From 50a18fc9a12fbc8d26a49ed620c96396d9c72278 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 1 Mar 2023 00:12:08 +0100 Subject: [PATCH 01/10] hosts/checkmate: init --- hosts/checkmate/default.nix | 21 +++++++++++++ hosts/checkmate/hardware-configuration.nix | 12 ++++++++ hosts/checkmate/system.nix | 34 ++++++++++++++++++++++ hosts/default.nix | 1 + 4 files changed, 68 insertions(+) create mode 100644 hosts/checkmate/default.nix create mode 100644 hosts/checkmate/hardware-configuration.nix create mode 100644 hosts/checkmate/system.nix diff --git a/hosts/checkmate/default.nix b/hosts/checkmate/default.nix new file mode 100644 index 0000000..228c31b --- /dev/null +++ b/hosts/checkmate/default.nix @@ -0,0 +1,21 @@ +tools: { + ssh.id = with tools.dns; { + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINImnMfEzUBU5qiuu05DMPrddTGypOtr+cL1/yQN2GFn"; + hostNames = subResolve "checkmate" "node"; + }; + + interfaces = { + primary = { + addr = "10.0.243.198"; + addrPublic = "152.67.73.164"; + link = "ens3"; + }; + }; + + enterprise = { + subdomain = "node"; + }; + + arch = "x86_64"; + nixos = import ./system.nix; +} diff --git a/hosts/checkmate/hardware-configuration.nix b/hosts/checkmate/hardware-configuration.nix new file mode 100644 index 0000000..d20bddd --- /dev/null +++ b/hosts/checkmate/hardware-configuration.nix @@ -0,0 +1,12 @@ +{ modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + fileSystems."/boot" = { device = "/dev/disk/by-partlabel/boot"; fsType = "vfat"; }; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/disk/by-partlabel/rootfs"; fsType = "xfs"; }; + swapDevices = [ { device = "/dev/disk/by-partlabel/swap"; } ]; +} diff --git a/hosts/checkmate/system.nix b/hosts/checkmate/system.nix new file mode 100644 index 0000000..3a06dc9 --- /dev/null +++ b/hosts/checkmate/system.nix 
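Review bot: The swap partition declared at the end of hardware-configuration.nix is plain, so anything the kernel pages out — including key material that services hold in memory after reading decrypted agenix secrets — can land on disk in the clear. NixOS can back the device with a per-boot random key: `swapDevices = [ { device = "/dev/disk/by-partlabel/swap"; randomEncryption.enable = true; } ];`; the cost is that hibernation stops working, which presumably does not matter for a qemu guest. Separately, `boot.initrd.kernelModules = [ "nvme" ]` loads that driver unconditionally while the other storage drivers sit in `availableKernelModules`; unless the disk is known to be NVMe (the hunk does not say), it belongs in the latter list too.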
@@ -0,0 +1,34 @@ +{ aspect, inputs, hosts, ... }: + +{ + imports = + [ + # Hardware + ./hardware-configuration.nix + + inputs.agenix.nixosModules.age + + aspect.modules.sss + ] + ++ aspect.sets.server; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "checkmate"; + networking.nameservers = [ hosts.VEGAS.interfaces.vstub.addr ]; + + time.timeZone = "Europe/Zurich"; + + networking.useDHCP = false; + networking.interfaces.ens3.useDHCP = true; + + i18n.defaultLocale = "en_US.UTF-8"; + + services.openssh.enable = true; + + system.stateVersion = "21.11"; + +} + diff --git a/hosts/default.nix b/hosts/default.nix index 426072a..fb4ffac 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -6,6 +6,7 @@ in with tools.dns; { VEGAS = import ./VEGAS tools; prophet = import ./prophet tools; soda = import ./soda tools; + checkmate = import ./checkmate tools; # Non-NixOS machine metadata AnimusAlpha = let hostNames = [ "alpha.animus.com" "animus.com" ]; in { From f6311ec7c4bf671dc3d6a231e1b0a954a88e63a4 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 1 Mar 2023 01:02:41 +0100 Subject: [PATCH 02/10] cluster/services/wireguard: add checkmate to host mesh --- cluster/services/wireguard/default.nix | 13 ++++++++++++- cluster/services/wireguard/mesh-keys/checkmate.age | 12 ++++++++++++ secrets.nix | 1 + 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 cluster/services/wireguard/mesh-keys/checkmate.age diff --git a/cluster/services/wireguard/default.nix b/cluster/services/wireguard/default.nix index cae81a8..50b6114 100644 --- a/cluster/services/wireguard/default.nix +++ b/cluster/services/wireguard/default.nix 
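Review bot: `system.stateVersion = "21.11";` on a host initialised in March 2023 pins stateful defaults (database versions, service data layouts) to a release the machine was never installed with; for a fresh install it should be the release in use at install time, or carry a comment if 21.11 was copied from another host on purpose. `services.openssh.enable = true;` is the only SSH setting visible — if password authentication and root login are not already disabled by `aspect.sets.server`, they should be set explicitly here, since the host has a public address (`addrPublic` in default.nix). The interface name `ens3` is hard-coded in `networking.interfaces.ens3.useDHCP` although default.nix already records it as `interfaces.primary.link`; deriving one from the other keeps the two from drifting. Name resolution also depends on a single resolver, `hosts.VEGAS.interfaces.vstub.addr`, which presumably is only reachable over the mesh that patch 02 adds, so DNS is unavailable until that link is up (inferred).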
@@ -14,12 +14,23 @@ in { vars = { mesh = { + checkmate = config.links.mesh-node-checkmate.extra; VEGAS = config.links.mesh-node-VEGAS.extra; prophet = config.links.mesh-node-prophet.extra; }; inherit meshNet; }; links = { + mesh-node-checkmate = { + ipv4 = getExtAddr hosts.checkmate; + extra = { + meshIp = "10.1.1.32"; + inherit meshNet; + pubKey = "fZMB9CDCWyBxPnsugo3Uxm/TIDP3VX54uFoaoC0bP3U="; + privKeyFile = ./mesh-keys/checkmate.age; + extraRoutes = []; + }; + }; mesh-node-VEGAS = { ipv4 = getExtAddr hosts.VEGAS; extra = { @@ -43,7 +54,7 @@ in }; services.wireguard = { nodes = { - mesh = [ "VEGAS" "prophet" ]; + mesh = [ "checkmate" "VEGAS" "prophet" ]; }; nixos = { mesh = ./mesh.nix; diff --git a/cluster/services/wireguard/mesh-keys/checkmate.age b/cluster/services/wireguard/mesh-keys/checkmate.age new file mode 100644 index 0000000..0276227 --- /dev/null +++ b/cluster/services/wireguard/mesh-keys/checkmate.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A rE85lK37XeM803mXkugmTjfAp3LNqKy2yuGGbY4IOAM +nDielwqyuaW72OKiUBgFPWK45aZhh768+MskQ5+vhUs +-> ssh-ed25519 5/zT0w QxXHVLpk2qeXjO8c3a0cQ1oKk3fUn9+yIoHAK1hLYgQ +d4s/F2ck8Z4AsCQReghxj+M0JjBYKoMpfU+K21AzwFg +-> ssh-ed25519 TCgorQ lqg5aPJuj5NPEAgAaw52lwpQ++eWPxO4BITdpLKoZFg +KS0kRB2K/+/+U2xfr2VE09XdjVvIflTweU93Vy7Okr8 +-> ?).-grease =%LA 5cVQvduw +gs9TPdbaRJVf50LDiUdlg7Vr4LUfg2Kj2bPAbN2f2z4LKDnSbWHkJ6B3EfOMDxTN +KmX8mGCi7QBGOfb1EY3h5cDgteBXiLN4aLh6kpCe0F3/DQ +--- vLjmBMfCrvOuF1ww5UcHQAmBUo0LgIuJKcNEDlOCZ3g +ߏ&d!qH Date: Wed, 1 Mar 2023 02:01:57 +0100 Subject: [PATCH 03/10] cluster/services/patroni: add checkmate to etcd nodes --- cluster/services/patroni/default.nix | 3 +-- cluster/services/patroni/etcd.nix | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/cluster/services/patroni/default.nix b/cluster/services/patroni/default.nix index 367c2cc..a490000 100644 --- a/cluster/services/patroni/default.nix +++ b/cluster/services/patroni/default.nix 
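Review bot: The new `mesh-node-checkmate` link hard-codes `meshIp = "10.1.1.32"` with nothing in the hunk tying that address to the host or guarding against a clash with the other members' mesh addresses, which sit outside the hunk. A comment such as `# mesh address: last octet is this host's index, shared with hypr.addr` — or deriving the octet from one per-host value — would make the allocation auditable; the hyprspace address added for this host in patch 05 (`10.100.3.32`) suggests such an index already exists (inferred). The patch's diffstat lists a one-line `secrets.nix` change for `mesh-keys/checkmate.age`, but that hunk is not visible here, so the declared recipients of the new private key cannot be checked against the three `ssh-ed25519` stanzas in the encrypted file.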
@@ -18,7 +18,6 @@ in vars.patroni = { etcdNodes = lib.genAttrs cfg.nodes.etcd (name: config.links."patroni-etcd-node-peer-${name}"); etcdNodesClient = lib.genAttrs cfg.nodes.etcd (name: config.links."patroni-etcd-node-client-${name}"); - etcdExtraNodes = [ "fly=http://10.1.1.151:2380" ]; passwords = { PATRONI_REPLICATION_PASSWORD = ./passwords/replication.age; PATRONI_SUPERUSER_PASSWORD = ./passwords/superuser.age; @@ -35,7 +34,7 @@ in services.patroni = { nodes = { worker = [ "VEGAS" "prophet" ]; - etcd = [ "VEGAS" "prophet" ]; + etcd = [ "checkmate" "VEGAS" "prophet" ]; haproxy = [ "VEGAS" "prophet" ]; }; nixos = { diff --git a/cluster/services/patroni/etcd.nix b/cluster/services/patroni/etcd.nix index e26bc18..94dc9fb 100644 --- a/cluster/services/patroni/etcd.nix +++ b/cluster/services/patroni/etcd.nix @@ -12,7 +12,7 @@ in services.etcd = { enable = true; dataDir = "/srv/storage/private/etcd"; - initialCluster = (map mkMember cluster.config.services.patroni.nodes.etcd) ++ vars.patroni.etcdExtraNodes; + initialCluster = map mkMember cluster.config.services.patroni.nodes.etcd; listenPeerUrls = lib.singleton vars.patroni.etcdNodes.${vars.hostName}.url; listenClientUrls = lib.singleton vars.patroni.etcdNodesClient.${vars.hostName}.url; }; From 006ef68577c265407f4d9d17e225bc676f117a8f Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 1 Mar 2023 19:59:17 +0100 Subject: [PATCH 04/10] cluster/services/patroni: give etcd some more time to start --- cluster/services/patroni/etcd.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/cluster/services/patroni/etcd.nix b/cluster/services/patroni/etcd.nix index 94dc9fb..bb4b6fd 100644 --- a/cluster/services/patroni/etcd.nix +++ b/cluster/services/patroni/etcd.nix @@ -20,6 +20,7 @@ in # run on any architecture environment.ETCD_UNSUPPORTED_ARCH = pkgs.go.GOARCH; serviceConfig = { + TimeoutStartSec = "900s"; RestartSec = "5s"; Restart = "on-failure"; }; From dad0c983e888b525c74c0228e2fe590fbb5cd4b8 Mon Sep 17 00:00:00 2001 
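Review bot: Changing `initialCluster` in etcd.nix (and dropping `etcdExtraNodes` with the `fly` member) only affects a cluster that is being bootstrapped; an etcd that already has a data directory under `/srv/storage/private/etcd` keeps the membership recorded there, so checkmate will not join and `fly` will not leave just by deploying this. Joining an existing cluster needs a runtime member add on the current members and the new node started with `initialClusterState = "existing"`, which is not in this hunk and may be configured outside it. A comment next to `initialCluster` would save the next operator from the same surprise, e.g. `# only consulted on first bootstrap; a running cluster changes membership via etcdctl member add/remove`. If `etcdExtraNodes` is declared as an option in a module outside this patch it is now dead and should be removed as well (cannot tell from here).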
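Review bot: `TimeoutStartSec = "900s";` raises the etcd start timeout to fifteen minutes without saying what etcd is waiting on during that time; presumably it is quorum with peers that only come up after the WireGuard mesh, but that is inferred. A one-line comment such as `# etcd only becomes active once it reaches quorum; give the mesh and the other members time to come up` would keep the value from looking arbitrary. With `Restart = "on-failure"` and `RestartSec = "5s"` the timeout also bounds each retry cycle, so a genuinely misconfigured member now sits for up to fifteen minutes per attempt before systemd records the failure.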
From: Max Date: Wed, 1 Mar 2023 21:51:49 +0100 Subject: [PATCH 05/10] hosts/checkmate: add hyprspace --- hosts/checkmate/default.nix | 6 ++++++ hosts/checkmate/system.nix | 1 + secrets.nix | 1 + secrets/hyprspace-key-checkmate.age | Bin 0 -> 660 bytes 4 files changed, 8 insertions(+) create mode 100644 secrets/hyprspace-key-checkmate.age diff --git a/hosts/checkmate/default.nix b/hosts/checkmate/default.nix index 228c31b..863ae03 100644 --- a/hosts/checkmate/default.nix +++ b/hosts/checkmate/default.nix @@ -12,6 +12,12 @@ tools: { }; }; + hypr = { + id = "12D3KooWL84sAtq1QTYwb7gVbhSNX5ZUfVt4kgYKz8pdif1zpGUh"; + addr = "10.100.3.32"; + listenPort = 995; + }; + enterprise = { subdomain = "node"; }; diff --git a/hosts/checkmate/system.nix b/hosts/checkmate/system.nix index 3a06dc9..e6338dc 100644 --- a/hosts/checkmate/system.nix +++ b/hosts/checkmate/system.nix @@ -8,6 +8,7 @@ inputs.agenix.nixosModules.age + aspect.modules.hyprspace aspect.modules.sss ] ++ aspect.sets.server; diff --git a/secrets.nix b/secrets.nix index 7dd8f86..1e59e56 100644 --- a/secrets.nix +++ b/secrets.nix @@ -41,6 +41,7 @@ in with hosts; "secrets/hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/hydra-s3.age".publicKeys = max ++ map systemKeys [ VEGAS ]; + "secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ]; "secrets/hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/hyprspace-key-prophet.age".publicKeys = max ++ map systemKeys [ prophet ]; "secrets/keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ]; 
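Review bot: `hypr.id` in hosts/checkmate/default.nix appears to be a libp2p peer ID, which is derived from the private key stored in `secrets/hyprspace-key-checkmate.age`, so the two must be kept in sync; a comment on the `id` line saying where it comes from (e.g. `# peer id of secrets/hyprspace-key-checkmate.age`) would prevent one being rotated without the other. `listenPort = 995;` reuses the registered POP3S port; if that is deliberate, a comment saying why would stop it reading like a typo and being mistaken for a mail service by firewall rules or monitoring. The secrets.nix entry correctly limits the key's recipients to `max ++ map systemKeys [ checkmate ]`, matching the per-host pattern of the VEGAS and prophet keys.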
diff --git a/secrets/hyprspace-key-checkmate.age b/secrets/hyprspace-key-checkmate.age new file mode 100644 index 0000000000000000000000000000000000000000..19a490c819be0ee453e3e6aa01f207f8f3eb993c GIT binary patch literal 660 zcmZ9|L2J`s007W=lbm)KUc5wh99^2GUz>Ok( zB8`x1Ql-en+A@~M6<92Eld=%z%(kV9DP7Q%&|&a#wVKTz*8rAk*%)nGqJ-r=%@_2+ z5a1$BHCK;J(N{DeEp(P);@bf)#C0`5xEQmeNRTnZ#+Y&_(Ft5p>!zF#9Z%8;8JeTf zN~@U;c>1`eF-{OFC||b%v*2->0dlHtnG=&>y^81?dM)mklA<_vD2qv(CZixdClKp^ zB-ySjXmmcDuvDn%ts-#Jnp7F#1|88C@J2k2TK~1P7e^TF6eN?$psc6Tw$2U;%_a`qcHLP32E$R+ zwoIn6R@UgFAF~tjJ(@%2-xhm6w_Y8jv-;f`;maKVXFvG%?9-*`iQNfi_XnQ^S7k6;QE#M+J<}3eNRIF`L#Fd)yrFS{Y%=bwJo@89{beRBQ#bboetv@w(0#MWPW{{U*}>|_7{ literal 0 HcmV?d00001 From d3e71fc2cfb31d28d34e6e51435ab5208ad77a9f Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 1 Mar 2023 22:37:16 +0100 Subject: [PATCH 06/10] cluster/services/monitoring: add checkmate to monitoring clients --- cluster/services/monitoring/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/services/monitoring/default.nix b/cluster/services/monitoring/default.nix index 98e3188..0523889 100644 --- a/cluster/services/monitoring/default.nix +++ b/cluster/services/monitoring/default.nix @@ -9,7 +9,7 @@ }; services.monitoring = { nodes = { - client = [ "VEGAS" "prophet" ]; + client = [ "checkmate" "VEGAS" "prophet" ]; }; nixos = { client = ./client.nix; From 5830db1c194c4f4511234eeba2f849ee0b08e2ed Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 1 Mar 2023 22:37:51 +0100 Subject: [PATCH 07/10] cluster/services/websites: add checkmate to hosts --- cluster/services/websites/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/services/websites/default.nix b/cluster/services/websites/default.nix index 85c6380..6d12a71 100644 --- a/cluster/services/websites/default.nix +++ b/cluster/services/websites/default.nix 
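Review bot: `client = [ "checkmate" "VEGAS" "prophet" ];` is one of four places this series hand-edits the same membership list — patches 07 (websites), 08 (nginx) and 09 (acme-client) make the identical change — and nothing ties the four together, so the next host added will again have to touch each one and can silently miss one. A single definition of this "general-purpose" node set, referenced by the four services, would make the membership auditable and keep them from drifting; if the sets are meant to vary independently, a comment on each list saying so would be useful instead.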
@@ -1,7 +1,7 @@ { services.websites = { nodes = { - host = [ "VEGAS" "prophet" ]; + host = [ "checkmate" "VEGAS" "prophet" ]; }; nixos = { host = ./host.nix; From ea12ce8b31e0097fdcc52770ce1fdaa250ccf955 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 1 Mar 2023 22:40:16 +0100 Subject: [PATCH 08/10] cluster/services/nginx: add checkmate to hosts --- cluster/services/nginx/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/services/nginx/default.nix b/cluster/services/nginx/default.nix index fa27013..a27752b 100644 --- a/cluster/services/nginx/default.nix +++ b/cluster/services/nginx/default.nix @@ -1,6 +1,6 @@ { services.nginx = { - nodes.host = [ "VEGAS" "prophet" ]; + nodes.host = [ "checkmate" "VEGAS" "prophet" ]; nixos.host = [ ./nginx.nix ]; }; } From b854cfdde4bb4e3cfbf202f10367160dcc232513 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 1 Mar 2023 22:45:23 +0100 Subject: [PATCH 09/10] cluster/services/acme-client: add checkmate to hosts --- cluster/services/acme-client/default.nix | 2 +- cluster/services/dns/pdns-api-key.age | 28 +++++++++++++----------- secrets.nix | 2 +- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/cluster/services/acme-client/default.nix b/cluster/services/acme-client/default.nix index 5a0e0cd..5645123 100644 --- a/cluster/services/acme-client/default.nix +++ b/cluster/services/acme-client/default.nix @@ -1,6 +1,6 @@ { services.acme-client = { - nodes.client = [ "VEGAS" "prophet" ]; + nodes.client = [ "checkmate" "VEGAS" "prophet" ]; nixos.client = ./client.nix; }; } diff --git a/cluster/services/dns/pdns-api-key.age b/cluster/services/dns/pdns-api-key.age index 3e90f17..65abafe 100644 --- a/cluster/services/dns/pdns-api-key.age +++ b/cluster/services/dns/pdns-api-key.age 
@@ -1,14 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 NO562A 1bb8hrQQunFIVGRUkg9QrAKof4tAAV8D1KRavicuaFY -y6X5aiD66+jBrfA9u3k3UrWQSEAd9yadLa0j2LgS9GY --> ssh-ed25519 5/zT0w Ke3Ymtxr2Kvp4piYChcTfBxNnBO4MlYPxVMNqC6z5X4 -CHzxDO2LIUHNjCr4O3hkA/9MSD6LXD3YUQVhtCKp3So --> ssh-ed25519 d3WGuA qPlzxEKYYe7QYBhsQuO/MI5IikwqjXVZutQL23aq2WQ -esQyjMbfaWYmtg9CAcHY/WJnsPZiZPITufIQ5TkGzEc --> ssh-ed25519 6YMlxg YajTOEPRSF/oMzlU4D0DC7DiBL22OxLBNTUN77wMwRY -RNZFOE7KV6UffoFUTcdnfrgz6wptvkvkZfR7H3GKs0g --> hI!f;r}-grease |@) -PVxV1yo85W0ceDE3nuYqdfYoRIQkwyp1VK1WIkxQjBMIs5kIx0Fw+WjdHT6wv/HH -Xh+qLqlgBfehoy28KZ52gsNRlDHN ---- +rOxrlTfSf4+mvHe8WZB1+xT0Jo/YxzEbEbIyOpLOS0 -4 . ߄pZO)B~acTv{_Uց8=UP0a"ATVr1nN{ 7HduHge{{0dMXy^4RWomz-)J9!7.oу9e+a&+]z}κ4R皂)Պ[4A O3D/X@7TRҵ6]/ ߽$_HjwK(ᓦ9np;Hhb2Yw;W 0I6 \ No newline at end of file +-> ssh-ed25519 NO562A L8hpKYttTvdcgFE0dutUUaUE8PFJ6vL1pUtf9qyrG3s +pWu4g9K6JIIRqstPodUEKrAKtPFJ6zanBK6N64jMw18 +-> ssh-ed25519 5/zT0w m1YXyS/RJEtc79mY39jfierPxzP/Tj11VfJA2VjFtB8 +5VeWMX7EQ3d+z4M8Nc2uRbrhr37KbSJsKOSAAIsyVqk +-> ssh-ed25519 TCgorQ ITq5QOMfdpJNpXv7EH3FXaZvUyfCMbeEfAZwq27YAl4 +fHVxtu2wwQDylXFFUgmEwIoTGrltKeSqgYvVdIl/UVs +-> ssh-ed25519 d3WGuA 9NGFoevYhPhU6tu88PplKtBrw/wP6ESfhAmRe9nV01s +dBqxeoIv1KGANbooK1s0Lr6c7khJN1nnfua6rFyV78E +-> ssh-ed25519 6YMlxg oPkKqmsaV95qpewGlWcoaXqTJt2feAmH6TL3CqzymxI +NMC1SRCdbGtrd+jsCZTz8Dwaf4TFT/JoV8Twih2iDMw +-> =|z4N-grease +03zbvyP3U5X8meDamKgLoK8UQe4nFi8e4ycdkPyacFTHk9vp+y4cI2vnEtAz +--- xEJd9gIQxtWG43mtFiuhZWPb7ajMIYNeA/8MMuFpe2s + uu'Tv< /_h Z'!@kL%# Ê֑@MFdo 9ه2/nV[}k#۩Nं>{Q4|v*ARnmi!q? H7(9j`^l6M->q[_ +_G}3)6kq/p2b晤>w?>|Ωk]An뉎^W&cCURQLz =~Fo @(&Ӊa,QF }P \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 1e59e56..b17c593 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -7,7 +7,7 @@ in with hosts; "cluster/services/dns/pdns-admin-oidc-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/dns/pdns-admin-salt.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ]; - "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; + "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ checkmate VEGAS prophet ]; "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-config.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/hercules-ci-multi-agent/secrets/hci-cache-credentials-prophet.age".publicKeys = max ++ map systemKeys [ prophet ]; From d47b328971e2d31581b910769556fb172fe0e327 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 1 Mar 2023 23:03:11 +0100 Subject: [PATCH 10/10] hosts/checkmate: enable zram --- hosts/checkmate/system.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/checkmate/system.nix b/hosts/checkmate/system.nix index e6338dc..f90913c 100644 --- a/hosts/checkmate/system.nix +++ b/hosts/checkmate/system.nix @@ -29,6 +29,9 @@ services.openssh.enable = true; + zramSwap.enable = true; + zramSwap.algorithm = "zstd"; + system.stateVersion = "21.11"; }
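Review bot: Adding `checkmate` to the recipients of `cluster/services/dns/pdns-api-key.age` hands a third host the PowerDNS API key, which as far as I know is a single global credential with full API access to every zone rather than one scoped to the DNS-01 records the acme client on this host needs. That is the existing pattern for VEGAS and prophet, so it is not a regression, but a comment on this line noting that a compromise of any of the three hosts exposes the whole DNS API — and a note to move to a per-host or zone-limited credential if the PowerDNS version allows it — would keep the trade-off visible. The re-encrypted `pdns-api-key.age` in this patch carries five `ssh-ed25519` stanzas, consistent with two keys in `max` plus the three system keys (inferred).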
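Review bot: `zramSwap.algorithm = "zstd";` is, in the NixOS releases current at this patch's date, already the default value of that option as far as I can tell, so the line is likely redundant (confirm against the pinned nixpkgs); if it is kept to make the choice explicit, a short comment saying so avoids a reader assuming it overrides something. The disk swap partition from hardware-configuration.nix stays configured alongside zram, so once the zram device is full pages still go to the unencrypted partition; either drop the partition or enable `randomEncryption` on it.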