Initial commit

.envrc

@@ -0,0 +1 @@
+use_flake

.gitignore

@@ -0,0 +1,2 @@
+.direnv/
+result

.sops.yaml

@@ -0,0 +1,20 @@
+keys:
+  # People
+  # TODO: Add @ruru (I was not able to find a current gpg key @e1mo)
+  - &e1mo 0x6D617FD0A85BAADA
+  - &leona 0xD5B08ADFC75E3605
+  - &n0emis 0xE0262A773B824745
+
+  # Servers
+  - &shirley age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe
+creation_rules:
+  - path_regex: secrets\/all\/*
+    key_groups:
+      - pgp: [ *e1mo, *leona, *n0emis ]
+        age:
+        - *shirley
+  - path_regex: secrets\/shirley\/*
+    key_groups:
+      - pgp: [ *e1mo, *leona, *n0emis ]
+        age:
+        - *shirley

README.md

@@ -0,0 +1,78 @@
+# chaos-jetzt nixfiles
+
+NixOS configuration for the [chaos.jetzt] project. They are very much work in progress
+
+## (Migration) TODOs
+
+- [mumble-web](https://github.com/johni0702/mumble-web), possibly adding [mumble-web-proxy](https://github.com/johni0702/mumble-web-proxy/) on top
+  - Both need to be packaged for Nix
+- [Dokuwiki](https://www.dokuwiki.org/dokuwiki)
+  - NixOS module exists: `services.dokuwiki`
+  - Data migration
+  - Migrate away from SSO
+- [freescout-helpdesk](https://github.com/freescout-helpdesk)
+  - @e1mo is already working on a nix package + NixOS module for their private nixfiles
+  - Migrate away from SSO
+  - Data migration
+- [Matrix synapse](https://github.com/matrix-org/synapse) + [element-web](https://github.com/vector-im/element-web)
+  - Data migration (synapse)
+  - Migrate away from SSO (synapse)
+- [maubot github](https://github.com/maubot/github)
+  - Not packaged for nix
+  - Ditch it?
+- [pretix](https://github.com/pretix/pretix)
+  - Not aware of nix packaging
+  - Not really used
+  - Maybe skip it (for now) and use the instance of another space?
+
+## Development setup
+
+These nixfiles are built using nix flakes. See [here][nix-install] for nix installation instructions and the [nixos.wiki page on flakes][nix-flakes]. [colmena] is used for deployment, secret management is done using the [sops] based [sops-nix].
+The later two (colmena and sops) are available via a `devShell`, defined in the flake, which can be invoked using `nix develop`. [nix-direnv] can also be used in order to automatically create the respective shell upon entering these nixfiles.
+
+## Deployment
+
+[colmena] is used for deployment:
+
+```bash
+# Build all hosts
+colmena build
+# Build specific host(s)
+colmena build --on host-a,host-b
+
+# Deploy all hosts in test mode (activate config but do not add it to the bootloader menu)
+colmena apply test
+
+# Deploy specific host (actiavte config and use it at the next boot (switch goal))
+colmena apply --on host-a
+
+# A VM of the host can be built using plain nix build
+
+nix build .\#nixosConfigurations.host-a.config.system.build.vmWithBootloader
+```
+
+**Note on VMs**: Since the secrets are decrypted for each servers ssh key, the secrets setup will fail.
+
+## Secrets
+
+Secrets are managed using [sops-nix] which is based on [sops]. All secrets are stored in the `secrets/` folder. The `.sops.yaml` configuration file contains information on who has (a) access to keys and (b) which servers can decrypt which keys.
+
+A servers private key can be derived from it's ssh key using [ssh-to-age], generated during initial installation:
+
+```bash
+# Only ed25519 keys can be converted using ssh-to-age
+ssh-keyscan -t ed25519 shirley.net.chaos.jetzt | nix shell nixpkgs#ssh-to-age -c ssh-to-age
+# Or from the host (using legacy nix-shell)
+cat /etc/ssh/ssh_host_ed25519_key.pub | nix-shell -p ssh-to-age --run ssh-to-age
+```
+
+When users or servers get added or removed, the secret files need to be updated using `sops updatekeys`. Since this can not be called on all files, `find secrets -type f -exec sops updatekeys {} \;` may be used for convenience.
+
+[chaos.jetzt]: https://chaos.jetzt/
+[nix-flakes]: https://nixos.wiki/wiki/Flakes
+[nix-install]: https://nixos.org/download.html#download-nix
+[colmena]: https://github.com/zhaofengli/colmena
+[sops]: https://github.com/mozilla/sops
+[sops-nix]: https://github.com/Mic92/sops-nix
+[nix-direnv]: https://github.com/nix-community/nix-direnv
+[ssh-to-age]: https://github.com/Mic92/ssh-to-age

common/default.nix

@@ -0,0 +1,86 @@
+{ config, lib, pkgs, nixpkgs, ... }: {
+  imports = [
+    ./users.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    htop
+    vim
+    tmux
+    rsync
+    curl
+    wget
+    bat
+    fd
+    ripgrep
+  ];
+
+  nix = {
+    package = pkgs.nixVersions.stable;
+    settings.auto-optimise-store = lib.mkDefault true;
+    settings.trusted-users = [ "root" "@wheel" ];
+    registry.nixpkgs.flake = nixpkgs;
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 7d";
+    };
+  };
+  documentation.nixos.enable = false;
+  console.keyMap = "de";
+  time.timeZone = "Europe/Berlin";
+  i18n = {
+    defaultLocale = "de_DE.UTF-8";
+    extraLocaleSettings.LC_MESSAGES = "en_US.UTF-8";
+  };
+  networking.domain = "net.chaos.jetzt";
+  networking.firewall = {
+    logRefusedConnections = false;
+    enable = true;
+    allowedTCPPorts = (lib.optionals (config.services.nginx.enable) [ 80 443 ])
+      ++ config.services.openssh.ports;
+  };
+
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "no";
+    passwordAuthentication = false;
+    kbdInteractiveAuthentication = false;
+  };
+  # That way we can't forget to disable the access logs for each individual website
+  services.nginx.appendHttpConfig = ''
+    access_log off;
+  '';
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme+${config.networking.hostName}@chaos.jetzt";
+    defaults.webroot = "/var/lib/acme/acme-challenge";
+  };
+
+  sops = {
+    defaultSopsFile = lib.mkDefault (../secrets + ("/" + config.networking.hostName) + "/secrets.yaml");
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+
+  users.motd = ''
+    ##### #####
+    ####   ####    _____ _                         ___      _       _
+    ###     ###   /  __ \ |                       |_  |    | |     | |
+    ##   #   ##   | /  \/ |__   __ _  ___  ___      | | ___| |_ ___| |_
+    #   ###   #   | |   | '_ \ / _` |/ _ \/ __|     | |/ _ \ __|_  / __|
+    #    #    #   | \__/\ | | | (_| | (_) \__ \_/\__/ /  __/ |_ / /| |_
+    #         #    \____/_| |_|\__,_|\___/|___(_)____/ \___|\__/___|\__|
+    ##       ##
+    ##  # #  ##
+    #  ## ##  #        ${config.networking.fqdn}
+    #  ## ##  #
+    # ####### #
+  '';
+}

common/users.nix

@@ -0,0 +1,44 @@
+{ config, ... }:
+{
+  sops.secrets."root_user_password" = {
+    format = "yaml";
+    sopsFile = ../secrets/all/secrets.yaml;
+    neededForUsers = true;
+  };
+
+  users.mutableUsers = false;
+  users.users = {
+    root.passwordFile = config.sops.secrets."root_user_password".path;
+    e1mo = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBfbb4m4o89EumFjE8ichX03CC/mWry0JYaz91HKVJPb e1mo"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID9x/kL2fFqQSEyFvdEgiM2UKYAZyV1oct9alS6mweVa e1mo (ssh_0x6D617FD0A85BAADA)"
+      ];
+    };
+    leona = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN9nTU+lsrfp+uLo1IvMEIi64m6ke0FmfZ6FxBgmKXp leona@leona.is"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkvy9P1Qweq1kykgn3IWIBWe/v/dTNAx+hd9i2aKe1O openpgp:0xCACA6CB6"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDR9Kp84lHQRnaWU6gd8MHppZD3pQCI2TCeGF/kHm/A/kqADWqtTWjnD5ad1ZhOTSThCF35VGH3ICdnSCHh0uAHV7eK3GDjhxdrIJHY/WiubEpQJcS5OX/qTEn6QrPDIAZy2ykdHX7XrNWDGOlxpTjkPpHJmmDIQTZn/mMADuhVhIm03aFyVbUxpHSU+v7N8yxV5RehIw0RTy+qSjWcthDgTGPjPk1a2sElNVbsgF4VhqpdUfzG0BQCqr+zPDbeH66+gumDPXC5Pw4NQB596UWPDKaQv7juzveiPTpIjhTfpoWBjCmexGPbSYecXNee61NXe6HsGrGLtw/pRLEYVYH0ecU/b0A7TGd2gznKBgvk8xXoxkqHbDPoCPqC3moPD3BwCXTGNi6DBDAquC/Ho266AgZ+z83mP7TuDJmZ/F4f/glbb2hdZ6ITDS7Dvd+jGlw6UXlKeZThHOy+B1c9at4FeyQs6JBd4P5RwekUCF45gk0RfRu1+HE3YOXbN1s1DRXJs689DaBzTbD9rhROEjZgNT/m0VxC6w2i6WRvxcEvy+wL4HyJxdSK0MMVhZJza4MOB7qLvIq8z3L9kLDrKh6R49m+LsH7NCS9gh0wAH17E2cImSoX4IiRemn39oKZTplAwvvaGNXOmH/SqeZlGpYOL9Yn9nE5mC10/5In/KIZMQ== openpgp:0xF5B75815"
+      ];
+    };
+    n0emis = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu"
+      ];
+    };
+    ruru = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMSH41EwxyxnsqDUIRxnhpl+CmvMftPRJK/CVJgft+gGurZ9X5KUeKiMPy7hCe/BAnsduhYTk452vV5JSAN0tj0c0RzDjUrM+Z+XdkRSpwKeI97QxTJADBVmxun2Y2msgnxa4eQX2J4xBqI94ogfuBKM3xKpu9IPu3ozmhSJSR1uI7MoFZpmd10Eqw5uWSld8ZjotcOibhIVisZkqIRF6OjkVDFOmeA8GqRCUa5XB24c8iUknfo1nxSednCMy+Q0tIb44+HdBhSOqSMEvDXg26PNk9sg087nOQggG8GEt1pUHmoNox528pz/UdRPl0P4bn26kIte0MGSpCjcIjYrCy6h+bXgbr6sGY47LEeyGzNDUftXA8uZzULKQLJl1IogExPZHh2JXmNKlWxlkMPGEO+BwG1uWvqDidJ8DksenWAeSDu/qhpppA56FrWHvrkok7cZCQyQfx17iZGgzI4fiYxZZDVaieLooC5S5NlpLTI2/jXyIsvcmzdX6CI0hbLhNjrlutILxvdeKuUWe7yQLeGYeYdyVj7KiA4l5f+qqVLBnzh1i/jJe6sBTTJGHUFc3TJm1p0jEkbQ9Zz/BfOc25bIzwXYbsC0dDh+b19hzrwLuzXcc2tCMIBtbmpnic+A/Gt/WuOROBApcRw5F/Ymrdrx7SwmuRL2pztkMN+Pa3jQ== linus@3-Anaklet"
+      ];
+    };
+  };
+}

flake.lock

@@ -0,0 +1,80 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "id": "flake-utils",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1669411043,
+        "narHash": "sha256-LfPd3+EY+jaIHTRIEOUtHXuanxm59YKgUacmSzaqMLc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5dc7114b7b256d217fe7752f1614be2514e61bb8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-22_05": {
+      "locked": {
+        "lastModified": 1668908668,
+        "narHash": "sha256-oimCE4rY7Btuo/VYmA8khIyTHSMV7qUWTpz9w8yc9LQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b68a6a27adb452879ab66c0eaac0c133e32823b2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-22.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-22_05": "nixpkgs-22_05"
+      },
+      "locked": {
+        "lastModified": 1668915833,
+        "narHash": "sha256-7VYPiDJZdGct8Nl3kKhg580XZfoRcViO+zUGPkfBsqM=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "f72e050c3ef148b1131a0d2df55385c045e4166b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,63 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = inputs@{ self, nixpkgs, sops-nix, flake-utils }: let
+    overlay = import ./packages;
+    pkgs = import nixpkgs {
+      system = "x86_64-linux";
+      overlays = [ overlay ];
+    };
+    defaultModules = [
+      sops-nix.nixosModules.sops
+      ./common/default.nix
+      {
+        nixpkgs.overlays = [ overlay ];
+        _module.args = {
+          inherit nixpkgs;
+          # TODO: Change when going to production
+          # Not sure if this is the best way to do this
+          baseDomain = "dev.chaos.jetzt";
+        };
+      }
+    ];
+  in {
+    nixosConfigurations = {
+      shirley = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = defaultModules ++ [
+          ./hosts/shirley/configuration.nix
+        ];
+      };
+    };
+
+    colmena = {
+      meta.nixpkgs = import nixpkgs {
+        system = "x86_64-linux";
+      };
+      defaults = { name, ... }: {
+        deployment = {
+          # TODO: It'd probably be nice to derive that from the host-configured fqdn
+          targetHost = "${name}.net.chaos.jetzt";
+          targetUser = null;
+        };
+      };
+    } // builtins.mapAttrs (name: host: {
+      nixpkgs = { inherit (host.config.nixpkgs) system; };
+      imports = host._module.args.modules;
+    }) self.nixosConfigurations;
+
+    devShells.x86_64-linux.default = pkgs.mkShell {
+      buildInputs = with pkgs; [ sops colmena ];
+    };
+
+    overlays.default = overlay;
+    legacyPackages.x86_64-linux = pkgs;
+
+  };
+}

hosts/shirley/configuration.nix

@@ -0,0 +1,36 @@
+{ lib, pkgs, config, baseDomain, ... }: {
+  imports = [
+    ./hardware-config.nix
+    ./mumble.nix
+  ];
+
+  system.stateVersion = "23.05";
+  networking.hostName = "shirley";
+  # Fallback / for the monitoring v(x)lan
+  networking.useDHCP = true;
+
+  # We need to configure IPv6 statically, and if we start with that we can just also do it for IPv4
+  networking.interfaces.ens3.useDHCP = false;
+  networking.interfaces.ens3.ipv4.addresses = [ { address = "94.130.107.245"; prefixLength = 32; } ];
+  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:83eb::1"; prefixLength = 64; } ];
+  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+  networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
+
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts.${baseDomain} = {
+      default = true;
+      enableACME = true;
+      forceSSL = true;
+      # TODO: Change this to be deployed by some sort of CI + rsync so we don't need to always update the package version
+      locations."/".root = pkgs.chaos-jetzt-website-pelican;
+    };
+  };
+}

hosts/shirley/hardware-config.nix

@@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/75529c3e-9af0-46ca-8893-bc4052f68e1a";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens10.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/shirley/mumble.nix

@@ -0,0 +1,29 @@
+{ config, baseDomain, lib, ... }: {
+
+  sops.secrets."murmur/registry_password".owner = "murmur";
+  security.acme.certs."mumble.${baseDomain}" = {
+    group = "murmur";
+    reloadServices = [ "murmur.service" ];
+  };
+
+  services.murmur = let
+    sslDir = config.security.acme.certs."mumble.${baseDomain}".directory;
+  in {
+    enable = true;
+    openFirewall = true;
+    sslCa = "${sslDir}/chain.pem";
+    sslKey = "${sslDir}/key.pem";
+    sslCert = "${sslDir}/fullchain.pem";
+    welcometext = "Welcome on the ${baseDomain}-mumble server. Enjoy your stay!";
+    bandwidth = 128000;
+    registerName = baseDomain;
+    registerUrl = "https://${baseDomain}/";
+    registerPassword = "$MURMURD_REGISTRATION_PASSWORD";
+    registerHostname = baseDomain;
+    environmentFile = config.sops.secrets."murmur/registry_password".path;
+    extraConfig = ''
+      # To "randomize" user IP Adresses in logs
+      obfuscate=true
+    '';
+  };
+}

packages/default.nix

@@ -0,0 +1,24 @@
+final: prev:
+{
+  chaos-jetzt-website-pelican = final.stdenv.mkDerivation {
+    name = "chaos-jetzt-website-pelican";
+
+    src = prev.fetchFromGitHub {
+      owner = "chaos-jetzt";
+      repo = "website_pelican";
+      rev = "89b1020678886a07446ac98db275a6db995c53ec";
+      hash = "sha256-T3MSxMshlH3nFOttajDdacWGi1g+TkhjFlr+MjQlb/4=";
+    };
+    installTargets = "build";
+    buildFlags = [
+      "publish"
+    ];
+    installPhase = "
+      cp -r public/ $out/
+    ";
+    buildInputs = with final.python3Packages; [
+      pelican
+      markdown
+    ];
+  };
+}

secrets/all/secrets.yaml

@@ -0,0 +1,55 @@
+#ENC[AES256_GCM,data:yZuJDeNL04htjQK/wCi7tDFzkeurKNWtMcX3YO4ZTIjksZBDMG7/mvAEuVeL5ffWa+faIs/uM1cATaRm4JVDCai5fWR7S2//TRUHAhkDbSYIZHDjFUFGqpWd8T7WVT53TPtX,iv:n1zrjd/QCFNXfYbnaeZviUfeDq+x0Z8skkkcS/dP86o=,tag:2sn+f3m2PH3BIKt4qrqVSw==,type:comment]
+root_user_password: ENC[AES256_GCM,data:hzwnpYfDNN46Hahf8Vlr01AotR6zuUDqFz/z/XxWx+i3G1p4j03stuKmB//wQSF45T8b+Iuh7PMOrCgwwtRyJVVYnm4q2m2xin+pHQ+/ecr5NgNx6XzsU03DtLLORTCzV4XE4DcMZHQA1g==,iv:bN3hgWYiGGkSIyixZdEt8q41GINlIeO/c/Z0CcAzFik=,tag:Y7xf5NQcvfJaoWYbx88eeA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dEdFZXVINmI2YTZHWnVM
+            NVREK3lSbFB2b01KYVBMTEpJcEpDOEFzVXpBCmNPdk5Fd2tFcVdSZmFHbk9NVHFv
+            L3NmNktjZWpNbVdqSmh6bGdBWWZRSHcKLS0tICtSTGRQSzFFWHFaRWxReS9QU3BI
+            REtURzRrZ1phZFhicCs1OFhsYkpHdDAK6+PpCcZkk2RN0AtdzEdamADncYHsZ1Cg
+            qynxxBpAyc7xaJX7RQAxuZSEH05sKJ/no5ap+tFyofxc6qJayg31vA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-11-27T21:53:46Z"
+    mac: ENC[AES256_GCM,data:8rzaM8lDGLwwMbgcqaB3zj73l3mV0OFeshrHGRVw+akk9ipz0WKnhKHPGbGcaktWd61cg52/F2Fz573PWHthqoI/v0NJc7bpOKG3HreKyJyJ5AbZ+eFYrSLSNKaOXvKmwWHRMnFASOd97QaSYxQaHCDhQObf0XBXEnRktX9NtXs=,iv:j5E/YS1yI/Tgqq9Dio/b7EKrPwcJFBnVDtry91suym0=,tag:Hev9lYgsMxKFxcfozX+VdA==,type:str]
+    pgp:
+        - created_at: "2022-11-27T01:42:46Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DOnsoj685gdcSAQdAfObqsRYcqS3ajTXsyhchzoclYXtc8RY+s3eig5nL4Vsw
+            FjgYcICzqSwxskBWxPTC+wE5sZFWtpQgQC7iBW9kMrM3tyOLHiAWiYUj6Slowb4T
+            0l4BUqFYYiGO0U6odYapCo9X4jeTwovV1NEne7UQHoUMLy73d4wcAwxDqFOFbW7T
+            pfkKSunmpkeYaJVwpqFh/jkPNIZzXF/21vPXMWTjQDJfUjl2kf5CWjpf1WaA7YTJ
+            =jWsU
+            -----END PGP MESSAGE-----
+          fp: "0x6D617FD0A85BAADA"
+        - created_at: "2022-11-27T01:42:46Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D/2siLyjns28SAQdANLVNXn+mLHefaf8++uArNCSxYdreGR/wbNTOUROjHUIw
+            QlO5BemuANtiOVje50wh7Z1blYmVimu3B8GhLWgfoEb2XkOH08UK/ngUrU6nQtyl
+            0l4BsBum3yQvasUmzFKdqx6932h6NPNHxhF92kTspnCiNgWZTuaR+xq5Q62I9CUp
+            ntZAjIkVmD/Zlblg5sLz1c4dtRMkt385pyDJirneMWYcw2EetH+frhdNRwYMwE4W
+            =Kk5a
+            -----END PGP MESSAGE-----
+          fp: "0xD5B08ADFC75E3605"
+        - created_at: "2022-11-27T01:42:46Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D6iFd6webPCUSAQdAD4eqSFTnqARe7eET9LSFhLM7W0gjPrKxGR/2+egbfAkw
+            rqXJkIRpRnp0Qa65i46X992a0cv+zzXhYlS25Ve3c0onM2JOZ17JD1SfOdU1H2l8
+            0l4BysZauzbFSu9B7m1ooVxRZZAhVWq5ISbej9sCpiZ6pZURNAQOvyrizgZAXPMW
+            gscWMUt+jNXPFU9zhsYB8sMw2sqzv8O3nYgWQ/F1IQyqWCBRiUMUquKDuz0qZkWd
+            =Gc4R
+            -----END PGP MESSAGE-----
+          fp: "0xE0262A773B824745"
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

secrets/shirley/secrets.yaml

@@ -0,0 +1,55 @@
+murmur:
+    registry_password: ENC[AES256_GCM,data:jgMmirQNhwTQZMyfbbbJku9JDqxtuKepIIpbiloX0qnUnytu1vvjFkGZH5dag/e/EDHszqkALNlUZz7wdlxZn3QDDlv0rQITJtsp,iv:aLIPiHDGC4vNXfNgqR852/jbChv2uu5q0Yy9I4ej5ts=,tag:cy4rs+YCglNKEaq+3arfow==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEWTgxaWtDa0wxZjUvbjZl
+            dXdTWGVFSEExMjZUbXR3SDlWL1lVbXBvNFVrCkE4cmdzODRjK3ZPUGhPd3NvK0Vi
+            YU1KWDcwQzRLLzhGMHpsbHNpTXJHOFkKLS0tIHpBOWh1SkNrSGxYdU5kcnMzN0xN
+            SmhVYUl6a0RFNUtnTGo4S3hGSmJVM1kK9I/qqZXJZAncX5ypv3J/VbC81ugFyCPQ
+            0a1GOwxQU8NG2VYhyLIUuxEiM/Xi4F1dIt/2A9x6r9xf3anT/pQLlA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-11-26T23:55:22Z"
+    mac: ENC[AES256_GCM,data:ec3JBflxNEo9aHsben5oXb4FlCZzNGh6u6Xc+oa1TFL6rpL2qmOErT8RMkvzij49cz2hLEHMWbiD12fPO2sU/ZHjck7G+dvyRphavEsflzRmLWMj8k7SZR6e/UZIhwcBx15uQndbKhTTSH5EMtiH3Kq+HDNPgAtG6fFQLjNJWk8=,iv:3Od/41rv8YOXdq6uNUcRUtEdFuO4HL9xAtcGRrw6OQ4=,tag:JpVVVveJZfLQteBOOFndCg==,type:str]
+    pgp:
+        - created_at: "2022-11-27T01:42:41Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DOnsoj685gdcSAQdAfd5WjaVver30W/+mLzXe3TrzafrtnEvSkFF4i9WUk2sw
+            CrodsBhVaQ7eeVgYC4E+WYkcCUtZutu8sFWHXHeLv4MKQk1QESjvWbahOjfDOxm6
+            0l4B+bgPdVsNyQDMeHbLoyN5XpNUUOZviLAzpGDsawTNSXBeb6UPxnMI6JTpWfFU
+            J1XdA7X7T82zC0dzR1jyXVaJQjSTM8/luCD4HGN6wFXKK3FQzNBg8eI/P+JNSS3i
+            =JH3B
+            -----END PGP MESSAGE-----
+          fp: "0x6D617FD0A85BAADA"
+        - created_at: "2022-11-27T01:42:41Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D/2siLyjns28SAQdA70ZeRS3+4ObvIupaiH6T1aB/YnteeRKdVuKlfwp/kBIw
+            ff0pcDD2Mk+q0Wi7ydbMSGle9KmDfEAYQezg3HHj7H5HD5Navd0GthBac+LnDTjU
+            0l4BcLhkodpQO5hu4+7nBXrh9cuZvovImxGwYImnWJYqO7tBPaYF8Dbou9e+PiQh
+            Q4wOx03Jq+YY8SPO4li0DHSVf3JmUF6NBY7fA1yKkPb4y1JNksHfubAOjpGoV2YT
+            =fepQ
+            -----END PGP MESSAGE-----
+          fp: "0xD5B08ADFC75E3605"
+        - created_at: "2022-11-27T01:42:41Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D6iFd6webPCUSAQdAHBFUxEGTQTnsmD8jYHBvbUmppGOPFF9AGPJo68mcH3Uw
+            ORFO7ThT3Wi0ocZwK9ZmE8AUZeOhgm6T2PJpPLfMV8gYw5WcCBoL5uSAZFcyyiR8
+            0l4B7LT9IxjzGxx5TPztSUuEcUEwFHGR4lwlqIjNP3SxS/fBlpgh3nBveU1SKsn7
+            2LHQXzN3oe4wLi22st3VYFyK/yDH3/WkrYFT0/Kqw5A9RRbRIxI5URuIgDtyR9Vi
+            =KMfp
+            -----END PGP MESSAGE-----
+          fp: "0xE0262A773B824745"
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3