kleine fehler behoben

erstmal statisches mounten --es fehlt die disk uuid
erstelle nfs user
2024-10-26 20:16:19 +02:00 · 2024-10-26 19:56:46 +02:00 · 2024-10-26 19:33:49 +02:00 · 2024-10-26 19:08:14 +02:00
42 changed files with 464 additions and 1218 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,3 @@
 result
 *.qcow2
 .direnv/
 book/
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ the file structure is based on this [blog post](https://samleathers.com/posts/20
 #### durruti
 - nixos-container running on dedicated hetzner server
- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
+- login via ```ssh -p 222 malobeo@5.9.153.217```
 - if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
 - currently is running tasklist in detached tmux session
  - [x] make module with systemd service out of that
@@ -98,3 +98,34 @@ for documentation we currently just use README.md files.
 the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
 the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.
 ## todos...
 #### infrastructure
 * [ ] host a local wiki with public available information about the space, for example:
  * [ ] how to use coffe machine
  * [ ] how to turn on/off electricity
  * [ ] how to use beamer
  * [ ] how to buecher ausleihen
  * ...
 * [x] host some pad (codimd aka hedgedoc)
 * [ ] some network fileshare for storing the movies and streaming them within the network
 * [x] malobeo network infrastructure rework
  * [x] request mulvad acc
  * [x] remove freifunk, use openwrt with mulvad configured
 * [ ] evaluate imposing solutions
    * [ ] pdfarranger
 #### external services
 we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
 - [x] analyse best way to include our stuff into external nixOs server
  - [x] writing some module that is included by the server
  - [x] directly use nixOs container on host
  - [x] combination of both (module that manages nginx blabla + nixOs container for the services
 #### bots&progrmaming
 * [ ] create telegram bot automatically posting tuesday events
 * [x] create webapp/interface replacing current task list pad
  * could be a simple form for every tuesday
  * [x] element bot should send updates if some tasks are not filled out
--- a/doc/.gitignore
+++ b/doc/.gitignore
@@ -1 +0,0 @@
 book
--- a/doc/book.toml
+++ b/doc/book.toml
@@ -1,6 +0,0 @@
 [book]
 authors = ["ahtlon"]
 language = "de"
 multilingual = false
 src = "src"
 title = "Malobeo Infrastruktur Dokumentation"
--- a/doc/src/Index.md
+++ b/doc/src/Index.md
@@ -1 +0,0 @@
 # Index
--- a/doc/src/SUMMARY.md
+++ b/doc/src/SUMMARY.md
@@ -1,19 +0,0 @@
 # Summary
 - [Index](./Index.md)
    - [Info]()
        - [Aktuelle Server]()
            - [Durruti](./server/durruti.md)
            - [Lucia](./server/lucia.md)
        - [Hardware]()
        - [Netzwerk]()
        - [Seiten]()
            - [Website](./server/website.md)
            - [musik](./projekte/musik.md)
        - [TODO](./todo.md)
    - [How-to]()
        - [Create New Host](./anleitung/create.md)
        - [Sops](./anleitung/sops.md)            
        - [Updates](./anleitung/updates.md)
        - [Rollbacks](./anleitung/rollback.md)
        - [MicroVM](./anleitung/microvm.md)
--- a/doc/src/anleitung/create.md
+++ b/doc/src/anleitung/create.md
@@ -1,66 +0,0 @@
 # Create host with disko-install
 How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
 ---
 Here are the exact steps to get bakunin running:  
 First create machines/hostname/configuration.nix  
 Add hosts nixosConfiguration in machines/configurations.nix  
 Boot nixos installer on the Machine.  
 ``` bash
 # establish network connection
 wpa_passphrase "network" "password" > wpa.conf
 wpa_supplicant -B -i wlp3s0 -c wpa.conf
 ping 8.8.8.8
 # if that works continue
 # generate a base hardware config
 nixos-generate-config --root /tmp/config --no-filesystems
 # get the infra repo
 nix-shell -p git
 git clone https://git.dynamicdiscord.de/kalipso/infrastructure
 cd infrastructure
 # add the new generated hardware config (and import in hosts configuration.nix)
 cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
 # check which harddrive we want to install the system on
 lsblk #choose harddrive, in this case /dev/sda
 # run nixos-install on that harddrive
 sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
 # this failed with out of memory
 # running again showed: no disk left on device
 # it seems the usb stick i used for flashing is way to small
 # it is only 
 # with a bigger one (more than 8 gig i guess) it should work
 # instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
 # for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
 sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
 # failed with no space left on device.
 # problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
 # it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
 ```
 # Testing Disko
 Testing disko partitioning is working quite well. Just run the following and check the datasets in the vm:
 ```bash
 nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
 ```
 Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
 ```nix
 datasets = {
  encrypted = {
    options = {
      encryption = "aes-256-gcm"; #THIS ONE
      keyformat = "passphrase"; #THIS ONE
      keylocation = "file:///tmp/root.key"; #THIS ONE
    };
    # use this to read the key during boot
     postCreateHook = '' #THIS ONE 
       zfs set keylocation="prompt" "zroot/$name"; #THIS ONE 
     ''; #THIS ONE 
 ```
--- a/doc/src/anleitung/microvm.md
+++ b/doc/src/anleitung/microvm.md
@@ -1,81 +0,0 @@
 ### Declaring a MicroVM
 The hosts nixosSystems modules should be declared using the ```makeMicroVM``` helper function.
 Use durruti as orientation:
 ``` nix
    modules = makeMicroVM "durruti" "10.0.0.5" [
      ./durruti/configuration.nix
    ];
 ```
 "durruti" is the hostname.  
 "10.0.0.5" is the IP assigned to its tap interface.  
 ### Testing MicroVMs locally
 MicroVMs can be built and run easily on your local host, but they are not persistent!
 For durruti for example this is done by:
 ``` bash
 nix run .\#durruti-vm
 ```
 ### Testing persistent microvms
 In order to test persistent microvms locally we need to create them using the ```microvm``` command.  
 This is necessary to be able to mount persistent /etc and /var volumes on those hosts.  
 Do the following:
 ```bash
 # go into our repo and start the default dev shell (or us direnv)
 nix develop .#
 # create a microvm on your host (on the example of durruti)
 sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo
 # start the vm
 sudo systemctl start microvm@durruti.serivce
 # this may fail, if so we most probably need to create /var /etc manually, then restart
 sudo mkdir /var/lib/microvms/durruti/{var, etc}
 # now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/
 # alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
 microvm -r durruti
 # after u made changes to the microvm update and restart the vm 
 microvm -uR durruti
 # deleting the vm again:
 sudo systemctl stop microvm@durruti.service
 sudo systemctl stop microvm-virtiofsd@durruti.service
 sudo rm -rf /var/lib/microvms/durruti
 ```
 ### Host Setup
 #### Network Bridge
 To provide network access to the VMs a bridge interface needs to be created on your host.
 For that:
 - Add the infrastructure flake as input to your hosts flake  
 - Add ```inputs.malobeo.nixosModules.malobeo``` to your hosts imports
 - enable the host bridge: ```services.malobeo.microvm.enableHostBridge = true;```
 If you want to provide Internet access to the VM it is necessary to create a nat.
 This could be done like this:
 ``` nix
 networking.nat = {
  enable = true;
  internalInterfaces = [ "microvm" ];
  externalInterface = "eth0"; #change to your interface name
 };
 ```
 #### Auto Deploy VMs
 By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool.
 But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option.
 VMs configured using this option will be initialized and autostarted at boot.
 Updating still needs to be done imperative, or by enabling autoupdates.nix
 The following example would init and autostart durruti and gitea:
 ``` nix
 malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
 ```
--- a/doc/src/anleitung/rollback.md
+++ b/doc/src/anleitung/rollback.md
@@ -1 +0,0 @@
 # Rollbacks
--- a/doc/src/anleitung/sops.md
+++ b/doc/src/anleitung/sops.md
@@ -1,25 +0,0 @@
 # Sops
 ## How to add admin keys
 - Git:
    - Generate gpg key
    - Add public key to `./machines/secrets/keys/users/`
    - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
 - Age:
    - Generate age key for Sops:   
      ```
      $ mkdir -p ~/.config/sops/age
      $ age-keygen -o ~/.config/sops/age/keys.txt
      ```
      or to convert an ssh ed25519 key to an age key
      ```
      $ mkdir -p ~/.config/sops/age
      $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
      ```
    - Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
    - Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
 - Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
 - `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
--- a/doc/src/anleitung/updates.md
+++ b/doc/src/anleitung/updates.md
@@ -1 +0,0 @@
 # Updates
--- a/doc/src/projekte/musik.md
+++ b/doc/src/projekte/musik.md
@@ -1 +0,0 @@
 # musik
--- a/doc/src/server/durruti.md
+++ b/doc/src/server/durruti.md
@@ -1,2 +0,0 @@
 # Durruti
 Hetzner Server
--- a/doc/src/server/lucia.md
+++ b/doc/src/server/lucia.md
@@ -1,2 +0,0 @@
 # Lucia
 Lokaler Raspberry Pi 3
--- a/doc/src/server/website.md
+++ b/doc/src/server/website.md
@@ -1,7 +0,0 @@
 #Website
 hosted on uberspace  
 runs malobeo.org(wordpress) and forum.malobeo.org(phpbb)  
 access via ssh with public key or password  
 Files under /var/www/virtual/malobeo/html
--- a/doc/src/todo.md
+++ b/doc/src/todo.md
@@ -1,32 +0,0 @@
 # TODO
 - [ ] Dieses wiki schreiben
 #### infrastructure
 * [ ] host a local wiki with public available information about the space, for example:
  * [ ] how to use coffe machine
  * [ ] how to turn on/off electricity
  * [ ] how to use beamer
  * [ ] how to buecher ausleihen
  * ...
 - [x] host a local wiki with infrastructure information
 * [x] host some pad (codimd aka hedgedoc)
 * [ ] some network fileshare for storing the movies and streaming them within the network
  - Currently developed in the 'fileserver' branch
    - NFSV4 based
 * [x] malobeo network infrastructure rework
  * [x] request mulvad acc
  * [x] remove freifunk, use openwrt with mulvad configured
 * [ ] evaluate imposing solutions
    * [ ] pdfarranger
 #### external services
 we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
 - [x] analyse best way to include our stuff into external nixOs server
  - [x] writing some module that is included by the server
  - [x] directly use nixOs container on host
  - [x] combination of both (module that manages nginx blabla + nixOs container for the services
 #### bots&progrmaming
 * [ ] create telegram bot automatically posting tuesday events
 * [x] create webapp/interface replacing current task list pad
  * could be a simple form for every tuesday
  * [x] element bot should send updates if some tasks are not filled out
--- a/flake.lock
+++ b/flake.lock
@@ -1,26 +1,5 @@
 {
  "nodes": {
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730135292,
        "narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "latest",
        "repo": "disko",
        "type": "github"
      }
    },
    "ep3-bs": {
      "inputs": {
        "nixpkgs": [
@@ -42,24 +21,6 @@
        "url": "https://git.dynamicdiscord.de/kalipso/ep3-bs.nix"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -67,16 +28,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1733951536,
+        "lastModified": 1726989464,
-        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
+        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
+        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-24.11",
+        "ref": "release-24.05",
        "repo": "home-manager",
        "type": "github"
      }
@@ -100,35 +61,13 @@
        "type": "github"
      }
    },
    "microvm": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
        "spectrum": "spectrum"
      },
      "locked": {
        "lastModified": 1734041466,
        "narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
        "owner": "astro",
        "repo": "microvm.nix",
        "rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
        "type": "github"
      },
      "original": {
        "owner": "astro",
        "repo": "microvm.nix",
        "type": "github"
      }
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1733620091,
+        "lastModified": 1729386149,
-        "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=",
+        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b",
+        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
        "type": "github"
      },
      "original": {
@@ -145,11 +84,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733965598,
+        "lastModified": 1729472750,
-        "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=",
+        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f",
+        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
        "type": "github"
      },
      "original": {
@@ -160,11 +99,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1733861262,
+        "lastModified": 1729742320,
-        "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
+        "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
+        "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
        "type": "github"
      },
      "original": {
@@ -190,13 +129,29 @@
        "type": "github"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1733759999,
+        "lastModified": 1729357638,
-        "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
+        "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
+        "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1729665710,
        "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
        "type": "github"
      },
      "original": {
@@ -208,27 +163,25 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1733808091,
+        "lastModified": 1729449015,
-        "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
+        "narHash": "sha256-Gf04dXB0n4q0A9G5nTGH3zuMGr6jtJppqdeljxua1fo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
+        "rev": "89172919243df199fe237ba0f776c3e3e3d72367",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "disko": "disko",
        "ep3-bs": "ep3-bs",
        "home-manager": "home-manager",
        "mfsync": "mfsync",
        "microvm": "microvm",
        "nixos-generators": "nixos-generators",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
@@ -242,14 +195,15 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ]
+        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1733965552,
+        "lastModified": 1729695320,
-        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+        "narHash": "sha256-Fm4cGAlaDwekQvYX0e6t0VjT6YJs3fRXtkyuE4/NzzU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+        "rev": "d089e742fb79259b9c4dd9f18e9de1dd4fa3c1ec",
        "type": "github"
      },
      "original": {
@@ -258,22 +212,6 @@
        "type": "github"
      }
    },
    "spectrum": {
      "flake": false,
      "locked": {
        "lastModified": 1733308308,
        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
        "ref": "refs/heads/main",
        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
        "revCount": 792,
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      },
      "original": {
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@@ -319,21 +257,6 @@
        "type": "github"
      }
    },
    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tasklist": {
      "inputs": {
        "nixpkgs": [
@@ -392,14 +315,14 @@
    },
    "utils_3": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_3"
      },
      "locked": {
-        "lastModified": 1731533236,
+        "lastModified": 1726560853,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -3,15 +3,11 @@
  inputs = {
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    mfsync.url = "github:k4lipso/mfsync";
    microvm.url = "github:astro/microvm.nix";
    microvm.inputs.nixpkgs.follows = "nixpkgs";
    disko.url = "github:nix-community/disko/latest";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    utils = {
      url = "github:numtide/flake-utils";
@@ -33,7 +29,7 @@
    };
    home-manager=  {
-      url = "github:nix-community/home-manager/release-24.11";
+      url = "github:nix-community/home-manager/release-24.05";
      inputs = {
        nixpkgs.follows = "nixpkgs";
      };
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -5,7 +5,6 @@
 keys:
  - &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb
  - &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4
  - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
  - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
  - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
  - &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
@@ -16,21 +15,15 @@ creation_rules:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_moderatio
      age:
      - *admin_atlan
  - path_regex: lucia/secrets.yaml$
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_lucia
      age:
      - *admin_atlan
  - path_regex: durruti/secrets.yaml$
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_durruti
      age:
      - *admin_atlan
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -1,83 +0,0 @@
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
      ../modules/xserver.nix
      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
    ];
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
    project = "malobeo";
    jobset = "infrastructure";
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  boot.loader.systemd-boot.enable = true;
  hardware.sane.enable = true; #scanner support
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  users.users.malobeo = {
    packages = with pkgs; [
      firefox
      thunderbird
      telegram-desktop
      tor-browser-bundle-bin
      keepassxc
      libreoffice
      gimp
      inkscape
      okular
      element-desktop
      chromium
      mpv
      vlc
      simple-scan
    ];
  };
  services.tor = {
    enable = true;
    client.enable = true;
  };
  services.printing.enable = true;
  services.printing.drivers = [
    (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
    pkgs.gutenprint
    pkgs.gutenprintBin
    pkgs.brlaser
    pkgs.brgenml1lpr 
    pkgs.brgenml1cupswrapper
  ];
  # needed for printing drivers
  nixpkgs.config.allowUnfree = true; 
  services.acpid.enable = true;
  networking.hostName = "bakunin";
  networking.networkmanager.enable = true;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    systemWide = true;
  };
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "23.05"; # Do.. Not.. Change..
 }
--- a/machines/bakunin/hardware-configuration.nix
+++ b/machines/bakunin/hardware-configuration.nix
@@ -1,49 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
 boot.initrd.luks.devices = {
 root = {
 device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
 preLVM = true;
 allowDiscards = true;
 };
 };
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/402B-2026";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -40,61 +40,16 @@ let
    }
  ];
  defaultModules = baseModules;
  makeMicroVM = hostName: ipv4Addr: modules: [
    inputs.microvm.nixosModules.microvm
    {
      microvm = {
        hypervisor = "cloud-hypervisor";
        mem = 2560;
        shares = [
          {
            source = "/nix/store";
            mountPoint = "/nix/.ro-store";
            tag = "store";
            proto = "virtiofs";
            socket = "store.socket";
          }
          {
            source = "/var/lib/microvms/${hostName}/etc";
            mountPoint = "/etc";
            tag = "etc";
            proto = "virtiofs";
            socket = "etc.socket";
          }
          {
            source = "/var/lib/microvms/${hostName}/var";
            mountPoint = "/var";
            tag = "var";
            proto = "virtiofs";
            socket = "var.socket";
          }
        ];
        interfaces = [
          {
            type = "tap";
            id = "vm-${hostName}";
            mac = "02:00:00:00:00:01";
          }
        ];
      };
      systemd.network.enable = true;
      systemd.network.networks."20-lan" = {
        matchConfig.Type = "ether";
        networkConfig = {
          Address = [ "${ipv4Addr}/24" ];
          Gateway = "10.0.0.1";
          DNS = ["1.1.1.1"];
          DHCP = "no";
        };
      };
    }
  ] ++ defaultModules ++ modules;
 in
 {
  moderatio = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    modules = defaultModules ++ [
      ./moderatio/configuration.nix
    ];
  };
  louise = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
@@ -103,32 +58,10 @@ in
    ];
  };
  bakunin = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    modules = defaultModules ++ [
      ./bakunin/configuration.nix
      inputs.disko.nixosModules.disko
      ./modules/disko/btrfs-laptop.nix
    ];
  };
  fanny = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    modules = defaultModules ++ [
      ./fanny/configuration.nix
      inputs.disko.nixosModules.disko
      ./modules/disko/fanny.nix
    ];
  };
  durruti = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
-    specialArgs.self = self;
+    modules = defaultModules ++ [
    modules = makeMicroVM "durruti" "10.0.0.5" [
      ./durruti/configuration.nix
    ];
  };
--- a/machines/durruti/configuration.nix
+++ b/machines/durruti/configuration.nix
@@ -5,6 +5,7 @@ with lib;
 {
  sops.defaultSopsFile = ./secrets.yaml;
  boot.isContainer = true;
  networking = {
    hostName = mkDefault "durruti";
    useDHCP = false;
@@ -22,16 +23,55 @@ with lib;
  imports = [
    inputs.ep3-bs.nixosModules.ep3-bs
    inputs.tasklist.nixosModules.malobeo-tasklist
    ./documentation.nix
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    ../modules/minimal_tools.nix
    ../modules/autoupdate.nix
  ];
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
    project = "malobeo";
    jobset = "infrastructure";
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  services.malobeo-tasklist.enable = true;
  services.ep3-bs = {
    enable = true;
    in_production = true;
    favicon = ./circle-a.png;
    logo = ./malobeo.png;
    mail = {
      type = "smtp-tls";
      address = "dynamicdiscorddresden@systemli.org";
      host = "mail.systemli.org";
      user = "dynamicdiscorddresden@systemli.org";
      passwordFile = config.sops.secrets.ep3bsMail.path;
      auth = "plain";
    };
    database = {
      user = "malodbuser";
      passwordFile = config.sops.secrets.ep3bsDb.path;
    };
  };
  sops.secrets.ep3bsDb = {
    owner = config.services.ep3-bs.user;
    key = "ep3bsDb";
  };
  sops.secrets.ep3bsMail = {
    owner = config.services.ep3-bs.user;
    key = "ep3bsMail";
  };
  system.stateVersion = "22.11"; # Did you read the comment?
 }
--- a/machines/durruti/documentation.nix
+++ b/machines/durruti/documentation.nix
@@ -1,15 +0,0 @@
 { config, self, ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts."_" = {
      listen = [ 
        { addr = "0.0.0.0"; port = 9000; } 
      ];
      root = "${self.packages.x86_64-linux.docs}/share/doc";
    };
  };
  networking.firewall.allowedTCPPorts = [ 9000 ];
 }
--- a/machines/durruti/host_config.nix
+++ b/machines/durruti/host_config.nix
@@ -33,12 +33,6 @@ in
      }
    ];
    services.nginx.virtualHosts."docs.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
      locations."/".proxyPass = "http://${cfg.host_ip}:9000";
    };
    services.nginx.virtualHosts."tasklist.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
@@ -50,5 +44,6 @@ in
      enableACME= true;
      locations."/".proxyPass = "http://${cfg.host_ip}:80";
    };
  };
 }
--- a/machines/durruti/secrets.yaml
+++ b/machines/durruti/secrets.yaml
@@ -6,75 +6,66 @@ sops:
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age:
+    age: []
        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84
            LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw
            bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm
            SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV
            45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-06-26T10:07:26Z"
    mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
    pgp:
-        - created_at: "2024-11-14T13:03:00Z"
+        - created_at: "2024-06-26T10:06:21Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQGMA5HdvEwzh/H7AQwAhcsRc3mCqKgUFym0W5lTN6j5xg+o0PF31ZQ3qqkO3b5+
+            hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+
-            nIPH8Ee7nrcfRCM2AV+TReaZ2qfP4TdU5j00F5977H5UM+UULFM+FSGcY63rkp80
+            43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT
-            1U1ZzxbzTwV5mil8dx3dmENMgFpKy0J2MatPdR5bu/z0o7sLty1DUq9hiQOTfM3F
+            d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc
-            u1mfmY37YewMBmxlzDJ3Z5+lslRJUqa3Ho9atjYhwxZTYgh9QQtnm8kRjNM/HKpQ
+            5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN
-            sDAWu9JXit33WwHayxUFWZ5syiwsbFxAelrZnluW3KiKu3v+9VO7X6dJsrrIB6Xt
+            MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu
-            j/mJhwkwJ39xHD/eQqMJsdAum8Pgxi40XjD6wJvmIhYz1y8Lbymanb+6U+fJk71V
+            eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv
-            ZLsbk+sR1Jkh+L3NV+UGlMusgQuxcE2xQjNMEbpzk1xXsFFz+QxVxx6HZp8xRh4v
+            pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf
-            M8L2LkiZp5w8iij+uJ+k0ovu4XH2Bf/2myhabfRrk5bPZbweH/bJOxChIgf/b/ZP
+            Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W
-            FdfHGP0KlJe+jMGY3j7c0lgB9k2vyvYTHaAOcQoe/HdKNvueMMYDIzxLZ6sXsn+z
+            CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs
-            jhdW9FxM9g2ZOStq1Mwjzvb8rJCAFQH0s/3yHZY7rveaI88Z3G11i97D3OME2yAx
+            6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq
-            bxCHPCFfvmX/
+            OBN3luBRDDAj
-            =3wBJ
+            =+dua
            -----END PGP MESSAGE-----
          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-11-14T13:03:00Z"
+        - created_at: "2024-06-26T10:06:21Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA98TrrsQEbXUAQ//eBqaTG6/KiQFfEMog839q+nukWh3SHSnhCDyCAhdqKA3
+            hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo
-            Q9FSroIYEOMwE9SYkNC9T0/pf/ZmRuPBpx09b+q+1df4FLdajgpEbg1CyWnw7fyR
+            HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx
-            731vYt5hvN7PVtBGs842BcEvYwKVG33HTadi53l+pjDURpHGLWLbURiqchGrXpPn
+            hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh
-            o6rih4ueE0TmLHGugGKIr7n/XgH4xpsr/wFLQCnCaVATXdS1Tk86bTeu0HybmPlG
+            9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3
-            dw4TZrTSO7uq2GyczIC81HnLPisZ1w+7R0m58kV0FGFoDZIwczW46J/h3NLsjO0t
+            rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ
-            4zKV1oJUpCANalDCRBhf5RRatw/OzTgVHnpuGyaoAtWGyZpeQi2ntoEvFb3eWAc3
+            lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj
-            NMjc2bqamZEdfnBOmPILqRKINm60DkpiI7behY3oV178bWcp3iWsyA4biL0O0pf4
+            fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1
-            FXbW29zHnEr86wTlJmJIC5sGkNNtu0dNFAKuzKjAel9sVor183WkJk8NAgaaI/pD
+            2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl
-            pQV+l0ClexXGIW7p931Sn7u2JmXeNJM+yqRz5lDWMLakxygW2h4HDI8NOIS7xvP1
+            TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC
-            Ip3a5bGctGEVmAK9MEhcRIGcP7Aoacj7iZVg9bnac4HCX3wnnGjLDNL+XDzfmfUB
+            3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA
-            M48YUoDS1CSjlcTbgIaL3HeX84EYcoQdRjwRcI3pVpPkJTpi/t2I+/2tOP92sm7S
+            UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS
-            WAHfIeh3niCzrQa//nwdAEQq+7YrDCDia7SSxDDrRM+/LTaQacoo9SuaHuEANZ/P
+            WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt
-            +x7rrZsnQq8UBpnd+dQCyxipQvwmjtp9N5xKcragt1LdH4M+Q/qoSIo=
+            08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ=
-            =4vnh
+            =7OG0
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2024-11-14T13:03:00Z"
+        - created_at: "2024-06-26T10:06:21Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA1kR3vWkIYVnAQ//UfsG62+53p9PyXN+c6hoMg+MqWxjvia9kHvjE3Q3bcO+
+            hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf
-            KVYqD8CszyTwiTV0RoTWddyiZwZHKkH/ymTtnNafG6NVo3XrYpRmO7SxmVMm1BIt
+            XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6
-            HrBCdQkLDQOzqbeKBV9bGqO3xHKLEu0vwFkEdpWpNrjkKZfYQ8SjE/6vTJRPeBxx
+            GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U
-            Z++g8540vZtB0V2YzKStJJ8LcsU+3j1/+NlUJZamXUGT4AnxH3atWuKqC39CZAU6
+            e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc
-            0iHxKEcHcQYPAmvTqtxTH0ELIaRYBIRlzCs0MVjmmfVyaeJOZGyd32vikQMUCrf/
+            B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l
-            EvThUCnq3+qCNjLlp1tQbLJV4B6ptAuj6uns2Z9Xmj1j4nFgUKvsc1MPnuSQsOnM
+            aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv
-            tLF0qsVvunvLbHXhb/Z4uDaNMst8jWEGhk52QYCZ6pgq1zoN63tOAxD+HK12KSYQ
+            FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v
-            emcDTjGqLTxe2dTiFMHlOkmTk/unEJXI1rJEalBaLqzDFg2tS6I1swQKG115wUfv
+            eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK
-            COHQtmbWmwIMtcl0q/QHfSyc+jPVHoadj6ZZFS1iL9Er/zx1nuD5ybkHntQdO0Gb
+            0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU
-            YwfyLzhFQ4gKgDiXwHdjYmHeDnXI9mrH3Cypcc/I8WV96cMnuKQBrD7V3NKpjFMS
+            fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM
-            CaLMVDQqwMoGi+Xi8Ve5oRCa/qt5UEpL1CZZUxNNE11ggPYI22ecKjegdIlGuWHS
+            cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS
-            WAE4FsZZNLt+RWZxIW0iTP0BzDuCMQFkismL0YyDI18g1dG/sl43+ecd6F9yoWYP
+            WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG
-            sXjR3gwbASdHHXeYFAxbPX3Q/XT+SQzOAFigPhD0LUFRX2Cf/Q2yu34=
+            HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto=
-            =FLuF
+            =GiUe
            -----END PGP MESSAGE-----
          fp: 4095412245b6efc14cf92ca25911def5a4218567
    unencrypted_suffix: _unencrypted
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -1,44 +0,0 @@
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
    ];
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
    project = "malobeo";
    jobset = "infrastructure";
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  boot.loader.systemd-boot.enable = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  services.tor = {
    enable = true;
    client.enable = true;
  };
  # needed for printing drivers
  nixpkgs.config.allowUnfree = true; 
  services.acpid.enable = true;
  networking.hostName = "fanny";
  networking.hostId = "1312acab";
  networking.networkmanager.enable = true;
  virtualisation.vmVariant.virtualisation.graphics = false;
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "23.05"; # Do.. Not.. Change..
 }
--- a/machines/louise/configuration.nix
+++ b/machines/louise/configuration.nix
@@ -67,13 +67,17 @@
  networking.hostName = "louise";
  networking.networkmanager.enable = true;
-  security.rtkit.enable = true;
+  sound.enable = true;
-  services.pipewire = {
+  hardware.pulseaudio = {
    enable = true;
    zeroconf.discovery.enable = true;
    extraConfig = ''
      load-module module-zeroconf-discover
    '';
  };
  services.avahi = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    systemWide = true;
  };
--- a/machines/lucia/configuration.nix
+++ b/machines/lucia/configuration.nix
@@ -7,6 +7,7 @@ in
  imports =
    [ # Include the results of the hardware scan.
      ../modules/malobeo_user.nix
      ./file_server.nix
    ];
  sops.defaultSopsFile = ./secrets.yaml;
@@ -14,12 +15,20 @@ in
  services.openssh.enable = true;
  services.openssh.ports = [ 22 ];
-  services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.passwordAuthentication = false;
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
  boot.loader.grub.enable = false;
  boot.loader.raspberryPi.enable = false;
  boot.loader.raspberryPi.version = 3;
  boot.loader.raspberryPi.uboot.enable = true;
  boot.loader.raspberryPi.firmwareConfig = ''
    dtparam=audio=on
    hdmi_ignore_edid_audio=1
    audio_pwm_mode=2
  '';
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;
@@ -31,8 +40,12 @@ in
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # hardware audio support:
  sound.enable = true;
  services = {
  dokuwiki.sites."wiki.malobeo.org" = {
    enable = true;
    #acl = "* @ALL 8";  # everyone can edit using this config
@@ -186,7 +199,7 @@ in
  services.avahi = {
    enable = true;
-    nssmdns4 = true;
+    nssmdns = true;
    publish = {
      enable = true;
      addresses = true;
--- a/machines/lucia/file_server.nix
+++ b/machines/lucia/file_server.nix
@@ -0,0 +1,36 @@
 {
  #automount mit udisks2
    #siehe udevadm monitor
    #bash-script?
    #user-oder root mount
  #systemd-automount villeicht
    fileSystems = {
      "/mnt/extHdd0" = {               #statisches mounten ist am einfachsten aber kein hotplug möglich
        device = "/dev/disk/by-uuid/"; #noch ausfüllen
        fsType = "ext4";               #zfs wäre hier cool
        options = [ "users" "nofail" ];
      };
      "/exports/extHdd0" = {
        device = "/mnt/extHdd0";
        fsType = "none";
      };
    };
    users.groups = { nfs = {gid = 1003; }; }; #erstelle nfs user und gruppe für isolation
    users.users.nfs = {
      isSystemUser = true;
      group = "nfs";
      uid = 1003;
    };
    users.users.malobeo.extraGroups = [ "nfs" ];
    systemd.tmpfiles.rules = [ "d /export 0775 nfs nfs -" ]; #erstelle nfs ordner
    services.nfs.server = {
      enable = true;
      exports = ''
        /export 192.168.1.0/24(ro, nohide, no_subtree_check, async, all_squash, anonuid=1003, anongid=1003)
      '';
    };
    networking.firewall.allowedTCPPorts = [ 2049 ]; #wir benutzen NfsV4 hoffentlich
 }
--- a/machines/lucia/secrets.yaml
+++ b/machines/lucia/secrets.yaml
@@ -5,75 +5,66 @@ sops:
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age:
+    age: []
        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh
            RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5
            NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4
            aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
            f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-10-24T15:09:51Z"
    mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
    pgp:
-        - created_at: "2024-11-14T13:02:46Z"
+        - created_at: "2023-10-24T14:42:18Z"
-          enc: |-
+          enc: |
            -----BEGIN PGP MESSAGE-----
-            hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3
+            hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T
-            edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv
+            xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw
-            aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI
+            L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ
-            V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB
+            /f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd
-            aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ
+            eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb
-            513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf
+            mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez
-            2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF
+            cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh
-            rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9
+            3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a
-            lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn
+            FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2
-            2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc
+            XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT
-            qkz9uKEGrGjb
+            WxGMHNWqN7NS
-            =wPkW
+            =XZkW
            -----END PGP MESSAGE-----
          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-11-14T13:02:46Z"
+        - created_at: "2023-10-24T14:42:18Z"
-          enc: |-
+          enc: |
            -----BEGIN PGP MESSAGE-----
-            hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC
+            hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA
-            FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU
+            WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT
-            OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX
+            iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW
-            HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu
+            1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH
-            Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs
+            X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN
-            58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg
+            0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q
-            JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp
+            D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF
-            epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y
+            apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf
-            GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG
+            OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/
-            ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8
+            y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz
-            a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS
+            DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS
-            WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0
+            WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf
-            m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko=
+            MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0=
-            =DC78
+            =2A7P
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2024-11-14T13:02:46Z"
+        - created_at: "2023-10-24T14:42:18Z"
-          enc: |-
+          enc: |
            -----BEGIN PGP MESSAGE-----
-            hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL
+            hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO
-            3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB
+            2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU
-            OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg
+            VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA
-            2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN
+            2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464
-            +QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI
+            qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL
-            ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0
+            m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi
-            R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J
+            KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF
-            pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW
+            rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx
-            608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m
+            3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ
-            c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl
+            emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh
-            64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS
+            1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS
-            WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu
+            WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7
-            8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY=
+            wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo=
-            =8HBK
+            =NnkE
            -----END PGP MESSAGE-----
          fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
    unencrypted_suffix: _unencrypted
--- a/machines/moderatio/configuration.nix
+++ b/machines/moderatio/configuration.nix
@@ -0,0 +1,92 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
 {
  services.acpid.enable = true;
  boot.kernelPackages = pkgs.linuxPackages_5_4;
  services.xserver.videoDrivers = [ "intel" ];
  services.xserver.deviceSection = ''
    Option "DRI" "2"
    Option "TearFree" "true"
  '';
  zramSwap.enable = true;
  zramSwap.memoryPercent = 150;
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ./zfs.nix
      ../modules/xserver.nix
      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
    ];
  users.users.malobeo = {
    packages = with pkgs; [
      firefox
      thunderbird
    ];
  };
  networking.hostName = "moderatio"; # Define your hostname.
  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkbOptions in tty.
  # };
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio.enable = true;
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.05"; # Did you read the comment?
 }
--- a/machines/moderatio/hardware-configuration.nix
+++ b/machines/moderatio/hardware-configuration.nix
@@ -8,42 +8,46 @@
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "ums_realtek" "sd_mod" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
 boot.initrd.luks.devices = {
 root = {
 device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
 preLVM = true;
 allowDiscards = true;
 };
 };
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
+    { device = "rpool/nixos/root";
-      fsType = "btrfs";
+      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
    };
  fileSystems."/home" =
    { device = "rpool/nixos/home";
      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
    };
  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/402B-2026";
+    { device = "bpool/nixos/root";
      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
    };
  fileSystems."/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1" =
    { device = "/dev/disk/by-uuid/A0D1-00C1";
      fsType = "vfat";
    };
-  swapDevices =
+  fileSystems."/boot/efi" =
-    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
+    { device = "/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1";
-    ];
+      fsType = "none";
      options = [ "bind" ];
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/moderatio/zfs.nix
+++ b/machines/moderatio/zfs.nix
@@ -0,0 +1,34 @@
 { config, pkgs, ... }:
 { boot.supportedFilesystems = [ "zfs" ];
  networking.hostId = "ae749b82";
  #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 boot.loader.efi.efiSysMountPoint = "/boot/efi";
 boot.loader.efi.canTouchEfiVariables = false;
 boot.loader.generationsDir.copyKernels = true;
 boot.loader.grub.efiInstallAsRemovable = true;
 boot.loader.grub.enable = true;
 boot.loader.grub.version = 2;
 boot.loader.grub.copyKernels = true;
 boot.loader.grub.efiSupport = true;
 boot.loader.grub.zfsSupport = true;
 boot.loader.grub.extraPrepareConfig = ''
  mkdir -p /boot/efis
  for i in  /boot/efis/*; do mount $i ; done
  mkdir -p /boot/efi
  mount /boot/efi
 '';
 boot.loader.grub.extraInstallCommands = ''
 ESP_MIRROR=$(mktemp -d)
 cp -r /boot/efi/EFI $ESP_MIRROR
 for i in /boot/efis/*; do
 cp -r $ESP_MIRROR/EFI $i
 done
 rm -rf $ESP_MIRROR
 '';
 boot.loader.grub.devices = [
      "/dev/disk/by-id/ata-ST250LT003-9YG14C_W041QXCA"
    ];
 users.users.root.initialHashedPassword = "$6$PmoyhSlGGT6SI0t0$.cFsLyhtO1ks1LUDhLjG0vT44/NjuWCBrv5vUSXqwrU5WpaBvvthnLp0Dfwfyd6Zcdx/4izDcjQAgEWs4QdzW0";
 }
--- a/machines/modules/disko/btrfs-laptop.nix
+++ b/machines/modules/disko/btrfs-laptop.nix
@@ -1,63 +0,0 @@
 { config, self, inputs, ... }:
 {
  imports = [
    inputs.disko.nixosModules.disko
  ];
  # https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        # When using disko-install, we will overwrite this value from the commandline
        device = "/dev/disk/by-id/some-disk-id";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            luks = {
              size = "100%";
              content = {
                type = "luks";
                name = "crypted";
                passwordFile = /tmp/secret.key; # Interactive
                content = {
                  type = "btrfs";
                  extraArgs = [ "-f" ];
                  subvolumes = {
                    "/root" = {
                      mountpoint = "/";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/home" = {
                      mountpoint = "/home";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/nix" = {
                      mountpoint = "/nix";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/swap" = {
                      mountpoint = "/.swapvol";
                      swap.swapfile.size = "20M";
                    };
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/machines/modules/disko/fanny.nix
+++ b/machines/modules/disko/fanny.nix
@@ -1,141 +0,0 @@
 {
  disko.devices = {
    disk = {
      ssd = {
        type = "disk";
        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1024M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
      hdd0 = {
        type = "disk";
        device = "/dev/sdb";
        content = {
          type = "gpt";
          partitions = {
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "storage";
              };
            };
          };
        };
      };
      hdd1 = {
        type = "disk";
        device = "/dev/sdc";
        content = {
          type = "gpt";
          partitions = {
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "storage";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        mode = "";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        rootFsOptions = {
          compression = "zstd";
          "com.sun:auto-snapshot" = "false";
        };
        datasets = {
          encrypted = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              keylocation = "file:///tmp/root.key";
            };
            # use this to read the key during boot
            postCreateHook = ''
              zfs set keylocation="prompt" "zroot/$name";
            '';
          };
          "encrypted/root" = {
            type = "zfs_fs";
            mountpoint = "/";
          };
          "encrypted/var" = {
            type = "zfs_fs";
            mountpoint = "/var";
          };
          "encrypted/etc" = {
            type = "zfs_fs";
            mountpoint = "/etc";
          };
          "encrypted/home" = {
            type = "zfs_fs";
            mountpoint = "/home";
          };
          "encrypted/nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
          };
        };
      };
      storage = {
        type = "zpool";
        mode = "mirror";
        datasets = {
          encrypted = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              keylocation = "file:///tmp/storage.key";
            };
            # use this to read the key during boot
            postCreateHook = ''
              zfs set keylocation="prompt" "zroot/$name";
            '';
          };
          "encrypted/data" = {
            type = "zfs_fs";
            mountpoint = "/data";
          };
        };
      };
    };
  };
 }
--- a/machines/modules/malobeo/microvm_host.nix
+++ b/machines/modules/malobeo/microvm_host.nix
@@ -1,119 +0,0 @@
 { config, self, lib, inputs, options, pkgs, ... }:
 with lib;
 let
  cfg = config.services.malobeo.microvm;
 in
 {
  options = {
    services.malobeo.microvm = {
      enableHostBridge = mkOption {
        default = false;
        type = types.bool;
        description = lib.mdDoc "Setup bridge device for microvms.";
      };
      enableHostBridgeUnstable = mkOption {
        default = false;
        type = types.bool;
        description = lib.mdDoc "Setup bridge device for microvms.";
      };
      deployHosts = mkOption {
        default = [];
        type = types.listOf types.str;
        description = ''
          List hostnames of MicroVMs that should be automatically initializes and autostart
        '';
      };
    };
  };
  imports = [
    inputs.microvm.nixosModules.host
  ];
  config = { 
    assertions = [
      {
        assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge);
        message = ''
          Only enableHostBridge or enableHostBridgeUnstable! Not Both!
        '';
      }
    ];
    systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
      enable = true;
      # create a bride device that all the microvms will be connected to
      netdevs."10-microvm".netdevConfig = {
        Kind = "bridge";
        Name = "microvm";
      };
      networks."10-microvm" = {
        matchConfig.Name = "microvm";
        networkConfig = {
          DHCPServer = true;
          IPv6SendRA = true;
        };
        addresses = if cfg.enableHostBridgeUnstable then [
          { Address = "10.0.0.1/24"; }
        ] else [
          { addressConfig.Address = "10.0.0.1/24"; }
        ];
      };
      # connect the vms to the bridge
      networks."11-microvm" = {
        matchConfig.Name = "vm-*";
        networkConfig.Bridge = "microvm";
      };
    }; 
    microvm.vms = 
    let
      # Map the values to each hostname to then generate an Attrset using listToAttrs
      mapperFunc = name: { inherit name; value = {
          # Host build-time reference to where the MicroVM NixOS is defined
          # under nixosConfigurations
          flake = inputs.malobeo; 
          # Specify from where to let `microvm -u` update later on
          updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure";
        }; };
    in
    builtins.listToAttrs (map mapperFunc cfg.deployHosts);
    systemd.services = builtins.foldl' (services: name: services // {
      "microvm-update@${name}" = {
        description = "Update MicroVMs automatically";
        after = [ "network-online.target" ];
        wants = [ "network-online.target" ];
        unitConfig.ConditionPathExists = "/var/lib/microvms/${name}";
        serviceConfig = {
          LimitNOFILE = "1048576";
          Type = "oneshot";
        };
        path = with pkgs; [ nix git ];
        environment.HOME = config.users.users.root.home;
        script = ''
          /run/current-system/sw/bin/microvm -Ru ${name}
        '';
      };
    }) {} (cfg.deployHosts);
    systemd.timers = builtins.foldl' (timers: name: timers // {
    "microvm-update-${name}" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        Unit = "microvm-update@${name}.service";
        # three times per hour
        OnCalendar = "*:0,20,40:00";
        Persistent = true;
      };
    };
  }) {} (cfg.deployHosts);
  };
 }
--- a/machines/modules/sshd.nix
+++ b/machines/modules/sshd.nix
@@ -6,7 +6,7 @@ in
 {
  services.openssh.enable = true;
  services.openssh.ports = [ 22 ];
-  services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.passwordAuthentication = false;
  services.openssh.settings.PermitRootLogin = "no";
  users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
 }
--- a/machines/modules/xserver.nix
+++ b/machines/modules/xserver.nix
@@ -7,6 +7,7 @@
      xterm.enable = false;
      cinnamon.enable = true;
    };
    displayManager.defaultSession = "cinnamon";
  };
  services.displayManager.defaultSession = "cinnamon";
 }
--- a/machines/ssh_keys.nix
+++ b/machines/ssh_keys.nix
@@ -3,6 +3,5 @@
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de"
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxgcjNOYbza3+RfANFDXy7HXNRFlkpDOAcGyB7MKshiVlbPByWRSjfZa0BeRNjpeCd8QkIodKUzqYOCOrc8ad3kiNbdLRcDz57A5xSLD3ynakoWJo0AmJjT3Ta1JJj8inNwwykR0ig5//SrtsZb9HkWJDAF017MokM2r8AWPE1QzcQdh93kojXcgTHrJHzEqgKbEGDEk37f1RvZG4umEFeqdK2FvS5isPa7P9X7hyyoDC8bvEy7xfaDrToJAoXon6r79taxH8UWIvy//xsU0NBLYK2eE4RQe2AjF6Ri+CybI6y1SsHOvyh4nNKWlfUOEL6UnIulRn/LXFOKCJi7xuoTeJXS0+w1DNEuiGosVNXPSKbUm/eDBVnb8Iyep9wmygSZayN82xL5lRlG3Mn45ttecqfm2SJkmduBA5qXcTdDPe/lXTZaVO9tbiIcJfUgd3ttEu2+6YjLn74D965PlovzvR6EhbVUZ8IkOAt4VmuTkXIdm8SCS7jzhsiKeUXoZ4rfa375zi79SIPuIkoMasj6d16wcYOeFIUIMFFccfQ9jQjr9NTSXC2dd7sfbI9I9mF7eRQSsUdSwpP8WH1b+M1MxTbdhEUdPwpOLviTTIuk8E8K8DQDZIcOOh38mCDpyoh02nwfRxlyoYVsKAHIQH02dHTvYEa3/pMsRwGc9W1Ow== kalipso@desktop"
   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
 ];
 }
--- a/outputs.nix
+++ b/outputs.nix
@@ -4,7 +4,6 @@
 , nixpkgs-unstable
 , nixos-generators
 , sops-nix
 , microvm
 , ...
 } @inputs:
@@ -16,106 +15,15 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
    pkgs = nixpkgs.legacyPackages."${system}";
  in
  {
-    devShells.default =
+    devShells.default = pkgs.callPackage ./shell.nix {
-    let
+      inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
      sops = sops-nix.packages."${pkgs.system}";
      microvmpkg = microvm.packages."${pkgs.system}";
    in
    pkgs.mkShell {
      sopsPGPKeyDirs = [
        "./machines/secrets/keys/hosts"
        "./machines/secrets/keys/users"
      ];
      nativeBuildInputs = [
        sops.ssh-to-pgp
        sops.sops-import-keys-hook
        sops.sops-init-gpg-key
        pkgs.sops
        pkgs.age
        pkgs.python310Packages.grip
        pkgs.mdbook
        microvmpkg.microvm
      ];
    };
    packages = {
      docs = pkgs.stdenv.mkDerivation {
        name = "malobeo-docs";
        phases = [ "buildPhase" ];
        buildInputs = [ pkgs.mdbook ];
        inputs = pkgs.lib.sourceFilesBySuffices ./doc/. [ ".md" ".toml" ];
        buildPhase = ''
          dest=$out/share/doc
          mkdir -p $dest
          cp -r --no-preserve=all $inputs/* ./
          mdbook build
          ls
          cp -r ./book/* $dest
        '';
      };
    } //
    builtins.foldl'
    (result: host:
      let
        inherit (self.nixosConfigurations.${host}) config;
      in
      result // {
        # boot any machine in a microvm
        "${host}-vm" = (self.nixosConfigurations.${host}.extendModules {
          modules = [{
            microvm = {
              mem = pkgs.lib.mkForce 4096;
              hypervisor = pkgs.lib.mkForce "qemu";
              socket = pkgs.lib.mkForce null;
              shares = pkgs.lib.mkForce [{
                tag = "ro-store";
                source = "/nix/store";
                mountPoint = "/nix/.ro-store";
              }];
              interfaces = pkgs.lib.mkForce [{
                type = "user";
                id = "eth0";
                mac = "02:23:de:ad:be:ef";
              }];
            };
            boot.isContainer = pkgs.lib.mkForce false;
            users.users.root.password = "";
            fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
            services.getty.helpLine = ''
              Log in as "root" with an empty password.
              Use "reboot" to shut qemu down.
            '';
          }] ++ pkgs.lib.optionals (! config ? microvm) [
            microvm.nixosModules.microvm
          ];
        }).config.microvm.declaredRunner;
    })
    { }
    (builtins.attrNames self.nixosConfigurations);
    apps = {
      docs = {
        type = "app";
        program = builtins.toString (pkgs.writeShellScript "docs" ''
          ${pkgs.mdbook}/bin/mdbook serve --open ./doc
        '');
      };
    };
  })) // rec {
    nixosConfigurations = import ./machines/configuration.nix (inputs // {
      inherit inputs;
      self = self;
    });
-    nixosModules.malobeo.imports = [
+    nixosModules.malobeo = import ./machines/durruti/host_config.nix;
      ./machines/durruti/host_config.nix
      ./machines/modules/malobeo/microvm_host.nix
    ];
    hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
      let
--- a/shell.nix
+++ b/shell.nix
@@ -0,0 +1,22 @@
 { mkShell
 , sops-import-keys-hook
 , ssh-to-pgp
 , sops-init-gpg-key
 , sops
 , pkgs
 }:
 mkShell {
  sopsPGPKeyDirs = [
    "./machines/secrets/keys/hosts"
    "./machines/secrets/keys/users"
  ];
  nativeBuildInputs = [
    ssh-to-pgp
    sops-import-keys-hook
    sops-init-gpg-key
    sops
    pkgs.python310Packages.grip
  ];
 }
Author	SHA1	Message	Date
ahtlon	9a667c8bdc	kleine fehler behoben All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m48s Details	2024-10-26 20:16:19 +02:00
ahtlon	705d895f0e	erstmal statisches mounten --es fehlt die disk uuid All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m24s Details	2024-10-26 19:56:46 +02:00
ahtlon	cfc023f9b1	erstelle nfs user	2024-10-26 19:33:49 +02:00
ahtlon	1201f0fc53	erstelle exports ordner	2024-10-26 19:08:14 +02:00