flake.lock: Update

Flake lock file updates:

• Updated input 'agenix-rekey':
    'github:oddlama/agenix-rekey/69ed7833c0e4e6a677a20894d8f12876b9e2bedb?narHash=sha256-cCtleJZQY5eWPYRGl5x63BZ2rfOik4pLveCveH%2BtmvM%3D' (2025-08-06)
  → 'github:oddlama/agenix-rekey/c71fc00630b9da7b4c61be4ec20b183990da4cda?narHash=sha256-ITukwc/nWVjn8bEZ/iBMAhbuwHFnm%2BzfP%2BC6UyFiFrA%3D' (2025-09-05)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/ba6fab29768007e9f2657014a6e134637100c57d?narHash=sha256-kUb5hehaikfUvoJDEc7ngiieX88TwWX/bBRX9Ar6Tac%3D' (2025-09-03)
  → 'github:NixOS/nixos-hardware/11b2a10c7be726321bb854403fdeec391e798bf0?narHash=sha256-PtT7ix43ss8PONJ1VJw3f6t2yAoGH%2Bq462Sn8lrmWmk%3D' (2025-09-05)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/0e6684e6c5755325f801bda1751a8a4038145d7d?narHash=sha256-6tooT142NLcFjt24Gi4B0G1pgWLvfw7y93sYEfSHlLI%3D' (2025-09-03)
  → 'github:NixOS/nixpkgs/fe83bbdde2ccdc2cb9573aa846abe8363f79a97a?narHash=sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0%3D' (2025-09-04)

flake.lock

@@ -38,11 +38,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1754492276,
-        "narHash": "sha256-cCtleJZQY5eWPYRGl5x63BZ2rfOik4pLveCveH+tmvM=",
+        "lastModified": 1757085451,
+        "narHash": "sha256-ITukwc/nWVjn8bEZ/iBMAhbuwHFnm+zfP+C6UyFiFrA=",
         "owner": "oddlama",
         "repo": "agenix-rekey",
-        "rev": "69ed7833c0e4e6a677a20894d8f12876b9e2bedb",
+        "rev": "c71fc00630b9da7b4c61be4ec20b183990da4cda",
         "type": "github"
       },
       "original": {
@@ -71,11 +71,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753216019,
-        "narHash": "sha256-zik7WISrR1ks2l6T1MZqZHb/OqroHdJnSnAehkE0kCk=",
+        "lastModified": 1755946532,
+        "narHash": "sha256-POePremlUY5GyA1zfbtic6XLxDaQcqHN6l+bIxdT5gc=",
         "owner": "hyprwm",
         "repo": "aquamarine",
-        "rev": "be166e11d86ba4186db93e10c54a141058bdce49",
+        "rev": "81584dae2df6ac79f6b6dae0ecb7705e95129ada",
         "type": "github"
       },
       "original": {
@@ -131,11 +131,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1749105467,
-        "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=",
+        "lastModified": 1756719547,
+        "narHash": "sha256-N9gBKUmjwRKPxAafXEk1EGadfk2qDZPBQp4vXWPHINQ=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "6bc76b872374845ba9d645a2f012b764fecd765f",
+        "rev": "125ae9e3ecf62fb2c0fd4f2d894eb971f1ecaed2",
         "type": "github"
       },
       "original": {
@@ -213,11 +213,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755519972,
-        "narHash": "sha256-bU4nqi3IpsUZJeyS8Jk85ytlX61i4b0KCxXX9YcOgVc=",
+        "lastModified": 1756733629,
+        "narHash": "sha256-dwWGlDhcO5SMIvMSTB4mjQ5Pvo2vtxvpIknhVnSz2I8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "4073ff2f481f9ef3501678ff479ed81402caae6d",
+        "rev": "a5c4f2ab72e3d1ab43e3e65aa421c6f2bd2e12a1",
         "type": "github"
       },
       "original": {
@@ -229,11 +229,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1755874650,
-        "narHash": "sha256-ClHCtrzwU6TIfK0qOzAsfPY4swrpbZ8SwUpBpVwphaY=",
+        "lastModified": 1756083905,
+        "narHash": "sha256-UqYGTBgI5ypGh0Kf6zZjom/vABg7HQocB4gmxzl12uo=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "6fafa0409ad451b90db466f900b7549a1890bf1a",
+        "rev": "b655eaf16d4cbec9c3472f62eee285d4b419a808",
         "type": "github"
       },
       "original": {
@@ -332,11 +332,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1754487366,
-        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+        "lastModified": 1756770412,
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
         "type": "github"
       },
       "original": {
@@ -517,11 +517,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755928099,
-        "narHash": "sha256-OILVkfhRCm8u18IZ2DKR8gz8CVZM2ZcJmQBXmjFLIfk=",
+        "lastModified": 1756679287,
+        "narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "4a44fb9f7555da362af9d499817084f4288a957f",
+        "rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8",
         "type": "github"
       },
       "original": {
@@ -576,11 +576,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754305013,
-        "narHash": "sha256-u+M2f0Xf1lVHzIPQ7DsNCDkM1NYxykOSsRr4t3TbSM4=",
+        "lastModified": 1755678602,
+        "narHash": "sha256-uEC5O/NIUNs1zmc1aH1+G3GRACbODjk2iS0ET5hXtuk=",
         "owner": "hyprwm",
         "repo": "hyprgraphics",
-        "rev": "4c1d63a0f22135db123fc789f174b89544c6ec2d",
+        "rev": "157cc52065a104fc3b8fa542ae648b992421d1c7",
         "type": "github"
       },
       "original": {
@@ -605,11 +605,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1755883465,
-        "narHash": "sha256-/yviTS9piazXoZAmnN0dXnYjDAFvooBnzJfPw2Gi30Y=",
+        "lastModified": 1756977414,
+        "narHash": "sha256-Hz5S4fILpYd1smWDZ+uLYjHgW22v6JS/04j15I4cFZE=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "0d45b277d6c750377b336034b8adc53eae238d91",
+        "rev": "4e785d12a91117cd5b255052799d1a051d9976c0",
         "type": "github"
       },
       "original": {
@@ -635,11 +635,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755183521,
-        "narHash": "sha256-wrP8TM2lb2x0+PyTc7Uc3yfVBeIlYW7+hFeG14N9Cr8=",
+        "lastModified": 1756806479,
+        "narHash": "sha256-+RLX4BmuMw4c97npsBcjjEuy+s83POX9Yp8Nkj499lA=",
         "owner": "hyprwm",
         "repo": "hyprland-plugins",
-        "rev": "c1ddebb423acc7c88653c04de5ddafee64dac89a",
+        "rev": "b8d6d369618078b2dbb043480ca65fe3521f273b",
         "type": "github"
       },
       "original": {
@@ -782,11 +782,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754481650,
-        "narHash": "sha256-6u6HdEFJh5gY6VfyMQbhP7zDdVcqOrCDTkbiHJmAtMI=",
+        "lastModified": 1756117388,
+        "narHash": "sha256-oRDel6pNl/T2tI+nc/USU9ZP9w08dxtl7hiZxa0C/Wc=",
         "owner": "hyprwm",
         "repo": "hyprutils",
-        "rev": "df6b8820c4a0835d83d0c7c7be86fbc555f1f7fd",
+        "rev": "b2ae3204845f5f2f79b4703b441252d8ad2ecfd0",
         "type": "github"
       },
       "original": {
@@ -807,11 +807,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1751897909,
-        "narHash": "sha256-FnhBENxihITZldThvbO7883PdXC/2dzW4eiNvtoV5Ao=",
+        "lastModified": 1755184602,
+        "narHash": "sha256-RCBQN8xuADB0LEgaKbfRqwm6CdyopE1xIEhNc67FAbw=",
         "owner": "hyprwm",
         "repo": "hyprwayland-scanner",
-        "rev": "fcca0c61f988a9d092cbb33e906775014c61579d",
+        "rev": "b3b0f1f40ae09d4447c20608e5a4faf8bf3c492d",
         "type": "github"
       },
       "original": {
@@ -906,11 +906,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1755330281,
-        "narHash": "sha256-aJHFJWP9AuI8jUGzI77LYcSlkA9wJnOIg4ZqftwNGXA=",
+        "lastModified": 1757103352,
+        "narHash": "sha256-PtT7ix43ss8PONJ1VJw3f6t2yAoGH+q462Sn8lrmWmk=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "3dac8a872557e0ca8c083cdcfc2f218d18e113b0",
+        "rev": "11b2a10c7be726321bb854403fdeec391e798bf0",
         "type": "github"
       },
       "original": {
@@ -946,11 +946,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1754725699,
-        "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
+        "lastModified": 1756266583,
+        "narHash": "sha256-cr748nSmpfvnhqSXPiCfUPxRz2FJnvf/RjJGvFfaCsM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
+        "rev": "8a6d5427d99ec71c64f0b93d45778c889005d9c2",
         "type": "github"
       },
       "original": {
@@ -978,11 +978,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1753579242,
-        "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
+        "lastModified": 1754788789,
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
         "type": "github"
       },
       "original": {
@@ -993,11 +993,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1755615617,
-        "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
+        "lastModified": 1756787288,
+        "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "20075955deac2583bb12f07151c2df830ef346b4",
+        "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
         "type": "github"
       },
       "original": {
@@ -1008,11 +1008,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1755704039,
-        "narHash": "sha256-gKlP0LbyJ3qX0KObfIWcp5nbuHSb5EHwIvU6UcNBg2A=",
+        "lastModified": 1757020766,
+        "narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9cb344e96d5b6918e94e1bca2d9f3ea1e9615545",
+        "rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
         "type": "github"
       },
       "original": {
@@ -1078,11 +1078,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754416808,
-        "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
+        "lastModified": 1755960406,
+        "narHash": "sha256-RF7j6C1TmSTK9tYWO6CdEMtg6XZaUKcvZwOCD2SICZs=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
+        "rev": "e891a93b193fcaf2fc8012d890dc7f0befe86ec2",
         "type": "github"
       },
       "original": {
@@ -1100,11 +1100,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755879220,
-        "narHash": "sha256-2KZl6cU5rzEwXKMW369kLTzinJXXkF3TRExA6qEeVbc=",
+        "lastModified": 1755960406,
+        "narHash": "sha256-RF7j6C1TmSTK9tYWO6CdEMtg6XZaUKcvZwOCD2SICZs=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "3ff4596663c8cbbffe06d863ee4c950bce2c3b78",
+        "rev": "e891a93b193fcaf2fc8012d890dc7f0befe86ec2",
         "type": "github"
       },
       "original": {
@@ -1143,11 +1143,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1755887038,
-        "narHash": "sha256-HoEMwFfR3rwNxwJjFCbj3rfW8k6EabHuMJAZOwsT95c=",
+        "lastModified": 1756051653,
+        "narHash": "sha256-JJkQliqI7zn+esLnKQP82eQEuolNz8IELm/BYGPTvEw=",
         "ref": "refs/heads/master",
-        "rev": "9e47b557087ebde3a30c9f97189d110c29d144fd",
-        "revCount": 40,
+        "rev": "01cf200f61946ac9f259f9163933ea1749cb3531",
+        "revCount": 41,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
       },
@@ -1290,11 +1290,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755934250,
-        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
+        "lastModified": 1756662192,
+        "narHash": "sha256-F1oFfV51AE259I85av+MAia221XwMHCOtZCMcZLK2Jk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
+        "rev": "1aabc6c05ccbcbf4a635fb7a90400e44282f61c4",
         "type": "github"
       },
       "original": {
@@ -1349,11 +1349,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753633878,
-        "narHash": "sha256-js2sLRtsOUA/aT10OCDaTjO80yplqwOIaLUqEe0nMx0=",
+        "lastModified": 1755354946,
+        "narHash": "sha256-zdov5f/GcoLQc9qYIS1dUTqtJMeDqmBmo59PAxze6e4=",
         "owner": "hyprwm",
         "repo": "xdg-desktop-portal-hyprland",
-        "rev": "371b96bd11ad2006ed4f21229dbd1be69bed3e8a",
+        "rev": "a10726d6a8d0ef1a0c645378f983b6278c42eaa0",
         "type": "github"
       },
       "original": {

flake.nix

@@ -113,10 +113,10 @@
     }:
     flake-parts.lib.mkFlake { inherit inputs; } {
       imports = [
-        inputs.agenix-rekey.flakeModule
         inputs.pre-commit-hooks.flakeModule
         inputs.nix-topology.flakeModule
         inputs.treefmt-nix.flakeModule
+        ./nix/agenix-rekey.nix
         ./nix/devshell.nix
         ./nix/hosts.nix
       ];

hosts/common.nix

@@ -6,17 +6,24 @@
 }:
 {
   imports = [
-    inputs.agenix.nixosModules.age
+    inputs.agenix.nixosModules.default
+    inputs.agenix-rekey.nixosModules.default
     inputs.home-manager.nixosModules.home-manager
     ../modules/nixos
     ../modules/nixos/impermanence.nix
   ];
 
+  age.rekey = {
+    masterIdentities = [ ../secrets/yubikey-nix-primary.pub ];
+    storageMode = "local";
+    generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.networking.hostName}";
+    localStorageDir = inputs.self.outPath + "/secrets/rekeyed/${config.networking.hostName}";
+  };
+
   nixpkgs = {
     config.allowUnfree = true;
     overlays = [
       inputs.agenix.overlays.default
-      (import ../overlays/default.nix)
       (final: prev: {
         unstable = import inputs.nixpkgs-unstable {
           config = {
@@ -25,6 +32,7 @@
           system = final.system;
         };
       })
+      (import ../overlays/default.nix)
     ];
   };
 

hosts/library/ai.nix

@@ -1,13 +1,12 @@
 {
-  inputs,
   config,
   pkgs,
   ...
 }:
 
 {
-  age.secrets."files/services/open-webui/envfile" = {
-    file = "${inputs.secrets}/files/services/open-webui/envfile.age";
+  age.secrets.open-webui-env = {
+    rekeyFile = ./secrets/open-webui-env.age;
   };
 
   services.open-webui = {
@@ -30,7 +29,7 @@
         OPENID_PROVIDER_URL = "https://auth.vimium.com/oauth2/openid/${clientId}/.well-known/openid-configuration";
         OPENID_REDIRECT_URI = "${publicUrl}/oauth/oidc/callback";
       };
-    environmentFile = config.age.secrets."files/services/open-webui/envfile".path;
+    environmentFile = config.age.secrets.open-webui-env.path;
   };
 
   modules.services.borgmatic.directories = [

hosts/library/default.nix

@@ -17,6 +17,8 @@
 
   nixpkgs.hostPlatform = "x86_64-linux";
 
+  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
+
   boot = {
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;

hosts/library/secrets/open-webui-env.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA AqHsJTdBE6LT9QJK7Dek6b3zA/PaqAmma7uRdKHdQQym
+KMB+yq8M+eej5pg7MHFBqzYhQhVnrPpTevDVo1RZn5Q
+-> m;#M[T-grease > G>`e0C&G OS
+ichBG8145Jl9vthZfVHcznJmi+c81HHZfd7UGzdfP7TR1wp9ub6IXiqK9KRe7ga7
+N3osvWzwiwCI5oN0NA
+--- ILq3bk5+xuZ4CV7J/rQkYBMz5wG2dHzn+G+cvEqUSRw
+j
+<EFBFBD><EFBFBD>X<EFBFBD>+<2B><>r<EFBFBD><1E><>j<EFBFBD><6A><EFBFBD>ZW<16><>p<EFBFBD><70><EFBFBD>k<EFBFBD>%ǗxdC5mͧ '[<5B><>w<EFBFBD>x<EFBFBD>雸<EFBFBD>#<23><><EFBFBD>O<18><14>7<EFBFBD>bC'8<><38>3<EFBFBD>b<EFBFBD>{_<>%_<><5F>s&<26><><EFBFBD>ѹrr<72><07><><EFBFBD>,
+5L8<EFBFBD>yC<EFBFBD>O<EFBFBD>6o<EFBFBD><EFBFBD><EFBFBD>k}<7D><17>_<EFBFBD><5F>i<EFBFBD>m<EFBFBD>u3|<7C>f	5<><35>5<EFBFBD><35>A<EFBFBD>V<EFBFBD>><3E>
+<2B><><EFBFBD><EFBFBD>E=<3D><><11><>E<EFBFBD><45><EFBFBD>aE<61>-<2D>Ԑ^<5E><>Q<EFBFBD><51>j<EFBFBD><6A><EFBFBD><EFBFBD>7<EFBFBD>6P<36><50>b<EFBFBD><62>E8*4߄

hosts/library/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBP+SH4lzFTE29y9HfjkaO7Ino5OqEws5UXcnBFoo76C

hosts/odyssey/default.nix

@@ -50,6 +50,17 @@
     capSysAdmin = true;
   };
 
+  environment.systemPackages = with pkgs; [
+    yubikey-manager
+    age-plugin-yubikey
+  ];
+
+  services.udev.packages = with pkgs; [
+    libfido2
+  ];
+
+  services.pcscd.enable = true;
+
   modules = {
     hardware.presonus-studio.enable = true;
     services = {

hosts/vps1/README.md

@@ -6,8 +6,8 @@ VPS hosted in OVH.
 
 ## Specs
 
-- CPU - ??
-- Memory - ??
+- CPU - 4 vCores
+- Memory - 4 GB
 
 ### Disks
 

hosts/vps1/default.nix

@@ -12,6 +12,7 @@
     ./matrix.nix
     ./nginx.nix
     ./photoprism.nix
+    ./vaultwarden.nix
     ../server.nix
   ];
 
@@ -19,6 +20,8 @@
     hostPlatform = "x86_64-linux";
   };
 
+  age.rekey.hostPubkey = ./ssh_host_ed25519_key.pub;
+
   networking = {
     hostId = "08bf6db3";
     firewall = {

hosts/vps1/kanidm.nix

@@ -6,14 +6,27 @@
 let
   baseDomain = "vimium.com";
   domain = "auth.${baseDomain}";
+
+  mkRandomSecret = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "kanidm";
+  };
 in
 {
+  age.secrets.kanidm-admin-password = mkRandomSecret;
+  age.secrets.kanidm-idm-admin-password = mkRandomSecret;
+
+  age.secrets.kanidm-oauth2-gitea = mkRandomSecret;
+  age.secrets.kanidm-oauth2-open-webui = mkRandomSecret;
+  age.secrets.kanidm-oauth2-vaultwarden = mkRandomSecret;
+
   services.kanidm =
     let
       uri = "https://${domain}";
     in
     {
-      package = pkgs.unstable.kanidm;
+      package = pkgs.unstable.kanidmWithSecretProvisioning;
       enableClient = true;
       enableServer = true;
       clientSettings = {
@@ -28,8 +41,91 @@ in
         tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
         version = "2";
       };
+      provision = {
+        enable = true;
+        adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
+        idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
+
+        persons.jordan = {
+          displayName = "Jordan Holt";
+          legalName = "Jordan Holt";
+          mailAddresses = [
+            "jordan@vimium.com"
+          ];
+          groups = [
+            "gitea_admins"
+            "gitea_users"
+            "jellyfin_admins"
+            "jellyfin_users"
+            "open-webui_admins"
+            "open-webui_users"
+            "vaultwarden_users"
+          ];
+        };
+
+        groups."gitea_admins" = { };
+        groups."gitea_users" = { };
+        systems.oauth2.gitea = {
+          displayName = "Gitea";
+          originUrl = "https://git.vimium.com/user/oauth2/Vimium/callback";
+          originLanding = "https://git.vimium.com/";
+          basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
+          scopeMaps."gitea_users" = [
+            "openid"
+            "email"
+            "profile"
+          ];
+          allowInsecureClientDisablePkce = true;
+          preferShortUsername = true;
+          claimMaps.groups = {
+            joinType = "array";
+            valuesByGroup."gitea_admins" = [ "admin" ];
+          };
+        };
+
+        groups."jellyfin_admins" = { };
+        groups."jellyfin_users" = { };
+
+        groups."open-webui_admins" = { };
+        groups."open-webui_users" = { };
+        systems.oauth2.open-webui = {
+          displayName = "Open WebUI";
+          originUrl = "https://chat.ai.vimium.com/oauth/oidc/callback";
+          originLanding = "https://chat.ai.vimium.com/";
+          basicSecretFile = config.age.secrets.kanidm-oauth2-open-webui.path;
+          scopeMaps."open-webui_users" = [
+            "openid"
+            "email"
+            "profile"
+          ];
+          allowInsecureClientDisablePkce = true;
+          claimMaps.groups = {
+            joinType = "array";
+            valuesByGroup."open-webui_admins" = [ "admin" ];
+          };
+        };
+
+        groups."vaultwarden_users" = { };
+        systems.oauth2.vaultwarden = {
+          displayName = "Vaultwarden";
+          originUrl = "https://vaultwarden.vimium.com/identity/connect/oidc-signin";
+          originLanding = "https://vaultwarden.vimium.com/";
+          basicSecretFile = config.age.secrets.kanidm-oauth2-vaultwarden.path;
+          scopeMaps."vaultwarden_users" = [
+            "openid"
+            "email"
+            "profile"
+          ];
+        };
+      };
     };
 
+  # LDAP server binds to tailscale network interface
+  systemd.services.kanidm = {
+    requires = [ "tailscaled.service" ];
+    after = [ "tailscaled.service" ];
+  };
+
   services.nginx.virtualHosts = {
     "${domain}" = {
       useACMEHost = "${domain}";

hosts/vps1/matrix.nix

@@ -51,6 +51,14 @@ let
       domain = serverName;
     };
   };
+  proxyConfig = ''
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    proxy_set_header        X-Forwarded-Host $host;
+    proxy_set_header        X-Forwarded-Server $host;
+  '';
 in
 {
   networking.firewall.allowedTCPPorts = [
@@ -100,14 +108,11 @@ in
       locations = {
         "/" = {
           proxyPass = "http://localhost:8008";
-          extraConfig = ''
-            proxy_set_header X-Forwarded-For $remote_addr;
-          '';
+          extraConfig = proxyConfig;
         };
         "/_matrix" = {
           proxyPass = "http://localhost:8008";
-          extraConfig = ''
-            proxy_set_header X-Forwarded-For $remote_addr;
+          extraConfig = proxyConfig + ''
             client_max_body_size 50M;
           '';
         };

hosts/vps1/nginx.nix

@@ -164,15 +164,6 @@ in
           root = "/var/www/pki.vimium.com";
         };
       };
-      "suhailhussain.com" = {
-        forceSSL = true;
-        enableACME = true;
-        serverAliases = [ "www.suhailhussain.com" ];
-        extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
-        locations."/" = {
-          root = "/var/www/suhailhussain.com";
-        };
-      };
       "vimium.com" = {
         default = true;
         forceSSL = true;

hosts/vps1/secrets/vaultwarden-env.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA A+JTQrgN4xxrQpLhyMtfq82/26DwsudKmxyE8gx9PlJU
+oZjXRvr2mza+28asKcXzSDU0em5edPpazk5dOLXrvZ8
+-> )z\cT7C|-grease v>P/r|O s\(zEXaF Q ,!Y2g+NM
+ZAEVPuF8OEWWNKFP+7IUrpaDydZDAFCRnj1vOdGiBf6BzgbicAAmIF4XgBQqpE5M
+JoCzgjdKB1kLOQB2PWRfJ02L93/zFQXm
+--- vcFS71G0ZZ1bU8dKgMmLMv5sUIi/TYjOu41EuDpJyXw
+:<3A><><15><><EFBFBD><7F>!<21>-<<11><1E>:<3A><><EFBFBD><EFBFBD>rg?<3F>N-i<><69><EFBFBD>?<3F>d<EFBFBD>Z2h<32>3<EFBFBD><0C>]

hosts/vps1/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9NBbTqjs709LTRgeBV306s3SI7WuQMbor195QprBFc

hosts/vps1/vaultwarden.nix

@@ -0,0 +1,78 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    mkForce
+    ;
+  baseDomain = "vimium.com";
+  domain = "vaultwarden.${baseDomain}";
+in
+{
+  age.secrets.vaultwarden-env = {
+    rekeyFile = ./secrets/vaultwarden-env.age;
+    mode = "0440";
+    group = "vaultwarden";
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "sqlite";
+    backupDir = "/var/cache/vaultwarden-backup";
+    config = {
+      dataFolder = mkForce "/var/lib/vaultwarden";
+      useSysLog = true;
+      webVaultEnabled = true;
+
+      rocketPort = 8222;
+
+      ssoEnabled = true;
+      ssoOnly = true;
+      ssoAuthority = "https://auth.vimium.com/oauth2/openid/vaultwarden";
+      ssoClientId = "vaultwarden";
+      signupsAllowed = false;
+      passwordIterations = 1000000;
+      invitationsAllowed = true;
+      invitationOrgName = "Vimium";
+      domain = "https://${domain}";
+    };
+    environmentFile = config.age.secrets.vaultwarden-env.path;
+  };
+
+  services.nginx.virtualHosts = {
+    "${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = mkForce "/var/lib/vaultwarden";
+  systemd.services.vaultwarden.serviceConfig = {
+    StateDirectory = mkForce "vaultwarden";
+    RestartSec = "60";
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/vaultwarden";
+      user = "vaultwarden";
+      group = "vaultwarden";
+      mode = "0700";
+    }
+  ];
+
+  environment.persistence."/state".directories = [
+    {
+      directory = config.services.vaultwarden.backupDir;
+      user = "vaultwarden";
+      group = "vaultwarden";
+      mode = "0700";
+    }
+  ];
+}

nix/agenix-rekey.nix

@@ -0,0 +1,29 @@
+{
+  inputs,
+  ...
+}:
+{
+  imports = [
+    inputs.agenix-rekey.flakeModule
+  ];
+
+  perSystem =
+    { config, ... }:
+    {
+      agenix-rekey.nixosConfigurations = inputs.self.nixosConfigurations;
+      devshells.default = {
+        commands = [
+          {
+            inherit (config.agenix-rekey) package;
+            help = "Edit, generate, and rekey secrets";
+          }
+        ];
+        env = [
+          {
+            name = "AGENIX_REKEY_ADD_TO_GIT";
+            value = "true";
+          }
+        ];
+      };
+    };
+}

overlays/default.nix

@@ -31,6 +31,8 @@ lib.mapAttrs (
     else
       # Namespaced package sets in regular attrsets.
       prev.${name} // value
+  else if name == "vaultwarden" then
+    final.callPackage value { rustPlatform = final.unstable.rustPlatform; }
   else
     final.callPackage value { }
 ) pkgs

pkgs/vaultwarden/package.nix

@@ -0,0 +1,65 @@
+{
+  lib,
+  stdenv,
+  callPackage,
+  rustPlatform,
+  fetchFromGitHub,
+  nixosTests,
+  pkg-config,
+  openssl,
+  libiconv,
+  dbBackend ? "sqlite",
+  libmysqlclient,
+  libpq,
+}:
+
+let
+  webvault = callPackage ./webvault.nix { };
+in
+
+rustPlatform.buildRustPackage rec {
+  pname = "vaultwarden";
+  version = "git-" + builtins.substring 0 7 src.rev;
+
+  src = fetchFromGitHub {
+    owner = "dani-garcia";
+    repo = "vaultwarden";
+    rev = "a2ad1dc7c3d28834749d4b14206838d795236c27";
+    sha256 = "sha256-6Qmp/Uv8hdKuL9e3tPMKgNq1ZdvRQbzM65ifmS2Z3UY=";
+  };
+
+  cargoHash = "sha256-F7we9rurJ7srz54lsuSrdoIZpkGE+4ncW3+wjEwaD7M=";
+
+  # used for "Server Installed" version in admin panel
+  env.VW_VERSION = version;
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    openssl
+  ]
+  ++ lib.optionals stdenv.hostPlatform.isDarwin [
+    libiconv
+  ]
+  ++ lib.optional (dbBackend == "mysql") libmysqlclient
+  ++ lib.optional (dbBackend == "postgresql") libpq;
+
+  buildFeatures = dbBackend;
+
+  passthru = {
+    inherit webvault;
+    tests = nixosTests.vaultwarden;
+    updateScript = callPackage ./update.nix { };
+  };
+
+  meta = with lib; {
+    description = "Unofficial Bitwarden compatible server written in Rust";
+    homepage = "https://github.com/dani-garcia/vaultwarden";
+    changelog = "https://github.com/dani-garcia/vaultwarden/releases/tag/${version}";
+    license = licenses.agpl3Only;
+    maintainers = with maintainers; [
+      dotlambda
+      SuperSandro2000
+    ];
+    mainProgram = "vaultwarden";
+  };
+}

pkgs/vaultwarden/webvault.nix

@@ -0,0 +1,83 @@
+{
+  lib,
+  buildNpmPackage,
+  fetchFromGitHub,
+  nixosTests,
+  python3,
+  vaultwarden,
+}:
+
+let
+  version = "2025.8.0";
+
+  bw_web_builds = fetchFromGitHub {
+    owner = "dani-garcia";
+    repo = "bw_web_builds";
+    rev = "v${version}";
+    hash = "sha256-93acGKO3Fq81M1wKPvIynvkTFXPQXypcMb+c4aEtxJc=";
+  };
+
+in
+buildNpmPackage rec {
+  pname = "vaultwarden-webvault";
+  inherit version;
+
+  src = fetchFromGitHub {
+    owner = "vaultwarden";
+    repo = "vw_web_builds";
+    rev = bw_web_builds.rev;
+    hash = "sha256-u51EP4I+bUcTeMqfzx1gbZMxpjalt3bpK3QGp5QEpYU=";
+  };
+
+  npmDepsHash = "sha256-wi7ZDgGKXrtueLob5OVNKCpnzC00UW9zo8KwuoyL1Bo=";
+
+  postPatch = ''
+    ln -s ${bw_web_builds}/{patches,resources} ..
+  '';
+
+  nativeBuildInputs = [
+    python3
+  ];
+
+  makeCacheWritable = true;
+
+  env = {
+    ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
+    npm_config_build_from_source = "true";
+  };
+
+  npmRebuildFlags = [
+    # FIXME one of the esbuild versions fails to download @esbuild/linux-x64
+    "--ignore-scripts"
+  ];
+
+  npmBuildScript = "dist:oss:selfhost";
+
+  npmBuildFlags = [
+    "--workspace"
+    "apps/web"
+  ];
+
+  npmFlags = [ "--legacy-peer-deps" ];
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/share/vaultwarden
+    mv apps/web/build $out/share/vaultwarden/vault
+    runHook postInstall
+  '';
+
+  passthru = {
+    inherit bw_web_builds;
+    tests = nixosTests.vaultwarden;
+  };
+
+  meta = with lib; {
+    description = "Integrates the web vault into vaultwarden";
+    homepage = "https://github.com/dani-garcia/bw_web_builds";
+    changelog = "https://github.com/dani-garcia/bw_web_builds/releases/tag/v${version}";
+    platforms = platforms.all;
+    license = licenses.gpl3Plus;
+    inherit (vaultwarden.meta) maintainers;
+  };
+}

secrets/generated/vps1/kanidm-admin-password.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA A54fi3eKkgTq6VOnMm2ze+aHVpJ0NNsqT+w7nvYoznbM
+t/dRpZzqO/mX7iHLxbvzVxdmTECkRFPA5jmYfZwbMR0
+-> O_h4MVE-grease {- v~ 05B3
+Clwo0RqQmOGC24XDUIA+4MfDLlWnc3SjR8Kk0Wokqf6R5QFobU4
+--- loq7Xutgff/pptwqLMmjVA1uZwtDE1z6wsORzSgY80w
+"<22>2<EFBFBD>Q<EFBFBD>`D<> $<24>N<EFBFBD><4E><<3C><><EFBFBD>.<2E><05>=5<><35>8<EFBFBD>%g<><67>E<EFBFBD><45>l[T<>I<>y

secrets/generated/vps1/kanidm-idm-admin-password.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA Aul2Rho3PfWaREBYYJr5FpyV5+eQ18GY5DT1dB9QcAH8
+wDHmswR1WRsqCrqRv6imy2oeo+FP3Z1kDpWvr/IzcUY
+-> 4-grease x K>#G$!
+WbQ2yy2Pkkn0BYBR+y0tPLCFTN6cKEYGEp4B+nagPf42XONM3Q4ewp5UJF25rAiJ
+LsUecsY7dvX1n9HAz6uBwMm6Xt4
+--- iPJfeOsee5HmeCB5NRHSPIywjhUrjdhsoEx9aTxbrZs
+^ɽ$jFP	<09><>@<40><><EFBFBD>銿[|<7C><04><>N<>p2<11><><EFBFBD><EFBFBD>|[<5B><>I>><3E>%f<><66><EFBFBD><EFBFBD>֧<EFBFBD>l<EFBFBD>W<EFBFBD>!Av`<60><>2<EFBFBD><32><EFBFBD>8<>jVff<>J<1F><>

secrets/generated/vps1/kanidm-oauth2-gitea.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA A5Gj5hu1YQbUrm3IK35oDUHhnohr594lykadF+Smf+LB
+grnVZatvY80rTTQR8bZphg/25aa1cKJYUGh+jYGqi7A
+-> 0-grease 6#aWp kp fD7ks3KL -)qyQ
+FH1L4t8VAxZIOeP6bPJV3qdaBXPXGkuroABtMs7D88WzHduNjBoETZH47zekRDVM
+BAGAdcqSHuGyCp7EA4lgttN/vfA+8fAbcit/p98TTiGQbXZ4YYg
+--- KB5apFUmA/vu8OLpReNzr2zeDyig5NZ8iBXdy5XDbXM
+<EFBFBD><EFBFBD><EFBFBD>ԝrŧ)N<>S<EFBFBD><53>8<EFBFBD>X<12>s<><73><EFBFBD><EFBFBD>G<EFBFBD>x<EFBFBD>q<EFBFBD>%<25><><EFBFBD><1B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Co<43>
+<EFBFBD>S6<EFBFBD><EFBFBD>ܐ<EFBFBD>L\U<><55><EFBFBD>z<<3C>H<EFBFBD>\<5C>a<EFBFBD>;Q%<25><17>

secrets/generated/vps1/kanidm-oauth2-open-webui.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA Ah6buspw/yLQJuiyWr0t3Phy+U3HhRY2t0SofqISzHmJ
+pVYmmBoqXD9l55DUIad9D/0h/vhXmeMauK+xaBpX0cM
+-> M)*gn$-grease _b3%6l sH|2-zq P%h
+CWIfvXf9R5QvRXzv8wv+vB8nXLk0eTxy/htCUSm2ujjw
+--- 1t/2tU8qFo9C2yH3ZtsZIp8ZMNEjrecLh2HkDVnKTx4
+<EFBFBD>\eP<65><50>,<2C><><EFBFBD>t<EFBFBD><74>V<EFBFBD>x<EFBFBD><78><EFBFBD><EFBFBD><EFBFBD><EFBFBD>A<>Ke<4B>}<7D><><EFBFBD>\]<5D>
+<EFBFBD><EFBFBD><EFBFBD>`<<3C><>b;yG<><47><EFBFBD><EFBFBD>

secrets/rekeyed/library/0a21efefa75a30ace89a3b082e980952-open-webui-env.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 QjbOZQ uJRXV06taQiHq9Um5E2FNNYo5oZP4M1mmY3OBRK7NSk
+4rcF2AJ5hsnTM1yUD37yWYtU2E7zAzHBKNVagfRgVGQ
+-> z[Ud1L%*-grease ]j 7_ ?+5
+pVP4JA8o5o5kWHoxuttfOdd2GLhCiANBrdbNXWhe7fMZy74Gsj0IX7caHcL/rNkM
+p/DF/V4Y5QUvgQ5y7F95tc36uvNzmcsKaKauk3yIdzp6+9nuu+hQ6Qbvr0liWkuR
+0pQB
+--- LeXXxszTuVoj2OE6m3yPEQe6hsQAFZkhPVXpspa40vo
+.G<><47><EFBFBD>7m<17><>m=<3D>2v<32><76><EFBFBD>ɼ<EFBFBD>[<5B><><EFBFBD>.ο'ro<72><6F><EFBFBD>9k<>Ny<4E>T<EFBFBD>uB<75><42>lnkJ]<5D>=N^3	QJ<51>:7]<5D>Y<EFBFBD><59>G<EFBFBD><47>R<EFBFBD><06><><EFBFBD>t<><74><EFBFBD>cN<63>S<7F>v<EFBFBD><76>w<EFBFBD>w`fT<16><>jڸ<6A><DAB8><EFBFBD><EFBFBD>͂X<CD82><58><EFBFBD><EFBFBD>4<EFBFBD>`<60>o<EFBFBD><6F>(<28><>K<EFBFBD>^<5E><>I3<7F>gP<67><03><>7<7F>r`V<*<2A><>9<05>ya	<09>P<EFBFBD>J<EFBFBD><4A><0B>䩏<EFBFBD>ѳ<EFBFBD>i6<69>T<EFBFBD><54>><1D>n<EFBFBD>"Qz<51><7A>`<60><><EFBFBD>|<7C><>;冼<><E586BC><14><><EFBFBD><EFBFBD>)<29>>܁ <0B><><EFBFBD>E<EFBFBD>1<EFBFBD><1A><15>NKJ<>ej<65>I<EFBFBD>

secrets/rekeyed/vps1/80ea265ad53ef54ed48c4e1d842774b1-kanidm-admin-password.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA OQXbnkBzK8DL7wJkbHWo/XUlLQHjBEVu1xMzmhB78Xc
+vGcN1v+YxXidGs7Z3hvZypklIZVF1/J6DZpx8JId/hw
+-> mfI^2]-grease ,
+2C8Bs6nnhfatjdqc/Wc
+--- tuwRBOHiF0e6lgo4bK4Ui+bjjuTf5uZJgDJnpqf1seU
+<EFBFBD>J<EFBFBD>\g<>;<1B><><EFBFBD><EFBFBD>V<0B><>qFNq[7<><37>l<EFBFBD><6C><EFBFBD><EFBFBD>f<EFBFBD><66><EFBFBD>w	<09>㝯<EFBFBD><E39DAF>i|RDL<44>R#<23><>%u-A1<41><31>–<><10>=<3D>A<EFBFBD><41><EFBFBD><EFBFBD>W<>c

secrets/rekeyed/vps1/87759af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA Tyyx5kyLTN9MI+Bc66Rh7RbQ+qZF0S5Y2HCTvUFRqBo
+lzPjwPDXjg8ioc4XAJewTDdzXN5QO3BeGbTVxGW1B0U
+-> *-grease >|vs MPFf.c. nm=m ^
+OHDKbCO9uIoRv9Ar2kbIENz1NLY8iUlzmV07SouSJcxNWyEAqsVzxAkLsIeQKYn5
+XbtjLv88wHhf2w
+--- 7kHTJevOeZdsk2v9qP1V7wL4/Qz8wmFgoQiPMcx56WU
+<EFBFBD>L<EFBFBD><EFBFBD>ȼam<EFBFBD><EFBFBD><EFBFBD><EFBFBD>w<EFBFBD>B]<5D><>
+<EFBFBD><EFBFBD>m<EFBFBD>ھځ<EFBFBD><EFBFBD>Od<EFBFBD><EFBFBD>L%<25>P<EFBFBD><50>I<EFBFBD><49>'<27>X<EFBFBD><58><ko<6B>>OF<4F>j<EFBFBD>8<EFBFBD><38><EFBFBD>8s<>[<5B>(<28><>C<EFBFBD>lTd<><64><EFBFBD>H<14>[9<><39> <20><>$A<>l<EFBFBD>Pf<50>}<7D><>jCo]`<60><><EFBFBD><EFBFBD>nݢ<6E>jw*<16>Y<EFBFBD><i<>MO<4D><4F>D<18><><08>[!T#<23><>ȕX<C895>ق<EFBFBD>K<EFBFBD>X<EFBFBD>-<2D><><EFBFBD>{f<>$%<11><><EFBFBD><EFBFBD>g<>T}<7D><>k<EFBFBD>R1<52>Q?<3F><>?٭Q<D9AD><51>h<EFBFBD>W<EFBFBD> e<><65>||z<><7A>Xe<58>rD3\';<06>j<>F<><46><EFBFBD>hY
+<EFBFBD><16>R<EFBFBD>H1<48><0B>Rꑱ/*w	<09>	3ǷY"<22>{<7B><><EFBFBD>LN<1D>s"<22><1F><>7B<37>

secrets/rekeyed/vps1/a8f9724475694d2a470fc175c5a6d38e-kanidm-idm-admin-password.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA XbDvpING9Qe/x3sNWrqn2vqEw2SvgP79ApCrJTTGuiM
+cOaoXvYgPH7egMF1MT4gtaMHnoHWgeKeEjkwCoOQf74
+-> y''zjcK-grease J y ,CxRN3
+2kaqVO6qm24DPq5fhEN+AM+hPvW3VPHKlzuMy8SLeW/3um8bXNmFdxwzfkDoFSf3
+viYrDFmlY7+RTFt6JADBs67eYlQblBgZwTo
+--- NwBzcAYM5hOyvIsRVLYH8ez6gn8Z3yxmX8Tfz1hETz0
+<EFBFBD>g<EFBFBD>><3E>@<40><><EFBFBD>l<EFBFBD><6C>g<EFBFBD>[<5B>Rٽ<52><D9BD><EFBFBD><EFBFBD>Xv<58><76>9ߵ"<22><>\<5C>hۺU<DBBA>y<EFBFBD><79><EFBFBD><EFBFBD>4ܞO<DC9E><4F> =z<><7A>xB<78>@DzIJ<49><1F><>O<EFBFBD><4F><EFBFBD><EFBFBD><EFBFBD>M<EFBFBD><4D>LH<

secrets/rekeyed/vps1/d4527fa57d6907c78335cdabd3e84d46-kanidm-oauth2-open-webui.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA VsJu05NEZogLfeKJ8f9PiUH9RZn2RKJ+/FYOTzUOIyY
+Zd5ze/ijrlRs948f6fhCR+IN6uXpck6ejMlpyGugOfQ
+-> z+o-grease +J< ey N"
+uAedOA+JGje0EKhTuQJj+RDh98H6dqryAUe7nC2iF6t7wAT1NHFLWWfRqw3nNtMb
+Cb0pH7hECmbW0vygVD67NusZOvleB2RHng
+--- KcTuAfeh0NIBLRmtXZFlbsAAmH9Eu2KmswfZzWgaeZ8
+<EFBFBD><EFBFBD>9E<EFBFBD>QުF<EFBFBD>`i<><69><1B>o<EFBFBD><6F>~<7E><08>/<2F>V<*{<7B>'A~<7E>n0<><17><0B><>'@<40>K<EFBFBD><4B><<3C>xǽ'AJMFN<46><4E><18>#<23>$C܊=$ZH<5A>A<06>

secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA lN4CAdRzmrQqTaI75QwSyhPF34tXWvnyT3EF+wYp5H0
+z9b9Rm/zk4PHrw35EeLtx4Gyp6Nlv55SWM/OxuuqOcA
+-> CJNg-grease ^p}Pf r@D 94/&
+eM0eWh2/4FSBoFvqSvVI
+--- y0Tsd45+A1Q8XwnUee6RZJPkYiazusnxYkmBeHqru0E
+W`.)"<22>(<28><><EFBFBD>Ys<59><1F><><EFBFBD><EFBFBD>r<EFBFBD><72><EFBFBD>0<EFBFBD>“ <20><>r<EFBFBD>g<>Y<EFBFBD><59><EFBFBD>6<EFBFBD>P=;[Y<><59><EFBFBD>&<26>
b<>R<EFBFBD><52>6Wv<57><1B>Ǡ<EFBFBD><C7A0>Æs<C386>&<26><><EFBFBD>=U

secrets/yubikey-nix-primary.pub

@@ -0,0 +1,7 @@
+#       Serial: 24187788, Slot: 1
+#         Name: YubiKey Nix Primary
+#      Created: Mon, 25 Aug 2025 21:00:00 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+#    Recipient: age1yubikey1qwwyem3502gqenzet20xdpjnuhhv2cezvzk590jdta9wqkw48p8gj7n4x96
+AGE-PLUGIN-YUBIKEY-13SFHZQVZDDFHVHQGGYPC3