[nextcloud module] add wrapper example

Fix #67
[nextcloud] add some attributes
2025-01-29 11:20:12 +01:00 · 2025-01-28 12:19:53 +01:00 · 2025-01-25 01:21:05 +01:00 · 2025-01-24 18:56:20 +01:00 · 2025-01-24 18:42:31 +01:00 · 2025-01-24 18:30:51 +01:00
80 changed files with 28702 additions and 584 deletions
--- a/.gitea/workflows/eval-hydra-jobs.yml
+++ b/.gitea/workflows/eval-hydra-jobs.yml
@@ -1,9 +1,8 @@
-name: "Evaluate Hydra Jobs"
+name: "Check flake syntax"
 on:
-  pull_request:
  push:
 jobs:
-  eval-hydra-jobs:
+  flake-check:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
@@ -11,5 +10,5 @@ jobs:
      run: |
        apt update -y
        apt install sudo -y        
-    - uses: cachix/install-nix-action@v27
-    - run: nix eval --no-update-lock-file --accept-flake-config .\#hydraJobs
+    - uses: cachix/install-nix-action@v30
+    - run: nix flake check --no-update-lock-file --accept-flake-config .
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@
 result
 *.qcow2
 .direnv/
+book/
+fanny-efi-vars.fd
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ the file structure is based on this [blog post](https://samleathers.com/posts/20

 #### durruti
 - nixos-container running on dedicated hetzner server
- login via ```ssh -p 222 malobeo@5.9.153.217```
+- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
 - if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
 - currently is running tasklist in detached tmux session
  - [x] make module with systemd service out of that
@@ -98,34 +98,3 @@ for documentation we currently just use README.md files.

 the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
 the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.
-
-## todos...
-
-#### infrastructure
-* [ ] host a local wiki with public available information about the space, for example:
-  * [ ] how to use coffe machine
-  * [ ] how to turn on/off electricity
-  * [ ] how to use beamer
-  * [ ] how to buecher ausleihen
-  * ...
-* [x] host some pad (codimd aka hedgedoc)
-* [ ] some network fileshare for storing the movies and streaming them within the network
-* [x] malobeo network infrastructure rework
-  * [x] request mulvad acc
-  * [x] remove freifunk, use openwrt with mulvad configured
-* [ ] evaluate imposing solutions
-    * [ ] pdfarranger
-
-#### external services
-we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
- [x] analyse best way to include our stuff into external nixOs server
-  - [x] writing some module that is included by the server
-  - [x] directly use nixOs container on host
-  - [x] combination of both (module that manages nginx blabla + nixOs container for the services
-
-#### bots&progrmaming
-* [ ] create telegram bot automatically posting tuesday events
-* [x] create webapp/interface replacing current task list pad
-  * could be a simple form for every tuesday
-  * [x] element bot should send updates if some tasks are not filled out
-
--- a/doc/.gitignore
+++ b/doc/.gitignore
@@ -0,0 +1 @@
+book
--- a/doc/book.toml
+++ b/doc/book.toml
@@ -0,0 +1,6 @@
+[book]
+authors = ["ahtlon"]
+language = "de"
+multilingual = false
+src = "src"
+title = "Malobeo Infrastruktur Dokumentation"
--- a/doc/src/Index.md
+++ b/doc/src/Index.md
@@ -0,0 +1,82 @@
+# malobeo infrastructure
+
+this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
+
+the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html)
+
+### deploying configuration
+#### local deployment
+``` shell
+nixos-rebuild switch --use-remote-sudo
+```
+
+#### remote deployment
+you need the hostname and ip address of the host:
+``` shell
+ nixos-rebuild switch --flake .#<hostname> --target-host root@<ip_address> --build-host localhost
+```
+
+in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources
+
+
+## development
+
+### requirements
+we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf*
+``` nix
+nix.extraOptions = ''
+  experimental-features = nix-command flakes
+'';
+```
+
+More information about flakes can be found [here](https://nixos.wiki/wiki/Flakes)
+
+### dev shell
+a development shell with the correct environment can be created by running ```nix develop ```
+
+If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration)
+
+### build a configuration
+
+to build a configuration run the following command (replace ```<hostname>``` with the actual hostname):
+
+``` shell
+nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
+```
+
+### building raspberry image
+
+for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM).
+
+to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix:
+
+``` nix
+boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+```
+
+then you can build the image with:
+
+``` shell
+nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage
+```
+
+### run a configuration as vm
+
+to run a vm we have to build it first using the following command (replace ```<hostname>``` with the actual hostname):
+
+``` shell
+nix build .#nixosConfigurations.<hostname>.config.system.build.vm
+```
+
+afterwards run the following command to start the vm:
+
+``` shell
+./result/bin/run-<hostname>-vm
+```
+
+### documentation
+
+for documentation we currently just use README.md files.
+
+the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
+the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.
--- a/doc/src/SUMMARY.md
+++ b/doc/src/SUMMARY.md
@@ -0,0 +1,23 @@
+# Summary
+
+- [Index](./Index.md)
+    - [Info]()
+        - [Aktuelle Server]()
+            - [Durruti](./server/durruti.md)
+            - [Lucia](./server/lucia.md)
+        - [Hardware]()
+        - [Netzwerk]()
+        - [Seiten]()
+            - [Website](./server/website.md)
+            - [musik](./projekte/musik.md)
+        - [TODO](./todo.md)
+        - [Modules]()
+            - [Initrd-ssh](./module/initssh.md)
+            - [Disks](./module/disks.md)
+    - [How-to]()
+        - [Create New Host](./anleitung/create.md)
+        - [Sops](./anleitung/sops.md)            
+        - [MaloVPN](./anleitung/wireguard.md)
+        - [Updates](./anleitung/updates.md)
+        - [Rollbacks](./anleitung/rollback.md)
+        - [MicroVM](./anleitung/microvm.md)
--- a/doc/src/anleitung/create.md
+++ b/doc/src/anleitung/create.md
@@ -0,0 +1,66 @@
+# Create host with disko-install
+How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
+---
+Here are the exact steps to get bakunin running:  
+First create machines/hostname/configuration.nix  
+Add hosts nixosConfiguration in machines/configurations.nix  
+Boot nixos installer on the Machine.  
+``` bash
+# establish network connection
+wpa_passphrase "network" "password" > wpa.conf
+wpa_supplicant -B -i wlp3s0 -c wpa.conf
+ping 8.8.8.8
+# if that works continue
+
+# generate a base hardware config
+nixos-generate-config --root /tmp/config --no-filesystems
+
+# get the infra repo
+nix-shell -p git
+git clone https://git.dynamicdiscord.de/kalipso/infrastructure
+cd infrastructure
+
+# add the new generated hardware config (and import in hosts configuration.nix)
+cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
+
+# check which harddrive we want to install the system on
+lsblk #choose harddrive, in this case /dev/sda
+
+# run nixos-install on that harddrive
+sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
+
+# this failed with out of memory
+# running again showed: no disk left on device
+# it seems the usb stick i used for flashing is way to small
+# it is only 
+# with a bigger one (more than 8 gig i guess) it should work
+# instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
+# for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
+
+sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
+
+# failed with no space left on device.
+# problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
+# it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
+```
+
+# Testing Disko
+Testing disko partitioning is working quite well. Just run the following and check the datasets in the vm:
+```bash
+nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
+```
+
+Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
+```nix
+datasets = {
+  encrypted = {
+    options = {
+      encryption = "aes-256-gcm"; #THIS ONE
+      keyformat = "passphrase"; #THIS ONE
+      keylocation = "file:///tmp/root.key"; #THIS ONE
+    };
+    # use this to read the key during boot
+     postCreateHook = '' #THIS ONE 
+       zfs set keylocation="prompt" "zroot/$name"; #THIS ONE 
+     ''; #THIS ONE 
+```
--- a/doc/src/anleitung/microvm.md
+++ b/doc/src/anleitung/microvm.md
@@ -0,0 +1,102 @@
+### Declaring a MicroVM
+
+The hosts nixosSystems modules should be declared using the ```makeMicroVM``` helper function.
+Use durruti as orientation:
+``` nix
+    modules = makeMicroVM "durruti" "10.0.0.5" [
+      ./durruti/configuration.nix
+    ];
+```
+
+"durruti" is the hostname.  
+"10.0.0.5" is the IP assigned to its tap interface.  
+
+### Testing MicroVMs locally
+MicroVMs can be built and run easily on your localhost for development.  
+We provide the script ```run-vm``` to handle stuff like development (dummy) secrets, sharing directories, ect. easily.
+Usage examples:
+``` bash
+# run without args to get available options and usage info
+run-vm
+
+# run nextcloud locally with dummy secrets
+run-vm nextcloud --dummy-secrets
+
+# share a local folder as /var/lib dir so that nextcloud application data stays persistent between boots
+mkdir /tmp/nextcloud
+run-vm nextcloud --dummy-secrets --varlib /tmp/nextcloud
+
+# enable networking to provide connectivity between multiple vms
+# for that the malobeo hostBridge must be enabled on your host
+# this example deploys persistent grafana on overwatch and fetches metrics from infradocs
+mkdir overwatch
+run-vm overwatch --networking --varlib /tmp/overwatch
+run-vm infradocs --networking
+```
+
+
+
+### Fully deploy microvms on local host
+In order to test persistent microvms locally we need to create them using the ```microvm``` command.  
+This is necessary to be able to mount persistent /etc and /var volumes on those hosts.  
+Do the following:
+
+Prepare your host by including `microvm.nixosModules.host` in your `flake.nix` [Microvm Docs](https://astro.github.io/microvm.nix/host.html)
+
+
+```bash
+# go into our repo and start the default dev shell (or use direnv)
+nix develop .#
+
+# create a microvm on your host (on the example of durruti)
+sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo
+
+# start the vm
+sudo systemctl start microvm@durruti.service
+
+# this may fail, if so we most probably need to create /var /etc manually, then restart
+sudo mkdir -p /var/lib/microvms/durruti/{var,etc}
+
+# now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/
+
+# alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
+microvm -r durruti
+
+# after u made changes to the microvm update and restart the vm 
+microvm -uR durruti
+
+# deleting the vm again:
+sudo systemctl stop microvm@durruti.service
+sudo systemctl stop microvm-virtiofsd@durruti.service
+sudo rm -rf /var/lib/microvms/durruti
+```
+
+
+### Host Setup
+
+#### Network Bridge
+To provide network access to the VMs a bridge interface needs to be created on your host.
+For that:
+- Add the infrastructure flake as input to your hosts flake  
+- Add ```inputs.malobeo.nixosModules.malobeo``` to your hosts imports
+- enable the host bridge: ```services.malobeo.microvm.enableHostBridge = true;```
+
+If you want to provide Internet access to the VM it is necessary to create a nat.
+This could be done like this:
+``` nix
+networking.nat = {
+  enable = true;
+  internalInterfaces = [ "microvm" ];
+  externalInterface = "eth0"; #change to your interface name
+};
+```
+#### Auto Deploy VMs
+By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool.
+But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option.
+VMs configured using this option will be initialized and autostarted at boot.
+Updating still needs to be done imperative, or by enabling autoupdates.nix
+
+The following example would init and autostart durruti and gitea:
+``` nix
+malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
+```
--- a/doc/src/anleitung/rollback.md
+++ b/doc/src/anleitung/rollback.md
@@ -0,0 +1 @@
+# Rollbacks
--- a/doc/src/anleitung/sops.md
+++ b/doc/src/anleitung/sops.md
@@ -0,0 +1,35 @@
+# Sops
+
+## How to add admin keys
+- Git:
+    - Generate gpg key
+    - Add public key to `./machines/secrets/keys/users/`
+    - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
+
+- Age:
+    - Generate age key for Sops:   
+      ```
+      $ mkdir -p ~/.config/sops/age
+      $ age-keygen -o ~/.config/sops/age/keys.txt
+      ```
+      or to convert an ssh ed25519 key to an age key
+      ```
+      $ mkdir -p ~/.config/sops/age
+      $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
+      ```
+    - Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
+    - Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
+
+- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
+
+- `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
+
+## How to add host keys
+If a new host is created we have to add its age keys to the sops config.
+Do the following:
+```bash
+# ssh into the host and run:
+nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+# create new host with the output of that command in /machines/.sops.yaml
+```
+
--- a/doc/src/anleitung/updates.md
+++ b/doc/src/anleitung/updates.md
@@ -0,0 +1 @@
+# Updates
--- a/doc/src/anleitung/wireguard.md
+++ b/doc/src/anleitung/wireguard.md
@@ -0,0 +1,55 @@
+# MaloVPN
+Running in the cloud. To let a host access the VPN you need to do the following:
+- generate a wireguard keypair
+- add the host to ./machines/modules/malobeo/peers.nix
+- enable the malovpn module on the host
+
+
+## Generate Wireguard keys
+Enter nix shell for wg commands `nix-shell -p wireguard-tools` 
+```bash
+umask 077
+wg genkey > wg.private
+wg pubkey < wg.private > wg.pub
+```
+Now you have a private/public keypair. Add the private key to the hosts sops secrets if you like.
+## Add host to peers.nix
+peers.nix is a central 'registry' of all the hosts in the vpn. Any host added here will be added to the vpn servers peerlist allowing it to access the VPN. This allows us to controll who gets access by this repository.  
+
+- Add your host to /machines/modules/malobeo/peers.nix  
+- Set the role to "client"
+- choose a ip address as 'address' that is not taken already
+- set allowedIPs as the others, except we want to limit this host to only access certain peers
+- Add your public Key here as string  
+
+After that commit your changes and either open a PR or push directly to master  
+Example:  
+```nix
+"celine" = {
+  role = "client";
+  address = [ "10.100.0.2/24" ];
+  allowedIPs = [ "10.100.0.0/24" ];
+  publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
+};
+```
+
+## Enable MaloVPN on Host
+Either you configure wireguard manually or use the malobeo vpn module  
+The 'name' must match your hosts name in peers.nix:
+
+```nix
+sops.secrets.private_key = {};
+
+imports = [
+  malobeo.nixosModules.malobeo.vpn
+];
+
+services.malobeo.vpn = {
+  enable = true;
+  name = "celine";
+  privateKeyFile = config.sops.secrets.private_key.path;
+};
+```
+
+After a rebuild-switch you should be able to ping the vpn server 10.100.0.1.
+If the peers.nix file just was commited shortly before it may take a while till the vpn server updated its peerlist. 
--- a/doc/src/module/disks.md
+++ b/doc/src/module/disks.md
@@ -0,0 +1,117 @@
+# Disks
+The disks module can be used by importing `inputs.self.nixosModules.malobeo.disko`
+
+
+#### `let cfg = malobeo.disks`
+
+#### `cfg.enable` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Enables the disk creation process using the `disko` tool. Set to `true` to initialize disk setup.
+
+#### `cfg.hostId` (string)
+- **Type:** `string`
+- **Default:** `""`
+- **Description:**  
+  The host ID used for ZFS disks. This ID should be generated using a command like `head -c4 /dev/urandom | od -A none -t x4`.
+
+#### `cfg.encryption` (bool)
+- **Type:** `bool`
+- **Default:** `true`
+- **Description:**  
+  Determines if encryption should be enabled. Set to `false` to disable encryption for testing purposes.
+
+#### `cfg.devNodes` (string)
+- **Type:** `string`
+- **Default:** `"/dev/disk/by-id/"`
+- **Description:**  
+  Specifies where the disks should be mounted from.  
+  - Use `/dev/disk/by-id/` for general systems.
+  - Use `/dev/disk/by-path/` for VMs.
+  - For more information on disk name conventions, see [OpenZFS FAQ](https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux).
+
+#### `let cfg = malobeo.disks.root`
+#### `cfg.disk0` (string)
+- **Type:** `string`
+- **Default:** `""`
+- **Description:**  
+  The device name (beginning after `/dev/` e.g., `sda`) for the root filesystem.
+
+#### `cfg.disk1` (string)
+- **Type:** `string`
+- **Default:** `""`
+- **Description:**  
+  The device name (beginning after `/dev/` e.g., `sdb`) for the optional mirror disk of the root filesystem.
+
+#### `cfg.swap` (string)
+- **Type:** `string`
+- **Default:** `"8G"`
+- **Description:**  
+  Size of the swap partition on `disk0`. This is applicable only for the root disk configuration.
+
+#### `cfg.reservation` (string)
+- **Type:** `string`
+- **Default:** `"20GiB"`
+- **Description:**  
+  The ZFS reservation size for the root pool.
+
+#### `cfg.mirror` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Whether to configure a mirrored ZFS root pool. Set to `true` to mirror the root filesystem across `disk0` and `disk1`.
+
+#### `let cfg = malobeo.disks.storage`
+#### `cfg.enable` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Enables the creation of an additional storage pool. Set to `true` to create the storage pool.
+
+#### `cfg.disks` (list of strings)
+- **Type:** `listOf string`
+- **Default:** `[]`
+- **Description:**  
+  A list of device names without /dev/ prefix  (e.g., `sda`, `sdb`) to include in the storage pool.  
+  Example: `["disks/by-id/ata-ST16000NE000-2RW103_ZL2P0YSZ"]`.
+
+#### `cfg.reservation` (string)
+- **Type:** `string`
+- **Default:** `"20GiB"`
+- **Description:**  
+  The ZFS reservation size for the storage pool.
+
+#### `cfg.mirror` (bool)
+- **Type:** `bool`
+- **Default:** `false`
+- **Description:**  
+  Whether to configure a mirrored ZFS storage pool. Set to `true` to mirror the storage pool.
+
+## Example Configuration
+
+```nix
+{
+  options.malobeo.disks = {
+    enable = true;
+    hostId = "abcdef01";
+    encryption = true;
+    devNodes = "/dev/disk/by-id/";
+    
+    root = {
+      disk0 = "sda";
+      disk1 = "sdb";
+      swap = "8G";
+      reservation = "40GiB";
+      mirror = true;
+    };
+    
+    storage = {
+      enable = true;
+      disks = [ "sdc" "sdd" "disks/by-uuid/sde" ];
+      reservation = "100GiB";
+      mirror = false;
+    };
+  };
+}
+```
--- a/doc/src/module/initssh.md
+++ b/doc/src/module/initssh.md
@@ -0,0 +1,29 @@
+# Initrd-ssh
+The initssh module can be used by importing `inputs.self.nixosModules.malobeo.initssh`
+
+#### `let cfg = malobeo.initssh`
+
+## cfg.enable   
+Enable the initssh module
+
+*Default*
+false
+
+
+## cfg.authorizedKeys
+Authorized keys for the initrd ssh
+
+*Default*
+`[ ]`
+
+
+## cfg.ethernetDrivers
+
+Ethernet drivers to load in the initrd.   
+Run ` lspci -k | grep -iA4 ethernet `
+
+*Default:*
+` [ ] `
+
+*Example:*
+`[ "r8169" ]`
--- a/doc/src/projekte/musik.md
+++ b/doc/src/projekte/musik.md
@@ -0,0 +1 @@
+# musik
--- a/doc/src/server/durruti.md
+++ b/doc/src/server/durruti.md
@@ -0,0 +1,2 @@
+# Durruti
+Hetzner Server
--- a/doc/src/server/lucia.md
+++ b/doc/src/server/lucia.md
@@ -0,0 +1,2 @@
+# Lucia
+Lokaler Raspberry Pi 3
--- a/doc/src/server/website.md
+++ b/doc/src/server/website.md
@@ -0,0 +1,7 @@
+#Website
+
+hosted on uberspace  
+runs malobeo.org(wordpress) and forum.malobeo.org(phpbb)  
+access via ssh with public key or password  
+Files under /var/www/virtual/malobeo/html
+
--- a/doc/src/todo.md
+++ b/doc/src/todo.md
@@ -0,0 +1,32 @@
+# TODO
+- [ ] Dieses wiki schreiben
+#### infrastructure
+* [ ] host a local wiki with public available information about the space, for example:
+  * [ ] how to use coffe machine
+  * [ ] how to turn on/off electricity
+  * [ ] how to use beamer
+  * [ ] how to buecher ausleihen
+  * ...
+- [x] host a local wiki with infrastructure information
+* [x] host some pad (codimd aka hedgedoc)
+* [ ] some network fileshare for storing the movies and streaming them within the network
+  - Currently developed in the 'fileserver' branch
+    - NFSV4 based
+* [x] malobeo network infrastructure rework
+  * [x] request mulvad acc
+  * [x] remove freifunk, use openwrt with mulvad configured
+* [ ] evaluate imposing solutions
+    * [ ] pdfarranger
+
+#### external services
+we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
+- [x] analyse best way to include our stuff into external nixOs server
+  - [x] writing some module that is included by the server
+  - [x] directly use nixOs container on host
+  - [x] combination of both (module that manages nginx blabla + nixOs container for the services
+
+#### bots&progrmaming
+* [ ] create telegram bot automatically posting tuesday events
+* [x] create webapp/interface replacing current task list pad
+  * could be a simple form for every tuesday
+  * [x] element bot should send updates if some tasks are not filled out
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
 {
  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736864502,
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
    "ep3-bs": {
      "inputs": {
        "nixpkgs": [
@@ -21,6 +42,24 @@
        "url": "https://git.dynamicdiscord.de/kalipso/ep3-bs.nix"
      }
    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -28,16 +67,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1726989464,
-        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
+        "lastModified": 1736373539,
+        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
+        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-24.05",
+        "ref": "release-24.11",
        "repo": "home-manager",
        "type": "github"
      }
@@ -61,13 +100,35 @@
        "type": "github"
      }
    },
+    "microvm": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "spectrum": "spectrum"
+      },
+      "locked": {
+        "lastModified": 1736905611,
+        "narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=",
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "type": "github"
+      }
+    },
    "nixlib": {
      "locked": {
-        "lastModified": 1729386149,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
        "type": "github"
      },
      "original": {
@@ -84,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1729472750,
-        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+        "lastModified": 1737057290,
+        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
        "type": "github"
      },
      "original": {
@@ -99,11 +160,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1729742320,
-        "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
+        "lastModified": 1736978406,
+        "narHash": "sha256-oMr3PVIQ8XPDI8/x6BHxsWEPBRU98Pam6KGVwUh8MPk=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
+        "rev": "b678606690027913f3434dea3864e712b862dde5",
        "type": "github"
      },
      "original": {
@@ -129,29 +190,13 @@
        "type": "github"
      }
    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1729357638,
-        "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1729665710,
-        "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
+        "lastModified": 1737062831,
+        "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
+        "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
        "type": "github"
      },
      "original": {
@@ -163,25 +208,27 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1729449015,
-        "narHash": "sha256-Gf04dXB0n4q0A9G5nTGH3zuMGr6jtJppqdeljxua1fo=",
+        "lastModified": 1736916166,
+        "narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "89172919243df199fe237ba0f776c3e3e3d72367",
+        "rev": "e24b4c09e963677b1beea49d411cd315a024ad3a",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
+        "disko": "disko",
        "ep3-bs": "ep3-bs",
        "home-manager": "home-manager",
        "mfsync": "mfsync",
+        "microvm": "microvm",
        "nixos-generators": "nixos-generators",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
@@ -195,15 +242,14 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
      },
      "locked": {
-        "lastModified": 1729695320,
-        "narHash": "sha256-Fm4cGAlaDwekQvYX0e6t0VjT6YJs3fRXtkyuE4/NzzU=",
+        "lastModified": 1737107480,
+        "narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "d089e742fb79259b9c4dd9f18e9de1dd4fa3c1ec",
+        "rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6",
        "type": "github"
      },
      "original": {
@@ -212,6 +258,22 @@
        "type": "github"
      }
    },
+    "spectrum": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733308308,
+        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
+        "ref": "refs/heads/main",
+        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
+        "revCount": 792,
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@@ -257,6 +319,21 @@
        "type": "github"
      }
    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "tasklist": {
      "inputs": {
        "nixpkgs": [
@@ -264,11 +341,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1729717517,
-        "narHash": "sha256-Gul0Zqy0amouh8Hs8BL/DIKFYD6BmdTo4H8+5K5+mTo=",
+        "lastModified": 1737548421,
+        "narHash": "sha256-gmlqJdC+v86vXc2yMhiza1mvsqh3vMfrEsiw+tV5MXg=",
        "ref": "refs/heads/master",
-        "rev": "610269a14232c2888289464feb5227e284eef336",
-        "revCount": 27,
+        "rev": "c5fff78c83959841ac724980a13597dcfa6dc26d",
+        "revCount": 29,
        "type": "git",
        "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
      },
@@ -315,14 +392,14 @@
    },
    "utils_3": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -3,11 +3,15 @@

  inputs = {
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    mfsync.url = "github:k4lipso/mfsync";
+    microvm.url = "github:astro/microvm.nix";
+    microvm.inputs.nixpkgs.follows = "nixpkgs";
+    disko.url = "github:nix-community/disko/latest";
+    disko.inputs.nixpkgs.follows = "nixpkgs";

    utils = {
      url = "github:numtide/flake-utils";
@@ -29,7 +33,7 @@
    };

    home-manager=  {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-24.11";
      inputs = {
        nixpkgs.follows = "nixpkgs";
      };
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -5,25 +5,98 @@
 keys:
  - &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb
  - &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4
+  - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
  - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
  - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
-  - &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
+  - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
+  - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
+  - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
+  - &machine_nextcloud age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr
+  #this dummy key is used for testing.
+  - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:
+  #provide fake secrets in a dummy.yaml file for each host
+  - path_regex: '.*dummy\.yaml$'
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *machine_dummy
+      - *admin_atlan
  - path_regex: moderatio/secrets/secrets.yaml$
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_moderatio
+      age:
+      - *admin_atlan
  - path_regex: lucia/secrets.yaml$
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_lucia
+      age:
+      - *admin_atlan
  - path_regex: durruti/secrets.yaml$
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
+      age:
      - *machine_durruti
+      - *admin_atlan
+  - path_regex: vpn/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *machine_vpn
+      - *admin_atlan
+  - path_regex: fanny/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *machine_fanny
+      - *admin_atlan
+  - path_regex: testvm/disk.key
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+  - path_regex: fanny/disk.key
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+  - path_regex: bakunin/disk.key
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+  - path_regex: nextcloud/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
+      - *machine_nextcloud
+  - path_regex: overwatch/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      age:
+      - *admin_atlan
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -0,0 +1,100 @@
+{ config, pkgs, inputs, ... }:
+
+let
+  sshKeys = import ../ssh_keys.nix;
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      #./hardware-configuration.nix
+      ../modules/xserver.nix
+      ../modules/malobeo_user.nix
+      ../modules/sshd.nix
+      ../modules/minimal_tools.nix
+      ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.disko
+      inputs.self.nixosModules.malobeo.initssh
+    ];
+
+  malobeo.autoUpdate = {
+    enable = true;
+    url = "https://hydra.dynamicdiscord.de";
+    project = "malobeo";
+    jobset = "infrastructure";
+    cacheurl = "https://cache.dynamicdiscord.de";
+  };
+
+  malobeo.disks = {
+    enable = true;
+    hostId = "a3c3102f";
+    root = {
+      disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
+    };
+  };
+
+  malobeo.initssh = {
+    enable = true;
+    authorizedKeys = sshKeys.admins;
+    ethernetDrivers = ["r8169"];
+  };
+
+  hardware.sane.enable = true; #scanner support
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  users.users.malobeo = {
+    packages = with pkgs; [
+      firefox
+      thunderbird
+      telegram-desktop
+      tor-browser-bundle-bin
+      keepassxc
+      libreoffice
+      gimp
+      inkscape
+      okular
+      element-desktop
+      chromium
+      mpv
+      vlc
+      simple-scan
+    ];
+  };
+
+  services.tor = {
+    enable = true;
+    client.enable = true;
+  };
+
+  services.printing.enable = true;
+  services.printing.drivers = [
+    (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
+    pkgs.gutenprint
+    pkgs.gutenprintBin
+    pkgs.brlaser
+    pkgs.brgenml1lpr 
+    pkgs.brgenml1cupswrapper
+  ];
+
+  # needed for printing drivers
+  nixpkgs.config.allowUnfree = true; 
+
+  services.acpid.enable = true;
+
+  networking.hostName = "bakunin";
+  networking.networkmanager.enable = true;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    systemWide = true;
+  };
+
+
+  time.timeZone = "Europe/Berlin";
+  system.stateVersion = "23.05"; # Do.. Not.. Change..
+}
+
--- a/machines/bakunin/disk.key
+++ b/machines/bakunin/disk.key
@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:2/tfkG7SwWNpnqgkFkmUqbAJBF2eN/lfZCK/9VsZag==,iv:Sps+ZIQGveS/zumjVE8VFfVTlNwQJ093eMDndlne2nU=,tag:lW8xcz43jj1XPV6M/0e11g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRU003cys0d0d4MXFmVVVH\ndDg1eHZpVjFMeDBGL3JQcjB5a0luSVRaSWtnCmxNOEUyZ2oybkNLdm12ZTVmNUpo\nVCtUem44bXA2dGhURGdyRWxKdUF6OVkKLS0tIDdVbUt2eGVHMHBzOEt6QnRpOXZF\nVWFEUFloRXpIUGJxblpaNUNuTjlLbDQKQii2qUIl72d02D3P0oTDHZQT1srSk6jS\n89XSBy6ND9vP0tGXcZ4a7jghO0Q1OVNe1fm6Ez41lKOuUu77hgOAWg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-14T16:40:57Z",
+		"mac": "ENC[AES256_GCM,data:M8l4a2SbBikF/tEtGx4ZY13eK3ffM70aUCDYo4ljgTAtQEbGLx1SJM/mrFW325LycFMNOerWhXyipbXPZPw2VfnSJ9dz+bQ53xK7Mpf/bOZs5aQZJpJ1/MJh6lkmR/zPeQXhE08WsyJ1rCRqAfygau2CqdV8ujY5li3jIIDQMcQ=,iv:lJZhTjJAxSky9MrzYldkJOG0dCIzkv4IE3ZKzxgUxvo=,tag:t/grczWX+0sDcsHC5SCd/A==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-01-14T16:40:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/S6LvVBsznEqLZbT/UAom1KmfmA3swxAJnQ5tl/vnnix6\nvzs4KSFGZMOQZihEKC/M/og8qTCvlUFBAUMkYLgX+8ehZeZwnnH9V8EDGDIyoWXE\n6AIHP9Ur6yk62gHqmfHlMxFG2A9/A4a+mOvxyKKPDK/AYG0PBaSVMkM6cp7efWwe\n7C6m4BpPRU+3NsNKy/4FkWt9xoFy82K89FqUGC8oZOQW1q+fS7ZIhmnTzzApwILy\n5Y77yBnpPECDYNZdH097bZli6KGWob7aXJ431gyw2OMVQHFb0DlQbKxemo9eWpIr\nnXu2FYrY2D7YxXBGQvXTuNQD3BuvrccOgWAmmi852C1gVVKV+egeOBRq2RYPl6+j\n8TBaNzl0rcvaoWeTJGR142pR9ht9B3aGzXcvCsciZo3SjYyt31J0huzPfv4Dakfn\nyY8BvOaNfugjx0aS6BOZgZiOPlBer86/0FKX469QQAnqL0LRoPyjn53JYUdPdI+s\nCI2WuVynSl7ItiwoKkJK0lgBm0oMhpSiGOC4Z2Bkk2xdpiuXUdMcP6m8OlG9ldCs\n0KrWubh9Ne6CP7etvTkwqWvMuSpCuheToIQ0rp8j21/YdCFX5LpxA3+em0t9M7Is\nV4ZoLnqA2KjI\n=4+Yl\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-01-14T16:40:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//c/UkuZRpJM5sH1snP8Kidek6nHgC11hUaY1G15a5ap1D\nn9cMIn4xUdfCAN/DoNiE14NzeTDQyawmIV1ZmrYZzItFdNgunf1r9jQNa3EqcWfE\norJS2RwWDrsw7tmx0wyenr9BLefMGJYaJ6Rd7J3j8sXL7aT+SbNw27mmVbYrJiFJ\nYh2usIsxDu2C+dCeTb3J9sKK6F96IbNnj/2Sx8AGYsIQvcpwloCRrnjiEa+hrEBn\nj1I6U4B/NjRGv20PAR1OnQ2OhKVL5UgTJgNKWCLdvGVOQnqJgDNUrrNEBY19wDQL\nQzJEzL21aiyF+8BB3IrtQlntmAIMcUUHTpqIols9rpVJl54yiK1mQ3UqTQPQ2+gd\nu2gtjXXk3FMnVzaI33ZMcxENGHy/+ZdZMfY70/EwJpRvneHTsLr3Z/bHUxavSYdL\nQqbeWLUm7a2/pnOl5JKa9asKYaNBNdmzO/YVgQNhLQzFtHJ9riVN7Ro+S2bocN9Z\npHGCCISAdMDyuFC7aSngnZEwE4NACbQEc8Udu+YCAUIeeBaPI/QWu3n61fZrkxR7\nmik9uJdXnMzKpmNGVQbPurifykDA6Bsqakn69AZQIPyxMtEDBV+pDX0yy3tI5D12\nhksuXSC7fpV/4BsZWKczK9fpDUJMDTFajSSVrSKb4nr2hk49IAZX9rhgbiHmT1LS\nWAHa5YGYUMkVQc59J3uhAjuSckWA/7R7oMhIrL5e/vnnHVR5zFW/auHkDytzZ0d0\nbGdrIRZh81C+yxB1pSJvlUnIWbYnpqhaH3xL+8yARpGZMNi595x0EJM=\n=8puy\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}
--- a/machines/moderatio/hardware-configuration.nix
+++ b/machines/moderatio/hardware-configuration.nix
@@ -8,46 +8,42 @@
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "ums_realtek" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "rpool/nixos/root";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
+boot.initrd.luks.devices = {
+root = {
+device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
+preLVM = true;
+allowDiscards = true;
+};
+};

-  fileSystems."/home" =
-    { device = "rpool/nixos/home";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
+      fsType = "btrfs";
    };

  fileSystems."/boot" =
-    { device = "bpool/nixos/root";
-      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
-    };
-
-  fileSystems."/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1" =
-    { device = "/dev/disk/by-uuid/A0D1-00C1";
+    { device = "/dev/disk/by-uuid/402B-2026";
      fsType = "vfat";
    };

-  fileSystems."/boot/efi" =
-    { device = "/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1";
-      fsType = "none";
-      options = [ "bind" ];
-    };
-
-  swapDevices = [ ];
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
+    ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;

+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -1,77 +0,0 @@
-{ self
-, nixpkgs-unstable
-, nixpkgs
-, sops-nix
-, inputs
-, nixos-hardware
-, home-manager
-, ...
-}:
-let
-  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
-  nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem;
-
-  baseModules = [
-    # make flake inputs accessiable in NixOS
-    { _module.args.inputs = inputs; }
-    {
-      imports = [
-        ({ pkgs, ... }: {
-          nix = {
-            extraOptions = ''
-              experimental-features = nix-command flakes
-            '';
-
-            settings = {
-              substituters = [
-                "https://cache.dynamicdiscord.de"
-                "https://cache.nixos.org/"
-              ];
-              trusted-public-keys = [
-                "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4="
-              ];
-              trusted-users = [ "root" "@wheel" ];
-            };
-          };
-        })
-
-        sops-nix.nixosModules.sops
-      ];
-    }
-  ];
-  defaultModules = baseModules;
-in
-{
-  moderatio = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./moderatio/configuration.nix
-    ];
-  };
-
-  louise = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./louise/configuration.nix
-    ];
-  };
-
-  durruti = nixosSystem {
-    system = "x86_64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./durruti/configuration.nix
-    ];
-  };
-
-  lucia = nixosSystem {
-    system = "aarch64-linux";
-    specialArgs.inputs = inputs;
-    modules = defaultModules ++ [
-      ./lucia/configuration.nix
-      ./lucia/hardware_configuration.nix
-    ];
-  };
-}
--- a/machines/durruti/configuration.nix
+++ b/machines/durruti/configuration.nix
@@ -1,15 +1,11 @@
-{ config, lib, pkgs, inputs, ... }:
+{ config, self, lib, pkgs, inputs, ... }:

 with lib;

 {
-  sops.defaultSopsFile = ./secrets.yaml;
-
-  boot.isContainer = true;
  networking = {
    hostName = mkDefault "durruti";
    useDHCP = false;
-    nameservers = [ "1.1.1.1" ];
  };

  networking.firewall.allowedTCPPorts = [ 8080 ];
@@ -21,57 +17,23 @@ with lib;
  ];

  imports = [
-    inputs.ep3-bs.nixosModules.ep3-bs
+    self.nixosModules.malobeo.metrics
    inputs.tasklist.nixosModules.malobeo-tasklist
+
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    ../modules/minimal_tools.nix
-    ../modules/autoupdate.nix
  ];

-  malobeo.autoUpdate = {
+  malobeo.metrics = {
    enable = true;
-    url = "https://hydra.dynamicdiscord.de";
-    project = "malobeo";
-    jobset = "infrastructure";
-    cacheurl = "https://cache.dynamicdiscord.de";
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
  };

  services.malobeo-tasklist.enable = true;

-  services.ep3-bs = {
-    enable = true;
-    in_production = true;
-    favicon = ./circle-a.png;
-    logo = ./malobeo.png;
-
-    mail = {
-      type = "smtp-tls";
-      address = "dynamicdiscorddresden@systemli.org";
-      host = "mail.systemli.org";
-      user = "dynamicdiscorddresden@systemli.org";
-      passwordFile = config.sops.secrets.ep3bsMail.path;
-      auth = "plain";
-    };
-
-
-    database = {
-      user = "malodbuser";
-      passwordFile = config.sops.secrets.ep3bsDb.path;
-    };
-  };
-
-  sops.secrets.ep3bsDb = {
-    owner = config.services.ep3-bs.user;
-    key = "ep3bsDb";
-  };
-
-  sops.secrets.ep3bsMail = {
-    owner = config.services.ep3-bs.user;
-    key = "ep3bsMail";
-  };
-
-
  system.stateVersion = "22.11"; # Did you read the comment?
 }

--- a/machines/durruti/documentation.nix
+++ b/machines/durruti/documentation.nix
@@ -0,0 +1,24 @@
+{ config, self, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."_" = {
+      listen = [ 
+        { addr = "0.0.0.0"; port = 9000; } 
+      ];
+      root = "${self.packages.x86_64-linux.docs}/share/doc";
+      extraConfig = ''
+        proxy_buffering off;
+        proxy_cache off;
+        proxy_http_version 1.1; 
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+      '';
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9000 ];
+}
--- a/machines/durruti/host_config.nix
+++ b/machines/durruti/host_config.nix
@@ -33,17 +33,54 @@ in
      }
    ];

+    services.nginx.virtualHosts."docs.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
+    services.nginx.virtualHosts."cloud.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
+    services.nginx.virtualHosts."grafana.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
+    };
+
    services.nginx.virtualHosts."tasklist.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
-      locations."/".proxyPass = "http://${cfg.host_ip}:8080";
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+        '';
+      };
    };

-    services.nginx.virtualHosts."booking.dynamicdiscord.de" = {
+    services.nginx.virtualHosts."status.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
-      locations."/".proxyPass = "http://${cfg.host_ip}:80";
+      locations."/" = {
+        proxyPass = "http://10.0.0.12";
+        extraConfig = ''
+        '';
+      };
    };
-
  };
 }
--- a/machines/durruti/secrets.yaml
+++ b/machines/durruti/secrets.yaml
@@ -1,72 +0,0 @@
-hello: ENC[AES256_GCM,data:MKKsvoFlHX6h4qazxcjl/RE1ZsK64G926k4hgFW3AkoJgXO1QXmTaRG7ZBgS8A==,iv:hoFbcNRkge24xJfLZJH651jB4NnXCjYAdTrirkans+4=,tag:68AyEHamlGxdmSJGkTGbsA==,type:str]
-ep3bsDb: ENC[AES256_GCM,data:Z4ZYRaV/eCkaW5Ma+88hbl1o8qsI7PANrIHXoLdIOqIGFLPt7dw=,iv:BCVM+PeGm2NRcvBBy0kId1iVOD/uoiVKKBDA03p0QFM=,tag:CMypO3RLOhvHdVG5YvWewg==,type:str]
-ep3bsMail: ENC[AES256_GCM,data:rZhRb/+gs0Lm8Gdi2P2FMe15A344b88TRg==,iv:hEIG2CBcMslg3hmH3ST3bu6tmes01jncQ3V7h5KcuhA=,tag:XAHdMAlVZNyMdp4TznWDQQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2024-06-26T10:07:26Z"
-    mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
-    pgp:
-        - created_at: "2024-06-26T10:06:21Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+
-            43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT
-            d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc
-            5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN
-            MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu
-            eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv
-            pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf
-            Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W
-            CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs
-            6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq
-            OBN3luBRDDAj
-            =+dua
-            -----END PGP MESSAGE-----
-          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-06-26T10:06:21Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo
-            HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx
-            hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh
-            9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3
-            rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ
-            lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj
-            fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1
-            2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl
-            TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC
-            3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA
-            UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS
-            WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt
-            08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ=
-            =7OG0
-            -----END PGP MESSAGE-----
-          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2024-06-26T10:06:21Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf
-            XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6
-            GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U
-            e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc
-            B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l
-            aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv
-            FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v
-            eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK
-            0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU
-            fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM
-            cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS
-            WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG
-            HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto=
-            =GiUe
-            -----END PGP MESSAGE-----
-          fp: 4095412245b6efc14cf92ca25911def5a4218567
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -0,0 +1,144 @@
+{ inputs, config, ... }:
+let
+  sshKeys = import ../ssh_keys.nix;
+in
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets.wg_private = {};
+
+  imports =
+    [ # Include the results of the hardware scan.
+      #./hardware-configuration.nix
+      ../modules/malobeo_user.nix
+      ../modules/sshd.nix
+      ../modules/minimal_tools.nix
+      ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.vpn
+      inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.disko
+      inputs.self.nixosModules.malobeo.microvm
+      inputs.self.nixosModules.malobeo.metrics
+    ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  malobeo.autoUpdate = {
+    enable = true;
+    url = "https://hydra.dynamicdiscord.de";
+    project = "malobeo";
+    jobset = "infrastructure";
+    cacheurl = "https://cache.dynamicdiscord.de";
+  };
+
+  nix = {
+    settings.experimental-features = [ "nix-command" "flakes" ];
+    #always update microvms
+    extraOptions = ''
+      tarball-ttl = 0
+    '';
+  };
+
+
+  malobeo.disks = {
+    enable = true;
+    hostId = "a3c3101f";
+    root = {
+      disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
+    };
+    storage = {
+      disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
+      mirror = true;
+    };
+  };
+
+  malobeo.initssh = {
+    enable = true;
+    authorizedKeys = sshKeys.admins;
+    ethernetDrivers = ["r8169"];
+  };
+
+  services.malobeo.vpn = {
+    enable = true;
+    name = "fanny";
+    privateKeyFile = config.sops.secrets.wg_private.path;
+  };
+
+  services.malobeo.microvm.enableHostBridge = true;
+  services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "durruti" ];
+  services.malobeo.microvm.client.nextcloud.enable = true;
+
+  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "enp1s0";
+      internalInterfaces = [ "microvm" ];
+    };
+
+    firewall = {
+      allowedTCPPorts = [ 80 ];
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."docs.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.11:9000";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."cloud.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.13";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."grafana.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.14";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."tasklist.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.5:8080";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+  };
+
+  services.tor = {
+    enable = true;
+    client.enable = true;
+  };
+
+  # needed for printing drivers
+  nixpkgs.config.allowUnfree = true; 
+
+  services.acpid.enable = true;
+
+  networking.hostName = "fanny";
+  networking.networkmanager.enable = true;
+
+  virtualisation.vmVariant.virtualisation.graphics = false;
+
+  time.timeZone = "Europe/Berlin";
+  system.stateVersion = "23.05"; # Do.. Not.. Change..
+}
+
--- a/machines/fanny/disk.key
+++ b/machines/fanny/disk.key
@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-05T19:35:48Z",
+		"mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-01-05T19:32:11Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2025-01-05T19:32:11Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}
--- a/machines/fanny/dummy.yaml
+++ b/machines/fanny/dummy.yaml
@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:YEmIfgtyHE9msYijva0Ye2w7shVmYBPZ3mcKRF7Cy20xa6yHEUQ0kC2OWnM=,iv:ouK6fHcrxrEtsmiPmtCz9Ca8Ec1algOifrgZSBNHi74=,tag:524e/SQt++hwVyeWruCsLg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVnB0dDdQT0tNSUJDSlhx
+            QVFoVTZlb01MbVBwM2V2MGdGZFJTWm1FTW5nCkN5V0Y5MEp4K2FiU0xNVlRQM2xN
+            SFJEWFFwTGhQWWwzNjlFN3NiakNBMnMKLS0tIE9MRHdnVHVYTG5rR1lGazdlK0Nv
+            cmZiN0R5OW9vaitZb0JIa2srdmNMRjAKYlL4e8hfB0YuVNLM65yyvvCKl6EAF6E5
+            YkAidAO5MY/wo1SDFQMeDub0Uso1QuNexYUZt7kzotvuPOzgywUORA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZ25EdmdWVjAwWGhiVDRa
+            cU9saUxnSXVDN0NodzI3aXMrTDZRc1FOUUJZCmh6V3lhS1FER2lyMzk5eU1XbXVh
+            b3JFQ05GdEZTNVFTdFJjN3dTN2xBaXMKLS0tIG15YlVvVHZ5c2pYVmZCaktwRXFx
+            NjJ5cFdTVS9NZmVWMjcrcHo2WDZEZDgKiDwkuUn90cDmidwYGZBb5qp+4R1HafV0
+            vMQfjT9GrwB5K/O1GumOmvbzLNhvO2vRZJhfVHzyHLzQK64abQgF5Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:46:09Z"
+    mac: ENC[AES256_GCM,data:eU3SIqAGrgbO2tz4zH1tgYcif7oe5j+/wmdYl2xXXI+D6IhiKrTJGvzE3rd3ElEpb+Bg0UQId952U2Ut0yPTfxGLtdlbJA66CmhLAksByoJ8lOXUcp/qDyA4yMRSuwYG2v7uF2crvue9fyRfZ7hl7abE/Q7Z2UjOKqhSZC5cO3U=,iv:NmCVvtBWZRzhpr5nMLy+98VuQZWoUms7xFSxq8PMvBA=,tag:UWjA7oqoNWh4wb0myNg7FA==,type:str]
+    pgp:
+        - created_at: "2025-01-19T22:45:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv/fLoi/LsDTN6tDdw0rWQg1iG/6oFFxcYO44XU2vCd13Ql
+            okvR1ZtvXtnM/FwTboK2KjxahkuAbapXXEvfWJ2W+d2L38aYxCPe/ryQhjrUP/jJ
+            4IjFSa5R6oWca9i5Apue5In71ACzGCF/v2oyNAF4fSDX7Q+YKOMiwaDatfOAKp5v
+            JlkcfIq6WBR+gKZsTCfLunURNJoKu7jz35OUJDmzyZl9u/xV0ENveQxaKa3hj87s
+            hb7RGXqph6WWhigy+rtTqYQNjycRDHuspb2GgGE5N7OYteZo/XxA3tDz2EWVCYx+
+            g8aEEvxHK3qEIcWbgmbKXNPNSH/CG1XQFaUhdSnkg5lMJsBuYToeNsPTS0o866k1
+            wmoiI3nT2KtnV2SeR3UUMNDqSDl5unLgBCrbDi0m3Sqt9ubjCfuOYN2T19WvAMZx
+            CwB33mVAevPy4Qs5IjPad1WtiaUFulkfJFd1iCM9dhA0RDxbIJRaVGCjqnaE4lW4
+            yP25uKoEUSitgr5nLk000lgBQBkE3obMFZ+DPoNaqupremevGJ71LyjJhXwgzQvk
+            7pwQXBZWybBFFcH7wDurSIJMqE1KP24Krshm7aR9yVNd3mEz7v2T5pbUywTP8H1I
+            TkFpiaZ7OG8G
+            =VXoo
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T22:45:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAmhiwA8S+wZ0wiyIJwmRyLMWj3Xm95dTnEoeZmJ2I3O4g
+            0szCKLdW8eUWrjZML09ByPYXQINkuyUR+g72+/ALEr9F587GxWDdMwcwLSlIYlX0
+            3GwnJ7ACv/uTZjK24AXno3TkffPQy+rRQwXkpmUz7CMCeH/WRmVtf1LFUuxgbcrj
+            Kmx9x52dn+ae5JOeMkEu4t8lAtI1pv1JRPnm6RIqK2N7VBRGjiD9SiyJiwLqV2GN
+            7N+vepFhbBKPzt+CFpnPWnFePb+TtQmAdJVULedlFPLcJGsPMloEXSuunK2eKveB
+            Vj1NO80i8PEVup02IlEabp+H7eYV8wZOviAJ7HGVhpw6kxD1tqO98KeSFfhuqbul
+            ijaeF2COgf9lioR6Y8T+RhTqeEZK85U/OGXgiM7MdTdYQV9BrY5nR5XSYIrK6zl9
+            TlS24DdM/Sd2939o+wdtgpm0FNQjW3WwA3n2QE/rqjQ6z2pyCTH16yRalAgHKNk/
+            B3uDGxIO5ua6xZwPzFrOB7uKggB8W/lx1eyAT53Lv7MTRp9PW6mm+NoVkNIzmCYa
+            5G2Y/bluKRt39O6UuSVrN8YLcyYCC+xYUfQf4Lr6/CwZ/XbgMTYm29+IgkOkgoS0
+            UxPcmXUgxi98lu5IhdIwWTNtaWEvT9adwmd3bxebWgDmUvK5QxAc7BYUnGIe+C7S
+            WAHA1m5OEQrNFLKGTSha/K20cDAoV2f4IAykRRWD3zieBAP3rzsIv78mgrMBIWP6
+            z1L41UXlBToKfcw8TI9XKIlYId/asI7mR+bqT3oLSdni8qr32VpRjZ0=
+            =MPBp
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/fanny/hardware-configuration.nix
+++ b/machines/fanny/hardware-configuration.nix
@@ -0,0 +1,49 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+boot.initrd.luks.devices = {
+root = {
+device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
+preLVM = true;
+allowDiscards = true;
+};
+};
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/402B-2026";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/fanny/secrets.yaml
+++ b/machines/fanny/secrets.yaml
@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh
+            cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy
+            WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK
+            RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL
+            2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK
+            U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX
+            eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS
+            cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/
+            MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-14T12:41:07Z"
+    mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
+    pgp:
+        - created_at: "2025-01-14T12:32:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8
+            5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO
+            8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN
+            zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA
+            cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O
+            /MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24
+            9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict
+            iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k
+            UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p
+            Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N
+            J+o9dahBHvIF
+            =GKm4
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-14T12:32:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs
+            W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF
+            e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR
+            GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q
+            yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM
+            wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap
+            FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT
+            cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul
+            QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2
+            MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB
+            5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS
+            WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw
+            CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE=
+            =9FN4
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/hosts.nix
+++ b/machines/hosts.nix
@@ -0,0 +1,75 @@
+{ ... }:
+
+{
+  malobeo = {
+    hosts = {
+      louise = {
+        type = "host";
+      };
+
+      bakunin = {
+        type = "host";
+      };
+
+      fanny = {
+        type = "host";
+      };
+
+      lucia = {
+        type = "rpi";
+      };
+
+      durruti = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.5";
+          mac = "52:DA:0D:F9:EF:F9";
+        };
+      };
+
+      vpn = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.10";
+          mac = "D0:E5:CA:F0:D7:E6";
+        };
+      };
+
+      infradocs = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.11";
+          mac = "D0:E5:CA:F0:D7:E7";
+        };
+      };
+
+      uptimekuma = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.12";
+          mac = "D0:E5:CA:F0:D7:E8";
+        };
+      };
+
+      nextcloud = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.13";
+          mac = "D0:E5:CA:F0:D7:E9";
+        };
+      };
+
+      overwatch = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.14";
+          mac = "D0:E5:CA:F0:D7:E0";
+        };
+      };
+
+      testvm = {
+        type = "host";
+      };
+    };
+  };
+}
--- a/machines/infradocs/configuration.nix
+++ b/machines/infradocs/configuration.nix
@@ -0,0 +1,27 @@
+{ self, config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "infradocs";
+    useDHCP = false;
+  };
+
+  imports = [
+    inputs.malobeo.nixosModules.malobeo.metrics
+    ../durruti/documentation.nix
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/machines/louise/configuration.nix
+++ b/machines/louise/configuration.nix
@@ -67,17 +67,13 @@
  networking.hostName = "louise";
  networking.networkmanager.enable = true;

-  sound.enable = true;
-  hardware.pulseaudio = {
-    enable = true;
-    zeroconf.discovery.enable = true;
-    extraConfig = ''
-      load-module module-zeroconf-discover
-    '';
-  };
-
-  services.avahi = {
+  security.rtkit.enable = true;
+  services.pipewire = {
    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    systemWide = true;
  };


--- a/machines/lucia/configuration.nix
+++ b/machines/lucia/configuration.nix
@@ -6,8 +6,8 @@ in
 {
  imports =
    [ # Include the results of the hardware scan.
+      ./hardware_configuration.nix
      ../modules/malobeo_user.nix
-      ./file_server.nix
    ];

  sops.defaultSopsFile = ./secrets.yaml;
@@ -15,20 +15,12 @@ in

  services.openssh.enable = true;
  services.openssh.ports = [ 22 ];
-  services.openssh.passwordAuthentication = false;
+  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;

  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
  boot.loader.grub.enable = false;
-  boot.loader.raspberryPi.enable = false;
-  boot.loader.raspberryPi.version = 3;
-  boot.loader.raspberryPi.uboot.enable = true;
-  boot.loader.raspberryPi.firmwareConfig = ''
-    dtparam=audio=on
-    hdmi_ignore_edid_audio=1
-    audio_pwm_mode=2
-  '';

  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;
@@ -40,12 +32,8 @@ in
  # Set your time zone.
  time.timeZone = "Europe/Berlin";

-  # hardware audio support:
-  sound.enable = true;
-
  services = {

-
  dokuwiki.sites."wiki.malobeo.org" = {
    enable = true;
    #acl = "* @ALL 8";  # everyone can edit using this config
@@ -199,7 +187,7 @@ in

  services.avahi = {
    enable = true;
-    nssmdns = true;
+    nssmdns4 = true;
    publish = {
      enable = true;
      addresses = true;
--- a/machines/lucia/dummy.yaml
+++ b/machines/lucia/dummy.yaml
@@ -0,0 +1,70 @@
+hello: ENC[AES256_GCM,data:ehp7eckur8THsbnSUcFYobA2SVDORUpqBcPTWC6/EvunlZbihaJoDoSfSh4Itg==,iv:nEHRg9TfYVdmJgrBs62Tek/3JhwFz8BMKHph4ThUqA8=,tag:1h2DSiOk4khxhRc7YX9ljg==,type:str]
+njala_api_key: ENC[AES256_GCM,data:vGH79aN2m1rZ0278ydoCQ0U5393HL0AZlajTVWcRbD+/V7QREN7ROW2LrdVK95I0cxobmJQ=,iv:vMpFTwWkC0R1/J9fZaks7c0G1Vj64/ryRkN5EgpWCdU=,tag:g2MJADBrJYTbmj2bhUQ8UA==,type:str]
+wireguard_private: ENC[AES256_GCM,data:T4c0qdFZdrwRU9i+nzAdg4ePEVXyeG4e/zNyn8G9Kd//Fwu1woNhQiyDuAo=,iv:VGPCSeU+RqjUdUlLA+RaCXQZK6AMdE4BwOdxM3whwaM=,tag:pXOwj3zxuFRpv2TInjISuw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU0lpUjBadHc2c1lPMUtv
+            dmtqRTd0OEd6TnJrQjJaaFFaMjQ0MWlONEJZClBrdVNMb2xhK2RXRzlmN2dmTzZk
+            SStWSzVGbWdqNEFpMnc3RFdpYWNEcTQKLS0tIDY0SlBvcmJ5RjFKTHQyN3lpSEZ2
+            Z3hTOHN2VWVPMENVS1YzR0Z6Y0MxZmMKf0K43yWL7DE15wqEWb6Z0xsQ3nb1Ybyi
+            0gKxb3hTeoWJnJug3hWyeAJvAJ4pzaA5v8PonnSIJK4UxBUnr+5nGw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIa0pnOGFlYU5OenJvWGhl
+            TjFhU0NyWmprRDY3ZWIrRHdmSVBMS3pER3dZCmVQdlVYQ0pFRTBwZXQ1Z1V5ODVK
+            dkREdEpsYk1MMm5kZU1hUEJYRWZDVjAKLS0tIHdsUjJTaURjaGErclJadTF0clhh
+            aStSbDZ6NWtFZ2NrNHY1a29DTmo4bGcKfZZjFA2j5RgMf0crK8TV67iVizzmXvBR
+            6tePJuCePnNDOoZ7WV5YThxYOPSTI1QvfEvcC1qo7l3Kca9jdkkfbQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:46:57Z"
+    mac: ENC[AES256_GCM,data:GIRj11bDZi38RobJvGoOf5geN42gaGk3294EvB21M/Y+lAsDOUUUbU1fQbBPRUsYvA/lyuHMQWRORTdy0LdjN9ejzwcuev8+j4i6A1zwPSmjIL2+Jp2pBqQj0F6th27hECJlh0wK3vU/aNcccRJP9kEgRME+7FS5uYw9r+ZPJWk=,iv:CUgdVr1b3O4niYTSFokA9uWR3ceiU+6qo+3N+K1BZ3Q=,tag:AERU8MZWHqVsZ+zbT27WIg==,type:str]
+    pgp:
+        - created_at: "2025-01-19T22:46:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAqm3KeXNDFMwVoz9qIIqtNHR+KIcdvdRTlG0GA5BEBiHp
+            hSGkyK/Ni3GGX0WYU5Cf85Id/eEoxqDqDd9kX6MSZK3LBnH+hFy4JiSPENVpmwfQ
+            eONaMwdfwI+/5ZfquVj/AApTXZ8ENhdBzLTuAfIa2hGPDwwkajzkVIg18TZOvKG6
+            f2wiEpnSOVHKnPcGhI1dGxN9TqqN74IUoPhThRzQ79l9RcTEZVClos9IPOhaPfk0
+            TvcBQez3G5Mn8W+s7kg4rl7g6XRZqjcaOuNwopB0x+Dx+alZExsTR6A+1Gf+29a+
+            ELwQYg2mkKUi48vrcKXxz+OMhW7V7wuXQIjLP4jULc7LI3ShRP8z4QKy7asOVRBh
+            XPjxRJ2RcTtEHYUoW3guzoZGSiPW/ex2fcupwaSRDG2GQ/ImiB5dmXSaG2va1MbX
+            z93Ej7Gy2IURglWCK29v4mJiqtDzq8/GNztT7zezHxyUAjjuJ59qXzFF/MQPibxY
+            p3dTfkNNrTqrCQnrFa8k0lgBtKmvz/HO3eCguXVMNgOt+BmfZbJqq+AD8HKYNxaM
+            W0A+9WRmYXcOEUqfaoX9IE9LhgqDd/xgpW4CujUZrXRYgf4IokSm/MFAD/ZnoxKm
+            n2My3wf5PCNd
+            =oUOe
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T22:46:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ/9HD1muIaf8us6XE5hGfrXuy5axFeJNBtc8igo/OP3jCam
+            M2pjwDNIX3EjsgrK2WYo43Xt7aHW5bqnP+d1faLXJ3I0cMia3XxSLmaKswQRrBSi
+            P00ew43kBSx0Smwixf5zCSCzBpWrtOXI8monO8xYLtRnSpfKBf/4kc2gQiuAxByd
+            fxdE/x1et0XXiK038KgHMnYdOIvMTGcpymoSDHk0bDw+ruBqG93cmzOkT4Oc5CsF
+            oeFN83ku1cGFQr58hUhJ1q5eUTK/lDEVYElGJ2n0pGxThYyrUz3SIzZu3Jbxgs/Q
+            2Xok4KsNPEbY2VKz/d3nrwbg2S3VF/CHl9sKxoFK8g3WcEE+HO7BFqvz901H+aUJ
+            5mN7stKSs5pViDHusv3Kv2+eT2fPJ4lPU2IEvXkCt3jjB/G0UDz+t6Qn1Wr8PPcO
+            8u+QafpILgYTK7QOF88GYstq8iWOWHlN9VKFYfqHMGWkrMtnGRWCbXsNmg7lKh6D
+            MtdvROsESVDKtydZwBpoQ4ILLROhkoL+eOMzFOgc/i4PWFlva2RBuRnZQNlieq/R
+            9aYpGsZbD+YYGjQKhlwwakpWK5XOoqqSh6Fv6Qzonu2Y++Zf9c9zpe+LINlUhxEY
+            AA1YnxbqvVJCqoBuq5avAd0fivhFDes0OmR7jLZzluotgwUePwBOVGo5l2ow/03S
+            WAGO2443OWOfbmTi/mq1C/8It1WAkC70XSQbff9pHLd4pRA6XgjMXbJ8+5X0FXRM
+            H5nWOAaO4Dp6SnccT3Q9zytkm+lXdJL6Rou3PkmP4JBvU535bNv5a3k=
+            =732R
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/lucia/file_server.nix
+++ b/machines/lucia/file_server.nix
@@ -1,36 +0,0 @@
-{
-  #automount mit udisks2
-    #siehe udevadm monitor
-    #bash-script?
-    #user-oder root mount
-  #systemd-automount villeicht
-    fileSystems = {
-      "/mnt/extHdd0" = {               #statisches mounten ist am einfachsten aber kein hotplug möglich
-        device = "/dev/disk/by-uuid/"; #noch ausfüllen
-        fsType = "ext4";               #zfs wäre hier cool
-        options = [ "users" "nofail" ];
-      };
-      "/exports/extHdd0" = {
-        device = "/mnt/extHdd0";
-        fsType = "none";
-      };
-    };
-
-    users.groups = { nfs = {gid = 1003; }; }; #erstelle nfs user und gruppe für isolation
-    users.users.nfs = {
-      isSystemUser = true;
-      group = "nfs";
-      uid = 1003;
-    };
-    users.users.malobeo.extraGroups = [ "nfs" ];
-    
-    systemd.tmpfiles.rules = [ "d /export 0775 nfs nfs -" ]; #erstelle nfs ordner
-
-    services.nfs.server = {
-      enable = true;
-      exports = ''
-        /export 192.168.1.0/24(ro, nohide, no_subtree_check, async, all_squash, anonuid=1003, anongid=1003)
-      '';
-    };
-    networking.firewall.allowedTCPPorts = [ 2049 ]; #wir benutzen NfsV4 hoffentlich
-}
--- a/machines/lucia/secrets.yaml
+++ b/machines/lucia/secrets.yaml
@@ -1,71 +1,81 @@
 hello: ENC[AES256_GCM,data:3VuyuX7MaLSmor4W22F3FUCGp8SUq4pE6z5nuiZenH07+zEeMAllVCP6g/j1fQ==,iv:A3Oh99AchsmrkMEb4ZRSIigb8Cr+3WlQtsgyZJGpLY8=,tag:TOHF9BaydkRD6cJAndryTg==,type:str]
 njala_api_key: ENC[AES256_GCM,data:qXGngMJaAOk2Gb8B4nwMTht9Vp/OEhGmKS5vh1kpi0MyqcsmwuwpWuUz+RWD6NDFn2w/35M=,iv:lsZyCrmcT1xJcLjzK4zkcRYmbKUeLUFYZ7oDfCVJV8c=,tag:WK+aF3XGBRDQuvL87Qdusw==,type:str]
+wireguard_private: ENC[AES256_GCM,data:ZxGbYLQKvrPibLpId+xbvqphlcgm/U5Se9XMS4FogmY4HfJnh9Y4Ja/x20I=,iv:PnZjiyKk1XuIq5/NLtOdWh20ytDEMYM7LJqmCoSrD0s=,tag:CZErG28Lo3aiQGovxEeZtA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age: []
-    lastmodified: "2023-10-24T15:09:51Z"
-    mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
-    pgp:
-        - created_at: "2023-10-24T14:42:18Z"
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh
+            RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5
+            NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4
+            aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
+            f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-14T18:10:54Z"
+    mac: ENC[AES256_GCM,data:DPQsRraMAvoezHsA7uM8q8sEevnZRnpU1vydEL72r6KJj12dT58KXCTuUeNgD+320LE1i83k6HLdM9C/+uniu73Ba5JSwglLLDBkZpfsdCde0aqkGjQd/RF/0Vb8ZbE/KCCCMVOjT6hX6RSDSEujoRMY26n1CWYtPeivqpWb5NY=,iv:TarRTCyPRoyQEb3qoXAJcOYtrTtftyZO4ahkyTZT8qU=,tag:A0kqa1szfk6Z5etivjB/lA==,type:str]
+    pgp:
+        - created_at: "2024-11-14T13:02:46Z"
+          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T
-            xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw
-            L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ
-            /f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd
-            eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb
-            mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez
-            cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh
-            3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a
-            FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2
-            XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT
-            WxGMHNWqN7NS
-            =XZkW
+            hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3
+            edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv
+            aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI
+            V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB
+            aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ
+            513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf
+            2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF
+            rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9
+            lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn
+            2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc
+            qkz9uKEGrGjb
+            =wPkW
            -----END PGP MESSAGE-----
          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2023-10-24T14:42:18Z"
-          enc: |
+        - created_at: "2024-11-14T13:02:46Z"
+          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA
-            WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT
-            iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW
-            1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH
-            X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN
-            0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q
-            D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF
-            apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf
-            OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/
-            y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz
-            DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS
-            WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf
-            MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0=
-            =2A7P
+            hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC
+            FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU
+            OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX
+            HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu
+            Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs
+            58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg
+            JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp
+            epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y
+            GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG
+            ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8
+            a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS
+            WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0
+            m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko=
+            =DC78
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2023-10-24T14:42:18Z"
-          enc: |
+        - created_at: "2024-11-14T13:02:46Z"
+          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO
-            2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU
-            VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA
-            2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464
-            qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL
-            m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi
-            KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF
-            rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx
-            3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ
-            emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh
-            1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS
-            WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7
-            wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo=
-            =NnkE
+            hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL
+            3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB
+            OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg
+            2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN
+            +QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI
+            ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0
+            R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J
+            pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW
+            608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m
+            c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl
+            64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS
+            WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu
+            8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY=
+            =8HBK
            -----END PGP MESSAGE-----
          fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
--- a/machines/moderatio/configuration.nix
+++ b/machines/moderatio/configuration.nix
@@ -1,92 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
-{
-  services.acpid.enable = true;
-
-  boot.kernelPackages = pkgs.linuxPackages_5_4;
-  services.xserver.videoDrivers = [ "intel" ];
-  services.xserver.deviceSection = ''
-    Option "DRI" "2"
-    Option "TearFree" "true"
-  '';
-
-  zramSwap.enable = true;
-  zramSwap.memoryPercent = 150;
-
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ./zfs.nix
-
-      ../modules/xserver.nix
-      ../modules/malobeo_user.nix
-      ../modules/sshd.nix
-      ../modules/minimal_tools.nix
-    ];
-
-  users.users.malobeo = {
-    packages = with pkgs; [
-      firefox
-      thunderbird
-    ];
-  };
-
-  networking.hostName = "moderatio"; # Define your hostname.
-  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
-
-  # Set your time zone.
-  time.timeZone = "Europe/Berlin";
-
-  # Select internationalisation properties.
-  # i18n.defaultLocale = "en_US.UTF-8";
-  # console = {
-  #   font = "Lat2-Terminus16";
-  #   keyMap = "us";
-  #   useXkbConfig = true; # use xkbOptions in tty.
-  # };
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio.enable = true;
-
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  # };
-
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  # system.copySystemConfiguration = true;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
-
-}
-
--- a/machines/moderatio/zfs.nix
+++ b/machines/moderatio/zfs.nix
@@ -1,34 +0,0 @@
-{ config, pkgs, ... }:
-
-{ boot.supportedFilesystems = [ "zfs" ];
-  networking.hostId = "ae749b82";
-  #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-boot.loader.efi.efiSysMountPoint = "/boot/efi";
-boot.loader.efi.canTouchEfiVariables = false;
-boot.loader.generationsDir.copyKernels = true;
-boot.loader.grub.efiInstallAsRemovable = true;
-boot.loader.grub.enable = true;
-boot.loader.grub.version = 2;
-boot.loader.grub.copyKernels = true;
-boot.loader.grub.efiSupport = true;
-boot.loader.grub.zfsSupport = true;
-boot.loader.grub.extraPrepareConfig = ''
-  mkdir -p /boot/efis
-  for i in  /boot/efis/*; do mount $i ; done
-
-  mkdir -p /boot/efi
-  mount /boot/efi
-'';
-boot.loader.grub.extraInstallCommands = ''
-ESP_MIRROR=$(mktemp -d)
-cp -r /boot/efi/EFI $ESP_MIRROR
-for i in /boot/efis/*; do
- cp -r $ESP_MIRROR/EFI $i
-done
-rm -rf $ESP_MIRROR
-'';
-boot.loader.grub.devices = [
-      "/dev/disk/by-id/ata-ST250LT003-9YG14C_W041QXCA"
-    ];
-users.users.root.initialHashedPassword = "$6$PmoyhSlGGT6SI0t0$.cFsLyhtO1ks1LUDhLjG0vT44/NjuWCBrv5vUSXqwrU5WpaBvvthnLp0Dfwfyd6Zcdx/4izDcjQAgEWs4QdzW0";
-}
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -0,0 +1,278 @@
+{config, inputs, lib, ...}:
+let 
+  cfg = config.malobeo.disks;
+in
+{
+  imports = [inputs.disko.nixosModules.disko];
+  options.malobeo.disks = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable disko disk creation";
+    };
+    hostId = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+      description = "Host ID for zfs disks, generate with 'head -c4 /dev/urandom | od -A none -t x4'";
+    };
+    encryption = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Allows encryption to be disabled for testing";
+    };
+    devNodes = lib.mkOption {
+      type = lib.types.str;
+      default = "/dev/disk/by-id/";
+      description = ''
+        where disks should be mounted from
+        https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux
+        use "/dev/disk/by-path/" for vm's
+      '';
+    };
+    root = {
+      disk0 = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        description = "name ab /dev für root dateisystem";
+      };
+      disk1 = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        description = "name ab /dev für eventuellen root mirror";
+      };
+      swap = lib.mkOption {
+        type = lib.types.str;
+        default = "8G";
+        description = "size of swap partition (only disk0)";
+      };
+      reservation = lib.mkOption {
+        type = lib.types.str;
+        default = "20GiB";
+        description = "zfs reservation";
+      };
+      mirror = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "mirror zfs root pool";
+      };
+    };
+    storage = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Enable storage pool";
+      };
+      disks = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        description = "name ab /dev/ für storage pool";
+        example = "ata-ST16000NE000-2RW103_ZL2P0YSZ";
+      };
+      reservation = lib.mkOption {
+        type = lib.types.str;
+        default = "20GiB";
+        description = "zfs reservation";
+      };
+      mirror = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "mirror zfs storage pool";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.hostId = cfg.hostId;
+    disko.devices = {
+      disk = lib.mkMerge [
+        {
+          ssd0 = lib.mkIf (cfg.root.disk0 != "") {
+            type = "disk";
+            device = "/dev/${cfg.root.disk0}";
+            content = {
+              type = "gpt";
+              partitions = {
+                ESP = {
+                  size = "1024M";
+                  type = "EF00";
+                  content = {
+                    type = "filesystem";
+                    format = "vfat";
+                    mountpoint = "/boot";
+                    mountOptions = [ "umask=0077" ];
+                  };
+                };
+                encryptedSwap = {
+                  size = cfg.root.swap;
+                  content =  {
+                    type = "swap";
+                    randomEncryption = true;
+                  };
+                };
+                zfs = {
+                  size = "100%";
+                  content = {
+                    type = "zfs";
+                    pool = "zroot";
+                  };
+                };
+              };
+            };
+          };
+          ssd1 = lib.mkIf (cfg.root.disk1 != "") {
+            type = "disk";
+            device = "/dev/${cfg.root.disk1}";
+            content = {
+              type = "gpt";
+              partitions = {
+                zfs = {
+                  size = "100%";
+                  content = {
+                    type = "zfs";
+                    pool = "zroot";
+                  };
+                };
+              };
+            };
+          };
+        }
+        (lib.mkIf cfg.storage.enable (
+          lib.mkMerge (
+            map (diskname: {
+              "${diskname}" = {
+                type = "disk";
+                device = "/dev/${diskname}";
+                content = {
+                  type = "gpt";
+                  partitions = {
+                    zfs = {
+                      size = "100%";
+                      content = {
+                        type = "zfs";
+                        pool = "storage";
+                      };
+                    };
+                  };
+                };
+              };
+            }) cfg.storage.disks
+          )
+        ))
+      ];
+
+      zpool = {
+        zroot = {
+          type = "zpool";
+          mode = lib.mkIf cfg.root.mirror "mirror";
+          # Workaround: cannot import 'zroot': I/O error in disko tests
+          options.cachefile = "none";
+          rootFsOptions = {
+            mountpoint = "none";
+            xattr = "sa";         # für microvm virtiofs mount
+            acltype = "posixacl"; # für microvm virtiofs mount 
+            compression = "zstd";
+            "com.sun:auto-snapshot" = "false";
+          };
+
+          datasets = {
+            encrypted = {
+              type = "zfs_fs";
+              options = {
+                mountpoint = "none";
+                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                keyformat = lib.mkIf cfg.encryption "passphrase";
+                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+              };
+              # use this to read the key during boot
+              postCreateHook = lib.mkIf cfg.encryption ''
+                zfs set keylocation="prompt" zroot/encrypted;
+              '';
+
+            };
+            "encrypted/root" = {
+              type = "zfs_fs";
+              mountpoint = "/";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/var" = {
+              type = "zfs_fs";
+              mountpoint = "/var";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/etc" = {
+              type = "zfs_fs";
+              mountpoint = "/etc";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/home" = {
+              type = "zfs_fs";
+              mountpoint = "/home";
+              options.mountpoint = "legacy";
+            };
+            "encrypted/nix" = {
+              type = "zfs_fs";
+              mountpoint = "/nix";
+              options.mountpoint = "legacy";
+            };
+            reserved = {
+              # for cow delete if pool is full
+              options = {
+                canmount = "off";
+                mountpoint = "none";
+                reservation = "${cfg.root.reservation}";
+              };
+              type = "zfs_fs";
+            };
+          };
+        };
+
+        storage = lib.mkIf cfg.storage.enable {
+          type = "zpool";
+          mode = lib.mkIf (cfg.storage.mirror) "mirror";
+          rootFsOptions = { 
+            mountpoint = "none";
+            xattr = "sa";         # für microvm virtiofs mount
+            acltype = "posixacl"; # für microvm virtiofs mount 
+          };
+          datasets = {
+            encrypted = {
+              type = "zfs_fs";
+              options = {
+                mountpoint = "none";
+                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                keyformat = lib.mkIf cfg.encryption "passphrase";
+                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+              };
+              # use this to read the key during boot
+              postCreateHook = lib.mkIf cfg.encryption ''
+                zfs set keylocation="file:///root/secret.key" storage/encrypted;
+              '';
+            };
+            "encrypted/data" = {
+              type = "zfs_fs";
+              mountpoint = "/data";
+            };
+            reserved = {
+              # for cow delete if pool is full
+              options = {
+                canmount = "off";
+                mountpoint = "none";
+                reservation = "${cfg.storage.reservation}";
+              };
+              type = "zfs_fs";
+            };
+          };
+        };
+      };
+    };
+
+    boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
+    boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
+    fileSystems."/".neededForBoot = true;
+    fileSystems."/etc".neededForBoot = true;
+    fileSystems."/boot".neededForBoot = true;
+    fileSystems."/var".neededForBoot = true;
+    fileSystems."/home".neededForBoot = true;
+    fileSystems."/nix".neededForBoot = true;
+  };
+}
--- a/machines/modules/host_builder.nix
+++ b/machines/modules/host_builder.nix
@@ -0,0 +1,243 @@
+{ self
+, nixpkgs-unstable
+, nixpkgs
+, sops-nix
+, inputs
+, hosts
+, ...
+}:
+let
+  pkgs = nixpkgs.legacyPackages."x86_64-linux";
+in
+rec {
+  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+  nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem;
+
+  baseModules = [
+    # make flake inputs accessiable in NixOS
+    { _module.args.inputs = inputs; }
+    {
+      imports = [
+        ({ pkgs, ... }: {
+          nix = {
+            extraOptions = ''
+              experimental-features = nix-command flakes
+            '';
+
+            settings = {
+              substituters = [
+                "https://cache.dynamicdiscord.de"
+                "https://cache.nixos.org/"
+              ];
+              trusted-public-keys = [
+                "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4="
+              ];
+              trusted-users = [ "root" "@wheel" ];
+            };
+          };
+        })
+
+        sops-nix.nixosModules.sops
+      ];
+    }
+  ];
+  defaultModules = baseModules;
+
+  makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
+    {
+      microvm = {
+        hypervisor = "cloud-hypervisor";
+        mem = 2560;
+        shares = [
+          {
+            source = "/nix/store";
+            mountPoint = "/nix/.ro-store";
+            tag = "store";
+            proto = "virtiofs";
+            socket = "store.socket";
+          }
+          {
+            source = "/var/lib/microvms/${hostName}/etc";
+            mountPoint = "/etc";
+            tag = "etc";
+            proto = "virtiofs";
+            socket = "etc.socket";
+          }
+          {
+            source = "/var/lib/microvms/${hostName}/var";
+            mountPoint = "/var";
+            tag = "var";
+            proto = "virtiofs";
+            socket = "var.socket";
+          }
+        ];
+
+        interfaces = [
+          {
+            type = "tap";
+            id = "vm-${hostName}";
+            mac = "${macAddr}";
+          }
+        ];
+      };
+
+      systemd.network.enable = true;
+      
+      systemd.network.networks."20-lan" = {
+        matchConfig.Type = "ether";
+        networkConfig = {
+          Address = [ "${ipv4Addr}/24" ];
+          Gateway = "10.0.0.1";
+          DNS = ["1.1.1.1"];
+          DHCP = "no";
+        };
+      };
+    }
+  ] ++ defaultModules ++ modules;
+
+  inputsMod = inputs // { malobeo = self; };
+
+
+    vmMicroVMOverwrites = hostname: options: {
+      microvm = rec {
+        mem = pkgs.lib.mkForce 4096;
+        hypervisor = pkgs.lib.mkForce "qemu";
+        socket = pkgs.lib.mkForce null;
+
+
+        #needed for hosts that deploy imperative microvms (for example fanny)
+        writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store";
+        volumes = pkgs.lib.mkIf options.writableStore [ {
+          image = "nix-store-overlay.img";
+          mountPoint = writableStoreOverlay;
+          size = 2048;
+        } ];
+
+        shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [
+          {
+            tag = "ro-store";
+            source = "/nix/store";
+            mountPoint = "/nix/.ro-store";
+          }
+        ] ++ pkgs.lib.optionals (options.varPath != "") [
+          {
+            source = "${options.varPath}";
+            securityModel = "mapped";
+            mountPoint = "/var";
+            tag = "var";
+          }
+        ]);
+
+        interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
+          type = "user";
+          id = "eth0";
+          mac = "02:23:de:ad:be:ef";
+        }]);
+
+        #if networking is disabled forward port 80 to still have access to webservices
+        forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [
+          { from = "host"; host.port = options.fwdPort; guest.port = 80; }
+        ]);
+
+      };
+
+      fileSystems = {
+        "/".fsType = pkgs.lib.mkForce "tmpfs";
+
+        # prometheus uses a memory mapped file which doesnt seem supported by 9p shares
+        # therefore we mount a tmpfs inside the datadir
+        "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce {
+          fsType = pkgs.lib.mkForce "tmpfs";
+        });
+      };
+
+      boot.isContainer = pkgs.lib.mkForce false;
+      services.timesyncd.enable = false;
+      users.users.root.password = "";
+      services.getty.helpLine = ''
+        Log in as "root" with an empty password.
+        Use "reboot" to shut qemu down.
+      '';
+    };
+
+    vmDiskoOverwrites = {
+      boot.initrd = {
+        secrets = pkgs.lib.mkForce {};
+        network.ssh.enable = pkgs.lib.mkForce false;
+      };
+
+      malobeo.disks.enable = pkgs.lib.mkForce false;
+      networking.hostId = "a3c3101f";
+    };
+
+    vmSopsOverwrites = host: {
+      sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml;
+
+      environment.etc = {
+        devHostKey = {
+          source = ../secrets/devkey_ed25519;
+          mode = "0600";
+        };
+      };
+
+      services.openssh.hostKeys = [{
+        path = "/etc/devHostKey";
+        type = "ed25519";
+      }];
+    };
+
+    vmNestedMicroVMOverwrites = host: sopsDummy: {
+
+      services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
+      microvm.vms = 
+      let
+        # Map the values to each hostname to then generate an Attrset using listToAttrs
+        mapperFunc = name: { inherit name; value = {
+          specialArgs.inputs = inputsMod;
+          specialArgs.self = self;
+          config = {
+            imports = (makeMicroVM "${name}" 
+                                   "${hosts.malobeo.hosts.${name}.network.address}"
+                                   "${hosts.malobeo.hosts.${name}.network.mac}" [
+              ../${name}/configuration.nix     
+              (vmMicroVMOverwrites name { 
+                withNetworking = true; 
+                varPath = ""; 
+                writableStore = false; })
+              (if sopsDummy then (vmSopsOverwrites name) else {})
+            ]);
+          };
+        }; };
+      in
+      builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
+    };
+
+    buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
+        modules = [
+            (vmMicroVMOverwrites host { 
+              withNetworking = networking; 
+              varPath = "${varPath}"; 
+              writableStore = writableStore;
+              fwdPort = fwdPort; })
+            (if sopsDummy then (vmSopsOverwrites host) else {})
+            (if disableDisko then vmDiskoOverwrites else {})
+          ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [
+            inputs.microvm.nixosModules.microvm
+          ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [
+            (vmNestedMicroVMOverwrites host sopsDummy)
+        ];
+      });
+
+  buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem {
+    system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux";
+    specialArgs.inputs = inputsMod;
+    specialArgs.self = self;
+    modules = (if (settings.type != "microvm") then
+      defaultModules ++ [ ../${host}/configuration.nix ]
+      else
+      makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [
+        inputs.microvm.nixosModules.microvm
+        ../${host}/configuration.nix
+      ]);
+  }) hosts);
+}
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+let 
+  cfg = config.malobeo.initssh;
+  inherit (config.networking) hostName;
+
+in
+{
+  options.malobeo.initssh = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable initrd-ssh";
+    };
+    authorizedKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Authorized keys for the initrd ssh";
+    };
+    ethernetDrivers = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
+      example = "r8169";
+    };
+  };
+  
+  config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
+    boot = {
+      loader.systemd-boot.enable = true;
+      loader.efi.canTouchEfiVariables = true;
+      supportedFilesystems = [ "vfat" "zfs" ];
+      zfs = {
+        requestEncryptionCredentials = true;
+      };
+      initrd = {
+        availableKernelModules = cfg.ethernetDrivers;
+        systemd = {
+          enable = true;
+          network.enable = true;
+        };
+        network.ssh = {
+          enable = true;
+          port = 222;
+          authorizedKeys = cfg.authorizedKeys;
+          hostKeys = [ "/etc/ssh/initrd" ];
+        };
+        secrets = {
+          "/etc/ssh/initrd" = "/etc/ssh/initrd";
+        };
+        systemd.services.zfs-remote-unlock = {
+          description = "Prepare for ZFS remote unlock";
+          wantedBy = ["initrd.target"];
+          after = ["systemd-networkd.service"];
+          path = with pkgs; [ zfs ];
+          serviceConfig.Type = "oneshot";
+          script = ''
+            echo "systemctl default" >> /var/empty/.profile
+          '';
+        };
+      };
+      kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
+    };
+  };
+}
--- a/machines/modules/malobeo/metrics.nix
+++ b/machines/modules/malobeo/metrics.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+let 
+  cfg = config.malobeo.metrics;
+in
+{
+  options.malobeo.metrics = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable sharing metrics";
+    };
+    enablePromtail = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Enable sharing logs";
+    };
+    logNginx = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Share nginx logs";
+    };
+    lokiHost = lib.mkOption {
+      type = lib.types.str;
+      default = "10.0.0.14";
+      description = "Address of loki host";
+    };
+  };
+  
+  config = lib.mkIf (cfg.enable) {
+
+    networking.firewall.allowedTCPPorts = [ 9002 ];
+
+    services.prometheus = {
+      exporters = {
+        node = {
+          enable = true;
+          enabledCollectors = [ "systemd" "processes" ];
+          port = 9002;
+        };
+      };
+    };
+
+    services.promtail = {
+      enable = cfg.enablePromtail;
+      configFile = import ./promtail_config.nix { 
+        lokiAddress = cfg.lokiHost;
+        logNginx = cfg.logNginx;
+        config = config;
+        pkgs = pkgs;
+      };
+    };
+
+    users.users.promtail.extraGroups = [ "systemd-journal" ] ++ (lib.optionals cfg.logNginx [ "nginx" ]) ;
+
+  };
+}
--- a/machines/modules/malobeo/microvm_client.nix
+++ b/machines/modules/malobeo/microvm_client.nix
@@ -0,0 +1,28 @@
+{config, lib, pkgs, ...}:
+let
+  cfg = config.services.malobeo.microvm.client;
+in
+{
+  options.services.malobeo.microvm.client = {
+    nextcloud = {
+      enable = lib.mkEnableOption "enable the nextcloud microvm wrapper";
+      datadir = lib.mkOption {
+        type = lib.types.string;
+        default = "/data/services/nextcloud/";
+        description = "set a custom datadir";
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.nextcloud.enable { #add check for run-vm?
+      services.malobeo.microvm.deployHosts = ["nextcloud"];
+      microvm.vms.nextcloud.config.microvm.shares = lib.mkAfter [{
+        source = cfg.datadir;
+        mountPoint = "/datadir";
+        tag = "nc-datadir";
+        proto = "virtiofs";
+      }];
+    })
+  ];
+}
--- a/machines/modules/malobeo/microvm_host.nix
+++ b/machines/modules/malobeo/microvm_host.nix
@@ -0,0 +1,119 @@
+{ config, self, lib, inputs, options, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.malobeo.microvm;
+in
+{
+  options = {
+    services.malobeo.microvm = {
+      enableHostBridge = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Setup bridge device for microvms.";
+      };
+
+      enableHostBridgeUnstable = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Setup bridge device for microvms.";
+      };
+
+      deployHosts = mkOption {
+        default = [];
+        type = types.listOf types.str;
+        description = ''
+          List hostnames of MicroVMs that should be automatically initializes and autostart
+        '';
+      };
+    };
+  };
+
+
+  imports = [
+    inputs.microvm.nixosModules.host
+  ];
+
+  config = { 
+    assertions = [
+      {
+        assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge);
+        message = ''
+          Only enableHostBridge or enableHostBridgeUnstable! Not Both!
+        '';
+      }
+    ];
+
+    systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
+      enable = true;
+      # create a bride device that all the microvms will be connected to
+      netdevs."10-microvm".netdevConfig = {
+        Kind = "bridge";
+        Name = "microvm";
+      };
+
+      networks."10-microvm" = {
+        matchConfig.Name = "microvm";
+        networkConfig = {
+          DHCPServer = true;
+          IPv6SendRA = true;
+        };
+        addresses = if cfg.enableHostBridgeUnstable then [
+          { Address = "10.0.0.1/24"; }
+        ] else [
+          { addressConfig.Address = "10.0.0.1/24"; }
+        ];
+      };
+
+      # connect the vms to the bridge
+      networks."11-microvm" = {
+        matchConfig.Name = "vm-*";
+        networkConfig.Bridge = "microvm";
+      };
+    }; 
+
+    microvm.vms = 
+    let
+      # Map the values to each hostname to then generate an Attrset using listToAttrs
+      mapperFunc = name: { inherit name; value = {
+          # Host build-time reference to where the MicroVM NixOS is defined
+          # under nixosConfigurations
+          flake = inputs.malobeo; 
+          # Specify from where to let `microvm -u` update later on
+          updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure";
+        }; };
+    in
+    builtins.listToAttrs (map mapperFunc cfg.deployHosts);
+
+    systemd.services = builtins.foldl' (services: name: services // {
+      "microvm-update@${name}" = {
+        description = "Update MicroVMs automatically";
+        after = [ "network-online.target" ];
+        wants = [ "network-online.target" ];
+        unitConfig.ConditionPathExists = "/var/lib/microvms/${name}";
+        serviceConfig = {
+          LimitNOFILE = "1048576";
+          Type = "oneshot";
+        };
+        path = with pkgs; [ nix git ];
+        environment.HOME = config.users.users.root.home;
+        script = ''
+          /run/current-system/sw/bin/microvm -Ru ${name}
+        '';
+      };
+    }) {} (cfg.deployHosts);
+
+    systemd.timers = builtins.foldl' (timers: name: timers // {
+    "microvm-update-${name}" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "microvm-update@${name}.service";
+        # three times per hour
+        OnCalendar = "*:0,20,40:00";
+        Persistent = true;
+      };
+    };
+  }) {} (cfg.deployHosts);
+  };
+}
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -0,0 +1,39 @@
+{
+  "vpn" = {
+    role = "server";
+    publicIp = "5.9.153.217";
+    address = [ "10.100.0.1/24" ];
+    allowedIPs = [ "10.100.0.0/24" ];
+    listenPort = 51821;
+    publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
+    persistentKeepalive = 25;
+  };
+
+  "celine" = {
+    role = "client";
+    address = [ "10.100.0.2/24" ];
+    allowedIPs = [ "10.100.0.2/32" ];
+    publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
+  };
+
+  "desktop" = {
+    role = "client";
+    address = [ "10.100.0.3/24" ];
+    allowedIPs = [ "10.100.0.3/32" ];
+    publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
+  };
+
+  "atlan-pc" = {
+    role = "client";
+    address = [ "10.100.0.5/24" ];
+    allowedIPs = [ "10.100.0.5/32" ];
+    publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
+  };
+
+  "fanny" = {
+    role = "client";
+    address = [ "10.100.0.101/24" ];
+    allowedIPs = [ "10.100.0.101/32" ];
+    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
+  };
+}
--- a/machines/modules/malobeo/promtail_config.nix
+++ b/machines/modules/malobeo/promtail_config.nix
@@ -0,0 +1,49 @@
+{ logNginx, lokiAddress, config, pkgs, ... }:
+
+let
+  basecfg = ''
+    server:
+      http_listen_port: 9080
+      grpc_listen_port: 0
+    
+    positions:
+      filename: /tmp/positions.yaml
+    
+    clients:
+      - url: http://${lokiAddress}:3100/loki/api/v1/push
+  '';
+
+  withNginx = ''
+    scrape_configs:
+      - job_name: journal
+        journal:
+          max_age: 12h
+          labels:
+            job: systemd-journal
+            host: ${config.networking.hostName}
+        relabel_configs:
+          - source_labels: ["__journal__systemd_unit"]
+            target_label: "unit"
+      - job_name: nginx
+        static_configs:
+        - targets:
+            - localhost
+          labels:
+            job: nginx
+            __path__: /var/log/nginx/*log
+  '';
+
+  withoutNginx = ''
+    scrape_configs:
+      - job_name: journal
+        journal:
+          max_age: 12h
+          labels:
+            job: systemd-journal
+            host: ${config.networking.hostName}
+        relabel_configs:
+          - source_labels: ["__journal__systemd_unit"]
+            target_label: "unit"
+  '';
+in
+pkgs.writeText "promtailcfg.yaml" (if logNginx then ''${basecfg}${withNginx}'' else ''${basecfg}${withoutNginx}'')
--- a/machines/modules/malobeo/wireguard.nix
+++ b/machines/modules/malobeo/wireguard.nix
@@ -0,0 +1,101 @@
+{ config, self, lib, inputs, options, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.malobeo.vpn;
+  peers = import ./peers.nix;
+  myPeer = if cfg.name == "" then peers.${config.networking.hostName} else peers.${cfg.name};
+
+  peerList = builtins.filter (peer: peer.role != myPeer.role) (builtins.attrValues peers);
+  peerListWithEndpoint = map (host:
+    if host.role == "server" then
+      host // { endpoint = "${host.publicIp}:${builtins.toString host.listenPort}"; }
+    else
+      host
+  ) peerList;
+  filteredPeerlist = map (host: builtins.removeAttrs host [ 
+    "role" 
+    "address" 
+    "listenPort" 
+    "publicIp" 
+  ] ) peerListWithEndpoint;
+in
+{
+  options = {
+    services.malobeo.vpn = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Setup wireguard to access malobeo maintainance vpn";
+      };
+
+      autostart = mkOption {
+        default = true;
+        type = types.bool;
+        description = lib.mdDoc "whether to autostart vpn interface on boot";
+      };
+
+      name = mkOption {
+        default = "";
+        type = types.str;
+        description = ''
+          Name of the host in peers.nix, if empty uses hostname
+        '';
+      };
+
+      privateKeyFile = mkOption {
+        default = "";
+        type = types.str;
+        description = ''
+          Path to private key
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable { 
+    assertions = [
+      {
+        assertion = !(myPeer.role != "client" && myPeer.role != "server");
+        message = ''
+          VPN Role must be either client or server, nothing else!
+        '';
+      }
+    ];
+    
+    boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf (myPeer.role == "server") 1;
+
+    networking.wg-quick = {
+      interfaces = {
+        malovpn = {
+          mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
+          address = myPeer.address;
+          autostart = cfg.autostart;
+          listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
+
+          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+          postUp = mkIf (myPeer.role == "server") ''
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
+          '';
+
+          # This undoes the above command
+          postDown = mkIf (myPeer.role == "server") ''
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
+          '';
+
+          privateKeyFile = cfg.privateKeyFile;
+
+          peers = filteredPeerlist;
+        };
+      };
+    };
+
+    #networking.nat = mkIf (myPeer.role == "server"){
+    #  enable = true;
+    #  internalInterfaces = [ "microvm" ];
+    #  externalInterface = "eth0"; #change to your interface name
+    #};
+  };
+}
--- a/machines/modules/malobeo_user.nix
+++ b/machines/modules/malobeo_user.nix
@@ -6,7 +6,7 @@ in
 {
  users.users.malobeo = {
    isNormalUser = true;
-    extraGroups = [ "wheel" "pulse-access" "scanner" "lp" ];
+    extraGroups = [ "pipewire" "wheel" "pulse-access" "scanner" "lp" ];
    openssh.authorizedKeys.keys = sshKeys.admins;
    initialPassword = "test";
  };
--- a/machines/modules/sshd.nix
+++ b/machines/modules/sshd.nix
@@ -6,7 +6,7 @@ in
 {
  services.openssh.enable = true;
  services.openssh.ports = [ 22 ];
-  services.openssh.passwordAuthentication = false;
+  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.PermitRootLogin = "no";
  users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
 }
--- a/machines/modules/xserver.nix
+++ b/machines/modules/xserver.nix
@@ -7,7 +7,6 @@
      xterm.enable = false;
      cinnamon.enable = true;
    };
-
-    displayManager.defaultSession = "cinnamon";
  };
+  services.displayManager.defaultSession = "cinnamon";
 }
--- a/machines/nextcloud/configuration.nix
+++ b/machines/nextcloud/configuration.nix
@@ -0,0 +1,72 @@
+{ config, self, lib, pkgs,  ... }:
+
+with lib;
+
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    nextcloudAdminPass = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+
+  networking = {
+    hostName = mkDefault "nextcloud";
+    useDHCP = false;
+  };
+
+  imports = [
+    self.nixosModules.malobeo.metrics
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ../modules/minimal_tools.nix
+    ../modules/autoupdate.nix
+  ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud30;
+    hostName = "cloud.malobeo.org";
+    config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
+    #https = true; #disable for testing
+    datadir = "/datadir";
+    database.createLocally = true;
+    config.dbtype = "pgsql";
+    configureRedis = true;
+    caching = {
+      redis = true;
+      apcu = true;
+    };
+    extraAppsEnable = true;
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls;
+      collectives = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
+        url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
+        license = "agpl3Plus";
+      };
+    };
+    settings = {
+      trusted_domains = ["10.0.0.13"];
+      "maintenance_window_start" = "1";
+      "default_phone_region" = "DE";
+    };
+    phpOptions = {
+      "realpath_cache_size" = "0";
+      "opcache.interned_strings_buffer" = "23";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/machines/nextcloud/dummy.yaml
+++ b/machines/nextcloud/dummy.yaml
@@ -0,0 +1,68 @@
+nextcloudAdminPass: ENC[AES256_GCM,data:4GvCg7g=,iv:3m2Vh86WzrVR7BG0xlNwRE9ebIGLWbVdcxoYC9x7dXo=,tag:t2bWTVlw9rHSVnkXW8ZTFQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbTYrcUV3Wk0xSDM1Mm0w
+            TkoxZHBFUXFBSC80YzkwV3paWGpRaFY2WndZClh1c0xmNWpWMjFXOS9OYU9OU2Mx
+            c3NEREczaDkvNC90eERwb0RKUlNZemsKLS0tIEp1VWZISXZoWFNuRC9mVE1JUmc3
+            bUNFd2dyRGludFQ3MzdiRzFTcXUwWlkKFGd8Uvfu2W1LejgQFpF162JnVmfPxAuX
+            IQ3oopYXUBM3QqCXGLTY3DBffD4WZ4AXyGLsfUtwn3kcvjQ85ewidw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraEtDblNxMGY0NlhzcDdM
+            RFo2VGI1UFE4eVdZdDZ5ZTNKRUFCRWFHOWdBCkRBaGk2WmYxK2ovbHQrSGl3akVp
+            TUhxck83Q1NVQy9VU0lXOEVraGtOZ1UKLS0tIDYxS0hHSW1nZW9hOTFJNCtheU1x
+            ZXk2b1RVd1FoYk4xTGxKQ1cxZmVJalkKkC5XckyrgwfqaeVq+OjNCzAtKKiCf7Q9
+            sC9ZMlPoOAm8xpLEpWgNooOBa04YsDEe9XgN8S0HrVxt/NHlnS5+ow==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:23:37Z"
+    mac: ENC[AES256_GCM,data:ZVMA4qgliSASQ0LtuedU4pybVwJA0x4vdSlOspsTF22s9DjRbG2tA7PpxTqDBGliBqS4w5J6Rqp3OSF7zddZ23GOz72sOZv0WY5YGeYxIltT7RWSMRkhkwXoM8Pf3BOYCZ4Gy8zaMVnbwbhHZ9LZI6wulh19SDKBV965moUW+Z0=,iv:tmz8C1kGUZq8gfzTHoaU/8RfrT5ohLqA11H42l7TEv0=,tag:E3AV6t2bbKASeVI2G3kNYA==,type:str]
+    pgp:
+        - created_at: "2025-01-19T22:23:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAsbbUEzSg7iETqT40w/+qjJ+iuHUeeZ+NFMPVVedbLuZX
+            /gPPSJ3JSx3wxJke+QPX/OUiRxXwGBZ5yg7CDoc+RrrdaavazuOUGISL38KPQiin
+            TmUq4nY6nWjMqHPSaQ+NiGxRpIErCQCUx6YEdi4YgHhf9J4KEg0f7ueR5wWlfzx4
+            c7pXkEubFpPy4v45mh8sYXOQTa2yt2keprJ6iqmfL/HKnCJf1TBFxJAvwnPuKDfe
+            npvE4Pk5hcoKjFQNsqpnz7Etc8XfAYXSCXSLKfSaZNSeXQRhE1lHLH9OPnC46li7
+            Dw6SPW0/4MTJrg08JvrNeogQ1QohLT4mkfAnASVUUeGFaF7UhztVoodqMsG8kuhD
+            LtmYv625h3j/QqshpFPGe8nJG1DziE4YHngxvgToIC+6+Q2x47ciulpimlpt6b6w
+            s+mGEVlJLSoJMd9jwE53PMXteBYKWgSEL7osj1V5KIJDFSgwfjYEngCkuyxjf8e3
+            uYxb1WEadSyLhW8xnoyE0lYB6WI8m6j2Ls9TFG7kKtQqrnVSZd2nsKk/5wPVIAXO
+            nrMtb4Q88PLM1eusiLgCs592owKHoWVYqBRpi79EBlnGZwmTfDQzTsQlL7aQCbIo
+            kBI1swNH3g==
+            =K/IK
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T22:23:26Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ/7BGOQn8xVX9IOFHnUXKdiw/+fcXHu0L7CLuhcEfpZRJNI
+            vIbztLTH5gT59SkS07cIEcYWqERO+gjK6pZLCxmYO/c15YDWCv1PtS4YHZAET+ow
+            YHzBTZDq2k+pV/cTbUtJgGYOxuqkqUtflyGZSQM+NjSXu4In83u+nwkEaKSxcaWt
+            q9rrYVkBUiika2FYtyehoCoDuyJzNmfGhZ9CPJaUzrSzuRLQZy6Hdg8TDPTzGqi4
+            awo53eOdsEpNu1AQ5rnJ19RFLU63IQlwEnApnXZZ+AX8J2//KgLOcAqjo5skJuN1
+            EJBh4DjfmOdCCN3uRccNiDn9YYrPP5Jl3jfnkMUQ2gVEE/c5ib84hvjc+y9Eh1jJ
+            s2JqhfX+ccV5kuva1q1CuTUCHQVEKahJAvghl77JQjtUY6Lf+5QLeKbchUnwxaIN
+            v6MwZmdCwBJOS40SnA+Ft2g9psho4MIPXtu4DR4t5VWvhrmw2cl7TCffQslWETxE
+            267PHQegcO40skEOYwkLSv7PWycL3YUg/EfPuElAobqlM45UQA/lcC5seV0WvEPB
+            Lj+Pk8stY3LZ5wpblmmA72PyJhTq7ghsPvxlyRByHIS8v94gu5Zasbi63WGmxgPA
+            mt/M/HIQEf2XOOKuJnGJ3yDwLTAHAgFa0jlIgvt4gkuhm5ibcHLmedBh4ecRNfDS
+            VgFA4UwqUKN1XYTWOvT1vlxE9UE+dgVO0QNMX8yw1ivmL2eyPUk8HtIpKbuDLFIC
+            iKwHMtUIW/q7UPmfKLRbDumimG/290GXxN24ouiN8AR0dCXK9oor
+            =EsRn
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/nextcloud/secrets.yaml
+++ b/machines/nextcloud/secrets.yaml
@@ -0,0 +1,68 @@
+nextcloudAdminPass: ENC[AES256_GCM,data:es9hhtCcqBqPbV2L,iv:Kyq5kqao0uaMPs0GeRkJT9OWYSZfImBXngg51k0uQ0M=,tag:zN/u90/j4rmdo0HtY+cF9w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSk9GWktrZ3FsRHpOcTJp
+            Y3VWMytTRlhxVXJma1puT1lMRTN2NHBNV2xrCi8xYTFWeVN6RWl0Um9mZXpoKzFh
+            SjVFcGJRNlhkVUZQYXpEb0EwYzUvUjQKLS0tIGEvdGdMRGxvcndxMllZTWZqKzg1
+            aWlJOTdYV1JMM0dIWEFDSHRuQWdlcVUKsdwGZ3SkJEf4ALDhHUlSQJNKrFyWd7fW
+            WTGk66NJ2yD8ko/6OyB9J9U0WPbFLgr972H+klBq/IDmOx0hClbYNA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNzdib3Ztd0g0MlVqYVF6
+            cUtjZzEyY2FJYVRoT1p5RlJwYVQwUXVOUkNVCkp4V3hMYlJsaVN4RjlwQXNWS1Jt
+            aitzWVdOcUdrNHorenZGZU1iWFZzVjgKLS0tIGNGcTU5OUJLM3VzQk1uODFwS1hO
+            WG16Y25tMDkreGFnSFRKN1AybyttYWcKcLHJScp2Ozh0jIdi7Hb/tSjaCGorqXaC
+            9DIrQPHbPP1RIc6Ak8Kn30/BHEWV3VaiBCT3vfS9pNJQNjB4T+901g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-26T20:00:50Z"
+    mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
+    pgp:
+        - created_at: "2025-01-21T21:04:08Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv/ejIylIgs3yeVcZriQTA8d/xyXTdFw6On422lTCDk3d0W
+            GOdV44vAzUzNX5tziQtLjectLUrKh9Qb9WaP4VnTCGI0XJ/dEtYRCkYMx8MjjbLl
+            8GqFi3Hw958Uykp9wt0iiP6BQ42Fo77EPxVcn21eHKZY0zg/vaeRXXeXSzkjzANs
+            NN/KFS06uFRJhmp+0z6hDRrHnpb0wd5JGjHOp96jK9LmpwfZZZlVpAHp04hOhlPV
+            cMmdjg9IRSubvbraTbDrgwB0h3JKdqovFDnAP/KvT+rw5xnVUVMq/3tUNq4MbfZb
+            CvQrXsjQJQbEhY+eAJZVRO07kX0+zMvIin4ss7Xt++qlo4/OvFvuGbnUhJE+hrBb
+            nkyGhbDrjpsfa3djCEZ0UxMAWtPeIQ7T8QMkGY+UKeJKxfOGSchARnfCtGD/rtsj
+            wuhqGya7g7WP78WzwASzlPwB5jpdQ29/zLWXR60lNCYu0UYSVYmlspZnKEB0FkLO
+            TNUrwXXMrM0XwMVaG/sF0lgBEPE6CTuE85evCHFyu6zhEAa7YimKAPIowcwYLSJ2
+            46KfttJAYnRnb68Kk9N5xcFyvhKyTx/6eMdxkgr2LMoSTBDUgZfG3rDQC+ZbFE3m
+            bUOvx3Ho80EC
+            =oQd6
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-21T21:04:08Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ//eu7YkPL7dU4AYWCZI7THsiJ51SOMahOXp/qC5yL18aZY
+            r4SpyNhFezGIJfMuhwBSZZBI/MNW6M+zMwIJ2wkioxUDnDvfVi10/cV6p85U75Jn
+            59e1afN+eekG2DCI6sWPmLy8jmYh4CQRdEurtfzquDOARZ4IHZjotP5AWI8OPHlM
+            FdK2jGXFVevQY0m619CNm78D2NEdlGe1QtLVSazWQ8MsDLfMnHTYFUy3EoSihzat
+            QkcR//8whzlLT/NcqKlnBDNBU7FvPov+ZdUmIw1mx2wp5f2sGp4m737Yhoey2aFL
+            qLXHDc91nVRcw95FBDNYlSH8a2AzT4sm4vFR5EkC6vrfz+v1pdg1Fc3dc++hPgE0
+            MYWn6f4v8lDhPhw2kpmAP4Oz4uPdmPgdfXKiIzr7qf3O5lIC6ZIIwoqhj2f0odj6
+            7anDUN5C3B5ruFU3UNJEBLrZelbmg4zf2hAtzfoi0L9paIZX5SCLP3PDbvdRbADc
+            oyC3Gw/DeddQ9ZeP+wYiwJ/614zRBmZRzQr9RFowf0gJBSS7TaWPCONfUJ/3eekX
+            or8JpLTD5PMQNoS0L4S41Cj+yOg/AlmHF/9yvj1GVTKT9rBj3Snki9NOmY2ZUQo3
+            BDdnsftA3w4q4iu06ojQkrjn/FJjmNzb83XR2WxrHFUAaY//nISyY/9uTsEhwFbS
+            WAFlKfmyVc7nLBI12i0yWLLy/tcVF3c8gtGfNmyoe/RIr+6EQmzUi0v+X49Tnzpj
+            8JAnE+4Jzm2ijqF4Ats5KoXqFiLUenJZQHJ3IFoI36n+hM4P/ICeZ4k=
+            =s9pl
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/machines/overwatch/configuration.nix
+++ b/machines/overwatch/configuration.nix
@@ -0,0 +1,131 @@
+{ config, self, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "overwatch";
+    useDHCP = false;
+  };
+
+  imports = [
+    self.nixosModules.malobeo.metrics
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 3100 ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = false;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.grafana = {
+    enable = true;
+    settings.server = {
+      domain = "grafana.malobeo.org";
+      http_port = 2342;
+      http_addr = "127.0.0.1";
+    };
+
+    provision.datasources.settings = {
+      apiVersion = 1;
+
+      datasources = [
+        {
+          name = "loki";
+          type = "loki";
+          access = "proxy";
+          uid = "eeakiack8nqwwc";
+          url = "http://localhost:3100";
+          editable = false;
+        }
+        {
+          name = "prometheus";
+          type = "prometheus";
+          access = "proxy";
+          uid = "feakib1gq7ugwc";
+          url = "http://localhost:9001";
+          editable = false;
+
+        }
+      ];
+    };
+
+    provision.dashboards.settings = {
+      apiVersion = 1;
+      providers = [{
+        name = "default";
+        options.path = ./dashboards;
+      }];
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts.${config.services.grafana.domain} = {
+      locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+          proxyWebsockets = true;
+
+      extraConfig = ''
+        proxy_set_header Host $host;
+      '';
+    };
+      };
+  };
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+
+    scrapeConfigs = [
+      {
+        job_name = "overwatch";
+        static_configs = [{
+          targets = [ "127.0.0.1:9002" ];
+        }];
+      }
+      {
+        job_name = "durruti";
+        static_configs = [{
+          targets = [ "10.0.0.5:9002" ];
+        }];
+      }
+      {
+        job_name = "infradocs";
+        static_configs = [{
+          targets = [ "10.0.0.11:9002" ];
+        }];
+      }
+      {
+        job_name = "nextcloud";
+        static_configs = [{
+          targets = [ "10.0.0.13:9002" ];
+        }];
+      }
+      {
+        job_name = "fanny";
+        static_configs = [{
+          targets = [ "10.0.0.1:9002" ];
+        }];
+      }
+      # add vpn - check how to reach it first. most probably 10.100.0.1
+    ];
+  };
+
+  services.loki = {
+    enable = true;
+    configFile = ./loki.yaml;
+  };
+
+  users.users.promtail.extraGroups = [ "nginx" "systemd-journal" ];
+
+
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/machines/overwatch/dashboards/main.json
+++ b/machines/overwatch/dashboards/main.json
--- a/machines/overwatch/dashboards/node_full.json
+++ b/machines/overwatch/dashboards/node_full.json
--- a/machines/overwatch/loki.yaml
+++ b/machines/overwatch/loki.yaml
@@ -0,0 +1,60 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+  log_level: info
+  grpc_server_max_concurrent_streams: 1000
+
+common:
+  instance_addr: 127.0.0.1
+  path_prefix: /tmp/loki
+  storage:
+    filesystem:
+      chunks_directory: /tmp/loki/chunks
+      rules_directory: /tmp/loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+
+pattern_ingester:
+  enabled: true
+  metric_aggregation:
+    loki_address: localhost:3100
+
+ruler:
+  alertmanager_url: http://localhost:9093
+
+frontend:
+  encoding: protobuf
+
+# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
+# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
+#
+# Statistics help us better understand how Loki is used, and they show us performance
+# levels for most users. This helps us prioritize features and documentation.
+# For more information on what's sent, look at
+# https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go
+# Refer to the buildReport method to see what goes into a report.
+#
+# If you would like to disable reporting, uncomment the following lines:
+analytics:
+  reporting_enabled: false
--- a/machines/overwatch/promtail.yaml
+++ b/machines/overwatch/promtail.yaml
@@ -0,0 +1,29 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://10.0.0.13:3100/loki/api/v1/push
+
+  
+scrape_configs:
+  - job_name: journal
+    journal:
+      max_age: 12h
+      labels:
+        job: systemd-journal
+        host: overwatch
+    relabel_configs:
+      - source_labels: ["__journal__systemd_unit"]
+        target_label: "unit"
+  - job_name: nginx
+    static_configs:
+    - targets:
+        - localhost
+      labels:
+        job: nginx
+        __path__: /var/log/nginx/*log
+
--- a/machines/overwatch/secrets.yaml
+++ b/machines/overwatch/secrets.yaml
@@ -0,0 +1,59 @@
+grafana_admin: ENC[AES256_GCM,data:c+ZnOyxSXrG4eiK8ETKHheadiSz98LLHYwxb,iv:Ut2qFD2p6OmKDWjLMjFxyISxzTdJpZpgIB7obW5bgkY=,tag:HdayzjXQ1Zc7w9ITLzKLxA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxN1VURXJuMENJV1Z2eEtS
+            bUR2cTNmNUdhU1B4SHZNMW9KRDV2dW5VNmlNCjdmYXpZb05mMEdPdjN4c0VWOUhV
+            RW4vV05CMno1MmJmYzdESjN5MFVFcjQKLS0tIDNxTE1KaW1EVGhtOEQwWXZndk53
+            bFBCMExGdEdMb2Z0TzF0Yk02MUpkN0kKIUm9iUvU/xu1Xl6yoYSVGcIXKnGsp/D/
+            RjVQ7tgJIbrupubny/fg4v2sz5HOs5uzmEq4ZKgBWrBeMPss4gYstA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-22T00:51:32Z"
+    mac: ENC[AES256_GCM,data:TEEyPmVxIJxC49hDqDbwzTZZ/tNymFr0dMvWn6DRli70Kp5XXNCLTpicAbiFh3WoyzbDpN/5c2yxVNGjhB8nXgKpCZdffdONMY6eSCpPbblYwJS7hNsjW+u2wysSFPDAk5apwbNXJcKnlI1tBcGQRHlym9ShSw6fT7K7afWYWqo=,iv:583DWNug8yNF/vZZN4btT6P1yUa0b1UN4frvAX4UKv0=,tag:YI5KIAe5P5Bx0TZU4wG8ag==,type:str]
+    pgp:
+        - created_at: "2025-01-22T00:51:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv+PxajhJgXHcxwJ7Mk0gjqFV0dGmNJ1m0eY3gPyIS38GSB
+            Rjto1zUd6EARu1GnxSrVrSZYlQaL6x3l2DuFIP7mtymvlFrmhiAoDz/si0zlzsJp
+            WZyQZdepnt9FyYJAwTzbmfVdpZDYajuMI38byMJqzUhS7SEOsPwiU1KRoTHcf4se
+            2E+9v8OwTVT2UoDxyiVJuDAA+K+Jh2RjHk3p/uVnZDqqQpI9UAI8LrCpun9uALpH
+            +29wyhkCZ9RIHU7nDQNVvwHkbYCyRUwR44bciSwITpjp7GuZCcZvzSSimPktkC9q
+            VZkHA6rHgHgcu6mnMfpP0+j4gB0dU0t4hGF41klV3YpEGfYcFIsKV10lfa6aMNmW
+            08RuLdCtnQyplYhgBm1zQvYHJsIuwK9s1B2dz3Z8l3o2eg8AqFuIL+MlZOvf5A/2
+            MOXffyXbOM5Dhy7DdUckTOYYfwWe1mStw3vx3I3mAFzuOOR7HQuzlc9Bf1oxh36T
+            6e/qOijjPPqkLeR2mufo0lgBBFTQFt2jVvMo1lrCB8Amj4yj/4noXTzglkYTYBKs
+            S513kUdhAGtWoNrqcItOYAn/gl+CPGY2Op3tJBVCWM6aT/KO6M/LPJ7wiQk2zlOL
+            pp7SnCKvv9eQ
+            =N+uj
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-22T00:51:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ//fm/TcxgsAMY6P8jvOQMcRBmjjVwfLP1UTTnkRUa36Mmn
+            2V9619zsH1dzTp0gUVV8mvIKUtpz2nCBTZBJw803wW9KorxW6f4e3+mIWelZT5WM
+            sLcQPFWAYKDVnSfk5j8kRSmpM6k2xFRB9DTEMIyFH9PZL99Fztp2hjTn553YTQOo
+            pdw+AMzgptYQghW/Pl/32wXHwCO+bL8tyk62VIQO13l3tX83oSslXNkFzNQYt3jv
+            xXFUaQEGD/1lFLeFnIuJZzfjWt6n0fShJboUcuk/ZIcYdwrbG0pyLLoBoObSRQtG
+            t+7VpWpfl3rnk822SU9z9YcaMNy9HD3Kz9Qh0BRQiN3scCMzm1LyzlXLqlc/gPiq
+            JyCxy98vJXIxmlLQZpDFfTMe3xsc8jSsHI6av+wEFKGEJAOUkDtRYvLfZdgDTfiB
+            XTAhQ3ixnlBxdZZ9DjBXyVfM8q9iB8bggFi7g2SjO32LKhXRFUqZR+avddCyKR/V
+            hRpWjDRn+eX2tl7LPawvX6tIow3aZiezkMVyeRXfcZCvpicq64b80LrYR+JJUfJE
+            vxHaekKImrdJ9ocii0wW91ZmESJwL6m5lt3ZsCY5GTlEDt4wBse5uhj48mtuK8sh
+            g8uQMKp7SiiCtV5a6O1SQLDJeAt6VCcRyudLToO9S4gwrGXNPcGxsHj07XAN2PHS
+            WAE6wUhufXfpa8UgSWy7fmEZt4L03XlRfC7bm/ycwaFww3A7w4+B1gkW6gOon6sy
+            nOyIxUZfU6abZWKzH+OIuViKH7xPiULDy75gEmkRHjKu5BiC3Tx0eO4=
+            =+PPr
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/secrets/devkey_ed25519
+++ b/machines/secrets/devkey_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwgAAAJgdrbX3Ha21
+9wAAAAtzc2gtZWQyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwg
+AAAECaQfylNoG/uN8fozvq3loBLWQ3gIKPOGnZpwyHUlAMO2meyBkJbC8RMkqhl/tAUoIt
+pSePyGKhyL5J7ArxxRTCAAAADmthbGlwc29AY2VsaW5lAQIDBAUGBw==
+-----END OPENSSH PRIVATE KEY-----
--- a/machines/secrets/devkey_ed25519.pub
+++ b/machines/secrets/devkey_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine
--- a/machines/ssh_keys.nix
+++ b/machines/ssh_keys.nix
@@ -3,5 +3,6 @@
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de"
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxgcjNOYbza3+RfANFDXy7HXNRFlkpDOAcGyB7MKshiVlbPByWRSjfZa0BeRNjpeCd8QkIodKUzqYOCOrc8ad3kiNbdLRcDz57A5xSLD3ynakoWJo0AmJjT3Ta1JJj8inNwwykR0ig5//SrtsZb9HkWJDAF017MokM2r8AWPE1QzcQdh93kojXcgTHrJHzEqgKbEGDEk37f1RvZG4umEFeqdK2FvS5isPa7P9X7hyyoDC8bvEy7xfaDrToJAoXon6r79taxH8UWIvy//xsU0NBLYK2eE4RQe2AjF6Ri+CybI6y1SsHOvyh4nNKWlfUOEL6UnIulRn/LXFOKCJi7xuoTeJXS0+w1DNEuiGosVNXPSKbUm/eDBVnb8Iyep9wmygSZayN82xL5lRlG3Mn45ttecqfm2SJkmduBA5qXcTdDPe/lXTZaVO9tbiIcJfUgd3ttEu2+6YjLn74D965PlovzvR6EhbVUZ8IkOAt4VmuTkXIdm8SCS7jzhsiKeUXoZ4rfa375zi79SIPuIkoMasj6d16wcYOeFIUIMFFccfQ9jQjr9NTSXC2dd7sfbI9I9mF7eRQSsUdSwpP8WH1b+M1MxTbdhEUdPwpOLviTTIuk8E8K8DQDZIcOOh38mCDpyoh02nwfRxlyoYVsKAHIQH02dHTvYEa3/pMsRwGc9W1Ow== kalipso@desktop"
   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
+   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
 ];
 }
--- a/machines/testvm/configuration.nix
+++ b/machines/testvm/configuration.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, inputs, ... }:
+let
+  sshKeys = import ../ssh_keys.nix;
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      #./hardware-configuration.nix
+      ../modules/malobeo_user.nix
+      ../modules/sshd.nix
+      ../modules/minimal_tools.nix
+      inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.disko
+    ];
+
+
+  boot.initrd.systemd.enable = true;
+  boot.loader.systemd-boot.enable = true;
+  malobeo.initssh = {
+    enable = true;
+    authorizedKeys = sshKeys.admins;
+    ethernetDrivers = ["virtio_net"];
+  };
+
+  malobeo.disks = {
+    enable = true;
+    encryption = true;
+    hostId = "83abc8cb";
+    devNodes = "/dev/disk/by-path/";
+    root = {
+      disk0 = "disk/by-path/pci-0000:04:00.0";
+      swap = "1G";
+      reservation = "1G";
+      mirror = false;
+    };
+    storage = {
+      enable = true;
+      disks = ["disk/by-path/pci-0000:08:00.0" "disk/by-path/pci-0000:09:00.0"];
+      reservation = "1G";
+      mirror = true;
+    };
+  };
+
+  boot.initrd.kernelModules = ["virtio_blk" "zfs" "virtio_console" "virtio_pci" "virtio" "virtio_net"];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # needed for printing drivers
+  nixpkgs.config.allowUnfree = true; 
+
+  services.acpid.enable = true;
+
+  networking.hostName = "testvm";
+  networking.networkmanager.enable = true;
+
+  time.timeZone = "Europe/Berlin";
+  system.stateVersion = "23.05"; # Do.. Not.. Change..
+}
+
--- a/machines/testvm/disk.key
+++ b/machines/testvm/disk.key
@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:GH71ek6+a++P9sDUjO0IPojdU1epX98wcTqmoEgsu0j+,iv:LysgsJdPDvKOUz7l0IyV58QHN2RHvHP14bt1p4571NM=,tag:1WrqC3S+Z6bkE2d76RYtXA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOVI3b1dBa2d5SElHcFdq\nVHZwWlpIU3NpYm8zQnY3aVhOVkxnU1pkZUJNCkJ6bzhqdU5EVy9Wa0creXJHZ1pu\nbkRPVTR1K0o0dmlYbGVIbVRiWjFyL1kKLS0tIHl0aFpUYy9hWmpsNUFoY2JpWUhL\nalluN1RRSTBNUlprZWFISlFoUExXUXMKaULQKgVLNfHX8m0Ac1YhcbM/yhioyNCu\na1AUDjBmruKL9ngqz9Dwzxx0sJJOIFKMdYMVn9uQfui/XCHewO6uRw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-12-31T02:35:20Z",
+		"mac": "ENC[AES256_GCM,data:7K8G7ZFaA7wT0lwujkuJP0HL8WW0m/IkMjgFU9ikWe/GVZMlFDWTafaRNLxdBHNhHwilM8suH2z0P36Xae6pReh47PpID5JS8NC1V38fzww5qW74eFkHq3Pu8HRWb66u7zA/LiyOcEQgtrdP1zbnfmHUgakyNluSn7W1gOtsfxw=,iv:l65AiYn7ETRySF1Wr9nOUk9Fd1I4VGqd/zZbqkCyxYA=,tag:TeVyRa8aN6hIn3iIKPPvbQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-12-31T02:35:05Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/ZITVtnQl5xO2XLTTaNAZ50WhHkVV1G9H2TyxO0NbaUPj\nbo7LdbuB/+cv3wpg5oy5VpWW/JLElqizxbrE5gzQCzorwGE7lpKW0XQubofW8t9l\n+6k9UFXxyfVQJHwcIbexYfL2UhN62eSzzxPiKYVyNw4oM9ySeU+MCeCiv0omLUPg\nWSdOH4q1QYkRGJO8db7KlJSdvCoVjyEiCaLwKdWnPk5pbC+U7wp75fPdFwmzBchc\np9TXKeFF8dVGI7DKuGXA7lBm4ZzgSt4wNdZmc7mvTrTInaDVFA/ptbAfhh2/hNEx\npOijlXbc8ARKAhuLASPy6j37Nm2QdNm/8dl5x6eA7Sx7FcO8qV38Q//V4/DZZddJ\nT3NLC4tWLglpdyFX7H0zmZ+jQOLGJHorwzO+NgSOEj3N4venHYvJyI+vwVGjVCjQ\n1tZUIxGMx5iu959PinvlvBYI7oeKITPLyo8pRRx2EaA+UEBR2f3y+R0bTiBhChKM\nieUIVIK/fbvhdXhwwfRe0lgBm05hL/Vmdbal9QU8o/HIPeGTNitaqLQ59Ets7qm4\nf2FhHaOMO0YaDPtCNBGbRh/mEWH8tjhnI1sLJg/0rR9sOQ/oCzzIYILogIkm3ueE\notFqp95QQPVA\n=P16c\n-----END PGP MESSAGE-----",
+				"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
+			},
+			{
+				"created_at": "2024-12-31T02:35:05Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//fAGV0oLuiwL4TmQnrHF88ixvZ/HghKI9k/5zlORIdoaR\na1w6U32coX8HpEfcqON45ZQWSCFtlizlmL55jb1ugXFY/bS+KECO8XaMDhHXNkB/\ndfeCmASvqIlFkl/X3YeD2FhHa3ZlcS93x0duJ+oo18WIErkNuECOL7hwkh+m5YfS\nWtW9Z3J51qfS5S6ctdm9vKcYSrgTkADsyVQp9GqxO3xZGpWudGWDaK0gVBX5wk5t\n1uKhDpnIZdFZ42N5Oy/UqXF5pfEQ0OwxlOS8VMleq1wEPc/DPVku23HRSReS0k7x\nuVeFZpaOfe22ncgI4TVQln8JT0+ZPeAwqBn6LWp0XnPnQdkyE79ARMPqBTPN/6Pn\nFkVpInBVukVJ1AiGpHHxESPtiKoMUZpE+k3WG2dRFWmaON+n0kR4VFpOju3apxTH\n8RGN+Uyn6MswNOZDKoDjlVtkcwgJgar/KwxXNlF7BU3/KMDEBf1UHuQE58Y2eBsC\nI85AEpbskEeOu+MF1SNJkdx/BR+lUaR6ax+dVzOIwxLyyDoCGg4SEoL1Hh1nNRth\nxRZnYfN3FBGv3FnvpaCbfbBDLLkWxzst5HRjp+v2lyPM4eVtyvYPGdfYM5FK1den\nXVawulE3cjM786/Z7X2IK5IDzrvo8nIs/Keg2YqnZe0UgM3XFCoYnwxi2Rev1J3S\nWAHTBs22q/cEk3SLlfzLyqWochY33gI6fC2amOvC5HNhcs7vr6CF1W44d3Yx6WCO\npqxY9jmc4gVWeBLZV/d9T95qLwOQK7L1/tokdbggQcEXFOqpvPzm5pc=\n=qp/h\n-----END PGP MESSAGE-----",
+				"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}
--- a/machines/uptimekuma/configuration.nix
+++ b/machines/uptimekuma/configuration.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "uptimekuma";
+    useDHCP = false;
+  };
+
+  imports = [
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."status.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3001";
+        extraConfig = ''
+        '';
+      };
+
+    };
+  };
+
+  services.uptime-kuma = {
+    enable = true;
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets.wg_private = {};
+
+  networking = {
+    hostName = mkDefault "vpn";
+    useDHCP = false;
+    nameservers = [ "1.1.1.1" ];
+    firewall = {
+      allowedUDPPorts = [ 51821 ];
+      allowedTCPPorts = [ 80 ];
+    };
+  };
+
+  imports = [
+    inputs.self.nixosModules.malobeo.vpn
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ../modules/minimal_tools.nix
+  ];
+
+  services.malobeo.vpn = {
+    enable = true;
+    name = "vpn";
+    privateKeyFile = config.sops.secrets.wg_private.path;
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."docs.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."cloud.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."grafana.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
+    virtualHosts."tasklist.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/machines/vpn/dummy.yaml
+++ b/machines/vpn/dummy.yaml
@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:s+dZfKCfrdZnFKhmCl7u1LRzR5dMflJumh1uVQ5Dktb5teohxDo0zlOR7KE=,iv:N9WSEzGonWNkqix8yaImhvrxpcAEJraWEcTrXORASow=,tag:pKgOmtKJ933FEKZVDHCWWQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMFk2bzE3OG9VR0VqOTIz
+            UEQySS9SUnRmMDFqVTg1dks3WTZvbE13VGxVCitHVE1SVlBlYkZwejNlWWNMTVhF
+            M2EzSFRmS3lFd1VPMHRpMjhtMVgyVDQKLS0tIGJObk1kcWlaeUhveHdrY1BEQkh4
+            WTJua1FvNFFtMDFGWE9ZaW9wWFoxcncKlYHjkzlUj+rBPmXK/jj9XCUoGrQ4vBXH
+            ZTItzrbCI30juPjy6dJ0ffZF2ILvJLUdwurz4lZFybNuUjhE2sAY+A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S1dhZUVpT3NMaGR4eEhV
+            dUxvUGVvMUtPbWhEQnpJd3Y1YTBYbm1QMTBVCmpQbkhvM3VWV2MvcmY2RVhVOWdy
+            MVZxK201bmcwVHlwUlFnb0p5eGFNNGsKLS0tIDlrc1ErS0NiRUJ0UFZnNHNNSk9m
+            U2xLQVhoS2NxNUVvcGZBYW9VVkZNOUEKeCpijhxpkAxCB9/iIQmek03mj7b14sqs
+            CuGKgoeq7C6eG1PK3I8MzGplQMyCpEFQ+33KMj0vGwktpv/eVzC8/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T22:47:26Z"
+    mac: ENC[AES256_GCM,data:DiriXLPnm+08q1Jp1YxjEdsJzFiewQxgu1JDdevo9aGdkq92Xu8cnSxLzWUkh8bEDx4uhjOXvZd3PSU9rWiTh899U3Ou99NiSOgR1+wr5ouR20viCZqIe86YqoZlLJnYs2dlZDhL+ggwFqYJ5wfWbq7OauIVEEdnM/57RyNI2qM=,iv:lwOJi4pVGGHn7+CGq7jAHorOTFtl7ONzzV35ec1uEsg=,tag:DhjloWlsGqM579NafaERIw==,type:str]
+    pgp:
+        - created_at: "2025-01-19T21:35:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQwAoO2gRS+Vwu+5KZ4V2ReXPcjFcEUb6aoYe8PNUhjBu0yE
+            hs4lhWGy53BdupQ+cyxk0U+L6UhOjTfIAYE9emqTDlF5OImN/379j9NfiPe/K0/8
+            ylSOuzNgVmTpsXlHGaXE2wk0ADp1P9mZUwbJ5vHCtm+ZFe5HCuTrB61drIU0fEYw
+            NVCaARK/IRn5eAlPCjPuW1mhKP+3HNGMQszqCRKMU5kLZPzjqsHmEITSFJ5bVtAu
+            fLRtF8SyJpHgvyw1AH1IX6I+/lrDRQro0oD/0LcC1Nay9n86WIWhA/VbotyFCkI2
+            gZtV0IQq05mxO11DycgxlDLQk6nqiqDDjWv/8kj23HnQ3BAO6SXLKhHWq9rH8EOX
+            wkee7RHc09GWNcGL93YMkjIHWJyitphpU/NtTmEpTptzry5vPfittPaZ+zU+MF8G
+            REyft2X9Aj7UWcL1w3kbX9BDWuxImcirWWCShHakSrzAlpuIoXVQA6MCl6/Jr2Ve
+            lLx3lDX+BiSpU01zY32q0lgBOGcSEcRVXTiYO00EoJbIiEMwqm1aAXQzaCvhCCpP
+            54NsNzZ4eoGL0DmioKwzLbv1CpIJs3w0k6StfOtTCPKdlL99k24Z8GyJ44UnkhCe
+            V32jGc/yCong
+            =OZSD
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-01-19T21:35:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAhnd9Z1gekp4XWw+gcWK5j9mXWP7XS/FGNXmmCUBKec1j
+            zXzMJjG1YZyCYmqj3XGFMFwg2Ex6pBPoOTzOL2VOGd9mZvHjh0MGtuUopg1GprE7
+            NoyrYlV2UikyBSzVlsvykyNCYWfEt0uDotnGIK0NXYzfWfqgw+ImAH/PvNRY4nIB
+            wxI/Ze100ITAN7Dop9d6MFUZbrYKZTMsO8w5Z7TWHRPzFWH//XZjY7UpxvNVP1oJ
+            RXqqo2I97P0c6H7s17+xw6ZjyE0Qoin1gq4XSMHc4l8o+3D7fWecoTLxcjma5gvY
+            SMVCYeSrI2kc8DJ2RVeXdDlEP7SS3bwPNaE4Tklxv1rE+CUuYQ1X6dkPVKnKLfRS
+            Lwy614LDAarZmvXc3jPgFkpG+grE80PAStzOze0eWyZA/oCAI3/CS+yaeBAI4viz
+            UEkNmCMTZu1eXyIurC/suTOdq4nehGlD/2F8EKU+Y/6f6J2wHUJdvLjNxOuAOHd0
+            lGSu61gt/b2PFy/aHqFgQaZCPUMJ8UfK8JQ66zOIUW3HzsXOsvVqo/8DMQRIw7/z
+            3tZ43LPjmIeCRFwPfbIbeThoZmq1SPejkzadxDEwD3U0YAiblBJ2E+AyEDiKqP/N
+            D+NRN5Ta0ySAmGOyYgDES8QDDBQGA4cSZak7pMidCrSbAagNyYNg3Qrowc0aG93S
+            WAFD/Q4EtOdM6kveLdbDkPX/bAiCFwhzSCtDVkLAPxfrkw/a+az6emPWmImML5FT
+            to3vvXendrd9+u6uSNK5acuwzW2cW8GM4gLC90+p/kRFJukiGJbl400=
+            =6Gw4
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/machines/vpn/secrets.yaml
+++ b/machines/vpn/secrets.yaml
@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:uuBYbOTiThZYiNetM+FOLFVMr/HII9otG4FvN5YvuRErvNjgmAYxVncV71k=,iv:Sy3HAEcALod2pL4IZ/GSjVybLAviOoO+DsW8OROzgTg=,tag:hynRmiilafVzWCjx2Xoxhw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua1FUY1pZamY5R1ExOC8r
+            cUU4VE9VVUJjeEdXNEJnMUM5WEtUL0E2NWhZCm5xTXZ2WnhFcXRGVkdQNHlTcDBC
+            cTlySDcxaGJXOFl0UWJ6RlYzekdJaU0KLS0tIEo1RmVIZG9mOGpJM2NlOEQyKzNG
+            a0FsVGh6TlBBWG5qNTBFWVVWb3U2ZUEKp6Rfi5h1j9+nosARUcuVFUDLajaHf5SK
+            PFDpyy+n1msB4E+Yuku6ySxyf58TqPvy/JnVA7Nhkmir7IngIdfX1w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT2hGalZFaktoUHdJRXJy
+            dlg0NVZxNSsvV0VsQndOV2VqZHJzcnI3cFEwCmg0eHl0djNpcmVSaHlEM2h0R2dm
+            QzRveGlpbldYeFFQdmVHSlVtU1FhcGsKLS0tIHFnZ0xyaDRidE5naElnNWNOZmM2
+            RUpHanJrOUx1endqRytjOW9VV1dLQ1UKcS6MhvTHTn+3sCh/wrMDw4z5aYHmKbER
+            n/doy/gDtIWeIlw9TPNdCtOu/P/atNnrjvpTDCU1i+H86fODFmu5zw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-17T22:01:22Z"
+    mac: ENC[AES256_GCM,data:ctpzk2gUHSLThmZpRFwIBKX+SfwKt8/V8AWQbPnoBqJ9KwuHcRKkkT2yEMx3l2qKUy7DgrqRXhSVGbF57poXC9nshyjXMrrjMQA4PBB7a3SAwgpcX6j+aEx0xIt8GTUVxcn0xDvbP9xJ+adeACLUvkE+a4EB1jtdsL/iacxlv5Y=,iv:Zw+sG7oXmPRGa2jWc+mloGMBq6CnDQgz5x7ke5paeW8=,tag:RtfGmrSt8U8Je7Dq9FQGTg==,type:str]
+    pgp:
+        - created_at: "2024-12-19T15:09:08Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv/bueAXskPGUYQwlmujEEdjh2o3yGxTScqCEwYbghRPbf+
+            a59WXJMtIkOCxRF0bkyfoKLudJJeWRteBfN3aqdUKtFqr4g7PfavLmipRaqm1cmJ
+            EswakDt4raLx2C4HAyZvaab4fzA592tqpGU5RBRmwtkxjfCL0bY6zV/FHmk7NzYg
+            RAaEChpaUGXSTmwDiXJn1FJ1QwOSTlKm0ccoUbB1MSHi8A3LqH0lEHPqq5mb3Yhx
+            XIvOKPTZ+ODX9duLOQrAPWAfOShcyjd8SAA+uygJ7PYnXeN9HpuROcl4WEB1mpKa
+            h2AGwtUpOC9tpqKJ3kueBUePpsSHM9s1qmeImItSycFHzlB/hnuFQFndhV6I2yaP
+            lDs/Vpsfoeq3/ufR4Cajqwd7Q6dRGmf71/Sk6QhjXZQapGRcIfGWlOMcHn/z+ura
+            PPn2EtTxkgzp9G8ksOdTzIoriM7RmosC7N1BgSpw+vRUXn4dNhHN4h9LcR9XsX0u
+            lUJXfAc5DOl0bkpJ0y1B0lgBldvxchsMsg4RS2GNhIs20gjMfFLs4eRlcXU8Yps5
+            HizBAKW5frOePfzVM+GD30IstOd/pJPYrRCzg7Ym1oY/+IZTLfK/7MW2bvtP5IJy
+            LN6uk4NCOKwA
+            =Mdnc
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2024-12-19T15:09:08Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ//bvRwMD4xzEq9wihdYG/XHb72Y8RYzHLA1/okH0Kfe9wW
+            DomZhwi/VPoLf8RWTZfa0/S1PnPyOZdfEP46ZM2WSksNydMidqY7fOuFYxTI5cRG
+            javuZjAH0ZyMMG3J+Y+zzFCFRMBT8n5yDtv+bDbi1T16SJj0gpYW2IIEglOudPVl
+            vDM6bqHD5UefHtxhYGRnPaxqenLxCoNYq4DAx8+8DoIj7RTg4+rjrglW16G7KU5n
+            t7acEiD+J0fXeQM7bLTYuiI0gSkaftSuQ1GVEDgw6M80pSdWfrqE5xue+8t3MPDA
+            UGQGjXxG4ykOV5Wggs3EjOVkscgmQxWJgMYNanCZJEy36WWlzPnG59O1kiXW+6AQ
+            TCy4ZXb3SyUJ1kSoI9pJ3PSaADaID9rDgIn+IkIfY0E+QVrw9qL4qN0rqISx++EW
+            XOBucRspIqcXzFGikuz4yIwLBWVAqGhr5iKge8FVjBPVUX+JPgJjFw25fAFZkkds
+            mJDAkbzJh6iALxSIoj++kPIw+f4xQXKPPPLJiJzpuWAcZJiA3WM10iakGyuKmYPL
+            qVgwo1hXOVODwbkBvztJOGIMqMXNLQP9A45kpNjFuyPn8WcignmvoFXtGbr9BtCY
+            sZAZrDFw/JxVLVPSM3duKC6R8r8MQfp1ZNVLU9fMzqfReu+6gD5biESM+rnYC4TS
+            WAGB3htm92PRqdsJnDrgO8kzi9fHNxo0htj9fmo8ipNY+eeLfrAW6ocqPMBzCuyf
+            3EbF+PS9PRg0lHyjkBC2pF6PD8DHVL/2OTSpWOZdp8FCqogZg7e7dMI=
+            =vQSV
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/outputs.nix
+++ b/outputs.nix
@@ -4,6 +4,7 @@
 , nixpkgs-unstable
 , nixos-generators
 , sops-nix
+, microvm
 , ...
 } @inputs:

@@ -13,17 +14,106 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
  let
    pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}";
    pkgs = nixpkgs.legacyPackages."${system}";
+
+    hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; });
+    utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; });
  in
  {
-    devShells.default = pkgs.callPackage ./shell.nix {
-      inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
-    };
-  })) // rec {
-    nixosConfigurations = import ./machines/configuration.nix (inputs // {
-      inherit inputs;
-    });
+    devShells.default =
+    let
+      sops = sops-nix.packages."${pkgs.system}";
+      microvmpkg = microvm.packages."${pkgs.system}";
+      installed = builtins.attrNames self.legacyPackages."${pkgs.system}".scripts;
+    in
+    pkgs.mkShell {
+      sopsPGPKeyDirs = [
+        "./machines/secrets/keys/hosts"
+        "./machines/secrets/keys/users"
+      ];
+    
+      nativeBuildInputs = [
+        sops.ssh-to-pgp
+        sops.sops-import-keys-hook
+        sops.sops-init-gpg-key
+        pkgs.sops
+        pkgs.age
+        pkgs.python310Packages.grip
+        pkgs.mdbook
+        microvmpkg.microvm
+      ];

-    nixosModules.malobeo = import ./machines/durruti/host_config.nix;
+      packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed;
+      shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
+    };
+
+    legacyPackages = {
+      scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
+      scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
+      scripts.run-vm = self.packages.${system}.run-vm;
+    };
+
+    vmBuilder = utils.buildVM;
+
+    packages = {
+      docs = pkgs.stdenv.mkDerivation {
+        name = "malobeo-docs";
+        phases = [ "buildPhase" ];
+        buildInputs = [ pkgs.mdbook ];
+      
+        inputs = pkgs.lib.sourceFilesBySuffices ./doc/. [ ".md" ".toml" ];
+      
+        buildPhase = ''
+          dest=$out/share/doc
+          mkdir -p $dest
+          cp -r --no-preserve=all $inputs/* ./
+          mdbook build
+          ls
+          cp -r ./book/* $dest
+        '';
+      };
+
+      run-vm = pkgs.writeShellScriptBin "run-vm"  (builtins.readFile ./scripts/run-vm.sh);
+    };
+
+    apps = {
+      docs = {
+        type = "app";
+        program = builtins.toString (pkgs.writeShellScript "docs" ''
+          ${pkgs.xdg-utils}/bin/xdg-open "${self.packages.${system}.docs}/share/doc/index.html"
+        '');
+      };
+
+
+      docsDev = {
+        type = "app";
+        program = builtins.toString (pkgs.writeShellScript "docs" ''
+          echo "needs to run from infrastuctre root folder"
+          ${pkgs.mdbook}/bin/mdbook serve --open ./doc
+        '');
+      };
+
+      run-vm = {
+        type = "app";
+        program = "${self.packages.${system}.run-vm}/bin/run-vm";
+      };
+    };
+
+  })) // (
+  let
+    hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; });
+    utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; });
+  in
+  {
+    nixosConfigurations = utils.buildHost hosts.malobeo.hosts;
+
+    nixosModules.malobeo = {
+      host.imports = [ ./machines/durruti/host_config.nix ];
+      microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ./machines/modules/malobeo/microvm_client.nix];
+      vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
+      initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
+      metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
+      disko.imports = [ ./machines/modules/disko ];
+    };

    hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
      let
@@ -36,4 +126,4 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
      nixpkgs.lib.mapAttrs getBuildEntry self.nixosConfigurations

      );
-}
+})
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -0,0 +1,63 @@
+set -o errexit
+set -o pipefail
+
+if [ $# -lt 2 ]; then
+  echo
+  echo "Install NixOS to the host system with secrets and encryption"
+  echo "Usage: $0 <hostname> <ip> (user)"
+  exit 1
+fi
+
+if [ ! -e flake.nix ]
+    then
+    echo "flake.nix not found. Searching down."
+    while [ ! -e flake.nix ]
+        do
+        if [ $PWD = "/" ]
+            then
+            echo "Found root. Aborting."
+            exit 1
+            else
+            cd ..
+        fi
+    done
+fi
+
+hostname=$1
+ipaddress=$2
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create the directory where sshd expects to find the host keys
+install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/root/"
+
+diskKey=$(sops -d machines/$hostname/disk.key)
+echo "$diskKey" > /tmp/secret.key
+echo "$diskKey" > $temp/root/secret.key
+
+ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
+ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
+
+# # Set the correct permissions so sshd will accept the key
+chmod 600 "$temp/etc/ssh/$hostname"
+chmod 600 "$temp/etc/ssh/initrd"
+
+# Install NixOS to the host system with our secrets and encription
+# optional --build-on-remote
+if [ $# = 3 ]
+  then
+  nix run github:numtide/nixos-anywhere -- --extra-files "$temp"   \
+ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
+
+else
+nix run github:numtide/nixos-anywhere -- --extra-files "$temp"   \
+ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
+fi
--- a/scripts/run-vm.sh
+++ b/scripts/run-vm.sh
@@ -0,0 +1,67 @@
+usage() {
+    echo "Usage: run-vm <hostname> [--networking] [--dummy-secrets] [--no-disko]"
+    echo "ATTENTION: This script must be run from the flakes root directory"
+    echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
+    echo "--dummy-secrets run vm with dummy sops secrets"
+    echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
+    echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
+    echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
+    echo "--fwd-port forwards the given port to port 80 on vm"
+    exit 1
+}
+
+# check at least one arg was given
+if [ "$#" -lt 1 ]; then
+    usage
+fi
+
+HOSTNAME=$1
+
+# Optionale Argumente
+NETWORK=false
+DUMMY_SECRETS=false
+NO_DISKO=false
+RW_STORE=false
+VAR_PATH=""
+FWD_PORT=0
+
+# check argws
+shift
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        --networking) NETWORK=true ;;
+        --dummy-secrets) DUMMY_SECRETS=true ;;
+        --no-disko) NO_DISKO=true ;;
+        --writable-store) RW_STORE=true ;;
+        --var) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              VAR_PATH="$2"
+              shift
+          else
+              echo "Error: --var requires a non-empty string argument."
+              usage
+          fi
+          ;;
+        --fwd-port) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              FWD_PORT="$2"
+              shift
+          else
+              echo "Error: --var requires a non-empty string argument."
+              usage
+          fi
+          ;;
+        *) echo "Unknown argument: $1"; usage ;;
+    esac
+    shift
+done
+echo "starting host $HOSTNAME"
+echo "enable networking: $NETWORK"
+echo "deploy dummy secrets: $DUMMY_SECRETS"
+echo "disable disko and initrd secrets: $NO_DISKO"
+echo "use writable store: $RW_STORE"
+if [ -n "$VAR_PATH" ]; then
+  echo "sharing var directory: $VAR_PATH"
+fi
+
+nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -0,0 +1,40 @@
+set -o errexit
+set -o pipefail
+
+sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
+HOSTNAME=$1
+
+if [ ! -e flake.nix ]
+    then
+    echo "flake.nix not found. Searching down."
+    while [ ! -e flake.nix ]
+        do
+        if [ $PWD = "/" ]
+            then
+            echo "Found root. Aborting."
+            exit 1
+            else
+            cd ..
+        fi
+    done
+fi
+
+echo
+if [ $# = 1 ]
+    then
+    diskkey=$(sops -d machines/$HOSTNAME/disk.key)
+    echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
+
+elif [ $# = 2 ]
+    then
+    diskkey=$(sops -d machines/$HOSTNAME/disk.key)
+    IP=$2
+    echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
+    
+else
+    echo
+    echo "Unlock the root disk on a remote host."
+    echo "Usage: $0 <hostname> [ip]"
+    echo "If an IP is not provided, the hostname will be used as the IP address."
+    exit 1
+fi
--- a/shell.nix
+++ b/shell.nix
@@ -1,22 +0,0 @@
-{ mkShell
-, sops-import-keys-hook
-, ssh-to-pgp
-, sops-init-gpg-key
-, sops
-, pkgs
-}:
-
-mkShell {
-  sopsPGPKeyDirs = [
-    "./machines/secrets/keys/hosts"
-    "./machines/secrets/keys/users"
-  ];
-
-  nativeBuildInputs = [
-    ssh-to-pgp
-    sops-import-keys-hook
-    sops-init-gpg-key
-    sops
-    pkgs.python310Packages.grip
-  ];
-}
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine`