[nixpkgs] 24.05 -> 24.11

[docs] add local persistent microvm usage
[nix] output vm packages for each host
2024-12-13 03:56:56 +01:00 · 2024-12-13 03:36:45 +01:00 · 2024-12-13 03:36:44 +01:00 · 2024-12-13 03:36:41 +01:00 · 2024-12-13 03:36:17 +01:00 · 2024-12-13 03:36:17 +01:00
27 changed files with 970 additions and 301 deletions
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ the file structure is based on this [blog post](https://samleathers.com/posts/20
 #### durruti
 - nixos-container running on dedicated hetzner server
- login via ```ssh -p 222 malobeo@5.9.153.217```
+- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
 - if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
 - currently is running tasklist in detached tmux session
  - [x] make module with systemd service out of that
--- a/doc/src/SUMMARY.md
+++ b/doc/src/SUMMARY.md
@@ -12,6 +12,8 @@
            - [musik](./projekte/musik.md)
        - [TODO](./todo.md)
    - [How-to]()
        - [Create New Host](./anleitung/create.md)
        - [Sops](./anleitung/sops.md)            
        - [Updates](./anleitung/updates.md)
        - [Rollbacks](./anleitung/rollback.md)
        - [MicroVM](./anleitung/microvm.md)
--- a/doc/src/anleitung/create.md
+++ b/doc/src/anleitung/create.md
@@ -0,0 +1,66 @@
 # Create host with disko-install
 How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
 ---
 Here are the exact steps to get bakunin running:  
 First create machines/hostname/configuration.nix  
 Add hosts nixosConfiguration in machines/configurations.nix  
 Boot nixos installer on the Machine.  
 ``` bash
 # establish network connection
 wpa_passphrase "network" "password" > wpa.conf
 wpa_supplicant -B -i wlp3s0 -c wpa.conf
 ping 8.8.8.8
 # if that works continue
 # generate a base hardware config
 nixos-generate-config --root /tmp/config --no-filesystems
 # get the infra repo
 nix-shell -p git
 git clone https://git.dynamicdiscord.de/kalipso/infrastructure
 cd infrastructure
 # add the new generated hardware config (and import in hosts configuration.nix)
 cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
 # check which harddrive we want to install the system on
 lsblk #choose harddrive, in this case /dev/sda
 # run nixos-install on that harddrive
 sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
 # this failed with out of memory
 # running again showed: no disk left on device
 # it seems the usb stick i used for flashing is way to small
 # it is only 
 # with a bigger one (more than 8 gig i guess) it should work
 # instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
 # for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
 sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
 # failed with no space left on device.
 # problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
 # it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
 ```
 # Testing Disko
 Testing disko partitioning is working quite well. Just run the following and check the datasets in the vm:
 ```bash
 nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
 ```
 Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
 ```nix
 datasets = {
  encrypted = {
    options = {
      encryption = "aes-256-gcm"; #THIS ONE
      keyformat = "passphrase"; #THIS ONE
      keylocation = "file:///tmp/root.key"; #THIS ONE
    };
    # use this to read the key during boot
     postCreateHook = '' #THIS ONE 
       zfs set keylocation="prompt" "zroot/$name"; #THIS ONE 
     ''; #THIS ONE 
 ```
--- a/doc/src/anleitung/microvm.md
+++ b/doc/src/anleitung/microvm.md
@@ -12,16 +12,48 @@ Use durruti as orientation:
 "10.0.0.5" is the IP assigned to its tap interface.  
 ### Testing MicroVMs locally
-MicroVMs can be built and run easily on your local host.
+MicroVMs can be built and run easily on your local host, but they are not persistent!
-For durruti this is done by:
+For durruti for example this is done by:
 ``` bash
-sudo nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner
+nix run .\#durruti-vm
 ```
 ### Testing persistent microvms
 In order to test persistent microvms locally we need to create them using the ```microvm``` command.  
 This is necessary to be able to mount persistent /etc and /var volumes on those hosts.  
 Do the following:
 ```bash
 # go into our repo and start the default dev shell (or us direnv)
 nix develop .#
 # create a microvm on your host (on the example of durruti)
 sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo
 # start the vm
 sudo systemctl start microvm@durruti.serivce
 # this may fail, if so we most probably need to create /var /etc manually, then restart
 sudo mkdir /var/lib/microvms/durruti/{var, etc}
 # now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/
 # alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
 microvm -r durruti
 # after u made changes to the microvm update and restart the vm 
 microvm -uR durruti
 # deleting the vm again:
 sudo systemctl stop microvm@durruti.service
 sudo systemctl stop microvm-virtiofsd@durruti.service
 sudo rm -rf /var/lib/microvms/durruti
 ```
 It seems to be necessary to run this as root so that the according tap interface can be created.
 To be able to ping the VM or give Internet Access to the VM your host needs to be setup as described below.
 ### Host Setup
 #### Network Bridge
 To provide network access to the VMs a bridge interface needs to be created on your host.
 For that:
 - Add the infrastructure flake as input to your hosts flake  
@@ -37,3 +69,13 @@ networking.nat = {
  externalInterface = "eth0"; #change to your interface name
 };
 ```
 #### Auto Deploy VMs
 By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool.
 But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option.
 VMs configured using this option will be initialized and autostarted at boot.
 Updating still needs to be done imperative, or by enabling autoupdates.nix
 The following example would init and autostart durruti and gitea:
 ``` nix
 malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
 ```
--- a/doc/src/anleitung/sops.md
+++ b/doc/src/anleitung/sops.md
@@ -0,0 +1,25 @@
 # Sops
 ## How to add admin keys
 - Git:
    - Generate gpg key
    - Add public key to `./machines/secrets/keys/users/`
    - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
 - Age:
    - Generate age key for Sops:   
      ```
      $ mkdir -p ~/.config/sops/age
      $ age-keygen -o ~/.config/sops/age/keys.txt
      ```
      or to convert an ssh ed25519 key to an age key
      ```
      $ mkdir -p ~/.config/sops/age
      $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
      ```
    - Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
    - Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
 - Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
 - `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
 {
  "nodes": {
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730135292,
        "narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "latest",
        "repo": "disko",
        "type": "github"
      }
    },
    "ep3-bs": {
      "inputs": {
        "nixpkgs": [
@@ -26,11 +47,11 @@
        "systems": "systems_3"
      },
      "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1731533236,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -46,16 +67,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1726989464,
+        "lastModified": 1733951536,
-        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
+        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
+        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-24.05",
+        "ref": "release-24.11",
        "repo": "home-manager",
        "type": "github"
      }
@@ -88,11 +109,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1731240174,
+        "lastModified": 1734041466,
-        "narHash": "sha256-HYu+bPoV3UILhwc4Ar5iQ7aF+DuQWHXl4mljN6Bwq6A=",
+        "narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "dd89404e1885b8d7033106f3898eaef8db660cb2",
+        "rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
        "type": "github"
      },
      "original": {
@@ -103,11 +124,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1729386149,
+        "lastModified": 1733620091,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+        "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b",
        "type": "github"
      },
      "original": {
@@ -124,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1729472750,
+        "lastModified": 1733965598,
-        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+        "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f",
        "type": "github"
      },
      "original": {
@@ -139,11 +160,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1730919458,
+        "lastModified": 1733861262,
-        "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
+        "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
+        "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
        "type": "github"
      },
      "original": {
@@ -169,29 +190,13 @@
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1730602179,
        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1730785428,
+        "lastModified": 1733759999,
-        "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
+        "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
+        "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
        "type": "github"
      },
      "original": {
@@ -203,22 +208,23 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1730883749,
+        "lastModified": 1733808091,
-        "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
+        "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
+        "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "disko": "disko",
        "ep3-bs": "ep3-bs",
        "home-manager": "home-manager",
        "mfsync": "mfsync",
@@ -236,15 +242,14 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1731047660,
+        "lastModified": 1733965552,
-        "narHash": "sha256-iyp51lPWEQz4c5VH9bVbAuBcFP4crETU2QJYh5V0NYA=",
+        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "60e1bce1999f126e3b16ef45f89f72f0c3f8d16f",
+        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
        "type": "github"
      },
      "original": {
@@ -256,11 +261,11 @@
    "spectrum": {
      "flake": false,
      "locked": {
-        "lastModified": 1729945407,
+        "lastModified": 1733308308,
-        "narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=",
+        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
        "ref": "refs/heads/main",
-        "rev": "f1d94ee7029af18637dbd5fdf4749621533693fa",
+        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
-        "revCount": 764,
+        "revCount": 792,
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      },
@@ -390,11 +395,11 @@
        "systems": "systems_4"
      },
      "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1731533236,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -3,13 +3,15 @@
  inputs = {
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    mfsync.url = "github:k4lipso/mfsync";
    microvm.url = "github:astro/microvm.nix";
    microvm.inputs.nixpkgs.follows = "nixpkgs";
    disko.url = "github:nix-community/disko/latest";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    utils = {
      url = "github:numtide/flake-utils";
@@ -31,7 +33,7 @@
    };
    home-manager=  {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-24.11";
      inputs = {
        nixpkgs.follows = "nixpkgs";
      };
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -5,6 +5,7 @@
 keys:
  - &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb
  - &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4
  - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
  - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
  - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
  - &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
@@ -15,15 +16,21 @@ creation_rules:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_moderatio
      age:
      - *admin_atlan
  - path_regex: lucia/secrets.yaml$
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_lucia
      age:
      - *admin_atlan
  - path_regex: durruti/secrets.yaml$
    key_groups:
    - pgp:
      - *admin_kalipso
      - *admin_kalipso_dsktp
      - *machine_durruti
      age:
      - *admin_atlan
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -0,0 +1,83 @@
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
      ../modules/xserver.nix
      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
    ];
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
    project = "malobeo";
    jobset = "infrastructure";
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  boot.loader.systemd-boot.enable = true;
  hardware.sane.enable = true; #scanner support
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  users.users.malobeo = {
    packages = with pkgs; [
      firefox
      thunderbird
      telegram-desktop
      tor-browser-bundle-bin
      keepassxc
      libreoffice
      gimp
      inkscape
      okular
      element-desktop
      chromium
      mpv
      vlc
      simple-scan
    ];
  };
  services.tor = {
    enable = true;
    client.enable = true;
  };
  services.printing.enable = true;
  services.printing.drivers = [
    (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
    pkgs.gutenprint
    pkgs.gutenprintBin
    pkgs.brlaser
    pkgs.brgenml1lpr 
    pkgs.brgenml1cupswrapper
  ];
  # needed for printing drivers
  nixpkgs.config.allowUnfree = true; 
  services.acpid.enable = true;
  networking.hostName = "bakunin";
  networking.networkmanager.enable = true;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    systemWide = true;
  };
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "23.05"; # Do.. Not.. Change..
 }
--- a/machines/bakunin/hardware-configuration.nix
+++ b/machines/bakunin/hardware-configuration.nix
@@ -0,0 +1,49 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
 boot.initrd.luks.devices = {
 root = {
 device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
 preLVM = true;
 allowDiscards = true;
 };
 };
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/402B-2026";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -45,7 +45,32 @@ let
    inputs.microvm.nixosModules.microvm
    {
      microvm = {
-        hypervisor = "qemu";
+        hypervisor = "cloud-hypervisor";
        mem = 2560;
        shares = [
          {
            source = "/nix/store";
            mountPoint = "/nix/.ro-store";
            tag = "store";
            proto = "virtiofs";
            socket = "store.socket";
          }
          {
            source = "/var/lib/microvms/${hostName}/etc";
            mountPoint = "/etc";
            tag = "etc";
            proto = "virtiofs";
            socket = "etc.socket";
          }
          {
            source = "/var/lib/microvms/${hostName}/var";
            mountPoint = "/var";
            tag = "var";
            proto = "virtiofs";
            socket = "var.socket";
          }
        ];
        interfaces = [
          {
            type = "tap";
@@ -78,9 +103,31 @@ in
    ];
  };
  bakunin = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    modules = defaultModules ++ [
      ./bakunin/configuration.nix
      inputs.disko.nixosModules.disko
      ./modules/disko/btrfs-laptop.nix
    ];
  };
  fanny = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    modules = defaultModules ++ [
      ./fanny/configuration.nix
      inputs.disko.nixosModules.disko
      ./modules/disko/fanny.nix
    ];
  };
  durruti = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    specialArgs.self = self;
    modules = makeMicroVM "durruti" "10.0.0.5" [
      ./durruti/configuration.nix
    ];
@@ -94,12 +141,4 @@ in
      ./lucia/hardware_configuration.nix
    ];
  };
  gitea = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    modules = makeMicroVM "gitea" "10.0.0.6" [
      ./gitea/configuration.nix
    ];
  };
 }
--- a/machines/durruti/configuration.nix
+++ b/machines/durruti/configuration.nix
@@ -22,55 +22,16 @@ with lib;
  imports = [
    inputs.ep3-bs.nixosModules.ep3-bs
    inputs.tasklist.nixosModules.malobeo-tasklist
    ./documentation.nix
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    ../modules/minimal_tools.nix
    ../modules/autoupdate.nix
  ];
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
    project = "malobeo";
    jobset = "infrastructure";
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  services.malobeo-tasklist.enable = true;
  services.ep3-bs = {
    enable = true;
    in_production = true;
    favicon = ./circle-a.png;
    logo = ./malobeo.png;
    mail = {
      type = "smtp-tls";
      address = "dynamicdiscorddresden@systemli.org";
      host = "mail.systemli.org";
      user = "dynamicdiscorddresden@systemli.org";
      passwordFile = config.sops.secrets.ep3bsMail.path;
      auth = "plain";
    };
    database = {
      user = "malodbuser";
      passwordFile = config.sops.secrets.ep3bsDb.path;
    };
  };
  sops.secrets.ep3bsDb = {
    owner = config.services.ep3-bs.user;
    key = "ep3bsDb";
  };
  sops.secrets.ep3bsMail = {
    owner = config.services.ep3-bs.user;
    key = "ep3bsMail";
  };
  system.stateVersion = "22.11"; # Did you read the comment?
 }
--- a/machines/durruti/documentation.nix
+++ b/machines/durruti/documentation.nix
@@ -0,0 +1,15 @@
 { config, self, ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts."_" = {
      listen = [ 
        { addr = "0.0.0.0"; port = 9000; } 
      ];
      root = "${self.packages.x86_64-linux.docs}/share/doc";
    };
  };
  networking.firewall.allowedTCPPorts = [ 9000 ];
 }
--- a/machines/durruti/host_config.nix
+++ b/machines/durruti/host_config.nix
@@ -33,6 +33,12 @@ in
      }
    ];
    services.nginx.virtualHosts."docs.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
      locations."/".proxyPass = "http://${cfg.host_ip}:9000";
    };
    services.nginx.virtualHosts."tasklist.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
--- a/machines/durruti/secrets.yaml
+++ b/machines/durruti/secrets.yaml
@@ -6,66 +6,75 @@ sops:
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age: []
+    age:
        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84
            LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw
            bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm
            SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV
            45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-06-26T10:07:26Z"
    mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
    pgp:
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+
+            hQGMA5HdvEwzh/H7AQwAhcsRc3mCqKgUFym0W5lTN6j5xg+o0PF31ZQ3qqkO3b5+
-            43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT
+            nIPH8Ee7nrcfRCM2AV+TReaZ2qfP4TdU5j00F5977H5UM+UULFM+FSGcY63rkp80
-            d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc
+            1U1ZzxbzTwV5mil8dx3dmENMgFpKy0J2MatPdR5bu/z0o7sLty1DUq9hiQOTfM3F
-            5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN
+            u1mfmY37YewMBmxlzDJ3Z5+lslRJUqa3Ho9atjYhwxZTYgh9QQtnm8kRjNM/HKpQ
-            MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu
+            sDAWu9JXit33WwHayxUFWZ5syiwsbFxAelrZnluW3KiKu3v+9VO7X6dJsrrIB6Xt
-            eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv
+            j/mJhwkwJ39xHD/eQqMJsdAum8Pgxi40XjD6wJvmIhYz1y8Lbymanb+6U+fJk71V
-            pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf
+            ZLsbk+sR1Jkh+L3NV+UGlMusgQuxcE2xQjNMEbpzk1xXsFFz+QxVxx6HZp8xRh4v
-            Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W
+            M8L2LkiZp5w8iij+uJ+k0ovu4XH2Bf/2myhabfRrk5bPZbweH/bJOxChIgf/b/ZP
-            CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs
+            FdfHGP0KlJe+jMGY3j7c0lgB9k2vyvYTHaAOcQoe/HdKNvueMMYDIzxLZ6sXsn+z
-            6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq
+            jhdW9FxM9g2ZOStq1Mwjzvb8rJCAFQH0s/3yHZY7rveaI88Z3G11i97D3OME2yAx
-            OBN3luBRDDAj
+            bxCHPCFfvmX/
-            =+dua
+            =3wBJ
            -----END PGP MESSAGE-----
          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo
+            hQIMA98TrrsQEbXUAQ//eBqaTG6/KiQFfEMog839q+nukWh3SHSnhCDyCAhdqKA3
-            HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx
+            Q9FSroIYEOMwE9SYkNC9T0/pf/ZmRuPBpx09b+q+1df4FLdajgpEbg1CyWnw7fyR
-            hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh
+            731vYt5hvN7PVtBGs842BcEvYwKVG33HTadi53l+pjDURpHGLWLbURiqchGrXpPn
-            9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3
+            o6rih4ueE0TmLHGugGKIr7n/XgH4xpsr/wFLQCnCaVATXdS1Tk86bTeu0HybmPlG
-            rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ
+            dw4TZrTSO7uq2GyczIC81HnLPisZ1w+7R0m58kV0FGFoDZIwczW46J/h3NLsjO0t
-            lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj
+            4zKV1oJUpCANalDCRBhf5RRatw/OzTgVHnpuGyaoAtWGyZpeQi2ntoEvFb3eWAc3
-            fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1
+            NMjc2bqamZEdfnBOmPILqRKINm60DkpiI7behY3oV178bWcp3iWsyA4biL0O0pf4
-            2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl
+            FXbW29zHnEr86wTlJmJIC5sGkNNtu0dNFAKuzKjAel9sVor183WkJk8NAgaaI/pD
-            TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC
+            pQV+l0ClexXGIW7p931Sn7u2JmXeNJM+yqRz5lDWMLakxygW2h4HDI8NOIS7xvP1
-            3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA
+            Ip3a5bGctGEVmAK9MEhcRIGcP7Aoacj7iZVg9bnac4HCX3wnnGjLDNL+XDzfmfUB
-            UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS
+            M48YUoDS1CSjlcTbgIaL3HeX84EYcoQdRjwRcI3pVpPkJTpi/t2I+/2tOP92sm7S
-            WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt
+            WAHfIeh3niCzrQa//nwdAEQq+7YrDCDia7SSxDDrRM+/LTaQacoo9SuaHuEANZ/P
-            08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ=
+            +x7rrZsnQq8UBpnd+dQCyxipQvwmjtp9N5xKcragt1LdH4M+Q/qoSIo=
-            =7OG0
+            =4vnh
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf
+            hQIMA1kR3vWkIYVnAQ//UfsG62+53p9PyXN+c6hoMg+MqWxjvia9kHvjE3Q3bcO+
-            XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6
+            KVYqD8CszyTwiTV0RoTWddyiZwZHKkH/ymTtnNafG6NVo3XrYpRmO7SxmVMm1BIt
-            GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U
+            HrBCdQkLDQOzqbeKBV9bGqO3xHKLEu0vwFkEdpWpNrjkKZfYQ8SjE/6vTJRPeBxx
-            e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc
+            Z++g8540vZtB0V2YzKStJJ8LcsU+3j1/+NlUJZamXUGT4AnxH3atWuKqC39CZAU6
-            B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l
+            0iHxKEcHcQYPAmvTqtxTH0ELIaRYBIRlzCs0MVjmmfVyaeJOZGyd32vikQMUCrf/
-            aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv
+            EvThUCnq3+qCNjLlp1tQbLJV4B6ptAuj6uns2Z9Xmj1j4nFgUKvsc1MPnuSQsOnM
-            FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v
+            tLF0qsVvunvLbHXhb/Z4uDaNMst8jWEGhk52QYCZ6pgq1zoN63tOAxD+HK12KSYQ
-            eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK
+            emcDTjGqLTxe2dTiFMHlOkmTk/unEJXI1rJEalBaLqzDFg2tS6I1swQKG115wUfv
-            0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU
+            COHQtmbWmwIMtcl0q/QHfSyc+jPVHoadj6ZZFS1iL9Er/zx1nuD5ybkHntQdO0Gb
-            fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM
+            YwfyLzhFQ4gKgDiXwHdjYmHeDnXI9mrH3Cypcc/I8WV96cMnuKQBrD7V3NKpjFMS
-            cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS
+            CaLMVDQqwMoGi+Xi8Ve5oRCa/qt5UEpL1CZZUxNNE11ggPYI22ecKjegdIlGuWHS
-            WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG
+            WAE4FsZZNLt+RWZxIW0iTP0BzDuCMQFkismL0YyDI18g1dG/sl43+ecd6F9yoWYP
-            HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto=
+            sXjR3gwbASdHHXeYFAxbPX3Q/XT+SQzOAFigPhD0LUFRX2Cf/Q2yu34=
-            =GiUe
+            =FLuF
            -----END PGP MESSAGE-----
          fp: 4095412245b6efc14cf92ca25911def5a4218567
    unencrypted_suffix: _unencrypted
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -0,0 +1,44 @@
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
    ];
  malobeo.autoUpdate = {
    enable = true;
    url = "https://hydra.dynamicdiscord.de";
    project = "malobeo";
    jobset = "infrastructure";
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  boot.loader.systemd-boot.enable = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  services.tor = {
    enable = true;
    client.enable = true;
  };
  # needed for printing drivers
  nixpkgs.config.allowUnfree = true; 
  services.acpid.enable = true;
  networking.hostName = "fanny";
  networking.hostId = "1312acab";
  networking.networkmanager.enable = true;
  virtualisation.vmVariant.virtualisation.graphics = false;
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "23.05"; # Do.. Not.. Change..
 }
--- a/machines/fanny/hardware-configuration.nix
+++ b/machines/fanny/hardware-configuration.nix
@@ -0,0 +1,49 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
 boot.initrd.luks.devices = {
 root = {
 device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
 preLVM = true;
 allowDiscards = true;
 };
 };
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/402B-2026";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/gitea/configuration.nix
+++ b/machines/gitea/configuration.nix
@@ -1,37 +0,0 @@
 { config, lib, pkgs, inputs, ... }:
 with lib;
 {
  #sops.defaultSopsFile = ./secrets.yaml;
  networking = {
    hostName = mkDefault "gitea";
    useDHCP = false;
    nameservers = [ "1.1.1.1" ];
  };
  imports = [
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    ../modules/minimal_tools.nix
    ../modules/autoupdate.nix
  ];
  services.gitea = {
    enable = true;
    appName = "malobeo git instance";
    settings.server = {
      DOMAIN = "git.malobeo.org";
      HTTP_PORT = 3001;
      SSH_PORT = 22;
      ROOT_URL = "https://git.malobeo.org/";
    };
  };
  networking.firewall.allowedTCPPorts = [ 3001 ];
  system.stateVersion = "22.11"; # Did you read the comment?
 }
--- a/machines/louise/configuration.nix
+++ b/machines/louise/configuration.nix
@@ -67,17 +67,13 @@
  networking.hostName = "louise";
  networking.networkmanager.enable = true;
-  sound.enable = true;
+  security.rtkit.enable = true;
-  hardware.pulseaudio = {
+  services.pipewire = {
    enable = true;
    zeroconf.discovery.enable = true;
    extraConfig = ''
      load-module module-zeroconf-discover
    '';
  };
  services.avahi = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    systemWide = true;
  };
--- a/machines/lucia/configuration.nix
+++ b/machines/lucia/configuration.nix
@@ -20,14 +20,6 @@ in
  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
  boot.loader.grub.enable = false;
  boot.loader.raspberryPi.enable = false;
  boot.loader.raspberryPi.version = 3;
  boot.loader.raspberryPi.uboot.enable = true;
  boot.loader.raspberryPi.firmwareConfig = ''
    dtparam=audio=on
    hdmi_ignore_edid_audio=1
    audio_pwm_mode=2
  '';
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;
@@ -39,12 +31,8 @@ in
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # hardware audio support:
  sound.enable = true;
  services = {
  dokuwiki.sites."wiki.malobeo.org" = {
    enable = true;
    #acl = "* @ALL 8";  # everyone can edit using this config
--- a/machines/lucia/secrets.yaml
+++ b/machines/lucia/secrets.yaml
@@ -5,66 +5,75 @@ sops:
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age: []
+    age:
        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh
            RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5
            NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4
            aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
            f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-10-24T15:09:51Z"
    mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
    pgp:
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T
+            hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3
-            xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw
+            edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv
-            L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ
+            aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI
-            /f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd
+            V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB
-            eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb
+            aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ
-            mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez
+            513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf
-            cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh
+            2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF
-            3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a
+            rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9
-            FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2
+            lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn
-            XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT
+            2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc
-            WxGMHNWqN7NS
+            qkz9uKEGrGjb
-            =XZkW
+            =wPkW
            -----END PGP MESSAGE-----
          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA
+            hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC
-            WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT
+            FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU
-            iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW
+            OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX
-            1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH
+            HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu
-            X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN
+            Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs
-            0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q
+            58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg
-            D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF
+            JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp
-            apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf
+            epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y
-            OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/
+            GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG
-            y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz
+            ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8
-            DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS
+            a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS
-            WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf
+            WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0
-            MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0=
+            m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko=
-            =2A7P
+            =DC78
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO
+            hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL
-            2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU
+            3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB
-            VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA
+            OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg
-            2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464
+            2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN
-            qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL
+            +QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI
-            m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi
+            ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0
-            KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF
+            R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J
-            rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx
+            pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW
-            3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ
+            608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m
-            emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh
+            c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl
-            1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS
+            64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS
-            WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7
+            WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu
-            wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo=
+            8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY=
-            =NnkE
+            =8HBK
            -----END PGP MESSAGE-----
          fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
    unencrypted_suffix: _unencrypted
--- a/machines/modules/disko/btrfs-laptop.nix
+++ b/machines/modules/disko/btrfs-laptop.nix
@@ -0,0 +1,63 @@
 { config, self, inputs, ... }:
 {
  imports = [
    inputs.disko.nixosModules.disko
  ];
  # https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        # When using disko-install, we will overwrite this value from the commandline
        device = "/dev/disk/by-id/some-disk-id";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            luks = {
              size = "100%";
              content = {
                type = "luks";
                name = "crypted";
                passwordFile = /tmp/secret.key; # Interactive
                content = {
                  type = "btrfs";
                  extraArgs = [ "-f" ];
                  subvolumes = {
                    "/root" = {
                      mountpoint = "/";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/home" = {
                      mountpoint = "/home";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/nix" = {
                      mountpoint = "/nix";
                      mountOptions = [ "compress=zstd" "noatime" ];
                    };
                    "/swap" = {
                      mountpoint = "/.swapvol";
                      swap.swapfile.size = "20M";
                    };
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/machines/modules/disko/fanny.nix
+++ b/machines/modules/disko/fanny.nix
@@ -0,0 +1,141 @@
 {
  disko.devices = {
    disk = {
      ssd = {
        type = "disk";
        device = "/dev/sda";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "1024M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "zroot";
              };
            };
          };
        };
      };
      hdd0 = {
        type = "disk";
        device = "/dev/sdb";
        content = {
          type = "gpt";
          partitions = {
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "storage";
              };
            };
          };
        };
      };
      hdd1 = {
        type = "disk";
        device = "/dev/sdc";
        content = {
          type = "gpt";
          partitions = {
            zfs = {
              size = "100%";
              content = {
                type = "zfs";
                pool = "storage";
              };
            };
          };
        };
      };
    };
    zpool = {
      zroot = {
        type = "zpool";
        mode = "";
        # Workaround: cannot import 'zroot': I/O error in disko tests
        options.cachefile = "none";
        rootFsOptions = {
          compression = "zstd";
          "com.sun:auto-snapshot" = "false";
        };
        datasets = {
          encrypted = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              keylocation = "file:///tmp/root.key";
            };
            # use this to read the key during boot
            postCreateHook = ''
              zfs set keylocation="prompt" "zroot/$name";
            '';
          };
          "encrypted/root" = {
            type = "zfs_fs";
            mountpoint = "/";
          };
          "encrypted/var" = {
            type = "zfs_fs";
            mountpoint = "/var";
          };
          "encrypted/etc" = {
            type = "zfs_fs";
            mountpoint = "/etc";
          };
          "encrypted/home" = {
            type = "zfs_fs";
            mountpoint = "/home";
          };
          "encrypted/nix" = {
            type = "zfs_fs";
            mountpoint = "/nix";
          };
        };
      };
      storage = {
        type = "zpool";
        mode = "mirror";
        datasets = {
          encrypted = {
            type = "zfs_fs";
            options = {
              mountpoint = "none";
              encryption = "aes-256-gcm";
              keyformat = "passphrase";
              keylocation = "file:///tmp/storage.key";
            };
            # use this to read the key during boot
            postCreateHook = ''
              zfs set keylocation="prompt" "zroot/$name";
            '';
          };
          "encrypted/data" = {
            type = "zfs_fs";
            mountpoint = "/data";
          };
        };
      };
    };
  };
 }
--- a/machines/modules/malobeo/microvm_host.nix
+++ b/machines/modules/malobeo/microvm_host.nix
@@ -1,4 +1,4 @@
-{ config, lib, options, pkgs, ... }:
+{ config, self, lib, inputs, options, pkgs, ... }:
 with lib;
@@ -13,12 +13,39 @@ in
        type = types.bool;
        description = lib.mdDoc "Setup bridge device for microvms.";
      };
      enableHostBridgeUnstable = mkOption {
        default = false;
        type = types.bool;
        description = lib.mdDoc "Setup bridge device for microvms.";
      };
      deployHosts = mkOption {
        default = [];
        type = types.listOf types.str;
        description = ''
          List hostnames of MicroVMs that should be automatically initializes and autostart
        '';
      };
    };
  };
-  config = mkIf cfg.enableHostBridge
+
-  { 
+  imports = [
-    systemd.network = {
+    inputs.microvm.nixosModules.host
  ];
  config = { 
    assertions = [
      {
        assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge);
        message = ''
          Only enableHostBridge or enableHostBridgeUnstable! Not Both!
        '';
      }
    ];
    systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
      enable = true;
      # create a bride device that all the microvms will be connected to
      netdevs."10-microvm".netdevConfig = {
@@ -32,14 +59,11 @@ in
          DHCPServer = true;
          IPv6SendRA = true;
        };
-        addresses = [ {
+        addresses = if cfg.enableHostBridgeUnstable then [
-          Address = "10.0.0.1/24";
+          { Address = "10.0.0.1/24"; }
-        } {
+        ] else [
-          Address = "fd12:3456:789a::1/64";
+          { addressConfig.Address = "10.0.0.1/24"; }
-        } ];
+        ];
        ipv6Prefixes = [ {
          Prefix = "fd12:3456:789a::/64";
        } ];
      };
      # connect the vms to the bridge
@@ -47,6 +71,49 @@ in
        matchConfig.Name = "vm-*";
        networkConfig.Bridge = "microvm";
      };
    }; 
    microvm.vms = 
    let
      # Map the values to each hostname to then generate an Attrset using listToAttrs
      mapperFunc = name: { inherit name; value = {
          # Host build-time reference to where the MicroVM NixOS is defined
          # under nixosConfigurations
          flake = inputs.malobeo; 
          # Specify from where to let `microvm -u` update later on
          updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure";
        }; };
    in
    builtins.listToAttrs (map mapperFunc cfg.deployHosts);
    systemd.services = builtins.foldl' (services: name: services // {
      "microvm-update@${name}" = {
        description = "Update MicroVMs automatically";
        after = [ "network-online.target" ];
        wants = [ "network-online.target" ];
        unitConfig.ConditionPathExists = "/var/lib/microvms/${name}";
        serviceConfig = {
          LimitNOFILE = "1048576";
          Type = "oneshot";
        };
        path = with pkgs; [ nix git ];
        environment.HOME = config.users.users.root.home;
        script = ''
          /run/current-system/sw/bin/microvm -Ru ${name}
        '';
      };
    }) {} (cfg.deployHosts);
    systemd.timers = builtins.foldl' (timers: name: timers // {
    "microvm-update-${name}" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        Unit = "microvm-update@${name}.service";
        # three times per hour
        OnCalendar = "*:0,20,40:00";
        Persistent = true;
      };
    };
  }) {} (cfg.deployHosts);
  };
 }
--- a/machines/ssh_keys.nix
+++ b/machines/ssh_keys.nix
@@ -3,5 +3,6 @@
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de"
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxgcjNOYbza3+RfANFDXy7HXNRFlkpDOAcGyB7MKshiVlbPByWRSjfZa0BeRNjpeCd8QkIodKUzqYOCOrc8ad3kiNbdLRcDz57A5xSLD3ynakoWJo0AmJjT3Ta1JJj8inNwwykR0ig5//SrtsZb9HkWJDAF017MokM2r8AWPE1QzcQdh93kojXcgTHrJHzEqgKbEGDEk37f1RvZG4umEFeqdK2FvS5isPa7P9X7hyyoDC8bvEy7xfaDrToJAoXon6r79taxH8UWIvy//xsU0NBLYK2eE4RQe2AjF6Ri+CybI6y1SsHOvyh4nNKWlfUOEL6UnIulRn/LXFOKCJi7xuoTeJXS0+w1DNEuiGosVNXPSKbUm/eDBVnb8Iyep9wmygSZayN82xL5lRlG3Mn45ttecqfm2SJkmduBA5qXcTdDPe/lXTZaVO9tbiIcJfUgd3ttEu2+6YjLn74D965PlovzvR6EhbVUZ8IkOAt4VmuTkXIdm8SCS7jzhsiKeUXoZ4rfa375zi79SIPuIkoMasj6d16wcYOeFIUIMFFccfQ9jQjr9NTSXC2dd7sfbI9I9mF7eRQSsUdSwpP8WH1b+M1MxTbdhEUdPwpOLviTTIuk8E8K8DQDZIcOOh38mCDpyoh02nwfRxlyoYVsKAHIQH02dHTvYEa3/pMsRwGc9W1Ow== kalipso@desktop"
   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
 ];
 }
--- a/outputs.nix
+++ b/outputs.nix
@@ -4,6 +4,7 @@
 , nixpkgs-unstable
 , nixos-generators
 , sops-nix
 , microvm
 , ...
 } @inputs:
@@ -15,8 +16,27 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
    pkgs = nixpkgs.legacyPackages."${system}";
  in
  {
-    devShells.default = pkgs.callPackage ./shell.nix {
+    devShells.default =
-      inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
+    let
      sops = sops-nix.packages."${pkgs.system}";
      microvmpkg = microvm.packages."${pkgs.system}";
    in
    pkgs.mkShell {
      sopsPGPKeyDirs = [
        "./machines/secrets/keys/hosts"
        "./machines/secrets/keys/users"
      ];
      nativeBuildInputs = [
        sops.ssh-to-pgp
        sops.sops-import-keys-hook
        sops.sops-init-gpg-key
        pkgs.sops
        pkgs.age
        pkgs.python310Packages.grip
        pkgs.mdbook
        microvmpkg.microvm
      ];
    };
    packages = {
@@ -36,7 +56,46 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
          cp -r ./book/* $dest
        '';
      };
-    };
+    } //
    builtins.foldl'
    (result: host:
      let
        inherit (self.nixosConfigurations.${host}) config;
      in
      result // {
        # boot any machine in a microvm
        "${host}-vm" = (self.nixosConfigurations.${host}.extendModules {
          modules = [{
            microvm = {
              mem = pkgs.lib.mkForce 4096;
              hypervisor = pkgs.lib.mkForce "qemu";
              socket = pkgs.lib.mkForce null;
              shares = pkgs.lib.mkForce [{
                tag = "ro-store";
                source = "/nix/store";
                mountPoint = "/nix/.ro-store";
              }];
              interfaces = pkgs.lib.mkForce [{
                type = "user";
                id = "eth0";
                mac = "02:23:de:ad:be:ef";
              }];
            };
            boot.isContainer = pkgs.lib.mkForce false;
            users.users.root.password = "";
            fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
            services.getty.helpLine = ''
              Log in as "root" with an empty password.
              Use "reboot" to shut qemu down.
            '';
          }] ++ pkgs.lib.optionals (! config ? microvm) [
            microvm.nixosModules.microvm
          ];
        }).config.microvm.declaredRunner;
    })
    { }
    (builtins.attrNames self.nixosConfigurations);
    apps = {
      docs = {
@@ -50,6 +109,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
  })) // rec {
    nixosConfigurations = import ./machines/configuration.nix (inputs // {
      inherit inputs;
      self = self;
    });
    nixosModules.malobeo.imports = [
--- a/shell.nix
+++ b/shell.nix
@@ -1,23 +0,0 @@
 { mkShell
 , sops-import-keys-hook
 , ssh-to-pgp
 , sops-init-gpg-key
 , sops
 , pkgs
 }:
 mkShell {
  sopsPGPKeyDirs = [
    "./machines/secrets/keys/hosts"
    "./machines/secrets/keys/users"
  ];
  nativeBuildInputs = [
    ssh-to-pgp
    sops-import-keys-hook
    sops-init-gpg-key
    sops
    pkgs.python310Packages.grip
    pkgs.mdbook
  ];
 }
Author	SHA1	Message	Date
kalipso	3734af5388	[nixpkgs] 24.05 -> 24.11 All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 5m52s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 7m30s Details	2024-12-13 03:56:56 +01:00
kalipso	4367161e5f	[docs] add local persistent microvm usage	2024-12-13 03:36:45 +01:00
kalipso	49435d68ff	[nix] output vm packages for each host this now runs any host as microvm. it removes shared directories for microvms so no manuall setup is needed (expect you want persistence). i took it from c3d2, thanks guys for the inspiration <3 https://gitea.c3d2.de/c3d2/nix-config/src/branch/master/packages.nix	2024-12-13 03:36:44 +01:00
kalipso	b2f8b308cb	[nixpkgs] update microvm	2024-12-13 03:36:41 +01:00
kalipso	a292b01365	[microvms] fix #39 Microvms are not persistent	2024-12-13 03:36:17 +01:00
kalipso	d6a615cc35	[nix] fix devshell	2024-12-13 03:36:17 +01:00
kalipso	37a6a1dffb	[doc] add basic microvm documentation	2024-12-13 03:36:17 +01:00
kalipso	f853a47eb9	[docs] add vmWithDisko documentation	2024-12-13 03:36:17 +01:00
kalipso	7dbbaf08af	[fanny] setup disko drive layout	2024-12-13 03:36:17 +01:00
kalipso	046c11234f	[fanny] init	2024-12-13 03:36:17 +01:00
kalipso	bcfba8daf5	[machines] switch PulseAudio to Pipewire All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 9m34s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 9m42s Details	2024-12-03 00:50:44 +01:00
kalipso	2a97e2424f	[lucia] rm deprecated boot.loader.raspberryPi All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m7s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 4m6s Details needs to be fixed still according to https://github.com/NixOS/nixpkgs/pull/241534	2024-12-03 00:45:07 +01:00
kalipso	533b496bde	[machines] remove sound.enable = true;	2024-12-03 00:31:54 +01:00
kalipso	27c402152f	[nixpkgs] 24.05 -> 24.11 All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m31s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 2m52s Details	2024-12-03 00:14:13 +01:00
kalipso	551b07375b	[docs] WIP add host creation using disko All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 6m16s Details	2024-12-03 00:08:42 +01:00
kalipso	42f83603df	[bakunin] ignore hardware conf till we generated proper one All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m29s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m17s Details	2024-11-26 14:08:13 +01:00
kalipso	c0207dad33	[nixpkgs] fix typo All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m50s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m26s Details	2024-11-26 13:22:52 +01:00
kalipso	f61ea6ce5c	[bakunin] add disko device Some checks failed Evaluate Hydra Jobs / eval-hydra-jobs (push) Failing after 1m4s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Failing after 50s Details	2024-11-26 13:14:36 +01:00
kalipso	cfdbb58663	[bakunin] init	2024-11-26 13:02:44 +01:00
kalipso	b39a9398f0	[microvm] fix typo All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m25s Details	2024-11-26 12:58:45 +01:00
kalipso	ad2edf017a	[nixpkgs] update All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m36s Details	2024-11-23 12:54:59 +01:00
kalipso	f922105b2f	[durruti] disable ep3bs All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m48s Details its not used yet anyways	2024-11-23 12:51:03 +01:00
kalipso	e759346756	[durruti] disable autoupdate microvms get updated by the host	2024-11-23 12:50:36 +01:00
kalipso	e5e3433df0	[microvm] automatic update from master every 20mins All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m47s Details	2024-11-23 12:30:29 +01:00
kalipso	c54d27bceb	[microvm] update flake from master All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m55s Details	2024-11-21 16:40:56 +01:00
kalipso	9a3135d339	[readme] rm durruti ip All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m57s Details	2024-11-21 16:19:03 +01:00
kalipso	054076e683	Merge remote-tracking branch 'origin' into documentation All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m20s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m51s Details	2024-11-21 16:09:04 +01:00
kalipso	d212728676	[microvm] differentiate between stable and unstable nixpkgs Some checks failed Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Failing after 14m32s Details	2024-11-21 16:07:42 +01:00
kalipso	28bf68098c	[microvm] Fix conditionals within module finally i hope....	2024-11-21 16:07:42 +01:00
kalipso	2961a96860	[microvm] mv mkIf down one layer	2024-11-21 16:07:42 +01:00
kalipso	7d825731bd	[docs] update microvm docu	2024-11-21 16:07:42 +01:00
kalipso	3fe5b8da20	[microvm] separate enableHostBridge from deployHosts	2024-11-21 16:07:42 +01:00
kalipso	1bafdec4ab	[microvm] fix errors within module still checking if list is empty does not work as expected -.-	2024-11-21 16:07:42 +01:00
kalipso	7b1bce6dc8	[microvm] fix type	2024-11-21 16:07:42 +01:00
kalipso	02c1e307ed	[microvm] fix comparision	2024-11-21 16:07:42 +01:00
kalipso	26cc4b245e	[microvm] add microvm deployment option to host	2024-11-21 16:07:42 +01:00
kalipso	d6d449d1d8	[doc] add basic microvm documentation	2024-11-21 16:07:42 +01:00
kalipso	af881b8996	[docs] fix docs app exec format error	2024-11-21 16:07:42 +01:00
kalipso	d2e97448f7	[microvm] differentiate between stable and unstable nixpkgs All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m47s Details	2024-11-21 15:59:00 +01:00
kalipso	84fef37dc7	[microvm] Fix conditionals within module finally i hope....	2024-11-21 15:59:00 +01:00
kalipso	bdd13a204f	[microvm] mv mkIf down one layer	2024-11-21 15:59:00 +01:00
kalipso	d0ed65d13a	[docs] update microvm docu	2024-11-21 15:59:00 +01:00
kalipso	873a4f3831	[microvm] separate enableHostBridge from deployHosts	2024-11-21 15:59:00 +01:00
kalipso	64dbe6bb84	[microvm] fix errors within module still checking if list is empty does not work as expected -.-	2024-11-21 15:59:00 +01:00
kalipso	ca8e0cffda	[microvm] fix type	2024-11-21 15:59:00 +01:00
kalipso	1dc140ad9f	[microvm] fix comparision	2024-11-21 15:59:00 +01:00
kalipso	3f4c7350c2	[microvm] add microvm deployment option to host	2024-11-21 15:59:00 +01:00
kalipso	efffa450d4	[microvm] share read only nix store this reduces build times drastically	2024-11-21 15:59:00 +01:00
kalipso	dbdf817d79	[doc] add basic microvm documentation	2024-11-21 15:59:00 +01:00
kalipso	2cdfe8c999	[docs] fix docs app exec format error	2024-11-21 15:59:00 +01:00
kalipso	03f03e86e4	[microvm] put vm creation into function	2024-11-21 15:59:00 +01:00
kalipso	1aeb1c2ab9	[microvm] rm duplicate option	2024-11-21 15:59:00 +01:00
kalipso	d012f7cb5a	[microvm] split module files	2024-11-21 15:59:00 +01:00
kalipso	5498418d06	[microvm] setup network, allow adding bridge interface to host	2024-11-21 15:59:00 +01:00
kalipso	ee7ee52c3f	[durruti] make durruti microvm Networking still needs to be done but the vm boots using ```nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner```	2024-11-21 15:59:00 +01:00
kalipso	f91e515ce2	[nixpkgs] add microvm.nix	2024-11-21 15:59:00 +01:00
kalipso	370d975dbb	[durruti] add docs.malobeo.org to host_config All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m7s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 4m7s Details	2024-11-19 15:23:07 +01:00
kalipso	048e0653a5	[durruti] serve docs on port 9000 All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m45s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m35s Details	2024-11-19 15:17:28 +01:00
kalipso	b9cddb0bae	[microvm] share read only nix store this reduces build times drastically	2024-11-19 15:10:13 +01:00
kalipso	05087d9fa6	[durruti] WIP add documentation.nix	2024-11-19 14:11:54 +01:00
ahtlon	47d386d81a	Fix docs about updating keys	2024-11-19 14:11:54 +01:00
ahtlon	3f469c09f0	Add documentation describing how to add keys to sops	2024-11-19 14:11:54 +01:00
kalipso	65f9fda381	[sops] updatekeys for ahtlon	2024-11-19 14:11:54 +01:00
ahtlon	73e3742af5	Add atlan's sops and ssh pubkeys	2024-11-19 14:11:54 +01:00
Ahtlon	a71061e24e	Merge pull request 'Add atlan's sops and ssh pubkeys' (#27 ) from sops into master All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m51s Details Reviewed-on: #27	2024-11-14 18:36:21 +01:00
ahtlon	b3d74f5f39	Fix docs about updating keys All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m5s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m33s Details	2024-11-14 18:31:36 +01:00
ahtlon	3cb8423485	Add documentation describing how to add keys to sops	2024-11-14 17:56:56 +01:00
kalipso	88dad0193b	[sops] updatekeys for ahtlon All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m14s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m18s Details	2024-11-14 14:03:42 +01:00
ahtlon	2a66f7ae29	Add atlan's sops and ssh pubkeys All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m52s Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m1s Details	2024-11-13 20:58:58 +01:00