think.greaterchiangmai.com is running on ramus

2025-12-06 11:26:18 +07:00
parent 6a4eeeb34b
commit b89e62b727
27 changed files with 1100 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -44,9 +44,24 @@
          ./machines
          ./routers
          ./inventories
+          ./overlays
+          ./tests
          ./modules/clan/flake-module.nix
          ./modules/nixos/flake-module.nix
        ];
+        perSystem =
+          { pkgs, system, ... }:
+          {
+            _module.args.pkgs = import inputs.nixpkgs {
+              inherit system;
+              overlays = [
+                inputs.self.overlays.packagesOverlay
+              ];
+              config = { };
+            };
+            packages.think = pkgs.think-gtcm;
+            packages.think-be = pkgs.think-backend-gtcm;
+          };
      }
    );
 }
--- a/machines/b4l/configuration.nix
+++ b/machines/b4l/configuration.nix
@@ -19,4 +19,18 @@
  services.nginx.virtualHosts."${config.networking.fqdn}" = {
    enableACME = true;
  };
+
+  clan.core.vars.generators.acme = {
+    share = true;
+    files.email.secret = false;
+
+    prompts.email = {
+      type = "line";
+      description = "Email for ACME registeration";
+    };
+
+    script = ''
+      cat $prompts/email > $out/email
+    '';
+  };
 }
--- a/machines/ramus/configuration.nix
+++ b/machines/ramus/configuration.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ self, config, ... }:
 {
  system.stateVersion = "25.11";
  nixpkgs.hostPlatform = {
@@ -12,4 +12,24 @@

  clan.core.sops.defaultGroups = [ "admins" ];
  clan.core.networking.targetHost = "root@[${config.clan.core.vars.generators.zerotier.files.zerotier-ip.value}]";
+
+  clan.core.vars.generators.acme = {
+    share = true;
+    files.email.secret = false;
+
+    prompts.email = {
+      type = "line";
+      description = "Email for ACME registeration";
+    };
+
+    script = ''
+      cat $prompts/email > $out/email
+    '';
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  security.acme.acceptTerms = true;
+
+  imports = [ ./think-greater-chiangmai.nix ];
 }
--- a/machines/ramus/think-greater-chiangmai.nix
+++ b/machines/ramus/think-greater-chiangmai.nix
@@ -0,0 +1,136 @@
+{ self, config, ... }:
+let
+  commonSettings = {
+    APP_NAME = "Laravel";
+    APP_ENV = "local";
+    APP_KEY._secret = config.clan.core.vars.generators.greaterchiangmai.files.app_key.path;
+    APP_DEBUG = "false";
+    APP_URL = "http://localhost";
+
+    DB_CONNECTION = "mysql";
+    DB_HOST = "localhost";
+    DB_PORT = 3306;
+    DB_DATABASE = "thinkgtcm";
+    DB_USERNAME = "gtcm";
+
+    R2_ACCESS_KEY_ID = config.clan.core.vars.generators.greaterchiangmai-s3.files.access_key_id.value;
+    R2_SECRET_ACCESS_KEY._secret =
+      config.clan.core.vars.generators.greaterchiangmai-s3.files.secret_access_key.path;
+    R2_REGION = config.clan.core.vars.generators.greaterchiangmai-s3.files.region.value;
+    R2_BUCKET = config.clan.core.vars.generators.greaterchiangmai-s3.files.bucket.value;
+    R2_ENDPOINT = config.clan.core.vars.generators.greaterchiangmai-s3.files.endpoint.value;
+
+    LOG_CHANNEL = "stack";
+    LOG_LEVEL = "debug";
+
+    FILESYSTEM_DISK = "local";
+
+    BROADCAST_DRIVER = "log";
+    CACHE_DRIVER = "file";
+    QUEUE_CONNECTION = "sync";
+    SESSION_DRIVER = "file";
+    SESSION_LIFETIME = 120;
+
+    MEMCACHED_HOST = "127.0.0.1";
+
+    REDIS_HOST = "127.0.0.1";
+    REDIS_PORT = 6379;
+
+    UPLOAD_MAX_FILESIZE = "5000M";
+    POST_MAX_SIZE = "5000M";
+
+    TEST_LOCAL = true;
+  };
+
+  baseDomain = "greaterchiangmai.com";
+  domain = "think.${baseDomain}";
+  domainBackend = "think-backend.${baseDomain}";
+in
+{
+  imports = [
+    self.nixosModules.think-gtcm
+    self.nixosModules.think-backend-gtcm
+  ];
+  nixpkgs.overlays = [ self.overlays.packagesOverlay ];
+
+  clan.core.vars.generators.greaterchiangmai = {
+    files = {
+      app_key = {
+        secret = true;
+        owner = config.services.think-greaterchiangmai.user;
+        group = config.services.think-greaterchiangmai.group;
+      };
+    };
+
+    prompts = {
+      app_key.persist = true;
+    };
+
+    script = ''
+      cat $prompts/app_key > $out/app_key
+    '';
+  };
+
+  clan.core.vars.generators.greaterchiangmai-s3 = {
+    files = {
+      access_key_id.secret = false;
+      secret_access_key = {
+        secret = true;
+        owner = config.services.think-greaterchiangmai.user;
+        group = config.services.think-greaterchiangmai.group;
+      };
+      endpoint.secret = false;
+      region.secret = false;
+      bucket.secret = false;
+    };
+
+    prompts = {
+      access_key_id.persist = true;
+      secret_access_key.persist = true;
+      endpoint.persist = true;
+      region.persist = true;
+      bucket.persist = true;
+    };
+
+    script = ''
+      cat $prompts/access_key_id > $out/access_key_id
+      cat $prompts/secret_access_key > $out/secret_access_key
+      cat $prompts/endpoint > $out/endpoint
+      cat $prompts/region > $out/region
+      cat $prompts/bucket > $out/bucket
+    '';
+  };
+
+  services.think-greaterchiangmai = {
+    enable = true;
+    domain = domain;
+    settings = commonSettings;
+  };
+  services.think-backend-greaterchiangmai = {
+    enable = true;
+    domain = domainBackend;
+    settings = commonSettings;
+  };
+
+  security.acme.certs = {
+    "${domain}" = {
+      email = config.clan.core.vars.generators.acme.files.email.value;
+      webroot = "/var/lib/acme/acme-challenge/${domain}";
+    };
+    "${domainBackend}" = {
+      email = config.clan.core.vars.generators.acme.files.email.value;
+      webroot = "/var/lib/acme/acme-challenge/${domainBackend}";
+    };
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    useACMEHost = domain;
+    acmeRoot = config.security.acme.certs.${domain}.webroot;
+  };
+  services.nginx.virtualHosts.${domainBackend} = {
+    forceSSL = true;
+    useACMEHost = domainBackend;
+    acmeRoot = config.security.acme.certs.${domainBackend}.webroot;
+  };
+}
--- a/modules/nixos/flake-module.nix
+++ b/modules/nixos/flake-module.nix
@@ -3,5 +3,11 @@
    common = {
      imports = [ ./common.nix ];
    };
+    think-gtcm = {
+      imports = [ ./think-gtcm.nix ];
+    };
+    think-backend-gtcm = {
+      imports = [ ./think-backend-gtcm.nix ];
+    };
  };
 }
--- a/modules/nixos/think-backend-gtcm.nix
+++ b/modules/nixos/think-backend-gtcm.nix
@@ -0,0 +1,292 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.think-backend-greaterchiangmai;
+  think-backend-gtcm = pkgs.think-backend-gtcm.override { dataDir = cfg.dataDir; };
+  defaultUser = "gtcm";
+  defaultGroup = "gtcm";
+
+  php = pkgs.php83;
+
+  artisan-be = pkgs.writeScriptBin "gtcm-be" ''
+    #! ${pkgs.runtimeShell}
+    cd ${think-backend-gtcm}
+    sudo() {
+      if [[ "$USER" != ${cfg.user} ]]; then
+        exec /run/wrappers/bin/sudo -u ${cfg.user} "$@"
+      else
+        exec "$@"
+      fi
+    }
+    sudo ${lib.getExe php} artisan "$@"
+  '';
+
+in
+{
+  options.services.think-backend-greaterchiangmai = {
+    enable = lib.mkEnableOption "To enable think.greaterchiangmai.com";
+
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/think-backend.greaterchiangmai.com";
+      description = ''A place where to store states'';
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = defaultUser;
+      description = "User account under which this runs.";
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = defaultGroup;
+      defaultText = "${defaultGroup}";
+      description = "Group under which the website runs.";
+    };
+
+    package = lib.mkPackageOption pkgs "think-backend-gtcm" { };
+
+    domain = lib.mkOption {
+      type = lib.types.str;
+      default = "think-backend.greaterchiangmai.com";
+      example = "forum.example.com";
+      description = "Domain to serve on.";
+    };
+
+    settings = lib.mkOption {
+      type =
+        with lib.types;
+        attrsOf (
+          nullOr (
+            either
+              (oneOf [
+                bool
+                int
+                port
+                path
+                str
+              ])
+              (submodule {
+                options = {
+                  _secret = lib.mkOption {
+                    type = nullOr str;
+                    description = ''
+                      The path to a file containing the value the
+                      option should be set to in the final
+                      configuration file.
+                    '';
+                  };
+                };
+              })
+          )
+        );
+      default = { };
+      description = ''
+        Options for settings environment variables
+      '';
+      example = lib.literalExpression ''
+        {
+          APP_NAME = "Laravel";
+          APP_ENV = "local";
+          APP_KEY = "key";
+          APP_DEBUG = true;
+          APP_URL = "http://localhost";
+
+          LOG_CHANNEL = "stack";
+          LOG_DEPRECATIONS_CHANNEL = "null";
+          LOG_LEVEL = "debug";
+
+          DB_CONNECTION = "mysql";
+          DB_HOST = "127.0.0.1";
+          DB_PORT = "3306";
+          DB_DATABASE = "laravel";
+          DB_USERNAME = "root";
+          DB_PASSWORD = "";
+        }
+      '';
+    };
+
+  };
+  config = lib.mkIf cfg.enable {
+    users.users.${cfg.user} = lib.mkForce {
+      isSystemUser = true;
+      home = cfg.dataDir;
+      createHome = true;
+      homeMode = "755";
+      group = cfg.group;
+    };
+    users.groups.${cfg.group} = { };
+
+    services.phpfpm.pools.think-backend-gtcm = {
+      inherit (cfg) user group;
+      phpPackage = php;
+      settings = {
+        "listen.owner" = config.services.nginx.user;
+        "listen.group" = config.services.nginx.group;
+        "listen.mode" = "0600";
+        "pm" = lib.mkDefault "dynamic";
+        "pm.max_children" = lib.mkDefault 10;
+        "pm.max_requests" = lib.mkDefault 500;
+        "pm.start_servers" = lib.mkDefault 2;
+        "pm.min_spare_servers" = lib.mkDefault 1;
+        "pm.max_spare_servers" = lib.mkDefault 3;
+      };
+      phpOptions = ''
+        error_log = syslog
+        log_errors = on
+      '';
+    };
+
+    environment.systemPackages = [
+      artisan-be
+    ];
+
+    services.think-backend-greaterchiangmai.settings = {
+      APP_SERVICES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/services.php";
+      APP_PACKAGES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/packages.php";
+      APP_CONFIG_CACHE = lib.mkDefault "${cfg.dataDir}/cache/config.php";
+      APP_ROUTES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/routes-v7.php";
+      APP_EVENTS_CACHE = lib.mkDefault "${cfg.dataDir}/cache/events.php";
+    };
+
+    systemd.services.think-backend-gtcm-setup = {
+      description = "think-backend.greaterchiangmai installation";
+      requiredBy = [ "phpfpm-think-backend-gtcm.service" ];
+      before = [ "phpfpm-think-backend-gtcm.service" ];
+      requires = [ "mysql.service" ];
+      after = [ "mysql.service" ];
+      serviceConfig = {
+        type = "oneshot";
+        RemainAfterExit = true;
+        User = cfg.user;
+        UMask = 77;
+        WorkingDirectory = "${think-backend-gtcm}";
+        RuntimeDirectory = "think-backend-gtcm/cache";
+        RuntimeDirectoryMode = 700;
+      };
+      path = [ pkgs.replace-secret ];
+      script =
+        let
+          isSecret = v: lib.isAttrs v && v ? _secret && lib.isString v._secret;
+          gtcmEnvVars = lib.generators.toKeyValue {
+            mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" {
+              mkValueString =
+                v:
+                with builtins;
+                if isInt v then
+                  toString v
+                else if isString v then
+                  v
+                else if true == v then
+                  "true"
+                else if false == v then
+                  "false"
+                else if isSecret v then
+                  hashString "sha256" v._secret
+                else
+                  throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty { }) v}";
+            };
+          };
+          secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.settings);
+          mkSecretReplacement = file: ''
+            replace-secret ${
+              lib.escapeShellArgs [
+                (builtins.hashString "sha256" file)
+                file
+                "${cfg.dataDir}/.env"
+              ]
+            }
+          '';
+          secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
+          filteredConfig = lib.converge (lib.filterAttrsRecursive (
+            _: v:
+            !lib.elem v [
+              { }
+              null
+            ]
+          )) cfg.settings;
+          gtcmEnv = pkgs.writeText "gtcm-be.env" (gtcmEnvVars filteredConfig);
+        in
+        ''
+          # error handling
+          set -euo pipefail
+
+          # create .env file
+          install -T -m 0600 -o ${cfg.user} ${gtcmEnv} "${cfg.dataDir}/.env"
+          ${secretReplacements}
+          if ! grep 'APP_KEY=base64:' "${cfg.dataDir}/.env" >/dev/null; then
+            sed -i 's/APP_KEY=/APP_KEY=base64:/' "${cfg.dataDir}/.env"
+          fi
+
+          # migrate & seed db
+          ${lib.getExe php} artisan key:generate --force
+          ${lib.getExe php} artisan migrate --force
+          ${lib.getExe php} artisan config:cache
+        '';
+    };
+
+    systemd.tmpfiles.rules = [
+      "d ${cfg.dataDir}                            0710 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/cache                      0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/public                     0750 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/public/uploads             0750 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage                    0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/app                0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/fonts              0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/framework          0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/framework/cache    0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/framework/sessions 0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/framework/views    0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/logs               0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/uploads            0700 ${cfg.user} ${cfg.group} - -"
+    ];
+
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    services.nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedBrotliSettings = true;
+      recommendedProxySettings = true;
+      virtualHosts."${cfg.domain}" = {
+        root = "${think-backend-gtcm}/public";
+        locations = {
+          "/" = {
+            index = "index.php";
+            tryFiles = "$uri $uri/ /index.php?$query_string";
+          };
+          "~ \\.php$".extraConfig = ''
+            fastcgi_pass unix:${config.services.phpfpm.pools."think-backend-gtcm".socket};
+          '';
+          "~ \\.(js|css|gif|png|ico|jpg|jpeg)$" = {
+            extraConfig = "expires 365d;";
+          };
+        };
+      };
+    };
+
+    services.mysql = {
+      enable = true;
+      package = lib.mkForce pkgs.mariadb;
+      ensureDatabases = [ cfg.settings.DB_DATABASE ];
+      ensureUsers = [
+        {
+          name = cfg.settings.DB_USERNAME;
+          ensurePermissions = {
+            "${cfg.settings.DB_DATABASE}.*" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+    };
+  };
+}
--- a/modules/nixos/think-gtcm.nix
+++ b/modules/nixos/think-gtcm.nix
@@ -0,0 +1,295 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.think-greaterchiangmai;
+  think-gtcm = pkgs.think-gtcm.override { dataDir = cfg.dataDir; };
+  defaultUser = "gtcm";
+  defaultGroup = "gtcm";
+
+  php = pkgs.php83;
+
+  artisan = pkgs.writeScriptBin "gtcm" ''
+    #! ${pkgs.runtimeShell}
+    cd ${think-gtcm}
+    sudo() {
+      if [[ "$USER" != ${cfg.user} ]]; then
+        exec /run/wrappers/bin/sudo -u ${cfg.user} "$@"
+      else
+        exec "$@"
+      fi
+    }
+    sudo ${lib.getExe php} artisan "$@"
+  '';
+
+in
+{
+  options.services.think-greaterchiangmai = {
+    enable = lib.mkEnableOption "To enable think.greaterchiangmai.com";
+
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/think.greaterchiangmai.com";
+      description = ''A place where to store states'';
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = defaultUser;
+      description = "User account under which this runs.";
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = defaultGroup;
+      defaultText = "${defaultGroup}";
+      description = "Group under which the website runs.";
+    };
+
+    package = lib.mkPackageOption pkgs "think-gtcm" { };
+
+    packageBackend = lib.mkPackageOption pkgs "think-backend-gtcm" { };
+
+    domain = lib.mkOption {
+      type = lib.types.str;
+      default = "think.greaterchiangmai.com";
+      example = "forum.example.com";
+      description = "Domain to serve on.";
+    };
+
+    settings = lib.mkOption {
+      type =
+        with lib.types;
+        attrsOf (
+          nullOr (
+            either
+              (oneOf [
+                bool
+                int
+                port
+                path
+                str
+              ])
+              (submodule {
+                options = {
+                  _secret = lib.mkOption {
+                    type = nullOr str;
+                    description = ''
+                      The path to a file containing the value the
+                      option should be set to in the final
+                      configuration file.
+                    '';
+                  };
+                };
+              })
+          )
+        );
+      default = { };
+      description = ''
+        Options for settings environment variables
+      '';
+      example = lib.literalExpression ''
+        {
+          APP_NAME = "Laravel";
+          APP_ENV = "local";
+          APP_KEY = "key";
+          APP_DEBUG = true;
+          APP_URL = "http://localhost";
+
+          LOG_CHANNEL = "stack";
+          LOG_DEPRECATIONS_CHANNEL = "null";
+          LOG_LEVEL = "debug";
+
+          DB_CONNECTION = "mysql";
+          DB_HOST = "127.0.0.1";
+          DB_PORT = "3306";
+          DB_DATABASE = "laravel";
+          DB_USERNAME = "root";
+          DB_PASSWORD = "";
+        }
+      '';
+    };
+
+  };
+  config = lib.mkIf cfg.enable {
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      home = cfg.dataDir;
+      createHome = true;
+      homeMode = "755";
+      group = cfg.group;
+    };
+    users.groups.${cfg.group} = { };
+
+    services.phpfpm.pools.think-gtcm = {
+      inherit (cfg) user group;
+      phpPackage = php;
+      settings = {
+        "listen.owner" = config.services.nginx.user;
+        "listen.group" = config.services.nginx.group;
+        "listen.mode" = "0600";
+        "pm" = lib.mkDefault "dynamic";
+        "pm.max_children" = lib.mkDefault 10;
+        "pm.max_requests" = lib.mkDefault 500;
+        "pm.start_servers" = lib.mkDefault 2;
+        "pm.min_spare_servers" = lib.mkDefault 1;
+        "pm.max_spare_servers" = lib.mkDefault 3;
+      };
+      phpOptions = ''
+        error_log = syslog
+        log_errors = on
+      '';
+    };
+
+    environment.systemPackages = [
+      artisan
+    ];
+
+    services.think-greaterchiangmai.settings = {
+      APP_SERVICES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/services.php";
+      APP_PACKAGES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/packages.php";
+      APP_CONFIG_CACHE = lib.mkDefault "${cfg.dataDir}/cache/config.php";
+      APP_ROUTES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/routes-v7.php";
+      APP_EVENTS_CACHE = lib.mkDefault "${cfg.dataDir}/cache/events.php";
+    };
+
+    systemd.services.think-gtcm-setup = {
+      description = "think.greaterchiangmai installation";
+      requiredBy = [ "phpfpm-think-gtcm.service" ];
+      before = [ "phpfpm-think-gtcm.service" ];
+      requires = [ "mysql.service" ];
+      after = [ "mysql.service" ];
+      serviceConfig = {
+        type = "oneshot";
+        RemainAfterExit = true;
+        User = cfg.user;
+        UMask = 77;
+        WorkingDirectory = "${think-gtcm}";
+        RuntimeDirectory = "think-gtcm/cache";
+        RuntimeDirectoryMode = 700;
+      };
+      path = [ pkgs.replace-secret ];
+      script =
+        let
+          isSecret = v: lib.isAttrs v && v ? _secret && lib.isString v._secret;
+          gtcmEnvVars = lib.generators.toKeyValue {
+            mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" {
+              mkValueString =
+                v:
+                with builtins;
+                if isInt v then
+                  toString v
+                else if isString v then
+                  v
+                else if true == v then
+                  "true"
+                else if false == v then
+                  "false"
+                else if isSecret v then
+                  hashString "sha256" v._secret
+                else
+                  throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty { }) v}";
+            };
+          };
+          secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.settings);
+          mkSecretReplacement = file: ''
+            replace-secret ${
+              lib.escapeShellArgs [
+                (builtins.hashString "sha256" file)
+                file
+                "${cfg.dataDir}/.env"
+              ]
+            }
+          '';
+          secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
+          filteredConfig = lib.converge (lib.filterAttrsRecursive (
+            _: v:
+            !lib.elem v [
+              { }
+              null
+            ]
+          )) cfg.settings;
+          gtcmEnv = pkgs.writeText "gtcm.env" (gtcmEnvVars filteredConfig);
+        in
+        ''
+          # error handling
+          set -euo pipefail
+
+          # create .env file
+          install -T -m 0600 -o ${cfg.user} ${gtcmEnv} "${cfg.dataDir}/.env"
+          ${secretReplacements}
+          if ! grep 'APP_KEY=base64:' "${cfg.dataDir}/.env" >/dev/null; then
+            sed -i 's/APP_KEY=/APP_KEY=base64:/' "${cfg.dataDir}/.env"
+          fi
+
+          # migrate & seed db
+          ${lib.getExe php} artisan key:generate --force
+          ${lib.getExe php} artisan migrate --force
+          ${lib.getExe php} artisan config:cache
+        '';
+    };
+
+    systemd.tmpfiles.rules = [
+      "d ${cfg.dataDir}                            0710 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/cache                      0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/public                     0750 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/public/uploads             0750 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage                    0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/app                0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/fonts              0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/framework          0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/framework/cache    0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/framework/sessions 0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/framework/views    0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/logs               0700 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.dataDir}/storage/uploads            0700 ${cfg.user} ${cfg.group} - -"
+    ];
+
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    services.nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedBrotliSettings = true;
+      recommendedProxySettings = true;
+      virtualHosts."${cfg.domain}" = {
+        root = "${think-gtcm}/public";
+        locations = {
+          "/" = {
+            index = "index.php";
+            tryFiles = "$uri $uri/ /index.php?$query_string";
+          };
+
+          "~ \\.php$".extraConfig = ''
+            fastcgi_pass unix:${config.services.phpfpm.pools."think-gtcm".socket};
+          '';
+          "~ \\.(js|css|gif|png|ico|jpg|jpeg)$" = {
+            extraConfig = "expires 365d;";
+          };
+        };
+      };
+    };
+
+    services.mysql = {
+      enable = true;
+      package = pkgs.mariadb;
+      ensureDatabases = [ cfg.settings.DB_DATABASE ];
+      ensureUsers = [
+        {
+          name = cfg.settings.DB_USERNAME;
+          ensurePermissions = {
+            "${cfg.settings.DB_DATABASE}.*" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+    };
+  };
+}
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  flake.overlays = {
+    packagesOverlay = import ../pkgs/overlay.nix;
+  };
+}
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -0,0 +1,4 @@
+final: prev: {
+  think-gtcm = final.callPackage ./think-gtcm.nix { };
+  think-backend-gtcm = final.callPackage ./think-backend-gtcm.nix { php = final.php83; };
+}
--- a/pkgs/think-backend-gtcm.nix
+++ b/pkgs/think-backend-gtcm.nix
@@ -0,0 +1,32 @@
+{
+  fetchgit,
+  php,
+  dataDir ? "/var/lib/think-backend-gtcm",
+}:
+let
+  repoSrc = fetchgit {
+    url = "https://git.b4l.co.th/newedge/think-greaterchiangmai";
+    rev = "7c17aa78436538241c09fc7d633904d3c063011e";
+    hash = "sha256-GDx0+PmuCXC+UPtsvsocCZQiTPcnOZEzJI17sxrVv7Q=";
+  };
+  src = "${repoSrc}/think-backend.greaterchiangmai.com";
+in
+php.buildComposerProject2 (finalAttrs: {
+  pname = "think-backend-gtcm";
+  version = "1.0.0";
+
+  inherit src;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out
+    cp -R * $out
+    rm -rf $out/storage
+    ln -s ${dataDir}/.env $out/.env
+    ln -s ${dataDir}/storage $out/storage
+    runHook postInstall
+  '';
+
+  composerStrictValidation = false;
+  vendorHash = "sha256-eXm1x3E9KHWojaT2RU4inMdZqQVcWdLCKlvzhOlIZrc=";
+})
--- a/pkgs/think-gtcm.nix
+++ b/pkgs/think-gtcm.nix
@@ -0,0 +1,32 @@
+{
+  fetchgit,
+  php,
+  dataDir ? "/var/lib/think-gtcm",
+}:
+let
+  repoSrc = fetchgit {
+    url = "https://git.b4l.co.th/newedge/think-greaterchiangmai";
+    rev = "7c17aa78436538241c09fc7d633904d3c063011e";
+    hash = "sha256-GDx0+PmuCXC+UPtsvsocCZQiTPcnOZEzJI17sxrVv7Q=";
+  };
+  src = "${repoSrc}/think.greaterchiangmai.com";
+in
+php.buildComposerProject2 (finalAttrs: {
+  pname = "think-gtcm";
+  version = "1.0.0";
+
+  inherit src;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out
+    cp -R * $out
+    rm -rf $out/storage
+    ln -s ${dataDir}/.env $out/.env
+    ln -s ${dataDir}/storage $out/storage
+    runHook postInstall
+  '';
+
+  composerStrictValidation = false;
+  vendorHash = "sha256-QV3hR3U3GwCqrCRxfkazmJwDpO1vFyMfA6YqUb4bjMI=";
+})
--- a/tests/default.nix
+++ b/tests/default.nix
@@ -0,0 +1,16 @@
+{ self, ... }:
+{
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks =
+        let
+          checkArgs = {
+            inherit pkgs self;
+          };
+        in
+        {
+          think-gtcm = import ./tests/think-gtcm.nix checkArgs;
+        };
+    };
+}
--- a/tests/lib.nix
+++ b/tests/lib.nix
@@ -0,0 +1,18 @@
+test:
+# These arguments are provided by `flake.nix` on import, see checkArgs
+{ pkgs, self }:
+let
+  inherit (pkgs) lib;
+  # this imports the nixos library that contains our testing framework
+  nixos-lib = import (pkgs.path + "/nixos/lib") { };
+in
+(nixos-lib.runTest {
+  hostPkgs = pkgs;
+  # This speeds up the evaluation by skipping evaluating documentation (optional)
+  defaults.documentation.enable = lib.mkDefault false;
+  # This makes `self` available in the NixOS configuration of our virtual machines.
+  # This is useful for referencing modules or packages from your own flake
+  # as well as importing from other flakes.
+  node.specialArgs = { inherit self; };
+  imports = [ test ];
+}).config.result
--- a/tests/tests/think-gtcm.nix
+++ b/tests/tests/think-gtcm.nix
@@ -0,0 +1,102 @@
+(import ../lib.nix) {
+  name = "think-gtcm";
+  nodes =
+    let
+      settings = {
+
+        DB_CONNECTION = "mysql";
+        DB_HOST = "localhost";
+        DB_PORT = 3306;
+        DB_DATABASE = "thinkgtcm";
+        DB_USERNAME = "gtcm";
+        DB_PASSWORD = "";
+
+        APP_NAME = "Laravel";
+        APP_ENV = "local";
+        APP_DEBUG = "false";
+        APP_URL = "http://localhost";
+
+        LOG_CHANNEL = "stack";
+        LOG_LEVEL = "debug";
+
+        BROADCAST_DRIVER = "log";
+        CACHE_DRIVER = "file";
+        FILESYSTEM_DISK = "local";
+        QUEUE_CONNECTION = "sync";
+        SESSION_DRIVER = "file";
+        SESSION_LIFETIME = "120";
+
+        MEMCACHED_HOST = "127.0.0.1";
+
+        REDIS_HOST = "127.0.0.1";
+        REDIS_PASSWORD = "null";
+        REDIS_PORT = "6379";
+
+        MAIL_MAILER = "smtp";
+        MAIL_HOST = "mailpit";
+        MAIL_PORT = "1025";
+        MAIL_USERNAME = "null";
+        MAIL_PASSWORD = "null";
+        MAIL_ENCRYPTION = "null";
+        MAIL_FROM_ADDRESS = "hello@example.com";
+
+        AWS_DEFAULT_REGION = "us-east-1";
+        AWS_USE_PATH_STYLE_ENDPOINT = "false";
+
+        PUSHER_PORT = 443;
+        PUSHER_SCHEME = "https";
+        PUSHER_APP_CLUSTER = "mt1";
+
+        UPLOAD_MAX_FILESIZE = "5000M";
+        POST_MAX_SIZE = "5000M";
+
+        TEST_LOCAL = "false";
+      };
+    in
+    {
+      gtcm1 =
+        { self, ... }:
+        {
+          nixpkgs.overlays = [ self.overlays.packagesOverlay ];
+          imports = [ self.nixosModules.think-gtcm ];
+          services.think-greaterchiangmai = {
+            enable = true;
+            settings = settings // {
+              APP_SERVICES_CACHE = "/run/think-gtcm/cache/services.php";
+              APP_PACKAGES_CACHE = "/run/think-gtcm/cache/packages.php";
+              APP_CONFIG_CACHE = "/run/think-gtcm/cache/config.php";
+              APP_ROUTES_CACHE = "/run/think-gtcm/cache/routes-v7.php";
+              APP_EVENTS_CACHE = "/run/think-gtcm/cache/events.php";
+            };
+          };
+        };
+      backend1 =
+        { self, ... }:
+        {
+          nixpkgs.overlays = [ self.overlays.packagesOverlay ];
+          imports = [ self.nixosModules.think-backend-gtcm ];
+          services.think-backend-greaterchiangmai = {
+            enable = true;
+            settings = settings // {
+              APP_SERVICES_CACHE = "/run/think-backend-gtcm/cache/services.php";
+              APP_PACKAGES_CACHE = "/run/think-backend-gtcm/cache/packages.php";
+              APP_CONFIG_CACHE = "/run/think-backend-gtcm/cache/config.php";
+              APP_ROUTES_CACHE = "/run/think-backend-gtcm/cache/routes-v7.php";
+              APP_EVENTS_CACHE = "/run/think-backend-gtcm/cache/events.php";
+            };
+          };
+        };
+    };
+  # This is the test code that will check if our service is running correctly:
+  testScript = ''
+    start_all()
+
+    gtcm1.wait_for_unit("phpfpm-think-gtcm")
+    gtcm1.wait_for_open_port(80)
+    output = gtcm1.succeed("curl localhost")
+
+    backend1.wait_for_unit("phpfpm-think-backend-gtcm")
+    backend1.wait_for_open_port(80)
+    output = backend1.succeed("curl localhost")
+  '';
+}
--- a/vars/per-machine/ramus/greaterchiangmai-s3/access_key_id/value
+++ b/vars/per-machine/ramus/greaterchiangmai-s3/access_key_id/value
@@ -0,0 +1 @@
+OR2B5S75FZ59MD19SRR0
--- a/vars/per-machine/ramus/greaterchiangmai-s3/bucket/value
+++ b/vars/per-machine/ramus/greaterchiangmai-s3/bucket/value
@@ -0,0 +1 @@
+greaterchiangmai
--- a/vars/per-machine/ramus/greaterchiangmai-s3/endpoint/value
+++ b/vars/per-machine/ramus/greaterchiangmai-s3/endpoint/value
@@ -0,0 +1 @@
+fsn1.your-objectstorage.com
--- a/vars/per-machine/ramus/greaterchiangmai-s3/region/value
+++ b/vars/per-machine/ramus/greaterchiangmai-s3/region/value
@@ -0,0 +1 @@
+fsn1
--- a/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/groups/admins
+++ b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/groups/admins
@@ -0,0 +1 @@
+../../../../../../sops/groups/admins
--- a/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/machines/ramus
+++ b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/machines/ramus
@@ -0,0 +1 @@
+../../../../../../sops/machines/ramus
--- a/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/secret
+++ b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/secret
@@ -0,0 +1,50 @@
+{
+	"data": "ENC[AES256_GCM,data:S1TJMu2gZ7hYElZJls8de+apoI+uRPgYjCvN2VDZFX6iCp7WovmJcA==,iv:h4MzIeuoxnn8HTGyr30YoApGLW7UBYCO7sCvMKq7DiY=,tag:J0feK8Mf57vQgaIaJN4ccQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age134vt63pjqpd0m7702fyn8vhdlzyj2deqc2q78sp9uw9052kxsgwq6d25ez",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dFVYa1lBNXAzTURmb2pU\nRmhQZ2JjcllyZkQvR3EzVXFUNllsZDRSQlI0CnhDbFVmU2Z3Nm1vOW1MSFRpNFNR\nOHFUYmVyT3k4eExKZktjMDQxZXMwWUEKLS0tIHVud3hOeFdhRzJPQnNRYVNER0M2\neW1Oa1ZCMzg5dTJOY042VTlrS1cwUzQKri7DRDV8MDkmpQ6ji6q6d+3XvcLlzqGW\nYWuQTXctNtgkAbNvJXaR5MIl6Y7yR6L2T38IPQfqups+miT9jxmDBw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age17d4qt0n9edq57tgcqyk8eu5mrendl59yt6z2y3a4vkq7el8krqtq6lq28g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEV1lpeFAzZjVmNGYxWEps\nWDBScUZCRVVyWlRwZzFvRWhvaU9XRGs3aGd3Cmc3V3NrbjZrL3Vzclpubkp4cUZi\nT0k3ODk0VXpoN3dJRHRsYUFPQU1IQ28KLS0tICtqT3E2WFpUQUpYVFJ3UFBscjVj\nM1UzQTNNcDJ5akloNWduZEROaEo0MUkKkXa5n45LJnwcC4+ww9XdYvHZHNDw1R9W\npYzwhAz+lNt5BAagxgPXyqjk1Z3tUrCDsAq+heeoYiX3UddPTmAY3g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1egztkqupggjcpy4g9tfwq6kqeh3ljw7enzhx4l53hjge73wmdscqy5qwfp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNmhNaHRlWEErbW8zQjJu\nTE1SVFAxMGhvU1ZlU2hHck9RaFVCTnIvdkNrClFEMk5wU1JjNW1oZjZCU0dXeXc4\nNHJkOHJGWFIyWGhYN1NzeDRIMHp4ZWsKLS0tIGNwOGp4ZTJiWHVjdG9ma2tXSGwx\nTUdCZFhhdzRibWdtSXg0RVZ0SkMzYXcK48wgvcKMHljIqYQp7RpkJDg9Rl4csJS9\n/fW3j3Ie6EipdlJqtvS1+LdtYZSBuJm7zORiuol/iGlXMCEvfw1Jog==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1fido2-hmac1qqpf43tgcfjm048lsqskvq34w2t4uvrm5qy6m2eg6zjj82ctca8wctgpczxvj0q4y6337uhvsxdh5j86k9h9ymautpvv2759ucwnef75ez7pa7fpkddklp40mxk2tedsp74359g0kefn5rsq0x0yss6cu4yd0h06up0rp08t6yc4l0hfa9y8jn5fkx6nk0hjhz06ykwv0fyxe7z42q683jy0",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIHNqYkVDaXNC\ndXlGNGlIT0h4STVYeldhSzVuVmpZMjMvOUNqYnZrc3lJRDAgQVEgd0l6SlBCVW1v\neDl5N0lHYmVrajZzVzVTYjd4WVdNVjZoZVlkUEtmVXlMdyBIdmtoczF0dmhxL1py\nS1hsc0ErckdoVVB0bE02RGdCNW5raERXT1ZJMTkzNjRGNHd2T3ZSTVYrKzZlbEll\nVTZKc2JVN1B2SzRuNkpaekhwSWJQaFZVQQpadUxyK1A1d3dQUXRPS2x4U3l4SlpB\nT2s0TklUd2ZVZnB4U2ZQWWtVTS9NCi0tLSBQSGU4Q3docmRsU2RFaXh4NkFDRGta\najNud3hBd2ttNm5ZWVl2WlE4eUhVCttjnItGsd5GHFDDPL2ItUNoKbOkjdnE7OKA\nUArOm9TjFvUScNml5eoXnQ2mAZjJYnGxdxg+gWQX29ZnWQtMf4g=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1fido2-hmac1qqprw0vfpc8wzsu78quc777kmee54ln6nnsjrnrhl7nr33eh4kvkksqp05qqxj4kgfzrmrugrsvg7skx6ghh3q9xc0x0agthtkvy25d9eq7eklta5wf7s30hexkuyl5546rdz9ffa5tawlp5yweqkgccntw0ny540n2am3cqw3luhxkfmrp63kwr6mwplhr9u26wll48x0n3k5f60c7hg9a3",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIGJMdmZPSkMy\nV2d1K3NsOEhMZG5DbnRQVzhuNlFqL0RwVldMVXo5ZVlEQ2MgQVEgZlFBRFNyWkNS\nRDJQaUJ3WWowTEcwaTk0Z0tiRHpQNmhkMTJZUlZHbHlEMCBtMzE5bzVQb1JmZkpy\nY0orbEs2RzBSVXA3UmZYZkRRanNnc2pHSnJjK1pLVmZOWGR4d0IwZjh1YXlkakRx\nTm5EMXR3ZjNHWGl0Ty8rcHpQbkcxRTZmZwpVbzhtWWYyVkVKMU8yU2l4Qmd2S0Fo\neHNTQ0RBSGZCY0x0TnVsQTliMlJzCi0tLSBrM2h3K00zRDBoVXZmcWdacEpKRVlG\ncU85UVUzT3V2a2JySmMvZ2hsMVQ0Cuftyp9Ufwnu/ukn+FtpneEDkGL+t/p8nyk7\nbQeAgazV1ugIQkTabP29CLiIbxz9DWdqwbBh+/kO0EvX6Z1kyZ0=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1fido2-hmac1qqpyewum3q8dfcumfgec8nn958aec9f4q9aqy0k06kw5kq27d6fdqdgp0p7y4ru3n5xk90u747xevxa2af3v37e85j9g3axrmw5hdwdfh0wz22hut5vrafxsx26a7vh8fjwkymz3ramfgvvu4detztu075kmpr8l9ydqda0rnjwatdwmfgswg849p37astvld98s3nleeq575azlwc2hhpuh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIDJiMk53aVND\nTVc1eWJTQ0g0VlVvQ2RSM01NTlp5eGJMcWR5Ym1Zdzc5Z3cgQVEgZUh4S2o1R2RE\nV0svbnErTmxodXE2bUxJK3lla2lvajB3OXVwZHJtcHU5dyBKU3I4WFJnK3BOQXl0\nZDh5NTB5ZFlteFJIM2FVTVp5cmNyRXZqL1V0c0l6L0tSb0c5ZU9jbmRXMTIwb2c1\nQjZsREgzWUxaOXBUd2pQK2NncDZuUmZkZwpDQlJ3UnRnZG9ueDRXTlY1RTZ6VWRV\ndXg0YnBQT0VMQlJDbW4zeUVFcFhRCi0tLSBvMUw0WXRwRzJMT3lIVEkzMVl3RzBO\nd0pqdmdTVWpqTnd1a0JnT2RFaHZnClM3hxods/5D8p/URVeUBaQWzfJk83LNbfC0\nw0J1xYwjS/eLpcM8mLl/iis0xvrpNyGhh4iHS9U0xraio+37KJA=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hlzrpqqgndcthq5m5yj9egfgyet2fzrxwa6ynjzwx2r22uy6m3hqr3rd06",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBseUlWZjdnWGFsNUdRR0xx\ncm5XSi9zRDk4ck8zNWxwT3R0MjRxY0dNUFFNCm5NSXV4LzVEaGU0VTBBek9WaXBR\nangxU0xoY1RIaXhiM3ZEZ0lVMUR0UzgKLS0tIE1RMGtlamhkbFYzbGl0Rjc5VXQv\nTkRmVDR4aUl4SVpSMWxjaGNKK1NXaEkKtbiv7giW8dhpjluM3JBWFYZJn2TqEQNY\nCgHXR7o4qaG67UmGpUTqxxNIpWBtI5JFiqoy2wIdOolQZ70qxfQ7Yg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1sg0rvgyetdcqw7j2x983fh69kdkvqsngpe5x36e5920qa7fze3cqhj4wgx",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwekdoekt3akovTVZVVzV5\nQ3lNU05ET2dmUmRsb0dhSXlXemhPVCtGbVRRCndUWnRyVytPdzRMOVhjZzZiSlNw\nU1pLZmZhMDZGVVFhL3NJMTZjVTc1V2sKLS0tIEdtaHIra0ttdEJzUS9oTkQ4alNK\nUjRwZUdneDBSd2I5eTdSaE9TaGxla0kKk8PiulG3FCWt3YDRBB4Z5ORQF2qWnpuL\nsq5wtcFl8UpJj2/2ODLdH3mzYxc4jAg47LS4R3ThgJlhrsmr2vgAeQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1swlyyk2rzvevqawyeekv75nx2dz34zpe3xqhkqme26gcgeavy4dqrfpcd8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMa2UrOEkrbWNseEJKNEVt\nZ0dFREhTbC9ta1V3bEZDT2tJZ2x4TlVpbFhJClBJUmJJVmZxSkdsakJsMG8zNUVW\nMEdCR1YyMWtqL25zRjd4VDlIdi9DaXcKLS0tIGpBc1FxMWlDMklIeGNUSDhDYkd5\nZXduYXVkaUg5SjhCb21QaUhEK1JyMTgK40uiFSmA/D1e5XomI+H8/RjrcDS+ovK+\nYf8q1xOzNy1Mpmwke4p4Q4M30CNeutw6Ga1w2saC1oi7et+q59R+RQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VTVwejViQmowSW5YdlMv\nc2NHUEdLbmhoNlkzckVublJUR2ZuNHZRRGtZCmwrQTBuN1p6NjIzM25idWY2bTdM\nQlRsWFNiUkoyWFdWQ21VdGlqbTBudEEKLS0tIGQ4TFJsSnFlblcvM3dXalM5dG95\nWjRzeHd2LzJtUWkzSzNMTlV0SGZxZjgK+5TtNMzFyLJvKpFm1H6PeRlZ2dUSZMZf\nNWEliC0jv2AnHFow9cttBKQKl/dWFjFY+UukUjyIPr9l8rHQQrJPBw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-27T05:03:18Z",
+		"mac": "ENC[AES256_GCM,data:vqadLc/VzXgsKF2dGZYY/OvKiZ7FsaUFVcAPMEHU3El33ojbWvJHNpAKXD9RgP4yLto5lkUCNkyOoTM0OEz++iDVQg3FfRu+sRa3wiKBh5jMJTrjhdziyQGbFGtF97AUvrhLUEGPTL15gUEuFZbeDiPBBhwhyuu5covBLzY23Go=,iv:r/VJsUMA/jOM7pBFoTJzQAJ6ZXZaVGTi/RduN5kXbKs=,tag:IzgzqaVYpPaPWGkPKsOdQA==,type:str]",
+		"version": "3.11.0"
+	}
+}
--- a/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/users/kurogeek
+++ b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/users/kurogeek
@@ -0,0 +1 @@
+../../../../../../sops/users/kurogeek
--- a/vars/per-machine/ramus/greaterchiangmai/app_key/groups/admins
+++ b/vars/per-machine/ramus/greaterchiangmai/app_key/groups/admins
@@ -0,0 +1 @@
+../../../../../../sops/groups/admins
--- a/vars/per-machine/ramus/greaterchiangmai/app_key/machines/ramus
+++ b/vars/per-machine/ramus/greaterchiangmai/app_key/machines/ramus
@@ -0,0 +1 @@
+../../../../../../sops/machines/ramus
--- a/vars/per-machine/ramus/greaterchiangmai/app_key/secret
+++ b/vars/per-machine/ramus/greaterchiangmai/app_key/secret
@@ -0,0 +1,50 @@
+{
+	"data": "ENC[AES256_GCM,data:FrklrOhsZqUqWEJ5BA7daE4ZEXQ3DJkTcH3bcP8sdPKGPF2fWcoe906xs+XYhR6sNhmS,iv:j+TrVt+SvKzsUChUoaDdcCyeIhtgCRQdAkUXLwoqzZo=,tag:GU6yx9aqElKYqQWeg+iHRg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age134vt63pjqpd0m7702fyn8vhdlzyj2deqc2q78sp9uw9052kxsgwq6d25ez",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaHdaWUZiZ1NmZno4VUhq\nOU0rdkl5R3VWL2NJR1VOV0xYbXV1ZWdrNFU4CmxvdWdkcHV4ZmNNWVdBd0E2MU1S\nUWdCeGRqamZnN0Exa1Z1R1dEMS9xUmcKLS0tIHV0QTZ2VzBjemZaWFFOOHFEY1gz\nbEo5ckZUc3NGUXJYNzRGaytXMGRkTUkKP/hLrBUxP2BAXaS0JmcGKOWb/jUDg9BK\nj2RP5jl9wyL90Dz+ndMsAtGfGuuq352FG4J9wnn8fdTQdiHrh9pjtg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age17d4qt0n9edq57tgcqyk8eu5mrendl59yt6z2y3a4vkq7el8krqtq6lq28g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbytVemhiaVBkL0o2TXNp\nUmRuR2RVYjNTVFZ4VXM1YzZOMFVEN0ZKcHhjCkVycTdsSGwvN2tZTE5lSnVnLzd1\nd252UUV6Mzk0Q3lQd1hFeXN5TmpyRFEKLS0tIDVId0hCVEQ4aVJsR3FMaENmajFm\nbW5SSGhNd0ZEYjVnQzIwMStuUU9IT2MKIFCX5CRNi5bbHytTfmXUXls8IG2x9nBn\nOw6atFk/O7kZNq5Quwk74wFykT3h/1S/Tlz2eZA7rUgF7Pqai0XpLg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1egztkqupggjcpy4g9tfwq6kqeh3ljw7enzhx4l53hjge73wmdscqy5qwfp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bTVxQ1ZkWlhBZkxiWE9m\nQm9xekc0cUF2OW9MaFZVSlJRUEpTOU1lZEQwClA3WUdzengyNWQrUml6ZlNrelBX\nK25Pc2dpNUVvNGo1eGhOVTZhSnlocmsKLS0tIEpYU0dweHdJVHk3YU1aZnVtZTFl\nNTdDbEhzL1pyUDR2OUhxUDV0T01kQ1EKihsOo/CvahfHQJnA4q3VOYsQI2OnhdBZ\nDW1Lwm/n50Ju8OPH8FLbJs+YhXUGicnolWvCjP4MYX9/eY+lXMek4w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1fido2-hmac1qqpf43tgcfjm048lsqskvq34w2t4uvrm5qy6m2eg6zjj82ctca8wctgpczxvj0q4y6337uhvsxdh5j86k9h9ymautpvv2759ucwnef75ez7pa7fpkddklp40mxk2tedsp74359g0kefn5rsq0x0yss6cu4yd0h06up0rp08t6yc4l0hfa9y8jn5fkx6nk0hjhz06ykwv0fyxe7z42q683jy0",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIHp6bzZ0QWVz\nY2hGV0lqR1p1OHJWbHVjb3M1V1phSEhNanhHM2s3V3FIaEUgQVEgd0l6SlBCVW1v\neDl5N0lHYmVrajZzVzVTYjd4WVdNVjZoZVlkUEtmVXlMdyBIdmtoczF0dmhxL1py\nS1hsc0ErckdoVVB0bE02RGdCNW5raERXT1ZJMTkzNjRGNHd2T3ZSTVYrKzZlbEll\nVTZKc2JVN1B2SzRuNkpaekhwSWJQaFZVQQo5aFo1VTBGdXhXSHJlMnlzUjRWd0xa\nY0VQWGdqdFR5TExURHdhOHVFamdVCi0tLSBJa0RMMWNLQmJ6Y1BZTlllN1l3YVBE\nbmlCNC9mVVk1aE5td0NHQ2tER0Q4CnqBm+ck8LH3L0xQZ8N7SiZNv8DVk/nodLKS\ncGY2yJ3Mp1YkP0zSPEnDSN72aEJLKk5lUb++vPJM/mPlNW9LnU8=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1fido2-hmac1qqprw0vfpc8wzsu78quc777kmee54ln6nnsjrnrhl7nr33eh4kvkksqp05qqxj4kgfzrmrugrsvg7skx6ghh3q9xc0x0agthtkvy25d9eq7eklta5wf7s30hexkuyl5546rdz9ffa5tawlp5yweqkgccntw0ny540n2am3cqw3luhxkfmrp63kwr6mwplhr9u26wll48x0n3k5f60c7hg9a3",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIFBaV0prTU1C\nMDdhZkJ1bDBwT3pyM085cHY5OGpRbXRwenFiTnA4d2JEWEUgQVEgZlFBRFNyWkNS\nRDJQaUJ3WWowTEcwaTk0Z0tiRHpQNmhkMTJZUlZHbHlEMCBtMzE5bzVQb1JmZkpy\nY0orbEs2RzBSVXA3UmZYZkRRanNnc2pHSnJjK1pLVmZOWGR4d0IwZjh1YXlkakRx\nTm5EMXR3ZjNHWGl0Ty8rcHpQbkcxRTZmZwpjS0ZnbndqQ1lUOXV5RVJDU002K3RX\ndnlNNHFMZXZkMS9WZ1ZsM3VGY0JRCi0tLSBodVRjUURKSThxN1B5RVhiWFFjeUh4\nYTZ4Z1Byb3VzWDR3b1kzajYrcTFNCqG/9SHNfZUi1Qq+dAzUIHfyXnnwzsZ552yF\noHndHC0dXLOkRWMfDagvMSnKlMSZi8Y8dV52YQrcRPjFeLi/1Wo=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1fido2-hmac1qqpyewum3q8dfcumfgec8nn958aec9f4q9aqy0k06kw5kq27d6fdqdgp0p7y4ru3n5xk90u747xevxa2af3v37e85j9g3axrmw5hdwdfh0wz22hut5vrafxsx26a7vh8fjwkymz3ramfgvvu4detztu075kmpr8l9ydqda0rnjwatdwmfgswg849p37astvld98s3nleeq575azlwc2hhpuh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIHhQcDUvK1NY\nQkdHMGxZZUpTTUZTOU1sTmk0RzcydTljbjJwVDdUalRwWEUgQVEgZUh4S2o1R2RE\nV0svbnErTmxodXE2bUxJK3lla2lvajB3OXVwZHJtcHU5dyBKU3I4WFJnK3BOQXl0\nZDh5NTB5ZFlteFJIM2FVTVp5cmNyRXZqL1V0c0l6L0tSb0c5ZU9jbmRXMTIwb2c1\nQjZsREgzWUxaOXBUd2pQK2NncDZuUmZkZwp3T1o4a291ZlFBS0JKeHpxUHdhaFlr\nSytONTNNVEJ2SlJuS1FYRUh5T0NJCi0tLSBybzZXWmdDSjZaamxXU0VWK01MRmpr\ncU5wMWdkbjdON0dNd2Vkcis1VWw0CmjgMsd3l/GgRk68+2LeziHjZwEx9SsMZb+O\nn6ZhyW5lRGxdl18/OKeVIkkwColYLSX9juElDh9SsXkeKjC8Z+g=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hlzrpqqgndcthq5m5yj9egfgyet2fzrxwa6ynjzwx2r22uy6m3hqr3rd06",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTazVRNG4xdzN3YmRrZzFG\nangyWWxlWmFpODBPN1BnL2J0d0x1N015Z0NrClR1NVkza21OczdkMGkwSFBTWVJG\nR3Z5N2FZcDlxVDVPR1JjcTV2Rklob0UKLS0tIEErNjg2eE96UVZBek5QL1p4VmN2\nSWxWbTZNN0JkUW1XOVYyZSs0R3JFRTAKYpp5LGQIkDS3GWz7AZ3gLLd6YMhfUsll\n9iT4zKQ2ib40bQtRfYvCo5eFXHj1BJrPFtishfspdzByX03eYwg5PA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1sg0rvgyetdcqw7j2x983fh69kdkvqsngpe5x36e5920qa7fze3cqhj4wgx",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNzFEODdNWDRMUi90MHZX\nd2ErbFplVkdMNDV5ZHVJQlZSNHg1Y3FqL1F3CnVMVktDWllVeGJZNnJHM3VIRlMy\nTjNPZjNGdk5TY3hYdmNrVVZob2srSlkKLS0tIFlMVU5ZSDhIZ1VqN1REbTB6dG1n\naUZ1U0UyRi9yY2dNTWl4WVZnZXk5STQKyimXHdozwSCJnYvdciMqiYHhVappCaAn\nCGzPUGikDK+WZj+wBrecl8wkLrCy/RwN/LZQTkj3owj3WUAGkLqg2Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1swlyyk2rzvevqawyeekv75nx2dz34zpe3xqhkqme26gcgeavy4dqrfpcd8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFRkNuNmc1S0ZIWUpkdmJP\nSkhaTFdoSHpVOGR4TmZET2w0cjJRbkl3TW5RCk9Uc0RPQ3pZcmFiM3lwQWd5YS9K\naFZHOG9ZZU03WEdYNmIxU2lZUTRjZjQKLS0tIFpZQjRvVTBsRVpJQVZHaWY0cTZF\nTG1PdjlkbWRsQ0txT05XSFJDMmVTV2MKaXkWVtyJowmWVYqsSg/Y9MD1FXBI3tfI\nWAwqsreW6FeDbNbYwGZ/+848CDAtKnCepO+0VNhx6QfF6YKP9Fji7w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxU29QdkJZTG9HeUlUOG5x\nZFZ6ZFZiWHlnZlRVZlV5TnVTU2pMMlg1T2lzCnh4dHJmbkl5Y0lkMU1qVUdINzEx\nc1pFK09yMHlPZDVWc29ZQjNDclZBU1kKLS0tIFc5c1lIRWhwYy9VK3kvS2F4ZENK\nWVY1dWs3ZmdJcTJFQmFqQ1NvQ3pHczQKGg8HfFSUbGamKeDgA69ACvxCyPgIcywV\nbQvu04Bkxxf4chOna+cxYDbMAa49IDHQwFHF9XKyIZKshJcyp6WmVg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-27T05:03:17Z",
+		"mac": "ENC[AES256_GCM,data:J8XJzKU9uID+klDDCsDMPrV8aDEdC5ENXlZEAy8pSKcnNYM5bQk8QylnEIydlmbwOMISScGfBA2EqnKtDSX3dOn2Yray2iUj82z23+/ewyOYXfMH5NY2ne4Cf9J3TJG/UwTSz+i09v0p9dTsQBCzRWU3SyQS1I5TPkXJFjJbnto=,iv:FqowVcZ1GEqEnyzKcKB+1LgBZhAffJH4V+KjyMHsxyo=,tag:BVfAoPoaufX37fhYmoATRQ==,type:str]",
+		"version": "3.11.0"
+	}
+}
--- a/vars/per-machine/ramus/greaterchiangmai/app_key/users/kurogeek
+++ b/vars/per-machine/ramus/greaterchiangmai/app_key/users/kurogeek
@@ -0,0 +1 @@
+../../../../../../sops/users/kurogeek
--- a/vars/shared/acme/email/value
+++ b/vars/shared/acme/email/value
@@ -0,0 +1 @@
+contact@lmvhaus.com