nixos: Add working container VM (w/ vaultwarden)

Also improve IPv6 addressing / routing

flake.lock

@@ -166,11 +166,11 @@
     },
     "nixpkgs-mine": {
       "locked": {
-        "lastModified": 1653750319,
+        "lastModified": 1653784487,
-        "narHash": "sha256-V4rzHt2NxGPghmVBy3XA68f2Fisygcil8a/bf/xQ4J0=",
+        "narHash": "sha256-retweVtK4ysHALFjTlbYUHgmkR9bw02AbG0t+i9eo2o=",
         "owner": "devplayer0",
         "repo": "nixpkgs",
-        "rev": "b29604b752136d79c27ba7d0849fe38469302102",
+        "rev": "1f7c3482f34ff13f2916d43bad928375b9fca268",
         "type": "github"
       },
       "original": {
@@ -182,11 +182,11 @@
     },
     "nixpkgs-mine-stable": {
       "locked": {
-        "lastModified": 1653750790,
+        "lastModified": 1653784518,
-        "narHash": "sha256-3QxjU8oJyRDRCK6tHl7AeG4GDqWDJSuFL7hfaMojp04=",
+        "narHash": "sha256-Rc9WxxdC58B37MS+1Qivh/5/lfoVDYXC3AEe71WpAbQ=",
         "owner": "devplayer0",
         "repo": "nixpkgs",
-        "rev": "edab7137ddaa8022f28ecd4a2b26f5515e7de67c",
+        "rev": "976da39305ddbae9a339d63de0dd0bdbc8671e27",
         "type": "github"
       },
       "original": {
@@ -198,11 +198,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1653504306,
+        "lastModified": 1653733789,
-        "narHash": "sha256-bqjEskV+/tqOQqSEaCu4e6uWZ0F7ekBiMR16xpn4V0k=",
+        "narHash": "sha256-VIYazYCWNvcFNns2XQkHx/mVmCZ3oebZv8W2LS1gLQE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6efc186e6079ff3f328a2497ff3d36741ac60f6e",
+        "rev": "d1086907f56c5a6c33c0c2e8dc9f42ef6988294f",
         "type": "github"
       },
       "original": {

lib.nix

@@ -3,7 +3,7 @@ let
   inherit (builtins) length match replaceStrings elemAt mapAttrs head split;
   inherit (lib)
     genAttrs mapAttrs' mapAttrsToList filterAttrsRecursive nameValuePair types
-    mkOption mkOverride mkForce mergeEqualOption optional;
+    mkOption mkOverride mkForce mkIf mergeEqualOption optional hasPrefix;
   inherit (lib.flake) defaultSystems;
 in
 rec {
@@ -89,17 +89,20 @@ rec {
 
   networkdAssignment = iface: a: {
     matchConfig.Name = iface;
-    address = [ "${a.ipv4.address}/${toString a.ipv4.mask}" "${a.ipv6.address}/${toString a.ipv6.mask}" ];
+    address =
+      [ "${a.ipv4.address}/${toString a.ipv4.mask}" ] ++
+      (optional (a.ipv6.iid == null) "${a.ipv6.address}/${toString a.ipv6.mask}");
     gateway =
       (optional (a.ipv4.gateway != null) a.ipv4.gateway) ++
       (optional (a.ipv6.gateway != null) a.ipv6.gateway);
     networkConfig = {
-      IPv6AcceptRA = a.ipv6.gateway == null;
+      IPv6AcceptRA = a.ipv6.gateway == null || a.ipv6.iid != null;
       # NOTE: LLDP emission / reception is ignored on bridge interfaces
       LLDP = true;
       EmitLLDP = "customer-bridge";
     };
     ipv6AcceptRAConfig = {
+      Token = mkIf (a.ipv6.iid != null) "static:${a.ipv6.iid}";
       UseDNS = true;
       UseDomains = true;
     };
@@ -153,14 +156,31 @@ rec {
     filterOpts = filterAttrsRecursive (_: v: v != null);
   };
 
-  colonyDomain = "test.int.nul.ie";
+  colony = rec {
-  # Shouldn't need this hopefully (IPv6 RA)
+    domain = "test.int.nul.ie";
-  colonyDNS = {
+    # Shouldn't need this hopefully (IPv6 RA)
-    domains = [ colonyDomain ];
+    dns = {
-    dns = [
+      domains = [ domain ];
-      "10.100.0.1"
+      dns = [
-      "2a0e:97c0:4d1:0::1"
+        "10.100.0.1"
-    ];
+        "2a0e:97c0:4d1:0::1"
+      ];
+    };
+    prefixes = {
+      all = {
+        v4 = "10.100.0.0/16";
+        v6 = "2a0e:97c0:4d0:bbb0::/60";
+      };
+      base.v6 = "2a0e:97c0:4d0:bbb0::/64";
+      vms = {
+        v4 = "10.100.1.0/24";
+        v6 = "2a0e:97c0:4d0:bbb1::/64";
+      };
+      ctrs = {
+        v4 = "10.100.2.0/24";
+        v6 = "2a0e:97c0:4d0:bbb2::/64";
+      };
+    };
   };
   sshKeyFiles = {
     me = .keys/me.pub;

nixos/boxes/colony/default.nix

@@ -11,7 +11,10 @@
         altNames = [ "vm" ];
         ipv4.address = "10.100.0.2";
         #ipv6.address = "2a0e:97c0:4d1:0::2";
-        ipv6.address = "2a0e:97c0:4d0:bbb0::2";
+        ipv6 = rec {
+          iid = "::2";
+          address = "2a0e:97c0:4d0:bbb0${iid}";
+        };
       };
       vms = {
         ipv4 = {
@@ -31,7 +34,7 @@
       {
         imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
 
-        networking.domain = lib.my.colonyDomain;
+        networking.domain = lib.my.colony.domain;
 
         boot.kernelParams = [ "intel_iommu=on" ];
         boot.loader.systemd-boot.configurationLimit = 20;
@@ -88,7 +91,7 @@
               };
 
               "80-vms" = mkMerge [
-                (networkdAssignment "base" assignments.vms)
+                (networkdAssignment "vms" assignments.vms)
                 {
                   networkConfig = {
                     IPv6AcceptRA = mkForce false;
@@ -101,7 +104,17 @@
                   ipv6Prefixes = [
                     {
                       #ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:1::/64";
-                      ipv6PrefixConfig.Prefix = "2a0e:97c0:4d0:bbb1::/64";
+                      ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.vms.v6;
+                    }
+                  ];
+                  routes = map (r: { routeConfig = r; }) [
+                    {
+                      Gateway = allAssignments.shill.internal.ipv4.address;
+                      Destination = lib.my.colony.prefixes.ctrs.v4;
+                    }
+                    {
+                      Gateway = allAssignments.shill.internal.ipv6.address;
+                      Destination = lib.my.colony.prefixes.ctrs.v6;
                     }
                   ];
                 }
@@ -145,14 +158,8 @@
           server.enable = true;
 
           firewall = {
-            trustedInterfaces = [ "base" ];
+            trustedInterfaces = [ "base" "vms" ];
           };
-
-          #containers = {
-          #  instances.vaultwarden = {
-          #    networking.bridge = "virtual";
-          #  };
-          #};
         };
       };
   };

nixos/boxes/colony/vms/default.nix

@@ -1,12 +1,31 @@
 {
   imports = [
     ./estuary
+    ./shill
   ];
 
   nixos.systems.colony.configuration = { lib, pkgs, config, systems, ... }:
   let
+    inherit (lib) mkMerge;
+
     wanBDF =
       if config.my.build.isDevVM then "00:02.0" else "01:00.0";
+
+    vmLVM = vm: lv: {
+      "${lv}" = {
+        backend = {
+          driver = "host_device";
+          filename = "/dev/ssds/vm-${vm}-${lv}";
+          # It appears this needs to be set on the backend _and_ the format
+          discard = "unmap";
+        };
+        format = {
+          driver = "raw";
+          discard = "unmap";
+        };
+        frontend = "virtio-blk";
+      };
+    };
   in
   {
     systemd = {
@@ -28,40 +47,52 @@
 
     my = {
       vms = {
-        instances.estuary = {
+        instances = {
-          uuid = "59f51efb-7e6d-477b-a263-ed9620dbc87b";
+          estuary = {
-          networks.base.mac = "52:54:00:ab:f1:52";
+            uuid = "59f51efb-7e6d-477b-a263-ed9620dbc87b";
-          drives = {
+            networks.base.mac = "52:54:00:ab:f1:52";
-            installer = {
+            drives = {
-              backend = {
+              # TODO: Split into separate LVs
-                driver = "file";
+              disk = {
-                filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos.iso";
+                backend = {
-                read-only = "on";
+                  driver = "host_device";
-              };
+                  filename = "/dev/ssds/vm-estuary";
-              format.driver = "raw";
+                  # It appears this needs to be set on the backend _and_ the format
-              frontend = "ide-cd";
+                  discard = "unmap";
-              frontendOpts = {
+                };
-                bootindex = 1;
+                format = {
-              };
+                  driver = "raw";
-            };
+                  discard = "unmap";
-            disk = {
+                };
-              backend = {
+                frontend = "virtio-blk";
-                driver = "host_device";
-                filename = "/dev/ssds/vm-estuary";
-                # It appears this needs to be set on the backend _and_ the format
-                discard = "unmap";
-              };
-              format = {
-                driver = "raw";
-                discard = "unmap";
-              };
-              frontend = "virtio-blk";
-              frontendOpts = {
-                bootindex = 0;
               };
             };
+            hostDevices."${wanBDF}" = { };
+          };
+          shill = {
+            uuid = "e34569ec-d24e-446b-aca8-a3b27abc1f9b";
+            networks.vms.mac = "52:54:00:85:b3:b1";
+            drives = mkMerge [
+              (vmLVM "shill" "esp")
+              (vmLVM "shill" "nix")
+              (vmLVM "shill" "persist")
+              {
+                installer = {
+                  backend = {
+                    driver = "file";
+                    filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos.iso";
+                    read-only = "on";
+                  };
+                  format.driver = "raw";
+                  frontend = "ide-cd";
+                  frontendOpts = {
+                    bootindex = 1;
+                  };
+                };
+                esp.frontendOpts.bootindex = 0;
+              }
+            ];
           };
-          hostDevices."${wanBDF}" = { };
         };
       };
     };

nixos/boxes/colony/vms/estuary/default.nix

@@ -25,7 +25,7 @@
 
         config = mkMerge [
           {
-            networking.domain = lib.my.colonyDomain;
+            networking.domain = lib.my.colony.domain;
 
             boot.kernelParams = [ "console=ttyS0,115200n8" ];
             fileSystems = {
@@ -94,7 +94,26 @@
                     ipv6Prefixes = [
                       {
                         #ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:0::/64";
-                        ipv6PrefixConfig.Prefix = "2a0e:97c0:4d0:bbb0::/64";
+                        ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6;
+                      }
+                    ];
+                    routes = map (r: { routeConfig = r; }) [
+                      {
+                        Gateway = allAssignments.colony.internal.ipv4.address;
+                        Destination = lib.my.colony.prefixes.vms.v4;
+                      }
+                      {
+                        Gateway = allAssignments.colony.internal.ipv6.address;
+                        Destination = lib.my.colony.prefixes.vms.v6;
+                      }
+
+                      {
+                        Gateway = allAssignments.colony.internal.ipv4.address;
+                        Destination = lib.my.colony.prefixes.ctrs.v4;
+                      }
+                      {
+                        Gateway = allAssignments.colony.internal.ipv6.address;
+                        Destination = lib.my.colony.prefixes.ctrs.v6;
                       }
                     ];
                   }
@@ -138,7 +157,7 @@
                       iifname wan meta l4proto { udp, tcp } th dport domain redirect to :5353
                     }
                     chain postrouting {
-                      ip saddr 10.100.0.0/16 masquerade
+                      ip saddr ${lib.my.colony.prefixes.all.v4} masquerade
                     }
                   }
                 '';

nixos/boxes/colony/vms/estuary/dns.nix

@@ -21,9 +21,7 @@ in
         ];
         allowFrom = [
           "127.0.0.0/8" "::1/128"
-          "10.100.0.0/16" "2a0e:97c0:4d1::/48"
+          lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6
-          # TODO: Remove when moving to proper net!
-          "2a0e:97c0:4d0::/48"
         ];
       };
       forwardZones = genAttrs authZones (_: "127.0.0.1:5353");

nixos/boxes/colony/vms/shill/containers/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./vaultwarden.nix
+  ];
+}

nixos/boxes/colony/vms/shill/containers/vaultwarden.nix

@@ -1,11 +1,23 @@
 {
   nixos.systems.vaultwarden = {
     system = "x86_64-linux";
-    nixpkgs = "unstable";
+    nixpkgs = "mine";
 
-    configuration = { lib, config, ... }:
+    assignments = {
+      internal = {
+        name = "vaultwarden-ctr";
+        ipv4.address = "10.100.2.2";
+        ipv6 = rec {
+          iid = "::2";
+          address = "2a0e:97c0:4d0:bbb2${iid}";
+        };
+      };
+    };
+
+    configuration = { lib, config, assignments, ... }:
     let
       inherit (lib) mkMerge mkIf mkForce;
+      inherit (lib.my) networkdAssignment;
 
       vwData = "/var/lib/vaultwarden";
       vwSecrets = "vaultwarden.env";
@@ -17,16 +29,28 @@
             server.enable = true;
 
             secrets = {
-              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHoWhafCkLVggsO24fFWm3nmkY5t23GHbBafBVGijbQ";
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILakffcjRp6h6lxSOADOsTK5h2MCkt8hKDv0cvchM7iw";
               files."${vwSecrets}" = {};
             };
 
             firewall = {
               tcp.allowed = [ 80 3012 ];
             };
+
+            tmproot.persistence.config.directories = [
+              {
+                directory = vwData;
+                user = config.users.users.vaultwarden.name;
+                group = config.users.groups.vaultwarden.name;
+              }
+            ];
+          };
+
+          systemd = {
+            services.vaultwarden.serviceConfig.StateDirectory = mkForce "vaultwarden";
+            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
           };
 
-          systemd.services.vaultwarden.serviceConfig.StateDirectory = mkForce "vaultwarden";
           services = {
             vaultwarden = {
               enable = true;
@@ -43,13 +67,6 @@
           };
         }
         (mkIf config.my.build.isDevVM {
-          my.tmproot.persistence.config.directories = [
-            {
-              directory = vwData;
-              user = config.users.users.vaultwarden.name;
-              group = config.users.groups.vaultwarden.name;
-            }
-          ];
           virtualisation = {
             forwardPorts = [
               { from = "host"; host.port = 8080; guest.port = 80; }

nixos/boxes/colony/vms/shill/default.nix

@@ -0,0 +1,109 @@
+{
+  imports = [ ./containers ];
+
+  nixos.systems.shill = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "shill-vm";
+        altNames = [ "ctr" ];
+        ipv4.address = "10.100.1.2";
+        ipv6 = rec {
+          iid = "::2";
+          address = "2a0e:97c0:4d0:bbb1${iid}";
+        };
+      };
+      ctrs = {
+        ipv4 = {
+          address = "10.100.2.1";
+          gateway = null;
+        };
+        ipv6.address = "2a0e:97c0:4d0:bbb2::1";
+      };
+    };
+
+    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
+      let
+        inherit (lib) mkIf mkMerge mkForce;
+        inherit (lib.my) networkdAssignment;
+      in
+      {
+        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+
+        config = mkMerge [
+          {
+            networking.domain = lib.my.colony.domain;
+
+            boot.kernelParams = [ "console=ttyS0,115200n8" ];
+            fileSystems = {
+              "/boot" = {
+                device = "/dev/disk/by-label/ESP";
+                fsType = "vfat";
+              };
+              "/nix" = {
+                device = "/dev/vdb";
+                fsType = "ext4";
+              };
+              "/persist" = {
+                device = "/dev/vdc";
+                fsType = "ext4";
+                neededForBoot = true;
+              };
+            };
+
+            systemd.network = {
+              links = {
+                "10-vms" = {
+                  matchConfig.MACAddress = "52:54:00:85:b3:b1";
+                  linkConfig.Name = "vms";
+                };
+              };
+              netdevs."25-ctrs".netdevConfig = {
+                Name = "ctrs";
+                Kind = "bridge";
+              };
+
+              networks = {
+                "80-vms" = networkdAssignment "vms" assignments.internal;
+                "80-ctrs" = mkMerge [
+                  (networkdAssignment "ctrs" assignments.ctrs)
+                  {
+                    networkConfig = {
+                      IPv6AcceptRA = mkForce false;
+                      IPv6SendRA = true;
+                    };
+                    ipv6SendRAConfig = {
+                      DNS = [ allAssignments.estuary.internal.ipv6.address ];
+                      Domains = [ config.networking.domain ];
+                    };
+                    ipv6Prefixes = [
+                      {
+                        ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.ctrs.v6;
+                      }
+                    ];
+                  }
+                ];
+              };
+            };
+
+            my = {
+              secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWi6iEcpKdWPiHPgQEeVVKfB3yWNXQbXbr8IXYL+6Cw";
+              server.enable = true;
+
+              firewall = {
+                trustedInterfaces = [ "vms" "ctrs" ];
+              };
+
+              containers = {
+                instances.vaultwarden = {
+                  networking.bridge = "ctrs";
+                };
+              };
+            };
+          }
+        ];
+      };
+  };
+}

nixos/default.nix

@@ -102,6 +102,7 @@ let
       ipv6 = {
         address = mkOpt' str null "IPv6 address.";
         mask = mkOpt' ints.u8 64 "Network mask.";
+        iid = mkOpt' (nullOr str) null "SLAAC static address.";
         gateway = mkOpt' (nullOr str) null "IPv6 gateway.";
       };
     };

nixos/installer.nix

@@ -52,8 +52,11 @@
             };
           };
 
-          # Will be set dynamically
+          networking = {
-          networking.hostName = "";
+            # Will be set dynamically
+            hostName = "";
+            useNetworkd = false;
+          };
 
           # This should be overridden by whatever boot mechanism is used
           fileSystems."/" = mkDefault {

nixos/modules/containers.nix

@@ -10,6 +10,40 @@ let
   devVMKeyPath = "/run/dev.key";
   ctrProfiles = n: "/nix/var/nix/profiles/per-container/${n}";
 
+  dummyReady = pkgs.runCommandCC "dummy-sd-ready" {
+    buildInputs = [ pkgs.systemd ];
+    passAsFile = [ "code" ];
+    code = ''
+      #include <stdio.h>
+      #include <signal.h>
+      #include <unistd.h>
+      #include <systemd/sd-daemon.h>
+
+      void handler(int signum) {
+        exit(0);
+      }
+
+      int main() {
+        // systemd sends this to PID 1 for an "orderly shutdown"
+        signal(SIGRTMIN+3, handler);
+
+        int ret =
+          sd_notifyf(0, "READY=1\n"
+            "STATUS=Dummy container, please deploy for real!\n"
+            "MAINPID=%lu",
+            (unsigned long)getpid());
+        if (ret <= 0) {
+          fprintf(stderr, "sd_notify() returned %d\n", ret);
+          return ret == 0 ? -1 : ret;
+        }
+
+        pause();
+        return 0;
+      };
+    '';
+  } ''
+    $CC -o "$out" -x c -lsystemd "$codePath"
+  '';
   dummyProfile = pkgs.writeTextFile {
     name = "dummy-init";
     executable = true;
@@ -19,10 +53,7 @@ let
       #!${pkgs.runtimeShell}
       ${pkgs.iproute2}/bin/ip link set dev host0 up
 
-      while true; do
+      exec ${dummyReady}
-        echo "This is a dummy, please deploy the real container!"
-        ${pkgs.coreutils}/bin/sleep 5
-      done
     '';
   };
 
@@ -185,6 +216,7 @@ in
           reload =
           # `switch-to-configuration test` switches config without trying to update bootloader
           ''
+            # TODO: This still breaks on first deploy over the dummy...
             [ -e "${system}"/bin/switch-to-configuration ] && \
               systemd-run --pipe --machine ${n} -- "${containerSystem}"/bin/switch-to-configuration test
           '';
@@ -250,13 +282,9 @@ in
           Virtualization = "container";
         };
         networkConfig = {
-          DHCP = "yes";
           LLDP = true;
           EmitLLDP = "customer-bridge";
         };
-        dhcpConfig = {
-          UseTimezone = true;
-        };
       };
 
       # If the host is a dev VM

nixos/modules/vms.nix

@@ -113,7 +113,7 @@ let
         threads = mkOpt' ints.unsigned 1 "Number of threads per core.";
       };
       memory = mkOpt' ints.unsigned 1024 "Amount of RAM (mebibytes).";
-      vga = mkOpt' str "qxl" "VGA card type.";
+      vga = mkOpt' str "virtio" "VGA card type.";
       spice.enable = mkBoolOpt' true "Whether to enable SPICE.";
       networks = mkOpt' (attrsOf (submodule netOpts)) { } "Networks to attach VM to.";
       drives = mkOpt' (attrsOf (submodule driveOpts)) { } "Drives to attach to VM.";

secrets/user-passwd.txt.age

@@ -1,15 +1,16 @@
 age-encryption.org/v1
--> ssh-ed25519 SKXJUw HNKr/VHMm2Tm3zXJy/hiWFT/HwMrs5dzi+JSdfe/3wE
+-> ssh-ed25519 SKXJUw WuE37itEkLwXXidFy5KSirx2nHJrMSv2s1QtdWX8SFQ
-NH/28Nkeij6o3h63Fu/h2dgI8b6spZ0dMKp/yUfTCq4
++hQkpae7pD8CddccW/EkXdM9PwLvR9ExhfiMSpDrmR4
--> ssh-ed25519 B9K/XQ it45NurDEjYL5dAVJsJmi+MlIHKSpP2Lj7Fij5/ziUs
+-> ssh-ed25519 B9K/XQ dcFFZZW7YmoIE9t4f5q75Fiydok4dlFvMhUe4AL0glo
-1vKMO+h6aMAWDQDWwKrT0PwDhw90mk7x7uf27CCz27s
+VNmnLMMyPMmeaRS9TCve0jFLoOsMOjFinERzbCYb5VU
--> ssh-ed25519 LLxJog aAmssC1kqweHP1TEtkVurusq1AqIc8t7HZ7A7hjRtAw
+-> ssh-ed25519 b6YMqg rzXuWZ70pstFv91Pc9rEzX6zQoP7EzFbaVqLztzeDEg
-lDbexbeib25DPuFiObs+1PQgu1WPG8a/P01QD6tO1f8
+FfdsqfWrWhVp69Y06kMdJLki4SZcsTfQgpGkOV8OEWY
--> X25519 lcKREBQdELTzOpxRXMJa5J9stI9u3tZJdAHGW2LC8W4
+-> ssh-ed25519 Lqn0Yw w34t0WrHrI0X9YPiKuqtA/g4nb5u+MUR5IMhxax94GA
-7c+kF11czGa7DEq3+ZJW+iSLcU/XKn+YJlciQzLwP64
+om8lmlCa7b5dFTHgTWkfG0JQlo7SGuOsMKWV+ZyZODo
--> y251}dI-grease
+-> X25519 /D+YDNaHuzjd1qfUVGSzMv/Gme3c7EfnAReZwijNrHU
-zIIT0zZ1oHhvxwQtUM6JsvhIqbQ0fRz5YFJMrxkwk8FDwgIyoKHQhVWNYmFDWhEs
+Mq8c561BFjPNpevYYxZoQlXyukWoJ/FqHMygRVIa8L4
-K0QD0scV1HUGGAJdMoePqHw
+-> K#M-grease
---- a2PYkwWrS0NFhoL/0IgmuvKRjkORQrotG+RKXVtXeiI
+cqBqOMKVvx0kDafiKK3izbQO2jJWDt0cw1z7iIlO2HQcDyrymtIkwiUcZ0DnjCO8
-t<>6<EFBFBD><36>!<21>,ޟo.<2E>n<EFBFBD>7J<02><>K`<60><1D>a<EFBFBD>i.<05><>c<EFBFBD>>$<>W<EFBFBD><57>>"8<03><><r4Y'{<7B><><EFBFBD>O"B<><42><EFBFBD><06>yg
+0GP/yJXOxwzP/L7+
-P&<26>
+--- 9euRtnfRLtKp2uI4YFGFJNNIvn8+YtQ8Ugoki23oSAQ
+<EFBFBD>

secrets/vaultwarden.env.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 LLxJog eSRhmFeLs7fG7lPZ44XaMw1j98q/P9LQt/5Memro+EU
+-> ssh-ed25519 Lqn0Yw VmwYgZn0wfCPNmwMot88E5HIt5KQDOQI6ylzQ5WJeg0
-Z5TWxKcZVYJhM6K7cxJV+zUjkYiHb6l2pLx+yCYU2/8
+qxaprd2nOEmNjq5uMfN/SG3VYOANsl1mgB0o/7T+2Ek
--> X25519 YKwo3Qc5evINbdfZwikjAX0xX1tVmzdcHKD3S26u6WE
+-> X25519 8JIr+LQxrTRS4E9EyLFKSB/0J207foeHRDhWjLVOZEw
-apofL5khdAzIXR/8EQhbOK8wyR/XC9xRjPb4D+yvNpU
+evAK6VTgfMucDrQL2zRu4CI52gIK/TNXH2Tx0iYEMVM
--> {|n)k`|=-grease
+-> <"8l}KO-grease
-9UNdvH8XaUfMKexmVOSLAFqX3hrNvcn76wlY49E5RE247+gMRINSSt6iFqoCQLFi
+Rd7ooeg76wEs9x+a5HhTFlS5Y+RK7wZK1SUdI4SknztHMjMwO/FC/w
-utHb9c5Rkp813qlNmqJVCX2Ye9VLLMi4Zw
+--- 7c/+kShXCtzYStmGvEF/XzrLiE/LpSHX4g1whtZEBYk
---- 4JWdZtLMWoV8ALYYT/WNBgZhjToxibIVWZhWDUn9Zjw
+<EFBFBD>~O,<2C><>4<><34>H&b<>9]-<2D>SK<>-<2D><><EFBFBD><EFBFBD>l<EFBFBD><6C><EFBFBD>^<5E><><EFBFBD><EFBFBD>DJ<44><1D>6a<36><61>Â-<2D>ɠ)<29>	<09><>X<EFBFBD>:N<11><><EFBFBD><EFBFBD>Ԭ<EFBFBD>#<23><><EFBFBD>~<1E><>&<26>i{<7B><><EFBFBD><EFBFBD>pU+Ϸ<>U<EFBFBD><55>w>b<><62><EFBFBD>:N/R
-<12><>
2<>ο(dW<64><57>b<EFBFBD><62><EFBFBD><EFBFBD><EFBFBD>*<05><02><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>}<7D>ĐT<C490>6<EFBFBD>ךi<17>W<EFBFBD><57>S<EFBFBD>R<EFBFBD><52><EFBFBD>vbd<62>Lwh3<68><33>i<14><>vV?صc<D8B5>#<23><><EFBFBD>sbK<62>(pR"I<10><><05>d<EFBFBD><64><EFBFBD>E9<45><39>M