Pocket ID config.

Keys for sparky reinstall.
Update flake.
2025-11-04 11:04:33 +00:00 · 2025-11-04 11:04:20 +00:00 · 2025-11-04 10:26:18 +00:00 · 2025-11-04 10:22:11 +00:00 · 2025-11-04 09:39:45 +00:00 · 2025-11-04 09:39:23 +00:00
9 changed files with 192 additions and 123 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,7 +2,7 @@ keys:
  - &admin_ppetru age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn
  - &server_zippy age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac
  - &server_chilly age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp
-  - &server_sparky age10zxwwufrf5uu9cv9p9znse2ftfm74q9ce893us6cnvxjc7e3ypcqy709dy
+  - &server_sparky age14aml5s3sxksa8qthnt6apl3pu6egxyn0cz7pdzzvp2yl6wncad0q56udyj
  - &server_stinky age1me78u46409q9ez6fj0qanrfffc5e9kuq7n7uuvlljfwwc2mdaezqmyzxhx
  - &server_beefy age1cs8uqj243lspyp042ueu5aes4t3azgyuaxl9au70ggrl2meulq4sgqpc7y
  - &server_alo_cloud_1 age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z
--- a/common/nfs-services-server.nix
+++ b/common/nfs-services-server.nix
@@ -103,11 +103,14 @@ in
    ] ++ (lib.forEach cfg.standbys (standby: {
        "replicate-services-to-${standby}" = {
          description = "Replicate /persist/services to ${standby}";
-          path = [ pkgs.btrfs-progs pkgs.openssh pkgs.coreutils pkgs.findutils pkgs.gnugrep ];
+          path = [ pkgs.btrfs-progs pkgs.openssh pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.curl ];

          script = ''
            set -euo pipefail

+            START_TIME=$(date +%s)
+            REPLICATION_SUCCESS=0
+
            SSH_KEY="/persist/root/.ssh/btrfs-replication"
            if [ ! -f "$SSH_KEY" ]; then
              echo "ERROR: SSH key not found at $SSH_KEY"
@@ -134,11 +137,13 @@ in
                 ssh -i "$SSH_KEY" -o StrictHostKeyChecking=accept-new root@${standby} \
                 "btrfs receive /persist/services-standby"; then
                echo "Incremental send completed successfully"
+                REPLICATION_SUCCESS=1
              else
                echo "Incremental send failed (likely missing parent on receiver), falling back to full send"
                btrfs send "$SNAPSHOT_PATH" | \
                  ssh -i "$SSH_KEY" -o StrictHostKeyChecking=accept-new root@${standby} \
                  "btrfs receive /persist/services-standby"
+                REPLICATION_SUCCESS=1
              fi
            else
              # First snapshot, do full send
@@ -146,10 +151,28 @@ in
              btrfs send "$SNAPSHOT_PATH" | \
                ssh -i "$SSH_KEY" -o StrictHostKeyChecking=accept-new root@${standby} \
                "btrfs receive /persist/services-standby"
+              REPLICATION_SUCCESS=1
            fi

-            # Cleanup old snapshots on sender (keep last 24 hours = 288 snapshots at 5min intervals)
-            find /persist -maxdepth 1 -name 'services@*' -mmin +1440 -exec btrfs subvolume delete {} \;
+            # Cleanup old snapshots on sender (keep last 10 snapshots, sorted by name/timestamp)
+            ls -1d /persist/services@* 2>/dev/null | sort | head -n -10 | xargs -r btrfs subvolume delete
+
+            # Calculate metrics
+            END_TIME=$(date +%s)
+            DURATION=$((END_TIME - START_TIME))
+            SNAPSHOT_COUNT=$(ls -1d /persist/services@* 2>/dev/null | wc -l)
+
+            # Push metrics to Prometheus pushgateway
+            cat <<METRICS | curl --data-binary @- http://pushgateway.service.consul:9091/metrics/job/nfs_replication/instance/${standby}
+            # TYPE nfs_replication_last_success_timestamp gauge
+            nfs_replication_last_success_timestamp $END_TIME
+            # TYPE nfs_replication_duration_seconds gauge
+            nfs_replication_duration_seconds $DURATION
+            # TYPE nfs_replication_snapshot_count gauge
+            nfs_replication_snapshot_count $SNAPSHOT_COUNT
+            # TYPE nfs_replication_success gauge
+            nfs_replication_success $REPLICATION_SUCCESS
+            METRICS
          '';

          serviceConfig = {
--- a/common/nfs-services-standby.nix
+++ b/common/nfs-services-standby.nix
@@ -39,26 +39,27 @@ in
      noCheck = true;
    };

-    # Cleanup old snapshots on standby (keep last 4 hours for HA failover)
+    # Cleanup old snapshots on standby (keep last 10 snapshots)
    systemd.services.cleanup-services-standby-snapshots = {
      description = "Cleanup old btrfs snapshots in services-standby";
-      path = [ pkgs.btrfs-progs pkgs.findutils pkgs.coreutils ];
+      path = [ pkgs.btrfs-progs pkgs.findutils pkgs.coreutils pkgs.curl ];
      script = ''
        set -euo pipefail

-        # Keep at least 2 hours of snapshots (24 snapshots at 5min intervals)
-        MIN_KEEP=24
+        # Cleanup old snapshots on standby (keep last 10 snapshots, sorted by name/timestamp)
+        ls -1d /persist/services-standby/services@* 2>/dev/null | sort | head -n -10 | xargs -r btrfs subvolume delete || true

-        # Count existing snapshots
-        count=$(find /persist/services-standby -maxdepth 1 -name 'services@*' -type d | wc -l)
+        # Calculate metrics
+        CLEANUP_TIME=$(date +%s)
+        SNAPSHOT_COUNT=$(ls -1d /persist/services-standby/services@* 2>/dev/null | wc -l)

-        # Only delete old snapshots if we have more than the minimum
-        if [ $count -gt $MIN_KEEP ]; then
-          # Delete snapshots older than 4 hours
-          find /persist/services-standby -maxdepth 1 -name 'services@*' -mmin +240 -exec btrfs subvolume delete {} \; || true
-        else
-          echo "Only $count snapshots found, keeping all (minimum: $MIN_KEEP)"
-        fi
+        # Push metrics to Prometheus pushgateway
+        cat <<METRICS | curl --data-binary @- http://pushgateway.service.consul:9091/metrics/job/nfs_standby_cleanup/instance/$(hostname)
+        # TYPE nfs_standby_snapshot_count gauge
+        nfs_standby_snapshot_count $SNAPSHOT_COUNT
+        # TYPE nfs_standby_cleanup_last_run_timestamp gauge
+        nfs_standby_cleanup_last_run_timestamp $CLEANUP_TIME
+        METRICS
      '';
      serviceConfig = {
        Type = "oneshot";
--- a/flake.lock
+++ b/flake.lock
@@ -62,11 +62,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1761420385,
-        "narHash": "sha256-bfBSmKNHry6L/NGBmdymmEA5P/XLzuLDRw2kqaHDsLc=",
+        "lastModified": 1761938838,
+        "narHash": "sha256-0gvCxO8/jpfN1vFeAd0gM07wIUuRkcXgDxeQk0o4Duw=",
        "owner": "nix-community",
        "repo": "browser-previews",
-        "rev": "c5eae237f38310ed4c9bea0f6c19e0fe04ad61ef",
+        "rev": "9f9fbff0aa9d628e737ea36286d343518153effc",
        "type": "github"
      },
      "original": {
@@ -125,11 +125,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1760701190,
-        "narHash": "sha256-y7UhnWlER8r776JsySqsbTUh2Txf7K30smfHlqdaIQw=",
+        "lastModified": 1761899396,
+        "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "3a9450b26e69dcb6f8de6e2b07b3fc1c288d85f5",
+        "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998",
        "type": "github"
      },
      "original": {
@@ -153,11 +153,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1761647152,
-        "narHash": "sha256-zuciw00Auu3tNquWiznfIVxgVZepLsaIqC7cwC1+GQ4=",
+        "lastModified": 1762083251,
+        "narHash": "sha256-ZK8w1vsvWHKHVdf+p2TRuUTjtH6uM+zEZmLa2bv+h8A=",
        "owner": "nix-community",
        "repo": "ethereum.nix",
-        "rev": "7046ba564c47d7cb298493175ea3c3e9b1186c2e",
+        "rev": "59693a43a8754ead13fed0d0705fb182df5ac508",
        "type": "github"
      },
      "original": {
@@ -218,11 +218,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1760948891,
-        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
+        "lastModified": 1762040540,
+        "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
+        "rev": "0010412d62a25d959151790968765a70c436598b",
        "type": "github"
      },
      "original": {
@@ -732,11 +732,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1761451000,
-        "narHash": "sha256-qBJL6xEIjqYq9zOcG2vf2nPTeVBppNJzvO0LuQWMwMo=",
+        "lastModified": 1762055842,
+        "narHash": "sha256-Pu1v3mlFhRzZiSxVHb2/i/f5yeYyRNqr0RvEUJ4UgHo=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "ed6b293161b378a7368cda38659eb8d3d9a0dac4",
+        "rev": "359ff6333a7b0b60819d4c20ed05a3a1f726771f",
        "type": "github"
      },
      "original": {
@@ -747,11 +747,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1760958188,
-        "narHash": "sha256-2m1S4jl+GEDtlt2QqeHil8Ny456dcGSKJAM7q3j/BFU=",
+        "lastModified": 1762179181,
+        "narHash": "sha256-T4+TNfXlF/gHbcNCC2HY7sMGBKgqNzyYeMBWmcbH7/o=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "d6645c340ef7d821602fd2cd199e8d1eed10afbc",
+        "rev": "256770618502d2eda892af3ae91da5e386ce9586",
        "type": "github"
      },
      "original": {
@@ -763,11 +763,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1761468971,
-        "narHash": "sha256-vY2OLVg5ZTobdroQKQQSipSIkHlxOTrIF1fsMzPh8w8=",
+        "lastModified": 1761999846,
+        "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "78e34d1667d32d8a0ffc3eba4591ff256e80576e",
+        "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31",
        "type": "github"
      },
      "original": {
@@ -779,11 +779,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1754788789,
-        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "lastModified": 1761765539,
+        "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc",
        "type": "github"
      },
      "original": {
@@ -809,11 +809,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1761349956,
-        "narHash": "sha256-tH3wHnOJms+U4k/rK2Nn1RfBrhffX92jLP/2VndSn0w=",
+        "lastModified": 1761880412,
+        "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "02f2cb8e0feb4596d20cc52fda73ccee960e3538",
+        "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
        "type": "github"
      },
      "original": {
@@ -825,11 +825,11 @@
    },
    "nixpkgs-unstable_2": {
      "locked": {
-        "lastModified": 1761373498,
-        "narHash": "sha256-Q/uhWNvd7V7k1H1ZPMy/vkx3F8C13ZcdrKjO7Jv7v0c=",
+        "lastModified": 1762111121,
+        "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6a08e6bb4e46ff7fcbb53d409b253f6bad8a28ce",
+        "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4",
        "type": "github"
      },
      "original": {
@@ -865,11 +865,11 @@
        "systems": "systems_5"
      },
      "locked": {
-        "lastModified": 1761657569,
-        "narHash": "sha256-2D4Tw5Vp52RU5amnBvq0/z+zgZqafwl4bhg8dJBBjXI=",
+        "lastModified": 1762207388,
+        "narHash": "sha256-+FvGHB57ZuJIYbI35qcyGsxhvKdeKlX7AomVD6M5sIg=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "03c0dabb9a63f52bc2ebf571f3755720df1ca81e",
+        "rev": "de1760ddfd3e67aa5d2251d7df9e6bad30c36692",
        "type": "github"
      },
      "original": {
@@ -888,11 +888,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1760652422,
-        "narHash": "sha256-C88Pgz38QIl9JxQceexqL2G7sw9vodHWx1Uaq+NRJrw=",
+        "lastModified": 1761730856,
+        "narHash": "sha256-t1i5p/vSWwueZSC0Z2BImxx3BjoUDNKyC2mk24krcMY=",
        "owner": "NuschtOS",
        "repo": "search",
-        "rev": "3ebeebe8b6a49dfb11f771f761e0310f7c48d726",
+        "rev": "e29de6db0cb3182e9aee75a3b1fd1919d995d85b",
        "type": "github"
      },
      "original": {
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@@ -5,20 +5,15 @@
    ../../common/global
    ../../common/cluster-member.nix
    ../../common/nomad-worker.nix
-    ../../common/nfs-services-standby.nix
    ./hardware.nix
  ];

  diskLayout = {
-    mainDiskDevice = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_250GB_S4EUNF0MA33640P";
+    mainDiskDevice = "/dev/disk/by-id/nvme-KIOXIA-EXCERIA_with_Heatsink_SSD_84GF7016FA4S";
    #keyDiskDevice = "/dev/disk/by-id/usb-Intenso_Micro_Line_22080777660468-0:0";
    keyDiskDevice = "/dev/sda";
  };

  networking.hostName = "sparky";
-  services.tailscaleAutoconnect.authkey = "tskey-auth-kBCKN7QNv411CNTRL-n5Td7Jw7h3TAjubEeLmy1THy33JvD9JnM";
-
-  nfsServicesStandby.replicationKeys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHyTKsMCbwCIlMcC/aopgz5Yfx/Q9QdlWC9jzMLgYFAV root@zippy-replication"
-  ];
+  services.tailscaleAutoconnect.authkey = "tskey-auth-k6VC79UrzN11CNTRL-rvPmd4viyrQ261ifCrfTrQve7c2FesxrG";
 }
--- a/hosts/zippy/default.nix
+++ b/hosts/zippy/default.nix
@@ -25,6 +25,5 @@

  nfsServicesServer.standbys = [
    "c1"
-    "sparky"
  ];
 }
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -4,92 +4,92 @@ sops:
        - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cU1JS1VOWGF6aC9VaTZ0
-            UzFuUklwTUxEUy9LdUhxaEhRWkZ4VHRNWkNnCituRXNieW5WcUR6MmM2OW1ha3E3
-            NXNuMWMvcnUvZ2ZZYnhzSnR3dUxIWXcKLS0tIEJXdENxbXVhZ3l0M0oyZGladUdU
-            MTU3RS81SnlwZW81a2JQQVhYa0FwZkEKPvwH91RMG6t5Uwztp5rTjThYCh8lkIEe
-            LevB8nj5HmlLWYhVdrl/P78DHkbDb2jZrmsbh14cbMx+Z7Z3a1SMQw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WExPaEtTdEljYkF1ZUQw
+            UHhRNDJZb2wydWVUaXFmR213SjJsNDFKU0FjCnJ3Tk1yZDZkU3orcHZ2UDY3elRi
+            WW9FMXU0cDNjV3QrOWo3MVB0UzMwakUKLS0tIEhQVldBVWhmR0k0WW9jTE0xc2ZW
+            RWp4ZjlVN0FWaURlRHNONDhXdmJpS1EKZVXYyFRFD9KdyWuMoQytkQk4VxpBRyAV
+            lF4FA99wjGMhHFNQExnqYYLYtFkA18/SB6pkneOjdhIvEr0IFLJEqg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiR0FyemxNeFBlbFM2TGgr
-            WjFxemZXQjdrdmxuZjc1V0NBZjcyTTNsTlZJClAyS3ZmdmJIdmJqb3dUYU1TSEdn
-            aW9Lc3RnbWNkTGpnRlVuZmhpaXZHeW8KLS0tIDdnNHZ2dlFLSUFUSTBySDBneXBr
-            TmRYdFBQT1ZDZ0NGMnkyQU1LWmtSSVUKJz1v/z97cBXvAqvkDnSM7Jp5lK/BtvY/
-            sf7V1Gqg5XEE678rAFT/O+vpaniHevr47bt89bKOVCFb3FaheAmgbA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZ29wdk1aOHZJYWFjaG9v
+            RGxsek95QmtrZS9xRWdKMFdLSHZ3NmlZRGxzCnBvRXZkYnkxdkhJWkY0Ukg1M0dE
+            dWc3QWtCdkV5Ymd4MkxhZWl0ZDNCZXcKLS0tIGMrVWtNNWtscm9STUN1aHVZc2Ny
+            Vm1oaFFTbTBpRWxuR3gxbUZ0YkZieVkKdaSSXrDzAUGkj3w8/YcFZaJTiUUEbJdw
+            GjuLz7bxX8+HQvhSbu6/KCwG6R4j1eO5Zg1w0wYtyeUOV1HfZEGQog==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWktWbk4rMlQwa3ZrNjVv
-            WkRTSWVIVFltbUJVeCt6dnE0WFROYldqSkRFCjJPa2dWN0h3alg4NnVIVFRUUEc2
-            WjNzb3lObFRWUG12RjNFMTZJVlYrNUkKLS0tIFZLMFV6cXo0bFVNVWFlYnNUVXl6
-            VUphbmpLL2FDcjB6WVFySkw1QTJIYWsKriG/2kyw63mjnWBkyKMRKqqf82ZYYIMy
-            TJ6Zuls71RmxTh0WRVFF5/iOoL1YmD2uOeYwwM+Kc8itzBj5vZxGOQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMGpibmNRUDRFaFVOTDB4
+            RVdTc1RrTmRPb0dlZGlpcGxuRlJ1L2w5MVVBCi9HdXNGZmdSaVZsQWRoa2RpVDNV
+            OXBtS0pwYnhjS2hCUk10UUtwam4zMWcKLS0tIFV0dVpQNGpSOEVoZnE5OGpCZkxa
+            MFMxSG95dmJncGJzR29mQkVzNjFIQUEKrJ0MDTBmiwiAaLt7CJ1pjlxuFvZJuRkR
+            EuLYOYLdVaxgZ442io5OE7wme0P4LLcxSAreDG84GVs67JHvsFE89g==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age10zxwwufrf5uu9cv9p9znse2ftfm74q9ce893us6cnvxjc7e3ypcqy709dy
+        - recipient: age14aml5s3sxksa8qthnt6apl3pu6egxyn0cz7pdzzvp2yl6wncad0q56udyj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbnArTnU3WUU4MmFWOEVx
-            M2ZiZkJjUTBIb3NHSFo3N3l3dDhzZTdZTjM0CkJxWi9nVHZDVTBTaUhLME1LeVF3
-            dlRuWWJTUUgrU3l3aHhiWFJyT1ZQRFUKLS0tIHhRVFV3Y3ZXRWdoc1lkYTJWK0tk
-            Ni94RkZQak1nbVl0TmZ2SnVGQTFQVFkKaSe+6pTXj+YxZvl2fUflrobjblr7sFse
-            kpJziK/UYVvp8FsOoBYdqyfNyi+yCn+J2q+EfDlgHHCipvNm7/Q/lQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucHdSNGNyRkVITmNDVkpx
+            QVFKK0VucFNSMnNqSGRFRmRoRWpsZ0srUUhrCkwwY2pDSkJ0aGlqc3U3ZXNJUVl0
+            bXZMSVg3bDhaK3d1MTBnL1BQVUhkMUkKLS0tIDdxSk1DMVpsbnI1QlFnNEFJYXRD
+            RTNxYUxlUGxsM1NvekZ4R1hQVE9KMk0KocfE75DTfQMj/RsznOdeF82aO8WwO4HD
+            1xakOM2FHoHi60Q5uOWzfGtz0i+R4ue9hafa5Esn01TOjc3qWSlW3A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1me78u46409q9ez6fj0qanrfffc5e9kuq7n7uuvlljfwwc2mdaezqmyzxhx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa0NRY3JLZjQ4L215QTdF
-            clVtWE5ZMHVFSEE2U1E4dUI3Vk5hNGQrakF3CmQwRFNKWFNVOE1zRWpHQ3g4czdz
-            MkV6cFB0UjFBM0xaeFNBNExBc1BsTk0KLS0tIGtCSHdHZ0FoVndBS0xpbHg4S1NL
-            QVF6KzdmSnVEcUxUa2xReU9OY1JHRzgKShY79DAGVzlN5a3DmKVeb35eaQ6esIcJ
-            KPUyYjezvnnmU/HC10Ft3Dlw1m6foWbL2BqgvuYscTtN58cWWrtH3Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTEhiSDZvZTg3ZWxJRXlu
+            a0ozOXRVL2lia054SkNLc2tEYmlZUCt1NW1JCkorK0hub1pLQTE0QThEUDRDWXJV
+            YWtGamNxMTFIYjVDT2RqTXh0Z2hVTjAKLS0tIGxoRTAwc3FKVVNSQndtbTZmc3BR
+            QnMrK2lMT25tR1ErV2xvS01JWWswVUEKtrGaLETMfY2D8qmgml/fgGxkvQLoiMTP
+            l3a7Y6kwutuzRnmW1tnWv7yoPbTn+BDwfOwBcnesl2x0aJ5iLUKruA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1cs8uqj243lspyp042ueu5aes4t3azgyuaxl9au70ggrl2meulq4sgqpc7y
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NTg1eXp5ZGZkbmUzdjhG
-            RzZaMnJmZ2h0MmEyOVpVTzR4QUFQbVpHOTM0CjJmaFUzcjRnUEVZcitDQ0VGUUQ5
-            eDVRcDRZNVh6cUZsWktmMnM1UHBFTjAKLS0tIHE4QWZPZEpuZUQ3OE55OWlVMk9t
-            eTBUZHFTcElOMk5LQ1lHUUJVQUtGSGcKh+51nVjiyGQ9GbBPBDEy7QgPDJ1V8uK/
-            rihPxs6KkvwUPHaoPQdgv5tCfIf4VIxEcSM4peST9iuLZdw2pThAHQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMFJ1bzQxWjlZTmF6eEl0
+            d3VVd0VsbGZGdDBKRG9uNEhaMThmWmpuQ1hFClA1aDhwRU1Pb2pibGh6T0pqdmlq
+            S3cxM0wyWWlCL3U5TjV4Vkg4blRsUVkKLS0tIENnYk5GbmZWbFo4cElON1Z0ZVlv
+            ZDdsci9rcG5Wc2V0NlQ3MWx1cFF4dUkKumFT4xtjGDBGK+/SV27Dh/vyGMJAEZNo
+            9gTmVLfR9vXVAXUdOMcqgo7Nl4OJCS4HrDxvVCoER/bVoQVRiPzuXw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyOFkrb1JiU1F4cVlOOGhn
-            alFzemVlMTdqL3dXMzBZSkptUEx6Zi9WV0RzCnM5L0dMcG9uRjd3amhycHJkSmFS
-            NzUxYm50SDA4K1NnUEFNNjZueUoyYmsKLS0tIG1FQ3NQQm9jTEdkSytxQ2RKNmVO
-            RjdoTUMvSDVIZlFJU0RaQTVLRERzTk0KBofmLU596Ij5FMAo2CZ/H0xl7Oe/0xxj
-            3baiF/IEJ1JrhrQnd/+UEermMb5T6caj8rbryybmSzb33JV+DBylOw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCM2E5a2lsZGJzRnk5N3Rr
+            bWRwRlI2c0c4NzBNdEVqMGZFWTZtNDlvSzJFCmFPM05XbndsazRGWEw3Zy83dldm
+            eXhEZUZQZWk5bVNwaEk5SDRka0NOWjAKLS0tIHNvZ016Rjh5bmYwRUxyRWRydFpI
+            Z0NHYjFzem55bVNORGlVbVNxR2psc2cK6JpNZwznwgl61d/W9g+48/894TQRe4gJ
+            nl4oDwRPbZwJZgdAKQVfTTujB0QbWpJc24mDGD4I4CydqTKwy6FN3A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wwufz86tm3auxn6pn27c47s8rvu7en58rk00nghtaxsdpw0gya6qj6qxdt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCeEQybTlXaFoxNmtGUXFs
-            aG9zQStLTXIydlJQaWowbnhUQjlza2dPVTFjCnZzdEZGbGF4ckN6SlVLSGVKQmdM
-            UFI3WGJtK2U4aE0zMmpGYnFMVFRUU0kKLS0tIEZsazliSExnTWlKRWRlek1La2oy
-            dmZ6dEFJNy9wYjBVbzc3dnFJc2ZGYXMK4dVqqtiKABFm4EfTPAVGU4PvpU8S5DqW
-            PDayS5ta4XPeE0U7rxGrKTnFtd9SGlZH46/JIJj95mjZEwqJD/dGkQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlK1A1eVdRQThQUHdqbHdk
+            b1MyMlBJUFluTm13ZWwwc1RNbThFZUMrNXhzCnRPTVhPSzUzM0VtaUVJbFl5Wllj
+            NUlndzc3Yzhjd1JSb3czajI3UmRDZ1kKLS0tIE03M1hab1MxU0I2VExBWlh2TnJC
+            eGRXRTlsWmlpenJrVkMxakJZVTV0cE0KMQCKscSLnCu3NsurFFiDaUGjJbyIAwd0
+            HTutCiuPYVI4zznQ3RZDBeO5L6a/twXxMRTePUCwOkRNWRWpzR9nxg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1jy7pe4530s8w904wtvrmpxvteztqy5ewdt92a7y3lq87sg9jce5qxxuydt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NXFiUVJnMU4xNXBza0Rp
-            NG01Tk9GblpqcVNQVkUvc29sNlVnKzd4STM4CjFZMG55c1VZUEgzbWVtZE1jTmYz
-            eVZETm56MXQrbVNKeE94bWFIK09Vc1UKLS0tIHk4T3ZJTXVJUzFULzBiemxCNW8w
-            SVE3UnRJdDFOYXV1SU5hc0pJa2wrNFUK2b0PpYfHbDOi50eq3pSJngdaP4DLKwqR
-            sggB0M0ztRARE/uTQkGtQv1hxvjrahZCaoV3MvLAGlEq+YgmMMMPfQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VEJmMWlnemFGNExWYUI4
+            QWRwRktwODNvSmlEcGJORHNlQXNVeXVpbFNrCms0QUFNdDlrNjMxazU1UTcwc2JF
+            RC9JUnJsWmgyc01zZU9JQmxuM3V6STQKLS0tIGxQZGFsZ0pNTjQ3QW1sS0E2Y2RM
+            aVVrNW1BNXQ5UDk1UEtVVWJPNHpwUFUKcArFPFknBj8ss1lD38YtMaB06L/ASeu5
+            u4ff0rTDx237snaSFg5RIJ+6uxX16p5ODg3xOYGOMkDeuTLdl2bg3A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRzN3UlpvbTlrSG9Na3FM
-            QVBjVGV3cVZhbjVacDBFTEFXK05IM2FUOHhNCklJbWx1bGZmR1NIQ0dkaUlraWl1
-            UThTbmZSc243UllKOTJPZlJTYldBdFUKLS0tIExnRFBSN2lIWklKcW8wZ3BjWWUv
-            U25jb0UxY2U0YTkzNTNiWFd2Vmt6OEEK5LlRKtvtxDMEyCNrKkHH7YxVM6ZPt00F
-            z0dwvmcB7DfOTzOnbXMwf6A/NAV/u4kXuZWGXLYFeso/c2kBlaQuUA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWTNkaFlrQkJHRnd4cTBw
+            N3dnTXk3SlJkQkZDdWpLcEpNQ2Z2RHZoVjBJCjBaK1MzbzdaaXluR1dFaFFNaGEx
+            VTNrVU0yeG9KQkhqUkYxU3VBM0E0R1UKLS0tIDJHek9vVldSZGN0M0c0UHcySGhk
+            Z2RoZno4bmhidytlL2ZmNWUzNTcwcVEKXvgaO8Uo0R+Kc8lizLtVxmTi0W5XHjYw
+            7evdCHQHmFl0vg/bGOJBmcTUhioJv06D0LR3XMl9I6ufXDNaT/NHxw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-04T09:34:06Z"
    mac: ENC[AES256_GCM,data:YIcRrsPparPfPaI2+MLlKsxu7M19H8nndOsrDLuh/5BXzIZNiuTIWyvxODyhI745rDwlibO+7Q0QctanhTl4+IzGaYtuY4i+rb+3dzBMpcdT2VAbtCHHxcltWeanRGFq2K3WM2tbnQCERst5kejfn0Razjq3UU5vNwfBsdJMwGc=,iv:izDxy0ufVnH8ImkZIngcYhGuj0PGpLqBD/ZDvQyE+5I=,tag:oYBUEQS52pr09h5OvOadNg==,type:str]
--- a/secrets/sparky.yaml
+++ b/secrets/sparky.yaml
@@ -4,20 +4,20 @@ sops:
        - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdHVtQ3hHSjVuRkxRMklO
-            NEJjeERFUDBMRkVTTGVGTTJIR1lwM25kZWpRCitlUFIvUTVPUloreEFIWjIvT1dL
-            S2hBY2NUWHdxOVhRejU0eUpZa1FMY00KLS0tIEZ3bDRIdlQzaVQ5U0kyRjYyeUor
-            c1M2V2J1Q2R3alI3b3NoYk5SK1AzKzgKbOhSxwTpLr7wwbN+nY4aK+6WmpofBxNX
-            CEaEBz98KTTrSQ9Qvm1+/yep95l7i0HPQGdGwCRNKdvUoXzk1KalpQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtSjhXazlWd3YwNVFKVkw4
+            dDMydVFCN1lLeUJOWkxuSGJ1a0srNm9PaWswCm8yZ3hiOWFHUlAzNVRrck53OElD
+            b056YmV4S2NtNnEzRkpnRVNEblV5blkKLS0tIG1ramoya3RHV1FJZGlFU2ZSeUtS
+            KzJlbEsvYWlXaHhEQU5oOS9HaDdYSDAKvlhKgi4Pf8xVB5MnO33GWYg313mRdUGu
+            kFCs5b1N96x9JOS7zgnM0AKDY8IPBSe33tmDqtYygwPdkOys1PmZkw==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age10zxwwufrf5uu9cv9p9znse2ftfm74q9ce893us6cnvxjc7e3ypcqy709dy
+        - recipient: age14aml5s3sxksa8qthnt6apl3pu6egxyn0cz7pdzzvp2yl6wncad0q56udyj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZb2oyd1ZGR2FXVFlhT2d3
-            NFVlU3VlR1BEWFRyTDBYZFFlQjZxUXVyK240CkdLRmk5M01ZTloyREtwQ3hpRkxZ
-            RDRKYVlRVFVLYzVSenU3THhFc0ZrdjgKLS0tIG1iMWh1TTZIZDEwazVKY1g3NXg0
-            NFRKemkwcnBxR0NIbXBGcm8xejdUMjgKOAGxkrvtvf7Y9W5BteL12HuUWA/d5Bah
-            wVoeBK21Zxz/GodBpVCuDnJ5DwM3c+7O3jnvtTShIW00evDhJIvcvA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTVovQld2RkRxaW90b3lR
+            NGFtbWVLZUNHdnlZVWkrL1RXUHBVeGdvSDJrClJmSmZRZmdjcy8rNnJBVmVUWDZq
+            M2lPbDBhT0Y0NkJ5a1FNYnU3Zkl0TkEKLS0tIGxqM2h2TDB2akl4ODlYY042R1Z4
+            ZVJWN3pZelFJR0Jid3JseEZKVFZtYmsKmKXQRjnghuF/s9z2Xk98sFvxic91fGa2
+            V7IGmpqAYQV3jJ1G4cjJxtpidQ6fLCqlnR+sq+y8+dT+LN7i+Zbnnw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-10-19T17:33:13Z"
    mac: ENC[AES256_GCM,data:IwEyBr/I7BJa0gWZ494dCT0ogyP2PbnUg5fLOn15vZAHIyYtTB3dI3gV5Lx7oPdqOPlI61MsShIYBnk0uBChpNu6O4oiGUfwvBfegzlDyHHERLx+S7nZpcwmf/3JoNXwq0f2OtOu8nA6Q1V4gVjFFNWUCAh5cq106vG1awsQkn0=,iv:j+JcVtKz2RfyWu55dUeJJTRK6prB9DGLvcjiAAdVySM=,tag:Pg5sKiLzYUFoN9Duu+nF0w==,type:str]
--- a/services/pocket-id.hcl
+++ b/services/pocket-id.hcl
@@ -0,0 +1,51 @@
+job "pocket-id" {
+  datacenters = ["alo"]
+
+  group "app" {
+    network {
+      port "http" {
+        to = 1411
+      }
+    }
+
+    task "server" {
+      driver = "docker"
+
+      config {
+        image = "ghcr.io/pocket-id/pocket-id:v1"
+        ports = ["http"]
+        volumes = [
+          "/data/services/pocket-id:/app/data",
+        ]
+      }
+
+      env {
+        APP_URL = "https://pocket-id.v.paler.net"
+        TRUST_PROXY = "true"
+        MAXMIND_LICENSE_KEY = "${var.maxmind_license_key}"
+        PUID = "1000"
+        PGID = "1000"
+      }
+
+      resources {
+        cpu = 500
+        memory = 512
+      }
+
+      service {
+        name = "pocket-id"
+        port = "http"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.pocket-id.entryPoints=websecure",
+        ]
+      }
+    }
+  }
+}
+
+variable "maxmind_license_key" {
+  type = string
+  default = "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"
+}
Author	SHA1	Message	Date
Petru Paler	520a417316	Pocket ID config.	2025-11-04 11:04:33 +00:00
Petru Paler	88ed5360ca	Keys for sparky reinstall.	2025-11-04 11:04:20 +00:00
Petru Paler	392d40def3	Update flake.	2025-11-04 10:26:18 +00:00
Petru Paler	5ef4d832fb	Only keep 10 snapshots, and push metrics.	2025-11-04 10:22:11 +00:00
Petru Paler	49afc0c084	Remove standby from sparky.	2025-11-04 09:39:45 +00:00
Petru Paler	b2c82ceaa8	Don't replicate to sparky for now.	2025-11-04 09:39:23 +00:00