ci: run nix flake check instead of building whole systems #2

+11

.sops.yaml

··· 1 1 + # NOTE: Additions/deletions _MUST_ be synchronized with age_from_1password.nu! 2 2 + keys: 3 3 + - &leah "age1lh4sn2s9gxj2s3naqdl4wpmz3uhpd3p8l0jfy6k5hu6cu34uyygsdwadd5" 4 4 + - &focaccia "age1wtr58sze4sxjjzq9jmsq7ztkvkjakvnfzuqzn025p92htz7zsdesjpc2c8" 5 5 + 6 6 + creation_rules: 7 7 + - path_regex: systems/focaccia/secrets/[^/]+\.(yaml|json|env|ini)$ 8 8 + key_groups: 9 9 + - age: 10 10 + - *leah 11 11 + - *focaccia

+43

age_from_1password.nu

··· 1 1 + #!/usr/bin/env nix-shell 2 2 + #!nix-shell -p nushell ssh-to-age -i nu 3 3 + 4 4 + #============================================================================== 5 5 + # SOPS w/ Age helper for retrieving my 1Password secret keys on the fly 6 6 + # 7 7 + # Because I am a very lazy person and don't like to watch out for the 8 8 + # implications of storing my SSH keys on mobile devices that may hypothetically 9 9 + # be seized at any second, I'm storing all my private keys with 1Password. 10 10 + # 11 11 + # Now, should you do this? For convenience, *maybe*? For maximum security? 12 12 + # Definitely not. Go use a Yubikey or something. I'm just not a fan of 13 13 + # keeping a metal dongle on my person this entire time. I'll probably just 14 14 + # write out my master passphrase in my last will or something so people 15 15 + # I trust can actually regain access to all my stuff in case something goes 16 16 + # awry. Just in case. 17 17 + #============================================================================== 18 18 + 19 19 + # 1Password UUIDs of my private keys. 20 20 + # 21 21 + # I feel *somewhat* safe to make this globally visible since you do 22 22 + # need to sign in with my 1Password account to actually access them, 23 23 + # and if you ever get to that point, my security has already been defeated. 24 24 + # 25 25 + # All of these should be Ed25519. 26 26 + # 27 27 + # NOTE: Additions/deletions _MUST_ be synchronized with .sops.yaml! 28 28 + let items = [ 29 29 + # Main SSH key 30 30 + "bkk3jg6qjnwyymb6gjiopczlba" 31 31 + ] 32 32 + 33 33 + # Make sure to sign in first. 34 34 + # Does nothing if already signed in 35 35 + ^op signin 36 36 + 37 37 + $items 38 38 + | par-each { |item| 39 39 + ^op read $"op://Development/($item)/private key?ssh-format=openssh" 40 40 + | ^ssh-to-age -private-key 41 41 + } 42 42 + | str join "\n" 43 43 +

-26

configuration.nix

··· 1 1 - { config, ... }: { 2 2 - imports = [ 3 3 - ./hardware-configuration.nix 4 4 - ./networking.nix # generated at runtime by nixos-infect 5 5 - 6 6 - ]; 7 7 - 8 8 - networking.hostName = "focaccia"; 9 9 - 10 10 - #boot.kernelParams = [ "ip=1.2.3.4::1.2.3.1:255.255.255.192:myhostname:enp35s0:off" ]; 11 11 - #networking = { 12 12 - # useDHCP = false; 13 13 - # interfaces."enp35s0" = { 14 14 - # ipv4.addresses = [{ address = "1.2.3.4"; prefixLength = 26; }]; 15 15 - # ipv6.addresses = [{ address = "2a01:xx:xx::1"; prefixLength = 64; }]; 16 16 - # }; 17 17 - # defaultGateway = "1.2.3.1"; 18 18 - # defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; 19 19 - #}; 20 20 - 21 21 - networking.firewall.allowedTCPPorts = [8000] ++ config.services.openssh.ports; 22 22 - 23 23 - #services.openssh = { 24 24 - # enable = true; 25 25 - #}; 26 26 - }

+144 -1

flake.lock

··· 125 125 "type": "github" 126 126 } 127 127 }, 128 128 + "flake-utils_2": { 129 129 + "inputs": { 130 130 + "systems": "systems_5" 131 131 + }, 132 132 + "locked": { 133 133 + "lastModified": 1731533236, 134 134 + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", 135 135 + "owner": "numtide", 136 136 + "repo": "flake-utils", 137 137 + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", 138 138 + "type": "github" 139 139 + }, 140 140 + "original": { 141 141 + "owner": "numtide", 142 142 + "repo": "flake-utils", 143 143 + "type": "github" 144 144 + } 145 145 + }, 128 146 "ghostty": { 129 147 "inputs": { 130 148 "flake-compat": "flake-compat_2", ··· 148 166 "owner": "pluiedev", 149 167 "ref": "edge", 150 168 "repo": "ghostty", 169 169 + "type": "github" 170 170 + } 171 171 + }, 172 172 + "gomod2nix": { 173 173 + "inputs": { 174 174 + "flake-utils": "flake-utils_2", 175 175 + "nixpkgs": [ 176 176 + "tangled", 177 177 + "nixpkgs" 178 178 + ] 179 179 + }, 180 180 + "locked": { 181 181 + "lastModified": 1763982521, 182 182 + "narHash": "sha256-ur4QIAHwgFc0vXiaxn5No/FuZicxBr2p0gmT54xZkUQ=", 183 183 + "owner": "nix-community", 184 184 + "repo": "gomod2nix", 185 185 + "rev": "02e63a239d6eabd595db56852535992c898eba72", 186 186 + "type": "github" 187 187 + }, 188 188 + "original": { 189 189 + "owner": "nix-community", 190 190 + "repo": "gomod2nix", 151 191 "type": "github" 152 192 } 153 193 }, ··· 408 448 "nix-index-database": "nix-index-database", 409 449 "nixos-generators": "nixos-generators", 410 450 "nixos-hardware": "nixos-hardware", 411 411 - "nixpkgs": "nixpkgs_2" 451 451 + "nixpkgs": "nixpkgs_2", 452 452 + "sops-nix": "sops-nix", 453 453 + "tangled": "tangled", 454 454 + "tranquil-pds": "tranquil-pds" 412 455 } 413 456 }, 414 457 "rust-overlay": { ··· 503 546 "type": "github" 504 547 } 505 548 }, 549 549 + "sops-nix": { 550 550 + "inputs": { 551 551 + "nixpkgs": [ 552 552 + "nixpkgs" 553 553 + ] 554 554 + }, 555 555 + "locked": { 556 556 + "lastModified": 1768481291, 557 557 + "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=", 558 558 + "owner": "Mic92", 559 559 + "repo": "sops-nix", 560 560 + "rev": "e085e303dfcce21adcb5fec535d65aacb066f101", 561 561 + "type": "github" 562 562 + }, 563 563 + "original": { 564 564 + "owner": "Mic92", 565 565 + "repo": "sops-nix", 566 566 + "type": "github" 567 567 + } 568 568 + }, 569 569 + "sqlite-lib-src": { 570 570 + "flake": false, 571 571 + "locked": { 572 572 + "lastModified": 1706631843, 573 573 + "narHash": "sha256-bJoMjirsBjm2Qk9KPiy3yV3+8b/POlYe76/FQbciHro=", 574 574 + "type": "tarball", 575 575 + "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip" 576 576 + }, 577 577 + "original": { 578 578 + "type": "tarball", 579 579 + "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip" 580 580 + } 581 581 + }, 506 582 "systems": { 507 583 "locked": { 508 584 "lastModified": 1681028828, ··· 561 637 "owner": "nix-systems", 562 638 "repo": "default", 563 639 "type": "github" 640 640 + } 641 641 + }, 642 642 + "systems_5": { 643 643 + "locked": { 644 644 + "lastModified": 1681028828, 645 645 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 646 646 + "owner": "nix-systems", 647 647 + "repo": "default", 648 648 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 649 649 + "type": "github" 650 650 + }, 651 651 + "original": { 652 652 + "owner": "nix-systems", 653 653 + "repo": "default", 654 654 + "type": "github" 655 655 + } 656 656 + }, 657 657 + "tangled": { 658 658 + "inputs": { 659 659 + "actor-typeahead-src": [], 660 660 + "flake-compat": [], 661 661 + "gomod2nix": "gomod2nix", 662 662 + "htmx-src": [], 663 663 + "htmx-ws-src": [], 664 664 + "ibm-plex-mono-src": [], 665 665 + "indigo": [], 666 666 + "inter-fonts-src": [], 667 667 + "lucide-src": [], 668 668 + "nixpkgs": [ 669 669 + "nixpkgs" 670 670 + ], 671 671 + "sqlite-lib-src": "sqlite-lib-src" 672 672 + }, 673 673 + "locked": { 674 674 + "lastModified": 1768561232, 675 675 + "narHash": "sha256-LcsRiuLkT4vof4prMOxR8TCEkAL5XU8yAkJeRoBKX8A=", 676 676 + "ref": "refs/heads/master", 677 677 + "rev": "2403bf5e0aba49b48e8384467b31ed84268196ae", 678 678 + "shallow": true, 679 679 + "type": "git", 680 680 + "url": "https://tangled.org/tangled.org/core" 681 681 + }, 682 682 + "original": { 683 683 + "shallow": true, 684 684 + "type": "git", 685 685 + "url": "https://tangled.org/tangled.org/core" 686 686 + } 687 687 + }, 688 688 + "tranquil-pds": { 689 689 + "inputs": { 690 690 + "nixpkgs": [ 691 691 + "nixpkgs" 692 692 + ] 693 693 + }, 694 694 + "locked": { 695 695 + "lastModified": 1768063083, 696 696 + "narHash": "sha256-n4wojr8uD3FgNRUfvUZzLw8w3K5UA7zq/T13c7h7ANs=", 697 697 + "ref": "refs/heads/main", 698 698 + "rev": "32fee7a7fff8493b78ca078a840b5819718f297d", 699 699 + "revCount": 133, 700 700 + "type": "git", 701 701 + "url": "https://tangled.org/lewis.moe/bspds-sandbox" 702 702 + }, 703 703 + "original": { 704 704 + "rev": "32fee7a7fff8493b78ca078a840b5819718f297d", 705 705 + "type": "git", 706 706 + "url": "https://tangled.org/lewis.moe/bspds-sandbox" 564 707 } 565 708 }, 566 709 "treefmt-nix": {

+27

flake.nix

··· 51 51 url = "github:nix-community/nixos-generators"; 52 52 inputs.nixpkgs.follows = "nixpkgs"; 53 53 }; 54 54 + 55 55 + sops-nix = { 56 56 + url = "github:Mic92/sops-nix"; 57 57 + inputs.nixpkgs.follows = "nixpkgs"; 58 58 + }; 59 59 + 60 60 + tangled = { 61 61 + url = "git+https://tangled.org/tangled.org/core?shallow=1"; 62 62 + inputs = { 63 63 + nixpkgs.follows = "nixpkgs"; 64 64 + 65 65 + # We don't need any of these 66 66 + flake-compat.follows = ""; 67 67 + indigo.follows = ""; 68 68 + htmx-src.follows = ""; 69 69 + htmx-ws-src.follows = ""; 70 70 + lucide-src.follows = ""; 71 71 + inter-fonts-src.follows = ""; 72 72 + actor-typeahead-src.follows = ""; 73 73 + ibm-plex-mono-src.follows = ""; 74 74 + }; 75 75 + }; 76 76 + 77 77 + tranquil-pds = { 78 78 + url = "git+https://tangled.org/lewis.moe/bspds-sandbox?rev=32fee7a7fff8493b78ca078a840b5819718f297d"; 79 79 + inputs.nixpkgs.follows = "nixpkgs"; 80 80 + }; 54 81 }; 55 82 56 83 outputs =

+39 -2

systems/focaccia/configuration.nix

··· 1 1 + { 2 2 + inputs, 3 3 + ... 4 4 + }: 1 5 { 2 6 imports = [ 3 7 ../common.nix 4 8 ./hardware-configuration.nix 5 9 ./networking.nix 6 10 ../../modules/nixos/hysteria.nix 11 11 + inputs.tangled.nixosModules.knot 12 12 + inputs.sops-nix.nixosModules.sops 13 13 + ./pds.nix 7 14 ]; 8 15 9 16 networking = { ··· 28 35 home = "/home/leah"; 29 36 30 37 openssh.authorizedKeys.keys = [ 31 31 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbsavGX9rGRx5R+7ovLn+r7D/w3zkbqCik4bS31moSz" 38 38 + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcpWY17MNJBx56APRSvLOfUjHllXn9gY/cV51JaLoh6" 32 39 ]; 33 40 }; 34 41 ··· 44 51 }; 45 52 46 53 users.users.root.openssh.authorizedKeys.keys = [ 47 47 - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbsavGX9rGRx5R+7ovLn+r7D/w3zkbqCik4bS31moSz'' 54 54 + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbsavGX9rGRx5R+7ovLn+r7D/w3zkbqCik4bS31moSz" 48 55 ]; 49 56 50 57 boot.kernel.sysctl = { ··· 73 80 }; 74 81 }; 75 82 }; 83 83 + 84 84 + # Reverse proxy 85 85 + services.caddy = { 86 86 + enable = true; 87 87 + email = "srv@acc.pluie.me"; 88 88 + virtualHosts."pds.pluie.me" = { 89 89 + extraConfig = '' 90 90 + reverse_proxy :11037 91 91 + ''; 92 92 + }; 93 93 + virtualHosts."knot.pluie.me" = { 94 94 + extraConfig = '' 95 95 + reverse_proxy :8964 96 96 + ''; 97 97 + }; 98 98 + }; 99 99 + 100 100 + services.tangled.knot = { 101 101 + enable = true; 102 102 + openFirewall = false; 103 103 + 104 104 + stateDir = "/var/lib/tangled-knot"; 105 105 + server = { 106 106 + listenAddr = "0.0.0.0:8964"; 107 107 + internalListenAddr = "127.0.0.1:4698"; 108 108 + owner = "did:plc:e4f33w5yt2m54tq6vsagpwiu"; 109 109 + hostname = "knot.pluie.me"; 110 110 + }; 111 111 + }; 112 112 + 76 113 }

+99

systems/focaccia/pds.nix

··· 1 1 + { 2 2 + # inputs, 3 3 + config, 4 4 + # lib, 5 5 + # pkgs, 6 6 + ... 7 7 + }: 8 8 + { 9 9 + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 10 10 + sops.secrets.bluesky-pds = { 11 11 + sopsFile = ./secrets/bluesky-pds.env; 12 12 + format = "dotenv"; 13 13 + }; 14 14 + 15 15 + # TODO: replace with tranquil PDS once i had more time 16 16 + services.bluesky-pds = { 17 17 + enable = true; 18 18 + environmentFiles = [ config.sops.secrets.bluesky-pds.path ]; 19 19 + settings = { 20 20 + PDS_HOSTNAME = "pds.pluie.me"; 21 21 + PDS_PORT = 11037; 22 22 + }; 23 23 + }; 24 24 + 25 25 + # services.postgresql = { 26 26 + # enable = true; 27 27 + # authentication = '' 28 28 + # host all postgres samehost trust 29 29 + # ''; 30 30 + # ensureDatabases = [ "pds" ]; 31 31 + # }; 32 32 + 33 33 + # users.users.pds = { 34 34 + # group = "pds"; 35 35 + # isSystemUser = true; 36 36 + # }; 37 37 + 38 38 + # users.groups.pds = { }; 39 39 + 40 40 + # systemd.services.tranquil-pds = { 41 41 + # description = "Tranquil PDS"; 42 42 + 43 43 + # after = [ "network-online.target" ]; 44 44 + # wants = [ "network-online.target" ]; 45 45 + # wantedBy = [ "multi-user.target" ]; 46 46 + 47 47 + # serviceConfig = { 48 48 + # ExecStart = 49 49 + # lib.getExe' inputs.tranquil-pds.packages.${pkgs.stdenv.hostPlatform.system}.default 50 50 + # "tranquil-pds"; 51 51 + 52 52 + # Environment = lib.mapAttrsToList (k: v: "${k}=${toString v}") { 53 53 + # PDS_HOSTNAME = "pds.pluie.me"; 54 54 + # SERVER_HOST = "127.0.0.1"; 55 55 + # SERVER_PORT = 11037; 56 56 + # DATABASE_URL = "postgres://postgres:postgres@localhost:5432/pds"; 57 57 + # }; 58 58 + 59 59 + # EnvironmentFile = [ config.sops.secrets.tranquil-pds.path ]; 60 60 + # User = "pds"; 61 61 + # Group = "pds"; 62 62 + # StateDirectory = "pds"; 63 63 + # StateDirectoryMode = "0755"; 64 64 + # Restart = "always"; 65 65 + 66 66 + # # Hardening 67 67 + # RemoveIPC = true; 68 68 + # # CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; 69 69 + # NoNewPrivileges = true; 70 70 + # PrivateDevices = true; 71 71 + # ProtectClock = true; 72 72 + # ProtectKernelLogs = true; 73 73 + # ProtectControlGroups = true; 74 74 + # ProtectKernelModules = true; 75 75 + # PrivateMounts = true; 76 76 + # SystemCallArchitectures = [ "native" ]; 77 77 + # MemoryDenyWriteExecute = false; # required by V8 JIT 78 78 + # RestrictNamespaces = true; 79 79 + # RestrictSUIDSGID = true; 80 80 + # ProtectHostname = true; 81 81 + # LockPersonality = true; 82 82 + # ProtectKernelTunables = true; 83 83 + # RestrictAddressFamilies = [ 84 84 + # "AF_UNIX" 85 85 + # "AF_INET" 86 86 + # "AF_INET6" 87 87 + # ]; 88 88 + # RestrictRealtime = true; 89 89 + # DeviceAllow = [ "" ]; 90 90 + # ProtectSystem = "strict"; 91 91 + # ProtectProc = "invisible"; 92 92 + # ProcSubset = "pid"; 93 93 + # ProtectHome = true; 94 94 + # PrivateUsers = true; 95 95 + # PrivateTmp = true; 96 96 + # UMask = "0077"; 97 97 + # }; 98 98 + # }; 99 99 + }

+11

systems/focaccia/secrets/bluesky-pds.env

··· 1 1 + PDS_JWT_SECRET=ENC[AES256_GCM,data:j+fIFm9mTzZmGYmqFl5WG8SEP9G2t9VGivd7Xr/CsBY=,iv:Nc3F7PMbDp1AaQ3Y21SVwSI2MKaDE6hy99BGgZVLjGA=,tag:7198yKpl3iWLwQOlb/BNkQ==,type:str] 2 2 + PDS_ADMIN_PASSWORD=ENC[AES256_GCM,data:zxaNpbCXkyYOT6rnxdXK7NBJ//tAR4ZBes7L607MaW8=,iv:j8J59JH879HVls01qXenprrSica4jLR4xW5r1dEy654=,tag:4PwaijN6/aTiFingb8ykFw==,type:str] 3 3 + PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=ENC[AES256_GCM,data:iD/cSlJGPkpYaUlkzcl5rdAmF36YyIo8gvFVngTb2UANZFUg/pq9qhWoh4U0EbHnjbrQVQw7Mv6ltoFq61oVBw==,iv:k/LSB1/G+QbgBDuM4M3InzvZfI4U8YGxrZm0SBnGHkk=,tag:mQOtL2ZiOI4vKke9pv/sRw==,type:str] 4 4 + sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeFVIRm1lckRhKzkzZ0Rs\nUmNpMDh3ditkL3o3cTAzUi9RcW1TaEdoTlVnCmpZamMyb1Irc0dYRWdVem84YWRk\nN0R5cnh6WXhvd3dOdmgxb1A5NDZ4alkKLS0tIHd5bGFPUEtCUDdUNUsrMVl0allS\nL2FOOWRYeEkrTWc5MklLY3BRVGwzYzAKDbCFUNiw7qlmI21NiCYHqf3q2BjKUOuV\nKXO8ccEkPmmOwP/b2mqlsWsQNo8iGRqpoAgz1GJ5TQop/u9QP3rRkA==\n-----END AGE ENCRYPTED FILE-----\n 5 5 + sops_age__list_0__map_recipient=age1lh4sn2s9gxj2s3naqdl4wpmz3uhpd3p8l0jfy6k5hu6cu34uyygsdwadd5 6 6 + sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArcklib1I1eWZvT3UyeFR1\nN05DeHorUHdhRnhMdlFSUEw2TTF3UGVEZFFNCmcyZWI5Z2RVYlJnSkxHNnhDdENP\nVDVqTGlMNGowN2pMUjNjVTN1RENFU1EKLS0tIGw2U0EzckRnYjRTS0JoaVpvN05x\nWnc2UURmZExtemJYL2RjTm0rZkRBZWsKut1/Aeay31L4D1pUm/k7rWOWGFlJL+zz\nt/qqRbDQhvBaUBSal1xM7hELJbcZwAwH2x4xHcy1rMFyWVurMc/Rnw==\n-----END AGE ENCRYPTED FILE-----\n 7 7 + sops_age__list_1__map_recipient=age1wtr58sze4sxjjzq9jmsq7ztkvkjakvnfzuqzn025p92htz7zsdesjpc2c8 8 8 + sops_lastmodified=2026-01-16T21:28:17Z 9 9 + sops_mac=ENC[AES256_GCM,data:GBGmWfc8Vf6cDNX3C1+CWs5VOquwyOqDgfG5l2ciGYXwcNcwyjmWmHyhb7e3MkaxZespb7vn2FjOxFmDBZAJX7PoFe5XTDDvTpDPc02KN5cbilcdkbj7tppIYTaoa+QTX3/Vy43mTsFnD0DrZgi4niJc3IKJwRTDpmeigw+otp0=,iv:7LgaTaLBLM/I8sfHjWm6ve6ZB+oA1Xnxe/m22hV+uLQ=,tag:hb13g+eXLjYpx440S4Jv/A==,type:str] 10 10 + sops_unencrypted_suffix=_unencrypted 11 11 + sops_version=3.11.0

+19

systems/focaccia/secrets/tranquil-pds.env

··· 1 1 + JWT_SECRET=ENC[AES256_GCM,data:541+zhzilGnokp4FPa2sgAQf69pYTsvrCJzO7YA7IrI=,iv:2efoLLQ3Y4voEHRcIv42MWb9X6yVccpo4AVqOKiQ1eg=,tag:n88PqhcoMvc3TBNYsT2vOg==,type:str] 2 2 + DPOP_SECRET=ENC[AES256_GCM,data:9PXTgjJIDdYl5WKuVl/iC7vbOUUiXMzB3qfcB/baeHI=,iv:19ZkOeGA9dknU6OlmD58K8iaUjDY1MlAGOKuyop6RQ8=,tag:WEClGenSAUk6UMmJsrbFsg==,type:str] 3 3 + MASTER_KEY=ENC[AES256_GCM,data:4mG75YaQOsE2jIN2jjeM2e6EYZNymNNyrSxiTp+BGUabcpIJY8gqR8SJfAJhMAsVE5vuwRMafiEX3o1iX+T/Ug==,iv:7TnjnPBrI2dtDvVioM8fRqgBIWYc9SnVnGXkNc4mYjI=,tag:GFzVZ9vs87sFvCq4t5bU8Q==,type:str] 4 4 + S3_ENDPOINT=ENC[AES256_GCM,data:kYgUqN41tt5cyYXPGMYqbDcsdybULR6TO6TqactUsM27z2I=,iv:os++rHvHDan/nWg5WB7liZUKyWRs9PqQ/0WOgCG2qYU=,tag:S/bDXvG/Kd/5tnnThGJVBw==,type:str] 5 5 + S3_BUCKET=ENC[AES256_GCM,data:XPwx,iv:m9AaTv7Y67zXHBuKvFVPZO6XjfAie7qLQi3ZMVq/JN0=,tag:4MV5sMLoL4Jips6oIF6LSw==,type:str] 6 6 + AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:wb4VbEwWZOWNn/nO0sMwu6jUD9c=,iv:HDn6qMEjQ3qjRsVMBnIqXfZ6R+u6tvQAtPs02QSAXGg=,tag:7rrmmYBXDOE/GiY+SRSOyw==,type:str] 7 7 + AWS_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:za1WkqB3ONCZRlJvcD/Javro0oGSpBa/7E9g4GtcFrL5Ef9wIDdf5w==,iv:+pOS+5VBUevUT87D1gIkwMHTiafFoTDA0Esip2D135s=,tag:pJ56v/BikKpRw+D0iNT9Uw==,type:str] 8 8 + #ENC[AES256_GCM,data:ijngQOCRL/Z1TNU3+d1GhepidIbO08sY2ZbPWV94G/9f2qEyElC89XrD4U7jMd1Y/O/e,iv:UKQxnqSoUQuJ5frQj9TS/+w4AVdLAs/Za7/e2gCOjTU=,tag:BkwmSxONocjl7jcZD4siEQ==,type:comment] 9 9 + INVITE_CODE_REQUIRED=ENC[AES256_GCM,data:WmTt3A==,iv:MxsP7j6JW+be92byD4TKujnIDVZ1cfb3f2WJj55+oyw=,tag:ZTXKQ5P37BkkdRWSV5FIDg==,type:str] 10 10 + #ENC[AES256_GCM,data:PIWNrLzuxx18+HP7h6hyf/g6DfXEfp7iH8IXmA==,iv:bfevAkO62VxGkdgiP2d7ATX7/Eqz7e7jCCQ/7C1H9dA=,tag:DjrrPzkVmiaMWrwDXc+TXA==,type:comment] 11 11 + PDS_AGE_ASSURANCE_OVERRIDE=ENC[AES256_GCM,data:Pg==,iv:oErlmO6hnM8qxaKckKEIOfu2Qd+D5xqqRUk9/LSbk94=,tag:Z9YGhBQTEVwKV6ftqVuN8A==,type:str] 12 12 + sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeFVIRm1lckRhKzkzZ0Rs\nUmNpMDh3ditkL3o3cTAzUi9RcW1TaEdoTlVnCmpZamMyb1Irc0dYRWdVem84YWRk\nN0R5cnh6WXhvd3dOdmgxb1A5NDZ4alkKLS0tIHd5bGFPUEtCUDdUNUsrMVl0allS\nL2FOOWRYeEkrTWc5MklLY3BRVGwzYzAKDbCFUNiw7qlmI21NiCYHqf3q2BjKUOuV\nKXO8ccEkPmmOwP/b2mqlsWsQNo8iGRqpoAgz1GJ5TQop/u9QP3rRkA==\n-----END AGE ENCRYPTED FILE-----\n 13 13 + sops_age__list_0__map_recipient=age1lh4sn2s9gxj2s3naqdl4wpmz3uhpd3p8l0jfy6k5hu6cu34uyygsdwadd5 14 14 + sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArcklib1I1eWZvT3UyeFR1\nN05DeHorUHdhRnhMdlFSUEw2TTF3UGVEZFFNCmcyZWI5Z2RVYlJnSkxHNnhDdENP\nVDVqTGlMNGowN2pMUjNjVTN1RENFU1EKLS0tIGw2U0EzckRnYjRTS0JoaVpvN05x\nWnc2UURmZExtemJYL2RjTm0rZkRBZWsKut1/Aeay31L4D1pUm/k7rWOWGFlJL+zz\nt/qqRbDQhvBaUBSal1xM7hELJbcZwAwH2x4xHcy1rMFyWVurMc/Rnw==\n-----END AGE ENCRYPTED FILE-----\n 15 15 + sops_age__list_1__map_recipient=age1wtr58sze4sxjjzq9jmsq7ztkvkjakvnfzuqzn025p92htz7zsdesjpc2c8 16 16 + sops_lastmodified=2026-01-16T21:28:02Z 17 17 + sops_mac=ENC[AES256_GCM,data:jL4Mn2igySD+fQ3ugrlcc2NUY/EN9vdukkWMM7pkpKb/hPY9CMpOoAMu62ZYwcOkJq2lGhW+80ZUxshNPPvpUn+LRgQXz64XpDjn6sXrRXJgPb+CnbM6egRQsAeFI/M1L4d3/3nSKslVQCqYrt4MBF5X/FDGeFV4MReuYtytDK8=,iv:iqSynPjysmQQGfSF8IfGvqPR0YNI6qKfOv8qwyHJoz4=,tag:fJyRHaQ5vOZWXRc59fx6Yw==,type:str] 18 18 + sops_unencrypted_suffix=_unencrypted 19 19 + sops_version=3.11.0

+4 -1

systems/laptop.nix

··· 122 122 123 123 # Redirect all traffic through proxy 124 124 networking.proxy.allProxy = "http://127.0.0.1:2080"; 125 125 - nix.settings.impure-env = [ "all_proxy=http://127.0.0.1:2080" ]; 125 125 + nix.settings.impure-env = [ 126 126 + "all_proxy=http://127.0.0.1:2080" 127 127 + "GOPROXY=https://goproxy.cn" 128 128 + ]; 126 129 127 130 # Make the auto upgrade mechanism upgrade to the correct specialization 128 131 # so that proxies don't just randomly break the next day