Initial redoubt in-situ fixes

.sops.yaml

@@ -6,6 +6,7 @@
 #   nix-shell -p ssh-to-age --run 'ssh-to-age -i ~/.ssh/id_ed25519.pub'
 keys:
   - &system_bastion age1up8uth9hwtd9gup3v32l8dypdarj77s2lysm8js8w8mwa80rk4ds76ke6d
+  - &system_redoubt age1ftcr6legvdxc2yn2zedqqsxaax3wedxqw5ad2k2f0m4vprfc3u9sgxty7t
   - &system_fortress age1fraz2lnnqtcxnu6tnjy4f7y9tuc0fnqekzmdynnhtt0h8a230v5qddpxdu
   - &system_blockhouse age14j6ns297c49wx5d8jddctfmek0kvn8rvw3y03nw3pankc03dlpuqhvvy7c
   - &system_living_room age1kmt2khucyvscmwvrjnt0v90zggttuap9utx7rw54g9amhtrkzdlq94fe4j

flake.nix

@@ -57,9 +57,20 @@
         "profiles/base.nix"
       ];
 
-      # Allows for remote deployment via
-      # nixos-rebuild -L switch --flake .?submodules=1#HOSTNAME --target-host USER@HOSTNAME
-      #nix.settings.require-sigs = false;
+      boot.loader.grub.enable = false;
+      boot.loader.generic-extlinux-compatible.enable = true;
+
+      fileSystems = {
+        "/" = {
+          device = "/dev/disk/by-label/NIXOS_SD";
+          fsType = "ext4";
+        };
+
+        "/boot/firmware" = {
+          device = "/dev/disk/by-label/FIRMWARE";
+          fsType = "vfat";
+        };
+      };
     }];
 
     # TODO: Surely a better way, no?
@@ -290,8 +301,7 @@
             sops.defaultSopsFile = ./secrets.yaml;
           }
 
-          ./nixos/features/openssh-server.nix
-          ./users/lauren_lagarde/lauren_lagarde.nix
+          ./systems/redoubt/configuration.nix
 
           sops-nix.nixosModules.sops
           home-manager.nixosModules.home-manager

sdcard.sh

@@ -0,0 +1,6 @@
+if [[ -z "$1" ]]; then
+  echo "You must specify a nixosConfigurations target!"
+  exit
+fi
+
+nixos-rebuild build-image --image-variant sd-card --flake ".#$1"

systems/redoubt/.sops.yaml

@@ -0,0 +1,12 @@
+keys:
+  - &system_redoubt age1ftcr6legvdxc2yn2zedqqsxaax3wedxqw5ad2k2f0m4vprfc3u9sgxty7t
+  - &system_ll_latitude age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
+  - &yubikey_lauren_primary 5F78261B65C565041662A3B7FF8FC3C735BD4A51
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - pgp:
+          - *yubikey_lauren_primary
+        age:
+          - *system_redoubt
+          - *system_ll_latitude

systems/redoubt/configuration.nix

@@ -1,4 +1,4 @@
-{ ... }: {
+{ lib, ... }: {
   imports = [
     # Core Features
     ../../nixos/features/base.nix
@@ -31,6 +31,8 @@
   ##############################################################################
   # Services
 
+  services.smartd.enable = lib.mkForce false;
+
   virtualisation.oci-containers.backend = "docker";
   virtualisation.oci-containers.containers = {
     dozzle = {
@@ -53,8 +55,8 @@
   ##############################################################################
   # Tinc
 
-  sops.secrets."dotspace/fortress/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
-  sops.secrets."dotspace/fortress/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
+  sops.secrets."dotspace/redoubt/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
+  sops.secrets."dotspace/redoubt/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
 
   systemd.network.networks."90-tinc" = {
     matchConfig.Name = "tinc.dotspace";
@@ -64,7 +66,7 @@
 
   services.tinc.networks.dotspace = {
     name = "fortress";
-    ed25519PrivateKeyFile = "/run/secrets/dotspace/fortress/keys/tinc/ed25519_key.priv";
+    ed25519PrivateKeyFile = "/run/secrets/dotspace/redoubt/keys/tinc/ed25519_key.priv";
 
     chroot = false;
     settings.ConnectTo = [ "stronghold" ];

systems/redoubt/secrets.yaml

@@ -0,0 +1,51 @@
+dotspace:
+    redoubt:
+        keys:
+            tinc:
+                ed25519_key.priv: ENC[AES256_GCM,data:A1Mj99Mn5m/2scHWJMDk27mfskIJVuIoEC2F/1R/Kg/Dpfl2lMaO9hBeMkGq2Bq3aYvMQBxhioXhE81XSb6Q2cXtvKlAvFjURJ9zQgW8JBEnP19lmgI97d7pGW+nobuLB7x3Edstw1FQBgSSlGqjhMTw3DTkTL6C8Sp1JqQrPRrO4yDojGAqBtNQk5yf/hfnTIUiIjkCSIGphGAj8+YpK9LlwYd6BNWsKx5XmsErTC7M+5Qjzj+qS0sPtS2KaByHeBSRUCKKSg==,iv:hvy2IqDDr7dxu7bBJysSddWlFFE2aQkFynBNzgaupXI=,tag:9PGAbG8TY0dULcCXYOw7Rw==,type:str]
+                rsa_key.priv: ENC[AES256_GCM,data:EtpCozVaDnTse0lqZLpfP9k7/ofzP/86hLIvdwzh4DuIjuL8t9o743jPLO9NzX/xs8RxSuxoZ+5oyYFGqSVv9EaegbHolqyEKimKGr2I3B7V/V5NFmvq86WSpd5Qe5TTw9iabdLlXJTYiUrMcSiU/TsKLHr8SD9Uh7EMyQqx8++cVGdUIIZvxJMkN5lz+IGBmHbeRg/qTkkITG0kpE5GhXamMIaIYgWmGDtN/aHArMfoE6ztn9m7Zqa35gjZLCTeD+0Nb8SCB+E0wH1RiAJz/n14xfnOqdQNVqNckVAj1ZRO6QKKbKvm77mDYIKSTJxYV9VfjpuU3xHQI+2zQRHeGSYGiw2iDeSpfms1o3D3Qx3DI4OKzooCCO0aEnIy93QCD1VOQQhi+0RtHgshibGNlOUiicvwv24Ql/b3joKXZyiNw+iAoiFiuPGNG4w8O7M97vjZsj7ZFdyOioNTJh9HqDxPhKZxQMB+A7R6J9CfRSNYTQNrHseK5DBoe0mjeT9as6cbaPEPTEUu7IalyZwNTddGEcCMRnGRtS1M2ZGPTfwuO/izDeP+JscI5S69GBSraHlbnD0zXbGSLRtUYPwkVu60QpiJdHrUqpGdj9ob66GMjvoydKAsDtucXsvR0jpubc60LQl9xG8gsA+vFzxIw+tBzarvSAO/nJSKIQUGLs8wakuxtQCWoywFrfe1Fzshnz4w6tHIDTolR8lRZPDiTysuF3gHWOEiEiAOp0b5zHeCqBP26JlmwfnRuJ6VLBv14f61dcI3uwBxdPUmUg85f3w/Dik6So0fxd8tA1bkHAlvFY/rBJcxaSBjmf88cDjBERq3i4a0iJoSjnB2Q3j/F1SRiuDQa/u5LXDJqCEPfbxnNAlp5MTmE8CfWFdnbKg7nJ6vig8HBXo2SaJ1hWCDAFmAhp7FKMa7lOjGcjRxEWO80q0dkgTY48wyN3rrEmgriDEHXDlnx+BIGeaJ09T/0YV5LzpwvF7R4AhbTfBmkGVSzhK2MZGdzfhiXufsA9yAWi+wfYQmYXcLL8tBR9P8Pqa0Vq3XNKZ7qanCQQRcSeEmWMdsDEGbHz9EdOwQ3RezzaErJyaCPr2O3EZu1MAJ6l9sSiqXsKVyL9ji0YTlWY7zFo/cfLYJKKzbqiFimUdoh2fQV/zUgDuoFLy5lvJ5z++qmD0XTezCM8cclBItaGnRSwJvB3QLWVbNMsNrJXhmSv5j2ziP2oVNz07LmVtqW/T1oAlyyaotxMtSA/8z+ual7PxHNXRhVfcHBNGX7myEgKKmJaC7verfUBiOd3sbOlod1rtKNtDOGPphcoXNNb9GDnKNHNm71BSkiyZ4BdmcGkPh94o4uhUaEpgjFfnH+8nyxIQSOuK/LqzHc4CXOkURsIIk5xYQo/CrPJOhu3WgmeFGyei3VnvEUU6c50SJvCbHMIIyzmDy0MwZNxj50HQrdQfh1Rfwr6FXXh/6/Kn8tDuro/wgUB2tFkUiWD4XUPDYJM9gxurKLGo6KTWByvpx2QKjEJ13HwVi030YUXe3owbSGc0dw+kNs2yO7/hzi+VRdBh5JDpQyCQ2WwjV4frvu+sQjcnjspwa8pqO9KGEmAr5eS6D2LSukna4md9ffFulDdyLjzozIy7l+5e2CWmMelvmhuP7r/w5+qYCKRd6pclUDky0M3a4svX+F92tHaeEtLQv/DV3ZrC0BW49yhZkYnq1xBeGRXEf/MDRYMnBA+8E3gk17qzdV3XhYvk/7UKHIqkI8yYpm0e+HOJo9dC1wefHZMn2y3RFnF/cR77A7Bq2qYzbNN+2oiXLT/o36SlDAtYZV4FMOOS7TVmSP6uKMuUjcoY/pBX1ZYvzE08HCLkXzGUUD31Gl7b9p/zWTchfiNQfipnxycAQrBwND5g7b0Z14yNRsY2tUcyYzOKzQ7j+Odh0RwejS1QXvZ0qXdtUKScRs4Tb8ZeftTXCjYq1ZgQTr9D/Tk1Dggc7OPPM6OhkuZHxd39JTtKmLMf97OHXzt3VUabivPYrvdm3+ucXFferM8r9geOWuMXNO6BSi7YQ+HP+SmeOwbWSEEyLGO8EHcLgMAe/P667ZeWlVGiJgE4I7SS45U729JgESWYS2HWEeWa5/d1H99vylw8PrYwRogKhsh6s+Bft0jRZY7AjA7oH3FeX53byc8SWnnGcKaGGfM/QbOP7I0WU0eXFDgRUFCIuaMWAsGAI1Uh3hqI7Ef3kLvhsXbjlM6tTyG/HVqxPCaKcA+rS07ogLyi6UCzyyDyFtwY9bI1VyNJ+L6e2Lq1qQ+K1mp/WP1HVoAJoTHRKkAnxLlLSK/famPhLZo9W/+biggihQQ3FCRpD1czy4gLoyvTDwuZ92NpJW8yMC2d0xsko7I1SOAUN12sY9RvGAnNJYzsS3eGwlHR396fWv+Cj83nWivD+3IOAHd5cvDlQplfmNQCVZH51x4InEfI5Qrm27iuAUGI+hUS7+Ies5z3t1ZXg9vAtm20lgpeJFWt3GAtRE2PBCnlwmxO2DnfUtIqL6BCD47b1S77fGMrcfNtXrCr47J272XexYTjvgqScsi5xURNW5OPz8Yqnb4XvmEr7EhgaPeOfGbMR4EBMEzw4o+1lHEWUwsHtCYuDb1k0ZsjC69yl28ihH1KRRPtj3lwsxj1H/NuPmsfScT9Vyh9ruXNwr5JMf9OCjBv7pTpJV9jpwDI+fCunvcq70nvDQcJH8zdVdAkbPlokT/vBUG04r4ZL3qkPTs+I783R46PiuQbXNDuevNrq5UMaBS6cgkytaAqeMzk3WnxYujwrIoqMSI7zqGMJO3Fc/w+DI3ON/XpH/LmF93/AUI9O5hiN5sd1tLcqZqZMhayzSPaRGjymUFj7zt1a2qASgYeiErThT3yhZnijjxM1fiu4rKABRX6b7hf4q8ZVHZJF5iwH+S0p3k3YuR6qTMbQR9LNvFNz6I9y+YBj5lPeqc8Z239cJNbqqpG/2ei3CJfgeScduG13eHzqLxV8NBcDR3mVade9s4W4Q4XsWb24ejgRsmaBA+/FlY/NW2HO6EMZ/goKnekEeOeLUx5+bSZS9OsO1PFEXc9pGI+jlPDzWWOKKMvAZySmVu0qcrtKryEtS8W6/I+kEc3T4I5Yb9HZduCtf5tJVWnkP2otJ2BWJLul7hHAebInmsnJfGCaLXBwqqXQ0zTfpotsxeS2xvEK3BBW+hfKpAFMK0ViXYfaqLO7zUpJUmg38J+ISS8jrn2wb6ns/831ZXf0VVCQRzceQj5MCqMroBMj/yyXke9ggDIPysXXngLpVtxsE+80DR0pCfU+eiaOLGAWPLOTi2BulkS6nAjodz2R/szpkUfkAGIpHybNQe3gZItIrtArWVoW8d8fq3dARZuMuaRFisToCT0EB7dY/XCnBCWc5gsPFr7s8ZCp4q9ygg+xHN0p5S66Iw6nu8S6c0JQHoYMDq2+ACyIcb4wHiAe9JYKZsZUUdjPDiZ1S/rkAplN+rTxpEGfwSxs45LL4PkoQE2SXAezD7o9NXarqKY9QsEL6d5buwWN59GkBjQTQWCVSqCEim1+V+jjYgaJ6S/BYqNpVIGY1Y5Wlwp1ri4RGjIGc70aZC7iv0dTtFP7/5sKtbZ6ByeLRbE03nwloBUAzUGJQwX3r3cFtIny264PLPf9uMe+heEl62OceZJ3IuuWu5oLA7EohT327ArS94k/ZV4UovEPHddh58i+D+XYAeeVhsaodqGGnjR+Omzhrf0MACLqiu+5h9JdqmIiUjcrFEmBiMCWK31asJIXUnEgREEXLc7xAFm87LrjqR73ZRUkeDpxeBvgtpqx3L73XhqAgM7lHaxITA/ECHzwM7K6WJ9ztrt4qnqhcR4xpofXXlfZusVM5n+8LKGY/71XOXJxJl+QEW4AfrkWqCmOvL51QLqMKAz5VNZZXri1PPd0OFYoA1rm/nY0zsymDVVrtzaB8UuULRF4Jg+KgmpFnsJgkwIYp54ijLUFq149cfY4Pi1P7QWLDqgSf5i8xIYnrUpc1zDyvNR0MLevrAm43a37D53LHb83OZdJt/sz2xmWdUyXwvcxBjdRYaKjpzoj61x119Mq/SIpJQ0KVQhsuvqqu1cR8yGF5kgyaVU2oYLnPtMczdomSSW+fQP0osXg26z24P7iYe5A/FmJ+q/SzmS2tiyN8TzZhT1WN1Jq1eHZT2ScQQi6STXyrq28y+bnvJ4iEYL9FQdVvWsgHGd/0qOhuOjaa7VTCWfVFpZ8dwxF+N9fkqHBfk5xlLgVbYmSzG8iHr2rdRg+WY+zWo/0+oEqn6pmE266ByQENPM7GL4k8vtNNqI=,iv:0Re9wGN/HyePQyLUV2wZUDWFcKmpzJQMEZCTfmYwNoE=,tag:9Kakq55ORx2QGNpgT9EeqQ==,type:str]
+sops:
+    age:
+        - recipient: age1ftcr6legvdxc2yn2zedqqsxaax3wedxqw5ad2k2f0m4vprfc3u9sgxty7t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaU1pPZEQ5L2VkWGpKQjlN
+            M1hmOEgxYkdnTHE4VUN4U2ZtOGU5dGdHUUJZCm9uWUVKWHAxMURqNldNUVc0YW81
+            cHVYTFcyN09jbXkvYnBVYmhvdjlFQUUKLS0tIExvZmFZTzE4VWJKY0N1MG5XTysy
+            ZGNuTFBvK2hrR3BXUlE5Y09IUk1LU1kKhdpXMrrPlQiq6X4OFPLCNZvIc3j0bi7K
+            En/IRlCLkPiJ0PKXqH2fpxu7N00bGut8AIUmjBEygIFNVdoV9BlWAg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNWmhaVXhtM0Z1M3g2OCts
+            WmRjb2Z3TC9vUmtIUDRadUVGZmZ5MXF2SFVrCks0d1c1eGN4U3Y0cGpQVFhXTTNI
+            aUxkY2xVdVMvODRDQm5yeEVDdHZ6ZkkKLS0tIE1hVFJYYlI5SWtYZkFzL3FRVEhx
+            UUczRzJzTGRLRGdEaGV3YWM5MDQ0TE0Kv4/L+U4q09yVrjdobqi/BrNTWqq49Frz
+            vZ9GHgHCy851Sa5cUG+pcE4qInhoZWwF+6PeCMtn4cwQMYluuRPC6w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-10T18:09:45Z"
+    mac: ENC[AES256_GCM,data:HyDoctR7+KBnZBp8GLYuCgfusrbTvqlWmToPbBO1B7g+OnaozCMf/IK7HIVJ7MgN40mZwjoZ2sw8wtVxDjKFQ5RStgWVM/hGcNDCpLfKFe+I5qjAKnROM9XeKzUd6RLq8uCdGPpPbM0jV0x3BXEcZaxMfqDt1ySJWYAY1VvtO9o=,iv:SlSRYwHjt+dcfM68hHL4Cw5VjXtTDxxpx+75FkFpRM8=,tag:tvyH6lr2jF9eZ1siv+DuKw==,type:str]
+    pgp:
+        - created_at: "2025-08-10T17:57:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA9BR1U1EkAnnAQ/9Eo6n04z60Jvj3MMYl1E0Q6Dyf6ZA9Y5X2hC3Yg/6lHQP
+            LliKAM8CwZ0RFeslg9fPyVO2WiYqF033UVmCVwXW1cTl/q83gpe/8ypVtxFJZJ9i
+            M0tFlaJPRHnw7acD1mIMjn6+NTv2NnKE0UsW+MbZvVZx1M6qCWyiJeETxIB0sevk
+            hbX7ZqDeOaMDWUztpDQ0fXx1TilEfAN5ud7qd5WsJhhoi9vU/VygfB+wBScMPJ4H
+            ycwNOSwcWAyqOIsLs3h9oxiOCIxnuKw6DUXhKM2xhDcI6neT4IoazrKYyUn6ZQd8
+            y7hziA+kFiwPnvTfA3rEn3/a92MV+0jvVgxMeWOr1Iw7xCD2Lg9QbkxNlxlMyGzK
+            Giw/uHU8gH5xhL4pkFz7q8FFkpl/0xnP4iwwb+XSNlzljJtTIpBEGddEX/oF9nPO
+            lb2jeDdBScQjUIF5txbe5kvMjqyzKuqCJUJwfZAYPURY0McONVG4kPrerVfvt+vz
+            Hv4qLwLJiNoyiQ2Emdi368hy3o+ERthLATdb9VUpQTr2TM+Jx7LNmevAO8G9Xxe/
+            VhADFCd/slkIdql7GZuLDwSxnB5c1O5VkCMAAd4HHNzgaXaRKyLwLWo2DBkp5gYE
+            ASoA1SuK5RwAS6MemojhsX9wJdXnfPevMWVn4Jm3Gu8u8B4M4SzIQ9FklglID9TS
+            XgHaHxqOOa3B6fvN/82nCpxwe6baVSg8WHQxd/El7fb7v52Nm949fjt+1mly8hUc
+            PMYWL2SuFianFbe4jyq5HGMiZis7obfb6BOLV5T68jesH3bPbAWjaU8b9+hF/Mo=
+            =yuNu
+            -----END PGP MESSAGE-----
+          fp: 5F78261B65C565041662A3B7FF8FC3C735BD4A51
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2