[fanny] setup initrd wireguard

[initssh] load all zfs keys
[printer-scraping] This should work now
2025-11-15 13:12:29 +01:00 · 2025-11-15 13:12:29 +01:00 · 2025-10-29 12:16:48 +01:00 · 2025-10-27 12:04:27 +01:00 · 2025-10-25 22:39:21 +02:00 · 2025-10-25 22:16:38 +02:00
70 changed files with 32397 additions and 749 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ result
 .direnv/
 book/
 fanny-efi-vars.fd
+nix-store-overlay.img
--- a/README.md
+++ b/README.md
@@ -1,44 +1,20 @@
 # malobeo infrastructure

-this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
-
-the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html)
-
-## hosts
-
-#### durruti
- nixos-container running on dedicated hetzner server
- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
- if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
- currently is running tasklist in detached tmux session
-  - [x] make module with systemd service out of that
-
-## creating a new host
-
-### setting up filesystem
-currently nixos offers no declarative way of setting up filesystems and partitions. that means this has to be done manually for every new host. [to make it as easy as possible we can use this guide to setup an encrypted zfs filesystem](https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/Root%20on%20ZFS.html)
-
-*we could create a shell script out of that*
+this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.

 ### deploying configuration

-#### local deployment
-``` shell
-nixos-rebuild switch --use-remote-sudo
-```
+hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes.
+Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master.

-#### remote deployment
+### deploy fresh host
+if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html)

-you need the hostname and ip address of the host:
-``` shell
- nixos-rebuild switch --flake .#<hostname> --target-host root@<ip_address> --build-host localhost
-```
-
-in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources
+### testing configuration

+refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally

 ## development
-
 ### requirements
 we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf*
 ``` nix
@@ -55,46 +31,13 @@ a development shell with the correct environment can be created by running ```ni
 If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration)

 ### build a configuration
-
 to build a configuration run the following command (replace ```<hostname>``` with the actual hostname):

 ``` shell
 nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
 ```

-### building raspberry image
-
-for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM).
-
-to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix:
-
-``` nix
-boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-```
-
-then you can build the image with:
-
-``` shell
-nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage
-```
-
-### run a configuration as vm
-
-to run a vm we have to build it first using the following command (replace ```<hostname>``` with the actual hostname):
-
-``` shell
-nix build .#nixosConfigurations.<hostname>.config.system.build.vm
-```
-
-afterwards run the following command to start the vm:
-
-``` shell
-./result/bin/run-<hostname>-vm
-```
-
 ### documentation

-for documentation we currently just use README.md files.
-
-the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
-the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.
+documentation is automatically build from master and can be found here: docs.malobeo.org  
+locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev```
--- a/doc/src/Index.md
+++ b/doc/src/Index.md
@@ -1 +1,43 @@
-# Index
+# malobeo infrastructure
+
+this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
+
+### deploying configuration
+
+hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes.
+Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master.
+
+### deploy fresh host
+if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html)
+
+### testing configuration
+
+refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally
+
+## development
+### requirements
+we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf*
+``` nix
+nix.extraOptions = ''
+  experimental-features = nix-command flakes
+'';
+```
+
+More information about flakes can be found [here](https://nixos.wiki/wiki/Flakes)
+
+### dev shell
+a development shell with the correct environment can be created by running ```nix develop ```
+
+If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration)
+
+### build a configuration
+to build a configuration run the following command (replace ```<hostname>``` with the actual hostname):
+
+``` shell
+nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
+```
+
+### documentation
+
+documentation is automatically build from master and can be found here: docs.malobeo.org  
+locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev```
--- a/doc/src/SUMMARY.md
+++ b/doc/src/SUMMARY.md
@@ -21,3 +21,4 @@
        - [Updates](./anleitung/updates.md)
        - [Rollbacks](./anleitung/rollback.md)
        - [MicroVM](./anleitung/microvm.md)
+        - [Update Nextcloud](./anleitung/update_nextcloud.md)
--- a/doc/src/anleitung/create.md
+++ b/doc/src/anleitung/create.md
@@ -1,47 +1,19 @@
-# Create host with disko-install
-How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
---
-Here are the exact steps to get bakunin running:  
-First create machines/hostname/configuration.nix  
-Add hosts nixosConfiguration in machines/configurations.nix  
-Boot nixos installer on the Machine.  
+# Create host with nixos-anywhere
+We use a nixos-anywhere wrapper script to deploy new hosts.
+The wrapper script takes care of copying persistent host keys before calling nixos-anywhere.
+
+To accomplish that boot the host from a nixos image and setup a root password.
 ``` bash
-# establish network connection
-wpa_passphrase "network" "password" > wpa.conf
-wpa_supplicant -B -i wlp3s0 -c wpa.conf
-ping 8.8.8.8
-# if that works continue
+sudo su
+passwd
+```

-# generate a base hardware config
-nixos-generate-config --root /tmp/config --no-filesystems
+After that get the hosts ip using `ip a` and start deployment from your own machine:

-# get the infra repo
-nix-shell -p git
-git clone https://git.dynamicdiscord.de/kalipso/infrastructure
-cd infrastructure
-
-# add the new generated hardware config (and import in hosts configuration.nix)
-cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
-
-# check which harddrive we want to install the system on
-lsblk #choose harddrive, in this case /dev/sda
-
-# run nixos-install on that harddrive
-sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
-
-# this failed with out of memory
-# running again showed: no disk left on device
-# it seems the usb stick i used for flashing is way to small
-# it is only 
-# with a bigger one (more than 8 gig i guess) it should work
-# instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
-# for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
-
-sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
-
-# failed with no space left on device.
-# problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
-# it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
+``` bash
+# from infrastrucutre repository root dir:
+nix develop .#
+remote-install hostname 10.0.42.23
 ```

 # Testing Disko
@@ -49,18 +21,3 @@ Testing disko partitioning is working quite well. Just run the following and che
 ```bash
 nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
 ```
-
-Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
-```nix
-datasets = {
-  encrypted = {
-    options = {
-      encryption = "aes-256-gcm"; #THIS ONE
-      keyformat = "passphrase"; #THIS ONE
-      keylocation = "file:///tmp/root.key"; #THIS ONE
-    };
-    # use this to read the key during boot
-     postCreateHook = '' #THIS ONE 
-       zfs set keylocation="prompt" "zroot/$name"; #THIS ONE 
-     ''; #THIS ONE 
-```
--- a/doc/src/anleitung/microvm.md
+++ b/doc/src/anleitung/microvm.md
@@ -12,13 +12,31 @@ Use durruti as orientation:
 "10.0.0.5" is the IP assigned to its tap interface.  

 ### Testing MicroVMs locally
-MicroVMs can be built and run easily on your local host, but they are not persistent!
-For durruti for example this is done by:
+MicroVMs can be built and run easily on your localhost for development.  
+We provide the script ```run-vm``` to handle stuff like development (dummy) secrets, sharing directories, ect. easily.
+Usage examples:
 ``` bash
-nix run .\#durruti-vm
+# run without args to get available options and usage info
+run-vm
+
+# run nextcloud locally with dummy secrets
+run-vm nextcloud --dummy-secrets
+
+# share a local folder as /var/lib dir so that nextcloud application data stays persistent between boots
+mkdir /tmp/nextcloud
+run-vm nextcloud --dummy-secrets --varlib /tmp/nextcloud
+
+# enable networking to provide connectivity between multiple vms
+# for that the malobeo hostBridge must be enabled on your host
+# this example deploys persistent grafana on overwatch and fetches metrics from infradocs
+mkdir overwatch
+run-vm overwatch --networking --varlib /tmp/overwatch
+run-vm infradocs --networking
 ```

-### Testing persistent microvms
+
+
+### Fully deploy microvms on local host
 In order to test persistent microvms locally we need to create them using the ```microvm``` command.  
 This is necessary to be able to mount persistent /etc and /var volumes on those hosts.  
 Do the following:
--- a/doc/src/anleitung/update_nextcloud.md
+++ b/doc/src/anleitung/update_nextcloud.md
@@ -0,0 +1,16 @@
+### Updating nextcloud
+
+## Updating the draggable patch
+
+The draggable patch is a one line patch found in the deck repo under `src/components/cards/CardItem.vue`   
+Direct link: https://git.dynamicdiscord.de/ahtlon/deck/commit/77cbcf42ca80dd32e450839f02faca2e5fed3761   
+
+The easiest way to apply is
+1. Sync the repo with remote https://github.com/nextcloud/deck/tree/main
+2. Checkout the stable branch for the nextcloud version you need
+  - example `git checkout stable31`
+3. Apply the patch using `git cherry-pick bac32ace61e7e1e01168f9220cee1d24ce576d5e`
+4. Start a nix-shell with `nix-shell -p gnumake krankerl php84Packages.composer php nodejs_24`
+5. run `krankerl package`
+6. upload the archive at "./build/artifacts/deck.tar.gz" to a file storage (ask Ahtlon for access to the storj s3 or use own)
+7. Change url and sha in the nextcloud configuration.nix `deck = pkgs.fetchNextcloudApp {};`
--- a/doc/src/anleitung/updates.md
+++ b/doc/src/anleitung/updates.md
@@ -1 +1,11 @@
 # Updates
+## Nextcloud
+Update nextcloud to a new major version:
+- create state directories: `mkdir /tmp/var /tmp/data`
+- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`
+- Update lock file `nix flake update --commit-lock-file`
+- Change services.nextcloud.package to the next version (do not skip major version upgrades)
+- change custom `extraApps` to the new version
+- TEST!
+- run vm again, it should successfully upgrade nextcloud from old to new version
+- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1730135292,
-        "narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=",
+        "lastModified": 1746728054,
+        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5",
+        "rev": "ff442f5d1425feb86344c028298548024f21256d",
        "type": "github"
      },
      "original": {
@@ -67,16 +67,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1733951536,
-        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
+        "lastModified": 1748226808,
+        "narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
+        "rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-24.11",
+        "ref": "release-25.05",
        "repo": "home-manager",
        "type": "github"
      }
@@ -109,11 +109,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1734041466,
-        "narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
+        "lastModified": 1748260747,
+        "narHash": "sha256-V3ONd70wm55JxcUa1rE0JU3zD+Cz7KK/iSVhRD7lq68=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
+        "rev": "b6c5dfc2a1c7614c94fd2c5d2e8578fd52396f3b",
        "type": "github"
      },
      "original": {
@@ -124,11 +124,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1733620091,
-        "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=",
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
        "type": "github"
      },
      "original": {
@@ -145,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733965598,
-        "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=",
+        "lastModified": 1747663185,
+        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f",
+        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
        "type": "github"
      },
      "original": {
@@ -160,11 +160,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1733861262,
-        "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
+        "lastModified": 1747900541,
+        "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
+        "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
        "type": "github"
      },
      "original": {
@@ -192,11 +192,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1733759999,
-        "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
+        "lastModified": 1748190013,
+        "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
+        "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
        "type": "github"
      },
      "original": {
@@ -208,16 +208,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1733808091,
-        "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
+        "lastModified": 1748162331,
+        "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
+        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -235,7 +235,8 @@
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix",
        "tasklist": "tasklist",
-        "utils": "utils_3"
+        "utils": "utils_3",
+        "zineshop": "zineshop"
      }
    },
    "sops-nix": {
@@ -245,11 +246,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733965552,
-        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+        "lastModified": 1747603214,
+        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
        "type": "github"
      },
      "original": {
@@ -261,11 +262,11 @@
    "spectrum": {
      "flake": false,
      "locked": {
-        "lastModified": 1733308308,
-        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
+        "lastModified": 1746869549,
+        "narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=",
        "ref": "refs/heads/main",
-        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
-        "revCount": 792,
+        "rev": "d927e78530892ec8ed389e8fae5f38abee00ad87",
+        "revCount": 862,
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      },
@@ -334,6 +335,21 @@
        "type": "github"
      }
    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "tasklist": {
      "inputs": {
        "nixpkgs": [
@@ -341,11 +357,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736184101,
-        "narHash": "sha256-HAX+TkDXzyNp6SAsKwjNFql7KzAtxximpQSv+GmP8KQ=",
+        "lastModified": 1760981884,
+        "narHash": "sha256-ASFWbOhuB6i3AKze5sHCvTM+nqHIuUEZy9MGiTcdZxA=",
        "ref": "refs/heads/master",
-        "rev": "9cdab949f44301553e3817cf1f38287ad947e00c",
-        "revCount": 28,
+        "rev": "b67eb2d778a34c0dceb91a236b390fe493aa3465",
+        "revCount": 32,
        "type": "git",
        "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
      },
@@ -407,6 +423,45 @@
        "repo": "flake-utils",
        "type": "github"
      }
+    },
+    "utils_4": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "zineshop": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils_4"
+      },
+      "locked": {
+        "lastModified": 1751462005,
+        "narHash": "sha256-vhr2GORiXij3mL+QIfnL0sKSbbBIglw1wnHWNmFejiA=",
+        "ref": "refs/heads/master",
+        "rev": "f505fb17bf1882cc3683e1e252ce44583cbe58ce",
+        "revCount": 155,
+        "type": "git",
+        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,7 @@

  inputs = {
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -22,6 +22,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    zineshop = {
+      url = "git+https://git.dynamicdiscord.de/kalipso/zineshop";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    ep3-bs = {
      url = "git+https://git.dynamicdiscord.de/kalipso/ep3-bs.nix";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -33,7 +38,7 @@
    };

    home-manager=  {
-      url = "github:nix-community/home-manager/release-24.11";
+      url = "github:nix-community/home-manager/release-25.05";
      inputs = {
        nixpkgs.follows = "nixpkgs";
      };
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -8,10 +8,24 @@ keys:
  - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
  - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
  - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
-  - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
+  - &machine_durruti age1tc6aqmcl74du56d04wsz6mzp83n9990krzu4kuam2jqu8fx6kqpq038xuz
+  - &machine_infradocs age1tesz7xnnq9e58n5qwjctty0lw86gzdzd5ke65mxl8znyasx3nalqe4x6yy
+  - &machine_overwatch age1hq75x3dpnfqat9sgtfjf8lep49qvkdgza3xwp7ugft3kd74pdfnqfsmmdn
  - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
-  - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
+  - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
+  - &machine_nextcloud age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
+  #this dummy key is used for testing.
+  - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:
+  #provide fake secrets in a dummy.yaml file for each host
+  - path_regex: '.*dummy\.yaml$'
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *machine_dummy
+      - *admin_atlan
  - path_regex: moderatio/secrets/secrets.yaml$
    key_groups:
    - pgp:
@@ -59,13 +73,6 @@ creation_rules:
      - *admin_kalipso_dsktp
      age:
      - *admin_atlan
-  - path_regex: fanny/disk.key
-    key_groups:
-    - pgp:
-      - *admin_kalipso
-      - *admin_kalipso_dsktp
-      age:
-      - *admin_atlan
  - path_regex: bakunin/disk.key
    key_groups:
    - pgp:
@@ -73,3 +80,25 @@ creation_rules:
      - *admin_kalipso_dsktp
      age:
      - *admin_atlan
+  - path_regex: nextcloud/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+      - *machine_nextcloud
+  - path_regex: overwatch/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+  - path_regex: .*/secrets/.*
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -8,12 +8,11 @@ in
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
      ../modules/xserver.nix
-      ../modules/malobeo_user.nix
      ../modules/sshd.nix
-      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
      inputs.self.nixosModules.malobeo.disko
      inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.users
    ];

  malobeo.autoUpdate = {
@@ -38,6 +37,8 @@ in
    ethernetDrivers = ["r8169"];
  };

+  malobeo.users.malobeo = true;
+
  hardware.sane.enable = true; #scanner support

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
@@ -52,7 +53,7 @@ in
      libreoffice
      gimp
      inkscape
-      okular
+      kdePackages.okular
      element-desktop
      chromium
      mpv
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -1,179 +0,0 @@
-{ self
-, nixpkgs-unstable
-, nixpkgs
-, sops-nix
-, inputs
-, microvm
-, nixos-hardware
-, home-manager
-, ...
-}:
-let
-  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
-  nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem;
-
-  baseModules = [
-    # make flake inputs accessiable in NixOS
-    { _module.args.inputs = inputs; }
-    {
-      imports = [
-        ({ pkgs, ... }: {
-          nix = {
-            extraOptions = ''
-              experimental-features = nix-command flakes
-            '';
-
-            settings = {
-              substituters = [
-                "https://cache.dynamicdiscord.de"
-                "https://cache.nixos.org/"
-              ];
-              trusted-public-keys = [
-                "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4="
-              ];
-              trusted-users = [ "root" "@wheel" ];
-            };
-          };
-        })
-        sops-nix.nixosModules.sops
-        microvm.nixosModules.microvm
-      ];
-    }
-  ];
-  defaultModules = baseModules;
-
-  makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
-    {
-      microvm = {
-        hypervisor = "cloud-hypervisor";
-        mem = 2560;
-        shares = [
-          {
-            source = "/nix/store";
-            mountPoint = "/nix/.ro-store";
-            tag = "store";
-            proto = "virtiofs";
-            socket = "store.socket";
-          }
-          {
-            source = "/var/lib/microvms/${hostName}/etc";
-            mountPoint = "/etc";
-            tag = "etc";
-            proto = "virtiofs";
-            socket = "etc.socket";
-          }
-          {
-            source = "/var/lib/microvms/${hostName}/var";
-            mountPoint = "/var";
-            tag = "var";
-            proto = "virtiofs";
-            socket = "var.socket";
-          }
-        ];
-
-        interfaces = [
-          {
-            type = "tap";
-            id = "vm-${hostName}";
-            mac = "${macAddr}";
-          }
-        ];
-      };
-      
-      systemd.network.enable = true;
-      
-      systemd.network.networks."20-lan" = {
-        matchConfig.Type = "ether";
-        networkConfig = {
-          Address = [ "${ipv4Addr}/24" ];
-          Gateway = "10.0.0.1";
-          DNS = ["1.1.1.1"];
-          DHCP = "no";
-        };
-      };
-    }
-  ] ++ defaultModules ++ modules;
-
-  inputsMod = inputs // { malobeo = self; };
-in
-{
-  louise = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./louise/configuration.nix
-    ];
-  };
-
-  bakunin = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./bakunin/configuration.nix
-      inputs.disko.nixosModules.disko
-    ];
-  };
-
-  lucia = nixosSystem {
-    system = "aarch64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./lucia/configuration.nix
-      ./lucia/hardware_configuration.nix
-    ];
-  };
-
-  fanny = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputsMod;
-    modules = defaultModules ++ [
-      self.nixosModules.malobeo.vpn
-      ./fanny/configuration.nix
-    ];
-  };
-
-  durruti = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    specialArgs.self = self;
-    modules = makeMicroVM "durruti" "10.0.0.5" "52:DA:0D:F9:EF:F9" [
-      ./durruti/configuration.nix
-    ];
-  };
-
-  vpn = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    specialArgs.self = self;
-    modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [
-      self.nixosModules.malobeo.vpn
-      ./vpn/configuration.nix
-    ];
-  };
-
-  infradocs = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    specialArgs.self = self;
-    modules = makeMicroVM "infradocs" "10.0.0.11" "D0:E5:CA:F0:D7:E7" [
-      self.nixosModules.malobeo.vpn
-      ./infradocs/configuration.nix
-    ];
-  };
-
-  uptimekuma = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    specialArgs.self = self;
-    modules = makeMicroVM "uptimekuma" "10.0.0.12" "D0:E5:CA:F0:D7:E8" [
-      ./uptimekuma/configuration.nix
-    ];
-  };
-
-  testvm = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    specialArgs.self = self;
-    modules = defaultModules ++ [ ./testvm ];
-  };
-}
--- a/machines/durruti/configuration.nix
+++ b/machines/durruti/configuration.nix
@@ -1,14 +1,11 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, self, lib, pkgs, inputs, ... }:

 with lib;

 {
-  sops.defaultSopsFile = ./secrets.yaml;
-
  networking = {
    hostName = mkDefault "durruti";
    useDHCP = false;
-    nameservers = [ "1.1.1.1" ];
  };

  networking.firewall.allowedTCPPorts = [ 8080 ];
@@ -20,16 +17,21 @@ with lib;
  ];

  imports = [
-    inputs.ep3-bs.nixosModules.ep3-bs
+    self.nixosModules.malobeo.metrics
    inputs.tasklist.nixosModules.malobeo-tasklist

-    ./documentation.nix
-
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    ../modules/minimal_tools.nix
  ];

+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
  services.malobeo-tasklist.enable = true;

  system.stateVersion = "22.11"; # Did you read the comment?
--- a/machines/durruti/host_config.nix
+++ b/machines/durruti/host_config.nix
@@ -43,6 +43,54 @@ in
      };
    };

+    services.nginx.virtualHosts."cloud.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
+    services.nginx.virtualHosts."grafana.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
+    services.nginx.virtualHosts."tasklist.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
+
+    services.nginx.virtualHosts."zines.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
+    };
+
    services.nginx.virtualHosts."status.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
@@ -52,17 +100,5 @@ in
        '';
      };
    };
-
-    services.nginx.virtualHosts."tasklist.malobeo.org" = {
-      forceSSL = true;
-      enableACME= true;
-      locations."/".proxyPass = "http://${cfg.host_ip}:8080";
-    };
-
-    services.nginx.virtualHosts."booking.dynamicdiscord.de" = {
-      forceSSL = true;
-      enableACME= true;
-      locations."/".proxyPass = "http://${cfg.host_ip}:80";
-    };
  };
 }
--- a/machines/durruti/secrets.yaml
+++ b/machines/durruti/secrets.yaml
@@ -1,70 +0,0 @@
-hello: ENC[AES256_GCM,data:MKKsvoFlHX6h4qazxcjl/RE1ZsK64G926k4hgFW3AkoJgXO1QXmTaRG7ZBgS8A==,iv:hoFbcNRkge24xJfLZJH651jB4NnXCjYAdTrirkans+4=,tag:68AyEHamlGxdmSJGkTGbsA==,type:str]
-ep3bsDb: ENC[AES256_GCM,data:Z4ZYRaV/eCkaW5Ma+88hbl1o8qsI7PANrIHXoLdIOqIGFLPt7dw=,iv:BCVM+PeGm2NRcvBBy0kId1iVOD/uoiVKKBDA03p0QFM=,tag:CMypO3RLOhvHdVG5YvWewg==,type:str]
-ep3bsMail: ENC[AES256_GCM,data:rZhRb/+gs0Lm8Gdi2P2FMe15A344b88TRg==,iv:hEIG2CBcMslg3hmH3ST3bu6tmes01jncQ3V7h5KcuhA=,tag:XAHdMAlVZNyMdp4TznWDQQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEay9wZGM5elhUd2RqVFdJ
-            aHFhRVNiY0lzZEZzSkVvcVlMT1FmMXN4YzNrCkE3SnprNUJ6Ty9hUGZhbzNEVit4
-            THpoUnMyNmQ2Q3Z0SlR6cDFzeE9BaDAKLS0tIHFpbFJadTdtb2s2T2hmMWFBTlBV
-            azZzNXBTRVFoUGtJaGpPdzlDNVpYcjAKd/9v8gn3jbMEK+UPipI8cIufCoWwWfS/
-            kI9zLws/jtjhRZLNHJaXWz7CjAEwKA+6NOQA3pwZaeS1QKwSmeRdZA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc1o2eTlFc1l4YjVOUHdM
-            S1F2RG9PQWwyd2VYSmJmVzE4cWNSSEt5WUJZCjlwaWNJWFNHNnZkUVBwdVJUbVNi
-            WjdYZ2dENVIydWw4WHJmckF0ZjRLWXMKLS0tIDRsNXNSRnZkVzFkSHpDSWgrSEhv
-            bjBqRlYzcGIvNzhLbjdUbmFhMkU2RXMKsgkwNqQeP40boqriANQg13YKKwMz9iTZ
-            Vw1wYVeQmo4En7c4yAztqBriVoTNsbWkkvGw0P4z37B+6ll8kdEMSQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-26T10:07:26Z"
-    mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
-    pgp:
-        - created_at: "2024-12-19T15:09:01Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQGMA5HdvEwzh/H7AQv+K+G7MhXO0RlQENydEstPcMV5vAgkzL06kiN3wXpeOPmj
-            2gwdNcbOLtcXV8a4mH6xGZPkKOV8xjkybp7Myicll6YDs+4Uw3qRTUmCyZ0BC2Wc
-            WDrTMz/lCx1gZGVa99KgHaLmALhZbEO/R08qW52Xkwmcvg1GdM22RtB12L+c8JPB
-            +RR/pLR4UCTfN21uS2CJ33bJnAayfi+s/maGYsElZkH/zoPtDBxF/ntk7g/xeN13
-            Jymg1Ofmjm8JT0FPe8RE7Er/qXlxsG46GVj964chCtljz3NgL76tgC207E8CLUJq
-            rVqGKU0PO6h924uNmVON+JI1CeyCsjejsFOGaS8kOEAwEgCoeICqiqkTbtUCU21K
-            4C7J3mFwhAL+F2IueOY8NZxEV4tMJoY6JZ8c8wtM4Gl6JePlkFRX8LhuO/Bw2VJ9
-            cuGlkIIg3pA94U6Hql7LwLZbIkquI7SWGx7IHOhk/4qtCUlEn4t40JdN4PbA0bz2
-            Cde3+6zFOkX0m1BXkj4f0lgBIOfcPsXmY8ho4isVd9+v7arbE2WSZ6IBG75cx0a1
-            4LYx3QWTLlujiDIc5arhBgpB2ceO8lFTARnoLLqG6y1T+w6UNoVHQZ4n987SpWkk
-            EKQxUDnO8Nvb
-            =1PHB
-            -----END PGP MESSAGE-----
-          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-12-19T15:09:01Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA98TrrsQEbXUARAAhfUKm9iR11pU0U44IDfwa7NRRurim8GOPX4FWwJJORNL
-            q85xGM0jA/k8JRsOdsjfHb4/khHtG8cl+t09nEBxTeeb7mKdiOXfsxrvHEf6qeUw
-            F/DQGoaxk+ISXW4iMcV0CPYciLb7kSHCqVFovmmTGlI9fMXryKl3UpP/nzzz9Zk2
-            5cXLmbQqeQVsp17Dw5x7rglkTlx8+W7Z1tDHlHrycxzh6LYpJ7QX54EHM8JgMjw/
-            WREO0qnJMt6C0qp8e3KWhYhMHIidM3WexJR9ixBICxevy0QwvNult0ryOZMc+nTY
-            48sXxCTebnLspiFBS5OsagGxNgwMixydfKv0ci8E7FyB84jwq7XriiQRzYfzU/6L
-            wEPapKrXno0F7wyiiesl/HKdLkOujFIhAl7P1ZNHQLcDuzDCqSo2xd7dbUsbPLcR
-            BUNcfc0VK3TEJks1lXkO5C1PeYEy+NgsJnEQ2lrnAbmKDxpH6qOA2KSGh12uZnHp
-            7kk/hRclVnygkcQc6j71eOyprQms2VjU6fVy2dED+ucjvogrceWWSUkuP6GQEqZV
-            bPhLxpMMw6cIWcTLZIEqLRQv9EqibIFEohkUh9A2TL7XxPb6MEhsRXKTsmMqzdiH
-            /xUwxH3w0w8CrEheVvxGxQi7B4XWC9jHGN+KvJGisrLeGpl/wJ8NKcqOSasB4fLS
-            WAHQxsAnNtNj5rV/BQJHr8lvX+ebJkMpCEBmIdQUeX4WVegr3HkDF34EWoqVfzV2
-            T0ZUaCXNI+tdmvJji9MPd1ZFrTgF5XuFjQxMP1uPI6gannH9InvBXvY=
-            =5AlZ
-            -----END PGP MESSAGE-----
-          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -1,23 +1,42 @@
 { inputs, config, ... }:
 let
  sshKeys = import ../ssh_keys.nix;
+  peers = import ../modules/malobeo/peers.nix;
 in
 {
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets.wg_private = {};
+  sops.secrets.shop_auth = {};

  imports =
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
-      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.vpn
      inputs.self.nixosModules.malobeo.initssh
      inputs.self.nixosModules.malobeo.disko
      inputs.self.nixosModules.malobeo.microvm
+      inputs.self.nixosModules.malobeo.metrics
+      inputs.self.nixosModules.malobeo.users
+      inputs.self.nixosModules.malobeo.backup
    ];

+    virtualisation.vmVariantWithDisko = {
+      virtualisation = {
+        memorySize =  4096; 
+        cores = 3;
+      };
+    };
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
@@ -26,7 +45,24 @@ in
    cacheurl = "https://cache.dynamicdiscord.de";
  };

-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  malobeo.backup = {
+    enable = true;
+    snapshots = [ "storage/encrypted" "zroot/encrypted/var" ];
+  };
+
+  nix = {
+    settings.experimental-features = [ "nix-command" "flakes" ];
+    #always update microvms
+    extraOptions = ''
+      tarball-ttl = 0
+    '';
+  };
+
+  malobeo.users = {
+    malobeo = true;
+    admin = true;
+    backup = true;
+  };

  malobeo.disks = {
    enable = true;
@@ -35,17 +71,50 @@ in
      disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
    };
    storage = {
+      enable = true;
      disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
      mirror = true;
    };
  };

+  systemd.tmpfiles.rules = [ 
+    "L /var/lib/microvms/data - - - - /data/microvms"
+    "d /data/microvms 0755 root root" #not needed for real host?
+    ];
+
  malobeo.initssh = {
    enable = true;
    authorizedKeys = sshKeys.admins;
    ethernetDrivers = ["r8169"];
  };

+  boot.initrd = {
+    availableKernelModules = [ "wireguard" ];
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        netdevs."30-wg-initrd" = {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "wg-initrd";
+          };
+          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
+          wireguardPeers = [{
+            AllowedIPs = peers.fanny-initrd.allowedIPs;
+            PublicKey = peers.fanny-initrd.publicKey;
+            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
+            PersistentKeepalive = 25;
+          }];
+        };
+        networks."30-wg-initrd" = {
+          name = "wg-initrd";
+          addresses = [{ Address = peers.fanny-initrd.address; }];
+        };
+      };
+    };
+  };
+
  services.malobeo.vpn = {
    enable = true;
    name = "fanny";
@@ -53,9 +122,21 @@ in
  };

  services.malobeo.microvm.enableHostBridge = true;
-  services.malobeo.microvm.deployHosts = [ "infradocs" ];
+  services.malobeo.microvm.deployHosts = [ 
+    "overwatch" 
+    "infradocs" 
+    "nextcloud" 
+    "durruti" 
+    "zineshop"
+  ];

  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "enp1s0";
+      internalInterfaces = [ "microvm" ];
+    };
+
    firewall = {
      allowedTCPPorts = [ 80 ];
    };
@@ -67,6 +148,55 @@ in
      locations."/" = {
        proxyPass = "http://10.0.0.11:9000";
        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."cloud.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.13";
+        extraConfig = ''
+          proxy_set_header Host $host;
+          client_max_body_size 10G;
+        '';
+      };
+    };
+
+    virtualHosts."grafana.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.14";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."tasklist.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.5:8080";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."zines.malobeo.org" = {
+      # created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo'
+      # then content of foo.txt put into sops
+      # basicAuthFile = config.sops.secrets.shop_auth.path;
+      locations."/" = {
+        proxyPass = "http://10.0.0.15:8080";
+        extraConfig = ''
+          proxy_set_header Host $host;
+
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
        '';
      };
    };
@@ -89,5 +219,10 @@ in

  time.timeZone = "Europe/Berlin";
  system.stateVersion = "23.05"; # Do.. Not.. Change..
+
+  sops.secrets.shop_auth = {
+    owner = config.services.nginx.user;
+    group = config.services.nginx.group;
+  };
 }

--- a/machines/fanny/disk.key
+++ b/machines/fanny/disk.key
@@ -1,31 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-01-05T19:35:48Z",
-		"mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2025-01-05T19:32:11Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----",
-				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
-			},
-			{
-				"created_at": "2025-01-05T19:32:11Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----",
-				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
-			}
-		],
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.2"
-	}
-}
--- a/machines/fanny/dummy.yaml
+++ b/machines/fanny/dummy.yaml
@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:YEmIfgtyHE9msYijva0Ye2w7shVmYBPZ3mcKRF7Cy20xa6yHEUQ0kC2OWnM=,iv:ouK6fHcrxrEtsmiPmtCz9Ca8Ec1algOifrgZSBNHi74=,tag:524e/SQt++hwVyeWruCsLg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVnB0dDdQT0tNSUJDSlhx
+            QVFoVTZlb01MbVBwM2V2MGdGZFJTWm1FTW5nCkN5V0Y5MEp4K2FiU0xNVlRQM2xN
+            SFJEWFFwTGhQWWwzNjlFN3NiakNBMnMKLS0tIE9MRHdnVHVYTG5rR1lGazdlK0Nv
+            cmZiN0R5OW9vaitZb0JIa2srdmNMRjAKYlL4e8hfB0YuVNLM65yyvvCKl6EAF6E5
+            YkAidAO5MY/wo1SDFQMeDub0Uso1QuNexYUZt7kzotvuPOzgywUORA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZ25EdmdWVjAwWGhiVDRa
+            cU9saUxnSXVDN0NodzI3aXMrTDZRc1FOUUJZCmh6V3lhS1FER2lyMzk5eU1XbXVh
+            b3JFQ05GdEZTNVFTdFJjN3dTN2xBaXMKLS0tIG15YlVvVHZ5c2pYVmZCaktwRXFx
+            NjJ5cFdTVS9NZmVWMjcrcHo2WDZEZDgKiDwkuUn90cDmidwYGZBb5qp+4R1HafV0
+            vMQfjT9GrwB5K/O1GumOmvbzLNhvO2vRZJhfVHzyHLzQK64abQgF5Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:46:09Z"
+    mac: ENC[AES256_GCM,data:eU3SIqAGrgbO2tz4zH1tgYcif7oe5j+/wmdYl2xXXI+D6IhiKrTJGvzE3rd3ElEpb+Bg0UQId952U2Ut0yPTfxGLtdlbJA66CmhLAksByoJ8lOXUcp/qDyA4yMRSuwYG2v7uF2crvue9fyRfZ7hl7abE/Q7Z2UjOKqhSZC5cO3U=,iv:NmCVvtBWZRzhpr5nMLy+98VuQZWoUms7xFSxq8PMvBA=,tag:UWjA7oqoNWh4wb0myNg7FA==,type:str]
+    pgp:
+        - created_at: "2025-01-19T22:45:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv/fLoi/LsDTN6tDdw0rWQg1iG/6oFFxcYO44XU2vCd13Ql
+            okvR1ZtvXtnM/FwTboK2KjxahkuAbapXXEvfWJ2W+d2L38aYxCPe/ryQhjrUP/jJ
+            4IjFSa5R6oWca9i5Apue5In71ACzGCF/v2oyNAF4fSDX7Q+YKOMiwaDatfOAKp5v
+            JlkcfIq6WBR+gKZsTCfLunURNJoKu7jz35OUJDmzyZl9u/xV0ENveQxaKa3hj87s
+            hb7RGXqph6WWhigy+rtTqYQNjycRDHuspb2GgGE5N7OYteZo/XxA3tDz2EWVCYx+
+            g8aEEvxHK3qEIcWbgmbKXNPNSH/CG1XQFaUhdSnkg5lMJsBuYToeNsPTS0o866k1
+            wmoiI3nT2KtnV2SeR3UUMNDqSDl5unLgBCrbDi0m3Sqt9ubjCfuOYN2T19WvAMZx
+            CwB33mVAevPy4Qs5IjPad1WtiaUFulkfJFd1iCM9dhA0RDxbIJRaVGCjqnaE4lW4
+            yP25uKoEUSitgr5nLk000lgBQBkE3obMFZ+DPoNaqupremevGJ71LyjJhXwgzQvk
+            7pwQXBZWybBFFcH7wDurSIJMqE1KP24Krshm7aR9yVNd3mEz7v2T5pbUywTP8H1I
+            TkFpiaZ7OG8G
+            =VXoo
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T22:45:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAmhiwA8S+wZ0wiyIJwmRyLMWj3Xm95dTnEoeZmJ2I3O4g
+            0szCKLdW8eUWrjZML09ByPYXQINkuyUR+g72+/ALEr9F587GxWDdMwcwLSlIYlX0
+            3GwnJ7ACv/uTZjK24AXno3TkffPQy+rRQwXkpmUz7CMCeH/WRmVtf1LFUuxgbcrj
+            Kmx9x52dn+ae5JOeMkEu4t8lAtI1pv1JRPnm6RIqK2N7VBRGjiD9SiyJiwLqV2GN
+            7N+vepFhbBKPzt+CFpnPWnFePb+TtQmAdJVULedlFPLcJGsPMloEXSuunK2eKveB
+            Vj1NO80i8PEVup02IlEabp+H7eYV8wZOviAJ7HGVhpw6kxD1tqO98KeSFfhuqbul
+            ijaeF2COgf9lioR6Y8T+RhTqeEZK85U/OGXgiM7MdTdYQV9BrY5nR5XSYIrK6zl9
+            TlS24DdM/Sd2939o+wdtgpm0FNQjW3WwA3n2QE/rqjQ6z2pyCTH16yRalAgHKNk/
+            B3uDGxIO5ua6xZwPzFrOB7uKggB8W/lx1eyAT53Lv7MTRp9PW6mm+NoVkNIzmCYa
+            5G2Y/bluKRt39O6UuSVrN8YLcyYCC+xYUfQf4Lr6/CwZ/XbgMTYm29+IgkOkgoS0
+            UxPcmXUgxi98lu5IhdIwWTNtaWEvT9adwmd3bxebWgDmUvK5QxAc7BYUnGIe+C7S
+            WAHA1m5OEQrNFLKGTSha/K20cDAoV2f4IAykRRWD3zieBAP3rzsIv78mgrMBIWP6
+            z1L41UXlBToKfcw8TI9XKIlYId/asI7mR+bqT3oLSdni8qr32VpRjZ0=
+            =MPBp
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/fanny/secrets.yaml
+++ b/machines/fanny/secrets.yaml
@@ -1,68 +1,70 @@
 wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
+shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str]
+shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
-        - recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
+        - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh
-            cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy
-            WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK
-            RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL
-            2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZFBYMHMzTFRMLzhCbnBE
+            MXkreklWSUVOckl5OTJ0VzlWS2tIOFBRRVVJCk90OXJoMHQza0hTSGt5VUphNjY1
+            MkFrTHQwTHJNSGZjT2JOYXJLWExwQTQKLS0tIHlTeVgvRlU0MXA3cUl2OE9tYUls
+            TStjbTBkMTNOcHBja0JRYUdvSWJUN00KtOPBH8xZy/GD9Ua3H6jisoluCR+UzaeE
+            pAWM9Y6Gn6f7jv2BPKVTaWsyrafsYP7cDabQe2ancAuuKvkng/jrEw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK
-            U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX
-            eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS
-            cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/
-            MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc282T2VVamFGcG1Ub3hp
+            S1VwKzVsWW1sRXczZnRNdkxDWE5Sd0hhVUJRCkovNGZ1ZlN0c1VyMXV0WThJMGFi
+            QVM3WW5Eam81dWpGaFd3bm80TmtQSlUKLS0tIFFSUy9SYWdKeE5KWk0yZld5dDYy
+            QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP
+            SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-14T12:41:07Z"
-    mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
+    lastmodified: "2025-04-14T10:34:55Z"
+    mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str]
    pgp:
-        - created_at: "2025-01-14T12:32:13Z"
+        - created_at: "2025-02-11T18:32:49Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8
-            5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO
-            8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN
-            zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA
-            cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O
-            /MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24
-            9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict
-            iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k
-            UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p
-            Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N
-            J+o9dahBHvIF
-            =GKm4
+            hQGMA5HdvEwzh/H7AQwAmorRyo7mguHQxATRRuKstaXertmyz2AhKFr1Kr880vBJ
+            ODjEKmkH77wIpOnZjOYrx7j2JWosoJ1KgsUUh4VlAPM3O6cXVwqDucu1d8O/HzK3
+            RPuPfTKDr/lKl7QyQCx5lQuxE1/qn88D/g/fMQYu3NAVJa7acpTdSsfyo9nZ3QMb
+            ly6YEyGDc/IhBy5igc7bIWy1o+XATmyUxA+jZVMLiBKhetogMC507Eq71tUCMEht
+            CItRoFFPeoCzC8JPjpQNQmXoe5WDv3hzWpUBRJgjScYz3JuEfakbsAnzrPc41Mga
+            yPhSPYPBtHlEt+DntW9i/CFLEJ+I0V+uz3gnNtNdHTIIe2AZbGympjZldZThldb3
+            Tupo7ep6VQgi+hG37wLmQdvSVWR8lVJDMvOmV9xZqdFYfQdBr2gewTT6Y2QCc8GZ
+            HBtJASlpIbydd/rtLtaTwtdOz64g+F5Vw/6T3ciyExt6RCoPALqZCoyzQnvnQm7e
+            JPPauAs8BH8ejoDlJYjK0lgBBMSJTZ2xlGYh4wG8zmGtGok2wvXYy+DeqlXuCIy6
+            7Xu4BLTL9eOZZo0sPR+RQfYbII0zMIc2fPBtU2c2z89YOTI44FI0BVbTlhLIIXXz
+            NJMDln08MWwr
+            =hhKC
            -----END PGP MESSAGE-----
          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2025-01-14T12:32:13Z"
+        - created_at: "2025-02-11T18:32:49Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs
-            W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF
-            e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR
-            GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q
-            yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM
-            wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap
-            FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT
-            cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul
-            QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2
-            MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB
-            5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS
-            WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw
-            CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE=
-            =9FN4
+            hQIMA98TrrsQEbXUAQ//cBdyq4JxOhU9t7Z9iWAp2DRObgv7HMbhIXh1351wuzA7
+            Fe0Kqcoo/ekCkIPrLZOC5z4CMjXwOCPSncMMm5vK5ibixTlX9446+Hv7AQ1vq2Nt
+            2daL8ZzpCeCJmi07Vyp72/NJOZYa6YY/gFiiRw044lNLFS//b0sYkipne5COjvca
+            I7BxWCpGwLLWZ7LNKhg6i0at+0AqEdBDiwSE7jfeY6IL9tPOIqmBxYIWMbiAkPMd
+            /nK8PVPrt41NkJkuxfjXcYowJRcJmAYHGiRUQaAkUZyRQxmolbLwwJ+/CVYxv5Kk
+            hN5QvT82z5I8gK5LXrt3ZGEcC9dADkRSQr/qcWQT+CEnsGZi8b0unwUZZruDVb7d
+            eIwICaXu62gH/mlJN1z/J5jEciwQtC9Eh932x5qY3sdtd6Gm7/EHTf9NJ9Zg3gTk
+            nfytwpfUmtJO/bI5RvYSUkXkU6CLY6bqRW12+YrsAP+vDITYcLVEJGt7jrXDFto2
+            Z9rlywZsQiZhLrzi1UImCTthcceI6Hd7l3TOYV84gMxdahBo3FLKnoZRK2I7ukGq
+            Wi0KjajcsJ6LBUCCpMg/tW+TT8/+66QY9BDzcv/hBdRc4lCKNeKDwwGFPSFZCcib
+            uyT8UB6iUYVMiNSHRqdGGcH0NwH45Oe2g9nF/lrJ0vYw1toN3WSpEc5v/Nch8DbS
+            WAE3DazXQgd4UQ19q+5cC+L5POWcAjgWpZlRwBXBRdeOKFDF9maCPL6MpfMm6XG1
+            /JNfzhipjL5OXgJgK7iUFJlH9AuD18g/by7yID0bTsg2fkfLglwjfm8=
+            =Sdch
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
    unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4
--- a/machines/fanny/secrets/disk.key
+++ b/machines/fanny/secrets/disk.key
@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:H0oMKUXc6C28tHMwSgsppcdfYKEknPIIWGq3Mwk=,iv:lExcGcA4bvwKtqeeG4KS87mWlPBtCSSpOunJMZcQG+Y=,tag:F6Pke7woX/odRT7SMJwVbw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlQwRFZLZUtGamszckt6\nNmFoZmk3U1JpM3V6MkNZc2Iwd0VlTDJpekNvCkMzVm1qNEYyNEZmQ1o0TG1LRmpP\ncUhiWlB5ZTdjZnBHQUxVblA2V2s4WVEKLS0tIDhiUUdla09WRmR6RWZnbE5XRDAv\nWVV0WW9wMWsrcjdsdkF3NHgxMVFmRDQKeUAVQU/M1DGfAmee6CFvyTr8RkRBWjYk\nK9ceXyJSojHktwr/Xllm1mMm6H2lPbzba/JAyt99YVTD8xO056vu/g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-22T18:09:45Z",
+		"mac": "ENC[AES256_GCM,data:5IGtFkE5sGjXJXlXkPdN4e15gxh6QB/z1X5A0149koG3fvOPnoLPEU+DGx1qj9Z/8vilJat1hk7qIBalMPMCn2/T1PIV45Hpvih/kNoszkFMQ9r0EsZMgXgSJClHSg1JaiCiC3LvjsIWHDoESwVx3fqos1ClOLtrzKwptCEUp2Q=,iv:15QS1AwpuUr+EMw5YQe8ogb1Y58nQh4WcFjtzuWtcUQ=,tag:vL9cZRdsPCqaTw42pzRfOw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-22T18:08:13Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/WtqMo4CAW5VEqo4vEL7Lj9Z/OY1h0zPF/bdkc9u6x7IP\ngqH60j9iF3n4ae717c4eKf59iN4+4tDk51qb1XdBOw1scn6rTai6KCnqNhiGeZF9\ndKsCZG5LxdbGkEFFw0Q+6W+gV6MiGlD4SBiKpjAsGVGcn42wygfTzpFRRA2Pmlev\nAGSUs5TDmi1IqQsvzYBMBM9+6sdsKhpRalXGS0gFz+wYGPFlK4E1rd6CBKRYEWtw\nm4kRe0nA2Sk4XhVZ39nPtR9rxrhB+d+Qq7AHIqD75SoY8vI+o3UyJ5Cee5MAmMcd\nn0EG24OeThF2p4lZw0iuUgtefqkc21/MoojYP6tfS7s0vGcq9iFjZ8PgUv3IKfrZ\n9EwresYfvhKbocZj2ywPK7iavFCYmqpTzbloGkO0AVfmHpWZRpxneOaGruCwFmGg\nF3qBVTcBSBDF972KDvm/TbKV5NQmRAZuXTrTBh6vgmVcaLN8LTLP3xRQlY28Ng2P\nY5l/5sZ1CGvhfv+G/24n0lgBF7I8pMTfsUEttzPONEY3pRaYyprYxdDlutHI2Kzp\nl0oPBs19rCSn79avQr5fE0mIvqJCoB5HVPkUDjNTaMNSJAywjQEWNITh2GszRTku\nBDvnzA2VnVww\n=aFlN\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-02-22T18:08:13Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//bap7Q1HvJJ2KjVMhklTaQ2LG+TITzh0jvaRSXlXG+u5a\n//iWLTov8CH6s6e5I/T7FtslIcBVmyUX9vL9tCgVNMHy0RVG9mmykS0z5/9GY1tY\nEDcOOINQwrmuhWFHvc+9hzKEbLH7heR3ljMw9ouzBgFjEUdhFKJCIW9xrY3a45ue\nwBfaVj0tPNFMq/f/Zu5dDvw6gmYp9ziSMh3GwLNnMBmQDgdSjZJWQr+oa7KKSOM4\nu8ogeqP5Yyf7vDj1he+9TJpG8fdE68boYban9t9rfnyf0cRW7oHkpkwPtKvn9U4c\n4Tbl1RUqfHsTpHX+rxP8w/zgaLbrc0hJO1zxXeeQTOlS/0S1+i5n3pINFwzNXNBE\nIHgIpqOKabfpDFsL/DMIdNQZyr/iD4gHjzSeQPdyd0/4dbFMKPsVzA3JomE9z8NW\nRXz9Htb4Z4fybcPDOLxPkyM0qsEtdfb11U5l7IKuq+2ED5zOFxl+qhZrFz7vY1R7\nyaIM70HUeVCT7p0KZmWgtzjhafI8kTS2Qd7VjIF4Y721rB2opqaOKaCWjp4eeYI2\nE/TGivgRl57KgSF8Y8ucoC6ndsxwgJ4dYt3fos09Rbv1qFrlJftyD7m2kOXnPx5N\n5/2R4h3tiYQqGm727bjTjmGUtxToum3rY4sO0y38Woc+4BK3h/gj3AMir8DI7MfS\nWAE+yxIZH8y+c93zkZy34mEHafc6zPFD3QWuzbXzMGP+EMn710zaWmrVV1X3oLKW\n8lFB5sEX+BJaDgISOG7vgypNA+HtWZnRcB1CnzxboADE+HVAU3d+Bpg=\n=rfB5\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}
--- a/machines/fanny/secrets/initrd_ed25519_key
+++ b/machines/fanny/secrets/initrd_ed25519_key
@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:dsb1hdpeoH1Rc4Cz10cZMlAKL//GRUKQbTXvGuRcVqMtRVkmiVZonogj1FdpIFOY8m3zIuJKLpQp9i/RuWanRaThyOA4Mqo82N0MTkco0mwLfRhxqA2EbRv1dPgytVQvdNgSrnZI1FXtsQumPgO4KvifwaCG+Wu050NhPDC2Xt8i1U1TyMTkTigk2CKYaYgo+D9xSsA9ymjFUQgvnTn10t3di7cUJi3rBoEiZeOK/EAg1Y3h53AZ4p9SyG1kBflTvtE1NbIZNBYAiFkJNbIhT+Dw67Qv2Uso6oxL/I64IDOljMQz2874wZqpAL1w7W671KdlGtq0murjQ5Sg+g8RYseA1NVmTY7BCaGagNQuU6Ab0BSSdzIuDkH14BL1zGgprCqP0CE8WeWdUzCx5qud9emF24d+VvRKIiawTArSBe34VMnRq05OTKdmtwGZom7kbhD20c1/pwhytiJpzSE08iKy9cYGPGfirNJaxhT7z9XqSoECUg2XPI7Deh75PqoxM8pATLtOtOLp2cYSr2vSrqADMXzmR2M9ixEj,iv:RQH+e6ZADH2XMPqBeuHhMhHiksQg2iR4NUnYhD3pj7w=,tag:wJByTCrYf4cKxJaD2eTCMQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOS9jMmZoNWxrRTl6aVFu\nSW9oTTVkV3NiSGpDTDJNT3dmUWNmSURCYkZ3CnZJNFNEVTNWNEpvcS9NRjFTdExy\na0NNeTByblA3T0JFRXJacHlFTmRPcEEKLS0tIDJCa05LZHo2Rk9xek5Ec1hDODNQ\nOEs1Sk5YbTNHZGFtcmpqaDFKdzRpUVEKiUhTrGp4rXW3hHd8HueZ5v31CXpMACFT\nTq2OaVXUW7yTLFO2E405hQH2ZLS7KzkXeHmA4MZfbsq0ZkriXp956A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-25T16:42:28Z",
+		"mac": "ENC[AES256_GCM,data:iJS4wLJwJZRUozNBUBxL8wYOneGI1Et3r9+DtIs3JrQLEKV16n2SeRP0jRFyCO7VNkxyjnjXJwe0/GVbxtQbVCuDFaCWVpj4xNiEH3wMeuydU96E2QgHaWJGvhyj5e/5o3GO85DeF2ueFCa9DQKtTIWH1xPfqJwtZC2PGH5Uqyo=,iv:/TpULYHxSgFfMQyv715jLVY37AhSY/qh1Zn00UN8oOw=,tag:XrOn8ZpgWFYtSjatXn8sxA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/dMSVIuM4gsG06tcN0NvWQgZUO6E8u2M3k3kUU/xk9bem\nSJFtHluWx26V6F08PP5AoDQ1R5Z1RhP7w3JDjVyscb0WuUzDFVTbJLpuPJIX+MOe\nhz8OqLatn24+fK4eMnQFbTELYRPEKicMmoJrFaTXdUOLkynWtxijzRlCif8J1u3e\nqj2fSfPd4SI9ERiGo5MBtHA9A6nwQvboMdnlGvvlAxFF26QL0xqu8jUdllfJ5IT0\n7y3vbGixV/M29MKzt+cJk7Wnb2y5UaZdelsDmxmm4FrIxHaQrAb/kIMiwf6zVCwh\nZFvNwcAPirduvxpcjOV99mJQ3v02mWo/p4Ey3PCwRb1tQYRxiMf7IJ/eAspmiI/9\nwK/2c6ehtBVXlw738JjA+WP36u+5S7CrvzNk6RLd0y76aNvGB6ZCT4rGm1B2DfR5\nguP+RJGcMFzhv55hQNCNUHZ2jvhLvDvSaCjlOaJZBC62gCygtlDqaLtagIO6RwKR\nJdatJCEjio5yD7x1d7PY0lgBVlbkXk8K3e5CN4RdLyoZStShW3uC6dCUGG1OJzPE\n0mfW5y683CcpMATeucHROtTxxrmp+BT5CyP9eBA/CrmTAJVMaWYM/Tb3+nE4Feal\nKlamR+tLaZdj\n=9/53\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9FH3RHkKEo88HEAXYPfJ3tjctUrn6Y1muzgyilfa9R7OC\nBNdSyXP8qU9FaIEEO9cwXKY6hB30l/b42RwL2HS5MWlNZTXZO9XCjV4VpmkIy88y\nkVhxdb2QbGQSBqmfyc9GOvI2LN3jIAE5fy5GuDREKRJPfVJu6x7IbC4j3tT+3Szq\nzOTF+ZfuUlM7FDzt4vAvP2LeOZxYKCg1va6ne7rtXsry9cIotP7fTqm0xPLZ/K+2\n/+HhC2585GdUXratqod1VfUPGyvdyhrn6WV+BAvUA8O8LYO5ZIkgz16vp60XNZEA\nCkjy/kiSlMorHiy7/ZtWHwWPNQbGxVJ/u6XurgzreDT4H5FvfyzvdKTz7IGYNYfZ\nvwMtQDEd3ToP6QUyNGfpZ5eRGb3I+8xNOd3z3XIXYGFYAOPHriGXMA8Y1g21f+c8\nz0QxXXDNXlTt6qdpumfgF/d/UCFJZeuP2t+mVnnp/gkK6yKZlUHD8L8XjkgumxB+\nvFFKOpPbrO+H+L375xZp9OJTINF5QTFkrmT/jPoexCkx9koxNhM0vIKEFE7+gFsW\n5GKQqz0n1HQgbFfdm2Jk7WQqY8r0weGedalYzkfDPlbS0AdCB9Llk/vwu5Tf+hcX\nIMbph8ZwKLzld9MzEplhHwBZ/Gz0Upp1IYj5Ifr50EnlHjBJ+Z8xXWKshJ/6UerS\nWAEiuOmlWRFGWRM5EdrXwh0/dj+ZyXG7unsv+jpNXjOE8eznaH4Kd9/PEmxazbFX\nJ1gtX6JFy+HXID2DJmXng6NxCzPWpo6prAH9IbMebNVQMzbl03Dtyec=\n=WoeJ\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}
--- a/machines/fanny/secrets/initrd_ed25519_key.pub
+++ b/machines/fanny/secrets/initrd_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFRuQZweX3r9QQmAFo6oYY9zvrf9V3EIJOl6kFMgyLm kalipso@fanny-initrd
--- a/machines/fanny/secrets/ssh_host_ed25519_key
+++ b/machines/fanny/secrets/ssh_host_ed25519_key
@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:16SwZ4RZ89+TvwPVgEg+96PmNd63Oai1GnrRipLkxQmzfeAkQvs78emYUEVT/ouAnRFQRNagbhjA4nmfTTq1xGz1u8bacjk1ny1ckd2FmkEOQ7Ry181h8UE61rZP3c8yra2WCgOcsL22oUxUMhg6iswJqEKLImi3cmJ+hASPTc6L3vlZLcP3Vx6FEbDMGrVtfpHEliSicB/rkAOnjVHmxHmVRjx1AI7jfAjCoBGnLwI9X2XREGay9H8Kt36HIhlXA9dK+xkl6WdtkllHIHe3OYHqwd730g+1htMAWtHmyI/DPLLJG48pzITnKv3cQ3aaziUWJGa89WGnBuzxP8ZOagpnC1/wQi1WTR7d/4JYoslz06fCt1ouGT4ttDFh/YqbV0hcXqkASbUnnixicBaYeVrwvSkYvlbwToZ6L+Jc+eqQRrTKXxs5pIZ4qkvImDp85v3U1bDxXT+qhpK9hasmgBqgM9GYjgw8Um/imr9HqDp9ztRsij87mRW/l47vUhxRjrAWpv+J0OlptUIpRiLv,iv:7x+dTHtSbcc47X/ZGz/bcnOxkGDDBu33ZgNrOD1FwDA=,tag:B6s1Jt1KFCitya9oAKvp9w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYlgxeXQzNmtEZXZXNytp\nTnRTRi9nRHJ2bEdPVGhPMzdMY1lPOUpGckFFCkJkL3BVSWlIZ1dBVUliemFWNXl4\ndU9DamhTRUp0aGVwamhWUUZJd3dUREkKLS0tIFNkaGNzc1R5aGxxZWV2QytaRFIw\ndC81MDR5SUlESnNQRlhuR3doTWhYL28KMIMs9mPwVuFr5cEvO6goqf3zQALSO5BB\nrY0C8TfkHLvV57999U9kfyLO7Sm0R/RGS4IinQSCRQWEeR+qLxnEWQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-25T16:43:40Z",
+		"mac": "ENC[AES256_GCM,data:dZJc0aqSD7dhe4Egih3z8QHIbwYDCGYU0DaOczkqHd/yMdcVNrNrcIR6yshArqCLl9jj5Zw3fIO75X09mvuvUCyszbjQyzSmTACp7K3skHuDRJ/yh5vaw6XNeJ3w26Dimfd0WfL1XC519DW532icrDiy2lCZ1qdcYwpqQUBKM/Q=,iv:4vx48jXxKLDOKfK6yYJWW28UaKl+EyqjeRAzV0WayEk=,tag:oO4cAVAv7N5aDAmK5V84mw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+P8Y3rBJAAI2orY71hRSpCAJo/x4CUColQZf9xK4ZgYQ3\neW/15avJVso26mYiZJsTPaEczJ89igYKDrf8Ewi8NNNTmse/BO+BG8KX13QOSWKb\ngiRXMl6zpQwH/cmCXvUrDczjcUaG3vMpcWClfd3lfjEStVEzNB+OKCuRLxhKGYPn\n3HZ3Ypa97ei8uHMKbnloGigUouVKVCCLIqyrJCybQ2+UkOMzcMJpO96RMooWQOUJ\nU+0rLS2s3r8UnwQjEcedEITlmiTlZkTrUnUylcc22v3yVJh3UExCcoVWShqPUE2j\nJv667rq1EblbIzn/8vyMXxOoSYmrLJ+hgh6OXio5bbMUwd/7m6Zz2jEeTXbJi20/\nEl2V0Lu4pTWXhXxh+Y0MIdh2tHMGGWmHBk650e0M/JbnchxK5+9GblWkfzMV8scX\nPpDScHH+cqNPIsvtq/aYGSv5o2u5JfndEuW16cWU99mgYvX7rwwbRbI1zWVX5o9o\nQ6dqJGZEbtE0QilOKxiI0lYBTrDySzaWLTAngd3myVMvFBQ/K6VL7mXwJvDYgOcJ\nxHIExrd191e5eLr5MGQAzXaVietENN27aEDPw5WV9bmXoAKp/4muJnfOB/wBSjCw\nlutnbF0yLg==\n=MqvI\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//UvOmGlNKLrRg5fXmc/paHF7YVFCGuBa0epuiVsVkS6NX\nQoa57oBJS0y22/dh/fb8Nu7/bMpa9XpPwfgzqhi7+5V/y51lvAIKmrYqNTnGdKB1\na9aiX0yxK0d5Yh0RK+9/2Q+369152mZXx+9Oj3SM8396bcfvTFX4jbhGdnKPqalW\nB1OO8HfYFAu4yl11uVD5cHSdhvXKJOa/GZPkb3TK2kicUdNX3HnZJ3PPGrkOy2EU\nuwFOIVIdNp2MUDFW+V2Nso/NiGcR96uKk5ZhGJaYrXjDDMNHyoLWc0d8wEg3n1Vw\nXOSNLmkSFY39ExKRWu8sijSyZIYN+Ul4t4WdO1Puop01xGTfAkYVQOLC+H4unu3q\ngboyNZCSuZXgG02B8ph/tLlAQ78d70YAf0nxkvzQB6TTNfQ4nyp8QnUJDkwaAnvl\nxDqDDhJBjlfIpqNLT23caKqgt1hSLv3Gcb486D8ZC+6nNuefCsxop82FaUMvL1uf\nWPMcAxMyv4REO8l9V5CDn1+6i+iPyN/Mo+hpwco+sYNZMlSs9PcNKILWZg1gv6q1\nU04IyEPym9VkI1jFte4dsljlp3C2R+l1Ikv5OB6dNpnnMVnTgkDwE0vqvsSTIwbS\nYvFoWBAsRlHMFLLfA6QjRyZpWemHBjrpaqBbIJEkZQnKM1IWdIg6cGOx+mFo1MzS\nVgEePpJj/PECZpH9PQPlv/FrkHa7zC/Fi0BOPposmuQgOUTq3sA5TLYNqPOH2Yn9\nHeQCGXpIeM08Pa3BOQRWDYM2vZPZpf3cBB7VK9zmcGEdE3NZxoBG\n=p1XC\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}
--- a/machines/fanny/secrets/ssh_host_ed25519_key.pub
+++ b/machines/fanny/secrets/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc root@fanny
--- a/machines/hosts.nix
+++ b/machines/hosts.nix
@@ -0,0 +1,83 @@
+{ ... }:
+
+{
+  malobeo = {
+    hosts = {
+      louise = {
+        type = "host";
+      };
+
+      bakunin = {
+        type = "host";
+      };
+
+      fanny = {
+        type = "host";
+      };
+
+      lucia = {
+        type = "rpi";
+      };
+
+      durruti = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.5";
+          mac = "52:DA:0D:F9:EF:F9";
+        };
+      };
+
+      vpn = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.10";
+          mac = "D0:E5:CA:F0:D7:E6";
+        };
+      };
+
+      infradocs = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.11";
+          mac = "D0:E5:CA:F0:D7:E7";
+        };
+      };
+
+      uptimekuma = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.12";
+          mac = "D0:E5:CA:F0:D7:E8";
+        };
+      };
+
+      nextcloud = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.13";
+          mac = "D0:E5:CA:F0:D7:E9";
+        };
+      };
+
+      overwatch = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.14";
+          mac = "D0:E5:CA:F0:D7:E0";
+        };
+      };
+
+      zineshop = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.15";
+          mac = "D0:E5:CA:F0:D7:F1";
+        };
+      };
+
+      testvm = {
+        type = "host";
+      };
+    };
+  };
+}
--- a/machines/infradocs/configuration.nix
+++ b/machines/infradocs/configuration.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, ... }:
+{ self, config, lib, pkgs, inputs, ... }:

 with lib;

@@ -6,15 +6,22 @@ with lib;
  networking = {
    hostName = mkDefault "infradocs";
    useDHCP = false;
-    nameservers = [ "1.1.1.1" ];
  };

  imports = [
+    inputs.malobeo.nixosModules.malobeo.metrics
    ../durruti/documentation.nix
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
  ];

+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
  system.stateVersion = "22.11"; # Did you read the comment?
 }

--- a/machines/louise/configuration.nix
+++ b/machines/louise/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:

 {
  imports =
@@ -9,6 +9,7 @@
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.printing
    ];

  malobeo.autoUpdate = {
@@ -35,7 +36,7 @@
      libreoffice
      gimp
      inkscape
-      okular
+      kdePackages.okular
      element-desktop
      chromium
      mpv
@@ -50,6 +51,8 @@
  };

  services.printing.enable = true;
+  services.malobeo.printing.enable = true;
+
  services.printing.drivers = [
    (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
    pkgs.gutenprint
--- a/machines/lucia/configuration.nix
+++ b/machines/lucia/configuration.nix
@@ -6,6 +6,7 @@ in
 {
  imports =
    [ # Include the results of the hardware scan.
+      ./hardware_configuration.nix
      ../modules/malobeo_user.nix
    ];

@@ -34,7 +35,6 @@ in
  services = {

  dokuwiki.sites."wiki.malobeo.org" = {
-    enable = true;
        #acl = "* @ALL 8";  # everyone can edit using this config
    # note there is a users file at
    # /var/lib/dokuwiki/<wiki-name>/users.auth.php
--- a/machines/lucia/dummy.yaml
+++ b/machines/lucia/dummy.yaml
@@ -0,0 +1,70 @@
+hello: ENC[AES256_GCM,data:ehp7eckur8THsbnSUcFYobA2SVDORUpqBcPTWC6/EvunlZbihaJoDoSfSh4Itg==,iv:nEHRg9TfYVdmJgrBs62Tek/3JhwFz8BMKHph4ThUqA8=,tag:1h2DSiOk4khxhRc7YX9ljg==,type:str]
+njala_api_key: ENC[AES256_GCM,data:vGH79aN2m1rZ0278ydoCQ0U5393HL0AZlajTVWcRbD+/V7QREN7ROW2LrdVK95I0cxobmJQ=,iv:vMpFTwWkC0R1/J9fZaks7c0G1Vj64/ryRkN5EgpWCdU=,tag:g2MJADBrJYTbmj2bhUQ8UA==,type:str]
+wireguard_private: ENC[AES256_GCM,data:T4c0qdFZdrwRU9i+nzAdg4ePEVXyeG4e/zNyn8G9Kd//Fwu1woNhQiyDuAo=,iv:VGPCSeU+RqjUdUlLA+RaCXQZK6AMdE4BwOdxM3whwaM=,tag:pXOwj3zxuFRpv2TInjISuw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU0lpUjBadHc2c1lPMUtv
+            dmtqRTd0OEd6TnJrQjJaaFFaMjQ0MWlONEJZClBrdVNMb2xhK2RXRzlmN2dmTzZk
+            SStWSzVGbWdqNEFpMnc3RFdpYWNEcTQKLS0tIDY0SlBvcmJ5RjFKTHQyN3lpSEZ2
+            Z3hTOHN2VWVPMENVS1YzR0Z6Y0MxZmMKf0K43yWL7DE15wqEWb6Z0xsQ3nb1Ybyi
+            0gKxb3hTeoWJnJug3hWyeAJvAJ4pzaA5v8PonnSIJK4UxBUnr+5nGw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIa0pnOGFlYU5OenJvWGhl
+            TjFhU0NyWmprRDY3ZWIrRHdmSVBMS3pER3dZCmVQdlVYQ0pFRTBwZXQ1Z1V5ODVK
+            dkREdEpsYk1MMm5kZU1hUEJYRWZDVjAKLS0tIHdsUjJTaURjaGErclJadTF0clhh
+            aStSbDZ6NWtFZ2NrNHY1a29DTmo4bGcKfZZjFA2j5RgMf0crK8TV67iVizzmXvBR
+            6tePJuCePnNDOoZ7WV5YThxYOPSTI1QvfEvcC1qo7l3Kca9jdkkfbQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:46:57Z"
+    mac: ENC[AES256_GCM,data:GIRj11bDZi38RobJvGoOf5geN42gaGk3294EvB21M/Y+lAsDOUUUbU1fQbBPRUsYvA/lyuHMQWRORTdy0LdjN9ejzwcuev8+j4i6A1zwPSmjIL2+Jp2pBqQj0F6th27hECJlh0wK3vU/aNcccRJP9kEgRME+7FS5uYw9r+ZPJWk=,iv:CUgdVr1b3O4niYTSFokA9uWR3ceiU+6qo+3N+K1BZ3Q=,tag:AERU8MZWHqVsZ+zbT27WIg==,type:str]
+    pgp:
+        - created_at: "2025-01-19T22:46:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAqm3KeXNDFMwVoz9qIIqtNHR+KIcdvdRTlG0GA5BEBiHp
+            hSGkyK/Ni3GGX0WYU5Cf85Id/eEoxqDqDd9kX6MSZK3LBnH+hFy4JiSPENVpmwfQ
+            eONaMwdfwI+/5ZfquVj/AApTXZ8ENhdBzLTuAfIa2hGPDwwkajzkVIg18TZOvKG6
+            f2wiEpnSOVHKnPcGhI1dGxN9TqqN74IUoPhThRzQ79l9RcTEZVClos9IPOhaPfk0
+            TvcBQez3G5Mn8W+s7kg4rl7g6XRZqjcaOuNwopB0x+Dx+alZExsTR6A+1Gf+29a+
+            ELwQYg2mkKUi48vrcKXxz+OMhW7V7wuXQIjLP4jULc7LI3ShRP8z4QKy7asOVRBh
+            XPjxRJ2RcTtEHYUoW3guzoZGSiPW/ex2fcupwaSRDG2GQ/ImiB5dmXSaG2va1MbX
+            z93Ej7Gy2IURglWCK29v4mJiqtDzq8/GNztT7zezHxyUAjjuJ59qXzFF/MQPibxY
+            p3dTfkNNrTqrCQnrFa8k0lgBtKmvz/HO3eCguXVMNgOt+BmfZbJqq+AD8HKYNxaM
+            W0A+9WRmYXcOEUqfaoX9IE9LhgqDd/xgpW4CujUZrXRYgf4IokSm/MFAD/ZnoxKm
+            n2My3wf5PCNd
+            =oUOe
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T22:46:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ/9HD1muIaf8us6XE5hGfrXuy5axFeJNBtc8igo/OP3jCam
+            M2pjwDNIX3EjsgrK2WYo43Xt7aHW5bqnP+d1faLXJ3I0cMia3XxSLmaKswQRrBSi
+            P00ew43kBSx0Smwixf5zCSCzBpWrtOXI8monO8xYLtRnSpfKBf/4kc2gQiuAxByd
+            fxdE/x1et0XXiK038KgHMnYdOIvMTGcpymoSDHk0bDw+ruBqG93cmzOkT4Oc5CsF
+            oeFN83ku1cGFQr58hUhJ1q5eUTK/lDEVYElGJ2n0pGxThYyrUz3SIzZu3Jbxgs/Q
+            2Xok4KsNPEbY2VKz/d3nrwbg2S3VF/CHl9sKxoFK8g3WcEE+HO7BFqvz901H+aUJ
+            5mN7stKSs5pViDHusv3Kv2+eT2fPJ4lPU2IEvXkCt3jjB/G0UDz+t6Qn1Wr8PPcO
+            8u+QafpILgYTK7QOF88GYstq8iWOWHlN9VKFYfqHMGWkrMtnGRWCbXsNmg7lKh6D
+            MtdvROsESVDKtydZwBpoQ4ILLROhkoL+eOMzFOgc/i4PWFlva2RBuRnZQNlieq/R
+            9aYpGsZbD+YYGjQKhlwwakpWK5XOoqqSh6Fv6Qzonu2Y++Zf9c9zpe+LINlUhxEY
+            AA1YnxbqvVJCqoBuq5avAd0fivhFDes0OmR7jLZzluotgwUePwBOVGo5l2ow/03S
+            WAGO2443OWOfbmTi/mq1C/8It1WAkC70XSQbff9pHLd4pRA6XgjMXbJ8+5X0FXRM
+            H5nWOAaO4Dp6SnccT3Q9zytkm+lXdJL6Rou3PkmP4JBvU535bNv5a3k=
+            =732R
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/modules/KOC658UX.ppd
+++ b/machines/modules/KOC658UX.ppd
--- a/machines/modules/disko/btrfs-laptop.nix
+++ b/machines/modules/disko/btrfs-laptop.nix
@@ -1,63 +0,0 @@
-{ config, self, inputs, ... }:
-
-{
-  imports = [
-    inputs.disko.nixosModules.disko
-  ];
-
-  # https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
-  disko.devices = {
-    disk = {
-      main = {
-        type = "disk";
-        # When using disko-install, we will overwrite this value from the commandline
-        device = "/dev/disk/by-id/some-disk-id";
-        content = {
-          type = "gpt";
-          partitions = {
-            ESP = {
-              size = "512M";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-                mountOptions = [ "umask=0077" ];
-              };
-            };
-            luks = {
-              size = "100%";
-              content = {
-                type = "luks";
-                name = "crypted";
-                passwordFile = /tmp/secret.key; # Interactive
-                content = {
-                  type = "btrfs";
-                  extraArgs = [ "-f" ];
-                  subvolumes = {
-                    "/root" = {
-                      mountpoint = "/";
-                      mountOptions = [ "compress=zstd" "noatime" ];
-                    };
-                    "/home" = {
-                      mountpoint = "/home";
-                      mountOptions = [ "compress=zstd" "noatime" ];
-                    };
-                    "/nix" = {
-                      mountpoint = "/nix";
-                      mountOptions = [ "compress=zstd" "noatime" ];
-                    };
-                    "/swap" = {
-                      mountpoint = "/.swapvol";
-                      swap.swapfile.size = "20M";
-                    };
-                  };
-                };
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -102,7 +102,7 @@ in
                    mountOptions = [ "umask=0077" ];
                  };
                };
-                encryptedSwap = {
+                encryptedSwap = lib.mkIf cfg.encryption {
                  size = cfg.root.swap;
                  content =  {
                    type = "swap";
@@ -252,6 +252,11 @@ in
              mountpoint = "/data";
              options.mountpoint = "legacy";
            };
+            "encrypted/data/microvms" = {
+              type = "zfs_fs";
+              mountpoint = "/data/microvms";
+              options.mountpoint = "legacy";
+            };
            reserved = {
              # for cow delete if pool is full
              options = {
--- a/machines/modules/host_builder.nix
+++ b/machines/modules/host_builder.nix
@@ -0,0 +1,258 @@
+{ self
+, nixpkgs-unstable
+, nixpkgs
+, sops-nix
+, inputs
+, hosts
+, ...
+}:
+let
+  pkgs = nixpkgs.legacyPackages."x86_64-linux";
+in
+rec {
+  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+  nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem;
+
+  baseModules = [
+    # make flake inputs accessiable in NixOS
+    { _module.args.inputs = inputs; }
+    {
+      imports = [
+        ({ pkgs, ... }: {
+          nix = {
+            extraOptions = ''
+              experimental-features = nix-command flakes
+            '';
+
+            settings = {
+              substituters = [
+                "https://cache.dynamicdiscord.de"
+                "https://cache.nixos.org/"
+              ];
+              trusted-public-keys = [
+                "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4="
+              ];
+              trusted-users = [ "root" "@wheel" ];
+            };
+          };
+        })
+
+        sops-nix.nixosModules.sops
+      ];
+    }
+  ];
+  defaultModules = baseModules;
+
+  makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
+    {
+      microvm = {
+        hypervisor = "cloud-hypervisor";
+        mem = 2560;
+        shares = [
+          {
+            source = "/nix/store";
+            mountPoint = "/nix/.ro-store";
+            tag = "store";
+            proto = "virtiofs";
+            socket = "store.socket";
+          }
+          {
+            source = "/var/lib/microvms/${hostName}/etc";
+            mountPoint = "/etc";
+            tag = "etc";
+            proto = "virtiofs";
+            socket = "etc.socket";
+          }
+          {
+            source = "/var/lib/microvms/${hostName}/var";
+            mountPoint = "/var";
+            tag = "var";
+            proto = "virtiofs";
+            socket = "var.socket";
+          }
+          {
+            source = "/var/lib/microvms/data/${hostName}";
+            mountPoint = "/data";
+            tag = "data";
+            proto = "virtiofs";
+            socket = "microdata.socket";
+          }
+        ];
+
+        interfaces = [
+          {
+            type = "tap";
+            id = "vm-${hostName}";
+            mac = "${macAddr}";
+          }
+        ];
+      };
+
+      systemd.network.enable = true;
+      
+      systemd.network.networks."20-lan" = {
+        matchConfig.Type = "ether";
+        networkConfig = {
+          Address = [ "${ipv4Addr}/24" ];
+          Gateway = "10.0.0.1";
+          DNS = ["1.1.1.1"];
+          DHCP = "no";
+        };
+      };
+    }
+  ] ++ defaultModules ++ modules;
+
+  inputsMod = inputs // { malobeo = self; };
+
+
+  vmMicroVMOverwrites = hostname: options: {
+    microvm = rec {
+      mem = pkgs.lib.mkForce 4096;
+      hypervisor = pkgs.lib.mkForce "qemu";
+      socket = pkgs.lib.mkForce null;
+
+
+      #needed for hosts that deploy imperative microvms (for example fanny)
+      writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store";
+      volumes = pkgs.lib.mkIf options.writableStore [ {
+        image = "nix-store-overlay.img";
+        mountPoint = writableStoreOverlay;
+        size = 2048;
+      } ];
+
+      shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [
+        {
+          tag = "ro-store";
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+        }
+      ] ++ pkgs.lib.optionals (options.varPath != "") [
+        {
+          source = "${options.varPath}";
+          securityModel = "mapped";
+          mountPoint = "/var";
+          tag = "var";
+        }
+      ] ++ pkgs.lib.optionals (options.dataPath != "") [
+        {
+          source = "${options.dataPath}";
+          securityModel = "mapped";
+          mountPoint = "/data";
+          tag = "data";
+        }
+      ]);
+
+      interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
+        type = "user";
+        id = "eth0";
+        mac = "02:23:de:ad:be:ef";
+      }]);
+
+      #if networking is disabled forward port 80 to still have access to webservices
+      forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [
+        { from = "host"; host.port = options.fwdPort; guest.port = 80; }
+      ]);
+
+    };
+
+    fileSystems = {
+      "/".fsType = pkgs.lib.mkForce "tmpfs";
+
+      # prometheus uses a memory mapped file which doesnt seem supported by 9p shares
+      # therefore we mount a tmpfs inside the datadir
+      "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce {
+        fsType = pkgs.lib.mkForce "tmpfs";
+      });
+    };
+
+    boot.isContainer = pkgs.lib.mkForce false;
+    services.timesyncd.enable = false;
+    users.users.root.password = "";
+    services.getty.helpLine = ''
+      Log in as "root" with an empty password.
+      Use "reboot" to shut qemu down.
+    '';
+  };
+
+  vmDiskoOverwrites = {
+    boot.initrd = {
+      secrets = pkgs.lib.mkForce {};
+      network.ssh.enable = pkgs.lib.mkForce false;
+    };
+
+    malobeo.disks.enable = pkgs.lib.mkForce false;
+    networking.hostId = "a3c3101f";
+  };
+
+  vmSopsOverwrites = host: {
+    sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml;
+
+    environment.etc = {
+      devHostKey = {
+        source = ../secrets/devkey_ed25519;
+        mode = "0600";
+      };
+    };
+
+    services.openssh.hostKeys = [{
+      path = "/etc/devHostKey";
+      type = "ed25519";
+    }];
+  };
+
+  vmNestedMicroVMOverwrites = host: sopsDummy: {
+
+    microvm.vms = pkgs.lib.mkForce (
+    let
+      # Map the values to each hostname to then generate an Attrset using listToAttrs
+      mapperFunc = name: { inherit name; value = {
+        specialArgs.inputs = inputsMod;
+        specialArgs.self = self;
+        config = {
+          imports = (makeMicroVM "${name}" 
+                                 "${hosts.malobeo.hosts.${name}.network.address}"
+                                 "${hosts.malobeo.hosts.${name}.network.mac}" [
+            ../${name}/configuration.nix     
+            (vmMicroVMOverwrites name { 
+              withNetworking = true; 
+              varPath = ""; 
+              dataPath = "";
+              writableStore = false; })
+            (if sopsDummy then (vmSopsOverwrites name) else {})
+          ]);
+        };
+      }; };
+    in
+    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts));
+  };
+
+  buildVM = host: networking: sopsDummy: disableDisko: varPath: dataPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
+      modules = [
+          (vmMicroVMOverwrites host { 
+            withNetworking = networking; 
+            varPath = "${varPath}"; 
+            dataPath = "${dataPath}"; 
+            writableStore = writableStore;
+            fwdPort = fwdPort; })
+          (if sopsDummy then (vmSopsOverwrites host) else {})
+          (if disableDisko then vmDiskoOverwrites else {})
+        ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [
+          inputs.microvm.nixosModules.microvm
+        ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [
+          (vmNestedMicroVMOverwrites host sopsDummy)
+      ];
+    });
+
+  buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem {
+    system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux";
+    specialArgs.inputs = inputsMod;
+    specialArgs.self = self;
+    modules = (if (settings.type != "microvm") then
+      defaultModules ++ [ ../${host}/configuration.nix ]
+      else
+      makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [
+        inputs.microvm.nixosModules.microvm
+        ../${host}/configuration.nix
+      ]);
+  }) hosts);
+}
--- a/machines/modules/malobeo/backup.nix
+++ b/machines/modules/malobeo/backup.nix
@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let 
+  cfg = config.malobeo.backup;
+  hostToCommand = (hostname: datasetNames: 
+    (map (dataset:  { 
+      name = "${hostname}_${dataset.sourceDataset}";
+      value = { 
+        inherit hostname; 
+        inherit (dataset) sourceDataset targetDataset;
+      }; 
+    } ) datasetNames));
+  peers = import ./peers.nix;
+
+  enableSnapshots = cfg.snapshots != null;
+  enableBackups = cfg.hosts != null;
+in
+{
+  options.malobeo.backup = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable sanoid/syncoid based backup functionality";
+    };
+
+    snapshots = mkOption {
+      type = types.nullOr (types.listOf types.str);
+      default = null;
+      description = "Automatic snapshots will be created for the given datasets";
+    };
+
+    hosts = mkOption {
+      default = null;
+      type = types.nullOr (types.attrsOf (types.listOf (types.submodule {
+        options = {
+          sourceDataset = mkOption {
+            type = types.str;
+            description = "The source that needs to be backed up";
+          };
+          targetDataset = mkOption {
+            type = types.str;
+            description = "The target dataset where the backup should be stored";
+          };
+        };
+      })));
+      description = ''
+          Hostname with list of datasets to backup. This option should be defined on hosts that will store backups.
+
+          It is necessary to add the machines that get backed up to known hosts.
+          This can be done for example systemwide using 
+          programs.ssh.knownHosts."10.100.0.101" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc";
+          Or set it for the syncoid user directly.
+        '';
+    };
+
+    sshKey = mkOption {
+      default = null;
+      type = types.nullOr types.str;
+      description = "Set path to ssh key used for pull backups. Otherwise default key is used";
+    };
+  };
+  
+  config = mkIf (cfg.enable) {
+    services.sanoid = mkIf (enableSnapshots) {
+      enable = true;
+  
+      templates."default" = {
+        hourly = 24;
+        daily = 30; #keep 30 daily snapshots
+        monthly = 6; #keep 6 monthly backups
+        yearly = 0;
+  
+        autosnap = true; #take snapshots automatically
+        autoprune = true; #delete old snapshots
+      };
+  
+      datasets = builtins.listToAttrs (map (name: { inherit name; value = {
+        useTemplate = [ "default" ];
+        recursive = true;
+      }; }) cfg.snapshots);
+    };
+
+    services.syncoid = mkIf (enableBackups) {
+      enable = true;
+      sshKey = cfg.sshKey;
+  
+      commonArgs = [
+        "--no-sync-snap"
+      ];
+  
+      interval = "*-*-* 04:15:00";
+  
+      commands = builtins.mapAttrs (name: value: {
+        source = "backup@${peers.${value.hostname}.address}:${value.sourceDataset}";
+        target = "${value.targetDataset}";
+        sendOptions = "w";
+        recvOptions = "\"\"";
+        recursive = true;
+      })(builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs hostToCommand cfg.hosts))));
+    };
+  };
+}
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -56,7 +56,7 @@ in
          path = with pkgs; [ zfs ];
          serviceConfig.Type = "oneshot";
          script = ''
-            echo "systemctl default" >> /var/empty/.profile
+            echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
          '';
        };
      };
--- a/machines/modules/malobeo/metrics.nix
+++ b/machines/modules/malobeo/metrics.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+let 
+  cfg = config.malobeo.metrics;
+in
+{
+  options.malobeo.metrics = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable sharing metrics";
+    };
+    enablePromtail = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Enable sharing logs";
+    };
+    logNginx = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Share nginx logs";
+    };
+    lokiHost = lib.mkOption {
+      type = lib.types.str;
+      default = "10.0.0.14";
+      description = "Address of loki host";
+    };
+  };
+  
+  config = lib.mkIf (cfg.enable) {
+
+    networking.firewall.allowedTCPPorts = [ 9002 ];
+
+    services.prometheus = {
+      exporters = {
+        node = {
+          enable = true;
+          enabledCollectors = [ "systemd" "processes" ];
+          port = 9002;
+        };
+      };
+    };
+
+    services.promtail = {
+      enable = cfg.enablePromtail;
+      configFile = import ./promtail_config.nix { 
+        lokiAddress = cfg.lokiHost;
+        logNginx = cfg.logNginx;
+        config = config;
+        pkgs = pkgs;
+      };
+    };
+
+    users.users.promtail.extraGroups = [ "systemd-journal" ] ++ (lib.optionals cfg.logNginx [ "nginx" ]) ;
+
+  };
+}
--- a/machines/modules/malobeo/microvm_host.nix
+++ b/machines/modules/malobeo/microvm_host.nix
@@ -62,7 +62,7 @@ in
        addresses = if cfg.enableHostBridgeUnstable then [
          { Address = "10.0.0.1/24"; }
        ] else [
-          { addressConfig.Address = "10.0.0.1/24"; }
+          { Address = "10.0.0.1/24"; }
        ];
      };

@@ -102,6 +102,22 @@ in
          /run/current-system/sw/bin/microvm -Ru ${name}
        '';
      };
+
+      "microvm-init-dirs@${name}" = {
+        description = "Initialize microvm directories";
+        after = [ "zfs-mount.service" ];
+        wantedBy = [ "microvm@${name}.service" ];
+        unitConfig.ConditionPathExists = "!/var/lib/microvms/${name}/.is_initialized";
+        serviceConfig = {
+          Type = "oneshot";
+        };
+        script = ''
+          mkdir -p /var/lib/microvms/${name}/var
+          mkdir -p /var/lib/microvms/${name}/etc
+          mkdir -p /var/lib/microvms/data/${name}
+          touch /var/lib/microvms/${name}/.is_initialized
+        '';
+      };
    }) {} (cfg.deployHosts);

    systemd.timers = builtins.foldl' (timers: name: timers // {
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -2,7 +2,7 @@
  "vpn" = {
    role = "server";
    publicIp = "5.9.153.217";
-    address = [ "10.100.0.1/24" ];
+    address = "10.100.0.1";
    allowedIPs = [ "10.100.0.0/24" ];
    listenPort = 51821;
    publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -11,29 +11,51 @@

  "celine" = {
    role = "client";
-    address = [ "10.100.0.2/24" ];
+    address = "10.100.0.2";
    allowedIPs = [ "10.100.0.2/32" ];
    publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
  };

  "desktop" = {
    role = "client";
-    address = [ "10.100.0.3/24" ];
+    address = "10.100.0.3";
    allowedIPs = [ "10.100.0.3/32" ];
    publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
  };

  "atlan-pc" = {
    role = "client";
-    address = [ "10.100.0.5/24" ];
+    address = "10.100.0.5";
    allowedIPs = [ "10.100.0.5/32" ];
    publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
  };

+  "hetzner" = {
+    role = "client";
+    address = "10.100.0.6";
+    allowedIPs = [ "10.100.0.6/32" ];
+    publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
+  };
+
  "fanny" = {
    role = "client";
-    address = [ "10.100.0.101/24" ];
+    address = "10.100.0.101";
    allowedIPs = [ "10.100.0.101/32" ];
    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
  };
+
+  "fanny-initrd" = {
+    role = "client";
+    address = "10.100.0.102";
+    allowedIPs = [ "10.100.0.102/32" ];
+    #TODO: UPDATE
+    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
+  };
+
+  "backup0" = {
+    role = "client";
+    address = "10.100.0.20";
+    allowedIPs = [ "10.100.0.20/32" ];
+    publicKey = "Pp55Jg//jREzHdbbIqTXc9N7rnLZIFw904qh6NLrACE=";
+  };
 }
--- a/machines/modules/malobeo/printing.nix
+++ b/machines/modules/malobeo/printing.nix
@@ -0,0 +1,122 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let 
+  cfg = config.services.malobeo.printing;
+  driverFile = pkgs.writeTextDir "share/cups/model/konicaminoltac258.ppd" (builtins.readFile ../KOC658UX.ppd);
+
+  defaultPpdOptions = {
+    PageSize = "A4";
+    SelectColor = "Grayscale";
+    Finisher = "FS534";
+    SaddleUnit = "SD511";
+    Model = "C258";
+    InputSlot = "Tray1";
+    TextPureBlack = "On";
+    PhotoPureBlack = "On";
+    GraphicPureBlack = "On";
+  };
+
+in
+{
+  options.services.malobeo.printing = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Setup malobeo printers";
+    };
+  };
+  
+  config = mkIf (cfg.enable) {
+    services.printing.enable = true;
+    services.printing.drivers = [
+      driverFile
+    ];
+
+    hardware.printers.ensurePrinters = [ 
+      {
+        name = "KonicaDefault";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions;
+      }
+      {
+        name = "KonicaBooklet";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions // {
+          Fold = "Stitch";
+          Staple = "None";
+        };
+      }
+      {
+        name = "KonicaPostcard";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions // {
+          Fold = "None";
+          Staple = "None";
+          InputSlot = "BypassTray";
+          MediaType = "Thick4";
+          KMDuplex = "1Sided";
+        };
+      }
+    ];
+  };
+}
+
+/*
+ALL AVAILABE OPTIONS:
+
+PaperSources/Paper Source Unit: *None LU207 LU302 PC110 PC114 PC115 PC110+LU302 PC115+LU207 PC115+LU302 PC210 PC214 PC215 PC210+LU302 PC215+LU207 PC215+LU302 PC410 PC414 PC415 PC410+LU302 PC415+LU207 PC415+LU302
+Finisher/Finisher: None FS533 *FS534 JS506 FS536 FS537 FS537+JS602
+KOPunch/Punch Unit: *None PK519 PK519-3 PK519-4 PK519-SWE4 PK520 PK520-3 PK520-4 PK520-SWE4 PK523 PK523-3 PK523-4 PK523-SWE4
+ZFoldPunch/Z-Fold Unit: *None ZU609
+CoverSheetFeeder/Post Inserter: *None PI507
+SaddleUnit/Saddle Kit: None *SD511 SD512
+PrinterHDD/Hard Disk: None *HDD
+AdvancedFunctionCover/Advanced Function(Cover Mode): *Disable Enable
+Model/Model: C658 C558 C458 C368 C308 *C258 C287 C227 C266 C226
+Collate/Collate: False *True
+InputSlot/Paper Tray: AutoSelect *Tray1 Tray2 Tray3 Tray4 LCT ManualFeed
+MediaType/Paper Type: *Plain Plain(2nd) Thick1 Thick1(2nd) Thick1Plus Thick1Plus(2nd) Thick2 Thick2(2nd) Thick3 Thick3(2nd) Thick4 Thick4(2nd) Thin Envelope Transparency Color SingleSidedOnly TAB Letterhead Special Recycled Recycled(2nd) User1 User1(2nd) User2 User2(2nd) User3 User3(2nd) User4 User4(2nd) User5 User5(2nd) User6 User6(2nd) PrinterDefault UserCustomType1 UserCustomType1(2nd) UserCustomType2 UserCustomType2(2nd) UserCustomType3 UserCustomType3(2nd) UserCustomType4 UserCustomType4(2nd) UserCustomType5 UserCustomType5(2nd) UserCustomType6 UserCustomType6(2nd) UserCustomType7 UserCustomType7(2nd) UserCustomType8 UserCustomType8(2nd) UserCustomType9 UserCustomType9(2nd) UserCustomType10 UserCustomType10(2nd) UserCustomType11 UserCustomType11(2nd) UserCustomType12 UserCustomType12(2nd) UserCustomType13 UserCustomType13(2nd) UserCustomType14 UserCustomType14(2nd) UserCustomType15 UserCustomType15(2nd) UserCustomType16 UserCustomType16(2nd) UserCustomType17 UserCustomType17(2nd) UserCustomType18 UserCustomType18(2nd) UserCustomType19 UserCustomType19(2nd)
+PageSize/Paper Size: A3 *A4 A5 A6 B4 B5 B6 SRA3 220mmx330mm 12x18 Tabloid Legal Letter Statement 8x13 8.5x13 8.5x13.5 8.25x13 8.125x13.25 Executive 8K 16K EnvISOB5 EnvC4 EnvC5 EnvC6 EnvChou3 EnvChou4 EnvYou3 EnvYou4 EnvKaku1 EnvKaku2 EnvKaku3 EnvDL EnvMonarch Env10 JapanesePostCard 4x6_PostCard A3Extra A4Extra A5Extra B4Extra B5Extra TabloidExtra LetterExtra StatementExtra LetterTab-F A4Tab-F
+Offset/Offset: *False True
+OutputBin/Output Tray: *Default Tray1 Tray2 Tray3 Tray4
+Binding/Binding Position: *LeftBinding TopBinding RightBinding
+KMDuplex/Print Type: 1Sided *2Sided
+Combination/Combination: *None Booklet
+Staple/Staple: *None 1StapleAuto(Left) 1StapleZeroLeft 1Staple(Right) 2Staples
+Punch/Punch: *None 2holes 3holes 4holes
+Fold/Fold: None *Stitch HalfFold TriFold ZFold1 ZFold2
+FrontCoverPage/Front Cover: None *Printed Blank
+FrontCoverTray/Front Cover Tray: None Tray1 Tray2 Tray3 Tray4 LCT *BypassTray
+BackCoverPage/Back Cover: *None Printed Blank
+BackCoverTray/Back Cover Tray: *None Tray1 Tray2 Tray3 Tray4 LCT BypassTray
+PIFrontCover/Front Cover from Post Inserter: *None PITray1 PITray2
+PIBackCover/Back Cover from Post Inserter: *None PITray1 PITray2
+TransparencyInterleave/Transparency Interleave: *None Blank
+OHPOpTray/Interleave Tray: *None Tray1 Tray2 Tray3 Tray4 LCT
+WaitMode/Output Method: *None ProofMode
+SelectColor/Select Color: Auto Color *Grayscale
+GlossyMode/Glossy Mode: *False True
+OriginalImageType/Color Settings: *Document Photo DTP Web CAD
+AutoTrapping/Auto Trapping: *False True
+BlackOverPrint/Black Over Print: *Off Text TextGraphic
+TextColorMatching/Color Matching (Text): *Auto Vivid Photo Colorimetric
+TextPureBlack/Pure Black (Text): *Auto Off On
+TextScreen/Screen (Text): *Auto Gradation Resolution HighResolution
+PhotoColorMatching/Color Matching (Photo): *Auto Vivid Photo Colorimetric
+PhotoPureBlack/Pure Black (Photo): *Auto Off On
+PhotoScreen/Screen (Photo): *Auto Gradation Resolution HighResolution
+PhotoSmoothing/Smoothing (Photo): *Auto None Dark Medium Light
+GraphicColorMatching/Color Matching (Graphic): *Auto Vivid Photo Colorimetric
+GraphicPureBlack/Pure Black (Graphic): *Auto Off On
+GraphicScreen/Screen (Graphic): *Auto Gradation Resolution HighResolution
+GraphicSmoothing/Smoothing (Graphic): *Auto None Dark Medium Light
+TonerSave/Toner Save: *False True
+String4Pt/Edge Enhancement: *False True
+
+*/
--- a/machines/modules/malobeo/promtail_config.nix
+++ b/machines/modules/malobeo/promtail_config.nix
@@ -0,0 +1,49 @@
+{ logNginx, lokiAddress, config, pkgs, ... }:
+
+let
+  basecfg = ''
+    server:
+      http_listen_port: 9080
+      grpc_listen_port: 0
+    
+    positions:
+      filename: /tmp/positions.yaml
+    
+    clients:
+      - url: http://${lokiAddress}:3100/loki/api/v1/push
+  '';
+
+  withNginx = ''
+    scrape_configs:
+      - job_name: journal
+        journal:
+          max_age: 12h
+          labels:
+            job: systemd-journal
+            host: ${config.networking.hostName}
+        relabel_configs:
+          - source_labels: ["__journal__systemd_unit"]
+            target_label: "unit"
+      - job_name: nginx
+        static_configs:
+        - targets:
+            - localhost
+          labels:
+            job: nginx
+            __path__: /var/log/nginx/*log
+  '';
+
+  withoutNginx = ''
+    scrape_configs:
+      - job_name: journal
+        journal:
+          max_age: 12h
+          labels:
+            job: systemd-journal
+            host: ${config.networking.hostName}
+        relabel_configs:
+          - source_labels: ["__journal__systemd_unit"]
+            target_label: "unit"
+  '';
+in
+pkgs.writeText "promtailcfg.yaml" (if logNginx then ''${basecfg}${withNginx}'' else ''${basecfg}${withoutNginx}'')
--- a/machines/modules/malobeo/users.nix
+++ b/machines/modules/malobeo/users.nix
@@ -0,0 +1,101 @@
+{config, lib, pkgs, inputs, ...}:
+let 
+  cfg = config.malobeo.users;
+  sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
+  inherit (config.networking) hostName; 
+in
+{
+  options.malobeo.users = {
+    malobeo = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable malobeo user, defaults to on, ";
+    };
+    admin = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable admin user, defaults to on to prevent lockouts, passwordless sudo access";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "enable backup user, ";
+    };
+  };
+  config = lib.mkMerge [
+    (lib.mkIf cfg.malobeo {
+      users.users.malobeo = {
+        isNormalUser = true;
+        description = "malobeo user, password and ssh access, no root";
+        extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
+        openssh.authorizedKeys.keys = sshKeys.admins;
+        hashedPassword = "$y$j9T$39oJwpbFDeETiyi9TjZ/2.$olUdnIIABp5TQSOzoysuEsomn2XPyzwVlM91ZsEkIz1";
+      };
+      environment.systemPackages = with pkgs; [];
+    })
+    (lib.mkIf cfg.admin {
+      users.users.admin = {
+        isNormalUser = true;
+        description = "admin user, passwordless sudo access, only ssh";
+        hashedPassword = null;
+        openssh.authorizedKeys.keys = sshKeys.admins;
+        extraGroups = [ "networkmanager" ];
+      };
+      environment.systemPackages = with pkgs; [];
+      nix.settings.trusted-users = [ "admin" ];
+      security.sudo.extraRules = [
+        {
+          users = [ "admin" ];
+          commands = [
+            {
+              command = "ALL";
+              options = [ "NOPASSWD" ];
+            }
+          ];
+        }
+      ];
+    })
+    (lib.mkIf cfg.backup {
+      users.users.backup = {
+        isNormalUser = true;
+        hashedPassword = null;
+        openssh.authorizedKeys.keys = sshKeys.backup;
+        description = "backup user for pull style backups, can only use zfs commands";
+      };
+      environment.systemPackages = with pkgs; [];
+      security.sudo.extraRules = [
+        {
+          users = [ "backup" ];
+          commands = [
+            {
+              command = "/run/current-system/sw/bin/zfs";
+              options = [ "NOPASSWD" ];
+            }
+            {
+              command = "/run/current-system/sw/bin/zpool";
+              options = [ "NOPASSWD" ];
+            }
+          ];
+        }
+      ];
+    })
+    {
+      users.mutableUsers = false;
+      services.openssh.hostKeys = [
+        {
+          path = "/etc/ssh/${hostName}";
+          type = "ssh-ed25519"; 
+        }
+      ];
+      sops.age.sshKeyPaths = [ "/etc/ssh/${hostName}" ];
+      environment.systemPackages = with pkgs; [
+        nix-output-monitor
+        vim
+        htop
+        wget
+        git
+        pciutils
+      ];
+    }
+  ];
+}
--- a/machines/modules/malobeo/wireguard.nix
+++ b/machines/modules/malobeo/wireguard.nix
@@ -70,7 +70,7 @@ in
      interfaces = {
        malovpn = {
          mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
-          address = myPeer.address;
+          address = [ "${myPeer.address}/24" ];
          autostart = cfg.autostart;
          listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;

--- a/machines/nextcloud/configuration.nix
+++ b/machines/nextcloud/configuration.nix
@@ -0,0 +1,78 @@
+{ config, self, lib, pkgs,  ... }:
+
+with lib;
+
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    nextcloudAdminPass = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+
+  networking = {
+    hostName = mkDefault "nextcloud";
+    useDHCP = false;
+  };
+
+  imports = [
+    self.nixosModules.malobeo.metrics
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ../modules/minimal_tools.nix
+    ../modules/autoupdate.nix
+  ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud31;
+    hostName = "cloud.malobeo.org";
+    config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
+    maxUploadSize = "10G";
+    datadir = "/data/services/nextcloud/";
+    database.createLocally = true;
+    config.dbtype = "pgsql";
+    configureRedis = true;
+    caching = {
+      redis = true;
+      apcu = true;
+    };
+    extraAppsEnable = true;
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
+      appointments = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
+        url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
+        license = "agpl3Plus";
+      };
+      deck = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-1sqDmJpM9SffMY2aaxwzqntdjdcUaRySyaUDv9VHuiE=";
+        url = "https://link.storjshare.io/raw/jw7pf6gct34j3pcqvlq6ddasvdwq/mal/deck.tar.gz";
+        license = "agpl3Plus";
+      };
+    };
+    settings = {
+      trusted_domains = ["10.0.0.13"];
+      trusted_proxies = [ "10.0.0.1" ];
+      "maintenance_window_start" = "1";
+      "default_phone_region" = "DE";
+    };
+    phpOptions = {
+      "realpath_cache_size" = "0";
+      "opcache.interned_strings_buffer" = "32";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/machines/nextcloud/dummy.yaml
+++ b/machines/nextcloud/dummy.yaml
@@ -0,0 +1,68 @@
+nextcloudAdminPass: ENC[AES256_GCM,data:4GvCg7g=,iv:3m2Vh86WzrVR7BG0xlNwRE9ebIGLWbVdcxoYC9x7dXo=,tag:t2bWTVlw9rHSVnkXW8ZTFQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbTYrcUV3Wk0xSDM1Mm0w
+            TkoxZHBFUXFBSC80YzkwV3paWGpRaFY2WndZClh1c0xmNWpWMjFXOS9OYU9OU2Mx
+            c3NEREczaDkvNC90eERwb0RKUlNZemsKLS0tIEp1VWZISXZoWFNuRC9mVE1JUmc3
+            bUNFd2dyRGludFQ3MzdiRzFTcXUwWlkKFGd8Uvfu2W1LejgQFpF162JnVmfPxAuX
+            IQ3oopYXUBM3QqCXGLTY3DBffD4WZ4AXyGLsfUtwn3kcvjQ85ewidw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraEtDblNxMGY0NlhzcDdM
+            RFo2VGI1UFE4eVdZdDZ5ZTNKRUFCRWFHOWdBCkRBaGk2WmYxK2ovbHQrSGl3akVp
+            TUhxck83Q1NVQy9VU0lXOEVraGtOZ1UKLS0tIDYxS0hHSW1nZW9hOTFJNCtheU1x
+            ZXk2b1RVd1FoYk4xTGxKQ1cxZmVJalkKkC5XckyrgwfqaeVq+OjNCzAtKKiCf7Q9
+            sC9ZMlPoOAm8xpLEpWgNooOBa04YsDEe9XgN8S0HrVxt/NHlnS5+ow==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:23:37Z"
+    mac: ENC[AES256_GCM,data:ZVMA4qgliSASQ0LtuedU4pybVwJA0x4vdSlOspsTF22s9DjRbG2tA7PpxTqDBGliBqS4w5J6Rqp3OSF7zddZ23GOz72sOZv0WY5YGeYxIltT7RWSMRkhkwXoM8Pf3BOYCZ4Gy8zaMVnbwbhHZ9LZI6wulh19SDKBV965moUW+Z0=,iv:tmz8C1kGUZq8gfzTHoaU/8RfrT5ohLqA11H42l7TEv0=,tag:E3AV6t2bbKASeVI2G3kNYA==,type:str]
+    pgp:
+        - created_at: "2025-01-19T22:23:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAsbbUEzSg7iETqT40w/+qjJ+iuHUeeZ+NFMPVVedbLuZX
+            /gPPSJ3JSx3wxJke+QPX/OUiRxXwGBZ5yg7CDoc+RrrdaavazuOUGISL38KPQiin
+            TmUq4nY6nWjMqHPSaQ+NiGxRpIErCQCUx6YEdi4YgHhf9J4KEg0f7ueR5wWlfzx4
+            c7pXkEubFpPy4v45mh8sYXOQTa2yt2keprJ6iqmfL/HKnCJf1TBFxJAvwnPuKDfe
+            npvE4Pk5hcoKjFQNsqpnz7Etc8XfAYXSCXSLKfSaZNSeXQRhE1lHLH9OPnC46li7
+            Dw6SPW0/4MTJrg08JvrNeogQ1QohLT4mkfAnASVUUeGFaF7UhztVoodqMsG8kuhD
+            LtmYv625h3j/QqshpFPGe8nJG1DziE4YHngxvgToIC+6+Q2x47ciulpimlpt6b6w
+            s+mGEVlJLSoJMd9jwE53PMXteBYKWgSEL7osj1V5KIJDFSgwfjYEngCkuyxjf8e3
+            uYxb1WEadSyLhW8xnoyE0lYB6WI8m6j2Ls9TFG7kKtQqrnVSZd2nsKk/5wPVIAXO
+            nrMtb4Q88PLM1eusiLgCs592owKHoWVYqBRpi79EBlnGZwmTfDQzTsQlL7aQCbIo
+            kBI1swNH3g==
+            =K/IK
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T22:23:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ/7BGOQn8xVX9IOFHnUXKdiw/+fcXHu0L7CLuhcEfpZRJNI
+            vIbztLTH5gT59SkS07cIEcYWqERO+gjK6pZLCxmYO/c15YDWCv1PtS4YHZAET+ow
+            YHzBTZDq2k+pV/cTbUtJgGYOxuqkqUtflyGZSQM+NjSXu4In83u+nwkEaKSxcaWt
+            q9rrYVkBUiika2FYtyehoCoDuyJzNmfGhZ9CPJaUzrSzuRLQZy6Hdg8TDPTzGqi4
+            awo53eOdsEpNu1AQ5rnJ19RFLU63IQlwEnApnXZZ+AX8J2//KgLOcAqjo5skJuN1
+            EJBh4DjfmOdCCN3uRccNiDn9YYrPP5Jl3jfnkMUQ2gVEE/c5ib84hvjc+y9Eh1jJ
+            s2JqhfX+ccV5kuva1q1CuTUCHQVEKahJAvghl77JQjtUY6Lf+5QLeKbchUnwxaIN
+            v6MwZmdCwBJOS40SnA+Ft2g9psho4MIPXtu4DR4t5VWvhrmw2cl7TCffQslWETxE
+            267PHQegcO40skEOYwkLSv7PWycL3YUg/EfPuElAobqlM45UQA/lcC5seV0WvEPB
+            Lj+Pk8stY3LZ5wpblmmA72PyJhTq7ghsPvxlyRByHIS8v94gu5Zasbi63WGmxgPA
+            mt/M/HIQEf2XOOKuJnGJ3yDwLTAHAgFa0jlIgvt4gkuhm5ibcHLmedBh4ecRNfDS
+            VgFA4UwqUKN1XYTWOvT1vlxE9UE+dgVO0QNMX8yw1ivmL2eyPUk8HtIpKbuDLFIC
+            iKwHMtUIW/q7UPmfKLRbDumimG/290GXxN24ouiN8AR0dCXK9oor
+            =EsRn
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/nextcloud/secrets.yaml
+++ b/machines/nextcloud/secrets.yaml
@@ -0,0 +1,68 @@
+nextcloudAdminPass: ENC[AES256_GCM,data:es9hhtCcqBqPbV2L,iv:Kyq5kqao0uaMPs0GeRkJT9OWYSZfImBXngg51k0uQ0M=,tag:zN/u90/j4rmdo0HtY+cF9w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPT3ZxNEpRVktDWG9BR0Rv
+            ZUZQTkJwQ0pSblNvTkFOT3BBdjVaSzJhVzBvCnVWc2xRUjBnRFFXSDgxczRMSFMy
+            WFdaMGo4eE13b0RkZkphN2MvOUZtRmcKLS0tIDFHZU9tNjBNa0sveUYzN2dmYnM1
+            aDd0UlpMR3RNd3BDMmhqNmxhTFRoUlkK6Pni+cswKIU94WkP/fg5fzSmx/fhXjjl
+            mRG2o4ALCqcOxAxHBrKJppUCLjUgKG53wPF/jlIzkvbwHwnqVMfYsQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK2o2K2tPTFcvbXRkZ0lq
+            bS9ZOUc3dG1JeERZYVNsc3k3RjcxQ0RsdkRJCkx1VFhBQXRDOElqakJ0eTd3NEJX
+            b0JxOUtSOGJWeXlqdE5DdC9qNHA2N1UKLS0tIEFiQ3ZQM0NOaXRhUHBjVFhRMFk4
+            VjBFeldXS1p0Zk1uSk02aHpJd3BPOHcKvCmnK/KttB4RgnID/fj2KOdjvNnV3EWU
+            B9mW4yxbEqhoxtu+GFD3eR/8SvMPEsHl9xorT/ZygMG7hAzedSukWw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-26T20:00:50Z"
+    mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
+    pgp:
+        - created_at: "2025-03-05T08:24:30Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv+Lr4ISzvM/IEkckNhOOYAeZ0XCJ3JviSwT5wh3nd5u7ZJ
+            tXdLgLwGvFs0gXBf/R2kAoyEMyFziP3dqehvrjwTipuj/5lLdw73X9kddGkGOeQK
+            EDq2+cW3ufuukpyRq+o4lJjMmbwQuqvhqeVOxohQ677e1Xy8q6DorfwOgEgHegK1
+            t1H/DlVHritv54mPjr9hx0fZ5Auow17wteKD71KD/Y4s9JNB0DghcHAGiwYZzL7U
+            aFBY0itZyeJwH7rmFJDTQ+N+595t8dguTS/V1J0SKrIynMXVgTo6dpX10lSRubYe
+            9TQRMO3bmnsdPlmVJ7SlCkcc8blpHSgeQYdaZgPjDmbs+cuAkUMBnR/aEFXIX5IC
+            lohDRX5Vd7dUfVl5CiPNbG8hnvcp2lg7CUBV46fVQ5ZJ73jW1+1Bk3hxGdLklLlF
+            N3hLzBBUpF8U0mvGMXJYX2gQKivRurIoLHZgmjQTjhA1uBfhTI3ktyLABz04dt7I
+            OQYOlpsAZ/qnxbt+37LD0lgBz5XoHDuGNS2nnVQnuvtzt69GDP8mR1QXnhZedTrM
+            kDxxTXV7tMIbqw55tr+qVVG4H8QGy1xat3LSTIxoMmz0MmkyjQhApPN2ipwjyNof
+            X0Aw9hmAZV52
+            =A/yB
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-03-05T08:24:30Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ//UtocoQPpMZL71RyjSnJFZq1NT4H5KxbcvQb4LtPBbanK
+            /gPja40wOWXy/3plCHuZYQ/mR69k9URgwD6/0RSSmCCuVp/+FPbK3UbMYyTOtYBr
+            wKnq9eRP8URK6LINJMcNHzfQtgvTcBclJSY1kLfUVjl2RV2NqXVa6+B1sHJdse8A
+            5NyJ/VNRRrNDtNnmIaIHPFUBySVKLqiXeex4gFNy02IcwwSiFZnBt/ReaFjZQTGE
+            TKfyohQF4V4/e35wvhbqWSFYZmWHCwW94gnwTwnlEO/H/NvbNUNDSYL6WwrIFF7+
+            h/tP7nWbBxNqSByHGQuJnKSysndwUuSMuH+uj+uYdJDn1L1VEoErfAZcRSsDAz1Z
+            BVkEaPJM6ZmRM48up5eHQtPG2rklmoFw/O/bPd9QUWJ/ZRu2gcY8aLGczHygaq6W
+            gvZTCPrke7XZTd9S3mAcdlJ2iAYuKY4AmGqfmXbd7mRZXP3DQkRaA/IwCCNJVmhX
+            um5MbCa17I9Uwh58NBmDuejLcmJDWL5jLmN6S86t3k3jKxwaX56SRwAD92klMdQq
+            8UX2dkUkwnnI+YjfOEeLGDAT655TsejpE97JKjI/m39Pwnn+MrDEfNDHhfjX+9QC
+            5k+fiP7yWc7hG3A7jt5vEadazPgDeqy0q7jbmTPtmdieqBs71P3j19l3VKAU8ZnS
+            WAGz21MFYjhESmU7fqhTyVE9Dsd4GqyB+ZSa8hHj2ISaOi0QQ9JXjjtQhkDGlsB4
+            /PrjZhyqd62wHS075YV1B9YqOhC1nAkC+s9mj9CrWIeH2JMOSK9EUyI=
+            =5u7o
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/machines/overwatch/configuration.nix
+++ b/machines/overwatch/configuration.nix
@@ -0,0 +1,146 @@
+{ config, self, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "overwatch";
+    useDHCP = false;
+  };
+
+  imports = [
+    self.nixosModules.malobeo.metrics
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ./printer_module.nix
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 3100 ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = false;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.grafana = {
+    enable = true;
+    settings.server = {
+      domain = "grafana.malobeo.org";
+      http_port = 2342;
+      http_addr = "127.0.0.1";
+    };
+
+    provision.datasources.settings = {
+      apiVersion = 1;
+
+      datasources = [
+        {
+          name = "loki";
+          type = "loki";
+          access = "proxy";
+          uid = "eeakiack8nqwwc";
+          url = "http://localhost:3100";
+          editable = false;
+        }
+        {
+          name = "prometheus";
+          type = "prometheus";
+          access = "proxy";
+          uid = "feakib1gq7ugwc";
+          url = "http://localhost:9001";
+          editable = false;
+
+        }
+      ];
+    };
+
+    provision.dashboards.settings = {
+      apiVersion = 1;
+      providers = [{
+        name = "default";
+        options.path = ./dashboards;
+      }];
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts.${config.services.grafana.settings.server.domain} = {
+      locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+          proxyWebsockets = true;
+
+      extraConfig = ''
+        proxy_set_header Host $host;
+      '';
+    };
+      };
+  };
+  
+  printer_scraping.enable = true;
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+
+    scrapeConfigs = [
+      {
+        job_name = "overwatch";
+        static_configs = [{
+          targets = [ "127.0.0.1:9002" ];
+        }];
+      }
+      {
+        job_name = "printer";
+        static_configs = [{
+          targets = [ "127.0.0.1:9091" ];
+        }];
+      }
+      {
+        job_name = "durruti";
+        static_configs = [{
+          targets = [ "10.0.0.5:9002" ];
+        }];
+      }
+      {
+        job_name = "infradocs";
+        static_configs = [{
+          targets = [ "10.0.0.11:9002" ];
+        }];
+      }
+      {
+        job_name = "nextcloud";
+        static_configs = [{
+          targets = [ "10.0.0.13:9002" ];
+        }];
+      }
+      {
+        job_name = "zineshop";
+        static_configs = [{
+          targets = [ "10.0.0.15:9002" ];
+        }];
+      }
+      {
+        job_name = "fanny";
+        static_configs = [{
+          targets = [ "10.0.0.1:9002" ];
+        }];
+      }
+      # add vpn - check how to reach it first. most probably 10.100.0.1
+    ];
+  };
+
+  services.loki = {
+    enable = true;
+    configFile = ./loki.yaml;
+  };
+
+  users.users.promtail.extraGroups = [ "nginx" "systemd-journal" ];
+
+
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/machines/overwatch/dashboards/main.json
+++ b/machines/overwatch/dashboards/main.json
--- a/machines/overwatch/dashboards/node_full.json
+++ b/machines/overwatch/dashboards/node_full.json
--- a/machines/overwatch/loki.yaml
+++ b/machines/overwatch/loki.yaml
@@ -0,0 +1,60 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+  log_level: info
+  grpc_server_max_concurrent_streams: 1000
+
+common:
+  instance_addr: 127.0.0.1
+  path_prefix: /tmp/loki
+  storage:
+    filesystem:
+      chunks_directory: /tmp/loki/chunks
+      rules_directory: /tmp/loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+
+pattern_ingester:
+  enabled: true
+  metric_aggregation:
+    loki_address: localhost:3100
+
+ruler:
+  alertmanager_url: http://localhost:9093
+
+frontend:
+  encoding: protobuf
+
+# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
+# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
+#
+# Statistics help us better understand how Loki is used, and they show us performance
+# levels for most users. This helps us prioritize features and documentation.
+# For more information on what's sent, look at
+# https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go
+# Refer to the buildReport method to see what goes into a report.
+#
+# If you would like to disable reporting, uncomment the following lines:
+analytics:
+  reporting_enabled: false
--- a/machines/overwatch/printer_module.nix
+++ b/machines/overwatch/printer_module.nix
@@ -0,0 +1,33 @@
+{config, lib, pkgs, ...}:
+{
+  options.printer_scraping = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable the script to pull data from the printer";
+    };
+    timer = lib.mkOption {
+      type = lib.types.str;
+      default = "1m";
+      description = "systemd timer for script execution";
+    };
+  };
+
+  config = lib.mkIf config.printer_scraping.enable {
+    systemd.services."printer-scraping" = {
+      description = "Pull printer stats and upload to influxdb";
+      serviceConfig.Type = "oneshot";
+      path = with pkgs; [yq jq curl bash];
+      script = "bash ${./pull_info.sh}";
+    };
+    systemd.timers."printer-scraping" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "5s";
+        OnUnitActiveSec = config.printer_scraping.timer;
+        Unit = "printer-scraping.service";
+      };
+    };
+    services.prometheus.pushgateway.enable = true; #Im not dealing with influx
+  };
+}
--- a/machines/overwatch/promtail.yaml
+++ b/machines/overwatch/promtail.yaml
@@ -0,0 +1,29 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://10.0.0.13:3100/loki/api/v1/push
+
+  
+scrape_configs:
+  - job_name: journal
+    journal:
+      max_age: 12h
+      labels:
+        job: systemd-journal
+        host: overwatch
+    relabel_configs:
+      - source_labels: ["__journal__systemd_unit"]
+        target_label: "unit"
+  - job_name: nginx
+    static_configs:
+    - targets:
+        - localhost
+      labels:
+        job: nginx
+        __path__: /var/log/nginx/*log
+
--- a/machines/overwatch/pull_info.sh
+++ b/machines/overwatch/pull_info.sh
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+set -eo pipefail
+for command in "jq" "xq" "grep" "curl" "sed"
+do
+    if ! command -v $command >/dev/null 2>&1
+    then
+        echo "$command could not be found"
+        exit 1
+    fi
+done
+#Functions---------------
+get_cookie () {
+    if [[ $1 == "-d" ]]; then
+        cookie=$(cat request_example_1.txt)
+    else
+        cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
+    fi
+
+    exitCode="$?"
+    if [[ $exitCode == "7" ]];
+    then
+        echo "Server offline"
+        exit 0
+    elif [[ $exitCode != "0" ]];
+    then 
+        echo "Something went wrong"
+        exit 1
+    fi
+
+    cookie=$(echo "$cookie" | grep Set-Cookie | grep -oP "ID=\K[^.]+" )
+    if [[ $cookie == "" ]]
+    then
+        echo "No cookie got!"
+        exit 1
+    fi
+}
+get_values () {
+    local path="$1"
+    local -n keys=$2
+    local name="$3"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq "$path | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq "select(.Type==\"$key\") | .Count" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+}
+get_values_DeviceStatus () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq ".MFP.Common.DeviceStatus")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq ".$key" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+
+}
+get_values_consumables () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_consumables_data=$(echo "$system_consumables_data" | jq ".[] |.DeviceInfo.ConsumableList.Consumable | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(
+            echo "$local_system_consumables_data" | 
+            jq "select(.Name==\"$key\") | .CurrentLevel.LevelPer" | 
+            sed 's/"//g'
+            )
+        valueStore=$(echo "$valueStore"; echo "$name"_"${key//[^a-zA-Z_-]/_}" "$value")
+    done
+}
+#End Functions----------
+
+#Variables-----------------------
+system_counter_DeviceStatus_keys=("ScanStatus" "PrintStatus" "Processing" "NetworkErrorStatus" "KmSaasgw" "HddMirroringErrorStatus")
+system_counter_TotalCounter_keys=("Total" "DuplexTotal" "Document" "Paper" "TotalLarge" "PrintPageTotal" "PaperSizeA3" "PaperSizeA4" "PaperSizeB4" "PaperSizeB5" "PaperSizeOther" "Nin12in1" "PaperTypeNormal" "PaperTypeOther")
+system_counter_FullColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_BlackCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_DoubleColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_CopyCounter_keys=("BwTotal" "FullColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_PrintCounter_keys=("BwTotal" "FullColorTotal" "BiColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "FaxReceive" "FaxSend")
+system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
+#End Variables-------------
+
+echo "Getting cookie"
+get_cookie "$@"
+
+echo "Start extracting info from system_counter"
+if [[ $1 == "-d" ]]; then
+    system_counter_data=$(cat system_counter.xml |xq)
+else
+    system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.FullColorCounterList.FullColorCounter" system_counter_FullColorCounter_keys FullColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.BlackCounterList.BlackCounter" system_counter_BlackCounter_keys BlackCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.DoubleColorCounterList.DoubleColorCounter" system_counter_DoubleColorCounter_keys DoubleColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.CopyCounterList.CopyCounter" system_counter_CopyCounter_keys CopyCounter
+
+get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system_counter_ScanFaxCounter_keys ScanFaxCounter
+
+get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
+
+echo "Start extracting info from system_consumables"
+if [[ $1 == "-d" ]]; then
+    system_consumables_data=$(cat system_consumables.xml |xq)
+else
+    system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values_consumables system_consumables_base_keys Consumables
+
+echo "Sending data to prometheus-pushgateway..."
+
+echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
+echo "Success!"
+exit 0
--- a/machines/overwatch/secrets.yaml
+++ b/machines/overwatch/secrets.yaml
@@ -0,0 +1,59 @@
+grafana_admin: ENC[AES256_GCM,data:c+ZnOyxSXrG4eiK8ETKHheadiSz98LLHYwxb,iv:Ut2qFD2p6OmKDWjLMjFxyISxzTdJpZpgIB7obW5bgkY=,tag:HdayzjXQ1Zc7w9ITLzKLxA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxN1VURXJuMENJV1Z2eEtS
+            bUR2cTNmNUdhU1B4SHZNMW9KRDV2dW5VNmlNCjdmYXpZb05mMEdPdjN4c0VWOUhV
+            RW4vV05CMno1MmJmYzdESjN5MFVFcjQKLS0tIDNxTE1KaW1EVGhtOEQwWXZndk53
+            bFBCMExGdEdMb2Z0TzF0Yk02MUpkN0kKIUm9iUvU/xu1Xl6yoYSVGcIXKnGsp/D/
+            RjVQ7tgJIbrupubny/fg4v2sz5HOs5uzmEq4ZKgBWrBeMPss4gYstA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-22T00:51:32Z"
+    mac: ENC[AES256_GCM,data:TEEyPmVxIJxC49hDqDbwzTZZ/tNymFr0dMvWn6DRli70Kp5XXNCLTpicAbiFh3WoyzbDpN/5c2yxVNGjhB8nXgKpCZdffdONMY6eSCpPbblYwJS7hNsjW+u2wysSFPDAk5apwbNXJcKnlI1tBcGQRHlym9ShSw6fT7K7afWYWqo=,iv:583DWNug8yNF/vZZN4btT6P1yUa0b1UN4frvAX4UKv0=,tag:YI5KIAe5P5Bx0TZU4wG8ag==,type:str]
+    pgp:
+        - created_at: "2025-01-22T00:51:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv+PxajhJgXHcxwJ7Mk0gjqFV0dGmNJ1m0eY3gPyIS38GSB
+            Rjto1zUd6EARu1GnxSrVrSZYlQaL6x3l2DuFIP7mtymvlFrmhiAoDz/si0zlzsJp
+            WZyQZdepnt9FyYJAwTzbmfVdpZDYajuMI38byMJqzUhS7SEOsPwiU1KRoTHcf4se
+            2E+9v8OwTVT2UoDxyiVJuDAA+K+Jh2RjHk3p/uVnZDqqQpI9UAI8LrCpun9uALpH
+            +29wyhkCZ9RIHU7nDQNVvwHkbYCyRUwR44bciSwITpjp7GuZCcZvzSSimPktkC9q
+            VZkHA6rHgHgcu6mnMfpP0+j4gB0dU0t4hGF41klV3YpEGfYcFIsKV10lfa6aMNmW
+            08RuLdCtnQyplYhgBm1zQvYHJsIuwK9s1B2dz3Z8l3o2eg8AqFuIL+MlZOvf5A/2
+            MOXffyXbOM5Dhy7DdUckTOYYfwWe1mStw3vx3I3mAFzuOOR7HQuzlc9Bf1oxh36T
+            6e/qOijjPPqkLeR2mufo0lgBBFTQFt2jVvMo1lrCB8Amj4yj/4noXTzglkYTYBKs
+            S513kUdhAGtWoNrqcItOYAn/gl+CPGY2Op3tJBVCWM6aT/KO6M/LPJ7wiQk2zlOL
+            pp7SnCKvv9eQ
+            =N+uj
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-22T00:51:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ//fm/TcxgsAMY6P8jvOQMcRBmjjVwfLP1UTTnkRUa36Mmn
+            2V9619zsH1dzTp0gUVV8mvIKUtpz2nCBTZBJw803wW9KorxW6f4e3+mIWelZT5WM
+            sLcQPFWAYKDVnSfk5j8kRSmpM6k2xFRB9DTEMIyFH9PZL99Fztp2hjTn553YTQOo
+            pdw+AMzgptYQghW/Pl/32wXHwCO+bL8tyk62VIQO13l3tX83oSslXNkFzNQYt3jv
+            xXFUaQEGD/1lFLeFnIuJZzfjWt6n0fShJboUcuk/ZIcYdwrbG0pyLLoBoObSRQtG
+            t+7VpWpfl3rnk822SU9z9YcaMNy9HD3Kz9Qh0BRQiN3scCMzm1LyzlXLqlc/gPiq
+            JyCxy98vJXIxmlLQZpDFfTMe3xsc8jSsHI6av+wEFKGEJAOUkDtRYvLfZdgDTfiB
+            XTAhQ3ixnlBxdZZ9DjBXyVfM8q9iB8bggFi7g2SjO32LKhXRFUqZR+avddCyKR/V
+            hRpWjDRn+eX2tl7LPawvX6tIow3aZiezkMVyeRXfcZCvpicq64b80LrYR+JJUfJE
+            vxHaekKImrdJ9ocii0wW91ZmESJwL6m5lt3ZsCY5GTlEDt4wBse5uhj48mtuK8sh
+            g8uQMKp7SiiCtV5a6O1SQLDJeAt6VCcRyudLToO9S4gwrGXNPcGxsHj07XAN2PHS
+            WAE6wUhufXfpa8UgSWy7fmEZt4L03XlRfC7bm/ycwaFww3A7w4+B1gkW6gOon6sy
+            nOyIxUZfU6abZWKzH+OIuViKH7xPiULDy75gEmkRHjKu5BiC3Tx0eO4=
+            =+PPr
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/secrets/devkey_ed25519
+++ b/machines/secrets/devkey_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwgAAAJgdrbX3Ha21
+9wAAAAtzc2gtZWQyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwg
+AAAECaQfylNoG/uN8fozvq3loBLWQ3gIKPOGnZpwyHUlAMO2meyBkJbC8RMkqhl/tAUoIt
+pSePyGKhyL5J7ArxxRTCAAAADmthbGlwc29AY2VsaW5lAQIDBAUGBw==
+-----END OPENSSH PRIVATE KEY-----
--- a/machines/secrets/devkey_ed25519.pub
+++ b/machines/secrets/devkey_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine
--- a/machines/secrets/keys/hosts/durruti.asc
+++ b/machines/secrets/keys/hosts/durruti.asc
@@ -1,28 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEADh28tGiUsmPPbsQYKSi9WiI4UCPO4qd7hEoER34Ku5w+kpy1MI
-ymJHNlZODjrjvznRidyYt+1vpED941LawzsujBV7pSfIBY0cQWYTbF/euuQFJYxN
-sBLG4kek5IhdnIsav2f7fMv6Rhfkau7p20AYkWUkpoUxBJTxixIkxrO90ODSzMMe
-tLI9MnqPcMASy6dbAGKXSABaYi9bwggIgyYHNaXThEuEAWPMPMMj8Wlo0H0X/B9O
-UEOHSA4N3TBKJXuDhsKgUo6ADLAA5op+YG+JtAdvdjW0XxtDamLkkrEx/fsYWsn2
-LjiX7z6cCQjYy+GG6LV82cavyF9sBAs8kEl4AVXVYsaB0g99rpY91EYLAD2Ddh4d
-lHPwPVQ52Ht3QeEPAsqeXRh+gZOp/xx6EJXXaH7aorXoWlbUFcCnTTEFAM0HibZg
-ChZEX+pl9RxdPeIwU4kd9LxNygDwp4YhdJzbcpHkp7RrkHJHgmAxUEVCxZfw/P2c
-GDIBHQSS4FZ5PIhh+aejYCo4BrisGuAjwlaH26BRNraM8EImaLwLuQZ1TOWm97tI
-BEI0JFscrTi2RSPgDCg1Cu78ocbcpqC3cRclXzRohvp83NpWnAQFCAdNaTttQsio
-lQTXxmJlaeo/0vHAN+Llukchh6sFzzNP3v4B8vLvdXkE3s5XYxJungblTwARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQWRHe9aQhhWcCGw8CGQEAALRQEABVEYsIn5zGV84caxE/LXN7
-7nDsUEyo3lCetStM7JT7uDdMl5t33pUAIbm4gv6/BrvVZ6pBtPfTrVrTKKDornKJ
-VU/tKims+CbnuPUIbOmuXcPbQIa/IF4WVop8XJTzMOSW636/eH1D2VTLI8Jmw35s
-qDmqx72hISUBGCszTJkThp8xUFMW5NcJc6zGB9I4vdac6Sf6yuZqmdfDm0MzcvmA
-tDASc6ZLeffPkJxUA+x2WouAYkfdV1CdVS6ob6owrSza/T+wQ3DgzO5AVZ31HXTa
-gDkVIBgdZYR2H8IaaTetb4m2+SgdXr7s9WCOR2i8DiSKpnUAJKoVIOl6pBd13jCu
-PHQzkKq6kqn4bRYCZil3fKDB90mVDIyixJJCt//VA5y9Tgggp9o7a+l35I9hCJ2F
-6AYtpfXkTbI9wqmk33TJX2litqqPZkhEERv25UDvnZ7Mm0my9QXJZ1Fp1nRLIKZg
-VABDS/wIB1QHtOldDLMeRD7Fnrnjgnyuk4/HmCem0wFDPHDo/ppa2QtCUk1xxywu
-fa7hs/oDVUMsofpDm6Ls4IgFXbSD9GUTDdB+UvZi5vITaZ1f1QLcrShhSUHkLIpc
-65Fj79r9cdHKdUhnM2+pTuVM6Az3huMkZ+abgjSHWSni2njowRUd2P7pG+ZhaUk3
-Rj7jxxXh1KQ7X8Rbbce8Mg==
-=sb6Z
-----END PGP PUBLIC KEY BLOCK-----
--- a/machines/secrets/keys/hosts/lucia.asc
+++ b/machines/secrets/keys/hosts/lucia.asc
@@ -1,28 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEAChmMEXC6TjRtYAHk6CsrnP0LFd1vOuH4+QSalj9fCaCpYVEStP
-u9EtW2DK8kSBdo8DAngzsMFt9PoSLcPcB00s9R6EACVuOn8nTVkyYtO/8hWJVexI
-G3SB/u2a+MYC2QEtw3Exzleexx3EkZywAzGWzJXpajMbGsfvssXl96xb7jxrxdNv
-Msx9t2RJGADSG6Vx1+A5UmFwITkGpn6wjvQXLvkim4ZHRzX588vgz/IdJ6yqOeeV
-v0VyVNTPfXkDO2urxRgZ5TG9wE5v9OKFofooR5T1rB/khW2jMoqavLWeRVCqVpmp
-MQ8VMkJzEoP7RX7vAAgCbVrTe55sMmXa9gtXo50wz6lHYHnepff6FuquS7szH7Ja
-lRnvx6CR1FwWIGhef/kxmNQKr2Mt3V7riFmv0bkR8ttI5uyGposeWfY1T6iJfxic
-duIYXrV11T6fWOEUh80aRz+8E46LFv4sGZjTOvHWrnetKNweuOC9/yaSDkEr35sM
-xVffS0wNGclhxl860qBCbhG/X7YYZs5sFHsRnsb7rvTCP8LtGhrjybE/b4WuGRCU
-rEftVOBe4NSwlsdmRVl5Cyk/ZkJncrUwlaH6laCjBfldQcdxAHzdzPZQhOmBaLkF
-1l0EpteSbEsi3CS2rkkriSsZ+nZwaccTa6+B6twrRmGvcBrZXlsugsdDSQARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQvNUtHtVQM9sCGw8CGQEAAGIaEAAoWuyjinNk8ovTAH+TjKWK
-UD4WXwt5OJ8l3FJPpecZbhTaBrRdlLzY1tlKzwd8c69QVOoqk83Rv4Fep9b8EFQ5
-U2bTtXLm/wINSetjf6vlLYxEPNKVzGtk8ejw32NPnJVsGeXNazlcJaR2jRW4kMcj
-A2b8aeUKxnLaoZYiCLZGvyvuB7oj/nIX7iuaIDHKR9oVyQOekeYlg9R92wKCZDiF
-1USoknPO2cSYFZpDM6tmIjkOoEgnwEZqzwI7q5dXz/mqp86XeMJWFkyTRhPT6Hiu
-iS/5wDsFJi7wgl4Jr6bBWFaHeBVSTJIwkoahxpM/qVYAYINgLO9erxMkmX5lRzxs
-NC3LsqQ+L5Isx96AXaZWf+IOYgN8nB3bsQqvlqbvMIUE3wkxg7oeNzDzvgxQM/Tf
-AC6zYHiGrs7WS6+ojx2flJnWA7mrOllimv5pTTUBtA7gh1JN9aUzzBjvF0LlzN1O
-DLyxu1PsIazI1eklUm0ljyOoqBnOrDZoC4Kz70pguDGDvipCAJWjG9SjXDwXGAA0
-sUhnebh2HPZYj73xDIrbgkg+79n6U5UuewUFwDQfE8VFDp62s1s9haCRUKU6uwiL
-i31OKOkDcYSyx/3/VvaT3lT247VERDw/5yVYrrhQwxS4WSabX8gz6qfKB4bi/HVs
-lX2duwzSRzuytZCKKG+fdA==
-=VTby
-----END PGP PUBLIC KEY BLOCK-----
--- a/machines/secrets/keys/hosts/moderatio.asc
+++ b/machines/secrets/keys/hosts/moderatio.asc
@@ -1,28 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEACm+W5sGSC25OtlwQdOBCSfX2DnPuk5abjxY5HMIv3MnySouXpW
-L3VoE6Irur9lZwfKrXaUweJPJHVo/Sfknh9GSBCW6yFFcGZ5nNx/QNdbfjOSaUw2
-0BkW1CYRVcLIKSHpepbTDHBxgKaCYsmupptFQ0Nzx19PPMV/WBqrkSlEpDJyq9y6
-cTaGulRKWBVDytMFmibhGlqpfEI8bzrxaeGTqiRTZJqL3zDDi2afDt1kJeCXKd32
-XOywDZgB5CinY3qsR45ftC6mZ5fV+ex3M/Uc4YJiVgwg6GlSdiYW9Mqf4koqpLCq
-Xq3ztEo9FjFen7KmAcLstFmzY3fAXGIJzb0CfvVrM32wsdC6NRDINdMBmrOeKXT7
-g45n0LOdCFr4AOKyABqMudbKrgF9txHt549oaQ0wHCy1nStji1OpbhdpCKDFKPnl
-ojG1Nur9DPRFmQ01I3KIjvCrf8J+CgI5YVwOr+m5Zw3i/b0qd+9R/8oAmzhhuyt7
-kckSVTCjNzsDgjjOa8FVQJremTdkQuWOlx0HxC3aQdSoPxOfpeUhybfttNpvUuta
-5EbsiS/PJfzMOtZDG++naKO/xGJDiaYDhW1ZeGI2fOFUm4RYHqCFES32XF4ygpGq
-wz2bZNKKSf4lxoD1+SBqOyd1eN3u8GmX8OgUB3TpgEuQb/XL31zDKCZ7pwARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQj5s8BYqm1MICGw8CGQEAACMDEAAFko8JYC1zGt5rFKokXGbs
-K331UHReN02QpdL8fhMt0Rqoh1FKt8Sr8lzCLPNOnlgxSG5lXmA3dFfWAnFrNw5T
-1u1oU0sB+CiekyWXJxTASur1g3DtLv6qA19Uw4i9bu57LK5E0ycoI3RnR+YbDri0
-psPNP01x7NBO42O71rnBypGbCPXnLOAaKq+ISCN+XCZBkmjKhcWJlg5DJfUGCEdr
-DCKi/1j5mgs8H3sUrc5Y4gLz3BWuypAGWhQr/KDAcmCm/u0ZfzVyrxw50eMuzeF7
-GfePPI70nXjUlywuFUFg7EWlCT6sRtZf+o4jkXcwGpZLx2/rdZ9J2I4VmYakBVpA
-2OQwi47YAFe1wz+nsF3fImuGQdHu0x0sFLbuJaSJCOVYhMcZhskRygqqI+wEvDF1
-i7SYzi5Xt7rJrSaqGhAzlg1Cc8wzMhoCE/IU5Hd55OtbvRwZ2JKH+UAl/L9Qizqy
-AM7nSrUjA5p4H09PMuKGmCEcZDKpH2huAeqmtGQ626edE2WNduE2jCdAIcN263PX
-1+TIe4IRLhtmTKqfJgbzrt0cSIAsuvI8s78ehsP2eNANdkQjzBAaEiOo75G/g+sd
-tWl8gxOhrPKkb07KqcPEfXq4QYk7kV+pWuA2yMiTX5A+oy8gVFBxUp+zbjYeRuW8
-cpHyvbDvdnQ5LGNC/v0rdA==
-=Rmch
-----END PGP PUBLIC KEY BLOCK-----
--- a/machines/ssh_keys.nix
+++ b/machines/ssh_keys.nix
@@ -5,4 +5,8 @@
   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
 ];
+ backup = [
+  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIGryhnXdmbGObONG88K+c9zeduMrwtoLHwzMDZg3UXB+Cnq2FXWOrlLZxA+95VUgHpyGZiykJmzeWrKhldDlDeGGd8QCCLeuliiOgXADTYjWaVfhd+6arPZrK2VtqqsguvH40gW1xfoGAOmAT4WFnxWxIaEip0V2u6NOoKTiH9I3bz2Qe4lfJvPXig+XwCXcukXd6XUkDFYDpiw8XNV3X7pqTus5d2RYR97bAhIYZZQ6h50ZpTY8N0lFh4RY5yfx8BhxJW3tfoi9uZvVuPx7dGPsZsSniENFPMNz3UwHGitTJMr4088cJrAGgd5lyFuLouiHiM2JMGA0wx9wWTbWJEwTLaTVQK9gSJf857ndV2zCh9vKlfko4w9bQgqxKg4U/mY8dXX1E7D51nD2ci8Ed+ZG+NEneFLyZhLsD82GkBY+YovA+4xm/pcx+hBhlyqGNxI8v+Jh+JhEyD/ZLgJfq3ZMbGIGsTiDwZ2flLLxImHHEoDoT6PHU6hDhPDJu560="
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPP4s6qNKwtu2l5DRKU/Xo6lMRztqNw/MOVsKx58kUE8 root@silizium"
+ ];
 }
--- a/machines/testvm/configuration.nix
+++ b/machines/testvm/configuration.nix
--- a/machines/uptimekuma/configuration.nix
+++ b/machines/uptimekuma/configuration.nix
@@ -6,7 +6,6 @@ with lib;
  networking = {
    hostName = mkDefault "uptimekuma";
    useDHCP = false;
-    nameservers = [ "1.1.1.1" ];
  };

  imports = [
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
@@ -17,6 +17,7 @@ with lib;
  };

  imports = [
+    inputs.self.nixosModules.malobeo.vpn
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    ../modules/minimal_tools.nix
@@ -34,9 +35,58 @@ with lib;
      locations."/" = {
        proxyPass = "http://10.100.0.101";
        extraConfig = ''
+          proxy_set_header Host $host;
        '';
      };
+    };

+    virtualHosts."cloud.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."grafana.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."tasklist.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."zines.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Authorization $http_authorization;  # Pass the Authorization header
+          proxy_pass_header Authorization;
+
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
    };
  };

--- a/machines/vpn/dummy.yaml
+++ b/machines/vpn/dummy.yaml
@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:s+dZfKCfrdZnFKhmCl7u1LRzR5dMflJumh1uVQ5Dktb5teohxDo0zlOR7KE=,iv:N9WSEzGonWNkqix8yaImhvrxpcAEJraWEcTrXORASow=,tag:pKgOmtKJ933FEKZVDHCWWQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMFk2bzE3OG9VR0VqOTIz
+            UEQySS9SUnRmMDFqVTg1dks3WTZvbE13VGxVCitHVE1SVlBlYkZwejNlWWNMTVhF
+            M2EzSFRmS3lFd1VPMHRpMjhtMVgyVDQKLS0tIGJObk1kcWlaeUhveHdrY1BEQkh4
+            WTJua1FvNFFtMDFGWE9ZaW9wWFoxcncKlYHjkzlUj+rBPmXK/jj9XCUoGrQ4vBXH
+            ZTItzrbCI30juPjy6dJ0ffZF2ILvJLUdwurz4lZFybNuUjhE2sAY+A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S1dhZUVpT3NMaGR4eEhV
+            dUxvUGVvMUtPbWhEQnpJd3Y1YTBYbm1QMTBVCmpQbkhvM3VWV2MvcmY2RVhVOWdy
+            MVZxK201bmcwVHlwUlFnb0p5eGFNNGsKLS0tIDlrc1ErS0NiRUJ0UFZnNHNNSk9m
+            U2xLQVhoS2NxNUVvcGZBYW9VVkZNOUEKeCpijhxpkAxCB9/iIQmek03mj7b14sqs
+            CuGKgoeq7C6eG1PK3I8MzGplQMyCpEFQ+33KMj0vGwktpv/eVzC8/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:47:26Z"
+    mac: ENC[AES256_GCM,data:DiriXLPnm+08q1Jp1YxjEdsJzFiewQxgu1JDdevo9aGdkq92Xu8cnSxLzWUkh8bEDx4uhjOXvZd3PSU9rWiTh899U3Ou99NiSOgR1+wr5ouR20viCZqIe86YqoZlLJnYs2dlZDhL+ggwFqYJ5wfWbq7OauIVEEdnM/57RyNI2qM=,iv:lwOJi4pVGGHn7+CGq7jAHorOTFtl7ONzzV35ec1uEsg=,tag:DhjloWlsGqM579NafaERIw==,type:str]
+    pgp:
+        - created_at: "2025-01-19T21:35:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAoO2gRS+Vwu+5KZ4V2ReXPcjFcEUb6aoYe8PNUhjBu0yE
+            hs4lhWGy53BdupQ+cyxk0U+L6UhOjTfIAYE9emqTDlF5OImN/379j9NfiPe/K0/8
+            ylSOuzNgVmTpsXlHGaXE2wk0ADp1P9mZUwbJ5vHCtm+ZFe5HCuTrB61drIU0fEYw
+            NVCaARK/IRn5eAlPCjPuW1mhKP+3HNGMQszqCRKMU5kLZPzjqsHmEITSFJ5bVtAu
+            fLRtF8SyJpHgvyw1AH1IX6I+/lrDRQro0oD/0LcC1Nay9n86WIWhA/VbotyFCkI2
+            gZtV0IQq05mxO11DycgxlDLQk6nqiqDDjWv/8kj23HnQ3BAO6SXLKhHWq9rH8EOX
+            wkee7RHc09GWNcGL93YMkjIHWJyitphpU/NtTmEpTptzry5vPfittPaZ+zU+MF8G
+            REyft2X9Aj7UWcL1w3kbX9BDWuxImcirWWCShHakSrzAlpuIoXVQA6MCl6/Jr2Ve
+            lLx3lDX+BiSpU01zY32q0lgBOGcSEcRVXTiYO00EoJbIiEMwqm1aAXQzaCvhCCpP
+            54NsNzZ4eoGL0DmioKwzLbv1CpIJs3w0k6StfOtTCPKdlL99k24Z8GyJ44UnkhCe
+            V32jGc/yCong
+            =OZSD
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T21:35:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAhnd9Z1gekp4XWw+gcWK5j9mXWP7XS/FGNXmmCUBKec1j
+            zXzMJjG1YZyCYmqj3XGFMFwg2Ex6pBPoOTzOL2VOGd9mZvHjh0MGtuUopg1GprE7
+            NoyrYlV2UikyBSzVlsvykyNCYWfEt0uDotnGIK0NXYzfWfqgw+ImAH/PvNRY4nIB
+            wxI/Ze100ITAN7Dop9d6MFUZbrYKZTMsO8w5Z7TWHRPzFWH//XZjY7UpxvNVP1oJ
+            RXqqo2I97P0c6H7s17+xw6ZjyE0Qoin1gq4XSMHc4l8o+3D7fWecoTLxcjma5gvY
+            SMVCYeSrI2kc8DJ2RVeXdDlEP7SS3bwPNaE4Tklxv1rE+CUuYQ1X6dkPVKnKLfRS
+            Lwy614LDAarZmvXc3jPgFkpG+grE80PAStzOze0eWyZA/oCAI3/CS+yaeBAI4viz
+            UEkNmCMTZu1eXyIurC/suTOdq4nehGlD/2F8EKU+Y/6f6J2wHUJdvLjNxOuAOHd0
+            lGSu61gt/b2PFy/aHqFgQaZCPUMJ8UfK8JQ66zOIUW3HzsXOsvVqo/8DMQRIw7/z
+            3tZ43LPjmIeCRFwPfbIbeThoZmq1SPejkzadxDEwD3U0YAiblBJ2E+AyEDiKqP/N
+            D+NRN5Ta0ySAmGOyYgDES8QDDBQGA4cSZak7pMidCrSbAagNyYNg3Qrowc0aG93S
+            WAFD/Q4EtOdM6kveLdbDkPX/bAiCFwhzSCtDVkLAPxfrkw/a+az6emPWmImML5FT
+            to3vvXendrd9+u6uSNK5acuwzW2cW8GM4gLC90+p/kRFJukiGJbl400=
+            =6Gw4
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/zineshop/configuration.nix
+++ b/machines/zineshop/configuration.nix
@@ -0,0 +1,34 @@
+{ self, config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "zineshop";
+    useDHCP = false;
+  };
+
+  imports = [
+    inputs.malobeo.nixosModules.malobeo.metrics
+    inputs.malobeo.nixosModules.malobeo.printing
+    inputs.zineshop.nixosModules.zineshop
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.printing.enable = true;
+  services.malobeo.printing.enable = true;
+
+  services.zineshop.enable = true;
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/outputs.nix
+++ b/outputs.nix
@@ -14,6 +14,9 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
  let
    pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}";
    pkgs = nixpkgs.legacyPackages."${system}";
+
+    hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; });
+    utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; });
  in
  {
    devShells.default =
@@ -34,17 +37,25 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
        sops.sops-init-gpg-key
        pkgs.sops
        pkgs.age
-        pkgs.python310Packages.grip
+        pkgs.python313Packages.grip
        pkgs.mdbook
+        pkgs.ssh-to-age
        microvmpkg.microvm
      ];
+
      packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed;
      shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
    };
+
    legacyPackages = {
      scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
      scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
+      scripts.add-host-keys = pkgs.writeShellScriptBin "add-host-keys" (builtins.readFile ./scripts/add_new_host_keys.sh);
+      scripts.run-vm = self.packages.${system}.run-vm;
    };
+
+    vmBuilder = utils.buildVM;
+
    packages = {
      docs = pkgs.stdenv.mkDerivation {
        name = "malobeo-docs";
@@ -62,68 +73,51 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
          cp -r ./book/* $dest
        '';
      };
-    } //

-    builtins.foldl'
-    (result: host:
-      let
-        inherit (self.nixosConfigurations.${host}) config;
-      in
-      result // {
-        # boot any machine in a microvm
-        "${host}-vm" = (self.nixosConfigurations.${host}.extendModules {
-          modules = [{
-            microvm = {
-              mem = pkgs.lib.mkForce 4096;
-              hypervisor = pkgs.lib.mkForce "qemu";
-              socket = pkgs.lib.mkForce null;
-              shares = pkgs.lib.mkForce [{
-                tag = "ro-store";
-                source = "/nix/store";
-                mountPoint = "/nix/.ro-store";
-              }];
-              interfaces = pkgs.lib.mkForce [{
-                type = "user";
-                id = "eth0";
-                mac = "02:23:de:ad:be:ef";
-              }];
+      run-vm = pkgs.writeShellScriptBin "run-vm"  (builtins.readFile ./scripts/run-vm.sh);
    };
-            boot.isContainer = pkgs.lib.mkForce false;
-            users.users.root.password = "";
-            fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
-            services.getty.helpLine = ''
-              Log in as "root" with an empty password.
-              Use "reboot" to shut qemu down.
-            '';
-          }] ++ pkgs.lib.optionals (! config ? microvm) [
-            microvm.nixosModules.microvm
-          ];
-        }).config.microvm.declaredRunner;
-    })
-    { }
-    (builtins.attrNames self.nixosConfigurations);

    apps = {
      docs = {
        type = "app";
        program = builtins.toString (pkgs.writeShellScript "docs" ''
+          ${pkgs.xdg-utils}/bin/xdg-open "${self.packages.${system}.docs}/share/doc/index.html"
+        '');
+      };
+
+
+      docsDev = {
+        type = "app";
+        program = builtins.toString (pkgs.writeShellScript "docs" ''
+          echo "needs to run from infrastuctre root folder"
          ${pkgs.mdbook}/bin/mdbook serve --open ./doc
        '');
      };
+
+      run-vm = {
+        type = "app";
+        program = "${self.packages.${system}.run-vm}/bin/run-vm";
+      };
    };

-  })) // rec {
-    nixosConfigurations = import ./machines/configuration.nix (inputs // {
-      inherit inputs;
-      self = self;
-    });
+  })) // (
+  let
+    hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; });
+    utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; });
+  in
+  {
+    nixosConfigurations = utils.buildHost hosts.malobeo.hosts;

    nixosModules.malobeo = {
      host.imports = [ ./machines/durruti/host_config.nix ];
      microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
      vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
      initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
+      metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
      disko.imports = [ ./machines/modules/disko ];
+      users.imports = [ ./machines/modules/malobeo/users.nix ];
+      backup.imports = [ ./machines/modules/malobeo/backup.nix ];
+      printing.imports = [ ./machines/modules/malobeo/printing.nix ];
    };

    hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
@@ -137,4 +131,4 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
      nixpkgs.lib.mapAttrs getBuildEntry self.nixosConfigurations

      );
-}
+})
--- a/scripts/add_new_host_keys.sh
+++ b/scripts/add_new_host_keys.sh
@@ -0,0 +1,51 @@
+set -o errexit
+#set -o pipefail
+
+if [ ! -e flake.nix ]
+    then
+    echo "flake.nix not found. Searching down."
+    while [ ! -e flake.nix ]
+        do
+        if [ $PWD = "/" ]
+            then
+            echo "Found root. Aborting."
+            exit 1
+            else
+            cd ..
+        fi
+    done
+fi
+
+read -p "Enter new host name: " hostname
+
+if [ "$hostname" = "" ]; then exit 0
+fi
+
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
+
+mkdir -p "$pwpath"
+cd "$pwpath"
+
+# Generate SSH keys
+ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
+ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
+
+#encrypt the private keys
+sops -e -i ./$hostkey
+sops -e -i ./$initrdkey
+
+#generate encryption key
+tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
+sops -e -i ./disk.key
+
+# Info
+echo
+echo "Hier ist der age public key für sops etc:"
+echo "$(ssh-to-age -i ./"$hostkey".pub)"
+echo
+echo "Hier ist eine reproduzierbare mac-addresse:"
+echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+
+exit 0
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -25,6 +25,9 @@ fi

 hostname=$1
 ipaddress=$2
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"

 # Create a temporary directory
 temp=$(mktemp -d)
@@ -38,11 +41,12 @@ trap cleanup EXIT
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"

-diskKey=$(sops -d machines/$hostname/disk.key)
+diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key

-ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
-ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
+sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
+
+sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"

 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
--- a/scripts/run-vm.sh
+++ b/scripts/run-vm.sh
@@ -0,0 +1,82 @@
+usage() {
+    echo "Usage: run-vm <hostname> [--networking] [--dummy-secrets] [--no-disko]"
+    echo "ATTENTION: This script must be run from the flakes root directory"
+    echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
+    echo "--dummy-secrets run vm with dummy sops secrets"
+    echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
+    echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
+    echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
+    echo "--data path to directory that should be shared as /data"
+    echo "--fwd-port forwards the given port to port 80 on vm"
+    exit 1
+}
+
+# check at least one arg was given
+if [ "$#" -lt 1 ]; then
+    usage
+fi
+
+HOSTNAME=$1
+
+# Optionale Argumente
+NETWORK=false
+DUMMY_SECRETS=false
+NO_DISKO=false
+RW_STORE=false
+VAR_PATH=""
+DATA_PATH=""
+FWD_PORT=0
+
+# check argws
+shift
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        --networking) NETWORK=true ;;
+        --dummy-secrets) DUMMY_SECRETS=true ;;
+        --no-disko) NO_DISKO=true ;;
+        --writable-store) RW_STORE=true ;;
+        --var) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              VAR_PATH="$2"
+              shift
+          else
+              echo "Error: --var requires a non-empty string argument."
+              usage
+          fi
+          ;;
+        --data) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              DATA_PATH="$2"
+              shift
+          else
+              echo "Error: --data requires a non-empty string argument."
+              usage
+          fi
+          ;;
+        --fwd-port) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              FWD_PORT="$2"
+              shift
+          else
+              echo "Error: --var requires a non-empty string argument."
+              usage
+          fi
+          ;;
+        *) echo "Unknown argument: $1"; usage ;;
+    esac
+    shift
+done
+echo "starting host $HOSTNAME"
+echo "enable networking: $NETWORK"
+echo "deploy dummy secrets: $DUMMY_SECRETS"
+echo "disable disko and initrd secrets: $NO_DISKO"
+echo "use writable store: $RW_STORE"
+if [ -n "$VAR_PATH" ]; then
+  echo "sharing var directory: $VAR_PATH"
+fi
+
+if [ -n "$DATA_PATH" ]; then
+  echo "sharing data directory: $DATA_PATH"
+fi
+
+nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" \"$DATA_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -2,7 +2,7 @@ set -o errexit
 set -o pipefail

 sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
-HOSTNAME=$1
+hostname=$1

 if [ ! -e flake.nix ]
    then
@@ -19,21 +19,19 @@ if [ ! -e flake.nix ]
    done
 fi

+diskkey=$(sops -d machines/$hostname/secrets/disk.key)
+
 echo
 if [ $# = 1 ]
    then
-    diskkey=$(sops -d machines/$HOSTNAME/disk.key)
-    echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
-
-    echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data

 elif [ $# = 2 ]
    then
-    diskkey=$(sops -d machines/$HOSTNAME/disk.key)
-    IP=$2
-    echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
-
-    echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
+    ip=$2
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
    
 else
    echo
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFRuQZweX3r9QQmAFo6oYY9zvrf9V3EIJOl6kFMgyLm kalipso@fanny-initrd`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc root@fanny`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine`