[lucia] rm wireguard cfg

[vpn] init
[modules] add missing import
2024-12-16 22:01:04 +01:00 · 2024-12-16 22:00:52 +01:00 · 2024-12-16 22:00:20 +01:00 · 2024-12-16 22:00:05 +01:00 · 2024-12-16 20:32:37 +01:00 · 2024-12-16 20:32:31 +01:00
47 changed files with 1492 additions and 429 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@
 *.log
 result
 *.qcow2
 .direnv/
 book/
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ the file structure is based on this [blog post](https://samleathers.com/posts/20
 #### durruti
 - nixos-container running on dedicated hetzner server
- login via ```ssh -p 222 malobeo@5.9.153.217```
+- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
 - if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
 - currently is running tasklist in detached tmux session
  - [x] make module with systemd service out of that
@@ -98,34 +98,3 @@ for documentation we currently just use README.md files.
 the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
 the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.
 ## todos...
 #### infrastructure
 * [ ] host a local wiki with public available information about the space, for example:
  * [ ] how to use coffe machine
  * [ ] how to turn on/off electricity
  * [ ] how to use beamer
  * [ ] how to buecher ausleihen
  * ...
 * [x] host some pad (codimd aka hedgedoc)
 * [ ] some network fileshare for storing the movies and streaming them within the network
 * [x] malobeo network infrastructure rework
  * [x] request mulvad acc
  * [x] remove freifunk, use openwrt with mulvad configured
 * [ ] evaluate imposing solutions
    * [ ] pdfarranger
 #### external services
 we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
 - [x] analyse best way to include our stuff into external nixOs server
  - [x] writing some module that is included by the server
  - [x] directly use nixOs container on host
  - [x] combination of both (module that manages nginx blabla + nixOs container for the services
 #### bots&progrmaming
 * [ ] create telegram bot automatically posting tuesday events
 * [x] create webapp/interface replacing current task list pad
  * could be a simple form for every tuesday
  * [x] element bot should send updates if some tasks are not filled out
--- a/doc/.gitignore
+++ b/doc/.gitignore
@@ -0,0 +1 @@
 book
--- a/doc/book.toml
+++ b/doc/book.toml
@@ -0,0 +1,6 @@
 [book]
 authors = ["ahtlon"]
 language = "de"
 multilingual = false
 src = "src"
 title = "Malobeo Infrastruktur Dokumentation"
--- a/doc/src/Index.md
+++ b/doc/src/Index.md
@@ -0,0 +1 @@
 # Index
--- a/doc/src/SUMMARY.md
+++ b/doc/src/SUMMARY.md
@@ -0,0 +1,20 @@
 # Summary
 - [Index](./Index.md)
    - [Info]()
        - [Aktuelle Server]()
            - [Durruti](./server/durruti.md)
            - [Lucia](./server/lucia.md)
        - [Hardware]()
        - [Netzwerk]()
        - [Seiten]()
            - [Website](./server/website.md)
            - [musik](./projekte/musik.md)
        - [TODO](./todo.md)
    - [How-to]()
        - [Create New Host](./anleitung/create.md)
        - [Sops](./anleitung/sops.md)            
        - [Wireguard](./anleitung/wireguard.md)
        - [Updates](./anleitung/updates.md)
        - [Rollbacks](./anleitung/rollback.md)
        - [MicroVM](./anleitung/microvm.md)
--- a/doc/src/anleitung/create.md
+++ b/doc/src/anleitung/create.md
@@ -0,0 +1,66 @@
 # Create host with disko-install
 How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
 ---
 Here are the exact steps to get bakunin running:  
 First create machines/hostname/configuration.nix  
 Add hosts nixosConfiguration in machines/configurations.nix  
 Boot nixos installer on the Machine.  
 ``` bash
 # establish network connection
 wpa_passphrase "network" "password" > wpa.conf
 wpa_supplicant -B -i wlp3s0 -c wpa.conf
 ping 8.8.8.8
 # if that works continue
 # generate a base hardware config
 nixos-generate-config --root /tmp/config --no-filesystems
 # get the infra repo
 nix-shell -p git
 git clone https://git.dynamicdiscord.de/kalipso/infrastructure
 cd infrastructure
 # add the new generated hardware config (and import in hosts configuration.nix)
 cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
 # check which harddrive we want to install the system on
 lsblk #choose harddrive, in this case /dev/sda
 # run nixos-install on that harddrive
 sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
 # this failed with out of memory
 # running again showed: no disk left on device
 # it seems the usb stick i used for flashing is way to small
 # it is only 
 # with a bigger one (more than 8 gig i guess) it should work
 # instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
 # for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
 sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
 # failed with no space left on device.
 # problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
 # it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
 ```
 # Testing Disko
 Testing disko partitioning is working quite well. Just run the following and check the datasets in the vm:
 ```bash
 nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
 ```
 Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
 ```nix
 datasets = {
  encrypted = {
    options = {
      encryption = "aes-256-gcm"; #THIS ONE
      keyformat = "passphrase"; #THIS ONE
      keylocation = "file:///tmp/root.key"; #THIS ONE
    };
    # use this to read the key during boot
     postCreateHook = '' #THIS ONE 
       zfs set keylocation="prompt" "zroot/$name"; #THIS ONE 
     ''; #THIS ONE 
 ```
--- a/doc/src/anleitung/microvm.md
+++ b/doc/src/anleitung/microvm.md
@@ -0,0 +1,81 @@
 ### Declaring a MicroVM
 The hosts nixosSystems modules should be declared using the ```makeMicroVM``` helper function.
 Use durruti as orientation:
 ``` nix
    modules = makeMicroVM "durruti" "10.0.0.5" [
      ./durruti/configuration.nix
    ];
 ```
 "durruti" is the hostname.  
 "10.0.0.5" is the IP assigned to its tap interface.  
 ### Testing MicroVMs locally
 MicroVMs can be built and run easily on your local host, but they are not persistent!
 For durruti for example this is done by:
 ``` bash
 nix run .\#durruti-vm
 ```
 ### Testing persistent microvms
 In order to test persistent microvms locally we need to create them using the ```microvm``` command.  
 This is necessary to be able to mount persistent /etc and /var volumes on those hosts.  
 Do the following:
 ```bash
 # go into our repo and start the default dev shell (or us direnv)
 nix develop .#
 # create a microvm on your host (on the example of durruti)
 sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo
 # start the vm
 sudo systemctl start microvm@durruti.serivce
 # this may fail, if so we most probably need to create /var /etc manually, then restart
 sudo mkdir /var/lib/microvms/durruti/{var, etc}
 # now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/
 # alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
 microvm -r durruti
 # after u made changes to the microvm update and restart the vm 
 microvm -uR durruti
 # deleting the vm again:
 sudo systemctl stop microvm@durruti.service
 sudo systemctl stop microvm-virtiofsd@durruti.service
 sudo rm -rf /var/lib/microvms/durruti
 ```
 ### Host Setup
 #### Network Bridge
 To provide network access to the VMs a bridge interface needs to be created on your host.
 For that:
 - Add the infrastructure flake as input to your hosts flake  
 - Add ```inputs.malobeo.nixosModules.malobeo``` to your hosts imports
 - enable the host bridge: ```services.malobeo.microvm.enableHostBridge = true;```
 If you want to provide Internet access to the VM it is necessary to create a nat.
 This could be done like this:
 ``` nix
 networking.nat = {
  enable = true;
  internalInterfaces = [ "microvm" ];
  externalInterface = "eth0"; #change to your interface name
 };
 ```
 #### Auto Deploy VMs
 By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool.
 But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option.
 VMs configured using this option will be initialized and autostarted at boot.
 Updating still needs to be done imperative, or by enabling autoupdates.nix
 The following example would init and autostart durruti and gitea:
 ``` nix
 malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
 ```
--- a/doc/src/anleitung/rollback.md
+++ b/doc/src/anleitung/rollback.md
@@ -0,0 +1 @@
 # Rollbacks
--- a/doc/src/anleitung/sops.md
+++ b/doc/src/anleitung/sops.md
@@ -0,0 +1,25 @@
 # Sops
 ## How to add admin keys
 - Git:
    - Generate gpg key
    - Add public key to `./machines/secrets/keys/users/`
    - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
 - Age:
    - Generate age key for Sops:   
      ```
      $ mkdir -p ~/.config/sops/age
      $ age-keygen -o ~/.config/sops/age/keys.txt
      ```
      or to convert an ssh ed25519 key to an age key
      ```
      $ mkdir -p ~/.config/sops/age
      $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
      ```
    - Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
    - Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
 - Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
 - `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
--- a/doc/src/anleitung/updates.md
+++ b/doc/src/anleitung/updates.md
@@ -0,0 +1 @@
 # Updates
--- a/doc/src/anleitung/wireguard.md
+++ b/doc/src/anleitung/wireguard.md
@@ -0,0 +1,11 @@
 # Wireguard
 Running on the raspberry pi  
 - Create new keys
    - Enter nix shell for wg commands `nix-shell -p wireguard-tools` 
    - New private key `wg genkey > secrets/keys/wireguard/example.key` 
    - Encrypt with `sops -e -i secrets/keys/wireguard/example.key`
        - commit keys only after encrypting
    - Decrypt to stdout `sops -d secrets/keys/wireguard/example.key`
    - Decrypt for use on a client `sops -d secrets/keys/wireguard/private.key > /tmp/private.key`
    - Display public key `sops -d secrets/keys/wireguard/example.key | wg pubkey`
--- a/doc/src/projekte/musik.md
+++ b/doc/src/projekte/musik.md
@@ -0,0 +1 @@
 # musik
--- a/doc/src/server/durruti.md
+++ b/doc/src/server/durruti.md
@@ -0,0 +1,2 @@
 # Durruti
 Hetzner Server
--- a/doc/src/server/lucia.md
+++ b/doc/src/server/lucia.md
@@ -0,0 +1,2 @@
 # Lucia
 Lokaler Raspberry Pi 3
--- a/doc/src/server/website.md
+++ b/doc/src/server/website.md
@@ -0,0 +1,7 @@
 #Website
 hosted on uberspace  
 runs malobeo.org(wordpress) and forum.malobeo.org(phpbb)  
 access via ssh with public key or password  
 Files under /var/www/virtual/malobeo/html
--- a/doc/src/todo.md
+++ b/doc/src/todo.md
@@ -0,0 +1,32 @@
 # TODO
 - [ ] Dieses wiki schreiben
 #### infrastructure
 * [ ] host a local wiki with public available information about the space, for example:
  * [ ] how to use coffe machine
  * [ ] how to turn on/off electricity
  * [ ] how to use beamer
  * [ ] how to buecher ausleihen
  * ...
 - [x] host a local wiki with infrastructure information
 * [x] host some pad (codimd aka hedgedoc)
 * [ ] some network fileshare for storing the movies and streaming them within the network
  - Currently developed in the 'fileserver' branch
    - NFSV4 based
 * [x] malobeo network infrastructure rework
  * [x] request mulvad acc
  * [x] remove freifunk, use openwrt with mulvad configured
 * [ ] evaluate imposing solutions
    * [ ] pdfarranger
 #### external services
 we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
 - [x] analyse best way to include our stuff into external nixOs server
  - [x] writing some module that is included by the server
  - [x] directly use nixOs container on host
  - [x] combination of both (module that manages nginx blabla + nixOs container for the services
 #### bots&progrmaming
 * [ ] create telegram bot automatically posting tuesday events
 * [x] create webapp/interface replacing current task list pad
  * could be a simple form for every tuesday
  * [x] element bot should send updates if some tasks are not filled out
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
 {
  "nodes": {
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730135292,
        "narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "latest",
        "repo": "disko",
        "type": "github"
      }
    },
    "ep3-bs": {
      "inputs": {
        "nixpkgs": [
@@ -21,6 +42,24 @@
        "url": "https://git.dynamicdiscord.de/kalipso/ep3-bs.nix"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -28,16 +67,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1726989464,
+        "lastModified": 1733951536,
-        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
+        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
+        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-24.05",
+        "ref": "release-24.11",
        "repo": "home-manager",
        "type": "github"
      }
@@ -61,13 +100,35 @@
        "type": "github"
      }
    },
    "microvm": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
        "spectrum": "spectrum"
      },
      "locked": {
        "lastModified": 1734041466,
        "narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
        "owner": "astro",
        "repo": "microvm.nix",
        "rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
        "type": "github"
      },
      "original": {
        "owner": "astro",
        "repo": "microvm.nix",
        "type": "github"
      }
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1729386149,
+        "lastModified": 1733620091,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+        "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b",
        "type": "github"
      },
      "original": {
@@ -84,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1729472750,
+        "lastModified": 1733965598,
-        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+        "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f",
        "type": "github"
      },
      "original": {
@@ -99,11 +160,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1729742320,
+        "lastModified": 1733861262,
-        "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
+        "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
+        "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
        "type": "github"
      },
      "original": {
@@ -129,29 +190,13 @@
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1729357638,
        "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1729665710,
+        "lastModified": 1733759999,
-        "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
+        "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
+        "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
        "type": "github"
      },
      "original": {
@@ -163,25 +208,27 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1729449015,
+        "lastModified": 1733808091,
-        "narHash": "sha256-Gf04dXB0n4q0A9G5nTGH3zuMGr6jtJppqdeljxua1fo=",
+        "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "89172919243df199fe237ba0f776c3e3e3d72367",
+        "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "disko": "disko",
        "ep3-bs": "ep3-bs",
        "home-manager": "home-manager",
        "mfsync": "mfsync",
        "microvm": "microvm",
        "nixos-generators": "nixos-generators",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
@@ -195,15 +242,14 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1729695320,
+        "lastModified": 1733965552,
-        "narHash": "sha256-Fm4cGAlaDwekQvYX0e6t0VjT6YJs3fRXtkyuE4/NzzU=",
+        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "d089e742fb79259b9c4dd9f18e9de1dd4fa3c1ec",
+        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
        "type": "github"
      },
      "original": {
@@ -212,6 +258,22 @@
        "type": "github"
      }
    },
    "spectrum": {
      "flake": false,
      "locked": {
        "lastModified": 1733308308,
        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
        "ref": "refs/heads/main",
        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
        "revCount": 792,
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      },
      "original": {
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@@ -257,6 +319,21 @@
        "type": "github"
      }
    },
    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tasklist": {
      "inputs": {
        "nixpkgs": [
@@ -315,14 +392,14 @@
    },
    "utils_3": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1731533236,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -3,11 +3,15 @@
  inputs = {
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    mfsync.url = "github:k4lipso/mfsync";
    microvm.url = "github:astro/microvm.nix";
    microvm.inputs.nixpkgs.follows = "nixpkgs";
    disko.url = "github:nix-community/disko/latest";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    utils = {
      url = "github:numtide/flake-utils";
@@ -29,7 +33,7 @@
    };
    home-manager=  {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-24.11";
      inputs = {
        nixpkgs.follows = "nixpkgs";
      };
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -5,6 +5,7 @@
 keys:
  - &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb
  - &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4
  - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
  - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
  - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
  - &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
@@ -15,15 +16,28 @@ creation_rules:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_moderatio
      age:
      - *admin_atlan
  - path_regex: lucia/secrets.yaml$
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_lucia
      age:
      - *admin_atlan
  - path_regex: durruti/secrets.yaml$
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_durruti
      age:
      - *admin_atlan
  - path_regex: secrets/keys/wireguard/.*
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      age:
      - *admin_atlan
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -0,0 +1,83 @@
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
      ../modules/xserver.nix
      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
    ];
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
    project = "malobeo";
    jobset = "infrastructure";
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  boot.loader.systemd-boot.enable = true;
  hardware.sane.enable = true; #scanner support
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  users.users.malobeo = {
    packages = with pkgs; [
      firefox
      thunderbird
      telegram-desktop
      tor-browser-bundle-bin
      keepassxc
      libreoffice
      gimp
      inkscape
      okular
      element-desktop
      chromium
      mpv
      vlc
      simple-scan
    ];
  };
  services.tor = {
    enable = true;
    client.enable = true;
  };
  services.printing.enable = true;
  services.printing.drivers = [
    (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
    pkgs.gutenprint
    pkgs.gutenprintBin
    pkgs.brlaser
    pkgs.brgenml1lpr 
    pkgs.brgenml1cupswrapper
  ];
  # needed for printing drivers
  nixpkgs.config.allowUnfree = true; 
  services.acpid.enable = true;
  networking.hostName = "bakunin";
  networking.networkmanager.enable = true;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    systemWide = true;
  };
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "23.05"; # Do.. Not.. Change..
 }
--- a/machines/moderatio/hardware-configuration.nix
+++ b/machines/moderatio/hardware-configuration.nix
@@ -8,46 +8,42 @@
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "ums_realtek" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-  boot.initrd.kernelModules = [ ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" =
+boot.initrd.luks.devices = {
-    { device = "rpool/nixos/root";
+root = {
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
 preLVM = true;
 allowDiscards = true;
 };
 };
-  fileSystems."/home" =
+  fileSystems."/" =
-    { device = "rpool/nixos/home";
+    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+      fsType = "btrfs";
    };
  fileSystems."/boot" =
-    { device = "bpool/nixos/root";
+    { device = "/dev/disk/by-uuid/402B-2026";
      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
    };
  fileSystems."/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1" =
    { device = "/dev/disk/by-uuid/A0D1-00C1";
      fsType = "vfat";
    };
-  fileSystems."/boot/efi" =
+  swapDevices =
-    { device = "/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1";
+    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
-      fsType = "none";
+    ];
      options = [ "bind" ];
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -40,16 +40,61 @@ let
    }
  ];
  defaultModules = baseModules;
-in
+
  makeMicroVM = hostName: ipv4Addr: modules: [
    inputs.microvm.nixosModules.microvm
    {
-  moderatio = nixosSystem {
+      microvm = {
-    system = "x86_64-linux";
+        hypervisor = "cloud-hypervisor";
-    specialArgs.inputs = inputs;
+        mem = 2560;
-    modules = defaultModules ++ [
+        shares = [
-      ./moderatio/configuration.nix
+          {
            source = "/nix/store";
            mountPoint = "/nix/.ro-store";
            tag = "store";
            proto = "virtiofs";
            socket = "store.socket";
          }
          {
            source = "/var/lib/microvms/${hostName}/etc";
            mountPoint = "/etc";
            tag = "etc";
            proto = "virtiofs";
            socket = "etc.socket";
          }
          {
            source = "/var/lib/microvms/${hostName}/var";
            mountPoint = "/var";
            tag = "var";
            proto = "virtiofs";
            socket = "var.socket";
          }
        ];
        interfaces = [
          {
            type = "tap";
            id = "vm-${hostName}";
            mac = "02:00:00:00:00:01";
          }
        ];
      };
      systemd.network.enable = true;
      systemd.network.networks."20-lan" = {
        matchConfig.Type = "ether";
        networkConfig = {
          Address = [ "${ipv4Addr}/24" ];
          Gateway = "10.0.0.1";
          DNS = ["1.1.1.1"];
          DHCP = "no";
        };
      };
    }
  ] ++ defaultModules ++ modules;
 in
 {
  louise = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
@@ -58,14 +103,45 @@ in
    ];
  };
-  durruti = nixosSystem {
+  bakunin = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    modules = defaultModules ++ [
      ./bakunin/configuration.nix
      inputs.disko.nixosModules.disko
      ./modules/disko/btrfs-laptop.nix
    ];
  };
  fanny = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    modules = defaultModules ++ [
      ./fanny/configuration.nix
      inputs.disko.nixosModules.disko
      ./modules/disko/fanny.nix
    ];
  };
  durruti = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    specialArgs.self = self;
    modules = makeMicroVM "durruti" "10.0.0.5" [
      ./durruti/configuration.nix
    ];
  };
  vpn = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    specialArgs.self = self;
    modules = makeMicroVM "vpn" "10.0.0.10" [
      self.nixosModules.malobeo
      ./vpn/configuration.nix
    ];
  };
  lucia = nixosSystem {
    system = "aarch64-linux";
    specialArgs.inputs = inputs;
--- a/machines/durruti/configuration.nix
+++ b/machines/durruti/configuration.nix
@@ -5,7 +5,6 @@ with lib;
 {
  sops.defaultSopsFile = ./secrets.yaml;
  boot.isContainer = true;
  networking = {
    hostName = mkDefault "durruti";
    useDHCP = false;
@@ -23,55 +22,16 @@ with lib;
  imports = [
    inputs.ep3-bs.nixosModules.ep3-bs
    inputs.tasklist.nixosModules.malobeo-tasklist
    ./documentation.nix
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    ../modules/minimal_tools.nix
    ../modules/autoupdate.nix
  ];
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
    project = "malobeo";
    jobset = "infrastructure";
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  services.malobeo-tasklist.enable = true;
  services.ep3-bs = {
    enable = true;
    in_production = true;
    favicon = ./circle-a.png;
    logo = ./malobeo.png;
    mail = {
      type = "smtp-tls";
      address = "dynamicdiscorddresden@systemli.org";
      host = "mail.systemli.org";
      user = "dynamicdiscorddresden@systemli.org";
      passwordFile = config.sops.secrets.ep3bsMail.path;
      auth = "plain";
    };
    database = {
      user = "malodbuser";
      passwordFile = config.sops.secrets.ep3bsDb.path;
    };
  };
  sops.secrets.ep3bsDb = {
    owner = config.services.ep3-bs.user;
    key = "ep3bsDb";
  };
  sops.secrets.ep3bsMail = {
    owner = config.services.ep3-bs.user;
    key = "ep3bsMail";
  };
  system.stateVersion = "22.11"; # Did you read the comment?
 }
--- a/machines/durruti/documentation.nix
+++ b/machines/durruti/documentation.nix
@@ -0,0 +1,15 @@
 { config, self, ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts."_" = {
      listen = [ 
        { addr = "0.0.0.0"; port = 9000; } 
      ];
      root = "${self.packages.x86_64-linux.docs}/share/doc";
    };
  };
  networking.firewall.allowedTCPPorts = [ 9000 ];
 }
--- a/machines/durruti/host_config.nix
+++ b/machines/durruti/host_config.nix
@@ -33,6 +33,12 @@ in
      }
    ];
    services.nginx.virtualHosts."docs.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
      locations."/".proxyPass = "http://${cfg.host_ip}:9000";
    };
    services.nginx.virtualHosts."tasklist.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
@@ -44,6 +50,5 @@ in
      enableACME= true;
      locations."/".proxyPass = "http://${cfg.host_ip}:80";
    };
  };
 }
--- a/machines/durruti/secrets.yaml
+++ b/machines/durruti/secrets.yaml
@@ -6,66 +6,75 @@ sops:
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age: []
+    age:
        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84
            LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw
            bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm
            SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV
            45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-06-26T10:07:26Z"
    mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
    pgp:
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+
+            hQGMA5HdvEwzh/H7AQwAhcsRc3mCqKgUFym0W5lTN6j5xg+o0PF31ZQ3qqkO3b5+
-            43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT
+            nIPH8Ee7nrcfRCM2AV+TReaZ2qfP4TdU5j00F5977H5UM+UULFM+FSGcY63rkp80
-            d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc
+            1U1ZzxbzTwV5mil8dx3dmENMgFpKy0J2MatPdR5bu/z0o7sLty1DUq9hiQOTfM3F
-            5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN
+            u1mfmY37YewMBmxlzDJ3Z5+lslRJUqa3Ho9atjYhwxZTYgh9QQtnm8kRjNM/HKpQ
-            MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu
+            sDAWu9JXit33WwHayxUFWZ5syiwsbFxAelrZnluW3KiKu3v+9VO7X6dJsrrIB6Xt
-            eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv
+            j/mJhwkwJ39xHD/eQqMJsdAum8Pgxi40XjD6wJvmIhYz1y8Lbymanb+6U+fJk71V
-            pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf
+            ZLsbk+sR1Jkh+L3NV+UGlMusgQuxcE2xQjNMEbpzk1xXsFFz+QxVxx6HZp8xRh4v
-            Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W
+            M8L2LkiZp5w8iij+uJ+k0ovu4XH2Bf/2myhabfRrk5bPZbweH/bJOxChIgf/b/ZP
-            CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs
+            FdfHGP0KlJe+jMGY3j7c0lgB9k2vyvYTHaAOcQoe/HdKNvueMMYDIzxLZ6sXsn+z
-            6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq
+            jhdW9FxM9g2ZOStq1Mwjzvb8rJCAFQH0s/3yHZY7rveaI88Z3G11i97D3OME2yAx
-            OBN3luBRDDAj
+            bxCHPCFfvmX/
-            =+dua
+            =3wBJ
            -----END PGP MESSAGE-----
          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo
+            hQIMA98TrrsQEbXUAQ//eBqaTG6/KiQFfEMog839q+nukWh3SHSnhCDyCAhdqKA3
-            HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx
+            Q9FSroIYEOMwE9SYkNC9T0/pf/ZmRuPBpx09b+q+1df4FLdajgpEbg1CyWnw7fyR
-            hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh
+            731vYt5hvN7PVtBGs842BcEvYwKVG33HTadi53l+pjDURpHGLWLbURiqchGrXpPn
-            9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3
+            o6rih4ueE0TmLHGugGKIr7n/XgH4xpsr/wFLQCnCaVATXdS1Tk86bTeu0HybmPlG
-            rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ
+            dw4TZrTSO7uq2GyczIC81HnLPisZ1w+7R0m58kV0FGFoDZIwczW46J/h3NLsjO0t
-            lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj
+            4zKV1oJUpCANalDCRBhf5RRatw/OzTgVHnpuGyaoAtWGyZpeQi2ntoEvFb3eWAc3
-            fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1
+            NMjc2bqamZEdfnBOmPILqRKINm60DkpiI7behY3oV178bWcp3iWsyA4biL0O0pf4
-            2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl
+            FXbW29zHnEr86wTlJmJIC5sGkNNtu0dNFAKuzKjAel9sVor183WkJk8NAgaaI/pD
-            TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC
+            pQV+l0ClexXGIW7p931Sn7u2JmXeNJM+yqRz5lDWMLakxygW2h4HDI8NOIS7xvP1
-            3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA
+            Ip3a5bGctGEVmAK9MEhcRIGcP7Aoacj7iZVg9bnac4HCX3wnnGjLDNL+XDzfmfUB
-            UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS
+            M48YUoDS1CSjlcTbgIaL3HeX84EYcoQdRjwRcI3pVpPkJTpi/t2I+/2tOP92sm7S
-            WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt
+            WAHfIeh3niCzrQa//nwdAEQq+7YrDCDia7SSxDDrRM+/LTaQacoo9SuaHuEANZ/P
-            08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ=
+            +x7rrZsnQq8UBpnd+dQCyxipQvwmjtp9N5xKcragt1LdH4M+Q/qoSIo=
-            =7OG0
+            =4vnh
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf
+            hQIMA1kR3vWkIYVnAQ//UfsG62+53p9PyXN+c6hoMg+MqWxjvia9kHvjE3Q3bcO+
-            XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6
+            KVYqD8CszyTwiTV0RoTWddyiZwZHKkH/ymTtnNafG6NVo3XrYpRmO7SxmVMm1BIt
-            GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U
+            HrBCdQkLDQOzqbeKBV9bGqO3xHKLEu0vwFkEdpWpNrjkKZfYQ8SjE/6vTJRPeBxx
-            e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc
+            Z++g8540vZtB0V2YzKStJJ8LcsU+3j1/+NlUJZamXUGT4AnxH3atWuKqC39CZAU6
-            B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l
+            0iHxKEcHcQYPAmvTqtxTH0ELIaRYBIRlzCs0MVjmmfVyaeJOZGyd32vikQMUCrf/
-            aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv
+            EvThUCnq3+qCNjLlp1tQbLJV4B6ptAuj6uns2Z9Xmj1j4nFgUKvsc1MPnuSQsOnM
-            FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v
+            tLF0qsVvunvLbHXhb/Z4uDaNMst8jWEGhk52QYCZ6pgq1zoN63tOAxD+HK12KSYQ
-            eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK
+            emcDTjGqLTxe2dTiFMHlOkmTk/unEJXI1rJEalBaLqzDFg2tS6I1swQKG115wUfv
-            0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU
+            COHQtmbWmwIMtcl0q/QHfSyc+jPVHoadj6ZZFS1iL9Er/zx1nuD5ybkHntQdO0Gb
-            fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM
+            YwfyLzhFQ4gKgDiXwHdjYmHeDnXI9mrH3Cypcc/I8WV96cMnuKQBrD7V3NKpjFMS
-            cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS
+            CaLMVDQqwMoGi+Xi8Ve5oRCa/qt5UEpL1CZZUxNNE11ggPYI22ecKjegdIlGuWHS
-            WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG
+            WAE4FsZZNLt+RWZxIW0iTP0BzDuCMQFkismL0YyDI18g1dG/sl43+ecd6F9yoWYP
-            HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto=
+            sXjR3gwbASdHHXeYFAxbPX3Q/XT+SQzOAFigPhD0LUFRX2Cf/Q2yu34=
-            =GiUe
+            =FLuF
            -----END PGP MESSAGE-----
          fp: 4095412245b6efc14cf92ca25911def5a4218567
    unencrypted_suffix: _unencrypted
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -0,0 +1,44 @@
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
    ];
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
    project = "malobeo";
    jobset = "infrastructure";
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  boot.loader.systemd-boot.enable = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  services.tor = {
    enable = true;
    client.enable = true;
  };
  # needed for printing drivers
  nixpkgs.config.allowUnfree = true; 
  services.acpid.enable = true;
  networking.hostName = "fanny";
  networking.hostId = "1312acab";
  networking.networkmanager.enable = true;
  virtualisation.vmVariant.virtualisation.graphics = false;
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "23.05"; # Do.. Not.. Change..
 }
--- a/machines/fanny/hardware-configuration.nix
+++ b/machines/fanny/hardware-configuration.nix
@@ -0,0 +1,49 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
 boot.initrd.luks.devices = {
 root = {
 device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
 preLVM = true;
 allowDiscards = true;
 };
 };
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/402B-2026";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/louise/configuration.nix
+++ b/machines/louise/configuration.nix
@@ -67,17 +67,13 @@
  networking.hostName = "louise";
  networking.networkmanager.enable = true;
-  sound.enable = true;
+  security.rtkit.enable = true;
-  hardware.pulseaudio = {
+  services.pipewire = {
    enable = true;
    zeroconf.discovery.enable = true;
    extraConfig = ''
      load-module module-zeroconf-discover
    '';
  };
  services.avahi = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    systemWide = true;
  };
--- a/machines/lucia/configuration.nix
+++ b/machines/lucia/configuration.nix
@@ -14,20 +14,12 @@ in
  services.openssh.enable = true;
  services.openssh.ports = [ 22 ];
-  services.openssh.passwordAuthentication = false;
+  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
  boot.loader.grub.enable = false;
  boot.loader.raspberryPi.enable = false;
  boot.loader.raspberryPi.version = 3;
  boot.loader.raspberryPi.uboot.enable = true;
  boot.loader.raspberryPi.firmwareConfig = ''
    dtparam=audio=on
    hdmi_ignore_edid_audio=1
    audio_pwm_mode=2
  '';
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;
@@ -39,12 +31,8 @@ in
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # hardware audio support:
  sound.enable = true;
  services = {
  dokuwiki.sites."wiki.malobeo.org" = {
    enable = true;
    #acl = "* @ALL 8";  # everyone can edit using this config
@@ -198,7 +186,7 @@ in
  services.avahi = {
    enable = true;
-    nssmdns = true;
+    nssmdns4 = true;
    publish = {
      enable = true;
      addresses = true;
--- a/machines/lucia/secrets.yaml
+++ b/machines/lucia/secrets.yaml
@@ -1,71 +1,81 @@
 hello: ENC[AES256_GCM,data:3VuyuX7MaLSmor4W22F3FUCGp8SUq4pE6z5nuiZenH07+zEeMAllVCP6g/j1fQ==,iv:A3Oh99AchsmrkMEb4ZRSIigb8Cr+3WlQtsgyZJGpLY8=,tag:TOHF9BaydkRD6cJAndryTg==,type:str]
 njala_api_key: ENC[AES256_GCM,data:qXGngMJaAOk2Gb8B4nwMTht9Vp/OEhGmKS5vh1kpi0MyqcsmwuwpWuUz+RWD6NDFn2w/35M=,iv:lsZyCrmcT1xJcLjzK4zkcRYmbKUeLUFYZ7oDfCVJV8c=,tag:WK+aF3XGBRDQuvL87Qdusw==,type:str]
 wireguard_private: ENC[AES256_GCM,data:ZxGbYLQKvrPibLpId+xbvqphlcgm/U5Se9XMS4FogmY4HfJnh9Y4Ja/x20I=,iv:PnZjiyKk1XuIq5/NLtOdWh20ytDEMYM7LJqmCoSrD0s=,tag:CZErG28Lo3aiQGovxEeZtA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age: []
+    age:
-    lastmodified: "2023-10-24T15:09:51Z"
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
    mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
    pgp:
        - created_at: "2023-10-24T14:42:18Z"
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh
            RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5
            NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4
            aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
            f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-14T18:10:54Z"
    mac: ENC[AES256_GCM,data:DPQsRraMAvoezHsA7uM8q8sEevnZRnpU1vydEL72r6KJj12dT58KXCTuUeNgD+320LE1i83k6HLdM9C/+uniu73Ba5JSwglLLDBkZpfsdCde0aqkGjQd/RF/0Vb8ZbE/KCCCMVOjT6hX6RSDSEujoRMY26n1CWYtPeivqpWb5NY=,iv:TarRTCyPRoyQEb3qoXAJcOYtrTtftyZO4ahkyTZT8qU=,tag:A0kqa1szfk6Z5etivjB/lA==,type:str]
    pgp:
        - created_at: "2024-11-14T13:02:46Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T
+            hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3
-            xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw
+            edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv
-            L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ
+            aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI
-            /f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd
+            V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB
-            eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb
+            aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ
-            mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez
+            513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf
-            cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh
+            2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF
-            3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a
+            rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9
-            FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2
+            lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn
-            XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT
+            2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc
-            WxGMHNWqN7NS
+            qkz9uKEGrGjb
-            =XZkW
+            =wPkW
            -----END PGP MESSAGE-----
          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA
+            hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC
-            WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT
+            FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU
-            iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW
+            OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX
-            1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH
+            HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu
-            X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN
+            Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs
-            0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q
+            58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg
-            D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF
+            JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp
-            apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf
+            epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y
-            OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/
+            GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG
-            y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz
+            ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8
-            DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS
+            a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS
-            WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf
+            WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0
-            MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0=
+            m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko=
-            =2A7P
+            =DC78
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO
+            hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL
-            2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU
+            3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB
-            VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA
+            OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg
-            2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464
+            2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN
-            qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL
+            +QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI
-            m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi
+            ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0
-            KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF
+            R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J
-            rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx
+            pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW
-            3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ
+            608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m
-            emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh
+            c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl
-            1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS
+            64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS
-            WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7
+            WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu
-            wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo=
+            8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY=
-            =NnkE
+            =8HBK
            -----END PGP MESSAGE-----
          fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
--- a/machines/moderatio/configuration.nix
+++ b/machines/moderatio/configuration.nix
@@ -1,92 +0,0 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
 {
  services.acpid.enable = true;
  boot.kernelPackages = pkgs.linuxPackages_5_4;
  services.xserver.videoDrivers = [ "intel" ];
  services.xserver.deviceSection = ''
    Option "DRI" "2"
    Option "TearFree" "true"
  '';
  zramSwap.enable = true;
  zramSwap.memoryPercent = 150;
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ./zfs.nix
      ../modules/xserver.nix
      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
    ];
  users.users.malobeo = {
    packages = with pkgs; [
      firefox
      thunderbird
    ];
  };
  networking.hostName = "moderatio"; # Define your hostname.
  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkbOptions in tty.
  # };
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio.enable = true;
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.05"; # Did you read the comment?
 }
--- a/machines/moderatio/zfs.nix
+++ b/machines/moderatio/zfs.nix
@@ -1,34 +0,0 @@
 { config, pkgs, ... }:
 { boot.supportedFilesystems = [ "zfs" ];
  networking.hostId = "ae749b82";
  #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 boot.loader.efi.efiSysMountPoint = "/boot/efi";
 boot.loader.efi.canTouchEfiVariables = false;
 boot.loader.generationsDir.copyKernels = true;
 boot.loader.grub.efiInstallAsRemovable = true;
 boot.loader.grub.enable = true;
 boot.loader.grub.version = 2;
 boot.loader.grub.copyKernels = true;
 boot.loader.grub.efiSupport = true;
 boot.loader.grub.zfsSupport = true;
 boot.loader.grub.extraPrepareConfig = ''
  mkdir -p /boot/efis
  for i in  /boot/efis/*; do mount $i ; done
  mkdir -p /boot/efi
  mount /boot/efi
 '';
 boot.loader.grub.extraInstallCommands = ''
 ESP_MIRROR=$(mktemp -d)
 cp -r /boot/efi/EFI $ESP_MIRROR
 for i in /boot/efis/*; do
 cp -r $ESP_MIRROR/EFI $i
 done
 rm -rf $ESP_MIRROR
 '';
 boot.loader.grub.devices = [
      "/dev/disk/by-id/ata-ST250LT003-9YG14C_W041QXCA"
    ];
 users.users.root.initialHashedPassword = "$6$PmoyhSlGGT6SI0t0$.cFsLyhtO1ks1LUDhLjG0vT44/NjuWCBrv5vUSXqwrU5WpaBvvthnLp0Dfwfyd6Zcdx/4izDcjQAgEWs4QdzW0";
 }
--- a/machines/modules/disko/btrfs-laptop.nix
+++ b/machines/modules/disko/btrfs-laptop.nix
@@ -0,0 +1,63 @@
 { config, self, inputs, ... }:
 {
  imports = [
    inputs.disko.nixosModules.disko
  ];
  # https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        # When using disko-install, we will overwrite this value from the commandline
        device = "/dev/disk/by-id/some-disk-id";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            luks = {
              size = "100%";
              content = {
                type = "luks";
                name = "crypted";
                passwordFile = /tmp/secret.key; # Interactive
                content = {
                  type = "btrfs";
                  extraArgs = [ "-f" ];
                  subvolumes = {
                    "/root" = {
                      mountpoint = "/";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/home" = {
                      mountpoint = "/home";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/nix" = {
                      mountpoint = "/nix";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/swap" = {
                      mountpoint = "/.swapvol";
                      swap.swapfile.size = "20M";
                    };
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/machines/modules/disko/fanny.nix
+++ b/machines/modules/disko/fanny.nix
@@ -0,0 +1,141 @@
 {
  disko.devices = {
    disk = {
      ssd = {
        type = "disk";
        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1024M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
      hdd0 = {
        type = "disk";
        device = "/dev/sdb";
        content = {
          type = "gpt";
          partitions = {
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "storage";
              };
            };
          };
        };
      };
      hdd1 = {
        type = "disk";
        device = "/dev/sdc";
        content = {
          type = "gpt";
          partitions = {
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "storage";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        mode = "";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        rootFsOptions = {
          compression = "zstd";
          "com.sun:auto-snapshot" = "false";
        };
        datasets = {
          encrypted = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              keylocation = "file:///tmp/root.key";
            };
            # use this to read the key during boot
            postCreateHook = ''
              zfs set keylocation="prompt" "zroot/$name";
            '';
          };
          "encrypted/root" = {
            type = "zfs_fs";
            mountpoint = "/";
          };
          "encrypted/var" = {
            type = "zfs_fs";
            mountpoint = "/var";
          };
          "encrypted/etc" = {
            type = "zfs_fs";
            mountpoint = "/etc";
          };
          "encrypted/home" = {
            type = "zfs_fs";
            mountpoint = "/home";
          };
          "encrypted/nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
          };
        };
      };
      storage = {
        type = "zpool";
        mode = "mirror";
        datasets = {
          encrypted = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              keylocation = "file:///tmp/storage.key";
            };
            # use this to read the key during boot
            postCreateHook = ''
              zfs set keylocation="prompt" "zroot/$name";
            '';
          };
          "encrypted/data" = {
            type = "zfs_fs";
            mountpoint = "/data";
          };
        };
      };
    };
  };
 }
--- a/machines/modules/malobeo/microvm_host.nix
+++ b/machines/modules/malobeo/microvm_host.nix
@@ -0,0 +1,119 @@
 { config, self, lib, inputs, options, pkgs, ... }:
 with lib;
 let
  cfg = config.services.malobeo.microvm;
 in
 {
  options = {
    services.malobeo.microvm = {
      enableHostBridge = mkOption {
        default = false;
        type = types.bool;
        description = lib.mdDoc "Setup bridge device for microvms.";
      };
      enableHostBridgeUnstable = mkOption {
        default = false;
        type = types.bool;
        description = lib.mdDoc "Setup bridge device for microvms.";
      };
      deployHosts = mkOption {
        default = [];
        type = types.listOf types.str;
        description = ''
          List hostnames of MicroVMs that should be automatically initializes and autostart
        '';
      };
    };
  };
  imports = [
    inputs.microvm.nixosModules.host
  ];
  config = { 
    assertions = [
      {
        assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge);
        message = ''
          Only enableHostBridge or enableHostBridgeUnstable! Not Both!
        '';
      }
    ];
    systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
      enable = true;
      # create a bride device that all the microvms will be connected to
      netdevs."10-microvm".netdevConfig = {
        Kind = "bridge";
        Name = "microvm";
      };
      networks."10-microvm" = {
        matchConfig.Name = "microvm";
        networkConfig = {
          DHCPServer = true;
          IPv6SendRA = true;
        };
        addresses = if cfg.enableHostBridgeUnstable then [
          { Address = "10.0.0.1/24"; }
        ] else [
          { addressConfig.Address = "10.0.0.1/24"; }
        ];
      };
      # connect the vms to the bridge
      networks."11-microvm" = {
        matchConfig.Name = "vm-*";
        networkConfig.Bridge = "microvm";
      };
    }; 
    microvm.vms = 
    let
      # Map the values to each hostname to then generate an Attrset using listToAttrs
      mapperFunc = name: { inherit name; value = {
          # Host build-time reference to where the MicroVM NixOS is defined
          # under nixosConfigurations
          flake = inputs.malobeo; 
          # Specify from where to let `microvm -u` update later on
          updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure";
        }; };
    in
    builtins.listToAttrs (map mapperFunc cfg.deployHosts);
    systemd.services = builtins.foldl' (services: name: services // {
      "microvm-update@${name}" = {
        description = "Update MicroVMs automatically";
        after = [ "network-online.target" ];
        wants = [ "network-online.target" ];
        unitConfig.ConditionPathExists = "/var/lib/microvms/${name}";
        serviceConfig = {
          LimitNOFILE = "1048576";
          Type = "oneshot";
        };
        path = with pkgs; [ nix git ];
        environment.HOME = config.users.users.root.home;
        script = ''
          /run/current-system/sw/bin/microvm -Ru ${name}
        '';
      };
    }) {} (cfg.deployHosts);
    systemd.timers = builtins.foldl' (timers: name: timers // {
    "microvm-update-${name}" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        Unit = "microvm-update@${name}.service";
        # three times per hour
        OnCalendar = "*:0,20,40:00";
        Persistent = true;
      };
    };
  }) {} (cfg.deployHosts);
  };
 }
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -0,0 +1,24 @@
 {
  "vpn" = {
    role = "server";
    publicIp = "5.9.153.217";
    ips = [ "10.100.0.1/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    listenPort = 51821;
    publicKey = "";
  };
  "fanny" = {
    role = "client";
    ips = [ "10.100.0.2/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    publicKey = "";
  };
  "test" = {
    role = "client";
    ips = [ "10.100.0.3/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    publicKey = "";
  };
 }
--- a/machines/modules/malobeo/wireguard.nix
+++ b/machines/modules/malobeo/wireguard.nix
@@ -0,0 +1,85 @@
 { config, self, lib, inputs, options, pkgs, ... }:
 with lib;
 let
  cfg = config.services.malobeo.vpn;
  peers = import ./peers.nix;
  myPeer = peers.${cfg.name};
  peerList = builtins.filter (peer: peer.role != myPeer.role) (builtins.attrValues peers);
  peerListWithEndpoint = map (host:
    if host.role == "server" then
      host // { endpoint = "${host.publicIp}:${builtins.toString host.listenPort}"; }
    else
      host
  ) peerList;
  filteredPeerlist = map (host: builtins.removeAttrs host [ "role" "ips" "listenPort" "publicIp" ] ) peerListWithEndpoint;
 in
 {
  options = {
    services.malobeo.vpn = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = lib.mdDoc "Setup wireguard to access malobeo maintainance vpn";
      };
      name = mkOption {
        default = "";
        type = types.str;
        description = ''
          Name of the host in peers.nix
        '';
      };
      privateKey = mkOption {
        default = "";
        type = types.str;
        description = ''
          Path to private key
        '';
      };
    };
  };
  imports = [
    inputs.microvm.nixosModules.host
  ];
  config = mkIf cfg.enable { 
    assertions = [
      #{
      #  assertion = !(myPeer != "client" && cfg.role != "server");
      #  message = ''
      #    VPN Role must be either client or server, nothing else!
      #  '';
      #}
    ];
    networking.wireguard = {
      enable = true;
      interfaces = {
        wg0 = {
          ips = myPeer.ips;
          listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
          postSetup = mkIf (myPeer.role == "server") ''
            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
          '';
          # This undoes the above command
          postShutdown = mkIf (myPeer.role == "server") ''
            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
          '';
          privateKey = cfg.privateKey;
          peers = filteredPeerlist;
        };
      };
    };
  };
 }
--- a/machines/modules/sshd.nix
+++ b/machines/modules/sshd.nix
@@ -6,7 +6,7 @@ in
 {
  services.openssh.enable = true;
  services.openssh.ports = [ 22 ];
-  services.openssh.passwordAuthentication = false;
+  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.PermitRootLogin = "no";
  users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
 }
--- a/machines/modules/xserver.nix
+++ b/machines/modules/xserver.nix
@@ -7,7 +7,6 @@
      xterm.enable = false;
      cinnamon.enable = true;
    };
    displayManager.defaultSession = "cinnamon";
  };
  services.displayManager.defaultSession = "cinnamon";
 }
--- a/machines/secrets/keys/wireguard/private.key
+++ b/machines/secrets/keys/wireguard/private.key
@@ -0,0 +1,31 @@
 {
 	"data": "ENC[AES256_GCM,data:MJnybSouJW9QcWks/6fBgYXhM1zREa76FDVh0vGF9LwffY4ceLMQpOsFXEN7,iv:z0H0r6VSXy92uiS9bGXL5KxqiA3jqAiAgAH5KMxppsE=,tag:RKwFFHgv+tnIlKRTyV68Ww==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRlRzcldvSVkxV3VSeDBF\nRG9KK2NzYmtPWXE3a1JPN3NMRlJtbnJML0hzCmNTT0JFMTR6SDl0WVNBNk50VmdZ\nYi9pQU9FQW9qQ3NZdTM5T3FDcjNUQXMKLS0tIEpBcFhtbFMrbWlRYVdPSXpYM0xp\neW5MZ3dOYmphYXk2Tjh2Rk8xOGRkSGMKOLVuj75jqZeZ0SS1iHDRLONLbJ/UQXfO\nEN1ZhYXq7u5s+wKidmGoFVHWFAxM0O3kXaAQAHws4ttP0v6YqeSuBg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-14T18:24:30Z",
 		"mac": "ENC[AES256_GCM,data:1sVhca19IbHJUv+qfkn+cJXjYIaXLX12S9N3QvDUoeUSTT4m2GxArKjvKJSpmc3KZCbOwpF1TObHjDs88pqsCxkzl7J9TSu4EgESRfSUy0lRhIveN/38wvEGI/0yNZXwFisB0nNpPbwAUp4JUZnfcqihlDINbVCw7mzVShHlnvU=,iv:J7/9uhlisRJUkqEFeO9aBRX5rgv0392DCuF5Yu1a5gI=,tag:sd0eoBkxns2pitnMZWvPzQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-11-14T18:24:30Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/cFzlEwHCdmrKutzeJHOVANtF93aunkV89avpcjNtxjKJ\nzWeDrxZPIhApRsS0Q5kvuYbplwJbDPDbQlDeRsAzZbGVzXisDEYVSLbSEDX253fV\npDoD3MdBU/syMus0x7gSulT288Ije5lY76kBoqrzzsDG1RbHHeQMBP4hrLrFdQhh\nlCtjXJHMPlxR+bsTLhmKFUl6UWA22QeevhIU2VSTU7ROgcE6qRAknJLVVhTBhHmB\nkm2JpTQuM6Vhq+zIYDgLegV2fOiOW9O6ONsUt5N/jQYFSj2T4WL5Wnix/bxVg6vL\nkAto2cO1GsRBRH994AUWq4h5dwYWUCafYkXMILCQmMy81YftAPiAoCTUBsc6DSJ1\nV+gr4G3wLetwY2DdM8HN2Cru49PI923aOtKztjX8+r/w22RZl99INY5F/RP6NAYA\nLCEdw9LlW6Ctct1B6JU+JlCdJ/FW2Q9RMazw9wF4ZCg0AfqC/tLW9ETZF0cRYmA5\nH9LJJIxjNyizlGoJ7p780lgBDNBJD2v3ST5ESJ9TctQLS2XBWHtgskW1rPaCxrVX\nrgE/0PUnqxofOLofu4ktKOxtutYOqyVeP6Tvr0TLLEjwikgZ92LxqMx5dW6h46rL\nUjGuKKBz7FyA\n=UMiq\n-----END PGP MESSAGE-----",
 				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
 			},
 			{
 				"created_at": "2024-11-14T18:24:30Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//eu/1ioAXlJ2Po2xQ8xQ4HYTQqsMF0lWijN3kv4cH1w+W\nvnQRjB86do4L4DnZz66DDbjHClauLNeuDkYL1ejvetMtENp7KKT8LRJCH4X53eko\ngw6xAYXA8X6e3shM6eFOYIW97pbGQSlfzuh7IbAPZjEuV2ov67sxmWkd9ZJPxw+E\nn2dd/mxw96NM76o8WclwL/W1qrrIqydCJiBtqL09I2z9j9bJ4AxMWTB0kjpJZK4U\nNo5Hk6OwL3C6a3q0xfO0DIb3fy5O7VSwl7AuiRjGxclqy4mH+L9DBS0ONMjguTlo\n+yGZoJi7vaWNvVVW0U9RBEJyCjX6iYje5/gWlWXaMlyIubuOGFy5iXQOSMXk6589\niNcz+ouGAvK6Jy19zo+SQtvmUki+SSRGEzUbx85R13Hz3E5TTlq7wONsgZE4EqqM\ny/6OMCGOvHOzJyWMdKCJ+7DzWzKyQNGWco57hczX74iPGhlH7XfNa3Q0292qziT5\nVFnONWGgN7PLa6rJXOAsxPNlgH5Qbdi2XBgBso8rlAYUXTmKtK/5cDN3rDtRbzgX\nVDu64snQJvGOEKwgv/UXybMRe8OocuCW6zFQDjJMaRtEsg2LP2FjVaYzLhDyuDJ6\ntAIoxWMaMSxgGJkd/E45dOQq/oWBVTFKD8ECGORNOy4RCUMs2LHDbhesvo/PzvbS\nWAFsQZCvjXPe+YZmIuMt7MfgX8d/NhGTtGOaNfX3D+orBuhzWmIAAvlAwMrxorFb\ngayWLO7mYRDUw45uudFzJYql+QLGuvcrFP5BYjY5wk17u6cYYQzlNxs=\n=Qlcg\n-----END PGP MESSAGE-----",
 				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
 }
--- a/machines/ssh_keys.nix
+++ b/machines/ssh_keys.nix
@@ -3,5 +3,6 @@
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de"
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxgcjNOYbza3+RfANFDXy7HXNRFlkpDOAcGyB7MKshiVlbPByWRSjfZa0BeRNjpeCd8QkIodKUzqYOCOrc8ad3kiNbdLRcDz57A5xSLD3ynakoWJo0AmJjT3Ta1JJj8inNwwykR0ig5//SrtsZb9HkWJDAF017MokM2r8AWPE1QzcQdh93kojXcgTHrJHzEqgKbEGDEk37f1RvZG4umEFeqdK2FvS5isPa7P9X7hyyoDC8bvEy7xfaDrToJAoXon6r79taxH8UWIvy//xsU0NBLYK2eE4RQe2AjF6Ri+CybI6y1SsHOvyh4nNKWlfUOEL6UnIulRn/LXFOKCJi7xuoTeJXS0+w1DNEuiGosVNXPSKbUm/eDBVnb8Iyep9wmygSZayN82xL5lRlG3Mn45ttecqfm2SJkmduBA5qXcTdDPe/lXTZaVO9tbiIcJfUgd3ttEu2+6YjLn74D965PlovzvR6EhbVUZ8IkOAt4VmuTkXIdm8SCS7jzhsiKeUXoZ4rfa375zi79SIPuIkoMasj6d16wcYOeFIUIMFFccfQ9jQjr9NTSXC2dd7sfbI9I9mF7eRQSsUdSwpP8WH1b+M1MxTbdhEUdPwpOLviTTIuk8E8K8DQDZIcOOh38mCDpyoh02nwfRxlyoYVsKAHIQH02dHTvYEa3/pMsRwGc9W1Ow== kalipso@desktop"
   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
 ];
 }
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
@@ -0,0 +1,28 @@
 { config, lib, pkgs, inputs, ... }:
 with lib;
 {
  #sops.defaultSopsFile = ./secrets.yaml;
  networking = {
    hostName = mkDefault "vpn";
    useDHCP = false;
    nameservers = [ "1.1.1.1" ];
  };
  imports = [
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    ../modules/minimal_tools.nix
  ];
  services.malobeo.vpn = {
    enable = true;
    name = "vpn";
    privateKey = "somepath";
  };
  system.stateVersion = "22.11"; # Did you read the comment?
 }
--- a/machines/vpn/wireguard.nix
+++ b/machines/vpn/wireguard.nix
@@ -0,0 +1,73 @@
 {config, pkgs, ...}:
 {
  sops.secrets.wireguard_private = {};
  # enable NAT
  networking.nat.enable = true;
  networking.nat.externalInterface = "eth0";
  networking.nat.internalInterfaces = [ "wg0" ];
  networking.firewall = {
    allowedUDPPorts = [ 51820 ];
  };
  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
    # "wg0" is the network interface name. You can name the interface arbitrarily.
    wg0 = {
      # Determines the IP address and subnet of the server's end of the tunnel interface.
      ips = [ "10.100.0.1/24" ];
      # The port that WireGuard listens to. Must be accessible by the client.
      listenPort = 51820;
      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
      postSetup = ''
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
      '';
      # This undoes the above command
      postShutdown = ''
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
      '';
      # Path to the private key file.
      #
      # Note: The private key can also be included inline via the privateKey option,
      # but this makes the private key world-readable; thus, using privateKeyFile is
      # recommended.
      privateKey = config.sops.secrets.wireguard_private.path;
      peers = [
        # List of allowed peers.
        { # Feel free to give a meaningfull name
          # Public key of the peer (not a file path).
          publicKey = "SfokXbgmvSmodgPFoVHjwmHE3nriQ3OTQ+hISU/3eW4=";
          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
          allowedIPs = [ "10.100.0.2/32" ];
        }
      ];
    };
  };
  #sops.secrets.wireguard_host = {};
  #sops.secrets.mullvad_secret = {};
  #networking.wg-quick.interfaces = {
  #  wg0 = {
  #    address = [ "50.100.0.2/24" ];
  #    privateKeyFile = "/home/kalipso/.config/wireguard-keys/private";
  #    peers = [
  #      {
  #        publicKey = "Anme1N482rGSZ14wqtZQbzUHvX4oFhoVct0d187H0iM=";
  #        allowedIPs = [ "50.100.0.0/24" ];
  #        endpoint = "5.9.153.217:51820";
  #      }
  #    ];
  #  };
 }
--- a/outputs.nix
+++ b/outputs.nix
@@ -4,6 +4,7 @@
 , nixpkgs-unstable
 , nixos-generators
 , sops-nix
 , microvm
 , ...
 } @inputs:
@@ -15,15 +16,107 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
    pkgs = nixpkgs.legacyPackages."${system}";
  in
  {
-    devShells.default = pkgs.callPackage ./shell.nix {
+    devShells.default =
-      inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
+    let
      sops = sops-nix.packages."${pkgs.system}";
      microvmpkg = microvm.packages."${pkgs.system}";
    in
    pkgs.mkShell {
      sopsPGPKeyDirs = [
        "./machines/secrets/keys/hosts"
        "./machines/secrets/keys/users"
      ];
      nativeBuildInputs = [
        sops.ssh-to-pgp
        sops.sops-import-keys-hook
        sops.sops-init-gpg-key
        pkgs.sops
        pkgs.age
        pkgs.python310Packages.grip
        pkgs.mdbook
        microvmpkg.microvm
      ];
    };
    packages = {
      docs = pkgs.stdenv.mkDerivation {
        name = "malobeo-docs";
        phases = [ "buildPhase" ];
        buildInputs = [ pkgs.mdbook ];
        inputs = pkgs.lib.sourceFilesBySuffices ./doc/. [ ".md" ".toml" ];
        buildPhase = ''
          dest=$out/share/doc
          mkdir -p $dest
          cp -r --no-preserve=all $inputs/* ./
          mdbook build
          ls
          cp -r ./book/* $dest
        '';
      };
    } //
    builtins.foldl'
    (result: host:
      let
        inherit (self.nixosConfigurations.${host}) config;
      in
      result // {
        # boot any machine in a microvm
        "${host}-vm" = (self.nixosConfigurations.${host}.extendModules {
          modules = [{
            microvm = {
              mem = pkgs.lib.mkForce 4096;
              hypervisor = pkgs.lib.mkForce "qemu";
              socket = pkgs.lib.mkForce null;
              shares = pkgs.lib.mkForce [{
                tag = "ro-store";
                source = "/nix/store";
                mountPoint = "/nix/.ro-store";
              }];
              interfaces = pkgs.lib.mkForce [{
                type = "user";
                id = "eth0";
                mac = "02:23:de:ad:be:ef";
              }];
            };
            boot.isContainer = pkgs.lib.mkForce false;
            users.users.root.password = "";
            fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
            services.getty.helpLine = ''
              Log in as "root" with an empty password.
              Use "reboot" to shut qemu down.
            '';
          }] ++ pkgs.lib.optionals (! config ? microvm) [
            microvm.nixosModules.microvm
          ];
        }).config.microvm.declaredRunner;
    })
    { }
    (builtins.attrNames self.nixosConfigurations);
    apps = {
      docs = {
        type = "app";
        program = builtins.toString (pkgs.writeShellScript "docs" ''
          ${pkgs.mdbook}/bin/mdbook serve --open ./doc
        '');
      };
    };
  })) // rec {
    nixosConfigurations = import ./machines/configuration.nix (inputs // {
      inherit inputs;
      self = self;
    });
-    nixosModules.malobeo = import ./machines/durruti/host_config.nix;
+    nixosModules.malobeo.imports = [
      ./machines/durruti/host_config.nix
      ./machines/modules/malobeo/microvm_host.nix
      ./machines/modules/malobeo/wireguard.nix
    ];
    hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
      let
--- a/shell.nix
+++ b/shell.nix
@@ -1,22 +0,0 @@
 { mkShell
 , sops-import-keys-hook
 , ssh-to-pgp
 , sops-init-gpg-key
 , sops
 , pkgs
 }:
 mkShell {
  sopsPGPKeyDirs = [
    "./machines/secrets/keys/hosts"
    "./machines/secrets/keys/users"
  ];
  nativeBuildInputs = [
    ssh-to-pgp
    sops-import-keys-hook
    sops-init-gpg-key
    sops
    pkgs.python310Packages.grip
  ];
 }
Author	SHA1	Message	Date
kalipso	f44205921c	[lucia] rm wireguard cfg All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m39s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m47s Details	2024-12-16 22:01:04 +01:00
kalipso	17d2eeedc4	[vpn] init	2024-12-16 22:00:52 +01:00
kalipso	2d198600c9	[modules] add missing import	2024-12-16 22:00:20 +01:00
kalipso	69ea381036	[modules] init vpn	2024-12-16 22:00:05 +01:00
ahtlon	96e48dc35e	forgot a line	2024-12-16 20:32:37 +01:00
ahtlon	0954c1f5e1	Documentation for wireguard key creation	2024-12-16 20:32:31 +01:00
ahtlon	5653c38d6a	add secrets	2024-12-16 20:23:04 +01:00
ahtlon	2350272185	add wireguard module from wiki and prepare sops	2024-12-16 20:23:04 +01:00
kalipso	9cc3912cbe	[nixpkgs] 24.05 -> 24.11 All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m31s Details	2024-12-13 14:10:43 +01:00
kalipso	3cfd0a2283	[machines] switch PulseAudio to Pipewire	2024-12-13 14:08:51 +01:00
kalipso	b57827c86e	[lucia] rm deprecated boot.loader.raspberryPi needs to be fixed still according to https://github.com/NixOS/nixpkgs/pull/241534	2024-12-13 14:08:51 +01:00
kalipso	5119209392	[machines] remove sound.enable = true;	2024-12-13 14:08:51 +01:00
kalipso	1ff2f2b4ca	[nixpkgs] 24.05 -> 24.11	2024-12-13 14:08:49 +01:00
kalipso	34c008c05b	[docs] add local persistent microvm usage All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m39s Details	2024-12-11 12:52:55 +01:00
kalipso	40f3ce8522	[nix] output vm packages for each host this now runs any host as microvm. it removes shared directories for microvms so no manuall setup is needed (expect you want persistence). i took it from c3d2, thanks guys for the inspiration <3 https://gitea.c3d2.de/c3d2/nix-config/src/branch/master/packages.nix	2024-12-11 12:36:59 +01:00
kalipso	72ab98e6b7	[nixpkgs] update microvm All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m31s Details	2024-12-11 12:06:50 +01:00
kalipso	2458a275ca	[microvms] fix #39 Microvms are not persistent	2024-12-11 12:06:50 +01:00
kalipso	307e68a1ca	[nix] fix devshell	2024-12-11 12:06:50 +01:00
kalipso	62afc684db	[doc] add basic microvm documentation	2024-12-11 12:06:50 +01:00
kalipso	73893438cb	[docs] add vmWithDisko documentation All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m2s Details	2024-12-11 11:56:55 +01:00
kalipso	6932f8507a	[fanny] setup disko drive layout	2024-12-11 11:56:41 +01:00
kalipso	59e10c3eea	[fanny] init All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m32s Details	2024-12-10 17:27:14 +01:00
kalipso	551b07375b	[docs] WIP add host creation using disko All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 6m16s Details	2024-12-03 00:08:42 +01:00
kalipso	42f83603df	[bakunin] ignore hardware conf till we generated proper one All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m29s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m17s Details	2024-11-26 14:08:13 +01:00
kalipso	c0207dad33	[nixpkgs] fix typo All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m50s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m26s Details	2024-11-26 13:22:52 +01:00
kalipso	f61ea6ce5c	[bakunin] add disko device Some checks failed Evaluate Hydra Jobs / eval-hydra-jobs (push) Failing after 1m4s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Failing after 50s Details	2024-11-26 13:14:36 +01:00
kalipso	cfdbb58663	[bakunin] init	2024-11-26 13:02:44 +01:00
kalipso	b39a9398f0	[microvm] fix typo All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m25s Details	2024-11-26 12:58:45 +01:00
kalipso	ad2edf017a	[nixpkgs] update All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m36s Details	2024-11-23 12:54:59 +01:00
kalipso	f922105b2f	[durruti] disable ep3bs All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m48s Details its not used yet anyways	2024-11-23 12:51:03 +01:00
kalipso	e759346756	[durruti] disable autoupdate microvms get updated by the host	2024-11-23 12:50:36 +01:00
kalipso	e5e3433df0	[microvm] automatic update from master every 20mins All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m47s Details	2024-11-23 12:30:29 +01:00
kalipso	c54d27bceb	[microvm] update flake from master All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m55s Details	2024-11-21 16:40:56 +01:00
kalipso	9a3135d339	[readme] rm durruti ip All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m57s Details	2024-11-21 16:19:03 +01:00
kalipso	054076e683	Merge remote-tracking branch 'origin' into documentation All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m20s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m51s Details	2024-11-21 16:09:04 +01:00
kalipso	d212728676	[microvm] differentiate between stable and unstable nixpkgs Some checks failed Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Failing after 14m32s Details	2024-11-21 16:07:42 +01:00
kalipso	28bf68098c	[microvm] Fix conditionals within module finally i hope....	2024-11-21 16:07:42 +01:00
kalipso	2961a96860	[microvm] mv mkIf down one layer	2024-11-21 16:07:42 +01:00
kalipso	7d825731bd	[docs] update microvm docu	2024-11-21 16:07:42 +01:00
kalipso	3fe5b8da20	[microvm] separate enableHostBridge from deployHosts	2024-11-21 16:07:42 +01:00
kalipso	1bafdec4ab	[microvm] fix errors within module still checking if list is empty does not work as expected -.-	2024-11-21 16:07:42 +01:00
kalipso	7b1bce6dc8	[microvm] fix type	2024-11-21 16:07:42 +01:00
kalipso	02c1e307ed	[microvm] fix comparision	2024-11-21 16:07:42 +01:00
kalipso	26cc4b245e	[microvm] add microvm deployment option to host	2024-11-21 16:07:42 +01:00
kalipso	d6d449d1d8	[doc] add basic microvm documentation	2024-11-21 16:07:42 +01:00
kalipso	af881b8996	[docs] fix docs app exec format error	2024-11-21 16:07:42 +01:00
kalipso	d2e97448f7	[microvm] differentiate between stable and unstable nixpkgs All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m47s Details	2024-11-21 15:59:00 +01:00
kalipso	84fef37dc7	[microvm] Fix conditionals within module finally i hope....	2024-11-21 15:59:00 +01:00
kalipso	bdd13a204f	[microvm] mv mkIf down one layer	2024-11-21 15:59:00 +01:00
kalipso	d0ed65d13a	[docs] update microvm docu	2024-11-21 15:59:00 +01:00
kalipso	873a4f3831	[microvm] separate enableHostBridge from deployHosts	2024-11-21 15:59:00 +01:00
kalipso	64dbe6bb84	[microvm] fix errors within module still checking if list is empty does not work as expected -.-	2024-11-21 15:59:00 +01:00
kalipso	ca8e0cffda	[microvm] fix type	2024-11-21 15:59:00 +01:00
kalipso	1dc140ad9f	[microvm] fix comparision	2024-11-21 15:59:00 +01:00
kalipso	3f4c7350c2	[microvm] add microvm deployment option to host	2024-11-21 15:59:00 +01:00
kalipso	efffa450d4	[microvm] share read only nix store this reduces build times drastically	2024-11-21 15:59:00 +01:00
kalipso	dbdf817d79	[doc] add basic microvm documentation	2024-11-21 15:59:00 +01:00
kalipso	2cdfe8c999	[docs] fix docs app exec format error	2024-11-21 15:59:00 +01:00
kalipso	03f03e86e4	[microvm] put vm creation into function	2024-11-21 15:59:00 +01:00
kalipso	1aeb1c2ab9	[microvm] rm duplicate option	2024-11-21 15:59:00 +01:00
kalipso	d012f7cb5a	[microvm] split module files	2024-11-21 15:59:00 +01:00
kalipso	5498418d06	[microvm] setup network, allow adding bridge interface to host	2024-11-21 15:59:00 +01:00
kalipso	ee7ee52c3f	[durruti] make durruti microvm Networking still needs to be done but the vm boots using ```nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner```	2024-11-21 15:59:00 +01:00
kalipso	f91e515ce2	[nixpkgs] add microvm.nix	2024-11-21 15:59:00 +01:00
kalipso	370d975dbb	[durruti] add docs.malobeo.org to host_config All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m7s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 4m7s Details	2024-11-19 15:23:07 +01:00
kalipso	048e0653a5	[durruti] serve docs on port 9000 All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m45s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m35s Details	2024-11-19 15:17:28 +01:00
kalipso	b9cddb0bae	[microvm] share read only nix store this reduces build times drastically	2024-11-19 15:10:13 +01:00
kalipso	05087d9fa6	[durruti] WIP add documentation.nix	2024-11-19 14:11:54 +01:00
ahtlon	47d386d81a	Fix docs about updating keys	2024-11-19 14:11:54 +01:00
ahtlon	3f469c09f0	Add documentation describing how to add keys to sops	2024-11-19 14:11:54 +01:00
kalipso	65f9fda381	[sops] updatekeys for ahtlon	2024-11-19 14:11:54 +01:00
ahtlon	73e3742af5	Add atlan's sops and ssh pubkeys	2024-11-19 14:11:54 +01:00
kalipso	63c36f6add	[microvm] put vm creation into function All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m14s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m44s Details	2024-11-19 13:31:09 +01:00
kalipso	be194e4293	[microvm] rm duplicate option Some checks failed Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m39s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Failing after 13m12s Details	2024-11-19 13:03:47 +01:00
kalipso	edb9dcb28b	[microvm] split module files All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m0s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 4m10s Details	2024-11-19 12:59:11 +01:00
kalipso	05ec7004ad	[microvm] setup network, allow adding bridge interface to host All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m19s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m20s Details	2024-11-18 22:55:03 +01:00
Ahtlon	a71061e24e	Merge pull request 'Add atlan's sops and ssh pubkeys' (#27 ) from sops into master All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m51s Details Reviewed-on: #27	2024-11-14 18:36:21 +01:00
ahtlon	b3d74f5f39	Fix docs about updating keys All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m5s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m33s Details	2024-11-14 18:31:36 +01:00
ahtlon	3cb8423485	Add documentation describing how to add keys to sops	2024-11-14 17:56:56 +01:00
kalipso	d1afbe9f14	[durruti] make durruti microvm All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m18s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 2m56s Details Networking still needs to be done but the vm boots using ```nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner```	2024-11-14 14:37:02 +01:00
kalipso	807d2007fa	[nixpkgs] add microvm.nix	2024-11-14 14:36:32 +01:00
kalipso	88dad0193b	[sops] updatekeys for ahtlon All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m14s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m18s Details	2024-11-14 14:03:42 +01:00
ahtlon	2a66f7ae29	Add atlan's sops and ssh pubkeys All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m52s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m1s Details	2024-11-13 20:58:58 +01:00
kalipso	29567efb99	[nixpkgs] update All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m46s Details	2024-11-08 11:59:53 +01:00
kalipso	ca4db0ad5c	Revert "[doc] Init dokumentation mit mdbook + grobes inhaltsverzeichnis" All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m29s Details This reverts commit `753c44a875`.	2024-10-29 18:20:45 +01:00
ahtlon	753c44a875	[doc] Init dokumentation mit mdbook + grobes inhaltsverzeichnis All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m51s Details	2024-10-29 18:16:37 +01:00
Ahtlon	0eeb9bc131	doc/src/SUMMARY.md aktualisiert	2024-10-29 18:16:37 +01:00
Ahtlon	142277879a	Added temporary information about website host	2024-10-29 18:16:37 +01:00
ahtlon	4ecd2139a9	todo bearbeitet	2024-10-29 18:16:37 +01:00
kalipso	e73105bc66	[doc] add app doc to serve doc 'nix run .#doc' will open documentaion in browser and update on filechange	2024-10-29 18:16:37 +01:00
kalipso	38a7d58ef6	[doc] add doc package this can be used for hosting later on	2024-10-29 18:16:37 +01:00
kalipso	6a185a54bc	[doc] mv files into /doc	2024-10-29 18:16:37 +01:00
ahtlon	4334f6bec2	[doc] Todo aus readme verschieben	2024-10-29 18:16:37 +01:00
ahtlon	fad4f72c0b	[doc] Init leere seiten	2024-10-29 18:16:37 +01:00
ahtlon	8e0f846e54	[doc] Init dokumentation mit mdbook + grobes inhaltsverzeichnis	2024-10-29 18:16:35 +01:00
kalipso	29fa4eda1e	[nixpkgs] update All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 4m18s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m28s Details	2024-10-29 10:59:07 +01:00
ahtlon	e57cc9dbe6	moderatio entfernt All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 2m25s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m38s Details	2024-10-26 20:37:04 +02:00
ahtlon	2da812fecd	mehrere warnungen gefixt	2024-10-26 20:31:54 +02:00
ahtlon	8ff71f14dc	add direnv to gitignore All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m53s Details	2024-10-26 20:19:03 +02:00