Skip keepalive for now

Swapped out for amd gpu on nr200p

.sops.yaml

@@ -0,0 +1,65 @@
+keys:
+  - &admin_users:
+    - &caperren       age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+  - &systems:
+    - &personal:
+      - &cap_slim7    age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d
+      - &cap_nr200p   age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390
+    - &apollo:
+      - &cap_apollo_n01 age1ljcy90uwlfngc7vqwlf2x2ckgsdfg90c0r9yvjzpl90jkwf9g48q2leudt
+      - &cap_apollo_n02 age1vl9q7u0jkzjpdqrmg4flvz2f7gyn05luv4ka60hu5l8yn4m6rujquhyc2p
+    - &cluster:
+      - &cap_clust_01 age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl
+      - &cap_clust_02 age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u
+      - &cap_clust_03 age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l
+      - &cap_clust_04 age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2
+      - &cap_clust_05 age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr
+      - &cap_clust_06 age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz
+      - &cap_clust_07 age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw
+      - &cap_clust_08 age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r
+      - &cap_clust_09 age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp
+creation_rules:
+  - path_regex: users/caperren/secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *caperren
+          - *cap_slim7
+          - *cap_nr200p
+  - path_regex: secrets/default.yaml$
+    key_groups:
+      - age:
+          - *caperren
+          - *cap_slim7
+          - *cap_nr200p
+          - *cap_apollo_n01
+          - *cap_apollo_n02
+          - *cap_clust_01
+          - *cap_clust_02
+          - *cap_clust_03
+          - *cap_clust_04
+          - *cap_clust_05
+          - *cap_clust_06
+          - *cap_clust_07
+          - *cap_clust_08
+          - *cap_clust_09
+  - path_regex: secrets/cluster.yaml$
+    key_groups:
+      - age:
+          - *caperren
+          - *cap_slim7
+          - *cap_nr200p
+          - *cap_clust_01
+          - *cap_clust_02
+          - *cap_clust_03
+          - *cap_clust_04
+          - *cap_clust_05
+          - *cap_clust_06
+          - *cap_clust_07
+          - *cap_clust_08
+          - *cap_clust_09
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *caperren
+          - *cap_slim7
+          - *cap_nr200p

README.md

@@ -1,4 +1,9 @@
 # nixos-configs
 
+## Miscellaneous Notes
+- To generate the sops age key for a new host
+  - `nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'`
+- Update keys after adding new host or personal key
+  - `sops updatekeys <file>`
 ## Misc references used
 * https://github.com/XNM1/linux-nixos-hyprland-config-dotfiles/tree/main

flake.nix

@@ -5,8 +5,13 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
@@ -15,6 +20,7 @@
     {
       self,
       nixpkgs,
+      sops-nix,
       home-manager,
       nixos-hardware,
       ...
@@ -22,75 +28,111 @@
     {
       nixosConfigurations.cap-clust-01 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-clust-01/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
         ];
       };
       nixosConfigurations.cap-clust-02 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-clust-02/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
         ];
       };
       nixosConfigurations.cap-clust-03 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-clust-03/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
         ];
       };
       nixosConfigurations.cap-clust-04 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-clust-04/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
         ];
       };
       nixosConfigurations.cap-clust-05 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-clust-05/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
         ];
       };
       nixosConfigurations.cap-clust-06 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-clust-06/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
         ];
       };
       nixosConfigurations.cap-clust-07 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-clust-07/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
         ];
       };
       nixosConfigurations.cap-clust-08 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-clust-08/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
         ];
       };
       nixosConfigurations.cap-clust-09 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-clust-09/configuration.nix
+          sops-nix.nixosModules.sops
+          inputs.home-manager.nixosModules.default
+        ];
+      };
+
+      nixosConfigurations.cap-apollo-n01 = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
+        modules = [
+          ./hosts/cap-apollo-n01/configuration.nix
+          sops-nix.nixosModules.sops
+          inputs.home-manager.nixosModules.default
+        ];
+      };
+      nixosConfigurations.cap-apollo-n02 = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
+        modules = [
+          ./hosts/cap-apollo-n02/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
         ];
       };
 
       nixosConfigurations.cap-slim7 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
-        specialArgs = {
+        specialArgs = { inherit inputs; };
-          inherit inputs;
-        };
         modules = [
           ./hosts/cap-slim7/configuration.nix
+          sops-nix.nixosModules.sops
           inputs.home-manager.nixosModules.default
           nixos-hardware.nixosModules.lenovo-legion-16arha7
         ];
@@ -98,9 +140,11 @@
 
       nixosConfigurations.cap-nr200p = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./hosts/cap-nr200p/configuration.nix
           inputs.home-manager.nixosModules.default
+          sops-nix.nixosModules.sops
         ];
       };
     };

hosts/cap-apollo-n01/configuration.nix

@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    # Hardware Scan
+    ./hardware-configuration.nix
+
+    # Users
+    ../../users/apollo-admin/apollo-admin.nix
+
+    # System Configuration
+    ../../modules/system/cpu-intel.nix
+    ../../modules/system/fonts.nix
+    ../../modules/system/home-manager-settings.nix
+    ../../modules/system/internationalization.nix
+    ../../modules/system/networking.nix
+    ../../modules/system/nix-settings.nix
+    ../../modules/system/security.nix
+    ../../modules/system/systemd-boot.nix
+
+    # Application Groups
+    ../../modules/application-groups/system-utilities-cluster.nix
+    ../../modules/application-groups/virtualization.nix
+  ];
+
+  networking.hostName = "cap-apollo-n01";
+
+
+}

hosts/cap-apollo-n01/hardware-configuration.nix

@@ -0,0 +1,31 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "uhci_hcd" "hpsa" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/1fa744fd-82d2-4997-a757-28ae96461a96";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/F57E-AA2D";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/cap-apollo-n02/configuration.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    # Hardware Scan
+    ./hardware-configuration.nix
+
+    # Host Groups
+    ../../modules/host-groups/apollo-2000.nix
+
+  ];
+
+  networking.hostName = "cap-apollo-n02";
+}

hosts/cap-apollo-n02/hardware-configuration.nix

@@ -0,0 +1,31 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "uhci_hcd" "hpsa" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/71e4a38f-1e1e-4ebb-8e7a-a9489aa61f55";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/4A99-55C6";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/cap-clust-03/configuration.nix

@@ -8,7 +8,7 @@
     ../../modules/host-groups/cluster.nix
 
     # Application Groups
-    ../../modules/application-groups/k3s-primary.nix
+    ../../modules/application-groups/k3s-secondary.nix
   ];
 
   networking.hostName = "cap-clust-03";

hosts/cap-clust-04/configuration.nix

@@ -9,4 +9,6 @@
   ];
 
   networking.hostName = "cap-clust-04";
+
+
 }

hosts/cap-clust-05/configuration.nix

@@ -9,4 +9,6 @@
   ];
 
   networking.hostName = "cap-clust-05";
+
+
 }

hosts/cap-clust-06/configuration.nix

@@ -9,4 +9,6 @@
   ];
 
   networking.hostName = "cap-clust-06";
+
+
 }

hosts/cap-clust-07/configuration.nix

@@ -9,4 +9,6 @@
   ];
 
   networking.hostName = "cap-clust-07";
+
+
 }

hosts/cap-clust-08/configuration.nix

@@ -9,4 +9,6 @@
   ];
 
   networking.hostName = "cap-clust-08";
+
+
 }

hosts/cap-clust-09/configuration.nix

@@ -9,4 +9,6 @@
   ];
 
   networking.hostName = "cap-clust-09";
+
+
 }

hosts/cap-nr200p/configuration.nix

@@ -21,7 +21,7 @@
     ../../modules/system/cpu-amd.nix
     ../../modules/system/desktop.nix
     ../../modules/system/fonts.nix
-    ../../modules/system/gpu-nvidia.nix
+    ../../modules/system/gpu-amd.nix
     ../../modules/system/home-manager-settings.nix
     ../../modules/system/hyprland.nix
     ../../modules/system/internationalization.nix

modules/application-groups/k3s-primary.nix

@@ -1,9 +1,11 @@
 { config, pkgs, ... }:
 {
+  sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
+
   services.k3s = {
     enable = true;
     role = "server";
-    token = "forinitialtestingonly";
+    tokenFile = config.sops.secrets.k3s_token.path;
     clusterInit = true;
   };
 }

modules/application-groups/k3s-secondary.nix

@@ -1,9 +1,11 @@
 { config, pkgs, ... }:
 {
+  sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
+
   services.k3s = {
     enable = true;
     role = "server"; # Or "agent" for worker only nodes
-    token = "forinitialtestingonly";
+    tokenFile = config.sops.secrets.k3s_token.path;
     serverAddr = "https://cap-clust-01:6443";
   };
 }

modules/application-groups/system-utilities-cluster.nix

@@ -18,6 +18,7 @@
     nmap
     nvtopPackages.full
     pciutils
+    screen
     unzip
     usbutils
     util-linux

modules/application-groups/system-utilities.nix

@@ -38,6 +38,7 @@
     kitty
     swappy
     lf
+    mesa-demos
     minicom
     ncdu
     networkmanager
@@ -51,6 +52,7 @@
     rpiboot
     s-tui
     scrcpy
+    screen
     speedcrunch
     streamdeck-ui
     stress

modules/host-groups/apollo-2000.nix

@@ -0,0 +1,130 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    # Users
+    ../../users/apollo-admin/apollo-admin.nix
+
+    # System Configuration
+    ../../modules/system/cpu-intel.nix
+    ../../modules/system/fonts.nix
+    ../../modules/system/home-manager-settings.nix
+    ../../modules/system/internationalization.nix
+    ../../modules/system/networking.nix
+    ../../modules/system/nix-settings.nix
+    ../../modules/system/security.nix
+    ../../modules/system/systemd-boot.nix
+
+    # Application Groups
+    ../../modules/application-groups/system-utilities-cluster.nix
+    ../../modules/application-groups/virtualization.nix
+  ];
+
+  time.timeZone = "America/Los_Angeles";
+
+  sops.secrets = {
+    "ssh/ilouser/id_rsa" = {
+      sopsFile = ../../secrets/default.yaml;
+      path = "/root/.ssh/ilo_id_rsa";
+      restartUnits = [ "hpe-silent-fans.service" ];
+    };
+    "ssh/ilouser/id_rsa_pub" = {
+      sopsFile = ../../secrets/default.yaml;
+      path = "/root/.ssh/ilo_id_rsa.pub";
+    };
+  };
+
+  systemd = {
+#    services.hpe-ilo-keepalive = {
+#      enable = true;
+#      after = [
+#        "network.target"
+#        "hpe-silent-fans.service"
+#      ];
+#      wantedBy = [ "multi-user.target" ];
+#      description = "Maintains ilo ssh session via sending periodic command";
+#
+#      serviceConfig = {
+#        Type = "simple";
+#        ExecStart = ''${pkgs.screen}/bin/screen -S ilofansession -X stuff "fan info^M"'';
+#      };
+#
+#      path = with pkgs; [
+#        bash
+#        config.programs.ssh.package
+#        screen
+#      ];
+#
+#      startAt = "*:0/5";
+#    };
+    services.hpe-silent-fans = {
+      enable = true;
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      description = "Lowers fan speeds by using ilo over ssh to manually set fan parameters";
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStartPre = ''${pkgs.coreutils}/bin/sleep 30'';
+        ExecStart = "${pkgs.writeShellScript "hpe-silent-fans.sh" ''
+          set -e
+
+          SCREEN_NAME=ilofansession
+
+          SSH_USER=ilouser
+          SSH_HOST=cap-apollo-ilo02
+          SSH_KEY=/root/.ssh/ilo_id_rsa
+          SSH_OPTIONS="-o KexAlgorithms=diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 -o PubkeyAcceptedKeyTypes=+ssh-rsa -o HostKeyAlgorithms=ssh-rsa -o StrictHostKeyChecking=no"
+
+          # Create screen session
+          screen -dmS $SCREEN_NAME
+
+          # Make initial iLO connection
+          screen -S $SCREEN_NAME -X stuff "ssh -i $SSH_KEY -t $SSH_USER@$SSH_HOST $SSH_OPTIONS^M"
+
+          sleep 5
+
+          ##### Tune pid for all non-segmented fans
+          for sensor in 1 2 3 4 5 6 7 9 10 11 12 13 14 15 16 17 18 19 20 21 26 28 29 30 31 32 38 40 41; do
+            screen -S $SCREEN_NAME -X stuff "fan pid $sensor lo 1600^M"
+            sleep 0.5
+          done
+
+          ##### Tune pid for segmented fans
+          for sensor in 8 22 23 24 25 27 39; do
+            screen -S $SCREEN_NAME -X stuff "fan a $sensor 0 0 16 41 16 25^M"
+            sleep 0.5
+          done
+
+          ##### Set minimum for fan group
+          screen -S $SCREEN_NAME -X stuff "fan p 0 min 16^M"
+        ''}";
+
+      };
+
+      path = with pkgs; [
+        bash
+        config.programs.ssh.package
+        coreutils
+        screen
+      ];
+    };
+
+    #    timers.hpe-ilo-keepalive = {
+    #      wantedBy = [ "timers.target" ];
+    #      timerConfig = {
+    #        OnBootSec = "5m";
+    #        OnCalendar = "*-*-* *:0/5:00";
+    #        Unit = "hpe-ilo-keepalive.service";
+    #      };
+    #    };
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "25.11"; # Did you read the comment?
+}

modules/system/cpu-intel.nix

@@ -0,0 +1,4 @@
+{ config, lib, ... }:
+{
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

modules/system/home-manager-settings.nix

@@ -1,5 +1,11 @@
-{ config, pkgs, ... }:
+{ inputs, ... }:
 {
-    home-manager.useGlobalPkgs = true;
+  home-manager = {
-    home-manager.backupFileExtension = "bkp";
+    useGlobalPkgs = true;
+    backupFileExtension = "bkp";
+    sharedModules = [
+      inputs.sops-nix.homeManagerModules.sops
+    ];
+  };
+
 }

modules/system/security.nix

@@ -1,5 +1,15 @@
 { pkgs, config, ... }:
 {
+  environment.systemPackages = with pkgs; [
+    sops
+    age
+  ];
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+    defaultSopsFile = ../../secrets/default.yaml;
+  };
+
   security.sudo = {
     enable = true;
     extraRules = [

secrets/cluster.yaml

@@ -0,0 +1,115 @@
+k3s_token: ENC[AES256_GCM,data:UANQ7DzasppB8ZPtGY9wR9lhU+VpTjJE,iv:cvEiUt7zG4Joyd1gkaqi848ES7aPf7VoYc4zDwLKEDQ=,tag:j4EU/srhEL0+nQGhETuerA==,type:str]
+sops:
+    age:
+        - recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTWNzM0RMMXpDZnZHSEFz
+            U01jN1FPTFJ6YzBMQlhQMEpSZ0NTNCtteWk4CmhyU1ZTeE1wMzAxRWszS0NKeVpL
+            dmw3TGlvdG80TVVXUWVTYTVHMzcwajgKLS0tIFMraXVmTS9zSkFzRGZjZlhzR1lj
+            eDRubW5hWnQzdjVzRytWTW44Y2xoU2MKA2yvOK0DfKSj6U7094a9+4t7E6nFGD+5
+            p8XlMAkroS8RhdwBi//xn5I05/iJMKJikaeclvsNlvLV5b/GkCE3nw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5RzZSTFNPMkprTk00SjBv
+            WTdvcVFuU0hPZ2hteWsrOXp3TTlGdXBvb1FRCjlCbitacFJpV1l3YXMvU0xMMm5Q
+            TjJwR3JtQk9Rbmc1S2J5OVF0WXBRQ1EKLS0tIHBHdzFlN21FZHFoRjc3cHlSZ2FK
+            YnBOOU5Bejl6MjB6MDliZWpPeTdFRncKRXH8gKhKVcSxja+dhIrPBNeeV8rJatSJ
+            +ZlHQL3109Ya/V6Aq9AtEypmLld9Ech7AGMCePNLYvc6DYkDE9bJDA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2eFE4bWRPQitrVDN4Y21J
+            TUJyd214L1JMazNiUzJEb29FTmRORkJmR1QwCjIrVzZ5WllDbGNCd1c0Q09XVDFm
+            UjhudDNCZ1BWSmpmbHkvWjROMnpkb3cKLS0tIFhzdlpiTFRPMFM5Nm1DcVN3djVB
+            SWZtVWNvRVdweWVxZVlQL1k1QVdESXMKc6OdFAyEvxhf5xyBFfiZajgUkwlfMMMJ
+            4KqoZGTmh+4GTedJDAKClKce1TEQTKrf1ePP+5HhcSKOoPTolMh/Sw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUUt4ZCtrU2djKzRkN2h2
+            bHpVSk15M2lTVjRrTi9aVmpETjV3UUN6TWlrCk5rdytrYWoxTmJDQmJITVRMa0ZV
+            UGc3dzhsQlM3T29BenY4VlRqbmdvd2sKLS0tIE9HVmxBMnZOMnUvdFcyNGRjTm1o
+            V29UVXRKWUhERkYwZ0NsOUZna1ErcWsK3ya1FW0WPKrZ4gMVx9M1eAgj6lQiv++M
+            TSZmVJfUMyV1OATtg3MSDFqsppN/i7+aQAP2D0G1fzG30/1qYwCsHA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUVpUW5CTEFGUVlSeVJa
+            QVNpUE9uaFV0eWxyQjhjcUFXOTVqN1JwTm1vCmE5dmVuZnFpeWRXbnh4V0J6eHF2
+            R3l5ZFhTSitzSnFYbXEvbGoyY2R6WFEKLS0tIEwwWWcydmhPdW1wL083NVJncmF3
+            U3lPYm9EZFRUWVhualFNZHhVU1JlQzgKsc4y+hfdGB3WW+NpzvA0RH54Zc46j3zt
+            2Pak/SdxiMnHfF0cw9EP/xrGJ15IUUWvDmRu+om0fEMjg+OBOKLXXQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmamp3Uk40ZGRJQW1MUVJS
+            SUlabWx3Zkd1b0xLMFQ5Y3hUelk1RU1HYW5FCnQ4bG5qRnhQRnlmTm13WXdYUWg5
+            ZUVvRlRaN0NSSWhJV002N2pBL28yQXcKLS0tIEQ3bmJnUHNEUThvM2MvQUlDaUV3
+            ZXd2T1RmM0l4YzZKaGkrRXc4VXBRVnMKnCp42FU0vQOb9VN/+DbsmNHvZc8lH+Rh
+            skZvMvTHgpMWTdhHYFWub+CIXZfUrJfy/vSWBvDw6c81r4p1l+Jyfw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNHNsYjJoTlhRcUJ5UnZw
+            eU9tVW9zVW5XRFR2ZUNaKzlieUNmdDNCS1JFCjVJaGoxdFArU09GMXpYMVdZaVk0
+            TXpKUHo1cEdXZnpCNXpyRHJnYmRldWMKLS0tIFBnSktZWmp3M2NJbVAwTy94bnVx
+            YVlwaEZ0Z09aNFo0OCt1dUxpYzdiZEUKDHKAZYVC9ON48i9p5DZDopgm9afSg069
+            m3mq5d+aBZIrnSdwgIuvyPJH+L8clIUXcJ47QH9ML/4MsFk+d4xvpA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bm15TmhpRXg5V05qWmRn
+            UExicGhXZ0ZWNUxPTUM3OEV2U1JveGRUQ1RVCkpaMXZwVUxiT0pQRkFFSjBMRnFw
+            RnJJalBrSTR5V3IvUnU2a2hWSmM0ajAKLS0tIDJ6ZWpiVlBBdDBxWnhZT2lyRi81
+            dCtqV1ZwQVlHWFgvTkN4eTZmSG5XMzgKKAPm8crJXBvCAIgTCcpLBi74Fq/AT7Uo
+            SREKHWpC3pLtNyfgHuEhm3lCYmyZyxTsZFd/2ezAjqtQZAf29EEUjg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbVhvQlZDWXhmMXpnaDBk
+            YUFwMkhwRDlkMXhjS1NJSVR3QWhBNDY2c0VFCklMaTBaKzQvRjdLQjFlelpkY2Ra
+            R0E3NjNVV1pPOG02WnhLdHhqRytPdlkKLS0tIFBFQlpWL0FEUWNGOThzNW1RdG9S
+            V2lSdVpweWZKM3VYZ01hclV4ZENZbTQKMQ3/EZk82q4oGnFJb49+X5uQzuTji8qV
+            K61/vy40g/1f8wgpJwjvGCHx7VyzsBp4lhXiLODMIW6ubp5kAU4r9A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVVJSRmZucDc1Vk5HZ0py
+            NS9BcDlLRkpyYitmd0hZdlVOaFgxS3JyR1ZJCkVBajVBTjlWamNMNFYza2xWaitx
+            V2loazBmaE5kVWRoVWwvR2NQa3Mwb1EKLS0tIFZYNGNRc00rUGlDT2tGUFlCcDc3
+            aFB3SmpjVFVBc3lPWmMyM29URHpaUzQKguiKNjvJayezQ2tAqmFSgA8tY/6tx1Pb
+            OeB5cBtSyXfdZhL8HGYAqiIph9zbO3NId7icJsZ11YTW6XHHr1P7gw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aDJ5UkM1WENoUDZOUld3
+            ZXpTdWJjQzVhNEI4RGs4UlhyVytBcmcwbUdBCkxhNnlzSm5yS21zVVNoSmc3VmJF
+            REE1YXpFSWtPcVhzMnFGckpLZUxQR2cKLS0tIE5DWGFKNUxRZnpFNGpMS0xxVVhq
+            OWIwRXBXMmxHN09pZVcyNElQZVhFWUUKAN0Yd2/RB0ZjE0BGZnVY+bCSEQXVpZrS
+            DwsxXlldtJLVebLxthPaXcPI4UmUFYSPFYWDPijjxQ7gbRYnOsV1eA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaVNQeVd3c0JKakhEWWE0
+            ZDNjUitGaUVxM3h0UjF4Z2ZVR0w2L2xKTlRzCjhVVERodmpFVXF6Tnp5N011Tk9J
+            TVR2akpwRlBKOEs0T3loa0p1cGU5c1EKLS0tIEh5TGYrZ0c3MjQ0bDlsb3J6UGls
+            VWRsQy9BeU1rTmUxd0xwZHA2MjMrZmcKPI2g7B4Ylmbq1Z6WHAhdDx43oB/OeIKY
+            MKpwZ985JUrxwwiM0UC9DfNYaM9ScUf4l3qHFPHjh+N899rf7nW3zA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-13T09:05:22Z"
+    mac: ENC[AES256_GCM,data:Jg/J4ulZtAI7Kfeb8/ccmG3hV+2TF/5kTcwNRr6llVORVBZ0cGeJz5TvhqwHsSf3TRwgzS50RHWtbJ//TadWrYbf+EInV92mT+ybVO/p6ek0jiqRV9Kto697YnjjtMG1uJcIazWhShT4UTg6PNlAtRzBA3759tnw2aj0hCNH9QE=,iv:hu1m3GdLiwyVZDrlh/p63hGCaJgXIHuVnxzPKskj9Io=,tag:NW+d9m+eTgkb9Uea5aurSw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

secrets/default.yaml

@@ -0,0 +1,136 @@
+ssh:
+    ilouser:
+        id_rsa: ENC[AES256_GCM,data:BuoM1E1pf9srSfWWV+bIy9H/JAQIMsucJv8T+Sky6HgSsR1WLdOX8pYJSVukuMMisSBG8DJiGy7PgzqeZohrFbkaHpc7gI0S3+803pZQjILzs9kEIrpTzqb+i5UgGPNn7Q9Rk2Etm7UlQAaUSLZg1XfCWV421YeTDFnM42bLy8Lhpb5J/GyP4iYJN5osmlQdjUbzR4wWaYIofWHjTqbNo0yNdMTDPf/bVDw+/34Xx/Xcvc90KtbO/k/gWpOam/Mq/jMoaA0IcZu7p6pu3WWFlilkeBtLefLo8nDEGi13hT2KxrB89npTNWWXf4sejQxkZgp8x1FxA8LH9v6vRunvdBRNTw/JjmtxaF8vKfjd2oxaKztLA8NROYQRpavqv6/NGlyBCU+yncq/E5dl51t7BwDwpSUvYvVEP20qH1JBKtiyuHlLOTOwTJtigOE3EuNxuEViz56Q0tVpQOcPQuSRmwdOg8hMZx/HnaDv52JVxeQHdF8jpzz3E3noB1AbRIAb84XXWVo2QLxFb8W8t5ta5cdOq/Pqte5PNXfT+2pjBIOlfg5mzA9kjH4QOZaO7zBbMj/ZD480gZY+kUMgeXgOtoLSZCPvdBbSjd7Lsd7xYbZSk6m4jOtvbTzpaFX8ZIT4ompC/+G84t3HyxE+UUeBip7mTeOJBCc1WjguKSzdBMmYZUxJAGMmWJ+TQDZSFu2m7bMmLGTgya5isqtcqGN5cGcICxIfOVfuoJ5T6vO3t2ZdUuV2U4+gfCYhtEZbsT/lhgRC0NlMWBhowCRpzhowYLHHGqmUfl5M+JTCAOS1QDmZvaGVc8BC0WWkc+162NGME1D+GRolHF44TfB5IuTQ1cfrv+VvK4DIsEslleAMCxqHPPQPGpCTcCNfe/3Yylkl/Pmogas2P8Q1fyGVTZCsS2G5wugptt8AdfdM+tvmqzlyponw3lNKe+mj1ehunJ8V93ea95cdmVikM6OLykzSrbxsejX8EgIQ0BChAFly38ot7YcmqgfqABCGeiYwOnL/90EuRmYRaMuUihbiRVzGPd5oc0OKDj5xdM2Eq/VRaODCFuhmwK5eLHB3tGab2Bin/8VGZkpWjQsd3H/UYRfPpJqjnhI3/dxD619ouZPfsTfQCVnBaZMYVKzpmeb3geNMeV1h8cDxNsAk85nAnG6RUF7xlqmgF6yUZ/vFtjUq/vCoNHsKvS5sSy73LPXljrVvZyG2K9P6dfTR4n8yYGJCoj95ahCAD4djsr9ylRzj1YTFQ7XdZGxw3GML7rmzuMS/Kk0qMKNYSlS9ru0yIL2baZmntjUKjcl0qigzO74bi3TxyoylmxXA2/80AcRU/fWi0t9g9aTJmuVztPiRQpCLsDzSS/xTjriwThx6v7tgmVwO05SdlBQ5Fk6R1nOsC+4X35l2f6pWJ91nlkfimJM3mY/MZDxWusfgXcS3SBswj59n7zX7AwykcX6/XHVWg91EfB6sRUZyHWsMxwn+i/P5aoIiO43leCD9KX5T0KjRAxa0DG092zM6pRaKEJWeBXTgcFTS5AQdMLVlt5GBHBHw2Slr6SMsUo7A1ycJqP7nw+YdLje86h4edfvbAtowhaBT3WPFoxbtAoBWqkYPgTGs/AiKRsfjecypuCm52bz8VTiw8laRkYFO0nqyYZBm4u2BbVODS6Ji9ZxNpjN/NIDh/5ffhQ611iwL2xgob/yFrjqaRyzPx1DXseMO+Lc0TMEhdSVGG9i8fTJXN8VasDDHxWCQD/ZSyERGCqIDc1+pZBjwABiECsDtQy3DI+oQ3UEPLOFHGS95Kc5+KKij3ptvf61o2J6XKEUY0jqv+puNvmjz7jqsNBY+S524G+06zzcvXsUnWQ3o1lOseFDSl4ZV+a2GiRA+AHj5gSKXTNVUMDsEu7E+4Sg1WVFKLw4KgZ0KubHYQYz56QLojv2TUL3NrK1mUfdn9jeJ01L+CIMTVjz+4UjVI/AZJA370Le01pl0ZMxaFRa0fep1Pa6MikTS7SO8NBtTtbOI2Dt/hBrXpzbicfRU/2pNJ8hEn9in0eXkZ3h0/nHm5J/OrrbVOdvQK9RkF9J0sdgmLtnAxdQjKK7r8Tg17q4vefFRtTEFPz1hV8sOrNXJZc3GRnvINE/7CVYdBQZuq7Bqze9WS+Yqzo2Z7T+cgpLTThBWlL7uGRsNcOdxQOctvoHCDFMV+9+QSH9Cc55Jdbd1T/clludubmyCJLvd5+25haXtRNSivJ/qB/ZbaZq/1PrJw2rl9XuiTczVrG/5Gwpz7a7PVrP8ydIEoTAglMdr9WICKl2cqHo1+k7HOFZluJAugNTV5aRwCvb6roKXsENH6TE68RuiYI8GXD/AzrY86TADCZroeQ+arLW+UuDqQfsnJ6MM02NcSOriAqTbwikGSzNIwkOiuZmwc5Y1pVqe1pyVDf5gN6Q=,iv:IDe6vkBvgAzfxee+/odkLk1TLZRghVEf8hqH2r3+V9I=,tag:OFCA57fQjQxc+CT9DOq+VA==,type:str]
+        id_rsa_pub: ENC[AES256_GCM,data:hYdf7KifFqkHDa8UF1zvhirc2AkrYpL2VrmV2IJjHzzgbrJxshdA629mTXwXwXORbLwNcMpRR7DFLyHCRDu5cWsxluZ04rNU9sJFmL+6pPUonaa4Wc+9z5VysV8UItY/BZ/5mOMQ2ph/wMQ3pkFnBD58vOFOYsmZ7OCir5dQZfm8GdGDX76bOlOI/CAg/LtwFveHK4trY3EUkxbJQ1soZdpm7ML/7bDN52klaS/EEgwk+FJrNAcm8M+N3kMSZoJyJW7c1OG81d4G84tryt2fa7s2HGT79IX6h4wI0GGu+bl87MgmFC48KdvjPdWowfh2QxkphSLduYQ4ss4EQYgJrmkQznQtt67acCFxNrEyE5psSMQPXtgAbwV94xeqtc+QHzmjHAwICTzk7Q4sFF85cDV54ZyoQDYdfubjpJ6mdE65dftN2eYD/5ywdTq09vRpnlh24PTrp7nn4H+Yddakv5KGhQOnj0p6JHNytXEClmiqxANrsYyhKvZe9gS+5w1RIcrsv9dHr5uL7Q==,iv:PQiVjFf2LlOKa6i7V/DcxYU54m/AbJGwTwUmA9asKI4=,tag:y27R0sMuOno0Al9iD3+MsQ==,type:str]
+sops:
+    age:
+        - recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OURyTktBK0tLUFNvK3JV
+            cGZ0a1BNOUgyZHgvZlNEM091Z01pdlNWcHdrCjRyV2Vlamk1SGNGa2lOZjFZUlZW
+            NXlSaFRuUkVkV2ZWcm51N1ozbGp1Zk0KLS0tIFA3TmNueE5hSGxwZVlXeW9mOXZG
+            bWxNZVphblFnV3J2RnBnRjhIV1psTUkKvuHFAmPg7AgSgpSv3cRDDSYRRiG2pWIv
+            qs3gUknD2QAuo1dBGol6p3lzvuGNYaBLML9tgCgN60Y66RVHR1zEVA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1a2FqYXZpWmRrVEhhazF2
+            akl3RjErZDc1TVZNZnBCQ3F1a2szUTB1bUVzCkJSV2F1RUNvR3FldmxnbEsyejB6
+            QU9xTTlud1BrVW1WQ0RCbFRhVCtiRW8KLS0tIG9UeTg3d0pUOUswaUdWdGVscHNM
+            NEZFUS9sNVJXSllNdXhRWDFYKzg0ZFkK1jEL736B5stLQw6BLxJmm8Z98uvD2qGZ
+            O98ByT6SrjQnYnr/8u0qY7dQ71ThzB5v3LSrk8/x06CzLmpAYgc6IQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbjh3YkhPd1o3M0h4bkhY
+            dS9QV203STh5OTF0Y3k2VEdFaFYwQmJNL3lBCkg4UnN2NW82a2F0a28zQ2h6Tng2
+            ckkrb1AyMUZ0UDM3ZDgvd2FWSTlCTmsKLS0tIGc0ckd1NW1Tc04zOUZhRjlwYmMx
+            NktCNXd3WE04VzgyczdNVVZ4Z0FIbk0K3999tMUUAerQhWeIST5W9v9sahnl/bub
+            Wh2wQPSC6pN6t60CMrs4N5NgXhXG6KADiWi9oMwR18RAqwQTRVKRzg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljcy90uwlfngc7vqwlf2x2ckgsdfg90c0r9yvjzpl90jkwf9g48q2leudt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmb2ZIQlpNRmZaczlGMWFT
+            aVZWYmJ4RWxJYkJ1YkJhYkV4c1pKZGVESzFvCjh0d0RPUHNSQThLQ29vTzloRGJI
+            cnNQMXpTVUs3NjUzeGtGbTFDMUE3azgKLS0tIHM4cS9GUi9XUXNITTJsakxxOXhk
+            U3hNMjNQNHhhTTRTZk9EV05FMEtlSlEK3zLfM19AjFadzWzcTbvmUwQnL0yG8A6K
+            JMNzwbUvPqLIBxniTuSNRHceCcyPvs4vnCRDQPeEIHV6r1dGMV90Gw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vl9q7u0jkzjpdqrmg4flvz2f7gyn05luv4ka60hu5l8yn4m6rujquhyc2p
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3TWN6WEM4WkFqKzFoVkZi
+            K2hnd2JzczY2YStKcDZjd1RPNGlRVklQL1U0Cmo1VTNkWnVQY2tSNzRBY3JrMW9x
+            Smx4STlKMzJGQUdrMmpXVCtYekZmWU0KLS0tIE1ycnR1MTVvMUgvcko2VlM0NEUy
+            Nk1vSWtQWlJWVlNIZEUyOEc5ZS80QjgKqyFL4+3Oqx92nDGJ/D8/+RkPmHZ5R9Yv
+            HXlyUrO+tmbSU5JkBO7tSZ9Ho89Imwf8b6r76ZozHOjpmhSL5RBvfg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3S0pSVFdiMzBFaFZReEhY
+            eVFWNzc4eno5Zm1ScEpSUHNmeWVkaTdjQnlzCnZoS3hjeGlyUmd3U1lnc0xOUGVP
+            OXFweG5YTGV0NDZucWpuZ1lybG43dEEKLS0tIDk2NVZHUEtScklSQlZBQ0ZCMFZ4
+            N21xTTZpRm81cGM5elVWNnk5NU5PTGcKhfvVyHzhH9A1NDoyHwBAxHy5Dj8brkt5
+            280NVHI33SQ+R3mgdAcFB34jJW25ntq9Jd7f8V0FeqelGCzHttMy1A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaVHhXYnhkTjdPT0xqbE1D
+            LzliRGZzQWpiUFdmbE9LZktLN21GbUp5Y0U0CnAwTFlRN3M5OFpKNUNJNTlERVl0
+            MysvREhWdkZLOWdPODh2dXZlclRHMlUKLS0tIDF6c3pUUEh6bk5YeDJob0Rham1S
+            TlF5ZVp1Z21DU0hUdFJLMGNIRnVxZE0KGl0PT9mmCu+8yf2K7ADpeALk4xNG/Xld
+            IG1zlOPvAmmApoNKOx4FOlBVO8MAX922WsUgX6OSyw8U0PjdRn4rKQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MGJTd2cxRG5MNkJSdXBo
+            bXNuZXdPUDZjZC84S0g3N1ZENzIvWWVOaFN3Cmxpb08wSExqaTNQQ1RROGU4bk9h
+            K2lXMDhuVGpWa0NXOGlXMkxaMzZyWkEKLS0tIDUvckRYWXFhdW1wdUZlL083ZFhH
+            TFJtcEdFS2pPcHN4bjd1a3QwcktXTzgKy7mTdf495H9solOwE8qJgQQXg+4HYYoF
+            6ytA/0bA+UlDeziHS4opnlooXcyQ6isMUoi9+F3GlrDaS9NZx+v5vA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeEVoR2dscEg3Mlk5WlBP
+            UHFvR2RUTTh2Zm1UcStncEUxVnRwamM4eXdvCkdWbWcwajFXdkI3S1pkT01sZkoz
+            U2pYdDJ1Wmw3V1prWUh5TVhCSUtlK1kKLS0tIG5XUjhMak45UzlXek5vTDZMN3Nv
+            d1JJc3FvZjJadTVUSXJzWVQ3ckxQSVUKQ8Bw9tQdlgrH+e4QrkFhx9AVz7F6asDZ
+            rblgfXuYh+rnoDsuMh6gUciA9WDXBmlPgs09ny4T29T9uGwLjPnitw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1TndrMmZMOG5tT1FnWmgr
+            OGlxek5ndGxFOFdmbXhKTFZidzRGS1NVWWhVCjNFK2U5bTM1OXhKcTV0Q3F6bG5U
+            T0xnYTloZStMbTBFTFovdHlBU2s2eTQKLS0tIEY2emp4ZVVDbzhLbGxuOUx5VG1G
+            R1B1VldGM3BONUoxUVpDeGhBK1orQXcKPHvqPhOE7j687dBQlfuTdsLIr7t8HzX+
+            IWOkgUe9Lu+ruHmx0FbDsLlqJZbZOVisaWGD7CEm4Ku1ZnOSejFZcw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1K2x6VWx5TUJTcDdEbExr
+            V0t2VkdOV3NuUC9nUStZM3JwdmRqdThyUWtzCnFlTm13OFVlL205L0dPVzVrRlVh
+            b3BTTEFwcHlrL204alNlU2N0aExjVW8KLS0tIEQ5ZWpCeTMwNmpjcGl1WmtQdkNU
+            TVJBMjlNaWtHMlMzd3ViaGVpMERPVncKh7czaPxra9mRidJgrfaT0QWFU7d1li4e
+            60tD8Gkaoshs0KjQt6Vs2OrW5cJhMkBnUv7kulEEvn+ouukZOz4jTw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbnFqcnE2bjNqVmJlVmNR
+            b2huRnVITTJOU3J2bE43d1V3VzZiRUc0cVZnCmRoTU5YZWQ3TmdZN3A0WUQxZHJr
+            Tjd4d3FkNHpPSThBemc5STR4VXEvRG8KLS0tIGdSZFgvL2c4MTB2eml0dWtWQVVV
+            YkJJT294RWRsaHlrYThuQ2RMa3pERkkK0G9ShhLOZVVjGinlUyk/sc9OjWmukLgR
+            JNTFWAePS/k1O/bO4Myxc9wX4R9UrZOpG/Q6v66ilNOApWD7i/2eBw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUUJzYVBzLzlWc2QzUitS
+            M3JrSGUxcXV2NlA4Q2lDVGpCU0NnZTY2Q0RVCmZ0Tmp0M2FMUVcvY1JrQmoyNk9B
+            VDFqUUlQMVJ3L3JoaE5ISDV0YU5ydTQKLS0tIGRjM2ZxUzRMRGxzL0ZBR0F2Ti9Y
+            Tnp0djVFV0hPTkJGYXJSTWRHdkUzWVEK2bWcz9/qrHjAO0FWzjwsuBnZMm42XzKl
+            h1tQwqF7A3jdcezZXYmOn5R1nJX5NTXLySgPZapvOhrPmuHZk4UULQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUHlzOEtpUnFoU0VmNmpl
+            TDgwdVAzeENBd3dvY2U3TFVkSy96Mi8rVERjCmhaU0hpeUR2cjh3ckNKVWNtaTRG
+            STRpaHFGWmU5TjRFWEhabWZTaC9FMk0KLS0tIHBsN3BxNXRIQ2ptNHZjQ0tlZ2Ro
+            YWttOHNEeDFTemh2OFEvNGNOZmkzeEUKL9yGY1L35y+ZIFyTFKyvgIirWSGe5lkT
+            jYAPmt/RJmskzNBQdo3KGnPKqpVK5nEBUwmzKVre4AOOSTYJ4ER+0g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-31T05:09:48Z"
+    mac: ENC[AES256_GCM,data:VP4URW/zRZFa4A3Q0gVzs06Zre+GzT3DNcrYxOcktgR1ooyvCjPE6l5t3Jf2LvVanSuBfIQMP7w67OcBar89QqGjn38E6V/U5Lyj7hHF9AtqNd/3l3P91xt+69UBOEqhZI0oASrTA3MKAZVeg6kWtU7YWajPH0PVxOsxMHeD9g4=,iv:LciFXM9JdXwmR56dgO6OskfcGauy8Q5gYIKZH2sES90=,tag:VJbexnwD+N1mGzADfXhp7g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

users/apollo-admin/apollo-admin.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+let
+  sshCaperrenDesktopPubkey = builtins.readFile ../caperren/pubkeys/cap-nr200p.pub;
+  sshCaperrenLaptopPubkey = builtins.readFile ../caperren/pubkeys/cap-slim7.pub;
+in
+{
+  users.users.apollo-admin = {
+    initialPassword = "changeme";
+    isNormalUser = true;
+    description = "Cluster Admin";
+    extraGroups = [
+      "docker"
+      "networkmanager"
+      "wheel"
+    ];
+    openssh.authorizedKeys.keys = [
+      sshCaperrenDesktopPubkey
+      sshCaperrenLaptopPubkey
+    ];
+  };
+
+  home-manager.users.apollo-admin = {
+    home.username = "apollo-admin";
+    home.homeDirectory = "/home/apollo-admin";
+    home.stateVersion = "25.05";
+
+    home.packages = with pkgs; [ ];
+
+    programs.bash.enable = true;
+
+    programs.git = {
+      enable = true;
+      settings.user = {
+        name = "Corwin Perren";
+        email = "caperren@gmail.com";
+      };
+
+    };
+
+    programs.kitty = {
+      enable = true;
+      font.name = "JetBrains Mono";
+    };
+  };
+}