1c085a7 radicle.{xyz → dev,network} — radicle-infra

modified README.md

@@ -4,13 +4,13 @@ Easing the deployment of Radicle seed nodes with the magic of Nix 🌱 ➕ ❄

 ## Deployment
 Then to deploy to the target, for example `seed.radicle.xyz`, use the following
 Then to deploy to the target, for example `seed.radicle.dev`, use the following
 command. You might have to adjust the value of `$USER` if the username on your
 local machine does not match the username of your account on the target machine.
 Also, note that you may have to get permission to be added as a user first:
 ```
 HOST=seed.radicle.xyz; nixos-rebuild switch --target-host "${USER}@${HOST}" --build-host "${USER}@${HOST}" --use-remote-sudo --flake .
 HOST=seed.radicle.dev; nixos-rebuild switch --target-host "${USER}@${HOST}" --build-host "${USER}@${HOST}" --use-remote-sudo --flake .
 ```
 ### Overlays

@@ -32,7 +32,7 @@ Then the following option should be changed in `os/mixin/radicle.nix`:

 ## DNS
 The radicle.xyz. zone is configured via [DNSControl].
 The `radicle.{community,dev,network,xyz}` zones are configured via [DNSControl].
 Previewing and pushing changes requires a [Cloudflare API Token] in the environment at `CLOUDFLARE_API_TOKEN`.
 In `/dns`:

modified dns/dnsconfig.js

@@ -15,9 +15,6 @@ D("radicle.xyz", REG_NONE, DnsProvider(DSP_CLOUDFLARE),

     CNAME("toot", "vip.masto.host."),
     TXT("_atproto", "\"did=did:plc:h3rhdktoagtwfu452cjyw3df\""),
     // Migadu
     MX("@", 10, "aspmx1.migadu.com."),
     MX("@", 20, "aspmx2.migadu.com."),

@@ -37,6 +34,12 @@ D("radicle.xyz", REG_NONE, DnsProvider(DSP_CLOUDFLARE),

     // Google Search Console
     TXT("@", "\"google-site-verification=UkriKVl03GNNPh5ERcdOgc2UYd2bBqHg9sklcBcReaU\""),
     // Bluesky
     TXT("_atproto", "\"did=did:plc:h3rhdktoagtwfu452cjyw3df\""),
     // GitHub
     TXT("_gh-radicle-dev-o", "\"4e6be9a82e\""),
     PTR("b._dns-sd._udp", "radicle.xyz."),
     PTR("lb._dns-sd._udp", "radicle.xyz."),

@@ -69,12 +72,6 @@ D("radicle.xyz", REG_NONE, DnsProvider(DSP_CLOUDFLARE),

     TXT("rosa._radicle-node._tcp", "\"nid=z6Mkmqogy2qEM2ummccUthFEaaHvyYmYBYh3dbe9W4ebScxo\""),
     CNAME("search", "search.radicle.garden."),
     CNAME("releases", "public.r2.dev.", CF_PROXY_ON),
     A("seed", "65.108.87.205"),
     AAAA("seed", "2a01:4f9:c011:b666::1"),
     SSHFP("seed", 4, 2, "ac7db28d3d05c52f3e2d67adca4654ce6766a1e8d7b6fab4c03b25ab435a613d"),

@@ -88,13 +85,19 @@ D("radicle.xyz", REG_NONE, DnsProvider(DSP_CLOUDFLARE),

     ALIAS("metrics", "seed"),
     ALIAS("vault", "seed"),
     // LOC("seed", "60 20 36.488 N 25 01 48.587 E 46m 10m 100m 100m"),
     PTR("_radicle-node._tcp", "seed._radicle-node._tcp.radicle.xyz."),
     SRV("seed._radicle-node._tcp", 32767, 32767, 8776, "seed.radicle.xyz."),
     SRV("seed._radicle-node._tcp", 32767, 32767, 58776, "seed.radicle.xyz."),
     TXT("seed._radicle-node._tcp", "\"nid=z6MksmpU5b1dS7oaqF2bHXhQi1DWy2hB7Mh9CuN7y1DN6QSz\""),
     CNAME("search", "search.radicle.garden."),
     CNAME("releases", "public.r2.dev.", CF_PROXY_ON),
     NS("bootstrap", "seed"),

@@ -103,6 +106,14 @@ D("radicle.xyz", REG_NONE, DnsProvider(DSP_CLOUDFLARE),

 D("radicle.dev", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
     AAAA("@", "100::", CF_PROXY_ON),
     AAAA("desktop", "100::", CF_PROXY_ON),
     CNAME("docs", "radicle.dev."),
     CNAME("www", "radicle.dev."),
     CNAME("toot", "vip.masto.host."),
     // Migadu

@@ -123,13 +134,46 @@ D("radicle.dev", REG_NONE, DnsProvider(DSP_CLOUDFLARE),

     // Google Search Console
     TXT("@", "\"google-site-verification=r8cK7DIKc0RWNAOBhyHmfOb9FSwrCKiZs2JQ6cLOuK4\""),
     // Bluesky
     TXT("_atproto", "\"did=did:plc:h3rhdktoagtwfu452cjyw3df\""),
     // GitHub
     TXT("_gh-radicle-dev-o", "\"05261552ed\""),
     A("blackhole", "192.0.2.1"),
     PTR("b._dns-sd._udp", "radicle.dev."),
     PTR("lb._dns-sd._udp", "radicle.dev."),
     PTR("_services._dns-sd._udp", "_radicle-node._tcp.radicle.dev."),
     A("seed", "65.108.87.205"),
     AAAA("seed", "2a01:4f9:c011:b666::1"),
     SSHFP("seed", 4, 2, "ac7db28d3d05c52f3e2d67adca4654ce6766a1e8d7b6fab4c03b25ab435a613d"),
     SSHFP("seed", 4, 1, "9033b89019264dbad5a744057166a5e1b7af92f7"),
     ALIAS("attic", "seed"),
     ALIAS("files", "seed"),
     ALIAS("grafana", "seed"),
     ALIAS("logs", "seed"),
     ALIAS("loki", "seed"),
     ALIAS("metrics", "seed"),
     ALIAS("vault", "seed"),
     PTR("_radicle-node._tcp", "seed._radicle-node._tcp.radicle.dev."),
     SRV("seed._radicle-node._tcp", 32767, 32767, 8776, "seed.radicle.dev."),
     SRV("seed._radicle-node._tcp", 32767, 32767, 58776, "seed.radicle.dev."),
     TXT("seed._radicle-node._tcp", "\"nid=z6MksmpU5b1dS7oaqF2bHXhQi1DWy2hB7Mh9CuN7y1DN6QSz\""),
 );
 D("radicle.network", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
     AAAA("@", "100::", CF_PROXY_ON),
     TXT("_gh-radicle-dev-o", "\"eed4033e97\""),
     // Migadu
     MX("@", 10, "aspmx1.migadu.com."),
     MX("@", 20, "aspmx2.migadu.com."),

@@ -154,10 +198,34 @@ D("radicle.network", REG_NONE, DnsProvider(DSP_CLOUDFLARE),

     PTR("lb._dns-sd._udp", "radicle.network."),
     PTR("_services._dns-sd._udp", "_radicle-node._tcp.radicle.network."),
     A("iris", "95.217.156.6"),
     AAAA("iris", "2a01:4f9:c010:dfaa::1"),
     SSHFP("iris", 4, 1, "1ffe43af8f30c34373515fa24f1b9fe69532a9d5"),
     SSHFP("iris", 4, 2, "715ce29a1ccdd7088b9fb40949ca186e736ff6d711163689560ffe54252c9d43"),
     PTR("_radicle-node._tcp", "iris._radicle-node._tcp.radicle.network."),
     SRV("iris._radicle-node._tcp", 32767, 32767, 8776, "iris.radicle.network."),
     SRV("iris._radicle-node._tcp", 32767, 32767, 58776, "iris.radicle.network."),
     TXT("iris._radicle-node._tcp", "\"nid=z6MkrLMMsiPWUcNPHcRajuMi9mDfYckSoJyPwwnknocNYPm7\""),
     A("rosa", "5.161.85.124"),
     AAAA("rosa", "2a01:4ff:f0:abd3::1"),
     SSHFP("rosa", 4, 1, "6ee4b941f49ece1601e238344f088f5a83712b91"),
     SSHFP("rosa", 4, 2, "e2364a3e0f7728eaa53d40543f15e7c23409fe06e5b08c55d8f63ee00e963b0b"),
     PTR("_radicle-node._tcp", "rosa._radicle-node._tcp.radicle.network."),
     SRV("rosa._radicle-node._tcp", 32767, 32767, 8776, "rosa.radicle.network."),
     SRV("rosa._radicle-node._tcp", 32767, 32767, 58776, "rosa.radicle.network."),
     TXT("rosa._radicle-node._tcp", "\"nid=z6Mkmqogy2qEM2ummccUthFEaaHvyYmYBYh3dbe9W4ebScxo\""),
     CNAME("search", "search.radicle.garden."),
     NS("bootstrap", "seed.radicle.xyz."),
     NS("bootstrap", "seed.radicle.dev."),
     A("blackhole", "192.0.2.1"),
 );

@@ -184,4 +252,6 @@ D("radicle.community", REG_NONE, DnsProvider(DSP_CLOUDFLARE),

     // Google Search Console
     TXT("@", "\"google-site-verification=UEvCt4qHEQtB1ql2LREQumXpl291d6ajUm70A3g_j94\""),
     A("blackhole", "192.0.2.1"),
 );

modified flake.nix

@@ -153,9 +153,9 @@

       result;
   in {
     nixosConfigurations = {
       seed = host (import ./os/host/seed);
       iris = host (import ./os/host/iris);
       rosa = host (import ./os/host/rosa);
       "seed.radicle.dev" = host (import ./os/host/dev/seed);
       "iris.radicle.network" = host (import ./os/host/network/iris);
       "rosa.radicle.network" = host (import ./os/host/network/rosa);
     };
     devShells.${system}.default = pkgs.mkShell {

added os/host/dev/seed/attic.nix

@@ -0,0 +1,48 @@

 {config, ...}: let
   domain = "attic.radicle.dev";
   port = 54862;
   secret = "atticd.env";
 in {
   sops.secrets.${secret} = {
     sopsFile = ./sops/atticd.env;
     format = "dotenv";
   };
   services = {
     atticd = {
       enable = true;
       environmentFile = config.sops.secrets.${secret}.path;
       settings = {
         listen = "127.0.0.1:${builtins.toString port}";
         storage = {
           bucket = "radicle-attic";
           type = "s3";
           region = "eu-central";
           endpoint = "https://hel1.your-objectstorage.com";
         };
         garbage-collection.interval = "48 hours";
         api-endpoint = "https://${domain}/";
       };
     };
     nginx.virtualHosts.${domain} = {
       enableACME = true;
       forceSSL = true;
       serverName = domain;
       locations."/" = {
         proxyPass = "http://127.0.0.1:${builtins.toString port}";
         extraConfig = ''
           client_max_body_size 512m;
         '';
       };
     };
     nginx.virtualHosts."attic.radicle.xyz" = {
       enableACME = true;
       forceSSL = true;
       globalRedirect = domain;
       redirectCode = 302;
     };
   };
 }

added os/host/dev/seed/bootstrap/addresses.sql

@@ -0,0 +1,12 @@

 select json_object(a1.node, json_group_array (a2.value))
 from
 	           addresses a1
 	inner join addresses a2 using (node)
 where
 	a1.banned = false and
 	a1.type != 'onion' and
 	unixepoch() - (a1.last_success / 1000) < (60 * 60 * 24 * 7)
 group by a1.node

added os/host/dev/seed/bootstrap/default.nix

@@ -0,0 +1,48 @@

 {
   pkgs,
   config,
   inputs,
   ...
 }: {
   systemd = {
     services.radicle-bootstrap = {
       serviceConfig.Type = "oneshot";
       script = ''
         cat "${./addresses.sql}" | sqlite3 "/var/lib/radicle/node/node.db" | \
           jq --slurp add | \
           jq \
             --raw-output \
             --arg serviceName "_radicle-node.tcp" \
             --from-file "${./zone.jq}" \
             > "/etc/knot/dns-sd.zone"
         knotc -b zone-reload "bootstrap.radicle.network"
       '';
       wants = ["knot.service"];
       requires = ["knot.service"];
       path = with pkgs; [
         jq
         sqlite
         knot-dns
       ];
     };
     timers.radicle-bootstrap = {
       timerConfig = {
         OnCalendar = "*:0/5";
         RandomizedDelaySec = "1min";
         Unit = "radicle-bootstrap.service";
       };
       wantedBy = ["timers.target"];
     };
   };
   services.nginx.virtualHosts."bootstrap.radicle.network" = {
     enableACME = true;
     forceSSL = true;
     serverName = "bootstrap.radicle.network";
     root = "/var/www/bootstrap.radicle.network";
     locations."/".extraConfig = ''
       add_header 'Access-Control-Allow-Origin' '*';
       autoindex on;
     '';
   };
 }

added os/host/dev/seed/bootstrap/zone.jq

@@ -0,0 +1,22 @@

 to_entries
 | .[]
 | .key as $nid
 | "_radicle-node._tcp" as $serviceName
 | "\($nid).\($serviceName)" as $name
 | [
     "\($serviceName) PTR \($name)",
     "\($name) TXT \"nid=\($nid)\"",
     "\($name) TXT \"version=1\"",
     "\($name) TXT \"network=main\"",
     (.value
      | unique
      | to_entries[]
      | .key as $weight
      | (.value | capture("(?<host>[^:]+):(?<port>[0-9]+)"))
      | "\($nid).\($serviceName) SRV 0 \($weight) \(.port) \(.host)."),
      ""
 ]
 | .[]

added os/host/dev/seed/default.nix

@@ -0,0 +1,106 @@

 {
   self,
   config,
   pkgs,
   lib,
   modulesPath,
   ...
 }: {
   imports = [
     ../../../mixin/cache.nix
     ../../../mixin/common.nix
     ../../../mixin/kmscon.nix
     ../../../mixin/nix.nix
     ../../../mixin/motd.nix
     ../../../mixin/sops.nix
     ../../../mixin/users.nix
     ./attic.nix
     ./knot.nix
     ./ssh.nix
     ./tor.nix
     ./radicle.nix
     ./grafana.nix
     ./victorialogs.nix
     ./files.nix
     ./bootstrap
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
   systemd.network.networks."10-hetzner".address = [
     # IPv6 address is statically configured, see Hetzner dashboard.
     "2a01:4f9:c011:b666::1/128"
   ];
   fileSystems =
     (builtins.listToAttrs (map
       ({
         subvol,
         mountpoint ? "/${subvol}",
       }: {
         name = mountpoint;
         value = {
           device = "/dev/disk/by-uuid/e55dc01e-ecab-4cd2-ad08-e773615f36fd";
           fsType = "btrfs";
           options = ["compress=zstd" "discard=async" "noatime" "subvol=${subvol}"];
         };
       }) [
         {
           mountpoint = "/";
           subvol = "root";
         }
         {subvol = "home";}
         {subvol = "nix";}
       ]))
     // {
       "/boot" = {
         device = "/dev/disk/by-uuid/5d17c66f-46fc-484d-be63-b21786e61af9";
         fsType = "ext2";
       };
     };
   boot = {
     loader.grub = {
       enable = true;
       efiSupport = false;
       device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_30473871";
     };
     initrd.availableKernelModules = [
       "ata_piix"
       "uhci_hcd"
       "virtio_pci"
       "sr_mod"
       "virtio_blk"
       "ahci"
       "xhci_pci"
       "virtio_scsi"
       "sd_mod"
     ];
   };
   networking = {
     domain = "radicle.dev";
     hostName = "seed";
     useDHCP = false;
     firewall = {
       allowedTCPPorts = [
 # ssh
 # http
 # https
 # grafana
 # radicle-node
       ];
       allowedUDPPorts = [
 # http3
       ];
     };
   };
   networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 }

added os/host/dev/seed/files.nix

@@ -0,0 +1,70 @@

 let
   name = {
     xyz = "files.radicle.xyz";
     dev = "files.radicle.dev";
   };
 in {
   fileSystems."/var/www/${name.dev}" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_30083854";
     fsType = "ext4";
     options = ["discard" "defaults"];
   };
   services.nginx.virtualHosts.${name.xyz} = {
     globalRedirect = name.dev;
     redirectCode = 302;
     enableACME = true;
     forceSSL = true;
     serverName = name.xyz;
     extraConfig = ''
       add_header 'Access-Control-Allow-Origin' '*';
     '';
   };
   services.nginx.virtualHosts.${name.dev} = {
     root = "/var/www/${name.dev}";
     extraConfig = ''
       add_header 'Access-Control-Allow-Origin' '*';
       autoindex on;
     '';
     enableACME = true;
     forceSSL = true;
     serverName = name.dev;
   };
   users.users = {
     rudolfs = {
       isNormalUser = true;
       createHome = true;
       home = "/home/rudolfs";
       description = "Rudolfs";
       uid = 1003;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPueml1FxzjvwbD7vRZfwoaoyuxLy0L+WLBwSNiVoJe5"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTYHe+FdhR0YUTPfl26z6nxnDO1+R+/fjYH4IpnH4qC" # recovered from files.radicle.xyz
       ];
     };
     lars = {
       isNormalUser = true;
       createHome = true;
       home = "/home/lars";
       description = "Lars";
       uid = 1005;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBppC96N69P8CxDm1jJhcutHLKWxJG4ew4R5b1A4WgKs"
       ];
     };
     levitte = {
       isNormalUser = true;
       createHome = true;
       home = "/home/levitte";
       description = "Richard Levitte";
       uid = 1006;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxmgD3GmoPY/y9LZy51e5V4pTS87EPjKhOt8yQXUuW6"
       ];
     };
   };
 }

added os/host/dev/seed/grafana.nix

@@ -0,0 +1,42 @@

 {
   config,
   pkgs,
   ...
 }: let
   domain = "grafana.radicle.dev";
   port = 3000;
 in {
   services = {
     grafana = {
       enable = true;
       settings = {
         server = {
           http_addr = "127.0.0.1";
           http_port = port;
           domain = domain;
         };
       };
     };
     nginx.virtualHosts.${domain} = {
       enableACME = true;
       forceSSL = true;
       serverName = domain;
       locations."/" = {
         proxyPass = "http://127.0.0.1:${builtins.toString port}";
         extraConfig = ''
           client_max_body_size 512m;
           proxy_set_header Host ${domain};
           proxy_set_header Origin https://${domain};
         '';
       };
     };
     nginx.virtualHosts."grafana.radicle.xyz" = {
       enableACME = true;
       forceSSL = true;
       globalRedirect = domain;
       redirectCode = 302;
     };
   };
 }

added os/host/dev/seed/knot.nix

@@ -0,0 +1,201 @@

 {
   pkgs,
   config,
   inputs,
   ...
 }: let
   writeZone = name: text: pkgs.writeText "${name}.zone" text;
   acme = domain: ns:
     writeZone "_acme-challenge.${domain}" ''
       $TTL 600
       @ IN SOA _acme-challenge.${domain}. ${ns}. 2024060801 7200 3600 86400 3600
         IN NS  ${ns}.
     '';
   update = domain: ns:
     writeZone "${domain}" ''
       $TTL 600
       @ IN SOA ${domain}. ${ns}. 2024060801 7200 3600 86400 3600
         IN NS  ${ns}
     '';
   path = ./. + "/zone";
 in {
   environment.etc."knot/common.zone".source = ./zone/common.zone;
   environment.etc."knot/secondaries.zone".source = ./zone/secondaries.zone;
   environment.etc."knot/bootstrap.radicle.network.zone".text = ''
     $TTL 3600
     @ SOA ns1 lorenz\.leutgeb.radicle.dev. 2025101002 14400 3600 1209600 3600
     $INCLUDE common.zone
     $INCLUDE dns-sd.zone
   '';
   networking.firewall = let
     dns = [53];
   in {
     allowedTCPPorts = dns;
     allowedUDPPorts = dns;
   };
   services = {
     knot = {
       enable = true;
       settings = {
         server = {
           listen = [
             "65.108.87.205" # Hetzner
             "2a01:4f9:c011:b666::1" # Hetzner
           ];
           automatic-acl = true;
         };
         remote = [
           {
             id = "slave.dns.he.net";
             address = ["2001:470:600::2" "216.218.133.2"];
           }
           {
             id = "ns1.he.net";
             address = [
               # NOTE: Looks like ns1.he.net prefers to receive zone updates via IPv4?
               # "2001:470:100::2"
               "216.218.130.2"
             ];
           }
           {
             id = "ns2.afraid.org";
             address = [
               "69.65.50.192"
               # NOTE: afraid.org seems to only pull and allow our A, but not AAAA records.
               #"2001:1850:1:5:800::6b"
             ];
           }
           {
             id = "puck.nether.net";
             address = [
               "2602:fe55:5::5"
               # NOTE: Only our IPv6 is allowlisted on their end.
               #"204.42.254.5"
             ];
           }
           {
             id = "1984.is";
             address = "93.95.224.6";
           }
           {
             id = "quad9";
             address = ["2620:fe::fe" "2620:fe::9" "9.9.9.9" "149.112.112.112"];
           }
           {
             id = "hetzner";
             address = [
               "213.239.242.238"
               "213.133.100.103"
               "193.47.99.3"
               "2a01:4f8:0:a101::a:1"
               "2a01:4f8:0:1::5ddc:2"
               "2001:67c:192c::add:a3"
             ];
           }
         ];
         remotes = [
           {
             id = "notify";
             remote = [
               "ns1.he.net"
               "ns2.afraid.org"
               "puck.nether.net"
               "1984.is"
               "hetzner"
             ];
           }
           {
             id = "transfer";
             remote = [
               "slave.dns.he.net"
               "ns2.afraid.org"
               "puck.nether.net"
               "1984.is"
               "hetzner"
             ];
           }
         ];
         log = [
           {
             target = "syslog";
             any = "debug";
           }
         ];
         acl = [
           {
             id = "transfer";
             action = [
               "query"
               "transfer"
             ];
             remote = "transfer";
           }
           /*
           {
             id = "acme";
             action = "update";
             key = "acme";
           }
           */
         ];
         mod-rrl = [
           {
             id = "default";
             rate-limit = 500;
             slip = 2;
           }
         ];
         mod-dnsproxy = [
           {
             id = "default";
             remote = "quad9";
             fallback = true;
           }
         ];
         template = [
           {
             id = "default";
             semantic-checks = "on";
             global-module = [
               "mod-rrl/default"
             ];
             zonefile-load = "difference-no-serial";
             zonefile-sync = "-1";
             journal-content = "all";
           }
           {
             id = "primary";
             acl = [
               "transfer"
             ];
           }
         ];
         zone = [
           {
             file = "/etc/knot/bootstrap.zone";
             domain = "bootstrap.radicle.network";
             template = "primary";
             dnssec-signing = true;
           }
         ];
       };
     };
   };
 }

added os/host/dev/seed/radicle.nix

@@ -0,0 +1,28 @@

 {
   config,
   pkgs,
   lib,
   ...
 }: {
   imports = [
     ../../../mixin/radicle.nix
     ../../../mixin/radicle-stats.nix
   ];
   fileSystems."/var/lib/radicle" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_30473554";
     fsType = "ext4";
     options = ["discard" "defaults"];
   };
   services.radicle = {
     httpd.nginx.serverAliases = ["seed.radicle.xyz"];
     settings = {
       fetch.signedReferences.featureLevel.minimum = "parent";
       node.externalAddresses = lib.mkAfter [
         "seedradanrg2oje34eyidx4z63gpuakgaedaetvt7xxw5whv6qnexmid.onion:58776"
       ];
     };
   };
 }

added os/host/dev/seed/sops/README.md

@@ -0,0 +1,7 @@

 # attic
 Generated according to <https://docs.attic.rs/admin-guide/deployment/nixos.html>:
 ```
 echo "ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=\"$(nix run nixpkgs#openssl -- genrsa -traditional 4096 | base64 -w0)\"" | sops --input-type dotenv --output-type dotenv --encrypt --filename-override atticd.env /dev/stdin > atticd.env
 ```

added os/host/dev/seed/sops/atticd.env

@@ -0,0 +1,15 @@

 AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:wYeacjBaA8cNHLn2/WFH5kDyGQxaGg==,iv:pxAQ5Xspo1Ypc9C6L4ForarorsjcYPCaR43BY95EMPo=,tag:yogfcwbFXTFdSTAmk/vSWw==,type:str]
 AWS_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:kMO1htvj8LO6XaSlu9cKOa9q68zw+xy5EFKdFih40IKaU0WXDo4zDGeV,iv:a+4IYJzq93++bLhTCRKslFRD/68aefFhIrs6wCf5CwM=,tag:amBQyEcQht7EglyeVOhEXQ==,type:str]
 ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=ENC[AES256_GCM,data:JyilKU3oo0mZ0X6mH6vUd2mK9bxSlsWJfEQs5ZIdFK9FduQRsvx+G4nAXKLJaY8yqspiS0YEoXwsVtY49ldWEh4qNocHw3K/oCBk5FLT9BTi+yKnAhxLb2h4kDB7L6NaIjPwMBkMuESXxrd0mdbStXwJYI1t9Xm3ylW2AW8YkBORbZKGcmwS4iA5K3ssRas1HOJBS6JIMuEDYBaUSEHnDTccmbLZ6yR53ubFM9u1hxYxPaf+HUvEXz0jeCtLvJKL3CYIKdhIcOKwAU64COc9lpFlTuFz7f3GaVfZQNBMAgciKnJjybXeS11Cwp30Qe0h46NFMhVfQmf91Ko4JONBOfH8cWowEfT8boGwb2EXZB979nnLiMJC808OhABVo69L4UPqtIZZgsIGe6ImQWtM5x9yAT+SJOpTgZzEOzDXwzROcWC0bIEpgFucyG1aiqUvOd9Kf51Xffx4wxbtHYfgTR+Cwl8HpT5PuOrg2L2beeoFhtpnBASE4E4B6wlzV7l0OyQS8RP/ZitftjkDFE9A+R6vY7Q19auVxS8TGL7/q2OLFGvIPdW8uYNZ4oEWOzv1XCgzLsX2w6bLVhCL3STafCioPH4ApsgV4Kj6a9uvf5mgvI7Oo05PemnPjG3XFRrYxS6HVDFZyR29JTnQJkDT6k6JlUfhI3+SQ5ARxHxTIR5c1KAgzw4kZSsw8LKnZ9D0VqNBSyaxzPKdh9mh86bgEJLkCtXB2RsVb0fZ1Pwrzyjnqu9rH21FRFhRkSnImjloZzB2u5gaEYoddwBeMUMmxUD30QOpotjPhCwV4CGg0DERyQjgK3GJFSXsLl1ZI5xfSyWjlAGNHszCywxP4WPbiOj4i/y61DOOIuD35OiTSyK6Ujgo5gRUrLJ6Xme9EMaZV/UrknsiQln4fflEF1Ff6Pj7ilznsLIpb5/XW3rJqTRKdCyArwRxKqvUmL50UXMzyk2YJizIhCmQbuIcqQkpWq7lzog0RELbQPwmTtT3XkrZ+TyI/dRvnBY49+Fcl0iFTf5h2dJ8jjxB5R2rzEcfW7S8NCB5m501Ncb7SXsj/R8SW5x7ekuHvQX1XvP4EjM7aA9HQCIzVZoni6kOs1yow4TLc1dKTWglYejyFUFM2k+XpOB/TWb+XoSdr9pDP8jlyF6GOQHW+f5aXbC6s7LgYRI6ZfPJgk/8L+KGjLBtrmIXUaC1eLASoYf/l4qllEOsP91uPxHExxR6hxtJvznEGRryfL3nQE5UPDNDKAusP4ruPuy4pfekwK8EeMtuExrEBLjwCZfVKSXA6KMWwB5H8vb9d9YyCICZXRvqVAmOQDJ6LcLAALx+JlkBhiDvbsn61Hsg6aa5ftXoO8kxblMv88P4eVjU2rTF1QmO3ooGPz0FJCnd0jDsCQMfBizTNhnInrk6McCVy7nVQp7qhiUSn2CPPcg0Fw1g9arK5uTzve43EbtjRxm13JTLUcNNmRv4+8rSUT6MaK4SYCt/sMtYasG8g60/qeZ+UG6Yx5m56CHjS1COmf7frN9ark/6qlj9VmHwSc/zAJLPEWCHyNrYnwys8uAXHYXoQgUWK+fJw3YGIhcwLlDQ5cj3vv43tpC3aw3R0hkVR60PuajqmGYk92ZcKAYTp5VL1HVjkDiRzRobDydrYG9tieNu9WvgS2ky5NQ0xSnpp0IWdB1T/NuDriIjBW6PiX+xlC97BdFIRRnhPiGuNozm+i+kMoOlp0EQ7pfwPF6ga5Ymm0xAcX33IyTt1QFQak6JRdKgskFUr1BO6/LPnY16ItIGomn09pxdKuQm+kEPqgU9Evk3mcOyrijG4AXQqRHw+tlSCwJutrCx0/zaRQnZf/CBk80oRfL+gtGFnjoCgoQ4XkWPXIqLK9wF240ltMu8zAWSp/PqM8Uhc5TwBAzB+j820TNybpIdR+riJwr/h28e6ZW+HGW0bI95CmoBELBbxGzftpxGkeiQodSVf4RzEyPuqsgdNQ0XHyku+68LmvnJ1ENDsyWRkkWNFjW4qnpJMvkrvzvLlrXLHjAqYKj/SgzGOCcuH1v+BZtoVENn8u8+hoWg3iBMq6N9Su5xy5VM88nP3ukcdDYB+4nZ+MCO6Sl0tfOxDSsFEz2Le3zsrzgL43We/CpdAU3UMMHqn/sLgc4e7dYh5/1JLGiin+fBLd68BlVVovmjJTaWEZDjin4GSlvL5+70dH5Po3U42JH6QUPcWEmMSuqRcgb9jLzpzc+iORJE4Y1rJjQocFFteDruz2E2YD4wCEeOqVqhHnXCnli3u4Eab91Xkkpq5DXKUhsdnCmugtaeYw4mbVFbXOGxHPU6KIovoe3m5Ly3tzbV+9ylKLQg5Ndjat3jfhOLaSww8S5l25M8SKjnXMP6AiEX6R7wnddzankoCG97qoM/3GLuWOPX5nhedOQq4BgC0SILVUTYfbQRlCPLNoAFHDYNjBHoORoAZZ+I+BUNnEAdzp/wjpzZk5+zLd/RkKvrBgJVF6bsMkAYak0ybf5C4++22fPND4ooOFDBAo3ATb1ZIcCmaVipfGbiOK8mFZjCBweNBUWb2kS0poRvBxvmWkdnO4RpjbElFfc3Tr9jVBNwnTihak5n69+7t5fKdadogJb1iGzK7JF7HLssyDu2WgVa+ye6e+6re7Q3X+rNgCjjslTa6SGs3oRT61L6cSAiBSr8Lmra79Yt+Ovj9xVTROfdhocPZhlWDClQHsWkQGS7hL7G7GX45Js6e3l6/OlU0/dm+ogO8Rje0SlRUcSVy8jz/c6nEArjy22iFBQtKP0Qjm2dxvHRbqXIbD5yFn3LGOgsgz5cjd9dJmXRs0aqTIkQcvM8LOdvX8dgFr8yrtRfpJ8t1/3hwjGFvexCSlNHZVODglMfeeETy6gbVXTbq6YkyT0w3rXtcruVC/LlOSdT4D9To2nbAmx+3sensyBpK3eDirhkVBteHfEjhV2dZzKTcW1N7XgsNwh3MBnWBrUMqQED92D1S5Zn62mFXZVr60QNT5hUBTp+UlEJTtyQopsTnsueGlwOO5n8CJWS007mWFV7B9Ok3idE4SM68Qt63BBHAshXLiWMdEHaJ5ww6J70hVYGDx5UoiRq7QncvCf7Tx688p7Q57sjczFuj7J2T4IxcjSLQ3F5em6bSTdl7dn0faJCMwxA5OStZ3FhrwBqq6DJW4MSj+tYxQAJRtj98N34dQyMKn4n9mUmdhLHAJuqnVBqNnRBt32UfSXOd0vmylX8bF5jK62fNaj9KKo/t4X7IRzpkPi6xOCSo2zlulfiAek0n7UIRm2w6O4t0PiKB6PflHVdUiIa4bVli9fLVb5EIbsb1MoO/f89yVbcLIaOBrVKOndhC+rzCM00Ln9rdgIq2qY6Lkc1DYnW8Io1lFiHy4yKbt8IacM7GqF26lxp8WlvEjRx6eHiPY/EOZeTDagp1pqS8gEv6Gsc8Hc2+uvKIKmcTEvxzJ6iB6TOMzhaaXk5GpfMT0C11jp2QnNtlaNNmNODXq3DMpQQcZUXXrT3pgP7gZLGxpeJ3bKxiNIQ/aHw6navg6d5f5RJDNCykzcbs05092zEMb/d/cYaIAfn5LwJNz21a/xKx1UkByLA64iLrrF91ypAy1QbgPLY2DX3jkhNLwXggEhE6w5m26K+K0byPM8qzYDom0tz+Cv7LSkZi3nYaOwnqlRQo3brimajHQZkGtUTZ8BVpQeQZ82wXG0KLZTJQWnvrYtjRBnkQznO+J3jS6jkJNym/L849qSzM+ECBLJdg9OnSaLzRChBJgjfCyAQN+EvDVIfoxnnsTLuDwbu2An0LOa10MJIiF5aZ4ti2e8FTvTJQ1PPlazH+gkMa9tsRRIt21sTbXuEyIMf4RFlnr9O+06gm4KUQ48ToHYcsJuEuJAU1Wd/H37vjdZYsTaFEAOfW6iigWDFCJ7B9xLNH1K6ILHDx/MD6wiiGt8BKgErXITM1hV1EDH8CPo7SCYm3kzjG32T1+pxWHeJuC6OXeHeFMg3FRlbBCs4iHGqtmE8xdPxxPJe3isbqsqI53ceed/hTfdtVKtsE+Y0AILL99rGzw2Kb97yFSBH/U3W8JreUSuhSHPX/A1XHwHtd9GUpD60Pd8Q/e0RYRUI4Y08xYvx/yjDt7tdRae9DIUzEpj13gTUW8lQCt3CKYydazHinAQ9ps6psmCR0vDdmFdxHkiZJ7VWatUICMlHpwpvgaKm1tWWryn2SmVee36bxoFUndBDKbEDjlc9hoY+szSmAHnWT+jiC5dgM2jztTqcqxnwfM06IB7b2QQbd8Aq8cgZyolKtgeiDzLBzNoMPxj9rXo7BWokEdacvTAV5l+MEJLpFR7XWPWHYzva4ig0w2Uy/az0auAmcmBlZdQXaYH2NnkwaLX4Q7S4zGXKIGi7/2Ww1E4bT+rlJZJ8XlxJejYrFo2FrjYgo42WQqdVHlRMZeY1Bp1czNKMV7cGKdRso5gbrIXAPXs8k7lZwa1l2r7sJmJBKg++Bv2eTGUHl15kkpbO6rTCQIt0gSKbR9nERzpqoMXIFItnu5LrWrCdsn8OPXjPxOLqJDztX1NAt5Cv2Ca4y0bCIyqZ0IaiFXpQiYfHQAwW2qPOaj+DUezGyuh7JKW0WtNySPnb4fjxAlbTSb0pkCpPk72U2nzobn87A+CzSAH4ZR5UcvNRGTiYJCElAIJLYZb18E4gDhoa0+gxSSiMXt74DlkTLGpOB0KTBIam1shblLZUANmUodwRoOcUHn5rF+5Loz3JKLB6HZZUsp5Kzih2yYYywh+J6dIn+KIWQ5sq0EPfR/wP6tcOGxukjeeLmquIuY6ZY99mD2aJfMJ82Ck3P5BYnDjwP/tZl6jLYHDU79ViZ4ibtWgNWuVgdvRfegxiLEgv2rlEVrQ76adjUtvXDooZx9Kz1g2X4UKwLoqXzpXPuUwHHGZGOpeZBrJRcDCb3jWPmbKIGqUzhhvXTIyymEgNyVvtByNxc92F6yex1RbgtsD7o2ExsL4PPPbxwDsOgtT1wIpvEmCoISkHuS6uilIlD5BAPuSYhuen3WnNsIEhM/r5u+uFtjf2Reim6PG2cHwBWy4MThwNZ7CMQE5sXH3I0qOogQqgFuzHRUgOk02wNAi1HxSTx6dmvOcWBAR6JsxSd1QbKPa1vWRsG7XNe5d8KNamn4JEDhXtRH8a1DQH30dPpIDGYxMV+AcbJ2dbRkB0ehJoz5VZqbDr03Fbt2jkFp+0QMUyPr7VxDuaw3grLQL2tbhEF48ZFGNhn97mob06jaQyBFQMOy33hyEU2AJkZdZsb2QLh1bmT44D5GkLH804mPbSBdVr2TGYsZqF9tlT5kOIkLvg7bLQIEqpo0ykOjr1c22N+qCQaehnN9ZfKn2KaprPqz/1JpcvrglT0hmkLmRvjAxmlHdjHmhKvp6r0qFcxYfWOgDVtXFMNKM46jd6Jnl/DYYJjbb9To2AjP1/IQazcB+aIsjz/Yll46Tw4zCqohlXbCny7rWap+Gns8IYKb+VHzcsAiOU5A8/ZVASRUO4L0URfUsTmgy9zIslbOgaQa991S8KDCVPH4D2Qledqi5oWyj+MaHbX9PVIBxXqLVXwDFkLS3qbRcS8DTcjhV5tIW1fNaePmRvZF+TCPLsRSwvlTGyw2zVg2EQLmTHiv79q+xYLYs4nTYJUaENEVq8aisCLFgiF3/iN9n/Rc0z/jvSrR5nEFNjUFTLUhruWBWSNj1ruMGMRjVTXcOKip/vEp8fVb2EoOdWt4po2KYr9x2WkcCQIXlYn363aOqTlmzR6Oo=,iv:c1JfPUkfHPSL1BGdQBx49C/H9i+w/+W2RZdYYzVFe3M=,tag:5z6b2SgxzvS3wzpjhI+FEg==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aXdySHF3WEVvOEJtSkhw\nYS9WL0VWa3d1cjF2OEFRZHo4U28wdExsOFVrCjlLczc0NjR1SUh0SG82NnpmdUcw\nTUp1Y3RqelRlMU43VVM4S0FQeW1TSE0KLS0tICtxNVI5Wk5qL08wNS85ZGQrcHor\nQmhQT28wN2M5eFhxRVJsSDU5SE5IQjAKzBP+0Bz5eTSksZVtcm0cQcy+gdRuFZo6\nmbG46bAD/qljCYY/fh9UBo0obAL2Dzk5DxlR9apv3QDrWxkZAhckMw==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaTlNaDkrWnhMR0lVdTFV\nRkU2THgzVEt1N3hBb1pTSW1vc0VFQjBqSjBNCnhqM1RTc2xsUDhpc0dvMjE5M0Ja\nemdwYjBhK3k1YlZwTGNZZE9qcHYxSlkKLS0tIDF5SGVrVm40L1pRUFplaDBrNXB2\nMVczVWdMdEhvZ3BtaE5veE90VjRDMVkK3/I0ymsAJF+4B7rF2bfKnGtLkUYDQBA/\n42cnzqE2vbyZUKID/hnAaSAjsT+T4sQ/3P/UyKQVBPwfaZquTfDfaw==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aytrNUFrTUxua2p4YUpz\neCtNWFp0WEZ4UkZ5a2h2NEU2RkR0aHUyRlVNCnplMy9RWXhXL3BWQ2pudWxiNk1C\nQTJYWmZ0U0wrVnRHcm8vSmVmTFVyZGsKLS0tIFRZVFBpQ3RvU0FtMGhkSHg5K0E1\nUlFqV3ZtTDMzSXhQOHFwb2RQMXJjR0EKbbZKum0xP2OomoJ7O4SYgejEbc6wGskG\n4yZUojl/MO1QRtR1tzoJBuUOQ3/KDnvouotMd4rMpx8Nh0zyXuXY3Q==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
 sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZXRFclBTRmlzcGtpS2VZ\nZTRuSTJSOUpuUXpNbHltczV1N0RtTFFMd1NFCktvTGhrc0RJbGorOENKVjE0Mno5\nVDVnYlFNc3hHVHJkMlM4b24vMG9hWVkKLS0tIE1HZ05Qb2tpbzVNRDJjTk9VS2Ux\nWWFIVklQSGxuV3RvOUdVQTFOaEplcmcKfp3CC0Aj94vSEHwG1v9/fYrx/O0uA2k/\nRtwZfYnqAUeFbUKAi9ttF1bJNAuTjdA5JSKwmjcaJtE8a4oHyTLWQw==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_3__map_recipient=age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4
 sops_lastmodified=2025-06-05T10:03:06Z
 sops_mac=ENC[AES256_GCM,data:nhnq7QeH9PoHrTHI8arecxgjd62nneAe+GGQ4e2wR4LFLx8QXSNTnNIEH9SAmESqRtnK+lTR0Fd8LdMcKBP8u0bgDfDWtMM7Pkk659OyuJjqyNw+BGbFamHPOWesOJBaeMkETbiSQ9RiOBW4E+y6FUDMTg5N34TBIUilFpwp2kI=,iv:KjKcELRosjglTMNCsE06iEUJINL6EMMpZ43wLaP/12o=,tag:jjt0tWPHwe8DAGiP5UOtNw==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2

added os/host/dev/seed/sops/ssh.yaml

@@ -0,0 +1,44 @@

 ssh:
     key: ENC[AES256_GCM,data:KjPrmSW5uIZ8BZqfM710+x0U5KiPRjwyX9VWbRoxfG3mpcesN1hQm2tUCuSmBk7e0HttuHI0sVX4lv6jcAG5pH8wWTISyOIytzOToZnO17gKU4T2P4dufly0+94PJAmeuMUlNJBTxDLbUIM1rxwatfdKpGEW6NT/0ki0Jwpm6kfc2oUsVsj/YvrBgdzjRR2wligdj9LlNR51Q52vwFEWBqKsOiJFoXaYANV4nH/2Bvtpt9K+ky+0ekUf5Pfacs5wHoUt0pnjCo1hZlR4IZrXyvktzHTlB1IRM2xAXJMTycOcvqedBwWZRnzPm1JOXKoKBBk1jvBlOblO8RCYvSawnMeJuLBuq79IrtKrkmdtXBIU85sCGr/Eur9CRclcCBUOHreNI6jsIxDUYtVUrnqwBuI4C/cZwwqkkGVeAn5OKAXoMOvJyTeadvoX4sK0Jiw/yZpWleBy8v0qZ/YMwryYEhUxu26QcL8ymMPl98k2xtYBr1qpcCHbwzNYA1TU2siCmXcYseLAERSTNy8nK4MbclZ68bOvyazIBIdCr5R7nNl33r3p1eEBLKmpr7bn56b2O+IyGMRE0VQvPSsB,iv:wbmX5MPvrZKehE1lNCoL1V0y6i87uS6VVNJ4ijpOPgc=,tag:/82F0SLAfy9DdWEIHB1vLQ==,type:str]
 sops:
     age:
         - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQXU3d3cxVEFaRm9ROTlC
             bHE4VUREamJkMnZveWFxem9ZTnY0SGRtRFZZCk5tbTNXWWZITVZPdzRlNGNnV1pk
             T2xhUzUySk5vN2NDY0JVclFwUFM0ZTgKLS0tIG5Pd29Fazk3SFdCWGJ5NlVqaXQ3
             WUE0RjVPSDhwYk1KZDhHU0ZXZ3ZtK28KxrvCTc/tOh+sBlIDx//X+kkKt9bWnU6Y
             /wctm5gK+D3Bkol+l4hfAPmvn2GU34lEoZkOEBA2IhHTLZzNc7+vjw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aFdoRXNHcmR0ekI1ZytN
             VytjdGhlNjZqZFZQd3hyWWZnS1BoRmZmN1c0Ckx3cWFhVnFZT0VtU1R4RGJjcmZi
             T0RETWtVMFVRNTVOMWQ2aVFnY2NGdFkKLS0tIE85bmRPVjBZenIxenk5cWtvT0Q5
             UUdkekZQMVpVYlhudVBteTM3NTdONjgKruh5uLD5cikj6Wx2NvZyduazhl7wRkWP
 MJxRjMhbmYY0vsa9oJ0xN1LFcpV6tVr7n8D1GapsJwO6bcETwfT8A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZExEc2lsY1RCVmM2eElu
             OGozMjJEb29UdkJ6RXNtSytFQ1hlZUx5R0VVCkFaMmRlTGd3UnBBNVJNOFdVWG54
             MkRIc25yVWRMdTdoN01qQTZUTTN4R0EKLS0tIFR2MlRCd2N5SXd6UDVCNC8wekhv
             SG9IVlh5eU9jNHFWWSttenFBUG96RDQKzVuI9+WuiCbfQuYsW9uysI9Qs6XqpEXa
             gSmaNseJoDtlOVocYRE0EkOy9JhaCih1CwZqrByIfgBUG9g2y3VdNQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzODc1YUd2QUNxcko1R3ow
             ZG1IejJHb2oySk1EQzNDbTdzRnoyWmxZbGtnCmZvNDdJNDlZTDVuR2dsN1ZlZFl3
             MXpqNU52ek5jbUVaZHdmWGVSSlNOOWcKLS0tIHZHR1pXU1p0Z3JWQ1pSbE82SW14
             ZXZGT2UzRzlXVElaazhRY3RHbXE4MFUKGirCy5kdGzxXgjis6tYKi6JoTI0H16al
             Pic4ZAIO6U6H+Q39hobW/gAl9wU7s+pf3fxrzJRI1twIQNPa3zc2rQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-05-19T22:10:45Z"
     mac: ENC[AES256_GCM,data:/Nj6F8rt20KcRFjRiOcxAFNgms6nT08V4w+EU5E7l/CY+KFLrffn+lV/wwLDrMR1m8frdSOPNMayO2V2v9D8dXbXmdVPfb+/AqOU3RTT5cAJ60ZCtoiXIxVtj3Z0QeXpNMA0QvS0h9O9C7KBXf53T2WPxLVKausHwHqyUIWCQjc=,iv:ZaF/0DPy5h7tbigqDHgQvHb+5PzGB8WsdX7MxY4vX9k=,tag:+JDo+a8P9rpGZ+Bsy++dkg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

added os/host/dev/seed/sops/tor_hs_ed25519_secret_key.bin.json

@@ -0,0 +1,27 @@

 {
 	"data": "ENC[AES256_GCM,data:D/cXb6sOPsORZM/Zsdk5FfRBRhHGD/SGaezAoVpVl/5lolA7AMaqSCqy4Qz4F81SIqN1hjUIxUIdlGXNVs1640zmI/s8PzyWGg/M5KDTtfTYq3b36L2woLx61k1Awue2,iv:mUiXQYno3B3hISYGHFMN9nqPQcLkpoxEI7LkVSBsmgw=,tag:D81gC3RnwNtlR9crZXQ77Q==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTS8zc21zMktFc2VHRGlx\naVp5R2JnMGhyUjBHbW8ycERhcWlsdFFxeVNZCjczRkc0QTduTWNZRnlxaGFEazFR\nTTN5QnpMTFdVdm9IUWlqalR2QXFKRXcKLS0tIDE2eVRtbm1wVGtWc3kvcnZwM0JU\nUXlQcUh0N25KMUJmUWpWLzh6cnorRnMK2343WqgXGCD0YnQPS0yY65m3MfofI4qj\nPlJ55ZMEUeM5mDkCoIyrucG55yfqgETA6EhQsHenA7R8NvNOqnWSAg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNStPM2dHaSs0ekVEVHp5\nNFM3Sy9rUktiV2Q2bUI5a201WEVHQXk3RUY4CjZYVnFUdnBCQnkvdU9JV0NNM0Zm\nS2haeHY2Sld1UGh3dWtrNDUwZXNGY28KLS0tIHh2bDVtVTBsMno0RGpuOXhnS2pv\nVWlqTE85Tzk2OXpLRVdOWXh6YXUra3MKsmotAB7ZzUEhHrnw7ArvFaZETU7NMZ1s\nqAlJuc5aDRJ5UFGRFhUUIeGcnpUHFItRbvlAinatBQRKx93aWVsVBQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTW1KclQ0SDlEZzdsb0ow\nVkIyYTFsWTZwOUpvNkJxYkczREt0bUVlZTBFCmhsNC9iZEdjaDNYL0tYOTZmc1l4\ndGJEbDRDTzVyQkNyL1hLTDZYSDRwUGMKLS0tIElQV01RRmFSaU9FT1Y5WGFoV2Iv\nQ0Jlb0hUdkJOUys2cGZxMWJMQjZNeHcKeuteT806HhwPE9aZF2CdILD+71foI8SC\n+uyGazxIQ917W/C0x60t4CrSSJdsCcEA2TKdw+v0vYfkQ1Rzdy3F4A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcU04bFVhQWphM0hXblNR\nRk1YOVlYYmVGTGVtSzJqVGZpYS9OY0duNjMwCjZ6a001bUlPakpyd3FXQ3R3VHk5\nT3dTeW9NaUhQVE5uQmFjZXJmTDh0SWMKLS0tIHUwbkY4RnJiUnFVbjNFbjF3bElx\nMnY2TjFXUUNoVHNIaE9tUHFJQXRZaTgK70bsEg5J4J83O57wBOSnAZr61iuIAnLA\nrdp7hd3+qZlGEVqznKa3OVXoOTqBABZCXJEptiGXwVN520+7mirHdw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-06-16T14:35:25Z",
 		"mac": "ENC[AES256_GCM,data:AmaR8zuJzLuKSc58awn4A4oVi0mzWs9pATfK5xztix9CeBW7H8vWphTYXMLdyYGZMSmVXlDTRli2yEDpZf9sRRD9JDfL5Bf+pMGKfMqLyoFvGkZGbrOn7YqhHusHSZgQsECe2nFjsEYm5MEQ4CJjcoUtM9mn/EltBsqprbohyEA=,iv:8QEyiTaN1WoOADJEOXeai3vxTK6xLhduxdZKZtfr0yw=,tag:2EXpIi+lSWsw7N6pQnZy1A==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
 }

added os/host/dev/seed/ssh.nix

@@ -0,0 +1,14 @@

 {
   pkgs,
   config,
   lib,
   ...
 }: {
   imports = [
     ../../../mixin/ssh.nix
   ];
   sops.secrets ."ssh/key".sopsFile = ./sops/ssh.yaml;
   environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXpC2X07TCIslR907omxrk6J+K3p0rGOMaJAHe1K2i3 ${config.networking.fqdn}";
 }

added os/host/dev/seed/tor.nix

@@ -0,0 +1,6 @@

 let
   secret = "tor/hs_ed25519_secret_key";
 in {
   imports = [../../../mixin/tor.nix];
   sops.secrets.${secret}.sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json;
 }

added os/host/dev/seed/victorialogs.nix

@@ -0,0 +1,22 @@

 {
   config,
   pkgs,
   systemSettings,
   userSettings,
   ...
 }: {
   # Default port: 9428
   services = {
     victorialogs = {
       enable = true;
       extraOptions = [
         "-retentionPeriod=14d"
       ];
     };
     journald.upload = {
       enable = true;
       settings.Upload.URL = "http://localhost:9428/insert/journald";
     };
   };
 }

added os/host/dev/seed/zone/common.zone

@@ -0,0 +1,17 @@

 $TTL 3600
 @	CAA	0 issue "letsencrypt.org"
 	NS	seed.radicle.dev
 	A	65.108.87.205
 	AAAA	2a01:4f9:c011:b666::1
 *	A	65.108.87.205
 	AAAA	2a01:4f9:c011:b666::1
 b._dns-sd._udp		86400 PTR bootstrap.radicle.network.
 db._dns-sd._udp		86400 PTR bootstrap.radicle.network.
 lb._dns-sd._udp		86400 PTR bootstrap.radicle.network.
 _services._dns-sd._udp	86400 PTR _radicle-node._tcp

added os/host/dev/seed/zone/secondaries.zone

@@ -0,0 +1,17 @@

 @	NS	ns2.he.net.
 	NS	ns3.he.net.
 	NS	ns4.he.net.
 	NS	ns5.he.net.
 	NS	ns1.afraid.org.
 	NS	ns2.afraid.org.
 	NS	ns0.1984.is.
 	NS	ns1.1984.is.
 	NS	ns2.1984.is.
 	NS	ns1.1984hosting.com.
 	NS	ns2.1984hosting.com.
 	NS	ns1.first-ns.de.
 	NS	robotns2.second-ns.de.
 	NS	robotns3.second-ns.de.

deleted os/host/iris/default.nix

@@ -1,56 +0,0 @@

 {
   self,
   config,
   pkgs,
   lib,
   modulesPath,
   ...
 }: {
   imports = [
     ../../mixin/cache.nix
     ../../mixin/common.nix
     ../../mixin/disk-config.nix
     ../../mixin/kmscon.nix
     ../../mixin/motd.nix
     ../../mixin/nix.nix
     ../../mixin/sops.nix
     ../../mixin/users.nix
     ./ssh.nix
     ./radicle.nix
     ./tor.nix
     (modulesPath + "/installer/scan/not-detected.nix")
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
   systemd.network.networks."10-hetzner".address = [
     # IPv6 address is statically configured, see Hetzner dashboard.
     "2a01:4f9:c010:dfaa::1/128"
   ];
   boot.loader.grub = {
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
   networking = {
     hostName = "iris";
     useDHCP = false;
     firewall = {
       allowedTCPPorts = [
 # ssh
 # http
 # https
 # radicle-node
       ];
       allowedUDPPorts = [
 # http3
       ];
     };
   };
   networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 }

deleted os/host/iris/radicle.nix

@@ -1,25 +0,0 @@

 {
   config,
   pkgs,
   lib,
   ...
 }: {
   imports = [
     ../../mixin/radicle.nix
     ../../mixin/radicle-permissive.nix
     ../../mixin/radicle-stats.nix
   ];
   fileSystems."/var/lib/radicle" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_34062081";
     fsType = "btrfs";
     options = ["discard=async" "noatime" "compress=zstd"];
   };
   services.radicle = {
     httpd.nginx.serverAliases = ["seed.radicle.garden"];
     settings.node.externalAddresses = lib.mkAfter [
       "irisradizskwweumpydlj4oammoshkxxjur3ztcmo7cou5emc6s5lfid.onion:58776"
     ];
   };
 }

deleted os/host/iris/sops/ssh.yaml

@@ -1,44 +0,0 @@

 ssh:
     key: ENC[AES256_GCM,data:qhDBCiAIp2OFCgx74ZczyV9JAoswo5b67I2F9RPvuzmKQfMZWCL4uiLspvp8XDbVVdRwKDm8y/1Zq4lWhA+VuhlHcuHRZpcly8v8N8qpSvKfJmxHmv4vyPu5WYsOXFoIvJfgm3+2WIgO373AQGWhN/cr6AZU1aC9HqiU2WNrQmYLUXaMMfJGOaHFZGhkxv23kFG2t4+PkLRBBa6T4vli+CHGxZJ0l854Zif3BG6JnlVyHOSdG96NN1wBm2abUkPBotC1aXqSC9fsAoJYTL/z4adysZS9ppL/cg0DSEl49ZIeOX+Hqknvps6TpUr3TpwLWaBvjYrwviJ/PqVWMl6/yeDPGf/HyioMvjkBg7Ge73N6Uk+lGfZRy7epbVGHgJ2Gvp4NgxEb2senPP7VWXgZNJjPF8Ffj2/fvHjN6FDLrRN8d07ieLX4SSRA8900ymF6AjXEH0+6dGINfUycQCSwyr9134wgzhHmJ0/C/3dqo2odVK5f/F+50VTqm0yVBHAPb1KYb9XG7M4MEXX+gD72,iv:aSiLcHQJ1Wi7xImyZrfHgNjn/NPYxJO/JsnXOklR/EM=,tag:22/rGg4+Aoc9/JGEGPvv6w==,type:str]
 sops:
     age:
         - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSm1EU0xhS29ILzFRTEdM
             WkE2d2hjRzdQZnRKSGY0TzVtT1gzNk1KcjMwCjdWdkozUnhCQ0NFZDdzeTRyOW9J
             WFlXSDlURXByU3RkYmRQQitGV2Z6dlkKLS0tIE1xQVd4MkhQV3V2T0RKSjQzVU9D
             WmIwbmVJQjQ5aTBLOXJBbXZvWFlUYmsKajXB1Tumzzy9CNQOjlPqIs1FEGe8qsKX
 Z8U9KUPjdi29yuX+XGsXEdpR8rQtYFdsSTJPbOT+ScnTzQnFu7wLg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwMElhWU9tMnQ2WkppcTdM
             dWUvUEIyNWdmQnhEa0s3VUgrRHBzNXZDVVhnClR5ekhVK1RPb1dJSmtJcWpjYnpM
             TVRkdEd3SElteXIvdmdvN3VTZFRoeE0KLS0tIGpNTVZER1FLSk9SNUx6RVhwdzNU
             Z0Q5a1VaU3ZMbnJIam51YXJ0em5yUEEKGFh+fOAsldm7MZlmpBqDoAb5f0pGepPS
             a/5VTbYL5JPr8IfOHfO/t4N0+WY2g1HbcaeCd5i6+5eskMJWtug80Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS3MzZVUxR2tSb2VhTHF0
             ZmR1blRrdnFhNnhBM3FOZk1qU2FZVnBrc1drCmJkSlQzYmVmaDd2Vy9mUFY5bWEz
             YVRRa280Z05hanloSURLQXdlNVVYa2MKLS0tIGlQZFEzbnZCZDdKZjlGYVhNaVlF
             a0lNWVFNMm85WUd0ZHV6SUV3dU9OUEUKLOWPfkzH4WtrB7O9P8fM4zL2ouJ+MIG5
             wBescvN0R7Vd0l7hd+xc1bjLZHsSaYCMf43qUMOhoRxFnZPpsEJyPQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m9vcrmqxqcghkk2672wpngwxsj5dk2807kmdze4r05nz7p3pue2s6djkm6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4S0tqb3VrQWVWenpHdExR
             VW9RYWUvOStIK0F0ZUh2N1cxOC9GM04wOTFVCkQ2TGwwSk5aVERiZlJHRVlTdUlC
             V2RPbis4Z3h4c3NRamF6d3h4WjlvNDgKLS0tIEFraVpjaHhVeXpQSStYL3BLWTBZ
             T0ZsRjkvdTlsUGpvNDFwTVZ5VGZSbTAKirlzErl2fjEr/KQ38EC4USHXe5Dt29t1
             BPKEJAPzwqbEOjDWob4RwdC94cCl5zmDDol9i+25a6kMdAhUSjuefw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-06-15T15:33:40Z"
     mac: ENC[AES256_GCM,data:vOmCAQvSa0dtAyilamxLfITPeggt4MLEsLgwox4OQ4VtMtVxS3qVKQsO24bl1g2g+iHydTAjtrXwdTDA7IwL2YDixqOaDD64stZgJViBoOcrEK4solgRPdvZpppRTDxVVM8aNmSuJs44GXZtnMBSEGFAs4NVahKR/nJDLbrdd3Y=,iv:dBg4X7ptthYxPGUjjCbbJYrigu+yta2ceU7ccKaGEgo=,tag:hWUjV+L8Z629HygRLgFBMA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

deleted os/host/iris/sops/tor_hs_ed25519_secret_key.bin.json

@@ -1,27 +0,0 @@

 {
 	"data": "ENC[AES256_GCM,data:/ShKCOAvKDgKZCJO9uoZx/ML+IJe+uVfB0Pu2JJ9CPwiaBa9VOh5mZ4XW4eS7JLASWEPmuphJ5hnyV3ggw7Q1z7gxmLO0I6PMG1fg1Aa0lPwN9I+7iu62mkGvyeZ+fWw,iv:pjMDpnhmtcaORc3xQEfjbdMCQO+uUi4zqd/JYqhXu/U=,tag:pqFrnfPtExB+6CHgcVMeCw==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZlRpaDgwcjA2Z001bTZE\nelBVMjVRTkYyaEhEa0hWUmsrYzFHcnJrcG1vClk2NGI0aHpBQllMSVh3alFhVkZy\nOG1qUFVSSWY2TGJQaGFqVzdBZ0o3NlkKLS0tIGplbThwWnI3M3JMSDhVSitrZFg0\nTCtQMzJ1Tjd5eDRJNnZGamFHbVpoMUUKlrU5GFXKNyzdSOqva+dMhR5JVwgMIwqT\nofzCYT5DO0EkP+xy/J2wjZfFv3dIfL4KI2Deld9mXCSD4WpEg0Ts5Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKOVJ4WC9CSUtYcm9mZWNN\nMElGYlZUQlc3OEQrd1JvK2pnT1AwMGc4VnljCnVaV0hBWnZGRGVDNGtJeE9obWtK\nNmdRb0lycVA4RS9ORWNkTzl6UzVWNEEKLS0tIFk2RkNzSkl4WllQSXRFRWxOQTFW\nUkxLYWRBNWVtNjEweTFiY1FDMnF0OWMKlT7li07yS3G0ec7JQmMaHIDlcEUJG0+9\nuJkxaPI8xD7W4DBd9o1SzIPodALBqyDCUVRXPjYVySM1bvEXZPppfw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdEdUYStNQWVZS3M2ZE5m\nMXZBbXZSM0ZRTHBpcklGS3FFcTJWcmZrWGdJCndNUW5ZbkhYcHFKQTFWdUVSYi8r\neitVSG9ubTY5em5YSHQxQU5KOFlITm8KLS0tIGhhOTM2TUZZY3VnL0Z5elA0UXk4\nd0RFV0xlRTk5VkZxVmd4MlZpbjRvaDAK3r7njwWJQKXOAL50+2YGP6+2B2Sn1RtZ\nllL4conesw7fysPCc1CJ2slCwd85pWxUGEaE934wiVOQv2hArZiszw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1m9vcrmqxqcghkk2672wpngwxsj5dk2807kmdze4r05nz7p3pue2s6djkm6",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSGszUmNIUm0yNjRNeGE0\nUExJOHllbU5hSG9oOWJsdTNWV2JqSDhKRzJBClo3RGdWWDQvdnFZU0c4Q0hCUis3\nMG4rMVJtc3JlWTJzZGVYQkV0Rm4zOUUKLS0tIEc4dTRiMHRVdzFPUURzTVZGYmJk\nRmdwbFdWNHg1NThFZjJpQUpVbldubGMK/NaiPU7hews4kGVIfw7UFpGiz5UHHGZd\nDu4R2B2CqRetgR/BadBnUstcWerycK04wEYhX0tdb6Qo4jb4PfayaQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-06-16T21:24:05Z",
 		"mac": "ENC[AES256_GCM,data:8N/FxxettpYvbQ3MRFYrL1pyUYRfZjx6TEhLl6yOxjCv3u2Ww9zepgXgtIpgWkIj3BhmQvvJmYEL2zr2jLRWevpCuuQvKOZ/EwnHN2iJCz0ayDIqr4epkSjDVsmGofhfbJn6+QX1sA4SNNFNxJBkOLcA9W5mCb4adcq6t/KRmnk=,iv:muZ/n5Ysv5+0dXc1Sf/R/4Au0h+dBQtPyseuU6Nq7n0=,tag:SbBQgy7VW0Ry4DnniUuy/Q==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
 }

deleted os/host/iris/ssh.nix

@@ -1,14 +0,0 @@

 {
   pkgs,
   config,
   lib,
   ...
 }: {
   imports = [
     ../../mixin/ssh.nix
   ];
   sops.secrets."ssh/key".sopsFile = ./sops/ssh.yaml;
   environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILCHL/pbyjZ8Mm1esh6rXe5x/QSDzPUtiR0RZMhRqPoe ${config.networking.fqdn}";
 }

deleted os/host/iris/tor.nix

@@ -1,6 +0,0 @@

 let
   secret = "tor/hs_ed25519_secret_key";
 in {
   imports = [../../mixin/tor.nix];
   sops.secrets.${secret}.sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json;
 }

added os/host/network/iris/default.nix

@@ -0,0 +1,57 @@

 {
   self,
   config,
   pkgs,
   lib,
   modulesPath,
   ...
 }: {
   imports = [
     ../../../mixin/cache.nix
     ../../../mixin/common.nix
     ../../../mixin/disk-config.nix
     ../../../mixin/kmscon.nix
     ../../../mixin/motd.nix
     ../../../mixin/nix.nix
     ../../../mixin/sops.nix
     ../../../mixin/users.nix
     ./ssh.nix
     ./radicle.nix
     ./tor.nix
     (modulesPath + "/installer/scan/not-detected.nix")
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
   systemd.network.networks."10-hetzner".address = [
     # IPv6 address is statically configured, see Hetzner dashboard.
     "2a01:4f9:c010:dfaa::1/128"
   ];
   boot.loader.grub = {
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
   networking = {
     domain = "radicle.network";
     hostName = "iris";
     useDHCP = false;
     firewall = {
       allowedTCPPorts = [
 # ssh
 # http
 # https
 # radicle-node
       ];
       allowedUDPPorts = [
 # http3
       ];
     };
   };
   networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 }

added os/host/network/iris/radicle.nix

@@ -0,0 +1,26 @@

 {
   config,
   pkgs,
   lib,
   ...
 }: {
   imports = [
     ../../../mixin/radicle.nix
     ../../../mixin/radicle-permissive.nix
     ../../../mixin/radicle-stats.nix
   ];
   fileSystems."/var/lib/radicle" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_34062081";
     fsType = "btrfs";
     options = ["discard=async" "noatime" "compress=zstd"];
   };
   services.radicle = {
     httpd.nginx.serverAliases = ["seed.radicle.garden" "iris.radicle.xyz" "iris.radicle.network"];
     settings.node.externalAddresses = lib.mkAfter [
       "iris.radicle.xyz:58776"
       "irisradizskwweumpydlj4oammoshkxxjur3ztcmo7cou5emc6s5lfid.onion:58776"
     ];
   };
 }

added os/host/network/iris/sops/ssh.yaml

@@ -0,0 +1,44 @@

 ssh:
     key: ENC[AES256_GCM,data:qhDBCiAIp2OFCgx74ZczyV9JAoswo5b67I2F9RPvuzmKQfMZWCL4uiLspvp8XDbVVdRwKDm8y/1Zq4lWhA+VuhlHcuHRZpcly8v8N8qpSvKfJmxHmv4vyPu5WYsOXFoIvJfgm3+2WIgO373AQGWhN/cr6AZU1aC9HqiU2WNrQmYLUXaMMfJGOaHFZGhkxv23kFG2t4+PkLRBBa6T4vli+CHGxZJ0l854Zif3BG6JnlVyHOSdG96NN1wBm2abUkPBotC1aXqSC9fsAoJYTL/z4adysZS9ppL/cg0DSEl49ZIeOX+Hqknvps6TpUr3TpwLWaBvjYrwviJ/PqVWMl6/yeDPGf/HyioMvjkBg7Ge73N6Uk+lGfZRy7epbVGHgJ2Gvp4NgxEb2senPP7VWXgZNJjPF8Ffj2/fvHjN6FDLrRN8d07ieLX4SSRA8900ymF6AjXEH0+6dGINfUycQCSwyr9134wgzhHmJ0/C/3dqo2odVK5f/F+50VTqm0yVBHAPb1KYb9XG7M4MEXX+gD72,iv:aSiLcHQJ1Wi7xImyZrfHgNjn/NPYxJO/JsnXOklR/EM=,tag:22/rGg4+Aoc9/JGEGPvv6w==,type:str]
 sops:
     age:
         - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSm1EU0xhS29ILzFRTEdM
             WkE2d2hjRzdQZnRKSGY0TzVtT1gzNk1KcjMwCjdWdkozUnhCQ0NFZDdzeTRyOW9J
             WFlXSDlURXByU3RkYmRQQitGV2Z6dlkKLS0tIE1xQVd4MkhQV3V2T0RKSjQzVU9D
             WmIwbmVJQjQ5aTBLOXJBbXZvWFlUYmsKajXB1Tumzzy9CNQOjlPqIs1FEGe8qsKX
 Z8U9KUPjdi29yuX+XGsXEdpR8rQtYFdsSTJPbOT+ScnTzQnFu7wLg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwMElhWU9tMnQ2WkppcTdM
             dWUvUEIyNWdmQnhEa0s3VUgrRHBzNXZDVVhnClR5ekhVK1RPb1dJSmtJcWpjYnpM
             TVRkdEd3SElteXIvdmdvN3VTZFRoeE0KLS0tIGpNTVZER1FLSk9SNUx6RVhwdzNU
             Z0Q5a1VaU3ZMbnJIam51YXJ0em5yUEEKGFh+fOAsldm7MZlmpBqDoAb5f0pGepPS
             a/5VTbYL5JPr8IfOHfO/t4N0+WY2g1HbcaeCd5i6+5eskMJWtug80Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS3MzZVUxR2tSb2VhTHF0
             ZmR1blRrdnFhNnhBM3FOZk1qU2FZVnBrc1drCmJkSlQzYmVmaDd2Vy9mUFY5bWEz
             YVRRa280Z05hanloSURLQXdlNVVYa2MKLS0tIGlQZFEzbnZCZDdKZjlGYVhNaVlF
             a0lNWVFNMm85WUd0ZHV6SUV3dU9OUEUKLOWPfkzH4WtrB7O9P8fM4zL2ouJ+MIG5
             wBescvN0R7Vd0l7hd+xc1bjLZHsSaYCMf43qUMOhoRxFnZPpsEJyPQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1m9vcrmqxqcghkk2672wpngwxsj5dk2807kmdze4r05nz7p3pue2s6djkm6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4S0tqb3VrQWVWenpHdExR
             VW9RYWUvOStIK0F0ZUh2N1cxOC9GM04wOTFVCkQ2TGwwSk5aVERiZlJHRVlTdUlC
             V2RPbis4Z3h4c3NRamF6d3h4WjlvNDgKLS0tIEFraVpjaHhVeXpQSStYL3BLWTBZ
             T0ZsRjkvdTlsUGpvNDFwTVZ5VGZSbTAKirlzErl2fjEr/KQ38EC4USHXe5Dt29t1
             BPKEJAPzwqbEOjDWob4RwdC94cCl5zmDDol9i+25a6kMdAhUSjuefw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-06-15T15:33:40Z"
     mac: ENC[AES256_GCM,data:vOmCAQvSa0dtAyilamxLfITPeggt4MLEsLgwox4OQ4VtMtVxS3qVKQsO24bl1g2g+iHydTAjtrXwdTDA7IwL2YDixqOaDD64stZgJViBoOcrEK4solgRPdvZpppRTDxVVM8aNmSuJs44GXZtnMBSEGFAs4NVahKR/nJDLbrdd3Y=,iv:dBg4X7ptthYxPGUjjCbbJYrigu+yta2ceU7ccKaGEgo=,tag:hWUjV+L8Z629HygRLgFBMA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

added os/host/network/iris/sops/tor_hs_ed25519_secret_key.bin.json

@@ -0,0 +1,27 @@

 {
 	"data": "ENC[AES256_GCM,data:/ShKCOAvKDgKZCJO9uoZx/ML+IJe+uVfB0Pu2JJ9CPwiaBa9VOh5mZ4XW4eS7JLASWEPmuphJ5hnyV3ggw7Q1z7gxmLO0I6PMG1fg1Aa0lPwN9I+7iu62mkGvyeZ+fWw,iv:pjMDpnhmtcaORc3xQEfjbdMCQO+uUi4zqd/JYqhXu/U=,tag:pqFrnfPtExB+6CHgcVMeCw==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZlRpaDgwcjA2Z001bTZE\nelBVMjVRTkYyaEhEa0hWUmsrYzFHcnJrcG1vClk2NGI0aHpBQllMSVh3alFhVkZy\nOG1qUFVSSWY2TGJQaGFqVzdBZ0o3NlkKLS0tIGplbThwWnI3M3JMSDhVSitrZFg0\nTCtQMzJ1Tjd5eDRJNnZGamFHbVpoMUUKlrU5GFXKNyzdSOqva+dMhR5JVwgMIwqT\nofzCYT5DO0EkP+xy/J2wjZfFv3dIfL4KI2Deld9mXCSD4WpEg0Ts5Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKOVJ4WC9CSUtYcm9mZWNN\nMElGYlZUQlc3OEQrd1JvK2pnT1AwMGc4VnljCnVaV0hBWnZGRGVDNGtJeE9obWtK\nNmdRb0lycVA4RS9ORWNkTzl6UzVWNEEKLS0tIFk2RkNzSkl4WllQSXRFRWxOQTFW\nUkxLYWRBNWVtNjEweTFiY1FDMnF0OWMKlT7li07yS3G0ec7JQmMaHIDlcEUJG0+9\nuJkxaPI8xD7W4DBd9o1SzIPodALBqyDCUVRXPjYVySM1bvEXZPppfw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdEdUYStNQWVZS3M2ZE5m\nMXZBbXZSM0ZRTHBpcklGS3FFcTJWcmZrWGdJCndNUW5ZbkhYcHFKQTFWdUVSYi8r\neitVSG9ubTY5em5YSHQxQU5KOFlITm8KLS0tIGhhOTM2TUZZY3VnL0Z5elA0UXk4\nd0RFV0xlRTk5VkZxVmd4MlZpbjRvaDAK3r7njwWJQKXOAL50+2YGP6+2B2Sn1RtZ\nllL4conesw7fysPCc1CJ2slCwd85pWxUGEaE934wiVOQv2hArZiszw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1m9vcrmqxqcghkk2672wpngwxsj5dk2807kmdze4r05nz7p3pue2s6djkm6",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSGszUmNIUm0yNjRNeGE0\nUExJOHllbU5hSG9oOWJsdTNWV2JqSDhKRzJBClo3RGdWWDQvdnFZU0c4Q0hCUis3\nMG4rMVJtc3JlWTJzZGVYQkV0Rm4zOUUKLS0tIEc4dTRiMHRVdzFPUURzTVZGYmJk\nRmdwbFdWNHg1NThFZjJpQUpVbldubGMK/NaiPU7hews4kGVIfw7UFpGiz5UHHGZd\nDu4R2B2CqRetgR/BadBnUstcWerycK04wEYhX0tdb6Qo4jb4PfayaQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-06-16T21:24:05Z",
 		"mac": "ENC[AES256_GCM,data:8N/FxxettpYvbQ3MRFYrL1pyUYRfZjx6TEhLl6yOxjCv3u2Ww9zepgXgtIpgWkIj3BhmQvvJmYEL2zr2jLRWevpCuuQvKOZ/EwnHN2iJCz0ayDIqr4epkSjDVsmGofhfbJn6+QX1sA4SNNFNxJBkOLcA9W5mCb4adcq6t/KRmnk=,iv:muZ/n5Ysv5+0dXc1Sf/R/4Au0h+dBQtPyseuU6Nq7n0=,tag:SbBQgy7VW0Ry4DnniUuy/Q==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
 }

added os/host/network/iris/ssh.nix

@@ -0,0 +1,14 @@

 {
   pkgs,
   config,
   lib,
   ...
 }: {
   imports = [
     ../../../mixin/ssh.nix
   ];
   sops.secrets."ssh/key".sopsFile = ./sops/ssh.yaml;
   environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILCHL/pbyjZ8Mm1esh6rXe5x/QSDzPUtiR0RZMhRqPoe ${config.networking.fqdn}";
 }

added os/host/network/iris/tor.nix

@@ -0,0 +1,6 @@

 let
   secret = "tor/hs_ed25519_secret_key";
 in {
   imports = [../../../mixin/tor.nix];
   sops.secrets.${secret}.sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json;
 }

added os/host/network/rosa/default.nix

@@ -0,0 +1,57 @@

 {
   self,
   config,
   pkgs,
   lib,
   modulesPath,
   ...
 }: {
   imports = [
     ../../../mixin/cache.nix
     ../../../mixin/common.nix
     ../../../mixin/disk-config.nix
     ../../../mixin/kmscon.nix
     ../../../mixin/motd.nix
     ../../../mixin/nix.nix
     ../../../mixin/sops.nix
     ../../../mixin/users.nix
     ./ssh.nix
     ./radicle.nix
     ./tor.nix
     (modulesPath + "/installer/scan/not-detected.nix")
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
   systemd.network.networks."10-hetzner".address = [
     # IPv6 address is statically configured, see Hetzner dashboard.
     "2a01:4ff:f0:abd3::1/128"
   ];
   boot.loader.grub = {
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
   networking = {
     domain = "radicle.network";
     hostName = "rosa";
     useDHCP = false;
     firewall = {
       allowedTCPPorts = [
 # ssh
 # http
 # https
 # radicle-node
       ];
       allowedUDPPorts = [
 # http3
       ];
     };
   };
   networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 }

added os/host/network/rosa/radicle.nix

@@ -0,0 +1,26 @@

 {
   config,
   pkgs,
   lib,
   ...
 }: {
   imports = [
     ../../../mixin/radicle.nix
     ../../../mixin/radicle-permissive.nix
     ../../../mixin/radicle-stats.nix
   ];
   fileSystems."/var/lib/radicle" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_100506310";
     fsType = "btrfs";
     options = ["discard=async" "noatime" "compress=zstd"];
   };
   services.radicle = {
     httpd.nginx.serverAliases = ["ash.radicle.garden" "rosa.radicle.xyz" "rosa.radicle.network"];
     settings.node.externalAddresses = lib.mkAfter [
       "rosa.radicle.xyz:58776"
       "rosarad5bxgdlgjnzzjygnsxrwxmoaj4vn7xinlstwglxvyt64jlnhyd.onion:58776"
     ];
   };
 }

added os/host/network/rosa/sops/ssh.yaml

@@ -0,0 +1,44 @@

 ssh:
     key: ENC[AES256_GCM,data:9McivwROwytP+vM3VsrGja2Vo2WWYi9i3jWPEsE1CarT/pdhjhFu+e3WZwhBE76JKXBsUe5fXb1LLb3iZv1u7vPzKd3qH/aoxCsYfiNoEjndrIAVWG11i5Z4tfpRjEDrcNL3L9OGSYXHCGhTvGF+0EXZJGT4JzQRkD0CR85cvuR9BUzcCfNHJHzIrVPBAc4YFnja+TjCWPoL0K89sfEoZ6fmRsVKEan7Z8wrykFUK2NhmHCSdYSiTHUxMwegwLdPlIkSpV9L4ZT/4drbWmNsbjcgVPG3e1n9OqGXqAlpS1tZoC9rO56Ha2t1Pu5WZNH94ExCPVCZhjS2R2wFmdnUL7T6ehCjw3u99dCLHnmJm7p1er9Wv70iE1+WINq+kenqDvjHdpPOOer2IPwvCpdX16dw1cpaRC4ThdcO/5JNot1I8S0+wWwX2oErAUiz6YEClDjuG33yZJmQDyJFl2i8Hv/b8gGQHnuqOL3II2Ud57cs6E85CPCVOC8AkOPUSJktlMg3ZNX9zU2+XsrGFQA8,iv:6sRajQ2l+YJ7P+M2cUxp3n/am0UB8/OC2CVIxiSIcUo=,tag:tMAi8OKwgZtyh5bscWPNPQ==,type:str]
 sops:
     age:
         - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZm5Za1RlNmNzRnBjVDVo
             OHVUN2RSQU5QNmlncHp5VWI2WmZDc3dORUhNCnNHTHBua3JYUVhIN2NPNjUwZEMr
             ZlN6VnVacmpjTjAxWFJtSzN2YzZFYVkKLS0tIFBnMHA5Z1lBaDY4am1EMEZMcUdz
             a2JhT2MyeDNXa2ZuU3IrZ0p4citCUjQK8IlbOuXzo+vORmttF50ZH2OCqwUQ5Ktp
             BgjALcViNT+2O+s4O+j/T78rmbesRwMfTqKZwOKgwV0OXkJ/v5oEtg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Y2NCMk9LdVVoN1RkMEt2
             WjVkTFhDb2l5RnMwdnh1bFAxU2dUdlRySXdZCkk1VVlGWWRVdTFYek55MFFJMmhK
             QW1rUDBMcTVaQlhTZnFxZU1QT25aUDAKLS0tIFc2SjhZTkRqSHo1SFNidVRPS29X
             Y2NRYWtrQy9kQXJuWW55RVQ5TGF1RVEKjzTxU3mGp56T65TbxdPFHCaN+TMZIii9
             /5wtmHgnmVXo2aMCN2nwNmjXGwqd9nHRYbZF3LgMMYPCEs0NfUHE7Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbFVyL1F6ejZsSlg0czdq
             WHo1Ym9ZOGh0VHR4akRiaDRmMDhpZGwyV25VCnRvd1g1eXEyQ28wMnRiaVcrUlNl
             NjRxRUgxZWV1OXYvcFBqRlRWUFIwOGcKLS0tIFYvTGc5RzdhU2N0LzBLZm96ejZ0
             TGdvVytPRDJkN0JBY1ZjazVaU3RXSkEK2M65hrhfZnaigR3QMKj2VcJw8fwCdWN5
             aeRxoVkml23GWXyyYsf5jgIObKiOswiIbA/15FpeLqkea+dQOPQ52A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1edrvqxxahlt760rnnq990m2hmeezh4gzl538e2zg5j2axnd37vaqcp0x49
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL29DT0JsaVNaLzBYaUNr
             eXRYQmJERUdFOVh5dFltM3E3QlhCbFRIUlc0CjNxQnZzRlVYU1dQYXJtTEg0WXZD
             RE5NbGFybCsrR3VsOGJlTUttSmo5RkEKLS0tIHpGbUJuOVZ4TFhQVHNPZ2RDQzVE
             Mkk4YTFLU0xZa0duS3FHWEQ5U3d5WEEK4jkV6IKUOYdbABLXzL3ry78iAPCQ135S
             uCLO2extw+cvjJCTohyfhtsqCNX1Df37HPl1zQqpkKafByOAEsfF3w==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-06-15T15:34:45Z"
     mac: ENC[AES256_GCM,data:gbfrOmn+a+PbsB73kt73oqAU0G5rJi3af5Tywv0gSF9buA7zFh8pudFt0CpNIYQjzjqo+GgWaGH8A81A9slfDRduX/Y1XwPLGLae4k2M5jOMRlQvwQXzH01EdbpbRLfJqonrKq61iC7QgXTWM5RuUWAhnZBlhsPpQwfDszpzXIg=,iv:4biq+3GOLebhcMpohPeZrrOZ1iUTnXBK/zaD2j4NE9o=,tag:Y1YWuJ8/qxjvby+CD12UXg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

added os/host/network/rosa/sops/tor_hs_ed25519_secret_key.bin.json

@@ -0,0 +1,27 @@

 {
 	"data": "ENC[AES256_GCM,data:j99AWR4KoUEytey0+upZfvA7Edh6gqiVl2qoGxmDiGQxHqjdwSZcPAlD0j1+HTC9GM2p2CJRQyIQW+NlDUvjuP1SS46Ii3JwZIREXJxQpykbjKTFttQuUfZKB16Fiql5,iv:19I1cxJI+Ahyc8DLQuyRAQs0HLZmuc7VrstW4xmLqR0=,tag:HSX/28+OnznN4SjAiYle0g==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeUgxTlM2c3BlOTdjVG1U\nQjlZalNkWC9UQk1mRzFsQ0psZk9hTGh4bEh3CkxTb0NhT2JvMHJRWHNGRks2MjI1\nSXdQbWdXMDdPeGkwd0o3UTkzMVh1b2MKLS0tIHJLTzlkbVJBVjhKS2xTK2VIeCtq\nK0NzcTFhZVM3cWNPNXc1RFpmdk9VdWsKD9fyFi9j2H7GxNxO37hWSPbMT15vgRIr\n9e5caKVk6AZ/6tHLuhklZVAPU22FkmdxmSw3PE5gFrXDtlU7RsYYVg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSTBRRDdoeFV5VHdMYWZQ\nSktLOWxpRFZpVStWdVFrRXp0U3NlK1cvNlh3CjV0YVNyV3R1UysvbGp0TGsvZ3Mv\naXFVbFJUeGxwNlhLQkgvWkFWd00zdlUKLS0tIGlGQVl4SUxySWRGK01Nc2JZdEYy\nUHJJaHdIYk5sUnJvR3lLVytNVTM4NEkK2VE88iRZb7djWm0ySyxOIIASuuRNIcLZ\nLaEcW3JoOKcpqQsBANsgxLfA7VYfmc5uSWGSwq/OKnr89JB7gvuD4Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWHRVZ0cyMnlEZFltMG12\nNi9ybnlBTkZHOW1hL2s5emFVRUpNUkVxWEVVCnVxRnloOFcrZ1FjMmNCN0x2U3ZJ\nNjJtcDQzRk80djBaZjFwZndHQ0pveWMKLS0tIHZWdjFhMy9rSkFUN3p6bC8rN2pT\nWS9rRVZCdzJWbG5PTWFSZlJhSGIyQU0KZAvNOHu2R2lg8yIsT3P3rQIhnJYh1GkT\ncCm9vTm0e2UdGrCFbOsKouLNUySowsYwNQxyYCfzGCy8zcxWgbjNvQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1edrvqxxahlt760rnnq990m2hmeezh4gzl538e2zg5j2axnd37vaqcp0x49",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQ21PRVBxWk4yV2dRSXNm\nQ2M4L0xzZ2pCRllTY1RPWEo1N0trMVdJQURzCjhRT0JPYjRxUm9xbStUT1VqSXNj\nU2ZsTDVma0dYSTVsdE5GeDhDOFNzQzQKLS0tIDF6S3RLSlVXL3dpcTNVS0l6enRt\nWnEvYmhXcTBKb0UwY2RyOG9wU0trWUkKP4Myb4824yQA8E7nmoqJ8MeuLQiZeP7a\nBnq1lTYbi5V4ZbjOvNKsuHczp/UZbFZa1LVDfqzWdaJhaS3Zs8W4Yg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-06-16T21:25:01Z",
 		"mac": "ENC[AES256_GCM,data:ofQNg1OeKSn6KvIiwDJljEEi57yUdgtwcLUqNQxc6kIqMl7Rik6aSDPHzLX3x4L8CB/etE6XoylU9iHkO+ze5qQAheLjfVl6OZDC/x1XQ+XjCqJ5+530TbwV0xG1YhzoWvULtoxFb4+7nmEBGAd3sS3BfVpI9DF4mKYmnJd43FA=,iv:ynuVLkia1TR8wBEM++prEh5fFPIOK5CzXmkuEwp9ykI=,tag:dUumfBA6TTsuu+H2M2AAgQ==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
 }

added os/host/network/rosa/ssh.nix

@@ -0,0 +1,14 @@

 {
   pkgs,
   config,
   lib,
   ...
 }: {
   imports = [
     ../../../mixin/ssh.nix
   ];
   sops.secrets."ssh/key".sopsFile = ./sops/ssh.yaml;
   environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3IXeH6/VO4oBUB7rr0TMfJyChcSINlZUrShC05fLf4 ${config.networking.fqdn}";
 }

added os/host/network/rosa/tor.nix

@@ -0,0 +1,6 @@

 let
   secret = "tor/hs_ed25519_secret_key";
 in {
   imports = [../../../mixin/tor.nix];
   sops.secrets.${secret}.sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json;
 }

deleted os/host/rosa/default.nix

@@ -1,56 +0,0 @@

 {
   self,
   config,
   pkgs,
   lib,
   modulesPath,
   ...
 }: {
   imports = [
     ../../mixin/cache.nix
     ../../mixin/common.nix
     ../../mixin/disk-config.nix
     ../../mixin/kmscon.nix
     ../../mixin/motd.nix
     ../../mixin/nix.nix
     ../../mixin/sops.nix
     ../../mixin/users.nix
     ./ssh.nix
     ./radicle.nix
     ./tor.nix
     (modulesPath + "/installer/scan/not-detected.nix")
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
   systemd.network.networks."10-hetzner".address = [
     # IPv6 address is statically configured, see Hetzner dashboard.
     "2a01:4ff:f0:abd3::1/128"
   ];
   boot.loader.grub = {
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
   networking = {
     hostName = "rosa";
     useDHCP = false;
     firewall = {
       allowedTCPPorts = [
 # ssh
 # http
 # https
 # radicle-node
       ];
       allowedUDPPorts = [
 # http3
       ];
     };
   };
   networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 }

deleted os/host/rosa/radicle.nix

@@ -1,25 +0,0 @@

 {
   config,
   pkgs,
   lib,
   ...
 }: {
   imports = [
     ../../mixin/radicle.nix
     ../../mixin/radicle-permissive.nix
     ../../mixin/radicle-stats.nix
   ];
   fileSystems."/var/lib/radicle" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_100506310";
     fsType = "btrfs";
     options = ["discard=async" "noatime" "compress=zstd"];
   };
   services.radicle = {
     httpd.nginx.serverAliases = ["ash.radicle.garden"];
     settings.node.externalAddresses = lib.mkAfter [
       "rosarad5bxgdlgjnzzjygnsxrwxmoaj4vn7xinlstwglxvyt64jlnhyd.onion:58776"
     ];
   };
 }

deleted os/host/rosa/sops/ssh.yaml

@@ -1,44 +0,0 @@

 ssh:
     key: ENC[AES256_GCM,data:9McivwROwytP+vM3VsrGja2Vo2WWYi9i3jWPEsE1CarT/pdhjhFu+e3WZwhBE76JKXBsUe5fXb1LLb3iZv1u7vPzKd3qH/aoxCsYfiNoEjndrIAVWG11i5Z4tfpRjEDrcNL3L9OGSYXHCGhTvGF+0EXZJGT4JzQRkD0CR85cvuR9BUzcCfNHJHzIrVPBAc4YFnja+TjCWPoL0K89sfEoZ6fmRsVKEan7Z8wrykFUK2NhmHCSdYSiTHUxMwegwLdPlIkSpV9L4ZT/4drbWmNsbjcgVPG3e1n9OqGXqAlpS1tZoC9rO56Ha2t1Pu5WZNH94ExCPVCZhjS2R2wFmdnUL7T6ehCjw3u99dCLHnmJm7p1er9Wv70iE1+WINq+kenqDvjHdpPOOer2IPwvCpdX16dw1cpaRC4ThdcO/5JNot1I8S0+wWwX2oErAUiz6YEClDjuG33yZJmQDyJFl2i8Hv/b8gGQHnuqOL3II2Ud57cs6E85CPCVOC8AkOPUSJktlMg3ZNX9zU2+XsrGFQA8,iv:6sRajQ2l+YJ7P+M2cUxp3n/am0UB8/OC2CVIxiSIcUo=,tag:tMAi8OKwgZtyh5bscWPNPQ==,type:str]
 sops:
     age:
         - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZm5Za1RlNmNzRnBjVDVo
             OHVUN2RSQU5QNmlncHp5VWI2WmZDc3dORUhNCnNHTHBua3JYUVhIN2NPNjUwZEMr
             ZlN6VnVacmpjTjAxWFJtSzN2YzZFYVkKLS0tIFBnMHA5Z1lBaDY4am1EMEZMcUdz
             a2JhT2MyeDNXa2ZuU3IrZ0p4citCUjQK8IlbOuXzo+vORmttF50ZH2OCqwUQ5Ktp
             BgjALcViNT+2O+s4O+j/T78rmbesRwMfTqKZwOKgwV0OXkJ/v5oEtg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Y2NCMk9LdVVoN1RkMEt2
             WjVkTFhDb2l5RnMwdnh1bFAxU2dUdlRySXdZCkk1VVlGWWRVdTFYek55MFFJMmhK
             QW1rUDBMcTVaQlhTZnFxZU1QT25aUDAKLS0tIFc2SjhZTkRqSHo1SFNidVRPS29X
             Y2NRYWtrQy9kQXJuWW55RVQ5TGF1RVEKjzTxU3mGp56T65TbxdPFHCaN+TMZIii9
             /5wtmHgnmVXo2aMCN2nwNmjXGwqd9nHRYbZF3LgMMYPCEs0NfUHE7Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbFVyL1F6ejZsSlg0czdq
             WHo1Ym9ZOGh0VHR4akRiaDRmMDhpZGwyV25VCnRvd1g1eXEyQ28wMnRiaVcrUlNl
             NjRxRUgxZWV1OXYvcFBqRlRWUFIwOGcKLS0tIFYvTGc5RzdhU2N0LzBLZm96ejZ0
             TGdvVytPRDJkN0JBY1ZjazVaU3RXSkEK2M65hrhfZnaigR3QMKj2VcJw8fwCdWN5
             aeRxoVkml23GWXyyYsf5jgIObKiOswiIbA/15FpeLqkea+dQOPQ52A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1edrvqxxahlt760rnnq990m2hmeezh4gzl538e2zg5j2axnd37vaqcp0x49
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL29DT0JsaVNaLzBYaUNr
             eXRYQmJERUdFOVh5dFltM3E3QlhCbFRIUlc0CjNxQnZzRlVYU1dQYXJtTEg0WXZD
             RE5NbGFybCsrR3VsOGJlTUttSmo5RkEKLS0tIHpGbUJuOVZ4TFhQVHNPZ2RDQzVE
             Mkk4YTFLU0xZa0duS3FHWEQ5U3d5WEEK4jkV6IKUOYdbABLXzL3ry78iAPCQ135S
             uCLO2extw+cvjJCTohyfhtsqCNX1Df37HPl1zQqpkKafByOAEsfF3w==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-06-15T15:34:45Z"
     mac: ENC[AES256_GCM,data:gbfrOmn+a+PbsB73kt73oqAU0G5rJi3af5Tywv0gSF9buA7zFh8pudFt0CpNIYQjzjqo+GgWaGH8A81A9slfDRduX/Y1XwPLGLae4k2M5jOMRlQvwQXzH01EdbpbRLfJqonrKq61iC7QgXTWM5RuUWAhnZBlhsPpQwfDszpzXIg=,iv:4biq+3GOLebhcMpohPeZrrOZ1iUTnXBK/zaD2j4NE9o=,tag:Y1YWuJ8/qxjvby+CD12UXg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

deleted os/host/rosa/sops/tor_hs_ed25519_secret_key.bin.json

@@ -1,27 +0,0 @@

 {
 	"data": "ENC[AES256_GCM,data:j99AWR4KoUEytey0+upZfvA7Edh6gqiVl2qoGxmDiGQxHqjdwSZcPAlD0j1+HTC9GM2p2CJRQyIQW+NlDUvjuP1SS46Ii3JwZIREXJxQpykbjKTFttQuUfZKB16Fiql5,iv:19I1cxJI+Ahyc8DLQuyRAQs0HLZmuc7VrstW4xmLqR0=,tag:HSX/28+OnznN4SjAiYle0g==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeUgxTlM2c3BlOTdjVG1U\nQjlZalNkWC9UQk1mRzFsQ0psZk9hTGh4bEh3CkxTb0NhT2JvMHJRWHNGRks2MjI1\nSXdQbWdXMDdPeGkwd0o3UTkzMVh1b2MKLS0tIHJLTzlkbVJBVjhKS2xTK2VIeCtq\nK0NzcTFhZVM3cWNPNXc1RFpmdk9VdWsKD9fyFi9j2H7GxNxO37hWSPbMT15vgRIr\n9e5caKVk6AZ/6tHLuhklZVAPU22FkmdxmSw3PE5gFrXDtlU7RsYYVg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSTBRRDdoeFV5VHdMYWZQ\nSktLOWxpRFZpVStWdVFrRXp0U3NlK1cvNlh3CjV0YVNyV3R1UysvbGp0TGsvZ3Mv\naXFVbFJUeGxwNlhLQkgvWkFWd00zdlUKLS0tIGlGQVl4SUxySWRGK01Nc2JZdEYy\nUHJJaHdIYk5sUnJvR3lLVytNVTM4NEkK2VE88iRZb7djWm0ySyxOIIASuuRNIcLZ\nLaEcW3JoOKcpqQsBANsgxLfA7VYfmc5uSWGSwq/OKnr89JB7gvuD4Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWHRVZ0cyMnlEZFltMG12\nNi9ybnlBTkZHOW1hL2s5emFVRUpNUkVxWEVVCnVxRnloOFcrZ1FjMmNCN0x2U3ZJ\nNjJtcDQzRk80djBaZjFwZndHQ0pveWMKLS0tIHZWdjFhMy9rSkFUN3p6bC8rN2pT\nWS9rRVZCdzJWbG5PTWFSZlJhSGIyQU0KZAvNOHu2R2lg8yIsT3P3rQIhnJYh1GkT\ncCm9vTm0e2UdGrCFbOsKouLNUySowsYwNQxyYCfzGCy8zcxWgbjNvQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1edrvqxxahlt760rnnq990m2hmeezh4gzl538e2zg5j2axnd37vaqcp0x49",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQ21PRVBxWk4yV2dRSXNm\nQ2M4L0xzZ2pCRllTY1RPWEo1N0trMVdJQURzCjhRT0JPYjRxUm9xbStUT1VqSXNj\nU2ZsTDVma0dYSTVsdE5GeDhDOFNzQzQKLS0tIDF6S3RLSlVXL3dpcTNVS0l6enRt\nWnEvYmhXcTBKb0UwY2RyOG9wU0trWUkKP4Myb4824yQA8E7nmoqJ8MeuLQiZeP7a\nBnq1lTYbi5V4ZbjOvNKsuHczp/UZbFZa1LVDfqzWdaJhaS3Zs8W4Yg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-06-16T21:25:01Z",
 		"mac": "ENC[AES256_GCM,data:ofQNg1OeKSn6KvIiwDJljEEi57yUdgtwcLUqNQxc6kIqMl7Rik6aSDPHzLX3x4L8CB/etE6XoylU9iHkO+ze5qQAheLjfVl6OZDC/x1XQ+XjCqJ5+530TbwV0xG1YhzoWvULtoxFb4+7nmEBGAd3sS3BfVpI9DF4mKYmnJd43FA=,iv:ynuVLkia1TR8wBEM++prEh5fFPIOK5CzXmkuEwp9ykI=,tag:dUumfBA6TTsuu+H2M2AAgQ==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
 }

deleted os/host/rosa/ssh.nix

@@ -1,14 +0,0 @@

 {
   pkgs,
   config,
   lib,
   ...
 }: {
   imports = [
     ../../mixin/ssh.nix
   ];
   sops.secrets."ssh/key".sopsFile = ./sops/ssh.yaml;
   environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3IXeH6/VO4oBUB7rr0TMfJyChcSINlZUrShC05fLf4 ${config.networking.fqdn}";
 }

deleted os/host/rosa/tor.nix

@@ -1,6 +0,0 @@

 let
   secret = "tor/hs_ed25519_secret_key";
 in {
   imports = [../../mixin/tor.nix];
   sops.secrets.${secret}.sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json;
 }

deleted os/host/seed/attic.nix

@@ -1,42 +0,0 @@

 {config, ...}: let
   domain = "attic.radicle.xyz";
   port = 54862;
   secret = "atticd.env";
 in {
   sops.secrets.${secret} = {
     sopsFile = ./sops/atticd.env;
     format = "dotenv";
   };
   services = {
     atticd = {
       enable = true;
       environmentFile = config.sops.secrets.${secret}.path;
       settings = {
         listen = "127.0.0.1:${builtins.toString port}";
         storage = {
           bucket = "radicle-attic";
           type = "s3";
           region = "eu-central";
           endpoint = "https://hel1.your-objectstorage.com";
         };
         garbage-collection.interval = "48 hours";
         api-endpoint = "https://${domain}/";
       };
     };
     nginx.virtualHosts.${domain} = {
       enableACME = true;
       forceSSL = true;
       serverName = domain;
       locations."/" = {
         proxyPass = "http://127.0.0.1:${builtins.toString port}";
         extraConfig = ''
           client_max_body_size 512m;
         '';
       };
     };
   };
 }

deleted os/host/seed/bootstrap/addresses.sql

@@ -1,12 +0,0 @@

 select json_object(a1.node, json_group_array (a2.value))
 from
 	           addresses a1
 	inner join addresses a2 using (node)
 where
 	a1.banned = false and
 	a1.type != 'onion' and
 	unixepoch() - (a1.last_success / 1000) < (60 * 60 * 24 * 7)
 group by a1.node

deleted os/host/seed/bootstrap/default.nix

@@ -1,48 +0,0 @@

 {
   pkgs,
   config,
   inputs,
   ...
 }: {
   systemd = {
     services.radicle-bootstrap = {
       serviceConfig.Type = "oneshot";
       script = ''
         cat "${./addresses.sql}" | sqlite3 "/var/lib/radicle/node/node.db" | \
           jq --slurp add | \
           jq \
             --raw-output \
             --arg serviceName "_radicle-node.tcp" \
             --from-file "${./zone.jq}" \
             > "/etc/knot/dns-sd.zone"
         knotc -b zone-reload "bootstrap.radicle.xyz"
       '';
       wants = ["knot.service"];
       requires = ["knot.service"];
       path = with pkgs; [
         jq
         sqlite
         knot-dns
       ];
     };
     timers.radicle-bootstrap = {
       timerConfig = {
         OnCalendar = "*:0/5";
         RandomizedDelaySec = "1min";
         Unit = "radicle-bootstrap.service";
       };
       wantedBy = ["timers.target"];
     };
   };
   services.nginx.virtualHosts."bootstrap.radicle.xyz" = {
     enableACME = true;
     forceSSL = true;
     serverName = "bootstrap.radicle.xyz";
     root = "/var/www/bootstrap.radicle.xyz";
     locations."/".extraConfig = ''
       add_header 'Access-Control-Allow-Origin' '*';
       autoindex on;
     '';
   };
 }

deleted os/host/seed/bootstrap/zone.jq

@@ -1,22 +0,0 @@

 to_entries
 | .[]
 | .key as $nid
 | "_radicle-node._tcp" as $serviceName
 | "\($nid).\($serviceName)" as $name
 | [
     "\($serviceName) PTR \($name)",
     "\($name) TXT \"nid=\($nid)\"",
     "\($name) TXT \"version=1\"",
     "\($name) TXT \"network=main\"",
     (.value
      | unique
      | to_entries[]
      | .key as $weight
      | (.value | capture("(?<host>[^:]+):(?<port>[0-9]+)"))
      | "\($nid).\($serviceName) SRV 0 \($weight) \(.port) \(.host)."),
      ""
 ]
 | .[]

deleted os/host/seed/default.nix

@@ -1,105 +0,0 @@

 {
   self,
   config,
   pkgs,
   lib,
   modulesPath,
   ...
 }: {
   imports = [
     ../../mixin/cache.nix
     ../../mixin/common.nix
     ../../mixin/kmscon.nix
     ../../mixin/nix.nix
     ../../mixin/motd.nix
     ../../mixin/sops.nix
     ../../mixin/users.nix
     ./attic.nix
     ./knot.nix
     ./ssh.nix
     ./tor.nix
     ./radicle.nix
     ./grafana.nix
     ./victorialogs.nix
     ./files.nix
     ./bootstrap
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
   systemd.network.networks."10-hetzner".address = [
     # IPv6 address is statically configured, see Hetzner dashboard.
     "2a01:4f9:c011:b666::1/128"
   ];
   fileSystems =
     (builtins.listToAttrs (map
       ({
         subvol,
         mountpoint ? "/${subvol}",
       }: {
         name = mountpoint;
         value = {
           device = "/dev/disk/by-uuid/e55dc01e-ecab-4cd2-ad08-e773615f36fd";
           fsType = "btrfs";
           options = ["compress=zstd" "discard=async" "noatime" "subvol=${subvol}"];
         };
       }) [
         {
           mountpoint = "/";
           subvol = "root";
         }
         {subvol = "home";}
         {subvol = "nix";}
       ]))
     // {
       "/boot" = {
         device = "/dev/disk/by-uuid/5d17c66f-46fc-484d-be63-b21786e61af9";
         fsType = "ext2";
       };
     };
   boot = {
     loader.grub = {
       enable = true;
       efiSupport = false;
       device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_30473871";
     };
     initrd.availableKernelModules = [
       "ata_piix"
       "uhci_hcd"
       "virtio_pci"
       "sr_mod"
       "virtio_blk"
       "ahci"
       "xhci_pci"
       "virtio_scsi"
       "sd_mod"
     ];
   };
   networking = {
     hostName = "seed";
     useDHCP = false;
     firewall = {
       allowedTCPPorts = [
 # ssh
 # http
 # https
 # grafana
 # radicle-node
       ];
       allowedUDPPorts = [
 # http3
       ];
     };
   };
   networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 }

deleted os/host/seed/files.nix

@@ -1,56 +0,0 @@

 let
   name = "files.radicle.xyz";
 in {
   fileSystems."/var/www/${name}" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_30083854";
     fsType = "ext4";
     options = ["discard" "defaults"];
   };
   services.nginx.virtualHosts.${name} = {
     root = "/var/www/${name}";
     extraConfig = ''
       add_header 'Access-Control-Allow-Origin' '*';
       autoindex on;
     '';
     enableACME = true;
     forceSSL = true;
     serverName = name;
   };
   users.users = {
     rudolfs = {
       isNormalUser = true;
       createHome = true;
       home = "/home/rudolfs";
       description = "Rudolfs";
       uid = 1003;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPueml1FxzjvwbD7vRZfwoaoyuxLy0L+WLBwSNiVoJe5"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTYHe+FdhR0YUTPfl26z6nxnDO1+R+/fjYH4IpnH4qC" # recovered from files.radicle.xyz
       ];
     };
     lars = {
       isNormalUser = true;
       createHome = true;
       home = "/home/lars";
       description = "Lars";
       uid = 1005;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBppC96N69P8CxDm1jJhcutHLKWxJG4ew4R5b1A4WgKs"
       ];
     };
     levitte = {
       isNormalUser = true;
       createHome = true;
       home = "/home/levitte";
       description = "Richard Levitte";
       uid = 1006;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxmgD3GmoPY/y9LZy51e5V4pTS87EPjKhOt8yQXUuW6"
       ];
     };
   };
 }

deleted os/host/seed/grafana.nix

@@ -1,35 +0,0 @@

 {
   config,
   pkgs,
   ...
 }: let
   domain = "grafana.radicle.xyz";
   port = 3000;
 in {
   services = {
     grafana = {
       enable = true;
       settings = {
         server = {
           http_addr = "127.0.0.1";
           http_port = port;
           domain = domain;
         };
       };
     };
     nginx.virtualHosts.${domain} = {
       enableACME = true;
       forceSSL = true;
       serverName = domain;
       locations."/" = {
         proxyPass = "http://127.0.0.1:${builtins.toString port}";
         extraConfig = ''
           client_max_body_size 512m;
           proxy_set_header Host ${domain};
           proxy_set_header Origin https://${domain};
         '';
       };
     };
   };
 }

deleted os/host/seed/knot.nix

@@ -1,201 +0,0 @@

 {
   pkgs,
   config,
   inputs,
   ...
 }: let
   writeZone = name: text: pkgs.writeText "${name}.zone" text;
   acme = domain: ns:
     writeZone "_acme-challenge.${domain}" ''
       $TTL 600
       @ IN SOA _acme-challenge.${domain}. ${ns}. 2024060801 7200 3600 86400 3600
         IN NS  ${ns}.
     '';
   update = domain: ns:
     writeZone "${domain}" ''
       $TTL 600
       @ IN SOA ${domain}. ${ns}. 2024060801 7200 3600 86400 3600
         IN NS  ${ns}
     '';
   path = ./. + "/zone";
 in {
   environment.etc."knot/common.zone".source = ./zone/common.zone;
   environment.etc."knot/secondaries.zone".source = ./zone/secondaries.zone;
   environment.etc."knot/bootstrap.radicle.xyz.zone".text = ''
     $TTL 3600
     @ SOA ns1 lorenz\.leutgeb.radicle.xyz. 2025101002 14400 3600 1209600 3600
     $INCLUDE common.zone
     $INCLUDE dns-sd.zone
   '';
   networking.firewall = let
     dns = [53];
   in {
     allowedTCPPorts = dns;
     allowedUDPPorts = dns;
   };
   services = {
     knot = {
       enable = true;
       settings = {
         server = {
           listen = [
             "65.108.87.205" # Hetzner
             "2a01:4f9:c011:b666::1" # Hetzner
           ];
           automatic-acl = true;
         };
         remote = [
           {
             id = "slave.dns.he.net";
             address = ["2001:470:600::2" "216.218.133.2"];
           }
           {
             id = "ns1.he.net";
             address = [
               # NOTE: Looks like ns1.he.net prefers to receive zone updates via IPv4?
               # "2001:470:100::2"
               "216.218.130.2"
             ];
           }
           {
             id = "ns2.afraid.org";
             address = [
               "69.65.50.192"
               # NOTE: afraid.org seems to only pull and allow our A, but not AAAA records.
               #"2001:1850:1:5:800::6b"
             ];
           }
           {
             id = "puck.nether.net";
             address = [
               "2602:fe55:5::5"
               # NOTE: Only our IPv6 is allowlisted on their end.
               #"204.42.254.5"
             ];
           }
           {
             id = "1984.is";
             address = "93.95.224.6";
           }
           {
             id = "quad9";
             address = ["2620:fe::fe" "2620:fe::9" "9.9.9.9" "149.112.112.112"];
           }
           {
             id = "hetzner";
             address = [
               "213.239.242.238"
               "213.133.100.103"
               "193.47.99.3"
               "2a01:4f8:0:a101::a:1"
               "2a01:4f8:0:1::5ddc:2"
               "2001:67c:192c::add:a3"
             ];
           }
         ];
         remotes = [
           {
             id = "notify";
             remote = [
               "ns1.he.net"
               "ns2.afraid.org"
               "puck.nether.net"
               "1984.is"
               "hetzner"
             ];
           }
           {
             id = "transfer";
             remote = [
               "slave.dns.he.net"
               "ns2.afraid.org"
               "puck.nether.net"
               "1984.is"
               "hetzner"
             ];
           }
         ];
         log = [
           {
             target = "syslog";
             any = "debug";
           }
         ];
         acl = [
           {
             id = "transfer";
             action = [
               "query"
               "transfer"
             ];
             remote = "transfer";
           }
           /*
           {
             id = "acme";
             action = "update";
             key = "acme";
           }
           */
         ];
         mod-rrl = [
           {
             id = "default";
             rate-limit = 500;
             slip = 2;
           }
         ];
         mod-dnsproxy = [
           {
             id = "default";
             remote = "quad9";
             fallback = true;
           }
         ];
         template = [
           {
             id = "default";
             semantic-checks = "on";
             global-module = [
               "mod-rrl/default"
             ];
             zonefile-load = "difference-no-serial";
             zonefile-sync = "-1";
             journal-content = "all";
           }
           {
             id = "primary";
             acl = [
               "transfer"
             ];
           }
         ];
         zone = [
           {
             file = "/etc/knot/bootstrap.zone";
             domain = "bootstrap.radicle.xyz";
             template = "primary";
             dnssec-signing = true;
           }
         ];
       };
     };
   };
 }

deleted os/host/seed/radicle.nix

@@ -1,24 +0,0 @@

 {
   config,
   pkgs,
   lib,
   ...
 }: {
   imports = [
     ../../mixin/radicle.nix
     ../../mixin/radicle-stats.nix
   ];
   fileSystems."/var/lib/radicle" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_30473554";
     fsType = "ext4";
     options = ["discard" "defaults"];
   };
   services.radicle.settings = {
     fetch.signedReferences.featureLevel.minimum = "parent";
     node.externalAddresses = lib.mkAfter [
       "seedradanrg2oje34eyidx4z63gpuakgaedaetvt7xxw5whv6qnexmid.onion:58776"
     ];
   };
 }

deleted os/host/seed/sops/README.md

@@ -1,7 +0,0 @@

 # attic
 Generated according to <https://docs.attic.rs/admin-guide/deployment/nixos.html>:
 ```
 echo "ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=\"$(nix run nixpkgs#openssl -- genrsa -traditional 4096 | base64 -w0)\"" | sops --input-type dotenv --output-type dotenv --encrypt --filename-override atticd.env /dev/stdin > atticd.env
 ```

deleted os/host/seed/sops/atticd.env

@@ -1,15 +0,0 @@

 AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:wYeacjBaA8cNHLn2/WFH5kDyGQxaGg==,iv:pxAQ5Xspo1Ypc9C6L4ForarorsjcYPCaR43BY95EMPo=,tag:yogfcwbFXTFdSTAmk/vSWw==,type:str]
 AWS_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:kMO1htvj8LO6XaSlu9cKOa9q68zw+xy5EFKdFih40IKaU0WXDo4zDGeV,iv:a+4IYJzq93++bLhTCRKslFRD/68aefFhIrs6wCf5CwM=,tag:amBQyEcQht7EglyeVOhEXQ==,type:str]
 ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=ENC[AES256_GCM,data:JyilKU3oo0mZ0X6mH6vUd2mK9bxSlsWJfEQs5ZIdFK9FduQRsvx+G4nAXKLJaY8yqspiS0YEoXwsVtY49ldWEh4qNocHw3K/oCBk5FLT9BTi+yKnAhxLb2h4kDB7L6NaIjPwMBkMuESXxrd0mdbStXwJYI1t9Xm3ylW2AW8YkBORbZKGcmwS4iA5K3ssRas1HOJBS6JIMuEDYBaUSEHnDTccmbLZ6yR53ubFM9u1hxYxPaf+HUvEXz0jeCtLvJKL3CYIKdhIcOKwAU64COc9lpFlTuFz7f3GaVfZQNBMAgciKnJjybXeS11Cwp30Qe0h46NFMhVfQmf91Ko4JONBOfH8cWowEfT8boGwb2EXZB979nnLiMJC808OhABVo69L4UPqtIZZgsIGe6ImQWtM5x9yAT+SJOpTgZzEOzDXwzROcWC0bIEpgFucyG1aiqUvOd9Kf51Xffx4wxbtHYfgTR+Cwl8HpT5PuOrg2L2beeoFhtpnBASE4E4B6wlzV7l0OyQS8RP/ZitftjkDFE9A+R6vY7Q19auVxS8TGL7/q2OLFGvIPdW8uYNZ4oEWOzv1XCgzLsX2w6bLVhCL3STafCioPH4ApsgV4Kj6a9uvf5mgvI7Oo05PemnPjG3XFRrYxS6HVDFZyR29JTnQJkDT6k6JlUfhI3+SQ5ARxHxTIR5c1KAgzw4kZSsw8LKnZ9D0VqNBSyaxzPKdh9mh86bgEJLkCtXB2RsVb0fZ1Pwrzyjnqu9rH21FRFhRkSnImjloZzB2u5gaEYoddwBeMUMmxUD30QOpotjPhCwV4CGg0DERyQjgK3GJFSXsLl1ZI5xfSyWjlAGNHszCywxP4WPbiOj4i/y61DOOIuD35OiTSyK6Ujgo5gRUrLJ6Xme9EMaZV/UrknsiQln4fflEF1Ff6Pj7ilznsLIpb5/XW3rJqTRKdCyArwRxKqvUmL50UXMzyk2YJizIhCmQbuIcqQkpWq7lzog0RELbQPwmTtT3XkrZ+TyI/dRvnBY49+Fcl0iFTf5h2dJ8jjxB5R2rzEcfW7S8NCB5m501Ncb7SXsj/R8SW5x7ekuHvQX1XvP4EjM7aA9HQCIzVZoni6kOs1yow4TLc1dKTWglYejyFUFM2k+XpOB/TWb+XoSdr9pDP8jlyF6GOQHW+f5aXbC6s7LgYRI6ZfPJgk/8L+KGjLBtrmIXUaC1eLASoYf/l4qllEOsP91uPxHExxR6hxtJvznEGRryfL3nQE5UPDNDKAusP4ruPuy4pfekwK8EeMtuExrEBLjwCZfVKSXA6KMWwB5H8vb9d9YyCICZXRvqVAmOQDJ6LcLAALx+JlkBhiDvbsn61Hsg6aa5ftXoO8kxblMv88P4eVjU2rTF1QmO3ooGPz0FJCnd0jDsCQMfBizTNhnInrk6McCVy7nVQp7qhiUSn2CPPcg0Fw1g9arK5uTzve43EbtjRxm13JTLUcNNmRv4+8rSUT6MaK4SYCt/sMtYasG8g60/qeZ+UG6Yx5m56CHjS1COmf7frN9ark/6qlj9VmHwSc/zAJLPEWCHyNrYnwys8uAXHYXoQgUWK+fJw3YGIhcwLlDQ5cj3vv43tpC3aw3R0hkVR60PuajqmGYk92ZcKAYTp5VL1HVjkDiRzRobDydrYG9tieNu9WvgS2ky5NQ0xSnpp0IWdB1T/NuDriIjBW6PiX+xlC97BdFIRRnhPiGuNozm+i+kMoOlp0EQ7pfwPF6ga5Ymm0xAcX33IyTt1QFQak6JRdKgskFUr1BO6/LPnY16ItIGomn09pxdKuQm+kEPqgU9Evk3mcOyrijG4AXQqRHw+tlSCwJutrCx0/zaRQnZf/CBk80oRfL+gtGFnjoCgoQ4XkWPXIqLK9wF240ltMu8zAWSp/PqM8Uhc5TwBAzB+j820TNybpIdR+riJwr/h28e6ZW+HGW0bI95CmoBELBbxGzftpxGkeiQodSVf4RzEyPuqsgdNQ0XHyku+68LmvnJ1ENDsyWRkkWNFjW4qnpJMvkrvzvLlrXLHjAqYKj/SgzGOCcuH1v+BZtoVENn8u8+hoWg3iBMq6N9Su5xy5VM88nP3ukcdDYB+4nZ+MCO6Sl0tfOxDSsFEz2Le3zsrzgL43We/CpdAU3UMMHqn/sLgc4e7dYh5/1JLGiin+fBLd68BlVVovmjJTaWEZDjin4GSlvL5+70dH5Po3U42JH6QUPcWEmMSuqRcgb9jLzpzc+iORJE4Y1rJjQocFFteDruz2E2YD4wCEeOqVqhHnXCnli3u4Eab91Xkkpq5DXKUhsdnCmugtaeYw4mbVFbXOGxHPU6KIovoe3m5Ly3tzbV+9ylKLQg5Ndjat3jfhOLaSww8S5l25M8SKjnXMP6AiEX6R7wnddzankoCG97qoM/3GLuWOPX5nhedOQq4BgC0SILVUTYfbQRlCPLNoAFHDYNjBHoORoAZZ+I+BUNnEAdzp/wjpzZk5+zLd/RkKvrBgJVF6bsMkAYak0ybf5C4++22fPND4ooOFDBAo3ATb1ZIcCmaVipfGbiOK8mFZjCBweNBUWb2kS0poRvBxvmWkdnO4RpjbElFfc3Tr9jVBNwnTihak5n69+7t5fKdadogJb1iGzK7JF7HLssyDu2WgVa+ye6e+6re7Q3X+rNgCjjslTa6SGs3oRT61L6cSAiBSr8Lmra79Yt+Ovj9xVTROfdhocPZhlWDClQHsWkQGS7hL7G7GX45Js6e3l6/OlU0/dm+ogO8Rje0SlRUcSVy8jz/c6nEArjy22iFBQtKP0Qjm2dxvHRbqXIbD5yFn3LGOgsgz5cjd9dJmXRs0aqTIkQcvM8LOdvX8dgFr8yrtRfpJ8t1/3hwjGFvexCSlNHZVODglMfeeETy6gbVXTbq6YkyT0w3rXtcruVC/LlOSdT4D9To2nbAmx+3sensyBpK3eDirhkVBteHfEjhV2dZzKTcW1N7XgsNwh3MBnWBrUMqQED92D1S5Zn62mFXZVr60QNT5hUBTp+UlEJTtyQopsTnsueGlwOO5n8CJWS007mWFV7B9Ok3idE4SM68Qt63BBHAshXLiWMdEHaJ5ww6J70hVYGDx5UoiRq7QncvCf7Tx688p7Q57sjczFuj7J2T4IxcjSLQ3F5em6bSTdl7dn0faJCMwxA5OStZ3FhrwBqq6DJW4MSj+tYxQAJRtj98N34dQyMKn4n9mUmdhLHAJuqnVBqNnRBt32UfSXOd0vmylX8bF5jK62fNaj9KKo/t4X7IRzpkPi6xOCSo2zlulfiAek0n7UIRm2w6O4t0PiKB6PflHVdUiIa4bVli9fLVb5EIbsb1MoO/f89yVbcLIaOBrVKOndhC+rzCM00Ln9rdgIq2qY6Lkc1DYnW8Io1lFiHy4yKbt8IacM7GqF26lxp8WlvEjRx6eHiPY/EOZeTDagp1pqS8gEv6Gsc8Hc2+uvKIKmcTEvxzJ6iB6TOMzhaaXk5GpfMT0C11jp2QnNtlaNNmNODXq3DMpQQcZUXXrT3pgP7gZLGxpeJ3bKxiNIQ/aHw6navg6d5f5RJDNCykzcbs05092zEMb/d/cYaIAfn5LwJNz21a/xKx1UkByLA64iLrrF91ypAy1QbgPLY2DX3jkhNLwXggEhE6w5m26K+K0byPM8qzYDom0tz+Cv7LSkZi3nYaOwnqlRQo3brimajHQZkGtUTZ8BVpQeQZ82wXG0KLZTJQWnvrYtjRBnkQznO+J3jS6jkJNym/L849qSzM+ECBLJdg9OnSaLzRChBJgjfCyAQN+EvDVIfoxnnsTLuDwbu2An0LOa10MJIiF5aZ4ti2e8FTvTJQ1PPlazH+gkMa9tsRRIt21sTbXuEyIMf4RFlnr9O+06gm4KUQ48ToHYcsJuEuJAU1Wd/H37vjdZYsTaFEAOfW6iigWDFCJ7B9xLNH1K6ILHDx/MD6wiiGt8BKgErXITM1hV1EDH8CPo7SCYm3kzjG32T1+pxWHeJuC6OXeHeFMg3FRlbBCs4iHGqtmE8xdPxxPJe3isbqsqI53ceed/hTfdtVKtsE+Y0AILL99rGzw2Kb97yFSBH/U3W8JreUSuhSHPX/A1XHwHtd9GUpD60Pd8Q/e0RYRUI4Y08xYvx/yjDt7tdRae9DIUzEpj13gTUW8lQCt3CKYydazHinAQ9ps6psmCR0vDdmFdxHkiZJ7VWatUICMlHpwpvgaKm1tWWryn2SmVee36bxoFUndBDKbEDjlc9hoY+szSmAHnWT+jiC5dgM2jztTqcqxnwfM06IB7b2QQbd8Aq8cgZyolKtgeiDzLBzNoMPxj9rXo7BWokEdacvTAV5l+MEJLpFR7XWPWHYzva4ig0w2Uy/az0auAmcmBlZdQXaYH2NnkwaLX4Q7S4zGXKIGi7/2Ww1E4bT+rlJZJ8XlxJejYrFo2FrjYgo42WQqdVHlRMZeY1Bp1czNKMV7cGKdRso5gbrIXAPXs8k7lZwa1l2r7sJmJBKg++Bv2eTGUHl15kkpbO6rTCQIt0gSKbR9nERzpqoMXIFItnu5LrWrCdsn8OPXjPxOLqJDztX1NAt5Cv2Ca4y0bCIyqZ0IaiFXpQiYfHQAwW2qPOaj+DUezGyuh7JKW0WtNySPnb4fjxAlbTSb0pkCpPk72U2nzobn87A+CzSAH4ZR5UcvNRGTiYJCElAIJLYZb18E4gDhoa0+gxSSiMXt74DlkTLGpOB0KTBIam1shblLZUANmUodwRoOcUHn5rF+5Loz3JKLB6HZZUsp5Kzih2yYYywh+J6dIn+KIWQ5sq0EPfR/wP6tcOGxukjeeLmquIuY6ZY99mD2aJfMJ82Ck3P5BYnDjwP/tZl6jLYHDU79ViZ4ibtWgNWuVgdvRfegxiLEgv2rlEVrQ76adjUtvXDooZx9Kz1g2X4UKwLoqXzpXPuUwHHGZGOpeZBrJRcDCb3jWPmbKIGqUzhhvXTIyymEgNyVvtByNxc92F6yex1RbgtsD7o2ExsL4PPPbxwDsOgtT1wIpvEmCoISkHuS6uilIlD5BAPuSYhuen3WnNsIEhM/r5u+uFtjf2Reim6PG2cHwBWy4MThwNZ7CMQE5sXH3I0qOogQqgFuzHRUgOk02wNAi1HxSTx6dmvOcWBAR6JsxSd1QbKPa1vWRsG7XNe5d8KNamn4JEDhXtRH8a1DQH30dPpIDGYxMV+AcbJ2dbRkB0ehJoz5VZqbDr03Fbt2jkFp+0QMUyPr7VxDuaw3grLQL2tbhEF48ZFGNhn97mob06jaQyBFQMOy33hyEU2AJkZdZsb2QLh1bmT44D5GkLH804mPbSBdVr2TGYsZqF9tlT5kOIkLvg7bLQIEqpo0ykOjr1c22N+qCQaehnN9ZfKn2KaprPqz/1JpcvrglT0hmkLmRvjAxmlHdjHmhKvp6r0qFcxYfWOgDVtXFMNKM46jd6Jnl/DYYJjbb9To2AjP1/IQazcB+aIsjz/Yll46Tw4zCqohlXbCny7rWap+Gns8IYKb+VHzcsAiOU5A8/ZVASRUO4L0URfUsTmgy9zIslbOgaQa991S8KDCVPH4D2Qledqi5oWyj+MaHbX9PVIBxXqLVXwDFkLS3qbRcS8DTcjhV5tIW1fNaePmRvZF+TCPLsRSwvlTGyw2zVg2EQLmTHiv79q+xYLYs4nTYJUaENEVq8aisCLFgiF3/iN9n/Rc0z/jvSrR5nEFNjUFTLUhruWBWSNj1ruMGMRjVTXcOKip/vEp8fVb2EoOdWt4po2KYr9x2WkcCQIXlYn363aOqTlmzR6Oo=,iv:c1JfPUkfHPSL1BGdQBx49C/H9i+w/+W2RZdYYzVFe3M=,tag:5z6b2SgxzvS3wzpjhI+FEg==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aXdySHF3WEVvOEJtSkhw\nYS9WL0VWa3d1cjF2OEFRZHo4U28wdExsOFVrCjlLczc0NjR1SUh0SG82NnpmdUcw\nTUp1Y3RqelRlMU43VVM4S0FQeW1TSE0KLS0tICtxNVI5Wk5qL08wNS85ZGQrcHor\nQmhQT28wN2M5eFhxRVJsSDU5SE5IQjAKzBP+0Bz5eTSksZVtcm0cQcy+gdRuFZo6\nmbG46bAD/qljCYY/fh9UBo0obAL2Dzk5DxlR9apv3QDrWxkZAhckMw==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaTlNaDkrWnhMR0lVdTFV\nRkU2THgzVEt1N3hBb1pTSW1vc0VFQjBqSjBNCnhqM1RTc2xsUDhpc0dvMjE5M0Ja\nemdwYjBhK3k1YlZwTGNZZE9qcHYxSlkKLS0tIDF5SGVrVm40L1pRUFplaDBrNXB2\nMVczVWdMdEhvZ3BtaE5veE90VjRDMVkK3/I0ymsAJF+4B7rF2bfKnGtLkUYDQBA/\n42cnzqE2vbyZUKID/hnAaSAjsT+T4sQ/3P/UyKQVBPwfaZquTfDfaw==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aytrNUFrTUxua2p4YUpz\neCtNWFp0WEZ4UkZ5a2h2NEU2RkR0aHUyRlVNCnplMy9RWXhXL3BWQ2pudWxiNk1C\nQTJYWmZ0U0wrVnRHcm8vSmVmTFVyZGsKLS0tIFRZVFBpQ3RvU0FtMGhkSHg5K0E1\nUlFqV3ZtTDMzSXhQOHFwb2RQMXJjR0EKbbZKum0xP2OomoJ7O4SYgejEbc6wGskG\n4yZUojl/MO1QRtR1tzoJBuUOQ3/KDnvouotMd4rMpx8Nh0zyXuXY3Q==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
 sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZXRFclBTRmlzcGtpS2VZ\nZTRuSTJSOUpuUXpNbHltczV1N0RtTFFMd1NFCktvTGhrc0RJbGorOENKVjE0Mno5\nVDVnYlFNc3hHVHJkMlM4b24vMG9hWVkKLS0tIE1HZ05Qb2tpbzVNRDJjTk9VS2Ux\nWWFIVklQSGxuV3RvOUdVQTFOaEplcmcKfp3CC0Aj94vSEHwG1v9/fYrx/O0uA2k/\nRtwZfYnqAUeFbUKAi9ttF1bJNAuTjdA5JSKwmjcaJtE8a4oHyTLWQw==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_3__map_recipient=age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4
 sops_lastmodified=2025-06-05T10:03:06Z
 sops_mac=ENC[AES256_GCM,data:nhnq7QeH9PoHrTHI8arecxgjd62nneAe+GGQ4e2wR4LFLx8QXSNTnNIEH9SAmESqRtnK+lTR0Fd8LdMcKBP8u0bgDfDWtMM7Pkk659OyuJjqyNw+BGbFamHPOWesOJBaeMkETbiSQ9RiOBW4E+y6FUDMTg5N34TBIUilFpwp2kI=,iv:KjKcELRosjglTMNCsE06iEUJINL6EMMpZ43wLaP/12o=,tag:jjt0tWPHwe8DAGiP5UOtNw==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2

deleted os/host/seed/sops/ssh.yaml

@@ -1,44 +0,0 @@

 ssh:
     key: ENC[AES256_GCM,data:KjPrmSW5uIZ8BZqfM710+x0U5KiPRjwyX9VWbRoxfG3mpcesN1hQm2tUCuSmBk7e0HttuHI0sVX4lv6jcAG5pH8wWTISyOIytzOToZnO17gKU4T2P4dufly0+94PJAmeuMUlNJBTxDLbUIM1rxwatfdKpGEW6NT/0ki0Jwpm6kfc2oUsVsj/YvrBgdzjRR2wligdj9LlNR51Q52vwFEWBqKsOiJFoXaYANV4nH/2Bvtpt9K+ky+0ekUf5Pfacs5wHoUt0pnjCo1hZlR4IZrXyvktzHTlB1IRM2xAXJMTycOcvqedBwWZRnzPm1JOXKoKBBk1jvBlOblO8RCYvSawnMeJuLBuq79IrtKrkmdtXBIU85sCGr/Eur9CRclcCBUOHreNI6jsIxDUYtVUrnqwBuI4C/cZwwqkkGVeAn5OKAXoMOvJyTeadvoX4sK0Jiw/yZpWleBy8v0qZ/YMwryYEhUxu26QcL8ymMPl98k2xtYBr1qpcCHbwzNYA1TU2siCmXcYseLAERSTNy8nK4MbclZ68bOvyazIBIdCr5R7nNl33r3p1eEBLKmpr7bn56b2O+IyGMRE0VQvPSsB,iv:wbmX5MPvrZKehE1lNCoL1V0y6i87uS6VVNJ4ijpOPgc=,tag:/82F0SLAfy9DdWEIHB1vLQ==,type:str]
 sops:
     age:
         - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQXU3d3cxVEFaRm9ROTlC
             bHE4VUREamJkMnZveWFxem9ZTnY0SGRtRFZZCk5tbTNXWWZITVZPdzRlNGNnV1pk
             T2xhUzUySk5vN2NDY0JVclFwUFM0ZTgKLS0tIG5Pd29Fazk3SFdCWGJ5NlVqaXQ3
             WUE0RjVPSDhwYk1KZDhHU0ZXZ3ZtK28KxrvCTc/tOh+sBlIDx//X+kkKt9bWnU6Y
             /wctm5gK+D3Bkol+l4hfAPmvn2GU34lEoZkOEBA2IhHTLZzNc7+vjw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aFdoRXNHcmR0ekI1ZytN
             VytjdGhlNjZqZFZQd3hyWWZnS1BoRmZmN1c0Ckx3cWFhVnFZT0VtU1R4RGJjcmZi
             T0RETWtVMFVRNTVOMWQ2aVFnY2NGdFkKLS0tIE85bmRPVjBZenIxenk5cWtvT0Q5
             UUdkekZQMVpVYlhudVBteTM3NTdONjgKruh5uLD5cikj6Wx2NvZyduazhl7wRkWP
 MJxRjMhbmYY0vsa9oJ0xN1LFcpV6tVr7n8D1GapsJwO6bcETwfT8A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZExEc2lsY1RCVmM2eElu
             OGozMjJEb29UdkJ6RXNtSytFQ1hlZUx5R0VVCkFaMmRlTGd3UnBBNVJNOFdVWG54
             MkRIc25yVWRMdTdoN01qQTZUTTN4R0EKLS0tIFR2MlRCd2N5SXd6UDVCNC8wekhv
             SG9IVlh5eU9jNHFWWSttenFBUG96RDQKzVuI9+WuiCbfQuYsW9uysI9Qs6XqpEXa
             gSmaNseJoDtlOVocYRE0EkOy9JhaCih1CwZqrByIfgBUG9g2y3VdNQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzODc1YUd2QUNxcko1R3ow
             ZG1IejJHb2oySk1EQzNDbTdzRnoyWmxZbGtnCmZvNDdJNDlZTDVuR2dsN1ZlZFl3
             MXpqNU52ek5jbUVaZHdmWGVSSlNOOWcKLS0tIHZHR1pXU1p0Z3JWQ1pSbE82SW14
             ZXZGT2UzRzlXVElaazhRY3RHbXE4MFUKGirCy5kdGzxXgjis6tYKi6JoTI0H16al
             Pic4ZAIO6U6H+Q39hobW/gAl9wU7s+pf3fxrzJRI1twIQNPa3zc2rQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-05-19T22:10:45Z"
     mac: ENC[AES256_GCM,data:/Nj6F8rt20KcRFjRiOcxAFNgms6nT08V4w+EU5E7l/CY+KFLrffn+lV/wwLDrMR1m8frdSOPNMayO2V2v9D8dXbXmdVPfb+/AqOU3RTT5cAJ60ZCtoiXIxVtj3Z0QeXpNMA0QvS0h9O9C7KBXf53T2WPxLVKausHwHqyUIWCQjc=,iv:ZaF/0DPy5h7tbigqDHgQvHb+5PzGB8WsdX7MxY4vX9k=,tag:+JDo+a8P9rpGZ+Bsy++dkg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

deleted os/host/seed/sops/tor_hs_ed25519_secret_key.bin.json

@@ -1,27 +0,0 @@

 {
 	"data": "ENC[AES256_GCM,data:D/cXb6sOPsORZM/Zsdk5FfRBRhHGD/SGaezAoVpVl/5lolA7AMaqSCqy4Qz4F81SIqN1hjUIxUIdlGXNVs1640zmI/s8PzyWGg/M5KDTtfTYq3b36L2woLx61k1Awue2,iv:mUiXQYno3B3hISYGHFMN9nqPQcLkpoxEI7LkVSBsmgw=,tag:D81gC3RnwNtlR9crZXQ77Q==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTS8zc21zMktFc2VHRGlx\naVp5R2JnMGhyUjBHbW8ycERhcWlsdFFxeVNZCjczRkc0QTduTWNZRnlxaGFEazFR\nTTN5QnpMTFdVdm9IUWlqalR2QXFKRXcKLS0tIDE2eVRtbm1wVGtWc3kvcnZwM0JU\nUXlQcUh0N25KMUJmUWpWLzh6cnorRnMK2343WqgXGCD0YnQPS0yY65m3MfofI4qj\nPlJ55ZMEUeM5mDkCoIyrucG55yfqgETA6EhQsHenA7R8NvNOqnWSAg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNStPM2dHaSs0ekVEVHp5\nNFM3Sy9rUktiV2Q2bUI5a201WEVHQXk3RUY4CjZYVnFUdnBCQnkvdU9JV0NNM0Zm\nS2haeHY2Sld1UGh3dWtrNDUwZXNGY28KLS0tIHh2bDVtVTBsMno0RGpuOXhnS2pv\nVWlqTE85Tzk2OXpLRVdOWXh6YXUra3MKsmotAB7ZzUEhHrnw7ArvFaZETU7NMZ1s\nqAlJuc5aDRJ5UFGRFhUUIeGcnpUHFItRbvlAinatBQRKx93aWVsVBQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTW1KclQ0SDlEZzdsb0ow\nVkIyYTFsWTZwOUpvNkJxYkczREt0bUVlZTBFCmhsNC9iZEdjaDNYL0tYOTZmc1l4\ndGJEbDRDTzVyQkNyL1hLTDZYSDRwUGMKLS0tIElQV01RRmFSaU9FT1Y5WGFoV2Iv\nQ0Jlb0hUdkJOUys2cGZxMWJMQjZNeHcKeuteT806HhwPE9aZF2CdILD+71foI8SC\n+uyGazxIQ917W/C0x60t4CrSSJdsCcEA2TKdw+v0vYfkQ1Rzdy3F4A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcU04bFVhQWphM0hXblNR\nRk1YOVlYYmVGTGVtSzJqVGZpYS9OY0duNjMwCjZ6a001bUlPakpyd3FXQ3R3VHk5\nT3dTeW9NaUhQVE5uQmFjZXJmTDh0SWMKLS0tIHUwbkY4RnJiUnFVbjNFbjF3bElx\nMnY2TjFXUUNoVHNIaE9tUHFJQXRZaTgK70bsEg5J4J83O57wBOSnAZr61iuIAnLA\nrdp7hd3+qZlGEVqznKa3OVXoOTqBABZCXJEptiGXwVN520+7mirHdw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-06-16T14:35:25Z",
 		"mac": "ENC[AES256_GCM,data:AmaR8zuJzLuKSc58awn4A4oVi0mzWs9pATfK5xztix9CeBW7H8vWphTYXMLdyYGZMSmVXlDTRli2yEDpZf9sRRD9JDfL5Bf+pMGKfMqLyoFvGkZGbrOn7YqhHusHSZgQsECe2nFjsEYm5MEQ4CJjcoUtM9mn/EltBsqprbohyEA=,iv:8QEyiTaN1WoOADJEOXeai3vxTK6xLhduxdZKZtfr0yw=,tag:2EXpIi+lSWsw7N6pQnZy1A==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
 }

deleted os/host/seed/ssh.nix

@@ -1,14 +0,0 @@

 {
   pkgs,
   config,
   lib,
   ...
 }: {
   imports = [
     ../../mixin/ssh.nix
   ];
   sops.secrets ."ssh/key".sopsFile = ./sops/ssh.yaml;
   environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXpC2X07TCIslR907omxrk6J+K3p0rGOMaJAHe1K2i3 ${config.networking.fqdn}";
 }

deleted os/host/seed/tor.nix

@@ -1,6 +0,0 @@

 let
   secret = "tor/hs_ed25519_secret_key";
 in {
   imports = [../../mixin/tor.nix];
   sops.secrets.${secret}.sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json;
 }

deleted os/host/seed/victorialogs.nix

@@ -1,22 +0,0 @@

 {
   config,
   pkgs,
   systemSettings,
   userSettings,
   ...
 }: {
   # Default port: 9428
   services = {
     victorialogs = {
       enable = true;
       extraOptions = [
         "-retentionPeriod=14d"
       ];
     };
     journald.upload = {
       enable = true;
       settings.Upload.URL = "http://localhost:9428/insert/journald";
     };
   };
 }

deleted os/host/seed/zone/common.zone

@@ -1,17 +0,0 @@

 $TTL 3600
 @	CAA	0 issue "letsencrypt.org"
 	NS	seed.radicle.xyz
 	A	65.108.87.205
 	AAAA	2a01:4f9:c011:b666::1
 *	A	65.108.87.205
 	AAAA	2a01:4f9:c011:b666::1
 b._dns-sd._udp		86400 PTR bootstrap.radicle.xyz.
 db._dns-sd._udp		86400 PTR bootstrap.radicle.xyz.
 lb._dns-sd._udp		86400 PTR bootstrap.radicle.xyz.
 _services._dns-sd._udp	86400 PTR _radicle-node._tcp

deleted os/host/seed/zone/secondaries.zone

@@ -1,17 +0,0 @@

 @	NS	ns2.he.net.
 	NS	ns3.he.net.
 	NS	ns4.he.net.
 	NS	ns5.he.net.
 	NS	ns1.afraid.org.
 	NS	ns2.afraid.org.
 	NS	ns0.1984.is.
 	NS	ns1.1984.is.
 	NS	ns2.1984.is.
 	NS	ns1.1984hosting.com.
 	NS	ns2.1984hosting.com.
 	NS	ns1.first-ns.de.
 	NS	robotns2.second-ns.de.
 	NS	robotns3.second-ns.de.

modified os/mixin/common.nix

@@ -7,7 +7,6 @@

   i18n.defaultLocale = "en_US.UTF-8";
   networking = {
     domain = "radicle.xyz";
     useNetworkd = true;
   };