57634d0 chore: radicle.garden → radicle.xyz — radicle-infra

modified .sops.yaml

@@ -6,10 +6,10 @@ seys:

   - &erik    age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
   - &seed    age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4
 creation_rules:
   - path_regex: os/host/xyz/seed/sops/[^/]+\.(bin|json|yaml)$
   - path_regex: os/host/seed/sops/[^/]+\.(bin|json|yaml|env)$
     key_groups:
     - age:
       - *lorenz
       - *fintan
       - *erik
       - *seed
 \ No newline at end of file
       - *seed

modified README.md

@@ -15,7 +15,7 @@ Flake input:

 nix flake lock --update-input radicle
 ```
 Then the following option should be changed in `os/host/xyz/seed/radicle.nix`:
 Then the following option should be changed in `os/host/seed/radicle.nix`:
 ```nix
 {pkgs, ...}: {

@@ -29,5 +29,5 @@ local machine does not match the username of your account on the target machine.

 Also, note that you may have to get permission to be added as a user first:
 ```
 HOST=seed.radicle.xyz nixos-rebuild switch --target-host "${USER}@${HOST}" --build-host "${USER}@${HOST}" --use-remote-sudo --flake ".#${HOST}"
 HOST=seed.radicle.xyz; nixos-rebuild switch --target-host "${USER}@${HOST}" --build-host "${USER}@${HOST}" --use-remote-sudo --flake .
 ```

modified flake.nix

@@ -156,7 +156,7 @@

     in
       result;
   in {
     nixosConfigurations."seed.radicle.xyz" = host (import ./os/host/xyz/seed);
     nixosConfigurations.seed = host (import ./os/host/seed);
     devShells.${system}.default = pkgs.mkShell {
       inherit (self.checks.${system}.pre-commit) shellHook;

added os/host/seed/default.nix

@@ -0,0 +1,127 @@

 {
   self,
   config,
   pkgs,
   lib,
   modulesPath,
   ...
 }: {
   imports = [
     ../../mixin/kmscon.nix
     ../../mixin/nix.nix
     ../../mixin/motd.nix
     ../../mixin/sops.nix
     ../../mixin/users.nix
     ./ssh.nix
     ./tor.nix
     ./radicle.nix
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
   systemd.network.enable = true;
   fileSystems =
     (builtins.listToAttrs (map
       ({
         subvol,
         mountpoint ? "/${subvol}",
       }: {
         name = mountpoint;
         value = {
           device = "/dev/disk/by-uuid/e55dc01e-ecab-4cd2-ad08-e773615f36fd";
           fsType = "btrfs";
           options = ["compress=zstd" "discard=async" "noatime" "subvol=${subvol}"];
         };
       }) [
         {
           mountpoint = "/";
           subvol = "root";
         }
         {subvol = "home";}
         {subvol = "nix";}
       ]))
     // {
       "/boot" = {
         device = "/dev/disk/by-uuid/5d17c66f-46fc-484d-be63-b21786e61af9";
         fsType = "ext2";
       };
     };
   boot = {
     kernel.sysctl."net.ipv4.ip_forward" = 1;
     loader.grub = {
       enable = true;
       efiSupport = false;
       device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_30473871";
     };
     initrd.availableKernelModules = [
       "ata_piix"
       "uhci_hcd"
       "virtio_pci"
       "sr_mod"
       "virtio_blk"
       "ahci"
       "xhci_pci"
       "virtio_scsi"
       "sd_mod"
     ];
   };
   networking = {
     hostName = "seed";
     domain = "radicle.xyz";
     useNetworkd = true;
     useDHCP = false;
     firewall = {
       allowedTCPPorts = [
 # ssh
 # http
 # https
 # radicle-node
       ];
       allowedUDPPorts = [
 # http3
       ];
     };
   };
   time.timeZone = "UTC";
   i18n.defaultLocale = "en_US.UTF-8";
   environment.systemPackages = with pkgs; [
     coreutils-full
     dmidecode
     exfat
     libvirt
     lshw
     lsof
     nfs-utils
     utillinux
     which
     config.boot.kernelPackages.perf
   ];
   services = {
     accounts-daemon.enable = true;
     resolved.enable = true;
     nginx.enable = true;
   };
   networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
   nixpkgs.hostPlatform = "x86_64-linux";
   security = {
     acme = {
       defaults.email = "team@radicle.xyz";
       acceptTerms = true;
     };
     sudo.wheelNeedsPassword = false;
   };
 }

added os/host/seed/radicle.nix

@@ -0,0 +1,58 @@

 {
   config,
   pkgs,
   ...
 }: {
   fileSystems."/var/lib/radicle" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_30473554";
     fsType = "ext4";
     options = ["discard" "defaults"];
   };
   services.radicle = {
     enable = true;
     package = pkgs.radicle-node-1_2;
     privateKeyFile = "/etc/ssh/ssh_host_ed25519_key";
     publicKey = "/etc/ssh/ssh_host_ed25519_key.pub";
     settings = {
       node = {
         alias = config.networking.fqdn;
         externalAddresses = [
           "${config.networking.fqdn}:8776"
         ];
         peers = {
           type = "dynamic";
           target = 8;
         };
         db.journalMode = "wal";
         workers = 32;
         relay = "always";
         onion = {
           mode = "proxy";
           address = "127.0.0.1:9050";
         };
       };
       web.pinned.repositories = [
         "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5"
         "rad:z371PVmDHdjJucejRoRYJcDEvD5pp"
         "rad:z4V1sjrXqjvFdnCUbxPFqd5p4DtH5"
         "rad:z3TajuiHXifEDEX4qbJxe8nXr9ufi"
         "rad:z3trNYnLWS11cJWC6BbxDs5niGo82"
         "rad:z6cFWeWpnZNHh9rUW8phgA3b5yGt"
         "rad:z39mP9rQAaGmERfUMPULfPUi473tY"
         "rad:zwTxygwuz5LDGBq255RA2CbNGrz8"
         "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE"
         "rad:z4D5UCArafTzTQpDZNQRuqswh3ury"
       ];
     };
     httpd = {
       enable = true;
       nginx = {
         addSSL = true;
         enableACME = true;
         serverName = config.networking.fqdn;
       };
     };
   };
 }

added os/host/seed/sops/ssh.yaml

@@ -0,0 +1,44 @@

 ssh:
     key: ENC[AES256_GCM,data:KjPrmSW5uIZ8BZqfM710+x0U5KiPRjwyX9VWbRoxfG3mpcesN1hQm2tUCuSmBk7e0HttuHI0sVX4lv6jcAG5pH8wWTISyOIytzOToZnO17gKU4T2P4dufly0+94PJAmeuMUlNJBTxDLbUIM1rxwatfdKpGEW6NT/0ki0Jwpm6kfc2oUsVsj/YvrBgdzjRR2wligdj9LlNR51Q52vwFEWBqKsOiJFoXaYANV4nH/2Bvtpt9K+ky+0ekUf5Pfacs5wHoUt0pnjCo1hZlR4IZrXyvktzHTlB1IRM2xAXJMTycOcvqedBwWZRnzPm1JOXKoKBBk1jvBlOblO8RCYvSawnMeJuLBuq79IrtKrkmdtXBIU85sCGr/Eur9CRclcCBUOHreNI6jsIxDUYtVUrnqwBuI4C/cZwwqkkGVeAn5OKAXoMOvJyTeadvoX4sK0Jiw/yZpWleBy8v0qZ/YMwryYEhUxu26QcL8ymMPl98k2xtYBr1qpcCHbwzNYA1TU2siCmXcYseLAERSTNy8nK4MbclZ68bOvyazIBIdCr5R7nNl33r3p1eEBLKmpr7bn56b2O+IyGMRE0VQvPSsB,iv:wbmX5MPvrZKehE1lNCoL1V0y6i87uS6VVNJ4ijpOPgc=,tag:/82F0SLAfy9DdWEIHB1vLQ==,type:str]
 sops:
     age:
         - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQXU3d3cxVEFaRm9ROTlC
             bHE4VUREamJkMnZveWFxem9ZTnY0SGRtRFZZCk5tbTNXWWZITVZPdzRlNGNnV1pk
             T2xhUzUySk5vN2NDY0JVclFwUFM0ZTgKLS0tIG5Pd29Fazk3SFdCWGJ5NlVqaXQ3
             WUE0RjVPSDhwYk1KZDhHU0ZXZ3ZtK28KxrvCTc/tOh+sBlIDx//X+kkKt9bWnU6Y
             /wctm5gK+D3Bkol+l4hfAPmvn2GU34lEoZkOEBA2IhHTLZzNc7+vjw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aFdoRXNHcmR0ekI1ZytN
             VytjdGhlNjZqZFZQd3hyWWZnS1BoRmZmN1c0Ckx3cWFhVnFZT0VtU1R4RGJjcmZi
             T0RETWtVMFVRNTVOMWQ2aVFnY2NGdFkKLS0tIE85bmRPVjBZenIxenk5cWtvT0Q5
             UUdkekZQMVpVYlhudVBteTM3NTdONjgKruh5uLD5cikj6Wx2NvZyduazhl7wRkWP
 MJxRjMhbmYY0vsa9oJ0xN1LFcpV6tVr7n8D1GapsJwO6bcETwfT8A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZExEc2lsY1RCVmM2eElu
             OGozMjJEb29UdkJ6RXNtSytFQ1hlZUx5R0VVCkFaMmRlTGd3UnBBNVJNOFdVWG54
             MkRIc25yVWRMdTdoN01qQTZUTTN4R0EKLS0tIFR2MlRCd2N5SXd6UDVCNC8wekhv
             SG9IVlh5eU9jNHFWWSttenFBUG96RDQKzVuI9+WuiCbfQuYsW9uysI9Qs6XqpEXa
             gSmaNseJoDtlOVocYRE0EkOy9JhaCih1CwZqrByIfgBUG9g2y3VdNQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzODc1YUd2QUNxcko1R3ow
             ZG1IejJHb2oySk1EQzNDbTdzRnoyWmxZbGtnCmZvNDdJNDlZTDVuR2dsN1ZlZFl3
             MXpqNU52ek5jbUVaZHdmWGVSSlNOOWcKLS0tIHZHR1pXU1p0Z3JWQ1pSbE82SW14
             ZXZGT2UzRzlXVElaazhRY3RHbXE4MFUKGirCy5kdGzxXgjis6tYKi6JoTI0H16al
             Pic4ZAIO6U6H+Q39hobW/gAl9wU7s+pf3fxrzJRI1twIQNPa3zc2rQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-05-19T22:10:45Z"
     mac: ENC[AES256_GCM,data:/Nj6F8rt20KcRFjRiOcxAFNgms6nT08V4w+EU5E7l/CY+KFLrffn+lV/wwLDrMR1m8frdSOPNMayO2V2v9D8dXbXmdVPfb+/AqOU3RTT5cAJ60ZCtoiXIxVtj3Z0QeXpNMA0QvS0h9O9C7KBXf53T2WPxLVKausHwHqyUIWCQjc=,iv:ZaF/0DPy5h7tbigqDHgQvHb+5PzGB8WsdX7MxY4vX9k=,tag:+JDo+a8P9rpGZ+Bsy++dkg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

added os/host/seed/ssh.nix

@@ -0,0 +1,33 @@

 {
   pkgs,
   config,
   lib,
   ...
 }: {
   services = {
     openssh = {
       enable = true;
       settings = {
         PasswordAuthentication = false;
       };
       hostKeys = [
         {
           path = "/etc/ssh/ssh_host_ed25519_key";
           type = "ed25519";
         }
       ];
     };
     sshguard.enable = true;
   };
   sops = {
     age.sshKeyPaths = map (x: x.path) config.services.openssh.hostKeys;
     secrets = {
       "ssh/key".sopsFile = ./sops/ssh.yaml;
     };
   };
   environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXpC2X07TCIslR907omxrk6J+K3p0rGOMaJAHe1K2i3 ${config.networking.fqdn}";
 }

added os/host/seed/tor.nix

@@ -0,0 +1,6 @@

 {
   services.tor = {
     enable = true;
     client.enable = true;
   };
 }

deleted os/host/xyz/seed/default.nix

@@ -1,127 +0,0 @@

 {
   self,
   config,
   pkgs,
   lib,
   modulesPath,
   ...
 }: {
   imports = [
     ../../../mixin/kmscon.nix
     ../../../mixin/nix.nix
     ../../../mixin/motd.nix
     ../../../mixin/sops.nix
     ../../../mixin/users.nix
     ./ssh.nix
     ./tor.nix
     ./radicle.nix
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
   systemd.network.enable = true;
   fileSystems =
     (builtins.listToAttrs (map
       ({
         subvol,
         mountpoint ? "/${subvol}",
       }: {
         name = mountpoint;
         value = {
           device = "/dev/disk/by-uuid/e55dc01e-ecab-4cd2-ad08-e773615f36fd";
           fsType = "btrfs";
           options = ["compress=zstd" "discard=async" "noatime" "subvol=${subvol}"];
         };
       }) [
         {
           mountpoint = "/";
           subvol = "root";
         }
         {subvol = "home";}
         {subvol = "nix";}
       ]))
     // {
       "/boot" = {
         device = "/dev/disk/by-uuid/5d17c66f-46fc-484d-be63-b21786e61af9";
         fsType = "ext2";
       };
     };
   boot = {
     kernel.sysctl."net.ipv4.ip_forward" = 1;
     loader.grub = {
       enable = true;
       efiSupport = false;
       device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_30473871";
     };
     initrd.availableKernelModules = [
       "ata_piix"
       "uhci_hcd"
       "virtio_pci"
       "sr_mod"
       "virtio_blk"
       "ahci"
       "xhci_pci"
       "virtio_scsi"
       "sd_mod"
     ];
   };
   networking = {
     hostName = "seed";
     domain = "radicle.xyz";
     useNetworkd = true;
     useDHCP = false;
     firewall = {
       allowedTCPPorts = [
 # ssh
 # http
 # https
 # radicle-node
       ];
       allowedUDPPorts = [
 # http3
       ];
     };
   };
   time.timeZone = "UTC";
   i18n.defaultLocale = "en_US.UTF-8";
   environment.systemPackages = with pkgs; [
     coreutils-full
     dmidecode
     exfat
     libvirt
     lshw
     lsof
     nfs-utils
     utillinux
     which
     config.boot.kernelPackages.perf
   ];
   services = {
     accounts-daemon.enable = true;
     resolved.enable = true;
     nginx.enable = true;
   };
   networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
   nixpkgs.hostPlatform = "x86_64-linux";
   security = {
     acme = {
       defaults.email = "team@radicle.xyz";
       acceptTerms = true;
     };
     sudo.wheelNeedsPassword = false;
   };
 }

deleted os/host/xyz/seed/radicle.nix

@@ -1,58 +0,0 @@

 {
   config,
   pkgs,
   ...
 }: {
   fileSystems."/var/lib/radicle" = {
     device = "/dev/disk/by-id/scsi-0HC_Volume_30473554";
     fsType = "ext4";
     options = ["discard" "defaults"];
   };
   services.radicle = {
     enable = true;
     package = pkgs.radicle-node-1_2;
     privateKeyFile = "/etc/ssh/ssh_host_ed25519_key";
     publicKey = "/etc/ssh/ssh_host_ed25519_key.pub";
     settings = {
       node = {
         alias = config.networking.fqdn;
         externalAddresses = [
           "${config.networking.fqdn}:8776"
         ];
         peers = {
           type = "dynamic";
           target = 8;
         };
         db.journalMode = "wal";
         workers = 32;
         relay = "always";
         onion = {
           mode = "proxy";
           address = "127.0.0.1:9050";
         };
       };
       web.pinned.repositories = [
         "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5"
         "rad:z371PVmDHdjJucejRoRYJcDEvD5pp"
         "rad:z4V1sjrXqjvFdnCUbxPFqd5p4DtH5"
         "rad:z3TajuiHXifEDEX4qbJxe8nXr9ufi"
         "rad:z3trNYnLWS11cJWC6BbxDs5niGo82"
         "rad:z6cFWeWpnZNHh9rUW8phgA3b5yGt"
         "rad:z39mP9rQAaGmERfUMPULfPUi473tY"
         "rad:zwTxygwuz5LDGBq255RA2CbNGrz8"
         "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE"
         "rad:z4D5UCArafTzTQpDZNQRuqswh3ury"
       ];
     };
     httpd = {
       enable = true;
       nginx = {
         addSSL = true;
         enableACME = true;
         serverName = config.networking.fqdn;
       };
     };
   };
 }

deleted os/host/xyz/seed/sops/ssh.yaml

@@ -1,44 +0,0 @@

 ssh:
     key: ENC[AES256_GCM,data:KjPrmSW5uIZ8BZqfM710+x0U5KiPRjwyX9VWbRoxfG3mpcesN1hQm2tUCuSmBk7e0HttuHI0sVX4lv6jcAG5pH8wWTISyOIytzOToZnO17gKU4T2P4dufly0+94PJAmeuMUlNJBTxDLbUIM1rxwatfdKpGEW6NT/0ki0Jwpm6kfc2oUsVsj/YvrBgdzjRR2wligdj9LlNR51Q52vwFEWBqKsOiJFoXaYANV4nH/2Bvtpt9K+ky+0ekUf5Pfacs5wHoUt0pnjCo1hZlR4IZrXyvktzHTlB1IRM2xAXJMTycOcvqedBwWZRnzPm1JOXKoKBBk1jvBlOblO8RCYvSawnMeJuLBuq79IrtKrkmdtXBIU85sCGr/Eur9CRclcCBUOHreNI6jsIxDUYtVUrnqwBuI4C/cZwwqkkGVeAn5OKAXoMOvJyTeadvoX4sK0Jiw/yZpWleBy8v0qZ/YMwryYEhUxu26QcL8ymMPl98k2xtYBr1qpcCHbwzNYA1TU2siCmXcYseLAERSTNy8nK4MbclZ68bOvyazIBIdCr5R7nNl33r3p1eEBLKmpr7bn56b2O+IyGMRE0VQvPSsB,iv:wbmX5MPvrZKehE1lNCoL1V0y6i87uS6VVNJ4ijpOPgc=,tag:/82F0SLAfy9DdWEIHB1vLQ==,type:str]
 sops:
     age:
         - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQXU3d3cxVEFaRm9ROTlC
             bHE4VUREamJkMnZveWFxem9ZTnY0SGRtRFZZCk5tbTNXWWZITVZPdzRlNGNnV1pk
             T2xhUzUySk5vN2NDY0JVclFwUFM0ZTgKLS0tIG5Pd29Fazk3SFdCWGJ5NlVqaXQ3
             WUE0RjVPSDhwYk1KZDhHU0ZXZ3ZtK28KxrvCTc/tOh+sBlIDx//X+kkKt9bWnU6Y
             /wctm5gK+D3Bkol+l4hfAPmvn2GU34lEoZkOEBA2IhHTLZzNc7+vjw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aFdoRXNHcmR0ekI1ZytN
             VytjdGhlNjZqZFZQd3hyWWZnS1BoRmZmN1c0Ckx3cWFhVnFZT0VtU1R4RGJjcmZi
             T0RETWtVMFVRNTVOMWQ2aVFnY2NGdFkKLS0tIE85bmRPVjBZenIxenk5cWtvT0Q5
             UUdkekZQMVpVYlhudVBteTM3NTdONjgKruh5uLD5cikj6Wx2NvZyduazhl7wRkWP
 MJxRjMhbmYY0vsa9oJ0xN1LFcpV6tVr7n8D1GapsJwO6bcETwfT8A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZExEc2lsY1RCVmM2eElu
             OGozMjJEb29UdkJ6RXNtSytFQ1hlZUx5R0VVCkFaMmRlTGd3UnBBNVJNOFdVWG54
             MkRIc25yVWRMdTdoN01qQTZUTTN4R0EKLS0tIFR2MlRCd2N5SXd6UDVCNC8wekhv
             SG9IVlh5eU9jNHFWWSttenFBUG96RDQKzVuI9+WuiCbfQuYsW9uysI9Qs6XqpEXa
             gSmaNseJoDtlOVocYRE0EkOy9JhaCih1CwZqrByIfgBUG9g2y3VdNQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzODc1YUd2QUNxcko1R3ow
             ZG1IejJHb2oySk1EQzNDbTdzRnoyWmxZbGtnCmZvNDdJNDlZTDVuR2dsN1ZlZFl3
             MXpqNU52ek5jbUVaZHdmWGVSSlNOOWcKLS0tIHZHR1pXU1p0Z3JWQ1pSbE82SW14
             ZXZGT2UzRzlXVElaazhRY3RHbXE4MFUKGirCy5kdGzxXgjis6tYKi6JoTI0H16al
             Pic4ZAIO6U6H+Q39hobW/gAl9wU7s+pf3fxrzJRI1twIQNPa3zc2rQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-05-19T22:10:45Z"
     mac: ENC[AES256_GCM,data:/Nj6F8rt20KcRFjRiOcxAFNgms6nT08V4w+EU5E7l/CY+KFLrffn+lV/wwLDrMR1m8frdSOPNMayO2V2v9D8dXbXmdVPfb+/AqOU3RTT5cAJ60ZCtoiXIxVtj3Z0QeXpNMA0QvS0h9O9C7KBXf53T2WPxLVKausHwHqyUIWCQjc=,iv:ZaF/0DPy5h7tbigqDHgQvHb+5PzGB8WsdX7MxY4vX9k=,tag:+JDo+a8P9rpGZ+Bsy++dkg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

deleted os/host/xyz/seed/ssh.nix

@@ -1,33 +0,0 @@

 {
   pkgs,
   config,
   lib,
   ...
 }: {
   services = {
     openssh = {
       enable = true;
       settings = {
         PasswordAuthentication = false;
       };
       hostKeys = [
         {
           path = "/etc/ssh/ssh_host_ed25519_key";
           type = "ed25519";
         }
       ];
     };
     sshguard.enable = true;
   };
   sops = {
     age.sshKeyPaths = map (x: x.path) config.services.openssh.hostKeys;
     secrets = {
       "ssh/key".sopsFile = ./sops/ssh.yaml;
     };
   };
   environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXpC2X07TCIslR907omxrk6J+K3p0rGOMaJAHe1K2i3 ${config.networking.fqdn}";
 }

deleted os/host/xyz/seed/tor.nix

@@ -1,6 +0,0 @@

 {
   services.tor = {
     enable = true;
     client.enable = true;
   };
 }