Update greatyamada services

hosts/greatyamada/services/_port-definitions.nix

@@ -0,0 +1,21 @@
+{
+  adguardhome-dns = 53;
+  adguardhome-http = 3001;
+  coturn-turn = 3478;
+  coturn-turn-alt = 3479;
+  coturn-minimum = 49192;
+  coturn-maximum = 49200;
+  forgejo-http = 3000;
+  inv-sig-helper = 12999;
+  invidious-http = 3002;
+  matrix-http = 8008;
+  matrix-https = 8448;
+  matrix-bridges-http = 8088;
+  mautrix-whatsapp = 29318;
+  minecraft = 13914;
+  nginx-https = 443;
+  ntfy-http = 2586;
+  postgresql = 5432;
+  radicale-http = 5232;
+  wireguard = 51820;
+}

hosts/greatyamada/services/adguardhome.nix

@@ -0,0 +1,49 @@
+{ ... }:
+let
+  portDefinitions = import ./_port-definitions.nix;
+  nginxLocalServiceConfig = import ./nginx-local-config.nix;
+in {
+  networking.firewall.allowedTCPPorts = [ portDefinitions.adguardhome-dns ];
+  networking.firewall.allowedUDPPorts = [ portDefinitions.adguardhome-dns ];
+  services = {
+    adguardhome = {
+      enable = true;
+      allowDHCP = true;
+      port = portDefinitions.adguardhome-http;
+      mutableSettings = true;
+      settings = {
+        http = {
+          address = "127.0.0.1:${toString portDefinitions.adguardhome-http}";
+          session_ttl = "1440h";
+        };
+        dns = {
+          bind_hosts = [ "0.0.0.0" ];
+          port = portDefinitions.adguardhome-dns;
+          anonymize_client_ip = false;
+          ratelimit = 0;
+          upstream_dns = [ "https://dns10.quad9.net/dns-query" ];
+          bootstrap_dns =
+            [ "9.9.9.10" "149.112.112.10" "2620:fe::10" "2620:fe::fe:10" ];
+        };
+        dhcp = {
+          enabled = true;
+          interface_name = "enp5s0";
+          local_domain_name = "lan";
+          dhcpv4 = {
+            gateway_ip = "10.0.0.254";
+            subnet_mask = "255.255.255.0";
+            range_start = "10.0.0.10";
+            range_end = "10.0.0.199";
+            lease_duration = 86400;
+            icmp_timeout_msec = 1000;
+          };
+        };
+      };
+    };
+    nginx.virtualHosts."dns.rcia.dev" = {
+      locations."/".proxyPass =
+        "http://127.0.0.1:${toString portDefinitions.adguardhome-http}";
+      extraConfig = nginxLocalServiceConfig;
+    };
+  };
+}

hosts/greatyamada/services/ddclient.nix

@@ -6,6 +6,10 @@
     protocol = "cloudflare";
     zone = "rcia.dev";
     passwordFile = "/run/secrets/cloudflare_api_token";
-    domains = [ "@" "*" ];"
+    domains = [ "@" "*" ];
+  };
+  sops.secrets."cloudflare/api_token" = {
+    path = "/run/secrets/cloudflare_api_token";
+    owner = "root";
   };
 }

hosts/greatyamada/services/default.nix

@@ -1,12 +1,15 @@
 { ... }: {
   imports = [
-    ./nginx.nix
+    ./acme.nix
+    ./ddclient.nix
     ./forgejo.nix
-    ./invidious.nix
+    ./invidious
     ./jellyfin.nix
+    ./minecraft
+    ./nginx.nix
     ./postgresql.nix
     ./radicale.nix
+    ./wireguard.nix
   ];
-  # TODO: adguardhome matrix matrix-second minecraft terraria factorio coturn mautrix-whatsapp wireguard
   # paperlessngx
 }

hosts/greatyamada/services/forgejo.nix

@@ -1,11 +1,12 @@
-{ lib, pkgs, ... }:
+{ pkgs, ... }:
 let
   forgejoConfigPath = "/var/lib/forgejo/custom/conf";
+  portDefinitions = import ./_port-definitions.nix;
   arrayToSecrets = elements:
-    builtins.listToAttrs (map (x: {
+    builtins.listToAttrs (map (key: {
-      name = "forgejo/" + x;
+      name = "forgejo/${key}";
       value = {
-        path = "${forgejoConfigPath}/" + x;
+        path = "${forgejoConfigPath}/${key}";
         owner = "forgejo";
       };
     }) elements);
@@ -13,36 +14,34 @@ in {
   services = {
     forgejo = {
       enable = true;
+      package = pkgs.forgejo;
+      database = {
+        type = "postgres";
+        port = portDefinitions.postgresql;
+        passwordFile = "${forgejoConfigPath}/database_password";
+      };
+      secrets = {
+        server.LFS_JWT_SECRET = "${forgejoConfigPath}/lfs_jwt_secret";
+        security = {
+          INTERNAL_TOKEN = "${forgejoConfigPath}/internal_token";
+          SECRET_KEY = "${forgejoConfigPath}/secret_key";
+        };
+        oauth2.JWT_SECRET = "${forgejoConfigPath}/oauth2_jwt_secret";
+      };
       settings = {
         server = {
           DOMAIN = "git.rcia.dev";
           ROOT_URL = "https://git.rcia.dev";
-          HTTP_PORT = 3000;
+          HTTP_PORT = portDefinitions.forgejo-http;
           DISABLE_SSH = true;
           LFS_START_SERVER = true;
-          LFS_JWT_SECRET = "";
-          LFS_JWT_SECRET_URI = "file://${forgejoConfigPath}/lfs_jwt_secret";
-        };
-        database = {
-          type = "postgres";
-          passwordFile = "${forgejoConfigPath}/database_password";
-        };
-        security = {
-          INSTALL_LOCK = true;
-          INTERNAL_TOKEN = lib.mkForce "";
-          INTERNAL_TOKEN_URI = "file://${forgejoConfigPath}/internal_token";
-          SECRET_KEY = lib.mkForce "";
-          SECRET_KEY_URI = "file://${forgejoConfigPath}/secret_key";
-        };
-        oauth2 = {
-          JWT_SECRET = lib.mkForce "";
-          JWT_SECRET_URI = "file://${forgejoConfigPath}/oauth2_jwt_secret";
         };
+        security = { INSTALL_LOCK = true; };
       };
     };
     nginx.virtualHosts."git.rcia.dev" = {
       locations."/" = {
-        proxyPass = "http://127.0.0.1:3000";
+        proxyPass = "http://127.0.0.1:${toString portDefinitions.forgejo-http}";
         clientMaxBodySize = "200M";
       };
     };

hosts/greatyamada/services/invidious/default.nix

@@ -0,0 +1,10 @@
+{ ... }: {
+  imports = [ ./invidious.nix ./inv-sig-helper.nix ];
+  users = {
+    groups.invidious = { };
+    users.invidious = {
+      group = "invidious";
+      isSystemUser = true;
+    };
+  };
+}

hosts/greatyamada/services/invidious/inv-sig-helper.nix

@@ -0,0 +1,83 @@
+{ pkgs, ... }:
+let portDefinitions = import ../_port-definitions.nix;
+in {
+  environment.systemPackages = with pkgs; [ inv-sig-helper ];
+  systemd.services.inv-sig-helper = {
+    enable = true;
+    after = [ "syslog.target" "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      User = "invidious";
+      Group = "invidious";
+      ExecStart =
+        "${pkgs.inv-sig-helper}/bin/inv_sig_helper_rust --tcp 127.0.0.1:${
+          toString portDefinitions.inv-sig-helper
+        }";
+      Restart = "always";
+      RestartSec = "2s";
+      Type = "simple";
+      WorkingDirectory = "/tmp";
+      BindPaths = "/tmp";
+      CapabilityBoundingSet = [
+        "~CAP_SETUID CAP_SETGID CAP_SETPCAP"
+        "~CAP_SYS_ADMIN"
+        "~CAP_SYS_PTRACE"
+        "~CAP_CHOWN CAP_FSETID CAP_SETFCAP"
+        "~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER"
+        "~CAP_NET_ADMIN"
+        "~CAP_SYS_MODULE"
+        "~CAP_SYS_RAWIO"
+        "~CAP_SYS_TIME"
+        "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"
+        "~CAP_KILL"
+        "~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW"
+        "~CAP_SYSLOG"
+        "~CAP_SYS_NICE CAP_SYS_RESOURCE"
+        "~CAP_MAC_ADMIN CAP_MAC_OVERRIDE"
+        "~CAP_SYS_BOOT"
+        "~CAP_LINUX_IMMUTABLE"
+        "~CAP_IPC_LOCK"
+        "~CAP_SYS_CHROOT"
+        "~CAP_BLOCK_SUSPEND"
+        "~CAP_LEASE"
+        "~CAP_SYS_PACCT"
+        "~CAP_SYS_TTY_CONFIG"
+        "~CAP_WAKE_ALARM"
+      ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectControlGroups = true;
+      ProtectHome = "tmpfs";
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+      RestrictNamespaces = true;
+      RestrictSUIDSGID = true;
+      RestrictRealtime = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "~@clock"
+        "~@debug"
+        "~@module"
+        "~@mount"
+        "~@raw-io"
+        "~@reboot"
+        "~@swap"
+        "~@privileged"
+        "~@resources"
+        "~@cpu-emulation"
+        "~@obsolete"
+      ];
+    };
+  };
+}

hosts/greatyamada/services/invidious/invidious.nix

@@ -1,9 +1,13 @@
 { ... }:
-let nginxLocalServiceConfig = import ./nginx-local-config.nix;
+let
+  nginxLocalServiceConfig = import ./nginx-local-config.nix;
+  ports = import ../_port-definitions.nix;
 in {
   services = {
     invidious = {
       enable = true;
+      port = ports.invidious-http;
+      extraSettingsFile = "/var/lib/invidious/extra_configuration";
       settings = {
         check_tables = true;
         db.user = "invidious";
@@ -15,6 +19,7 @@ in {
           quality = "dash";
           volume = 20;
         };
+        signature_server = "localhost:${toString ports.inv-sig-helper}";
       };
       database = {
         createLocally = false;
@@ -23,7 +28,9 @@ in {
       hmacKeyFile = "/var/lib/invidious/hmac_key";
     };
     nginx.virtualHosts."iv.rcia.dev" = {
-      locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString ports.invidious-http}";
+      };
       extraConfig = nginxLocalServiceConfig;
     };
   };
@@ -36,5 +43,9 @@ in {
       path = "/var/lib/invidious/hmac_key";
       owner = "invidious";
     };
+    "invidious/extra_secrets" = {
+      path = "/var/lib/invidious/extra_configuration";
+      owner = "invidious";
+    };
   };
 }

hosts/greatyamada/services/jellyfin.nix

@@ -1,17 +1,17 @@
-{ pkgs, ... }:
+{ ... }:
 let
-  jellyfinPath = "/mnt/Datos/jellyfin/";
+  jellyfinPath = "/mnt/Datos/jellyfin";
   nginxLocalServiceConfig = import ./nginx-local-config.nix;
+  portDefinitions = import ./_port-definitions.nix;
 in {
   services = {
     jellyfin = {
       enable = true;
-      configDir = jellyfinPath + "config/";
+      dataDir = "${jellyfinPath}/data/";
-      dataDir = jellyfinPath + "data/";
     };
     nginx.virtualHosts."jellyfin.rcia.dev" = {
       locations."/" = {
-        proxyPass = "http://127.0.0.1:8096";
+        proxyPass = "http://127.0.0.1:${portDefinitions.jellyfin-http}";
         clientMaxBodySize = "10M";
       };
       extraConfig = nginxLocalServiceConfig;

hosts/greatyamada/services/matrix-internal.nix

@@ -1,14 +0,0 @@
-{ }: {
-  containers.matrix-bridges = {
-    autoStart = true;
-    config = { config, pkgs }: {
-      services.matrix-synapse = {
-        enable = true;
-        settings = {
-          server_name = "matrix-int.rcia.dev";
-          listeners = [ { } ];
-        };
-      };
-    };
-  };
-}

hosts/greatyamada/services/matrix/coturn.nix

@@ -1,41 +0,0 @@
-{ pkgs, ... }: {
-  services.coturn = {
-    enable = true;
-    realm = "rcia.dev";
-    min-port = 49152;
-    max-port = 49200;
-    use-auth-secret = true;
-    static-auth-secret-file = "/run/turnserver/auth_secret"
-    extraConfig = ''
-      syslog
-      no-rfc5780
-      no-stun-backward-compatibility
-      response-origin-only-with-rfc5780 
-      denied-peer-ip=10.0.0.0-10.255.255.255
-      denied-peer-ip=192.168.0.0-192.168.255.255
-      denied-peer-ip=172.16.0.0-172.31.255.255
-      no-multicast-peers
-      denied-peer-ip=0.0.0.0-0.255.255.255
-      denied-peer-ip=100.64.0.0-100.127.255.255
-      denied-peer-ip=127.0.0.0-127.255.255.255
-      denied-peer-ip=169.254.0.0-169.254.255.255
-      denied-peer-ip=192.0.0.0-192.0.0.255
-      denied-peer-ip=192.0.2.0-192.0.2.255
-      denied-peer-ip=192.88.99.0-192.88.99.255
-      denied-peer-ip=198.18.0.0-198.19.255.255
-      denied-peer-ip=198.51.100.0-198.51.100.255
-      denied-peer-ip=203.0.113.0-203.0.113.255
-      denied-peer-ip=240.0.0.0-255.255.255.255
-      allowed-peer-ip=10.0.0.1
-      allowed-peer-ip=10.10.0.1
-      allowed-peer-ip=10.10.0.2
-      allowed-peer-ip=10.10.0.3
-      user-quota=16
-      total-quota=128
-    '';
-  };
-  sops.secrets."coturn/static_auth_secret" = {
-    path = "/run/turnserver/auth_secret";
-    owner = "turnserver";
-  };
-}

hosts/greatyamada/services/matrix/default.nix

@@ -1 +0,0 @@
-{ ... }: { imports = [ ./coturn.nix ./synapse.nix ]; }

hosts/greatyamada/services/matrix/synapse.nix

@@ -1,50 +0,0 @@
-{ pkgs, ... }:
-let dataDir = "/mnt/Datos/synapse";
-in {
-  services.matrix-synapse = {
-    enable = true;
-    settings = {
-      server_name = "rcia.dev";
-      listeners = [{
-        port = 8008;
-        bind_addresses = [ "synapse" ];
-        tls = false;
-        type = http;
-        x_forwarded = true;
-        resources = [{
-          names = [ "client" "federation" ];
-          compress = false;
-        }];
-      }];
-      media_store_path = dataDir + "/media_store";
-      max_upload_size = "100M";
-      enable_registration = false;
-      report_stats = true;
-      signing_key_path = "/var/lib/matrix-synapse/matrix.rcia.dev.signing.key";
-      turn_user_lifetime = "1h";
-      turn_uris = [ "turn:rcia.dev:3478" "turn:rcia.dev:3479" ];
-    };
-  };
-  nginx.virtualHosts."matrix.rcia.dev" = {
-    locations = {
-      "/" = { proxyPass = "http://127.0.0.1:8008/_matrix/static"; };
-      "/_matrix" = {
-        proxyPass = "http://127.0.0.1:8008";
-        recommendedProxySettings = true;
-        clientMaxBodySize = "200M";
-      };
-    };
-    # Federation
-    listen = [{
-      port = 8448;
-      ssl = true;
-      extraParameters = [ "default_server" ];
-    }];
-  };
-  sops.secrets = {
-    "matrix/secrets" = {
-      path = "/var/lib/matrix-synapse/secrets";
-      owner = "matrix-synapse";
-    };
-  };
-}

hosts/greatyamada/services/minecraft/data-directory.nix

@@ -1 +0,0 @@
-"/minecraft"

hosts/greatyamada/services/minecraft/default.nix

@@ -28,18 +28,14 @@ let
   serverIcon = ./server-icon.png;
 
 in {
-  imports = [ ./plugins ];
   services.minecraft-server = {
-    enable = true;
+    enable = false;
-    package = pkgs.papermc.override {
+    package = pkgs.papermc;
-      mcVersion = "1.20.6";
-      buildNum = "147";
-    };
     declarative = true;
     eula = true;
     openFirewall = true;
     jvmOpts =
-      "-Xms4G -Xmx4G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
+      "-Xms6G -Xmx6G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
     serverProperties = {
       difficulty = "hard";
       enable-rcon = false;
@@ -48,12 +44,12 @@ in {
       hide-online-players = true;
       motd = "NixOS server";
       online-mode = true;
-      pvp = false;
+      pvp = true;
       server-port = 13914;
       spawn-protection = 0;
       white-list = true;
     };
-    dataDir = import ./data-directory.nix;
+    dataDir = "/minecraft";
   };
   # Overriden to have a non-declarative whitelist
   systemd.services.minecraft-server.preStart = lib.mkForce ''

hosts/greatyamada/services/minecraft/plugins/default.nix

@@ -1,4 +0,0 @@
-{ pkgs, ... }: {
-  environment.systemPackages = with pkgs;
-    [ (callPackage ./packages/essentialsx.nix { }) ];
-}

hosts/greatyamada/services/minecraft/plugins/packages/essentialsx.nix

@@ -1,24 +0,0 @@
-{ config, lib, stdenv, fetchurl }:
-
-stdenv.mkDerivation rec {
-  pname = "EssentialsX";
-  version = "2.20.1";
-
-  src = fetchurl {
-    url =
-      "https://github.com/EssentialsX/Essentials/releases/download/${version}/EssentialsX-${version}.jar";
-    hash = "sha256-gC6jC9pGDKRZfoGJJYFpM8EjsI2BJqgU+sKNA6Yb9UI=";
-  };
-
-  unpackPhase = ":";
-
-  installPhase = ''
-    ln -sf EssentialsX-${version}.jar $out
-  '';
-
-  meta = {
-    description = "The modern Essentials suite for Spigot and Paper.";
-    homepage = "https://essentialsx.net/";
-    license = lib.licenses.gpl3Plus;
-  };
-}

hosts/greatyamada/services/nginx.nix

@@ -4,15 +4,7 @@
     virtualHosts = {
       "rcia.dev" = {
         forceSSL = true;
-        locations = {
+        locations."/" = { root = /var/www/public; };
-          "/" = { root = /var/www/public; };
-          "/profile_picture" = { };
-        };
-      };
-      "ichi-prod.rcia.dev" = {
-        locations."/" = {
-            proxyPass = "http://127.0.0.1:3000";
-        }
       };
     };
   };

hosts/greatyamada/services/ntfy.nix

@@ -0,0 +1,20 @@
+{ ... }:
+let ports = import ./_port-definitions.nix;
+in {
+  services = {
+    ntfy-sh = {
+      enable = true;
+      settings = {
+        base-url = "https://ntfy.rcia.dev";
+        auth-file = "/etc/ntfy-users.db";
+        auth-default-access = "deny-all";
+      };
+    };
+    nginx.virtualHosts."ntfy.rcia.dev" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString ports.ntfy-http}";
+        recommendedProxySettings = true;
+      };
+    };
+  };
+}

hosts/greatyamada/services/postgresql.nix

@@ -1 +1,8 @@
-{ lib, pkgs, ... }: { services.postgresql = { enable = true; }; }
+{ ... }:
+let portDefinitions = import ./_port-definitions.nix;
+in {
+  services.postgresql = {
+    enable = true;
+    settings.port = portDefinitions.postgresql;
+  };
+}

hosts/greatyamada/services/radicale.nix

@@ -1,13 +1,15 @@
 { ... }:
 let
-  radicalePath = "/mnt/Datos/radicale";
   nginxLocalServiceConfig = import ./nginx-local-config.nix;
+  portDefinitions = import ./_port-definitions.nix;
+  radicalePath = "/mnt/Datos/radicale";
 in {
   services = {
     radicale = {
       enable = true;
       settings = {
-        server.hosts = [ "127.0.0.1:5232" ];
+        server.hosts =
+          [ "127.0.0.1:${toString portDefinitions.radicale-http}" ];
         auth = {
           type = "htpasswd";
           htpasswd_filename = "/etc/radicale/users";
@@ -17,7 +19,10 @@ in {
       };
     };
     nginx.virtualHosts."radicale.rcia.dev" = {
-      locations."/" = { proxyPass = "http://127.0.0.1:5232"; };
+      locations."/" = {
+        proxyPass =
+          "http://127.0.0.1:${toString portDefinitions.radicale-http}";
+      };
       extraConfig = nginxLocalServiceConfig;
     };
   };

hosts/greatyamada/services/wireguard.nix

@@ -0,0 +1,34 @@
+{ ... }:
+let portDefinitions = import ./_port-definitions.nix;
+in {
+  networking = {
+    firewall.allowedUDPPorts = [ portDefinitions.wireguard ];
+    wireguard = {
+      enable = true;
+      interfaces.wg0 = {
+        ips = [ 10.10.0.1/24 ];
+        peers = [{
+          allowedIPs = [ 10.10.0.2/32 ];
+          name = "Note9";
+          publicKey = "Y5A5iv0ukg1TQMcIdtXd+bmDxtrqHCuoEhYRmBqwkFY=";
+          presharedKeyFile = "/run/secrets/preshared_keys_note9";
+        }];
+        postSetup =
+          "iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE";
+        postShutdown =
+          "iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE";
+        privateKeyFile = "/run/secrets/wg_private_key";
+      };
+    };
+  };
+  sops.secrets = {
+    "wireguard/private_key" = {
+      path = "/run/secrets/wg_private_key";
+      user = "root";
+    };
+    "wireguard/preshared_keys/note9" = {
+      path = "/run/secrets/preshared_keys_note9";
+      user = "root";
+    };
+  };
+}