysSLao6H50=,tag:LxzSogjPBlxIrPcsgRU2Zw==,type:str]
|
||||
clan-bot-ssh-key: ENC[AES256_GCM,data:mQAzPbzFt/FIIEo5ThXINN2FXsRMrBs/+1x/p0jDbNGLYt2LdMuYXQFevlYAK59fObNn/U6y/dheqKjtkX6BdBTLJgUKXktsJSeudsZPZ1OMtvzL0xxgx5+8Q0R+Er7BZ4ZVMpc9rolNtUojU/9gWMCALcVXz7FqGTtAYe8SEWCYinO7oP4JmIjWYnJBfPKXwq79uRp3y6dUnRLOL1Q7hCo7qFttCSssTF6HT+NJBVeAQvQ5wnWlfu/T0b7n4HB3GKfkei8Sh1ydW9k3kjFA34balXfEp3C/HHmzZO2/RWdFf45NN7itVIZhw04nrmFIW6mXaqhgJk/us9aqWFeUTTPH+nIDQfRWzcDddxrb8ZJC+/znLzX06wP18fmCHfIffyYPKcMrNxS2BKFZabybombbTYGnRV0a4881bvQLD+ScOYavYpEUTDnOg7SRQCuyDm2TtRQ5+wSUQCosYg7vTKr3btM5sV8PgDti4ou0t7YSt9bbnXv0s8/jRT+x7X7gWtw1MspJ1dWhH+FpyoPwDC4fAqjfTdcCkBFc,iv:1i3W/KWJCVG4F5uFDBttRyG9Z3BdyRa6XlkrkPNWkXQ=,tag:FjqH1Sfo1+1ALuUWAvrjyg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMjVzYUQ5N1R4d1ZNbnlu
|
||||
RlRMT3BCZXdoT3FTRlE3MDFzUUxIcStidGk4ClhmeHRDVUJyM1ErNWxaZ3hUTWFz
|
||||
RkFTK0dmNm4vZ0FXNnlXbzNCZHhkZFUKLS0tIFI5OWU0QytzdmRWSDBsV0xZZkFT
|
||||
emdIWmVJQnFKeEpEZzBwcmU3TzNDd3MKtn0T52DL+q1LN7KNlBU0qnsh2Osjgwhh
|
||||
dQn5njsoO0NZ5S/NHiSri7mWNrLji1eJAI9WxENy0yagpdgoT4L7gw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeHhZMlg5VlpCKzhuZkdD
|
||||
WFpaMXVzeTV5TlM2NEE5KzB1VDZac3A3Y1NNCjJ4eFpxODltdTlqZmw1RE9DTVJU
|
||||
ZmxMS3B2bGkyWUpkR3ptNXV5eEdSVTgKLS0tIHRuSHF0WU1OUFZjbUdWZHE2NUI0
|
||||
cHo4eGdaQXdxQ0xOaVpKam5jZllHMXMK8ZDeRJjhrDur0ou1f5fbMJHOWjG2DqNi
|
||||
UklTTKasabzT9X/wJCEpcm8inhQnJpX5F4mnLczBZyS1p3PmKZ6DgQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSXI1MHVWQmtPQksyaE9j
|
||||
TGxJbzJKTHFwVXVybTFRTTdtOUp0SG9BOEdnCjUrOFRrQ2dYc2VCR2E3NEE5TmQ3
|
||||
Y3h2VDNHcXlXSVJVWXZCcUFwK0dRMWcKLS0tIGJsNmtHaDhoNUhrL1o4OHNEYnhw
|
||||
RGk2NjlMS3doaG85N0h6VHg4Y1R0cEkKqkkyARc0Q+E9I98gYUfdmCiyAwSb/D9P
|
||||
VpFJNC9R3dHU1YR1O/4/qfsF9DbnvSPxxkgKsDiVjpClnHtLIzkiMg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTnIzWUJZVTNUSkVOT3Vo
|
||||
TU1WMU5QYzJ6a0hlUlJqNjJRVmQ3ZGZsZkRBCk9HL2JSY0JCVkNNQkhYL1Y4WHdY
|
||||
MWx3YjdmTGFlcVVLNWdhMldEc2kvWVkKLS0tIFAyRHR0NkNQaVJ0L21Tck5UcUU4
|
||||
TGk4dUlwcE9XWWIzZE1nQXdXcWY0V0kKJi5yXdrsEOP4Z8K6k/sPA7yadNPKQtzo
|
||||
Iyt//Y+Y7n55KwuO8Doogu42SiVTUhHDICM9lezQmcugFqCoh3Lk4A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-01T09:44:24Z"
|
||||
mac: ENC[AES256_GCM,data:jH1w5Xk9aAHQreykHiG9PMfljaWO5tm0rIWx1avLntbGVs7Ov1kIuAQ1U8otLMmjI3vA1QXGRMTJFoODqNEMxpBvER60dPPtkwkgnSYE1v9C88PFp3xBDeryrh4aLE9PKxZcY9kf9f7anZ8p1+FL7iYo25pDygD+bHvT/y+qM1k=,iv:L0oI5D5jq4n0x5KsveotGc91+M+Y7EVO6UIzLFfgW98=,tag:vTekW9SRjkdJkIJqcoXa5Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
@ -12,10 +12,6 @@ if [[ -z "${FLAKE_ATTR:-}" ]]; then
|
||||
echo "FLAKE_ATTR is not set"
|
||||
exit 1
|
||||
fi
|
||||
if [[ -z "${SOPS_SECRETS_FILE:-}" ]]; then
|
||||
echo "SOPS_SECRETS_FILE is not set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
tmp=$(mktemp -d)
|
||||
trap 'rm -rf $tmp' EXIT
|
||||
@ -28,11 +24,11 @@ for keyname in ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_ed25519_key ssh_ho
|
||||
else
|
||||
umask 0177
|
||||
fi
|
||||
sops --extract '["'$keyname'"]' -d "$SOPS_SECRETS_FILE" > "$tmp/etc/ssh/$keyname"
|
||||
clan secrets get "$keyname" > "$tmp/etc/ssh/$keyname"
|
||||
done
|
||||
|
||||
umask 0177
|
||||
sops --extract '["initrd_ssh_key"]' -d "$SOPS_SECRETS_FILE" > "$tmp/var/lib/secrets/initrd_ssh_key"
|
||||
clan secrets get "initrd_ssh_key" > "$tmp/var/lib/secrets/initrd_ssh_key"
|
||||
# restore umask
|
||||
umask 0022
|
||||
|
||||
@ -40,7 +36,7 @@ ssh "root@$HOST" "modprobe dm-raid && modprobe dm-integrity"
|
||||
|
||||
nix run --refresh github:numtide/nixos-anywhere -- \
|
||||
--debug \
|
||||
--disk-encryption-keys /tmp/secret.key <(sops --extract '["cryptsetup_key"]' --decrypt "$SOPS_SECRETS_FILE") \
|
||||
--disk-encryption-keys /tmp/secret.key <(clan secrets get cryptsetup_key) \
|
||||
--extra-files "$tmp" \
|
||||
--flake "$FLAKE_ATTR" \
|
||||
"root@$HOST"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user