55 changed files with 1174 additions and 883 deletions
--- a/.forgejo/workflows/deploy.yaml
+++ b/.forgejo/workflows/deploy.yaml
@ -6,8 +6,6 @@ on:
    types:
      - completed
  push:
-    branches:
-      - 'main'
    paths:
      - applications/**/*
      - machines/**/*
@ -22,22 +20,18 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - run: nix fmt -- --check .
-      - run: nix --version

  #if: github.repository == 'Skynet/nixos'
  build:
    runs-on: nix
    steps:
      - uses: actions/checkout@v4
-      - run: nix develop -v
-#      - name: Archive Test Results
-#        if: always()
-#        run: sleep 100m
-#      - run: colmena build -v --on @active-dns
-#      - run: colmena build -v --on @active-core
-#      - run: colmena build -v --on @active
-#      - run: colmena build -v --on @active-ext
-#      - run: colmena build -v --on @active-gitlab
+      - run: nix develop
+      - run: colmena build -v --on @active-dns
+      - run: colmena build -v --on @active-core
+      - run: colmena build -v --on @active
+      - run: colmena build -v --on @active-ext
+      - run: colmena build -v --on @active-gitlab

  deploy_dns:
    runs-on: nix
--- a/.forgejo/workflows/deploy_forgejo.yaml
+++ b/.forgejo/workflows/deploy_forgejo.yaml
@ -1,12 +0,0 @@
-name: Update_Forgejo
-
-on:
-  workflow_dispatch:
-
-jobs:
-  deploy:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-      - run: colmena apply -v --on @active-gitlab --show-trace
-        shell: bash
--- a/.forgejo/workflows/update_input.yaml
+++ b/.forgejo/workflows/update_input.yaml
@ -1,13 +1,11 @@
 name: Update_Flake

-run-name: "[Update Flake] ${{ inputs.input_to_update }}"
-
 on:
  workflow_dispatch:
    inputs:
      input_to_update:
        description: 'Flake input to update'
-        required: false
+        required: true
        type: string

 jobs:
@ -24,7 +22,7 @@ jobs:
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.PIPELINE_TOKEN }}
-      - run: nix flake update ${{ inputs.input_to_update }}
+      - run: nix flake lock --update-input "${{ inputs.input_to_update }}"
        shell: bash
      - uses: https://github.com/stefanzweifel/git-auto-commit-action@v5
        with:
--- a/ITD/Firewall_Rules.csv
+++ b/ITD/Firewall_Rules.csv
@ -41,5 +41,4 @@ SKYNET_FIREWALL_00029,Add,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8
 SKYNET_FIREWALL_00030,Add,i24-06-04_017,Complete,193.1.99.83,SKYNET00020,193.1.96.165,SKYNET00012,9000-9010,-,Metrics Collection
 SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"80, 443",-,Web interface for Metrics server
 SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel
-SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
-,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
+SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
--- a/ITD/Server_Inventory.csv
+++ b/ITD/Server_Inventory.csv
@ -18,5 +18,4 @@ SKYNET00016,optimus,Active,193.1.99.90,Debian-12,Games server manager (replacing
 SKYNET00017,bumblebee,Active,193.1.99.91,Debian-12,Game server - Minecraft
 SKYNET00018,calculon,Active,193.1.99.82,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver"
 SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic
-SKYNET00020,ariia,Active,193.1.99.83,Nixos-24.05,"Metrics, Grafana and Prometheus"
-SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access
+SKYNET00020,ariia,Active,193.1.99.83,Nixos-24.05,"Metrics, Grafana and Prometheus"
--- a/9
+++ b/9
@ -1,9 +0,0 @@
-MIT License
-
-Copyright (c) 2024 Skynet
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/applications/acme.nix
+++ b/applications/acme.nix
@ -32,9 +32,9 @@ in {

      defaults = {
        email = "admin_acme@skynet.ie";
-        credentialsFile = config.age.secrets.acme.path;
        # we use our own dns authorative server for verifying we own the domain.
        dnsProvider = "rfc2136";
+        credentialsFile = config.age.secrets.acme.path;
      };

      certs = {
--- a/applications/bitwarden/bitwarden-directory-connector-cli.nix
+++ b/applications/bitwarden/bitwarden-directory-connector-cli.nix
@ -0,0 +1,324 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.services.bitwarden-directory-connector-cli;
+in {
+  disabledModules = ["services/security/bitwarden-directory-connector-cli.nix"];
+
+  options.services.bitwarden-directory-connector-cli = {
+    enable = mkEnableOption "Bitwarden Directory Connector";
+
+    package = mkPackageOption pkgs "bitwarden-directory-connector-cli" {};
+
+    domain = mkOption {
+      type = types.str;
+      description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessible on.";
+      example = "https://vaultwarden.example.com";
+    };
+
+    user = mkOption {
+      type = types.str;
+      description = lib.mdDoc "User to run the program.";
+      default = "bwdc";
+    };
+
+    interval = mkOption {
+      type = types.str;
+      default = "*:0,15,30,45";
+      description = lib.mdDoc "The interval when to run the connector. This uses systemd's OnCalendar syntax.";
+    };
+
+    ldap = mkOption {
+      description = lib.mdDoc ''
+        Options to configure the LDAP connection.
+        If you used the desktop application to test the configuration you can find the settings by searching for `ldap` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
+      '';
+      default = {};
+      type = types.submodule ({
+        config,
+        options,
+        ...
+      }: {
+        freeformType = types.attrsOf (pkgs.formats.json {}).type;
+
+        config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
+
+        options = {
+          finalJSON = mkOption {
+            type = (pkgs.formats.json {}).type;
+            internal = true;
+            readOnly = true;
+            visible = false;
+          };
+
+          ssl = mkOption {
+            type = types.bool;
+            default = false;
+            description = lib.mdDoc "Whether to use TLS.";
+          };
+          startTls = mkOption {
+            type = types.bool;
+            default = false;
+            description = lib.mdDoc "Whether to use STARTTLS.";
+          };
+
+          hostname = mkOption {
+            type = types.str;
+            description = lib.mdDoc "The host the LDAP is accessible on.";
+            example = "ldap.example.com";
+          };
+
+          port = mkOption {
+            type = types.port;
+            default = 389;
+            description = lib.mdDoc "Port LDAP is accessible on.";
+          };
+
+          ad = mkOption {
+            type = types.bool;
+            default = false;
+            description = lib.mdDoc "Whether the LDAP Server is an Active Directory.";
+          };
+
+          pagedSearch = mkOption {
+            type = types.bool;
+            default = false;
+            description = lib.mdDoc "Whether the LDAP server paginates search results.";
+          };
+
+          rootPath = mkOption {
+            type = types.str;
+            description = lib.mdDoc "Root path for LDAP.";
+            example = "dc=example,dc=com";
+          };
+
+          username = mkOption {
+            type = types.str;
+            description = lib.mdDoc "The user to authenticate as.";
+            example = "cn=admin,dc=example,dc=com";
+          };
+        };
+      });
+    };
+
+    sync = mkOption {
+      description = lib.mdDoc ''
+        Options to configure what gets synced.
+        If you used the desktop application to test the configuration you can find the settings by searching for `sync` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
+      '';
+      default = {};
+      type = types.submodule ({
+        config,
+        options,
+        ...
+      }: {
+        freeformType = types.attrsOf (pkgs.formats.json {}).type;
+
+        config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
+
+        options = {
+          finalJSON = mkOption {
+            type = (pkgs.formats.json {}).type;
+            internal = true;
+            readOnly = true;
+            visible = false;
+          };
+
+          removeDisabled = mkOption {
+            type = types.bool;
+            default = true;
+            description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
+          };
+
+          overwriteExisting = mkOption {
+            type = types.bool;
+            default = false;
+            description =
+              lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
+          };
+
+          largeImport = mkOption {
+            type = types.bool;
+            default = false;
+            description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
+          };
+
+          memberAttribute = mkOption {
+            type = types.str;
+            description = lib.mdDoc "Attribute that lists members in a LDAP group.";
+            example = "uniqueMember";
+          };
+
+          creationDateAttribute = mkOption {
+            type = types.str;
+            description = lib.mdDoc "Attribute that lists a user's creation date.";
+            example = "whenCreated";
+          };
+
+          useEmailPrefixSuffix = mkOption {
+            type = types.bool;
+            default = false;
+            description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
+          };
+          emailPrefixAttribute = mkOption {
+            type = types.str;
+            description = lib.mdDoc "The attribute that contains the users username.";
+            example = "accountName";
+          };
+          emailSuffix = mkOption {
+            type = types.str;
+            description = lib.mdDoc "Suffix for the email, normally @example.com.";
+            example = "@example.com";
+          };
+
+          users = mkOption {
+            type = types.bool;
+            default = false;
+            description = lib.mdDoc "Sync users.";
+          };
+          userPath = mkOption {
+            type = types.str;
+            description = lib.mdDoc "User directory, relative to root.";
+            default = "ou=users";
+          };
+          userObjectClass = mkOption {
+            type = types.str;
+            description = lib.mdDoc "Class that users must have.";
+            default = "inetOrgPerson";
+          };
+          userEmailAttribute = mkOption {
+            type = types.str;
+            description = lib.mdDoc "Attribute for a users email.";
+            default = "mail";
+          };
+          userFilter = mkOption {
+            type = types.str;
+            description = lib.mdDoc "LDAP filter for users.";
+            example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
+            default = "";
+          };
+
+          groups = mkOption {
+            type = types.bool;
+            default = false;
+            description = lib.mdDoc "Whether to sync ldap groups into BitWarden.";
+          };
+          groupPath = mkOption {
+            type = types.str;
+            description = lib.mdDoc "Group directory, relative to root.";
+            default = "ou=groups";
+          };
+          groupObjectClass = mkOption {
+            type = types.str;
+            description = lib.mdDoc "A class that groups will have.";
+            default = "groupOfNames";
+          };
+          groupNameAttribute = mkOption {
+            type = types.str;
+            description = lib.mdDoc "Attribute for a name of group.";
+            default = "cn";
+          };
+          groupFilter = mkOption {
+            type = types.str;
+            description = lib.mdDoc "LDAP filter for groups.";
+            example = "(cn=sales)";
+            default = "";
+          };
+        };
+      });
+    };
+
+    secrets = {
+      ldap = mkOption {
+        type = types.str;
+        description = "Path to file that contains LDAP password for user in {option}`ldap.username";
+      };
+
+      bitwarden = {
+        client_path_id = mkOption {
+          type = types.str;
+          description = "Path to file that contains Client ID.";
+        };
+        client_path_secret = mkOption {
+          type = types.str;
+          description = "Path to file that contains Client Secret.";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.groups."${cfg.user}" = {};
+    users.users."${cfg.user}" = {
+      isSystemUser = true;
+      group = cfg.user;
+    };
+
+    systemd = {
+      timers.bitwarden-directory-connector-cli = {
+        description = "Sync timer for Bitwarden Directory Connector";
+        wantedBy = ["timers.target"];
+        after = ["network-online.target"];
+        timerConfig = {
+          OnCalendar = cfg.interval;
+          Unit = "bitwarden-directory-connector-cli.service";
+          Persistent = true;
+        };
+      };
+
+      services.bitwarden-directory-connector-cli = {
+        description = "Main process for Bitwarden Directory Connector";
+
+        environment = {
+          BITWARDENCLI_CONNECTOR_APPDATA_DIR = "/tmp";
+          BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
+        };
+
+        serviceConfig = {
+          Type = "oneshot";
+          User = "${cfg.user}";
+          PrivateTmp = true;
+          ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" ''
+            set -eo pipefail
+
+            # create the config file
+            ${lib.getExe cfg.package} data-file
+            touch /tmp/data.json.tmp
+            chmod 600 /tmp/data.json{,.tmp}
+
+            ${lib.getExe cfg.package} config server ${cfg.domain}
+
+            # now login to set credentials
+            export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
+            export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
+            ${lib.getExe cfg.package} login
+
+            ${lib.getExe pkgs.jq} '.authenticatedAccounts[0] as $account
+              | .[$account].directoryConfigurations.ldap |= $ldap_data
+              | .[$account].directorySettings.organizationId |= $orgID
+              | .[$account].directorySettings.sync |= $sync_data' \
+              --argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \
+              --arg orgID "''${BW_CLIENTID//organization.}" \
+              --argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \
+              /tmp/data.json \
+              > /tmp/data.json.tmp
+
+            mv -f /tmp/data.json.tmp /tmp/data.json
+
+            # final config
+            ${lib.getExe cfg.package} config directory 0
+            ${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap}
+          '';
+
+          ExecStart = "${lib.getExe cfg.package} sync";
+        };
+      };
+    };
+  };
+
+  meta.maintainers = with maintainers; [Silver-Golden];
+}
--- a/applications/bitwarden/bitwarden_sync.nix
+++ b/applications/bitwarden/bitwarden_sync.nix
@ -6,7 +6,9 @@
 }: let
  user = "bwdc";
 in {
-  imports = [];
+  imports = [
+    ./bitwarden-directory-connector-cli.nix
+  ];

  options = {};

--- a/applications/discord.nix
+++ b/applications/discord.nix
@ -21,6 +21,7 @@ in {
    #backups = [ "/etc/silver_ul_ical/database.db" ];

    age.secrets.discord_token.file = ../secrets/discord/token.age;
+    age.secrets.discord_ldap.file = ../secrets/discord/ldap.age;
    age.secrets.discord_mail.file = ../secrets/email/details.age;
    age.secrets.discord_wolves.file = ../secrets/wolves/details.age;

@ -30,9 +31,12 @@ in {

      env = {
        discord = config.age.secrets.discord_token.path;
+        ldap = config.age.secrets.discord_ldap.path;
        mail = config.age.secrets.discord_mail.path;
        wolves = config.age.secrets.discord_wolves.path;
      };
+
+      discord.server = "689189992417067052";
    };
  };
 }
--- a/applications/dns/dns.nix
+++ b/applications/dns/dns.nix
@ -13,14 +13,11 @@
  current_date = self.lastModified;

  # this gets a list of all domains we have records for
-  domains = lib.lists.naturalSort (lib.lists.unique (
-    lib.lists.forEach records (x: x.domain)
-  ));
-
-  # get the ip's of our servers
-  servers = lib.lists.naturalSort (lib.lists.unique (
-    lib.lists.forEach (sort_records_a_server records) (x: x.value)
-  ));
+  domains = lib.lists.naturalSort (
+    lib.lists.unique (
+      lib.lists.forEach records (x: x.domain)
+    )
+  );

  domains_owned = [
    # for historic reasons we own this
@ -33,12 +30,9 @@

  # gets a list of records that match this type
  filter_records_type = records: r_type: builtins.filter (x: x.r_type == r_type) records;
-  # Get all the A records that are for servers (base record for them)
-  filter_records_a_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A");
-  # Every other A record
+  filter_records_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A");
  filter_records_a = records: builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type records "A");

-  # These functions are to get the final 3 digits of an IP address so we can use them for reverse pointer
  process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
  process_ptr_sub = record: {
    record = builtins.substring 9 3 record.record;
@ -47,49 +41,39 @@
  };
  ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);

-  # filter and sort records so we cna group them in the right place later
-  sort_records_a_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_a_server records);
+  sort_records_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_server records);
  sort_records_a = records: builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) (filter_records_a records);
  sort_records_cname = records: builtins.sort (a: b: a.value < b.value) (filter_records_type records "CNAME");
  sort_records_ptr = records: builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type records "PTR"));
  sort_records_srv = records: builtins.sort (a: b: a.record < b.record) (filter_records_type records "SRV");

-  # a tad overkill but type guarding is useful
  max = x: y:
    assert builtins.isInt x;
    assert builtins.isInt y;
      if x < y
      then y
      else x;
-
-  # get teh max length of a list of strings
  max_len = records: lib.lists.foldr (a: b: (max a b)) 0 (lib.lists.forEach records (record: lib.strings.stringLength record.record));

-  # Now that we can get teh max lenth of a list of strings
-  # we can pad it out to the max len +1
-  # this is so that teh generated file is easier for a human to read
  format_records = records: let
    offset = (max_len records) + 1;
  in
    lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;

-  # small function to add spaces until it reaches teh required length
+  # small function to trim it down a tad
  padString = text: length: fixedWidthString_post length " " text;

  # like lib.strings.fixedWidthString but postfix
-  # recursive function to extend a string up to a limit
  fixedWidthString_post = width: filler: str: let
    strw = lib.stringLength str;
    reqWidth = width - (lib.stringLength filler);
  in
-    # this is here because we were manually setting teh length, now max_len does that for us
    assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})";
      if strw == width
      then str
      else (fixedWidthString_post reqWidth filler str) + filler;

  # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
-  # ";" are comments in this file
  get_config_file = (
    domain: records: ''
      $TTL 60  ; 1 minute
@ -110,7 +94,7 @@
      ; ------------------------------------------
      ; Server Names (A Records)
      ; ------------------------------------------
-      ${format_records (sort_records_a_server records)}
+      ${format_records (sort_records_server records)}

      ; ------------------------------------------
      ; A (non server names
@ -136,11 +120,13 @@
      ; SRV
      ; ------------------------------------------
      ${format_records (sort_records_srv records)}
+
+
    ''
  );

  # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
-  # config for our reverse dns pointers (not properly working)
+  # config for our reverse dnspointers (not properly working)
  get_config_file_rev = (
    domain: ''
      $ORIGIN 64-64.99.1.193.in-addr.arpa.
@ -165,33 +151,31 @@
    ''
  );

-  # arrays  of teh two nameservers
-  nameserver_1 = ["193.1.99.109"];
-  nameserver_2 = ["193.1.99.120"];
+  # arrys  of teh two nameservers
+  tmp1 = ["193.1.99.109"];
+  tmp2 = ["193.1.99.120"];

  primaries = (
    if cfg.server.primary
    then
      # primary servers have no primaries (ones they listen to)
      []
-    else if builtins.elem cfg.server.ip nameserver_1
-    then nameserver_2
-    else nameserver_1
+    else if builtins.elem cfg.server.ip tmp1
+    then tmp2
+    else tmp1
  );

  secondaries = (
    if cfg.server.primary
    then
-      if builtins.elem cfg.server.ip nameserver_1
-      then nameserver_2
-      else nameserver_1
+      if builtins.elem cfg.server.ip tmp1
+      then tmp2
+      else tmp1
    else []
  );

  # small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
-  # now limited explicitly to servers that we are administering
-  # See i24-09-30_050 for more information
-  create_cache_networks = map (x: "${toString x}/32") servers;
+  create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);

  # standard function to create the etc file, pass in the text and domain and it makes it
  create_entry_etc_sub = domain: text: {
@ -203,19 +187,17 @@
      # The UNIX file mode bits
      mode = "0664";

-      # content of the file
      text = text;
    };
  };
+  # (text.owned "csn.ul.ie")

  # standard function to create the etc file, pass in the text and domain and it makes it
  create_entry_etc = domain: type: let
    domain_records = lib.lists.filter (x: x.domain == domain) records;
  in
-    # this is the main type of record that most folks are used to
    if type == "owned"
    then create_entry_etc_sub domain (get_config_file domain domain_records)
-    # reverse lookups allow for using an IP to find domains pointing to it
    else if type == "reverse"
    then create_entry_etc_sub domain (get_config_file_rev domain)
    else {};
@ -256,7 +238,7 @@
    */
    ++ builtins.concatLists (
      lib.attrsets.mapAttrsToList (
-        key: value: value.config.services.skynet.dns.records
+        key: value: value.config.services.skynet."${name}".records
      )
      nodes
    );
@ -347,7 +329,6 @@ in {
      group = "named";
    };

-    # basic but ensure teh dns ports are open
    networking.firewall = {
      allowedTCPPorts = [53];
      allowedUDPPorts = [53];
--- a/applications/email.nix
+++ b/applications/email.nix
@ -202,7 +202,7 @@ in {

  config = mkIf cfg.enable {
    services.skynet.backup.normal.backups = [
-      #"/var/vmail"
+      "/var/vmail"
      "/var/dkim"
    ];

--- a/applications/git/forgejo.nix
+++ b/applications/git/forgejo.nix
@ -76,12 +76,6 @@ in {
      };
    };

-    # for signing reasons
-    programs.gnupg.agent = {
-      enable = true;
-      enableSSHSupport = true;
-    };
-
    services.forgejo = {
      enable = true;
      package = pkgs.forgejo;
@ -98,21 +92,11 @@ in {

        # You can temporarily allow registration to create an admin user.
        service.DISABLE_REGISTRATION = true;
-
        # Add support for actions, based on act: https://github.com/nektos/act
-        actions = {
-          ENABLED = true;
-          DEFAULT_ACTIONS_URL = "github";
-        };
-
-        # Allow for signing off merge requests
-        #        "repository.signing" = {
-        #          SIGNING_KEY = "5B2DED0FE9F8627A";
-        #          SIGNING_NAME = "Skynet";
-        #          SIGNING_EMAIL = "forgejo@glados.skynet.ie";
-        #          MERGES = "always";
-        #        };
-
+        #          actions = {
+        #            ENABLED = true;
+        #            DEFAULT_ACTIONS_URL = "github";
+        #          };
        # Sending emails is completely optional
        # You can send a test email from the web UI at:
        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
--- a/applications/git/forgejo_runner.nix
+++ b/applications/git/forgejo_runner.nix
@ -107,12 +107,6 @@ in {
      };
    };

-    boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
-    virtualisation.docker.enable = true;
-
-    # taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
-    virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
-
    # the actual runner
    services.gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
@ -124,8 +118,8 @@ in {
        labels = [
          ## optionally provide native execution on the host:
          "nix:host"
-          "docker:docker://node:22-bookworm"
-          "ubuntu-latest:docker://node:22-bookworm"
+          "docker:docker://node:16-bullseye"
+          "ubuntu-latest:docker://node:16-bullseye"
        ];

        hostPackages = with pkgs; [
@ -134,24 +128,16 @@ in {
          coreutils
          curl
          gawk
-          git
+          gitMinimal
          gnused
          nodejs
          wget

-          # useful to have in path
-          jq
-          which
-          dpkg
-          zip
-          git-lfs
-
          # used in deployments
          inputs.colmena.defaultPackage."x86_64-linux"
          attic-client
-          lix
+          nix
          openssh
-          sudo
        ];
      };
    };
--- a/applications/git/gitlab_runner.nix
+++ b/applications/git/gitlab_runner.nix
@ -0,0 +1,123 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  name = "gitlab_runner";
+  cfg = config.services.skynet."${name}";
+in {
+  imports = [
+  ];
+
+  options.services.skynet."${name}" = {
+    enable = mkEnableOption "Skynet Gitlab Runner";
+
+    runner = {
+      name = mkOption {
+        type = types.str;
+      };
+
+      gitlab = mkOption {
+        default = "https://gitlab.skynet.ie";
+        type = types.str;
+      };
+
+      description = mkOption {
+        default = cfg.runner.name;
+        type = types.str;
+      };
+
+      docker = {
+        image = mkOption {
+          default = "alpine:latest";
+          type = types.str;
+        };
+
+        cleanup_dates = mkOption {
+          # https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
+          # it will use a lot of storage so clear it daily, may change to hourly if required
+          default = "daily";
+          type = types.str;
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
+    environment.systemPackages = [
+      pkgs.gitlab-runner
+    ];
+
+    age.secrets.runner_01_nix.file = ../../secrets/gitlab/runners/runner01.age;
+    age.secrets.runner_02_general.file = ../../secrets/gitlab/runners/runner02.age;
+
+    boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
+    virtualisation.docker.enable = true;
+
+    # taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
+    virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
+
+    services.gitlab-runner = {
+      enable = true;
+
+      #      clear-docker-cache = {
+      #        enable = true;
+      #        dates = cfg.runner.docker.cleanup_dates;
+      #      };
+
+      services = {
+        # might make a function later to have multiple runners, might never need it though
+        runner_nix = {
+          cloneUrl = cfg.runner.gitlab;
+          description = "For Nix only";
+          registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
+          registrationConfigFile = config.age.secrets.runner_01_nix.path;
+          dockerImage = cfg.runner.docker.image;
+
+          # from https://nixos.wiki/wiki/Gitlab_runner
+          dockerVolumes = [
+            "/nix/store:/nix/store:ro"
+            "/nix/var/nix/db:/nix/var/nix/db:ro"
+            "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+          ];
+          dockerDisableCache = true;
+          preBuildScript = pkgs.writeScript "setup-container" ''
+            mkdir -p -m 0755 /nix/var/log/nix/drvs
+            mkdir -p -m 0755 /nix/var/nix/gcroots
+            mkdir -p -m 0755 /nix/var/nix/profiles
+            mkdir -p -m 0755 /nix/var/nix/temproots
+            mkdir -p -m 0755 /nix/var/nix/userpool
+            mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+            mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+            mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+            mkdir -p -m 0700 "$HOME/.nix-defexpr"
+            . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
+            ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs
+            ${pkgs.nix}/bin/nix-channel --update nixpkgs
+            ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [lix cacert git openssh])}
+            nix --version
+          '';
+          environmentVariables = {
+            ENV = "/etc/profile";
+            USER = "root";
+            NIX_REMOTE = "daemon";
+            PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+            NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+          };
+          tagList = ["nix"];
+        };
+
+        runner_general = {
+          cloneUrl = cfg.runner.gitlab;
+          description = "General Runner";
+          registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
+          registrationConfigFile = config.age.secrets.runner_02_general.path;
+          dockerImage = cfg.runner.docker.image;
+        };
+      };
+    };
+  };
+}
--- a/applications/ldap/backend.nix
+++ b/applications/ldap/backend.nix
@ -40,6 +40,7 @@ in {
    #backups = [ "/etc/silver_ul_ical/database.db" ];

    age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
+    age.secrets.ldap_discord.file = ../../secrets/discord/ldap.age;
    age.secrets.ldap_mail.file = ../../secrets/email/details.age;
    age.secrets.ldap_wolves.file = ../../secrets/wolves/details.age;

@ -68,6 +69,7 @@ in {
      # contains teh password in env form
      env = {
        ldap = config.age.secrets.ldap_details.path;
+        discord = config.age.secrets.ldap_discord.path;
        mail = config.age.secrets.ldap_mail.path;
        wolves = config.age.secrets.ldap_wolves.path;
      };
--- a/applications/nextcloud.nix
+++ b/applications/nextcloud.nix
@ -45,7 +45,6 @@ in {
    services.skynet.acme.domains = [
      domain
      "onlyoffice.${domain}"
-      "whiteboard.${domain}"
    ];

    services.skynet.dns.records = [
@ -59,18 +58,13 @@ in {
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
-      #      {
-      #        record = "whiteboard.${cfg.domain.sub}";
-      #        r_type = "CNAME";
-      #        value = config.services.skynet.host.name;
-      #      }
    ];

    # /var/lib/nextcloud/data

    services.nextcloud = {
      enable = true;
-      package = pkgs.nextcloud30;
+      package = pkgs.nextcloud28;
      hostName = domain;
      https = true;

@ -84,8 +78,8 @@ in {

      appstoreEnable = true;

-      extraApps = {
-        inherit (config.services.nextcloud.package.packages.apps) richdocuments;
+      extraApps = with config.services.nextcloud.package.packages.apps; {
+        inherit forms groupfolders maps notes onlyoffice polls;
      };

      settings = {
@ -96,21 +90,10 @@ in {
      };
    };

-    #    environment.etc."nextcloud-whiteboard-secret".text = ''
-    #      JWT_SECRET_KEY=test123
-    #    '';
-    #
-    #    services.nextcloud-whiteboard-server = {
-    #      enable = true;
-    #      settings.NEXTCLOUD_URL = "https://nextcloud.skynet.ie";
-    #      secrets = ["/etc/nextcloud-whiteboard-secret"];
-    #    };
-
    nixpkgs.config.allowUnfree = true;
-    # impacted by https://github.com/NixOS  /nixpkgs/issues/352443
-    #    services.onlyoffice = {
-    #      enable = true;
-    #    };
+    services.onlyoffice = {
+      enable = true;
+    };

    services.nginx.virtualHosts = {
      ${domain} = {
@ -122,14 +105,6 @@ in {
        useACMEHost = "skynet";
        locations."/".proxyPass = "http://127.0.0.1:8000";
      };
-      #      "whiteboard.${domain}" = {
-      #        forceSSL = true;
-      #        useACMEHost = "skynet";
-      #        locations."/" = {
-      #          proxyPass = "http://localhost:3002";
-      #          proxyWebsockets = true;
-      #        };
-      #      };
    };
  };
 }
--- a/applications/nginx.nix
+++ b/applications/nginx.nix
@ -9,6 +9,8 @@
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

+    statusPage = true;
+
    # give Nginx access to our certs
    group = "acme";
  };
--- a/applications/nix_cache/nix_cache.nix
+++ b/applications/nix_cache/nix_cache.nix
@ -15,6 +15,7 @@ https://docs.attic.rs/introduction.html
  lib,
  config,
  pkgs,
+  inputs,
  ...
 }:
 with lib; let
@ -22,6 +23,7 @@ with lib; let
  cfg = config.services.skynet."${name}";
 in {
  imports = [
+    inputs.attic.nixosModules.atticd
  ];

  options.services.skynet."${name}" = {
@ -51,7 +53,7 @@ in {
      enable = true;

      # Replace with absolute path to your credentials file
-      environmentFile = "/etc/atticd.env";
+      credentialsFile = "/etc/atticd.env";

      settings = {
        listen = "127.0.0.1:8080";
--- a/applications/skynet.ie/wiki.nix
+++ b/applications/skynet.ie/wiki.nix
@ -40,16 +40,7 @@ in {
        "wiki.skynet.ie" = {
          forceSSL = true;
          useACMEHost = "skynet";
-          root = "${inputs.skynet_website_wiki.defaultPackage."x86_64-linux"}";
-          # https://stackoverflow.com/a/38238001/11964934
-          extraConfig = ''
-            location / {
-              if ($request_uri ~ ^/(.*)\.html) {
-                return 302 /$1;
-              }
-              try_files $uri $uri.html $uri/ =404;
-            }
-          '';
+          root = "${inputs.skynet_website_renew.defaultPackage."x86_64-linux"}";
        };

        # redirect old links to the new wiki
--- a/applications/skynet_users.nix
+++ b/applications/skynet_users.nix
@ -85,20 +85,6 @@ in {
    };

    services.nginx.virtualHosts = {
-      "outinul.ie" = {
-        forceSSL = true;
-        enableACME = true;
-        locations = {
-          "/" = {
-            alias = "/home/outinul/public_html/";
-            index = "index.html";
-            extraConfig = ''
-              autoindex on;
-            '';
-            tryFiles = "$uri$args $uri$args/ /index.html";
-          };
-        };
-      };
      # main site
      "*.users.skynet.ie" = {
        forceSSL = true;
--- a/config/dns.nix
+++ b/config/dns.nix
@ -12,13 +12,6 @@
  config = {
    skynet.records =
      [
-        # wifi in server room
-        {
-          record = "ash";
-          r_type = "A";
-          value = "193.1.99.114";
-          server = true;
-        }
        {
          record = "optimus";
          r_type = "A";
--- a/config/users.nix
+++ b/config/users.nix
@ -1,11 +1,6 @@
-{
-  lib,
-  config,
-  ...
-}:
+{lib, ...}:
 with lib; let
  port_backend = "8087";
-  cfg = config.skynet.users;
 in {
  options.skynet = {
    users = {
@ -49,37 +44,30 @@ in {

  config.skynet = {
    users = {
-      committee = lib.lists.unique (
-        # Committee - Core
-        [
-          "silver"
-          "eoghanconlon73"
-          "nanda"
-          "emily1999"
-          "dgr"
-        ]
-        # Committee - OCM
-        ++ [
-          "sidhiel"
-          "skyapples"
-          "eliza"
-          "amymucko"
-          "archiedms"
-        ]
-        # Committee - SISTEM
-        ++ [
-          "peace"
-        ]
-        # Admins are part of Committee as well
-        ++ cfg.admin
-      );
+      committee = [
+        "silver"
+        "eoghanconlon73"
+        "sidhiel"
+        "maksimsger1"
+        "kaiden"
+        "pine"
+        "nanda"
+        "sourabh1805"
+        "kronsy"
+        "skyapples"
+        "emi05h"
+      ];
      admin = [
        "silver"
        "evanc"
+        "eoghanconlon73"
        "eliza"
        "esy"
      ];
-      trainee = [];
+      trainee = [
+        "milan"
+        "kronsy"
+      ];
      lifetime = [];
      banned = [];

--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -7,55 +7,91 @@
    # Return to using unstable once the current master is merged in
    # nixpkgs.url = "nixpkgs/nixos-unstable";

-    lix-module = {
-      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
    # utility stuff
    flake-utils.url = "github:numtide/flake-utils";
    agenix.url = "github:ryantm/agenix";
    arion.url = "github:hercules-ci/arion";
    alejandra = {
-      url = "github:kamadorueda/alejandra";
+      url = "github:kamadorueda/alejandra/3.0.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    colmena.url = "github:zhaofengli/colmena";
+    attic.url = github:zhaofengli/attic;

-    # we host our own
+    # email
+    # simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
    simple-nixos-mailserver = {
      inputs.nixpkgs.follows = "nixpkgs";
-      url = "git+https://forgejo.skynet.ie/Skynet/misc_nixos-mailserver";
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "misc%2Fnixos-mailserver";
    };

-    ######################
-    ### skynet backend ###
-    ######################
-    skynet_ldap_backend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_backend";
-    skynet_ldap_frontend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_frontend";
-    skynet_website_wiki.url = "git+https://forgejo.skynet.ie/Skynet/wiki";
-    skynet_website_games.url = "git+https://forgejo.skynet.ie/Skynet/website_games";
-    skynet_discord_bot.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot";
+    # account.skynet.ie
+    skynet_ldap_backend = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "ldap%2Fbackend";
+    };
+    skynet_ldap_frontend = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "ldap%2Ffrontend";
+    };
+    skynet_website_renew = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "website%2Falumni-renew";
+    };
+    skynet_website_games = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "website%2Fgames.skynet.ie";
+    };
+    skynet_discord_bot = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "discord-bot";
+    };
+    compsoc_public = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fcompsoc";
+      repo = "presentations%2Fpresentations";
+    };

-    #####################
-    ### compsoc stuff ###
-    #####################
-    compsoc_public.url = "git+https://forgejo.skynet.ie/Computer_Society/presentations_compsoc";
-
-    #################
-    ### skynet.ie ###
-    #################
-
-    # this should always point to teh current website
-    skynet_website.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/main.tar.gz";
-
-    # these are past versions of teh website
-    skynet_website_2023.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/c4d61c753292bf73ed41b47b1607cfc92a82a191.tar.gz";
-    # this is not 100% right since this is from teh archive from 2022 or so
-    skynet_website_2017.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/edd922c5b13fa1f520e8e265a3d6e4e189852b99.tar.gz";
-
-    # this is more of 2012 than 2009 but started in 2009
-    skynet_website_2009.url = "https://forgejo.skynet.ie/Skynet/website_2009/archive/main.tar.gz";
+    # skynet.ie
+    skynet_website = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "website%2F2017";
+    };
+    skynet_website_2023 = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "website%2F2017";
+      rev = "c4d61c753292bf73ed41b47b1607cfc92a82a191";
+    };
+    skynet_website_2017 = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "website%2F2017";
+    };
+    skynet_website_2009 = {
+      type = "gitlab";
+      host = "gitlab.skynet.ie";
+      owner = "compsoc1%2Fskynet";
+      repo = "website%2F2009";
+    };
  };

  nixConfig = {
--- a/machines/_base.nix
+++ b/machines/_base.nix
@ -20,9 +20,6 @@ in {

    # base application config for all servers
    ../applications/_base.nix
-
-    #
-    inputs.lix-module.nixosModules.default
  ];

  options.skynet = {
@ -120,20 +117,19 @@ in {
    # https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9
    systemd.network.wait-online.enable = false;

-    environment.systemPackages = with pkgs; [
+    environment.systemPackages = [
      # for flakes
-      git
-      git-lfs
+      pkgs.git
      # useful tools
-      ncdu_2
-      htop
-      nano
-      nmap
-      bind
-      zip
-      traceroute
-      openldap
-      screen
+      pkgs.ncdu_2
+      pkgs.htop
+      pkgs.nano
+      pkgs.nmap
+      pkgs.bind
+      pkgs.zip
+      pkgs.traceroute
+      pkgs.openldap
+      pkgs.screen
    ];
  };
 }
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@ -25,6 +25,7 @@ Notes:
  };
 in {
  imports = [
+    ../applications/git/gitlab_runner.nix
    ../applications/git/forgejo_runner.nix
  ];

@ -39,6 +40,12 @@ in {
  services.skynet = {
    host = host;
    backup.enable = true;
+
+    gitlab_runner = {
+      enable = true;
+      runner.name = "runner01";
+    };
+
    forgejo_runner.enable = true;
  };
 }
--- a/secrets/backup/restic.age
+++ b/secrets/backup/restic.age
--- a/secrets/backup/restic_pw.age
+++ b/secrets/backup/restic_pw.age
--- a/secrets/bitwarden/details.age
+++ b/secrets/bitwarden/details.age
--- a/secrets/bitwarden/id.age
+++ b/secrets/bitwarden/id.age
@ -1,19 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA xqavLiNuEoc7Gn7MchvoSEC2RrsFDrf9MEGFYVf5vEs
-ZwOkERtRi8yxlZ6sUl+mzJ+YFw/h82vV0WzhRjQOTo0
-> ssh-ed25519 4PzZog eiC4yLeOytE1jTUaQDOxtVHsM2jJAvGLrI75XJXRCSA
-HJg+GqSKlXld1uB2WPTM28XEygsm3+4iObC7SCMWl8c
-> ssh-ed25519 dA0vRg rStUstoZRf0i7Ot/0Gn6zd1cQMQjDlLQ8ScEIM3XMXE
-PR2UGWuO5VOBVee3bndRxipU/m2ZRXMo0HQkX8pvTyk
-> ssh-ed25519 5Nd93w hn5Oo+ZoIG+UwAb/DUUJmkDcey35fG5WDBgbe494T2s
-TxUgeQb8UdxlowGV1/j2Tr7DTNqc6d56NGaFGZfeidQ
-> ssh-ed25519 q8eJgg vcWProg0hXGuIRVWXpFSzyS4Ei4YHSdq17A08avwCmI
-4iKGWyyGfCKEliEa/9r8y+D5LsyLglFvcUeXyzO+FCg
-> ssh-ed25519 KVr8rw 2kNscJDgyfKH6WrfSKWnX5dgRM0Kk7FztGhoJ89VUWw
-/biNgciz7/fDOyY6GfwEI57ESdUyRwmKaI4OG5pJs20
-> ssh-ed25519 fia1eQ lv06SnwwoBlmG4AVAeNpeIFgISkt6FktNuRq+P0eJgs
-VX8O0FYWrEyBVR13t8AkvIq1VpwFdkMX+wBUQHBzXPI
-> ssh-ed25519 IzAMqA b0DnkDgWeERguN/u9wgiBB1sbxHaMXmMZdPOJ14/UDg
-tmKw26Fs6iKbVq7BBK60UoQSjykp4BzLW59/ZbbD0hw
--- rR+hloCeC8YmoV34TBL7hLk/4CSfmYKwtAbmtUjHvKE
-<EFBFBD>7ü¶RHSIÎ”C#‡Ä/ù:öH•ôImId÷ëójkõlàa˜Ñlõb\ƒL¶²¬6Ø¥†/ôPÜ¢+cº÷’U‰MÅYt©
+-> ssh-ed25519 V1pwNA pcFat8+oFhOWSZyYBM1Ij11K5vLcrGSWGcopZTIUv3M
+NDNVRUQU3SqOPRm3N/rCMhf+DyMg21d9uAJkrqLrKcc
+-> ssh-ed25519 4PzZog xwjC1NO/yqurBivCPbTQgtsavmBmOcHMrjcB/W+wy0o
+zdFH8I0W4ItbKVlAW4mHIPNDPPlIwdSLnIIu/1kEXBs
+-> ssh-ed25519 5Nd93w ojB2kKZWtrcbf34sdYPNKIUJ65nGskCXU4wOq/SbH3A
+hhr/RyiTv0tFC/pvNHBFxFenHuVWpiW1hzVcyH8Iplo
+-> ssh-ed25519 q8eJgg DA1GO1/lDUAnFI9lPoOUQ1C33SHpNGVvqAF6aZCoLlU
+9Cyl198clJHzc/pYmOe3hMM4EZVi/EE6XjSlSnLeRdc
+-> ssh-ed25519 KVr8rw NNeHe1ExbX5I4CdibTc1772nJoiEHHcC5gs/t4v6/wE
+FeSYrhUeMxCWJ/DOmp66w+KJlhKnXCsBqCJ+lDGT1kM
+-> ssh-ed25519 fia1eQ yZVFUGXdWqNW1fnNRHTrBGN1WYoXemIkGdRwKPF613U
+k/7eulnPGaePxUzXtt9tHOfhOyhJlTT4pQ1KfhzTwfI
+-> ssh-ed25519 IzAMqA +TNjvQx4ee/T30kv/UyFu1rCf8aG71T8WUJj3WBnVzg
+3ooxsLz09cBO88/BRChFrMXpx7QjZVFfopgSEcxlfpw
+--- kRZI09vrkArnL0mRQaSvoY6bpH8OTV4nT8JbDzP8nWo
+î+<2B>ó
PçüÉ×:( ³8.Ðm(ªe+ÚigH ªWzqRvMø|¯–ý$ízâµ<×“í}Cˆ´{·)qõõ¬ÂAgþÑþ`¡á*Å
--- a/secrets/bitwarden/secret.age
+++ b/secrets/bitwarden/secret.age
@ -1,19 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA LbYb1XP9bLe1lcsAfGwPkK2/r2+TnkkEgfS9fi1YKRo
-Z20C/zQluu+Qanf4d9GSj4pLirCyqJpa60H9hodMt5k
-> ssh-ed25519 4PzZog IFlhg/gbQpiMugcQZUHwfAnSvhxCwW67XmfSNmYOSQE
-nOp4xPFMvIhUH9OUVz8B3L8GI+Um2egjHV0FgmdNwwM
-> ssh-ed25519 dA0vRg OAmV1KiprjoIgOPHCYcme2uLiU1xEdohTWA5CiN0yG8
-4/LHk5LCGrpMISvpjfo7QuhnRrE3ycFGwGTQ1i6VaZE
-> ssh-ed25519 5Nd93w jv27aiNze8Nxp2ohY7NIRtZv5lBxAdKYGWdqWD12zU0
-E5Rk0r8To4B39UsaZavEkAZlIPiaXswsShMgsyNPMoY
-> ssh-ed25519 q8eJgg /o798N6b1KlQfMM9gQf48TF9V7nXORxW4SOpcpYCuhI
-RVYXWwZLFL6ZUjGbmXBzEj0+Pe2wpZFPIj5yH9kRIwY
-> ssh-ed25519 KVr8rw +N2w/8vvD7/uG3TMYb+9vml/vZhLkoS+03KEDlQWNhs
-Hne+3S6vVc5Sx7QJ+OCrPCt4s5usZ7B7WwusnFQLmSo
-> ssh-ed25519 fia1eQ PJYYKfL1GolRt90KC52dvUyZ/HjWRJm9vMTjBvrCOkQ
-Xc7SpT5TZLTOORLO3uE8tPXKx7thUwaJi3ixngLRljM
-> ssh-ed25519 IzAMqA AtoNahZ3dTQasdfP3wf7U1RJyx//Kt82e1TMSIkW6QA
-neLAeCvnsl4RDq2H1slZJ+5i3JErqy4aRGoscpRUi/0
--- W8B6kla08fEkl4Kpp+0eAHj7B1j3WYCDcuwJvAIEW58
-)8ýG(ž¶	ìò<C3AC><C3B2>žÛær_št¤Ö©zµ¥|>¢od…ð×ù6µø*0j»…r‚´ñTü«\*v^#‚
+-> ssh-ed25519 V1pwNA zomyV86JWdw5KWZz/hpIQ4L9VXEW4wTDqI4cLGsNsn0
+yy7TKiwisPKlQQUWOXCykxbYSrwE5eGKMNP8OBAUkO0
+-> ssh-ed25519 4PzZog A4x9YKQ/YCTglMRY7X7PVkqwkktO6R8yavKrrPvgFiY
+r2GUQPkQDBR7a9NGkEYhgE5XyWJUbNYPBYcGUMBmK70
+-> ssh-ed25519 5Nd93w pUJi0inWzU9zrNeE2JbFDMltBfMjIZV5e+aAvkX0pnc
+oE06oHbCZiy36XZiPrI3yeKWuD82XT9dF3WsqZTvIsg
+-> ssh-ed25519 q8eJgg 76Xais8jMd3AVu9fjnklTjoYA+4dLV7iYhw9E6djiy4
+gIGci/h85lVxQCpnzcmgi/8Ddef4JY7J1u1HOUkBGAg
+-> ssh-ed25519 KVr8rw aLuWLwlVKlfsRetAGXib+wyewtokiLiHpg5+6PWhEUE
+JE+Kn+1uxViDQj+8M1VvOqJ/wpIzNlsL9xM7grMt5yw
+-> ssh-ed25519 fia1eQ txZ0C5zd+2MTRH5sw6ORuxvuCGuxVmnD0opKvUMzRhs
+joVv8myJAWCZnSXZ1PzqxQdB2uTUrVzgITTU3ZIgHEw
+-> ssh-ed25519 IzAMqA Ns6XpHFkrBjofBVY6rXY9h/tQPadJ9RgaKKaUWjWsVo
+3Q/3v74wemS5/tglw6cefS8j/z/0vz1C/sDAPnf+0HA
+--- AK6Yp/Zk8mqKBt/zzp6bpGc54h/dyPWWv29bDuxURSU
+ÿ‹¶´Õùc©LËÊŒœÅbgåÏA8Ÿ¨à:â³œõk<–P“²N~X¢|‚èÜòTq±Ñô}Ztï.ôY<C3B4>>§
--- a/secrets/discord/ldap.age
+++ b/secrets/discord/ldap.age
@ -1,26 +1,24 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA 6NKUbOSUbwVjzW/ZUpl8qEiUTTegFlji4+tVJyqY3SE
-fRQvaKnLMkVBboTEriQpWlGY9VBAP3ppsEbAB2QTScs
-> ssh-ed25519 4PzZog mp/+b5LpB+DvRduqAZiKWqkZq6+tlyQgVTZz7Oge2Us
-OycqmZyDr3levWSfRFxypJOkITLDix0Q15Todya6BNc
-> ssh-ed25519 dA0vRg yp/4LvS9DbdatHFWFsP5qhH8CP8Bs0IjVSenUtG4+Xs
-hHiJEtl1ffYXltsJzuEMLGUl2i/i3pFzv4bjbx/cbOI
-> ssh-ed25519 5Nd93w BTngmy4NGLGKhC8lPos63QEVBKoQT82KswQ22EypcQQ
-OCnJMkOwwXQVbtCitUizXM4nynC6a1tiPSkm7MxulWA
-> ssh-ed25519 q8eJgg NaEjVcDBVICRgXuJchEdE4vg3qmkNmJAbDDxLq1fX0M
-YFwUmEPwJIik5YJ2SV5IAmqGlY+h24voJJlrBaoCBwA
-> ssh-ed25519 KVr8rw ZnyVITZFkuozEs/rbTdxXDQNS3Nggo+JkBL1Icht2SM
-B4jVVts5lK1kIlOWMl0eiN7TpsTeJZWIu7NqildxeGE
-> ssh-ed25519 fia1eQ kvzARRScl/eypC2a5cY66sXcH+TZqz4sYg4W/k9iJxQ
-Ga+4TVvXiQ6i5/+fgUQ3E5tJiLqdBsEsXjenXEpRV/A
-> ssh-ed25519 IzAMqA 5sizvlhLhAhAR1bViHJtRJ8fAIO56TAuLVSOwE177QE
-b9oJ8BC2xiBjvc3D0H0EF7bSNDlpvIidyBCTf04ndJI
-> ssh-ed25519 uZzB3g g9y66zNmQbqP6Rbhg2t06W3YOgy8DkRvJZbWVegT71s
-2dH7E76tDMrWQJbLPefyORP66iaPHQnSjwu8NCdSyJo
-> ssh-ed25519 Hb0ipQ azOzBLXfshInlFVpV0PzIBidL/VzA/+kKRXFFVD6ZF4
-iXBF/Wcv4KWo5qUXUlyimuo0l6aClKxOCtkm3MxAIBc
-> ssh-ed25519 IzAMqA EWitYyV8RsPIB6HEFE2OI/C1zcC6WfBEeDI62rGVmkk
-Bk9tdSqIjLjat21J2LM8RXAt9GwdQxYdfPzqDtCjunE
--- waY7j+HMEOdqEZs/TcLEhUY9gJs6ZSc51VNfuCmCxJ4
-Ý;dÙ9A‡vÔé±nq<“ê;TèáƒBØ‡$ÐGÌvï¯h
-»\^Žé§lÖ¯`š¼ÄÎ?l¸<0C>au~üÐ§×yâ[×šju²üvÂ;]!œ6Ëè±ãXIs4ÇŒ!Ù@ßÏ¶û¬‘|›úïª">eÈÿ[VVŠž´,ÿ5˜ý8N§¹Œh<04><>[ƒ×´ZD,zý&âñíó¡”õIØ>ŠØù¡<C3B9>|ÎézÉm
+-> ssh-ed25519 V1pwNA oKU5WHTVFbMzlj3VCOz8SK6HUXSMx/+O0GRBgrHz4SE
+UhAfuzpx+3pVzaADb8IboXPrVdjc+6nTBs58vl6UM5Y
+-> ssh-ed25519 4PzZog P8oILoh4jxjLWlJ/8P6ZFo3gVnPLf/5rCXKt+VNbwno
+Z2LPtqT7vxDVXo67vUE++kZsgR8EW/g5p6ukannudWk
+-> ssh-ed25519 5Nd93w SCPXtK32yRY9SHlXW37lWn5o3kVyGLvE25JC7OYrqgY
+jXDPZBtkFaQ0zrWQ+q4t7gPXdzH3FXxi/GoGQ6A5Xp8
+-> ssh-ed25519 q8eJgg c0Pm3CbI20Xx+ZDG21YFBBYcRXhm7XJtL4upmfQk7Sc
+zoj5rfYv0LlKNcqxPCEmgn7Q9fC/zglkacJ+RdRGFAA
+-> ssh-ed25519 KVr8rw dlnvbfFVgq8/fCJ+VVNt82McHYcCYOyej2q4Xw7lHQc
+7GvA1OChHOY8H+tNtBc7t0dGX0htnwru/xiOk22uz2g
+-> ssh-ed25519 fia1eQ WkNk6q+ujMGaMndfrj4RCUhE2UTkYze9Hj7iDueXqgE
+70nqJIlhPFLAUCt8p4c/GulYOCc45hvqKDFuh1TkaP0
+-> ssh-ed25519 IzAMqA 4ribVEiuHMHX7rZYHi6iiW/5BwvVvydrsBzlVgRjT14
+OaEvZPbPJKAbOySo/7DcIuwM7F8Lowa8mnYSkXmKMwA
+-> ssh-ed25519 uZzB3g HBpDQeuRn/7ST7n+K9V1O6uLNnbu6qinqrjO000lyDg
+ACVdyMFSsJgRcHxU85ns7RVTWlKTCRbUqkvgmSr/7CI
+-> ssh-ed25519 Hb0ipQ zThy7Iiq+mfgOic4F8FN94LfUvxqFM/k2Z3Qrs4NNUI
+E8HEerENg4ypEiV3PnvghUzBuL85SkWSBeEdQw7xUUo
+-> ssh-ed25519 IzAMqA hvEU3NLfxGsQkA1hlwkumtgEgscd0HRcBKHbavr22Ro
+omEGJ/nRcqeXRI8HQkWD1lnabodUNSipnmedtZjNyfA
+--- OeFgK+AG4MnUHFFRjJYmDKDonM8qNnGZ7sQzdv9GZK0
+³{J7¦¨bWþ")«û{Nð62þl”8íQ ¥A«ƒ
+-¤'qGr‡}ÁÖ¤‹#¸,	ŒB§°ÄÞž(Â~IÇm
/¬FŸ<12>>`°RœF+tC-p—û]Í¡#òù
Œm	|Yó7Ãˆã*„«+ô¼f{°×·úÝÆÊRô*X»UØl:ÉÏy²MÒã–;my9&ñ1Ëég ¬ßÀÓ‘î+1=¥ÜOÉ¥B˜I<CB9C>Ø6µÛ
--- a/secrets/discord/token.age
+++ b/secrets/discord/token.age
--- a/secrets/dns_certs.secret.age
+++ b/secrets/dns_certs.secret.age
@ -1,49 +1,47 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA 5xvtgxFvEOX/bVAOdBBF2Fyb0euGt95YjhOcfpGgHk4
-6oN4Xba0W5g/d3EX2aC4N6UFVf/oHGgdTxBcMbjIdHo
-> ssh-ed25519 4PzZog SjAcOftaZBEAAZ/P+Z9OTira4/QLSMRefC+JkQcf0G8
-zG0R3/r+PBjWj7WBABmHPXpqx18uLyuFMJKB2az9i2E
-> ssh-ed25519 dA0vRg k8fekPA7w/QFMVnDfCrpOlfv531/nw9tO7B0d+mWHiA
-jp+DndebWEdk9+wt/nvS0LfRsFf8T7+dMffWmx3tPw8
-> ssh-ed25519 5Nd93w dYe/tZ5qHoacI1IBa7yvDL/grZU7Lc40gU8boQY8Wj0
-eBs8fYre18RGW8+RH4J4AleG3kNpCZ0agAfcojSCy2Y
-> ssh-ed25519 q8eJgg 9UZdBq2oZ29U/kzeNOGn+q8RbkLbJwM0eSJHqSLV6Ek
-vqa610t5XxHiKBSf7veOc09ZFYW7EF1KpIbCpdCsegw
-> ssh-ed25519 KVr8rw 1CkykLAC3c615TDRlOeI4GHmqu0VT2kclWkr+DT9dSM
-0MyPNEmkHICQZxpKt0jBZpce13c+jn4WC7IJL4uWZHo
-> ssh-ed25519 fia1eQ OtFYStmc1y+yqYNaNgHxEheIIVykYAa/uR0dKS4xX3Y
-c2HYDyrD6Db3FNLP8tebLngtS2S8LHsmHovbofsUk3U
-> ssh-ed25519 /Gb5gQ rAc4CqbqdkIAFystL0rLqGNH56GrKxOBamqhiIFAY3c
-RR+NsZe0HQdQv6SgeIqy9IcIChXdvrsspNDBngW6Byw
-> ssh-ed25519 NtlN/A 93citgkp9Aj1LDK5UdzJqYVVYaWgt/Cc6yMJka+ccyY
-KTcyd/SygOLp4mPI1zGDTKCNT7LfVUw12Bw/qnTnMpE
-> ssh-ed25519 v2Y09A +fWNE2zU+lz5KGu2Ed2MHb9UXzJPUAUuBWilF/AS1Qo
-UVJWnAjRcD7X6iA/heoWdZTcsUS+1VMG5leIHxWZGNA
-> ssh-ed25519 XSrA6w fft3i85PNprS9QqQo2yKr3lx3qHuSVFeVYuT5Gtfyng
-lNOo2jQXvaMElQawI9x8vnQN5bnnNefEyYXD3YqwOwM
-> ssh-ed25519 DVzSig a5q+imjqWqTzyM3aU+UvvGv3wH3RLTPl+kva+qVSSFs
-Pobzi/5ZVyfGhVK4cMqvMqaAol9X4+P3hEaUeHdiacY
-> ssh-ed25519 uZzB3g B1D2S87+yPr66EikAqLw7s5pazfQeQUxAj4FFnk0nAE
-3lEw0t99aSGqkZdi+ILl3+s+JWRKpY4BHLXdrHfFxng
-> ssh-ed25519 CqOTGQ urZpNzMYvDnGR1UgjgrRYp06gKWcTEWUDjyb4fdDTD0
-7jeFeoMBitwGFQLSynYVyIYsEhHe7A8mdl65goiX5c8
-> ssh-ed25519 IzAMqA QmtcH5afcef4NMRX4AMrUHW1tCPGOlJ+gIhhDFkUCSY
-I4Yg8vgoYGcsV43qq04+nrhzMJ20eaQjOD4EJM0z2xw
-> ssh-ed25519 Hb0ipQ CO7nQSSKrmkQ/C6DuJxesIMJmm99eQytLzJ+3/Q38AI
-/kBnqeivoQLMaAA7nX0t4/UAvcOIchEu9bJWxIuUOV0
-> ssh-ed25519 3pl/Kw qUD++i8FGbEAuqa+/v6f664tlVTwHGYF3AmTo0cuZyA
-vjImiKQm0SHiuO7jZTKRg/3MKzDExfE+p9ZT2nHZr4M
-> ssh-ed25519 SqDBmA BGwTqAeEptBFRbwwVkHZWX+OKQpALqrPvA2+Cl356D4
-Gg69WAtr+AAfYT1G+WcTSIlCbNqS5DyxsZw81DaBSkk
-> ssh-ed25519 UE6fcQ 4JZzLWThfgJQSNDDtDp8ayM7N9o5tQ6PVwKMj28inC8
-RyEWRmMbuXezYZntsTdVIbjy/YEbrflqMpirdg08UVQ
-> ssh-ed25519 YFaxCg LTsikBkuBwOuc2qrnTAMVtRawZyBosZScefH8qWIqzQ
-aLiVK7XFI8iDRTCGH2yJnUpydjTp7NF1Ygok6D2Fo44
-> ssh-ed25519 elCEeg TKQKeAvY3kn5IuvHoS0SWtX647nEn1txDftt7pPQEG8
-OPAFqPGdSS3Ud+gFtMXG0shrXSmVrIBzvwc19Ac1NJQ
-> ssh-ed25519 8vZ9CQ NGLF9epPqcfbQWcbtMeYIcH0jAZMvO4P7UbKtl8lGRY
-ZJ5afGOI32OYBpWs6pe15z2IB+5xgO04/OsKp6ixT5o
-> ssh-ed25519 rmrvjw tfgMxvtTE2vv2qQJtQk1J+YV2UC/2iZSs0nvbVzV1Hc
-HW86DML/9MXoTs0WWn/zNi4Rh9SBhaHl2WC2bkiLbmw
--- Q4amxZgWmdHcf7aqav2TpKA8KX8B8ZHuBhzIcKwbFTs
-E¾ã™r<0F><\Å?ë @î}ËkRÕ(ƒù;È^3P–ÐJäO“ãSÜ‹Ø â`¶¦	sb?9ø¢¯Âÿx$ñû/<2F>ø~4ÊFŸv_¨þp4{5 GZ²f"’<<3C>x×"q‹ºbj¯:cTuWå>BÍ¶'<27>ã)/¥×]«ôÁÈëöà•wžÉK%þo	B*&Þ×«{\ZŒ•pë£KöŒƒ³Î¯k}ÏåíßÔ}P=Œ¸û·?<õ¬ºyB…‡sbŠ„<C5A0>ÿÑª%â$¢#"
+-> ssh-ed25519 V1pwNA Um8k62xQfUTDj8C2uQxdr96NUaLjukWQM5yzDKyW90c
+JiwqfZvGtjkx2UyOns3shdLkhOjnxyp9jEMGsgtVFhA
+-> ssh-ed25519 4PzZog Y7myy2+E0GGxudigs/ejtOUabVBNOIavuA+hfxApBl8
+tNnI8V2H68H4Rl7yLvPT7vFcF3zBEgunyJdHZR5pRI
+-> ssh-ed25519 5Nd93w EjOZVoDbJ/HZpL3KxqIi0dDvDRrZREOR5Gxtsu/qETo
+yLXSvQ46vg0O++bQUKx9PXH/vCWLpYAkqLGue7Zjzz4
+-> ssh-ed25519 q8eJgg VE5foMAIJxrF7E9a0INJMZ57iUUAXThqMcD1JQP+GFc
+qonLC+VctWN1Gh7TGTjwRDd2k7xirwndhvTBfDYbhq0
+-> ssh-ed25519 KVr8rw 3C9ikWuujEVCC4ciVUImhozN8JF9pADC/BkvzfyJZgE
+Sm2sH0W2/ilXe9nBaXcBr+k//N3htLMKxuNY/PE5pH8
+-> ssh-ed25519 fia1eQ c7DXyzxmlimzysAITeoJ/uZpiwvwpZyEE8OUaOZsHVk
+mpBnKteU2Elj9h0myNcVr6EC7p/Mvhv1PF5rdTQCQxw
+-> ssh-ed25519 /Gb5gQ o+gM7Ah4qpe7cndwNSqaHDsMcrdzyCKzM5eowSTdeGY
+chfpUPkmMuw2h2vrk9mpS/R4tMbV3hRIedxMjiwpjKw
+-> ssh-ed25519 NtlN/A WTNZAVvkf5+DzohU63Q9E1un3hTgnHlJhUsB47tilCo
+hzAqYw5BI0RSHafoDqf/0gsC2Ao6p0RywnB0ywRJlEw
+-> ssh-ed25519 v2Y09A f2AfFJBa2Z4DAWk0Q+02c0MRJqsY4uCyaQbdETWlj3M
+nzGicXSpX3ePk1wcXx9zn0LjD1zJ3m+hMwttne7ZQcY
+-> ssh-ed25519 XSrA6w pS8EsxTW2DxmNIseAXIZSlgl+GHvSZYlqu3ptttSf0s
+dgwMl7qTgBrRgy5nQo0tVGygHDuGLtOCTa+VKV0qUvI
+-> ssh-ed25519 DVzSig 4IVV8Eouy9g7D7Bm4+kR7C/WenXSRJ/LyEpi4etVVz8
+jevtHMcYxkII90eLLa0abp7sZouHYv34Y/Hh3uRLwtk
+-> ssh-ed25519 uZzB3g gS8fmDFZKdiB4I/E2lcuNADCrSafO/nfdWynlUBeNQ4
+D2UsbMklhDI6epY4S7zlyeWT6B8em8QZOW2m6xCu7Dc
+-> ssh-ed25519 yvS9bw J89yiWrxj+OyTCRz8nTVQwYYFjfMPSQ9YRreHbWetCY
+vx+SspyK+GAYHDWEvComBs9RaF7/OusNyumxJqulUl4
+-> ssh-ed25519 IzAMqA TErMgW9Bj/l9N3WAZ/WOwAEFeYieyCgAw5AhxozmJUY
+YcnB9vDoozUIcLEgi1vieNlZtcBZu784D3ieUVo4z1Y
+-> ssh-ed25519 Hb0ipQ JVqCZ+LmJV0Oa+hQVhnxn0icj5apL/D5wEa7ovyreAs
+Mgfclli+cvJ+6utfqCTjjwHdqIWJeFRSedminG9duVw
+-> ssh-ed25519 3pl/Kw 0KIvDRrDxzA7F7Gk9UmLCu/QG1CgxPKD0U3HYasmpGw
+ejGuEcMeMKO0ROgp4zgIx1orjfizSsKnkFpLlWImLIE
+-> ssh-ed25519 SqDBmA VfUmSzAEJlPxrzJ/bBVzqCMQStoyU38MsYP0xNFCY1Q
+3r7n8/LGveiHJ8C4UfcfVoG2wxofTwIKduxQXBWlEYM
+-> ssh-ed25519 UE6fcQ 1WD6yUAVxCfzjjl8wsehzJMGmJKFicn/5cGDxJBfQVQ
+BLNcPo+7qSR91bXb2A+doVrxFwuVEW+1j2ZpZC1V29Y
+-> ssh-ed25519 YFaxCg sOaoF1xjTiHc9Wo1f1Zk7EZuoJFK8GvpLe/9Ofbwrlk
+MPZ1AM6Nbu3fyijTSxBW0uyvdyF3EM4G24bKou1pdWI
+-> ssh-ed25519 elCEeg ZiGYDevzSY2L6YClsw9DALPsto6bTturc7sMsleAnkY
+2DP/GGO/Rfcn44urZa1xp4OtzIze9e1iJZIjWQTTVLc
+-> ssh-ed25519 8vZ9CQ U7ViISMwmHpvR3FWB9Pw/QtlrF2u5beitbnDS04hSFc
+ZebAfjK0qoQe3n9QJ6mP/9L/A1eu6BHT7eaTdhlJLbE
+-> ssh-ed25519 rmrvjw ptV34JwMY2JAK/LhYvM8u0CZ4FZXJUUbXsa98HRvLXs
+72jkFGbgqHoj/x/ctXRywhhHmgkhRoXPhXKcOvn9yVw
+--- 0gWQm5+bd+WmWs3PITuJ2GSfG2WnCtB3CFiaELSmc9Y
+8¾4FeÞÓVþXœÄÑ«¶nBãl‡Tt2ErDQ1÷³Ù`b~)þbÓûBŒ ðŸ<C3B0>u¶/Ç!úQŠ`Ãånû“X–Ë"<05>|ßßà0*~…=kÀg;v5z»IÑàÍRKV]¡s~X’‰hÎŸ›TMð<}.2*Ñ
¤rž×vR¸<H¨,À²‘	*Ùc6mÆž9ºrƒõ¶²?ÎÞ3Ði«wqœ=xê4ñ	FúÏ§êƒŠp”	4s¬)˜ÊJ¼Z®¤9-2åx©ÛüãÛzºÂl<>×
--- a/secrets/dns_dnskeys.conf.age
+++ b/secrets/dns_dnskeys.conf.age
--- a/secrets/email/details.age
+++ b/secrets/email/details.age
--- a/secrets/forgejo/runners/ssh.age
+++ b/secrets/forgejo/runners/ssh.age
--- a/secrets/forgejo/runners/token.age
+++ b/secrets/forgejo/runners/token.age
@ -1,19 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA 8acWnck16a9QK194orAzlQgQKINum/cyUzJqO6i0rkg
-In2UpSbBR6QoTMTZR/GpZJN3x+5CK3hZcEvr5fORoOI
-> ssh-ed25519 4PzZog /YeuXUmWrWFohgOSEmUygaTax668bLZpYO2T7KXl8n8
-mgnBBIsPycR6RMhLk4HQei5xQLzVHiBHaooOzZdb4YA
-> ssh-ed25519 dA0vRg DidrxIBYvAfPkwNzQXy2+f6inafUafoX8cfUChA7l2Q
-/wfxyJAyrQ3Uycxwov+0b9pKKOxPP9mySRK5g4BzMnY
-> ssh-ed25519 5Nd93w i+oP7x/eHY/Roj4mdpOFHrBe5rxUL7/4617F4O3jPh8
-yTVD0dR3ljoUSv1qyuKcOvr1fMRm9C8YAZKKjURtCPk
-> ssh-ed25519 q8eJgg Y0yxgrLm9/E8nYBg6Yvd0GPbY7PwCJCumQ9CtgWFxxo
-9BfGPSP7pTTM8Dm9qXagKaw95hbqvvp7qsFkhQgQco4
-> ssh-ed25519 KVr8rw pXha2ebkoIFX9dMX3uRz+0rcbwcQ1mwPnLWp/wCzx10
-BQQ77pXJl75c6myecmKlEpqHtWB/rSdG6Pwpbxzcfbk
-> ssh-ed25519 fia1eQ gCgas1CqGNZ7n09J7iXOvh2xeGgoszn36ABZwiskBBw
-3a7WMN9aB6ZvwFyP98At9V9K99hD1vkvSJgnY16/JKY
-> ssh-ed25519 CqOTGQ DU1oon3RPo4MCdzigrM2+b3KnTzzTSG/WDSvtBaF1VE
-zwKaQnXT004dMojYFXPz9UERL4ULe7mPZ+vwlZMxFvY
--- FWICxx8MWe7awI8P5t0XsbA4Ye0zbxCdMbapTs325HI
-wûùÿŒ-”¥d!Ñ×=gŸ&ÜžH¬©ó?÷IçÛ’Úá•ªªêÏ<C3AA>Ò¢Ù„öLÒLË-<08>Ù¸ÏñU¿?	)ûVýJæb®éÄÎC
+-> ssh-ed25519 V1pwNA bGirG6sUND19fSIwyvtjS3RDjyNUc+kXmzRoN4P1bC8
+kPJr2S9BlGWWnoggce6dx1OR0/r57AB5Rcgz+qY0qKE
+-> ssh-ed25519 4PzZog iciiKCHhfK38SwvSPrdoMK7C250qTV5eBgv657iyKwU
+dEiSS1FuxEpovNAl1HPZk+MRCcjLGiKgTfpi5Ssi38M
+-> ssh-ed25519 5Nd93w FFgxLg0NNK6Op64FHu24sjaerv3jgDaPz6uKPi/A8AE
+ZvHbJ2K3T7CUJSrrpF9fMmP6FWCQ3i6m/5Fi2UNtbew
+-> ssh-ed25519 q8eJgg nVm1H/mbEsGt2O87i7VKUL5do6Rc7n5nvSilUtQ4cBU
+WWtsNbIatU5ZostueLntGgKD/nxcavZPheU9afRvbH0
+-> ssh-ed25519 KVr8rw Nnroz2PgUoJsd/frf+N+b7xdJDAzj3NsmJaogsIkYGk
+xX73tnCCYGBNA3BRjjPMn/IV+qwjIwEUk+IZbhCCfHY
+-> ssh-ed25519 fia1eQ GLYqWGKYKwkBRwQ7SxSnErmz1MFw5gPCexfap8VM9Rk
+Z+dIKhk+JH7W07diX1Abr/Deezkw8xGkzXQuYn1HfJI
+-> ssh-ed25519 yvS9bw Lwo77pDciewUZemyFc1EUboIlXFCBx3CY6BGuizach4
+AkWzgV1zRJzLtfRxkfhmd80EU8fW1w+5sxMAfWgdEMI
+--- ac6h3StxSHr+HFsyPIBPENQRcfKzXX8fzJlZ0MER/8c
+å¯ñ„üzwyCÉ>þÖ¸Æ\k¡±êu/<2F>óí{z§©€<>¢Õ®¼<C2AE>º<EFBFBD>ø£jDÇÐÒßã4õ{^mÃDsÝå¦žÂÎ#kiné“xo
--- a/secrets/gitlab/db_pw.age
+++ b/secrets/gitlab/db_pw.age
--- a/secrets/gitlab/ldap_pw.age
+++ b/secrets/gitlab/ldap_pw.age
@ -1,19 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA aYjPUkjZHoQm86XHx3VbGswLy6VdKNaaHe3f3CGa1ls
-HMuWoZj4tY/nWj1nrgOxob1hJJD/mPD3kQnDgJJafeI
-> ssh-ed25519 4PzZog GojGaXIg5RK7WjJSCZxJksXvsm9TZTlbHITuksMivBY
-4oAuKXtJ4ksvusFX3OM3VpdzfArrglxJTN8kCdhIjrU
-> ssh-ed25519 dA0vRg AzGx90D7iz93gHtSvV5oIbBkwgQEpVY7DTRQIZ16IiQ
-GlMsor4NxuhHs1HJg62O3ZtPF6CHHFc46din6fm89G8
-> ssh-ed25519 5Nd93w oAyaZjUSGC9moA7pLR4+dzoKAggFuKUNMnRbn/fm2FQ
-eHa/2iLWrqv/pPXjgfxtk68MgBX6EYW1YWfs1kXkazU
-> ssh-ed25519 q8eJgg xBdXNLjZqKi2o+cbCXGdOOSFnlfPgaxjQb+IK60MYHw
-dxV3kTuaJ1ANFgRaYchwAa0kjGZHZ3POc/Wrw/per+w
-> ssh-ed25519 KVr8rw TR3AjhWy5K1ntzMx3mZZZWGYi7EvcWiFpTHyU/+pV3Q
-Y/xu0hrhaFZdO9YY8vINp3796HZ+LAL+QvBmIWmoS7A
-> ssh-ed25519 fia1eQ zF6CArF4sVXzIRenfDq7WHz06WXFdo7vMgD15NI/sR4
-m3sGJNMtAeY/yIq+D2nNncGNxX+KKXt0wCO1WMZmSTI
-> ssh-ed25519 uZzB3g pTocgT3gT7VHD7BWt+rGRIqUZYuh2G+1VeTJxyb7Xxs
-q5UYfrUVbgaqJCxWKegc0q0PvPR6AZ7AlI5ff4ePfjM
--- 9KS9xFBleYVsxyktikZ+TX9++1wqXmDBZxU3g7vwwLU
-<{r<>U/˜½Œ°ßR¦*°Jd)¥<>“»,#ø9ns!LsÈW#_ÙwÒ<77>¤äÃéÐMÃM‰Ãýð8sÏØ]ß•üƒ—8ð3ˆ¤7@·YNØçXlÿ¸æÜåºš¾Il^0p"aºMf«¬çG SÂdBŸ/»sêéÌ×,¡4!ãÌ<C3A3>rPÖ¢Ñ-Cáòky‚<H˜ƒÆ	ÞZì'
+-> ssh-ed25519 V1pwNA x1pwBhVm/KthEkGo+I95yIzv8A3kZze+KYmwKDZFBmE
+blUPnpuFaftdnZCdZVCIbay+d/XMVR8raF9cn0+FFDc
+-> ssh-ed25519 4PzZog r6D+Bx2eVeQD6lcd+6XYsmvExaxqJQUr8m/PrupzmTg
+Kglh8yHYc8dvQmUvn2hHV3B7OzPI9ClQEk2U0fjLuGo
+-> ssh-ed25519 5Nd93w gWJmZgxPsJm/T/gBHzRNZXHX4Qfhii/I/aJyuwy960Q
+zoj1RMphiFK7GySdSkFpd38s93NWAYs9oOWm44kOApg
+-> ssh-ed25519 q8eJgg Pyj5EFRrXh4E1kdUrg71nwG/QZb3HEd1meRQIO2x+iI
+QiFatsVgMKf5ABDoW28Ip6QhPavPGSwMkfHUHWgVdOE
+-> ssh-ed25519 KVr8rw IZ/LqiJ4Xho6a0pd03TQwD0DiFBz8fMIsF4zzA6BhGQ
+dA25Gq5xIXFcvZkI0Xu8YZJzxw7tQmZITAHjfs0gyzQ
+-> ssh-ed25519 fia1eQ HLpuVSNnosCH6jPmgc3sYmmExkitXnY7+QanxRCuOhg
+hOqar2lMqJrnMcvJ12vsu29pLsfNyL8v8Ze7a0ykztQ
+-> ssh-ed25519 uZzB3g fK6dbVNuYiADu4KKkDtb5nF0Oiq88r4OLWxtv9a1VGE
+YZVQs1+gn1G4K3sTFTZ21ZZgbYM/c+Sn2IHA7SpVgfk
+--- Kla1gxQ5C6NX/1dF6ClooiIhPVvnhnr1iRyvokrk3LI
+tÝÌ¨ dFŠÞøÓuc…ílIüM«<4D>“Ž<<3C>Mÿs×<73>7<04>ÔK	ˆ¥rõ“›<«÷—=ý<>‘¹¼TH¼
RìgCqTNÛZÛº}‰õjúù]˜6çøÓ3‹pò‡µï’Úó\Í’týÛ<>rWÃŽ%Œ¡10±þ<C2B1>#WCjG™Í¼“tÊÊv	‡>cYæm›úCR®…hUó²
--- a/secrets/gitlab/pw.age
+++ b/secrets/gitlab/pw.age
@ -1,20 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA RT5AJD4kBHmv0pPNB9TASl4j8h4cIS418P3V9rUUjWs
-tupAAUlbIdszxHMO3T/LgFcl0LlyxnSmu2E7MWuCFDI
-> ssh-ed25519 4PzZog Vq8xPSUr64TjNwWY/5aV9tw2UqmCcflWphHQgl1qNmM
-WBWAJUfJ5+otsz5ubRqIMPvk5p0/h/yQhyg+sV41hBE
-> ssh-ed25519 dA0vRg Hkzhdyy2NueyE6zrVxzkXvPBzPiczjCYsT63XpqcSHY
-bP2gd7I43q9vjKdyvrxddxxlG9b3mRq+NS8gC6NXc78
-> ssh-ed25519 5Nd93w SLwM7TepNucy+RZJpEHm6ZffUInNzsNVqbqYz1QcGFo
-nnxkYPOQkHkDFIBOVoB0/96NblBpy3sBwSf4JHjQWMA
-> ssh-ed25519 q8eJgg GZpY0Ya99WQl+SaQ9+uROl00vRnQ7AKfAL7L/f2UEjc
-Ylvcy7f/6whLkWW8a9V7cFHQynznmoiK59d1KouN+nA
-> ssh-ed25519 KVr8rw dkq2lBd6MX7QwX7VLYoERu0TH1kl5mQps+oPtrwcUBc
-gAdFa9ycxKUDErboYQRgIs1B6QK9ExWLkl6bzwHjOcE
-> ssh-ed25519 fia1eQ PBbnQ2fhPW2GB5y8DpYAu9Kugb3sdWb86h0bSYwXRzc
-1HVvMRgb7c9V53ApEasPXetfBvsz9GSArJOxGtRXbMM
-> ssh-ed25519 uZzB3g BMRR0RZLtsSAzI1EsQzeeLx1JyCZ7QzhnGvn255rlyk
-jPWO8HsZFX2TGtRbxwHV6x2OWwbCJb+sPl45f0mAHp0
--- J1ejh1XpuAwFhOdWUga4WiJzgFmFdAgLpp2pe0K7cnA
-ÒEÐ·P¯s¬*ãÇw´€ÞâŽ²[	~Äž6H=].ú!C?‰#›$å5ëáóàAv<0C>	øEïý§asöxKñ‚d ÉV’Ñ¿·ï¹DQ¼×²$Ü;µé-S;‡ƒ%0Òï<C392>ÍËEˆ•œÛ‚•ŠÿR0äô¢ø½<C3B8>)ÐFéˆÒ)¦§ãb<C3A3>¦ê1åD¸	è›
-¡yÊª<ÙßñG®7Ð@åMú
+-> ssh-ed25519 V1pwNA a4NtEaRWmr9kaG//BjsnHUViki8x0BVOzhCxs+LPNUU
+rNnvjk9OL2dMhNtLlM/9fPwba0JKdF7Lgp8OrlPg0+w
+-> ssh-ed25519 4PzZog NzrMhIesa3mh17B0GY89q8LykrLZbs2ZbYYKpDui3iY
+R40VQvvVK+qkL7z+JYG3/GShIS0NgWhn+gQ5VCJ8/Lk
+-> ssh-ed25519 5Nd93w 07HrZszUf5f1EIpBU7cGyWx4FJes5NdEwzPBHENjWH8
+wkpbLH4QJxN+Vu3JTG5jlBLn3QRih4mC3vHKABuRil0
+-> ssh-ed25519 q8eJgg HYQ1pJ7UZ/wt/dzgaNOW+YCYV0JR9WjeTu1jtT8sNDg
+WDqCEkt/zXkLbYRnqqdGF4yKy0bVKO937BADdp1wcGk
+-> ssh-ed25519 KVr8rw gvJBgBa/1llkpO7b/Mu6EgdujBYOldYCln0wIsysyXs
+UlizPe1iqUaci6Qd9EGmpoV5BUjYCJ6BL5pOqBEoK3k
+-> ssh-ed25519 fia1eQ uHt487+wluXVQNoB+v7ED+VfUjedj6FPCvV3o5cjHyE
+tqMzgDKazDYe+79uftPwazyW/ao5sI+BbInU6MV36hs
+-> ssh-ed25519 uZzB3g rrVSIoiWI+BQcCozUmwV6AUI33bwNZS7q1PXZHp04W0
+WaRnO24QTA5GFexSQMe/U0Br//PNPt9OPIxWuM/vdb0
+--- 9CleuN83VCsUUIsMLbU8274FdYLcy0IWe57C7ffU8sE
+ŸRŒK{aØ ï:@ÏÑHËÂÐ;÷á¯½ oîhÙ¬Àû|wé‰PPq7fŠ{]Rï%Í‘rÎy±sëÐÛÉøPû%Î.äÄƒ-±5¢DOfuFÒ ÚL.F×ýj4ø—€À$Ã+Y)«f<ånëT¬ÔÑ	¹…^$QûÅ¸Ã°>¹¬vØDÎ0/Y÷}òŽUTlÊ>L³";Ÿà
--- a/secrets/gitlab/runners/runner01.age
+++ b/secrets/gitlab/runners/runner01.age
--- a/secrets/gitlab/runners/runner02.age
+++ b/secrets/gitlab/runners/runner02.age
--- a/secrets/gitlab/secrets_db.age
+++ b/secrets/gitlab/secrets_db.age
@ -1,20 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA rEsQ/q9FmFkVdXfXfYG3zHN4KvXTfRmZBLEibdzbQBo
-fJSlFRK0Oi4OpGBf7Z65U5+OFu4+Ts8MqKe7B2G+gYM
-> ssh-ed25519 4PzZog aOPnUpH7F3AS6IauahbpQYYYSX7hSJcix2C1CgUsoi8
-h83ikYOIqng/YKfo2RJc9MwbdaKV0V3DFLj5socRi6A
-> ssh-ed25519 dA0vRg oK+zniCPQd3Hw/Bm1/cG6d0If6Wq7VVdxR1nrH/MHAQ
-c9Q6gyqil1XvTsl/QB9dpvYHa9Bi8bbfWNNfEx2wwo8
-> ssh-ed25519 5Nd93w B1mA5u9RHQ28ZopDLlJh8Z5Q530tJ9wjOzhMzsJSTUE
-KbCpkJ666a/dnnatT5QIcPbEOMP+dUkiMERcc9tRMvc
-> ssh-ed25519 q8eJgg ps+fnslUfJUthZB+bLXZdvwXgaM/Jsec5YVJiTZy6AU
-vpwxjfgKkieWlxSjWz+b6U0p16zJq4Q+NqO2zXISWbg
-> ssh-ed25519 KVr8rw sIxHbaWSfSZVoMIchJnvEPH0S1ZrSa0sS+Pa++yUZ1o
-3pn9e3IzOF0JxohMP424AFWw6IrCPm+fnS70cfnKZ1U
-> ssh-ed25519 fia1eQ XPBMusFIRQ2mqQgnYPpbn40heCrqiqa2P5tiq5H9fgY
-7T2S+TJ5jd7cfnCa9iWLaf2zUHG3YIUZFnt/ek3pHUk
-> ssh-ed25519 uZzB3g NxRK4Dsc4U7a3MPQoApPTNdybonx2RdXUGc61WB8l0I
-YHoL+K85aXdCTAm33Oc9d1/BD6xFXCHZ8uJCqqn8pQ0
--- BHDuf9Sxnh49jes8mUA6Rq2cTNqBxpsz51UZgL2np4c
-þC
<<3C>\ã2fkÛ×L+\¶‰éÿØ²µp‘&‹®6~<7E>Ø<àÌv¯sé<73>ærx§.ùO¢Y
-jÚEA-ýûyã&N2&M•<4D>ïn‚

4!c²™^$¬^;¿XJÁ@éFÿÍûf*²BIÉ<49>`g†e{„ÍGžËm<C38B>ý…ñ?U¨i«toažìŠ<!”3ä— <E28094>Ó›l1~2W7óC
+-> ssh-ed25519 V1pwNA 7I3aWhw7iw2mwJnswJkVfIQ246p80yB//uG+0sEyqTA
+adGO+PNHWVXIlDQKyxSPXvZH5XFONNNPr9iLeVq2OfA
+-> ssh-ed25519 4PzZog 1MB3obSvF4K2IHF8beEcTwZ6gisII/iXq7uGKsDK4GQ
+dVPFnOW0d/IuqNtrcLdr9AtNCWV4NYXTtVHHZS+kVHM
+-> ssh-ed25519 5Nd93w CNxhP+Y45tiXD7WvDbQgo7ejsWfBoq40SygJDhksCz8
+h3usonhy4UfpnSkuHw5pKEV1WS7IMvWqqd1Y6t8J1lo
+-> ssh-ed25519 q8eJgg yZ7BmDxy1tXK7q51r5oAFvhM9mQYHtexwOILnq/2BD8
+dKwf0oHUUiVBNQod8Zbvxn/YfMnhXNZbqo3Qv5uIdME
+-> ssh-ed25519 KVr8rw L3rQAswf0dc7Ok5AuTFlSl6fuOhcRNKI+donwmJj9B8
+BO7TsPdPqhxy8KfzPW0QU1qHWKd07fZSQ7TqS7+2ep0
+-> ssh-ed25519 fia1eQ aEskvIGIekFwG8z+jlK3VOlhhBGLYPsEnS/1w42cKg4
+phKYN4MjToHeljP1s4/gb42D4t6dlLnbyut24vBFjB8
+-> ssh-ed25519 uZzB3g lczlYBZbn3f39jfC1fp52EXXRYX3nDrQ2c7X1QlqbRU
+eBjI6305+Zigh8+3esXt+qbmJOVJIARVPA9ROeedtIk
+--- LOIDMgRcQ6CDPqWhDTSW0vzaTV6XggXW2/HDF2nB8fA
+jtFÞ©±\Ÿµþâà1¦1}Õ&QwÿwVÁNæG©z‹QS?Õ]êK£D:ÒKæ6ßó75GÙp·=ré‚ó‘<0E>›ýã«;$bN8Ô/F¹›V,ç!ŸÓJ¾¬%¡Q<C2A1>˜"²"=ozŠÔ”f‘<66>¼T€£¹ÔåØp“~Œ‚mZ„¶Ÿf÷Å¹TŽ2íå²ª½0_Ô~âôÿ¾¹ü<C2B9>š‡”
--- a/secrets/gitlab/secrets_jws.age
+++ b/secrets/gitlab/secrets_jws.age
--- a/secrets/gitlab/secrets_otp.age
+++ b/secrets/gitlab/secrets_otp.age
--- a/secrets/gitlab/secrets_secret.age
+++ b/secrets/gitlab/secrets_secret.age
--- a/secrets/grafana/pw.age
+++ b/secrets/grafana/pw.age
--- a/secrets/ldap/details.age
+++ b/secrets/ldap/details.age
--- a/secrets/ldap/pw.age
+++ b/secrets/ldap/pw.age
--- a/secrets/nextcloud/pw.age
+++ b/secrets/nextcloud/pw.age
@ -1,20 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 V1pwNA wC7Nch41YKEjrwpf/sDR+SUWKm1porqP2DyQhz/MLh0
-Mu8NGcxWphZZLgb0F7h10EJGCPiontn6y2lWNSldNGw
-> ssh-ed25519 4PzZog 6H6fsEDq6xiIkmIy6gUUGL+Mm03HSEaSGnjel3EO8EU
-xzqv1RZijhQqeiWIFq7ReVzh2JLtBoo9HmZJ1VXrMPU
-> ssh-ed25519 dA0vRg UC9Vm0pLH8N9XGxKAZ/3Efe/9SRvx/rlxCYx0u5oljg
-gF4IFYdCIXfvPPrOsJFvGMf1PzrSyureKpOP66ZHB1Q
-> ssh-ed25519 5Nd93w 338ts/scFEwjZ+3f4Vcd8C9Q//E/ZGoSxIutAxKgpAo
-C0vs3fiisD9FsZ8gYJZj/I81mT3Psw3g1jN5ztyuDQ4
-> ssh-ed25519 q8eJgg eIHEYfE/50IRNy+gnNmqQD4jtVgJRla4ilAQp2gYfjE
-bFNJA6KPlBiZWrB5vjyTilXC+rkW+xqVSWcvHln9H/8
-> ssh-ed25519 KVr8rw Kq/0pxm2r136ezrKRugC1So2cIIx2VTShPv6WTc6m1E
-W7VrsPf9jkkxqndVjrFuGBwqJR3v4hwig7Fed9xJSAI
-> ssh-ed25519 fia1eQ 1sA1YfEKVatTzHV5Wd/tzqwRiIPUBQlfoKZkJpxRYig
-lLtPzvg8H0y+FpfGfF/Q5g1nCap1TgW2wipIKU+Q+WA
-> ssh-ed25519 YFaxCg zUYYpsC6BXvPRcIignITwUmvBhfhy9EnxFeCFg1niQk
-QcmAhpDajw2lJyttDX9kn+0bdugmYYifSl1esaa3xpU
--- 0sQ4g4YxMBe/VBe39F9ZfwVh9XEOHYHqgiX5oakBzPU
-¦cò±hðWÚp@å
‘
"L·<4C>åÒ[)’ØtŠ¼/<2F>+”MyÍä¾ò'
-‘8K¼ƒ[©m›}·qÿÈ1«{²µ¯]·OS%á™¯>»
+-> ssh-ed25519 V1pwNA rsxHHZv+xG+iJisNaFeX5WbKBhvjd4jntP7+peGvPUc
+r5WN+Sea6cecItEpql6KWiYiQL6NjIoC9LjGgH0fuZY
+-> ssh-ed25519 4PzZog /DJ29u2BYSSpk3GvrKStCQZJSGkCfIJ9Li4zQwuC3S8
+S243BTRk7bfOCmQRzy5+3StzgipYEUn5GazN+lmVRZw
+-> ssh-ed25519 5Nd93w CAau55luv9BjQeDY4zppvkn1KjqgE7IjAMVSac+Mmmc
+9W6PtfpUx1A0q5l4Ey0gT519Vs0qqD4c36iNDwlN0mI
+-> ssh-ed25519 q8eJgg zMdYGgPr7smwvTAIsgPjecuzjem3Lu3vEMrS37qvyiU
+rgm1RP21BDXYnARlxlpR7ANN4dN7BW1M10fRR9+K4pI
+-> ssh-ed25519 KVr8rw VB5vgPySOPVoZPoylXo+rprkWkUkdEfk84NWdGyQ5lM
+cxbbOQ4XpTbhHCa2p5mZ583A4JJfxGn+OMuMdhaB7iQ
+-> ssh-ed25519 fia1eQ 3t2LnYQB9vgsj0d+Z88aiyNsJRLlM/iGpv8Eg/NUyho
+Qq0zuWYCI3bYzmTSdc6TsTy8RfdeYqnlHVuQiKHly4M
+-> ssh-ed25519 YFaxCg a+E0mXvB794agVPpk2uCKl3UHzytGijvXW1LBzLJLk4
+VgqnvihuBnBuJ4JGx9Evu+gaKa7tE43Sg41K9rUs9/w
+--- hH0UWx2WXfw7HeDUfLAVfpKFwHpJR/fjJhbt1U8euIo
+úúþ¾5æŠˆáÐsä&±kG}Ê”Eé»'®àá~žÑ5?žAÁk\ ÖÌï’ü<12>òl24ùÚ¶#³ê:~‡zñÖ!8ÿÿ¹*PÝ°
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,7 +1,6 @@
 let
  admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
-  silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg silver@helios";
-  silver_laptop_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmm4CCnpT+tF7vecSrku0+7aDA1z3pQ+PDqZvoCynCR silver@aether";
+  silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg NixOS Laptop";
  silver_desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop";
  thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
  eliza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJaVEGPDxG/0gbYJovPB+tiODgBDUABlgc1OokmF3WA eliza-skynet";
@ -10,7 +9,6 @@ let
  users = [
    admin
    silver_laptop
-    silver_laptop_2
    silver_desktop
    thenobrainer
    eliza
@ -23,7 +21,7 @@ let
  galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea";
  optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqYbbWy3WWtxvD96Hx+RfTx7fJPPirIEa5bOvUILi9r root@optimus";
  glados = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6go7ScvOga9vYqC5HglPfh2Nu8wQTpEKpvIZuMAZom root@glados";
-  wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPlgCGtyvd3xwYg9ZNyjTJNB/LvUSJO01SzN8PGcDLP root@wheatly";
+  wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEehcrWqZbTr4+do1ONE9Il/SayP0xXMvhozm845tonN root@wheatly";
  kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt";
  gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
  neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFAs6lBJSUBRhtZO3zGKhEIlWvqnHFGAQuQ//9FdAn6 root@neuromancer";
@ -149,6 +147,7 @@ in {
  "backup/restic_pw.age".publicKeys = users ++ restic;

  # discord bot and discord
+  "discord/ldap.age".publicKeys = users ++ ldap ++ discord;
  "discord/token.age".publicKeys = users ++ discord;

  # email stuff
--- a/secrets/stream_ulfm.age
+++ b/secrets/stream_ulfm.age
--- a/secrets/wolves/details.age
+++ b/secrets/wolves/details.age