i don't know if this should be used

Since only passing though the ssh dir doesn't work, the host would be polluted by all the other hosts writing to etc

doc/src/SUMMARY.md

@@ -11,10 +11,13 @@
             - [Website](./server/website.md)
             - [musik](./projekte/musik.md)
         - [TODO](./todo.md)
+        - [Modules]()
+            - [Initrd-ssh](./module/initssh.md)
+            - [Disks](./module/disks.md)
     - [How-to]()
         - [Create New Host](./anleitung/create.md)
         - [Sops](./anleitung/sops.md)            
-        - [Wireguard](./anleitung/wireguard.md)
+        - [MaloVPN](./anleitung/wireguard.md)
         - [Updates](./anleitung/updates.md)
         - [Rollbacks](./anleitung/rollback.md)
         - [MicroVM](./anleitung/microvm.md)

doc/src/anleitung/microvm.md

@@ -44,6 +44,9 @@ sudo mkdir -p /var/lib/microvms/durruti/{var,etc}
 # alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
 microvm -r durruti
 
+#if you get an error like "Error booting VM: VmBoot(DeviceManager(CreateVirtioFs(VhostUserConnect)))", try starting the virtio service manually
+sudo systemctl start microvm-virtiofsd@{host}.service
+
 # after u made changes to the microvm update and restart the vm 
 microvm -uR durruti
 

doc/src/anleitung/sops.md

@@ -23,3 +23,13 @@
 - Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
 
 - `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
+
+## How to add host keys
+If a new host is created we have to add its age keys to the sops config.
+Do the following:
+```bash
+# ssh into the host and run:
+nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+# create new host with the output of that command in /machines/.sops.yaml
+```
+

doc/src/anleitung/wireguard.md

@@ -1,11 +1,55 @@
-# Wireguard
-Running on the raspberry pi  
+# MaloVPN
+Running in the cloud. To let a host access the VPN you need to do the following:
+- generate a wireguard keypair
+- add the host to ./machines/modules/malobeo/peers.nix
+- enable the malovpn module on the host
 
-- Create new keys
-    - Enter nix shell for wg commands `nix-shell -p wireguard-tools` 
-    - New private key `wg genkey > secrets/keys/wireguard/example.key` 
-    - Encrypt with `sops -e -i secrets/keys/wireguard/example.key`
-        - commit keys only after encrypting
-    - Decrypt to stdout `sops -d secrets/keys/wireguard/example.key`
-    - Decrypt for use on a client `sops -d secrets/keys/wireguard/private.key > /tmp/private.key`
-    - Display public key `sops -d secrets/keys/wireguard/example.key | wg pubkey`
+
+## Generate Wireguard keys
+Enter nix shell for wg commands `nix-shell -p wireguard-tools` 
+```bash
+umask 077
+wg genkey > wg.private
+wg pubkey < wg.private > wg.pub
+```
+Now you have a private/public keypair. Add the private key to the hosts sops secrets if you like.
+## Add host to peers.nix
+peers.nix is a central 'registry' of all the hosts in the vpn. Any host added here will be added to the vpn servers peerlist allowing it to access the VPN. This allows us to controll who gets access by this repository.  
+
+- Add your host to /machines/modules/malobeo/peers.nix  
+- Set the role to "client"
+- choose a ip address as 'address' that is not taken already
+- set allowedIPs as the others, except we want to limit this host to only access certain peers
+- Add your public Key here as string  
+
+After that commit your changes and either open a PR or push directly to master  
+Example:  
+```nix
+"celine" = {
+  role = "client";
+  address = [ "10.100.0.2/24" ];
+  allowedIPs = [ "10.100.0.0/24" ];
+  publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
+};
+```
+
+## Enable MaloVPN on Host
+Either you configure wireguard manually or use the malobeo vpn module  
+The 'name' must match your hosts name in peers.nix:
+
+```nix
+sops.secrets.private_key = {};
+
+imports = [
+  malobeo.nixosModules.malobeo.vpn
+];
+
+services.malobeo.vpn = {
+  enable = true;
+  name = "celine";
+  privateKeyFile = config.sops.secrets.private_key.path;
+};
+```
+
+After a rebuild-switch you should be able to ping the vpn server 10.100.0.1.
+If the peers.nix file just was commited shortly before it may take a while till the vpn server updated its peerlist. 

doc/src/module/disks.md

@@ -0,0 +1,117 @@
+# Disks
+The disks module can be used by importing `inputs.self.nixosModules.malobeo.disko`
+
+
+#### `let cfg = malobeo.disks`
+
+#### `cfg.enable` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Enables the disk creation process using the `disko` tool. Set to `true` to initialize disk setup.
+
+#### `cfg.hostId` (string)
+- **Type:** `string`
+- **Default:** `""`
+- **Description:**  
+  The host ID used for ZFS disks. This ID should be generated using a command like `head -c4 /dev/urandom | od -A none -t x4`.
+
+#### `cfg.encryption` (bool)
+- **Type:** `bool`
+- **Default:** `true`
+- **Description:**  
+  Determines if encryption should be enabled. Set to `false` to disable encryption for testing purposes.
+
+#### `cfg.devNodes` (string)
+- **Type:** `string`
+- **Default:** `"/dev/disk/by-id/"`
+- **Description:**  
+  Specifies where the disks should be mounted from.  
+  - Use `/dev/disk/by-id/` for general systems.
+  - Use `/dev/disk/by-path/` for VMs.
+  - For more information on disk name conventions, see [OpenZFS FAQ](https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux).
+
+#### `let cfg = malobeo.disks.root`
+#### `cfg.disk0` (string)
+- **Type:** `string`
+- **Default:** `""`
+- **Description:**  
+  The device name (beginning after `/dev/` e.g., `sda`) for the root filesystem.
+
+#### `cfg.disk1` (string)
+- **Type:** `string`
+- **Default:** `""`
+- **Description:**  
+  The device name (beginning after `/dev/` e.g., `sdb`) for the optional mirror disk of the root filesystem.
+
+#### `cfg.swap` (string)
+- **Type:** `string`
+- **Default:** `"8G"`
+- **Description:**  
+  Size of the swap partition on `disk0`. This is applicable only for the root disk configuration.
+
+#### `cfg.reservation` (string)
+- **Type:** `string`
+- **Default:** `"20GiB"`
+- **Description:**  
+  The ZFS reservation size for the root pool.
+
+#### `cfg.mirror` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Whether to configure a mirrored ZFS root pool. Set to `true` to mirror the root filesystem across `disk0` and `disk1`.
+
+#### `let cfg = malobeo.disks.storage`
+#### `cfg.enable` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Enables the creation of an additional storage pool. Set to `true` to create the storage pool.
+
+#### `cfg.disks` (list of strings)
+- **Type:** `listOf string`
+- **Default:** `[]`
+- **Description:**  
+  A list of device names without /dev/ prefix  (e.g., `sda`, `sdb`) to include in the storage pool.  
+  Example: `["disks/by-id/ata-ST16000NE000-2RW103_ZL2P0YSZ"]`.
+
+#### `cfg.reservation` (string)
+- **Type:** `string`
+- **Default:** `"20GiB"`
+- **Description:**  
+  The ZFS reservation size for the storage pool.
+
+#### `cfg.mirror` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Whether to configure a mirrored ZFS storage pool. Set to `true` to mirror the storage pool.
+
+## Example Configuration
+
+```nix
+{
+  options.malobeo.disks = {
+    enable = true;
+    hostId = "abcdef01";
+    encryption = true;
+    devNodes = "/dev/disk/by-id/";
+    
+    root = {
+      disk0 = "sda";
+      disk1 = "sdb";
+      swap = "8G";
+      reservation = "40GiB";
+      mirror = true;
+    };
+    
+    storage = {
+      enable = true;
+      disks = [ "sdc" "sdd" "disks/by-uuid/sde" ];
+      reservation = "100GiB";
+      mirror = false;
+    };
+  };
+}
+```

doc/src/module/initssh.md

@@ -0,0 +1,29 @@
+# Initrd-ssh
+The initssh module can be used by importing `inputs.self.nixosModules.malobeo.initssh`
+
+#### `let cfg = malobeo.initssh`
+
+## cfg.enable   
+Enable the initssh module
+
+*Default*
+false
+
+
+## cfg.authorizedKeys
+Authorized keys for the initrd ssh
+
+*Default*
+`[ ]`
+
+
+## cfg.ethernetDrivers
+
+Ethernet drivers to load in the initrd.   
+Run ` lspci -k | grep -iA4 ethernet `
+
+*Default:*
+` [ ] `
+
+*Example:*
+`[ "r8169" ]`

flake.lock

@@ -341,11 +341,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729717517,
-        "narHash": "sha256-Gul0Zqy0amouh8Hs8BL/DIKFYD6BmdTo4H8+5K5+mTo=",
+        "lastModified": 1736184101,
+        "narHash": "sha256-HAX+TkDXzyNp6SAsKwjNFql7KzAtxximpQSv+GmP8KQ=",
         "ref": "refs/heads/master",
-        "rev": "610269a14232c2888289464feb5227e284eef336",
-        "revCount": 27,
+        "rev": "9cdab949f44301553e3817cf1f38287ad947e00c",
+        "revCount": 28,
         "type": "git",
         "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
       },

machines/.sops.yaml

@@ -8,8 +8,9 @@ keys:
   - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
   - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
   - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
-  - &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
-  - &machine_vpn age136npxupcslnv5hnhvph2gwj8efz8jvgtfuy9lelrgpwrkg0kfppsa6s8v3
+  - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
+  - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
+  - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
 creation_rules:
   - path_regex: moderatio/secrets/secrets.yaml$
     key_groups:
@@ -32,8 +33,8 @@ creation_rules:
     - pgp:
       - *admin_kalipso
       - *admin_kalipso_dsktp
-      - *machine_durruti
       age:
+      - *machine_durruti
       - *admin_atlan
   - path_regex: vpn/secrets.yaml$
     key_groups:
@@ -43,7 +44,29 @@ creation_rules:
       age:
       - *machine_vpn
       - *admin_atlan
-  - path_regex: secrets/keys/wireguard/.*
+  - path_regex: fanny/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *machine_fanny
+      - *admin_atlan
+  - path_regex: testvm/disk.key
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+  - path_regex: fanny/disk.key
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+  - path_regex: bakunin/disk.key
     key_groups:
     - pgp:
       - *admin_kalipso

machines/bakunin/configuration.nix

@@ -1,5 +1,8 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:
 
+let
+  sshKeys = import ../ssh_keys.nix;
+in
 {
   imports =
     [ # Include the results of the hardware scan.
@@ -9,6 +12,8 @@
       ../modules/sshd.nix
       ../modules/minimal_tools.nix
       ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.disko
+      inputs.self.nixosModules.malobeo.initssh
     ];
 
   malobeo.autoUpdate = {
@@ -19,7 +24,19 @@
     cacheurl = "https://cache.dynamicdiscord.de";
   };
 
-  boot.loader.systemd-boot.enable = true;
+  malobeo.disks = {
+    enable = true;
+    hostId = "a3c3102f";
+    root = {
+      disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
+    };
+  };
+
+  malobeo.initssh = {
+    enable = true;
+    authorizedKeys = sshKeys.admins;
+    ethernetDrivers = ["r8169"];
+  };
 
   hardware.sane.enable = true; #scanner support
 

machines/bakunin/disk.key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:2/tfkG7SwWNpnqgkFkmUqbAJBF2eN/lfZCK/9VsZag==,iv:Sps+ZIQGveS/zumjVE8VFfVTlNwQJ093eMDndlne2nU=,tag:lW8xcz43jj1XPV6M/0e11g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRU003cys0d0d4MXFmVVVH\ndDg1eHZpVjFMeDBGL3JQcjB5a0luSVRaSWtnCmxNOEUyZ2oybkNLdm12ZTVmNUpo\nVCtUem44bXA2dGhURGdyRWxKdUF6OVkKLS0tIDdVbUt2eGVHMHBzOEt6QnRpOXZF\nVWFEUFloRXpIUGJxblpaNUNuTjlLbDQKQii2qUIl72d02D3P0oTDHZQT1srSk6jS\n89XSBy6ND9vP0tGXcZ4a7jghO0Q1OVNe1fm6Ez41lKOuUu77hgOAWg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-14T16:40:57Z",
+		"mac": "ENC[AES256_GCM,data:M8l4a2SbBikF/tEtGx4ZY13eK3ffM70aUCDYo4ljgTAtQEbGLx1SJM/mrFW325LycFMNOerWhXyipbXPZPw2VfnSJ9dz+bQ53xK7Mpf/bOZs5aQZJpJ1/MJh6lkmR/zPeQXhE08WsyJ1rCRqAfygau2CqdV8ujY5li3jIIDQMcQ=,iv:lJZhTjJAxSky9MrzYldkJOG0dCIzkv4IE3ZKzxgUxvo=,tag:t/grczWX+0sDcsHC5SCd/A==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-01-14T16:40:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/S6LvVBsznEqLZbT/UAom1KmfmA3swxAJnQ5tl/vnnix6\nvzs4KSFGZMOQZihEKC/M/og8qTCvlUFBAUMkYLgX+8ehZeZwnnH9V8EDGDIyoWXE\n6AIHP9Ur6yk62gHqmfHlMxFG2A9/A4a+mOvxyKKPDK/AYG0PBaSVMkM6cp7efWwe\n7C6m4BpPRU+3NsNKy/4FkWt9xoFy82K89FqUGC8oZOQW1q+fS7ZIhmnTzzApwILy\n5Y77yBnpPECDYNZdH097bZli6KGWob7aXJ431gyw2OMVQHFb0DlQbKxemo9eWpIr\nnXu2FYrY2D7YxXBGQvXTuNQD3BuvrccOgWAmmi852C1gVVKV+egeOBRq2RYPl6+j\n8TBaNzl0rcvaoWeTJGR142pR9ht9B3aGzXcvCsciZo3SjYyt31J0huzPfv4Dakfn\nyY8BvOaNfugjx0aS6BOZgZiOPlBer86/0FKX469QQAnqL0LRoPyjn53JYUdPdI+s\nCI2WuVynSl7ItiwoKkJK0lgBm0oMhpSiGOC4Z2Bkk2xdpiuXUdMcP6m8OlG9ldCs\n0KrWubh9Ne6CP7etvTkwqWvMuSpCuheToIQ0rp8j21/YdCFX5LpxA3+em0t9M7Is\nV4ZoLnqA2KjI\n=4+Yl\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-01-14T16:40:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//c/UkuZRpJM5sH1snP8Kidek6nHgC11hUaY1G15a5ap1D\nn9cMIn4xUdfCAN/DoNiE14NzeTDQyawmIV1ZmrYZzItFdNgunf1r9jQNa3EqcWfE\norJS2RwWDrsw7tmx0wyenr9BLefMGJYaJ6Rd7J3j8sXL7aT+SbNw27mmVbYrJiFJ\nYh2usIsxDu2C+dCeTb3J9sKK6F96IbNnj/2Sx8AGYsIQvcpwloCRrnjiEa+hrEBn\nj1I6U4B/NjRGv20PAR1OnQ2OhKVL5UgTJgNKWCLdvGVOQnqJgDNUrrNEBY19wDQL\nQzJEzL21aiyF+8BB3IrtQlntmAIMcUUHTpqIols9rpVJl54yiK1mQ3UqTQPQ2+gd\nu2gtjXXk3FMnVzaI33ZMcxENGHy/+ZdZMfY70/EwJpRvneHTsLr3Z/bHUxavSYdL\nQqbeWLUm7a2/pnOl5JKa9asKYaNBNdmzO/YVgQNhLQzFtHJ9riVN7Ro+S2bocN9Z\npHGCCISAdMDyuFC7aSngnZEwE4NACbQEc8Udu+YCAUIeeBaPI/QWu3n61fZrkxR7\nmik9uJdXnMzKpmNGVQbPurifykDA6Bsqakn69AZQIPyxMtEDBV+pDX0yy3tI5D12\nhksuXSC7fpV/4BsZWKczK9fpDUJMDTFajSSVrSKb4nr2hk49IAZX9rhgbiHmT1LS\nWAHa5YGYUMkVQc59J3uhAjuSckWA/7R7oMhIrL5e/vnnHVR5zFW/auHkDytzZ0d0\nbGdrIRZh81C+yxB1pSJvlUnIWbYnpqhaH3xL+8yARpGZMNi595x0EJM=\n=8puy\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/configuration.nix

@@ -56,11 +56,11 @@ let
             socket = "store.socket";
           }
           {
-            source = "/var/lib/microvms/${hostName}/etc";
+            source = "/var/lib/microvms/test/etc/";
             mountPoint = "/etc";
-            tag = "etc";
+            tag = "etcssh";
             proto = "virtiofs";
-            socket = "etc.socket";
+            socket = "etcssh.socket";
           }
           {
             source = "/var/lib/microvms/${hostName}/var";
@@ -93,6 +93,8 @@ let
       };
     }
   ] ++ defaultModules ++ modules;
+
+  inputsMod = inputs // { malobeo = self; };
 in
 {
   louise = nixosSystem {
@@ -109,17 +111,24 @@ in
     modules = defaultModules ++ [
       ./bakunin/configuration.nix
       inputs.disko.nixosModules.disko
-      ./modules/disko/btrfs-laptop.nix
+    ];
+  };
+
+  lucia = nixosSystem {
+    system = "aarch64-linux";
+    specialArgs.inputs = inputs;
+    modules = defaultModules ++ [
+      ./lucia/configuration.nix
+      ./lucia/hardware_configuration.nix
     ];
   };
 
   fanny = nixosSystem {
     system = "x86_64-linux";
-    specialArgs.inputs = inputs;
+    specialArgs.inputs = inputsMod;
     modules = defaultModules ++ [
+      self.nixosModules.malobeo.vpn
       ./fanny/configuration.nix
-      inputs.disko.nixosModules.disko
-      ./modules/disko/fanny.nix
     ];
   };
 
@@ -142,12 +151,29 @@ in
     ];
   };
 
-  lucia = nixosSystem {
-    system = "aarch64-linux";
+  infradocs = nixosSystem {
+    system = "x86_64-linux";
     specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./lucia/configuration.nix
-      ./lucia/hardware_configuration.nix
+    specialArgs.self = self;
+    modules = makeMicroVM "infradocs" "10.0.0.11" "D0:E5:CA:F0:D7:E7" [
+      self.nixosModules.malobeo.vpn
+      ./infradocs/configuration.nix
     ];
   };
+
+  uptimekuma = nixosSystem {
+    system = "x86_64-linux";
+    specialArgs.inputs = inputs;
+    specialArgs.self = self;
+    modules = makeMicroVM "uptimekuma" "10.0.0.12" "D0:E5:CA:F0:D7:E8" [
+      ./uptimekuma/configuration.nix
+    ];
+  };
+
+  testvm = nixosSystem {
+    system = "x86_64-linux";
+    specialArgs.inputs = inputs;
+    specialArgs.self = self;
+    modules = defaultModules ++ [ ./testvm ];
+  };
 }

machines/durruti/documentation.nix

@@ -8,6 +8,15 @@
         { addr = "0.0.0.0"; port = 9000; } 
       ];
       root = "${self.packages.x86_64-linux.docs}/share/doc";
+      extraConfig = ''
+        proxy_buffering off;
+        proxy_cache off;
+        proxy_http_version 1.1; 
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+      '';
     };
   };
 

machines/durruti/host_config.nix

@@ -36,7 +36,21 @@ in
     services.nginx.virtualHosts."docs.malobeo.org" = {
       forceSSL = true;
       enableACME= true;
-      locations."/".proxyPass = "http://${cfg.host_ip}:9000";
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
+    services.nginx.virtualHosts."status.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.12";
+        extraConfig = ''
+        '';
+      };
     };
 
     services.nginx.virtualHosts."tasklist.malobeo.org" = {

machines/durruti/secrets.yaml

@@ -7,75 +7,64 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
+        - recipient: age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEay9wZGM5elhUd2RqVFdJ
+            aHFhRVNiY0lzZEZzSkVvcVlMT1FmMXN4YzNrCkE3SnprNUJ6Ty9hUGZhbzNEVit4
+            THpoUnMyNmQ2Q3Z0SlR6cDFzeE9BaDAKLS0tIHFpbFJadTdtb2s2T2hmMWFBTlBV
+            azZzNXBTRVFoUGtJaGpPdzlDNVpYcjAKd/9v8gn3jbMEK+UPipI8cIufCoWwWfS/
+            kI9zLws/jtjhRZLNHJaXWz7CjAEwKA+6NOQA3pwZaeS1QKwSmeRdZA==
+            -----END AGE ENCRYPTED FILE-----
         - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84
-            LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw
-            bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm
-            SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV
-            45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc1o2eTlFc1l4YjVOUHdM
+            S1F2RG9PQWwyd2VYSmJmVzE4cWNSSEt5WUJZCjlwaWNJWFNHNnZkUVBwdVJUbVNi
+            WjdYZ2dENVIydWw4WHJmckF0ZjRLWXMKLS0tIDRsNXNSRnZkVzFkSHpDSWgrSEhv
+            bjBqRlYzcGIvNzhLbjdUbmFhMkU2RXMKsgkwNqQeP40boqriANQg13YKKwMz9iTZ
+            Vw1wYVeQmo4En7c4yAztqBriVoTNsbWkkvGw0P4z37B+6ll8kdEMSQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-06-26T10:07:26Z"
     mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
     pgp:
-        - created_at: "2024-11-14T13:03:00Z"
+        - created_at: "2024-12-19T15:09:01Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQGMA5HdvEwzh/H7AQwAhcsRc3mCqKgUFym0W5lTN6j5xg+o0PF31ZQ3qqkO3b5+
-            nIPH8Ee7nrcfRCM2AV+TReaZ2qfP4TdU5j00F5977H5UM+UULFM+FSGcY63rkp80
-            1U1ZzxbzTwV5mil8dx3dmENMgFpKy0J2MatPdR5bu/z0o7sLty1DUq9hiQOTfM3F
-            u1mfmY37YewMBmxlzDJ3Z5+lslRJUqa3Ho9atjYhwxZTYgh9QQtnm8kRjNM/HKpQ
-            sDAWu9JXit33WwHayxUFWZ5syiwsbFxAelrZnluW3KiKu3v+9VO7X6dJsrrIB6Xt
-            j/mJhwkwJ39xHD/eQqMJsdAum8Pgxi40XjD6wJvmIhYz1y8Lbymanb+6U+fJk71V
-            ZLsbk+sR1Jkh+L3NV+UGlMusgQuxcE2xQjNMEbpzk1xXsFFz+QxVxx6HZp8xRh4v
-            M8L2LkiZp5w8iij+uJ+k0ovu4XH2Bf/2myhabfRrk5bPZbweH/bJOxChIgf/b/ZP
-            FdfHGP0KlJe+jMGY3j7c0lgB9k2vyvYTHaAOcQoe/HdKNvueMMYDIzxLZ6sXsn+z
-            jhdW9FxM9g2ZOStq1Mwjzvb8rJCAFQH0s/3yHZY7rveaI88Z3G11i97D3OME2yAx
-            bxCHPCFfvmX/
-            =3wBJ
+            hQGMA5HdvEwzh/H7AQv+K+G7MhXO0RlQENydEstPcMV5vAgkzL06kiN3wXpeOPmj
+            2gwdNcbOLtcXV8a4mH6xGZPkKOV8xjkybp7Myicll6YDs+4Uw3qRTUmCyZ0BC2Wc
+            WDrTMz/lCx1gZGVa99KgHaLmALhZbEO/R08qW52Xkwmcvg1GdM22RtB12L+c8JPB
+            +RR/pLR4UCTfN21uS2CJ33bJnAayfi+s/maGYsElZkH/zoPtDBxF/ntk7g/xeN13
+            Jymg1Ofmjm8JT0FPe8RE7Er/qXlxsG46GVj964chCtljz3NgL76tgC207E8CLUJq
+            rVqGKU0PO6h924uNmVON+JI1CeyCsjejsFOGaS8kOEAwEgCoeICqiqkTbtUCU21K
+            4C7J3mFwhAL+F2IueOY8NZxEV4tMJoY6JZ8c8wtM4Gl6JePlkFRX8LhuO/Bw2VJ9
+            cuGlkIIg3pA94U6Hql7LwLZbIkquI7SWGx7IHOhk/4qtCUlEn4t40JdN4PbA0bz2
+            Cde3+6zFOkX0m1BXkj4f0lgBIOfcPsXmY8ho4isVd9+v7arbE2WSZ6IBG75cx0a1
+            4LYx3QWTLlujiDIc5arhBgpB2ceO8lFTARnoLLqG6y1T+w6UNoVHQZ4n987SpWkk
+            EKQxUDnO8Nvb
+            =1PHB
             -----END PGP MESSAGE-----
           fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-11-14T13:03:00Z"
+        - created_at: "2024-12-19T15:09:01Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA98TrrsQEbXUAQ//eBqaTG6/KiQFfEMog839q+nukWh3SHSnhCDyCAhdqKA3
-            Q9FSroIYEOMwE9SYkNC9T0/pf/ZmRuPBpx09b+q+1df4FLdajgpEbg1CyWnw7fyR
-            731vYt5hvN7PVtBGs842BcEvYwKVG33HTadi53l+pjDURpHGLWLbURiqchGrXpPn
-            o6rih4ueE0TmLHGugGKIr7n/XgH4xpsr/wFLQCnCaVATXdS1Tk86bTeu0HybmPlG
-            dw4TZrTSO7uq2GyczIC81HnLPisZ1w+7R0m58kV0FGFoDZIwczW46J/h3NLsjO0t
-            4zKV1oJUpCANalDCRBhf5RRatw/OzTgVHnpuGyaoAtWGyZpeQi2ntoEvFb3eWAc3
-            NMjc2bqamZEdfnBOmPILqRKINm60DkpiI7behY3oV178bWcp3iWsyA4biL0O0pf4
-            FXbW29zHnEr86wTlJmJIC5sGkNNtu0dNFAKuzKjAel9sVor183WkJk8NAgaaI/pD
-            pQV+l0ClexXGIW7p931Sn7u2JmXeNJM+yqRz5lDWMLakxygW2h4HDI8NOIS7xvP1
-            Ip3a5bGctGEVmAK9MEhcRIGcP7Aoacj7iZVg9bnac4HCX3wnnGjLDNL+XDzfmfUB
-            M48YUoDS1CSjlcTbgIaL3HeX84EYcoQdRjwRcI3pVpPkJTpi/t2I+/2tOP92sm7S
-            WAHfIeh3niCzrQa//nwdAEQq+7YrDCDia7SSxDDrRM+/LTaQacoo9SuaHuEANZ/P
-            +x7rrZsnQq8UBpnd+dQCyxipQvwmjtp9N5xKcragt1LdH4M+Q/qoSIo=
-            =4vnh
+            hQIMA98TrrsQEbXUARAAhfUKm9iR11pU0U44IDfwa7NRRurim8GOPX4FWwJJORNL
+            q85xGM0jA/k8JRsOdsjfHb4/khHtG8cl+t09nEBxTeeb7mKdiOXfsxrvHEf6qeUw
+            F/DQGoaxk+ISXW4iMcV0CPYciLb7kSHCqVFovmmTGlI9fMXryKl3UpP/nzzz9Zk2
+            5cXLmbQqeQVsp17Dw5x7rglkTlx8+W7Z1tDHlHrycxzh6LYpJ7QX54EHM8JgMjw/
+            WREO0qnJMt6C0qp8e3KWhYhMHIidM3WexJR9ixBICxevy0QwvNult0ryOZMc+nTY
+            48sXxCTebnLspiFBS5OsagGxNgwMixydfKv0ci8E7FyB84jwq7XriiQRzYfzU/6L
+            wEPapKrXno0F7wyiiesl/HKdLkOujFIhAl7P1ZNHQLcDuzDCqSo2xd7dbUsbPLcR
+            BUNcfc0VK3TEJks1lXkO5C1PeYEy+NgsJnEQ2lrnAbmKDxpH6qOA2KSGh12uZnHp
+            7kk/hRclVnygkcQc6j71eOyprQms2VjU6fVy2dED+ucjvogrceWWSUkuP6GQEqZV
+            bPhLxpMMw6cIWcTLZIEqLRQv9EqibIFEohkUh9A2TL7XxPb6MEhsRXKTsmMqzdiH
+            /xUwxH3w0w8CrEheVvxGxQi7B4XWC9jHGN+KvJGisrLeGpl/wJ8NKcqOSasB4fLS
+            WAHQxsAnNtNj5rV/BQJHr8lvX+ebJkMpCEBmIdQUeX4WVegr3HkDF34EWoqVfzV2
+            T0ZUaCXNI+tdmvJji9MPd1ZFrTgF5XuFjQxMP1uPI6gannH9InvBXvY=
+            =5AlZ
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2024-11-14T13:03:00Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA1kR3vWkIYVnAQ//UfsG62+53p9PyXN+c6hoMg+MqWxjvia9kHvjE3Q3bcO+
-            KVYqD8CszyTwiTV0RoTWddyiZwZHKkH/ymTtnNafG6NVo3XrYpRmO7SxmVMm1BIt
-            HrBCdQkLDQOzqbeKBV9bGqO3xHKLEu0vwFkEdpWpNrjkKZfYQ8SjE/6vTJRPeBxx
-            Z++g8540vZtB0V2YzKStJJ8LcsU+3j1/+NlUJZamXUGT4AnxH3atWuKqC39CZAU6
-            0iHxKEcHcQYPAmvTqtxTH0ELIaRYBIRlzCs0MVjmmfVyaeJOZGyd32vikQMUCrf/
-            EvThUCnq3+qCNjLlp1tQbLJV4B6ptAuj6uns2Z9Xmj1j4nFgUKvsc1MPnuSQsOnM
-            tLF0qsVvunvLbHXhb/Z4uDaNMst8jWEGhk52QYCZ6pgq1zoN63tOAxD+HK12KSYQ
-            emcDTjGqLTxe2dTiFMHlOkmTk/unEJXI1rJEalBaLqzDFg2tS6I1swQKG115wUfv
-            COHQtmbWmwIMtcl0q/QHfSyc+jPVHoadj6ZZFS1iL9Er/zx1nuD5ybkHntQdO0Gb
-            YwfyLzhFQ4gKgDiXwHdjYmHeDnXI9mrH3Cypcc/I8WV96cMnuKQBrD7V3NKpjFMS
-            CaLMVDQqwMoGi+Xi8Ve5oRCa/qt5UEpL1CZZUxNNE11ggPYI22ecKjegdIlGuWHS
-            WAE4FsZZNLt+RWZxIW0iTP0BzDuCMQFkismL0YyDI18g1dG/sl43+ecd6F9yoWYP
-            sXjR3gwbASdHHXeYFAxbPX3Q/XT+SQzOAFigPhD0LUFRX2Cf/Q2yu34=
-            =FLuF
-            -----END PGP MESSAGE-----
-          fp: 4095412245b6efc14cf92ca25911def5a4218567
     unencrypted_suffix: _unencrypted
     version: 3.8.1

machines/fanny/configuration.nix

@@ -1,6 +1,11 @@
-{ config, pkgs, ... }:
-
+{ inputs, config, ... }:
+let
+  sshKeys = import ../ssh_keys.nix;
+in
 {
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets.wg_private = {};
+
   imports =
     [ # Include the results of the hardware scan.
       #./hardware-configuration.nix
@@ -8,6 +13,9 @@
       ../modules/sshd.nix
       ../modules/minimal_tools.nix
       ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.disko
+      inputs.self.nixosModules.malobeo.microvm
     ];
 
   malobeo.autoUpdate = {
@@ -18,10 +26,52 @@
     cacheurl = "https://cache.dynamicdiscord.de";
   };
 
-  boot.loader.systemd-boot.enable = true;
-
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
+  malobeo.disks = {
+    enable = true;
+    hostId = "a3c3101f";
+    root = {
+      disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
+    };
+    storage = {
+      disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
+      mirror = true;
+    };
+  };
+
+  malobeo.initssh = {
+    enable = true;
+    authorizedKeys = sshKeys.admins;
+    ethernetDrivers = ["r8169"];
+  };
+
+  services.malobeo.vpn = {
+    enable = true;
+    name = "fanny";
+    privateKeyFile = config.sops.secrets.wg_private.path;
+  };
+
+  services.malobeo.microvm.enableHostBridge = true;
+  services.malobeo.microvm.deployHosts = [ "infradocs" ];
+
+  networking = {
+    firewall = {
+      allowedTCPPorts = [ 80 ];
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."docs.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.11:9000";
+        extraConfig = ''
+        '';
+      };
+    };
+  };
+
   services.tor = {
     enable = true;
     client.enable = true;
@@ -33,7 +83,6 @@
   services.acpid.enable = true;
 
   networking.hostName = "fanny";
-  networking.hostId = "1312acab";
   networking.networkmanager.enable = true;
 
   virtualisation.vmVariant.virtualisation.graphics = false;

machines/fanny/disk.key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-05T19:35:48Z",
+		"mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-01-05T19:32:11Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-01-05T19:32:11Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/fanny/secrets.yaml

@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh
+            cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy
+            WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK
+            RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL
+            2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK
+            U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX
+            eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS
+            cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/
+            MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-14T12:41:07Z"
+    mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
+    pgp:
+        - created_at: "2025-01-14T12:32:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8
+            5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO
+            8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN
+            zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA
+            cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O
+            /MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24
+            9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict
+            iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k
+            UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p
+            Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N
+            J+o9dahBHvIF
+            =GKm4
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-14T12:32:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs
+            W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF
+            e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR
+            GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q
+            yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM
+            wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap
+            FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT
+            cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul
+            QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2
+            MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB
+            5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS
+            WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw
+            CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE=
+            =9FN4
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

machines/infradocs/configuration.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "infradocs";
+    useDHCP = false;
+    nameservers = [ "1.1.1.1" ];
+  };
+
+  imports = [
+    ../durruti/documentation.nix
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/modules/disko/default.nix

@@ -0,0 +1,278 @@
+{config, inputs, lib, ...}:
+let 
+  cfg = config.malobeo.disks;
+in
+{
+  imports = [inputs.disko.nixosModules.disko];
+  options.malobeo.disks = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable disko disk creation";
+    };
+    hostId = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+      description = "Host ID for zfs disks, generate with 'head -c4 /dev/urandom | od -A none -t x4'";
+    };
+    encryption = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Allows encryption to be disabled for testing";
+    };
+    devNodes = lib.mkOption {
+      type = lib.types.str;
+      default = "/dev/disk/by-id/";
+      description = ''
+        where disks should be mounted from
+        https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux
+        use "/dev/disk/by-path/" for vm's
+      '';
+    };
+    root = {
+      disk0 = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        description = "name ab /dev für root dateisystem";
+      };
+      disk1 = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        description = "name ab /dev für eventuellen root mirror";
+      };
+      swap = lib.mkOption {
+        type = lib.types.str;
+        default = "8G";
+        description = "size of swap partition (only disk0)";
+      };
+      reservation = lib.mkOption {
+        type = lib.types.str;
+        default = "20GiB";
+        description = "zfs reservation";
+      };
+      mirror = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "mirror zfs root pool";
+      };
+    };
+    storage = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Enable storage pool";
+      };
+      disks = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        description = "name ab /dev/ für storage pool";
+        example = "ata-ST16000NE000-2RW103_ZL2P0YSZ";
+      };
+      reservation = lib.mkOption {
+        type = lib.types.str;
+        default = "20GiB";
+        description = "zfs reservation";
+      };
+      mirror = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "mirror zfs storage pool";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.hostId = cfg.hostId;
+    disko.devices = {
+      disk = lib.mkMerge [
+        {
+          ssd0 = lib.mkIf (cfg.root.disk0 != "") {
+            type = "disk";
+            device = "/dev/${cfg.root.disk0}";
+            content = {
+              type = "gpt";
+              partitions = {
+                ESP = {
+                  size = "1024M";
+                  type = "EF00";
+                  content = {
+                    type = "filesystem";
+                    format = "vfat";
+                    mountpoint = "/boot";
+                    mountOptions = [ "umask=0077" ];
+                  };
+                };
+                encryptedSwap = {
+                  size = cfg.root.swap;
+                  content =  {
+                    type = "swap";
+                    randomEncryption = true;
+                  };
+                };
+                zfs = {
+                  size = "100%";
+                  content = {
+                    type = "zfs";
+                    pool = "zroot";
+                  };
+                };
+              };
+            };
+          };
+          ssd1 = lib.mkIf (cfg.root.disk1 != "") {
+            type = "disk";
+            device = "/dev/${cfg.root.disk1}";
+            content = {
+              type = "gpt";
+              partitions = {
+                zfs = {
+                  size = "100%";
+                  content = {
+                    type = "zfs";
+                    pool = "zroot";
+                  };
+                };
+              };
+            };
+          };
+        }
+        (lib.mkIf cfg.storage.enable (
+          lib.mkMerge (
+            map (diskname: {
+              "${diskname}" = {
+                type = "disk";
+                device = "/dev/${diskname}";
+                content = {
+                  type = "gpt";
+                  partitions = {
+                    zfs = {
+                      size = "100%";
+                      content = {
+                        type = "zfs";
+                        pool = "storage";
+                      };
+                    };
+                  };
+                };
+              };
+            }) cfg.storage.disks
+          )
+        ))
+      ];
+
+      zpool = {
+        zroot = {
+          type = "zpool";
+          mode = lib.mkIf cfg.root.mirror "mirror";
+          # Workaround: cannot import 'zroot': I/O error in disko tests
+          options.cachefile = "none";
+          rootFsOptions = {
+            mountpoint = "none";
+            xattr = "sa";         # für microvm virtiofs mount
+            acltype = "posixacl"; # für microvm virtiofs mount 
+            compression = "zstd";
+            "com.sun:auto-snapshot" = "false";
+          };
+
+          datasets = {
+            encrypted = {
+              type = "zfs_fs";
+              options = {
+                mountpoint = "none";
+                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                keyformat = lib.mkIf cfg.encryption "passphrase";
+                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+              };
+              # use this to read the key during boot
+              postCreateHook = lib.mkIf cfg.encryption ''
+                zfs set keylocation="prompt" zroot/encrypted;
+              '';
+            };
+            "encrypted/root" = {
+              type = "zfs_fs";
+              mountpoint = "/";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/var" = {
+              type = "zfs_fs";
+              mountpoint = "/var";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/etc" = {
+              type = "zfs_fs";
+              mountpoint = "/etc";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/home" = {
+              type = "zfs_fs";
+              mountpoint = "/home";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/nix" = {
+              type = "zfs_fs";
+              mountpoint = "/nix";
+              options.mountpoint = "legacy";
+            };
+            reserved = {
+              # for cow delete if pool is full
+              options = {
+                canmount = "off";
+                mountpoint = "none";
+                reservation = "${cfg.root.reservation}";
+              };
+              type = "zfs_fs";
+            };
+          };
+        };
+
+        storage = lib.mkIf cfg.storage.enable {
+          type = "zpool";
+          mode = lib.mkIf (cfg.storage.mirror) "mirror";
+          rootFsOptions = { 
+            mountpoint = "none";
+            xattr = "sa";         # für microvm virtiofs mount
+            acltype = "posixacl"; # für microvm virtiofs mount 
+          };
+          datasets = {
+            encrypted = {
+              type = "zfs_fs";
+              options = {
+                mountpoint = "none";
+                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                keyformat = lib.mkIf cfg.encryption "passphrase";
+                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+              };
+              # use this to read the key during boot
+              postCreateHook = lib.mkIf cfg.encryption ''
+                zfs set keylocation="prompt" storage/encrypted;
+              '';
+            };
+            "encrypted/data" = {
+              type = "zfs_fs";
+              mountpoint = "/data";
+              options.mountpoint = "legacy";
+            };
+            reserved = {
+              # for cow delete if pool is full
+              options = {
+                canmount = "off";
+                mountpoint = "none";
+                reservation = "${cfg.storage.reservation}";
+              };
+              type = "zfs_fs";
+            };
+          };
+        };
+      };
+    };
+
+    boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
+
+    fileSystems."/".neededForBoot = true;
+    fileSystems."/etc".neededForBoot = true;
+    fileSystems."/boot".neededForBoot = true;
+    fileSystems."/var".neededForBoot = true;
+    fileSystems."/home".neededForBoot = true;
+    fileSystems."/nix".neededForBoot = true;
+  };
+}

machines/modules/disko/fanny.nix

@@ -1,150 +0,0 @@
-{
-  disko.devices = {
-    disk = {
-      ssd = {
-        type = "disk";
-        device = "/dev/sda";
-        content = {
-          type = "gpt";
-          partitions = {
-            ESP = {
-              size = "1024M";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-                mountOptions = [ "umask=0077" ];
-              };
-            };
-            encryptedSwap = {
-              size = "8G"; #set to 100M for testing
-              content =  {
-                type = "swap";
-                randomEncryption = true;
-              };
-            };
-            zfs = {
-              size = "100%";
-              content = {
-                type = "zfs";
-                pool = "zroot";
-              };
-            };
-          };
-        };
-      };
-
-      hdd0 = {
-        type = "disk";
-        device = "/dev/sdb";
-        content = {
-          type = "gpt";
-          partitions = {
-            zfs = {
-              size = "100%";
-              content = {
-                type = "zfs";
-                pool = "storage";
-              };
-            };
-          };
-        };
-      };
-
-      hdd1 = {
-        type = "disk";
-        device = "/dev/sdc";
-        content = {
-          type = "gpt";
-          partitions = {
-            zfs = {
-              size = "100%";
-              content = {
-                type = "zfs";
-                pool = "storage";
-              };
-            };
-          };
-        };
-      };
-    };
-
-    zpool = {
-      zroot = {
-        type = "zpool";
-        mode = "";
-        # Workaround: cannot import 'zroot': I/O error in disko tests
-        options.cachefile = "none";
-        rootFsOptions = {
-          mountpoint = "none";
-          compression = "zstd";
-          "com.sun:auto-snapshot" = "false";
-        };
-
-        datasets = {
-          encrypted = {
-            type = "zfs_fs";
-            options = {
-              mountpoint = "none";
-              encryption = "aes-256-gcm";
-              keyformat = "passphrase";
-              keylocation = "file:///tmp/root.key";
-            };
-            # use this to read the key during boot
-            postCreateHook = ''
-              zfs set keylocation="prompt" "zroot/$name";
-            '';
-          };
-          "encrypted/root" = {
-            type = "zfs_fs";
-            mountpoint = "/";
-          };
-          "encrypted/var" = {
-            type = "zfs_fs";
-            mountpoint = "/var";
-          };
-          "encrypted/etc" = {
-            type = "zfs_fs";
-            mountpoint = "/etc";
-          };
-          "encrypted/home" = {
-            type = "zfs_fs";
-            mountpoint = "/home";
-          };
-          "encrypted/nix" = {
-            type = "zfs_fs";
-            mountpoint = "/nix";
-          };
-        };
-      };
-
-      storage = {
-        type = "zpool";
-        mode = "mirror";
-        rootFsOptions = { mountpoint = "none"; };
-
-        datasets = {
-          encrypted = {
-            type = "zfs_fs";
-            options = {
-              mountpoint = "none";
-              encryption = "aes-256-gcm";
-              keyformat = "passphrase";
-              keylocation = "file:///tmp/storage.key";
-            };
-
-            # use this to read the key during boot
-            postCreateHook = ''
-              zfs set keylocation="prompt" "zroot/$name";
-            '';
-          };
-          "encrypted/data" = {
-            type = "zfs_fs";
-            mountpoint = "/data";
-          };
-        };
-      };
-    };
-  };
-}

machines/modules/malobeo/initssh.nix

@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+let 
+  cfg = config.malobeo.initssh;
+  inherit (config.networking) hostName;
+
+in
+{
+  options.malobeo.initssh = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable initrd-ssh";
+    };
+    authorizedKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Authorized keys for the initrd ssh";
+    };
+    ethernetDrivers = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
+      example = "r8169";
+    };
+  };
+  
+  config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
+    boot = {
+      loader.systemd-boot.enable = true;
+      loader.efi.canTouchEfiVariables = true;
+      supportedFilesystems = [ "vfat" "zfs" ];
+      zfs = {
+        forceImportAll = true;
+        requestEncryptionCredentials = true;
+        
+      };
+      initrd = {
+        availableKernelModules = cfg.ethernetDrivers;
+        systemd = {
+          enable = true;
+          network.enable = true;
+        };
+        network.ssh = {
+          enable = true;
+          port = 222;
+          authorizedKeys = cfg.authorizedKeys;
+          hostKeys = [ "/etc/ssh/initrd" ];
+        };
+        secrets = {
+          "/etc/ssh/initrd" = "/etc/ssh/initrd";
+        };
+        systemd.services.zfs-remote-unlock = {
+          description = "Prepare for ZFS remote unlock";
+          wantedBy = ["initrd.target"];
+          after = ["systemd-networkd.service"];
+          path = with pkgs; [ zfs ];
+          serviceConfig.Type = "oneshot";
+          script = ''
+            echo "systemctl default" >> /var/empty/.profile
+          '';
+        };
+      };
+      kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
+    };
+  };
+}

machines/modules/malobeo/peers.nix

@@ -6,19 +6,34 @@
     allowedIPs = [ "10.100.0.0/24" ];
     listenPort = 51821;
     publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
+    persistentKeepalive = 25;
+  };
+
+  "celine" = {
+    role = "client";
+    address = [ "10.100.0.2/24" ];
+    allowedIPs = [ "10.100.0.2/32" ];
+    publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
+  };
+
+  "desktop" = {
+    role = "client";
+    address = [ "10.100.0.3/24" ];
+    allowedIPs = [ "10.100.0.3/32" ];
+    publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
+  };
+
+  "atlan-pc" = {
+    role = "client";
+    address = [ "10.100.0.5/24" ];
+    allowedIPs = [ "10.100.0.5/32" ];
+    publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
   };
 
   "fanny" = {
     role = "client";
-    address = [ "10.100.0.2/24" ];
-    allowedIPs = [ "10.100.0.0/24" ];
-    publicKey = "hF8H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
-  };
-
-  "test" = {
-    role = "client";
-    address = [ "10.100.0.3/24" ];
-    allowedIPs = [ "10.100.0.0/24" ];
-    publicKey = "hF7H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
+    address = [ "10.100.0.101/24" ];
+    allowedIPs = [ "10.100.0.101/32" ];
+    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
   };
 }

machines/modules/malobeo/wireguard.nix

@@ -30,6 +30,12 @@ in
         description = lib.mdDoc "Setup wireguard to access malobeo maintainance vpn";
       };
 
+      autostart = mkOption {
+        default = true;
+        type = types.bool;
+        description = lib.mdDoc "whether to autostart vpn interface on boot";
+      };
+
       name = mkOption {
         default = "";
         type = types.str;
@@ -58,10 +64,14 @@ in
       }
     ];
     
+    boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf (myPeer.role == "server") 1;
+
     networking.wg-quick = {
       interfaces = {
         malovpn = {
+          mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
           address = myPeer.address;
+          autostart = cfg.autostart;
           listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
 
           # This allows the wireguard server to route your traffic to the internet and hence be like a VPN

machines/modules/malobeo_user.nix

@@ -6,7 +6,7 @@ in
 {
   users.users.malobeo = {
     isNormalUser = true;
-    extraGroups = [ "wheel" "pulse-access" "scanner" "lp" ];
+    extraGroups = [ "pipewire" "wheel" "pulse-access" "scanner" "lp" ];
     openssh.authorizedKeys.keys = sshKeys.admins;
     initialPassword = "test";
   };

machines/secrets/keys/wireguard/private.key

@@ -1,31 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:MJnybSouJW9QcWks/6fBgYXhM1zREa76FDVh0vGF9LwffY4ceLMQpOsFXEN7,iv:z0H0r6VSXy92uiS9bGXL5KxqiA3jqAiAgAH5KMxppsE=,tag:RKwFFHgv+tnIlKRTyV68Ww==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRlRzcldvSVkxV3VSeDBF\nRG9KK2NzYmtPWXE3a1JPN3NMRlJtbnJML0hzCmNTT0JFMTR6SDl0WVNBNk50VmdZ\nYi9pQU9FQW9qQ3NZdTM5T3FDcjNUQXMKLS0tIEpBcFhtbFMrbWlRYVdPSXpYM0xp\neW5MZ3dOYmphYXk2Tjh2Rk8xOGRkSGMKOLVuj75jqZeZ0SS1iHDRLONLbJ/UQXfO\nEN1ZhYXq7u5s+wKidmGoFVHWFAxM0O3kXaAQAHws4ttP0v6YqeSuBg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-11-14T18:24:30Z",
-		"mac": "ENC[AES256_GCM,data:1sVhca19IbHJUv+qfkn+cJXjYIaXLX12S9N3QvDUoeUSTT4m2GxArKjvKJSpmc3KZCbOwpF1TObHjDs88pqsCxkzl7J9TSu4EgESRfSUy0lRhIveN/38wvEGI/0yNZXwFisB0nNpPbwAUp4JUZnfcqihlDINbVCw7mzVShHlnvU=,iv:J7/9uhlisRJUkqEFeO9aBRX5rgv0392DCuF5Yu1a5gI=,tag:sd0eoBkxns2pitnMZWvPzQ==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2024-11-14T18:24:30Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/cFzlEwHCdmrKutzeJHOVANtF93aunkV89avpcjNtxjKJ\nzWeDrxZPIhApRsS0Q5kvuYbplwJbDPDbQlDeRsAzZbGVzXisDEYVSLbSEDX253fV\npDoD3MdBU/syMus0x7gSulT288Ije5lY76kBoqrzzsDG1RbHHeQMBP4hrLrFdQhh\nlCtjXJHMPlxR+bsTLhmKFUl6UWA22QeevhIU2VSTU7ROgcE6qRAknJLVVhTBhHmB\nkm2JpTQuM6Vhq+zIYDgLegV2fOiOW9O6ONsUt5N/jQYFSj2T4WL5Wnix/bxVg6vL\nkAto2cO1GsRBRH994AUWq4h5dwYWUCafYkXMILCQmMy81YftAPiAoCTUBsc6DSJ1\nV+gr4G3wLetwY2DdM8HN2Cru49PI923aOtKztjX8+r/w22RZl99INY5F/RP6NAYA\nLCEdw9LlW6Ctct1B6JU+JlCdJ/FW2Q9RMazw9wF4ZCg0AfqC/tLW9ETZF0cRYmA5\nH9LJJIxjNyizlGoJ7p780lgBDNBJD2v3ST5ESJ9TctQLS2XBWHtgskW1rPaCxrVX\nrgE/0PUnqxofOLofu4ktKOxtutYOqyVeP6Tvr0TLLEjwikgZ92LxqMx5dW6h46rL\nUjGuKKBz7FyA\n=UMiq\n-----END PGP MESSAGE-----",
-				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
-			},
-			{
-				"created_at": "2024-11-14T18:24:30Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//eu/1ioAXlJ2Po2xQ8xQ4HYTQqsMF0lWijN3kv4cH1w+W\nvnQRjB86do4L4DnZz66DDbjHClauLNeuDkYL1ejvetMtENp7KKT8LRJCH4X53eko\ngw6xAYXA8X6e3shM6eFOYIW97pbGQSlfzuh7IbAPZjEuV2ov67sxmWkd9ZJPxw+E\nn2dd/mxw96NM76o8WclwL/W1qrrIqydCJiBtqL09I2z9j9bJ4AxMWTB0kjpJZK4U\nNo5Hk6OwL3C6a3q0xfO0DIb3fy5O7VSwl7AuiRjGxclqy4mH+L9DBS0ONMjguTlo\n+yGZoJi7vaWNvVVW0U9RBEJyCjX6iYje5/gWlWXaMlyIubuOGFy5iXQOSMXk6589\niNcz+ouGAvK6Jy19zo+SQtvmUki+SSRGEzUbx85R13Hz3E5TTlq7wONsgZE4EqqM\ny/6OMCGOvHOzJyWMdKCJ+7DzWzKyQNGWco57hczX74iPGhlH7XfNa3Q0292qziT5\nVFnONWGgN7PLa6rJXOAsxPNlgH5Qbdi2XBgBso8rlAYUXTmKtK/5cDN3rDtRbzgX\nVDu64snQJvGOEKwgv/UXybMRe8OocuCW6zFQDjJMaRtEsg2LP2FjVaYzLhDyuDJ6\ntAIoxWMaMSxgGJkd/E45dOQq/oWBVTFKD8ECGORNOy4RCUMs2LHDbhesvo/PzvbS\nWAFsQZCvjXPe+YZmIuMt7MfgX8d/NhGTtGOaNfX3D+orBuhzWmIAAvlAwMrxorFb\ngayWLO7mYRDUw45uudFzJYql+QLGuvcrFP5BYjY5wk17u6cYYQzlNxs=\n=Qlcg\n-----END PGP MESSAGE-----",
-				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
-			}
-		],
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
-	}
-}

machines/testvm/default.nix

@@ -0,0 +1,59 @@
+{ config, pkgs, inputs, ... }:
+let
+  sshKeys = import ../ssh_keys.nix;
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      #./hardware-configuration.nix
+      ../modules/malobeo_user.nix
+      ../modules/sshd.nix
+      ../modules/minimal_tools.nix
+      inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.disko
+    ];
+
+
+  boot.initrd.systemd.enable = true;
+  boot.loader.systemd-boot.enable = true;
+  malobeo.initssh = {
+    enable = true;
+    authorizedKeys = sshKeys.admins;
+    ethernetDrivers = ["virtio_net"];
+  };
+
+  malobeo.disks = {
+    enable = true;
+    encryption = false;
+    hostId = "83abc8cb";
+    devNodes = "/dev/disk/by-path/";
+    root = {
+      disk0 = "disk/by-path/pci-0000:04:00.0";
+      swap = "1G";
+      reservation = "1G";
+      mirror = false;
+    };
+    storage = {
+      enable = true;
+      disks = ["disk/by-path/pci-0000:08:00.0" "disk/by-path/pci-0000:09:00.0"];
+      reservation = "1G";
+      mirror = true;
+    };
+  };
+
+  boot.initrd.kernelModules = ["virtio_blk" "zfs" "virtio_console" "virtio_pci" "virtio" "virtio_net"];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # needed for printing drivers
+  nixpkgs.config.allowUnfree = true; 
+
+  services.acpid.enable = true;
+
+  networking.hostName = "testvm";
+  networking.networkmanager.enable = true;
+
+  time.timeZone = "Europe/Berlin";
+  system.stateVersion = "23.05"; # Do.. Not.. Change..
+}
+

machines/testvm/disk.key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:GH71ek6+a++P9sDUjO0IPojdU1epX98wcTqmoEgsu0j+,iv:LysgsJdPDvKOUz7l0IyV58QHN2RHvHP14bt1p4571NM=,tag:1WrqC3S+Z6bkE2d76RYtXA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOVI3b1dBa2d5SElHcFdq\nVHZwWlpIU3NpYm8zQnY3aVhOVkxnU1pkZUJNCkJ6bzhqdU5EVy9Wa0creXJHZ1pu\nbkRPVTR1K0o0dmlYbGVIbVRiWjFyL1kKLS0tIHl0aFpUYy9hWmpsNUFoY2JpWUhL\nalluN1RRSTBNUlprZWFISlFoUExXUXMKaULQKgVLNfHX8m0Ac1YhcbM/yhioyNCu\na1AUDjBmruKL9ngqz9Dwzxx0sJJOIFKMdYMVn9uQfui/XCHewO6uRw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-12-31T02:35:20Z",
+		"mac": "ENC[AES256_GCM,data:7K8G7ZFaA7wT0lwujkuJP0HL8WW0m/IkMjgFU9ikWe/GVZMlFDWTafaRNLxdBHNhHwilM8suH2z0P36Xae6pReh47PpID5JS8NC1V38fzww5qW74eFkHq3Pu8HRWb66u7zA/LiyOcEQgtrdP1zbnfmHUgakyNluSn7W1gOtsfxw=,iv:l65AiYn7ETRySF1Wr9nOUk9Fd1I4VGqd/zZbqkCyxYA=,tag:TeVyRa8aN6hIn3iIKPPvbQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-12-31T02:35:05Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/ZITVtnQl5xO2XLTTaNAZ50WhHkVV1G9H2TyxO0NbaUPj\nbo7LdbuB/+cv3wpg5oy5VpWW/JLElqizxbrE5gzQCzorwGE7lpKW0XQubofW8t9l\n+6k9UFXxyfVQJHwcIbexYfL2UhN62eSzzxPiKYVyNw4oM9ySeU+MCeCiv0omLUPg\nWSdOH4q1QYkRGJO8db7KlJSdvCoVjyEiCaLwKdWnPk5pbC+U7wp75fPdFwmzBchc\np9TXKeFF8dVGI7DKuGXA7lBm4ZzgSt4wNdZmc7mvTrTInaDVFA/ptbAfhh2/hNEx\npOijlXbc8ARKAhuLASPy6j37Nm2QdNm/8dl5x6eA7Sx7FcO8qV38Q//V4/DZZddJ\nT3NLC4tWLglpdyFX7H0zmZ+jQOLGJHorwzO+NgSOEj3N4venHYvJyI+vwVGjVCjQ\n1tZUIxGMx5iu959PinvlvBYI7oeKITPLyo8pRRx2EaA+UEBR2f3y+R0bTiBhChKM\nieUIVIK/fbvhdXhwwfRe0lgBm05hL/Vmdbal9QU8o/HIPeGTNitaqLQ59Ets7qm4\nf2FhHaOMO0YaDPtCNBGbRh/mEWH8tjhnI1sLJg/0rR9sOQ/oCzzIYILogIkm3ueE\notFqp95QQPVA\n=P16c\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2024-12-31T02:35:05Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//fAGV0oLuiwL4TmQnrHF88ixvZ/HghKI9k/5zlORIdoaR\na1w6U32coX8HpEfcqON45ZQWSCFtlizlmL55jb1ugXFY/bS+KECO8XaMDhHXNkB/\ndfeCmASvqIlFkl/X3YeD2FhHa3ZlcS93x0duJ+oo18WIErkNuECOL7hwkh+m5YfS\nWtW9Z3J51qfS5S6ctdm9vKcYSrgTkADsyVQp9GqxO3xZGpWudGWDaK0gVBX5wk5t\n1uKhDpnIZdFZ42N5Oy/UqXF5pfEQ0OwxlOS8VMleq1wEPc/DPVku23HRSReS0k7x\nuVeFZpaOfe22ncgI4TVQln8JT0+ZPeAwqBn6LWp0XnPnQdkyE79ARMPqBTPN/6Pn\nFkVpInBVukVJ1AiGpHHxESPtiKoMUZpE+k3WG2dRFWmaON+n0kR4VFpOju3apxTH\n8RGN+Uyn6MswNOZDKoDjlVtkcwgJgar/KwxXNlF7BU3/KMDEBf1UHuQE58Y2eBsC\nI85AEpbskEeOu+MF1SNJkdx/BR+lUaR6ax+dVzOIwxLyyDoCGg4SEoL1Hh1nNRth\nxRZnYfN3FBGv3FnvpaCbfbBDLLkWxzst5HRjp+v2lyPM4eVtyvYPGdfYM5FK1den\nXVawulE3cjM786/Z7X2IK5IDzrvo8nIs/Keg2YqnZe0UgM3XFCoYnwxi2Rev1J3S\nWAHTBs22q/cEk3SLlfzLyqWochY33gI6fC2amOvC5HNhcs7vr6CF1W44d3Yx6WCO\npqxY9jmc4gVWeBLZV/d9T95qLwOQK7L1/tokdbggQcEXFOqpvPzm5pc=\n=qp/h\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/uptimekuma/configuration.nix

@@ -0,0 +1,37 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "uptimekuma";
+    useDHCP = false;
+    nameservers = [ "1.1.1.1" ];
+  };
+
+  imports = [
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."status.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3001";
+        extraConfig = ''
+        '';
+      };
+
+    };
+  };
+
+  services.uptime-kuma = {
+    enable = true;
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/vpn/configuration.nix

@@ -10,6 +10,10 @@ with lib;
     hostName = mkDefault "vpn";
     useDHCP = false;
     nameservers = [ "1.1.1.1" ];
+    firewall = {
+      allowedUDPPorts = [ 51821 ];
+      allowedTCPPorts = [ 80 ];
+    };
   };
 
   imports = [
@@ -24,6 +28,18 @@ with lib;
     privateKeyFile = config.sops.secrets.wg_private.path;
   };
 
+  services.nginx = {
+    enable = true;
+    virtualHosts."docs.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+        '';
+      };
+
+    };
+  };
+
   system.stateVersion = "22.11"; # Did you read the comment?
 }
 

machines/vpn/secrets.yaml

@@ -5,63 +5,63 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age136npxupcslnv5hnhvph2gwj8efz8jvgtfuy9lelrgpwrkg0kfppsa6s8v3
+        - recipient: age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3R3RYWGZTOHIrK29rSGVs
-            UFBvaDFNWGd0dTd2K0JTaXV4WldobjVPMzJnCjc2em4rUmY0R3VON29HZXRneHF5
-            STh4VUxXcTlOcG81ZCtueVBTbnd3a3cKLS0tIEdEVElSMkxGcnF5a1pPbU5qblNB
-            YVdJRkVpeGZJTENMK3B6NCtHb1RqTnMKgmSZxCJIPM/J4AS81gYB2oNovj8p3KmX
-            b9fzYGoRmYURB61qHcbWU7i6/ejGpntd5uGzpAER+Wncr5DuupoZfw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua1FUY1pZamY5R1ExOC8r
+            cUU4VE9VVUJjeEdXNEJnMUM5WEtUL0E2NWhZCm5xTXZ2WnhFcXRGVkdQNHlTcDBC
+            cTlySDcxaGJXOFl0UWJ6RlYzekdJaU0KLS0tIEo1RmVIZG9mOGpJM2NlOEQyKzNG
+            a0FsVGh6TlBBWG5qNTBFWVVWb3U2ZUEKp6Rfi5h1j9+nosARUcuVFUDLajaHf5SK
+            PFDpyy+n1msB4E+Yuku6ySxyf58TqPvy/JnVA7Nhkmir7IngIdfX1w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SkZSdHJtR1gxRnVOR3Zo
-            VEZPc25WZ0srRG9GcncyOG43MUJrOU1GT2trCldOVXVENldpOStIRkFVQUtVaXc5
-            Vm1iNnlJcDZQUDBPWDJFcjNiMGZ4SlUKLS0tIGxjN2tRNVMwdUJtUWsyWkRSYmlw
-            bmM5Qi9SRzVjdHU2N3hrRHBMTU5xc0kKYE16ox+fLiqI2/WRigwyl9/vsSJk4Vmm
-            ePZSOKoo2iwS+ZxXDUlbzZHUX0Y1hsAHkgA60mtzWUL/lFPj9S2SJQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT2hGalZFaktoUHdJRXJy
+            dlg0NVZxNSsvV0VsQndOV2VqZHJzcnI3cFEwCmg0eHl0djNpcmVSaHlEM2h0R2dm
+            QzRveGlpbldYeFFQdmVHSlVtU1FhcGsKLS0tIHFnZ0xyaDRidE5naElnNWNOZmM2
+            RUpHanJrOUx1endqRytjOW9VV1dLQ1UKcS6MhvTHTn+3sCh/wrMDw4z5aYHmKbER
+            n/doy/gDtIWeIlw9TPNdCtOu/P/atNnrjvpTDCU1i+H86fODFmu5zw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-12-17T22:01:22Z"
     mac: ENC[AES256_GCM,data:ctpzk2gUHSLThmZpRFwIBKX+SfwKt8/V8AWQbPnoBqJ9KwuHcRKkkT2yEMx3l2qKUy7DgrqRXhSVGbF57poXC9nshyjXMrrjMQA4PBB7a3SAwgpcX6j+aEx0xIt8GTUVxcn0xDvbP9xJ+adeACLUvkE+a4EB1jtdsL/iacxlv5Y=,iv:Zw+sG7oXmPRGa2jWc+mloGMBq6CnDQgz5x7ke5paeW8=,tag:RtfGmrSt8U8Je7Dq9FQGTg==,type:str]
     pgp:
-        - created_at: "2024-12-17T21:55:28Z"
+        - created_at: "2024-12-19T15:09:08Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQGMA5HdvEwzh/H7AQwAnjxmm6LjOUNUEhGwkDiK06StK5fg3EXaNN0V/GA8aEcl
-            2FAJ2EC66epPJQ0pMbBiuXrQI3tawGUkEL+J2Qm51qGpz7bVafbjUrRPDuOqO9Sl
-            kyxe9732u9NUKDofBAnwkv4paAHnFvJqUGpYIhnKuzVFgMjitKD4Lj/EkGsEjW+A
-            rS8B2C+8aUcxR6f8xxPui2pAKH7R95bQKsJHmpN9HOTkHd/0P8GJJI0F6rwPPnUD
-            3YHsPzsvAXIvQadFyRzyz9Mfd47FuXG8DQYQdGQHem4s9QxSFrU8tG2CdFg6crd/
-            huRf3BdbKptAV9E7N+z9UJudloK7pAEz1wI8cDrYm37EkeQ+Y3E7Ncl3twMuBhxO
-            b/6qs2sN6L4vGhyUPOqgdThcTLoi3W7VV59Zk21U3WqZcna+Vv4x50UdYrQdygsm
-            XQKVBkGLfC3WQEgl+xVtZynerlpAD3qMKdXb6hdAaar0AiNSQoNoubmMOPSK40Mt
-            rRc+8LLB1NxNdk/d6vjl0lgBQuTc/FjB64jeiBlj3ymU4EfVRwL233+yIwk4VW5T
-            gJCLYIwIEbGvs6NBM0HB1RlxEPKGG6cZeHjhq2mLVR1ICRoAVMG9oq0V563wlrBq
-            peNxBxsI8SA1
-            =Irv5
+            hQGMA5HdvEwzh/H7AQv/bueAXskPGUYQwlmujEEdjh2o3yGxTScqCEwYbghRPbf+
+            a59WXJMtIkOCxRF0bkyfoKLudJJeWRteBfN3aqdUKtFqr4g7PfavLmipRaqm1cmJ
+            EswakDt4raLx2C4HAyZvaab4fzA592tqpGU5RBRmwtkxjfCL0bY6zV/FHmk7NzYg
+            RAaEChpaUGXSTmwDiXJn1FJ1QwOSTlKm0ccoUbB1MSHi8A3LqH0lEHPqq5mb3Yhx
+            XIvOKPTZ+ODX9duLOQrAPWAfOShcyjd8SAA+uygJ7PYnXeN9HpuROcl4WEB1mpKa
+            h2AGwtUpOC9tpqKJ3kueBUePpsSHM9s1qmeImItSycFHzlB/hnuFQFndhV6I2yaP
+            lDs/Vpsfoeq3/ufR4Cajqwd7Q6dRGmf71/Sk6QhjXZQapGRcIfGWlOMcHn/z+ura
+            PPn2EtTxkgzp9G8ksOdTzIoriM7RmosC7N1BgSpw+vRUXn4dNhHN4h9LcR9XsX0u
+            lUJXfAc5DOl0bkpJ0y1B0lgBldvxchsMsg4RS2GNhIs20gjMfFLs4eRlcXU8Yps5
+            HizBAKW5frOePfzVM+GD30IstOd/pJPYrRCzg7Ym1oY/+IZTLfK/7MW2bvtP5IJy
+            LN6uk4NCOKwA
+            =Mdnc
             -----END PGP MESSAGE-----
           fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-12-17T21:55:28Z"
+        - created_at: "2024-12-19T15:09:08Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA98TrrsQEbXUARAAh8JxMTVSBb4XcejACSSV32vOTj5b78JnZ0N2nVR/qlwW
-            NC+Qu/a3m+vOsJRyfwd3+EBozF7oRWvCG5WZxUgK1CTXm9QAeHLm+k0DZBjpS7LV
-            K3jLN5Bpu7asfqvXonwAt/c3ESJ7QeWPU98LzjKSPNwXfLM3bYmEQIt/JVF2nVll
-            +W4t/+1qG2T5+dKInZb49AY9nWS+SZeCUIIa739IL61ifEv4vi69wsi1CSWq10mp
-            Ibb56lCjCq2r44Vv1/Db2rm3rDz9mTQgvRAL0sTsGGsl34N9GbeROLxg+WF0m6Tr
-            rcMTthM/TcDQj4AbF7HItaNgUH04HNOjNUjf4aLpx3QiEvQ2KBpDfaUknSPAp++Y
-            9j7nANC6U9XU1qDOE/+Ui4KfngBYs6XFd8cLLwaZoaHb23BLmK1z12AV0sFhG/bC
-            fPmYXN9Nv2aKELPNcq0pEBMu5aQer14ddCbCUt3KfwzwcQkpYcB/PoXpFBNGTxls
-            4JkYY98FwALEYJH8LRlfMzoACNR4xzRF8c8IQCE+mCdKUXoxhxzRSQ/IrwOorQkr
-            HCBvoOLrSbsNRDExtCo7YhxFrtP4TaBodMpSK1zsvaixZWyBYylG4ilkU7XmIAHN
-            4+eijX6avdfAwD7dihKvAToXSrwUZAeTwjh67SlMFSI7ocAQUmXGIxX8ilD1lwzS
-            WAGLipgRLgyaZ4i8BQSFVDPXxJv2JGAqtwdfs3NAdKF4ULTPebfI7c9gZ9f//IgH
-            hmSdKuI52BZRqjCuTAC+LyjLbLJu+cj8LAXc5Rw96yTvLEGeHt+1x64=
-            =ou4t
+            hQIMA98TrrsQEbXUAQ//bvRwMD4xzEq9wihdYG/XHb72Y8RYzHLA1/okH0Kfe9wW
+            DomZhwi/VPoLf8RWTZfa0/S1PnPyOZdfEP46ZM2WSksNydMidqY7fOuFYxTI5cRG
+            javuZjAH0ZyMMG3J+Y+zzFCFRMBT8n5yDtv+bDbi1T16SJj0gpYW2IIEglOudPVl
+            vDM6bqHD5UefHtxhYGRnPaxqenLxCoNYq4DAx8+8DoIj7RTg4+rjrglW16G7KU5n
+            t7acEiD+J0fXeQM7bLTYuiI0gSkaftSuQ1GVEDgw6M80pSdWfrqE5xue+8t3MPDA
+            UGQGjXxG4ykOV5Wggs3EjOVkscgmQxWJgMYNanCZJEy36WWlzPnG59O1kiXW+6AQ
+            TCy4ZXb3SyUJ1kSoI9pJ3PSaADaID9rDgIn+IkIfY0E+QVrw9qL4qN0rqISx++EW
+            XOBucRspIqcXzFGikuz4yIwLBWVAqGhr5iKge8FVjBPVUX+JPgJjFw25fAFZkkds
+            mJDAkbzJh6iALxSIoj++kPIw+f4xQXKPPPLJiJzpuWAcZJiA3WM10iakGyuKmYPL
+            qVgwo1hXOVODwbkBvztJOGIMqMXNLQP9A45kpNjFuyPn8WcignmvoFXtGbr9BtCY
+            sZAZrDFw/JxVLVPSM3duKC6R8r8MQfp1ZNVLU9fMzqfReu+6gD5biESM+rnYC4TS
+            WAGB3htm92PRqdsJnDrgO8kzi9fHNxo0htj9fmo8ipNY+eeLfrAW6ocqPMBzCuyf
+            3EbF+PS9PRg0lHyjkBC2pF6PD8DHVL/2OTSpWOZdp8FCqogZg7e7dMI=
+            =vQSV
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
     unencrypted_suffix: _unencrypted

outputs.nix

@@ -40,6 +40,8 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
     };
 
     packages = {
+      remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
+      boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
       docs = pkgs.stdenv.mkDerivation {
         name = "malobeo-docs";
         phases = [ "buildPhase" ];
@@ -113,12 +115,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
     });
 
     nixosModules.malobeo = {
-      imports = [
-        ./machines/durruti/host_config.nix
-      ];
-
+      host.imports = [ ./machines/durruti/host_config.nix ];
       microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
       vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
+      initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
+      disko.imports = [ ./machines/modules/disko ];
     };
 
     hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (

scripts/remote-install-encrypt.sh

@@ -0,0 +1,47 @@
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [ $# -lt 2 ]; then
+  echo
+  echo "Install NixOS to the host system with secrets and encryption"
+  echo "Usage: $0 <hostname> <ip> (user)"
+  exit 1
+fi
+
+hostname=$1
+ipaddress=$2
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create the directory where sshd expects to find the host keys
+install -d -m755 "$temp/etc/ssh/"
+
+diskKey=$(sops -d machines/$hostname/disk.key)
+echo "$diskKey" > /tmp/secret.key
+
+ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
+ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
+
+# # Set the correct permissions so sshd will accept the key
+chmod 600 "$temp/etc/ssh/$hostname"
+chmod 600 "$temp/etc/ssh/initrd"
+
+# Install NixOS to the host system with our secrets and encription
+# optional --build-on-remote
+if [ $# = 3 ]
+  then
+  nix run github:numtide/nixos-anywhere -- --extra-files "$temp"   \
+ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
+
+else
+nix run github:numtide/nixos-anywhere -- --extra-files "$temp"   \
+ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
+fi

scripts/unlock-boot.sh

@@ -0,0 +1,30 @@
+set -o errexit
+set -o pipefail
+
+sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
+HOSTNAME=$1
+
+echo
+diskkey=$(sops -d machines/$HOSTNAME/disk.key)
+
+if [ $# = 1 ]
+    then
+    echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
+
+    echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
+
+elif [ $# = 2 ]
+    then
+    IP=$2
+    
+    echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
+
+    echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
+
+else
+    echo
+    echo "Unlock the root disk on a remote host."
+    echo "Usage: $0 <hostname> [ip]"
+    echo "If an IP is not provided, the hostname will be used as the IP address."
+    exit 1
+fi