[bakunin] add disko device

its not used yet anyways

README.md

@@ -8,7 +8,7 @@ the file structure is based on this [blog post](https://samleathers.com/posts/20
 
 #### durruti
 - nixos-container running on dedicated hetzner server
-- login via ```ssh -p 222 malobeo@5.9.153.217```
+- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
 - if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
 - currently is running tasklist in detached tmux session
   - [x] make module with systemd service out of that

doc/src/SUMMARY.md

@@ -12,5 +12,7 @@
             - [musik](./projekte/musik.md)
         - [TODO](./todo.md)
     - [How-to]()
+        - [Sops](./anleitung/sops.md)            
         - [Updates](./anleitung/updates.md)
         - [Rollbacks](./anleitung/rollback.md)
+        - [MicroVM](./anleitung/microvm.md)

doc/src/anleitung/microvm.md

@@ -0,0 +1,52 @@
+### Declaring a MicroVM
+
+The hosts nixosSystems modules should be declared using the ```makeMicroVM``` helper function.
+Use durruti as orientation:
+``` nix
+    modules = makeMicroVM "durruti" "10.0.0.5" [
+      ./durruti/configuration.nix
+    ];
+```
+
+"durruti" is the hostname.  
+"10.0.0.5" is the IP assigned to its tap interface.  
+
+### Testing MicroVMs locally
+MicroVMs can be built and run easily on your local host.
+For durruti this is done by:
+``` bash
+sudo nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner
+```
+
+It seems to be necessary to run this as root so that the according tap interface can be created.
+To be able to ping the VM or give Internet Access to the VM your host needs to be setup as described below.
+
+### Host Setup
+
+#### Network Bridge
+To provide network access to the VMs a bridge interface needs to be created on your host.
+For that:
+- Add the infrastructure flake as input to your hosts flake  
+- Add ```inputs.malobeo.nixosModules.malobeo``` to your hosts imports
+- enable the host bridge: ```services.malobeo.microvm.enableHostBridge = true;```
+
+If you want to provide Internet access to the VM it is necessary to create a nat.
+This could be done like this:
+``` nix
+networking.nat = {
+  enable = true;
+  internalInterfaces = [ "microvm" ];
+  externalInterface = "eth0"; #change to your interface name
+};
+```
+#### Auto Deploy VMs
+By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool.
+But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option.
+VMs configured using this option will be initialized and autostarted at boot.
+Updating still needs to be done imperative, or by enabling autoupdates.nix
+
+The following example would init and autostart durruti and gitea:
+``` nix
+malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
+```
+

doc/src/anleitung/sops.md

@@ -0,0 +1,25 @@
+# Sops
+
+## How to add admin keys
+- Git:
+    - Generate gpg key
+    - Add public key to `./machines/secrets/keys/users/`
+    - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
+
+- Age:
+    - Generate age key for Sops:   
+      ```
+      $ mkdir -p ~/.config/sops/age
+      $ age-keygen -o ~/.config/sops/age/keys.txt
+      ```
+      or to convert an ssh ed25519 key to an age key
+      ```
+      $ mkdir -p ~/.config/sops/age
+      $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
+      ```
+    - Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
+    - Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
+
+- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
+
+- `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`

flake.lock

@@ -88,11 +88,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1731240174,
+        "lastModified": 1732122592,
-        "narHash": "sha256-HYu+bPoV3UILhwc4Ar5iQ7aF+DuQWHXl4mljN6Bwq6A=",
+        "narHash": "sha256-lF54irx92m8ddNDQDtOUjKsZAnsGyPL3QTO7byjlxNg=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "dd89404e1885b8d7033106f3898eaef8db660cb2",
+        "rev": "19650774c23df84d0b8f315d2527274563497cad",
         "type": "github"
       },
       "original": {
@@ -103,11 +103,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1729386149,
+        "lastModified": 1731805462,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+        "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734",
         "type": "github"
       },
       "original": {
@@ -124,11 +124,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729472750,
+        "lastModified": 1732151224,
-        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+        "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
         "type": "github"
       },
       "original": {
@@ -139,11 +139,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1730919458,
+        "lastModified": 1731797098,
-        "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
+        "narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
+        "rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6",
         "type": "github"
       },
       "original": {
@@ -169,29 +169,13 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1730602179,
-        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1730785428,
+        "lastModified": 1732014248,
-        "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
+        "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
+        "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
         "type": "github"
       },
       "original": {
@@ -203,11 +187,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1730883749,
+        "lastModified": 1731797254,
-        "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
+        "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
+        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
         "type": "github"
       },
       "original": {
@@ -236,15 +220,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
+        ]
-        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1731047660,
+        "lastModified": 1732186149,
-        "narHash": "sha256-iyp51lPWEQz4c5VH9bVbAuBcFP4crETU2QJYh5V0NYA=",
+        "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "60e1bce1999f126e3b16ef45f89f72f0c3f8d16f",
+        "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
         "type": "github"
       },
       "original": {
@@ -390,11 +373,11 @@
         "systems": "systems_4"
       },
       "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1731533236,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {

flake.nix

@@ -10,6 +10,8 @@
     mfsync.url = "github:k4lipso/mfsync";
     microvm.url = "github:astro/microvm.nix";
     microvm.inputs.nixpkgs.follows = "nixpkgs";
+    inputs.disko.url = "github:nix-community/disko/latest";
+    inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
 
     utils = {
       url = "github:numtide/flake-utils";

machines/.sops.yaml

@@ -5,6 +5,7 @@
 keys:
   - &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb
   - &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4
+  - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
   - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
   - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
   - &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
@@ -15,15 +16,21 @@ creation_rules:
       - *admin_kalipso
       - *admin_kalipso_dsktp
       - *machine_moderatio
+      age:
+      - *admin_atlan
   - path_regex: lucia/secrets.yaml$
     key_groups:
     - pgp:
       - *admin_kalipso
       - *admin_kalipso_dsktp
       - *machine_lucia
+      age:
+      - *admin_atlan
   - path_regex: durruti/secrets.yaml$
     key_groups:
     - pgp:
       - *admin_kalipso
       - *admin_kalipso_dsktp
       - *machine_durruti
+      age:
+      - *admin_atlan

machines/bakunin/configuration.nix

@@ -0,0 +1,87 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../modules/xserver.nix
+      ../modules/malobeo_user.nix
+      ../modules/sshd.nix
+      ../modules/minimal_tools.nix
+      ../modules/autoupdate.nix
+    ];
+
+  malobeo.autoUpdate = {
+    enable = true;
+    url = "https://hydra.dynamicdiscord.de";
+    project = "malobeo";
+    jobset = "infrastructure";
+    cacheurl = "https://cache.dynamicdiscord.de";
+  };
+
+  boot.loader.systemd-boot.enable = true;
+
+  hardware.sane.enable = true; #scanner support
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  users.users.malobeo = {
+    packages = with pkgs; [
+      firefox
+      thunderbird
+      telegram-desktop
+      tor-browser-bundle-bin
+      keepassxc
+      libreoffice
+      gimp
+      inkscape
+      okular
+      element-desktop
+      chromium
+      mpv
+      vlc
+      simple-scan
+    ];
+  };
+
+  services.tor = {
+    enable = true;
+    client.enable = true;
+  };
+
+  services.printing.enable = true;
+  services.printing.drivers = [
+    (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
+    pkgs.gutenprint
+    pkgs.gutenprintBin
+    pkgs.brlaser
+    pkgs.brgenml1lpr 
+    pkgs.brgenml1cupswrapper
+  ];
+
+  # needed for printing drivers
+  nixpkgs.config.allowUnfree = true; 
+
+  services.acpid.enable = true;
+
+  networking.hostName = "bakunin";
+  networking.networkmanager.enable = true;
+
+  sound.enable = true;
+  hardware.pulseaudio = {
+    enable = true;
+    zeroconf.discovery.enable = true;
+    extraConfig = ''
+      load-module module-zeroconf-discover
+    '';
+  };
+
+  services.avahi = {
+    enable = true;
+  };
+
+
+  time.timeZone = "Europe/Berlin";
+  system.stateVersion = "23.05"; # Do.. Not.. Change..
+}
+

machines/bakunin/hardware-configuration.nix

@@ -0,0 +1,49 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+boot.initrd.luks.devices = {
+root = {
+device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
+preLVM = true;
+allowDiscards = true;
+};
+};
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/402B-2026";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/configuration.nix

@@ -46,6 +46,11 @@ let
     {
       microvm = {
         hypervisor = "qemu";
+        shares = [ {
+          tag = "ro-store";
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+        } ];
         interfaces = [
           {
             type = "tap";
@@ -78,9 +83,20 @@ in
     ];
   };
 
+  bakunin = nixosSystem {
+    system = "x86_64-linux";
+    specialArgs.inputs = inputs;
+    modules = defaultModules ++ [
+      ./bakunin/configuration.nix
+      inputs.disko.nixosModules.disko
+      ./modules/disko/btrfs-laptop.nix
+    ];
+  };
+
   durruti = nixosSystem {
     system = "x86_64-linux";
     specialArgs.inputs = inputs;
+    specialArgs.self = self;
     modules = makeMicroVM "durruti" "10.0.0.5" [
       ./durruti/configuration.nix
     ];

machines/durruti/configuration.nix

@@ -22,55 +22,16 @@ with lib;
   imports = [
     inputs.ep3-bs.nixosModules.ep3-bs
     inputs.tasklist.nixosModules.malobeo-tasklist
+
+    ./documentation.nix
+
     ../modules/malobeo_user.nix
     ../modules/sshd.nix
     ../modules/minimal_tools.nix
-    ../modules/autoupdate.nix
   ];
 
-  malobeo.autoUpdate = {
-    enable = true;
-    url = "https://hydra.dynamicdiscord.de";
-    project = "malobeo";
-    jobset = "infrastructure";
-    cacheurl = "https://cache.dynamicdiscord.de";
-  };
-
   services.malobeo-tasklist.enable = true;
 
-  services.ep3-bs = {
-    enable = true;
-    in_production = true;
-    favicon = ./circle-a.png;
-    logo = ./malobeo.png;
-
-    mail = {
-      type = "smtp-tls";
-      address = "dynamicdiscorddresden@systemli.org";
-      host = "mail.systemli.org";
-      user = "dynamicdiscorddresden@systemli.org";
-      passwordFile = config.sops.secrets.ep3bsMail.path;
-      auth = "plain";
-    };
-
-
-    database = {
-      user = "malodbuser";
-      passwordFile = config.sops.secrets.ep3bsDb.path;
-    };
-  };
-
-  sops.secrets.ep3bsDb = {
-    owner = config.services.ep3-bs.user;
-    key = "ep3bsDb";
-  };
-
-  sops.secrets.ep3bsMail = {
-    owner = config.services.ep3-bs.user;
-    key = "ep3bsMail";
-  };
-
-
   system.stateVersion = "22.11"; # Did you read the comment?
 }
 

machines/durruti/documentation.nix

@@ -0,0 +1,15 @@
+{ config, self, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."_" = {
+      listen = [ 
+        { addr = "0.0.0.0"; port = 9000; } 
+      ];
+      root = "${self.packages.x86_64-linux.docs}/share/doc";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9000 ];
+}

machines/durruti/host_config.nix

@@ -33,6 +33,12 @@ in
       }
     ];
 
+    services.nginx.virtualHosts."docs.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/".proxyPass = "http://${cfg.host_ip}:9000";
+    };
+
     services.nginx.virtualHosts."tasklist.malobeo.org" = {
       forceSSL = true;
       enableACME= true;

machines/durruti/secrets.yaml

@@ -6,66 +6,75 @@ sops:
     gcp_kms: []
     azure_kv: []
     hc_vault: []
-    age: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84
+            LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw
+            bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm
+            SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV
+            45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw==
+            -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-06-26T10:07:26Z"
     mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
     pgp:
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+
+            hQGMA5HdvEwzh/H7AQwAhcsRc3mCqKgUFym0W5lTN6j5xg+o0PF31ZQ3qqkO3b5+
-            43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT
+            nIPH8Ee7nrcfRCM2AV+TReaZ2qfP4TdU5j00F5977H5UM+UULFM+FSGcY63rkp80
-            d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc
+            1U1ZzxbzTwV5mil8dx3dmENMgFpKy0J2MatPdR5bu/z0o7sLty1DUq9hiQOTfM3F
-            5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN
+            u1mfmY37YewMBmxlzDJ3Z5+lslRJUqa3Ho9atjYhwxZTYgh9QQtnm8kRjNM/HKpQ
-            MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu
+            sDAWu9JXit33WwHayxUFWZ5syiwsbFxAelrZnluW3KiKu3v+9VO7X6dJsrrIB6Xt
-            eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv
+            j/mJhwkwJ39xHD/eQqMJsdAum8Pgxi40XjD6wJvmIhYz1y8Lbymanb+6U+fJk71V
-            pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf
+            ZLsbk+sR1Jkh+L3NV+UGlMusgQuxcE2xQjNMEbpzk1xXsFFz+QxVxx6HZp8xRh4v
-            Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W
+            M8L2LkiZp5w8iij+uJ+k0ovu4XH2Bf/2myhabfRrk5bPZbweH/bJOxChIgf/b/ZP
-            CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs
+            FdfHGP0KlJe+jMGY3j7c0lgB9k2vyvYTHaAOcQoe/HdKNvueMMYDIzxLZ6sXsn+z
-            6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq
+            jhdW9FxM9g2ZOStq1Mwjzvb8rJCAFQH0s/3yHZY7rveaI88Z3G11i97D3OME2yAx
-            OBN3luBRDDAj
+            bxCHPCFfvmX/
-            =+dua
+            =3wBJ
             -----END PGP MESSAGE-----
           fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo
+            hQIMA98TrrsQEbXUAQ//eBqaTG6/KiQFfEMog839q+nukWh3SHSnhCDyCAhdqKA3
-            HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx
+            Q9FSroIYEOMwE9SYkNC9T0/pf/ZmRuPBpx09b+q+1df4FLdajgpEbg1CyWnw7fyR
-            hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh
+            731vYt5hvN7PVtBGs842BcEvYwKVG33HTadi53l+pjDURpHGLWLbURiqchGrXpPn
-            9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3
+            o6rih4ueE0TmLHGugGKIr7n/XgH4xpsr/wFLQCnCaVATXdS1Tk86bTeu0HybmPlG
-            rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ
+            dw4TZrTSO7uq2GyczIC81HnLPisZ1w+7R0m58kV0FGFoDZIwczW46J/h3NLsjO0t
-            lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj
+            4zKV1oJUpCANalDCRBhf5RRatw/OzTgVHnpuGyaoAtWGyZpeQi2ntoEvFb3eWAc3
-            fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1
+            NMjc2bqamZEdfnBOmPILqRKINm60DkpiI7behY3oV178bWcp3iWsyA4biL0O0pf4
-            2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl
+            FXbW29zHnEr86wTlJmJIC5sGkNNtu0dNFAKuzKjAel9sVor183WkJk8NAgaaI/pD
-            TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC
+            pQV+l0ClexXGIW7p931Sn7u2JmXeNJM+yqRz5lDWMLakxygW2h4HDI8NOIS7xvP1
-            3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA
+            Ip3a5bGctGEVmAK9MEhcRIGcP7Aoacj7iZVg9bnac4HCX3wnnGjLDNL+XDzfmfUB
-            UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS
+            M48YUoDS1CSjlcTbgIaL3HeX84EYcoQdRjwRcI3pVpPkJTpi/t2I+/2tOP92sm7S
-            WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt
+            WAHfIeh3niCzrQa//nwdAEQq+7YrDCDia7SSxDDrRM+/LTaQacoo9SuaHuEANZ/P
-            08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ=
+            +x7rrZsnQq8UBpnd+dQCyxipQvwmjtp9N5xKcragt1LdH4M+Q/qoSIo=
-            =7OG0
+            =4vnh
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf
+            hQIMA1kR3vWkIYVnAQ//UfsG62+53p9PyXN+c6hoMg+MqWxjvia9kHvjE3Q3bcO+
-            XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6
+            KVYqD8CszyTwiTV0RoTWddyiZwZHKkH/ymTtnNafG6NVo3XrYpRmO7SxmVMm1BIt
-            GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U
+            HrBCdQkLDQOzqbeKBV9bGqO3xHKLEu0vwFkEdpWpNrjkKZfYQ8SjE/6vTJRPeBxx
-            e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc
+            Z++g8540vZtB0V2YzKStJJ8LcsU+3j1/+NlUJZamXUGT4AnxH3atWuKqC39CZAU6
-            B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l
+            0iHxKEcHcQYPAmvTqtxTH0ELIaRYBIRlzCs0MVjmmfVyaeJOZGyd32vikQMUCrf/
-            aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv
+            EvThUCnq3+qCNjLlp1tQbLJV4B6ptAuj6uns2Z9Xmj1j4nFgUKvsc1MPnuSQsOnM
-            FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v
+            tLF0qsVvunvLbHXhb/Z4uDaNMst8jWEGhk52QYCZ6pgq1zoN63tOAxD+HK12KSYQ
-            eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK
+            emcDTjGqLTxe2dTiFMHlOkmTk/unEJXI1rJEalBaLqzDFg2tS6I1swQKG115wUfv
-            0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU
+            COHQtmbWmwIMtcl0q/QHfSyc+jPVHoadj6ZZFS1iL9Er/zx1nuD5ybkHntQdO0Gb
-            fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM
+            YwfyLzhFQ4gKgDiXwHdjYmHeDnXI9mrH3Cypcc/I8WV96cMnuKQBrD7V3NKpjFMS
-            cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS
+            CaLMVDQqwMoGi+Xi8Ve5oRCa/qt5UEpL1CZZUxNNE11ggPYI22ecKjegdIlGuWHS
-            WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG
+            WAE4FsZZNLt+RWZxIW0iTP0BzDuCMQFkismL0YyDI18g1dG/sl43+ecd6F9yoWYP
-            HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto=
+            sXjR3gwbASdHHXeYFAxbPX3Q/XT+SQzOAFigPhD0LUFRX2Cf/Q2yu34=
-            =GiUe
+            =FLuF
             -----END PGP MESSAGE-----
           fp: 4095412245b6efc14cf92ca25911def5a4218567
     unencrypted_suffix: _unencrypted

machines/lucia/secrets.yaml

@@ -5,66 +5,75 @@ sops:
     gcp_kms: []
     azure_kv: []
     hc_vault: []
-    age: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh
+            RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5
+            NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4
+            aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
+            f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
+            -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-10-24T15:09:51Z"
     mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
     pgp:
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T
+            hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3
-            xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw
+            edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv
-            L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ
+            aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI
-            /f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd
+            V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB
-            eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb
+            aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ
-            mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez
+            513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf
-            cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh
+            2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF
-            3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a
+            rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9
-            FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2
+            lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn
-            XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT
+            2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc
-            WxGMHNWqN7NS
+            qkz9uKEGrGjb
-            =XZkW
+            =wPkW
             -----END PGP MESSAGE-----
           fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA
+            hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC
-            WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT
+            FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU
-            iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW
+            OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX
-            1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH
+            HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu
-            X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN
+            Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs
-            0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q
+            58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg
-            D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF
+            JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp
-            apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf
+            epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y
-            OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/
+            GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG
-            y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz
+            ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8
-            DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS
+            a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS
-            WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf
+            WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0
-            MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0=
+            m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko=
-            =2A7P
+            =DC78
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO
+            hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL
-            2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU
+            3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB
-            VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA
+            OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg
-            2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464
+            2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN
-            qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL
+            +QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI
-            m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi
+            ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0
-            KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF
+            R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J
-            rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx
+            pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW
-            3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ
+            608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m
-            emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh
+            c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl
-            1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS
+            64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS
-            WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7
+            WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu
-            wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo=
+            8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY=
-            =NnkE
+            =8HBK
             -----END PGP MESSAGE-----
           fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
     unencrypted_suffix: _unencrypted

machines/modules/disko/btrfs-laptop.nix

@@ -0,0 +1,63 @@
+{ config, self, inputs, ... }:
+
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+  ];
+
+  # https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        # When using disko-install, we will overwrite this value from the commandline
+        device = "/dev/disk/by-id/some-disk-id";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                  passwordFile = "/tmp/secret.key"; # Interactive
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  subvolumes = {
+                    "/root" = {
+                      mountpoint = "/";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/home" = {
+                      mountpoint = "/home";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/swap" = {
+                      mountpoint = "/.swapvol";
+                      swap.swapfile.size = "20M";
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

machines/modules/malobeo/microvm_host.nix

@@ -1,4 +1,4 @@
-{ config, lib, options, pkgs, ... }:
+{ config, self, lib, inputs, options, pkgs, ... }:
 
 with lib;
 
@@ -13,12 +13,39 @@ in
         type = types.bool;
         description = lib.mdDoc "Setup bridge device for microvms.";
       };
+
+      enableHostBridgeUnstable = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Setup bridge device for microvms.";
+      };
+
+      deployHosts = mkOption {
+        default = [];
+        type = types.listOf types.str;
+        description = ''
+          List hostnames of MicroVMs that should be automatically initializes and autostart
+        '';
+      };
     };
   };
 
-  config = mkIf cfg.enableHostBridge
+
+  imports = [
+    inputs.microvm.nixosModules.host
+  ];
+
+  config = { 
+    assertions = [
       {
-    systemd.network = {
+        assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge);
+        message = ''
+          Only enableHostBridge or enableHostBridgeUnstable! Not Both!
+        '';
+      }
+    ];
+
+    systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
       enable = true;
       # create a bride device that all the microvms will be connected to
       netdevs."10-microvm".netdevConfig = {
@@ -32,14 +59,11 @@ in
           DHCPServer = true;
           IPv6SendRA = true;
         };
-        addresses = [ {
+        addresses = if cfg.enableHostBridgeUnstable then [
-          Address = "10.0.0.1/24";
+          { Address = "10.0.0.1/24"; }
-        } {
+        ] else [
-          Address = "fd12:3456:789a::1/64";
+          { addressConfig.Address = "10.0.0.1/24"; }
-        } ];
+        ];
-        ipv6Prefixes = [ {
-          Prefix = "fd12:3456:789a::/64";
-        } ];
       };
 
       # connect the vms to the bridge
@@ -48,5 +72,48 @@ in
         networkConfig.Bridge = "microvm";
       };
     }; 
+
+    microvm.vms = 
+    let
+      # Map the values to each hostname to then generate an Attrset using listToAttrs
+      mapperFunc = name: { inherit name; value = {
+          # Host build-time reference to where the MicroVM NixOS is defined
+          # under nixosConfigurations
+          flake = inputs.malobeo; 
+          # Specify from where to let `microvm -u` update later on
+          updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure";
+        }; };
+    in
+    builtins.listToAttrs (map mapperFunc cfg.deployHosts);
+
+    systemd.services = builtins.foldl' (services: name: services // {
+      "microvm-update@${name}" = {
+        description = "Update MicroVMs automatically";
+        after = [ "network-online.target" ];
+        wants = [ "network-online.target" ];
+        unitConfig.ConditionPathExists = "/var/lib/microvms/${name}";
+        serviceConfig = {
+          LimitNOFILE = "1048576";
+          Type = "oneshot";
+        };
+        path = with pkgs; [ nix git ];
+        environment.HOME = config.users.users.root.home;
+        script = ''
+          /run/current-system/sw/bin/microvm -Ru ${name}
+        '';
+      };
+    }) {} (cfg.deployHosts);
+
+    systemd.timers = builtins.foldl' (timers: name: timers // {
+    "microvm-update-${name}" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "microvm-update@${name}.service";
+        # three times per hour
+        OnCalendar = "*:0,20,40:00";
+        Persistent = true;
+      };
+    };
+  }) {} (cfg.deployHosts);
   };
 }

machines/ssh_keys.nix

@@ -3,5 +3,6 @@
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxgcjNOYbza3+RfANFDXy7HXNRFlkpDOAcGyB7MKshiVlbPByWRSjfZa0BeRNjpeCd8QkIodKUzqYOCOrc8ad3kiNbdLRcDz57A5xSLD3ynakoWJo0AmJjT3Ta1JJj8inNwwykR0ig5//SrtsZb9HkWJDAF017MokM2r8AWPE1QzcQdh93kojXcgTHrJHzEqgKbEGDEk37f1RvZG4umEFeqdK2FvS5isPa7P9X7hyyoDC8bvEy7xfaDrToJAoXon6r79taxH8UWIvy//xsU0NBLYK2eE4RQe2AjF6Ri+CybI6y1SsHOvyh4nNKWlfUOEL6UnIulRn/LXFOKCJi7xuoTeJXS0+w1DNEuiGosVNXPSKbUm/eDBVnb8Iyep9wmygSZayN82xL5lRlG3Mn45ttecqfm2SJkmduBA5qXcTdDPe/lXTZaVO9tbiIcJfUgd3ttEu2+6YjLn74D965PlovzvR6EhbVUZ8IkOAt4VmuTkXIdm8SCS7jzhsiKeUXoZ4rfa375zi79SIPuIkoMasj6d16wcYOeFIUIMFFccfQ9jQjr9NTSXC2dd7sfbI9I9mF7eRQSsUdSwpP8WH1b+M1MxTbdhEUdPwpOLviTTIuk8E8K8DQDZIcOOh38mCDpyoh02nwfRxlyoYVsKAHIQH02dHTvYEa3/pMsRwGc9W1Ow== kalipso@desktop"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
+   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
  ];
 }

outputs.nix

@@ -41,7 +41,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
     apps = {
       docs = {
         type = "app";
-        program = builtins.toString (pkgs.writeScript "docs" ''
+        program = builtins.toString (pkgs.writeShellScript "docs" ''
           ${pkgs.mdbook}/bin/mdbook serve --open ./doc
         '');
       };
@@ -50,6 +50,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
   })) // rec {
     nixosConfigurations = import ./machines/configuration.nix (inputs // {
       inherit inputs;
+      self = self;
     });
 
     nixosModules.malobeo.imports = [

shell.nix

@@ -17,6 +17,7 @@ mkShell {
     sops-import-keys-hook
     sops-init-gpg-key
     sops
+    pkgs.age
     pkgs.python310Packages.grip
     pkgs.mdbook
   ];