added panoptes-root

.sops.yaml

@@ -2,7 +2,12 @@ keys:
   - &john-p14s age1f6drjusg866yscj8029tk4yfpgecklrvezldm02ankm6h8nnwu5s2u6ahy
   - &john-pc age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
 creation_rules:
-  - path_regex: secrets.yaml$
+  - path_regex: \.yaml$
+    key_groups:
+    - age:
+      - *john-p14s
+      - *john-pc
+  - path_regex: \.json$
     key_groups:
     - age:
       - *john-p14s

flake.nix

@@ -7,7 +7,7 @@
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    _1password-shell-plugins.url = "github:1Password/shell-plugins";
+    # _1password-shell-plugins.url = "github:1Password/shell-plugins";
     nixgl = {
       url = "github:nix-community/nixGL";
       inputs.nixpkgs.follows = "nixpkgs";

homeManagerModules/default.nix

@@ -11,7 +11,8 @@
     ./vscode.nix
 
     ../nixosModules/options.nix
-    inputs._1password-shell-plugins.hmModules.default
+    # inputs._1password-shell-plugins.hmModules.default
+    # Commented out because it tries to configure fish shell which we don't use
   ];
 
   nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
@@ -91,15 +92,15 @@
   # Let Home Manager install and manage itself.
   programs.home-manager.enable = true;
 
-  # https://developer.1password.com/docs/cli/shell-plugins/nix/
-  programs._1password-shell-plugins = lib.mkIf config._1password {
-    # enable 1Password shell plugins for bash, zsh, and fish shell
-    enable = true;
-    # the specified packages as well as 1Password CLI will be
-    # automatically installed and configured to use shell plugins
-    # https://developer.1password.com/docs/cli/shell-plugins
-    plugins = with pkgs; [ gh ];
-  };
+  # # https://developer.1password.com/docs/cli/shell-plugins/nix/
+  # programs._1password-shell-plugins = lib.mkIf config._1password {
+  #   # enable 1Password shell plugins for bash, zsh, and fish shell
+  #   enable = true;
+  #   # the specified packages as well as 1Password CLI will be
+  #   # automatically installed and configured to use shell plugins
+  #   # https://developer.1password.com/docs/cli/shell-plugins
+  #   plugins = with pkgs; [ gh ];
+  # };
   home.file.".config/1Password/ssh/agent.toml" = lib.mkIf config._1password {
     # https://developer.1password.com/docs/ssh/agent/config
     text = ''

homeManagerModules/ghostty.nix

@@ -5,9 +5,11 @@
   };
   
   # nixGL is now provided as a flake input
-  nixGL.packages = nixgl.packages.${pkgs.system};
-  nixGL.defaultWrapper = "mesa";
-  nixGL.installScripts = [ "mesa" ];
+  targets.genericLinux.nixGL = {
+    packages = nixgl.packages.${pkgs.system};
+    defaultWrapper = "mesa";
+    installScripts = [ "mesa" ];
+  };
 
   programs.ghostty = lib.mkIf (config.enableShell && config.graphical.ghostty) {
     enable = true;
@@ -19,7 +21,7 @@
       font-family = "Source Code Pro";
       # theme = "idleToes";
       # theme = "CGA";
-      theme = "catppuccin-mocha";
+      theme = "Catppuccin Mocha";
       # theme = "CobaltNext";
       # clipboard-read = "allow";
       copy-on-select = true;

homeManagerModules/git.nix

@@ -3,19 +3,19 @@
   programs.git = lib.mkMerge [
     {
       enable = true;
-      extraConfig = {
+      settings = {
         credential.helper = "store --file ~/.git-credentials";
         init.defaultBranch = "main";
         push.autoSetupRemote = true;
       };
     }
     (lib.mkIf (config.profile == "personal") {
-      userName = "John Lancaster";
-      userEmail = "32917998+jsl12@users.noreply.github.com";
+      settings.user.name = "John Lancaster";
+      settings.user.email = "32917998+jsl12@users.noreply.github.com";
     })
     (lib.mkIf (config.profile == "work") {
-      userName = "John Lancaster";
-      userEmail = "john.lancaster@crowncastle.com";
+      settings.user.name = "John Lancaster";
+      settings.user.email = "john.lancaster@crowncastle.com";
     })
   ];
 }

homeManagerModules/restic/resticprofile.nix

@@ -59,6 +59,7 @@ in {
           rp schedule --all
         '')
         (pkgs.writeShellScriptBin "rp-test" "rp run-schedule backup@default --dry-run")
+        (pkgs.writeShellScriptBin "rp-test" "rp run-schedule backup@default --dry-run")
       ];
       xdg.configFile."resticprofile/profiles.yaml".source = yamlFormat.generate "profiles" {
         version = "2";

homeManagerModules/shell.nix

@@ -37,10 +37,10 @@
       ] ++ lib.optional config._1password "1password";
     };
     shellAliases.ls = "${pkgs.eza}/bin/eza -lgos type --no-time";
-    initContent = lib.mkIf config._1password '' 
-      if [ -f "${config.home.homeDirectory}/.config/op/plugins.sh" ]; then
-        source ${config.home.homeDirectory}/.config/op/plugins.sh
-      fi
-    '';
+    # initContent = lib.mkIf config._1password '' 
+    #   if [ -f "${config.home.homeDirectory}/.config/op/plugins.sh" ]; then
+    #     source ${config.home.homeDirectory}/.config/op/plugins.sh
+    #   fi
+    # '';
   };
 }

homeManagerModules/sops.nix

@@ -12,10 +12,36 @@ in
     age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
     defaultSopsFile = ../keys/secrets.yaml;
     defaultSopsFormat = "yaml";
+    
+    secrets."api/gmail_client_secret" = { };
+
+    templates."gmail_creds" = {
+      content = ''
+        {
+            "installed": {
+                "client_id": "499012320469-vtml6emu6bmujpsj9lud2b44jqu7h26j.apps.googleusercontent.com",
+                "project_id": "python-apis-423500",
+                "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+                "token_uri": "https://oauth2.googleapis.com/token",
+                "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+                "client_secret": "${config.sops.placeholder."api/gmail_client_secret"}",
+                "redirect_uris": [
+                    "http://localhost"
+                ]
+            }
+        }
+      '';
+      path = "${config.xdg.configHome}/sops-nix/gmail_api_credentials.json";
+    };
   };
+
+  home.sessionVariables = {
+    GMAIL_CREDS_PATH = "${config.xdg.configHome}/sops-nix/gmail_api_credentials.json";
+  };
+
   home.packages = with pkgs; [
     (writeShellScriptBin "edit-secrets" ''
-      sops --config ${sopsConfigPath} ${sopsSecretsPath}
+      ${sops}/bin/sops --config ${sopsConfigPath} ${sopsSecretsPath}
     '')
     sops
     age

homeManagerModules/ssh.nix

@@ -16,10 +16,18 @@
           hostname = "192.168.1.110";
           user = "root";
         };
+        "hermes" = {
+          hostname = "192.168.1.150";
+          user = "root";
+        };
         "panoptes" = {
           hostname = "192.168.1.107";
           user = "panoptes";
         };
+        "panoptes-root" = {
+          hostname = "192.168.1.107";
+          user = "root";
+        };
         "pve5070" = {
           hostname = "192.168.1.130";
           user = "root";

keys/secrets.yaml

@@ -1,15 +1,7 @@
 restic_password:
     john_ubuntu: ENC[AES256_GCM,data:Q4lUaFFDgoK9k4kQj7hSVKaFDGW0T+6V+OpFU5R528R3EKM7YJMgcFX+sK3mWl9XA4/6E1GeINpIqOpx+FP5Cf/8qt9sXBXCmXXSYdA4IH3RS6a1NkcIVjsTMvpn4q/fslCeYN4LB+r4pBGmdca105miqVun8J69cZGwjZ+wuxrMAP+mdnHdSUPycjNWJJzmEa3waQsygAi4A5cAN5sigOPBxe2pCTh/FEKoTgWmzHGJvcjrzuL6wNOpQrkMWwTsHCtbe9dyMP/fQpoBgYDT4W9Rd4XHhbrooje+g3x48EL1rkRIVVNRavpRUih/mjcdJGzzJ6jZmLLcc1f7SZIKZht7f+ZcdZl3rKQB+WanZgK/KAgKBRCrbIk2eeBZwkcRSw5kmGFU7x0azdIipJYj+3KHHQS5S2VW4j2tQG74xK3qaNJcSMjpKmdI1dHcPf0x2ILaDDV9Ts0H4GTOB2zO9iGy7x2tdPd4tugxxk5rr5rphTZL3lgUf0Ri/qMkJh9I8CsjUdvRycHeIEUZPmEVaIqJC2jrd2pBslis5VWD/6PHQBCob07d1fcpIYox4YXM3GcLg3OxiD8nZ7DTzGRMhciZtTKKWbBT8qzPud4ZQvDkT5l+XOpeM13wXFIMa13CwOzYeyWjycED0VQ/i3XRw9+9lg3cosfxaPdaFtv4MjV7Od62G/UJw3OxaQOHM2y24N+Q0pSBoTdDAFwDCH/kcqZji6ZrVTu4Rad8opcILJJcqC+pjegDvBtUdDz+G3/dFiS6m8RYIRb7qB5yEX/lCgzlECmRS2XP8uraNJ5NN8rtk0gdBtaI9/78YyAjLLGkjIcIR4uJA5buCZBR9jIdqf4f52fowbx18VPrwFXN2mYX6mPsKbDmaz0ILHq/I9n8bS/KM7gIQmTw/RAUwnmL4IRu8zHn6nmIqj6d8AkjYx7s6pG8OF8LgfhqZT7tdPKCd+n/HnYn1fZGSw26zHzPd4nKnVV1e3NYvX6CVwVycerGs9elOKtOI8GsrWYyXzJbfC+nWxbHKI/t6sxyzTBrHPR4r6l/CchQF+SfBs5aELKExe7h325qBB2y6EFdkbxTj1tPGqxttp9xJB1LUyNtwsEAkpD44JNqPxZCYHQbeVE3Oo3TYtRUSVWREc1WNIsfSG/anScYUhDEah9YyIdiG+O71QqegunusLoxmpF2rQtx7shtAvJV3skDBB0tFDoQyIV+yPo7kPV0D7Ig+Ba+mk5ASJrT9DXZ53Q2CCTLAuslU4MP7g22RX8rU3s2hFJq8m7wvMwpqa9Tr6O38i1wX4PhG1VRMM8EIlMQnLWWKmni6NbOYiRxFYJMioxH5SyE4ODQYXy5YIuLoRsX8VR6UqJ1GZb7sJf3M1aPOFOHzTN9hnziTRRe1KCMoBrAghrqhvL1VRr9X5PYMxnjBh6o0d5YTN0WOGD2iEVbCzqxFXcxQZBBp4KyNAAhFhGNw8WUp/rVoyCYn7+OEYFspY4FmGMTYhvxbq5LEptXeQgOP2ggBkqsw8sYP9oj1cb4kzBNv8M7nR9kM1EqvZpFV47phoTbBeMY4DZOJodkASFVM5/7ijWy/M9rtWMFMCXKURKkAQJRFADs0KqMJ5osnFFnubX7vKgK736XXF4+wIQuuHqEsYDZ90ftInxq8sYRnb2FZ0EV4yc8qqnz++fjwrAA5EV+zhL6l6hum1zL8JkUJ1ICKZ905If6nIeoul8MY3B1Cz4W+osN2Wtl8OeJ2t3iZx3wk/unVa8uDZH1owu47He68e2V8vpYxOaW4/hLyy/XuL5DukETrhRjC+7GbEaKaCwoA2UwAdqU,iv:N8ek+tp16WiZgjTDxXb0CRXH+MbLsl/oZ/OwcOoVRO0=,tag:uIzCSX0R/EObF/RdWxj64w==,type:str]
-hello: ENC[AES256_GCM,data:g/YDwjNQLs4pFRzFO3nwcbmeJd6tMLNNhhnSsAFyOQ8U8yjjUoCReDvrqpqBXIP1T9B80qyBVzxBY2bAYg==,iv:YdiJdG1ZjA95DGArtfaF1E8LomqW6oHCLmoSLQvwP+k=,tag:/ipWczAvhcjw5Jv7nvMF8A==,type:str]
-example_key: ENC[AES256_GCM,data:cLLYEiJbKg60ANK/h+kG,iv:1yrJt5JhbDP/9/Wb2l93fjwQF1hxERnxjPZ6qF4S/Bw=,tag:wbboaGylFJRSj4/TB+RCZg==,type:str]
-#ENC[AES256_GCM,data:c0Ay18GCW/gowNHmF67TMg==,iv:T+FN8xaVilVSETMQztl6lmpLqnGiyrXhJvWsO+dBdd0=,tag:1D6TkngB116dOeCAX85djg==,type:comment]
-example_array:
-    - ENC[AES256_GCM,data:yUJ7p5VfyQUANjbuz48=,iv:XTGb97tMV3mkPwNyKetSflLLlE31g9UgMPcelMPpNZ0=,tag:j5muB72Ogc/gtenvsWvpbQ==,type:str]
-    - ENC[AES256_GCM,data:8eQ2clCNBxPfdycPMOo=,iv:C9iT+wJH9ENJShNYo3IGceRwHyrlU6LUE7jpc+72KOw=,tag:YTbZqYJVMUoTRqD2ujTOvg==,type:str]
-example_number: ENC[AES256_GCM,data:LhABh/RtBsdKAg==,iv:JGYFnixDNZUIRKJcuaenvO8D60T+Jvx/R7SWxbIPXsM=,tag:+1b/aj3x1yfQZ2j4OM5dcg==,type:float]
-example_booleans:
-    - ENC[AES256_GCM,data:pGnelw==,iv:KAayJZ8px4Qupv0NfapSQ6valrVKndEtCb3U4MTmK/U=,tag:lkl+zBgkEMbFQjNssxYQjg==,type:bool]
-    - ENC[AES256_GCM,data:Vqqfp2w=,iv:SC1DS7G9/lHYtA6PPRbVsi/ZhyNUYvRjXxHIqCxqEPA=,tag:9hv6F1rP7xSd08KCKkuiLQ==,type:bool]
+api:
+    gmail_client_secret: ENC[AES256_GCM,data:du2gEY5TQIwpUEvJKDWKY3noLRGeiKek4IMwPUusVx8NMys=,iv:hIYi1xQYf6+hDhK0pNprBYu6wXwRH2yOTwQg6pzQa0A=,tag:sqmQ5GCkKbHpIy2R+Y5G/A==,type:str]
 sops:
     age:
         - recipient: age1f6drjusg866yscj8029tk4yfpgecklrvezldm02ankm6h8nnwu5s2u6ahy
@@ -30,7 +22,7 @@ sops:
             Mms2UEhFSU82UWR5Z1VvU25qenJUQm8KtQeZDIfJIczm1l8ql/WmVEf8KI9dg0vw
             9rNSjtBkEttVd21zUSOziG4513abllE8NFTkAc1z3HacuXpHTBnd5A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-29T00:12:59Z"
-    mac: ENC[AES256_GCM,data:5dQiEDyfeIYJt/l1wWH8y5cQm7+PqnUDwezCmyP7nvXs0z1lupYOHV62L5hqeQb7AELi4TriOokra4XdhHfr/QnI9capnYV6qTQrfvBE0EKsUQlxTmE6EnnTQuOWQy1iL8XgM3toEIH2mW2QNwme9k3fF/gGA8bL9t0+OEYGasU=,iv:kVDSFTHQG95rDfkp8sWJnxRQ5Wd9BjfPEzmuMm+alY0=,tag:3KFmBgW6pEEBFkOa14brDw==,type:str]
+    lastmodified: "2025-08-03T17:03:22Z"
+    mac: ENC[AES256_GCM,data:c3rcMHTRxbnpQoW5eLn0X1aCL1v2ft05UTcHaCuGiCaF3b/loVjEQr30pepBgR07PSleTIi375Y0Rj8ik8Ot3j+Zl5BR32bEtqf6gcWwz6oSmeORDrJS15698d7/avJl82/EC0ZN77j+fcdkWZrCJHb47HGfRxKl9L5HbyWasA4=,iv:g3d3C571uYpTTFixYZg+ztg8jTdof1g6Hb5gtRvpRkk=,tag:8kAxrUwUVeWvpYjWMDE+AA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

nixosModules/scripts.nix

@@ -12,5 +12,6 @@ in
       nix flake update --flake $FLAKE --impure
       sudo nixos-rebuild switch --flake $FLAKE#${hostName} --impure
     '')
+    (pkgs.writeShellScriptBin "test-dns" (builtins.readFile ../scripts/test-dns.sh))
   ];
 }

scripts/test-dns.sh

@@ -0,0 +1,110 @@
+#!/usr/bin/env bash
+
+# Function to test DNS resolution for a subdomain
+test_subdomain() {
+    local subdomain="$1"
+    local fqdn="${subdomain}.john-stream.com"
+    
+    echo "========================================"
+    echo "Testing DNS for: $fqdn"
+    echo "========================================"
+    echo ""
+
+    # Test panoptes
+    echo "📍 Testing: panoptes"
+    result=$(dig @panoptes "$fqdn" +short +time=2 +tries=1 2>&1)
+    if [ -n "$result" ]; then
+        echo "   ✅ Resolved to: $result"
+        dig @panoptes "$fqdn" +noall +answer +time=2 +tries=1 | sed 's/^/      /'
+    else
+        echo "   ❌ Failed to resolve"
+    fi
+    echo ""
+    
+    # Test CoreDNS (192.168.1.107)
+    echo "📍 Testing: 192.168.1.107 (CoreDNS)"
+    result=$(dig @192.168.1.107 "$fqdn" +short +time=2 +tries=1 2>&1)
+    if [ -n "$result" ]; then
+        echo "   ✅ Resolved to: $result"
+        dig @192.168.1.107 "$fqdn" +noall +answer +time=2 +tries=1 | sed 's/^/      /'
+    else
+        echo "   ❌ Failed to resolve"
+    fi
+    echo ""
+    
+    # Test Cloudflare DNS (1.1.1.1)
+    echo "📍 Testing: 1.1.1.1 (Cloudflare DNS)"
+    result=$(dig @1.1.1.1 "$fqdn" +short +time=2 +tries=1 2>&1)
+    if [ -n "$result" ]; then
+        echo "   ✅ Resolved to: $result"
+        dig @1.1.1.1 "$fqdn" +noall +answer +time=2 +tries=1 | sed 's/^/      /'
+    else
+        echo "   ❌ Failed to resolve"
+    fi
+    echo ""
+}
+
+# Function to check SSL certificate for the domain
+check_ssl_cert() {
+    local subdomain="$1"
+    local fqdn="${subdomain}.john-stream.com"
+    
+    echo "========================================"
+    echo "SSL Certificate Check for: $fqdn"
+    echo "========================================"
+    echo ""
+    
+    # Check if openssl is available
+    if ! command -v openssl &> /dev/null; then
+        echo "❌ openssl command not found. Please install openssl to check SSL certificates."
+        return 1
+    fi
+    
+    # Try to fetch SSL certificate information
+    echo "📍 Fetching SSL certificate information..."
+    cert_info=$(echo | openssl s_client -servername "$fqdn" -connect "$fqdn:443" 2>/dev/null | openssl x509 -noout -text 2>/dev/null)
+    
+    if [ -z "$cert_info" ]; then
+        echo "   ❌ Failed to retrieve SSL certificate. The domain may not be accessible via HTTPS."
+        return 1
+    fi
+    
+    # Extract and display key certificate information
+    echo "   ✅ SSL certificate found!"
+    echo ""
+    
+    # Get certificate details
+    cert_details=$(echo | openssl s_client -servername "$fqdn" -connect "$fqdn:443" 2>/dev/null | openssl x509 -noout -subject -issuer -dates 2>/dev/null)
+    
+    echo "📋 Certificate Details:"
+    echo "$cert_details" | sed 's/^/   /'
+    echo ""
+    
+    # Check certificate expiration
+    expiry_date=$(echo | openssl s_client -servername "$fqdn" -connect "$fqdn:443" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
+    
+    if [ -n "$expiry_date" ]; then
+        expiry_epoch=$(date -d "$expiry_date" +%s 2>/dev/null)
+        current_epoch=$(date +%s)
+        days_until_expiry=$(( ($expiry_epoch - $current_epoch) / 86400 ))
+        
+        if [ $days_until_expiry -lt 0 ]; then
+            echo "⚠️  Certificate Status: EXPIRED ($days_until_expiry days ago)"
+        elif [ $days_until_expiry -lt 30 ]; then
+            echo "⚠️  Certificate Status: Expiring soon ($days_until_expiry days remaining)"
+        else
+            echo "✅ Certificate Status: Valid ($days_until_expiry days remaining)"
+        fi
+    fi
+    echo ""
+}
+
+# Test the subdomain
+if [ -z "$1" ]; then
+    echo "Usage: $0 <subdomain>"
+    echo "Example: $0 appdaemon"
+    exit 1
+fi
+
+test_subdomain "$1"
+check_ssl_cert "$1"