···

       
8
       
8
       
 
       
  inherit (self.inputs) agenix;

     

       
9
       
9
       
 
       


     

       
10
       
10
       
 
       
  cfg = config.local.fragment.agenix;

     

       
11
       
11
       
-
       


     

       
12
       
12
       
-
       
  all-secrets = import ../../secrets;

     

       
13
       
11
       
 
       
in

     

       
14
       
12
       
 
       
{

     

       
15
       
13
       
 
       
  options.local.fragment.agenix.enable = lib.mkEnableOption ''

     
···

       
19
       
17
       
 
       
  imports = [ agenix.homeManagerModules.default ];

     

       
20
       
18
       
 
       


     

       
21
       
19
       
 
       
  config = lib.mkIf cfg.enable {

     

       
22
       
22
       
-
       
    age.secrets = all-secrets.home-manager;

     

       
23
       
20
       
 
       
    # This allows us to decrypt user space secrets without having to use a

     

       
24
       
21
       
 
       
    # passwordless ssh key as you cannot interact with age in the service.

     

       
25
       
22
       
 
       
    age.identityPaths = [ "${config.home.homeDirectory}/.ssh/id_home_manager" ];

     

···

       
12
       
12
       
 
       
{

     

       
13
       
13
       
 
       
  options.local.fragment.git.enable = lib.mkEnableOption ''

     

       
14
       
14
       
 
       
    Git related

     

       
15
       
15
       
-
       


     

       
16
       
16
       
-
       
    Depends on:

     

       
17
       
17
       
-
       
    - `agenix` fragment: Need for GPG key and GitGuardian API key

     

       
18
       
15
       
 
       
  '';

     

       
19
       
16
       
 
       


     

       
20
       
17
       
 
       
  config = lib.mkIf cfg.enable {

     
···

       
104
       
101
       
 
       
        shl = "stash list";

     

       
105
       
102
       
 
       
        sha = "stash apply";

     

       
106
       
103
       
 
       
        shp = "stash pop";

     

       
107
       
107
       
-
       
      };

     

       
108
       
108
       
-
       


     

       
109
       
109
       
-
       
      hooks = {

     

       
110
       
110
       
-
       
        git-guardian = pkgs.writeShellScript "git-guardian" ''

     

       
111
       
111
       
-
       
          export GITGUARDIAN_API_KEY="$(cat ${config.age.secrets.api-gitguardian.path})"

     

       
112
       
112
       
-
       
          ${lib.getExe' pkgs.ggshield "ggshield"} secret scan pre-commit "$@"

     

       
113
       
113
       
-
       
        '';

     

       
114
       
104
       
 
       
      };

     

       
115
       
105
       
 
       


     

       
116
       
106
       
 
       
      extraConfig = {

     

···

       
142
       
142
       
 
       
      };

     

       
143
       
143
       
 
       
    };

     

       
144
       
144
       
 
       


     

       
145
       
145
       
+
       
    age.secrets.api-wakatime.file = ../../secrets/api-wakatime.age;

     

       
146
       
146
       
+
       
    age.secrets.api-wakapi.file = ../../secrets/api-wakapi.age;

     

       
145
       
147
       
 
       
    programs.wakatime = {

     

       
146
       
148
       
 
       
      enable = true;

     

       
147
       
149
       
 
       
      apiKeyFile = secrets.api-wakapi.path;

     

···

       
25
       
25
       
 
       
    home.sessionPath = [ "${config.home.sessionVariables.CARGO_HOME}/bin" ];

     

       
26
       
26
       
 
       


     

       
27
       
27
       
 
       
    # cargo config

     

       
28
       
28
       
+
       
    age.secrets.api-crates-io.file = ../../secrets/api-crates-io.age;

     

       
28
       
29
       
 
       
    home.file."${config.home.sessionVariables.CARGO_HOME}/config.toml".source =

     

       
29
       
30
       
 
       
      let

     

       
30
       
31
       
 
       
        clang = lib.getExe pkgs.llvmPackages.clang;

     

···

       
10
       
10
       
 
       


     

       
11
       
11
       
 
       
let

     

       
12
       
12
       
 
       
  inherit (self.inputs) agenix;

     

       
13
       
13
       
-
       


     

       
14
       
14
       
-
       
  all-secrets = import ../../secrets;

     

       
15
       
13
       
 
       
in

     

       
16
       
14
       
 
       
{

     

       
17
       
15
       
 
       
  imports = [

     

       
18
       
16
       
 
       
    agenix.homeManagerModules.default

     

       
19
       
17
       
 
       
    {

     

       
20
       
20
       
-
       
      age.secrets = all-secrets.home-manager;

     

       
21
       
18
       
 
       
      # This allows us to decrypt user space secrets without having to use a

     

       
22
       
19
       
 
       
      # passwordless ssh key as you cannot interact with age in the service.

     

       
23
       
20
       
 
       
      age.identityPaths = [ "${config.home.homeDirectory}/.ssh/id_home_manager" ];

     

···

       
10
       
10
       
 
       
  inherit (self.inputs) agenix;

     

       
11
       
11
       
 
       


     

       
12
       
12
       
 
       
  cfg = config.local.fragment.agenix;

     

       
13
       
13
       
-
       
  all-secrets = import ../../secrets;

     

       
14
       
13
       
 
       
in

     

       
15
       
14
       
 
       
{

     

       
16
       
15
       
 
       
  imports = [

     
···

       
26
       
25
       
 
       


     

       
27
       
26
       
 
       
  config = lib.mkIf cfg.enable {

     

       
28
       
27
       
 
       
    assertions = [

     

       
29
       
29
       
-
       
      { assertion = config.services.openssh.enable; message = "`agenix` fragement depends on `openssh` program"; }

     

       
28
       
28
       
+
       
      { assertion = config.services.openssh.enable; message = "`agenix` fragment depends on `openssh` program"; }

     

       
30
       
29
       
 
       
    ];

     

       
31
       
30
       
 
       


     

       
32
       
31
       
 
       
    age = {

     
···

       
35
       
34
       
 
       
      # be located on luks protected partitions.

     

       
36
       
35
       
 
       
      # identityPaths = [ ];

     

       
37
       
36
       
 
       


     

       
38
       
38
       
-
       
      secrets = all-secrets.nixos;

     

       
37
       
37
       
+
       
      # Secrets are defined in the fragments that use it

     

       
38
       
38
       
+
       
      # secrets = ...;

     

       
39
       
39
       
 
       
    };

     

       
40
       
40
       
 
       
  };

     

       
41
       
41
       
 
       
}

     

···

       
17
       
17
       
 
       
    Backup related

     

       
18
       
18
       
 
       
  '';

     

       
19
       
19
       
 
       


     

       
20
       
20
       
-
       
  # TODO: fix module

     

       
21
       
21
       
-
       
  config.assertions = lib.optional cfg.enable { assertion = false; message = "module is broken"; };

     

       
22
       
22
       
-
       
  config.services.restic.backups = lib.mkIf cfg.enable {

     

       
23
       
23
       
-
       
    # Backup documents and repos code

     

       
24
       
24
       
-
       
    google-drive = {

     

       
25
       
25
       
-
       
      repository = "rclone:googledrive:/Backups/${hostname}";

     

       
26
       
26
       
-
       
      passwordFile = secrets.backup-restic-key.path;

     

       
27
       
27
       
-
       
      rcloneConfigFile = secrets.backup-rclone-googledrive.path;

     

       
28
       
28
       
-
       
      initialize = true;

     

       
29
       
20
       
 
       


     

       
30
       
30
       
-
       
      paths = [

     

       
31
       
31
       
-
       
        "/home/${mainUsername}/Documents"

     

       
32
       
32
       
-
       
        # Equivalent of `~/Development` but needs extra handling as explained below

     

       
33
       
33
       
-
       
        "/home/${mainUsername}/.local/backup/repos"

     

       
34
       
34
       
-
       
      ];

     

       
21
       
21
       
+
       
  config = lib.mkIf cfg.enable {

     

       
22
       
22
       
+
       
    # TODO: fix module

     

       
23
       
23
       
+
       
    assertions = [{ assertion = false; message = "module is broken"; }];

     

       
35
       
24
       
 
       


     

       
36
       
36
       
-
       
      # Extra handling for Development folder to respect `.gitignore` files.

     

       
37
       
37
       
-
       
      #

     

       
38
       
38
       
-
       
      # Backup folder should be stored somewhere to avoid changing ctimes

     

       
39
       
39
       
-
       
      # which would cause otherwise unchanged files to be backed up again.

     

       
40
       
40
       
-
       
      # Since `--link-dest` is used, file contents won't be duplicated on disk.

     

       
41
       
41
       
-
       
      backupPrepareCommand = ''

     

       
42
       
42
       
-
       
        # Remove stale Restic locks

     

       
43
       
43
       
-
       
        ${lib.getExe pkgs.restic} unlock || true

     

       
25
       
25
       
+
       
    age.secrets.backup-restic-key.file = ../../secrets/backup/restic-key.age;

     

       
26
       
26
       
+
       
    age.secrets.backup-rclone-google-drive.file = ../../secrets/backup/rclone-googledrive.age;

     

       
44
       
27
       
 
       


     

       
45
       
45
       
-
       
        ${lib.getExe pkgs.rsync} \

     

       
46
       
46
       
-
       
          ${"\\" /* Archive mode and delete files that are not in the source directory. `--mkpath` is like `mkdir`'s `-p` option */}

     

       
47
       
47
       
-
       
          --archive --delete --mkpath \

     

       
48
       
48
       
-
       
          ${"\\" /* `:-` operator uses .gitignore files as exclude patterns */}

     

       
49
       
49
       
-
       
          --filter=':- .gitignore' \

     

       
50
       
50
       
-
       
          ${"\\" /* Exclude nixpkgs repository because they have some weird symlink test files that break rsync */}

     

       
51
       
51
       
-
       
          --exclude 'nixpkgs' \

     

       
52
       
52
       
-
       
          ${"\\" /* Hardlink files to avoid taking up more space */}

     

       
53
       
53
       
-
       
          --link-dest=/home/${mainUsername}/Development \

     

       
54
       
54
       
-
       
          /home/${mainUsername}/Development/ /home/${mainUsername}/.local/backup/repos

     

       
55
       
55
       
-
       
      '';

     

       
28
       
28
       
+
       
    services.restic.backups = {

     

       
29
       
29
       
+
       
      # Backup documents and repos code

     

       
30
       
30
       
+
       
      google-drive = {

     

       
31
       
31
       
+
       
        repository = "rclone:googledrive:/Backups/${hostname}";

     

       
32
       
32
       
+
       
        passwordFile = secrets.backup-restic-key.path;

     

       
33
       
33
       
+
       
        rcloneConfigFile = secrets.backup-rclone-googledrive.path;

     

       
34
       
34
       
+
       
        initialize = true;

     

       
35
       
35
       
+
       


     

       
36
       
36
       
+
       
        paths = [

     

       
37
       
37
       
+
       
          "/home/${mainUsername}/Documents"

     

       
38
       
38
       
+
       
          # Equivalent of `~/Development` but needs extra handling as explained below

     

       
39
       
39
       
+
       
          "/home/${mainUsername}/.local/backup/repos"

     

       
40
       
40
       
+
       
        ];

     

       
41
       
41
       
+
       


     

       
42
       
42
       
+
       
        # Extra handling for Development folder to respect `.gitignore` files.

     

       
43
       
43
       
+
       
        #

     

       
44
       
44
       
+
       
        # Backup folder should be stored somewhere to avoid changing ctimes

     

       
45
       
45
       
+
       
        # which would cause otherwise unchanged files to be backed up again.

     

       
46
       
46
       
+
       
        # Since `--link-dest` is used, file contents won't be duplicated on disk.

     

       
47
       
47
       
+
       
        backupPrepareCommand = ''

     

       
48
       
48
       
+
       
          # Remove stale Restic locks

     

       
49
       
49
       
+
       
          ${lib.getExe pkgs.restic} unlock || true

     

       
50
       
50
       
+
       


     

       
51
       
51
       
+
       
          ${lib.getExe pkgs.rsync} \

     

       
52
       
52
       
+
       
            ${"\\" /* Archive mode and delete files that are not in the source directory. `--mkpath` is like `mkdir`'s `-p` option */}

     

       
53
       
53
       
+
       
            --archive --delete --mkpath \

     

       
54
       
54
       
+
       
            ${"\\" /* `:-` operator uses .gitignore files as exclude patterns */}

     

       
55
       
55
       
+
       
            --filter=':- .gitignore' \

     

       
56
       
56
       
+
       
            ${"\\" /* Exclude nixpkgs repository because they have some weird symlink test files that break rsync */}

     

       
57
       
57
       
+
       
            --exclude 'nixpkgs' \

     

       
58
       
58
       
+
       
            ${"\\" /* Hardlink files to avoid taking up more space */}

     

       
59
       
59
       
+
       
            --link-dest=/home/${mainUsername}/Development \

     

       
60
       
60
       
+
       
            /home/${mainUsername}/Development/ /home/${mainUsername}/.local/backup/repos

     

       
61
       
61
       
+
       
        '';

     

       
56
       
62
       
 
       


     

       
57
       
57
       
-
       
      pruneOpts = [

     

       
58
       
58
       
-
       
        "--keep-daily 7"

     

       
59
       
59
       
-
       
        "--keep-weekly 5"

     

       
60
       
60
       
-
       
        "--keep-yearly 10"

     

       
61
       
61
       
-
       
      ];

     

       
63
       
63
       
+
       
        pruneOpts = [

     

       
64
       
64
       
+
       
          "--keep-daily 7"

     

       
65
       
65
       
+
       
          "--keep-weekly 5"

     

       
66
       
66
       
+
       
          "--keep-yearly 10"

     

       
67
       
67
       
+
       
        ];

     

       
62
       
68
       
 
       


     

       
63
       
69
       
 
       


     

       
64
       
64
       
-
       
      # TODO: fix config

     

       
65
       
65
       
-
       
      timerConfig = null;

     

       
66
       
66
       
-
       
      # timerConfig = {

     

       
67
       
67
       
-
       
      #   OnCalendar = "00:05";

     

       
68
       
68
       
-
       
      #   RandomizedDelaySec = "5h";

     

       
69
       
69
       
-
       
      # };

     

       
70
       
70
       
-
       
    };

     

       
70
       
70
       
+
       
        # TODO: fix config

     

       
71
       
71
       
+
       
        timerConfig = null;

     

       
72
       
72
       
+
       
        # timerConfig = {

     

       
73
       
73
       
+
       
        #   OnCalendar = "00:05";

     

       
74
       
74
       
+
       
        #   RandomizedDelaySec = "5h";

     

       
75
       
75
       
+
       
        # };

     

       
76
       
76
       
+
       
      };

     

       
71
       
77
       
 
       


     

       
72
       
72
       
-
       
    # Backup documents and large files

     

       
73
       
73
       
-
       
    archaic-bak = {

     

       
74
       
74
       
-
       
      repository = "/run/media/${mainUsername}/ArchaicBak/Backups/${hostname}";

     

       
75
       
75
       
-
       
      passwordFile = secrets.backup-restic-key.path;

     

       
76
       
76
       
-
       
      initialize = true;

     

       
78
       
78
       
+
       
      # Backup documents and large files

     

       
79
       
79
       
+
       
      archaic-bak = {

     

       
80
       
80
       
+
       
        repository = "/run/media/${mainUsername}/ArchaicBak/Backups/${hostname}";

     

       
81
       
81
       
+
       
        passwordFile = secrets.backup-restic-key.path;

     

       
82
       
82
       
+
       
        initialize = true;

     

       
77
       
83
       
 
       


     

       
78
       
78
       
-
       
      # this would fix issue that folder is created as root

     

       
79
       
79
       
-
       
      # but we cannot access the backup key

     

       
80
       
80
       
-
       
      user = config.local.user.username;

     

       
84
       
84
       
+
       
        # this would fix issue that folder is created as root

     

       
85
       
85
       
+
       
        # but we cannot access the backup key

     

       
86
       
86
       
+
       
        user = config.local.user.username;

     

       
81
       
87
       
 
       


     

       
82
       
82
       
-
       
      paths = [ "/home/${mainUsername}/Documents" ];

     

       
88
       
88
       
+
       
        paths = [ "/home/${mainUsername}/Documents" ];

     

       
83
       
89
       
 
       


     

       
84
       
84
       
-
       
      # Should only be ran manually when the backup Disk is attached

     

       
85
       
85
       
-
       
      timerConfig = null;

     

       
90
       
90
       
+
       
        # Should only be ran manually when the backup Disk is attached

     

       
91
       
91
       
+
       
        timerConfig = null;

     

       
92
       
92
       
+
       
      };

     

       
86
       
93
       
 
       
    };

     

       
87
       
94
       
 
       
  };

     

       
88
       
95
       
 
       
}

     

···

       
9
       
9
       
 
       
  inherit (self.inputs) srvos agenix tangled;

     

       
10
       
10
       
 
       
  inherit (self.nixosModules) mindustry-server;

     

       
11
       
11
       
 
       


     

       
12
       
12
       
-
       
  all-secrets = import ../../secrets;

     

       
13
       
13
       
-
       


     

       
14
       
12
       
 
       
  ext-if = "eth0";

     

       
15
       
13
       
 
       
  external-ip = "91.99.55.74";

     

       
16
       
14
       
 
       
  external-netmask = 27;

     
···

       
54
       
52
       
 
       
  ];

     

       
55
       
53
       
 
       


     

       
56
       
54
       
 
       
  config = {

     

       
57
       
57
       
-
       
    age.secrets = all-secrets.deploy;

     

       
58
       
58
       
-
       


     

       
59
       
55
       
 
       
    boot.loader.grub.enable = true;

     

       
60
       
56
       
 
       
    boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "ext4" ];

     

       
61
       
57
       
 
       


     
···

       
100
       
96
       
 
       


     

       
101
       
97
       
 
       
    services.tailscale.enable = true;

     

       
102
       
98
       
 
       


     

       
99
       
99
       
+
       
    age.secrets.pds-env.file = ../../secrets/pds-env.age;

     

       
103
       
100
       
 
       
    services.pds = {

     

       
104
       
101
       
 
       
      enable = true;

     

       
105
       
102
       
 
       
      package = upkgs.bluesky-pds;

     
···

       
112
       
109
       
 
       
      };

     

       
113
       
110
       
 
       


     

       
114
       
111
       
 
       
      environmentFiles = [

     

       
115
       
115
       
-
       
        config.age.secrets.pds-config.path

     

       
112
       
112
       
+
       
        config.age.secrets.pds-env.path

     

       
116
       
113
       
 
       
      ];

     

       
117
       
114
       
 
       
    };

     

       
118
       
115
       
 
       


     

···

       
1
       
1
       
-
       
age-encryption.org/v1

     

       
2
       
2
       
-
       
-> X25519 QjkxfMP9vtiSZ+Y/7jkOURnuAdVCtQ/Rt1FAalv9Ijs

     

       
3
       
3
       
-
       
f4YwmiPs/u9A0x0tQ6UNK0697l6E6FrGhmyLJOZGsmI

     

       
4
       
4
       
-
       
-> ssh-ed25519 SmMcWg 7U9uVnJECX84xjSV1v18pzIb7GDd1zjaLNWfx1SWFBI

     

       
5
       
5
       
-
       
QZq9+tEJOh9C6XOiZdg4ISE8qt6Dzw9ABKZd6XAwZkk

     

       
6
       
6
       
-
       
-> ssh-ed25519 Q8rMFA wSgLP9znMedYlvWIJUmm9crT6nmItaxH2ajilON45gE

     

       
7
       
7
       
-
       
LqWiMQ4wJVVdUQZKXrJINFvVfQAK51vd0F4ENQgnZ7Y

     

       
8
       
8
       
-
       
--- iGtdwVDXIMUcgytMAUDg0hvcI2mJpupSIrhEaZZxi18

     

       
9
       
9
       
-
       
�k�UR�H��Jr�e���]�$��U����DT���\9;`
o\<N�f�N���K�M�!'���������;���}߯�L���۟:v����@׫�X/�
     

···

       
1
       
1
       
-
       
age-encryption.org/v1

     

       
2
       
2
       
-
       
-> X25519 P02aVaHZQ2qXu3isJo+EYi3l+8ah016KyFnmSMYZjzk

     

       
3
       
3
       
-
       
LhVoE334CQuJQkX983mH6HH7zr1UWe3xc+Mz6O0FzDk

     

       
4
       
4
       
-
       
-> ssh-ed25519 SmMcWg n8gZ++y3KQag3oTL/57CX+/X1wRvDT88hKxVE0CxRVQ

     

       
5
       
5
       
-
       
Ntsbw27gg3qsnCsx0myrsp08Er+KDL2okMI5wsC5NPU

     

       
6
       
6
       
-
       
-> ssh-ed25519 Q8rMFA fiOu3mPZzZDRNCKERYeqiVt4dcR1Jbzk0BUF0h2bPCM

     

       
7
       
7
       
-
       
97jBhXpNGD/p6VmfOZJWn+XMdZlKv/OqbVwfUuha1Qc

     

       
8
       
8
       
-
       
--- Q1AjMGJdUTSjfkYBSiZBrh5ra7rhfSKW/+f4daXP1iU

     

       
9
       
9
       
-
       
J��n�AL�����g
<�7�En��kM�tk�����c*���L��P�R���M�P��::%�x��������x��V<$�M���\�4�r����6g�r���]
     

···

       
1
       
1
       
-
       
{

     

       
2
       
2
       
-
       
  nixos = {

     

       
3
       
3
       
-
       
    backup-rclone-googledrive.file = ./backup/rclone-googledrive.age;

     

       
4
       
4
       
-
       
    backup-restic-key.file = ./backup/restic-key.age;

     

       
5
       
5
       
-
       
  };

     

       
6
       
6
       
-
       


     

       
7
       
7
       
-
       
  home-manager = {

     

       
8
       
8
       
-
       
    api-crates-io.file = ./api-crates-io.age;

     

       
9
       
9
       
-
       
    api-digital-ocean.file = ./api-digital-ocean.age;

     

       
10
       
10
       
-
       
    api-gitguardian.file = ./api-gitguardian.age;

     

       
11
       
11
       
-
       
    api-wakatime.file = ./api-wakatime.age;

     

       
12
       
12
       
-
       
    api-wakapi.file = ./api-wakapi.age;

     

       
13
       
13
       
-
       
  };

     

       
14
       
14
       
-
       


     

       
15
       
15
       
-
       
  deploy = {

     

       
16
       
16
       
-
       
    # Defines `PDS_JWT_SECRET`, `PDS_ADMIN_PASSWORD`,

     

       
17
       
17
       
-
       
    # `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`, `PDS_EMAIL_SMTP_URL` and

     

       
18
       
18
       
-
       
    # `PDS_EMAIL_FROM_ADDRESS`

     

       
19
       
19
       
-
       
    pds-config.file = ./pds-env.age;

     

       
20
       
20
       
-
       
  };

     

       
21
       
21
       
-
       


     

       
22
       
22
       
-
       
  none = {

     

       
23
       
23
       
-
       
    pgp-ca5e.file = ./pgp-ca5e.age;

     

       
24
       
24
       
-
       
    ssh-uxgi.file = ./ssh-uxgi.age;

     

       
25
       
25
       
-
       
  };

     

       
26
       
26
       
-
       
}

     

···

       
7
       
7
       
 
       
in

     

       
8
       
8
       
 
       
{

     

       
9
       
9
       
 
       
  # Used in NixOS config

     

       
10
       
10
       
-
       
  "backup/rclone-googledrive.age".publicKeys = nixos;

     

       
11
       
11
       
-
       
  "backup/restic-key.age".publicKeys = nixos;

     

       
10
       
10
       
+
       
  "backup-rclone-googledrive.age".publicKeys = nixos;

     

       
11
       
11
       
+
       
  "backup-restic-key.age".publicKeys = nixos;

     

       
12
       
12
       
 
       


     

       
13
       
13
       
 
       
  # Used in Home Manager

     

       
14
       
14
       
 
       
  "api-crates-io.age".publicKeys = home-manager;

     

       
15
       
15
       
-
       
  "api-digital-ocean.age".publicKeys = home-manager;

     

       
16
       
16
       
-
       
  "api-gitguardian.age".publicKeys = home-manager;

     

       
17
       
15
       
 
       
  "api-wakatime.age".publicKeys = home-manager;

     

       
18
       
16
       
 
       
  "api-wakapi.age".publicKeys = home-manager;

     

       
19
       
17
       
 
       


     

       
18
       
18
       
+
       
  # Used in server deployment

     

       
19
       
19
       
+
       


     

       
20
       
20
       
+
       
  # Defines `PDS_JWT_SECRET`, `PDS_ADMIN_PASSWORD`, `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`, `PDS_EMAIL_SMTP_URL`, `PDS_EMAIL_FROM_ADDRESS`.

     

       
20
       
21
       
 
       
  "pds-env.age".publicKeys = deploy;

     

       
21
       
22
       
 
       


     

       
22
       
23
       
 
       
  # Not used in config but useful