update forgejo CI runner over VPN

- allow disabling IPv4 or v6 (both enabled by default)
- allow specifying interface (defaults to eth0)

infra/common/nixos/hardware.nix

@@ -1,62 +1,84 @@
-{ modulesPath, ... }:
+{ config, lib, ... }:
 
+let
+  inherit (lib) mkIf mkMerge;
+
+in
 {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  config = mkMerge [
+    {
+      boot.loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+      };
+    }
 
-  boot = {
+    (mkIf config.fediversityVm.isQemuVm {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
 
-    initrd = {
+      boot.initrd = {
-      availableKernelModules = [
+        availableKernelModules = [
-        "ata_piix"
+          "ata_piix"
-        "uhci_hcd"
+          "uhci_hcd"
-        "virtio_pci"
+          "sd_mod"
-        "virtio_scsi"
+          "sr_mod"
-        "sd_mod"
-        "sr_mod"
-      ];
-      kernelModules = [ "dm-snapshot" ];
-    };
-  };
 
-  disko.devices.disk.main = {
+          # from `/profiles/qemu-guest.nix`
-    device = "/dev/sda";
+          "virtio_net"
-    type = "disk";
+          "virtio_pci"
+          "virtio_mmio"
+          "virtio_blk"
+          "virtio_scsi"
+          "9p"
+          "9pnet_virtio"
+        ];
+        kernelModules = [
+          "dm-snapshot"
 
-    content = {
+          # from `/profiles/qemu-guest.nix`
-      type = "gpt";
+          "virtio_balloon"
+          "virtio_console"
+          "virtio_rng"
+          "virtio_gpu"
+        ];
+      };
 
-      partitions = {
+      disko.devices.disk.main = {
-        MBR = {
+        device = "/dev/sda";
-          priority = 0;
+        type = "disk";
-          size = "1M";
-          type = "EF02";
-        };
 
-        ESP = {
+        content = {
-          priority = 1;
+          type = "gpt";
-          size = "500M";
-          type = "EF00";
-          content = {
-            type = "filesystem";
-            format = "vfat";
-            mountpoint = "/boot";
-          };
-        };
 
-        root = {
+          partitions = {
-          priority = 2;
+            MBR = {
-          size = "100%";
+              priority = 0;
-          content = {
+              size = "1M";
-            type = "filesystem";
+              type = "EF02";
-            format = "ext4";
+            };
-            mountpoint = "/";
+
+            ESP = {
+              priority = 1;
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+
+            root = {
+              priority = 2;
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
           };
         };
       };
-    };
+    })
-  };
+  ];
 }

infra/common/nixos/networking.nix

@@ -1,7 +1,7 @@
 { config, lib, ... }:
 
 let
-  inherit (lib) mkDefault;
+  inherit (lib) mkDefault mkIf mkMerge;
 
 in
 {
@@ -11,53 +11,49 @@ in
       settings.PasswordAuthentication = false;
     };
 
-    networking = {
+    networking = mkMerge [
-      hostName = config.fediversityVm.name;
+      {
-      domain = config.fediversityVm.domain;
+        hostName = config.fediversityVm.name;
+        domain = config.fediversityVm.domain;
 
-      ## REVIEW: Do we actually need that, considering that we have static IPs?
+        ## REVIEW: Do we actually need that, considering that we have static IPs?
-      useDHCP = mkDefault true;
+        useDHCP = mkDefault true;
 
-      interfaces = {
+        nameservers = [
-        eth0 = {
+          "95.215.185.6"
-          ipv4 = {
+          "95.215.185.7"
-            addresses = [
+          "2a00:51c0::5fd7:b906"
-              {
+          "2a00:51c0::5fd7:b907"
-                inherit (config.fediversityVm.ipv4) address prefixLength;
+        ];
-              }
+
-            ];
+        firewall.enable = false;
-          };
+        nftables = {
-          ipv6 = {
+          enable = true;
-            addresses = [
+          rulesetFile = ./nftables-ruleset.nft;
-              {
-                inherit (config.fediversityVm.ipv6) address prefixLength;
-              }
-            ];
-          };
         };
-      };
+      }
 
-      defaultGateway = {
+      ## IPv4
-        address = config.fediversityVm.ipv4.gateway;
+      (mkIf config.fediversityVm.ipv4.enable {
-        interface = "eth0";
+        interfaces.${config.fediversityVm.ipv4.interface}.ipv4.addresses = [
-      };
+          { inherit (config.fediversityVm.ipv4) address prefixLength; }
-      defaultGateway6 = {
+        ];
-        address = config.fediversityVm.ipv6.gateway;
+        defaultGateway = {
-        interface = "eth0";
+          address = config.fediversityVm.ipv4.gateway;
-      };
+          interface = config.fediversityVm.ipv4.interface;
+        };
+      })
 
-      nameservers = [
+      ## IPv6
-        "95.215.185.6"
+      (mkIf config.fediversityVm.ipv6.enable {
-        "95.215.185.7"
+        interfaces.${config.fediversityVm.ipv6.interface}.ipv6.addresses = [
-        "2a00:51c0::5fd7:b906"
+          { inherit (config.fediversityVm.ipv6) address prefixLength; }
-        "2a00:51c0::5fd7:b907"
+        ];
-      ];
+        defaultGateway6 = {
-
+          address = config.fediversityVm.ipv6.gateway;
-      firewall.enable = false;
+          interface = config.fediversityVm.ipv6.interface;
-      nftables = {
+        };
-        enable = true;
+      })
-        rulesetFile = ./nftables-ruleset.nft;
+    ];
-      };
-    };
   };
 }

infra/common/options.nix

@@ -89,6 +89,17 @@ in
     };
 
     ipv4 = {
+      enable = mkOption {
+        default = true;
+      };
+
+      interface = mkOption {
+        description = ''
+          The interface that carries the machine's IPv4 network.
+        '';
+        default = "eth0";
+      };
+
       address = mkOption {
         description = ''
           The IP address of the machine, version 4. It will be injected as a
@@ -114,6 +125,17 @@ in
     };
 
     ipv6 = {
+      enable = mkOption {
+        default = true;
+      };
+
+      interface = mkOption {
+        description = ''
+          The interface that carries the machine's IPv6 network.
+        '';
+        default = "eth0";
+      };
+
       address = mkOption {
         description = ''
           The IP address of the machine, version 6. It will be injected as a
@@ -153,5 +175,13 @@ in
         this for testing machines, as it is a security hole for so many reasons.
       '';
     };
+
+    isQemuVm = mkOption {
+      description = ''
+        Whether the machine is a QEMU VM. This will import all the necessary
+        things.
+      '';
+      default = true;
+    };
   };
 }

infra/common/resource.nix

@@ -34,8 +34,8 @@ in
   ## should go into the `./nixos` subdirectory.
   nixos.module = {
     imports = [
-      (import "${agenix}/modules/age.nix")
+      "${agenix}/modules/age.nix"
-      (import "${disko}/module.nix")
+      "${disko}/module.nix"
       ./options.nix
       ./nixos
     ];

infra/flake-part.nix

@@ -155,6 +155,10 @@ let
 
 in
 {
+  # NOTE: `forgejo-ci`, being a physical machine and not a Proxmox VM, gets
+  # custom treatment.
+  imports = [ ./forgejo-ci/flake-part.nix ];
+
   ## - Each normal or test machine gets a NixOS configuration.
   ## - Each normal or test machine gets a VM options entry.
   ## - Each normal machine gets a deployment.

infra/forgejo-ci/configuration.nix

@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkDefault mkForce;
+
+in
+{
+  imports = [
+    ../common/options.nix
+    ../common/nixos
+    ./forgejo-actions-runner.nix
+  ];
+
+  fediversityVm = {
+    name = "forgejo-ci";
+    domain = "procolix.com";
+
+    ipv4 = {
+      interface = "enp1s0f0";
+      address = "192.168.201.65";
+      prefixLength = 24;
+      gateway = "192.168.201.1";
+    };
+    ipv6.enable = false;
+
+    # Most Procolix machines are QEMU VMs so the options are tailored to them by
+    # default. `forgejo-ci` is not, so we need to explicitly disable them.
+    isQemuVm = false;
+  };
+
+  networking = {
+    nftables.enable = mkForce false;
+    hostId = "1d6ea552";
+  };
+
+  hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
+
+  boot = {
+    ## In an initial version, we used `mkForce` to remove QEMU VM-specific
+    ## kernel modules. This is a terrible idea as it will also remove other
+    ## kernel modules, for instance the ones added for ZFS.
+    initrd = {
+      availableKernelModules = [
+        "ahci"
+        "xhci_pci"
+        "ehci_pci"
+        "nvme"
+        "megaraid_sas"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-intel" ];
+  };
+
+  fileSystems."/" = {
+    device = "rpool/root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home" = {
+    device = "rpool/home";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/50B2-DD3F";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+}

infra/forgejo-ci/flake-part.nix

@@ -0,0 +1,55 @@
+{ lib, inputs, ... }:
+
+## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
+## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
+## should be integrated with the code for other machines (in particular VMs).
+
+let
+  inherit (lib) attrValues elem;
+  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+  inherit (lib.strings) removeSuffix;
+
+  secretsPrefix = ../../secrets;
+  secrets = import (secretsPrefix + "/secrets.nix");
+  keys = import ../../keys;
+  hostPublicKey = keys.systems.forgejo-ci;
+
+  sources = import ../../npins;
+in
+{
+  nixops4Deployments.forgejo-ci =
+    { providers, ... }:
+    {
+      providers.local = inputs.nixops4.modules.nixops4Provider.local;
+
+      resources.forgejo-ci = {
+        type = providers.local.exec;
+        imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
+
+        ssh = {
+          host = "192.168.201.65";
+          opts = "-i ~/.ssh/procolix-id_rsa";
+          hostPublicKey = hostPublicKey;
+        };
+
+        nixpkgs = inputs.nixpkgs;
+
+        nixos.module = {
+          imports = with sources; [
+            "${agenix}/modules/age.nix"
+            "${disko}/module.nix"
+            ./configuration.nix
+          ];
+
+          age.secrets = concatMapAttrs (
+            name: secret:
+            optionalAttrs (elem hostPublicKey secret.publicKeys) ({
+              ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+            })
+          ) secrets;
+
+          users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+        };
+      };
+    };
+}

infra/forgejo-ci/forgejo-actions-runner.nix

@@ -0,0 +1,44 @@
+{ pkgs, config, ... }:
+
+{
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+
+    instances.default = {
+      enable = true;
+
+      name = config.networking.fqdn;
+      url = "https://git.fediversity.eu";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
+
+      settings = {
+        log.level = "info";
+        runner = {
+          file = ".runner";
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5s";
+          fetch_interval = "2s";
+        };
+      };
+
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
+      ];
+    };
+  };
+
+  ## For the Docker mode of the runner.
+  virtualisation.docker.enable = true;
+}

keys/contributors/procolix

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2

keys/systems/forgejo-ci.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A

machines/dev/fedi201/fedipanel.nix

@@ -4,10 +4,12 @@
 }:
 let
   name = "panel";
+  sources = import ../../../npins;
 in
 {
   imports = [
     (import ../../../panel { }).module
+    (import "${sources.home-manager}/nixos")
   ];
 
   security.acme = {

machines/machines.md

@@ -7,9 +7,10 @@ Currently, this repository keeps track of the following VMs:
 
 Machine | Proxmox | Description
 --------|---------|-------------
-[`fedi200`](./fedi200) | fediversity | Testing machine for Hans
+[`fedi200`](./dev/fedi200) | fediversity | Testing machine for Hans
-[`fedi201`](./fedi201) | fediversity | FediPanel
+[`fedi201`](./dev/fedi201) | fediversity | FediPanel
-[`vm02116`](./vm02116) | procolix | Forgejo
+[`vm02116`](./dev/vm02116) | procolix | Forgejo
-[`vm02187`](./vm02187) | procolix | Wiki
+[`vm02187`](./dev/vm02187) | procolix | Wiki
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.

machines/machines.md.sh

@@ -32,11 +32,12 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
     description=$(echo "$vmOptions" | jq -r ".$machine.description" | head -n 1)
 
     # shellcheck disable=SC2016
-    printf '[`%s`](./%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
+    printf '[`%s`](./dev/%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
   fi
 done
 
 cat <<\EOF
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.
 EOF

npins/sources.json

@@ -96,6 +96,19 @@
       "url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
       "hash": "02wxkdpbhlm3yk5mhkhsp3kwakc16xpmsf2baw57nz1dg459qv8w"
     },
+    "home-manager": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "home-manager"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
+      "url": "https://github.com/nix-community/home-manager/archive/863842639722dd12ae9e37ca83bcb61a63b36f6c.tar.gz",
+      "hash": "0rw9n8d4v87pzlmw7ws15f0sldb51fd9528skpbzmrzl4pinsgij"
+    },
     "htmx": {
       "type": "GitRelease",
       "repository": {

panel/nix/configuration.nix

@@ -2,6 +2,7 @@
   config,
   pkgs,
   lib,
+  inputs,
   ...
 }:
 let
@@ -145,6 +146,19 @@ in
         NixOps4 from the package's npins-based code, we will have to do with
         this workaround.
       '';
+      default =
+        let
+          sources = import ../../npins;
+          inherit (import sources.flake-inputs) import-flake load-flake;
+          inherit
+            (import-flake {
+              src = ../../.;
+            })
+            inputs
+            ;
+          inherit (inputs) nixops4;
+        in
+        (load-flake nixops4).packages.${pkgs.system}.default;
     };
 
     deployment = {

secrets/forgejo-email-password.age

@@ -1,18 +1,25 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A ZyJtpgzBrA3WFa1+uiNLZieP6GAqYzAtjmUkgbqKwyA
+-> ssh-ed25519 Jpc21A ResZtR29w6WdlH3antEbqljYpGQw2wCnnoAy3TcMmHo
-TeO/ghRNVJQrdeFAvgQITC6MC7x7IHDtFYqHVloVfAQ
+Cdesc1l2bbIzxp4LYO+hokedMH68VKd0QEybGNoN2Ys
--> ssh-ed25519 BAs8QA zIfPuCmSZyosDfWvL6A5DstWeBORDkjqb6Hxjx2dYgE
+-> ssh-ed25519 BAs8QA s7UNgS7n/lJsxqZGXiJbL30pGiRSmlrxyOcuAU9vcFM
-Nq/YU6oDlIC+ROtM2P5aBeF6iJsxUbrU2LnLDRux35Y
+3nZSD9TNNgAS9M7D4o/DqANSqk4yLzbOPUMh5pgnlgM
--> ssh-ed25519 ofQnlg dm1bj8BJxD1MpFqdDkfDL4wWV7mjmb51hVqkk2uRfwE
+-> ssh-ed25519 ofQnlg 8HrnbX07z8pi5oiWex6X60kU9z+fGb68JL7l/Flepwo
-N7Bwhw1agAbNGaF57VmFKwIWeUibaYRSu2Ke1ZlXPLQ
+R++l/fsSOk/GbGu3YFL01fYtWNMHrpZeVFqh4QDV9Rs
--> ssh-ed25519 COspvA /DYoVVG4SOFgrIbMvEP0U7QpX6VK9otJVBYrj4I0dlo
+-> ssh-ed25519 COspvA +PjYkhDUrT7PI/qHfhvcI5OpRHtfEts8QqWK2qd7cg4
-5EWys6IcMgrwW2p5fFeJEgDqandyiS1RzMvqGsN1X0I
+z5dZ5w3YLvqgd9RazAeYfsp9rMZz0B+W+9klVpcY7Ts
--> ssh-ed25519 2XrTgw YW5gzijsL1oRa5vQ3PY+8o3iNZIji1BZfB9dGcg9QHA
+-> ssh-ed25519 2XrTgw xILuugvgvcmshmqC+/lqkf9IqNY3b7mOtXKc+Z8Ku1A
-0WWu3F1Rpo9mi4YU2r3Jydr6Fg7bqWMuTtMJOEOj3NU
+GshKwp0q2kDkJNtsCJR+PpwArp8WwiURkDtVi0uxP5U
--> ssh-ed25519 awJeHA 8xl0RpXAJ7X5pe6qzDKXHJvMnjYEN85BS+maFytsSDQ
+-> ssh-ed25519 awJeHA 7hTDqzk1w2n4kvdP4aWZYMZw8YoGlYuHecySb3OzJmA
-MQYrdbh7w7TwGk2Wivja8acQYkmYZ2YWMkE/YA/5K3g
+Oiw8iALr6iDW2UtPrb2u4enGuCE/uSXsFY9YMF8mB8o
--> ssh-ed25519 Fa25Dw koR3KjKzS3Uei58I68qYkgxE0ifhIXKTblpD4cFAVhQ
+-> ssh-rsa pO5rrg
-X7mQgsMY02VHyxJUVN5ml/QRVTjBDm7BD4w0g3Jwmq4
+trQE/sebd+vMTz27qp33muYRVsxj41CTuaA11VQFUlQkNAmP52ohOsWPTMNOOw5m
---- E6iHgNV3cjQrhNcZa6uqUwvGxf0ouNZpPXhet3Vicrw
+/M01CXFTELTtwTpcj7R83MZmTvJ0MRVmrVxMVNzsBIyPI+WhYsWQXxIffcG2MB+O
-…ïò”F


Q/Gíù°ʤT]‘ns&[›ýëú&œæ
+cfIqySBhDGCWYGfWijsNX2YR6S2f3xPlHYdmFzn7HMPCf4UZKV6aksK62AFrGIHZ
-Q(6pòM$È™ü Çõ
+pJzW+NganSuweLC0oScP2v15Fhfq+EjYTzhXq2q/3bQX/CByq5XYmktiMJVCe35f
+vOb5PHfcQm0sXgT6PzkuOfREjk7prf1tXiWQ5Pb/GBNkpqLoNjzRBXr4ErtAMYGX
+ZPz+eiV2GHYTkkb3LPcHiA
+-> ssh-ed25519 Fa25Dw LMeOXTGtLX2qqQt24CTTnRf4fBSZhWakrbcjPgRlmyo
+A0/9Lyy6/Pvwr9GObYThmF51xinYxDrdhsCEd+v69yU
+--- Bgi/Hbp5OjBJFbMTYE0l+5s/xUaduh1tpXGqanQV56I
+ã®b#
+[Fã®Ö—!‰˜™Ôôr`¹ïªSúËÑ%P—‹ÜbxõùÞýDZãÄç·»õ

secrets/forgejo-runner-token.age

@@ -1,15 +1,25 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A N/T7HaInZ13IlJfzeli5nRz5pdBQETO6D1P8X42IHRw
+-> ssh-ed25519 Jpc21A 5YVZwmmsBW1XCtm6gEVErkkNdLxoYtR/i7I4T79WQQI
-q431ZtsodQ9NgcWTjmS0Kx4ATwVFp2nkm+MHe7aXTZU
+v8JQJN1I3BDP+8XhezeVAVl/Cc6jvKPYlwiT3+O5x3w
--> ssh-ed25519 BAs8QA +VUHgmz2oNG6L1FgZy3uGVMs6qUGirFHK8Ts2ghNLHs
+-> ssh-ed25519 BAs8QA K9vO+kokOiKg5XHvTbIdSeC+WPTLHP/r5TQ2ySs3AHY
-sjQu78xqM6KLmRiYd2o2uK/PjYLnyZihzVoCV7qKBX4
+gSXsyZraT3pPxSURXohpkR44ZuUHP2aXfmfMNqbZnZA
--> ssh-ed25519 ofQnlg cBfd95Ir33ggt1J1P2TkFRULr2uYPVuyrQ5XpjBxEW0
+-> ssh-ed25519 ofQnlg S+31bIhRpPG2ijrYd6RVDtPLoiH7FtREh+7upM1B6mU
-TWFVHboXr95cFm5yjQ7gn7hjbSmVBfB/9dldsoga/9Q
+7YILiVq3nZ5+XMmXi5KhsnzQRZdI2Fum21/v7tfGBhM
--> ssh-ed25519 COspvA RMW9FlDmiQUu7cg0fKir55VqrDRCoYVVZMOcMHyrMj8
+-> ssh-ed25519 COspvA kIiX95UPzbeOHBeLXPfahesfFpU2zlg0pAhsxJd1pWc
-qeXkWdKFJN7APgYh7AjyJLeQI2CAEaGAcXiVaBaOJwY
+aIZp2xv+JpKMj0mSVy3kU98Pvu3IPns+Yvz4aq0yhFA
--> ssh-ed25519 2XrTgw BRobowRWZ9giVL2dFyGvzzF7gyWUQd1ounMQBtsM/lM
+-> ssh-ed25519 2XrTgw joBq+DOUf944z/RpN3554eAb5EItlQbpEdpYMPtlVC0
-dFyli2skTgzVWGVolLG2GuGNh/Xu3IaJsznOkcWqKGc
+qyUb1c0g9OlAOkTTj+oMpn8I3oI4D4czhdnJ4oA3d80
--> ssh-ed25519 awJeHA Cu7fiv+SL71oho/xoJMw/Lztf4WkNKmImVS/8xyLiTo
+-> ssh-ed25519 awJeHA +bt39LTdJLhq4NG4T2wAS5PDSgYAYyNIpYgRO5lhvFk
-3sB/t0squi1crjHFBaN6btrvGUeWaKfmGa7yxREvy2o
+LbJOrKxtnOuMHRxQTtTYGJSnwuNCooFOawJU/xhnquw
---- SqPDTJ/XV26nNG1ib5phNNRdQi5+Wk0cxhqUr1ygjGw
+-> ssh-rsa pO5rrg
-Æt”OÊá<C3A1>âåYöª¶^´Iõ×U<C397>j†ë!
k‹Y.<2E>^<5E>}Xúôæ¡3¿ÖŽ"kE×íšú¾‹s¥,0l+¾ýn‡;fW®‹
+cbw33rxD0P5OyfBjH1PwqSdN6DmhKyDZ8+JbJjs6hqblx1M2DX754POfMmOkQNBX
+hbCFc2jtLAU598rFwWBewfO4X4C/mT7JDHHN3WK1T8rq35QBN35rfIdNqjYQttt2
+mZ1KDtBKg3+FRkc7F9VL1SwsYkhnW1dz1esb6J1bnAxXHFQEwAX3F30O7to4c7my
+5t5bjJHPDuMZvNCWy8H5eA/AIuXZ5/OOA5z5lpWhtp+hNyVjWukrYr/PacdA5n9n
+gAm8z6fsEhdGkM9AK+P29lYFvWOnkzOtQ6bzSEHCSvxZcZ922n+grLmuUtMvMPo7
+bozXzZfCG7//SgxKdbE5TQ
+-> ssh-ed25519 8FIE3Q COBr0dcOY+LseUEl8pe2CzGVHZ1+h21s/qlGwoSwIRU
+Ea1XvW4QAXnd4L1t4TiAwb3m2wbLvcEcB8UowilQTVs
+--- X2cdDTgAGKfqFu1oaaDJWCWzNBw0q/BTy9rIIxuryTg
+
+5Ïo—›Õ²s<C2B2> W	éœs,âEÎ=§kÂ-ˆ	:œ»)Jq_¿)®™¶4ŽQ@Í6ôý<C3B4>ø­Âz)e´Ðµ.¹RYQo8ö:*8•

secrets/panel-secret-key.age

@@ -1,17 +1,24 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A 98RNGhrNW+Pg5EeQ6wOgRNaPqauBrI0hnUGDyCpFsQ4
+-> ssh-ed25519 Jpc21A jDwFNrgZFlr0NojhQG+XBUso4hjbt8wDFe8AuUPftxA
-5ZCq4vkp6N9/KR4Uf0e9MtNM1SHD3Pr97B31or6y8Xc
+tHxEq9WjiGbrzWR/rapRoG5boC+y1Xowb7fvVW5pBZA
--> ssh-ed25519 BAs8QA znlRV7zbTUMsnDY/TiNgeCaqzi87jL/r/5dhc7bJ7hw
+-> ssh-ed25519 BAs8QA u8A7ObeEXsrSdGVgOG7skzzLmGV2UEPea1kZ0FklwEs
-9pwl5mcmbHaO39jmiuOkaC9mpyiS3xQSCd7q17gH6OU
+ugU7+p3G/fYYNuKhSt+awRRuXr3/ipjmdWs2e5e2Z4s
--> ssh-ed25519 ofQnlg Wr8M7IpBjvNatOlfmRodoHicPjSjyMVqkC+R+18SYjk
+-> ssh-ed25519 ofQnlg vv8dTQSE1NZESo1UIkcO0TUsRewrpRE4lJnpFjOZWTY
-Th18PUYoo1TvP+d+6aXLvipsm3QPW+DKQSv8rJqeblk
+L68EVIrYN5PDcPkFno/GxTsypX8KQGXadlOzwW5/Zqo
--> ssh-ed25519 COspvA spxBYfEWDeKhaSsufZ4GDtIMKz8XznD4kS7Zjb4BLFU
+-> ssh-ed25519 COspvA rqop2NDM8qLfhJ5MGvlQ506QgI3SCi9qGedobVIlQHM
-B2wT7+bXgWezmUIj0mpVPPjKOoIj7cDH16uvW4ujbss
+LRYrRrcN7M+5lWJf94UzRp9cN4DQZz1uA/iO21hXE6s
--> ssh-ed25519 2XrTgw lY+t4jvdSgZ5ZKMemAN0u32fPUAraaGu+ExMEsR/c0w
+-> ssh-ed25519 2XrTgw BCLSRgucfM3ltMCwegAZg6E8kFWio5QlZdzGsT1jqAQ
-KfOBcGrhIztEnKKmsv6ZD6K9TleZRgIRWbOlG8Tcvaw
+yWjKvTMVGXNG2mUhtCHpV27qzCH9Fpe8XdSQ+u7KdS0
--> ssh-ed25519 awJeHA 1VVLZa0l8LX79LqZqlYRfXmKVIi9zpLcoysi0NQ3L0o
+-> ssh-ed25519 awJeHA RbA0+BGjjtqFwAKgyU8iP1jMUjQAlG6jJHWjwR1UulA
-m79gHUkQ87zFoB8Awlcxt2GrCMrwr5KSfyiSqa6kEko
+Xa875rmo9GxLvSxMhI8bSCPLinPnUeUCSzRqSweQPCg
--> ssh-ed25519 kXy85Q uaEXsQeApgXqzWZRL0AtsPqjt5qOWxoQjN1Keiii1Ds
+-> ssh-rsa pO5rrg
-LtHUNkV3n/jgeAcEIyq03z84KKa5qQoAo1aaJeK6Duk
+pObun3kWV04r9bhEdAdDnsLKDgADeFlmIWitIpgpMMlukar8M4IpIaYu9dqnK7+C
---- 6s4nA95ds+3slR3QtHQmAkTEBNlSOQusQzjaY/3M5Ds
+3zJvG9xQux8YuC0WRfJ+uPw+iBhbOzj7M9n9l5yP0DnwpJUlIvboVwBShW4QQcmd
-tÑ:ƒX‚´¯=χ´ù8€OoùxþÔ;ì“ÀyIý²ˆµÌˆõêJ/oW0Ô¼; x–$£tŠœ‡,7£-aý
+xyFhub2vL30axY3cX8hvJ/3cF8MXqoxiGWDjHbTHdLYWhA9o+IBQ9d3T6X+LvKjG
+UEIywXl07eYVpa2qfhBaWwSxeByYsO8dMEZIbGZXkM7nF+lxJe6vdoNxUk+lluJA
+fSsZFIde1AKHfCTQJOxEA0D2sYoz7UzLmNXy7Wimxzqr8m0yJpFlZf37/T1ULIlI
+RWshHM3ZhGp+w/BYrd1jmw
+-> ssh-ed25519 kXy85Q EMXeFt7NlW8BJB+8qdOm5M4jlB0emZ42M1iZXQ/XfXw
+CA0fvjAzaePbWxBD4ZDTlpWfhhU4qS7pb55eILxHKfo
+--- nmxNGml+BsgdlEr0gEdfsqoqFJoqTA96dtpkZlVRW4c
+MþÌ=EŠ!!rY)çð”r‘¢(Ž]¡²Sð!¢îpWÝñJg><1F><>g‚Ë`MÔ$ÛC½Ìź68¶=¸Áá‘yh1

secrets/secrets.nix

@@ -26,7 +26,7 @@ concatMapAttrs
     {
       forgejo-database-password = [ vm02116 ];
       forgejo-email-password = [ vm02116 ];
-      forgejo-runner-token = [ ];
+      forgejo-runner-token = [ forgejo-ci ];
       panel-secret-key = [ fedi201 ];
       panel-ssh-key = [ fedi201 ];
       wiki-basicauth-htpasswd = [ vm02187 ];

secrets/wiki-password.age

@@ -1,17 +1,24 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A TUGMeCK5ZehSdtfH2xpEEvMp4jZxJ2fTogXSkcf6blg
+-> ssh-ed25519 Jpc21A yis+v3hv2Q3Wu8Jb4X+HRwb28R2/+lgnhltvcKIHwkw
-BY6cKeB3MV84KvYThJsU0TSW5kMUJpbVVvccVtwtEIg
+Q+P+9kehHjGwxCVPOhwR/1m3UxXhapd/96rG+z8ovEc
--> ssh-ed25519 BAs8QA 9LgEP0N4MF4uEXLXGWRLgJzC9llYpKiP2lwAgN0ObxA
+-> ssh-ed25519 BAs8QA ZqxQcoGjvF0fFt/8VBxdHr0ex/1NvbJoYLvo+LLSzgU
-cOI90Sc2ORgvFZD2I+oYcRa1Y47X2tuvFFqqKFo78nk
+1140B/QYORymambC5KscfAVDai/3WvkDotaz2IR/K9o
--> ssh-ed25519 ofQnlg LYTsntB2zI1EJ8yyYOH6BvHXEOv+zX7QYrd7leXPeDA
+-> ssh-ed25519 ofQnlg YjNRDvCvvKIup9cOBoYjML97LOHGQwHvxw1fkZIjkm0
-uqhuPl2udjxDMIdMd88xpQuAZ/QMXSLgxOeOhHyTjW8
+q1DsXV6ymegnmGWlZHIRAlHa7E88Z+IgvTuRm3VJ5S8
--> ssh-ed25519 COspvA geel/7vCPHmBT6Sg0bTqeUV4rA/i6w0NvFjGk8rF/VA
+-> ssh-ed25519 COspvA LbsIVCJCA3c6XumBNavBfIMlC+6uUzJG7Wd8UDfsmGo
-8eIF+oWuM+16j1n//ndImjTPxPYqZ56WA8K5uybMbTo
+yD4u7VBe+3hX3RswOn9a5UwaONEeItWP47waPjKb8LE
--> ssh-ed25519 2XrTgw uCKoYMidpNwfo2YDb2jyjONZvExK2wrZXXvv+ywrCCA
+-> ssh-ed25519 2XrTgw lFi8xHU0crEaghwDjJpCrrNCijkbqzACpd2+/5xK+1k
-X0E+2LuftCF3oAHp8z18WRZePAYt6tEYjnNAgMmfUNo
+et+pCsjEz+5rnjj1WOgc8Dwlg0ck8oe2EvfzrnjoNcs
--> ssh-ed25519 awJeHA 4cTdqU2X1gXyFxMHGHPgUq9g8XUM8sgbNa/NMl2GZmI
+-> ssh-ed25519 awJeHA yboqkh1SdMrGYYPBXusJo3umpnQm/Q+QJhLfS+sR+EE
-J7cWCuKrf+r/nE0FjGj/DQDv7hBqbn0NidjY2m1mwGw
+zuP5fDLsgSQURKeL1XGqKN1cciuZ04pEao2i/j2Vs4E
--> ssh-ed25519 dgBsjw gyI/oiqvAzqxtism9yCygXYLZzCynTdAlPBcwZhryCw
+-> ssh-rsa pO5rrg
-pKCMRUv6dsH/cS2Tm/gU0mxH6TsF6UGj0Fx4BNvYv9o
+hdO6FkD9Yeqanl0UDitgurFbc0wLdrSW7hzhVZZDLytpFqa/t7rfbw4fApDk40Rh
---- MBLz1UcLi1SCQ2+tA1Zmv+2ZEiw0Ag2C4/gk7lzqJ0Q
+nLXY3lyODQXbQhQs1Em7vOCe8GB+GbavMyVYhjfi/BCuSJMgJGK8/UzR9HeN1YbZ
-Ú<EFBFBD>©ËƒŽ£Ð Ó1–ÁÞ™òȲ=HK€Ÿ?G	§g
=R!Ì”2›t+Ü€!“ɈUGÞ¶±ïôM°?ö<02>OÉÀÅÊ
+wrgBTY+UytJ8bXDE1LfQkHlNKTpP/yjcUzqbNsm545Gq8OngPG2ifeekAbjZcbU+
+tQu9OZtlSPyY4iHUyjRxQwJ62tnCHbYRjo/in4okRzvOndGgp7/lfKh4f3LghGfn
+6DDhiXJH+6rSbKkiNYmsYMN+mMkbkxjdHykNQbFti3QPQfeLcn1XSXufZs5ssinD
+jX5wsenyRa//n56AGRqcZg
+-> ssh-ed25519 dgBsjw sRm5Ez3e60xHRB15zWQpEA2lWrb2AODW/mMWOnVdZxY
+eZISu6W98T2K3YJKboDDqyXFDExYJH7X2aGSSrqjMSo
+--- PNoaSG+EcEWYTe132jgDp1tzheVJ4CoTO1JadJNl+ys
+ýy£3¿
ä™Mª¤3àñ<C2A0>W4AHµ¤ŠM;ŽÜÆã<>UëëÛÂ[ôoÝÂØì-<o>¿JcËòf;PV£û

secrets/wiki-smtp-password.age

@@ -1,17 +1,24 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A EvnCvH6ER6Pied87i9okxBLCx38fNP1fX3wMziJ5PXI
+-> ssh-ed25519 Jpc21A 0hWJNdYeZFhEnJcFiD1W5krZxVEtWaAD4ZKJyxBIdBE
-b7vN/9pxRWuUrug/bkZIZD+2wSplAGLK+ayO+YYDlCs
+4eG7o98vK4xbDEy0CsUmZEzHMzK4mgzDUzzV/AobDWU
--> ssh-ed25519 BAs8QA I7dMk+pvKe/bNkIr98muyaOKqTdBitIdrRr5bVN3+DA
+-> ssh-ed25519 BAs8QA W/o3cy32vI+BFCILY9xjay2t7f7uAxh06AvfUzMaeFE
-5D5IGeF6rqF+HNSdDZE/gj0DPHISR3Tzj3Fystm++04
+XbAbxRz0ZoswQgKPjLx2QVRvrw9kyriV3VzivfdoQfs
--> ssh-ed25519 ofQnlg 3XMrmWBHw6+xfYIn8fZ44ryp1dHS7qVTK0cTJZGjXV0
+-> ssh-ed25519 ofQnlg d+XF0AW3mOO6dKhft64qWMHQabJPf7SDMPJFel7OhxU
-PxuU0/w27wW/335mteby+kNTr83K6SrjvNEsxBFHOEI
+T69zZPCqGQcqmYAhPbfSTlILKAvyidpiMXdkFNga2cQ
--> ssh-ed25519 COspvA 5yfMt71p+fx9aIT8ubgsHZa9XEJE6trsOOqgC0VxxBY
+-> ssh-ed25519 COspvA J+xJTOeqSnDCNOVju0o3HzERXzdBofSXcPwx2gqLn3E
-dEIuIERcnw6dFb7IMmdzM5b4ySmdg7qtR50X5gQTd+8
+NPwlFYqSQIR4rHjtU2Hq3Tow46qdOsV1SKY4kDUeTDc
--> ssh-ed25519 2XrTgw ZpXWuF2jRWpxlK9HuYZoZyN144cvaNZubVuLBUEq5kc
+-> ssh-ed25519 2XrTgw Hrj6eUq9vi8Uvr3tdLuuVVhzfwPinG9q/css1S/WAUs
-692sos5focQy0TnUfvz+cLktK2a6tyNS8AWbuDgb4/c
+4ZLxMRHPUM0x9+427Q7yWdfUmW6hnWc8dTk0hFpUUP0
--> ssh-ed25519 awJeHA ZXx69b4ZvWbwtwnSFjK031mIpK8lDN1nwxq0N+FgREY
+-> ssh-ed25519 awJeHA HRYlq6QYcUaCqc/ekwT8ILSvrHLKps1oGT4UfRyV9ik
-f7GrJm2N908qtPEYY8T22JGhfWHXbUTAdRuEFHGLOKo
+1VHocNj2v/yGzJ/049xhsN9lm0Lxil51UZAffENpInU
--> ssh-ed25519 dgBsjw mD/FfN+J2djG/3hR98oPHznAhTyVz5Z8jnJNlQXzWSo
+-> ssh-rsa pO5rrg
-KULWl9PeO3qwbUNQJix/Zr07l9lsBhPZTR6aeOiyx0M
+QXeBCrTcTy67vTQC7L8tYh5Jv7cQ+M2USX6RS0RhNjDEtlBKRTtt9PXWZq6bDH/H
---- EUYAk4OeiL39nwZ7YIlLucUMfBghaegrtgqH+sOUEfI
+CphGI3xIHH+iu5vP/oL7fSsT6AEnutIbtMqBJV9/8DR2NrAfFhiLbA3Id44EluSx
--È<>6Q‡äŸ‡7á·™B+Òpûµe³úµ({<ˆ8í‡My|³¿]˜Ãk¾h:žæ
ZŒ§ãde#Äüúû>3„“€K‘<4B>b¨éÀ¬á®øq^uG
+FB1pcV8P0EqII8+Cd1HR2A6VqUxjZzhg9xssElWbDcece9dthmu1LscmIOp1hbhg
+4GCvVnvxjaMEVN34D9qXRAwG7w4m/VuvdlfYL46otUdM6zhQkH+mKxT0TTLTy62O
+rJY1YeeGYHErAlbqDJf0I+VEoj+6saxAZR/W6cXkFAXd4556TpQS47L2bWRSwoPq
+dGCALCedU3zVPb9ovT638A
+-> ssh-ed25519 dgBsjw qKBEKoxuHqVsyxGpm6Ke01LP1X1mST5vgDQJYftjchQ
+15UKAQ01eG80B11+pG/mb8SlfEo5qImeaivOih2zu9c
+--- KwCQlD9c1srN1usEKZIQr2THHOku0KzN3BLT6iqlUkU
+ïÚ•ô#ØpìnÕì¾Ô@õì³€ìðz

RÓjÞáêd‡¡ÑHÍ–u #¥Ï±&6<>NPygA‚>ƒU.<fÏ£ZQíÁ¾DŸîÚ¤ETák~9©ï0