Merge branch 'staging'

if we need to restore from backup this is necessary since db state from
zfs snapshots might be corrupted

flake.lock

@@ -67,11 +67,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748226808,
+        "lastModified": 1763992789,
-        "narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=",
+        "narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9",
+        "rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3",
         "type": "github"
       },
       "original": {
@@ -109,11 +109,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1748260747,
+        "lastModified": 1764549796,
-        "narHash": "sha256-V3ONd70wm55JxcUa1rE0JU3zD+Cz7KK/iSVhRD7lq68=",
+        "narHash": "sha256-Mswg665P92EoHkBwCwPr/7bdnj04g2Qfb+t02ZEYTHA=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "b6c5dfc2a1c7614c94fd2c5d2e8578fd52396f3b",
+        "rev": "030d055e877cc13d7525b39f434150226d5e4482",
         "type": "github"
       },
       "original": {
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747663185,
+        "lastModified": 1764234087,
-        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
+        "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
+        "rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1747900541,
+        "lastModified": 1764440730,
-        "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
+        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
+        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1748190013,
+        "lastModified": 1764517877,
-        "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
+        "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
+        "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
         "type": "github"
       },
       "original": {
@@ -208,16 +208,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1748162331,
+        "lastModified": 1764522689,
-        "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
+        "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
+        "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -246,11 +246,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747603214,
+        "lastModified": 1764483358,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
         "type": "github"
       },
       "original": {
@@ -262,11 +262,11 @@
     "spectrum": {
       "flake": false,
       "locked": {
-        "lastModified": 1746869549,
+        "lastModified": 1759482047,
-        "narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=",
+        "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
         "ref": "refs/heads/main",
-        "rev": "d927e78530892ec8ed389e8fae5f38abee00ad87",
+        "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
-        "revCount": 862,
+        "revCount": 996,
         "type": "git",
         "url": "https://spectrum-os.org/git/spectrum"
       },
@@ -357,11 +357,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743458889,
+        "lastModified": 1760981884,
-        "narHash": "sha256-eVTtsCPio3Wj/g/gvKTsyjh90vrNsmgjzXK9jMfcboM=",
+        "narHash": "sha256-ASFWbOhuB6i3AKze5sHCvTM+nqHIuUEZy9MGiTcdZxA=",
         "ref": "refs/heads/master",
-        "rev": "b61466549e2687628516aa1f9ba73f251935773a",
+        "rev": "b67eb2d778a34c0dceb91a236b390fe493aa3465",
-        "revCount": 30,
+        "revCount": 32,
         "type": "git",
         "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
       },
@@ -450,11 +450,11 @@
         "utils": "utils_4"
       },
       "locked": {
-        "lastModified": 1751462005,
+        "lastModified": 1764942243,
-        "narHash": "sha256-vhr2GORiXij3mL+QIfnL0sKSbbBIglw1wnHWNmFejiA=",
+        "narHash": "sha256-P02Zm0VAON9SqRxqe6h5vfxgpCBYeiz5JPWGIn6KFFg=",
         "ref": "refs/heads/master",
-        "rev": "f505fb17bf1882cc3683e1e252ce44583cbe58ce",
+        "rev": "f56b7eb6887b7e0fecae4a1f4c1311392eebad8d",
-        "revCount": 155,
+        "revCount": 156,
         "type": "git",
         "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
       },

flake.nix

@@ -3,7 +3,7 @@
 
   inputs = {
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";

machines/bakunin/configuration.nix

@@ -48,7 +48,7 @@ in
       firefox
       thunderbird
       telegram-desktop
-      tor-browser-bundle-bin
+      tor-browser
       keepassxc
       libreoffice
       gimp

machines/durruti/host_config.nix

@@ -49,6 +49,10 @@ in
       locations."/" = {
         proxyPass = "http://10.0.0.10";
         extraConfig = ''
+          client_max_body_size 10G;
+          client_body_timeout 3600s;
+          send_timeout 3600s;
+          fastcgi_buffers 64 4K;
         '';
       };
     };

machines/fanny/configuration.nix

@@ -1,6 +1,7 @@
 { inputs, config, ... }:
 let
   sshKeys = import ../ssh_keys.nix;
+  peers = import ../modules/malobeo/peers.nix;
 in
 {
   sops.defaultSopsFile = ./secrets.yaml;
@@ -85,8 +86,42 @@ in
     enable = true;
     authorizedKeys = sshKeys.admins;
     ethernetDrivers = ["r8169"];
+    zfsExtraPools = [ "storage" ];
   };
 
+  boot.initrd = {
+    availableKernelModules = [ "wireguard" ];
+    # postMountCommands = ''
+    #   ip address flush dev wg-initrd
+    #   ip link set dev wg-initrd down
+    # '';
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        netdevs."30-wg-initrd" = {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "wg-initrd";
+          };
+          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
+          wireguardPeers = [{
+            AllowedIPs = peers.vpn.allowedIPs;
+            PublicKey = peers.vpn.publicKey;
+            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
+            PersistentKeepalive = 25;
+          }];
+        };
+        networks."30-wg-initrd" = {
+          name = "wg-initrd";
+          addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
+        };
+      };
+    };
+  };
+
+  boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
+
   services.malobeo.vpn = {
     enable = true;
     name = "fanny";
@@ -130,7 +165,10 @@ in
         proxyPass = "http://10.0.0.13";
         extraConfig = ''
           proxy_set_header Host $host;
-          client_max_body_size 10G;
+          client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
+          client_body_timeout 3600s;
+          send_timeout 3600s;
+          fastcgi_buffers 64 4K;
         '';
       };
     };

machines/louise/configuration.nix

@@ -31,7 +31,7 @@
       firefox
       thunderbird
       telegram-desktop
-      tor-browser-bundle-bin
+      tor-browser
       keepassxc
       libreoffice
       gimp

machines/modules/malobeo/initssh.nix

@@ -22,6 +22,11 @@ in
       description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
       example = "r8169";
     };
+    zfsExtraPools = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
+    };
   };
   
   config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
@@ -32,35 +37,43 @@ in
       zfs = {
         forceImportAll = true;
         requestEncryptionCredentials = true;
-        
+        extraPools = cfg.zfsExtraPools;
       };
       initrd = {
         availableKernelModules = cfg.ethernetDrivers;
         systemd = {
+          initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ]; 
           enable = true;
           network.enable = true;
+          services."stopInitVpn" = {
+            description = "stop init vpn";
+            wantedBy = [
+              "initrd.target"
+            ];
+            after = [
+              "zfs.target"
+            ];
+            serviceConfig.StandardOutput = "journal+console";
+            script = ''
+              networkctl down wg-initrd
+            '';
+            serviceConfig.Type = "oneshot";
+      };
         };
-        network.ssh = {
+        network = {
-          enable = true;
+          flushBeforeStage2 = true;
-          port = 222;
+          ssh = {
-          authorizedKeys = cfg.authorizedKeys;
+            enable = true;
-          hostKeys = [ "/etc/ssh/initrd" ];
+            port = 222;
+            authorizedKeys = cfg.authorizedKeys;
+            hostKeys = [ "/etc/ssh/initrd" ];
+          };
         };
         secrets = {
           "/etc/ssh/initrd" = "/etc/ssh/initrd";
         };
-        systemd.services.zfs-remote-unlock = {
-          description = "Prepare for ZFS remote unlock";
-          wantedBy = ["initrd.target"];
-          after = ["systemd-networkd.service"];
-          path = with pkgs; [ zfs ];
-          serviceConfig.Type = "oneshot";
-          script = ''
-            echo "systemctl default" >> /var/empty/.profile
-          '';
-        };
       };
       kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
     };
   };
-}
+}

machines/modules/malobeo/peers.nix

@@ -44,6 +44,14 @@
     publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
   };
 
+  "fanny-initrd" = {
+    role = "client";
+    address = "10.100.0.102";
+    allowedIPs = [ "10.100.0.102/32" ];
+    #TODO: UPDATE
+    publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
+  };
+
   "backup0" = {
     role = "client";
     address = "10.100.0.20";

machines/nextcloud/configuration.nix

@@ -31,9 +31,13 @@ with lib;
     lokiHost = "10.0.0.14";
   };
 
+  services.postgresqlBackup = {
+    enable = true;
+  };
+
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud31;
+    package = pkgs.nextcloud32;
     hostName = "cloud.malobeo.org";
     config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
     maxUploadSize = "10G";
@@ -48,14 +52,9 @@ with lib;
     extraAppsEnable = true;
     extraApps = {
       inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
-      appointments = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
-        url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
-        license = "agpl3Plus";
-      };
       deck = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-1sqDmJpM9SffMY2aaxwzqntdjdcUaRySyaUDv9VHuiE=";
+        sha256 = "sha256-epjwIANb6vTNx9KqaG6jZc14YPoFMBTCj+/c9JHcWkA=";
-        url = "https://link.storjshare.io/raw/jw7pf6gct34j3pcqvlq6ddasvdwq/mal/deck.tar.gz";
+        url = "https://link.storjshare.io/raw/jvrl62dakd6htpyxohjkiiqiw5ma/mal/deck32.tar.gz";
         license = "agpl3Plus";
       };
     };

machines/overwatch/pull_info.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -o pipefail
+set -eo pipefail
 for command in "jq" "xq" "grep" "curl" "sed"
 do
     if ! command -v $command >/dev/null 2>&1
@@ -13,7 +13,7 @@ get_cookie () {
     if [[ $1 == "-d" ]]; then
         cookie=$(cat request_example_1.txt)
     else
-        cookie=$(curl -D - -X GET http://192.168.1.42/wcd/index.html)
+        cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
     fi
 
     exitCode="$?"
@@ -93,15 +93,14 @@ system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "Fax
 system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
 #End Variables-------------
 
-echo "Start getting cookie"
+echo "Getting cookie"
 get_cookie "$@"
-echo "Cookie got"
 
-echo "Start extract from system_counter"
+echo "Start extracting info from system_counter"
 if [[ $1 == "-d" ]]; then
     system_counter_data=$(cat system_counter.xml |xq)
 else
-    system_counter_data=$(curl -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=\"$cookie\"" |xq)
+    system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
 fi
 
 get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
@@ -118,19 +117,17 @@ get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system
 
 get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
 
-echo "Stop extract from system_counter"
+echo "Start extracting info from system_consumables"
-echo
-echo "Start extract from system_consumables"
 if [[ $1 == "-d" ]]; then
     system_consumables_data=$(cat system_consumables.xml |xq)
 else
-    system_consumables_data=$(curl -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=\"$cookie\"")
+    system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
 fi
 
 get_values_consumables system_consumables_base_keys Consumables
 
-echo "Stop extract from system_consumables"
+echo "Sending data to prometheus-pushgateway..."
 
-echo "$valueStore" | curl --data-binary @- http://localhost:9091/metrics/job/printer
+echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
 echo "Success!"
-exit 0
+exit 0

machines/vpn/configuration.nix

@@ -45,6 +45,10 @@ with lib;
         proxyPass = "http://10.100.0.101";
         extraConfig = ''
           proxy_set_header Host $host;
+          client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
+          client_body_timeout 3600s;
+          send_timeout 3600s;
+          fastcgi_buffers 64 4K;
         '';
       };
     };

scripts/add_new_host_keys.sh

@@ -31,10 +31,13 @@ cd "$pwpath"
 # Generate SSH keys
 ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
 ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
+wg genkey > wg.private
+publickey=$(cat wg.private | wg pubkey)
 
 #encrypt the private keys
 sops -e -i ./$hostkey
 sops -e -i ./$initrdkey
+sops -e -i ./wg.private
 
 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -45,6 +48,9 @@ echo
 echo "Hier ist der age public key für sops etc:"
 echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
+echo "Hier ist der wireguard pubkey für das gerät"
+echo "$publickey"
+echo 
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
 

scripts/remote-install-encrypt.sh

@@ -40,7 +40,9 @@ trap cleanup EXIT
 
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/etc/wireguard/"
 
+##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
 diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
 
@@ -48,6 +50,7 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
 
 sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 
+sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
 chmod 600 "$temp/etc/ssh/initrd"

scripts/unlock-boot.sh

@@ -24,14 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
 echo
 if [ $# = 1 ]
     then
-    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$hostname-initrd "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
     echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
 
 elif [ $# = 2 ]
     then
     ip=$2
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$ip "zpool import -a"
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
+    echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted" 
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
     
 else
     echo