58 changed files with 699 additions and 1361 deletions
--- a/.forgejo/workflows/update_websites.yaml
+++ b/.forgejo/workflows/update_websites.yaml
@ -1,41 +0,0 @@
-# The websites can sometimes cause issues when being built and deployed
-# This pipeline is to update the inputs from the server
-
-name: Update_Flake_Websites
-
-run-name: "[Update Flake Websites]"
-
-on:
-  workflow_dispatch:
-
-jobs:
-  update:
-    runs-on: nix
-
-    permissions:
-      # Give the default GITHUB_TOKEN write permission to commit and push the
-      # added or changed files to the repository.
-      contents: write
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.head_ref }}
-          token: ${{ secrets.PIPELINE_TOKEN }}
-      - run: nix flake update skynet_website_2003
-        shell: bash
-      - run: nix flake update skynet_website_2006
-        shell: bash
-      - run: nix flake update skynet_website_2016
-        shell: bash
-      - run: nix flake update skynet_website_2021
-        shell: bash
-      - run: nix flake update skynet_website_2023
-        shell: bash
-      - run: nix flake update skynet_website_2024
-        shell: bash
-      - run: nix flake update skynet_website
-        shell: bash
-      - uses: https://github.com/stefanzweifel/git-auto-commit-action@v5
-        with:
-          commit_message: "Updated flake for Websites"
--- a/ITD/Firewall_Rules.csv
+++ b/ITD/Firewall_Rules.csv
@ -44,6 +44,4 @@ SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET0001
 SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
 ,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
 SKYNET_FIREWALL_00034,Add,i25-01-26_075,Complete,All,-,193.1.99.91,SKYNET00017,-,23318-23325,Ports for Minecraft Bedrock on the main games server.
-SKYNET_FIREWALL_00035,Add,i25-02-14_114,Complete,193.1.99.75,SKYNET00008,193.1.96.165,SKYNET00012,22,-,Allow our forgejo runner to access and deploy to teh external server
-SKYNET_FIREWALL_00036,Add,i25-03-11_125,Complete,All,-,193.1.99.86,SKYNET00027,25,-,Email Filter
-SKYNET_FIREWALL_00037,Add,i25-03-30_018,Complete,All,-,193.1.99.91,SKYNET00017,27015/27016/27020,27015/27020,CSGO/TF2 Ports
+SKYNET_FIREWALL_00035,Add,i25-02-14_114,Complete,193.1.99.75,SKYNET00008,193.1.96.165,SKYNET00012,22,-,Allow our forgejo runner to access and deploy to teh external server
--- a/ITD/Server_Inventory.csv
+++ b/ITD/Server_Inventory.csv
@ -24,5 +24,4 @@ SKYNET00022,ultron,Active,193.1.99.084,Proxmox,VM Host
 SKYNET00023,optimus-test,Retired,193.1.99.085,Nixos,Testing flake for Pelecian
 SKYNET00024,optimus,Active,193.1.99.090,Nixos,Games server manager (replaced SKYNET00016)
 SKYNET00025,bumblebee,Active,193.1.99.091,Nixos,Game server - Minecraft (replaced SKYNET00017)
-SKYNET00026,vision,Active,193.1.99.085,Raspbian,Proxmox Qurom server
-SKYNET00027,mimi,Active,193.1.99.086,Proxmox-Mail-Gateway,Proxmox Mail Gateway
+SKYNET00027,vision,Active,193.1.99.085,Raspbian,Proxmox Qurom server
--- a/applications/_base.nix
+++ b/applications/_base.nix
@ -42,16 +42,6 @@ in {
        type = types.str;
        default = "${cfg.host.name}.skynet.ie";
      };
-      interface = mkOption {
-        type = types.str;
-        description = "Will most likely be ``eno1`` for physical servers.";
-        default = "eth0";
-      };
-      cidr = mkOption {
-        type = types.int;
-        description = "Most of our servers are /26, ";
-        default = 26;
-      };
    };
  };

@ -70,23 +60,6 @@ in {
      }
    ];

-    # use lix instead of nix
-    nix.package = pkgs.lixPackageSets.stable.lix;
-
-    # set
-    networking = {
-      hostName = cfg.host.name;
-      defaultGateway.interface = lib.mkForce cfg.host.interface;
-
-      # needs to have an address statically assigned
-      interfaces."${cfg.host.interface}".ipv4.addresses = [
-        {
-          address = cfg.host.ip;
-          prefixLength = cfg.host.cidr;
-        }
-      ];
-    };
-
    services.nginx = {
      virtualHosts = {
        # for every server unless explisitly defined redirect the ip to skynet.ie
--- a/applications/discord_t-800.nix
+++ b/applications/discord_t-800.nix
@ -1,32 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  inputs,
-  ...
-}:
-with lib; let
-  name = "discord_bot_t-800";
-  cfg = config.services.skynet."${name}";
-in {
-  imports = [
-    inputs.skynet_discord_bot_t-800.nixosModule."x86_64-linux"
-  ];
-
-  options.services.skynet."${name}" = {
-    enable = mkEnableOption "Logging Bot";
-  };
-
-  config = mkIf cfg.enable {
-    #backups = [ "/etc/silver_ul_ical/database.db" ];
-
-    age.secrets.discord_t-800_details.file = ../secrets/discord/t-800.age;
-
-    # this is what was imported
-    services.skynet_discord_bot_t-800 = {
-      enable = true;
-
-      env = config.age.secrets.discord_t-800_details.path;
-    };
-  };
-}
--- a/applications/dns/dns.nix
+++ b/applications/dns/dns.nix
@ -369,7 +369,7 @@ in {

      # piles of no valid RRSIG resolving 'com/DS/IN' errors
      extraOptions = ''
-        dnssec-validation auto;
+        dnssec-validation yes;
      '';

      # set the upstream dns servers
--- a/applications/email.nix
+++ b/applications/email.nix
@ -50,10 +50,6 @@ with lib; let
      account = "contact";
      members = ["committee"];
    }
-    {
-      account = "committee";
-      members = ["committee"];
-    }
    {
      account = "dbadmin";
      members = ["admin"];
@ -106,27 +102,13 @@ with lib; let
      require ["fileinto", "reject"];
      require "variables";
      require "regex";
-      require "subaddress";

      # this should be close to teh last step
      if allof (
-        address  :user ["To", "Cc"] ["${toString create_config_to}"],
+        address  :localpart ["To", "Cc"] ["${toString create_config_to}"],
        address  :domain ["To", "Cc"] "skynet.ie"
        ){
        if address :matches ["To", "Cc"] "*@skynet.ie" {
-          # handle spam reports specifically for teh service accounts in each users inbox
-          if address :matches ["From"] "postmaster@mimi.skynet.ie" {
-            fileinto :create "''${1}.Spam_Report";
-            stop;
-          }
-
-          # user+subdir
-          if address :matches ["To", "Cc"] "*+*@skynet.ie" {
-            fileinto :create "''${1}.''${2}";
-            stop;
-          }
-
-          # no detail, proceed normally
          if header :is "X-Spam" "Yes" {
            fileinto :create "''${1}.Junk";
            stop;
@ -136,13 +118,6 @@ with lib; let
          }
        }
      }
-
-      # handle spam Reports for general users
-      if address :matches ["From"] "postmaster@mimi.skynet.ie" {
-        fileinto :create "INBOX.Spam_Report";
-        stop;
-      }
-
      if allof (
        address  :localpart ["From"] ["${toString create_config_to}"],
        address  :domain ["From"] "skynet.ie"
@ -309,27 +284,13 @@ in {
    # set up dns record for it
    services.skynet.dns.records =
      [
+        # core record
        {
-          # This is the mail gateway, try to send all mail to it first
-          # Lower number = higher priority
-          record = "@";
-          r_type = "MX";
-          # the number is the priority in teh case of multiple mailservers
-          value = "5 mimi.${cfg.domain}.";
-        }
-        {
-          # this is the main email server
          record = "@";
          r_type = "MX";
          # the number is the priority in teh case of multiple mailservers
          value = "10 mail.${cfg.domain}.";
        }
-        {
-          record = "@";
-          r_type = "MX";
-          # the number is the priority in teh case of multiple mailservers
-          value = "10 lists.${cfg.domain}.";
-        }

        # basic one
        {
@ -337,11 +298,6 @@ in {
          r_type = "A";
          value = config.services.skynet.host.ip;
        }
-        {
-          record = "lists";
-          r_type = "A";
-          value = config.services.skynet.host.ip;
-        }
        #DNS config for K-9 Mail
        {
          record = "imap";
@ -470,12 +426,9 @@ in {

    mailserver = {
      enable = true;
-      stateVersion = 1;
-
      fqdn = "${cfg.sub}.${cfg.domain}";
      domains = [
        cfg.domain
-        "lists.skynet.ie"
      ];

      enableManageSieve = true;
@ -490,10 +443,6 @@ in {
      # 20MB max size
      messageSizeLimit = 20000000;

-      #      policydSPFExtraConfig = ''
-      #        skip_addresses = 193.1.99.86/32
-      #      '';
-
      ldap = {
        enable = true;
        uris = cfg.ldap.hosts;
@ -506,13 +455,13 @@ in {
        searchScope = "sub";

        dovecot = {
-          userFilter = "(skMail=%{user})";
+          userFilter = "(skMail=%u)";

          # can lock down how much space each user has access to from ldap
          userAttrs = "quotaEmail=quota_rule=*:bytes=%$,=quota_rule2=Trash:storage=+100M";

          # accept emails in, but only allow access to paid up members
-          passFilter = "(&(|${create_filter cfg.groups})(skMail=%{user}))";
+          passFilter = "(&(|${create_filter cfg.groups})(skMail=%u))";
        };

        postfix = {
@ -565,23 +514,14 @@ in {
    };

    # tune the spam filter
-    services.rspamd.locals = {
-      "multimap.conf" = {
-        text = ''
-          IP_WHITELIST {
-              type = "ip";
-              prefilter = true;
-              map = "/etc/rspamd/local.d/ip_whitelist.map";
-              action = "accept";
-          }
-        '';
-      };
-
-      "ip_whitelist.map" = {
-        text = ''
-          193.1.99.86
-        '';
-      };
-    };
+    /*
+    services.rspamd.extraConfig = ''
+      actions {
+        reject = null; # Disable rejects, default is 15
+        add_header = 7; # Add header when reaching this score
+        greylist = 4; # Apply greylisting when reaching this score
+      }
+    '';
+    */
  };
 }
--- a/applications/git/forgejo.nix
+++ b/applications/git/forgejo.nix
@ -70,7 +70,6 @@ in {
        locations."/" = {
          proxyPass = "http://localhost:${toString cfg.forgejo.port}";
          extraConfig = ''
-            add_header Content-Security-Policy "frame-ancestors 'self' https://silver.users.skynet.ie";
            client_max_body_size 1000M;
          '';
        };
@ -106,15 +105,6 @@ in {
          DEFAULT_ACTIONS_URL = "github";
        };

-        indexer = {
-          # Will consume more disk space, but we have plenty of that
-          REPO_INDEXER_ENABLED = true;
-        };
-
-        database = {
-          SQLITE_JOURNAL_MODE = "WAL";
-        };
-
        # Allow for signing off merge requests
        #        "repository.signing" = {
        #          SIGNING_KEY = "5B2DED0FE9F8627A";
--- a/applications/grafana.nix
+++ b/applications/grafana.nix
@ -49,8 +49,6 @@ in {
      domain = "${name}.skynet.ie";
      port = port;

-      settings.server.root_url = "https://${name}.skynet.ie";
-
      settings.security.admin_password = "$__file{${config.age.secrets.grafana_pw.path}}";

      provision = {
--- a/applications/proxmox-lxc.nix
+++ b/applications/proxmox-lxc.nix
@ -0,0 +1,96 @@
+/*
+Once https://github.com/NixOS/nixpkgs/pull/267764 is merged this can be removed
+*/
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; {
+  options.proxmoxLXC = {
+    enable = mkOption {
+      default = true;
+      type = types.bool;
+      description = lib.mdDoc "Whether to enable the Proxmox VE LXC module.";
+    };
+    privileged = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable privileged mounts
+      '';
+    };
+    manageNetwork = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to manage network interfaces through nix options
+        When false, systemd-networkd is enabled to accept network
+        configuration from proxmox.
+      '';
+    };
+    manageHostName = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to manage hostname through nix options
+        When false, the hostname is picked up from /etc/hostname
+        populated by proxmox.
+      '';
+    };
+  };
+
+  config = let
+    cfg = config.proxmoxLXC;
+  in
+    mkIf cfg.enable {
+      system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
+        storeContents = [
+          {
+            object = config.system.build.toplevel;
+            symlink = "none";
+          }
+        ];
+
+        contents = [
+          {
+            source = config.system.build.toplevel + "/init";
+            target = "/sbin/init";
+          }
+        ];
+
+        extraCommands = "mkdir -p root etc/systemd/network";
+      };
+
+      boot = {
+        isContainer = true;
+        loader.initScript.enable = true;
+      };
+
+      console.enable = true;
+
+      networking = mkIf (!cfg.manageNetwork) {
+        useDHCP = false;
+        useHostResolvConf = false;
+        useNetworkd = true;
+        # pick up hostname from /etc/hostname generated by proxmox
+        hostName = mkIf (!cfg.manageHostName) (mkForce "");
+      };
+
+      services.openssh = {
+        enable = mkDefault true;
+        startWhenNeeded = mkDefault true;
+      };
+
+      systemd = {
+        mounts = mkIf (!cfg.privileged) [
+          {
+            enable = false;
+            where = "/sys/kernel/debug";
+          }
+        ];
+        services."getty@".unitConfig.ConditionPathExists = ["" "/dev/%I"];
+      };
+    };
+}
--- a/applications/skynet.ie/old_site.nix
+++ b/applications/skynet.ie/old_site.nix
@ -9,6 +9,10 @@ with lib; {
  imports = [];

  config = {
+    services.skynet.acme.domains = [
+      "${year}.skynet.ie"
+    ];
+
    services.skynet.dns.records = [
      {
        record = year;
@ -23,28 +27,6 @@ with lib; {
          forceSSL = true;
          useACMEHost = "skynet";
          root = "${inputs."skynet_website_${year}".defaultPackage."x86_64-linux"}";
-          # Handle any of the old php sites
-          # https://stackoverflow.com/a/21911610
-          locations = {
-            "/" = {
-              index = "index.html index.htm index.php";
-              tryFiles = "$uri $uri.html $uri/ @extensionless-php";
-            };
-
-            "~ \\.php$" = {
-              extraConfig = ''
-                fastcgi_pass  unix:${config.services.phpfpm.pools.old_sites.socket};
-                fastcgi_index index.php;
-              '';
-              tryFiles = "$uri =404";
-            };
-
-            "@extensionless-php" = {
-              extraConfig = ''
-                rewrite ^(.*)$ $1.php last;
-              '';
-            };
-          };
        };
      };
    };
--- a/applications/skynet.ie/skynet.ie.nix
+++ b/applications/skynet.ie/skynet.ie.nix
@ -12,13 +12,9 @@ in {
  imports = [
    # import in past website versions, available at $year.skynet.ie
    # at teh end of teh year add it here
-    (import ./old_site.nix {year = "2024";})
    (import ./old_site.nix {year = "2023";})
-    (import ./old_site.nix {year = "2022";})
-    (import ./old_site.nix {year = "2016";})
-    (import ./old_site.nix {year = "2006";})
-    (import ./old_site.nix {year = "2003";})
-    (import ./old_site.nix {year = "1996";})
+    (import ./old_site.nix {year = "2017";})
+    (import ./old_site.nix {year = "2009";})
  ];

  options.services.skynet."${name}" = {
@ -27,8 +23,9 @@ in {

  config = mkIf cfg.enable {
    services.skynet.acme.domains = [
-      "*.skynet.ie"
-      "*.discord.skynet.ie"
+      "www.skynet.ie"
+      "discord.skynet.ie"
+      "public.skynet.ie"
    ];

    services.skynet.dns.records = [
@ -53,11 +50,6 @@ in {
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
-      {
-        record = "*.discord";
-        r_type = "CNAME";
-        value = config.services.skynet.host.name;
-      }
    ];

    services.nginx = {
@ -86,16 +78,6 @@ in {
          useACMEHost = "skynet";
          locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
        };
-        "compsoc.discord.skynet.ie" = {
-          forceSSL = true;
-          useACMEHost = "skynet";
-          locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
-        };
-        "committee.discord.skynet.ie" = {
-          forceSSL = true;
-          useACMEHost = "skynet";
-          locations."/".return = "307 https://discord.gg/D6mbASJKxU";
-        };

        "public.skynet.ie" = {
          forceSSL = true;
@ -105,19 +87,5 @@ in {
        };
      };
    };
-
-    # Some old sites need a php pool running
-    services.phpfpm.pools.old_sites = {
-      user = "nobody";
-      settings = {
-        "pm" = "dynamic";
-        "listen.owner" = config.services.nginx.user;
-        "pm.max_children" = 5;
-        "pm.start_servers" = 2;
-        "pm.min_spare_servers" = 1;
-        "pm.max_spare_servers" = 3;
-        "pm.max_requests" = 500;
-      };
-    };
  };
 }
--- a/applications/skynet.ie/wiki.nix
+++ b/applications/skynet.ie/wiki.nix
@ -17,6 +17,11 @@ in {
  };

  config = mkIf cfg.enable {
+    services.skynet.acme.domains = [
+      "renew.skynet.ie"
+      "wiki.skynet.ie"
+    ];
+
    services.skynet.dns.records = [
      {
        record = "renew";
--- a/applications/skynet_users.nix
+++ b/applications/skynet_users.nix
@ -9,23 +9,6 @@ with lib; let
  name = "website_users";
  cfg = config.services.skynet."${name}";
  php_pool = name;
-
-  custom = domain: user: {
-    "${domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations = {
-        "/" = {
-          alias = "/home/${user}/public_html/";
-          index = "index.html";
-          extraConfig = ''
-            autoindex on;
-          '';
-          tryFiles = "$uri$args $uri$args/ /index.html";
-        };
-      };
-    };
-  };
 in {
  imports = [
  ];
@ -101,46 +84,55 @@ in {
      phpEnv."PATH" = lib.makeBinPath [pkgs.php];
    };

-    services.nginx.virtualHosts = lib.mkMerge [
-      # main site
-      {
-        "*.users.skynet.ie" = {
-          forceSSL = true;
-          useACMEHost = "skynet";
-          serverName = "~^(?<user>.+)\.users\.skynet\.ie";
-
-          # username.users.skynet.ie/
-          # user goes:
-          #   chmod 711 ~
-          #   chmod -R 755 ~/public_html
-
-          locations = {
-            "/" = {
-              alias = "/home/$user/public_html/";
-              index = "index.html";
-              extraConfig = ''
-                autoindex on;
-              '';
-              tryFiles = "$uri$args $uri$args/ /index.html";
-            };
-
-            "~ ^(.+\\.php)(.*)$" = {
-              root = "/home/$user/public_html/";
-              index = "index.php";
-              extraConfig = ''
-                autoindex on;
-                fastcgi_split_path_info ^(.+\.php)(/.+)$;
-                fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};
-                include ${pkgs.nginx}/conf/fastcgi.conf;
-              '';
-              tryFiles = "$uri$args $uri$args/ /index.php";
-            };
+    services.nginx.virtualHosts = {
+      "outinul.ie" = {
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/" = {
+            alias = "/home/outinul/public_html/";
+            index = "index.html";
+            extraConfig = ''
+              autoindex on;
+            '';
+            tryFiles = "$uri$args $uri$args/ /index.html";
          };
        };
-      }
+      };
+      # main site
+      "*.users.skynet.ie" = {
+        forceSSL = true;
+        useACMEHost = "skynet";
+        serverName = "~^(?<user>.+)\.users\.skynet\.ie";

-      (custom "outinul.ie" "outinul")
-      (custom "www.outinul.ie" "outinul")
-    ];
+        # username.users.skynet.ie/
+        # user goes:
+        #   chmod 711 ~
+        #   chmod -R 755 ~/public_html
+
+        locations = {
+          "/" = {
+            alias = "/home/$user/public_html/";
+            index = "index.html";
+            extraConfig = ''
+              autoindex on;
+            '';
+            tryFiles = "$uri$args $uri$args/ /index.html";
+          };
+
+          "~ ^(.+\\.php)(.*)$" = {
+            root = "/home/$user/public_html/";
+            index = "index.php";
+            extraConfig = ''
+              autoindex on;
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
+              fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};
+              include ${pkgs.nginx}/conf/fastcgi.conf;
+            '';
+            tryFiles = "$uri$args $uri$args/ /index.php";
+          };
+        };
+      };
+    };
  };
 }
--- a/applications/sso.nix
+++ b/applications/sso.nix
@ -1,77 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  name = "sso";
-  cfg = config.services.skynet."${name}";
-in {
-  imports = [
-  ];
-
-  options.services.skynet."${name}" = {
-    enable = mkEnableOption "Keycloak server";
-
-    datasource = {
-      name = mkOption {
-        type = types.str;
-      };
-
-      url = mkOption {
-        type = types.str;
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.skynet.dns.records = [
-      {
-        record = "${name}";
-        r_type = "CNAME";
-        value = config.services.skynet.host.name;
-      }
-    ];
-
-    services.skynet.acme.domains = [
-      "${name}.skynet.ie"
-    ];
-
-    age.secrets.keycloak_pw.file = ../secrets/keycloak/pw.age;
-
-    services.nginx.virtualHosts = {
-      "${name}.skynet.ie" = {
-        forceSSL = true;
-        useACMEHost = "skynet";
-        locations = {
-          "/" = {
-            proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/";
-          };
-        };
-      };
-    };
-
-    services.postgresql.enable = true;
-
-    services.keycloak = {
-      enable = true;
-
-      initialAdminPassword = "sharky_loves_sso";
-
-      database = {
-        type = "postgresql";
-        createLocally = true;
-
-        username = "keycloak";
-        passwordFile = config.age.secrets.keycloak_pw.path;
-      };
-
-      settings = {
-        hostname = "${name}.skynet.ie";
-        http-port = 38080;
-        proxy-headers = "xforwarded";
-        http-enabled = true;
-      };
-    };
-  };
-}
--- a/config/dns.nix
+++ b/config/dns.nix
@ -32,17 +32,6 @@
          value = "193.1.99.114";
          server = true;
        }
-        {
-          record = "mimi";
-          r_type = "A";
-          value = "193.1.99.86";
-          server = true;
-        }
-        {
-          record = "nuked";
-          r_type = "CNAME";
-          value = "neuromancer.skynet.ie.";
-        }
      ]
      # non skynet domains
      ++ [
--- a/config/users.nix
+++ b/config/users.nix
@ -55,11 +55,12 @@ in {
          "silver"
          "eoghanconlon73"
          "nanda"
-          "skyapples"
-          "generically"
+          "emily1999"
+          "dgr"
        ]
        # Committee - OCM
        ++ [
+          "skyapples"
          "eliza"
          "amymucko"
          "archiedms"
@ -68,7 +69,6 @@ in {
        # Committee - SISTEM
        ++ [
          "peace"
-          "milan"
        ]
        # Admins are part of Committee as well
        ++ cfg.admin
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -7,6 +7,11 @@
    # Return to using unstable once the current master is merged in
    # nixpkgs.url = "nixpkgs/nixos-unstable";

+    lix-module = {
+      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    # utility stuff
    flake-utils.url = "github:numtide/flake-utils";
    agenix.url = "github:ryantm/agenix";
@ -27,12 +32,10 @@
    ### skynet backend ###
    ######################
    skynet_ldap_backend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_backend";
-    #    skynet_ldap_backend.url = "git+file:/_college/CompSoc/Skynet/ldap_backend?shallow=1";
    skynet_ldap_frontend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_frontend";
    skynet_website_wiki.url = "git+https://forgejo.skynet.ie/Skynet/wiki";
    skynet_website_games.url = "git+https://forgejo.skynet.ie/Skynet/website_games";
    skynet_discord_bot.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot";
-    skynet_discord_bot_t-800.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot-t-800";
    # for testing a local build
    # skynet_discord_bot.url = "git+file:/_college/CompSoc/Skynet/discord_bot?shallow=1";

@ -46,20 +49,19 @@
    #################

    # this should always point to teh current website
-    skynet_website.url = "git+https://forgejo.skynet.ie/Skynet/website_2023";
+    skynet_website.url = "git+https://forgejo.skynet.ie/Skynet/website_2017";

-    # past versions of the current website
-    skynet_website_2024.url = "git+https://forgejo.skynet.ie/Skynet/website_2023?ref=main&rev=8987e33cb709e7f2c30017e77edf9161b87d9885";
-    skynet_website_2023.url = "git+https://forgejo.skynet.ie/Skynet/website_2023?ref=main&rev=c4d61c753292bf73ed41b47b1607cfc92a82a191";
-    skynet_website_2022.url = "git+https://forgejo.skynet.ie/Skynet/website_2023?ref=2022&rev=687a0b1811987cfc27c2e6f5a625c4d59ef577c2";
+    # these are past versions of teh website
+    skynet_website_2023.url = "git+https://forgejo.skynet.ie/Skynet/website_2017?rev=c4d61c753292bf73ed41b47b1607cfc92a82a191";
+    # this is not 100% right since this is from teh archive from 2022 or so
+    skynet_website_2017.url = "git+https://forgejo.skynet.ie/Skynet/website_2017?rev=edd922c5b13fa1f520e8e265a3d6e4e189852b99";

-    skynet_website_2016.url = "git+https://forgejo.skynet.ie/Skynet/website_2016";
-    skynet_website_2006.url = "git+https://forgejo.skynet.ie/Skynet/website_2006";
-    skynet_website_2003.url = "git+https://forgejo.skynet.ie/Skynet/website_2003";
-    skynet_website_1996.url = "git+https://forgejo.skynet.ie/Skynet/website_1996";
+    # this is more of 2012 than 2009 but started in 2009
+    skynet_website_2009.url = "git+https://forgejo.skynet.ie/Skynet/website_2009";
  };

  nixConfig = {
+    bash-prompt-suffix = "[Skynet Dev] ";
    extra-substituters = "https://nix-cache.skynet.ie/skynet-cache";
    extra-trusted-public-keys = "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo=";
  };
@ -77,7 +79,7 @@
    formatter.x86_64-linux = alejandra.defaultPackage."x86_64-linux";

    devShells.x86_64-linux.default = pkgs.mkShell {
-      name = "Skynet";
+      name = "Skynet build env";
      nativeBuildInputs = [
        pkgs.buildPackages.git
        colmena.defaultPackage."x86_64-linux"
@ -85,25 +87,14 @@
        pkgs.buildPackages.nmap
      ];
      buildInputs = [agenix.packages.x86_64-linux.default];
-      shellHook = ''export PROMPT_DIRTRIM=3; export PS1="[Skynet] \w:\$ "'';
+      shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"; unset LD_LIBRARY_PATH;'';
    };

    colmena = {
      meta = {
        nixpkgs = import nixpkgs {
          system = "x86_64-linux";
-          overlays = [
-            (final: prev: {
-              inherit
-                (final.lixPackageSets.stable)
-                nixpkgs-review
-                nix-direnv
-                nix-eval-jobs
-                nix-fast-build
-                colmena
-                ;
-            })
-          ];
+          overlays = [];
        };
        specialArgs = {
          inherit inputs self;
--- a/machines/_base.nix
+++ b/machines/_base.nix
@ -11,14 +11,18 @@ with lib; let
  cfg = config.skynet;
 in {
  imports = [
-    # This is required for LXC to function properly
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    # custom lxc mocule until the patch gets merged in
+    ../applications/proxmox-lxc.nix
+    # (modulesPath + "/virtualisation/proxmox-lxc.nix")

    # for the secrets
    inputs.agenix.nixosModules.default

    # base application config for all servers
    ../applications/_base.nix
+
+    #
+    inputs.lix-module.nixosModules.default
  ];

  options.skynet = {
@ -32,13 +36,7 @@ in {

  config = {
    # if its a lxc enable
-    proxmoxLXC = {
-      enable = cfg.lxc;
-      manageNetwork = true;
-      manageHostName = true;
-    };
-
-    age.secrets.root_pw.file = ../secrets/base/root_pass.age;
+    proxmoxLXC.enable = cfg.lxc;

    nix = {
      settings = {
@ -57,10 +55,10 @@ in {
      #        options = "--delete-older-than 30d";
      #      };

-      # to free up to 100GiB whenever there is less than 1GiB left
+      # to free up to 10GiB whenever there is less than 1GiB left
      extraOptions = ''
-        min-free = ${toString (1024 * 1024 * 1024 * 1)}
-        max-free = ${toString (1024 * 1024 * 1024 * 100)}
+        min-free = ${toString (1024 * 1024 * 1024)}
+        max-free = ${toString (1024 * 1024 * 1024 * 10)}
      '';
    };

@ -71,29 +69,23 @@ in {
      settings.PermitRootLogin = "prohibit-password";
    };

-    users = {
-      mutableUsers = false;
+    users.users.root = {
+      initialHashedPassword = "";

-      users.root = {
-        hashedPasswordFile = config.age.secrets.root_pw.path;
+      openssh.authorizedKeys.keys = [
+        # no obligation to have name attached to keys

-        openssh.authorizedKeys.keys = [
-          # no obligation to have name attached to keys
+        # Root account
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"

-          # Root account
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
+        # CI/CD key
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"

-          # CI/CD key
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
+        # Brendan Golden
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"

-          # Brendan Golden
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
-
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
-
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxHpsApRyCvuP2ToGm46G308Og8lO7BYPuz+EqHVU5w esy root"
-        ];
-      };
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
+      ];
    };

    # skynet-admin-linux will always be added, individual servers can override the groups option
@ -103,8 +95,6 @@ in {
      # every sever needs to be accessable over ssh for admin use at least
      firewall.allowedTCPPorts = [22];

-      resolvconf.useLocalResolver = false;
-      resolvconf.extraConfig = "name_servers='193.1.99.120 193.1.99.109'";
      # explisitly stating this is good
      defaultGateway = {
        address = "193.1.99.65";
@ -144,7 +134,6 @@ in {
      traceroute
      openldap
      screen
-      inetutils
    ];
  };
 }
--- a/machines/agentjones.nix
+++ b/machines/agentjones.nix
@ -21,7 +21,6 @@ Notes:    Used to have Agent Smith as a partner but it died (Ironically)
    ip = ip_pub;
    name = name;
    hostname = hostname;
-    interface = "eno1";
  };
 in {
  imports = [
@ -45,6 +44,19 @@ in {
  # keep the wired usb connection alive (front panel)
  # networking.interfaces.enp0s29u1u5u2.useDHCP = true;

+  networking.hostName = name;
+  # this has to be defined for any physical servers
+  # vms are defined by teh vm host
+  networking = {
+    defaultGateway.interface = lib.mkForce "eno1";
+    interfaces.eno1.ipv4.addresses = [
+      {
+        address = ip_pub;
+        prefixLength = 26;
+      }
+    ];
+  };
+
  # this server is teh firewall
  skynet_firewall = {
    # always good to know oneself
--- a/machines/ariia.nix
+++ b/machines/ariia.nix
@ -34,9 +34,7 @@ in {
    targetPort = 22;
    targetUser = null;

-    tags = [
-      #    "active-core"
-    ];
+    tags = ["active-core"];
  };

  services.skynet = {
--- a/machines/glados.nix
+++ b/machines/glados.nix
@ -26,6 +26,7 @@ Notes:    Each user has roughly 20gb os storage
  };
 in {
  imports = [
+    ../applications/git/gitlab.nix
    ../applications/git/forgejo.nix
    ../applications/git/forgejo_runner.nix
  ];
@ -41,6 +42,7 @@ in {
  services.skynet = {
    host = host;
    backup.enable = true;
+    gitlab.enable = true;
    forgejo.enable = true;
    forgejo_runner = {
      enable = true;
--- a/machines/kitt.nix
+++ b/machines/kitt.nix
@ -29,10 +29,8 @@ in {
    ../applications/ldap/server.nix
    ../applications/ldap/backend.nix
    ../applications/discord.nix
-    ../applications/discord_t-800.nix
    ../applications/bitwarden/vaultwarden.nix
    ../applications/bitwarden/bitwarden_sync.nix
-    ../applications/sso.nix
  ];

  deployment = {
@ -54,12 +52,7 @@ in {
    # private member services
    discord_bot.enable = true;

-    # for logging on our own discord
-    discord_bot_t-800.enable = true;
-
    # committee/admin services
    vaultwarden.enable = true;
-
-    sso.enable = true;
  };
 }
--- a/machines/neuromancer.nix
+++ b/machines/neuromancer.nix
@ -22,13 +22,25 @@ Notes:
    ip = ip_pub;
    name = name;
    hostname = hostname;
-    interface = "eno1";
  };
 in {
  imports = [
    ./hardware/RM007.nix
  ];

+  networking.hostName = name;
+  # this has to be defined for any physical servers
+  # vms are defined by teh vm host
+  networking = {
+    defaultGateway.interface = lib.mkForce "eno1";
+    interfaces.eno1.ipv4.addresses = [
+      {
+        address = ip_pub;
+        prefixLength = 26;
+      }
+    ];
+  };
+
  deployment = {
    targetHost = hostname;
    targetPort = 22;
--- a/machines/skynet.nix
+++ b/machines/skynet.nix
@ -23,8 +23,6 @@ Notes:    Does not host offical sites
    ip = ip_pub;
    name = name;
    hostname = hostname;
-    interface = "eth1";
-    cidr = 28;
  };
 in {
  imports = [
--- a/machines/vendetta.nix
+++ b/machines/vendetta.nix
@ -22,14 +22,14 @@ Notes:    Using the server that used to be called Earth
    ip = ip_pub;
    name = name;
    hostname = hostname;
-    # only required for physical servers
-    interface = "eno1";
  };
 in {
  imports = [
    ./hardware/RM002.nix
  ];

+  networking.hostName = name;
+
  deployment = {
    targetHost = ip_pub;
    targetPort = 22;
@ -38,6 +38,18 @@ in {
    tags = ["active-dns" "dns"];
  };

+  networking = {
+    # needs to have an address statically assigned
+
+    defaultGateway.interface = lib.mkForce "eno1";
+    interfaces.eno1.ipv4.addresses = [
+      {
+        address = "193.1.99.120";
+        prefixLength = 26;
+      }
+    ];
+  };
+
  services.skynet = {
    host = host;
    backup.enable = true;
--- a/secrets/backup/restic.age
+++ b/secrets/backup/restic.age
--- a/secrets/backup/restic_pw.age
+++ b/secrets/backup/restic_pw.age
@ -1,21 +1,20 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA kWC0Tr0nlHEelEzS9xAzZ5UwI1vTgeaBS+zQJCxHe1A
-dcVKgK28SA4abje/xfC2bqlDzrkThJh0hpsyCtfGPDM
-> ssh-ed25519 4PzZog H/hrMeDv4EmuSvR79vX7spZyF6t506ZKVHWHl4HN1wQ
-E4+skv4K1fTqG1cIbRqRr89Ti6D78wxEzap3Sl0UZU8
-> ssh-ed25519 dA0vRg SgmoRqftGwIG34Py02bfdEv2HlI6fPBiKmcBmz2VaiI
-DKzlODXbQf9xzUzJHlwtIZbGw3qG2ApfssEF1/nZe+Q
-> ssh-ed25519 5Nd93w Q8fxVcYwxbeXJzpKCOWH4/D3t8bWSUm9E4spASzIKnQ
-80fe2FiI+5OTojxu32OfFJwS3l/cMPr+5tErOr5wmcM
-> ssh-ed25519 q8eJgg zgw/JH1HOdTE38Cr/61gcGo6OruuFUCAUJ4wmNHSXWs
-l7ta9JGOwCZCjnfui2Zo3PVF+Ge/UoPL0xm5lZ0GGF8
-> ssh-ed25519 KVr8rw CcJymhaWM76X91C0ECPlZqaN2IARwxo1WMZRmlevnzA
-syAw8YySWxtDonZ5txKVNynCdziInCzy4u5kv6mH8PU
-> ssh-ed25519 fia1eQ 0ocrOjhQ+CEJK8Li3rDegYkMXkBpjAAStjgvVHGQx3Q
-YORVM3sEbE6PLVuwfMkxe9gYqTVVT7DGoG+kQcxaPiQ
-> ssh-ed25519 Km71ZA 9W2stpyr/9osFppfqBDjeDzZ6ltU+spmBoeWJ+I8sys
-C6DGgwvbwW0r1E3L6o7LUOnPo/n8Sl8tGzm3NlsXGcw
-> ssh-ed25519 3pl/Kw pm1noozCEdPbd4f8rkSD/gicvfWTEN1kvYp7TLb68Uo
-VH2XUbhIf4nYTmp6rkGt99RcI2xxa7F9QXmDp88r1CY
--- lNlQ5pwix455easITfJ8dztlPYg8Pi77sbAsOQF19dI
-‹#@3öá|ÈKíÛ%ké±xL,ò5°x/QTbz<04>ÆjÀ.”7ÿÏÇ-]‹2ñbùí_ ><16>éNëJamÀ¬^ë„áCðŒÒ]VvhÔ|<7C>ý¡¢D›Ì€"
+-> ssh-ed25519 V1pwNA mGy7a3SPHMxFaJ5S68jaRkPk16Ahxqp7C2YGnK6A4nM
+TrEf7fz6yY7G2HXNxhnM4v7QkVrR5D6vdh+eUVbWbdQ
+-> ssh-ed25519 4PzZog 5ixIvICVbbk2z8gqvodMAhCevBWdnfmpskWupnpMm04
+r33h6oeu1jQQGs3mP15xtbRq50FGpKwtbbqWbSTQ1jE
+-> ssh-ed25519 dA0vRg gUxwHHDBhxpYMxBE+UfTYJ4I8nY7cEdWG1XBSLLWtlY
+pNawroXlES4EyNZSUUiEPNy+WNdG9AnHnUl+7qLB5Os
+-> ssh-ed25519 5Nd93w AchMesYdEdLHtphyfCumqrdCRFABzNOEf7KfFgQWFAk
+Xnier5jnPDl9n8F5r/R4CjBoEvmwAJRLQWnoWoAudec
+-> ssh-ed25519 q8eJgg AgmUpmYT5z1qAFZ+uUY5a7huZ8Bhifs1ZuDBlg7ZJxU
+kgaKF9t8cEKBc715dNocxA3o+2dwpK8erRo42NzeP9A
+-> ssh-ed25519 KVr8rw AafFkG0axLsqGVs/k0DrzLFsKk4uXtqRbJIFhuAmj18
+shiQFq5ZznBovnNXWfTNvSVX/O1X47hK6g13P8r6xN4
+-> ssh-ed25519 fia1eQ AKbaMyAtdDHSpP5taXQQjaunzvO6yZuCOUjgV2+4iDc
+yDFZ54QNklvVHUD1AkiaQ0sntqiRxkMGZw9yos/IvcI
+-> ssh-ed25519 3pl/Kw KD86EfxdUwpfFW7wqf283Wmdw8o/qnVzXxTCrtNPsWI
+L1a9WXktp4a9s1GxF6O7VV14ZPQOp/VqwS286Dqa3Tk
+--- +jytGaOhLk0unuAlkbbtAFNde8Z+tKJ/3l3Y3tBgcFQ
+€¡VV÷õÍ7Pø=ñOý]àbZêëj§p¸QKaXIúµNl¢_vž
+ŠÐHsh3~<7E>F«ŒW/¿Ÿ<>ÝÌ ^áa\´¼Ô	#/¤Ú‡i[÷Üfbó¶•áúXøØ
--- a/secrets/base/root_pass.age
+++ b/secrets/base/root_pass.age
--- a/secrets/bitwarden/details.age
+++ b/secrets/bitwarden/details.age
--- a/secrets/bitwarden/id.age
+++ b/secrets/bitwarden/id.age
@ -1,21 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA 79HhvqifubFk4bhlUPgKbgSplC41o8/uZV27eaeM0SA
-mSJ2rkmOlgXyQAXj6pbFoajxCwPzKDBUWRPXqvHrW+8
-> ssh-ed25519 4PzZog w+6c3JxUfEkgvDz7pq+451XSGC64TCNWau9zOGajpjQ
-mEdXqG+GpaYVj6ICYPkCyA9ZRNmMtNsxWNeOpYOhkF0
-> ssh-ed25519 dA0vRg Iy3bkGWSkMvk3wH05ETCFqZzUIc835XyJGHXlfmG2VI
-ShexjmkSwsEgHR3uj+sftcB49zbp2z40Mi7NN7VYcII
-> ssh-ed25519 5Nd93w TM6CtcmxkTqQTP5UVD/1HPijQhMQsYdPrknDREwxtFw
-+ld4GvbKQSKAUwMYzDSxtZqiN3OdnWlszYVzOrMbU0Q
-> ssh-ed25519 q8eJgg UgE7W6Lf/jdlSs2TpZNX2wRTY3iwQ1MzZE7zAN5Abz0
-oYf9iiAeoVg4RLYWEvw5xyGevxYQiiqELw/NLiBCZWI
-> ssh-ed25519 KVr8rw ZtAdKYXNsNCo7MzfBlQrax/sWItsFQtEo/tESJaviXs
-Njql6s/+QtIbBmsbMYllDxodpIaBnRaMoojap4jUVwQ
-> ssh-ed25519 fia1eQ nIgFm64i5MPK/GvKl35nnXOO4hoD6+mFzJsFeB/6ICw
-bJoDOMX3ek/5lVLeI1v99C24l4EwFcXIFAAlTMJb+Co
-> ssh-ed25519 Km71ZA sTHVMQlRs5/xewuUa6yFjuqCEqmWlekSwab0z4OWJRc
-ExJw8np5XfBSSLo4cwwYoDoi/GxSGKkTn5rcKdMmI34
-> ssh-ed25519 IzAMqA N6d6EYxr2LUzuHrH83h06JE5MGPcqdAMixJH3GZed0Q
-+dE0EBX7jPvMv2qMI3mIuiM9TrhFYQwwC/+Ta+DiCNY
--- g8A4+bzRE56xnD8tVagvXopX6VlcS5iJcOcKTxC0ZGk
-¦K!î¡'Ì_*ƒVŠEJÉ‡Ê?Ë{å¨&’Ø\Aùur¹AX¦wgzãÆ ¢XÃš¨z·¿ôØ¤eðøŠì²N0&ÛÉµ$à$&Éˆý:‰
+-> ssh-ed25519 V1pwNA +Bzh++C1+jxdz1VwwhxPpO3XWn8fy7bsP2wX4mlQ63A
+1GZxY76fwUOo/t/XeoCOEuxxq+oiU8+GDaasH7VTOkA
+-> ssh-ed25519 4PzZog lkqPlBejVuYcBQwAZX96296VjJqyz3Q7J7O7OzfSDmw
+x+bGIiw4SYhEePIkF5PLK6KK7EJ8Iay1oQIOJ18DtQY
+-> ssh-ed25519 dA0vRg o0tqstSEhdxxdu4Bu8T/r8al3XJpIHvXp7xe8YNbJgo
+m1OKX0L8Nn6ZrXI0Sk61fe8JIRbh+os7p0wzCMtdi6Y
+-> ssh-ed25519 5Nd93w pYmPUfDB3HfJZDPgNh4Vmdu3UlTimrX4+EtUzSONyw4
+C/URv/SZEtUlI2SBPNTfni4oI+bsYZ/Wq3xilcS6mMc
+-> ssh-ed25519 q8eJgg k5Ml805g9vQ5Wv3hozSCAq8EGzvczTfpssrOeBlB+GE
+IxRgNIg7Xi1RN9MthSqjsHoaLpsFWoUVd9f+ak9Qm08
+-> ssh-ed25519 KVr8rw 5YvUQVmarpS4FgsFI8EFLz8tucmvs3V3Q8I0hT9q1i8
+Lifm2EUWhv5hDU9mwkOu4fH8zyjEtGXW1qVBbC4dfvs
+-> ssh-ed25519 fia1eQ sSzTT/AeSH5y4vyKt1Vl0bnkT11ZXINQi/pGU+M3oh0
+Qm0ktboSsC0/+HBCIsOu2Oa+EAdT/DlStNLRpC+EOtw
+-> ssh-ed25519 IzAMqA DhHry81R6JO3xWujL4l3uOmtqvdmk40srcWuXCU03kg
+L4AWjbf1+bNXSMfBpC6DTKU1hvql+1mIRemeHZCFXos
+--- Jlkn7bKGiezveI2e56iV/3B08/z/JxsJxgyvgZ6WhN0
+·Ô|’s<E28099> ÆX#Ïâ”˜²?ÿWÔÊÆîÙº«Wñ(¡ßåˆ@†L[^tŒní‚ÃhGc÷¢Šæ\¿zž^¡><3E>¤üå^D{*.! b
--- a/secrets/bitwarden/secret.age
+++ b/secrets/bitwarden/secret.age
@ -1,21 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA UWCmhr1Mj4BVH+0MJ2zBCRQMVYFK+eEp2AhdYTWSRiw
-EL7DlSXyemeZtJw+1SO+vSf2NGg/sPEz5r+p3OntrFo
-> ssh-ed25519 4PzZog HIqzyRkhsIgOgxBNZK1HBTBUIpHPDZEhIfo9zmXEqzU
-2m9H93js26tJJHwM4ce+8DH7oLf3zEBeQ3sT3zHpOP0
-> ssh-ed25519 dA0vRg 1W13Q5mX61EH31BM/FEk7l92Lo/5WuoMLo39wmwVjW4
-raNdTsgJcKlwqmBE+zVEjfL6VPyzHhcMpNrcl6Y6DmY
-> ssh-ed25519 5Nd93w 2gYsG5vFoosuvJo+O+eQscfyoLqYBxOReiT5kdV+bBE
-82ghrnctaXECGxn77VT6YfGPuDKwfh+dJ/+3/SBTA8Y
-> ssh-ed25519 q8eJgg vzSwKw4EzJksqujeJqfg+1YNM3sgp5Zw7Qld+XNS21Y
-65wJiSlqdjZm3Ps2Dg4DB0LzPLgwcYQvJgRvRkeblBw
-> ssh-ed25519 KVr8rw f2MjAAqmuw4UcgvjkRku9XX+SYqY6oAfgS1ayVDVa3Y
-m1nl/CW9GYaCyShT28JZdECirBJdfBoiK3V2tRBrj5o
-> ssh-ed25519 fia1eQ Zkvg9fYBubmg81c7NqEp9fRbSLm2WKVDil+DwnfuPlw
-NN+1CMVxAstqBT7qqAhL9whaEvyWgsNXgBOSWmjTqtA
-> ssh-ed25519 Km71ZA kfU2W/uwQORahVWcg1qYQ5Q2QhZnAkbzjv9As4fJfis
-w+rVDQ0oyLGqTT8yVr7mCOV+55dItAcALIa4ABw5bDI
-> ssh-ed25519 IzAMqA Ir8ygCowpY6f4egB9xqplPzP4mJFL1sh+JaQVZrtZEk
-y679U8nCE9L8seAvVypssgj2p7aZlIW2Q2TgQqHhpoU
--- Dh0JCQdTvVZYtwnzgqEl+WHxOTXmOzr4/TaHz45r+fc
-TÞý.¼0ôzY'”oaï.Èe-ßê%ñÕ5?(Ê|€ŽàuÌsýº;ÞìŒ*/Ë©Éw²Ð£0Vp–
+-> ssh-ed25519 V1pwNA ud7vkafWPnZmwU0gvby16a/lB4VVkUhVpqnwvkMdKig
+/PR7w91ONFOWIvObEKI+wD9XTxbjqQoMjlar9yqN8D0
+-> ssh-ed25519 4PzZog nttwEm+xO2qLIkb+FqRmDeqbdidUune5CdS9AvHCmUs
+raINPneffb9cQ6Zq3Jpwfz0MiIaTtoOI6s+1wB/S5t4
+-> ssh-ed25519 dA0vRg uuSSiAgzEPgfh+VqE2QfB+8fkJlnUJsffF5/3C4Ovx0
+1oFB/dDSQRpcETXb5IxYSqSG7oI8Y0i/myB6IaJqtUc
+-> ssh-ed25519 5Nd93w ZZA2ylM3mB4xjxMzLmrYNujWTcjVsgKRzIYVsmPSqXI
+30g14yh+pO4moRvnd9Xxe1/QQxmE2h2zHP9mqn8dULc
+-> ssh-ed25519 q8eJgg lkPUz5/vn10nmk03AeA1W/6fp3tfyrdLq+kgoR5Cjy0
+fHtjZtjYG18wWhhvZY3cn3FxxJiY41zQg16ltudBue8
+-> ssh-ed25519 KVr8rw E2OijEik9tPfGCeRe+XDV+tKHTOOxojVbG0esTKuLCk
+wXIOcUGlmF9GinF+Z81KQNiVACN2pthS1nwCK41IHMA
+-> ssh-ed25519 fia1eQ VIfFJCbkM8ZvKKXN3+ZjxXIgK2y9vHpFdQopX25kUAk
+utaTUdI2GBRxkDJT6qmxsdbGqjgSRP0ss4ZgQRQhQBM
+-> ssh-ed25519 IzAMqA WX0QlrMPSMMvv3KnbOedpKcQrarKBQLHRXThmvveGmU
+uz/jl2Ze8sdlCv5G6U1Dn5EiucQ1wlK4+/wwezX6jTI
+--- fLAcK+fEa833GdqAvbD+sIr2ViSHQat1WQgPook94Ag
+¬‹¬Á°xçšáI¯ê¿i*ÿÂXÊ|ÔŸ‹*Âž>€é!þK•‘GŸƒ£Ù7îoÍà)EU¡‰›7ÛU<C39B>ˆ<EFBFBD>
--- a/secrets/discord/t-800.age
+++ b/secrets/discord/t-800.age
--- a/secrets/discord/token.age
+++ b/secrets/discord/token.age
--- a/secrets/dns_certs.secret.age
+++ b/secrets/dns_certs.secret.age
--- a/secrets/dns_dnskeys.conf.age
+++ b/secrets/dns_dnskeys.conf.age
--- a/secrets/email/details.age
+++ b/secrets/email/details.age
@ -1,29 +1,25 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA sW9NG3ZnVZ7XN4iMceA+WNwEmGp5mB8fYRML4JMxTx4
-Ugwsmg4yXfq9YH99RoV2MymOyhHn+WEFbhSq3jOS+Jk
-> ssh-ed25519 4PzZog ncbPVDYkLeBV89U+YKVSGRyNDIdLDuN/YV9AiGcYfkY
-rifseFii9IZI6t2cDfhi1GXQQRngI8IM+3H8znbMA/0
-> ssh-ed25519 dA0vRg ZU44BDl8VU2ri+qNYEEj8GF4x4gGUQPnr6YlFA5itGk
-zV29wfmrtyxEU1JFEm5P7pfkWwzmNpXflfLRsyZ3vCA
-> ssh-ed25519 5Nd93w BCqKxqNscTU2iEm4h/78KCzMjRWtHlO3rwZZjq2lJFQ
-Y9yLQ33RvcO1g3a1q3w47Y0kgg1NZpdlYk34LrZ69mw
-> ssh-ed25519 q8eJgg lWbDTedbgvxvGpMPDWdrghAKO3duh85kaOR+7xsPd3E
-MzwcVM+gzJ/IApGVZNNM+RuYp7EKZyxCDjRkipL3aYU
-> ssh-ed25519 KVr8rw 8vJTA9ABfwuZyFwhFZD4n187b6gmq7zCLALqp56mFyw
-iQ4MtJ1YtYycFi8qCs4N0/nIXccaw2swi9yIvOLmVmA
-> ssh-ed25519 fia1eQ hZzB90WDGom3oaOlWlcBg8iAMAfbZGyosgFIa8AiTWI
-HekDEc26Y121KRtKLavDD1xKcaClVgn2tGPrgQYWQBo
-> ssh-ed25519 Km71ZA uunwnxdg7A6ZGTbV51r5XL/2hJN/VFIUas0TVxid0Xc
-zGx6iHfu+rZ9WbtIITtzDk0nzkFCeIRQpdRVoj7dj0E
-> ssh-ed25519 IzAMqA 17lTeNgkOhX6iOPix/YeKZyztDHYLu6OIjZOctANpmQ
-fu8VIba1ZNy3QvnVk3bPmCA1n6/dcB02epAs0GLb6zE
-> ssh-ed25519 uZzB3g I0QOJAnUor5hnoKDlFeSuW82o94zcWcs6VvKTq37lVo
-S6o+cem4L12E8V/DzbvL75azwrhLgZJXkxWXuCd4+Z4
-> ssh-ed25519 Hb0ipQ cEsppH2jMi71R0513L/vq7MaFYYWiRrWZKricdhW/H8
-IvRQejJ2AOQAeWUumh4an0LUSBJYMMnOIr9PU8FjYiA
-> ssh-ed25519 IzAMqA cL7V3gfdSkpHtkcDhaH0ATTWUzBir09Xhe91wlaGJ14
-GU8IQvHlwyBBONJKufQRwEr7nZy6y36XszV+E97VA94
--- Nq7IuDZY4GM8UBq0wdEnn/kZEJRdUlmqR75SlX75Q7w
-oÖT·¹ëjˆo¬çÅ(Rð«Z¹lðmÑ’&f¶›7;a8¦÷B£€ò|±û‹ù«Ó”B/l”ª
-îÉÐg#˜L’›ò†‰"‹Ù/* ¶,aÜ…ã€.f.QÄ
-Õ“¨oEÃM×V=å2ä¦q‘÷;IawkFØ\"	Ÿç±Q¾7$.`MûR§XúÛ°
+-> ssh-ed25519 V1pwNA rR7/KSP2skc5HZDN98g30IIXuNDJsghQWfyVF57glW0
+oSpYnVqLObrE/MQNHonzOmpGk/BcDyMxwPPQauUB8Zo
+-> ssh-ed25519 4PzZog bUKm5Fqx40JQ/8BdJvP15xQvIjwTAxuAqsoPIAyRDi0
+xGvp4hTdaiqD7cxjJTjmJHgehY8VCOVqvvXNIQoGrRU
+-> ssh-ed25519 dA0vRg Ty2EEwt35A8ZigOkVmYlLgXbMePI3WALtM1McsFtQnQ
+ygu01cCNYlaW9e0APNrDGPjfJE1KkNq1nqi5d6fwqm8
+-> ssh-ed25519 5Nd93w UwOXbO00n1/2pxpz98BZ7yIaEr1PXEvOg7F3Nl80yTY
+E2VbVQXngXUHUQlc2P6ebU0/anioRu/EZgpdf/N8/Q
+-> ssh-ed25519 q8eJgg 82IpLMlE/9Wp4fD8PHIiKsff9jJYJtoPF58xCnb6GAU
+Ip27egoy6jMgvvTRg6q5NXeTlv9EFhK9PM8rCFu8LhU
+-> ssh-ed25519 KVr8rw xEE59aHcuIIB/5pbH3bZuZQ7W2CDUCoyT6EmdOWiZ2s
+2uaA7Nx8DNbmGvY/ns/DRHZ1zTZ+JifkR4eVtSzCRd8
+-> ssh-ed25519 fia1eQ /YtGDHVjZTzDO7baOphkGvY0zCgElNT9UMpMhhjFCEw
+03+ungOpBCqgTj/kyH1hz1LWTHSlkZ6Qb0c4i9bwOZ0
+-> ssh-ed25519 IzAMqA kSa3Kbz9SyIe1pXTBi39RxVMi6QQV0rjAPgdbEmmJRA
+SO7M5B6LR1aZ8r7mFjFAF+Zl1tlsq3j/3/BVkSPWFcE
+-> ssh-ed25519 uZzB3g 1WjjfJ50NZO2C7qKp4WOtDHEUlkF0CFmiehMsY8/6Wk
+TP6FwDJp0nKd+FaB0tnZa9XoD8tQponT8wK2xZ/k/A4
+-> ssh-ed25519 Hb0ipQ vRwS9w7tO0yryHoip+sqbsD67lqXLD+6hJDNi9YClAU
+NiIy//77gNuQ9UJgvt1UPqD99QJzfbh4WFld7Ln0GtE
+-> ssh-ed25519 IzAMqA J5spaIE4OAKJsvd1hOy3M2cCbmAG0/9l0dsnKlZfxi4
+RT95kFe4vKr0HQVz+6Gfm7pat7HvSahle2zMhEaQ8DM
+--- ag6/92VREDBr8oQUKcFbj25qK4gcMdHa+ej3hf+igbc
+År:ºûÛÓfÆ)sºûß;Ë²fI[±g<'òª3rûÃrœõ’Åk×™‡âÝB™º+c‡WÌç|÷ä˜¨~ŒË”7ÓãªãÏµU<C2B5>}ì	ECò ýÊºžq!jÉ7¬Å1VŽ¥Î®<>SØ4ÿG8i9:™ßíHl9VµDmnvS¹Š
--- a/secrets/forgejo/runners/ssh.age
+++ b/secrets/forgejo/runners/ssh.age
--- a/secrets/forgejo/runners/token1.age
+++ b/secrets/forgejo/runners/token1.age
--- a/secrets/forgejo/runners/token2.age
+++ b/secrets/forgejo/runners/token2.age
@ -1,23 +1,21 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA Lw89KnIDDurZQ0UaqDS1utTrKCGXR+Uxs3od/5n09io
-1JECYcXRBNWwzoagvEKeoWoW2d8da15eWPfTD8nKqX0
-> ssh-ed25519 4PzZog LB5CnkEPX2RH8vWdD15KMs/qgNbw3e7G8qCV1CMf8kE
-pO77W91WR/8MRPLIuJrLk5ib9CPp7xHuUmTS8fmQ3KM
-> ssh-ed25519 dA0vRg QhtuGTY1MEpEjRahnU3WtON6Xda7y3HvGXpB3HcDfBk
-6sCAQhU4K2nQ5pMbGYY75TKUXxZ4BKHCb6sOHMAuNEA
-> ssh-ed25519 5Nd93w 2QcbhnmxOkTrRUMrHR4X3spMUnsLXN9DDnh49qFAYx0
-SD47vo7tOPWmvXR2wTj+BSsxJUqnlXOu8HlTEOExeC4
-> ssh-ed25519 q8eJgg 9TqmbSDG4KOl14FNZmZKFZ5Q/60K657phquz+qpIgyU
-odOvsccHqgXoC7WgKcFjJDm5it9ZGm5ifjU2pt5hQZ4
-> ssh-ed25519 KVr8rw w0fZq3VUrN8wi4UrhMUfrviUiaWl4Ol+tbTXN/urISs
-TY+dO2Z6TmN9DBPuo1vyxgeXbDcqZlRoP+Q1IN6O/ks
-> ssh-ed25519 fia1eQ 5Aqk1jkUQkomeBioV7LAPMzurJ1dHdYHbzLHXH7mrRQ
-j+7aPUOeJAI10FL4DjXKlYEkC25gM7TNy/X5vFk68+8
-> ssh-ed25519 Km71ZA S9le6/bZxnkPVuCLqiYc8VMk8LXlk0BVJUtJYc/CmB4
-DTjvS3wBo+RHy0klprrgKS1wYAMAkfzPkpw/ip7KwpE
-> ssh-ed25519 CqOTGQ xba3GuenbljaFEcgaX5UknPWjJSyQOMBaJSGk4VHZg4
-uzGnhgquJHT4+0zop9wNg6Fm8ka/9Ri1yPjw65VnGtA
-> ssh-ed25519 uZzB3g WaU+50ui82IQHobA1QB62WX7bnjgxSVy9LAGjYifuHI
-H0O4GIRchLil79zqim5v46RT8Xbu5zi0dKSRPiT6kHc
--- vg0SOy4LbcYEcxJMe6lbREFPPcxrRI/dJM7Lx3VC1rQ
-b–x‰â¯mVâ^hŽ0•Þúl@ƒ^Áôô–›ŸRy€ñS\rÈéÐÕµ;œ@™±t~U«YM)‚œÃAø?Æ²<C386>WË¹m,1I“
+-> ssh-ed25519 V1pwNA DmSENr+7db9t/epcMdOAjr2qt4rSHWopkuS3/xyz+xY
+ClfO4iYTReIp6jvUBqQutkXx4XRJ++u8EsspNdDZ8kw
+-> ssh-ed25519 4PzZog QzQ5iPiSSruoDS+PDNI+/6PnIYEnnFTvnrxK4W2ZK3Y
+iTETtsauc6clML06hoMr7kinsOirURTECfB/PzJaFT4
+-> ssh-ed25519 dA0vRg UCPTgYh2/8JTajlTIgvk64eKNNMHe4ZxIDILxIGAL18
+Qj0ZS/iNwusCONf9Rh05ftd4cHSmWz7bLZ8HHtQewMo
+-> ssh-ed25519 5Nd93w D/87p469o+CW9TOqQb4C+3a9+xRvZ4bzk7vr0wXhdRk
+E/uvMfpOPvWosWS4s18f+xmexQcpJ0NED1N35pL5IjI
+-> ssh-ed25519 q8eJgg pSW+R1LjAdCTL/ys1X93jSSC+ga1phB8iYqAJ1Ic0yw
+IFl+195woVbHjz23w3mxBPkjtbfke3C+jYacWWKOpio
+-> ssh-ed25519 KVr8rw KfPs+1IA7M7dYqkUW9vty+xl/8loMZDgVFee/ZR+F0M
+mTK9yjQR18aKfw/xEdfsnGXPKxqDi1bKPj2mLtB2Xg4
+-> ssh-ed25519 fia1eQ M7nASBk9cGmZmMHf115JAazAEx3tS+sIVB49KlXltWc
+YJ48iqVSJQooltbXvw+olKC4ZZt9a92TR2uQ0xROAPY
+-> ssh-ed25519 CqOTGQ CeIqatgAbFS8oNy3fOOJdIkLM0X9AwV2zbpQHcOcICM
+qAHOkFsbM5fTxcpLFz9Iz16MVBA1oVqlxUADrLxDRrA
+-> ssh-ed25519 uZzB3g eA/GpdA5UKoleGcq9BHwj59Hz86YX7oF3LoG6zZ1ogE
+sIs5D3s72gVGglG37S0eDLUTEzuy2U9Nbi03aOJ3W4c
+--- rkCxZNLeKI9HMNZnwiFRaL1AsIUYtXYJT/YyJ1UMRqc
+!VpÒ-p®<70>|ô†ùÞÞ_toüÎáUÈkÝïútÓ`˜@
¼ÞxzWÚº³•G<E280A2>üîF÷=Ë]i»YÌ;YOiéÌ}¤J™÷/Ö,
--- a/secrets/gitlab/db_pw.age
+++ b/secrets/gitlab/db_pw.age
@ -1,22 +1,20 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA eBmTDM8WFdWOVP2Le1Y4+CZOeSg7e4xcxz0eYuxUWkQ
-kXjJVAipfCM1Dp8bsbGK8oul9M0P6BLfR6uAC/MQEQI
-> ssh-ed25519 4PzZog Q8DfBkyfVx6p5mrG4yrg7KGJCDoNzWdK7p9p/01OsTM
-xEf80sJAlQXlIVngSZJWI/TNG+EXonJoR32duCOXByI
-> ssh-ed25519 dA0vRg 5BeYWRbucBHgT2idvjbvffbsx+74xbVRk05f2Qg0Cl4
-56nJgkCp46o0XbBCwcrF5pyEHnlbvZ37tfYbKVjxTOQ
-> ssh-ed25519 5Nd93w gL9Qox74O8yoM/a111CKQLaZDXkfwhrjth1PzaGrnTs
-F9uyWwr0VO+87bejL4vBsuLko9bHNS626IH5hyPBkoQ
-> ssh-ed25519 q8eJgg ql4rSMWPNB+MXNl4cUNC5TuJFYjRv6G6RvXqRLDdtHw
-vmJbCOvWOM31FScQQgZXSBNEYh7O08RD8ZO4TZtgu5U
-> ssh-ed25519 KVr8rw oE4h+ZaE+/VDLAuvBDsMmXSHDM89vgnFiomODKRGGU0
-j7Xh0YMOhNGhYnl8K1L+mhkuZqHV3oi0noVirHIV6sc
-> ssh-ed25519 fia1eQ guH1BFGIkSyaKjP5QTOLIYgtdMdrHTChZdv2uXD6qgY
-SHlvS6Xdzsld//ANiSDHbGMrBp4oUztRqRJyVaUw+no
-> ssh-ed25519 Km71ZA xP0F1MFUkOZ1yNdBbHj1+qA/E6xM6YJjcBccVkV3rlg
-A4JFqXV27j0yju5irMf3lBBQE3fIj7WHK9bzvxZhJxU
-> ssh-ed25519 uZzB3g Aikhv5OldExETFRpxoeTx5NoHsZJAm2TAzne9KBr8wM
-2BSDOfseGgPiHtAHWUIA/rp9uWAPdCvMsvWHRkkFPro
--- gYotGSlSz4Z/ZrzBWpDlP5Pv+Br8WKNrbibDsvAk1uo
-;×¾õÜKÄo"ˆC
-ëŒsçOs<EFBFBD>E&&JÄGÊ‹m">Åür€iÓ¦NlQsð.¼bìj8Kî4@îh¬òA”¤‡Öµ„Êµì½Á(ß³‘¡Y·ûÙ… ÛÇ<C39B>ºq±<71>üwU×<0C>ZŸ$L¿Ý\Z:³°¢ìK'"ŸÛ€Ä_ò‡ñú³\<5C>¢'¼·^˜Th;˜ü®{Üµ.<e‘
+-> ssh-ed25519 V1pwNA TtxqHD3bJI046SXF61CKfpDRI+HHTRpc/iznIMdQiUs
+WWgm2OdnPjj29tIrAMa2sJCNEaR2iTAl/hMfPLv2QoY
+-> ssh-ed25519 4PzZog 0I9h+D7DjRwupkHWDUKIxJlVBUWwbCTR1nx8UcEm6Xg
+NIYzimYGAo8ou93B/tzjmB1K7hu2tXy4XMRiwlDqI0k
+-> ssh-ed25519 dA0vRg 1U+1fUueu2k7FaY8GVN4BAbiF71OvKbGOC4oZ4mV3ko
+/fKxmEFW/L9A/1fDIteeTcz/SOv24HNct88oakdAkn0
+-> ssh-ed25519 5Nd93w IjwMC1ZruM915vwA+lExdIq/OFT/4SlWgwOm9xgUPAQ
+mOOTbPdcDjORB1GhS0m4/p3MA6TfHXzWXvAMzKhw/n0
+-> ssh-ed25519 q8eJgg mODUrCPf9GAix0jaPaKUs4ws1D9BM4huHbK2mst0SH4
+7qbxM/Wa9pMpB7TjQZgBojXR5qDJUBZvplsrI6EdSO0
+-> ssh-ed25519 KVr8rw ybBiUHmEOyesWxdTEa1LPwI5J/PQaxYi02QJCAuYyGA
+LoRQ15hQdVGLj9pJY3TabBFhtPGBvU+bnAa2dzrkOY4
+-> ssh-ed25519 fia1eQ Qu2RTOQiZY9i2SDs0NVlA1zcert0oFcFA3mXDDl59G0
+6akg1POXrvIrzITX6B8yTDw3cCqlxsD0k40mYnv5r/Y
+-> ssh-ed25519 uZzB3g xNdZ8eSTFQZ/RcrNR4BpedX2pfceZwPjvgt9Wd8rMwo
+kMxoKyE0bjXEZ9tNykOUMZ0uHkqdx///QJB5QnLRhcA
+--- 1DKMo46SYm7JlzFo3nZwtaK21TFmapfXqxXzxMXWb0Y
+8îé˜Ì‹}æš,æÛ^mmîH¿v`Ž#ð‘?0 «à¤Ð>Ù‘Xï¹;Î»åLÇV’8°=]Ô¬¢sEœˆéhÓâÉ‚Lè(ƒ`ÔýÇ"žZKîc¹1¼.|GØåóç??<3F>eÙÈp<C388>_èã™ËÁ‘¹ìÛ¤ÖÆ
+äá·ŽÏzéùë<>uPåqÏª9ªS«V¶évÆ~§I4õ
--- a/secrets/gitlab/ldap_pw.age
+++ b/secrets/gitlab/ldap_pw.age
@ -1,22 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA dHoon26BhGIqe6TjYS7Q93OC2vhr64B7ofHzX8FiJxk
-EcH7j44+zOHBcJOw0AwpziXtUPxOH//MGacSa7rDNT0
-> ssh-ed25519 4PzZog CrrMq81Ep/Gm9qYcZjRJ1IpXtFGp/1XDfBCB6OSGbiY
-gJ+PFL0Sx7izMk54jJr3LPvfZ9DMQP5/FjAXkRw/mkc
-> ssh-ed25519 dA0vRg r5S3Fqlmqeeeu75r9COpp4mS07YWY0HP11zby9AjCyY
-DGkeIp0M6dIA4WM4KYVZiwalHjou6qzLOFUnksIPU2Q
-> ssh-ed25519 5Nd93w bm2DM8tuydnEqbcM7/aMgHtU/cnnfENGHgMgXPft414
-7bFV4Mx/gSaEM7+rJbqjjuod0U7tl8ODbK1+qY7gtmE
-> ssh-ed25519 q8eJgg 35Ce/4wweXHadDG1ryl1d53G7IxEOwOFQATYgC6WzBY
-5va0fHjZXbH/2ZAFioTcmyeFCid8vrgTFXK6wR/ranA
-> ssh-ed25519 KVr8rw dyfXPAGfWlbmjpiol87idweWsU/c1v4gwq18Y/4oZBo
-MiuhfBeQeMlHsi7hz0OgOiLIbFjeSaUoJ+xlIHkAmpY
-> ssh-ed25519 fia1eQ +GTfP3+0hcdmM9qtZvUw2bZ+32guClfXwRTfvOg5Tzc
-8gSAdoh1DRoiD6KTpm5F/hFvT02/3bf4ayD/dICjpTs
-> ssh-ed25519 Km71ZA g3doqjZJ0GP9PgkZ5l/ePPxI3gyvILvrQAx4En6r2kA
-O2lJGGq/LLsjtzwnfyUSD8Avw+5KbuNGd5XA8FwWJOw
-> ssh-ed25519 uZzB3g 79FGgQhIwzLPTKUBhv6RdT3RqBe+JRb3DYLPt5mAPDg
-gp9dUDfNPnhAX75SJhFxBmyNdaH8umAQcYzjBHkPEoo
--- XZ+0tCvAK9SgY5daynCjTqE5M0N3ip+wVIg8o/18AEs
-`ÁT6,NH]ÝÄåÒ‘ÿ*q»zíC«'‰€T
-#\ÔL‡b0zðB•«Æ
FÌ½H@	À†·ùs!"zêÁÖ«ë8Çj}Õí%ÐFEiÌ	ä…ŽB¬–fü@†A˜›JµÚq¨}cÀUC=Ä%s¢&lbpË€\<Ühx1K&ñ<>XÌ¥3Li˜¦¬|—Çý(_°Ô2©ËX’g
+-> ssh-ed25519 V1pwNA 2mRcx22kddqldRvOQY7i32z0sMwCuGlbCkJJ8vlJKDY
+aL+OgWP6uTute1b5dlPG5Tz12KHeFlCG/Su9+MBTceo
+-> ssh-ed25519 4PzZog 67PxsXDuqXhmcyvNAu2jZrDtd+XgUQnEakPw4pR150Y
+nOCZQmAhHCptlAz134hin/UKKpuIL+ueRJ7Kzhf5Aiw
+-> ssh-ed25519 dA0vRg tiN/eg2X6g4x6KndLJs6ze8i8brhXcsBqP1ZWq2s0T4
+1lx0Qqo81L12eIG4XfQUWYgpimEfgaPweZQ65GTHSaI
+-> ssh-ed25519 5Nd93w Iq6wxlnODEkmZaYpf1s3XxKmROa/JwXLdXOtCpXuM3g
+0oENjjsAh2c5tIHNEghw1TE50xRfU5yWHnZenYT2UgA
+-> ssh-ed25519 q8eJgg HrJ8YlZTp7YhRpKpv5ZBUbxv/777ATRtYzcbGH1JVhI
+Cytu763lKuwmLLUhFJo8VunzHxYn75YRLiN3vnhxyL0
+-> ssh-ed25519 KVr8rw s60G0Eusw0rEW3woOFeE++5C4vI8L6NOUXATml2egBo
+tPGsNcE3H9crSOCXCkktBzjRq5JyaGvgmx0ZIs3ehOQ
+-> ssh-ed25519 fia1eQ P7oFu5pYYdJu2fcqTYbKuENBWiFnNVQxg2N8QAXNVhg
+aZUyPG6FpfFo7GixaofYbCeajExpKFME6PBb6fTzk6s
+-> ssh-ed25519 uZzB3g hP2SPeZNhsmePX55N6g4Y8q2KIwRONPBEAqSp273Mzk
+y2c9S06vYQl9v0G/7IrbEx+kGv3DOnpz6+9+vo1o1wA
+--- 7prlMrCmXuXHtiD1+44Pg0LV05OvyIEF9fYkCiLEv1k
+_Á2¾":GËoã<01>‰*çë.TÀ5 .Ð(Nö£4OS6U1ø	ÅCáíµ§ÂÒcO§’á·[Qèýä¥ZÈäŒ#I›Ÿ1	<09>cÓ<>M;÷/~Ä`=ñ&²'ü?ºn}<7D>e#ž/°›µqó‘ ÎÛ±`xj¨¦¹hŠ:û¸?´Î¥Â/±æÜJ3 .‰ÞÿÀ+ÓOxkÑYâbkdÏ<64>¿Ï
--- a/secrets/gitlab/pw.age
+++ b/secrets/gitlab/pw.age
--- a/secrets/gitlab/runners/runner01.age
+++ b/secrets/gitlab/runners/runner01.age
--- a/secrets/gitlab/runners/runner02.age
+++ b/secrets/gitlab/runners/runner02.age
--- a/secrets/gitlab/secrets_db.age
+++ b/secrets/gitlab/secrets_db.age
--- a/secrets/gitlab/secrets_jws.age
+++ b/secrets/gitlab/secrets_jws.age
--- a/secrets/gitlab/secrets_otp.age
+++ b/secrets/gitlab/secrets_otp.age
--- a/secrets/gitlab/secrets_secret.age
+++ b/secrets/gitlab/secrets_secret.age
--- a/secrets/grafana/pw.age
+++ b/secrets/grafana/pw.age
@ -1,21 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA sIoha/7vcAIuauOaV8gQA1spz0NZWfcc4rr2zgUP2k8
-+XELN1EFpMnDsVYgPnSaRm4qduSY+80RCfEFnBPCj/0
-> ssh-ed25519 4PzZog ffub2ZpZEkysUNemtue5UroJj+/Oxi+nIstX7/txi2w
-MsvvInOvekc27UTViomCZbeikTKm1vqTKsanOpeSQ8c
-> ssh-ed25519 dA0vRg ymDF91ZONYNjDV5Gktf0at2kUkfYbPSja9iWOqcBxVk
-gw7IgyRSVKfxeebADqYH7z+TZJcWIMS3g14U3FrDS7c
-> ssh-ed25519 5Nd93w n17TARvCsIOmSp0WjZQEczLCFsAVYf9lDlJDdZeqzFU
-gRRE87qCSiKevHShj1k0bw+kwOVblwhMGh94WRYdqIM
-> ssh-ed25519 q8eJgg 7ZJM3hSRIaQSpMnE594tD3qsufP0IwI5ngmitx/SW34
-Yibvj3cTOT6TOHSFBgeBwpXbGNFjeYs+oNjbfP3GRgc
-> ssh-ed25519 KVr8rw O8njcmXqC4uurmzk0MLECH/pVlVqA0dqM9uL00vKlls
-h1dhNulCkCc3O8GmNSt67dxK2XhibTJHxx2loo2Y26s
-> ssh-ed25519 fia1eQ NE6qJvq6AK7bIlbq7QSJqQwpGv6cgQFv/L/6MXOQUzI
-uk1G8a1cECFkjbt7bjcXOYQDHcTBCQwhyqcTg3pIC0o
-> ssh-ed25519 Km71ZA wQh+XFb10AF8fdeDGM3mMJG6N43ej48QML69Xa+xFHQ
-eDuMG3MT8EuzS+QCAHLUi1NhRWp67jJamSL5iUQKi9c
-> ssh-ed25519 IpLDOw wTE9a1YrhG1NqYTOBoihrNH3xt2fKOmGHvx5liEfeHM
-Rv9+kBZamBTDS8XGRaTsuUW/t6p5kYnbfNyyZY5n590
--- 2HVyulzZ1Z3kQSSDH6HN/mu8uT+u8yohmt0bpe/VNQw
-ŒM\$0ëÁgÄiºS¹mŠ¦‡lgÁJJ_yJª»ÓÀì<²¾.l<¹“‡cÁ<1E>~84•v¼ûG²´¹Pû$ª	Ë‰N°{ý5c
+-> ssh-ed25519 V1pwNA CGCG7vFUJ9hUdJWRax68aDpHZEREFnrjo3expN7oUTM
+/eCKERrmnmceosD45BENTxtoyLmjGmGVvxkGWAtCRyI
+-> ssh-ed25519 4PzZog DSUIoivSmbzN0AvKIPXhtjTBft9D9AaRioe6biuh6XQ
+XlV7xKGi2BY+sCgJCEiSB9AlpXFoQnbeIxKxNhPRetY
+-> ssh-ed25519 dA0vRg sYBG5Ld7lMw+cm5zUgVR9Bi8YVwDrRglII36Tj8Jfl8
+cQMY6UyMrRtfoU6mn0pg47Vf4DB2KcjwiRHEmvU/Rmg
+-> ssh-ed25519 5Nd93w H3k1nFMs8wkqsVKzGp3n4CE7MuyxJWRZ+xgSgDbnuzw
+2fff1rsfvE5NikWjF9gkvHuthgLKLOey3PebYG26yNs
+-> ssh-ed25519 q8eJgg UR21V4UAJ7/ALE7IcfMVYO3mD2jbanhBu1fj1iEjpBI
+8Yl7/sLlQmCvGJvKZt1B4lJMSnPt6gHi/k1u6Gm2sII
+-> ssh-ed25519 KVr8rw ur14/Gp1Z9ODFFVaUf50i4+ELKy9RHmsXjbaj5h9IGI
+FTZn1ZuBixaehBW3hnVjfXrt2m8co1KSp5aUTA+TRdg
+-> ssh-ed25519 fia1eQ 5bmpon54otL6GnIhyYT7CbLuCR8vk0td3kPBGxsSWCU
+PSngrN6yQODB/Vmu8ka3vvDv5DkShktyOWrhzC9K1LQ
+-> ssh-ed25519 rmrvjw J6YtkhTuDaUtc8LUp/zfvQD3LST00arsbe37bZw4nAY
+r3TDmtyB0Cc7Mx8EXb1yytvpF3+4//6cy4jkK+cWTls
+--- mSjAJK/sd2Qj4Ffuee/T5LTADcNLVTCcKL/4VlqZvd0
+RêÛÖU$ìòži‘ŸU«áXô¯Ís<C38D>ÁÓòñãfá—_âƒo/’&cØ&{*¶‡ÙŠ/äh¬Â\œßLµ[%®=,Qòqè
--- a/secrets/keycloak/pw.age
+++ b/secrets/keycloak/pw.age
@ -1,22 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 V1pwNA lV3ABJKTunaYK+s7681CNJBvp0JM/OhSSnkQ2pF5lGk
-VokFm+m3stF3HjebxOBmIiWTQqmBaSR+RiWQE6dMQJw
-> ssh-ed25519 4PzZog EDXgO1cHPd8xxDbmL/lunkG3McC4a/wzBlFe16ByHS0
-eTNXJMKNSCesEXT0XAuZEhhCyX7eumglnIJ/00y+WTk
-> ssh-ed25519 dA0vRg sKq17tK9/rB+VNTYQ/aoTzEcfzeMJTkN+a/Oz0+g9ks
-TNrHE3fFaAEMrrJ1264rh3UbJ8jBTxGSaeVPWzX3y3o
-> ssh-ed25519 5Nd93w UkQintKS9V/5QH4arHtPKPe33ktNhE4Jl7illmlNuXQ
-u0t1110eebk8SYm5e4jI+d1vOSvUCZRJGIqNZ/WmdPs
-> ssh-ed25519 q8eJgg uBJUJaR7prW8b/jjhXBjax5lVsnGYpifqZVqExVivyo
-hp2Y6RPzNaPZaX4sgOWVStdVWHe8taocUhToaojni4I
-> ssh-ed25519 KVr8rw /j1ASDGc0GM7/Rt6RgBj2u2rlARs+iJixYR2gGFvshU
-JRPezd9xI6o89hX74agVVLAtX1Lp7dgjkr5ndQfDjSw
-> ssh-ed25519 fia1eQ +NO/LIWFudIdovclnaX55jr/x52Rs4sHbP4jxepYHEk
-0ykDlD2um8a9gUea1JXrGfP6QsPV+DWIPqfD5cbvCCo
-> ssh-ed25519 Km71ZA lAJq3SkNxUWZcmwMWyWrCaCrzyjnJK2A4G2kysZdvGU
-wmxgYru5pzJkfkTP8CmI9z8GeqpJdgGO4BmbLWPJ4Jw
-> ssh-ed25519 IzAMqA 0yLa+jpL+6w8TvvbFM5IUUrpUncc8HLxuDjKM4t7mC8
-QeeibbBquSOjVimgtszMPTxzgsVUNui1euB4knkzwL0
--- K9L+f43VUTIuWWMG8Zuzw+27zIPe6l/ortS4i+XhdHc
-$sey^$"©™+ú¼Ó‚úôM;½¾’¢µxê¬?a2äý3þ/	k¸'NXÍiV¥´
¸"äòõ€,V°˜
-Ü@µº`GëÑ%
--- a/secrets/ldap/details.age
+++ b/secrets/ldap/details.age
--- a/secrets/ldap/pw.age
+++ b/secrets/ldap/pw.age
@ -1,27 +1,26 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA qDFD8i1k1rzDBYBtXj6sYiQdmfGhDfXS5vMcYRF32Gs
-7zO8QwPzrrqH6JPBRuasWwUw2/O1siBySFvHSp5j0n0
-> ssh-ed25519 4PzZog u2Eg6RB/AmN5GtU/d/WfaJPew8reKZnC8C8AZWVnYRY
-5tGVoNyuPKbCQSHnEy61rfuG59t1aEY1XQRJNmuj21E
-> ssh-ed25519 dA0vRg wkxiozefM16DTQAF7Ts74MP6R7jZ0FormDqg4SJkjzs
-ee9kJkSDUwm3feZhBcsUeWvG90Cy6X+qwuL/PpLSKHI
-> ssh-ed25519 5Nd93w LwnaKhjUgCrVDxj0G5WTwHuzjN+nWLApK8LBgXeJAxI
-WNicDBw71xFfnSn1R9f0XeAnGPHAfc0QCj9yjHk2Ra0
-> ssh-ed25519 q8eJgg fgH9K/UiFJaCiV/NPDu1RbkMMH6tumir0qhO0gfKGTs
-bycdxFG/VHcSbd1g9Ou36sZeTdUarIG5Hyn+Nji6MHk
-> ssh-ed25519 KVr8rw 1we04j3ymB7zbOJnarg67KzI/yMiQHr1ytBS8PxVywM
-Jjq2uJtOAn62PeTJX021zHgCd6yPkxRnSt4IFc/T6Xc
-> ssh-ed25519 fia1eQ 3ywHsF86PLUY5Vr4hE4DI62bsGgA3iU4QFEk9SvHWHU
-TvkQ/+gQJ3DXnvpD6U+jKS4EG6kIJa+nX08nUJFs1Wg
-> ssh-ed25519 Km71ZA IG4kxxGPSU/CvwDfTjlp1hUgmnzRqK+YCYTfd1qLgxA
-B3cTR3mZkipgVe9tdU4re/GYuSlSDdI6Bok7yHPhhOQ
-> ssh-ed25519 IzAMqA /eXLqE1/nW5vpiaCC+NH3ytm1XrjQPgKo2rR7igOyBE
-EUsEQWWTaS3uhOu/ayZNlwYw3vY7Rb2IeYl6QOelmY8
-> ssh-ed25519 uZzB3g 5SrR6ZP2zqFHCLeykkmpeR+Km4/4ml2AcPnOAxgpq1k
-BD5IXtf2/S+ME5mPHPu/yQVqQ02+aivLLV84fBSeq+Y
-> ssh-ed25519 Hb0ipQ 5z6PimjHhHU2bXtloaoYqcJk0/S/mrmXqs4u8TJjPnE
-2I+d+g8Xivns+fT9W9Ws6rYCcMXJamuZ+uBnXcukcFY
-> ssh-ed25519 IzAMqA ZwdALhB/2dqaFC4bSqgXNYPbN0hgUKdEmyNyDpDg3F8
-ukgzLa7A0bVryf4GEXtqbAU6uMlEiZC6ZYnNgIdbPAg
--- XF4TF6aDYrTOXdaLTJgns3ZMeVVCO4OO+LSIczz8vag
-nƒò<EFBFBD>¦ïXå~'
#žW¯Y!&œñXŠœ¬sRúBµÈ»‡g¹iƒGë–ÙÊ¶7}[myzuöägÀ]È_úÅ~°àïœ˜™:9uÍæ§Ò’(y.ÿv?r4<1A>eÓ:0?¤»ˆ7,‰Ï»„ŒK5†dÁµÎPš?4¡úÆ0S§3aÉ¬G¢]Iâ)»ŠR³†…ŠNƒ©Ÿðû!
+-> ssh-ed25519 V1pwNA gbttBwmYtq67vkhosksaN3pMFRD+yIZ9c3jkUqLjzwc
+sKzCx+fRVT08lE9SROuhsKk4umCokWSafCQtK6NzX3s
+-> ssh-ed25519 4PzZog 1n6kEJ2pIjIt1u6DUG2P0PL8s8k2316YnPR4cGLgW0I
+EFE4bJ9AkJFAITUIMUSVaFszK01rpffnzg2HXLSskFU
+-> ssh-ed25519 dA0vRg g9Xtgji4q1bjaGGiTqvBW9f/N9D2qZQimo9Wz8aNb10
+zj/0VlNRk3jX054Nu9hZGP+Vpx6YsBtxUTdjOOUyzUc
+-> ssh-ed25519 5Nd93w xwTEItzkfxNRvwPcncZGqUGeOpY3eSJSYP7vkhWjlmg
+sTTlm+WdWTTKfr+KTUVa5nLJAHv8UcsWJDXAuFqFZOY
+-> ssh-ed25519 q8eJgg Jj02qd+MlAOSGLWEsaosZtfo3f0zZyzdT0czSauQr3I
+aKHrwFMt4KvICBXm4fdt57ZaaGkilv1Eau7Y6TPB3ls
+-> ssh-ed25519 KVr8rw DKp/IrXZ3Cqh7b7coO22iDR/InZ5xY8iLcm1KFgUCSI
+YUQJ05y952NIoUeChUDcuvO9ku6S7qoBafRwSmCzLUk
+-> ssh-ed25519 fia1eQ w1p/K436VeeWLjTtxZAGeOl0oZWeE88C2OfAg4Vc6Vg
+eLcoL3kV2fhtZREEmgIEiX6ci05tU4PypX+WrRaoC4w
+-> ssh-ed25519 IzAMqA ItqYQQFlBcabTg8ydW0EEq9ZO7SamcZUGCtZUCAtSmo
+RvtyYRdWEmMhU6uA8WSFhuzow8CsXWZmyJR9m+CDo/g
+-> ssh-ed25519 uZzB3g gG0Ku+k9Ct8D7ZuHPsD9IZO0+O36jKps6QDYEyhYSy0
+4npr5UCPapsWmyANaX08JVVCmU3mpgD93kGWvEFP4F4
+-> ssh-ed25519 Hb0ipQ jO43lRL6JA0dLRfei2uR4xo7b+hKItvQmYEjauLEvkU
+3RuQqq+Z6V0qASF1EhtiDhn5MZ65sdmJ8hzebRmAlK8
+-> ssh-ed25519 IzAMqA 8q3O2zg4eX41Gbh8PSVTxy6ukc28PVvoIROkbKcJqV4
+bnS9VskRrWKZR0KDsh8elU4vhBXuZKV+7sj4Mx8QuXw
+--- 3yQiKJMfU9JyNxvcZLea+2FlHsoGWpaAeKQvMLE87uQ
+ÓªvK½ #\ÔñòQ';¼Â—W‹¼Áy¸:·%æ8]¡‹¹^÷ë|>ûÍJMF+!Zð2»<»‰¶@Ê2²6S?`Ð‘CŽÙèñ\Ë˜ôÅ„KÃŒb½ÍWÉžêJéÓ„£˜1Ì×âï±ÚªŒ'In%ÕAŒ˜;Û‘@¸±9L3ÏaÔYMIÂ`î<>nì;tr:÷.P„Ñ<E2809E>î
+×
--- a/secrets/nextcloud/pw.age
+++ b/secrets/nextcloud/pw.age
@ -1,21 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA enzHbYyPDDgq9WliLne6mFBxUJcIGl2lO0EOob+smn0
-+p8zsbFpe5NkZ6ly3mzmwFzLPT6VPCOxCUCMbPzgZeM
-> ssh-ed25519 4PzZog hufrzwSjVHi5fI8vhFdqzuJOnabcVkP08RhocQcy2F8
-rkW1//bKw7PDEAsUqHR1RKmB8WJUmb64Tp7XpRgueJs
-> ssh-ed25519 dA0vRg u+TEdkFb1kcboFRD2lseVIgwxRPA2UHKKEuY0UAj9G8
-m5RFvFSrr8wJP/3FuUEY4unRHCdcGeNZGy0yd7TmAB4
-> ssh-ed25519 5Nd93w YZGOEyMxBYfiUzSbq+TL6IaZXlrclAFqwJ2ui0AeqQM
-L1cQpnMWh/1bI608iNQBQqAWtHuw0oAvew4kFaffM4E
-> ssh-ed25519 q8eJgg lGpgxRy5zmacWvhZFJMPArG9xrUaW2pWFDj9i9k68AA
-voaccSRi7JRvslMQb184V+GGhLGndfK0MyVy5WdXDVs
-> ssh-ed25519 KVr8rw +cDqGXb/EWa3u04LL7SvXUh/bCkkoql0RGNXiqhbVSk
-KxgfXCYOuUbUeuGW+bt/+VFC3vLZnKjaZte7tKVlai8
-> ssh-ed25519 fia1eQ AVGkBzg031Pye0QDxoQnw/D2bfaCPTJCTG4vtfZU0DY
-3ag9Cg7zlxLcNG0sN9VQfFQNrHnVOrEz4ayYApzy3Iw
-> ssh-ed25519 Km71ZA 60en2Z9LvPiEKb6CWbY8V/XO53ABXKOdC/wfk6aSiHI
-9E+Pt5I0nRzA7TRXwtEaHR6BsBP15xcQ8mr9kd66PrA
-> ssh-ed25519 YFaxCg L2D66ArXKuoZUdYRr5kycmRgs6EG1h1Z/fg+/TjZam8
-DJF4mVbgSqjJxHkhVUv+7e9vTnPtSa4zAa6N18z+CoE
--- fbOoRpYqRSR88ma5/QLdnhzDq91VJfGMapg6BTBl6tw
-œVQd¾Ê¾àqëòÆÔ¥Ã¸¡žgï¹ëÏ¦ñUëŸ¸)Ì?ÃÕÈb;v$V,“oÍxZ6<5A>›ø7ªT<14>ç˜Èš‹m<>:Xëè¸<
+-> ssh-ed25519 V1pwNA ZlR8h9qHUL9sOogTAS4jhOkSqgeWOMgrI2jpzZeB43E
+c1B+g2ke5kRtFZ1us5Sb8gxYdb7DUx5l1IzVAfbXxW4
+-> ssh-ed25519 4PzZog uPUS/whEnUBue936Q95LCG31yz987AGVTULqCLfQrSs
+cGgATnRDcpNJ7CRUkouyoDk80EYB/QgzkX5snfs2qjg
+-> ssh-ed25519 dA0vRg gabrxTdlYIjZWYnRMdID7aLu3hgHKmTG6RQHMMnsdjM
+HIKk6j8Cntw6/SAtbAjDTSDqXhRzItris/gcm3UQT2w
+-> ssh-ed25519 5Nd93w 9enbyAo/XabNmXWppWZWC0Do+6hwzjLPc/RgpFSsOkY
+tLBW23QTKZKYZ0nlJ1WDdqsu8u0vsyNoZ10qrk06p3E
+-> ssh-ed25519 q8eJgg 4Un1ZATrDODVT5Nr1qNkQzfhBeWcDkujxvFmXumHKl4
+MW1gkllR6yl4FiR/84jV04TgN/B4WEPbmrIWPVG7yKg
+-> ssh-ed25519 KVr8rw ld3Xw4y/UIN6RADoJt+2gwnMbcl7qC4sF2X/pJcdJjU
+8b3N70CMfQpXY01EjNxn4dZJ2PwbWG7JgYgfOlGfZT8
+-> ssh-ed25519 fia1eQ 5J0q5b+gAlELovtLXXTwr9jfhOl5L5SEy7+qRxUicCQ
+k4Xd1ypatsY4rFPAVZoA89V6NrnLxrIrWBhYCY0BEis
+-> ssh-ed25519 YFaxCg UgvKYVP36n85x6AaAIGysm9Kzl4TrMip9GTxVMRuWgM
+HuTioTpbARDViBacuvqHM2WDNvL+hDyDCb8YJW2uukE
+--- ig5Vtym6PTLi2FyPk/bdMBeQV8qICqxGONQGU2lGfxI
+z|^Ú<>¬~Á0‹ƒ]é|Ñ¸"ù¸¯¡Q<C2A1>zb§“¡"¢ª—ùú¸gm¸rëƒ<C3AB>u¤ð‰<C3B0>y±õÃe®ñÖëÚÁ¿$çËûc
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -6,7 +6,6 @@ let
  thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
  eliza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJaVEGPDxG/0gbYJovPB+tiODgBDUABlgc1OokmF3WA eliza-skynet";
  esy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINS2UR/o+nK8lNHHTj5I84ZAAp6P+ZhXqhedMfx0KHE4 <Skynet>";
-  esy_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxHpsApRyCvuP2ToGm46G308Og8lO7BYPuz+EqHVU5w esy root";

  users = [
    admin
@ -16,7 +15,6 @@ let
    thenobrainer
    eliza
    esy
-    esy_root
  ];

  agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHOxA3uYcqS5gTrG1hS8XXwehzQYAI2I4iULtU8cXft root@agentjones";
@ -33,7 +31,7 @@ let
  cadie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACcwg27wzzFVvzuTytcnzRmCfGkhULwlHJA/3BeVtgf root@cadie";
  marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAme2vuVpGYX4La/JtXm3zunsWNDP+SlGmBk/pWmYkH root@marvin";
  calculon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsmeBfh4Jw2GOL7Iyswzn4TVNzalDbxDgh7WuQotFxR root@calculon";
-  ariia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF/x7Zsp9jqxXxxRGLq7ng4HaiZ9o043Bwy4TFPXSs5S root@ariia";
+  ariia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4kV6W1/tP/nf2ZWNhRoV1mK04R4pS+c5vdsA1n5gpN root@ariia";
  optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFv0Hb4qfzXUll+Hct1NQOE0bCf0MpE24Cqskd8vAFyj root@optimus";
  bumblebee = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINF31tsOZTEpPFCu4wZvJjxxvgFhRpxvo9SKyDMNWHZu root@bumblebee";

@ -101,13 +99,8 @@ let
  bitwarden = [
    kitt
  ];
-
-  sso = [
-    kitt
-  ];
 in {
  # nix run github:ryantm/agenix -- -e secret1.age
-  "base/root_pass.age".publicKeys = users ++ systems;

  "dns_certs.secret.age".publicKeys = users ++ systems;
  "dns_dnskeys.conf.age".publicKeys = users ++ dns;
@ -139,8 +132,7 @@ in {
  "backup/restic_pw.age".publicKeys = users ++ restic;

  # discord bot and discord
-  "discord/token.age".publicKeys = users ++ discord;
-  "discord/t-800.age".publicKeys = users ++ discord;
+  "discord/token1.age".publicKeys = users ++ discord;

  # email stuff
  "email/details.age".publicKeys = users ++ ldap ++ discord;
@ -156,9 +148,6 @@ in {
  "bitwarden/secret.age".publicKeys = users ++ bitwarden;
  "bitwarden/details.age".publicKeys = users ++ bitwarden;

-  # Keycloak/sso
-  "keycloak/pw.age".publicKeys = users ++ sso;
-
  # grafana
  "grafana/pw.age".publicKeys = users ++ grafana;
 }
--- a/secrets/stream_ulfm.age
+++ b/secrets/stream_ulfm.age
--- a/secrets/wolves/details.age
+++ b/secrets/wolves/details.age