[initssh] add iproute2

I'll remove this later

.gitea/workflows/flake-check.yml

@@ -1,9 +1,8 @@
-name: "Evaluate Hydra Jobs"
+name: "Check flake syntax"
 on:
-  pull_request:
   push:
 jobs:
-  eval-hydra-jobs:
+  flake-check:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -11,5 +10,5 @@ jobs:
       run: |
         apt update -y
         apt install sudo -y        
-    - uses: cachix/install-nix-action@v27
-    - run: nix eval --no-update-lock-file --accept-flake-config .\#hydraJobs
+    - uses: cachix/install-nix-action@v30
+    - run: nix flake check --no-update-lock-file --accept-flake-config .

.gitignore

@@ -3,3 +3,7 @@
 *.log
 result
 *.qcow2
+.direnv/
+book/
+fanny-efi-vars.fd
+nix-store-overlay.img

README.md

@@ -1,44 +1,20 @@
 # malobeo infrastructure
 
-this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
-
-the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html)
-
-## hosts
-
-#### durruti
-- nixos-container running on dedicated hetzner server
-- login via ```ssh -p 222 malobeo@5.9.153.217```
-- if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
-- currently is running tasklist in detached tmux session
-  - [x] make module with systemd service out of that
-
-## creating a new host
-
-### setting up filesystem
-currently nixos offers no declarative way of setting up filesystems and partitions. that means this has to be done manually for every new host. [to make it as easy as possible we can use this guide to setup an encrypted zfs filesystem](https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/Root%20on%20ZFS.html)
-
-*we could create a shell script out of that*
+this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
 
 ### deploying configuration
 
-#### local deployment
-``` shell
-nixos-rebuild switch --use-remote-sudo
-```
+hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes.
+Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master.
 
-#### remote deployment
+### deploy fresh host
+if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html)
 
-you need the hostname and ip address of the host:
-``` shell
- nixos-rebuild switch --flake .#<hostname> --target-host root@<ip_address> --build-host localhost
-```
-
-in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources
+### testing configuration
 
+refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally
 
 ## development
-
 ### requirements
 we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf*
 ``` nix
@@ -55,77 +31,13 @@ a development shell with the correct environment can be created by running ```ni
 If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration)
 
 ### build a configuration
-
 to build a configuration run the following command (replace ```<hostname>``` with the actual hostname):
 
 ``` shell
 nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
 ```
 
-### building raspberry image
-
-for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM).
-
-to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix:
-
-``` nix
-boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-```
-
-then you can build the image with:
-
-``` shell
-nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage
-```
-
-### run a configuration as vm
-
-to run a vm we have to build it first using the following command (replace ```<hostname>``` with the actual hostname):
-
-``` shell
-nix build .#nixosConfigurations.<hostname>.config.system.build.vm
-```
-
-afterwards run the following command to start the vm:
-
-``` shell
-./result/bin/run-<hostname>-vm
-```
-
 ### documentation
 
-for documentation we currently just use README.md files.
-
-the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
-the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.
-
-## todos...
-
-#### infrastructure
-* [ ] host a local wiki with public available information about the space, for example:
-  * [ ] how to use coffe machine
-  * [ ] how to turn on/off electricity
-  * [ ] how to use beamer
-  * [ ] how to buecher ausleihen
-  * ...
-* [x] host some pad (codimd aka hedgedoc)
-* [ ] some network fileshare for storing the movies and streaming them within the network
-* [x] malobeo network infrastructure rework
-  * [x] request mulvad acc
-  * [x] remove freifunk, use openwrt with mulvad configured
-* [ ] evaluate imposing solutions
-    * [ ] pdfarranger
-
-#### external services
-we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
-- [x] analyse best way to include our stuff into external nixOs server
-  - [x] writing some module that is included by the server
-  - [x] directly use nixOs container on host
-  - [x] combination of both (module that manages nginx blabla + nixOs container for the services
-
-#### bots&progrmaming
-* [ ] create telegram bot automatically posting tuesday events
-* [x] create webapp/interface replacing current task list pad
-  * could be a simple form for every tuesday
-  * [x] element bot should send updates if some tasks are not filled out
-
+documentation is automatically build from master and can be found here: docs.malobeo.org  
+locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev```

doc/.gitignore

@@ -0,0 +1 @@
+book

doc/book.toml

@@ -0,0 +1,6 @@
+[book]
+authors = ["ahtlon"]
+language = "de"
+multilingual = false
+src = "src"
+title = "Malobeo Infrastruktur Dokumentation"

doc/src/Index.md

@@ -0,0 +1,43 @@
+# malobeo infrastructure
+
+this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
+
+### deploying configuration
+
+hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes.
+Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master.
+
+### deploy fresh host
+if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html)
+
+### testing configuration
+
+refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally
+
+## development
+### requirements
+we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf*
+``` nix
+nix.extraOptions = ''
+  experimental-features = nix-command flakes
+'';
+```
+
+More information about flakes can be found [here](https://nixos.wiki/wiki/Flakes)
+
+### dev shell
+a development shell with the correct environment can be created by running ```nix develop ```
+
+If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration)
+
+### build a configuration
+to build a configuration run the following command (replace ```<hostname>``` with the actual hostname):
+
+``` shell
+nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
+```
+
+### documentation
+
+documentation is automatically build from master and can be found here: docs.malobeo.org  
+locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev```

doc/src/SUMMARY.md

@@ -0,0 +1,24 @@
+# Summary
+
+- [Index](./Index.md)
+    - [Info]()
+        - [Aktuelle Server]()
+            - [Durruti](./server/durruti.md)
+            - [Lucia](./server/lucia.md)
+        - [Hardware]()
+        - [Netzwerk]()
+        - [Seiten]()
+            - [Website](./server/website.md)
+            - [musik](./projekte/musik.md)
+        - [TODO](./todo.md)
+        - [Modules]()
+            - [Initrd-ssh](./module/initssh.md)
+            - [Disks](./module/disks.md)
+    - [How-to]()
+        - [Create New Host](./anleitung/create.md)
+        - [Sops](./anleitung/sops.md)            
+        - [MaloVPN](./anleitung/wireguard.md)
+        - [Updates](./anleitung/updates.md)
+        - [Rollbacks](./anleitung/rollback.md)
+        - [MicroVM](./anleitung/microvm.md)
+        - [Update Nextcloud](./anleitung/update_nextcloud.md)

doc/src/anleitung/create.md

@@ -0,0 +1,23 @@
+# Create host with nixos-anywhere
+We use a nixos-anywhere wrapper script to deploy new hosts.
+The wrapper script takes care of copying persistent host keys before calling nixos-anywhere.
+
+To accomplish that boot the host from a nixos image and setup a root password.
+``` bash
+sudo su
+passwd
+```
+
+After that get the hosts ip using `ip a` and start deployment from your own machine:
+
+``` bash
+# from infrastrucutre repository root dir:
+nix develop .#
+remote-install hostname 10.0.42.23
+```
+
+# Testing Disko
+Testing disko partitioning is working quite well. Just run the following and check the datasets in the vm:
+```bash
+nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
+```

doc/src/anleitung/microvm.md

@@ -0,0 +1,102 @@
+### Declaring a MicroVM
+
+The hosts nixosSystems modules should be declared using the ```makeMicroVM``` helper function.
+Use durruti as orientation:
+``` nix
+    modules = makeMicroVM "durruti" "10.0.0.5" [
+      ./durruti/configuration.nix
+    ];
+```
+
+"durruti" is the hostname.  
+"10.0.0.5" is the IP assigned to its tap interface.  
+
+### Testing MicroVMs locally
+MicroVMs can be built and run easily on your localhost for development.  
+We provide the script ```run-vm``` to handle stuff like development (dummy) secrets, sharing directories, ect. easily.
+Usage examples:
+``` bash
+# run without args to get available options and usage info
+run-vm
+
+# run nextcloud locally with dummy secrets
+run-vm nextcloud --dummy-secrets
+
+# share a local folder as /var/lib dir so that nextcloud application data stays persistent between boots
+mkdir /tmp/nextcloud
+run-vm nextcloud --dummy-secrets --varlib /tmp/nextcloud
+
+# enable networking to provide connectivity between multiple vms
+# for that the malobeo hostBridge must be enabled on your host
+# this example deploys persistent grafana on overwatch and fetches metrics from infradocs
+mkdir overwatch
+run-vm overwatch --networking --varlib /tmp/overwatch
+run-vm infradocs --networking
+```
+
+
+
+### Fully deploy microvms on local host
+In order to test persistent microvms locally we need to create them using the ```microvm``` command.  
+This is necessary to be able to mount persistent /etc and /var volumes on those hosts.  
+Do the following:
+
+Prepare your host by including `microvm.nixosModules.host` in your `flake.nix` [Microvm Docs](https://astro.github.io/microvm.nix/host.html)
+
+
+```bash
+# go into our repo and start the default dev shell (or use direnv)
+nix develop .#
+
+# create a microvm on your host (on the example of durruti)
+sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo
+
+# start the vm
+sudo systemctl start microvm@durruti.service
+
+# this may fail, if so we most probably need to create /var /etc manually, then restart
+sudo mkdir -p /var/lib/microvms/durruti/{var,etc}
+
+# now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/
+
+# alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
+microvm -r durruti
+
+# after u made changes to the microvm update and restart the vm 
+microvm -uR durruti
+
+# deleting the vm again:
+sudo systemctl stop microvm@durruti.service
+sudo systemctl stop microvm-virtiofsd@durruti.service
+sudo rm -rf /var/lib/microvms/durruti
+```
+
+
+### Host Setup
+
+#### Network Bridge
+To provide network access to the VMs a bridge interface needs to be created on your host.
+For that:
+- Add the infrastructure flake as input to your hosts flake  
+- Add ```inputs.malobeo.nixosModules.malobeo``` to your hosts imports
+- enable the host bridge: ```services.malobeo.microvm.enableHostBridge = true;```
+
+If you want to provide Internet access to the VM it is necessary to create a nat.
+This could be done like this:
+``` nix
+networking.nat = {
+  enable = true;
+  internalInterfaces = [ "microvm" ];
+  externalInterface = "eth0"; #change to your interface name
+};
+```
+#### Auto Deploy VMs
+By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool.
+But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option.
+VMs configured using this option will be initialized and autostarted at boot.
+Updating still needs to be done imperative, or by enabling autoupdates.nix
+
+The following example would init and autostart durruti and gitea:
+``` nix
+malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
+```

doc/src/anleitung/rollback.md

@@ -0,0 +1 @@
+# Rollbacks

doc/src/anleitung/sops.md

@@ -0,0 +1,35 @@
+# Sops
+
+## How to add admin keys
+- Git:
+    - Generate gpg key
+    - Add public key to `./machines/secrets/keys/users/`
+    - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
+
+- Age:
+    - Generate age key for Sops:   
+      ```
+      $ mkdir -p ~/.config/sops/age
+      $ age-keygen -o ~/.config/sops/age/keys.txt
+      ```
+      or to convert an ssh ed25519 key to an age key
+      ```
+      $ mkdir -p ~/.config/sops/age
+      $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
+      ```
+    - Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
+    - Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
+
+- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
+
+- `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
+
+## How to add host keys
+If a new host is created we have to add its age keys to the sops config.
+Do the following:
+```bash
+# ssh into the host and run:
+nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+# create new host with the output of that command in /machines/.sops.yaml
+```
+

doc/src/anleitung/update_nextcloud.md

@@ -0,0 +1,16 @@
+### Updating nextcloud
+
+## Updating the draggable patch
+
+The draggable patch is a one line patch found in the deck repo under `src/components/cards/CardItem.vue`   
+Direct link: https://git.dynamicdiscord.de/ahtlon/deck/commit/77cbcf42ca80dd32e450839f02faca2e5fed3761   
+
+The easiest way to apply is
+1. Sync the repo with remote https://github.com/nextcloud/deck/tree/main
+2. Checkout the stable branch for the nextcloud version you need
+  - example `git checkout stable31`
+3. Apply the patch using `git cherry-pick bac32ace61e7e1e01168f9220cee1d24ce576d5e`
+4. Start a nix-shell with `nix-shell -p gnumake krankerl php84Packages.composer php nodejs_24`
+5. run `krankerl package`
+6. upload the archive at "./build/artifacts/deck.tar.gz" to a file storage (ask Ahtlon for access to the storj s3 or use own)
+7. Change url and sha in the nextcloud configuration.nix `deck = pkgs.fetchNextcloudApp {};`

doc/src/anleitung/updates.md

@@ -0,0 +1,11 @@
+# Updates
+## Nextcloud
+Update nextcloud to a new major version:
+- create state directories: `mkdir /tmp/var /tmp/data`
+- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`
+- Update lock file `nix flake update --commit-lock-file`
+- Change services.nextcloud.package to the next version (do not skip major version upgrades)
+- change custom `extraApps` to the new version
+- TEST!
+- run vm again, it should successfully upgrade nextcloud from old to new version
+- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`

doc/src/anleitung/wireguard.md

@@ -0,0 +1,55 @@
+# MaloVPN
+Running in the cloud. To let a host access the VPN you need to do the following:
+- generate a wireguard keypair
+- add the host to ./machines/modules/malobeo/peers.nix
+- enable the malovpn module on the host
+
+
+## Generate Wireguard keys
+Enter nix shell for wg commands `nix-shell -p wireguard-tools` 
+```bash
+umask 077
+wg genkey > wg.private
+wg pubkey < wg.private > wg.pub
+```
+Now you have a private/public keypair. Add the private key to the hosts sops secrets if you like.
+## Add host to peers.nix
+peers.nix is a central 'registry' of all the hosts in the vpn. Any host added here will be added to the vpn servers peerlist allowing it to access the VPN. This allows us to controll who gets access by this repository.  
+
+- Add your host to /machines/modules/malobeo/peers.nix  
+- Set the role to "client"
+- choose a ip address as 'address' that is not taken already
+- set allowedIPs as the others, except we want to limit this host to only access certain peers
+- Add your public Key here as string  
+
+After that commit your changes and either open a PR or push directly to master  
+Example:  
+```nix
+"celine" = {
+  role = "client";
+  address = [ "10.100.0.2/24" ];
+  allowedIPs = [ "10.100.0.0/24" ];
+  publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
+};
+```
+
+## Enable MaloVPN on Host
+Either you configure wireguard manually or use the malobeo vpn module  
+The 'name' must match your hosts name in peers.nix:
+
+```nix
+sops.secrets.private_key = {};
+
+imports = [
+  malobeo.nixosModules.malobeo.vpn
+];
+
+services.malobeo.vpn = {
+  enable = true;
+  name = "celine";
+  privateKeyFile = config.sops.secrets.private_key.path;
+};
+```
+
+After a rebuild-switch you should be able to ping the vpn server 10.100.0.1.
+If the peers.nix file just was commited shortly before it may take a while till the vpn server updated its peerlist. 

doc/src/module/disks.md

@@ -0,0 +1,117 @@
+# Disks
+The disks module can be used by importing `inputs.self.nixosModules.malobeo.disko`
+
+
+#### `let cfg = malobeo.disks`
+
+#### `cfg.enable` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Enables the disk creation process using the `disko` tool. Set to `true` to initialize disk setup.
+
+#### `cfg.hostId` (string)
+- **Type:** `string`
+- **Default:** `""`
+- **Description:**  
+  The host ID used for ZFS disks. This ID should be generated using a command like `head -c4 /dev/urandom | od -A none -t x4`.
+
+#### `cfg.encryption` (bool)
+- **Type:** `bool`
+- **Default:** `true`
+- **Description:**  
+  Determines if encryption should be enabled. Set to `false` to disable encryption for testing purposes.
+
+#### `cfg.devNodes` (string)
+- **Type:** `string`
+- **Default:** `"/dev/disk/by-id/"`
+- **Description:**  
+  Specifies where the disks should be mounted from.  
+  - Use `/dev/disk/by-id/` for general systems.
+  - Use `/dev/disk/by-path/` for VMs.
+  - For more information on disk name conventions, see [OpenZFS FAQ](https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux).
+
+#### `let cfg = malobeo.disks.root`
+#### `cfg.disk0` (string)
+- **Type:** `string`
+- **Default:** `""`
+- **Description:**  
+  The device name (beginning after `/dev/` e.g., `sda`) for the root filesystem.
+
+#### `cfg.disk1` (string)
+- **Type:** `string`
+- **Default:** `""`
+- **Description:**  
+  The device name (beginning after `/dev/` e.g., `sdb`) for the optional mirror disk of the root filesystem.
+
+#### `cfg.swap` (string)
+- **Type:** `string`
+- **Default:** `"8G"`
+- **Description:**  
+  Size of the swap partition on `disk0`. This is applicable only for the root disk configuration.
+
+#### `cfg.reservation` (string)
+- **Type:** `string`
+- **Default:** `"20GiB"`
+- **Description:**  
+  The ZFS reservation size for the root pool.
+
+#### `cfg.mirror` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Whether to configure a mirrored ZFS root pool. Set to `true` to mirror the root filesystem across `disk0` and `disk1`.
+
+#### `let cfg = malobeo.disks.storage`
+#### `cfg.enable` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Enables the creation of an additional storage pool. Set to `true` to create the storage pool.
+
+#### `cfg.disks` (list of strings)
+- **Type:** `listOf string`
+- **Default:** `[]`
+- **Description:**  
+  A list of device names without /dev/ prefix  (e.g., `sda`, `sdb`) to include in the storage pool.  
+  Example: `["disks/by-id/ata-ST16000NE000-2RW103_ZL2P0YSZ"]`.
+
+#### `cfg.reservation` (string)
+- **Type:** `string`
+- **Default:** `"20GiB"`
+- **Description:**  
+  The ZFS reservation size for the storage pool.
+
+#### `cfg.mirror` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Whether to configure a mirrored ZFS storage pool. Set to `true` to mirror the storage pool.
+
+## Example Configuration
+
+```nix
+{
+  options.malobeo.disks = {
+    enable = true;
+    hostId = "abcdef01";
+    encryption = true;
+    devNodes = "/dev/disk/by-id/";
+    
+    root = {
+      disk0 = "sda";
+      disk1 = "sdb";
+      swap = "8G";
+      reservation = "40GiB";
+      mirror = true;
+    };
+    
+    storage = {
+      enable = true;
+      disks = [ "sdc" "sdd" "disks/by-uuid/sde" ];
+      reservation = "100GiB";
+      mirror = false;
+    };
+  };
+}
+```

doc/src/module/initssh.md

@@ -0,0 +1,29 @@
+# Initrd-ssh
+The initssh module can be used by importing `inputs.self.nixosModules.malobeo.initssh`
+
+#### `let cfg = malobeo.initssh`
+
+## cfg.enable   
+Enable the initssh module
+
+*Default*
+false
+
+
+## cfg.authorizedKeys
+Authorized keys for the initrd ssh
+
+*Default*
+`[ ]`
+
+
+## cfg.ethernetDrivers
+
+Ethernet drivers to load in the initrd.   
+Run ` lspci -k | grep -iA4 ethernet `
+
+*Default:*
+` [ ] `
+
+*Example:*
+`[ "r8169" ]`

doc/src/projekte/musik.md

@@ -0,0 +1 @@
+# musik

doc/src/server/durruti.md

@@ -0,0 +1,2 @@
+# Durruti
+Hetzner Server

doc/src/server/lucia.md

@@ -0,0 +1,2 @@
+# Lucia
+Lokaler Raspberry Pi 3

doc/src/server/website.md

@@ -0,0 +1,7 @@
+#Website
+
+hosted on uberspace  
+runs malobeo.org(wordpress) and forum.malobeo.org(phpbb)  
+access via ssh with public key or password  
+Files under /var/www/virtual/malobeo/html
+

doc/src/todo.md

@@ -0,0 +1,32 @@
+# TODO
+- [ ] Dieses wiki schreiben
+#### infrastructure
+* [ ] host a local wiki with public available information about the space, for example:
+  * [ ] how to use coffe machine
+  * [ ] how to turn on/off electricity
+  * [ ] how to use beamer
+  * [ ] how to buecher ausleihen
+  * ...
+- [x] host a local wiki with infrastructure information
+* [x] host some pad (codimd aka hedgedoc)
+* [ ] some network fileshare for storing the movies and streaming them within the network
+  - Currently developed in the 'fileserver' branch
+    - NFSV4 based
+* [x] malobeo network infrastructure rework
+  * [x] request mulvad acc
+  * [x] remove freifunk, use openwrt with mulvad configured
+* [ ] evaluate imposing solutions
+    * [ ] pdfarranger
+
+#### external services
+we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
+- [x] analyse best way to include our stuff into external nixOs server
+  - [x] writing some module that is included by the server
+  - [x] directly use nixOs container on host
+  - [x] combination of both (module that manages nginx blabla + nixOs container for the services
+
+#### bots&progrmaming
+* [ ] create telegram bot automatically posting tuesday events
+* [x] create webapp/interface replacing current task list pad
+  * could be a simple form for every tuesday
+  * [x] element bot should send updates if some tasks are not filled out

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746728054,
+        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "ff442f5d1425feb86344c028298548024f21256d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "ep3-bs": {
       "inputs": {
         "nixpkgs": [
@@ -21,6 +42,24 @@
         "url": "https://git.dynamicdiscord.de/kalipso/ep3-bs.nix"
       }
     },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -28,16 +67,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1726989464,
-        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
+        "lastModified": 1748226808,
+        "narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
+        "rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-24.05",
+        "ref": "release-25.05",
         "repo": "home-manager",
         "type": "github"
       }
@@ -61,13 +100,35 @@
         "type": "github"
       }
     },
+    "microvm": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "spectrum": "spectrum"
+      },
+      "locked": {
+        "lastModified": 1748260747,
+        "narHash": "sha256-V3ONd70wm55JxcUa1rE0JU3zD+Cz7KK/iSVhRD7lq68=",
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "rev": "b6c5dfc2a1c7614c94fd2c5d2e8578fd52396f3b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "type": "github"
+      }
+    },
     "nixlib": {
       "locked": {
-        "lastModified": 1729386149,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
         "type": "github"
       },
       "original": {
@@ -84,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729472750,
-        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+        "lastModified": 1747663185,
+        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
         "type": "github"
       },
       "original": {
@@ -99,11 +160,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1729742320,
-        "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
+        "lastModified": 1747900541,
+        "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
+        "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
         "type": "github"
       },
       "original": {
@@ -129,29 +190,13 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1729357638,
-        "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1729665710,
-        "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
+        "lastModified": 1748190013,
+        "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
+        "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
         "type": "github"
       },
       "original": {
@@ -163,47 +208,49 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1729449015,
-        "narHash": "sha256-Gf04dXB0n4q0A9G5nTGH3zuMGr6jtJppqdeljxua1fo=",
+        "lastModified": 1748162331,
+        "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "89172919243df199fe237ba0f776c3e3e3d72367",
+        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "ep3-bs": "ep3-bs",
         "home-manager": "home-manager",
         "mfsync": "mfsync",
+        "microvm": "microvm",
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "sops-nix": "sops-nix",
         "tasklist": "tasklist",
-        "utils": "utils_3"
+        "utils": "utils_3",
+        "zineshop": "zineshop"
       }
     },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
       },
       "locked": {
-        "lastModified": 1729695320,
-        "narHash": "sha256-Fm4cGAlaDwekQvYX0e6t0VjT6YJs3fRXtkyuE4/NzzU=",
+        "lastModified": 1747603214,
+        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d089e742fb79259b9c4dd9f18e9de1dd4fa3c1ec",
+        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
         "type": "github"
       },
       "original": {
@@ -212,6 +259,22 @@
         "type": "github"
       }
     },
+    "spectrum": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1746869549,
+        "narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=",
+        "ref": "refs/heads/main",
+        "rev": "d927e78530892ec8ed389e8fae5f38abee00ad87",
+        "revCount": 862,
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -257,6 +320,36 @@
         "type": "github"
       }
     },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "tasklist": {
       "inputs": {
         "nixpkgs": [
@@ -264,11 +357,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729717517,
-        "narHash": "sha256-Gul0Zqy0amouh8Hs8BL/DIKFYD6BmdTo4H8+5K5+mTo=",
+        "lastModified": 1760981884,
+        "narHash": "sha256-ASFWbOhuB6i3AKze5sHCvTM+nqHIuUEZy9MGiTcdZxA=",
         "ref": "refs/heads/master",
-        "rev": "610269a14232c2888289464feb5227e284eef336",
-        "revCount": 27,
+        "rev": "b67eb2d778a34c0dceb91a236b390fe493aa3465",
+        "revCount": 32,
         "type": "git",
         "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
       },
@@ -315,14 +408,14 @@
     },
     "utils_3": {
       "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
       },
       "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -330,6 +423,45 @@
         "repo": "flake-utils",
         "type": "github"
       }
+    },
+    "utils_4": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "zineshop": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils_4"
+      },
+      "locked": {
+        "lastModified": 1751462005,
+        "narHash": "sha256-vhr2GORiXij3mL+QIfnL0sKSbbBIglw1wnHWNmFejiA=",
+        "ref": "refs/heads/master",
+        "rev": "f505fb17bf1882cc3683e1e252ce44583cbe58ce",
+        "revCount": 155,
+        "type": "git",
+        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -3,11 +3,15 @@
 
   inputs = {
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     mfsync.url = "github:k4lipso/mfsync";
+    microvm.url = "github:astro/microvm.nix";
+    microvm.inputs.nixpkgs.follows = "nixpkgs";
+    disko.url = "github:nix-community/disko/latest";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
 
     utils = {
       url = "github:numtide/flake-utils";
@@ -18,6 +22,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    zineshop = {
+      url = "git+https://git.dynamicdiscord.de/kalipso/zineshop";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     ep3-bs = {
       url = "git+https://git.dynamicdiscord.de/kalipso/ep3-bs.nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -29,7 +38,7 @@
     };
 
     home-manager=  {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs = {
         nixpkgs.follows = "nixpkgs";
       };

machines/.sops.yaml

@@ -5,25 +5,100 @@
 keys:
   - &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb
   - &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4
+  - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
   - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
   - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
-  - &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
+  - &machine_durruti age1tc6aqmcl74du56d04wsz6mzp83n9990krzu4kuam2jqu8fx6kqpq038xuz
+  - &machine_infradocs age1tesz7xnnq9e58n5qwjctty0lw86gzdzd5ke65mxl8znyasx3nalqe4x6yy
+  - &machine_overwatch age1hq75x3dpnfqat9sgtfjf8lep49qvkdgza3xwp7ugft3kd74pdfnqfsmmdn
+  - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
+  - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
+  - &machine_nextcloud age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
+  #this dummy key is used for testing.
+  - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:
+  #provide fake secrets in a dummy.yaml file for each host
+  - path_regex: '.*dummy\.yaml$'
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *machine_dummy
+      - *admin_atlan
   - path_regex: moderatio/secrets/secrets.yaml$
     key_groups:
     - pgp:
       - *admin_kalipso
       - *admin_kalipso_dsktp
       - *machine_moderatio
+      age:
+      - *admin_atlan
   - path_regex: lucia/secrets.yaml$
     key_groups:
     - pgp:
       - *admin_kalipso
       - *admin_kalipso_dsktp
       - *machine_lucia
+      age:
+      - *admin_atlan
   - path_regex: durruti/secrets.yaml$
     key_groups:
     - pgp:
       - *admin_kalipso
       - *admin_kalipso_dsktp
+      age:
       - *machine_durruti
+      - *admin_atlan
+  - path_regex: vpn/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *machine_vpn
+      - *admin_atlan
+  - path_regex: fanny/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *machine_fanny
+      - *admin_atlan
+  - path_regex: testvm/disk.key
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+  - path_regex: bakunin/disk.key
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+  - path_regex: nextcloud/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+      - *machine_nextcloud
+  - path_regex: overwatch/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+  - path_regex: .*/secrets/.*
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan

machines/bakunin/configuration.nix

@@ -0,0 +1,101 @@
+{ config, pkgs, inputs, ... }:
+
+let
+  sshKeys = import ../ssh_keys.nix;
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      #./hardware-configuration.nix
+      ../modules/xserver.nix
+      ../modules/sshd.nix
+      ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.disko
+      inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.users
+    ];
+
+  malobeo.autoUpdate = {
+    enable = true;
+    url = "https://hydra.dynamicdiscord.de";
+    project = "malobeo";
+    jobset = "infrastructure";
+    cacheurl = "https://cache.dynamicdiscord.de";
+  };
+
+  malobeo.disks = {
+    enable = true;
+    hostId = "a3c3102f";
+    root = {
+      disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
+    };
+  };
+
+  malobeo.initssh = {
+    enable = true;
+    authorizedKeys = sshKeys.admins;
+    ethernetDrivers = ["r8169"];
+  };
+
+  malobeo.users.malobeo = true;
+
+  hardware.sane.enable = true; #scanner support
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  users.users.malobeo = {
+    packages = with pkgs; [
+      firefox
+      thunderbird
+      telegram-desktop
+      tor-browser-bundle-bin
+      keepassxc
+      libreoffice
+      gimp
+      inkscape
+      kdePackages.okular
+      element-desktop
+      chromium
+      mpv
+      vlc
+      simple-scan
+    ];
+  };
+
+  services.tor = {
+    enable = true;
+    client.enable = true;
+  };
+
+  services.printing.enable = true;
+  services.printing.drivers = [
+    (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
+    pkgs.gutenprint
+    pkgs.gutenprintBin
+    pkgs.brlaser
+    pkgs.brgenml1lpr 
+    pkgs.brgenml1cupswrapper
+  ];
+
+  # needed for printing drivers
+  nixpkgs.config.allowUnfree = true; 
+
+  services.acpid.enable = true;
+
+  networking.hostName = "bakunin";
+  networking.networkmanager.enable = true;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    systemWide = true;
+  };
+
+
+  time.timeZone = "Europe/Berlin";
+  system.stateVersion = "23.05"; # Do.. Not.. Change..
+}
+

machines/bakunin/disk.key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:2/tfkG7SwWNpnqgkFkmUqbAJBF2eN/lfZCK/9VsZag==,iv:Sps+ZIQGveS/zumjVE8VFfVTlNwQJ093eMDndlne2nU=,tag:lW8xcz43jj1XPV6M/0e11g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRU003cys0d0d4MXFmVVVH\ndDg1eHZpVjFMeDBGL3JQcjB5a0luSVRaSWtnCmxNOEUyZ2oybkNLdm12ZTVmNUpo\nVCtUem44bXA2dGhURGdyRWxKdUF6OVkKLS0tIDdVbUt2eGVHMHBzOEt6QnRpOXZF\nVWFEUFloRXpIUGJxblpaNUNuTjlLbDQKQii2qUIl72d02D3P0oTDHZQT1srSk6jS\n89XSBy6ND9vP0tGXcZ4a7jghO0Q1OVNe1fm6Ez41lKOuUu77hgOAWg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-14T16:40:57Z",
+		"mac": "ENC[AES256_GCM,data:M8l4a2SbBikF/tEtGx4ZY13eK3ffM70aUCDYo4ljgTAtQEbGLx1SJM/mrFW325LycFMNOerWhXyipbXPZPw2VfnSJ9dz+bQ53xK7Mpf/bOZs5aQZJpJ1/MJh6lkmR/zPeQXhE08WsyJ1rCRqAfygau2CqdV8ujY5li3jIIDQMcQ=,iv:lJZhTjJAxSky9MrzYldkJOG0dCIzkv4IE3ZKzxgUxvo=,tag:t/grczWX+0sDcsHC5SCd/A==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-01-14T16:40:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/S6LvVBsznEqLZbT/UAom1KmfmA3swxAJnQ5tl/vnnix6\nvzs4KSFGZMOQZihEKC/M/og8qTCvlUFBAUMkYLgX+8ehZeZwnnH9V8EDGDIyoWXE\n6AIHP9Ur6yk62gHqmfHlMxFG2A9/A4a+mOvxyKKPDK/AYG0PBaSVMkM6cp7efWwe\n7C6m4BpPRU+3NsNKy/4FkWt9xoFy82K89FqUGC8oZOQW1q+fS7ZIhmnTzzApwILy\n5Y77yBnpPECDYNZdH097bZli6KGWob7aXJ431gyw2OMVQHFb0DlQbKxemo9eWpIr\nnXu2FYrY2D7YxXBGQvXTuNQD3BuvrccOgWAmmi852C1gVVKV+egeOBRq2RYPl6+j\n8TBaNzl0rcvaoWeTJGR142pR9ht9B3aGzXcvCsciZo3SjYyt31J0huzPfv4Dakfn\nyY8BvOaNfugjx0aS6BOZgZiOPlBer86/0FKX469QQAnqL0LRoPyjn53JYUdPdI+s\nCI2WuVynSl7ItiwoKkJK0lgBm0oMhpSiGOC4Z2Bkk2xdpiuXUdMcP6m8OlG9ldCs\n0KrWubh9Ne6CP7etvTkwqWvMuSpCuheToIQ0rp8j21/YdCFX5LpxA3+em0t9M7Is\nV4ZoLnqA2KjI\n=4+Yl\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-01-14T16:40:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//c/UkuZRpJM5sH1snP8Kidek6nHgC11hUaY1G15a5ap1D\nn9cMIn4xUdfCAN/DoNiE14NzeTDQyawmIV1ZmrYZzItFdNgunf1r9jQNa3EqcWfE\norJS2RwWDrsw7tmx0wyenr9BLefMGJYaJ6Rd7J3j8sXL7aT+SbNw27mmVbYrJiFJ\nYh2usIsxDu2C+dCeTb3J9sKK6F96IbNnj/2Sx8AGYsIQvcpwloCRrnjiEa+hrEBn\nj1I6U4B/NjRGv20PAR1OnQ2OhKVL5UgTJgNKWCLdvGVOQnqJgDNUrrNEBY19wDQL\nQzJEzL21aiyF+8BB3IrtQlntmAIMcUUHTpqIols9rpVJl54yiK1mQ3UqTQPQ2+gd\nu2gtjXXk3FMnVzaI33ZMcxENGHy/+ZdZMfY70/EwJpRvneHTsLr3Z/bHUxavSYdL\nQqbeWLUm7a2/pnOl5JKa9asKYaNBNdmzO/YVgQNhLQzFtHJ9riVN7Ro+S2bocN9Z\npHGCCISAdMDyuFC7aSngnZEwE4NACbQEc8Udu+YCAUIeeBaPI/QWu3n61fZrkxR7\nmik9uJdXnMzKpmNGVQbPurifykDA6Bsqakn69AZQIPyxMtEDBV+pDX0yy3tI5D12\nhksuXSC7fpV/4BsZWKczK9fpDUJMDTFajSSVrSKb4nr2hk49IAZX9rhgbiHmT1LS\nWAHa5YGYUMkVQc59J3uhAjuSckWA/7R7oMhIrL5e/vnnHVR5zFW/auHkDytzZ0d0\nbGdrIRZh81C+yxB1pSJvlUnIWbYnpqhaH3xL+8yARpGZMNi595x0EJM=\n=8puy\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/bakunin/hardware-configuration.nix

@@ -8,46 +8,42 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "ums_realtek" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "rpool/nixos/root";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+boot.initrd.luks.devices = {
+root = {
+device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
+preLVM = true;
+allowDiscards = true;
+};
 };
 
-  fileSystems."/home" =
-    { device = "rpool/nixos/home";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
+      fsType = "btrfs";
     };
 
   fileSystems."/boot" =
-    { device = "bpool/nixos/root";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1" =
-    { device = "/dev/disk/by-uuid/A0D1-00C1";
+    { device = "/dev/disk/by-uuid/402B-2026";
       fsType = "vfat";
     };
 
-  fileSystems."/boot/efi" =
-    { device = "/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1";
-      fsType = "none";
-      options = [ "bind" ];
-    };
-
-  swapDevices = [ ];
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
+    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
 
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

machines/configuration.nix

@@ -1,77 +0,0 @@
-{ self
-, nixpkgs-unstable
-, nixpkgs
-, sops-nix
-, inputs
-, nixos-hardware
-, home-manager
-, ...
-}:
-let
-  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
-  nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem;
-
-  baseModules = [
-    # make flake inputs accessiable in NixOS
-    { _module.args.inputs = inputs; }
-    {
-      imports = [
-        ({ pkgs, ... }: {
-          nix = {
-            extraOptions = ''
-              experimental-features = nix-command flakes
-            '';
-
-            settings = {
-              substituters = [
-                "https://cache.dynamicdiscord.de"
-                "https://cache.nixos.org/"
-              ];
-              trusted-public-keys = [
-                "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4="
-              ];
-              trusted-users = [ "root" "@wheel" ];
-            };
-          };
-        })
-
-        sops-nix.nixosModules.sops
-      ];
-    }
-  ];
-  defaultModules = baseModules;
-in
-{
-  moderatio = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./moderatio/configuration.nix
-    ];
-  };
-
-  louise = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./louise/configuration.nix
-    ];
-  };
-
-  durruti = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./durruti/configuration.nix
-    ];
-  };
-
-  lucia = nixosSystem {
-    system = "aarch64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./lucia/configuration.nix
-      ./lucia/hardware_configuration.nix
-    ];
-  };
-}

machines/durruti/configuration.nix

@@ -1,15 +1,11 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, self, lib, pkgs, inputs, ... }:
 
 with lib;
 
 {
-  sops.defaultSopsFile = ./secrets.yaml;
-
-  boot.isContainer = true;
   networking = {
     hostName = mkDefault "durruti";
     useDHCP = false;
-    nameservers = [ "1.1.1.1" ];
   };
 
   networking.firewall.allowedTCPPorts = [ 8080 ];
@@ -21,57 +17,23 @@ with lib;
   ];
 
   imports = [
-    inputs.ep3-bs.nixosModules.ep3-bs
+    self.nixosModules.malobeo.metrics
     inputs.tasklist.nixosModules.malobeo-tasklist
+
     ../modules/malobeo_user.nix
     ../modules/sshd.nix
     ../modules/minimal_tools.nix
-    ../modules/autoupdate.nix
   ];
 
-  malobeo.autoUpdate = {
+  malobeo.metrics = {
     enable = true;
-    url = "https://hydra.dynamicdiscord.de";
-    project = "malobeo";
-    jobset = "infrastructure";
-    cacheurl = "https://cache.dynamicdiscord.de";
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
   };
 
   services.malobeo-tasklist.enable = true;
 
-  services.ep3-bs = {
-    enable = true;
-    in_production = true;
-    favicon = ./circle-a.png;
-    logo = ./malobeo.png;
-
-    mail = {
-      type = "smtp-tls";
-      address = "dynamicdiscorddresden@systemli.org";
-      host = "mail.systemli.org";
-      user = "dynamicdiscorddresden@systemli.org";
-      passwordFile = config.sops.secrets.ep3bsMail.path;
-      auth = "plain";
-    };
-
-
-    database = {
-      user = "malodbuser";
-      passwordFile = config.sops.secrets.ep3bsDb.path;
-    };
-  };
-
-  sops.secrets.ep3bsDb = {
-    owner = config.services.ep3-bs.user;
-    key = "ep3bsDb";
-  };
-
-  sops.secrets.ep3bsMail = {
-    owner = config.services.ep3-bs.user;
-    key = "ep3bsMail";
-  };
-
-
   system.stateVersion = "22.11"; # Did you read the comment?
 }
 

machines/durruti/documentation.nix

@@ -0,0 +1,24 @@
+{ config, self, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."_" = {
+      listen = [ 
+        { addr = "0.0.0.0"; port = 9000; } 
+      ];
+      root = "${self.packages.x86_64-linux.docs}/share/doc";
+      extraConfig = ''
+        proxy_buffering off;
+        proxy_cache off;
+        proxy_http_version 1.1; 
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+      '';
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9000 ];
+}

machines/durruti/host_config.nix

@@ -33,17 +33,72 @@ in
       }
     ];
 
+    services.nginx.virtualHosts."docs.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
+    services.nginx.virtualHosts."cloud.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
+    services.nginx.virtualHosts."grafana.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
     services.nginx.virtualHosts."tasklist.malobeo.org" = {
       forceSSL = true;
       enableACME= true;
-      locations."/".proxyPass = "http://${cfg.host_ip}:8080";
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
     };
 
-    services.nginx.virtualHosts."booking.dynamicdiscord.de" = {
+
+    services.nginx.virtualHosts."zines.malobeo.org" = {
       forceSSL = true;
       enableACME= true;
-      locations."/".proxyPass = "http://${cfg.host_ip}:80";
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
     };
 
+    services.nginx.virtualHosts."status.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.12";
+        extraConfig = ''
+        '';
+      };
+    };
   };
 }

machines/durruti/secrets.yaml

@@ -1,72 +0,0 @@
-hello: ENC[AES256_GCM,data:MKKsvoFlHX6h4qazxcjl/RE1ZsK64G926k4hgFW3AkoJgXO1QXmTaRG7ZBgS8A==,iv:hoFbcNRkge24xJfLZJH651jB4NnXCjYAdTrirkans+4=,tag:68AyEHamlGxdmSJGkTGbsA==,type:str]
-ep3bsDb: ENC[AES256_GCM,data:Z4ZYRaV/eCkaW5Ma+88hbl1o8qsI7PANrIHXoLdIOqIGFLPt7dw=,iv:BCVM+PeGm2NRcvBBy0kId1iVOD/uoiVKKBDA03p0QFM=,tag:CMypO3RLOhvHdVG5YvWewg==,type:str]
-ep3bsMail: ENC[AES256_GCM,data:rZhRb/+gs0Lm8Gdi2P2FMe15A344b88TRg==,iv:hEIG2CBcMslg3hmH3ST3bu6tmes01jncQ3V7h5KcuhA=,tag:XAHdMAlVZNyMdp4TznWDQQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2024-06-26T10:07:26Z"
-    mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
-    pgp:
-        - created_at: "2024-06-26T10:06:21Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+
-            43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT
-            d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc
-            5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN
-            MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu
-            eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv
-            pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf
-            Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W
-            CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs
-            6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq
-            OBN3luBRDDAj
-            =+dua
-            -----END PGP MESSAGE-----
-          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-06-26T10:06:21Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo
-            HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx
-            hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh
-            9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3
-            rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ
-            lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj
-            fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1
-            2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl
-            TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC
-            3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA
-            UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS
-            WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt
-            08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ=
-            =7OG0
-            -----END PGP MESSAGE-----
-          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2024-06-26T10:06:21Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf
-            XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6
-            GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U
-            e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc
-            B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l
-            aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv
-            FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v
-            eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK
-            0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU
-            fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM
-            cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS
-            WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG
-            HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto=
-            =GiUe
-            -----END PGP MESSAGE-----
-          fp: 4095412245b6efc14cf92ca25911def5a4218567
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

machines/fanny/configuration.nix

@@ -0,0 +1,231 @@
+{ inputs, config, ... }:
+let
+  sshKeys = import ../ssh_keys.nix;
+  peers = import ../modules/malobeo/peers.nix;
+in
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets.wg_private = {};
+  sops.secrets.shop_auth = {};
+
+  imports =
+    [ # Include the results of the hardware scan.
+      #./hardware-configuration.nix
+      ../modules/sshd.nix
+      ../modules/minimal_tools.nix
+      ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.vpn
+      inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.disko
+      inputs.self.nixosModules.malobeo.microvm
+      inputs.self.nixosModules.malobeo.metrics
+      inputs.self.nixosModules.malobeo.users
+      inputs.self.nixosModules.malobeo.backup
+    ];
+
+    virtualisation.vmVariantWithDisko = {
+      virtualisation = {
+        memorySize =  4096; 
+        cores = 3;
+      };
+    };
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  malobeo.autoUpdate = {
+    enable = true;
+    url = "https://hydra.dynamicdiscord.de";
+    project = "malobeo";
+    jobset = "infrastructure";
+    cacheurl = "https://cache.dynamicdiscord.de";
+  };
+
+  malobeo.backup = {
+    enable = true;
+    snapshots = [ "storage/encrypted" "zroot/encrypted/var" ];
+  };
+
+  nix = {
+    settings.experimental-features = [ "nix-command" "flakes" ];
+    #always update microvms
+    extraOptions = ''
+      tarball-ttl = 0
+    '';
+  };
+
+  malobeo.users = {
+    malobeo = true;
+    admin = true;
+    backup = true;
+  };
+
+  malobeo.disks = {
+    enable = true;
+    hostId = "a3c3101f";
+    root = {
+      disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
+    };
+    storage = {
+      enable = true;
+      disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
+      mirror = true;
+    };
+  };
+
+  systemd.tmpfiles.rules = [ 
+    "L /var/lib/microvms/data - - - - /data/microvms"
+    "d /data/microvms 0755 root root" #not needed for real host?
+    ];
+
+  malobeo.initssh = {
+    enable = true;
+    authorizedKeys = sshKeys.admins;
+    ethernetDrivers = ["r8169"];
+    zfsExtraPools = [ "storage" ];
+  };
+
+  boot.initrd = {
+    availableKernelModules = [ "wireguard" ];
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        netdevs."30-wg-initrd" = {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "wg-initrd";
+          };
+          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
+          wireguardPeers = [{
+            AllowedIPs = peers.fanny-initrd.allowedIPs;
+            PublicKey = peers.fanny-initrd.publicKey;
+            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
+            PersistentKeepalive = 25;
+          }];
+        };
+        networks."30-wg-initrd" = {
+          name = "wg-initrd";
+          addresses = [{ Address = peers.fanny-initrd.address; }];
+        };
+      };
+    };
+  };
+
+  boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
+
+  services.malobeo.vpn = {
+    enable = true;
+    name = "fanny";
+    privateKeyFile = config.sops.secrets.wg_private.path;
+  };
+
+  services.malobeo.microvm.enableHostBridge = true;
+  services.malobeo.microvm.deployHosts = [ 
+    "overwatch" 
+    "infradocs" 
+    "nextcloud" 
+    "durruti" 
+    "zineshop"
+  ];
+
+  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "enp1s0";
+      internalInterfaces = [ "microvm" ];
+    };
+
+    firewall = {
+      allowedTCPPorts = [ 80 ];
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."docs.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.11:9000";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."cloud.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.13";
+        extraConfig = ''
+          proxy_set_header Host $host;
+          client_max_body_size 10G;
+        '';
+      };
+    };
+
+    virtualHosts."grafana.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.14";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."tasklist.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.5:8080";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."zines.malobeo.org" = {
+      # created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo'
+      # then content of foo.txt put into sops
+      # basicAuthFile = config.sops.secrets.shop_auth.path;
+      locations."/" = {
+        proxyPass = "http://10.0.0.15:8080";
+        extraConfig = ''
+          proxy_set_header Host $host;
+
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
+    };
+  };
+
+  services.tor = {
+    enable = true;
+    client.enable = true;
+  };
+
+  # needed for printing drivers
+  nixpkgs.config.allowUnfree = true; 
+
+  services.acpid.enable = true;
+
+  networking.hostName = "fanny";
+  networking.networkmanager.enable = true;
+
+  virtualisation.vmVariant.virtualisation.graphics = false;
+
+  time.timeZone = "Europe/Berlin";
+  system.stateVersion = "23.05"; # Do.. Not.. Change..
+
+  sops.secrets.shop_auth = {
+    owner = config.services.nginx.user;
+    group = config.services.nginx.group;
+  };
+}
+

machines/fanny/dummy.yaml

@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:YEmIfgtyHE9msYijva0Ye2w7shVmYBPZ3mcKRF7Cy20xa6yHEUQ0kC2OWnM=,iv:ouK6fHcrxrEtsmiPmtCz9Ca8Ec1algOifrgZSBNHi74=,tag:524e/SQt++hwVyeWruCsLg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVnB0dDdQT0tNSUJDSlhx
+            QVFoVTZlb01MbVBwM2V2MGdGZFJTWm1FTW5nCkN5V0Y5MEp4K2FiU0xNVlRQM2xN
+            SFJEWFFwTGhQWWwzNjlFN3NiakNBMnMKLS0tIE9MRHdnVHVYTG5rR1lGazdlK0Nv
+            cmZiN0R5OW9vaitZb0JIa2srdmNMRjAKYlL4e8hfB0YuVNLM65yyvvCKl6EAF6E5
+            YkAidAO5MY/wo1SDFQMeDub0Uso1QuNexYUZt7kzotvuPOzgywUORA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZ25EdmdWVjAwWGhiVDRa
+            cU9saUxnSXVDN0NodzI3aXMrTDZRc1FOUUJZCmh6V3lhS1FER2lyMzk5eU1XbXVh
+            b3JFQ05GdEZTNVFTdFJjN3dTN2xBaXMKLS0tIG15YlVvVHZ5c2pYVmZCaktwRXFx
+            NjJ5cFdTVS9NZmVWMjcrcHo2WDZEZDgKiDwkuUn90cDmidwYGZBb5qp+4R1HafV0
+            vMQfjT9GrwB5K/O1GumOmvbzLNhvO2vRZJhfVHzyHLzQK64abQgF5Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:46:09Z"
+    mac: ENC[AES256_GCM,data:eU3SIqAGrgbO2tz4zH1tgYcif7oe5j+/wmdYl2xXXI+D6IhiKrTJGvzE3rd3ElEpb+Bg0UQId952U2Ut0yPTfxGLtdlbJA66CmhLAksByoJ8lOXUcp/qDyA4yMRSuwYG2v7uF2crvue9fyRfZ7hl7abE/Q7Z2UjOKqhSZC5cO3U=,iv:NmCVvtBWZRzhpr5nMLy+98VuQZWoUms7xFSxq8PMvBA=,tag:UWjA7oqoNWh4wb0myNg7FA==,type:str]
+    pgp:
+        - created_at: "2025-01-19T22:45:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv/fLoi/LsDTN6tDdw0rWQg1iG/6oFFxcYO44XU2vCd13Ql
+            okvR1ZtvXtnM/FwTboK2KjxahkuAbapXXEvfWJ2W+d2L38aYxCPe/ryQhjrUP/jJ
+            4IjFSa5R6oWca9i5Apue5In71ACzGCF/v2oyNAF4fSDX7Q+YKOMiwaDatfOAKp5v
+            JlkcfIq6WBR+gKZsTCfLunURNJoKu7jz35OUJDmzyZl9u/xV0ENveQxaKa3hj87s
+            hb7RGXqph6WWhigy+rtTqYQNjycRDHuspb2GgGE5N7OYteZo/XxA3tDz2EWVCYx+
+            g8aEEvxHK3qEIcWbgmbKXNPNSH/CG1XQFaUhdSnkg5lMJsBuYToeNsPTS0o866k1
+            wmoiI3nT2KtnV2SeR3UUMNDqSDl5unLgBCrbDi0m3Sqt9ubjCfuOYN2T19WvAMZx
+            CwB33mVAevPy4Qs5IjPad1WtiaUFulkfJFd1iCM9dhA0RDxbIJRaVGCjqnaE4lW4
+            yP25uKoEUSitgr5nLk000lgBQBkE3obMFZ+DPoNaqupremevGJ71LyjJhXwgzQvk
+            7pwQXBZWybBFFcH7wDurSIJMqE1KP24Krshm7aR9yVNd3mEz7v2T5pbUywTP8H1I
+            TkFpiaZ7OG8G
+            =VXoo
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T22:45:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAmhiwA8S+wZ0wiyIJwmRyLMWj3Xm95dTnEoeZmJ2I3O4g
+            0szCKLdW8eUWrjZML09ByPYXQINkuyUR+g72+/ALEr9F587GxWDdMwcwLSlIYlX0
+            3GwnJ7ACv/uTZjK24AXno3TkffPQy+rRQwXkpmUz7CMCeH/WRmVtf1LFUuxgbcrj
+            Kmx9x52dn+ae5JOeMkEu4t8lAtI1pv1JRPnm6RIqK2N7VBRGjiD9SiyJiwLqV2GN
+            7N+vepFhbBKPzt+CFpnPWnFePb+TtQmAdJVULedlFPLcJGsPMloEXSuunK2eKveB
+            Vj1NO80i8PEVup02IlEabp+H7eYV8wZOviAJ7HGVhpw6kxD1tqO98KeSFfhuqbul
+            ijaeF2COgf9lioR6Y8T+RhTqeEZK85U/OGXgiM7MdTdYQV9BrY5nR5XSYIrK6zl9
+            TlS24DdM/Sd2939o+wdtgpm0FNQjW3WwA3n2QE/rqjQ6z2pyCTH16yRalAgHKNk/
+            B3uDGxIO5ua6xZwPzFrOB7uKggB8W/lx1eyAT53Lv7MTRp9PW6mm+NoVkNIzmCYa
+            5G2Y/bluKRt39O6UuSVrN8YLcyYCC+xYUfQf4Lr6/CwZ/XbgMTYm29+IgkOkgoS0
+            UxPcmXUgxi98lu5IhdIwWTNtaWEvT9adwmd3bxebWgDmUvK5QxAc7BYUnGIe+C7S
+            WAHA1m5OEQrNFLKGTSha/K20cDAoV2f4IAykRRWD3zieBAP3rzsIv78mgrMBIWP6
+            z1L41UXlBToKfcw8TI9XKIlYId/asI7mR+bqT3oLSdni8qr32VpRjZ0=
+            =MPBp
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

machines/fanny/hardware-configuration.nix

@@ -0,0 +1,49 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+boot.initrd.luks.devices = {
+root = {
+device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
+preLVM = true;
+allowDiscards = true;
+};
+};
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/402B-2026";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/fanny/secrets.yaml

@@ -0,0 +1,70 @@
+wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
+shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str]
+shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZFBYMHMzTFRMLzhCbnBE
+            MXkreklWSUVOckl5OTJ0VzlWS2tIOFBRRVVJCk90OXJoMHQza0hTSGt5VUphNjY1
+            MkFrTHQwTHJNSGZjT2JOYXJLWExwQTQKLS0tIHlTeVgvRlU0MXA3cUl2OE9tYUls
+            TStjbTBkMTNOcHBja0JRYUdvSWJUN00KtOPBH8xZy/GD9Ua3H6jisoluCR+UzaeE
+            pAWM9Y6Gn6f7jv2BPKVTaWsyrafsYP7cDabQe2ancAuuKvkng/jrEw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc282T2VVamFGcG1Ub3hp
+            S1VwKzVsWW1sRXczZnRNdkxDWE5Sd0hhVUJRCkovNGZ1ZlN0c1VyMXV0WThJMGFi
+            QVM3WW5Eam81dWpGaFd3bm80TmtQSlUKLS0tIFFSUy9SYWdKeE5KWk0yZld5dDYy
+            QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP
+            SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-14T10:34:55Z"
+    mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str]
+    pgp:
+        - created_at: "2025-02-11T18:32:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAmorRyo7mguHQxATRRuKstaXertmyz2AhKFr1Kr880vBJ
+            ODjEKmkH77wIpOnZjOYrx7j2JWosoJ1KgsUUh4VlAPM3O6cXVwqDucu1d8O/HzK3
+            RPuPfTKDr/lKl7QyQCx5lQuxE1/qn88D/g/fMQYu3NAVJa7acpTdSsfyo9nZ3QMb
+            ly6YEyGDc/IhBy5igc7bIWy1o+XATmyUxA+jZVMLiBKhetogMC507Eq71tUCMEht
+            CItRoFFPeoCzC8JPjpQNQmXoe5WDv3hzWpUBRJgjScYz3JuEfakbsAnzrPc41Mga
+            yPhSPYPBtHlEt+DntW9i/CFLEJ+I0V+uz3gnNtNdHTIIe2AZbGympjZldZThldb3
+            Tupo7ep6VQgi+hG37wLmQdvSVWR8lVJDMvOmV9xZqdFYfQdBr2gewTT6Y2QCc8GZ
+            HBtJASlpIbydd/rtLtaTwtdOz64g+F5Vw/6T3ciyExt6RCoPALqZCoyzQnvnQm7e
+            JPPauAs8BH8ejoDlJYjK0lgBBMSJTZ2xlGYh4wG8zmGtGok2wvXYy+DeqlXuCIy6
+            7Xu4BLTL9eOZZo0sPR+RQfYbII0zMIc2fPBtU2c2z89YOTI44FI0BVbTlhLIIXXz
+            NJMDln08MWwr
+            =hhKC
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-02-11T18:32:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ//cBdyq4JxOhU9t7Z9iWAp2DRObgv7HMbhIXh1351wuzA7
+            Fe0Kqcoo/ekCkIPrLZOC5z4CMjXwOCPSncMMm5vK5ibixTlX9446+Hv7AQ1vq2Nt
+            2daL8ZzpCeCJmi07Vyp72/NJOZYa6YY/gFiiRw044lNLFS//b0sYkipne5COjvca
+            I7BxWCpGwLLWZ7LNKhg6i0at+0AqEdBDiwSE7jfeY6IL9tPOIqmBxYIWMbiAkPMd
+            /nK8PVPrt41NkJkuxfjXcYowJRcJmAYHGiRUQaAkUZyRQxmolbLwwJ+/CVYxv5Kk
+            hN5QvT82z5I8gK5LXrt3ZGEcC9dADkRSQr/qcWQT+CEnsGZi8b0unwUZZruDVb7d
+            eIwICaXu62gH/mlJN1z/J5jEciwQtC9Eh932x5qY3sdtd6Gm7/EHTf9NJ9Zg3gTk
+            nfytwpfUmtJO/bI5RvYSUkXkU6CLY6bqRW12+YrsAP+vDITYcLVEJGt7jrXDFto2
+            Z9rlywZsQiZhLrzi1UImCTthcceI6Hd7l3TOYV84gMxdahBo3FLKnoZRK2I7ukGq
+            Wi0KjajcsJ6LBUCCpMg/tW+TT8/+66QY9BDzcv/hBdRc4lCKNeKDwwGFPSFZCcib
+            uyT8UB6iUYVMiNSHRqdGGcH0NwH45Oe2g9nF/lrJ0vYw1toN3WSpEc5v/Nch8DbS
+            WAE3DazXQgd4UQ19q+5cC+L5POWcAjgWpZlRwBXBRdeOKFDF9maCPL6MpfMm6XG1
+            /JNfzhipjL5OXgJgK7iUFJlH9AuD18g/by7yID0bTsg2fkfLglwjfm8=
+            =Sdch
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

machines/fanny/secrets/disk.key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:H0oMKUXc6C28tHMwSgsppcdfYKEknPIIWGq3Mwk=,iv:lExcGcA4bvwKtqeeG4KS87mWlPBtCSSpOunJMZcQG+Y=,tag:F6Pke7woX/odRT7SMJwVbw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlQwRFZLZUtGamszckt6\nNmFoZmk3U1JpM3V6MkNZc2Iwd0VlTDJpekNvCkMzVm1qNEYyNEZmQ1o0TG1LRmpP\ncUhiWlB5ZTdjZnBHQUxVblA2V2s4WVEKLS0tIDhiUUdla09WRmR6RWZnbE5XRDAv\nWVV0WW9wMWsrcjdsdkF3NHgxMVFmRDQKeUAVQU/M1DGfAmee6CFvyTr8RkRBWjYk\nK9ceXyJSojHktwr/Xllm1mMm6H2lPbzba/JAyt99YVTD8xO056vu/g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-22T18:09:45Z",
+		"mac": "ENC[AES256_GCM,data:5IGtFkE5sGjXJXlXkPdN4e15gxh6QB/z1X5A0149koG3fvOPnoLPEU+DGx1qj9Z/8vilJat1hk7qIBalMPMCn2/T1PIV45Hpvih/kNoszkFMQ9r0EsZMgXgSJClHSg1JaiCiC3LvjsIWHDoESwVx3fqos1ClOLtrzKwptCEUp2Q=,iv:15QS1AwpuUr+EMw5YQe8ogb1Y58nQh4WcFjtzuWtcUQ=,tag:vL9cZRdsPCqaTw42pzRfOw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-22T18:08:13Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/WtqMo4CAW5VEqo4vEL7Lj9Z/OY1h0zPF/bdkc9u6x7IP\ngqH60j9iF3n4ae717c4eKf59iN4+4tDk51qb1XdBOw1scn6rTai6KCnqNhiGeZF9\ndKsCZG5LxdbGkEFFw0Q+6W+gV6MiGlD4SBiKpjAsGVGcn42wygfTzpFRRA2Pmlev\nAGSUs5TDmi1IqQsvzYBMBM9+6sdsKhpRalXGS0gFz+wYGPFlK4E1rd6CBKRYEWtw\nm4kRe0nA2Sk4XhVZ39nPtR9rxrhB+d+Qq7AHIqD75SoY8vI+o3UyJ5Cee5MAmMcd\nn0EG24OeThF2p4lZw0iuUgtefqkc21/MoojYP6tfS7s0vGcq9iFjZ8PgUv3IKfrZ\n9EwresYfvhKbocZj2ywPK7iavFCYmqpTzbloGkO0AVfmHpWZRpxneOaGruCwFmGg\nF3qBVTcBSBDF972KDvm/TbKV5NQmRAZuXTrTBh6vgmVcaLN8LTLP3xRQlY28Ng2P\nY5l/5sZ1CGvhfv+G/24n0lgBF7I8pMTfsUEttzPONEY3pRaYyprYxdDlutHI2Kzp\nl0oPBs19rCSn79avQr5fE0mIvqJCoB5HVPkUDjNTaMNSJAywjQEWNITh2GszRTku\nBDvnzA2VnVww\n=aFlN\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-02-22T18:08:13Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//bap7Q1HvJJ2KjVMhklTaQ2LG+TITzh0jvaRSXlXG+u5a\n//iWLTov8CH6s6e5I/T7FtslIcBVmyUX9vL9tCgVNMHy0RVG9mmykS0z5/9GY1tY\nEDcOOINQwrmuhWFHvc+9hzKEbLH7heR3ljMw9ouzBgFjEUdhFKJCIW9xrY3a45ue\nwBfaVj0tPNFMq/f/Zu5dDvw6gmYp9ziSMh3GwLNnMBmQDgdSjZJWQr+oa7KKSOM4\nu8ogeqP5Yyf7vDj1he+9TJpG8fdE68boYban9t9rfnyf0cRW7oHkpkwPtKvn9U4c\n4Tbl1RUqfHsTpHX+rxP8w/zgaLbrc0hJO1zxXeeQTOlS/0S1+i5n3pINFwzNXNBE\nIHgIpqOKabfpDFsL/DMIdNQZyr/iD4gHjzSeQPdyd0/4dbFMKPsVzA3JomE9z8NW\nRXz9Htb4Z4fybcPDOLxPkyM0qsEtdfb11U5l7IKuq+2ED5zOFxl+qhZrFz7vY1R7\nyaIM70HUeVCT7p0KZmWgtzjhafI8kTS2Qd7VjIF4Y721rB2opqaOKaCWjp4eeYI2\nE/TGivgRl57KgSF8Y8ucoC6ndsxwgJ4dYt3fos09Rbv1qFrlJftyD7m2kOXnPx5N\n5/2R4h3tiYQqGm727bjTjmGUtxToum3rY4sO0y38Woc+4BK3h/gj3AMir8DI7MfS\nWAE+yxIZH8y+c93zkZy34mEHafc6zPFD3QWuzbXzMGP+EMn710zaWmrVV1X3oLKW\n8lFB5sEX+BJaDgISOG7vgypNA+HtWZnRcB1CnzxboADE+HVAU3d+Bpg=\n=rfB5\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/fanny/secrets/initrd_ed25519_key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:dsb1hdpeoH1Rc4Cz10cZMlAKL//GRUKQbTXvGuRcVqMtRVkmiVZonogj1FdpIFOY8m3zIuJKLpQp9i/RuWanRaThyOA4Mqo82N0MTkco0mwLfRhxqA2EbRv1dPgytVQvdNgSrnZI1FXtsQumPgO4KvifwaCG+Wu050NhPDC2Xt8i1U1TyMTkTigk2CKYaYgo+D9xSsA9ymjFUQgvnTn10t3di7cUJi3rBoEiZeOK/EAg1Y3h53AZ4p9SyG1kBflTvtE1NbIZNBYAiFkJNbIhT+Dw67Qv2Uso6oxL/I64IDOljMQz2874wZqpAL1w7W671KdlGtq0murjQ5Sg+g8RYseA1NVmTY7BCaGagNQuU6Ab0BSSdzIuDkH14BL1zGgprCqP0CE8WeWdUzCx5qud9emF24d+VvRKIiawTArSBe34VMnRq05OTKdmtwGZom7kbhD20c1/pwhytiJpzSE08iKy9cYGPGfirNJaxhT7z9XqSoECUg2XPI7Deh75PqoxM8pATLtOtOLp2cYSr2vSrqADMXzmR2M9ixEj,iv:RQH+e6ZADH2XMPqBeuHhMhHiksQg2iR4NUnYhD3pj7w=,tag:wJByTCrYf4cKxJaD2eTCMQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOS9jMmZoNWxrRTl6aVFu\nSW9oTTVkV3NiSGpDTDJNT3dmUWNmSURCYkZ3CnZJNFNEVTNWNEpvcS9NRjFTdExy\na0NNeTByblA3T0JFRXJacHlFTmRPcEEKLS0tIDJCa05LZHo2Rk9xek5Ec1hDODNQ\nOEs1Sk5YbTNHZGFtcmpqaDFKdzRpUVEKiUhTrGp4rXW3hHd8HueZ5v31CXpMACFT\nTq2OaVXUW7yTLFO2E405hQH2ZLS7KzkXeHmA4MZfbsq0ZkriXp956A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-25T16:42:28Z",
+		"mac": "ENC[AES256_GCM,data:iJS4wLJwJZRUozNBUBxL8wYOneGI1Et3r9+DtIs3JrQLEKV16n2SeRP0jRFyCO7VNkxyjnjXJwe0/GVbxtQbVCuDFaCWVpj4xNiEH3wMeuydU96E2QgHaWJGvhyj5e/5o3GO85DeF2ueFCa9DQKtTIWH1xPfqJwtZC2PGH5Uqyo=,iv:/TpULYHxSgFfMQyv715jLVY37AhSY/qh1Zn00UN8oOw=,tag:XrOn8ZpgWFYtSjatXn8sxA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/dMSVIuM4gsG06tcN0NvWQgZUO6E8u2M3k3kUU/xk9bem\nSJFtHluWx26V6F08PP5AoDQ1R5Z1RhP7w3JDjVyscb0WuUzDFVTbJLpuPJIX+MOe\nhz8OqLatn24+fK4eMnQFbTELYRPEKicMmoJrFaTXdUOLkynWtxijzRlCif8J1u3e\nqj2fSfPd4SI9ERiGo5MBtHA9A6nwQvboMdnlGvvlAxFF26QL0xqu8jUdllfJ5IT0\n7y3vbGixV/M29MKzt+cJk7Wnb2y5UaZdelsDmxmm4FrIxHaQrAb/kIMiwf6zVCwh\nZFvNwcAPirduvxpcjOV99mJQ3v02mWo/p4Ey3PCwRb1tQYRxiMf7IJ/eAspmiI/9\nwK/2c6ehtBVXlw738JjA+WP36u+5S7CrvzNk6RLd0y76aNvGB6ZCT4rGm1B2DfR5\nguP+RJGcMFzhv55hQNCNUHZ2jvhLvDvSaCjlOaJZBC62gCygtlDqaLtagIO6RwKR\nJdatJCEjio5yD7x1d7PY0lgBVlbkXk8K3e5CN4RdLyoZStShW3uC6dCUGG1OJzPE\n0mfW5y683CcpMATeucHROtTxxrmp+BT5CyP9eBA/CrmTAJVMaWYM/Tb3+nE4Feal\nKlamR+tLaZdj\n=9/53\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9FH3RHkKEo88HEAXYPfJ3tjctUrn6Y1muzgyilfa9R7OC\nBNdSyXP8qU9FaIEEO9cwXKY6hB30l/b42RwL2HS5MWlNZTXZO9XCjV4VpmkIy88y\nkVhxdb2QbGQSBqmfyc9GOvI2LN3jIAE5fy5GuDREKRJPfVJu6x7IbC4j3tT+3Szq\nzOTF+ZfuUlM7FDzt4vAvP2LeOZxYKCg1va6ne7rtXsry9cIotP7fTqm0xPLZ/K+2\n/+HhC2585GdUXratqod1VfUPGyvdyhrn6WV+BAvUA8O8LYO5ZIkgz16vp60XNZEA\nCkjy/kiSlMorHiy7/ZtWHwWPNQbGxVJ/u6XurgzreDT4H5FvfyzvdKTz7IGYNYfZ\nvwMtQDEd3ToP6QUyNGfpZ5eRGb3I+8xNOd3z3XIXYGFYAOPHriGXMA8Y1g21f+c8\nz0QxXXDNXlTt6qdpumfgF/d/UCFJZeuP2t+mVnnp/gkK6yKZlUHD8L8XjkgumxB+\nvFFKOpPbrO+H+L375xZp9OJTINF5QTFkrmT/jPoexCkx9koxNhM0vIKEFE7+gFsW\n5GKQqz0n1HQgbFfdm2Jk7WQqY8r0weGedalYzkfDPlbS0AdCB9Llk/vwu5Tf+hcX\nIMbph8ZwKLzld9MzEplhHwBZ/Gz0Upp1IYj5Ifr50EnlHjBJ+Z8xXWKshJ/6UerS\nWAEiuOmlWRFGWRM5EdrXwh0/dj+ZyXG7unsv+jpNXjOE8eznaH4Kd9/PEmxazbFX\nJ1gtX6JFy+HXID2DJmXng6NxCzPWpo6prAH9IbMebNVQMzbl03Dtyec=\n=WoeJ\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/fanny/secrets/initrd_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFRuQZweX3r9QQmAFo6oYY9zvrf9V3EIJOl6kFMgyLm kalipso@fanny-initrd

machines/fanny/secrets/ssh_host_ed25519_key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:16SwZ4RZ89+TvwPVgEg+96PmNd63Oai1GnrRipLkxQmzfeAkQvs78emYUEVT/ouAnRFQRNagbhjA4nmfTTq1xGz1u8bacjk1ny1ckd2FmkEOQ7Ry181h8UE61rZP3c8yra2WCgOcsL22oUxUMhg6iswJqEKLImi3cmJ+hASPTc6L3vlZLcP3Vx6FEbDMGrVtfpHEliSicB/rkAOnjVHmxHmVRjx1AI7jfAjCoBGnLwI9X2XREGay9H8Kt36HIhlXA9dK+xkl6WdtkllHIHe3OYHqwd730g+1htMAWtHmyI/DPLLJG48pzITnKv3cQ3aaziUWJGa89WGnBuzxP8ZOagpnC1/wQi1WTR7d/4JYoslz06fCt1ouGT4ttDFh/YqbV0hcXqkASbUnnixicBaYeVrwvSkYvlbwToZ6L+Jc+eqQRrTKXxs5pIZ4qkvImDp85v3U1bDxXT+qhpK9hasmgBqgM9GYjgw8Um/imr9HqDp9ztRsij87mRW/l47vUhxRjrAWpv+J0OlptUIpRiLv,iv:7x+dTHtSbcc47X/ZGz/bcnOxkGDDBu33ZgNrOD1FwDA=,tag:B6s1Jt1KFCitya9oAKvp9w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYlgxeXQzNmtEZXZXNytp\nTnRTRi9nRHJ2bEdPVGhPMzdMY1lPOUpGckFFCkJkL3BVSWlIZ1dBVUliemFWNXl4\ndU9DamhTRUp0aGVwamhWUUZJd3dUREkKLS0tIFNkaGNzc1R5aGxxZWV2QytaRFIw\ndC81MDR5SUlESnNQRlhuR3doTWhYL28KMIMs9mPwVuFr5cEvO6goqf3zQALSO5BB\nrY0C8TfkHLvV57999U9kfyLO7Sm0R/RGS4IinQSCRQWEeR+qLxnEWQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-25T16:43:40Z",
+		"mac": "ENC[AES256_GCM,data:dZJc0aqSD7dhe4Egih3z8QHIbwYDCGYU0DaOczkqHd/yMdcVNrNrcIR6yshArqCLl9jj5Zw3fIO75X09mvuvUCyszbjQyzSmTACp7K3skHuDRJ/yh5vaw6XNeJ3w26Dimfd0WfL1XC519DW532icrDiy2lCZ1qdcYwpqQUBKM/Q=,iv:4vx48jXxKLDOKfK6yYJWW28UaKl+EyqjeRAzV0WayEk=,tag:oO4cAVAv7N5aDAmK5V84mw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+P8Y3rBJAAI2orY71hRSpCAJo/x4CUColQZf9xK4ZgYQ3\neW/15avJVso26mYiZJsTPaEczJ89igYKDrf8Ewi8NNNTmse/BO+BG8KX13QOSWKb\ngiRXMl6zpQwH/cmCXvUrDczjcUaG3vMpcWClfd3lfjEStVEzNB+OKCuRLxhKGYPn\n3HZ3Ypa97ei8uHMKbnloGigUouVKVCCLIqyrJCybQ2+UkOMzcMJpO96RMooWQOUJ\nU+0rLS2s3r8UnwQjEcedEITlmiTlZkTrUnUylcc22v3yVJh3UExCcoVWShqPUE2j\nJv667rq1EblbIzn/8vyMXxOoSYmrLJ+hgh6OXio5bbMUwd/7m6Zz2jEeTXbJi20/\nEl2V0Lu4pTWXhXxh+Y0MIdh2tHMGGWmHBk650e0M/JbnchxK5+9GblWkfzMV8scX\nPpDScHH+cqNPIsvtq/aYGSv5o2u5JfndEuW16cWU99mgYvX7rwwbRbI1zWVX5o9o\nQ6dqJGZEbtE0QilOKxiI0lYBTrDySzaWLTAngd3myVMvFBQ/K6VL7mXwJvDYgOcJ\nxHIExrd191e5eLr5MGQAzXaVietENN27aEDPw5WV9bmXoAKp/4muJnfOB/wBSjCw\nlutnbF0yLg==\n=MqvI\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-02-22T18:08:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//UvOmGlNKLrRg5fXmc/paHF7YVFCGuBa0epuiVsVkS6NX\nQoa57oBJS0y22/dh/fb8Nu7/bMpa9XpPwfgzqhi7+5V/y51lvAIKmrYqNTnGdKB1\na9aiX0yxK0d5Yh0RK+9/2Q+369152mZXx+9Oj3SM8396bcfvTFX4jbhGdnKPqalW\nB1OO8HfYFAu4yl11uVD5cHSdhvXKJOa/GZPkb3TK2kicUdNX3HnZJ3PPGrkOy2EU\nuwFOIVIdNp2MUDFW+V2Nso/NiGcR96uKk5ZhGJaYrXjDDMNHyoLWc0d8wEg3n1Vw\nXOSNLmkSFY39ExKRWu8sijSyZIYN+Ul4t4WdO1Puop01xGTfAkYVQOLC+H4unu3q\ngboyNZCSuZXgG02B8ph/tLlAQ78d70YAf0nxkvzQB6TTNfQ4nyp8QnUJDkwaAnvl\nxDqDDhJBjlfIpqNLT23caKqgt1hSLv3Gcb486D8ZC+6nNuefCsxop82FaUMvL1uf\nWPMcAxMyv4REO8l9V5CDn1+6i+iPyN/Mo+hpwco+sYNZMlSs9PcNKILWZg1gv6q1\nU04IyEPym9VkI1jFte4dsljlp3C2R+l1Ikv5OB6dNpnnMVnTgkDwE0vqvsSTIwbS\nYvFoWBAsRlHMFLLfA6QjRyZpWemHBjrpaqBbIJEkZQnKM1IWdIg6cGOx+mFo1MzS\nVgEePpJj/PECZpH9PQPlv/FrkHa7zC/Fi0BOPposmuQgOUTq3sA5TLYNqPOH2Yn9\nHeQCGXpIeM08Pa3BOQRWDYM2vZPZpf3cBB7VK9zmcGEdE3NZxoBG\n=p1XC\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/fanny/secrets/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc root@fanny

machines/hosts.nix

@@ -0,0 +1,83 @@
+{ ... }:
+
+{
+  malobeo = {
+    hosts = {
+      louise = {
+        type = "host";
+      };
+
+      bakunin = {
+        type = "host";
+      };
+
+      fanny = {
+        type = "host";
+      };
+
+      lucia = {
+        type = "rpi";
+      };
+
+      durruti = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.5";
+          mac = "52:DA:0D:F9:EF:F9";
+        };
+      };
+
+      vpn = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.10";
+          mac = "D0:E5:CA:F0:D7:E6";
+        };
+      };
+
+      infradocs = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.11";
+          mac = "D0:E5:CA:F0:D7:E7";
+        };
+      };
+
+      uptimekuma = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.12";
+          mac = "D0:E5:CA:F0:D7:E8";
+        };
+      };
+
+      nextcloud = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.13";
+          mac = "D0:E5:CA:F0:D7:E9";
+        };
+      };
+
+      overwatch = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.14";
+          mac = "D0:E5:CA:F0:D7:E0";
+        };
+      };
+
+      zineshop = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.15";
+          mac = "D0:E5:CA:F0:D7:F1";
+        };
+      };
+
+      testvm = {
+        type = "host";
+      };
+    };
+  };
+}

machines/infradocs/configuration.nix

@@ -0,0 +1,27 @@
+{ self, config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "infradocs";
+    useDHCP = false;
+  };
+
+  imports = [
+    inputs.malobeo.nixosModules.malobeo.metrics
+    ../durruti/documentation.nix
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/louise/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:
 
 {
   imports =
@@ -9,6 +9,7 @@
       ../modules/sshd.nix
       ../modules/minimal_tools.nix
       ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.printing
     ];
 
   malobeo.autoUpdate = {
@@ -35,7 +36,7 @@
       libreoffice
       gimp
       inkscape
-      okular
+      kdePackages.okular
       element-desktop
       chromium
       mpv
@@ -50,6 +51,8 @@
   };
 
   services.printing.enable = true;
+  services.malobeo.printing.enable = true;
+
   services.printing.drivers = [
     (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
     pkgs.gutenprint
@@ -67,17 +70,13 @@
   networking.hostName = "louise";
   networking.networkmanager.enable = true;
 
-  sound.enable = true;
-  hardware.pulseaudio = {
-    enable = true;
-    zeroconf.discovery.enable = true;
-    extraConfig = ''
-      load-module module-zeroconf-discover
-    '';
-  };
-
-  services.avahi = {
+  security.rtkit.enable = true;
+  services.pipewire = {
     enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    systemWide = true;
   };
 
 

machines/lucia/configuration.nix

@@ -6,6 +6,7 @@ in
 {
   imports =
     [ # Include the results of the hardware scan.
+      ./hardware_configuration.nix
       ../modules/malobeo_user.nix
     ];
 
@@ -14,20 +15,12 @@ in
 
   services.openssh.enable = true;
   services.openssh.ports = [ 22 ];
-  services.openssh.passwordAuthentication = false;
+  services.openssh.settings.PasswordAuthentication = false;
   services.openssh.settings.PermitRootLogin = "prohibit-password";
   users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
 
   # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
   boot.loader.grub.enable = false;
-  boot.loader.raspberryPi.enable = false;
-  boot.loader.raspberryPi.version = 3;
-  boot.loader.raspberryPi.uboot.enable = true;
-  boot.loader.raspberryPi.firmwareConfig = ''
-    dtparam=audio=on
-    hdmi_ignore_edid_audio=1
-    audio_pwm_mode=2
-  '';
 
   # Enables the generation of /boot/extlinux/extlinux.conf
   boot.loader.generic-extlinux-compatible.enable = true;
@@ -39,14 +32,9 @@ in
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
-  # hardware audio support:
-  sound.enable = true;
-
   services = {
 
-
   dokuwiki.sites."wiki.malobeo.org" = {
-    enable = true;
         #acl = "* @ALL 8";  # everyone can edit using this config
     # note there is a users file at
     # /var/lib/dokuwiki/<wiki-name>/users.auth.php
@@ -198,7 +186,7 @@ in
 
   services.avahi = {
     enable = true;
-    nssmdns = true;
+    nssmdns4 = true;
     publish = {
       enable = true;
       addresses = true;

machines/lucia/dummy.yaml

@@ -0,0 +1,70 @@
+hello: ENC[AES256_GCM,data:ehp7eckur8THsbnSUcFYobA2SVDORUpqBcPTWC6/EvunlZbihaJoDoSfSh4Itg==,iv:nEHRg9TfYVdmJgrBs62Tek/3JhwFz8BMKHph4ThUqA8=,tag:1h2DSiOk4khxhRc7YX9ljg==,type:str]
+njala_api_key: ENC[AES256_GCM,data:vGH79aN2m1rZ0278ydoCQ0U5393HL0AZlajTVWcRbD+/V7QREN7ROW2LrdVK95I0cxobmJQ=,iv:vMpFTwWkC0R1/J9fZaks7c0G1Vj64/ryRkN5EgpWCdU=,tag:g2MJADBrJYTbmj2bhUQ8UA==,type:str]
+wireguard_private: ENC[AES256_GCM,data:T4c0qdFZdrwRU9i+nzAdg4ePEVXyeG4e/zNyn8G9Kd//Fwu1woNhQiyDuAo=,iv:VGPCSeU+RqjUdUlLA+RaCXQZK6AMdE4BwOdxM3whwaM=,tag:pXOwj3zxuFRpv2TInjISuw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU0lpUjBadHc2c1lPMUtv
+            dmtqRTd0OEd6TnJrQjJaaFFaMjQ0MWlONEJZClBrdVNMb2xhK2RXRzlmN2dmTzZk
+            SStWSzVGbWdqNEFpMnc3RFdpYWNEcTQKLS0tIDY0SlBvcmJ5RjFKTHQyN3lpSEZ2
+            Z3hTOHN2VWVPMENVS1YzR0Z6Y0MxZmMKf0K43yWL7DE15wqEWb6Z0xsQ3nb1Ybyi
+            0gKxb3hTeoWJnJug3hWyeAJvAJ4pzaA5v8PonnSIJK4UxBUnr+5nGw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIa0pnOGFlYU5OenJvWGhl
+            TjFhU0NyWmprRDY3ZWIrRHdmSVBMS3pER3dZCmVQdlVYQ0pFRTBwZXQ1Z1V5ODVK
+            dkREdEpsYk1MMm5kZU1hUEJYRWZDVjAKLS0tIHdsUjJTaURjaGErclJadTF0clhh
+            aStSbDZ6NWtFZ2NrNHY1a29DTmo4bGcKfZZjFA2j5RgMf0crK8TV67iVizzmXvBR
+            6tePJuCePnNDOoZ7WV5YThxYOPSTI1QvfEvcC1qo7l3Kca9jdkkfbQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:46:57Z"
+    mac: ENC[AES256_GCM,data:GIRj11bDZi38RobJvGoOf5geN42gaGk3294EvB21M/Y+lAsDOUUUbU1fQbBPRUsYvA/lyuHMQWRORTdy0LdjN9ejzwcuev8+j4i6A1zwPSmjIL2+Jp2pBqQj0F6th27hECJlh0wK3vU/aNcccRJP9kEgRME+7FS5uYw9r+ZPJWk=,iv:CUgdVr1b3O4niYTSFokA9uWR3ceiU+6qo+3N+K1BZ3Q=,tag:AERU8MZWHqVsZ+zbT27WIg==,type:str]
+    pgp:
+        - created_at: "2025-01-19T22:46:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAqm3KeXNDFMwVoz9qIIqtNHR+KIcdvdRTlG0GA5BEBiHp
+            hSGkyK/Ni3GGX0WYU5Cf85Id/eEoxqDqDd9kX6MSZK3LBnH+hFy4JiSPENVpmwfQ
+            eONaMwdfwI+/5ZfquVj/AApTXZ8ENhdBzLTuAfIa2hGPDwwkajzkVIg18TZOvKG6
+            f2wiEpnSOVHKnPcGhI1dGxN9TqqN74IUoPhThRzQ79l9RcTEZVClos9IPOhaPfk0
+            TvcBQez3G5Mn8W+s7kg4rl7g6XRZqjcaOuNwopB0x+Dx+alZExsTR6A+1Gf+29a+
+            ELwQYg2mkKUi48vrcKXxz+OMhW7V7wuXQIjLP4jULc7LI3ShRP8z4QKy7asOVRBh
+            XPjxRJ2RcTtEHYUoW3guzoZGSiPW/ex2fcupwaSRDG2GQ/ImiB5dmXSaG2va1MbX
+            z93Ej7Gy2IURglWCK29v4mJiqtDzq8/GNztT7zezHxyUAjjuJ59qXzFF/MQPibxY
+            p3dTfkNNrTqrCQnrFa8k0lgBtKmvz/HO3eCguXVMNgOt+BmfZbJqq+AD8HKYNxaM
+            W0A+9WRmYXcOEUqfaoX9IE9LhgqDd/xgpW4CujUZrXRYgf4IokSm/MFAD/ZnoxKm
+            n2My3wf5PCNd
+            =oUOe
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T22:46:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ/9HD1muIaf8us6XE5hGfrXuy5axFeJNBtc8igo/OP3jCam
+            M2pjwDNIX3EjsgrK2WYo43Xt7aHW5bqnP+d1faLXJ3I0cMia3XxSLmaKswQRrBSi
+            P00ew43kBSx0Smwixf5zCSCzBpWrtOXI8monO8xYLtRnSpfKBf/4kc2gQiuAxByd
+            fxdE/x1et0XXiK038KgHMnYdOIvMTGcpymoSDHk0bDw+ruBqG93cmzOkT4Oc5CsF
+            oeFN83ku1cGFQr58hUhJ1q5eUTK/lDEVYElGJ2n0pGxThYyrUz3SIzZu3Jbxgs/Q
+            2Xok4KsNPEbY2VKz/d3nrwbg2S3VF/CHl9sKxoFK8g3WcEE+HO7BFqvz901H+aUJ
+            5mN7stKSs5pViDHusv3Kv2+eT2fPJ4lPU2IEvXkCt3jjB/G0UDz+t6Qn1Wr8PPcO
+            8u+QafpILgYTK7QOF88GYstq8iWOWHlN9VKFYfqHMGWkrMtnGRWCbXsNmg7lKh6D
+            MtdvROsESVDKtydZwBpoQ4ILLROhkoL+eOMzFOgc/i4PWFlva2RBuRnZQNlieq/R
+            9aYpGsZbD+YYGjQKhlwwakpWK5XOoqqSh6Fv6Qzonu2Y++Zf9c9zpe+LINlUhxEY
+            AA1YnxbqvVJCqoBuq5avAd0fivhFDes0OmR7jLZzluotgwUePwBOVGo5l2ow/03S
+            WAGO2443OWOfbmTi/mq1C/8It1WAkC70XSQbff9pHLd4pRA6XgjMXbJ8+5X0FXRM
+            H5nWOAaO4Dp6SnccT3Q9zytkm+lXdJL6Rou3PkmP4JBvU535bNv5a3k=
+            =732R
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

machines/lucia/secrets.yaml

@@ -1,71 +1,81 @@
 hello: ENC[AES256_GCM,data:3VuyuX7MaLSmor4W22F3FUCGp8SUq4pE6z5nuiZenH07+zEeMAllVCP6g/j1fQ==,iv:A3Oh99AchsmrkMEb4ZRSIigb8Cr+3WlQtsgyZJGpLY8=,tag:TOHF9BaydkRD6cJAndryTg==,type:str]
 njala_api_key: ENC[AES256_GCM,data:qXGngMJaAOk2Gb8B4nwMTht9Vp/OEhGmKS5vh1kpi0MyqcsmwuwpWuUz+RWD6NDFn2w/35M=,iv:lsZyCrmcT1xJcLjzK4zkcRYmbKUeLUFYZ7oDfCVJV8c=,tag:WK+aF3XGBRDQuvL87Qdusw==,type:str]
+wireguard_private: ENC[AES256_GCM,data:ZxGbYLQKvrPibLpId+xbvqphlcgm/U5Se9XMS4FogmY4HfJnh9Y4Ja/x20I=,iv:PnZjiyKk1XuIq5/NLtOdWh20ytDEMYM7LJqmCoSrD0s=,tag:CZErG28Lo3aiQGovxEeZtA==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
-    age: []
-    lastmodified: "2023-10-24T15:09:51Z"
-    mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
-    pgp:
-        - created_at: "2023-10-24T14:42:18Z"
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
           enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh
+            RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5
+            NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4
+            aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
+            f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-14T18:10:54Z"
+    mac: ENC[AES256_GCM,data:DPQsRraMAvoezHsA7uM8q8sEevnZRnpU1vydEL72r6KJj12dT58KXCTuUeNgD+320LE1i83k6HLdM9C/+uniu73Ba5JSwglLLDBkZpfsdCde0aqkGjQd/RF/0Vb8ZbE/KCCCMVOjT6hX6RSDSEujoRMY26n1CWYtPeivqpWb5NY=,iv:TarRTCyPRoyQEb3qoXAJcOYtrTtftyZO4ahkyTZT8qU=,tag:A0kqa1szfk6Z5etivjB/lA==,type:str]
+    pgp:
+        - created_at: "2024-11-14T13:02:46Z"
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T
-            xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw
-            L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ
-            /f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd
-            eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb
-            mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez
-            cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh
-            3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a
-            FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2
-            XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT
-            WxGMHNWqN7NS
-            =XZkW
+            hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3
+            edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv
+            aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI
+            V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB
+            aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ
+            513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf
+            2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF
+            rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9
+            lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn
+            2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc
+            qkz9uKEGrGjb
+            =wPkW
             -----END PGP MESSAGE-----
           fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2023-10-24T14:42:18Z"
-          enc: |
+        - created_at: "2024-11-14T13:02:46Z"
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA
-            WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT
-            iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW
-            1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH
-            X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN
-            0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q
-            D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF
-            apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf
-            OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/
-            y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz
-            DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS
-            WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf
-            MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0=
-            =2A7P
+            hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC
+            FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU
+            OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX
+            HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu
+            Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs
+            58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg
+            JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp
+            epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y
+            GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG
+            ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8
+            a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS
+            WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0
+            m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko=
+            =DC78
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2023-10-24T14:42:18Z"
-          enc: |
+        - created_at: "2024-11-14T13:02:46Z"
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO
-            2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU
-            VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA
-            2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464
-            qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL
-            m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi
-            KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF
-            rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx
-            3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ
-            emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh
-            1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS
-            WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7
-            wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo=
-            =NnkE
+            hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL
+            3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB
+            OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg
+            2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN
+            +QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI
+            ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0
+            R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J
+            pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW
+            608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m
+            c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl
+            64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS
+            WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu
+            8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY=
+            =8HBK
             -----END PGP MESSAGE-----
           fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

machines/moderatio/configuration.nix

@@ -1,92 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
-{
-  services.acpid.enable = true;
-
-  boot.kernelPackages = pkgs.linuxPackages_5_4;
-  services.xserver.videoDrivers = [ "intel" ];
-  services.xserver.deviceSection = ''
-    Option "DRI" "2"
-    Option "TearFree" "true"
-  '';
-
-  zramSwap.enable = true;
-  zramSwap.memoryPercent = 150;
-
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ./zfs.nix
-
-      ../modules/xserver.nix
-      ../modules/malobeo_user.nix
-      ../modules/sshd.nix
-      ../modules/minimal_tools.nix
-    ];
-
-  users.users.malobeo = {
-    packages = with pkgs; [
-      firefox
-      thunderbird
-    ];
-  };
-
-  networking.hostName = "moderatio"; # Define your hostname.
-  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
-
-  # Set your time zone.
-  time.timeZone = "Europe/Berlin";
-
-  # Select internationalisation properties.
-  # i18n.defaultLocale = "en_US.UTF-8";
-  # console = {
-  #   font = "Lat2-Terminus16";
-  #   keyMap = "us";
-  #   useXkbConfig = true; # use xkbOptions in tty.
-  # };
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio.enable = true;
-
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  # };
-
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  # system.copySystemConfiguration = true;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
-
-}
-

machines/moderatio/zfs.nix

@@ -1,34 +0,0 @@
-{ config, pkgs, ... }:
-
-{ boot.supportedFilesystems = [ "zfs" ];
-  networking.hostId = "ae749b82";
-  #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-boot.loader.efi.efiSysMountPoint = "/boot/efi";
-boot.loader.efi.canTouchEfiVariables = false;
-boot.loader.generationsDir.copyKernels = true;
-boot.loader.grub.efiInstallAsRemovable = true;
-boot.loader.grub.enable = true;
-boot.loader.grub.version = 2;
-boot.loader.grub.copyKernels = true;
-boot.loader.grub.efiSupport = true;
-boot.loader.grub.zfsSupport = true;
-boot.loader.grub.extraPrepareConfig = ''
-  mkdir -p /boot/efis
-  for i in  /boot/efis/*; do mount $i ; done
-
-  mkdir -p /boot/efi
-  mount /boot/efi
-'';
-boot.loader.grub.extraInstallCommands = ''
-ESP_MIRROR=$(mktemp -d)
-cp -r /boot/efi/EFI $ESP_MIRROR
-for i in /boot/efis/*; do
- cp -r $ESP_MIRROR/EFI $i
-done
-rm -rf $ESP_MIRROR
-'';
-boot.loader.grub.devices = [
-      "/dev/disk/by-id/ata-ST250LT003-9YG14C_W041QXCA"
-    ];
-users.users.root.initialHashedPassword = "$6$PmoyhSlGGT6SI0t0$.cFsLyhtO1ks1LUDhLjG0vT44/NjuWCBrv5vUSXqwrU5WpaBvvthnLp0Dfwfyd6Zcdx/4izDcjQAgEWs4QdzW0";
-}

machines/modules/disko/default.nix

@@ -0,0 +1,283 @@
+{config, inputs, lib, ...}:
+let 
+  cfg = config.malobeo.disks;
+in
+{
+  imports = [inputs.disko.nixosModules.disko];
+  options.malobeo.disks = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable disko disk creation";
+    };
+    hostId = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+      description = "Host ID for zfs disks, generate with 'head -c4 /dev/urandom | od -A none -t x4'";
+    };
+    encryption = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Allows encryption to be disabled for testing";
+    };
+    devNodes = lib.mkOption {
+      type = lib.types.str;
+      default = "/dev/disk/by-id/";
+      description = ''
+        where disks should be mounted from
+        https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux
+        use "/dev/disk/by-path/" for vm's
+      '';
+    };
+    root = {
+      disk0 = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        description = "name ab /dev für root dateisystem";
+      };
+      disk1 = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        description = "name ab /dev für eventuellen root mirror";
+      };
+      swap = lib.mkOption {
+        type = lib.types.str;
+        default = "8G";
+        description = "size of swap partition (only disk0)";
+      };
+      reservation = lib.mkOption {
+        type = lib.types.str;
+        default = "20GiB";
+        description = "zfs reservation";
+      };
+      mirror = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "mirror zfs root pool";
+      };
+    };
+    storage = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Enable storage pool";
+      };
+      disks = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        description = "name ab /dev/ für storage pool";
+        example = "ata-ST16000NE000-2RW103_ZL2P0YSZ";
+      };
+      reservation = lib.mkOption {
+        type = lib.types.str;
+        default = "20GiB";
+        description = "zfs reservation";
+      };
+      mirror = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "mirror zfs storage pool";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.hostId = cfg.hostId;
+    disko.devices = {
+      disk = lib.mkMerge [
+        {
+          ssd0 = lib.mkIf (cfg.root.disk0 != "") {
+            type = "disk";
+            device = "/dev/${cfg.root.disk0}";
+            content = {
+              type = "gpt";
+              partitions = {
+                ESP = {
+                  size = "1024M";
+                  type = "EF00";
+                  content = {
+                    type = "filesystem";
+                    format = "vfat";
+                    mountpoint = "/boot";
+                    mountOptions = [ "umask=0077" ];
+                  };
+                };
+                encryptedSwap = lib.mkIf cfg.encryption {
+                  size = cfg.root.swap;
+                  content =  {
+                    type = "swap";
+                    randomEncryption = true;
+                  };
+                };
+                zfs = {
+                  size = "100%";
+                  content = {
+                    type = "zfs";
+                    pool = "zroot";
+                  };
+                };
+              };
+            };
+          };
+          ssd1 = lib.mkIf (cfg.root.disk1 != "") {
+            type = "disk";
+            device = "/dev/${cfg.root.disk1}";
+            content = {
+              type = "gpt";
+              partitions = {
+                zfs = {
+                  size = "100%";
+                  content = {
+                    type = "zfs";
+                    pool = "zroot";
+                  };
+                };
+              };
+            };
+          };
+        }
+        (lib.mkIf cfg.storage.enable (
+          lib.mkMerge (
+            map (diskname: {
+              "${diskname}" = {
+                type = "disk";
+                device = "/dev/${diskname}";
+                content = {
+                  type = "gpt";
+                  partitions = {
+                    zfs = {
+                      size = "100%";
+                      content = {
+                        type = "zfs";
+                        pool = "storage";
+                      };
+                    };
+                  };
+                };
+              };
+            }) cfg.storage.disks
+          )
+        ))
+      ];
+
+      zpool = {
+        zroot = {
+          type = "zpool";
+          mode = lib.mkIf cfg.root.mirror "mirror";
+          # Workaround: cannot import 'zroot': I/O error in disko tests
+          options.cachefile = "none";
+          rootFsOptions = {
+            mountpoint = "none";
+            xattr = "sa";         # für microvm virtiofs mount
+            acltype = "posixacl"; # für microvm virtiofs mount 
+            compression = "zstd";
+            "com.sun:auto-snapshot" = "false";
+          };
+
+          datasets = {
+            encrypted = {
+              type = "zfs_fs";
+              options = {
+                mountpoint = "none";
+                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                keyformat = lib.mkIf cfg.encryption "passphrase";
+                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+              };
+              # use this to read the key during boot
+              postCreateHook = lib.mkIf cfg.encryption ''
+                zfs set keylocation="prompt" zroot/encrypted;
+              '';
+            };
+            "encrypted/root" = {
+              type = "zfs_fs";
+              mountpoint = "/";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/var" = {
+              type = "zfs_fs";
+              mountpoint = "/var";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/etc" = {
+              type = "zfs_fs";
+              mountpoint = "/etc";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/home" = {
+              type = "zfs_fs";
+              mountpoint = "/home";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/nix" = {
+              type = "zfs_fs";
+              mountpoint = "/nix";
+              options.mountpoint = "legacy";
+            };
+            reserved = {
+              # for cow delete if pool is full
+              options = {
+                canmount = "off";
+                mountpoint = "none";
+                reservation = "${cfg.root.reservation}";
+              };
+              type = "zfs_fs";
+            };
+          };
+        };
+
+        storage = lib.mkIf cfg.storage.enable {
+          type = "zpool";
+          mode = lib.mkIf (cfg.storage.mirror) "mirror";
+          rootFsOptions = { 
+            mountpoint = "none";
+            xattr = "sa";         # für microvm virtiofs mount
+            acltype = "posixacl"; # für microvm virtiofs mount 
+          };
+          datasets = {
+            encrypted = {
+              type = "zfs_fs";
+              options = {
+                mountpoint = "none";
+                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                keyformat = lib.mkIf cfg.encryption "passphrase";
+                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+              };
+              # use this to read the key during boot
+              postCreateHook = lib.mkIf cfg.encryption ''
+                zfs set keylocation="prompt" storage/encrypted;
+              '';
+            };
+            "encrypted/data" = {
+              type = "zfs_fs";
+              mountpoint = "/data";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/data/microvms" = {
+              type = "zfs_fs";
+              mountpoint = "/data/microvms";
+              options.mountpoint = "legacy";
+            };
+            reserved = {
+              # for cow delete if pool is full
+              options = {
+                canmount = "off";
+                mountpoint = "none";
+                reservation = "${cfg.storage.reservation}";
+              };
+              type = "zfs_fs";
+            };
+          };
+        };
+      };
+    };
+
+    boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
+
+    fileSystems."/".neededForBoot = true;
+    fileSystems."/etc".neededForBoot = true;
+    fileSystems."/boot".neededForBoot = true;
+    fileSystems."/var".neededForBoot = true;
+    fileSystems."/home".neededForBoot = true;
+    fileSystems."/nix".neededForBoot = true;
+  };
+}

machines/modules/host_builder.nix

@@ -0,0 +1,258 @@
+{ self
+, nixpkgs-unstable
+, nixpkgs
+, sops-nix
+, inputs
+, hosts
+, ...
+}:
+let
+  pkgs = nixpkgs.legacyPackages."x86_64-linux";
+in
+rec {
+  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+  nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem;
+
+  baseModules = [
+    # make flake inputs accessiable in NixOS
+    { _module.args.inputs = inputs; }
+    {
+      imports = [
+        ({ pkgs, ... }: {
+          nix = {
+            extraOptions = ''
+              experimental-features = nix-command flakes
+            '';
+
+            settings = {
+              substituters = [
+                "https://cache.dynamicdiscord.de"
+                "https://cache.nixos.org/"
+              ];
+              trusted-public-keys = [
+                "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4="
+              ];
+              trusted-users = [ "root" "@wheel" ];
+            };
+          };
+        })
+
+        sops-nix.nixosModules.sops
+      ];
+    }
+  ];
+  defaultModules = baseModules;
+
+  makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
+    {
+      microvm = {
+        hypervisor = "cloud-hypervisor";
+        mem = 2560;
+        shares = [
+          {
+            source = "/nix/store";
+            mountPoint = "/nix/.ro-store";
+            tag = "store";
+            proto = "virtiofs";
+            socket = "store.socket";
+          }
+          {
+            source = "/var/lib/microvms/${hostName}/etc";
+            mountPoint = "/etc";
+            tag = "etc";
+            proto = "virtiofs";
+            socket = "etc.socket";
+          }
+          {
+            source = "/var/lib/microvms/${hostName}/var";
+            mountPoint = "/var";
+            tag = "var";
+            proto = "virtiofs";
+            socket = "var.socket";
+          }
+          {
+            source = "/var/lib/microvms/data/${hostName}";
+            mountPoint = "/data";
+            tag = "data";
+            proto = "virtiofs";
+            socket = "microdata.socket";
+          }
+        ];
+
+        interfaces = [
+          {
+            type = "tap";
+            id = "vm-${hostName}";
+            mac = "${macAddr}";
+          }
+        ];
+      };
+
+      systemd.network.enable = true;
+      
+      systemd.network.networks."20-lan" = {
+        matchConfig.Type = "ether";
+        networkConfig = {
+          Address = [ "${ipv4Addr}/24" ];
+          Gateway = "10.0.0.1";
+          DNS = ["1.1.1.1"];
+          DHCP = "no";
+        };
+      };
+    }
+  ] ++ defaultModules ++ modules;
+
+  inputsMod = inputs // { malobeo = self; };
+
+
+  vmMicroVMOverwrites = hostname: options: {
+    microvm = rec {
+      mem = pkgs.lib.mkForce 4096;
+      hypervisor = pkgs.lib.mkForce "qemu";
+      socket = pkgs.lib.mkForce null;
+
+
+      #needed for hosts that deploy imperative microvms (for example fanny)
+      writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store";
+      volumes = pkgs.lib.mkIf options.writableStore [ {
+        image = "nix-store-overlay.img";
+        mountPoint = writableStoreOverlay;
+        size = 2048;
+      } ];
+
+      shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [
+        {
+          tag = "ro-store";
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+        }
+      ] ++ pkgs.lib.optionals (options.varPath != "") [
+        {
+          source = "${options.varPath}";
+          securityModel = "mapped";
+          mountPoint = "/var";
+          tag = "var";
+        }
+      ] ++ pkgs.lib.optionals (options.dataPath != "") [
+        {
+          source = "${options.dataPath}";
+          securityModel = "mapped";
+          mountPoint = "/data";
+          tag = "data";
+        }
+      ]);
+
+      interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
+        type = "user";
+        id = "eth0";
+        mac = "02:23:de:ad:be:ef";
+      }]);
+
+      #if networking is disabled forward port 80 to still have access to webservices
+      forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [
+        { from = "host"; host.port = options.fwdPort; guest.port = 80; }
+      ]);
+
+    };
+
+    fileSystems = {
+      "/".fsType = pkgs.lib.mkForce "tmpfs";
+
+      # prometheus uses a memory mapped file which doesnt seem supported by 9p shares
+      # therefore we mount a tmpfs inside the datadir
+      "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce {
+        fsType = pkgs.lib.mkForce "tmpfs";
+      });
+    };
+
+    boot.isContainer = pkgs.lib.mkForce false;
+    services.timesyncd.enable = false;
+    users.users.root.password = "";
+    services.getty.helpLine = ''
+      Log in as "root" with an empty password.
+      Use "reboot" to shut qemu down.
+    '';
+  };
+
+  vmDiskoOverwrites = {
+    boot.initrd = {
+      secrets = pkgs.lib.mkForce {};
+      network.ssh.enable = pkgs.lib.mkForce false;
+    };
+
+    malobeo.disks.enable = pkgs.lib.mkForce false;
+    networking.hostId = "a3c3101f";
+  };
+
+  vmSopsOverwrites = host: {
+    sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml;
+
+    environment.etc = {
+      devHostKey = {
+        source = ../secrets/devkey_ed25519;
+        mode = "0600";
+      };
+    };
+
+    services.openssh.hostKeys = [{
+      path = "/etc/devHostKey";
+      type = "ed25519";
+    }];
+  };
+
+  vmNestedMicroVMOverwrites = host: sopsDummy: {
+
+    microvm.vms = pkgs.lib.mkForce (
+    let
+      # Map the values to each hostname to then generate an Attrset using listToAttrs
+      mapperFunc = name: { inherit name; value = {
+        specialArgs.inputs = inputsMod;
+        specialArgs.self = self;
+        config = {
+          imports = (makeMicroVM "${name}" 
+                                 "${hosts.malobeo.hosts.${name}.network.address}"
+                                 "${hosts.malobeo.hosts.${name}.network.mac}" [
+            ../${name}/configuration.nix     
+            (vmMicroVMOverwrites name { 
+              withNetworking = true; 
+              varPath = ""; 
+              dataPath = "";
+              writableStore = false; })
+            (if sopsDummy then (vmSopsOverwrites name) else {})
+          ]);
+        };
+      }; };
+    in
+    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts));
+  };
+
+  buildVM = host: networking: sopsDummy: disableDisko: varPath: dataPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
+      modules = [
+          (vmMicroVMOverwrites host { 
+            withNetworking = networking; 
+            varPath = "${varPath}"; 
+            dataPath = "${dataPath}"; 
+            writableStore = writableStore;
+            fwdPort = fwdPort; })
+          (if sopsDummy then (vmSopsOverwrites host) else {})
+          (if disableDisko then vmDiskoOverwrites else {})
+        ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [
+          inputs.microvm.nixosModules.microvm
+        ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [
+          (vmNestedMicroVMOverwrites host sopsDummy)
+      ];
+    });
+
+  buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem {
+    system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux";
+    specialArgs.inputs = inputsMod;
+    specialArgs.self = self;
+    modules = (if (settings.type != "microvm") then
+      defaultModules ++ [ ../${host}/configuration.nix ]
+      else
+      makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [
+        inputs.microvm.nixosModules.microvm
+        ../${host}/configuration.nix
+      ]);
+  }) hosts);
+}

machines/modules/malobeo/backup.nix

@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let 
+  cfg = config.malobeo.backup;
+  hostToCommand = (hostname: datasetNames: 
+    (map (dataset:  { 
+      name = "${hostname}_${dataset.sourceDataset}";
+      value = { 
+        inherit hostname; 
+        inherit (dataset) sourceDataset targetDataset;
+      }; 
+    } ) datasetNames));
+  peers = import ./peers.nix;
+
+  enableSnapshots = cfg.snapshots != null;
+  enableBackups = cfg.hosts != null;
+in
+{
+  options.malobeo.backup = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable sanoid/syncoid based backup functionality";
+    };
+
+    snapshots = mkOption {
+      type = types.nullOr (types.listOf types.str);
+      default = null;
+      description = "Automatic snapshots will be created for the given datasets";
+    };
+
+    hosts = mkOption {
+      default = null;
+      type = types.nullOr (types.attrsOf (types.listOf (types.submodule {
+        options = {
+          sourceDataset = mkOption {
+            type = types.str;
+            description = "The source that needs to be backed up";
+          };
+          targetDataset = mkOption {
+            type = types.str;
+            description = "The target dataset where the backup should be stored";
+          };
+        };
+      })));
+      description = ''
+          Hostname with list of datasets to backup. This option should be defined on hosts that will store backups.
+
+          It is necessary to add the machines that get backed up to known hosts.
+          This can be done for example systemwide using 
+          programs.ssh.knownHosts."10.100.0.101" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc";
+          Or set it for the syncoid user directly.
+        '';
+    };
+
+    sshKey = mkOption {
+      default = null;
+      type = types.nullOr types.str;
+      description = "Set path to ssh key used for pull backups. Otherwise default key is used";
+    };
+  };
+  
+  config = mkIf (cfg.enable) {
+    services.sanoid = mkIf (enableSnapshots) {
+      enable = true;
+  
+      templates."default" = {
+        hourly = 24;
+        daily = 30; #keep 30 daily snapshots
+        monthly = 6; #keep 6 monthly backups
+        yearly = 0;
+  
+        autosnap = true; #take snapshots automatically
+        autoprune = true; #delete old snapshots
+      };
+  
+      datasets = builtins.listToAttrs (map (name: { inherit name; value = {
+        useTemplate = [ "default" ];
+        recursive = true;
+      }; }) cfg.snapshots);
+    };
+
+    services.syncoid = mkIf (enableBackups) {
+      enable = true;
+      sshKey = cfg.sshKey;
+  
+      commonArgs = [
+        "--no-sync-snap"
+      ];
+  
+      interval = "*-*-* 04:15:00";
+  
+      commands = builtins.mapAttrs (name: value: {
+        source = "backup@${peers.${value.hostname}.address}:${value.sourceDataset}";
+        target = "${value.targetDataset}";
+        sendOptions = "w";
+        recvOptions = "\"\"";
+        recursive = true;
+      })(builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs hostToCommand cfg.hosts))));
+    };
+  };
+}

machines/modules/malobeo/initssh.nix

@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+let 
+  cfg = config.malobeo.initssh;
+  inherit (config.networking) hostName;
+
+in
+{
+  options.malobeo.initssh = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable initrd-ssh";
+    };
+    authorizedKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Authorized keys for the initrd ssh";
+    };
+    ethernetDrivers = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
+      example = "r8169";
+    };
+    zfsExtraPools = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
+    };
+  };
+  
+  config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
+    boot = {
+      loader.systemd-boot.enable = true;
+      loader.efi.canTouchEfiVariables = true;
+      supportedFilesystems = [ "vfat" "zfs" ];
+      zfs = {
+        forceImportAll = true;
+        requestEncryptionCredentials = true;
+        extraPools = cfg.zfsExtraPools;
+      };
+      initrd = {
+        availableKernelModules = cfg.ethernetDrivers;
+        systemd = {
+          initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ]; 
+          enable = true;
+          network.enable = true;
+        };
+        network.ssh = {
+          enable = true;
+          port = 222;
+          authorizedKeys = cfg.authorizedKeys;
+          hostKeys = [ "/etc/ssh/initrd" ];
+        };
+        secrets = {
+          "/etc/ssh/initrd" = "/etc/ssh/initrd";
+        };
+        systemd.services.zfs-remote-unlock = {
+          description = "Prepare for ZFS remote unlock";
+          wantedBy = ["initrd.target"];
+          after = ["systemd-networkd.service"];
+          path = with pkgs; [ zfs ];
+          serviceConfig.Type = "oneshot";
+          script = ''
+            zpool import storage
+            echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
+          '';
+        };
+      };
+      kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
+    };
+  };
+}

machines/modules/malobeo/metrics.nix

@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+let 
+  cfg = config.malobeo.metrics;
+in
+{
+  options.malobeo.metrics = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable sharing metrics";
+    };
+    enablePromtail = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Enable sharing logs";
+    };
+    logNginx = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Share nginx logs";
+    };
+    lokiHost = lib.mkOption {
+      type = lib.types.str;
+      default = "10.0.0.14";
+      description = "Address of loki host";
+    };
+  };
+  
+  config = lib.mkIf (cfg.enable) {
+
+    networking.firewall.allowedTCPPorts = [ 9002 ];
+
+    services.prometheus = {
+      exporters = {
+        node = {
+          enable = true;
+          enabledCollectors = [ "systemd" "processes" ];
+          port = 9002;
+        };
+      };
+    };
+
+    services.promtail = {
+      enable = cfg.enablePromtail;
+      configFile = import ./promtail_config.nix { 
+        lokiAddress = cfg.lokiHost;
+        logNginx = cfg.logNginx;
+        config = config;
+        pkgs = pkgs;
+      };
+    };
+
+    users.users.promtail.extraGroups = [ "systemd-journal" ] ++ (lib.optionals cfg.logNginx [ "nginx" ]) ;
+
+  };
+}

machines/modules/malobeo/microvm_host.nix

@@ -0,0 +1,135 @@
+{ config, self, lib, inputs, options, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.malobeo.microvm;
+in
+{
+  options = {
+    services.malobeo.microvm = {
+      enableHostBridge = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Setup bridge device for microvms.";
+      };
+
+      enableHostBridgeUnstable = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Setup bridge device for microvms.";
+      };
+
+      deployHosts = mkOption {
+        default = [];
+        type = types.listOf types.str;
+        description = ''
+          List hostnames of MicroVMs that should be automatically initializes and autostart
+        '';
+      };
+    };
+  };
+
+
+  imports = [
+    inputs.microvm.nixosModules.host
+  ];
+
+  config = { 
+    assertions = [
+      {
+        assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge);
+        message = ''
+          Only enableHostBridge or enableHostBridgeUnstable! Not Both!
+        '';
+      }
+    ];
+
+    systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
+      enable = true;
+      # create a bride device that all the microvms will be connected to
+      netdevs."10-microvm".netdevConfig = {
+        Kind = "bridge";
+        Name = "microvm";
+      };
+
+      networks."10-microvm" = {
+        matchConfig.Name = "microvm";
+        networkConfig = {
+          DHCPServer = true;
+          IPv6SendRA = true;
+        };
+        addresses = if cfg.enableHostBridgeUnstable then [
+          { Address = "10.0.0.1/24"; }
+        ] else [
+          { Address = "10.0.0.1/24"; }
+        ];
+      };
+
+      # connect the vms to the bridge
+      networks."11-microvm" = {
+        matchConfig.Name = "vm-*";
+        networkConfig.Bridge = "microvm";
+      };
+    }; 
+
+    microvm.vms = 
+    let
+      # Map the values to each hostname to then generate an Attrset using listToAttrs
+      mapperFunc = name: { inherit name; value = {
+          # Host build-time reference to where the MicroVM NixOS is defined
+          # under nixosConfigurations
+          flake = inputs.malobeo; 
+          # Specify from where to let `microvm -u` update later on
+          updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure";
+        }; };
+    in
+    builtins.listToAttrs (map mapperFunc cfg.deployHosts);
+
+    systemd.services = builtins.foldl' (services: name: services // {
+      "microvm-update@${name}" = {
+        description = "Update MicroVMs automatically";
+        after = [ "network-online.target" ];
+        wants = [ "network-online.target" ];
+        unitConfig.ConditionPathExists = "/var/lib/microvms/${name}";
+        serviceConfig = {
+          LimitNOFILE = "1048576";
+          Type = "oneshot";
+        };
+        path = with pkgs; [ nix git ];
+        environment.HOME = config.users.users.root.home;
+        script = ''
+          /run/current-system/sw/bin/microvm -Ru ${name}
+        '';
+      };
+
+      "microvm-init-dirs@${name}" = {
+        description = "Initialize microvm directories";
+        after = [ "zfs-mount.service" ];
+        wantedBy = [ "microvm@${name}.service" ];
+        unitConfig.ConditionPathExists = "!/var/lib/microvms/${name}/.is_initialized";
+        serviceConfig = {
+          Type = "oneshot";
+        };
+        script = ''
+          mkdir -p /var/lib/microvms/${name}/var
+          mkdir -p /var/lib/microvms/${name}/etc
+          mkdir -p /var/lib/microvms/data/${name}
+          touch /var/lib/microvms/${name}/.is_initialized
+        '';
+      };
+    }) {} (cfg.deployHosts);
+
+    systemd.timers = builtins.foldl' (timers: name: timers // {
+    "microvm-update-${name}" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "microvm-update@${name}.service";
+        # three times per hour
+        OnCalendar = "*:0,20,40:00";
+        Persistent = true;
+      };
+    };
+  }) {} (cfg.deployHosts);
+  };
+}

machines/modules/malobeo/peers.nix

@@ -0,0 +1,61 @@
+{
+  "vpn" = {
+    role = "server";
+    publicIp = "5.9.153.217";
+    address = "10.100.0.1";
+    allowedIPs = [ "10.100.0.0/24" ];
+    listenPort = 51821;
+    publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
+    persistentKeepalive = 25;
+  };
+
+  "celine" = {
+    role = "client";
+    address = "10.100.0.2";
+    allowedIPs = [ "10.100.0.2/32" ];
+    publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
+  };
+
+  "desktop" = {
+    role = "client";
+    address = "10.100.0.3";
+    allowedIPs = [ "10.100.0.3/32" ];
+    publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
+  };
+
+  "atlan-pc" = {
+    role = "client";
+    address = "10.100.0.5";
+    allowedIPs = [ "10.100.0.5/32" ];
+    publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
+  };
+
+  "hetzner" = {
+    role = "client";
+    address = "10.100.0.6";
+    allowedIPs = [ "10.100.0.6/32" ];
+    publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
+  };
+
+  "fanny" = {
+    role = "client";
+    address = "10.100.0.101";
+    allowedIPs = [ "10.100.0.101/32" ];
+    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
+  };
+
+  "fanny-initrd" = {
+    role = "client";
+    address = "10.100.0.102";
+    allowedIPs = [ "10.100.0.102/32" ];
+    #TODO: UPDATE
+    publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
+  };
+
+  "backup0" = {
+    role = "client";
+    address = "10.100.0.20";
+    allowedIPs = [ "10.100.0.20/32" ];
+    publicKey = "Pp55Jg//jREzHdbbIqTXc9N7rnLZIFw904qh6NLrACE=";
+  };
+}

machines/modules/malobeo/printing.nix

@@ -0,0 +1,122 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let 
+  cfg = config.services.malobeo.printing;
+  driverFile = pkgs.writeTextDir "share/cups/model/konicaminoltac258.ppd" (builtins.readFile ../KOC658UX.ppd);
+
+  defaultPpdOptions = {
+    PageSize = "A4";
+    SelectColor = "Grayscale";
+    Finisher = "FS534";
+    SaddleUnit = "SD511";
+    Model = "C258";
+    InputSlot = "Tray1";
+    TextPureBlack = "On";
+    PhotoPureBlack = "On";
+    GraphicPureBlack = "On";
+  };
+
+in
+{
+  options.services.malobeo.printing = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Setup malobeo printers";
+    };
+  };
+  
+  config = mkIf (cfg.enable) {
+    services.printing.enable = true;
+    services.printing.drivers = [
+      driverFile
+    ];
+
+    hardware.printers.ensurePrinters = [ 
+      {
+        name = "KonicaDefault";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions;
+      }
+      {
+        name = "KonicaBooklet";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions // {
+          Fold = "Stitch";
+          Staple = "None";
+        };
+      }
+      {
+        name = "KonicaPostcard";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions // {
+          Fold = "None";
+          Staple = "None";
+          InputSlot = "BypassTray";
+          MediaType = "Thick4";
+          KMDuplex = "1Sided";
+        };
+      }
+    ];
+  };
+}
+
+/*
+ALL AVAILABE OPTIONS:
+
+PaperSources/Paper Source Unit: *None LU207 LU302 PC110 PC114 PC115 PC110+LU302 PC115+LU207 PC115+LU302 PC210 PC214 PC215 PC210+LU302 PC215+LU207 PC215+LU302 PC410 PC414 PC415 PC410+LU302 PC415+LU207 PC415+LU302
+Finisher/Finisher: None FS533 *FS534 JS506 FS536 FS537 FS537+JS602
+KOPunch/Punch Unit: *None PK519 PK519-3 PK519-4 PK519-SWE4 PK520 PK520-3 PK520-4 PK520-SWE4 PK523 PK523-3 PK523-4 PK523-SWE4
+ZFoldPunch/Z-Fold Unit: *None ZU609
+CoverSheetFeeder/Post Inserter: *None PI507
+SaddleUnit/Saddle Kit: None *SD511 SD512
+PrinterHDD/Hard Disk: None *HDD
+AdvancedFunctionCover/Advanced Function(Cover Mode): *Disable Enable
+Model/Model: C658 C558 C458 C368 C308 *C258 C287 C227 C266 C226
+Collate/Collate: False *True
+InputSlot/Paper Tray: AutoSelect *Tray1 Tray2 Tray3 Tray4 LCT ManualFeed
+MediaType/Paper Type: *Plain Plain(2nd) Thick1 Thick1(2nd) Thick1Plus Thick1Plus(2nd) Thick2 Thick2(2nd) Thick3 Thick3(2nd) Thick4 Thick4(2nd) Thin Envelope Transparency Color SingleSidedOnly TAB Letterhead Special Recycled Recycled(2nd) User1 User1(2nd) User2 User2(2nd) User3 User3(2nd) User4 User4(2nd) User5 User5(2nd) User6 User6(2nd) PrinterDefault UserCustomType1 UserCustomType1(2nd) UserCustomType2 UserCustomType2(2nd) UserCustomType3 UserCustomType3(2nd) UserCustomType4 UserCustomType4(2nd) UserCustomType5 UserCustomType5(2nd) UserCustomType6 UserCustomType6(2nd) UserCustomType7 UserCustomType7(2nd) UserCustomType8 UserCustomType8(2nd) UserCustomType9 UserCustomType9(2nd) UserCustomType10 UserCustomType10(2nd) UserCustomType11 UserCustomType11(2nd) UserCustomType12 UserCustomType12(2nd) UserCustomType13 UserCustomType13(2nd) UserCustomType14 UserCustomType14(2nd) UserCustomType15 UserCustomType15(2nd) UserCustomType16 UserCustomType16(2nd) UserCustomType17 UserCustomType17(2nd) UserCustomType18 UserCustomType18(2nd) UserCustomType19 UserCustomType19(2nd)
+PageSize/Paper Size: A3 *A4 A5 A6 B4 B5 B6 SRA3 220mmx330mm 12x18 Tabloid Legal Letter Statement 8x13 8.5x13 8.5x13.5 8.25x13 8.125x13.25 Executive 8K 16K EnvISOB5 EnvC4 EnvC5 EnvC6 EnvChou3 EnvChou4 EnvYou3 EnvYou4 EnvKaku1 EnvKaku2 EnvKaku3 EnvDL EnvMonarch Env10 JapanesePostCard 4x6_PostCard A3Extra A4Extra A5Extra B4Extra B5Extra TabloidExtra LetterExtra StatementExtra LetterTab-F A4Tab-F
+Offset/Offset: *False True
+OutputBin/Output Tray: *Default Tray1 Tray2 Tray3 Tray4
+Binding/Binding Position: *LeftBinding TopBinding RightBinding
+KMDuplex/Print Type: 1Sided *2Sided
+Combination/Combination: *None Booklet
+Staple/Staple: *None 1StapleAuto(Left) 1StapleZeroLeft 1Staple(Right) 2Staples
+Punch/Punch: *None 2holes 3holes 4holes
+Fold/Fold: None *Stitch HalfFold TriFold ZFold1 ZFold2
+FrontCoverPage/Front Cover: None *Printed Blank
+FrontCoverTray/Front Cover Tray: None Tray1 Tray2 Tray3 Tray4 LCT *BypassTray
+BackCoverPage/Back Cover: *None Printed Blank
+BackCoverTray/Back Cover Tray: *None Tray1 Tray2 Tray3 Tray4 LCT BypassTray
+PIFrontCover/Front Cover from Post Inserter: *None PITray1 PITray2
+PIBackCover/Back Cover from Post Inserter: *None PITray1 PITray2
+TransparencyInterleave/Transparency Interleave: *None Blank
+OHPOpTray/Interleave Tray: *None Tray1 Tray2 Tray3 Tray4 LCT
+WaitMode/Output Method: *None ProofMode
+SelectColor/Select Color: Auto Color *Grayscale
+GlossyMode/Glossy Mode: *False True
+OriginalImageType/Color Settings: *Document Photo DTP Web CAD
+AutoTrapping/Auto Trapping: *False True
+BlackOverPrint/Black Over Print: *Off Text TextGraphic
+TextColorMatching/Color Matching (Text): *Auto Vivid Photo Colorimetric
+TextPureBlack/Pure Black (Text): *Auto Off On
+TextScreen/Screen (Text): *Auto Gradation Resolution HighResolution
+PhotoColorMatching/Color Matching (Photo): *Auto Vivid Photo Colorimetric
+PhotoPureBlack/Pure Black (Photo): *Auto Off On
+PhotoScreen/Screen (Photo): *Auto Gradation Resolution HighResolution
+PhotoSmoothing/Smoothing (Photo): *Auto None Dark Medium Light
+GraphicColorMatching/Color Matching (Graphic): *Auto Vivid Photo Colorimetric
+GraphicPureBlack/Pure Black (Graphic): *Auto Off On
+GraphicScreen/Screen (Graphic): *Auto Gradation Resolution HighResolution
+GraphicSmoothing/Smoothing (Graphic): *Auto None Dark Medium Light
+TonerSave/Toner Save: *False True
+String4Pt/Edge Enhancement: *False True
+
+*/

machines/modules/malobeo/promtail_config.nix

@@ -0,0 +1,49 @@
+{ logNginx, lokiAddress, config, pkgs, ... }:
+
+let
+  basecfg = ''
+    server:
+      http_listen_port: 9080
+      grpc_listen_port: 0
+    
+    positions:
+      filename: /tmp/positions.yaml
+    
+    clients:
+      - url: http://${lokiAddress}:3100/loki/api/v1/push
+  '';
+
+  withNginx = ''
+    scrape_configs:
+      - job_name: journal
+        journal:
+          max_age: 12h
+          labels:
+            job: systemd-journal
+            host: ${config.networking.hostName}
+        relabel_configs:
+          - source_labels: ["__journal__systemd_unit"]
+            target_label: "unit"
+      - job_name: nginx
+        static_configs:
+        - targets:
+            - localhost
+          labels:
+            job: nginx
+            __path__: /var/log/nginx/*log
+  '';
+
+  withoutNginx = ''
+    scrape_configs:
+      - job_name: journal
+        journal:
+          max_age: 12h
+          labels:
+            job: systemd-journal
+            host: ${config.networking.hostName}
+        relabel_configs:
+          - source_labels: ["__journal__systemd_unit"]
+            target_label: "unit"
+  '';
+in
+pkgs.writeText "promtailcfg.yaml" (if logNginx then ''${basecfg}${withNginx}'' else ''${basecfg}${withoutNginx}'')

machines/modules/malobeo/users.nix

@@ -0,0 +1,101 @@
+{config, lib, pkgs, inputs, ...}:
+let 
+  cfg = config.malobeo.users;
+  sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
+  inherit (config.networking) hostName; 
+in
+{
+  options.malobeo.users = {
+    malobeo = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable malobeo user, defaults to on, ";
+    };
+    admin = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable admin user, defaults to on to prevent lockouts, passwordless sudo access";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "enable backup user, ";
+    };
+  };
+  config = lib.mkMerge [
+    (lib.mkIf cfg.malobeo {
+      users.users.malobeo = {
+        isNormalUser = true;
+        description = "malobeo user, password and ssh access, no root";
+        extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
+        openssh.authorizedKeys.keys = sshKeys.admins;
+        hashedPassword = "$y$j9T$39oJwpbFDeETiyi9TjZ/2.$olUdnIIABp5TQSOzoysuEsomn2XPyzwVlM91ZsEkIz1";
+      };
+      environment.systemPackages = with pkgs; [];
+    })
+    (lib.mkIf cfg.admin {
+      users.users.admin = {
+        isNormalUser = true;
+        description = "admin user, passwordless sudo access, only ssh";
+        hashedPassword = null;
+        openssh.authorizedKeys.keys = sshKeys.admins;
+        extraGroups = [ "networkmanager" ];
+      };
+      environment.systemPackages = with pkgs; [];
+      nix.settings.trusted-users = [ "admin" ];
+      security.sudo.extraRules = [
+        {
+          users = [ "admin" ];
+          commands = [
+            {
+              command = "ALL";
+              options = [ "NOPASSWD" ];
+            }
+          ];
+        }
+      ];
+    })
+    (lib.mkIf cfg.backup {
+      users.users.backup = {
+        isNormalUser = true;
+        hashedPassword = null;
+        openssh.authorizedKeys.keys = sshKeys.backup;
+        description = "backup user for pull style backups, can only use zfs commands";
+      };
+      environment.systemPackages = with pkgs; [];
+      security.sudo.extraRules = [
+        {
+          users = [ "backup" ];
+          commands = [
+            {
+              command = "/run/current-system/sw/bin/zfs";
+              options = [ "NOPASSWD" ];
+            }
+            {
+              command = "/run/current-system/sw/bin/zpool";
+              options = [ "NOPASSWD" ];
+            }
+          ];
+        }
+      ];
+    })
+    {
+      users.mutableUsers = false;
+      services.openssh.hostKeys = [
+        {
+          path = "/etc/ssh/${hostName}";
+          type = "ssh-ed25519"; 
+        }
+      ];
+      sops.age.sshKeyPaths = [ "/etc/ssh/${hostName}" ];
+      environment.systemPackages = with pkgs; [
+        nix-output-monitor
+        vim
+        htop
+        wget
+        git
+        pciutils
+      ];
+    }
+  ];
+}

machines/modules/malobeo/wireguard.nix

@@ -0,0 +1,101 @@
+{ config, self, lib, inputs, options, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.malobeo.vpn;
+  peers = import ./peers.nix;
+  myPeer = if cfg.name == "" then peers.${config.networking.hostName} else peers.${cfg.name};
+
+  peerList = builtins.filter (peer: peer.role != myPeer.role) (builtins.attrValues peers);
+  peerListWithEndpoint = map (host:
+    if host.role == "server" then
+      host // { endpoint = "${host.publicIp}:${builtins.toString host.listenPort}"; }
+    else
+      host
+  ) peerList;
+  filteredPeerlist = map (host: builtins.removeAttrs host [ 
+    "role" 
+    "address" 
+    "listenPort" 
+    "publicIp" 
+  ] ) peerListWithEndpoint;
+in
+{
+  options = {
+    services.malobeo.vpn = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Setup wireguard to access malobeo maintainance vpn";
+      };
+
+      autostart = mkOption {
+        default = true;
+        type = types.bool;
+        description = lib.mdDoc "whether to autostart vpn interface on boot";
+      };
+
+      name = mkOption {
+        default = "";
+        type = types.str;
+        description = ''
+          Name of the host in peers.nix, if empty uses hostname
+        '';
+      };
+
+      privateKeyFile = mkOption {
+        default = "";
+        type = types.str;
+        description = ''
+          Path to private key
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable { 
+    assertions = [
+      {
+        assertion = !(myPeer.role != "client" && myPeer.role != "server");
+        message = ''
+          VPN Role must be either client or server, nothing else!
+        '';
+      }
+    ];
+    
+    boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf (myPeer.role == "server") 1;
+
+    networking.wg-quick = {
+      interfaces = {
+        malovpn = {
+          mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
+          address = [ "${myPeer.address}/24" ];
+          autostart = cfg.autostart;
+          listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
+
+          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+          postUp = mkIf (myPeer.role == "server") ''
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
+          '';
+
+          # This undoes the above command
+          postDown = mkIf (myPeer.role == "server") ''
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
+          '';
+
+          privateKeyFile = cfg.privateKeyFile;
+
+          peers = filteredPeerlist;
+        };
+      };
+    };
+
+    #networking.nat = mkIf (myPeer.role == "server"){
+    #  enable = true;
+    #  internalInterfaces = [ "microvm" ];
+    #  externalInterface = "eth0"; #change to your interface name
+    #};
+  };
+}

machines/modules/malobeo_user.nix

@@ -6,7 +6,7 @@ in
 {
   users.users.malobeo = {
     isNormalUser = true;
-    extraGroups = [ "wheel" "pulse-access" "scanner" "lp" ];
+    extraGroups = [ "pipewire" "wheel" "pulse-access" "scanner" "lp" ];
     openssh.authorizedKeys.keys = sshKeys.admins;
     initialPassword = "test";
   };

machines/modules/sshd.nix

@@ -6,7 +6,7 @@ in
 {
   services.openssh.enable = true;
   services.openssh.ports = [ 22 ];
-  services.openssh.passwordAuthentication = false;
+  services.openssh.settings.PasswordAuthentication = false;
   services.openssh.settings.PermitRootLogin = "no";
   users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
 }

machines/modules/xserver.nix

@@ -7,7 +7,6 @@
       xterm.enable = false;
       cinnamon.enable = true;
     };
-
-    displayManager.defaultSession = "cinnamon";
   };
+  services.displayManager.defaultSession = "cinnamon";
 }

machines/nextcloud/configuration.nix

@@ -0,0 +1,78 @@
+{ config, self, lib, pkgs,  ... }:
+
+with lib;
+
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    nextcloudAdminPass = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+
+  networking = {
+    hostName = mkDefault "nextcloud";
+    useDHCP = false;
+  };
+
+  imports = [
+    self.nixosModules.malobeo.metrics
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ../modules/minimal_tools.nix
+    ../modules/autoupdate.nix
+  ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud31;
+    hostName = "cloud.malobeo.org";
+    config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
+    maxUploadSize = "10G";
+    datadir = "/data/services/nextcloud/";
+    database.createLocally = true;
+    config.dbtype = "pgsql";
+    configureRedis = true;
+    caching = {
+      redis = true;
+      apcu = true;
+    };
+    extraAppsEnable = true;
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
+      appointments = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
+        url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
+        license = "agpl3Plus";
+      };
+      deck = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-1sqDmJpM9SffMY2aaxwzqntdjdcUaRySyaUDv9VHuiE=";
+        url = "https://link.storjshare.io/raw/jw7pf6gct34j3pcqvlq6ddasvdwq/mal/deck.tar.gz";
+        license = "agpl3Plus";
+      };
+    };
+    settings = {
+      trusted_domains = ["10.0.0.13"];
+      trusted_proxies = [ "10.0.0.1" ];
+      "maintenance_window_start" = "1";
+      "default_phone_region" = "DE";
+    };
+    phpOptions = {
+      "realpath_cache_size" = "0";
+      "opcache.interned_strings_buffer" = "32";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/nextcloud/dummy.yaml

@@ -0,0 +1,68 @@
+nextcloudAdminPass: ENC[AES256_GCM,data:4GvCg7g=,iv:3m2Vh86WzrVR7BG0xlNwRE9ebIGLWbVdcxoYC9x7dXo=,tag:t2bWTVlw9rHSVnkXW8ZTFQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbTYrcUV3Wk0xSDM1Mm0w
+            TkoxZHBFUXFBSC80YzkwV3paWGpRaFY2WndZClh1c0xmNWpWMjFXOS9OYU9OU2Mx
+            c3NEREczaDkvNC90eERwb0RKUlNZemsKLS0tIEp1VWZISXZoWFNuRC9mVE1JUmc3
+            bUNFd2dyRGludFQ3MzdiRzFTcXUwWlkKFGd8Uvfu2W1LejgQFpF162JnVmfPxAuX
+            IQ3oopYXUBM3QqCXGLTY3DBffD4WZ4AXyGLsfUtwn3kcvjQ85ewidw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraEtDblNxMGY0NlhzcDdM
+            RFo2VGI1UFE4eVdZdDZ5ZTNKRUFCRWFHOWdBCkRBaGk2WmYxK2ovbHQrSGl3akVp
+            TUhxck83Q1NVQy9VU0lXOEVraGtOZ1UKLS0tIDYxS0hHSW1nZW9hOTFJNCtheU1x
+            ZXk2b1RVd1FoYk4xTGxKQ1cxZmVJalkKkC5XckyrgwfqaeVq+OjNCzAtKKiCf7Q9
+            sC9ZMlPoOAm8xpLEpWgNooOBa04YsDEe9XgN8S0HrVxt/NHlnS5+ow==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:23:37Z"
+    mac: ENC[AES256_GCM,data:ZVMA4qgliSASQ0LtuedU4pybVwJA0x4vdSlOspsTF22s9DjRbG2tA7PpxTqDBGliBqS4w5J6Rqp3OSF7zddZ23GOz72sOZv0WY5YGeYxIltT7RWSMRkhkwXoM8Pf3BOYCZ4Gy8zaMVnbwbhHZ9LZI6wulh19SDKBV965moUW+Z0=,iv:tmz8C1kGUZq8gfzTHoaU/8RfrT5ohLqA11H42l7TEv0=,tag:E3AV6t2bbKASeVI2G3kNYA==,type:str]
+    pgp:
+        - created_at: "2025-01-19T22:23:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAsbbUEzSg7iETqT40w/+qjJ+iuHUeeZ+NFMPVVedbLuZX
+            /gPPSJ3JSx3wxJke+QPX/OUiRxXwGBZ5yg7CDoc+RrrdaavazuOUGISL38KPQiin
+            TmUq4nY6nWjMqHPSaQ+NiGxRpIErCQCUx6YEdi4YgHhf9J4KEg0f7ueR5wWlfzx4
+            c7pXkEubFpPy4v45mh8sYXOQTa2yt2keprJ6iqmfL/HKnCJf1TBFxJAvwnPuKDfe
+            npvE4Pk5hcoKjFQNsqpnz7Etc8XfAYXSCXSLKfSaZNSeXQRhE1lHLH9OPnC46li7
+            Dw6SPW0/4MTJrg08JvrNeogQ1QohLT4mkfAnASVUUeGFaF7UhztVoodqMsG8kuhD
+            LtmYv625h3j/QqshpFPGe8nJG1DziE4YHngxvgToIC+6+Q2x47ciulpimlpt6b6w
+            s+mGEVlJLSoJMd9jwE53PMXteBYKWgSEL7osj1V5KIJDFSgwfjYEngCkuyxjf8e3
+            uYxb1WEadSyLhW8xnoyE0lYB6WI8m6j2Ls9TFG7kKtQqrnVSZd2nsKk/5wPVIAXO
+            nrMtb4Q88PLM1eusiLgCs592owKHoWVYqBRpi79EBlnGZwmTfDQzTsQlL7aQCbIo
+            kBI1swNH3g==
+            =K/IK
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T22:23:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ/7BGOQn8xVX9IOFHnUXKdiw/+fcXHu0L7CLuhcEfpZRJNI
+            vIbztLTH5gT59SkS07cIEcYWqERO+gjK6pZLCxmYO/c15YDWCv1PtS4YHZAET+ow
+            YHzBTZDq2k+pV/cTbUtJgGYOxuqkqUtflyGZSQM+NjSXu4In83u+nwkEaKSxcaWt
+            q9rrYVkBUiika2FYtyehoCoDuyJzNmfGhZ9CPJaUzrSzuRLQZy6Hdg8TDPTzGqi4
+            awo53eOdsEpNu1AQ5rnJ19RFLU63IQlwEnApnXZZ+AX8J2//KgLOcAqjo5skJuN1
+            EJBh4DjfmOdCCN3uRccNiDn9YYrPP5Jl3jfnkMUQ2gVEE/c5ib84hvjc+y9Eh1jJ
+            s2JqhfX+ccV5kuva1q1CuTUCHQVEKahJAvghl77JQjtUY6Lf+5QLeKbchUnwxaIN
+            v6MwZmdCwBJOS40SnA+Ft2g9psho4MIPXtu4DR4t5VWvhrmw2cl7TCffQslWETxE
+            267PHQegcO40skEOYwkLSv7PWycL3YUg/EfPuElAobqlM45UQA/lcC5seV0WvEPB
+            Lj+Pk8stY3LZ5wpblmmA72PyJhTq7ghsPvxlyRByHIS8v94gu5Zasbi63WGmxgPA
+            mt/M/HIQEf2XOOKuJnGJ3yDwLTAHAgFa0jlIgvt4gkuhm5ibcHLmedBh4ecRNfDS
+            VgFA4UwqUKN1XYTWOvT1vlxE9UE+dgVO0QNMX8yw1ivmL2eyPUk8HtIpKbuDLFIC
+            iKwHMtUIW/q7UPmfKLRbDumimG/290GXxN24ouiN8AR0dCXK9oor
+            =EsRn
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

machines/nextcloud/secrets.yaml

@@ -0,0 +1,68 @@
+nextcloudAdminPass: ENC[AES256_GCM,data:es9hhtCcqBqPbV2L,iv:Kyq5kqao0uaMPs0GeRkJT9OWYSZfImBXngg51k0uQ0M=,tag:zN/u90/j4rmdo0HtY+cF9w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPT3ZxNEpRVktDWG9BR0Rv
+            ZUZQTkJwQ0pSblNvTkFOT3BBdjVaSzJhVzBvCnVWc2xRUjBnRFFXSDgxczRMSFMy
+            WFdaMGo4eE13b0RkZkphN2MvOUZtRmcKLS0tIDFHZU9tNjBNa0sveUYzN2dmYnM1
+            aDd0UlpMR3RNd3BDMmhqNmxhTFRoUlkK6Pni+cswKIU94WkP/fg5fzSmx/fhXjjl
+            mRG2o4ALCqcOxAxHBrKJppUCLjUgKG53wPF/jlIzkvbwHwnqVMfYsQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK2o2K2tPTFcvbXRkZ0lq
+            bS9ZOUc3dG1JeERZYVNsc3k3RjcxQ0RsdkRJCkx1VFhBQXRDOElqakJ0eTd3NEJX
+            b0JxOUtSOGJWeXlqdE5DdC9qNHA2N1UKLS0tIEFiQ3ZQM0NOaXRhUHBjVFhRMFk4
+            VjBFeldXS1p0Zk1uSk02aHpJd3BPOHcKvCmnK/KttB4RgnID/fj2KOdjvNnV3EWU
+            B9mW4yxbEqhoxtu+GFD3eR/8SvMPEsHl9xorT/ZygMG7hAzedSukWw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-26T20:00:50Z"
+    mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
+    pgp:
+        - created_at: "2025-03-05T08:24:30Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv+Lr4ISzvM/IEkckNhOOYAeZ0XCJ3JviSwT5wh3nd5u7ZJ
+            tXdLgLwGvFs0gXBf/R2kAoyEMyFziP3dqehvrjwTipuj/5lLdw73X9kddGkGOeQK
+            EDq2+cW3ufuukpyRq+o4lJjMmbwQuqvhqeVOxohQ677e1Xy8q6DorfwOgEgHegK1
+            t1H/DlVHritv54mPjr9hx0fZ5Auow17wteKD71KD/Y4s9JNB0DghcHAGiwYZzL7U
+            aFBY0itZyeJwH7rmFJDTQ+N+595t8dguTS/V1J0SKrIynMXVgTo6dpX10lSRubYe
+            9TQRMO3bmnsdPlmVJ7SlCkcc8blpHSgeQYdaZgPjDmbs+cuAkUMBnR/aEFXIX5IC
+            lohDRX5Vd7dUfVl5CiPNbG8hnvcp2lg7CUBV46fVQ5ZJ73jW1+1Bk3hxGdLklLlF
+            N3hLzBBUpF8U0mvGMXJYX2gQKivRurIoLHZgmjQTjhA1uBfhTI3ktyLABz04dt7I
+            OQYOlpsAZ/qnxbt+37LD0lgBz5XoHDuGNS2nnVQnuvtzt69GDP8mR1QXnhZedTrM
+            kDxxTXV7tMIbqw55tr+qVVG4H8QGy1xat3LSTIxoMmz0MmkyjQhApPN2ipwjyNof
+            X0Aw9hmAZV52
+            =A/yB
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-03-05T08:24:30Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ//UtocoQPpMZL71RyjSnJFZq1NT4H5KxbcvQb4LtPBbanK
+            /gPja40wOWXy/3plCHuZYQ/mR69k9URgwD6/0RSSmCCuVp/+FPbK3UbMYyTOtYBr
+            wKnq9eRP8URK6LINJMcNHzfQtgvTcBclJSY1kLfUVjl2RV2NqXVa6+B1sHJdse8A
+            5NyJ/VNRRrNDtNnmIaIHPFUBySVKLqiXeex4gFNy02IcwwSiFZnBt/ReaFjZQTGE
+            TKfyohQF4V4/e35wvhbqWSFYZmWHCwW94gnwTwnlEO/H/NvbNUNDSYL6WwrIFF7+
+            h/tP7nWbBxNqSByHGQuJnKSysndwUuSMuH+uj+uYdJDn1L1VEoErfAZcRSsDAz1Z
+            BVkEaPJM6ZmRM48up5eHQtPG2rklmoFw/O/bPd9QUWJ/ZRu2gcY8aLGczHygaq6W
+            gvZTCPrke7XZTd9S3mAcdlJ2iAYuKY4AmGqfmXbd7mRZXP3DQkRaA/IwCCNJVmhX
+            um5MbCa17I9Uwh58NBmDuejLcmJDWL5jLmN6S86t3k3jKxwaX56SRwAD92klMdQq
+            8UX2dkUkwnnI+YjfOEeLGDAT655TsejpE97JKjI/m39Pwnn+MrDEfNDHhfjX+9QC
+            5k+fiP7yWc7hG3A7jt5vEadazPgDeqy0q7jbmTPtmdieqBs71P3j19l3VKAU8ZnS
+            WAGz21MFYjhESmU7fqhTyVE9Dsd4GqyB+ZSa8hHj2ISaOi0QQ9JXjjtQhkDGlsB4
+            /PrjZhyqd62wHS075YV1B9YqOhC1nAkC+s9mj9CrWIeH2JMOSK9EUyI=
+            =5u7o
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/overwatch/configuration.nix

@@ -0,0 +1,146 @@
+{ config, self, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "overwatch";
+    useDHCP = false;
+  };
+
+  imports = [
+    self.nixosModules.malobeo.metrics
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ./printer_module.nix
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 3100 ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = false;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.grafana = {
+    enable = true;
+    settings.server = {
+      domain = "grafana.malobeo.org";
+      http_port = 2342;
+      http_addr = "127.0.0.1";
+    };
+
+    provision.datasources.settings = {
+      apiVersion = 1;
+
+      datasources = [
+        {
+          name = "loki";
+          type = "loki";
+          access = "proxy";
+          uid = "eeakiack8nqwwc";
+          url = "http://localhost:3100";
+          editable = false;
+        }
+        {
+          name = "prometheus";
+          type = "prometheus";
+          access = "proxy";
+          uid = "feakib1gq7ugwc";
+          url = "http://localhost:9001";
+          editable = false;
+
+        }
+      ];
+    };
+
+    provision.dashboards.settings = {
+      apiVersion = 1;
+      providers = [{
+        name = "default";
+        options.path = ./dashboards;
+      }];
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts.${config.services.grafana.settings.server.domain} = {
+      locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+          proxyWebsockets = true;
+
+      extraConfig = ''
+        proxy_set_header Host $host;
+      '';
+    };
+      };
+  };
+  
+  printer_scraping.enable = true;
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+
+    scrapeConfigs = [
+      {
+        job_name = "overwatch";
+        static_configs = [{
+          targets = [ "127.0.0.1:9002" ];
+        }];
+      }
+      {
+        job_name = "printer";
+        static_configs = [{
+          targets = [ "127.0.0.1:9091" ];
+        }];
+      }
+      {
+        job_name = "durruti";
+        static_configs = [{
+          targets = [ "10.0.0.5:9002" ];
+        }];
+      }
+      {
+        job_name = "infradocs";
+        static_configs = [{
+          targets = [ "10.0.0.11:9002" ];
+        }];
+      }
+      {
+        job_name = "nextcloud";
+        static_configs = [{
+          targets = [ "10.0.0.13:9002" ];
+        }];
+      }
+      {
+        job_name = "zineshop";
+        static_configs = [{
+          targets = [ "10.0.0.15:9002" ];
+        }];
+      }
+      {
+        job_name = "fanny";
+        static_configs = [{
+          targets = [ "10.0.0.1:9002" ];
+        }];
+      }
+      # add vpn - check how to reach it first. most probably 10.100.0.1
+    ];
+  };
+
+  services.loki = {
+    enable = true;
+    configFile = ./loki.yaml;
+  };
+
+  users.users.promtail.extraGroups = [ "nginx" "systemd-journal" ];
+
+
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/overwatch/loki.yaml

@@ -0,0 +1,60 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+  log_level: info
+  grpc_server_max_concurrent_streams: 1000
+
+common:
+  instance_addr: 127.0.0.1
+  path_prefix: /tmp/loki
+  storage:
+    filesystem:
+      chunks_directory: /tmp/loki/chunks
+      rules_directory: /tmp/loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+
+pattern_ingester:
+  enabled: true
+  metric_aggregation:
+    loki_address: localhost:3100
+
+ruler:
+  alertmanager_url: http://localhost:9093
+
+frontend:
+  encoding: protobuf
+
+# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
+# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
+#
+# Statistics help us better understand how Loki is used, and they show us performance
+# levels for most users. This helps us prioritize features and documentation.
+# For more information on what's sent, look at
+# https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go
+# Refer to the buildReport method to see what goes into a report.
+#
+# If you would like to disable reporting, uncomment the following lines:
+analytics:
+  reporting_enabled: false

machines/overwatch/printer_module.nix

@@ -0,0 +1,33 @@
+{config, lib, pkgs, ...}:
+{
+  options.printer_scraping = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable the script to pull data from the printer";
+    };
+    timer = lib.mkOption {
+      type = lib.types.str;
+      default = "1m";
+      description = "systemd timer for script execution";
+    };
+  };
+
+  config = lib.mkIf config.printer_scraping.enable {
+    systemd.services."printer-scraping" = {
+      description = "Pull printer stats and upload to influxdb";
+      serviceConfig.Type = "oneshot";
+      path = with pkgs; [yq jq curl bash];
+      script = "bash ${./pull_info.sh}";
+    };
+    systemd.timers."printer-scraping" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "5s";
+        OnUnitActiveSec = config.printer_scraping.timer;
+        Unit = "printer-scraping.service";
+      };
+    };
+    services.prometheus.pushgateway.enable = true; #Im not dealing with influx
+  };
+}

machines/overwatch/promtail.yaml

@@ -0,0 +1,29 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://10.0.0.13:3100/loki/api/v1/push
+
+  
+scrape_configs:
+  - job_name: journal
+    journal:
+      max_age: 12h
+      labels:
+        job: systemd-journal
+        host: overwatch
+    relabel_configs:
+      - source_labels: ["__journal__systemd_unit"]
+        target_label: "unit"
+  - job_name: nginx
+    static_configs:
+    - targets:
+        - localhost
+      labels:
+        job: nginx
+        __path__: /var/log/nginx/*log
+

machines/overwatch/pull_info.sh

@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+set -eo pipefail
+for command in "jq" "xq" "grep" "curl" "sed"
+do
+    if ! command -v $command >/dev/null 2>&1
+    then
+        echo "$command could not be found"
+        exit 1
+    fi
+done
+#Functions---------------
+get_cookie () {
+    if [[ $1 == "-d" ]]; then
+        cookie=$(cat request_example_1.txt)
+    else
+        cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
+    fi
+
+    exitCode="$?"
+    if [[ $exitCode == "7" ]];
+    then
+        echo "Server offline"
+        exit 0
+    elif [[ $exitCode != "0" ]];
+    then 
+        echo "Something went wrong"
+        exit 1
+    fi
+
+    cookie=$(echo "$cookie" | grep Set-Cookie | grep -oP "ID=\K[^.]+" )
+    if [[ $cookie == "" ]]
+    then
+        echo "No cookie got!"
+        exit 1
+    fi
+}
+get_values () {
+    local path="$1"
+    local -n keys=$2
+    local name="$3"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq "$path | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq "select(.Type==\"$key\") | .Count" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+}
+get_values_DeviceStatus () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq ".MFP.Common.DeviceStatus")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq ".$key" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+
+}
+get_values_consumables () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_consumables_data=$(echo "$system_consumables_data" | jq ".[] |.DeviceInfo.ConsumableList.Consumable | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(
+            echo "$local_system_consumables_data" | 
+            jq "select(.Name==\"$key\") | .CurrentLevel.LevelPer" | 
+            sed 's/"//g'
+            )
+        valueStore=$(echo "$valueStore"; echo "$name"_"${key//[^a-zA-Z_-]/_}" "$value")
+    done
+}
+#End Functions----------
+
+#Variables-----------------------
+system_counter_DeviceStatus_keys=("ScanStatus" "PrintStatus" "Processing" "NetworkErrorStatus" "KmSaasgw" "HddMirroringErrorStatus")
+system_counter_TotalCounter_keys=("Total" "DuplexTotal" "Document" "Paper" "TotalLarge" "PrintPageTotal" "PaperSizeA3" "PaperSizeA4" "PaperSizeB4" "PaperSizeB5" "PaperSizeOther" "Nin12in1" "PaperTypeNormal" "PaperTypeOther")
+system_counter_FullColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_BlackCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_DoubleColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_CopyCounter_keys=("BwTotal" "FullColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_PrintCounter_keys=("BwTotal" "FullColorTotal" "BiColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "FaxReceive" "FaxSend")
+system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
+#End Variables-------------
+
+echo "Getting cookie"
+get_cookie "$@"
+
+echo "Start extracting info from system_counter"
+if [[ $1 == "-d" ]]; then
+    system_counter_data=$(cat system_counter.xml |xq)
+else
+    system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.FullColorCounterList.FullColorCounter" system_counter_FullColorCounter_keys FullColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.BlackCounterList.BlackCounter" system_counter_BlackCounter_keys BlackCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.DoubleColorCounterList.DoubleColorCounter" system_counter_DoubleColorCounter_keys DoubleColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.CopyCounterList.CopyCounter" system_counter_CopyCounter_keys CopyCounter
+
+get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system_counter_ScanFaxCounter_keys ScanFaxCounter
+
+get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
+
+echo "Start extracting info from system_consumables"
+if [[ $1 == "-d" ]]; then
+    system_consumables_data=$(cat system_consumables.xml |xq)
+else
+    system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values_consumables system_consumables_base_keys Consumables
+
+echo "Sending data to prometheus-pushgateway..."
+
+echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
+echo "Success!"
+exit 0

machines/overwatch/secrets.yaml

@@ -0,0 +1,59 @@
+grafana_admin: ENC[AES256_GCM,data:c+ZnOyxSXrG4eiK8ETKHheadiSz98LLHYwxb,iv:Ut2qFD2p6OmKDWjLMjFxyISxzTdJpZpgIB7obW5bgkY=,tag:HdayzjXQ1Zc7w9ITLzKLxA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxN1VURXJuMENJV1Z2eEtS
+            bUR2cTNmNUdhU1B4SHZNMW9KRDV2dW5VNmlNCjdmYXpZb05mMEdPdjN4c0VWOUhV
+            RW4vV05CMno1MmJmYzdESjN5MFVFcjQKLS0tIDNxTE1KaW1EVGhtOEQwWXZndk53
+            bFBCMExGdEdMb2Z0TzF0Yk02MUpkN0kKIUm9iUvU/xu1Xl6yoYSVGcIXKnGsp/D/
+            RjVQ7tgJIbrupubny/fg4v2sz5HOs5uzmEq4ZKgBWrBeMPss4gYstA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-22T00:51:32Z"
+    mac: ENC[AES256_GCM,data:TEEyPmVxIJxC49hDqDbwzTZZ/tNymFr0dMvWn6DRli70Kp5XXNCLTpicAbiFh3WoyzbDpN/5c2yxVNGjhB8nXgKpCZdffdONMY6eSCpPbblYwJS7hNsjW+u2wysSFPDAk5apwbNXJcKnlI1tBcGQRHlym9ShSw6fT7K7afWYWqo=,iv:583DWNug8yNF/vZZN4btT6P1yUa0b1UN4frvAX4UKv0=,tag:YI5KIAe5P5Bx0TZU4wG8ag==,type:str]
+    pgp:
+        - created_at: "2025-01-22T00:51:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv+PxajhJgXHcxwJ7Mk0gjqFV0dGmNJ1m0eY3gPyIS38GSB
+            Rjto1zUd6EARu1GnxSrVrSZYlQaL6x3l2DuFIP7mtymvlFrmhiAoDz/si0zlzsJp
+            WZyQZdepnt9FyYJAwTzbmfVdpZDYajuMI38byMJqzUhS7SEOsPwiU1KRoTHcf4se
+            2E+9v8OwTVT2UoDxyiVJuDAA+K+Jh2RjHk3p/uVnZDqqQpI9UAI8LrCpun9uALpH
+            +29wyhkCZ9RIHU7nDQNVvwHkbYCyRUwR44bciSwITpjp7GuZCcZvzSSimPktkC9q
+            VZkHA6rHgHgcu6mnMfpP0+j4gB0dU0t4hGF41klV3YpEGfYcFIsKV10lfa6aMNmW
+            08RuLdCtnQyplYhgBm1zQvYHJsIuwK9s1B2dz3Z8l3o2eg8AqFuIL+MlZOvf5A/2
+            MOXffyXbOM5Dhy7DdUckTOYYfwWe1mStw3vx3I3mAFzuOOR7HQuzlc9Bf1oxh36T
+            6e/qOijjPPqkLeR2mufo0lgBBFTQFt2jVvMo1lrCB8Amj4yj/4noXTzglkYTYBKs
+            S513kUdhAGtWoNrqcItOYAn/gl+CPGY2Op3tJBVCWM6aT/KO6M/LPJ7wiQk2zlOL
+            pp7SnCKvv9eQ
+            =N+uj
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-22T00:51:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ//fm/TcxgsAMY6P8jvOQMcRBmjjVwfLP1UTTnkRUa36Mmn
+            2V9619zsH1dzTp0gUVV8mvIKUtpz2nCBTZBJw803wW9KorxW6f4e3+mIWelZT5WM
+            sLcQPFWAYKDVnSfk5j8kRSmpM6k2xFRB9DTEMIyFH9PZL99Fztp2hjTn553YTQOo
+            pdw+AMzgptYQghW/Pl/32wXHwCO+bL8tyk62VIQO13l3tX83oSslXNkFzNQYt3jv
+            xXFUaQEGD/1lFLeFnIuJZzfjWt6n0fShJboUcuk/ZIcYdwrbG0pyLLoBoObSRQtG
+            t+7VpWpfl3rnk822SU9z9YcaMNy9HD3Kz9Qh0BRQiN3scCMzm1LyzlXLqlc/gPiq
+            JyCxy98vJXIxmlLQZpDFfTMe3xsc8jSsHI6av+wEFKGEJAOUkDtRYvLfZdgDTfiB
+            XTAhQ3ixnlBxdZZ9DjBXyVfM8q9iB8bggFi7g2SjO32LKhXRFUqZR+avddCyKR/V
+            hRpWjDRn+eX2tl7LPawvX6tIow3aZiezkMVyeRXfcZCvpicq64b80LrYR+JJUfJE
+            vxHaekKImrdJ9ocii0wW91ZmESJwL6m5lt3ZsCY5GTlEDt4wBse5uhj48mtuK8sh
+            g8uQMKp7SiiCtV5a6O1SQLDJeAt6VCcRyudLToO9S4gwrGXNPcGxsHj07XAN2PHS
+            WAE6wUhufXfpa8UgSWy7fmEZt4L03XlRfC7bm/ycwaFww3A7w4+B1gkW6gOon6sy
+            nOyIxUZfU6abZWKzH+OIuViKH7xPiULDy75gEmkRHjKu5BiC3Tx0eO4=
+            =+PPr
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

machines/secrets/devkey_ed25519

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwgAAAJgdrbX3Ha21
+9wAAAAtzc2gtZWQyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwg
+AAAECaQfylNoG/uN8fozvq3loBLWQ3gIKPOGnZpwyHUlAMO2meyBkJbC8RMkqhl/tAUoIt
+pSePyGKhyL5J7ArxxRTCAAAADmthbGlwc29AY2VsaW5lAQIDBAUGBw==
+-----END OPENSSH PRIVATE KEY-----

machines/secrets/devkey_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine

machines/secrets/keys/hosts/durruti.asc

@@ -1,28 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEADh28tGiUsmPPbsQYKSi9WiI4UCPO4qd7hEoER34Ku5w+kpy1MI
-ymJHNlZODjrjvznRidyYt+1vpED941LawzsujBV7pSfIBY0cQWYTbF/euuQFJYxN
-sBLG4kek5IhdnIsav2f7fMv6Rhfkau7p20AYkWUkpoUxBJTxixIkxrO90ODSzMMe
-tLI9MnqPcMASy6dbAGKXSABaYi9bwggIgyYHNaXThEuEAWPMPMMj8Wlo0H0X/B9O
-UEOHSA4N3TBKJXuDhsKgUo6ADLAA5op+YG+JtAdvdjW0XxtDamLkkrEx/fsYWsn2
-LjiX7z6cCQjYy+GG6LV82cavyF9sBAs8kEl4AVXVYsaB0g99rpY91EYLAD2Ddh4d
-lHPwPVQ52Ht3QeEPAsqeXRh+gZOp/xx6EJXXaH7aorXoWlbUFcCnTTEFAM0HibZg
-ChZEX+pl9RxdPeIwU4kd9LxNygDwp4YhdJzbcpHkp7RrkHJHgmAxUEVCxZfw/P2c
-GDIBHQSS4FZ5PIhh+aejYCo4BrisGuAjwlaH26BRNraM8EImaLwLuQZ1TOWm97tI
-BEI0JFscrTi2RSPgDCg1Cu78ocbcpqC3cRclXzRohvp83NpWnAQFCAdNaTttQsio
-lQTXxmJlaeo/0vHAN+Llukchh6sFzzNP3v4B8vLvdXkE3s5XYxJungblTwARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQWRHe9aQhhWcCGw8CGQEAALRQEABVEYsIn5zGV84caxE/LXN7
-7nDsUEyo3lCetStM7JT7uDdMl5t33pUAIbm4gv6/BrvVZ6pBtPfTrVrTKKDornKJ
-VU/tKims+CbnuPUIbOmuXcPbQIa/IF4WVop8XJTzMOSW636/eH1D2VTLI8Jmw35s
-qDmqx72hISUBGCszTJkThp8xUFMW5NcJc6zGB9I4vdac6Sf6yuZqmdfDm0MzcvmA
-tDASc6ZLeffPkJxUA+x2WouAYkfdV1CdVS6ob6owrSza/T+wQ3DgzO5AVZ31HXTa
-gDkVIBgdZYR2H8IaaTetb4m2+SgdXr7s9WCOR2i8DiSKpnUAJKoVIOl6pBd13jCu
-PHQzkKq6kqn4bRYCZil3fKDB90mVDIyixJJCt//VA5y9Tgggp9o7a+l35I9hCJ2F
-6AYtpfXkTbI9wqmk33TJX2litqqPZkhEERv25UDvnZ7Mm0my9QXJZ1Fp1nRLIKZg
-VABDS/wIB1QHtOldDLMeRD7Fnrnjgnyuk4/HmCem0wFDPHDo/ppa2QtCUk1xxywu
-fa7hs/oDVUMsofpDm6Ls4IgFXbSD9GUTDdB+UvZi5vITaZ1f1QLcrShhSUHkLIpc
-65Fj79r9cdHKdUhnM2+pTuVM6Az3huMkZ+abgjSHWSni2njowRUd2P7pG+ZhaUk3
-Rj7jxxXh1KQ7X8Rbbce8Mg==
-=sb6Z
------END PGP PUBLIC KEY BLOCK-----

machines/secrets/keys/hosts/lucia.asc

@@ -1,28 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEAChmMEXC6TjRtYAHk6CsrnP0LFd1vOuH4+QSalj9fCaCpYVEStP
-u9EtW2DK8kSBdo8DAngzsMFt9PoSLcPcB00s9R6EACVuOn8nTVkyYtO/8hWJVexI
-G3SB/u2a+MYC2QEtw3Exzleexx3EkZywAzGWzJXpajMbGsfvssXl96xb7jxrxdNv
-Msx9t2RJGADSG6Vx1+A5UmFwITkGpn6wjvQXLvkim4ZHRzX588vgz/IdJ6yqOeeV
-v0VyVNTPfXkDO2urxRgZ5TG9wE5v9OKFofooR5T1rB/khW2jMoqavLWeRVCqVpmp
-MQ8VMkJzEoP7RX7vAAgCbVrTe55sMmXa9gtXo50wz6lHYHnepff6FuquS7szH7Ja
-lRnvx6CR1FwWIGhef/kxmNQKr2Mt3V7riFmv0bkR8ttI5uyGposeWfY1T6iJfxic
-duIYXrV11T6fWOEUh80aRz+8E46LFv4sGZjTOvHWrnetKNweuOC9/yaSDkEr35sM
-xVffS0wNGclhxl860qBCbhG/X7YYZs5sFHsRnsb7rvTCP8LtGhrjybE/b4WuGRCU
-rEftVOBe4NSwlsdmRVl5Cyk/ZkJncrUwlaH6laCjBfldQcdxAHzdzPZQhOmBaLkF
-1l0EpteSbEsi3CS2rkkriSsZ+nZwaccTa6+B6twrRmGvcBrZXlsugsdDSQARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQvNUtHtVQM9sCGw8CGQEAAGIaEAAoWuyjinNk8ovTAH+TjKWK
-UD4WXwt5OJ8l3FJPpecZbhTaBrRdlLzY1tlKzwd8c69QVOoqk83Rv4Fep9b8EFQ5
-U2bTtXLm/wINSetjf6vlLYxEPNKVzGtk8ejw32NPnJVsGeXNazlcJaR2jRW4kMcj
-A2b8aeUKxnLaoZYiCLZGvyvuB7oj/nIX7iuaIDHKR9oVyQOekeYlg9R92wKCZDiF
-1USoknPO2cSYFZpDM6tmIjkOoEgnwEZqzwI7q5dXz/mqp86XeMJWFkyTRhPT6Hiu
-iS/5wDsFJi7wgl4Jr6bBWFaHeBVSTJIwkoahxpM/qVYAYINgLO9erxMkmX5lRzxs
-NC3LsqQ+L5Isx96AXaZWf+IOYgN8nB3bsQqvlqbvMIUE3wkxg7oeNzDzvgxQM/Tf
-AC6zYHiGrs7WS6+ojx2flJnWA7mrOllimv5pTTUBtA7gh1JN9aUzzBjvF0LlzN1O
-DLyxu1PsIazI1eklUm0ljyOoqBnOrDZoC4Kz70pguDGDvipCAJWjG9SjXDwXGAA0
-sUhnebh2HPZYj73xDIrbgkg+79n6U5UuewUFwDQfE8VFDp62s1s9haCRUKU6uwiL
-i31OKOkDcYSyx/3/VvaT3lT247VERDw/5yVYrrhQwxS4WSabX8gz6qfKB4bi/HVs
-lX2duwzSRzuytZCKKG+fdA==
-=VTby
------END PGP PUBLIC KEY BLOCK-----

machines/secrets/keys/hosts/moderatio.asc

@@ -1,28 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEACm+W5sGSC25OtlwQdOBCSfX2DnPuk5abjxY5HMIv3MnySouXpW
-L3VoE6Irur9lZwfKrXaUweJPJHVo/Sfknh9GSBCW6yFFcGZ5nNx/QNdbfjOSaUw2
-0BkW1CYRVcLIKSHpepbTDHBxgKaCYsmupptFQ0Nzx19PPMV/WBqrkSlEpDJyq9y6
-cTaGulRKWBVDytMFmibhGlqpfEI8bzrxaeGTqiRTZJqL3zDDi2afDt1kJeCXKd32
-XOywDZgB5CinY3qsR45ftC6mZ5fV+ex3M/Uc4YJiVgwg6GlSdiYW9Mqf4koqpLCq
-Xq3ztEo9FjFen7KmAcLstFmzY3fAXGIJzb0CfvVrM32wsdC6NRDINdMBmrOeKXT7
-g45n0LOdCFr4AOKyABqMudbKrgF9txHt549oaQ0wHCy1nStji1OpbhdpCKDFKPnl
-ojG1Nur9DPRFmQ01I3KIjvCrf8J+CgI5YVwOr+m5Zw3i/b0qd+9R/8oAmzhhuyt7
-kckSVTCjNzsDgjjOa8FVQJremTdkQuWOlx0HxC3aQdSoPxOfpeUhybfttNpvUuta
-5EbsiS/PJfzMOtZDG++naKO/xGJDiaYDhW1ZeGI2fOFUm4RYHqCFES32XF4ygpGq
-wz2bZNKKSf4lxoD1+SBqOyd1eN3u8GmX8OgUB3TpgEuQb/XL31zDKCZ7pwARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQj5s8BYqm1MICGw8CGQEAACMDEAAFko8JYC1zGt5rFKokXGbs
-K331UHReN02QpdL8fhMt0Rqoh1FKt8Sr8lzCLPNOnlgxSG5lXmA3dFfWAnFrNw5T
-1u1oU0sB+CiekyWXJxTASur1g3DtLv6qA19Uw4i9bu57LK5E0ycoI3RnR+YbDri0
-psPNP01x7NBO42O71rnBypGbCPXnLOAaKq+ISCN+XCZBkmjKhcWJlg5DJfUGCEdr
-DCKi/1j5mgs8H3sUrc5Y4gLz3BWuypAGWhQr/KDAcmCm/u0ZfzVyrxw50eMuzeF7
-GfePPI70nXjUlywuFUFg7EWlCT6sRtZf+o4jkXcwGpZLx2/rdZ9J2I4VmYakBVpA
-2OQwi47YAFe1wz+nsF3fImuGQdHu0x0sFLbuJaSJCOVYhMcZhskRygqqI+wEvDF1
-i7SYzi5Xt7rJrSaqGhAzlg1Cc8wzMhoCE/IU5Hd55OtbvRwZ2JKH+UAl/L9Qizqy
-AM7nSrUjA5p4H09PMuKGmCEcZDKpH2huAeqmtGQ626edE2WNduE2jCdAIcN263PX
-1+TIe4IRLhtmTKqfJgbzrt0cSIAsuvI8s78ehsP2eNANdkQjzBAaEiOo75G/g+sd
-tWl8gxOhrPKkb07KqcPEfXq4QYk7kV+pWuA2yMiTX5A+oy8gVFBxUp+zbjYeRuW8
-cpHyvbDvdnQ5LGNC/v0rdA==
-=Rmch
------END PGP PUBLIC KEY BLOCK-----

machines/ssh_keys.nix

@@ -3,5 +3,10 @@
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxgcjNOYbza3+RfANFDXy7HXNRFlkpDOAcGyB7MKshiVlbPByWRSjfZa0BeRNjpeCd8QkIodKUzqYOCOrc8ad3kiNbdLRcDz57A5xSLD3ynakoWJo0AmJjT3Ta1JJj8inNwwykR0ig5//SrtsZb9HkWJDAF017MokM2r8AWPE1QzcQdh93kojXcgTHrJHzEqgKbEGDEk37f1RvZG4umEFeqdK2FvS5isPa7P9X7hyyoDC8bvEy7xfaDrToJAoXon6r79taxH8UWIvy//xsU0NBLYK2eE4RQe2AjF6Ri+CybI6y1SsHOvyh4nNKWlfUOEL6UnIulRn/LXFOKCJi7xuoTeJXS0+w1DNEuiGosVNXPSKbUm/eDBVnb8Iyep9wmygSZayN82xL5lRlG3Mn45ttecqfm2SJkmduBA5qXcTdDPe/lXTZaVO9tbiIcJfUgd3ttEu2+6YjLn74D965PlovzvR6EhbVUZ8IkOAt4VmuTkXIdm8SCS7jzhsiKeUXoZ4rfa375zi79SIPuIkoMasj6d16wcYOeFIUIMFFccfQ9jQjr9NTSXC2dd7sfbI9I9mF7eRQSsUdSwpP8WH1b+M1MxTbdhEUdPwpOLviTTIuk8E8K8DQDZIcOOh38mCDpyoh02nwfRxlyoYVsKAHIQH02dHTvYEa3/pMsRwGc9W1Ow== kalipso@desktop"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
+   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
+ ];
+ backup = [
+  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIGryhnXdmbGObONG88K+c9zeduMrwtoLHwzMDZg3UXB+Cnq2FXWOrlLZxA+95VUgHpyGZiykJmzeWrKhldDlDeGGd8QCCLeuliiOgXADTYjWaVfhd+6arPZrK2VtqqsguvH40gW1xfoGAOmAT4WFnxWxIaEip0V2u6NOoKTiH9I3bz2Qe4lfJvPXig+XwCXcukXd6XUkDFYDpiw8XNV3X7pqTus5d2RYR97bAhIYZZQ6h50ZpTY8N0lFh4RY5yfx8BhxJW3tfoi9uZvVuPx7dGPsZsSniENFPMNz3UwHGitTJMr4088cJrAGgd5lyFuLouiHiM2JMGA0wx9wWTbWJEwTLaTVQK9gSJf857ndV2zCh9vKlfko4w9bQgqxKg4U/mY8dXX1E7D51nD2ci8Ed+ZG+NEneFLyZhLsD82GkBY+YovA+4xm/pcx+hBhlyqGNxI8v+Jh+JhEyD/ZLgJfq3ZMbGIGsTiDwZ2flLLxImHHEoDoT6PHU6hDhPDJu560="
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPP4s6qNKwtu2l5DRKU/Xo6lMRztqNw/MOVsKx58kUE8 root@silizium"
  ];
 }

machines/testvm/configuration.nix

@@ -0,0 +1,59 @@
+{ config, pkgs, inputs, ... }:
+let
+  sshKeys = import ../ssh_keys.nix;
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      #./hardware-configuration.nix
+      ../modules/malobeo_user.nix
+      ../modules/sshd.nix
+      ../modules/minimal_tools.nix
+      inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.disko
+    ];
+
+
+  boot.initrd.systemd.enable = true;
+  boot.loader.systemd-boot.enable = true;
+  malobeo.initssh = {
+    enable = true;
+    authorizedKeys = sshKeys.admins;
+    ethernetDrivers = ["virtio_net"];
+  };
+
+  malobeo.disks = {
+    enable = true;
+    encryption = false;
+    hostId = "83abc8cb";
+    devNodes = "/dev/disk/by-path/";
+    root = {
+      disk0 = "disk/by-path/pci-0000:04:00.0";
+      swap = "1G";
+      reservation = "1G";
+      mirror = false;
+    };
+    storage = {
+      enable = true;
+      disks = ["disk/by-path/pci-0000:08:00.0" "disk/by-path/pci-0000:09:00.0"];
+      reservation = "1G";
+      mirror = true;
+    };
+  };
+
+  boot.initrd.kernelModules = ["virtio_blk" "zfs" "virtio_console" "virtio_pci" "virtio" "virtio_net"];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # needed for printing drivers
+  nixpkgs.config.allowUnfree = true; 
+
+  services.acpid.enable = true;
+
+  networking.hostName = "testvm";
+  networking.networkmanager.enable = true;
+
+  time.timeZone = "Europe/Berlin";
+  system.stateVersion = "23.05"; # Do.. Not.. Change..
+}
+

machines/testvm/disk.key

@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:GH71ek6+a++P9sDUjO0IPojdU1epX98wcTqmoEgsu0j+,iv:LysgsJdPDvKOUz7l0IyV58QHN2RHvHP14bt1p4571NM=,tag:1WrqC3S+Z6bkE2d76RYtXA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOVI3b1dBa2d5SElHcFdq\nVHZwWlpIU3NpYm8zQnY3aVhOVkxnU1pkZUJNCkJ6bzhqdU5EVy9Wa0creXJHZ1pu\nbkRPVTR1K0o0dmlYbGVIbVRiWjFyL1kKLS0tIHl0aFpUYy9hWmpsNUFoY2JpWUhL\nalluN1RRSTBNUlprZWFISlFoUExXUXMKaULQKgVLNfHX8m0Ac1YhcbM/yhioyNCu\na1AUDjBmruKL9ngqz9Dwzxx0sJJOIFKMdYMVn9uQfui/XCHewO6uRw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-12-31T02:35:20Z",
+		"mac": "ENC[AES256_GCM,data:7K8G7ZFaA7wT0lwujkuJP0HL8WW0m/IkMjgFU9ikWe/GVZMlFDWTafaRNLxdBHNhHwilM8suH2z0P36Xae6pReh47PpID5JS8NC1V38fzww5qW74eFkHq3Pu8HRWb66u7zA/LiyOcEQgtrdP1zbnfmHUgakyNluSn7W1gOtsfxw=,iv:l65AiYn7ETRySF1Wr9nOUk9Fd1I4VGqd/zZbqkCyxYA=,tag:TeVyRa8aN6hIn3iIKPPvbQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-12-31T02:35:05Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/ZITVtnQl5xO2XLTTaNAZ50WhHkVV1G9H2TyxO0NbaUPj\nbo7LdbuB/+cv3wpg5oy5VpWW/JLElqizxbrE5gzQCzorwGE7lpKW0XQubofW8t9l\n+6k9UFXxyfVQJHwcIbexYfL2UhN62eSzzxPiKYVyNw4oM9ySeU+MCeCiv0omLUPg\nWSdOH4q1QYkRGJO8db7KlJSdvCoVjyEiCaLwKdWnPk5pbC+U7wp75fPdFwmzBchc\np9TXKeFF8dVGI7DKuGXA7lBm4ZzgSt4wNdZmc7mvTrTInaDVFA/ptbAfhh2/hNEx\npOijlXbc8ARKAhuLASPy6j37Nm2QdNm/8dl5x6eA7Sx7FcO8qV38Q//V4/DZZddJ\nT3NLC4tWLglpdyFX7H0zmZ+jQOLGJHorwzO+NgSOEj3N4venHYvJyI+vwVGjVCjQ\n1tZUIxGMx5iu959PinvlvBYI7oeKITPLyo8pRRx2EaA+UEBR2f3y+R0bTiBhChKM\nieUIVIK/fbvhdXhwwfRe0lgBm05hL/Vmdbal9QU8o/HIPeGTNitaqLQ59Ets7qm4\nf2FhHaOMO0YaDPtCNBGbRh/mEWH8tjhnI1sLJg/0rR9sOQ/oCzzIYILogIkm3ueE\notFqp95QQPVA\n=P16c\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2024-12-31T02:35:05Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//fAGV0oLuiwL4TmQnrHF88ixvZ/HghKI9k/5zlORIdoaR\na1w6U32coX8HpEfcqON45ZQWSCFtlizlmL55jb1ugXFY/bS+KECO8XaMDhHXNkB/\ndfeCmASvqIlFkl/X3YeD2FhHa3ZlcS93x0duJ+oo18WIErkNuECOL7hwkh+m5YfS\nWtW9Z3J51qfS5S6ctdm9vKcYSrgTkADsyVQp9GqxO3xZGpWudGWDaK0gVBX5wk5t\n1uKhDpnIZdFZ42N5Oy/UqXF5pfEQ0OwxlOS8VMleq1wEPc/DPVku23HRSReS0k7x\nuVeFZpaOfe22ncgI4TVQln8JT0+ZPeAwqBn6LWp0XnPnQdkyE79ARMPqBTPN/6Pn\nFkVpInBVukVJ1AiGpHHxESPtiKoMUZpE+k3WG2dRFWmaON+n0kR4VFpOju3apxTH\n8RGN+Uyn6MswNOZDKoDjlVtkcwgJgar/KwxXNlF7BU3/KMDEBf1UHuQE58Y2eBsC\nI85AEpbskEeOu+MF1SNJkdx/BR+lUaR6ax+dVzOIwxLyyDoCGg4SEoL1Hh1nNRth\nxRZnYfN3FBGv3FnvpaCbfbBDLLkWxzst5HRjp+v2lyPM4eVtyvYPGdfYM5FK1den\nXVawulE3cjM786/Z7X2IK5IDzrvo8nIs/Keg2YqnZe0UgM3XFCoYnwxi2Rev1J3S\nWAHTBs22q/cEk3SLlfzLyqWochY33gI6fC2amOvC5HNhcs7vr6CF1W44d3Yx6WCO\npqxY9jmc4gVWeBLZV/d9T95qLwOQK7L1/tokdbggQcEXFOqpvPzm5pc=\n=qp/h\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

machines/uptimekuma/configuration.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "uptimekuma";
+    useDHCP = false;
+  };
+
+  imports = [
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."status.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3001";
+        extraConfig = ''
+        '';
+      };
+
+    };
+  };
+
+  services.uptime-kuma = {
+    enable = true;
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/vpn/configuration.nix

@@ -0,0 +1,95 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets.wg_private = {};
+
+  networking = {
+    hostName = mkDefault "vpn";
+    useDHCP = false;
+    nameservers = [ "1.1.1.1" ];
+    firewall = {
+      allowedUDPPorts = [ 51821 ];
+      allowedTCPPorts = [ 80 ];
+    };
+  };
+
+  imports = [
+    inputs.self.nixosModules.malobeo.vpn
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ../modules/minimal_tools.nix
+  ];
+
+  services.malobeo.vpn = {
+    enable = true;
+    name = "vpn";
+    privateKeyFile = config.sops.secrets.wg_private.path;
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."docs.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."cloud.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."grafana.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."tasklist.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."zines.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Authorization $http_authorization;  # Pass the Authorization header
+          proxy_pass_header Authorization;
+
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
+    };
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/vpn/dummy.yaml

@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:s+dZfKCfrdZnFKhmCl7u1LRzR5dMflJumh1uVQ5Dktb5teohxDo0zlOR7KE=,iv:N9WSEzGonWNkqix8yaImhvrxpcAEJraWEcTrXORASow=,tag:pKgOmtKJ933FEKZVDHCWWQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMFk2bzE3OG9VR0VqOTIz
+            UEQySS9SUnRmMDFqVTg1dks3WTZvbE13VGxVCitHVE1SVlBlYkZwejNlWWNMTVhF
+            M2EzSFRmS3lFd1VPMHRpMjhtMVgyVDQKLS0tIGJObk1kcWlaeUhveHdrY1BEQkh4
+            WTJua1FvNFFtMDFGWE9ZaW9wWFoxcncKlYHjkzlUj+rBPmXK/jj9XCUoGrQ4vBXH
+            ZTItzrbCI30juPjy6dJ0ffZF2ILvJLUdwurz4lZFybNuUjhE2sAY+A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S1dhZUVpT3NMaGR4eEhV
+            dUxvUGVvMUtPbWhEQnpJd3Y1YTBYbm1QMTBVCmpQbkhvM3VWV2MvcmY2RVhVOWdy
+            MVZxK201bmcwVHlwUlFnb0p5eGFNNGsKLS0tIDlrc1ErS0NiRUJ0UFZnNHNNSk9m
+            U2xLQVhoS2NxNUVvcGZBYW9VVkZNOUEKeCpijhxpkAxCB9/iIQmek03mj7b14sqs
+            CuGKgoeq7C6eG1PK3I8MzGplQMyCpEFQ+33KMj0vGwktpv/eVzC8/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:47:26Z"
+    mac: ENC[AES256_GCM,data:DiriXLPnm+08q1Jp1YxjEdsJzFiewQxgu1JDdevo9aGdkq92Xu8cnSxLzWUkh8bEDx4uhjOXvZd3PSU9rWiTh899U3Ou99NiSOgR1+wr5ouR20viCZqIe86YqoZlLJnYs2dlZDhL+ggwFqYJ5wfWbq7OauIVEEdnM/57RyNI2qM=,iv:lwOJi4pVGGHn7+CGq7jAHorOTFtl7ONzzV35ec1uEsg=,tag:DhjloWlsGqM579NafaERIw==,type:str]
+    pgp:
+        - created_at: "2025-01-19T21:35:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAoO2gRS+Vwu+5KZ4V2ReXPcjFcEUb6aoYe8PNUhjBu0yE
+            hs4lhWGy53BdupQ+cyxk0U+L6UhOjTfIAYE9emqTDlF5OImN/379j9NfiPe/K0/8
+            ylSOuzNgVmTpsXlHGaXE2wk0ADp1P9mZUwbJ5vHCtm+ZFe5HCuTrB61drIU0fEYw
+            NVCaARK/IRn5eAlPCjPuW1mhKP+3HNGMQszqCRKMU5kLZPzjqsHmEITSFJ5bVtAu
+            fLRtF8SyJpHgvyw1AH1IX6I+/lrDRQro0oD/0LcC1Nay9n86WIWhA/VbotyFCkI2
+            gZtV0IQq05mxO11DycgxlDLQk6nqiqDDjWv/8kj23HnQ3BAO6SXLKhHWq9rH8EOX
+            wkee7RHc09GWNcGL93YMkjIHWJyitphpU/NtTmEpTptzry5vPfittPaZ+zU+MF8G
+            REyft2X9Aj7UWcL1w3kbX9BDWuxImcirWWCShHakSrzAlpuIoXVQA6MCl6/Jr2Ve
+            lLx3lDX+BiSpU01zY32q0lgBOGcSEcRVXTiYO00EoJbIiEMwqm1aAXQzaCvhCCpP
+            54NsNzZ4eoGL0DmioKwzLbv1CpIJs3w0k6StfOtTCPKdlL99k24Z8GyJ44UnkhCe
+            V32jGc/yCong
+            =OZSD
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T21:35:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAhnd9Z1gekp4XWw+gcWK5j9mXWP7XS/FGNXmmCUBKec1j
+            zXzMJjG1YZyCYmqj3XGFMFwg2Ex6pBPoOTzOL2VOGd9mZvHjh0MGtuUopg1GprE7
+            NoyrYlV2UikyBSzVlsvykyNCYWfEt0uDotnGIK0NXYzfWfqgw+ImAH/PvNRY4nIB
+            wxI/Ze100ITAN7Dop9d6MFUZbrYKZTMsO8w5Z7TWHRPzFWH//XZjY7UpxvNVP1oJ
+            RXqqo2I97P0c6H7s17+xw6ZjyE0Qoin1gq4XSMHc4l8o+3D7fWecoTLxcjma5gvY
+            SMVCYeSrI2kc8DJ2RVeXdDlEP7SS3bwPNaE4Tklxv1rE+CUuYQ1X6dkPVKnKLfRS
+            Lwy614LDAarZmvXc3jPgFkpG+grE80PAStzOze0eWyZA/oCAI3/CS+yaeBAI4viz
+            UEkNmCMTZu1eXyIurC/suTOdq4nehGlD/2F8EKU+Y/6f6J2wHUJdvLjNxOuAOHd0
+            lGSu61gt/b2PFy/aHqFgQaZCPUMJ8UfK8JQ66zOIUW3HzsXOsvVqo/8DMQRIw7/z
+            3tZ43LPjmIeCRFwPfbIbeThoZmq1SPejkzadxDEwD3U0YAiblBJ2E+AyEDiKqP/N
+            D+NRN5Ta0ySAmGOyYgDES8QDDBQGA4cSZak7pMidCrSbAagNyYNg3Qrowc0aG93S
+            WAFD/Q4EtOdM6kveLdbDkPX/bAiCFwhzSCtDVkLAPxfrkw/a+az6emPWmImML5FT
+            to3vvXendrd9+u6uSNK5acuwzW2cW8GM4gLC90+p/kRFJukiGJbl400=
+            =6Gw4
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

machines/vpn/secrets.yaml

@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:uuBYbOTiThZYiNetM+FOLFVMr/HII9otG4FvN5YvuRErvNjgmAYxVncV71k=,iv:Sy3HAEcALod2pL4IZ/GSjVybLAviOoO+DsW8OROzgTg=,tag:hynRmiilafVzWCjx2Xoxhw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua1FUY1pZamY5R1ExOC8r
+            cUU4VE9VVUJjeEdXNEJnMUM5WEtUL0E2NWhZCm5xTXZ2WnhFcXRGVkdQNHlTcDBC
+            cTlySDcxaGJXOFl0UWJ6RlYzekdJaU0KLS0tIEo1RmVIZG9mOGpJM2NlOEQyKzNG
+            a0FsVGh6TlBBWG5qNTBFWVVWb3U2ZUEKp6Rfi5h1j9+nosARUcuVFUDLajaHf5SK
+            PFDpyy+n1msB4E+Yuku6ySxyf58TqPvy/JnVA7Nhkmir7IngIdfX1w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT2hGalZFaktoUHdJRXJy
+            dlg0NVZxNSsvV0VsQndOV2VqZHJzcnI3cFEwCmg0eHl0djNpcmVSaHlEM2h0R2dm
+            QzRveGlpbldYeFFQdmVHSlVtU1FhcGsKLS0tIHFnZ0xyaDRidE5naElnNWNOZmM2
+            RUpHanJrOUx1endqRytjOW9VV1dLQ1UKcS6MhvTHTn+3sCh/wrMDw4z5aYHmKbER
+            n/doy/gDtIWeIlw9TPNdCtOu/P/atNnrjvpTDCU1i+H86fODFmu5zw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-17T22:01:22Z"
+    mac: ENC[AES256_GCM,data:ctpzk2gUHSLThmZpRFwIBKX+SfwKt8/V8AWQbPnoBqJ9KwuHcRKkkT2yEMx3l2qKUy7DgrqRXhSVGbF57poXC9nshyjXMrrjMQA4PBB7a3SAwgpcX6j+aEx0xIt8GTUVxcn0xDvbP9xJ+adeACLUvkE+a4EB1jtdsL/iacxlv5Y=,iv:Zw+sG7oXmPRGa2jWc+mloGMBq6CnDQgz5x7ke5paeW8=,tag:RtfGmrSt8U8Je7Dq9FQGTg==,type:str]
+    pgp:
+        - created_at: "2024-12-19T15:09:08Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv/bueAXskPGUYQwlmujEEdjh2o3yGxTScqCEwYbghRPbf+
+            a59WXJMtIkOCxRF0bkyfoKLudJJeWRteBfN3aqdUKtFqr4g7PfavLmipRaqm1cmJ
+            EswakDt4raLx2C4HAyZvaab4fzA592tqpGU5RBRmwtkxjfCL0bY6zV/FHmk7NzYg
+            RAaEChpaUGXSTmwDiXJn1FJ1QwOSTlKm0ccoUbB1MSHi8A3LqH0lEHPqq5mb3Yhx
+            XIvOKPTZ+ODX9duLOQrAPWAfOShcyjd8SAA+uygJ7PYnXeN9HpuROcl4WEB1mpKa
+            h2AGwtUpOC9tpqKJ3kueBUePpsSHM9s1qmeImItSycFHzlB/hnuFQFndhV6I2yaP
+            lDs/Vpsfoeq3/ufR4Cajqwd7Q6dRGmf71/Sk6QhjXZQapGRcIfGWlOMcHn/z+ura
+            PPn2EtTxkgzp9G8ksOdTzIoriM7RmosC7N1BgSpw+vRUXn4dNhHN4h9LcR9XsX0u
+            lUJXfAc5DOl0bkpJ0y1B0lgBldvxchsMsg4RS2GNhIs20gjMfFLs4eRlcXU8Yps5
+            HizBAKW5frOePfzVM+GD30IstOd/pJPYrRCzg7Ym1oY/+IZTLfK/7MW2bvtP5IJy
+            LN6uk4NCOKwA
+            =Mdnc
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2024-12-19T15:09:08Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ//bvRwMD4xzEq9wihdYG/XHb72Y8RYzHLA1/okH0Kfe9wW
+            DomZhwi/VPoLf8RWTZfa0/S1PnPyOZdfEP46ZM2WSksNydMidqY7fOuFYxTI5cRG
+            javuZjAH0ZyMMG3J+Y+zzFCFRMBT8n5yDtv+bDbi1T16SJj0gpYW2IIEglOudPVl
+            vDM6bqHD5UefHtxhYGRnPaxqenLxCoNYq4DAx8+8DoIj7RTg4+rjrglW16G7KU5n
+            t7acEiD+J0fXeQM7bLTYuiI0gSkaftSuQ1GVEDgw6M80pSdWfrqE5xue+8t3MPDA
+            UGQGjXxG4ykOV5Wggs3EjOVkscgmQxWJgMYNanCZJEy36WWlzPnG59O1kiXW+6AQ
+            TCy4ZXb3SyUJ1kSoI9pJ3PSaADaID9rDgIn+IkIfY0E+QVrw9qL4qN0rqISx++EW
+            XOBucRspIqcXzFGikuz4yIwLBWVAqGhr5iKge8FVjBPVUX+JPgJjFw25fAFZkkds
+            mJDAkbzJh6iALxSIoj++kPIw+f4xQXKPPPLJiJzpuWAcZJiA3WM10iakGyuKmYPL
+            qVgwo1hXOVODwbkBvztJOGIMqMXNLQP9A45kpNjFuyPn8WcignmvoFXtGbr9BtCY
+            sZAZrDFw/JxVLVPSM3duKC6R8r8MQfp1ZNVLU9fMzqfReu+6gD5biESM+rnYC4TS
+            WAGB3htm92PRqdsJnDrgO8kzi9fHNxo0htj9fmo8ipNY+eeLfrAW6ocqPMBzCuyf
+            3EbF+PS9PRg0lHyjkBC2pF6PD8DHVL/2OTSpWOZdp8FCqogZg7e7dMI=
+            =vQSV
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

machines/zineshop/configuration.nix

@@ -0,0 +1,34 @@
+{ self, config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "zineshop";
+    useDHCP = false;
+  };
+
+  imports = [
+    inputs.malobeo.nixosModules.malobeo.metrics
+    inputs.malobeo.nixosModules.malobeo.printing
+    inputs.zineshop.nixosModules.zineshop
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.printing.enable = true;
+  services.malobeo.printing.enable = true;
+
+  services.zineshop.enable = true;
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

outputs.nix

@@ -4,6 +4,7 @@
 , nixpkgs-unstable
 , nixos-generators
 , sops-nix
+, microvm
 , ...
 } @inputs:
 
@@ -13,17 +14,111 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
   let
     pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}";
     pkgs = nixpkgs.legacyPackages."${system}";
+
+    hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; });
+    utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; });
   in
   {
-    devShells.default = pkgs.callPackage ./shell.nix {
-      inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
-    };
-  })) // rec {
-    nixosConfigurations = import ./machines/configuration.nix (inputs // {
-      inherit inputs;
-    });
+    devShells.default =
+    let
+      sops = sops-nix.packages."${pkgs.system}";
+      microvmpkg = microvm.packages."${pkgs.system}";
+      installed = builtins.attrNames self.legacyPackages."${pkgs.system}".scripts;
+    in
+    pkgs.mkShell {
+      sopsPGPKeyDirs = [
+        "./machines/secrets/keys/hosts"
+        "./machines/secrets/keys/users"
+      ];
     
-    nixosModules.malobeo = import ./machines/durruti/host_config.nix;
+      nativeBuildInputs = [
+        sops.ssh-to-pgp
+        sops.sops-import-keys-hook
+        sops.sops-init-gpg-key
+        pkgs.sops
+        pkgs.age
+        pkgs.python313Packages.grip
+        pkgs.mdbook
+        pkgs.ssh-to-age
+        microvmpkg.microvm
+      ];
+
+      packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed;
+      shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
+    };
+
+    legacyPackages = {
+      scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
+      scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
+      scripts.add-host-keys = pkgs.writeShellScriptBin "add-host-keys" (builtins.readFile ./scripts/add_new_host_keys.sh);
+      scripts.run-vm = self.packages.${system}.run-vm;
+    };
+
+    vmBuilder = utils.buildVM;
+
+    packages = {
+      docs = pkgs.stdenv.mkDerivation {
+        name = "malobeo-docs";
+        phases = [ "buildPhase" ];
+        buildInputs = [ pkgs.mdbook ];
+      
+        inputs = pkgs.lib.sourceFilesBySuffices ./doc/. [ ".md" ".toml" ];
+      
+        buildPhase = ''
+          dest=$out/share/doc
+          mkdir -p $dest
+          cp -r --no-preserve=all $inputs/* ./
+          mdbook build
+          ls
+          cp -r ./book/* $dest
+        '';
+      };
+
+      run-vm = pkgs.writeShellScriptBin "run-vm"  (builtins.readFile ./scripts/run-vm.sh);
+    };
+
+    apps = {
+      docs = {
+        type = "app";
+        program = builtins.toString (pkgs.writeShellScript "docs" ''
+          ${pkgs.xdg-utils}/bin/xdg-open "${self.packages.${system}.docs}/share/doc/index.html"
+        '');
+      };
+
+
+      docsDev = {
+        type = "app";
+        program = builtins.toString (pkgs.writeShellScript "docs" ''
+          echo "needs to run from infrastuctre root folder"
+          ${pkgs.mdbook}/bin/mdbook serve --open ./doc
+        '');
+      };
+
+      run-vm = {
+        type = "app";
+        program = "${self.packages.${system}.run-vm}/bin/run-vm";
+      };
+    };
+
+  })) // (
+  let
+    hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; });
+    utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; });
+  in
+  {
+    nixosConfigurations = utils.buildHost hosts.malobeo.hosts;
+
+    nixosModules.malobeo = {
+      host.imports = [ ./machines/durruti/host_config.nix ];
+      microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
+      vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
+      initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
+      metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
+      disko.imports = [ ./machines/modules/disko ];
+      users.imports = [ ./machines/modules/malobeo/users.nix ];
+      backup.imports = [ ./machines/modules/malobeo/backup.nix ];
+      printing.imports = [ ./machines/modules/malobeo/printing.nix ];
+    };
 
     hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
       let
@@ -36,4 +131,4 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
       nixpkgs.lib.mapAttrs getBuildEntry self.nixosConfigurations
 
       );
-}
+})

scripts/add_new_host_keys.sh

@@ -0,0 +1,57 @@
+set -o errexit
+#set -o pipefail
+
+if [ ! -e flake.nix ]
+    then
+    echo "flake.nix not found. Searching down."
+    while [ ! -e flake.nix ]
+        do
+        if [ $PWD = "/" ]
+            then
+            echo "Found root. Aborting."
+            exit 1
+            else
+            cd ..
+        fi
+    done
+fi
+
+read -p "Enter new host name: " hostname
+
+if [ "$hostname" = "" ]; then exit 0
+fi
+
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
+
+mkdir -p "$pwpath"
+cd "$pwpath"
+
+# Generate SSH keys
+ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
+ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
+wg genkey > wg.private
+publickey=$(cat wg.private | wg pubkey)
+
+#encrypt the private keys
+sops -e -i ./$hostkey
+sops -e -i ./$initrdkey
+sops -e -i ./wg.private
+
+#generate encryption key
+tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
+sops -e -i ./disk.key
+
+# Info
+echo
+echo "Hier ist der age public key für sops etc:"
+echo "$(ssh-to-age -i ./"$hostkey".pub)"
+echo
+echo "Hier ist der wireguard pubkey für das gerät"
+echo "$publickey"
+echo 
+echo "Hier ist eine reproduzierbare mac-addresse:"
+echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+
+exit 0

scripts/remote-install-encrypt.sh

@@ -0,0 +1,68 @@
+set -o errexit
+set -o pipefail
+
+if [ $# -lt 2 ]; then
+  echo
+  echo "Install NixOS to the host system with secrets and encryption"
+  echo "Usage: $0 <hostname> <ip> (user)"
+  exit 1
+fi
+
+if [ ! -e flake.nix ]
+    then
+    echo "flake.nix not found. Searching down."
+    while [ ! -e flake.nix ]
+        do
+        if [ $PWD = "/" ]
+            then
+            echo "Found root. Aborting."
+            exit 1
+            else
+            cd ..
+        fi
+    done
+fi
+
+hostname=$1
+ipaddress=$2
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create the directory where sshd expects to find the host keys
+install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/etc/wireguard/"
+
+##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
+diskKey=$(sops -d $pwpath/disk.key)
+echo "$diskKey" > /tmp/secret.key
+
+sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
+
+sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
+
+sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
+# # Set the correct permissions so sshd will accept the key
+chmod 600 "$temp/etc/ssh/$hostname"
+chmod 600 "$temp/etc/ssh/initrd"
+
+# Install NixOS to the host system with our secrets and encription
+# optional --build-on-remote
+if [ $# = 3 ]
+  then
+  nix run github:numtide/nixos-anywhere -- --extra-files "$temp"   \
+ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
+
+else
+nix run github:numtide/nixos-anywhere -- --extra-files "$temp"   \
+ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
+fi

scripts/run-vm.sh

@@ -0,0 +1,82 @@
+usage() {
+    echo "Usage: run-vm <hostname> [--networking] [--dummy-secrets] [--no-disko]"
+    echo "ATTENTION: This script must be run from the flakes root directory"
+    echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
+    echo "--dummy-secrets run vm with dummy sops secrets"
+    echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
+    echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
+    echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
+    echo "--data path to directory that should be shared as /data"
+    echo "--fwd-port forwards the given port to port 80 on vm"
+    exit 1
+}
+
+# check at least one arg was given
+if [ "$#" -lt 1 ]; then
+    usage
+fi
+
+HOSTNAME=$1
+
+# Optionale Argumente
+NETWORK=false
+DUMMY_SECRETS=false
+NO_DISKO=false
+RW_STORE=false
+VAR_PATH=""
+DATA_PATH=""
+FWD_PORT=0
+
+# check argws
+shift
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        --networking) NETWORK=true ;;
+        --dummy-secrets) DUMMY_SECRETS=true ;;
+        --no-disko) NO_DISKO=true ;;
+        --writable-store) RW_STORE=true ;;
+        --var) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              VAR_PATH="$2"
+              shift
+          else
+              echo "Error: --var requires a non-empty string argument."
+              usage
+          fi
+          ;;
+        --data) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              DATA_PATH="$2"
+              shift
+          else
+              echo "Error: --data requires a non-empty string argument."
+              usage
+          fi
+          ;;
+        --fwd-port) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              FWD_PORT="$2"
+              shift
+          else
+              echo "Error: --var requires a non-empty string argument."
+              usage
+          fi
+          ;;
+        *) echo "Unknown argument: $1"; usage ;;
+    esac
+    shift
+done
+echo "starting host $HOSTNAME"
+echo "enable networking: $NETWORK"
+echo "deploy dummy secrets: $DUMMY_SECRETS"
+echo "disable disko and initrd secrets: $NO_DISKO"
+echo "use writable store: $RW_STORE"
+if [ -n "$VAR_PATH" ]; then
+  echo "sharing var directory: $VAR_PATH"
+fi
+
+if [ -n "$DATA_PATH" ]; then
+  echo "sharing data directory: $DATA_PATH"
+fi
+
+nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" \"$DATA_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"

scripts/unlock-boot.sh

@@ -0,0 +1,42 @@
+set -o errexit
+set -o pipefail
+
+sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
+hostname=$1
+
+if [ ! -e flake.nix ]
+    then
+    echo "flake.nix not found. Searching down."
+    while [ ! -e flake.nix ]
+        do
+        if [ $PWD = "/" ]
+            then
+            echo "Found root. Aborting."
+            exit 1
+            else
+            cd ..
+        fi
+    done
+fi
+
+diskkey=$(sops -d machines/$hostname/secrets/disk.key)
+
+echo
+if [ $# = 1 ]
+    then
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
+
+elif [ $# = 2 ]
+    then
+    ip=$2
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
+    
+else
+    echo
+    echo "Unlock the root disk on a remote host."
+    echo "Usage: $0 <hostname> [ip]"
+    echo "If an IP is not provided, the hostname will be used as the IP address."
+    exit 1
+fi

shell.nix

@@ -1,22 +0,0 @@
-{ mkShell
-, sops-import-keys-hook
-, ssh-to-pgp
-, sops-init-gpg-key
-, sops
-, pkgs
-}:
-
-mkShell {
-  sopsPGPKeyDirs = [
-    "./machines/secrets/keys/hosts"
-    "./machines/secrets/keys/users"
-  ];
-
-  nativeBuildInputs = [
-    ssh-to-pgp
-    sops-import-keys-hook
-    sops-init-gpg-key
-    sops
-    pkgs.python310Packages.grip
-  ];
-}