aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--machines/nixos/x86_64-linux/rivendell.nix1
-rw-r--r--machines/nixos/x86_64-linux/synology-vm.nix21
-rw-r--r--modules/backups.nix210
-rw-r--r--modules/default.nix2
-rw-r--r--modules/nas-client.nix84
-rw-r--r--profiles/git-server.nix2
-rw-r--r--profiles/restic-backup.nix66
-rw-r--r--secrets/cloudflare-nginx.age12
-rw-r--r--secrets/do/host-ed25519-key.agebin611 -> 611 bytes
-rw-r--r--secrets/do/wireguard.age12
-rw-r--r--secrets/forgejo-fastmail.agebin339 -> 339 bytes
-rw-r--r--secrets/keycloak-db-password.age13
-rw-r--r--secrets/nas_client.agebin364 -> 474 bytes
-rw-r--r--secrets/restic-pw.age9
-rw-r--r--secrets/restic_password.age7
-rw-r--r--secrets/rivendell/wireguard.agebin367 -> 367 bytes
-rw-r--r--secrets/secrets.nix8
-rw-r--r--secrets/ssh-remote-builder.age17
-rw-r--r--secrets/vm-synology/wireguard.age13
19 files changed, 115 insertions, 362 deletions
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
index e2f03b4..f0f43a9 100644
--- a/machines/nixos/x86_64-linux/rivendell.nix
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -15,6 +15,7 @@
../../../profiles/home-manager.nix
../../../profiles/keycloak.nix
../../../profiles/remote-unlock.nix
+ ../../../profiles/restic-backup.nix
../../../profiles/server.nix
];
diff --git a/machines/nixos/x86_64-linux/synology-vm.nix b/machines/nixos/x86_64-linux/synology-vm.nix
index 1b9b7e7..a905be5 100644
--- a/machines/nixos/x86_64-linux/synology-vm.nix
+++ b/machines/nixos/x86_64-linux/synology-vm.nix
@@ -37,27 +37,6 @@
networking.useDHCP = lib.mkDefault true;
systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
- my.modules.nas-client = {
- enable = true;
- volumes = {
- data = {
- server = "192.168.1.68";
- remotePath = "backups";
- mountPoint = "/data/backups";
- uid = adminUser.uid;
- };
- };
- };
-
- my.modules.backups = {
- enable = true;
- passwordFile = config.age.secrets.restic_password.path;
- remote = {
- googleProjectId = "fcuny-infra";
- googleCredentialsFile = config.age.secrets.restic_gcs_credentials.path;
- };
- };
-
users.users.builder = {
openssh.authorizedKeys.keys = [
# my personal key
diff --git a/modules/backups.nix b/modules/backups.nix
deleted file mode 100644
index 78b3144..0000000
--- a/modules/backups.nix
+++ /dev/null
@@ -1,210 +0,0 @@
-# Some examples for how to use this module
-#
-# Host with media files - backup /media only locally
-# my.modules.backups = {
-# enable = true;
-# passwordFile = config.age.secrets.restic_password.path
-# local.paths = [ "/media" "/home" "/var/lib/important" ];
-# remote.paths = [ "/home" "/var/lib/important" ]; # Excludes /media
-# };
-#
-# Another example - different exclusions for local vs remote
-# my.modules.backups = {
-# enable = true;
-# passwordFile = config.age.secrets.restic_password.path
-# local.paths = [ "/home" "/var/cache/downloads" ];
-# local.exclude = [ "*.tmp" ];
-# remote.paths = [ "/home" ]; # Skip cache directory for remote
-# remote.exclude = [ "*.tmp" "*.log" ]; # More aggressive exclusions for remote
-# };
-{
- pkgs,
- config,
- lib,
- ...
-}:
-let
- cfg = config.my.modules.backups;
-
- # Helper scripts for easy backup access
- restic-local = pkgs.writeShellScriptBin "restic-local" ''
- export RESTIC_REPOSITORY="${cfg.localBasePath}/${config.networking.hostName}"
- export RESTIC_PASSWORD_FILE="${cfg.passwordFile}"
- exec ${pkgs.restic}/bin/restic "$@"
- '';
-
- restic-remote = pkgs.writeShellScriptBin "restic-remote" ''
- export RESTIC_REPOSITORY="${cfg.remoteBaseRepository}:/${config.networking.hostName}/"
- export RESTIC_PASSWORD_FILE="${cfg.passwordFile}"
- ${lib.optionalString (cfg.remote.environmentFile != null) ''
- source ${cfg.remote.environmentFile}
- ''}
- exec ${pkgs.restic}/bin/restic "$@"
- '';
-
- # Common backup options shared between local and remote
- backupOptions = {
- paths = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = [ ];
- description = "Paths to backup";
- example = [
- "/home"
- "/var/lib/important-data"
- ];
- };
-
- exclude = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = [ ];
- description = "Paths to exclude from backup";
- example = [
- "*.tmp"
- "/var/cache"
- ];
- };
-
- extraBackupArgs = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = [
- "--exclude-caches"
- "--compression=max"
- ];
- description = "Additional arguments to pass to restic backup";
- };
-
- pruneOpts = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = [
- "--keep-daily 7"
- "--keep-weekly 4"
- "--keep-monthly 3"
- ];
- description = "Pruning options for old backups";
- };
-
- timerConfig = lib.mkOption {
- type = lib.types.attrs;
- default = {
- OnCalendar = "daily";
- RandomizedDelaySec = "5m";
- };
- description = "Systemd timer configuration";
- };
- };
-in
-{
- options.my.modules.backups = {
- enable = lib.mkEnableOption "backups";
-
- passwordFile = lib.mkOption {
- type = lib.types.str;
- default = config.age.secrets.restic_password.path;
- description = "Path to file containing restic repository password";
- example = "/run/secrets/restic-password";
- };
-
- localBasePath = lib.mkOption {
- type = lib.types.str;
- default = "/data/backups";
- description = "Base path for local backup repositories";
- example = "/mnt/backup-drive/backups";
- };
-
- remoteBaseRepository = lib.mkOption {
- type = lib.types.str;
- default = "gs:fcuny-infra-backups";
- description = "Base repository URL for remote backups";
- example = "s3:my-backup-bucket";
- };
-
- local = backupOptions;
-
- remote = backupOptions // {
- timerConfig = lib.mkOption {
- type = lib.types.attrs;
- default = {
- OnCalendar = "daily";
- # No randomized delay for remote to avoid overlap with local
- };
- description = "Systemd timer configuration for remote backups";
- };
-
- googleProjectId = lib.mkOption {
- type = lib.types.nullOr lib.types.str;
- default = "fcuny-infra";
- description = "Google Cloud project ID for GCS backups";
- example = "my-backup-project";
- };
-
- googleCredentialsFile = lib.mkOption {
- type = lib.types.nullOr lib.types.str;
- default = config.age.secrets.restic_gcs_credentials.path;
- description = "Path to Google Cloud service account credentials file";
- example = "/run/secrets/gcs-credentials";
- };
-
- environmentFile = lib.mkOption {
- type = lib.types.nullOr lib.types.path;
- default =
- if cfg.remote.googleProjectId != null && cfg.remote.googleCredentialsFile != null then
- pkgs.writeText "restic-gcs-env" ''
- GOOGLE_PROJECT_ID=${cfg.remote.googleProjectId}
- GOOGLE_APPLICATION_CREDENTIALS=${cfg.remote.googleCredentialsFile}
- ''
- else
- null;
- description = "Environment file for remote backup authentication";
- };
- };
-
- helpers = lib.mkOption {
- type = lib.types.bool;
- default = true;
- description = "Install helper scripts (restic-local, restic-remote)";
- };
- };
-
- config = lib.mkIf cfg.enable {
- environment.systemPackages = [
- pkgs.restic
- ]
- ++ lib.optionals cfg.helpers [
- restic-local
- restic-remote
- ];
-
- services.restic.backups = lib.mkMerge [
- # Local backup configuration - only if paths are specified
- (lib.mkIf (cfg.local.paths != [ ]) {
- local = {
- initialize = true;
- repository = "${cfg.localBasePath}/${config.networking.hostName}";
- passwordFile = cfg.passwordFile;
- paths = cfg.local.paths;
- exclude = cfg.local.exclude;
- extraBackupArgs = cfg.local.extraBackupArgs;
- timerConfig = cfg.local.timerConfig;
- pruneOpts = cfg.local.pruneOpts;
- };
- })
-
- # Remote backup configuration - only if paths are specified
- (lib.mkIf (cfg.remote.paths != [ ]) {
- remote = {
- initialize = true;
- repository = "${cfg.remoteBaseRepository}:/${config.networking.hostName}/";
- passwordFile = cfg.passwordFile;
- paths = cfg.remote.paths;
- exclude = cfg.remote.exclude;
- extraBackupArgs = cfg.remote.extraBackupArgs;
- timerConfig = cfg.remote.timerConfig;
- pruneOpts = cfg.remote.pruneOpts;
- }
- // lib.optionalAttrs (cfg.remote.environmentFile != null) {
- environmentFile = toString cfg.remote.environmentFile;
- };
- })
- ];
- };
-}
diff --git a/modules/default.nix b/modules/default.nix
index 756d704..d6d7b65 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,10 +1,8 @@
{ ... }:
{
imports = [
- ./backups.nix
./home-manager.nix
./host-config.nix
- ./nas-client.nix
./ssh.nix
./user.nix
];
diff --git a/modules/nas-client.nix b/modules/nas-client.nix
deleted file mode 100644
index fe0952e..0000000
--- a/modules/nas-client.nix
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-let
- cfg = config.my.modules.nas-client;
-in
-{
- options.my.modules.nas-client = with lib; {
- enable = mkEnableOption "NAS client";
-
- volumes = mkOption {
- type = types.attrsOf (
- types.submodule {
- options = {
- server = mkOption {
- type = types.str;
- example = "nas";
- description = "Hostname of the server to connect to.";
- };
- remotePath = mkOption {
- type = types.str;
- example = "data";
- description = "Remote path on the NAS to mount.";
- };
- mountPoint = mkOption {
- type = types.str;
- description = "Local directory where the volume will be mounted.";
- };
- uid = mkOption {
- type = types.int;
- default = 1000;
- description = "User ID for mounted files.";
- };
- gid = mkOption {
- type = types.int;
- default = 1000;
- description = "Group ID for mounted files.";
- };
- options = mkOption {
- type = types.str;
- default = "rw";
- description = "Additional mount options.";
- };
- };
- }
- );
- default = { };
- description = "NAS volumes to mount.";
- };
- };
-
- config = lib.mkIf cfg.enable {
- boot.kernelModules = [
- "cifs"
- "cmac"
- "sha256"
- ];
-
- # this is required to get the credentials options to work
- environment.systemPackages = [ pkgs.cifs-utils ];
-
- systemd.mounts = lib.mapAttrsToList (name: volume: {
- description = "Mount for NAS volume ${name}";
- what = "//${volume.server}/${volume.remotePath}";
- where = volume.mountPoint;
- unitConfig = {
- # This ensures it uses mount.cifs
- Type = "cifs";
- };
- type = "cifs"; # Explicitly specify CIFS type otherwise we ran into issues when using the credentials file option
- options = "credentials=${config.age.secrets.nas_client_credentials.path},uid=${toString volume.uid},gid=${toString volume.gid},${volume.options}";
- }) cfg.volumes;
-
- systemd.automounts = lib.mapAttrsToList (name: volume: {
- description = "Automount for NAS volume ${name}";
- where = volume.mountPoint;
- wantedBy = [ "multi-user.target" ];
- }) cfg.volumes;
- };
-}
diff --git a/profiles/git-server.nix b/profiles/git-server.nix
index 6c18ab0..327bbbb 100644
--- a/profiles/git-server.nix
+++ b/profiles/git-server.nix
@@ -65,4 +65,6 @@
root-desc = "source code of my various projects";
};
};
+
+ services.restic.backups.local.paths = [ "/var/lib/gitolite/repositories" ];
}
diff --git a/profiles/restic-backup.nix b/profiles/restic-backup.nix
new file mode 100644
index 0000000..be65da6
--- /dev/null
+++ b/profiles/restic-backup.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+let
+ restic-local = pkgs.writeShellScriptBin "restic-local" ''
+ export RESTIC_REPOSITORY="/data/backups/${config.networking.hostName}"
+ export RESTIC_PASSWORD_FILE="${config.age.secrets.restic-local-pw.path}"
+ exec ${pkgs.restic}/bin/restic "$@"
+ '';
+in
+{
+ age = {
+ secrets = {
+ restic-local-pw = {
+ file = ../secrets/restic-pw.age;
+ };
+ nas-client = {
+ file = ../secrets/nas_client.age;
+ };
+ };
+ };
+
+ boot.kernelModules = [
+ "cifs"
+ "cmac"
+ "sha256"
+ ];
+
+ environment.systemPackages = [
+ pkgs.cifs-utils
+ pkgs.restic
+ restic-local
+ ];
+
+ systemd.mounts = [
+ {
+ description = "Mount for NAS volume";
+ what = "//192.168.1.68/backups";
+ where = "/data/backups/";
+ unitConfig = {
+ Type = "cifs";
+ };
+ type = "cifs";
+ options = "credentials=${config.age.secrets.nas-client.path},uid=1000,gid=1000,rw";
+ }
+ ];
+ systemd.automounts = [
+ {
+ description = "Automount for NAS volume backups";
+ where = "/data/backups";
+ wantedBy = [ "multi-user.target" ];
+ }
+ ];
+
+ services.restic = {
+ backups = {
+ local = {
+ paths = [ ];
+ passwordFile = config.age.secrets.restic-local-pw.path;
+ repository = "/data/backups/${config.networking.hostName}";
+ initialize = true;
+ timerConfig.OnCalendar = "*-*-* *:00:00";
+ timerConfig.RandomizedDelaySec = "5m";
+ extraBackupArgs = [ ];
+ };
+ };
+ };
+}
diff --git a/secrets/cloudflare-nginx.age b/secrets/cloudflare-nginx.age
index 3dca56c..223f5a8 100644
--- a/secrets/cloudflare-nginx.age
+++ b/secrets/cloudflare-nginx.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA +Maktlw6LU3Bmir2ZYgsQl3ZDyMEtPrmHUlDS46Gi28
-TWxwW0jy/h8yRkc1Xs0BH1ewxMkpoXr+ZRzrjA9GF5I
--> ssh-ed25519 8Nmf6A 40zr4HRlxGAVLSAro6NLdr8LuvPK32sQ1bg+T/w8RA0
-wfBo2G8g3aInqz/Y37TmXeuX5s+FQAF4b8xaH/qSzBg
---- T/EYbeMye/m7IoqUm4n7cUGtbOClaxY/MMY7zLMtOT0
-?4BJS7YHum<w2Zo})"qwJN&Dy \ No newline at end of file
+-> ssh-ed25519 pFjJaA +DQXHEd8gCVRAxfFOyviaAQb77mlavC/gXpjLKmp4UY
+axtftBxKlDVAIshVpcgDfDf1GpwIb4P7KRn0pNwjrhY
+-> ssh-ed25519 8Nmf6A LGX7dma79uy2cwKHid4ifHdDxf9GlYnK0kIVIzlhECw
+ouZigorzxEx+BbkbElk6RFlHCECrItejNqfMzjyr8MM
+--- RhSuIz18cWaUImJoXGF6MbyGFBYN4CDqyLQptcIXNcY
+?v26b-9&!<\^fSzЖa9QD:x њ3%1_$֝E:|" \ No newline at end of file
diff --git a/secrets/do/host-ed25519-key.age b/secrets/do/host-ed25519-key.age
index ef10a90..bcc607b 100644
--- a/secrets/do/host-ed25519-key.age
+++ b/secrets/do/host-ed25519-key.age
Binary files differ
diff --git a/secrets/do/wireguard.age b/secrets/do/wireguard.age
index 19dfb0e..0ad78aa 100644
--- a/secrets/do/wireguard.age
+++ b/secrets/do/wireguard.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA Y0Rjr5u2uGI790/JvO7VoQSxF2KpS67e3ff0s1pXj3A
-7Lk30Dwsa9TfbxtEpZFWeDSRPRN66IXu2mFCWaXZIsA
--> ssh-ed25519 8Nmf6A n76CvLiAh4fjWtRx/DPRJUeazkUMxQ0Oc2qSGj0fDgk
-D7ULUEBjuzmUTzIEC8bzet7SJMJC0cHYgQoil8Q3/3c
---- o9Qerf9m8XuzxQ1GzPZVumNlE4kBZzABb4PbriMXeNQ
-̛%U/:"|X8(0S~zoO:4?Y?!H$ls~ \ No newline at end of file
+-> ssh-ed25519 pFjJaA dKGQ5U9m7BHp+6dnAjJdMHbVbK7azzVjQsC4yto/7Xw
+P8T7WR5DOk8nQ0hswiQD1HEqA0GZf8Mhofewk9rdmdk
+-> ssh-ed25519 8Nmf6A 9IbBrqy8PfYiD0YOd8Ts+kAjZ1PU/uUDCd48snWGFH8
+8z3hjQeAtyRrgPf6a5RrJ3kBrLZJmy8ezf6GdriNu6o
+--- VbnBjQpe8CyHx8cNIOhxYegXLcloG5ZhpvCSqxiUJ0o
+ݧ7fB o~}G5&6YSIfwg +la++(-LeCғjb& \ No newline at end of file
diff --git a/secrets/forgejo-fastmail.age b/secrets/forgejo-fastmail.age
index ddb69f1..ab2855b 100644
--- a/secrets/forgejo-fastmail.age
+++ b/secrets/forgejo-fastmail.age
Binary files differ
diff --git a/secrets/keycloak-db-password.age b/secrets/keycloak-db-password.age
index 21a1a7e..a14cdd5 100644
--- a/secrets/keycloak-db-password.age
+++ b/secrets/keycloak-db-password.age
@@ -1,7 +1,8 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA u7eibDVH1zLVbZkW2/cJcKfHwUvSjAL41nhZ8lb/TF8
-fQ1C/6A7G2sOmS3YyORQ0tJgmgxSkZFdq+LmkJuLuh4
--> ssh-ed25519 Y5h84Q ymkfeS/fq1BfAievpj2UstwWSSW+IRCqXfuPy8zX92Y
-wSd280jyTsOOAxxkBhNrHQ6xfd/RjcIWH0QP9RtEJeY
---- RoXe7h0yyYK/QAdlKQp2ucIK2lsaxmb9tbxZ0DU61kw
-k_Q``cQb)'IuCuNl6+^CZ2 \ No newline at end of file
+-> ssh-ed25519 pFjJaA qZ/I4tvWyS6XoRUVCuSsd3fGD4VKVL7RFUwkNExbemk
+FPa9m2xBQjXzSMDn5txSAhSEeiT0NFmNi5kHzgG7nhg
+-> ssh-ed25519 Y5h84Q IaNvL/dJHx00hW4MiF5shPDoa/asnrgTCKN0G/f7Xi8
+7eR987Gs3gt8c3m7r19d5cKN/DghK7G8cxG9Hgfor0E
+--- 6fP8Wi/hDa1zePylVJnHlPLMJVml9k/UDQpEJjjeYn8
+>AUe\`є̑cbV,
+T/m` \ No newline at end of file
diff --git a/secrets/nas_client.age b/secrets/nas_client.age
index f24a6ed..c247020 100644
--- a/secrets/nas_client.age
+++ b/secrets/nas_client.age
Binary files differ
diff --git a/secrets/restic-pw.age b/secrets/restic-pw.age
new file mode 100644
index 0000000..9f61ede
--- /dev/null
+++ b/secrets/restic-pw.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 pFjJaA Dl11IfO7+y/UqrH+R4JpP7wlM1HmcQ7nkYEVWUN7f3o
+3m7BE09I0pA+USqkGKVbdc9ukQOssl0ujrD+JZTRe/4
+-> ssh-ed25519 qRUWSw +NRfckPgYNoEmha9sLTPxdRWD9tFQjBUxooh6q6w4CM
+qcNPFLtl0BckH29QvkQVArdQRBA2KgsjIYw5arNzcHI
+-> ssh-ed25519 Y5h84Q /hHI2sEG3aF1FfmZv9ZiyvviiPNMJ9PEKvATTXq+2HM
+AkjRVszoUYMSQ7SRB5tqX8Ry2ITVRrCouh0ox+/+0XY
+--- /k62z7Hh89vIIwETAGvBlV8C2WGQaEh8EKMS99zEKKg
+mXj*"c|ȯ~>4=wO@נ_6-.LFY \ No newline at end of file
diff --git a/secrets/restic_password.age b/secrets/restic_password.age
deleted file mode 100644
index 8db89a5..0000000
--- a/secrets/restic_password.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 pFjJaA 5KWfhxNk3FAF68Iry4yvyPIxF5AfDvPZUj4paHQGBQA
-j/TPillAQNbuqvaudO2SRH+wRmJlcwwrW5cGKBHk3bw
--> ssh-ed25519 qRUWSw AHkeUh1rsr6ddoH9Z3g+mG6rmHPMIstn+Ln6dRr/eS8
-PsVdJkliyr0OhtLwmtnfzR1s8N+oMHpToGkq6l5UGPo
---- cf9ExBbs2M12iIrTMUengqVgLKJD00nhPaLVbCVGN4I
-W!o˛&lTƁ&NğTv*s[ź bT+; \ No newline at end of file
diff --git a/secrets/rivendell/wireguard.age b/secrets/rivendell/wireguard.age
index e9c7308..8bfadf0 100644
--- a/secrets/rivendell/wireguard.age
+++ b/secrets/rivendell/wireguard.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 658da54..5184454 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,17 +22,15 @@ in
users.fcuny
hosts.do
];
- "restic_password.age".publicKeys = [
- users.fcuny
- hosts.vm-synology
- ];
- "restic_gcs_credentials.age".publicKeys = [
+ "restic-pw.age".publicKeys = [
users.fcuny
hosts.vm-synology
+ hosts.rivendell
];
"nas_client.age".publicKeys = [
users.fcuny
hosts.vm-synology
+ hosts.rivendell
];
# this is the SSH key we use to access the remote builder.
"ssh-remote-builder.age".publicKeys = [
diff --git a/secrets/ssh-remote-builder.age b/secrets/ssh-remote-builder.age
index d10ac6d..3e660bb 100644
--- a/secrets/ssh-remote-builder.age
+++ b/secrets/ssh-remote-builder.age
@@ -1,9 +1,10 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA 84O2SPCUx+QVlQmLN7fdDmfgClYXHvYcUuKTQVIVaxY
-eBnck8bhHN7xvpogTjciztNrgaiwfTrygF2R2LgmZ6Q
--> ssh-ed25519 qRUWSw oh0qeksN0bzOADFq79bzRFPHvgJIysWrKIin+aJonko
-Cb052NA2jRTpmp7J4ubCGEn9NWdcHXQtDmZik5gCDm0
--> ssh-ed25519 E2Yu8Q 0NCgJMvW+YFdKNWPvec05WRi63/adKvyrisyqW59JB0
-lE99gvBokfXkwKmluCtoy4hbh8Jk/k5WPDs0WHccYoM
---- 8d0KnB6sOB92oKS4jEDMsJ+q/R+kw7YSLOhLz1vKA2w
-k)?OB6*C[?W꡻eր\Eɟ9&d2:w{vxZ#!n-Pq VMѣݝkr*x[dd0tz8(\/gW;6~}` i~ڥsWKތ?.㲹ʲTRBf+NJH )oX`(Bݗ 0MCx%ҕغ(ز;JLԾP-oƛ#tgAjR@{+\7߇= Id?Ԙ?4QB<٬'#[pc@ۧtb4<i-m@aU`^bX៤`B`bݭOKUA0^+D'? zMPԀׯٴgcuㇷ \ No newline at end of file
+-> ssh-ed25519 pFjJaA f+QPq3MqYfaFrMgsrGtir9rNe5k8MJsRByeNT8o4hW4
+dMcvqqLG8VznxadAeF56TRmT+xrebvbBkHrgv4gTelc
+-> ssh-ed25519 qRUWSw HiNIr+2ufCzCho/pvRQyzEYd2uP+TSsESPRIN/Xg9kQ
+tbd5FVMy/4fSteWnGU1CAw+JQuXw3WXFHyslLS+S4pE
+-> ssh-ed25519 E2Yu8Q nEaTi1Pyd8sIlp8p5x276PYvCO5RFsyrBr4uToU5FhQ
+EKanWRphHfAm06DXLnjbc+h3u3csVAzBTI2XuEKEuPI
+--- akqoYTMHP3s4vH8YHho2GH6JP+fAA0nrlBMn7XP5dC8
+M{t5½z'j.G Ǘ'u\TY$aswjX(v/=o ͸iN#azXhgqvSbTO1X_OW `IhA }6ܭsvG j<~%RN.7p(Fg`W`~p%祿21ID_ɖ\\koꦽ=36}kJ??NBh['k'I;_Mj5Ɯ|J[yRܔFzt2<RϿ4bFw<ދ<~3O@mP}/='sʗKRq.GAΎ@ kޯ:ϸIȓcFw C 6GLm혮d|t
+BK3qvR_Og \ No newline at end of file
diff --git a/secrets/vm-synology/wireguard.age b/secrets/vm-synology/wireguard.age
index b1a1384..9bed555 100644
--- a/secrets/vm-synology/wireguard.age
+++ b/secrets/vm-synology/wireguard.age
@@ -1,8 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA +fvsiaJMb18gU/QCaD9yHhOO+2XKznzOrYW2sX/NwE0
-iBLuUNGccw/rU294GUPW42LsK7x8tCLmD0Hlb9Jy1+E
--> ssh-ed25519 qRUWSw 6DQndWls6IHZCXuTBJDoEQ/M7Z1Ahr61oJviPP02Ln8
-18nr/YXPC1II3eV2Qdj5kSYPa+WeyXL3k6zJ9g10rl8
---- KP/xhZkn1tNxbRanbGzryFXwEgdGj9UJWGWeYF0uuOA
-]2`v >ջpgo9j
-"yvBh.D:GW\]`G Stnx0ūa \ No newline at end of file
+-> ssh-ed25519 pFjJaA 4q+hhi7RJKC7M0TiNn+iQRLMVwyW9LP7Hjv9irTnI3A
+yme4y61h8b7soGwdGRoCqVRwBPABa70gw0oTcujtPHs
+-> ssh-ed25519 qRUWSw 8GMvd+DRBQsL79Q4dWnAm3YoyTHDn4u+shOitVNdlSE
+cDQmmVpnY52Q51/G4BFXDmtKaHGOSZIk5sY2K0/vRSs
+--- /Nt/g8t+Igt4cvDY1ZR5UkUrIPEsMv8UZyYl1lmxSK0
+e,Ϛ@iG"{dSq9zbN4.M ӻhpΖ/q2 h[wT/ \ No newline at end of file
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-06 06:54:06 +0000