From d16d72592137bd9df18c00f34e59a9cd753cb97a Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Thu, 27 Nov 2025 11:08:09 -0800
Subject: rename synology-vm to bree
---
machines/nixos/x86_64-linux/bree.nix | 61 ++++++++++++++++++++
machines/nixos/x86_64-linux/rivendell.nix | 7 ---
machines/nixos/x86_64-linux/synology-vm.nix | 87 -----------------------------
secrets/bree/wireguard.age | 7 +++
secrets/secrets.nix | 13 ++---
secrets/vm-synology/wireguard.age | 7 ---
6 files changed, 74 insertions(+), 108 deletions(-)
create mode 100644 machines/nixos/x86_64-linux/bree.nix
delete mode 100644 machines/nixos/x86_64-linux/synology-vm.nix
create mode 100644 secrets/bree/wireguard.age
delete mode 100644 secrets/vm-synology/wireguard.age
diff --git a/machines/nixos/x86_64-linux/bree.nix b/machines/nixos/x86_64-linux/bree.nix
new file mode 100644
index 0000000..7c8a661
--- /dev/null
+++ b/machines/nixos/x86_64-linux/bree.nix
@@ -0,0 +1,61 @@
+{
+ lib,
+ adminUser,
+ config,
+ ...
+}:
+{
+ imports = [
+ ../../../profiles/cgroups.nix
+ ../../../profiles/defaults.nix
+ ../../../profiles/disk/basic-vm.nix
+ ../../../profiles/home-manager.nix
+ ../../../profiles/server.nix
+ ];
+
+ age.secrets.wireguard.file = ../../../secrets/bree/wireguard.age;
+
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+
+ networking.hostName = "bree";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.40/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # argonath
+ publicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
+ allowedIPs = [ "10.100.0.51/32" ];
+ endpoint = "157.230.146.234:51871";
+ persistentKeepalive = 25;
+ }
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.60/32" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ home-manager = {
+ users.${adminUser.name} = {
+ imports = [
+ ../../../home/profiles/minimal.nix
+ ];
+ };
+ };
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
index e07e876..1e7abcf 100644
--- a/machines/nixos/x86_64-linux/rivendell.nix
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -53,13 +53,6 @@
 listenPort = 51871;
 privateKeyFile = config.age.secrets.wireguard.path;
 peers = [
- {
- # digital ocean droplet
- publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
- allowedIPs = [ "10.100.0.50/32" ];
- endpoint = "165.232.158.110:51871";
- persistentKeepalive = 25;
- }
 {
 # argonath
 publicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
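Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` is new relative to the deleted synology-vm.nix and exempts everything arriving over the tunnel from the firewall, so every service bound on all interfaces of bree becomes reachable by argonath and rivendell. The tighter per-peer `allowedIPs` (/32 instead of the old /24) only constrains which source addresses WireGuard accepts from each peer; it does not limit which local ports those peers can reach. If only specific services are meant to be exposed over the tunnel, prefer `networking.firewall.interfaces.wg0.allowedTCPPorts = [ ... ];` and drop the trusted-interface line; if full trust is intended, say so next to it, e.g. `# wg0 peers (argonath, rivendell) are fully trusted: no port filtering on the tunnel`. Note also that `secrets/bree/wireguard.age` carries the same blob id (b12c816) as the deleted `vm-synology/wireguard.age`, so this is a key rename rather than a rotation, which is why the peer entries on the other hosts need no change.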
diff --git a/machines/nixos/x86_64-linux/synology-vm.nix b/machines/nixos/x86_64-linux/synology-vm.nix
deleted file mode 100644
index 600312d..0000000
--- a/machines/nixos/x86_64-linux/synology-vm.nix
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- lib,
- adminUser,
- config,
- ...
-}:
-{
- imports = [
- ../../../profiles/cgroups.nix
- ../../../profiles/defaults.nix
- ../../../profiles/disk/basic-vm.nix
- ../../../profiles/home-manager.nix
- ../../../profiles/server.nix
- ];
-
- age = {
- secrets = {
- restic_gcs_credentials = {
- file = ../../../secrets/restic_gcs_credentials.age;
- };
- restic_password = {
- file = ../../../secrets/restic_password.age;
- };
- nas_client_credentials = {
- file = ../../../secrets/nas_client.age;
- };
- wireguard = {
- file = ../../../secrets/vm-synology/wireguard.age;
- };
- };
- };
-
- boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.systemd-boot.enable = true;
-
- networking.hostName = "synology-vm";
- networking.useDHCP = lib.mkDefault true;
- systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
-
- users.users.builder = {
- openssh.authorizedKeys.keys = [
- # my personal key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- # remote builder ssh key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
- ];
- isNormalUser = true;
- group = "nogroup";
- };
-
- nix.settings.trusted-users = [ "builder" ];
-
- networking.wireguard = {
- enable = true;
- interfaces.wg0 = {
- ips = [ "10.100.0.40/32" ];
- listenPort = 51871;
- privateKeyFile = config.age.secrets.wireguard.path;
- peers = [
- {
- publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
- allowedIPs = [ "10.100.0.0/24" ];
- endpoint = "165.232.158.110:51871";
- persistentKeepalive = 25;
- }
- {
- # rivendell
- publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
- allowedIPs = [ "10.100.0.0/24" ];
- persistentKeepalive = 25;
- }
- ];
- };
- };
-
- networking.firewall.allowedUDPPorts = [ 51871 ];
-
- home-manager = {
- users.${adminUser.name} = {
- imports = [
- ../../../home/profiles/minimal.nix
- ];
- };
- };
-
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/secrets/bree/wireguard.age b/secrets/bree/wireguard.age
new file mode 100644
index 0000000..b12c816
--- /dev/null
+++ b/secrets/bree/wireguard.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 pFjJaA zk/q9O4FfhQKjzVrL1zK0h97Vu2vPgrfhlFSJyvrClA
+txm5lizEGN7VH+wWI2+6TjpGRPK3g5UnsSNrDPIshQ4
+-> ssh-ed25519 qRUWSw 0pqNpcBK9h8JCh906PB5zN4kuJs6yV3q1/75Gibg+T4
+FLYhwYz72hazErOZBVqUaLNW7M+zHXWCWZo5zQ7jQFk
+--- jqpYy1uh4q4KN7BaiBRFdTRssZ429m1FL4lrLHl1xmM
+áÎqˆ°RpÙ[õ• x}Aü.†aB«€°<†qEïíìðB×@Ò^åQ³sÅ?üF¢äb•ÐsõÎ[„äZ`R²4% dÖŒ šþX5
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2639a8c..a4092c6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,7 +1,7 @@
 let
 hosts = {
- vm-synology = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKZAKlqOU6bSuMaaZAsYJdZnmNASWuIbbrrOjB6yGb8 root@vm-synology";
- mba = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c root@mba-m2";
+ bree = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKZAKlqOU6bSuMaaZAsYJdZnmNASWuIbbrrOjB6yGb8";
+ mba = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c";
 rivendell = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
 argonath = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi9jHqRjpMzXlznTXi4nEtlRlFfyIzB6Ur9A+HDfFoq";
 };
@@ -18,20 +18,19 @@ in
 
 "restic-pw.age".publicKeys = [
 users.fcuny
- hosts.vm-synology
+ hosts.bree
 hosts.rivendell
 ];
 
 "nas_client.age".publicKeys = [
 users.fcuny
- hosts.vm-synology
+ hosts.bree
 hosts.rivendell
 ];
 
 # this is the SSH key we use to access the remote builder.
 "ssh-remote-builder.age".publicKeys = [
 users.fcuny
- hosts.vm-synology
 hosts.mba
 ];
 
@@ -66,9 +65,9 @@ in
 hosts.rivendell
 ];
 
- "vm-synology/wireguard.age".publicKeys = [
+ "bree/wireguard.age".publicKeys = [
 users.fcuny
- hosts.vm-synology
+ hosts.bree
 ];
 
 "rivendell/wireguard.age".publicKeys = [
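Review bot: Dropping `hosts.vm-synology` from `ssh-remote-builder.age` in this hunk edits only the recipient list; the diffstat shows no change to `ssh-remote-builder.age` itself, and the new `hosts.bree` entry is the same ssh-ed25519 key the removed `vm-synology` line carried, so the existing ciphertext remains decryptable by bree until the file is re-encrypted (`agenix --rekey` or equivalent). Separately, `hosts.bree` is kept as a recipient of `restic-pw.age` and `nas_client.age` even though the new bree.nix declares only `age.secrets.wireguard` and the restic/NAS secret references from the old synology-vm.nix are gone, so those lists are now wider than the host needs; consider removing `hosts.bree` from both and rekeying unless that role is expected to return. The enclosing `let … in { … }` expression starts before this hunk.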
diff --git a/secrets/vm-synology/wireguard.age b/secrets/vm-synology/wireguard.age
deleted file mode 100644
index b12c816..0000000
--- a/secrets/vm-synology/wireguard.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 pFjJaA zk/q9O4FfhQKjzVrL1zK0h97Vu2vPgrfhlFSJyvrClA
-txm5lizEGN7VH+wWI2+6TjpGRPK3g5UnsSNrDPIshQ4
--> ssh-ed25519 qRUWSw 0pqNpcBK9h8JCh906PB5zN4kuJs6yV3q1/75Gibg+T4
-FLYhwYz72hazErOZBVqUaLNW7M+zHXWCWZo5zQ7jQFk
---- jqpYy1uh4q4KN7BaiBRFdTRssZ429m1FL4lrLHl1xmM
-áÎqˆ°RpÙ[õ• x}Aü.†aB«€°<†qEïíìðB×@Ò^åQ³sÅ?üF¢äb•ÐsõÎ[„äZ`R²4% dÖŒ šþX5
\ No newline at end of file
-- cgit v1.2.3