From 10131d58be8584a2a473e8138364503fae3d3200 Mon Sep 17 00:00:00 2001 From: Gabriel Arazas Date: Sun, 17 Jul 2022 09:36:29 +0800 Subject: [PATCH] secrets: replace agenix with sops and sops-nix --- .editorconfig | 2 +- .gitattributes | 1 + .sops.yaml | 14 ++++ README.adoc | 3 +- flake.lock | 61 +++++++++++------- flake.nix | 9 ++- .../tasks/backup-archive/borg-ssh-key.pub | 1 - .../tasks/backup-archive/borgbase-ssh-key.pub | 1 + .../nixos/tasks/backup-archive/default.nix | 34 ++++++---- secrets/README.adoc | 4 +- secrets/archive/borg-patterns | Bin 1926 -> 0 bytes secrets/archive/borg-patterns-local | Bin 2255 -> 0 bytes secrets/archive/borg-ssh-key | Bin 938 -> 0 bytes secrets/archive/key | Bin 1740 -> 0 bytes secrets/archive/password | Bin 951 -> 0 bytes secrets/backup-archive.yaml | 47 ++++++++++++++ secrets/secrets.nix | 25 ------- shell.nix | 2 +- 18 files changed, 133 insertions(+), 71 deletions(-) create mode 100644 .gitattributes create mode 100644 .sops.yaml delete mode 100644 modules/nixos/tasks/backup-archive/borg-ssh-key.pub create mode 100644 modules/nixos/tasks/backup-archive/borgbase-ssh-key.pub delete mode 100644 secrets/archive/borg-patterns delete mode 100644 secrets/archive/borg-patterns-local delete mode 100644 secrets/archive/borg-ssh-key delete mode 100644 secrets/archive/key delete mode 100644 secrets/archive/password create mode 100644 secrets/backup-archive.yaml delete mode 100644 secrets/secrets.nix diff --git a/.editorconfig b/.editorconfig index 70d85025..d583a75d 100644 --- a/.editorconfig +++ b/.editorconfig @@ -4,6 +4,6 @@ root = true end_of_line = lf insert_final_newline = true -[*.nix] +[*.{nix,yaml,json}] indent_style = space indent_size = 2 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 00000000..24c6b39b --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.yaml diff=sopsfilter diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 00000000..3e503f48 --- /dev/null +++ b/.sops.yaml 
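Review bot: The `*.yaml diff=sopsfilter` line in the new `.gitattributes` applies the sops diff driver to every YAML file in the tree, not only the encrypted ones under `secrets/` and `hosts/ni/secrets/` that `.sops.yaml` covers. The driver itself lives in each clone's local git config and is not defined anywhere in this commit; presumably its textconv runs `sops -d`. If so, `git diff` and `git log -p` print decrypted values to the pager and terminal scrollback, and the same command is run against any plaintext YAML. I would narrow the patterns to `secrets/*.yaml diff=sopsfilter` and `hosts/*/secrets/*.yaml diff=sopsfilter`, and describe the required local `diff.sopsfilter.textconv` setting in `secrets/README.adoc`.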
@@ -0,0 +1,14 @@ +keys: + - &foo-dogsquared 8FCE86932583783E515B6FE55F2B001E20ED3763 + - &foo-dogsquared-age age1say65zc678yc03tx4zexp20c9gvskvwrm4390j4x2jkepn97duhq9ptuj9 + - &ni age1dm9xugju4q5gx0zty8ckw655ea904c64gv9qw9fn3lu507ck8uzsag59y8 +creation_rules: + - path_regex: hosts/ni/secrets/[^/]+\.(yaml|json)$ + age: *ni + - path_regex: secrets/[^/]+\.(yaml|json)$ + key_groups: + - age: + - *foo-dogsquared-age + - *ni + pgp: + - *foo-dogsquared diff --git a/README.adoc b/README.adoc index a265aba0..936e8f1d 100644 --- a/README.adoc +++ b/README.adoc @@ -134,8 +134,7 @@ For more information, see the link:./modules/README.adoc[related documentation]. * link:./pkgs/[`./pkgs/`] contains my custom packages. It is exported in the flakes at `outputs.packages` compiled through various systems. -* link:./secrets/[`./secrets/`] contains my secrets managed with link:https://github.com/ryantm/agenix[agenix]. -footnote:[It is advised you should minimize SSH keys with passphrases since it is annoying to reenter passwords every time.] +* link:./secrets/[`./secrets/`] contains my secrets managed with link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix]. * link:./shells/[`./shells/`] contains my development shells for interacting with the usual type of projects. Setting this up can bring benefits outside of NixOS (unless you're interacting with projects with any OpenGL-related stuff). diff --git a/flake.lock b/flake.lock index 38b3db27..d36ddb6a 100644 --- a/flake.lock +++ b/flake.lock @@ -1,25 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1652712410, - "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=", - "owner": "ryantm", - "repo": "agenix", - "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "base16-schemes": { "flake": false, "locked": { 
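Review bot: The first creation rule, `path_regex: hosts/ni/secrets/[^/]+\.(yaml|json)$`, encrypts to the single recipient `age: *ni`, so only whoever holds that private key (presumably the host itself) can decrypt or re-key those files. If that key is lost, for example when the machine is reinstalled, the secrets cannot be recovered, and until then they can only be edited where that key is available. I would give this rule the same `key_groups` form as the second rule, listing `*ni` together with `*foo-dogsquared-age`. The second `path_regex` is unanchored and also matches paths under `hosts/ni/secrets/`, so a comment such as `# order matters: the first matching rule wins` above `creation_rules` would help.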
@@ -348,6 +328,22 @@ "type": "github" } }, + "nixpkgs-22_05": { + "locked": { + "lastModified": 1657399715, + "narHash": "sha256-7YX+I8FP3/iJTRs33VhIbdx91YWlZQf8zaEEeM97964=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0ad6eae04953060dff8ba28af158799c3e13878d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1657837635, @@ -390,7 +386,6 @@ }, "root": { "inputs": { - "agenix": "agenix", "devshell": "devshell", "dotfiles": "dotfiles", "emacs-overlay": "emacs-overlay", @@ -404,7 +399,8 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nur": "nur", - "rust-overlay": "rust-overlay" + "rust-overlay": "rust-overlay", + "sops-nix": "sops-nix" } }, "rust-overlay": { @@ -430,6 +426,27 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-22_05": "nixpkgs-22_05" + }, + "locked": { + "lastModified": 1657695756, + "narHash": "sha256-5eeq7Itk9gMK6E5u3IrooFd3KswlheIO/L2Cs7Wwj9k=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "912514e60a6e0227d6a2e0ecc8524752337fcde2", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1652372896, diff --git a/flake.nix b/flake.nix index ae21e366..58314211 100644 --- a/flake.nix +++ b/flake.nix @@ -41,8 +41,8 @@ nixos-generators.inputs.nixpkgs.follows = "nixpkgs"; # Managing your secrets. - agenix.url = "github:ryantm/agenix"; - agenix.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; # Easy access to development environments. devshell.url = "github:numtide/devshell"; 
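Review bot: `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` in the first flake.nix hunk covers only one of the two nixpkgs inputs that sops-nix declares. The `flake.lock` part of this commit shows a second input, `nixpkgs-22_05`, locked separately to NixOS/nixpkgs `release-22.05`, which leaves an extra pinned nixpkgs revision in the lock file to fetch and keep track of. If nothing in this configuration needs the stable channel (it looks like an input for sops-nix's own use, to be confirmed), add `sops-nix.inputs.nixpkgs-22_05.follows = "nixpkgs";` below the existing follows line.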
@@ -119,10 +119,10 @@ # Only use imports as minimally as possible with the absolute # requirements of a host. imports = [ - inputs.agenix.nixosModules.age inputs.home-manager.nixosModules.home-manager inputs.nix-ld.nixosModules.nix-ld inputs.nur.nixosModules.nur + inputs.sops-nix.nixosModules.sops ]; # Bleeding edge, baybee! @@ -139,7 +139,6 @@ # All of the important flakes will be included. nixpkgs.flake = nixpkgs; home-manager.flake = inputs.home-manager; - agenix.flake = inputs.agenix; nur.flake = inputs.nur; guix-overlay.flake = inputs.guix-overlay; nixos-generators.flake = inputs.nixos-generators; @@ -201,7 +200,7 @@ lib'.modulesToList (lib'.filesToAttr ./modules/home-manager); home-manager.extraSpecialArgs = { inherit inputs system self; }; - # Enabling some things for agenix. + # Enabling some things for sops. programs.gnupg.agent = { enable = true; enableSSHSupport = true; diff --git a/modules/nixos/tasks/backup-archive/borg-ssh-key.pub b/modules/nixos/tasks/backup-archive/borg-ssh-key.pub deleted file mode 100644 index 10c413ac..00000000 --- a/modules/nixos/tasks/backup-archive/borg-ssh-key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1IdisweU/qW+Np36K1WoR+RsPSyG6JcLNp96m1rDWx foo-dogsquared@ni diff --git a/modules/nixos/tasks/backup-archive/borgbase-ssh-key.pub b/modules/nixos/tasks/backup-archive/borgbase-ssh-key.pub new file mode 100644 index 00000000..6346e33c --- /dev/null +++ b/modules/nixos/tasks/backup-archive/borgbase-ssh-key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOZzSBe/YHUfpCKfKM7BC60i3t2K3euiw2P6VEfe7kI Borgbase backup diff --git a/modules/nixos/tasks/backup-archive/default.nix b/modules/nixos/tasks/backup-archive/default.nix index 83d96a5a..a1a56137 100644 --- a/modules/nixos/tasks/backup-archive/default.nix +++ b/modules/nixos/tasks/backup-archive/default.nix 
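Review bot: The reworded comment `# Enabling some things for sops.` in the last flake.nix hunk does not say what sops needs from `programs.gnupg.agent`. Going by `.sops.yaml`, which lists a PGP fingerprint as a recipient, the agent is presumably there so that `sops` can decrypt and edit with that key; `enableSSHSupport = true` is not something sops itself depends on, as far as I can tell. I would write `# gpg-agent: lets sops use the PGP recipient from .sops.yaml when editing secrets.` and give `enableSSHSupport` its own comment, or drop it if unused. The attribute set continues past the end of the hunk.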
@@ -10,7 +10,7 @@ let doInit = true; encryption = { mode = "repokey-blake2"; - passCommand = "cat ${config.age.secrets.borg-password.path}"; + passCommand = "cat ${config.sops.secrets.borg-password.path}"; }; extraCreateArgs = lib.concatStringsSep " " (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns); @@ -41,11 +41,17 @@ in { lib.mkEnableOption "backup setup with BorgBackup"; config = lib.mkIf cfg.enable { - age.secrets.borg-password.file = lib.getSecret "archive/password"; - age.secrets.borg-patterns.file = lib.getSecret "archive/borg-patterns"; - age.secrets.borg-patterns-local.file = - lib.getSecret "archive/borg-patterns-local"; - age.secrets.borg-ssh-key.file = lib.getSecret "archive/borg-ssh-key"; + sops.secrets = let + getKey = key: { + inherit key; + sopsFile = lib.getSecret "backup-archive.yaml"; + }; in { + borg-patterns-home = getKey "borg-patterns/home"; + borg-patterns-etc = getKey "borg-patterns/etc"; + borg-patterns-keys = getKey "borg-patterns/keys"; + borg-ssh-key = getKey "ssh-key"; + borg-password = getKey "password"; + }; fileSystems."/mnt/external-storage" = { device = "/dev/disk/by-uuid/665A391C5A38EB07"; @@ -92,8 +98,9 @@ in { services.borgbackup.jobs = { local-archive = borgJobCommonSetting { patterns = [ - config.age.secrets.borg-patterns-local.path - config.age.secrets.borg-patterns.path + config.sops.secrets.borg-patterns-home.path + config.sops.secrets.borg-patterns-etc.path + config.sops.secrets.borg-patterns-keys.path ]; } // { doInit = false; @@ -104,8 +111,9 @@ in { local-external-drive = borgJobCommonSetting { patterns = [ - config.age.secrets.borg-patterns-local.path - config.age.secrets.borg-patterns.path + config.sops.secrets.borg-patterns-home.path + config.sops.secrets.borg-patterns-etc.path + config.sops.secrets.borg-patterns-keys.path ]; } // { doInit = false; 
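Review bot: The new `sops.secrets` block in the second hunk of `default.nix` reads all five secrets from one file, `backup-archive.yaml`, and per the `secrets/` rule in `.sops.yaml` that file is encrypted for only one host recipient, `ni`. The module sits under `modules/nixos/tasks/` behind `cfg.enable`, so another host that enables it would presumably fail to decrypt at activation. A comment above `getKey` would make that explicit, for example `# backup-archive.yaml is encrypted per .sops.yaml; add the host there and re-key before enabling this elsewhere.` The helper also returns a whole secret definition rather than a key, so a name like `mkSecret` would read better.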
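Review bot: The same three-element `patterns` list is now written out twice, in `local-archive` (third hunk) and again in `local-external-drive` (fourth hunk), so adding a pattern file means editing both. Binding it once in the surrounding `let`, e.g. `localPatterns = with config.sops.secrets; [ borg-patterns-home.path borg-patterns-etc.path borg-patterns-keys.path ];`, and using `patterns = localPatterns;` in both jobs keeps the two local jobs from drifting apart. Both job definitions continue outside their hunks.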
@@ -115,17 +123,17 @@ in { }; remote-borgbase = borgJobCommonSetting { - patterns = [ config.age.secrets.borg-patterns.path ]; + patterns = [ config.sops.secrets.borg-patterns-home.path ]; } // { repo = "r6o30viv@r6o30viv.repo.borgbase.com:repo"; startAt = "daily"; - environment.BORG_RSH = "ssh -i ${config.age.secrets.borg-ssh-key.path}"; + environment.BORG_RSH = "ssh -i ${config.sops.secrets.borg-ssh-key.path}"; }; }; programs.ssh.extraConfig = '' Host *.repo.borgbase.com - IdentityFile ${config.age.secrets.borg-ssh-key.path} + IdentityFile ${config.sops.secrets.borg-ssh-key.path} ''; }; } diff --git a/secrets/README.adoc b/secrets/README.adoc index aff0d253..42d69f63 100644 --- a/secrets/README.adoc +++ b/secrets/README.adoc @@ -2,4 +2,6 @@ :toc: My secret files in public! -This is managed through link:https://github.com/ryantm/agenix[agenix] (thus, uses the link:https://github.com/FiloSottile/age[age encryption tool]). +All hail secret management tools! + +In my case, this is managed by link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix] for integrating it with my NixOS setup. 
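Review bot: `programs.ssh.extraConfig` at the end of `default.nix` puts `IdentityFile ${config.sops.secrets.borg-ssh-key.path}` into the system-wide client configuration for `Host *.repo.borgbase.com`, while the secret is declared without `owner` or `mode` and therefore presumably keeps sops-nix's root-only defaults. Every non-root user who connects to such a host is then pointed at a key file they cannot read, and the `remote-borgbase` job already passes the key through `BORG_RSH`. I would drop the `IdentityFile` line or restrict it with a `Match` block for the root user, and make the job offer only this key: `environment.BORG_RSH = "ssh -o IdentitiesOnly=yes -i ${config.sops.secrets.borg-ssh-key.path}";`. The enclosing `config` block starts outside the hunk.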
diff --git a/secrets/archive/borg-patterns b/secrets/archive/borg-patterns deleted file mode 100644 index 5dee39c9d088bfcccbbb895df66703a587f7bebf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1926 zcmZ9~`BxJM0>E*#Dl|kztAdI)YE>i)$z*c+gqk~6vE3H=49@gEy{gJ=m^S-As38S(SFZ8%MJRTro;4!V#mt-V$%2F7_3}HPx5%iYIWnl_(IHO6i zMiu3INGF@?RdC{VT<8zbSQMV{1yd+9Ea7muYO5-Q=_QpU3Xx>Q0&8%@CTFJ8T9sGN z9;v}5)XMZS0AEllk;qx01P`@(Nu?|*@FS{VsV9Lrlu02f!je={Y8I*qm}XNb;JCHa z?e)5nm{P{^CfznaWDWU}ZkETv*82T6C7$w16>{%L&17}h!$w9Z90DD7F)ZhB#Y#Vg zn4$uoo5{zVL>%|Wv|!v3r7S_cUtMaX=`}_^VKl<3fRrEL3WGKTBLZ=u$A-XiFcNi{ znQkeEW9I^C*GSE%*TmdnhB6@Y@JXG*tw!(|V(|pxM4BgwBXPNo!h@WMRUG7s1?+@d z3DXcuOr8{gpjDrW0JuVKX6Zp6%;Yice2qAfaByKT2ng63r${|gb4WFDkC!2ir-MXN zYZM4rercMWba`Y#GZ0DnG^9V}!<{5QkSZmhR1`4MNH?X5+X*+87CG50rAdQJaL5fP z{eqNTrn99{7tTVW>L5p99I3^80WczFq;)J+lw#XNzC=uoI>Y>E3dI~O32uSHfGP}N z1{LKE$qX=CPSZ&d0XL2Ky#64FfPbt9hHz0x!%0aEC;@?nN}ikonLbgF85pUVIk*!R zGboOVg(87U%v|b9BryYENV-Kj0T`St^CaBqnJxFrtJ^1_5q^c$5WE zGQ)nCL>ZHUa70DHSeOE%kWAuF!mR&4Ni10o_%$p4T*6>}XQMj}zg5nD)M_1-qnWN&z9a>jsl~r-dj=dKCkVk)$*E2OVMi=2Xec=e&rWg+Yd#3S@VF|#l5=@KHE}%C{KPjq|5wWsV-snEL|iroB)fIyWqTcWG?EzPW^PW4;`n^7zBHzSiPRn*`cplyNaI zr@ZsZ?G8%sRQ_0%x4vrawC&a1t9HCmoqw&U^>W_I>`f=;9xkEYuF5a#_#h4a>+=~| zQ>+aS7!$L0cgxVp$he{M&++^87xlh@IwW&-mvQaYwZ&g$ZX7CmQu|ZOpK4#y(Xs^t zy^gPmle2IIJzsQhOy;P-sXgh5*EXaN$fmT4eS7Fs3tll8FI_N|fA!LtuRM?;$Nq?U zb<6#i^oAKmQ$sEWHMJh}{=Vx-TeFex&Bb@0$#QdYZhT)C|MgtP{JYY&!mU#;)IP2V zAD+@R>DO5$AJ%(nU+uVba#vBT^U{Ojz*w*;eez4LFm}5A<3KxFoNw51qNe@S^x(%c z<=2-qcXV32LW)LKEr0sS3FLx#LBt|k7iwA7FVn6m51dr)W_Zo0zp=|_gZm;I7Vmug3$~jyzf`PTyPZCMZ20z>MDC7WJ)SY_ zY9|Lf#&3Q8>E+>}B>c_Iao=v*nNvR#=#dtj{;_FzDzckCdY^8>s`$cY?W_9p(=K#M Ua{&38A0CbQt*7f-bYj#00JuN{>i_@% 
diff --git a/secrets/archive/borg-patterns-local b/secrets/archive/borg-patterns-local deleted file mode 100644 index 0e394a454104dca87ed7db72f4a318ce12210f6f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2255 zcmZ9|`CE*O0svr1mWU)mma)?`HQy}Fj1KPX`%Lpq-)zS=`!_SqzEpE8Ehx&ZjirrSEooq<(k|BVF;n?I1 z3yx&L`SYyoSdWm8x2i387Da{;@ng(%Z4`;41H38%3(X^&K)u_ljf~@eukk@8gw!Kg zW}L{LAZH5W5{MdAJj2Qt5YQYGjq8=l03F4`HzA2MGKZ>+bNbWmk)Q+MfD9eQ=(XEO za;3@5XMjS9k)YNwkV=V#$z76 zHVF+FlF1k)Hi=cBNn*CrME-_E3Zzo7qFgGOUcdx2HWHpr<`{7{G91U`Q*?N`E&&JQ zB@l-Fy(SWJT^cgNz@{NhTr^hA=K=tnK%+8=poii}5R!-8y zEFK{N<|x$^l3pYw3R&v!HJ8DJwUZH63YUZ=vUmmnO%cDhK+3>Q{nHF~Psg)`vzRwP$|r8`J^t{IQP`OAgYD3%RPCxcwH z)TvVHrK-3nyqztxi_I#Nni1#JnT%qz+2j5H%?i4_(+K`(kWG{ zWi}e#hN1eSP$+~tk?9~y++HC+hQa|NF(SD~z)`>)J555+3an8got2tEr^>~AqQ9>D zGQ^qwTrjR%FOKLh%x7e69AYZmW3y%yKEF|F82h$xcka%o;ct>7fs5-F?r*IKdGw}e zxcuEw-%=EX2c9Asjb!K0O(1RcRtr_W_x$kYcS(o5=#l*kyB@c8Pc6H>zxCRUduEw% z%}`rT=vr*|%w-|hSdD!NVzUpwtz)$D*kM9WcF2VVm;ljeWs!VS^{kYojW6<^->%8O zTOeq`@oUm(rF$Z3C!fn0*|*(zXJUBW=;?sG;p6k?{nhy_=J=P0?m2Vz>@NOEv>{a( zluHN20Ri#UW2b5++-ky%H)MmV)%`8A-|D)qcM$^lp~dkZ*6!VsI;Syv6C(fS`mVy- zPI5%S8%w~f;;NX+NhiYpYRYN+dSraK^;SCS<6tKqqFCc)SIgY1{i_LgBJx_K(e&g_z@EIXjdRwEnFcyUthxa7e|JlLKOqs$4ZY2etR86Q8%z^9W znYPm4w#fmb6R$Lva8Idoz8yG<(CW6^Av*BN{b1UnmW!f0OLKz`qA?A73t8z92esL_S$||fK zxDOof_Zg@lu3a(^k(btp`cFL;s9llT@P4{JG>^P{pR#O6#L?j zAFuSg3WBqL2Rsb_y?-eS3O$=CBK zvoDq0?_r&6q~bUKEJvM4`h)0u=)snO9^RVYD7*qy|Mln{;yc#MSCXe}n^!Zu_et8q z8F1jblFSVmkrlO#6A1IiZ}#O>bjN%NTHZ=Gv~6trQ_=B79d&<2QQwbqzAjyAx7@jO zBy`BsoZ6DL3Vw1HnD>FaLp!u>W-rF3PIFNsEM2zfFs^F~aB1(wu1|L#{Q#~_U*fCJ z4%pYHz?nue0%Hd#FBYYb=eAt^eCA^{Uov02in_kK!$qtxS zuJ@n6Mkn1mw!5wOcRvkmSrxl#^yTu+lb$g8jNa;R*W&tS#}j=wWqH?p5Ga+K?!7;{ zy&>&1D0_Qx->X5x{}O#du5CH# zNKUN{o2Ja$PP@TA;P@p_P}f@@S{-Zp$J0fF>4V6`oE?D;uN3$-vYk08Ro8v@ev^C& zn2Q6N8V$)tIaKJd`v^wiKx0KPqzIkZOX$c(|6o0En3-g`fq1eJw=547u9XayZ`_I 
diff --git a/secrets/archive/borg-ssh-key b/secrets/archive/borg-ssh-key deleted file mode 100644 index 9ae30bcb3f2ab863b93c5426158cb1491145224a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 938 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTSa`rAwO;<=Yun5j5 z^9b?EO-XkSNU1Q(t4c34$xaL{EGY1Cj4JggG;&Id@GT4T$mS{waElC0_6bQd39z(C zw$#t?Dez4*^VcrPOi6XoFR=_r3M|btN)IqCE=ISlBs1H%&`}}T)YU04BP`9|*(l6C ztu!FO#Wc#x$s#p4IjGps+{4?b$i*enGBVlK)tAfL*Ucp*&m+UV$kR8%DcR5{ILs?g zyCgTqDatI*)Hx|x+ceFh($zS`(GlIYV55vAUq^*h|J2|-^PC*-{M5uGmt0TJve3%3 zNTYIBbF-r4AdirsJnce9{d{LnCr_@Fs_;bff{IEnw}>paV$S}s#$4rvWky-W{@x{N zLCIXYy1EK}`Q@1v`T>Rd+2t02rQYTxfktKeJ}xQ6`GtY`1$h~1IeBG{l^O0nN#$JA z-&uFpy*~VV}|6g_{>B`R@#|E!J5v$j8`SefbF5{a}peX+K z-WBGxa#mMfdc2zd?&PjtX6v`_Tyn{Glm3<;X-61MA6Kd0UR`*!eUr!nr;QuFEdRGM zS%c&K^$$<({7BlIw2~>Zs)#XNVO?FVFaJfpZR=-ExV_9z;K2oTwde_xKK-qJ)bYG^ ztwUcRf4RvYi-INDW=g-B)?GZ8liZxo%O!m0V8dFeqtid0T%tG8WmlD1Ps+9YJXyXe zxBO*2EoQAv)S7lJ^`+t4pSLn)3o34?+{zYrwe*U@>pZV5_UmH4 zG3*P=Wie!x`g8rg4K3912 zVdqaBjb~XORymk_YiRNdZT(lcn)jPpGlDj-Nx!heM zD*^=(*h^sT$_odgEw3R}U)U#*3PW0JOHnJ;p?%ekQC?E#DB3DTHgVgp-5>CMyUqr$wW$kq)i%%1*C*B6_?e5CUr<+;j1%A zlryU(!T|12nxhE@&M=5Ji%IEZ)X0lcA}5wKiD?Z@!H8ZC8_T(L98vgUA&V*?QhJy` zNa%LUgHqjm&5U{M{2-7@+W6rF#M%v6lTBu-AS4E{2C|Cdj4+!Ct3yV$O(P|}d_5lL z88S@JPbNG89bRjci2Mi_QE@OBPejE!&{a_(7I|tTxHl`Q@XgmSyW5pOfpVI#xm>jp z&TfU3YQhL9B8WBQwrN;MBk{#GiGUSS<8pI`O7Re_mU71v8WO^#4iZ91M4~{#I2mw5 zBB>{AOC!c|Ep3v++SGgvMPS;m0ysY|2}NyUPA!XBtrAcvN-H7(6U5J!M}kV&iF+uO zfz&2gjO8JAFA>kMm`~@ldm&cljM$~P1w@6JXe=DWv}s*3sesZkxdNT9xixT_2m(?U zgyH-E8F5+t4T@srL{JWRogAEXq@Q(0bI#AgS6!k^;S9e!bVI zj|ZY@MWQ@eA#%HHQafx%!~s+~U!$q8q+SJpFi0pZcAs3H#kerbus#${_6{aUZd2%=4q^Cn1txCE#dS~ zL0TtC+YNphp7QfU;gn6`XQC7tV_A-=cm3~MgF_HZ5}p(R{H`jJ4b=gzGG3Twg;s+P zO3Q>P+#51NPFWy^^W!8Mqd?z(X95ABLbA>X8nNmrtwLHJ1w~;mim6bqF|Kn)xP*ez znK6sd<)?8KPuNC|M^>&rm@79sfGte%Y%-@up_NaL%O3n{=**+-7iw0t3>{x2hU-Fz zp?Uq9#_zAT^}an6{q2F%<69f29-Dqe70TgGrU-axIU;XIzbk}&Gefe2zxTEH5Rnt-4+TwV(^V5*IV|Q_X 
zEV_AQ+trQwB2~V+Wk&Kq(Xz1uYxCM6_JN1GSMm2hKQO20{BqYT&4;|58%ipEyddIl zPaeM86e%UIH_LuW3UB@d2&occb#=!lP^umj??99gl&CjoE&0fBGZm77^@m-AT zgMUPXKbOa|K6V0&>FJ%wCULBy)x5t?k;5APYsLyIrsS!6M8`3xaFIgO773gpX~C+ zPCb2k26=Y4|I@n@XMj_6==kdeKX>Fl`5CqV=Pk~RR5c6^pIdX`hdXcmDa7nPw#@jV zbn#8st*6>=efjQPh>?jF diff --git a/secrets/archive/password b/secrets/archive/password deleted file mode 100644 index 1d3b34aa4172a1d3b07e92f62335b7ab1b07f3db..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 951 zcmZY6J?rCi0Kjo?P>vuDx*iyC(Tg?BL(>LCNYdt^%|r9pB%qjolKz^c$uDi5+TeV{ z4dT5CS8;K05bpjsIE(lOTwPqeK{yY``U*aL`9>g}q*Z*r)@=r>Pv9BgJ%LO zNfUB5BUtp%szNrP_E_~(b8ZfO3`X7wNPfdvY_z-@>ao}uo^GycxoW{EtPs6O#O4xs zNyb*br<_9T6nd$!*qThj6rpVRGE>SVQKZeSrdg4T0hEbgnEBh?AdR>hdb7IqIH{=F zxVNUX#(@(n7mhz3C^tYT(j`kKC1u%dt}vNHPuW7wuIUk4-JBJn%h2YOF)y`pt66Rs z)F#SSd%3RtvtC}1#->d;bP;-b$WV4=nj%luk!gjr)Ddl^YDE|DdWAVe z4}rM60>l7wNLhU~2G_OSlzOT+jLPysX(aKq5leO0oHPbI30-lkg~Fyw0Xm$8$e9Dm zSS@{S9S*p{g-4ve#L?=iV!q|`a;m=uHatYOiGH`*?Np^rlu%?@5II#z8X!9Lvg1!% z!3!wbh0BXNz17;RpiUern^*EMl=m*A9z#fkz?989nJ3bs=y_wy2JsiHEs0CWbXmch%76oHWn%sx-2r9SxGq)>IrT z|Fz|t&Bq_Cub)o9IgOeW;c+F(Lf39oov6FZz7h;*n8;)@K|u_tJ!9;;V;o3j;l2J= zo-ZDu(V{Cm<=U+Trtw>WuVdti^5)y`{Ybli{qpPMkG}f0dpfV*c=h1^?=N2dPQCl} v { } }: pkgs.mkShell { - packages = with pkgs; [ asciidoctor git git-crypt nixfmt rnix-lsp ]; + packages = with pkgs; [ asciidoctor age git nixpkgs-fmt rnix-lsp sops ]; }