[user module] default enable users to prevent lockouts

also, add admin to trusted users

README.md

@@ -1,44 +1,20 @@
 # malobeo infrastructure
 
-this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
+this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
-
-the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html)
-
-## hosts
-
-#### durruti
-- nixos-container running on dedicated hetzner server
-- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
-- if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
-- currently is running tasklist in detached tmux session
-  - [x] make module with systemd service out of that
-
-## creating a new host
-
-### setting up filesystem
-currently nixos offers no declarative way of setting up filesystems and partitions. that means this has to be done manually for every new host. [to make it as easy as possible we can use this guide to setup an encrypted zfs filesystem](https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/Root%20on%20ZFS.html)
-
-*we could create a shell script out of that*
 
 ### deploying configuration
 
-#### local deployment
+hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes.
-``` shell
+Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master.
-nixos-rebuild switch --use-remote-sudo
-```
 
-#### remote deployment
+### deploy fresh host
+if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html)
 
-you need the hostname and ip address of the host:
+### testing configuration
-``` shell
- nixos-rebuild switch --flake .#<hostname> --target-host root@<ip_address> --build-host localhost
-```
-
-in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources
 
+refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally
 
 ## development
-
 ### requirements
 we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf*
 ``` nix
@@ -55,46 +31,13 @@ a development shell with the correct environment can be created by running ```ni
 If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration)
 
 ### build a configuration
-
 to build a configuration run the following command (replace ```<hostname>``` with the actual hostname):
 
 ``` shell
 nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
 ```
 
-### building raspberry image
-
-for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM).
-
-to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix:
-
-``` nix
-boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-```
-
-then you can build the image with:
-
-``` shell
-nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage
-```
-
-### run a configuration as vm
-
-to run a vm we have to build it first using the following command (replace ```<hostname>``` with the actual hostname):
-
-``` shell
-nix build .#nixosConfigurations.<hostname>.config.system.build.vm
-```
-
-afterwards run the following command to start the vm:
-
-``` shell
-./result/bin/run-<hostname>-vm
-```
-
 ### documentation
 
-for documentation we currently just use README.md files.
+documentation is automatically build from master and can be found here: docs.malobeo.org  
-
+locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev```
-the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
-the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.

doc/src/Index.md

@@ -1,26 +1,20 @@
 # malobeo infrastructure
 
-this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
+this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
-
-the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html)
 
 ### deploying configuration
-#### local deployment
-``` shell
-nixos-rebuild switch --use-remote-sudo
-```
 
-#### remote deployment
+hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes.
-you need the hostname and ip address of the host:
+Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master.
-``` shell
- nixos-rebuild switch --flake .#<hostname> --target-host root@<ip_address> --build-host localhost
-```
 
-in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources
+### deploy fresh host
+if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html)
 
+### testing configuration
+
+refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally
 
 ## development
-
 ### requirements
 we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf*
 ``` nix
@@ -37,46 +31,13 @@ a development shell with the correct environment can be created by running ```ni
 If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration)
 
 ### build a configuration
-
 to build a configuration run the following command (replace ```<hostname>``` with the actual hostname):
 
 ``` shell
 nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
 ```
 
-### building raspberry image
-
-for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM).
-
-to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix:
-
-``` nix
-boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-```
-
-then you can build the image with:
-
-``` shell
-nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage
-```
-
-### run a configuration as vm
-
-to run a vm we have to build it first using the following command (replace ```<hostname>``` with the actual hostname):
-
-``` shell
-nix build .#nixosConfigurations.<hostname>.config.system.build.vm
-```
-
-afterwards run the following command to start the vm:
-
-``` shell
-./result/bin/run-<hostname>-vm
-```
-
 ### documentation
 
-for documentation we currently just use README.md files.
+documentation is automatically build from master and can be found here: docs.malobeo.org  
-
+locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev```
-the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
-the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746728054,
+        "lastModified": 1736864502,
-        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "ff442f5d1425feb86344c028298548024f21256d",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
         "type": "github"
       },
       "original": {
@@ -67,11 +67,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747688870,
+        "lastModified": 1736373539,
-        "narHash": "sha256-ypL9WAZfmJr5V70jEVzqGjjQzF0uCkz+AFQF7n9NmNc=",
+        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d5f1f641b289553927b3801580598d200a501863",
+        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
         "type": "github"
       },
       "original": {
@@ -109,11 +109,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1753053388,
+        "lastModified": 1739104176,
-        "narHash": "sha256-T8R4/cTj/F3yvW/NzVFytkcfFwvyDiKZQoGBazCyclI=",
+        "narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "80bddbd51fda2c71d83449f5927e4d72a2eb0d89",
+        "rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2",
         "type": "github"
       },
       "original": {
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1751903740,
+        "lastModified": 1737057290,
-        "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
+        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
+        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1752666637,
+        "lastModified": 1738816619,
-        "narHash": "sha256-P8J72psdc/rWliIvp8jUpoQ6qRDlVzgSDDlgkaXQ0Fw=",
+        "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "d1bfa8f6ccfb5c383e1eba609c1eb67ca24ed153",
+        "rev": "2eccff41bab80839b1d25b303b53d339fbb07087",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1752950548,
+        "lastModified": 1739020877,
-        "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
+        "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
+        "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
         "type": "github"
       },
       "original": {
@@ -208,11 +208,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1751274312,
+        "lastModified": 1739206421,
-        "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
+        "narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
+        "rev": "44534bc021b85c8d78e465021e21f33b856e2540",
         "type": "github"
       },
       "original": {
@@ -245,11 +245,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1752544651,
+        "lastModified": 1739262228,
-        "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
+        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "2c8def626f54708a9c38a5861866660395bb3461",
+        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
         "type": "github"
       },
       "original": {
@@ -261,11 +261,11 @@
     "spectrum": {
       "flake": false,
       "locked": {
-        "lastModified": 1751265943,
+        "lastModified": 1733308308,
-        "narHash": "sha256-XoHSo6GEElzRUOYAEg/jlh5c8TDsyDESFIux3nU/NMc=",
+        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
         "ref": "refs/heads/main",
-        "rev": "37c8663fab86fdb202fece339ef7ac7177ffc201",
+        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
-        "revCount": 904,
+        "revCount": 792,
         "type": "git",
         "url": "https://spectrum-os.org/git/spectrum"
       },
@@ -341,11 +341,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743458889,
+        "lastModified": 1737548421,
-        "narHash": "sha256-eVTtsCPio3Wj/g/gvKTsyjh90vrNsmgjzXK9jMfcboM=",
+        "narHash": "sha256-gmlqJdC+v86vXc2yMhiza1mvsqh3vMfrEsiw+tV5MXg=",
         "ref": "refs/heads/master",
-        "rev": "b61466549e2687628516aa1f9ba73f251935773a",
+        "rev": "c5fff78c83959841ac724980a13597dcfa6dc26d",
-        "revCount": 30,
+        "revCount": 29,
         "type": "git",
         "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
       },

machines/.sops.yaml

@@ -73,13 +73,6 @@ creation_rules:
       - *admin_kalipso_dsktp
       age:
       - *admin_atlan
-  - path_regex: fanny/disk.key
-    key_groups:
-    - pgp:
-      - *admin_kalipso
-      - *admin_kalipso_dsktp
-      age:
-      - *admin_atlan
   - path_regex: bakunin/disk.key
     key_groups:
     - pgp:
@@ -102,3 +95,10 @@ creation_rules:
       - *admin_kalipso_dsktp
       age:
       - *admin_atlan
+  - path_regex: .*/secrets/.*
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan

machines/bakunin/configuration.nix

@@ -8,12 +8,11 @@ in
     [ # Include the results of the hardware scan.
       #./hardware-configuration.nix
       ../modules/xserver.nix
-      ../modules/malobeo_user.nix
       ../modules/sshd.nix
-      ../modules/minimal_tools.nix
       ../modules/autoupdate.nix
       inputs.self.nixosModules.malobeo.disko
       inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.users
     ];
 
   malobeo.autoUpdate = {
@@ -38,6 +37,8 @@ in
     ethernetDrivers = ["r8169"];
   };
 
+  malobeo.users.malobeo = true;
+
   hardware.sane.enable = true; #scanner support
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];

machines/fanny/configuration.nix

@@ -9,7 +9,6 @@ in
   imports =
     [ # Include the results of the hardware scan.
       #./hardware-configuration.nix
-      ../modules/malobeo_user.nix
       ../modules/sshd.nix
       ../modules/minimal_tools.nix
       ../modules/autoupdate.nix
@@ -18,6 +17,7 @@ in
       inputs.self.nixosModules.malobeo.disko
       inputs.self.nixosModules.malobeo.microvm
       inputs.self.nixosModules.malobeo.metrics
+      inputs.self.nixosModules.malobeo.users
     ];
 
     virtualisation.vmVariantWithDisko = {
@@ -50,6 +50,10 @@ in
     '';
   };
 
+  malobeo.users = {
+    malobeo = true;
+    admin = true;
+  };
 
   malobeo.disks = {
     enable = true;

machines/fanny/disk.key

@@ -1,31 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-01-05T19:35:48Z",
-		"mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2025-01-05T19:32:11Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----",
-				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
-			},
-			{
-				"created_at": "2025-01-05T19:32:11Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----",
-				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
-			}
-		],
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.2"
-	}
-}

machines/fanny/secrets/disk.key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:H0oMKUXc6C28tHMwSgsppcdfYKEknPIIWGq3Mwk=,iv:lExcGcA4bvwKtqeeG4KS87mWlPBtCSSpOunJMZcQG+Y=,tag:F6Pke7woX/odRT7SMJwVbw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlQwRFZLZUtGamszckt6\nNmFoZmk3U1JpM3V6MkNZc2Iwd0VlTDJpekNvCkMzVm1qNEYyNEZmQ1o0TG1LRmpP\ncUhiWlB5ZTdjZnBHQUxVblA2V2s4WVEKLS0tIDhiUUdla09WRmR6RWZnbE5XRDAv\nWVV0WW9wMWsrcjdsdkF3NHgxMVFmRDQKeUAVQU/M1DGfAmee6CFvyTr8RkRBWjYk\nK9ceXyJSojHktwr/Xllm1mMm6H2lPbzba/JAyt99YVTD8xO056vu/g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-22T18:09:45Z",
+		"mac": "ENC[AES256_GCM,data:5IGtFkE5sGjXJXlXkPdN4e15gxh6QB/z1X5A0149koG3fvOPnoLPEU+DGx1qj9Z/8vilJat1hk7qIBalMPMCn2/T1PIV45Hpvih/kNoszkFMQ9r0EsZMgXgSJClHSg1JaiCiC3LvjsIWHDoESwVx3fqos1ClOLtrzKwptCEUp2Q=,iv:15QS1AwpuUr+EMw5YQe8ogb1Y58nQh4WcFjtzuWtcUQ=,tag:vL9cZRdsPCqaTw42pzRfOw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-22T18:08:13Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/WtqMo4CAW5VEqo4vEL7Lj9Z/OY1h0zPF/bdkc9u6x7IP\ngqH60j9iF3n4ae717c4eKf59iN4+4tDk51qb1XdBOw1scn6rTai6KCnqNhiGeZF9\ndKsCZG5LxdbGkEFFw0Q+6W+gV6MiGlD4SBiKpjAsGVGcn42wygfTzpFRRA2Pmlev\nAGSUs5TDmi1IqQsvzYBMBM9+6sdsKhpRalXGS0gFz+wYGPFlK4E1rd6CBKRYEWtw\nm4kRe0nA2Sk4XhVZ39nPtR9rxrhB+d+Qq7AHIqD75SoY8vI+o3UyJ5Cee5MAmMcd\nn0EG24OeThF2p4lZw0iuUgtefqkc21/MoojYP6tfS7s0vGcq9iFjZ8PgUv3IKfrZ\n9EwresYfvhKbocZj2ywPK7iavFCYmqpTzbloGkO0AVfmHpWZRpxneOaGruCwFmGg\nF3qBVTcBSBDF972KDvm/TbKV5NQmRAZuXTrTBh6vgmVcaLN8LTLP3xRQlY28Ng2P\nY5l/5sZ1CGvhfv+G/24n0lgBF7I8pMTfsUEttzPONEY3pRaYyprYxdDlutHI2Kzp\nl0oPBs19rCSn79avQr5fE0mIvqJCoB5HVPkUDjNTaMNSJAywjQEWNITh2GszRTku\nBDvnzA2VnVww\n=aFlN\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-02-22T18:08:13Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//bap7Q1HvJJ2KjVMhklTaQ2LG+TITzh0jvaRSXlXG+u5a\n//iWLTov8CH6s6e5I/T7FtslIcBVmyUX9vL9tCgVNMHy0RVG9mmykS0z5/9GY1tY\nEDcOOINQwrmuhWFHvc+9hzKEbLH7heR3ljMw9ouzBgFjEUdhFKJCIW9xrY3a45ue\nwBfaVj0tPNFMq/f/Zu5dDvw6gmYp9ziSMh3GwLNnMBmQDgdSjZJWQr+oa7KKSOM4\nu8ogeqP5Yyf7vDj1he+9TJpG8fdE68boYban9t9rfnyf0cRW7oHkpkwPtKvn9U4c\n4Tbl1RUqfHsTpHX+rxP8w/zgaLbrc0hJO1zxXeeQTOlS/0S1+i5n3pINFwzNXNBE\nIHgIpqOKabfpDFsL/DMIdNQZyr/iD4gHjzSeQPdyd0/4dbFMKPsVzA3JomE9z8NW\nRXz9Htb4Z4fybcPDOLxPkyM0qsEtdfb11U5l7IKuq+2ED5zOFxl+qhZrFz7vY1R7\nyaIM70HUeVCT7p0KZmWgtzjhafI8kTS2Qd7VjIF4Y721rB2opqaOKaCWjp4eeYI2\nE/TGivgRl57KgSF8Y8ucoC6ndsxwgJ4dYt3fos09Rbv1qFrlJftyD7m2kOXnPx5N\n5/2R4h3tiYQqGm727bjTjmGUtxToum3rY4sO0y38Woc+4BK3h/gj3AMir8DI7MfS\nWAE+yxIZH8y+c93zkZy34mEHafc6zPFD3QWuzbXzMGP+EMn710zaWmrVV1X3oLKW\n8lFB5sEX+BJaDgISOG7vgypNA+HtWZnRcB1CnzxboADE+HVAU3d+Bpg=\n=rfB5\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/fanny/secrets/initrd_ed25519_key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:dsb1hdpeoH1Rc4Cz10cZMlAKL//GRUKQbTXvGuRcVqMtRVkmiVZonogj1FdpIFOY8m3zIuJKLpQp9i/RuWanRaThyOA4Mqo82N0MTkco0mwLfRhxqA2EbRv1dPgytVQvdNgSrnZI1FXtsQumPgO4KvifwaCG+Wu050NhPDC2Xt8i1U1TyMTkTigk2CKYaYgo+D9xSsA9ymjFUQgvnTn10t3di7cUJi3rBoEiZeOK/EAg1Y3h53AZ4p9SyG1kBflTvtE1NbIZNBYAiFkJNbIhT+Dw67Qv2Uso6oxL/I64IDOljMQz2874wZqpAL1w7W671KdlGtq0murjQ5Sg+g8RYseA1NVmTY7BCaGagNQuU6Ab0BSSdzIuDkH14BL1zGgprCqP0CE8WeWdUzCx5qud9emF24d+VvRKIiawTArSBe34VMnRq05OTKdmtwGZom7kbhD20c1/pwhytiJpzSE08iKy9cYGPGfirNJaxhT7z9XqSoECUg2XPI7Deh75PqoxM8pATLtOtOLp2cYSr2vSrqADMXzmR2M9ixEj,iv:RQH+e6ZADH2XMPqBeuHhMhHiksQg2iR4NUnYhD3pj7w=,tag:wJByTCrYf4cKxJaD2eTCMQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOS9jMmZoNWxrRTl6aVFu\nSW9oTTVkV3NiSGpDTDJNT3dmUWNmSURCYkZ3CnZJNFNEVTNWNEpvcS9NRjFTdExy\na0NNeTByblA3T0JFRXJacHlFTmRPcEEKLS0tIDJCa05LZHo2Rk9xek5Ec1hDODNQ\nOEs1Sk5YbTNHZGFtcmpqaDFKdzRpUVEKiUhTrGp4rXW3hHd8HueZ5v31CXpMACFT\nTq2OaVXUW7yTLFO2E405hQH2ZLS7KzkXeHmA4MZfbsq0ZkriXp956A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-25T16:42:28Z",
+		"mac": "ENC[AES256_GCM,data:iJS4wLJwJZRUozNBUBxL8wYOneGI1Et3r9+DtIs3JrQLEKV16n2SeRP0jRFyCO7VNkxyjnjXJwe0/GVbxtQbVCuDFaCWVpj4xNiEH3wMeuydU96E2QgHaWJGvhyj5e/5o3GO85DeF2ueFCa9DQKtTIWH1xPfqJwtZC2PGH5Uqyo=,iv:/TpULYHxSgFfMQyv715jLVY37AhSY/qh1Zn00UN8oOw=,tag:XrOn8ZpgWFYtSjatXn8sxA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/dMSVIuM4gsG06tcN0NvWQgZUO6E8u2M3k3kUU/xk9bem\nSJFtHluWx26V6F08PP5AoDQ1R5Z1RhP7w3JDjVyscb0WuUzDFVTbJLpuPJIX+MOe\nhz8OqLatn24+fK4eMnQFbTELYRPEKicMmoJrFaTXdUOLkynWtxijzRlCif8J1u3e\nqj2fSfPd4SI9ERiGo5MBtHA9A6nwQvboMdnlGvvlAxFF26QL0xqu8jUdllfJ5IT0\n7y3vbGixV/M29MKzt+cJk7Wnb2y5UaZdelsDmxmm4FrIxHaQrAb/kIMiwf6zVCwh\nZFvNwcAPirduvxpcjOV99mJQ3v02mWo/p4Ey3PCwRb1tQYRxiMf7IJ/eAspmiI/9\nwK/2c6ehtBVXlw738JjA+WP36u+5S7CrvzNk6RLd0y76aNvGB6ZCT4rGm1B2DfR5\nguP+RJGcMFzhv55hQNCNUHZ2jvhLvDvSaCjlOaJZBC62gCygtlDqaLtagIO6RwKR\nJdatJCEjio5yD7x1d7PY0lgBVlbkXk8K3e5CN4RdLyoZStShW3uC6dCUGG1OJzPE\n0mfW5y683CcpMATeucHROtTxxrmp+BT5CyP9eBA/CrmTAJVMaWYM/Tb3+nE4Feal\nKlamR+tLaZdj\n=9/53\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9FH3RHkKEo88HEAXYPfJ3tjctUrn6Y1muzgyilfa9R7OC\nBNdSyXP8qU9FaIEEO9cwXKY6hB30l/b42RwL2HS5MWlNZTXZO9XCjV4VpmkIy88y\nkVhxdb2QbGQSBqmfyc9GOvI2LN3jIAE5fy5GuDREKRJPfVJu6x7IbC4j3tT+3Szq\nzOTF+ZfuUlM7FDzt4vAvP2LeOZxYKCg1va6ne7rtXsry9cIotP7fTqm0xPLZ/K+2\n/+HhC2585GdUXratqod1VfUPGyvdyhrn6WV+BAvUA8O8LYO5ZIkgz16vp60XNZEA\nCkjy/kiSlMorHiy7/ZtWHwWPNQbGxVJ/u6XurgzreDT4H5FvfyzvdKTz7IGYNYfZ\nvwMtQDEd3ToP6QUyNGfpZ5eRGb3I+8xNOd3z3XIXYGFYAOPHriGXMA8Y1g21f+c8\nz0QxXXDNXlTt6qdpumfgF/d/UCFJZeuP2t+mVnnp/gkK6yKZlUHD8L8XjkgumxB+\nvFFKOpPbrO+H+L375xZp9OJTINF5QTFkrmT/jPoexCkx9koxNhM0vIKEFE7+gFsW\n5GKQqz0n1HQgbFfdm2Jk7WQqY8r0weGedalYzkfDPlbS0AdCB9Llk/vwu5Tf+hcX\nIMbph8ZwKLzld9MzEplhHwBZ/Gz0Upp1IYj5Ifr50EnlHjBJ+Z8xXWKshJ/6UerS\nWAEiuOmlWRFGWRM5EdrXwh0/dj+ZyXG7unsv+jpNXjOE8eznaH4Kd9/PEmxazbFX\nJ1gtX6JFy+HXID2DJmXng6NxCzPWpo6prAH9IbMebNVQMzbl03Dtyec=\n=WoeJ\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/fanny/secrets/initrd_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFRuQZweX3r9QQmAFo6oYY9zvrf9V3EIJOl6kFMgyLm kalipso@fanny-initrd

machines/fanny/secrets/ssh_host_ed25519_key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:16SwZ4RZ89+TvwPVgEg+96PmNd63Oai1GnrRipLkxQmzfeAkQvs78emYUEVT/ouAnRFQRNagbhjA4nmfTTq1xGz1u8bacjk1ny1ckd2FmkEOQ7Ry181h8UE61rZP3c8yra2WCgOcsL22oUxUMhg6iswJqEKLImi3cmJ+hASPTc6L3vlZLcP3Vx6FEbDMGrVtfpHEliSicB/rkAOnjVHmxHmVRjx1AI7jfAjCoBGnLwI9X2XREGay9H8Kt36HIhlXA9dK+xkl6WdtkllHIHe3OYHqwd730g+1htMAWtHmyI/DPLLJG48pzITnKv3cQ3aaziUWJGa89WGnBuzxP8ZOagpnC1/wQi1WTR7d/4JYoslz06fCt1ouGT4ttDFh/YqbV0hcXqkASbUnnixicBaYeVrwvSkYvlbwToZ6L+Jc+eqQRrTKXxs5pIZ4qkvImDp85v3U1bDxXT+qhpK9hasmgBqgM9GYjgw8Um/imr9HqDp9ztRsij87mRW/l47vUhxRjrAWpv+J0OlptUIpRiLv,iv:7x+dTHtSbcc47X/ZGz/bcnOxkGDDBu33ZgNrOD1FwDA=,tag:B6s1Jt1KFCitya9oAKvp9w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYlgxeXQzNmtEZXZXNytp\nTnRTRi9nRHJ2bEdPVGhPMzdMY1lPOUpGckFFCkJkL3BVSWlIZ1dBVUliemFWNXl4\ndU9DamhTRUp0aGVwamhWUUZJd3dUREkKLS0tIFNkaGNzc1R5aGxxZWV2QytaRFIw\ndC81MDR5SUlESnNQRlhuR3doTWhYL28KMIMs9mPwVuFr5cEvO6goqf3zQALSO5BB\nrY0C8TfkHLvV57999U9kfyLO7Sm0R/RGS4IinQSCRQWEeR+qLxnEWQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-25T16:43:40Z",
+		"mac": "ENC[AES256_GCM,data:dZJc0aqSD7dhe4Egih3z8QHIbwYDCGYU0DaOczkqHd/yMdcVNrNrcIR6yshArqCLl9jj5Zw3fIO75X09mvuvUCyszbjQyzSmTACp7K3skHuDRJ/yh5vaw6XNeJ3w26Dimfd0WfL1XC519DW532icrDiy2lCZ1qdcYwpqQUBKM/Q=,iv:4vx48jXxKLDOKfK6yYJWW28UaKl+EyqjeRAzV0WayEk=,tag:oO4cAVAv7N5aDAmK5V84mw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+P8Y3rBJAAI2orY71hRSpCAJo/x4CUColQZf9xK4ZgYQ3\neW/15avJVso26mYiZJsTPaEczJ89igYKDrf8Ewi8NNNTmse/BO+BG8KX13QOSWKb\ngiRXMl6zpQwH/cmCXvUrDczjcUaG3vMpcWClfd3lfjEStVEzNB+OKCuRLxhKGYPn\n3HZ3Ypa97ei8uHMKbnloGigUouVKVCCLIqyrJCybQ2+UkOMzcMJpO96RMooWQOUJ\nU+0rLS2s3r8UnwQjEcedEITlmiTlZkTrUnUylcc22v3yVJh3UExCcoVWShqPUE2j\nJv667rq1EblbIzn/8vyMXxOoSYmrLJ+hgh6OXio5bbMUwd/7m6Zz2jEeTXbJi20/\nEl2V0Lu4pTWXhXxh+Y0MIdh2tHMGGWmHBk650e0M/JbnchxK5+9GblWkfzMV8scX\nPpDScHH+cqNPIsvtq/aYGSv5o2u5JfndEuW16cWU99mgYvX7rwwbRbI1zWVX5o9o\nQ6dqJGZEbtE0QilOKxiI0lYBTrDySzaWLTAngd3myVMvFBQ/K6VL7mXwJvDYgOcJ\nxHIExrd191e5eLr5MGQAzXaVietENN27aEDPw5WV9bmXoAKp/4muJnfOB/wBSjCw\nlutnbF0yLg==\n=MqvI\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//UvOmGlNKLrRg5fXmc/paHF7YVFCGuBa0epuiVsVkS6NX\nQoa57oBJS0y22/dh/fb8Nu7/bMpa9XpPwfgzqhi7+5V/y51lvAIKmrYqNTnGdKB1\na9aiX0yxK0d5Yh0RK+9/2Q+369152mZXx+9Oj3SM8396bcfvTFX4jbhGdnKPqalW\nB1OO8HfYFAu4yl11uVD5cHSdhvXKJOa/GZPkb3TK2kicUdNX3HnZJ3PPGrkOy2EU\nuwFOIVIdNp2MUDFW+V2Nso/NiGcR96uKk5ZhGJaYrXjDDMNHyoLWc0d8wEg3n1Vw\nXOSNLmkSFY39ExKRWu8sijSyZIYN+Ul4t4WdO1Puop01xGTfAkYVQOLC+H4unu3q\ngboyNZCSuZXgG02B8ph/tLlAQ78d70YAf0nxkvzQB6TTNfQ4nyp8QnUJDkwaAnvl\nxDqDDhJBjlfIpqNLT23caKqgt1hSLv3Gcb486D8ZC+6nNuefCsxop82FaUMvL1uf\nWPMcAxMyv4REO8l9V5CDn1+6i+iPyN/Mo+hpwco+sYNZMlSs9PcNKILWZg1gv6q1\nU04IyEPym9VkI1jFte4dsljlp3C2R+l1Ikv5OB6dNpnnMVnTgkDwE0vqvsSTIwbS\nYvFoWBAsRlHMFLLfA6QjRyZpWemHBjrpaqBbIJEkZQnKM1IWdIg6cGOx+mFo1MzS\nVgEePpJj/PECZpH9PQPlv/FrkHa7zC/Fi0BOPposmuQgOUTq3sA5TLYNqPOH2Yn9\nHeQCGXpIeM08Pa3BOQRWDYM2vZPZpf3cBB7VK9zmcGEdE3NZxoBG\n=p1XC\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/fanny/secrets/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc root@fanny

machines/modules/host_builder.nix

@@ -105,135 +105,135 @@ rec {
   inputsMod = inputs // { malobeo = self; };
 
 
-    vmMicroVMOverwrites = hostname: options: {
+  vmMicroVMOverwrites = hostname: options: {
-      microvm = rec {
+    microvm = rec {
-        mem = pkgs.lib.mkForce 4096;
+      mem = pkgs.lib.mkForce 4096;
-        hypervisor = pkgs.lib.mkForce "qemu";
+      hypervisor = pkgs.lib.mkForce "qemu";
-        socket = pkgs.lib.mkForce null;
+      socket = pkgs.lib.mkForce null;
 
 
-        #needed for hosts that deploy imperative microvms (for example fanny)
+      #needed for hosts that deploy imperative microvms (for example fanny)
-        writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store";
+      writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store";
-        volumes = pkgs.lib.mkIf options.writableStore [ {
+      volumes = pkgs.lib.mkIf options.writableStore [ {
-          image = "nix-store-overlay.img";
+        image = "nix-store-overlay.img";
-          mountPoint = writableStoreOverlay;
+        mountPoint = writableStoreOverlay;
-          size = 2048;
+        size = 2048;
-        } ];
+      } ];
 
-        shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [
+      shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [
-          {
+        {
-            tag = "ro-store";
+          tag = "ro-store";
-            source = "/nix/store";
+          source = "/nix/store";
-            mountPoint = "/nix/.ro-store";
+          mountPoint = "/nix/.ro-store";
-          }
+        }
-        ] ++ pkgs.lib.optionals (options.varPath != "") [
+      ] ++ pkgs.lib.optionals (options.varPath != "") [
-          {
+        {
-            source = "${options.varPath}";
+          source = "${options.varPath}";
-            securityModel = "mapped";
+          securityModel = "mapped";
-            mountPoint = "/var";
+          mountPoint = "/var";
-            tag = "var";
+          tag = "var";
-          }
+        }
-        ]);
+      ]);
 
-        interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
+      interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
-          type = "user";
+        type = "user";
-          id = "eth0";
+        id = "eth0";
-          mac = "02:23:de:ad:be:ef";
+        mac = "02:23:de:ad:be:ef";
-        }]);
+      }]);
 
-        #if networking is disabled forward port 80 to still have access to webservices
+      #if networking is disabled forward port 80 to still have access to webservices
-        forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [
+      forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [
-          { from = "host"; host.port = options.fwdPort; guest.port = 80; }
+        { from = "host"; host.port = options.fwdPort; guest.port = 80; }
-        ]);
+      ]);
 
-      };
-
-      fileSystems = {
-        "/".fsType = pkgs.lib.mkForce "tmpfs";
-
-        # prometheus uses a memory mapped file which doesnt seem supported by 9p shares
-        # therefore we mount a tmpfs inside the datadir
-        "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce {
-          fsType = pkgs.lib.mkForce "tmpfs";
-        });
-      };
-
-      boot.isContainer = pkgs.lib.mkForce false;
-      services.timesyncd.enable = false;
-      users.users.root.password = "";
-      services.getty.helpLine = ''
-        Log in as "root" with an empty password.
-        Use "reboot" to shut qemu down.
-      '';
     };
 
-    vmDiskoOverwrites = {
+    fileSystems = {
-      boot.initrd = {
+      "/".fsType = pkgs.lib.mkForce "tmpfs";
-        secrets = pkgs.lib.mkForce {};
-        network.ssh.enable = pkgs.lib.mkForce false;
-      };
 
-      malobeo.disks.enable = pkgs.lib.mkForce false;
+      # prometheus uses a memory mapped file which doesnt seem supported by 9p shares
-      networking.hostId = "a3c3101f";
+      # therefore we mount a tmpfs inside the datadir
-    };
+      "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce {
-
+        fsType = pkgs.lib.mkForce "tmpfs";
-    vmSopsOverwrites = host: {
-      sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml;
-
-      environment.etc = {
-        devHostKey = {
-          source = ../secrets/devkey_ed25519;
-          mode = "0600";
-        };
-      };
-
-      services.openssh.hostKeys = [{
-        path = "/etc/devHostKey";
-        type = "ed25519";
-      }];
-    };
-
-    vmNestedMicroVMOverwrites = host: sopsDummy: {
-
-      services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
-      microvm.vms = 
-      let
-        # Map the values to each hostname to then generate an Attrset using listToAttrs
-        mapperFunc = name: { inherit name; value = {
-          specialArgs.inputs = inputsMod;
-          specialArgs.self = self;
-          config = {
-            imports = (makeMicroVM "${name}" 
-                                   "${hosts.malobeo.hosts.${name}.network.address}"
-                                   "${hosts.malobeo.hosts.${name}.network.mac}" [
-              ../${name}/configuration.nix     
-              (vmMicroVMOverwrites name { 
-                withNetworking = true; 
-                varPath = ""; 
-                writableStore = false; })
-              (if sopsDummy then (vmSopsOverwrites name) else {})
-            ]);
-          };
-        }; };
-      in
-      builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
-    };
-
-    buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
-        modules = [
-            (vmMicroVMOverwrites host { 
-              withNetworking = networking; 
-              varPath = "${varPath}"; 
-              writableStore = writableStore;
-              fwdPort = fwdPort; })
-            (if sopsDummy then (vmSopsOverwrites host) else {})
-            (if disableDisko then vmDiskoOverwrites else {})
-          ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [
-            inputs.microvm.nixosModules.microvm
-          ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [
-            (vmNestedMicroVMOverwrites host sopsDummy)
-        ];
       });
+    };
+
+    boot.isContainer = pkgs.lib.mkForce false;
+    services.timesyncd.enable = false;
+    users.users.root.password = "";
+    services.getty.helpLine = ''
+      Log in as "root" with an empty password.
+      Use "reboot" to shut qemu down.
+    '';
+  };
+
+  vmDiskoOverwrites = {
+    boot.initrd = {
+      secrets = pkgs.lib.mkForce {};
+      network.ssh.enable = pkgs.lib.mkForce false;
+    };
+
+    malobeo.disks.enable = pkgs.lib.mkForce false;
+    networking.hostId = "a3c3101f";
+  };
+
+  vmSopsOverwrites = host: {
+    sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml;
+
+    environment.etc = {
+      devHostKey = {
+        source = ../secrets/devkey_ed25519;
+        mode = "0600";
+      };
+    };
+
+    services.openssh.hostKeys = [{
+      path = "/etc/devHostKey";
+      type = "ed25519";
+    }];
+  };
+
+  vmNestedMicroVMOverwrites = host: sopsDummy: {
+
+    services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
+    microvm.vms = 
+    let
+      # Map the values to each hostname to then generate an Attrset using listToAttrs
+      mapperFunc = name: { inherit name; value = {
+        specialArgs.inputs = inputsMod;
+        specialArgs.self = self;
+        config = {
+          imports = (makeMicroVM "${name}" 
+                                 "${hosts.malobeo.hosts.${name}.network.address}"
+                                 "${hosts.malobeo.hosts.${name}.network.mac}" [
+            ../${name}/configuration.nix     
+            (vmMicroVMOverwrites name { 
+              withNetworking = true; 
+              varPath = ""; 
+              writableStore = false; })
+            (if sopsDummy then (vmSopsOverwrites name) else {})
+          ]);
+        };
+      }; };
+    in
+    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
+  };
+
+  buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
+      modules = [
+          (vmMicroVMOverwrites host { 
+            withNetworking = networking; 
+            varPath = "${varPath}"; 
+            writableStore = writableStore;
+            fwdPort = fwdPort; })
+          (if sopsDummy then (vmSopsOverwrites host) else {})
+          (if disableDisko then vmDiskoOverwrites else {})
+        ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [
+          inputs.microvm.nixosModules.microvm
+        ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [
+          (vmNestedMicroVMOverwrites host sopsDummy)
+      ];
+    });
 
   buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem {
     system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux";

machines/modules/malobeo/users.nix

@@ -0,0 +1,63 @@
+{config, lib, pkgs, inputs, ...}:
+let 
+  cfg = config.malobeo.users;
+  sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
+in
+{
+  options.malobeo.users = {
+    malobeo = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable malobeo user, defaults to on";
+    };
+    admin = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable admin user, defaults to on to prevent lockouts";
+    };
+  };
+  config = lib.mkMerge [
+    (lib.mkIf cfg.malobeo {
+      users.users.malobeo = {
+        isNormalUser = true;
+        description = "malobeo user, password and ssh access, no root";
+        extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
+        openssh.authorizedKeys.keys = sshKeys.admins;
+        hashedPassword = "$y$j9T$39oJwpbFDeETiyi9TjZ/2.$olUdnIIABp5TQSOzoysuEsomn2XPyzwVlM91ZsEkIz1";
+      };
+      environment.systemPackages = with pkgs; [];
+    })
+    (lib.mkIf cfg.admin {
+      users.users.admin = {
+        isNormalUser = true;
+        description = "admin user, passwordless sudo access, only ssh";
+        hashedPassword = null;
+        extraGroups = [ "networkmanager" ];
+      };
+      environment.systemPackages = with pkgs; [];
+      nix.settings.trusted-users = [ "admin" ];
+      security.sudo.extraRules = [
+        {
+          users = [ "admin" ];
+          commands = [
+            {
+              command = "ALL";
+              options = [ "NOPASSWD" ];
+            }
+          ];
+        }
+      ];
+    })
+    {
+      users.mutableUsers = false;
+      environment.systemPackages = with pkgs; [
+        nix-output-monitor
+        vim
+        htop
+        wget
+        git
+        pciutils
+      ];
+    }
+  ];
+}

machines/secrets/keys/hosts/durruti.asc

@@ -1,28 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEADh28tGiUsmPPbsQYKSi9WiI4UCPO4qd7hEoER34Ku5w+kpy1MI
-ymJHNlZODjrjvznRidyYt+1vpED941LawzsujBV7pSfIBY0cQWYTbF/euuQFJYxN
-sBLG4kek5IhdnIsav2f7fMv6Rhfkau7p20AYkWUkpoUxBJTxixIkxrO90ODSzMMe
-tLI9MnqPcMASy6dbAGKXSABaYi9bwggIgyYHNaXThEuEAWPMPMMj8Wlo0H0X/B9O
-UEOHSA4N3TBKJXuDhsKgUo6ADLAA5op+YG+JtAdvdjW0XxtDamLkkrEx/fsYWsn2
-LjiX7z6cCQjYy+GG6LV82cavyF9sBAs8kEl4AVXVYsaB0g99rpY91EYLAD2Ddh4d
-lHPwPVQ52Ht3QeEPAsqeXRh+gZOp/xx6EJXXaH7aorXoWlbUFcCnTTEFAM0HibZg
-ChZEX+pl9RxdPeIwU4kd9LxNygDwp4YhdJzbcpHkp7RrkHJHgmAxUEVCxZfw/P2c
-GDIBHQSS4FZ5PIhh+aejYCo4BrisGuAjwlaH26BRNraM8EImaLwLuQZ1TOWm97tI
-BEI0JFscrTi2RSPgDCg1Cu78ocbcpqC3cRclXzRohvp83NpWnAQFCAdNaTttQsio
-lQTXxmJlaeo/0vHAN+Llukchh6sFzzNP3v4B8vLvdXkE3s5XYxJungblTwARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQWRHe9aQhhWcCGw8CGQEAALRQEABVEYsIn5zGV84caxE/LXN7
-7nDsUEyo3lCetStM7JT7uDdMl5t33pUAIbm4gv6/BrvVZ6pBtPfTrVrTKKDornKJ
-VU/tKims+CbnuPUIbOmuXcPbQIa/IF4WVop8XJTzMOSW636/eH1D2VTLI8Jmw35s
-qDmqx72hISUBGCszTJkThp8xUFMW5NcJc6zGB9I4vdac6Sf6yuZqmdfDm0MzcvmA
-tDASc6ZLeffPkJxUA+x2WouAYkfdV1CdVS6ob6owrSza/T+wQ3DgzO5AVZ31HXTa
-gDkVIBgdZYR2H8IaaTetb4m2+SgdXr7s9WCOR2i8DiSKpnUAJKoVIOl6pBd13jCu
-PHQzkKq6kqn4bRYCZil3fKDB90mVDIyixJJCt//VA5y9Tgggp9o7a+l35I9hCJ2F
-6AYtpfXkTbI9wqmk33TJX2litqqPZkhEERv25UDvnZ7Mm0my9QXJZ1Fp1nRLIKZg
-VABDS/wIB1QHtOldDLMeRD7Fnrnjgnyuk4/HmCem0wFDPHDo/ppa2QtCUk1xxywu
-fa7hs/oDVUMsofpDm6Ls4IgFXbSD9GUTDdB+UvZi5vITaZ1f1QLcrShhSUHkLIpc
-65Fj79r9cdHKdUhnM2+pTuVM6Az3huMkZ+abgjSHWSni2njowRUd2P7pG+ZhaUk3
-Rj7jxxXh1KQ7X8Rbbce8Mg==
-=sb6Z
------END PGP PUBLIC KEY BLOCK-----

machines/secrets/keys/hosts/lucia.asc

@@ -1,28 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEAChmMEXC6TjRtYAHk6CsrnP0LFd1vOuH4+QSalj9fCaCpYVEStP
-u9EtW2DK8kSBdo8DAngzsMFt9PoSLcPcB00s9R6EACVuOn8nTVkyYtO/8hWJVexI
-G3SB/u2a+MYC2QEtw3Exzleexx3EkZywAzGWzJXpajMbGsfvssXl96xb7jxrxdNv
-Msx9t2RJGADSG6Vx1+A5UmFwITkGpn6wjvQXLvkim4ZHRzX588vgz/IdJ6yqOeeV
-v0VyVNTPfXkDO2urxRgZ5TG9wE5v9OKFofooR5T1rB/khW2jMoqavLWeRVCqVpmp
-MQ8VMkJzEoP7RX7vAAgCbVrTe55sMmXa9gtXo50wz6lHYHnepff6FuquS7szH7Ja
-lRnvx6CR1FwWIGhef/kxmNQKr2Mt3V7riFmv0bkR8ttI5uyGposeWfY1T6iJfxic
-duIYXrV11T6fWOEUh80aRz+8E46LFv4sGZjTOvHWrnetKNweuOC9/yaSDkEr35sM
-xVffS0wNGclhxl860qBCbhG/X7YYZs5sFHsRnsb7rvTCP8LtGhrjybE/b4WuGRCU
-rEftVOBe4NSwlsdmRVl5Cyk/ZkJncrUwlaH6laCjBfldQcdxAHzdzPZQhOmBaLkF
-1l0EpteSbEsi3CS2rkkriSsZ+nZwaccTa6+B6twrRmGvcBrZXlsugsdDSQARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQvNUtHtVQM9sCGw8CGQEAAGIaEAAoWuyjinNk8ovTAH+TjKWK
-UD4WXwt5OJ8l3FJPpecZbhTaBrRdlLzY1tlKzwd8c69QVOoqk83Rv4Fep9b8EFQ5
-U2bTtXLm/wINSetjf6vlLYxEPNKVzGtk8ejw32NPnJVsGeXNazlcJaR2jRW4kMcj
-A2b8aeUKxnLaoZYiCLZGvyvuB7oj/nIX7iuaIDHKR9oVyQOekeYlg9R92wKCZDiF
-1USoknPO2cSYFZpDM6tmIjkOoEgnwEZqzwI7q5dXz/mqp86XeMJWFkyTRhPT6Hiu
-iS/5wDsFJi7wgl4Jr6bBWFaHeBVSTJIwkoahxpM/qVYAYINgLO9erxMkmX5lRzxs
-NC3LsqQ+L5Isx96AXaZWf+IOYgN8nB3bsQqvlqbvMIUE3wkxg7oeNzDzvgxQM/Tf
-AC6zYHiGrs7WS6+ojx2flJnWA7mrOllimv5pTTUBtA7gh1JN9aUzzBjvF0LlzN1O
-DLyxu1PsIazI1eklUm0ljyOoqBnOrDZoC4Kz70pguDGDvipCAJWjG9SjXDwXGAA0
-sUhnebh2HPZYj73xDIrbgkg+79n6U5UuewUFwDQfE8VFDp62s1s9haCRUKU6uwiL
-i31OKOkDcYSyx/3/VvaT3lT247VERDw/5yVYrrhQwxS4WSabX8gz6qfKB4bi/HVs
-lX2duwzSRzuytZCKKG+fdA==
-=VTby
------END PGP PUBLIC KEY BLOCK-----

machines/secrets/keys/hosts/moderatio.asc

@@ -1,28 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEACm+W5sGSC25OtlwQdOBCSfX2DnPuk5abjxY5HMIv3MnySouXpW
-L3VoE6Irur9lZwfKrXaUweJPJHVo/Sfknh9GSBCW6yFFcGZ5nNx/QNdbfjOSaUw2
-0BkW1CYRVcLIKSHpepbTDHBxgKaCYsmupptFQ0Nzx19PPMV/WBqrkSlEpDJyq9y6
-cTaGulRKWBVDytMFmibhGlqpfEI8bzrxaeGTqiRTZJqL3zDDi2afDt1kJeCXKd32
-XOywDZgB5CinY3qsR45ftC6mZ5fV+ex3M/Uc4YJiVgwg6GlSdiYW9Mqf4koqpLCq
-Xq3ztEo9FjFen7KmAcLstFmzY3fAXGIJzb0CfvVrM32wsdC6NRDINdMBmrOeKXT7
-g45n0LOdCFr4AOKyABqMudbKrgF9txHt549oaQ0wHCy1nStji1OpbhdpCKDFKPnl
-ojG1Nur9DPRFmQ01I3KIjvCrf8J+CgI5YVwOr+m5Zw3i/b0qd+9R/8oAmzhhuyt7
-kckSVTCjNzsDgjjOa8FVQJremTdkQuWOlx0HxC3aQdSoPxOfpeUhybfttNpvUuta
-5EbsiS/PJfzMOtZDG++naKO/xGJDiaYDhW1ZeGI2fOFUm4RYHqCFES32XF4ygpGq
-wz2bZNKKSf4lxoD1+SBqOyd1eN3u8GmX8OgUB3TpgEuQb/XL31zDKCZ7pwARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQj5s8BYqm1MICGw8CGQEAACMDEAAFko8JYC1zGt5rFKokXGbs
-K331UHReN02QpdL8fhMt0Rqoh1FKt8Sr8lzCLPNOnlgxSG5lXmA3dFfWAnFrNw5T
-1u1oU0sB+CiekyWXJxTASur1g3DtLv6qA19Uw4i9bu57LK5E0ycoI3RnR+YbDri0
-psPNP01x7NBO42O71rnBypGbCPXnLOAaKq+ISCN+XCZBkmjKhcWJlg5DJfUGCEdr
-DCKi/1j5mgs8H3sUrc5Y4gLz3BWuypAGWhQr/KDAcmCm/u0ZfzVyrxw50eMuzeF7
-GfePPI70nXjUlywuFUFg7EWlCT6sRtZf+o4jkXcwGpZLx2/rdZ9J2I4VmYakBVpA
-2OQwi47YAFe1wz+nsF3fImuGQdHu0x0sFLbuJaSJCOVYhMcZhskRygqqI+wEvDF1
-i7SYzi5Xt7rJrSaqGhAzlg1Cc8wzMhoCE/IU5Hd55OtbvRwZ2JKH+UAl/L9Qizqy
-AM7nSrUjA5p4H09PMuKGmCEcZDKpH2huAeqmtGQ626edE2WNduE2jCdAIcN263PX
-1+TIe4IRLhtmTKqfJgbzrt0cSIAsuvI8s78ehsP2eNANdkQjzBAaEiOo75G/g+sd
-tWl8gxOhrPKkb07KqcPEfXq4QYk7kV+pWuA2yMiTX5A+oy8gVFBxUp+zbjYeRuW8
-cpHyvbDvdnQ5LGNC/v0rdA==
-=Rmch
------END PGP PUBLIC KEY BLOCK-----

outputs.nix

@@ -39,6 +39,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
         pkgs.age
         pkgs.python310Packages.grip
         pkgs.mdbook
+        pkgs.ssh-to-age
         microvmpkg.microvm
       ];
 
@@ -49,6 +50,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
     legacyPackages = {
       scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
       scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
+      scripts.add-host-keys = pkgs.writeShellScriptBin "add-host-keys" (builtins.readFile ./scripts/add_new_host_keys.sh);
       scripts.run-vm = self.packages.${system}.run-vm;
     };
 
@@ -113,6 +115,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
       initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
       metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
       disko.imports = [ ./machines/modules/disko ];
+      users.imports = [ ./machines/modules/malobeo/users.nix ];
     };
 
     hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (

scripts/add_new_host_keys.sh

@@ -0,0 +1,51 @@
+set -o errexit
+#set -o pipefail
+
+if [ ! -e flake.nix ]
+    then
+    echo "flake.nix not found. Searching down."
+    while [ ! -e flake.nix ]
+        do
+        if [ $PWD = "/" ]
+            then
+            echo "Found root. Aborting."
+            exit 1
+            else
+            cd ..
+        fi
+    done
+fi
+
+read -p "Enter new host name: " hostname
+
+if [ "$hostname" = "" ]; then exit 0
+fi
+
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
+
+mkdir -p "$pwpath"
+cd "$pwpath"
+
+# Generate SSH keys
+ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
+ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
+
+#encrypt the private keys
+sops -e -i ./$hostkey
+sops -e -i ./$initrdkey
+
+#generate encryption key
+tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
+sops -e -i ./disk.key
+
+# Info
+echo
+echo "Hier ist der age public key für sops etc:"
+echo "$(ssh-to-age -i ./"$hostkey".pub)"
+echo
+echo "Hier ist eine reproduzierbare mac-addresse:"
+echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+
+exit 0

scripts/remote-install-encrypt.sh

@@ -25,6 +25,9 @@ fi
 
 hostname=$1
 ipaddress=$2
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
 
 # Create a temporary directory
 temp=$(mktemp -d)
@@ -39,12 +42,13 @@ trap cleanup EXIT
 install -d -m755 "$temp/etc/ssh/"
 install -d -m755 "$temp/root/"
 
-diskKey=$(sops -d machines/$hostname/disk.key)
+diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
 echo "$diskKey" > $temp/root/secret.key
 
-ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
+sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
-ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
+
+sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
@@ -60,4 +64,4 @@ if [ $# = 3 ]
 else
 nix run github:numtide/nixos-anywhere -- --extra-files "$temp"   \
  --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
-fi
+fi

scripts/unlock-boot.sh

@@ -2,7 +2,7 @@ set -o errexit
 set -o pipefail
 
 sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
-HOSTNAME=$1
+hostname=$1
 
 if [ ! -e flake.nix ]
     then
@@ -19,17 +19,17 @@ if [ ! -e flake.nix ]
     done
 fi
 
+diskkey=$(sops -d machines/$hostname/secrets/disk.key)
+
 echo
 if [ $# = 1 ]
     then
-    diskkey=$(sops -d machines/$HOSTNAME/disk.key)
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
-    echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
 
 elif [ $# = 2 ]
     then
-    diskkey=$(sops -d machines/$HOSTNAME/disk.key)
+    ip=$2
-    IP=$2
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
-    echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
     
 else
     echo
@@ -37,4 +37,4 @@ else
     echo "Usage: $0 <hostname> [ip]"
     echo "If an IP is not provided, the hostname will be used as the IP address."
     exit 1
-fi
+fi