From 8acdce99df32743b3d6db9ef364011d907afd2ce Mon Sep 17 00:00:00 2001
From: Ryan Lahfa <federez-infra@lahfa.xyz>
Date: Mon, 12 Feb 2024 04:57:07 +0100
Subject: [PATCH] Init infrastructure

Benjamin, I hate you.

Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>
---
 .envrc                           |   1 +
 README.md                        |   0
 bootstrap/iso.nix                |  14 ++++
 default.nix                      |  15 ++++
 disks/ext4.nix                   |  33 ++++++++
 hive.nix                         | 128 +++++++++++++++++++++++++++++++
 npins/default.nix                |  47 ++++++++++++
 npins/sources.json               |  35 +++++++++
 profiles/element.nix             |  15 ++++
 profiles/irc-bot.nix             |  53 +++++++++++++
 profiles/keycloak.nix            |  34 ++++++++
 profiles/matrix-server.nix       |  77 +++++++++++++++++++
 profiles/sysadmin.nix            |  28 +++++++
 profiles/telegram-bot.nix        |  32 ++++++++
 profiles/vaultwarden.nix         |  31 ++++++++
 profiles/vm.nix                  |  23 ++++++
 provision-anywhere.sh            |  14 ++++
 pubkeys/raito.keys               |   3 +
 secrets/matrix-shared-secret.age | Bin 0 -> 893 bytes
 secrets/mautrix-telegram.age     | Bin 0 -> 1205 bytes
 secrets/secrets.nix              |  18 +++++
 secrets/vaultwarden-secrets.age  | Bin 0 -> 877 bytes
 shell.nix                        |   1 +
 23 files changed, 602 insertions(+)
 create mode 100644 .envrc
 create mode 100644 README.md
 create mode 100644 bootstrap/iso.nix
 create mode 100644 default.nix
 create mode 100644 disks/ext4.nix
 create mode 100644 hive.nix
 create mode 100644 npins/default.nix
 create mode 100644 npins/sources.json
 create mode 100644 profiles/element.nix
 create mode 100644 profiles/irc-bot.nix
 create mode 100644 profiles/keycloak.nix
 create mode 100644 profiles/matrix-server.nix
 create mode 100644 profiles/sysadmin.nix
 create mode 100644 profiles/telegram-bot.nix
 create mode 100644 profiles/vaultwarden.nix
 create mode 100644 profiles/vm.nix
 create mode 100755 provision-anywhere.sh
 create mode 100644 pubkeys/raito.keys
 create mode 100644 secrets/matrix-shared-secret.age
 create mode 100644 secrets/mautrix-telegram.age
 create mode 100644 secrets/secrets.nix
 create mode 100644 secrets/vaultwarden-secrets.age
 create mode 100644 shell.nix

diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/bootstrap/iso.nix b/bootstrap/iso.nix
new file mode 100644
index 0000000..426fafb
--- /dev/null
+++ b/bootstrap/iso.nix
@@ -0,0 +1,14 @@
+{ pkgs, modulesPath, lib, ... }: {
+  imports = [
+    "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+  ];
+  # Use the latest Linux kernel
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  # Exclude ZFS.
+  boot.supportedFilesystems = lib.mkForce [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "ntfs" "cifs" "bcachefs" ];
+
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    ../pubkeys/raito.keys
+  ];
+}
+
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..8cd059d
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,15 @@
+{ src ? import ./npins, pkgs ? import src.nixpkgs {} }:
+{
+  shell = pkgs.mkShell {
+    buildInputs = [
+      pkgs.colmena
+      pkgs.npins
+      pkgs.gitFull
+      (pkgs.callPackage "${src.agenix}/pkgs/agenix.nix" { })
+    ];
+  };
+
+  bootstrapIso = (pkgs.nixos [
+    (import ./bootstrap/iso.nix)
+  ]).config.system.build.isoImage;
+}
diff --git a/disks/ext4.nix b/disks/ext4.nix
new file mode 100644
index 0000000..c5a2cf2
--- /dev/null
+++ b/disks/ext4.nix
@@ -0,0 +1,33 @@
+{ disk ? "/dev/sda", ... }:
+{
+  disko.devices = {
+    disk = {
+      ${disk} = {
+        device = "${disk}";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              end = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/hive.nix b/hive.nix
new file mode 100644
index 0000000..7283d36
--- /dev/null
+++ b/hive.nix
@@ -0,0 +1,128 @@
+let
+  src = import ./npins;
+  pkgs = import src.nixpkgs { };
+  disko = (import src.disko { inherit (pkgs) lib; });
+  diskConfig = import ./disks/ext4.nix {
+    inherit (pkgs) lib;
+  };
+in
+{
+  meta = {
+    nixpkgs = src.nixpkgs;
+  };
+
+  defaults = { pkgs, ... }: {
+    imports = [
+      ./profiles/sysadmin.nix
+      "${src.agenix}/modules/age.nix"
+      (disko.config diskConfig)
+    ];
+
+    security.acme.defaults.email = "monitoring@federez.net";
+    security.acme.acceptTerms = true;
+
+    systemd.network.enable = true;
+    networking.useDHCP = false;
+    services.openssh.enable = true;
+
+    # Mot de passe classique qu'on trouvera dans le "trousseau" legacy.
+    users.users.root.initialHashedPassword = "$y$j9T$RoSZj8ezgR7cI8Le6xqwW/$0BI6G1Nqy/G0g0sNhQhyEedqoHsEyMFVjQgc3TPqE.4";
+    system.stateVersion = "24.05";
+    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
+    time.timeZone = "Europe/Paris";
+  };
+
+  estragon = { name, nodes, ... }: {
+    deployment.tags = [ "matrix" ];
+    deployment.targetHost = "estragon.federez.net";
+    systemd.network.links."10-wan" = {
+      matchConfig.MACAddress = "BC:24:11:5C:A4:5A";
+      linkConfig.Name = "wan";
+    };
+    systemd.network.networks."10-wan" = {
+      matchConfig.Name = "wan";
+      address = [
+        "172.17.8.227/22"
+      ];
+      routes = [
+        {
+          routeConfig = {
+            Gateway = "172.17.11.254";
+          };
+        }
+      ];
+      linkConfig.RequiredForOnline = "routable";
+    };
+
+    networking.hostName = name;
+
+    imports = [
+      ./profiles/vm.nix
+      ./profiles/matrix-server.nix
+      ./profiles/element.nix
+      ./profiles/telegram-bot.nix
+      ./profiles/irc-bot.nix
+    ];
+  };
+
+  wagon = { name, nodes, ... }: {
+    deployment.tags = [ "vaultwarden" "pass" "passwords" ];
+    deployment.targetHost = "wagon.federez.net";
+    networking.hostName = name;
+
+    systemd.network.links."10-wan" = {
+      matchConfig.MACAddress = "BC:24:11:EA:6C:0B";
+      linkConfig.Name = "wan";
+    };
+    systemd.network.networks."10-wan" = {
+      matchConfig.Name = "wan";
+      address = [
+        "172.17.8.228/22"
+      ];
+      routes = [
+        {
+          routeConfig = {
+            Gateway = "172.17.11.254";
+          };
+        }
+      ];
+      linkConfig.RequiredForOnline = "routable";
+    };
+
+    imports = [
+      ./profiles/vm.nix
+      ./profiles/vaultwarden.nix
+    ];
+  };
+
+  lagon = { name, nodes, ... }: {
+    deployment.tags = [ "keycloak" ];
+    deployment.targetHost = "lagon.federez.net";
+    networking.hostName = name;
+
+    systemd.network.links."10-wan" = {
+      matchConfig.MACAddress = "BC:24:11:7F:19:60";
+      linkConfig.Name = "wan";
+    };
+    systemd.network.networks."10-wan" = {
+      matchConfig.Name = "wan";
+      address = [
+        "172.17.8.229/22"
+      ];
+      routes = [
+        {
+          routeConfig = {
+            Gateway = "172.17.11.254";
+          };
+        }
+      ];
+      linkConfig.RequiredForOnline = "routable";
+    };
+
+    imports = [
+      ./profiles/vm.nix
+      ./profiles/keycloak.nix
+    ];
+  };
+
+}
diff --git a/npins/default.nix b/npins/default.nix
new file mode 100644
index 0000000..4a7c372
--- /dev/null
+++ b/npins/default.nix
@@ -0,0 +1,47 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  version = data.version;
+
+  mkSource = spec:
+    assert spec ? type; let
+      path =
+        if spec.type == "Git" then mkGitSource spec
+        else if spec.type == "GitRelease" then mkGitSource spec
+        else if spec.type == "PyPi" then mkPyPiSource spec
+        else if spec.type == "Channel" then mkChannelSource spec
+        else builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+
+  mkGitSource = { repository, revision, url ? null, hash, ... }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      })
+    else assert repository.type == "Git"; builtins.fetchGit {
+      url = repository.url;
+      rev = revision;
+      # hash = hash;
+    };
+
+  mkPyPiSource = { url, hash, ... }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource = { url, hash, ... }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+in
+if version == 3 then
+  builtins.mapAttrs (_: mkSource) data.pins
+else
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/npins/sources.json b/npins/sources.json
new file mode 100644
index 0000000..f8f1c56
--- /dev/null
+++ b/npins/sources.json
@@ -0,0 +1,35 @@
+{
+  "pins": {
+    "agenix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "ryantm",
+        "repo": "agenix"
+      },
+      "branch": "main",
+      "revision": "417caa847f9383e111d1397039c9d4337d024bf0",
+      "url": "https://github.com/ryantm/agenix/archive/417caa847f9383e111d1397039c9d4337d024bf0.tar.gz",
+      "hash": "0g240g51w62r7j67dcc73xkdnhd26nk07043qsqqavl5mbh40swy"
+    },
+    "disko": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "disko"
+      },
+      "branch": "master",
+      "revision": "d07de570ba05cec2807d058daaa044f6955720c7",
+      "url": "https://github.com/nix-community/disko/archive/d07de570ba05cec2807d058daaa044f6955720c7.tar.gz",
+      "hash": "18rli5h2xmzbbwambrcrg7r22vp0rmnjm55mcqc00n3fq5kscsqy"
+    },
+    "nixpkgs": {
+      "type": "Channel",
+      "name": "nixos-unstable-small",
+      "url": "https://releases.nixos.org/nixos/unstable-small/nixos-24.05pre583100.bdc57436da85/nixexprs.tar.xz",
+      "hash": "1ds8jv7wn5dx5s725jkzk6dk3j54kbhjl7aabc4y45v1m7bp9s3r"
+    }
+  },
+  "version": 3
+}
\ No newline at end of file
diff --git a/profiles/element.nix b/profiles/element.nix
new file mode 100644
index 0000000..2fbf25e
--- /dev/null
+++ b/profiles/element.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }: 
+let
+  clientConfig."m.homeserver".base_url = "https://matrix.federez.net";
+in
+{
+  services.nginx.virtualHosts."element.federez.net" = {
+    enableACME = true;
+    forceSSL = true;
+    root = pkgs.element-web.override {
+      conf = {
+        default_server_config = clientConfig; # see `clientConfig` from the snippet above.
+      };
+    };
+  };
+}
diff --git a/profiles/irc-bot.nix b/profiles/irc-bot.nix
new file mode 100644
index 0000000..3557ac9
--- /dev/null
+++ b/profiles/irc-bot.nix
@@ -0,0 +1,53 @@
+{ ... }: {
+services.matrix-appservice-irc = {
+  enable = true;
+  registrationUrl = "http://localhost:8009";
+
+  settings = {
+    homeserver.url = "https://matrix.federez.net";
+    homeserver.domain = "federez.net";
+
+    ircService.servers."irc.rezosup.org" = {
+      name = "RezoSup";
+      port = 6667;
+      # ssl = true;
+    #  botConfig = {
+    #    enabled = true;
+    #    nick = "FederezMatrix";
+    #    username = "federezmatrix";
+    #  };
+      dynamicChannels = {
+        enabled = true;
+        createAlias = true;
+        # published = true;
+        aliasTemplate = "#irc_$CHANNEL";
+      };
+
+      matrixClients = {
+        userTemplate = "@irc_$NICK";
+      };
+      ircClients = {
+        nickTemplate = "$LOCALPART[m]";
+        allowNickChanges = true;
+      };
+
+      membershipLists = {
+        enabled = true;
+        global = {
+          ircToMatrix = {
+            initial = true;
+            incremental = true;
+          };
+          matrixToIrc = {
+            initial = true;
+            incremental = true;
+          };
+        };
+      };
+    };
+    logging = {
+      level = "debug";
+    };
+  };
+};
+}
diff --git a/profiles/keycloak.nix b/profiles/keycloak.nix
new file mode 100644
index 0000000..bb8e1f3
--- /dev/null
+++ b/profiles/keycloak.nix
@@ -0,0 +1,34 @@
+{ config, ... }: {
+  # age.secrets.keycloak-password-file.file = ../secrets/keycloak-password-file.age;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts."sso.federez.net" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/".proxyPass = "http://127.0.0.1:8080";
+    };
+  };
+
+  services.keycloak = {
+    enable = true;
+    database = {
+      createLocally = true;
+      passwordFile = "/etc/secrets/keycloak-password";
+    };
+    settings = {
+      proxy = "edge";
+      http-host = "127.0.0.1";
+      http-port = 8080;
+      hostname = "sso.federez.net";
+    };
+  };
+
+
+}
diff --git a/profiles/matrix-server.nix b/profiles/matrix-server.nix
new file mode 100644
index 0000000..9a90b3e
--- /dev/null
+++ b/profiles/matrix-server.nix
@@ -0,0 +1,77 @@
+{ pkgs, lib, config, ... }:
+let
+  fqdn = "matrix.federez.net";
+  baseUrl = "https://${fqdn}";
+in {
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.postgresql.enable = true;
+  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+      TEMPLATE template0
+      LC_COLLATE = "C"
+      LC_CTYPE = "C";
+  '';
+
+  environment.systemPackages = [ pkgs.matrix-synapse ];
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "${fqdn}" = {
+        enableACME = true;
+        forceSSL = true;
+        # It's also possible to do a redirect here or something else, this vhost is not
+        # needed for Matrix. It's recommended though to *not put* element
+        # here, see also the section about Element.
+        locations."/".extraConfig = ''
+          return 404;
+        '';
+        # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+        # *must not* be used here.
+        locations."/_matrix".proxyPass = "http://[::1]:8008";
+        # Forward requests for e.g. SSO and password-resets.
+        locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+      };
+    };
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings.server_name = "federez.net";
+    # The public base URL value must match the `base_url` value set in `clientConfig` above.
+    # The default value here is based on `server_name`, so if your `server_name` is different
+    # from the value of `fqdn` above, you will likely run into some mismatched domain names
+    # in client applications.
+    settings.public_baseurl = baseUrl;
+    settings.app_service_config_files = [
+      "/var/lib/matrix-synapse/telegram-registration.yaml"
+      "/var/lib/matrix-synapse/irc-registration.yml"
+    ];
+    settings.listeners = [
+      { port = 8008;
+        bind_addresses = [ "::1" ];
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [ {
+          names = [ "client" "federation" ];
+          compress = true;
+        } ];
+      }
+    ];
+    extraConfigFiles = [
+      config.age.secrets.matrix-shared-secret.path
+    ];
+  };
+
+  age.secrets.matrix-shared-secret = {
+    file = ../secrets/matrix-shared-secret.age;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+}
diff --git a/profiles/sysadmin.nix b/profiles/sysadmin.nix
new file mode 100644
index 0000000..ebdcb44
--- /dev/null
+++ b/profiles/sysadmin.nix
@@ -0,0 +1,28 @@
+{ ... }: {
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    ../pubkeys/raito.keys
+  ];
+
+  users.ldap.daemon = {
+    enable = false;
+    extraConfig = ''
+      # The location at which the LDAP server(s) should be reachable.
+      uri ldaps://ldap.federez.net
+      uri ldaps://ldap-ro.federez.net
+       
+      # The search base that will be used for all queries.
+      base dc=federez,dc=net
+       
+      base passwd cn=Utilisateurs,dc=federez,dc=net
+      base shadow cn=Utilisateurs,dc=federez,dc=net
+      base group ou=posix,ou=groups,dc=federez,dc=net
+       
+      # The LDAP protocol version to use.
+      ldap_version 3
+       
+      # The DN to bind with for normal lookups.
+      binddn cn=nssauth,ou=service-users,dc=federez,dc=net
+      bindpw ********TOP-SECRET-PASSWORD-THAT-MUST-BE-CHANGED-FOR-A-VALID-ONE********
+    '';
+  };
+}
diff --git a/profiles/telegram-bot.nix b/profiles/telegram-bot.nix
new file mode 100644
index 0000000..194fc8c
--- /dev/null
+++ b/profiles/telegram-bot.nix
@@ -0,0 +1,32 @@
+{ config, lib, ... }: {
+  systemd.services.mautrix-telegram.serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/mautrix-telegram";
+  age.secrets.mautrix-telegram.file = ../secrets/mautrix-telegram.age;
+  services.mautrix-telegram = {
+    enable = true;
+    environmentFile = config.age.secrets.mautrix-telegram.path;
+    settings = {
+      appservice = {
+        id = "telegram_cute";
+        bot_username = "telegram";
+        bot_displayname = "Telegram";
+        bot_avatar = "mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX";
+      };
+      homeserver = {
+        address = "https://matrix.federez.net";
+        domain = "federez.net";
+      };
+      bridge = {
+        username_template = "telegram_{userid}";
+        alias_template = "telegram_{groupname}";
+        displayname_template = "{displayname}";
+
+        permissions = {
+          "*" = "relaybot";
+          "federez.net" = "full";
+          "@raitobezarius:federez.net" = "admin";
+          "@bsomers:resel.fr" = "admin";
+        };
+      };
+    };
+  };
+}
diff --git a/profiles/vaultwarden.nix b/profiles/vaultwarden.nix
new file mode 100644
index 0000000..1c20d6e
--- /dev/null
+++ b/profiles/vaultwarden.nix
@@ -0,0 +1,31 @@
+{ config, ... }: {
+  age.secrets.vaultwarden-secrets.file = ../secrets/vaultwarden-secrets.age;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts."vault.federez.net" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:8222";
+    };
+  };
+  services.vaultwarden = {
+    enable = true;
+    environmentFile = config.age.secrets.vaultwarden-secrets.path;
+    config = {
+      DOMAIN = "https://vault.federez.net";
+      SIGNUPS_ALLOWED = false;
+
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+
+      ROCKET_LOG = "critical";
+    };
+  };
+}
diff --git a/profiles/vm.nix b/profiles/vm.nix
new file mode 100644
index 0000000..4d3c05c
--- /dev/null
+++ b/profiles/vm.nix
@@ -0,0 +1,23 @@
+{ ... }: {
+  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
+
+  boot.loader.systemd-boot.enable = true;
+
+  boot.initrd.kernelModules =
+    [ "virtio_balloon" "virtio_console" "virtio_rng" ];
+
+  boot.initrd.availableKernelModules = [
+    "9p"
+    "9pnet_virtio"
+    "ata_piix"
+    "nvme"
+    "sr_mod"
+    "uhci_hcd"
+    "virtio_blk"
+    "virtio_mmio"
+    "virtio_net"
+    "virtio_pci"
+    "virtio_scsi"
+    "xhci_pci"
+  ];
+}
diff --git a/provision-anywhere.sh b/provision-anywhere.sh
new file mode 100755
index 0000000..32538dc
--- /dev/null
+++ b/provision-anywhere.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -ex
+
+NODE=$1
+
+DISKO_SCRIPT=$(colmena eval -E "{ nodes, ... }: nodes.\"$NODE\".config.system.build.diskoScript" --show-trace | tr -d '"')
+DISKO_SCRIPT_DRV=$(colmena eval -E "{ nodes, ... }: nodes.\"$NODE\".config.system.build.diskoScript.drvPath" --show-trace | tr -d '"')
+
+nix-store -r $DISKO_SCRIPT_DRV
+
+NIXOS_SYSTEM=$(colmena eval -E "{ nodes, ... }: nodes.\"$NODE\".config.system.build.toplevel")
+colmena build --on "$NODE" --verbose
+echo $NIXOS_SYSTEM $DISKO_SCRIPT
+echo nix run github:nix-community/nixos-anywhere -- -s $DISKO_SCRIPT $NIXOS_SYSTEM "root@$NODE.federez.net" --no-reboot
diff --git a/pubkeys/raito.keys b/pubkeys/raito.keys
new file mode 100644
index 0000000..7a717dd
--- /dev/null
+++ b/pubkeys/raito.keys
@@ -0,0 +1,3 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU
diff --git a/secrets/matrix-shared-secret.age b/secrets/matrix-shared-secret.age
new file mode 100644
index 0000000000000000000000000000000000000000..793750b810c2bde705bd069486d6ecb3168f9f9a
GIT binary patch
literal 893
zcmZ9Jz02Hm0D%3dAQ^;8r&8raboqHEm(M$tVlE$d`M6w?H<w(3Ah~>B-Z#l5xm=Q^
zlMb~*2f;<`A`V(mR|{_u6?7?14lZ3paIiX9gjYnnyo-Oq!}C0D6bysRE4!jj^6b^T
zjNoPj4X+NWDjo(tN)V&TVAk@aLk~vPOrWiiyp20UmL*cFe5|m`t~QoMJ>IT4pR$fU
z+pgvwR1`adl9-*Ln|O*59CGkve$l4cJ~$B+qpdAHPA8oRobfrWtlU9bT8ykgoHJu1
z^C+1&mePqDGD88N^*x@sh=r>y9c?fTn4G-IbyQeKcB+>)AB7d-0i}(Y8MG}7*(<@O
zNr=YUs6jI>ilXLwYy$GBFwu^Js?e9&*ei&<D&%?2v5X!1Xg1yM`(+bDQ+JMY`=ru6
zHZeC|%rCuCsC^hWP{Ge&pMNCUQmqspXg@%7yjk{!Ln7v=VoJVHLP(LsD3K>+8m{uf
z40v<m09vCLVrQf%UQ2p6-jXIjyj@>l9ltPfX{85K%o0*2#PA5(23*iH45hdZGjqyd
zzOS`*7L4%uQSZhco1bJ<6i@v<L9}CarDi%(vO8A=1Y3q;C_=HC^MS~u9;&Ne+wf~x
zYqi69?en*AbI?3(aGYl{hOK>a2|(jF=`Pk}wb_VlhwUf_V_<it(~0a==@?QHB(qp5
zcof$`YfN5<${{(#Yqw7-8ez~4K+{4J*<)(;e;T4sD3u=I0V6mTMtZR=xM9CY7t)$?
zMNU#UkwzRFwziorFmQ$9&|(VcBLZ__at$KTBQ;n$rYWxt#_(c!3QNgo68B=0BMWFa
z91hG~wxnV!<LA+dYKnQ0;X2^g`ySYNDRsCRk(}C6A{ipkooBKO7e9e+yb+MtS%2%S
zs=l0_-u(3N^~+y;_1rfD>e}5WumAa7c;UUDuAE+a>xs+vF5Y(EeJb4k^$>aI?f&sQ
zS5)-<!N1R%e|+}BZ#Ulje)P-Dv-*|CKDzg@;H<8{^uy-Xw+|+--~RRI``0di`1{i@
XK6q_`pWglPgTJpn{O8i={qz3;oM|)B

literal 0
HcmV?d00001

diff --git a/secrets/mautrix-telegram.age b/secrets/mautrix-telegram.age
new file mode 100644
index 0000000000000000000000000000000000000000..9628e15a757077a7a81528b478cd21f112373187
GIT binary patch
literal 1205
zcmZ9JYmCzb0Duo6dM-#p!f_-R*<s{W=bqhe9-el)wcW1W);+p)Jf!W`b!*pd?bfdI
zNR*R@JOY7$5)_RA!W|&t2r(KI6%-H8yBH2J1{DKn1dO0~K<)(n!yo^Af4}7W=zPwS
zlUT(lR|~TAjI89Xn%!jSG^;9a$z>fNX!n|tI_%Cs=30`-L@*p8$TDel#ECpX(j?{(
zQYp6RE7t%)E7d(l!iS-<DFDHGK`Ur=1O&rmm`51AR?_%1pc4@uPaE|@RtShVfYtQ}
zHbte)f|BxMgo%#C+M@}B^a^#j=HRJHv6ON#V$`nlVn~WGu$oEwR7aSGf<jH;x<g{b
z!x5fr+(wk_<*3ty*=3wlNFE`5gah;iy|zX)!zC(8xnPr$8939(0R|7}M9f`<G&W}K
zRsu}BRkG?Rm{e?b6IBWWgog%|3}g!c?G#l`p>Z@{QamI?IjRt@NnE!x&4oa_AW1$Q
zanqRSO%~BmB!$3o&Qx~fa9=7+I~xsDB*UC7NP*s5sS&DG`2>_K1$eqd;GPQGi16tO
z?+Ci_It)lTfCQ^(xuKf)sFuOFLc?kE$r=jCs?h-QENz#RxELXEO-BF~m9uoB2(g?-
z=xDT_kZS({gt9fmA2%h!)dnv`U|1kA9gMp49L1!F2elu(wQ4%S5@w302-V<iF1Bdx
zcEt^M*oD=@o`w-By6dV^q&2JC&*%6qK`>DfUmCQLNY+Ms!!8(WXOVc6sI&uJ5Xref
zw#I4|JnK;dI`w~>E#~z^A+u8Pt5q+kCMh~@H{9i{J*3)_s7z#0K~M7CqDJJk0;3rY
z+2pLlGz)5py1kMY;EGYr`0|xTOhIXl1*m+44u(_h2m=-v$Yilt%ngx`;S!%=5GRSN
z8K)D1XshAXRS$=ADF(|0t>JWli`p5&v|z^VmeB)~d^f(G5SvE#Un{i?A#?n<UQP*1
zzM3-a-KIADiEnz&U+K&JD9$6jvp$&j(!K@N)!uH$@tIHFXtVELbRjl-r^R7;>*Af^
z?eB~ppSx<!z2*h~$k_1pS#z1Ty(b^qw|c#p-g9Gl%h`291EG;uW^R<6m!|f248J<I
z^nTl6%g~OS<GqtN-4{k)>+N`UBDVkXy0?!yrakh;U+zCXMxGviejByZ(mDIRsq^>U
zS=@Z;$mTQGmxV$n2AZDR#m|>prZr!^ySlH{TD&0NUASRDB9AW~VrB$yPLDnYmp|-_
zj<2sA>glm|Ej;%#h;*6vCb(N)e7zK!{DQh{ap9`#*H6&Kj*f|6q|LLKU4xO6;=wj>
zXQ{u(y?pG{cTH0!M%YWN{JPqEaK*g|WNUoQivCXX=bHvLd^9jT>B``oTJ_8zaCqwJ
zG3&&eS68m`BCAGD%r^pCk^84>+tn+rllzY@8sBnYtZ(}F%dY+X`0hni$NQh&HqYA_
z8SHZQPaoK`_Aqg%dTdEAnm+ebW=rdfk76fU&#%3Fq&)r`{@F3f{pas@oB1!L%#I5O
RR*vHShkxok>%YkV@GosA)+zu1

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..63cb505
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,18 @@
+let
+  readKeyFile = keyFile: builtins.filter (x: x != [] && x != "") (builtins.split "\n" (builtins.readFile keyFile));
+  estragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBS1xp/2n5q4u4kDerkXQClnD1xeS6qrj0regbJwjktB root@estragon";
+  wagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqBgXGbnPPmDHrn05Fr3X66cmgP6zvnMtPL21d4ebfh root@wagon";
+  lagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8fiqJw9RvVVQghG0OVKsXAkBcWox4JsozfxToLAiIK root@lagon";
+  # Add yourself.
+  raito = readKeyFile ../pubkeys/raito.keys;
+
+  matrix-admins = raito;
+  vaultwarden-admins = raito;
+  keycloak-admins = raito;
+in
+  {
+    "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;
+    "mautrix-telegram.age".publicKeys = [ estragon ] ++ matrix-admins;
+    "vaultwarden-secrets.age".publicKeys = [ wagon ] ++ vaultwarden-admins;
+    "keycloak-password-file.age".publicKeys = [ lagon ] ++ keycloak-admins;
+  }
diff --git a/secrets/vaultwarden-secrets.age b/secrets/vaultwarden-secrets.age
new file mode 100644
index 0000000000000000000000000000000000000000..ba8875475a80daee531f299a1f48a6f87fd75f72
GIT binary patch
literal 877
zcmZ9}z02ct0KoAZyul2&I6T8WV(%uQ^pd`$X%;a_+dN5{q<Q=0#ao&t{k3UcnqQk&
z5aB=(Z}5=A<rc*kJh(-4P!OC1C*elHm(9V&K^%O*!|7S>FZjUsyMkdaOxLJ6oOW4y
zCqob~`&jR_&hfbIg~5O%`*cUD$e~nqz(Og)FpHCkzxC<_r`w9MgL)#yYQC*(j^J<t
z$gmz)7KV=<sRe^jz}>};>5`Koh*NUGhBlW-5+yp&ZcckBipuCpL&sHTk8EzCVS0%+
zxdsYJj(89HJ|eYBC?s>javWWvXylhXn8w4QU7J9c10zw!5!adyx01VUGsm_W<uB5M
zl{zsa)i_?qG7X(m6q(8%2+;Dvf-zOwvyuVDwNb9D^H}u#QZ1)-V$5sIFhEv-`2kO2
zBF|lhB>HeNNH$xKC%I~+#4$^;+hAsmnHh*`M_GbR!Rtw~*JQ8*K1SsW;mFoS_ps2X
zmY_AjEuz%#+iD!Pu!Lw3c70iBXuVMavdQq%ajz1{jbeG@9s?X(?NF2?g+{New)CPY
z5e|rWS&OU5kngvAzSn2*+Uzb@DqSykxF}yR^UbQ^Sc98KDWWlzWhD^u<`T?#xMzha
z7;|fQRr~5KURK&#>p&IBgo!vK4+CQ|OURrCLhhdwN~sbtr3fdQXJl)-j)29$Z3S-N
zO|1p1mAmnlZ3tyE#+U0|svyxbmm?iO-Hrq8d5zF%YRPmGnQ<FW(+M8Uqpo0jPElBg
z3!hyt&=kme3Ej~M-&rF7F`O?&H$yo*_yUlbHKNi=oE-ZHYScATBQUZdN_8aJ<2Ban
z^*Td|FJY!`DL)~E(O4(D;FN5VomI|~Nih_|zI+h}sf{xb`~8u1?TPZ?zh|F5rmk~8
ze|3J7`sZwaPkHa9%kRJb;2q|>{Ne47wEGX=di#Z^z`y+bkI$HAf8Tg^@8vIEdAGTK
zUwWkeMf~{7t+UHJfBtap{_326^V^%(w*TFJv3KLalLw#NecJjz-FoBk>&D%WUw!}E
GFaHNkoiI57

literal 0
HcmV?d00001

diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..82fb296
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1 @@
+(import ./default.nix {}).shell