[nextcloud] fix hostname

its not used yet anyways

README.md

@@ -8,7 +8,7 @@ the file structure is based on this [blog post](https://samleathers.com/posts/20
 
 #### durruti
 - nixos-container running on dedicated hetzner server
-- login via ```ssh -p 222 malobeo@5.9.153.217```
+- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
 - if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
 - currently is running tasklist in detached tmux session
   - [x] make module with systemd service out of that

doc/src/SUMMARY.md

@@ -12,6 +12,7 @@
             - [musik](./projekte/musik.md)
         - [TODO](./todo.md)
     - [How-to]()
+        - [Sops](./anleitung/sops.md)            
         - [Updates](./anleitung/updates.md)
         - [Rollbacks](./anleitung/rollback.md)
         - [MicroVM](./anleitung/microvm.md)

doc/src/anleitung/microvm.md

@@ -22,6 +22,8 @@ It seems to be necessary to run this as root so that the according tap interface
 To be able to ping the VM or give Internet Access to the VM your host needs to be setup as described below.
 
 ### Host Setup
+
+#### Network Bridge
 To provide network access to the VMs a bridge interface needs to be created on your host.
 For that:
 - Add the infrastructure flake as input to your hosts flake  
@@ -37,3 +39,14 @@ networking.nat = {
   externalInterface = "eth0"; #change to your interface name
 };
 ```
+#### Auto Deploy VMs
+By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool.
+But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option.
+VMs configured using this option will be initialized and autostarted at boot.
+Updating still needs to be done imperative, or by enabling autoupdates.nix
+
+The following example would init and autostart durruti and gitea:
+``` nix
+malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
+```
+

doc/src/anleitung/sops.md

@@ -0,0 +1,25 @@
+# Sops
+
+## How to add admin keys
+- Git:
+    - Generate gpg key
+    - Add public key to `./machines/secrets/keys/users/`
+    - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
+
+- Age:
+    - Generate age key for Sops:   
+      ```
+      $ mkdir -p ~/.config/sops/age
+      $ age-keygen -o ~/.config/sops/age/keys.txt
+      ```
+      or to convert an ssh ed25519 key to an age key
+      ```
+      $ mkdir -p ~/.config/sops/age
+      $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
+      ```
+    - Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
+    - Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
+
+- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
+
+- `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`

flake.lock

@@ -88,11 +88,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1731240174,
+        "lastModified": 1732122592,
-        "narHash": "sha256-HYu+bPoV3UILhwc4Ar5iQ7aF+DuQWHXl4mljN6Bwq6A=",
+        "narHash": "sha256-lF54irx92m8ddNDQDtOUjKsZAnsGyPL3QTO7byjlxNg=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "dd89404e1885b8d7033106f3898eaef8db660cb2",
+        "rev": "19650774c23df84d0b8f315d2527274563497cad",
         "type": "github"
       },
       "original": {
@@ -103,11 +103,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1729386149,
+        "lastModified": 1731805462,
-        "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+        "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+        "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734",
         "type": "github"
       },
       "original": {
@@ -124,11 +124,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729472750,
+        "lastModified": 1732151224,
-        "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+        "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+        "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
         "type": "github"
       },
       "original": {
@@ -139,11 +139,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1730919458,
+        "lastModified": 1731797098,
-        "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
+        "narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
+        "rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6",
         "type": "github"
       },
       "original": {
@@ -169,29 +169,13 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1730602179,
-        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1730785428,
+        "lastModified": 1732014248,
-        "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
+        "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
+        "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
         "type": "github"
       },
       "original": {
@@ -203,11 +187,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1730883749,
+        "lastModified": 1731797254,
-        "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
+        "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
+        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
         "type": "github"
       },
       "original": {
@@ -236,15 +220,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
+        ]
-        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1731047660,
+        "lastModified": 1732186149,
-        "narHash": "sha256-iyp51lPWEQz4c5VH9bVbAuBcFP4crETU2QJYh5V0NYA=",
+        "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "60e1bce1999f126e3b16ef45f89f72f0c3f8d16f",
+        "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
         "type": "github"
       },
       "original": {
@@ -390,11 +373,11 @@
         "systems": "systems_4"
       },
       "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1731533236,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {

machines/.sops.yaml

@@ -5,6 +5,7 @@
 keys:
   - &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb
   - &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4
+  - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
   - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
   - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
   - &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
@@ -15,15 +16,39 @@ creation_rules:
       - *admin_kalipso
       - *admin_kalipso_dsktp
       - *machine_moderatio
+      age:
+      - *admin_atlan
   - path_regex: lucia/secrets.yaml$
     key_groups:
     - pgp:
       - *admin_kalipso
       - *admin_kalipso_dsktp
       - *machine_lucia
+      age:
+      - *admin_atlan
   - path_regex: durruti/secrets.yaml$
     key_groups:
     - pgp:
       - *admin_kalipso
       - *admin_kalipso_dsktp
       - *machine_durruti
+      age:
+      - *admin_atlan
+
+  - path_regex: discourse/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      - *machine_durruti
+      age:
+      - *admin_atlan
+    
+  - path_regex: nextcloud/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      - *machine_durruti
+      age:
+      - *admin_atlan

machines/configuration.nix

@@ -46,6 +46,11 @@ let
     {
       microvm = {
         hypervisor = "qemu";
+        shares = [ {
+          tag = "ro-store";
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+        } ];
         interfaces = [
           {
             type = "tap";
@@ -81,6 +86,7 @@ in
   durruti = nixosSystem {
     system = "x86_64-linux";
     specialArgs.inputs = inputs;
+    specialArgs.self = self;
     modules = makeMicroVM "durruti" "10.0.0.5" [
       ./durruti/configuration.nix
     ];
@@ -95,11 +101,21 @@ in
     ];
   };
 
-  gitea = nixosSystem {
+  discourse = nixosSystem {
     system = "x86_64-linux";
     specialArgs.inputs = inputs;
-    modules = makeMicroVM "gitea" "10.0.0.6" [
+    specialArgs.self = self;
-      ./gitea/configuration.nix
+    modules = makeMicroVM "discourse" "10.0.0.7" [
+      ./discourse/configuration.nix
+    ];
+  };
+
+  nextcloud = nixosSystem {
+    system = "x86_64-linux";
+    specialArgs.inputs = inputs;
+    specialArgs.self = self;
+    modules = makeMicroVM "nextcloud" "10.0.0.11" [
+      ./nextcloud/configuration.nix
     ];
   };
 }

machines/discourse/configuration.nix

@@ -0,0 +1,47 @@
+{ config, lib, pkgs,  ... }:
+
+with lib;
+
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    discourseAdminPasswordFile = {};
+    discourseSecretKeyBaseFile = {};
+  };
+
+  networking = {
+    hostName = mkDefault "discourse";
+    useDHCP = false;
+    nameservers = [ "1.1.1.1" ];
+  };
+
+  imports = [
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ../modules/minimal_tools.nix
+    ../modules/autoupdate.nix
+  ];
+
+  services.discourse = {
+    enable = true;
+    hostname = "forum.malobeol.org";
+    admin = {
+      email = "admin@example.org";
+      username = "admin";
+      fullName = "Admin";
+      passwordFile = config.sops.secrets.discourseAdminPasswordFile.path;
+    };
+    secretKeyBaseFile = config.sops.secrets.discourseSecretKeyBaseFile.path;
+    database.createLocally = true;
+    enableACME = false;
+  };
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/discourse/secrets.yaml

@@ -0,0 +1,81 @@
+discourseSecretKeyBaseFile: ENC[AES256_GCM,data:XKjcm+sOt4HazADjcJ6MilYNZMbO5IVMGnfdUXyx+9OjmEfk/zb0dhIjpZ2t6P1UfQUFI7NT2BMKgEjb2EG+5Kjxsq4mN+zoBxZAZI0WM6/WoF3ydwuqVamr1rIXfGN/W58UAink8K4SW7B6sbb76yQOWoP/GRHEaIxNvdnsGyE=,iv:LaoFS0O1qIpL/w1Gp98Em14hRohNR/FNqir38hBbCac=,tag:2zV5XRSkL6zYxylJoJ/OLQ==,type:str]
+#ENC[AES256_GCM,data:sCvaoU2W7sc=,iv:iZdeM7YEkyOhkQUrHoRFJEnWw47OmBvi5AJ3ZEXck8k=,tag:wnh19onScSBPkyZw8PLQiA==,type:comment]
+discourseAdminPasswordFile: ENC[AES256_GCM,data:01pJVQ==,iv:FjU8sM0n1YDhywUoaWHnvBcsNMFeqqxp+eYyAKByT1E=,tag:LR70T8ywo80PQHNHj6aJEA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVG1UYmZyWk8vZXJPdFBm
+            bHlwMUJ0ZjJQS3A0ZytLbXRCbGxyREZKajJjClI3NEt3c0RyOVZrZzh4ZGFsQ1Ft
+            NFdJd3hhRTNaV0ZGRHdBdEVOdm4wR0EKLS0tIDlvcFB0Z1VtRUVQVFBKRVRuN3Jn
+            RmI4OWI3YU5PUkFpeUROMEJHbXU1MjAKOOt7LCeH4mJtm+ngT9A2Ubzdje435RK+
+            PomvgpBQ3t3ry+mBMz25DdgIYgBsnDS2ji5mavd3Zx2dbah0q4Cdrw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-26T17:23:55Z"
+    mac: ENC[AES256_GCM,data:axeHNSEsXZu4LCaQoy8FzDd7yBjy5nrjDmEF5pEwxmCw4bp1Gssdy2CVs0oDqU0UbOQ8D5Q8tevhdhxSTx19JF9HnaD4b3NL6+bmObx+d67zVqtyv1E0hHDgfsQBuoMQOou2ht6hhkz/VRUmbBICOZERc7o87uzXNXG2pP34vNY=,iv:jaBiGbxC62rnhotquYZ6id0f94+crve7Cnn8dFnzdC4=,tag:7lCHK6HvqDmOEfCA+wHtIg==,type:str]
+    pgp:
+        - created_at: "2024-11-26T17:23:19Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv9EDScYMdx0QPqz9ipgvsZTBOqsrLUvGOYcwod9412bMzO
+            Oic5VkkiCSDPARP2JRGlS1Qvr3Oecdvo/TBpThWrWgaxS6THHPUyiaZGQhQXUnHo
+            d6u+OPMH4eZ3Vmn5pzbRwTg1mpKKwtvtMo+xCEaygPFGoIMMlmDr/q3agsJ07YBI
+            Ip9764gqBS6N+J3KN6j3XM/LHEu3e/qwp049BCslfWqVKZB7lQ7NbVkyGCM37aL9
+            /GQSUvD+MU6WeIGd4Hr73pbc+MrB/KbSbufuwOVIUdZU/n6znusa1LjMuFgg9iOU
+            jsUmsdt7EhVpz7aQ1obFIcDVa7HFNF+Lp+78QgAInMK9QNWzH4OJumhrqovtbajg
+            xGfe0AJnkctYMOA3a6SHT2YZv3/iLqMkz/ioEVInlB9BAfNFK9UZWadVLEYyzJQR
+            1rs54kbtm71/eTi3eadS3yRfEHoSgHrrPuRN2tzSCi1w2QK0a724v5Jtr/epzycT
+            oA4ha42dC4z1n66b7NAb0lYBSqZhcVm6wStypBGtCd0B08bFDzXng3PtfeVrD1jg
+            b37smpXoQNe6vvG6M9yr2qg6V21SZWw3a4K93qDn+mihbOsnpZj24L0fJctIZSC3
+            la3aPsVYQg==
+            =G43o
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2024-11-26T17:23:19Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAlFNovLVBXXDUSMxBYsZll4UZ7+sPAdLZ+kDu49JlX4rJ
+            zNo3NiNrVMfUUZpWx3q5mYGUR5Ys441kwhDlUhj5Jv7X7PkTl2KU+pZZBr5DBnD0
+            8Nzm8CeI+3gphujX7CGjUcRUKjOMSa8nhIvz919TW1KCmr1xLDQw8yZGWn+VVBe1
+            g3ut0OEDFHBcU4T3DcFq7UMUCPpwo1Eas2tcLg4N18YCZanL34ziVlHlzocvE4Jz
+            1Y/tWvYj/OytktRDITi9/OIdS4hmSSPe8Qzb5abSCz20CzojVaDwEFGgwv9IRkBQ
+            C7RmPyd3u8Y/13tMORKz65LExmolhQyW4GVozDdEFQckwBYxMmaY9q7JVgKi5WD+
+            8s3r4vcIdISKlWH0E3qmJhkHxpoDmAS7NLXb8ROpCjKZKTK+XE0AEK8S3CFNgbvA
+            yKAnr7MVMJJBjbgxKJaoIjwNwkXQWCvm1f2s+xJTGQGHG+2hMgVoYb6dlpir08jR
+            yDHYxtpz/tRSXkjM7C6+r3SzZub/xowtWNUeZJqhsBhpP7cVT/dkd9cKvL+LTYM5
+            nQpczoNfBSn/wt87rCV6lFRyUsqhqUfMIR4T8mpa+2weneqX8olb8CT4312E9eEw
+            mqVX+fGETWpUN/cEpnFFcXS/MPAJCHyedov5MgdmBL/XEVKbWAPk22CGgFv8GHTS
+            VgEKUaeKWKThwCYl8ylTpgO7eZ+retflRpoVUddWyAiTe/rTvrBfR9hayZPYp2Lf
+            vmQLDfcHAH/DmazB7CAlomaLS/1ab1zHltvSw4HFKFy9lxl692Fk
+            =BnOX
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+        - created_at: "2024-11-26T17:23:19Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1kR3vWkIYVnARAAm1JETHrYuQ282GaaCLC9ZRjtskt3Tt9sAveKoltS6PgG
+            zDE1L5XFgWMg+IrxISqw4a6dIoJcJVlSIaojPkAENqjeHWEFdI6QoQ2P3yNgU8Fd
+            MzTukSmPZwP/XMLE73SIWU7+23qlnnCQrHzqNHZh6vijz6fIjQ4xfvGnV2n0MD/V
+            BVjPZJv3BbV+Xaf43hwEsFfn90h8wyd1Ls3Q7PlQA9lL952B9IAm3koN/LWAbYqo
+            oxSXb13kQuvtL6TwsHc1QGlHWaEdJRgTLnYxroqgOC6PXKqoTSmX4adeExWCMg7E
+            HGe/S/PG6xBJlWhZcDS2ldZjFCHojy43NsJj/0ir4onBqehvb/Bw2RiVrRW9ZCNx
+            Ydk1UXdk/2bFeHSTaSNEgXEsU6GQNFRKS+PkxLst5xT2GLnPAQu1vCxVsYOze8BX
+            AwySIEEZikqb9ycP0eJGOYRPW1Vw43xUaexClLa6zFi+o45jxbzCOChpAobjIQ4t
+            kOdtEnKYTg9jWuK57zCD8/EmY98kfSSRas119fJ/8eeFib2I4WT9WwAbD4+8Ld4c
+            GzUg00mim2Xz6LPJkqX3SNL9/ZHqlirJMoMcltIro14dT+BsgBL/8OnHXQ0SMRhg
+            wz+Dx7fUcP+rkN8tSG/wXQ3CAMv8lfOw1XqKzx4mMqjaVoqbhKNPUtYRUAWWPx/S
+            VgEmV0aoiD0ar/QxZRUZwWawTPsJOCxZptvvsW22jWq/G7VyX6OR56XmI+jPUCFm
+            1WN8TkplHFtFqUTyQL8lI66iQiaYMmpjjVU6TKqNGShHSj65cB/n
+            =38qM
+            -----END PGP MESSAGE-----
+          fp: 4095412245b6efc14cf92ca25911def5a4218567
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/durruti/configuration.nix

@@ -22,55 +22,16 @@ with lib;
   imports = [
     inputs.ep3-bs.nixosModules.ep3-bs
     inputs.tasklist.nixosModules.malobeo-tasklist
+
+    ./documentation.nix
+
     ../modules/malobeo_user.nix
     ../modules/sshd.nix
     ../modules/minimal_tools.nix
-    ../modules/autoupdate.nix
   ];
 
-  malobeo.autoUpdate = {
-    enable = true;
-    url = "https://hydra.dynamicdiscord.de";
-    project = "malobeo";
-    jobset = "infrastructure";
-    cacheurl = "https://cache.dynamicdiscord.de";
-  };
-
   services.malobeo-tasklist.enable = true;
 
-  services.ep3-bs = {
-    enable = true;
-    in_production = true;
-    favicon = ./circle-a.png;
-    logo = ./malobeo.png;
-
-    mail = {
-      type = "smtp-tls";
-      address = "dynamicdiscorddresden@systemli.org";
-      host = "mail.systemli.org";
-      user = "dynamicdiscorddresden@systemli.org";
-      passwordFile = config.sops.secrets.ep3bsMail.path;
-      auth = "plain";
-    };
-
-
-    database = {
-      user = "malodbuser";
-      passwordFile = config.sops.secrets.ep3bsDb.path;
-    };
-  };
-
-  sops.secrets.ep3bsDb = {
-    owner = config.services.ep3-bs.user;
-    key = "ep3bsDb";
-  };
-
-  sops.secrets.ep3bsMail = {
-    owner = config.services.ep3-bs.user;
-    key = "ep3bsMail";
-  };
-
-
   system.stateVersion = "22.11"; # Did you read the comment?
 }
 

machines/durruti/documentation.nix

@@ -0,0 +1,15 @@
+{ config, self, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."_" = {
+      listen = [ 
+        { addr = "0.0.0.0"; port = 9000; } 
+      ];
+      root = "${self.packages.x86_64-linux.docs}/share/doc";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9000 ];
+}

machines/durruti/host_config.nix

@@ -33,6 +33,12 @@ in
       }
     ];
 
+    services.nginx.virtualHosts."docs.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/".proxyPass = "http://${cfg.host_ip}:9000";
+    };
+
     services.nginx.virtualHosts."tasklist.malobeo.org" = {
       forceSSL = true;
       enableACME= true;

machines/durruti/secrets.yaml

@@ -6,66 +6,75 @@ sops:
     gcp_kms: []
     azure_kv: []
     hc_vault: []
-    age: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84
+            LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw
+            bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm
+            SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV
+            45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw==
+            -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-06-26T10:07:26Z"
     mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
     pgp:
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+
+            hQGMA5HdvEwzh/H7AQwAhcsRc3mCqKgUFym0W5lTN6j5xg+o0PF31ZQ3qqkO3b5+
-            43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT
+            nIPH8Ee7nrcfRCM2AV+TReaZ2qfP4TdU5j00F5977H5UM+UULFM+FSGcY63rkp80
-            d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc
+            1U1ZzxbzTwV5mil8dx3dmENMgFpKy0J2MatPdR5bu/z0o7sLty1DUq9hiQOTfM3F
-            5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN
+            u1mfmY37YewMBmxlzDJ3Z5+lslRJUqa3Ho9atjYhwxZTYgh9QQtnm8kRjNM/HKpQ
-            MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu
+            sDAWu9JXit33WwHayxUFWZ5syiwsbFxAelrZnluW3KiKu3v+9VO7X6dJsrrIB6Xt
-            eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv
+            j/mJhwkwJ39xHD/eQqMJsdAum8Pgxi40XjD6wJvmIhYz1y8Lbymanb+6U+fJk71V
-            pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf
+            ZLsbk+sR1Jkh+L3NV+UGlMusgQuxcE2xQjNMEbpzk1xXsFFz+QxVxx6HZp8xRh4v
-            Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W
+            M8L2LkiZp5w8iij+uJ+k0ovu4XH2Bf/2myhabfRrk5bPZbweH/bJOxChIgf/b/ZP
-            CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs
+            FdfHGP0KlJe+jMGY3j7c0lgB9k2vyvYTHaAOcQoe/HdKNvueMMYDIzxLZ6sXsn+z
-            6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq
+            jhdW9FxM9g2ZOStq1Mwjzvb8rJCAFQH0s/3yHZY7rveaI88Z3G11i97D3OME2yAx
-            OBN3luBRDDAj
+            bxCHPCFfvmX/
-            =+dua
+            =3wBJ
             -----END PGP MESSAGE-----
           fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo
+            hQIMA98TrrsQEbXUAQ//eBqaTG6/KiQFfEMog839q+nukWh3SHSnhCDyCAhdqKA3
-            HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx
+            Q9FSroIYEOMwE9SYkNC9T0/pf/ZmRuPBpx09b+q+1df4FLdajgpEbg1CyWnw7fyR
-            hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh
+            731vYt5hvN7PVtBGs842BcEvYwKVG33HTadi53l+pjDURpHGLWLbURiqchGrXpPn
-            9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3
+            o6rih4ueE0TmLHGugGKIr7n/XgH4xpsr/wFLQCnCaVATXdS1Tk86bTeu0HybmPlG
-            rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ
+            dw4TZrTSO7uq2GyczIC81HnLPisZ1w+7R0m58kV0FGFoDZIwczW46J/h3NLsjO0t
-            lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj
+            4zKV1oJUpCANalDCRBhf5RRatw/OzTgVHnpuGyaoAtWGyZpeQi2ntoEvFb3eWAc3
-            fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1
+            NMjc2bqamZEdfnBOmPILqRKINm60DkpiI7behY3oV178bWcp3iWsyA4biL0O0pf4
-            2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl
+            FXbW29zHnEr86wTlJmJIC5sGkNNtu0dNFAKuzKjAel9sVor183WkJk8NAgaaI/pD
-            TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC
+            pQV+l0ClexXGIW7p931Sn7u2JmXeNJM+yqRz5lDWMLakxygW2h4HDI8NOIS7xvP1
-            3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA
+            Ip3a5bGctGEVmAK9MEhcRIGcP7Aoacj7iZVg9bnac4HCX3wnnGjLDNL+XDzfmfUB
-            UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS
+            M48YUoDS1CSjlcTbgIaL3HeX84EYcoQdRjwRcI3pVpPkJTpi/t2I+/2tOP92sm7S
-            WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt
+            WAHfIeh3niCzrQa//nwdAEQq+7YrDCDia7SSxDDrRM+/LTaQacoo9SuaHuEANZ/P
-            08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ=
+            +x7rrZsnQq8UBpnd+dQCyxipQvwmjtp9N5xKcragt1LdH4M+Q/qoSIo=
-            =7OG0
+            =4vnh
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2024-06-26T10:06:21Z"
+        - created_at: "2024-11-14T13:03:00Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf
+            hQIMA1kR3vWkIYVnAQ//UfsG62+53p9PyXN+c6hoMg+MqWxjvia9kHvjE3Q3bcO+
-            XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6
+            KVYqD8CszyTwiTV0RoTWddyiZwZHKkH/ymTtnNafG6NVo3XrYpRmO7SxmVMm1BIt
-            GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U
+            HrBCdQkLDQOzqbeKBV9bGqO3xHKLEu0vwFkEdpWpNrjkKZfYQ8SjE/6vTJRPeBxx
-            e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc
+            Z++g8540vZtB0V2YzKStJJ8LcsU+3j1/+NlUJZamXUGT4AnxH3atWuKqC39CZAU6
-            B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l
+            0iHxKEcHcQYPAmvTqtxTH0ELIaRYBIRlzCs0MVjmmfVyaeJOZGyd32vikQMUCrf/
-            aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv
+            EvThUCnq3+qCNjLlp1tQbLJV4B6ptAuj6uns2Z9Xmj1j4nFgUKvsc1MPnuSQsOnM
-            FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v
+            tLF0qsVvunvLbHXhb/Z4uDaNMst8jWEGhk52QYCZ6pgq1zoN63tOAxD+HK12KSYQ
-            eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK
+            emcDTjGqLTxe2dTiFMHlOkmTk/unEJXI1rJEalBaLqzDFg2tS6I1swQKG115wUfv
-            0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU
+            COHQtmbWmwIMtcl0q/QHfSyc+jPVHoadj6ZZFS1iL9Er/zx1nuD5ybkHntQdO0Gb
-            fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM
+            YwfyLzhFQ4gKgDiXwHdjYmHeDnXI9mrH3Cypcc/I8WV96cMnuKQBrD7V3NKpjFMS
-            cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS
+            CaLMVDQqwMoGi+Xi8Ve5oRCa/qt5UEpL1CZZUxNNE11ggPYI22ecKjegdIlGuWHS
-            WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG
+            WAE4FsZZNLt+RWZxIW0iTP0BzDuCMQFkismL0YyDI18g1dG/sl43+ecd6F9yoWYP
-            HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto=
+            sXjR3gwbASdHHXeYFAxbPX3Q/XT+SQzOAFigPhD0LUFRX2Cf/Q2yu34=
-            =GiUe
+            =FLuF
             -----END PGP MESSAGE-----
           fp: 4095412245b6efc14cf92ca25911def5a4218567
     unencrypted_suffix: _unencrypted

machines/gitea/configuration.nix

@@ -1,37 +0,0 @@
-{ config, lib, pkgs, inputs, ... }:
-
-with lib;
-
-{
-  #sops.defaultSopsFile = ./secrets.yaml;
-
-  networking = {
-    hostName = mkDefault "gitea";
-    useDHCP = false;
-    nameservers = [ "1.1.1.1" ];
-  };
-
-  imports = [
-    ../modules/malobeo_user.nix
-    ../modules/sshd.nix
-    ../modules/minimal_tools.nix
-    ../modules/autoupdate.nix
-  ];
-
-  services.gitea = {
-    enable = true;
-    appName = "malobeo git instance";
-
-    settings.server = {
-      DOMAIN = "git.malobeo.org";
-      HTTP_PORT = 3001;
-      SSH_PORT = 22;
-      ROOT_URL = "https://git.malobeo.org/";
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 3001 ];
-
-  system.stateVersion = "22.11"; # Did you read the comment?
-}
-

machines/lucia/secrets.yaml

@@ -5,66 +5,75 @@ sops:
     gcp_kms: []
     azure_kv: []
     hc_vault: []
-    age: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh
+            RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5
+            NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4
+            aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
+            f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
+            -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-10-24T15:09:51Z"
     mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
     pgp:
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T
+            hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3
-            xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw
+            edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv
-            L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ
+            aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI
-            /f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd
+            V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB
-            eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb
+            aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ
-            mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez
+            513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf
-            cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh
+            2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF
-            3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a
+            rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9
-            FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2
+            lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn
-            XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT
+            2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc
-            WxGMHNWqN7NS
+            qkz9uKEGrGjb
-            =XZkW
+            =wPkW
             -----END PGP MESSAGE-----
           fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA
+            hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC
-            WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT
+            FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU
-            iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW
+            OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX
-            1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH
+            HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu
-            X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN
+            Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs
-            0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q
+            58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg
-            D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF
+            JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp
-            apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf
+            epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y
-            OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/
+            GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG
-            y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz
+            ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8
-            DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS
+            a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS
-            WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf
+            WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0
-            MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0=
+            m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko=
-            =2A7P
+            =DC78
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-        - created_at: "2023-10-24T14:42:18Z"
+        - created_at: "2024-11-14T13:02:46Z"
-          enc: |
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO
+            hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL
-            2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU
+            3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB
-            VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA
+            OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg
-            2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464
+            2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN
-            qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL
+            +QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI
-            m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi
+            ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0
-            KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF
+            R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J
-            rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx
+            pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW
-            3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ
+            608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m
-            emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh
+            c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl
-            1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS
+            64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS
-            WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7
+            WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu
-            wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo=
+            8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY=
-            =NnkE
+            =8HBK
             -----END PGP MESSAGE-----
           fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
     unencrypted_suffix: _unencrypted

machines/modules/malobeo/microvm_host.nix

@@ -1,4 +1,4 @@
-{ config, lib, options, pkgs, ... }:
+{ config, self, lib, inputs, options, pkgs, ... }:
 
 with lib;
 
@@ -13,12 +13,39 @@ in
         type = types.bool;
         description = lib.mdDoc "Setup bridge device for microvms.";
       };
+
+      enableHostBridgeUnstable = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Setup bridge device for microvms.";
+      };
+
+      deployHosts = mkOption {
+        default = [];
+        type = types.listOf types.str;
+        description = ''
+          List hostnames of MicroVMs that should be automatically initializes and autostart
+        '';
+      };
     };
   };
 
-  config = mkIf cfg.enableHostBridge
+
-  { 
+  imports = [
-    systemd.network = {
+    inputs.microvm.nixosModules.host
+  ];
+
+  config = { 
+    assertions = [
+      {
+        assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge);
+        message = ''
+          Only enableHostBridge or enableHostBridgeUnstable! Not Both!
+        '';
+      }
+    ];
+
+    systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
       enable = true;
       # create a bride device that all the microvms will be connected to
       netdevs."10-microvm".netdevConfig = {
@@ -32,14 +59,11 @@ in
           DHCPServer = true;
           IPv6SendRA = true;
         };
-        addresses = [ {
+        addresses = if cfg.enableHostBridgeUnstable then [
-          Address = "10.0.0.1/24";
+          { Address = "10.0.0.1/24"; }
-        } {
+        ] else [
-          Address = "fd12:3456:789a::1/64";
+          { addressConfig.Address = "10.0.0.1/24"; }
-        } ];
+        ];
-        ipv6Prefixes = [ {
-          Prefix = "fd12:3456:789a::/64";
-        } ];
       };
 
       # connect the vms to the bridge
@@ -47,6 +71,50 @@ in
         matchConfig.Name = "vm-*";
         networkConfig.Bridge = "microvm";
       };
+    }; 
+
+    microvm.vms = 
+    let
+      # Map the values to each hostname to then generate a Attrs using listToAttrs
+      mapperFunc = name: { inherit name; value = {
+          # Host build-time reference to where the MicroVM NixOS is defined
+          # under nixosConfigurations
+          flake = inputs.malobeo; 
+          # Specify from where to let `microvm -u` update later on
+          updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure";
+        }; };
+    in
+    builtins.listToAttrs (map mapperFunc cfg.deployHosts);
+
+    systemd.services = builtins.foldl' (services: name: services // {
+      "microvm-update@${name}" = {
+        description = "Update MicroVMs automatically";
+        after = [ "network-online.target" ];
+        wants = [ "network-online.target" ];
+        unitConfig.ConditionPathExists = "/var/lib/microvms/${name}";
+        serviceConfig = {
+          LimitNOFILE = "1048576";
+          Type = "oneshot";
+        };
+        path = with pkgs; [ nix git ];
+        environment.HOME = config.users.users.root.home;
+        scriptArgs = "%i";
+        script = ''
+          /run/current-system/sw/bin/microvm -Ru ${name}
+        '';
+      };
+    }) {} (cfg.deployHosts);
+
+    systemd.timers = builtins.foldl' (timers: name: timers // {
+    "microvm-update-${name}" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "microvm-update@${name}.service";
+        # three times per hour
+        OnCalendar = "*:0,20,40:00";
+        Persistent = true;
+      };
     };
+  }) {} (cfg.deployHosts);
   };
 }

machines/nextcloud/configuration.nix

@@ -0,0 +1,46 @@
+{ config, lib, pkgs,  ... }:
+
+with lib;
+
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    nextcloudAdminPass = {};
+  };
+
+  networking = {
+    hostName = mkDefault "nextcloud";
+    useDHCP = false;
+    nameservers = [ "1.1.1.1" ];
+  };
+
+  imports = [
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ../modules/minimal_tools.nix
+    ../modules/autoupdate.nix
+  ];
+
+  environment.etc."nextcloud-admin-pass".text = "hXz5vspPsFPY";
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud30;
+    hostName = "10.0.0.11";
+    #config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
+    config.adminpassFile = "/etc/nextcloud-admin-pass"; #user=root
+    extraAppsEnable = true;
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
+      collectives = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-ErCWmQCI+ym9Pvsf84Z9yq4CyYJ1uVhyhhlS2bVSJ54=";
+        url = "https://github.com/nextcloud/collectives/releases/download/v2.15.1/collectives-2.15.1.tar.gz";
+        license = "agpl3Plus";
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

machines/nextcloud/secrets.yaml

@@ -0,0 +1,79 @@
+nextcloudAdminPass: ENC[AES256_GCM,data:es9hhtCcqBqPbV2L,iv:Kyq5kqao0uaMPs0GeRkJT9OWYSZfImBXngg51k0uQ0M=,tag:zN/u90/j4rmdo0HtY+cF9w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVGxsNmZ3Z0RIYmMyL0Mr
+            UUpaMEZLTCtQaGFrL1YwOVBicEtNRTVaVGhRCmhDSUgxYXpRcldaMngvOWJDdnNo
+            b2ZFbUdmcE9EV2E3SkMvZ1RpKzZmeU0KLS0tIE5hNmVFTXpBZFZ3bHYwQlJQaUtw
+            UFJmTVFaOTJXN09QLzY4emh5Z3hqRjAKXk1PSwR2x0H2cMN06fyigiusz8v2IRIg
+            S4ZTq/JX39U4QQHgWA1dFPfC636LNBo+QKdl/2mjwnXW7duqDJ+5kA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-26T20:00:50Z"
+    mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
+    pgp:
+        - created_at: "2024-11-26T19:59:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv+KkX46UGQzLvhrk/VUCnnMdLEcNbYfk4h+sZJzs1riOGA
+            LAKYNeaeN6iLLeZX+T2/s5OT4WkIEKGg8/gziurdx01BR70M96Faubp6EVtdK44+
+            6F5BLLrDhlEKDNOx48qPwJdFjbYW4wZLWmv5nzwPmmRCKO7MoI9UHKq69msCor1i
+            ralbjlVHyKSuRfvflKAlxFoEqeB6H+ryc54g3stk1j2eFiMNuF/oKDJZT+XI5LHZ
+            Ai80DAWoUBYgpP4aWiNC075GPutdPlZ3mrGf5+7QnNm7GmNUdJN5VAWmI2NUGr1J
+            BLopnPFo4juWNsZkLMj2aAuKvGTkhz2PuFKfLj6Erpu82RAjadpFWx239n+i4Ryq
+            wSquYshpuiecLEejntTBKLEacwp+aPx8IHKnOOKBTdJj+YYaISiznQAlkF7WS+lg
+            MTZR85BvCxiPogujL7uhYSx1wM5FVkuAIPf1JOJCRvQt30eRRrR0VMrmqQ1Kl5OT
+            VMzZRIGIoC5vrKGeIIjJ0lgBWQ3bYFh/LGrwKetku6TRAH29mp/XwQqBC97RsUYb
+            EOxft5sUWaYrXK+z2yzCxOQBWKJISPgcyhdoKfYGnRkHXHi2Uay84oQP4co72eVF
+            cAhEJOxMw36e
+            =bSaN
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2024-11-26T19:59:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAmG88ZDt43zj6dCJkYYVj7MGIhIviJzilTvX4+EfNobtA
+            tll60GYfRotKnwbuqzSVaaIcV+6cDQ5I1hG5WNFJSXm7DpJ0W1Ir1x2hpxektXFa
+            fQ+9HiCOfEqUu5PEynCAD1jN6CQLdl87hLQx9TqbZnHuUYPSH1o9Y6kbA/Vp3bpy
+            evJc8qa66WHYH1kjdEw+qneD5HzZQOLOtXZ7xkxjGbyMcYex9JfyGHohO5dpLg6B
+            3XrLlIWWERVz04MlnzlaMKfzhoMCU9ByqJSQ3VBm9kblQqu54fOZD2sN8j9ACEfL
+            YNC7Jm2rasVSqv09G1kso9/VNDw3kNCLvjnpE5rJRP7Ckfj+4FxQN/zPVUwQ1e1k
+            upoQ8MHyf1bJr8vspm/prm9zp+PRRTUwY1Yyts/ffj+CF5ec9M3jr/RSeEAdswsL
+            6dLKBL1LuLAjKXOuVnQ7E6gN940Y994sDFkbqEmzzCUHGcfxSF3IDn/qpkQlqerU
+            B/D43Yef+rtsUDyTA5RUpxKleGORcS4sV0BhQrNXeFclaMTyMr+AbOei4Y77qlD1
+            x/fHB3IT4Intvp9k4m6jJ86RtLpVhEoA4cHEdCCiXHzUpA6aVtNHVAOqT/aBykrf
+            uSm1wu/nl6yKbIwTJueli1OfQYKEYcUdjOrEOwXb+UDQKSohWZrMg0sj7/S6Pl/S
+            WAG1BZ20HXD2ZrVqESV87Pl04nKMqswrio+BINfAT9X3ya7L3DF69MR18bDt+ZIB
+            0F3+9WUREGI5in4S3hXNxrgfLNFl1YLklfWLYcx0HXJN3z6F2eJOUvM=
+            =aT3U
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+        - created_at: "2024-11-26T19:59:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1kR3vWkIYVnARAAqFyuCtvu6AidWg/9+btEcjWv0sBZaIRpYfX3p2QECwCu
+            UYAtssvSHgHdBEQzU27MA/5CGmEreB3NhWrjGquv88RojLO1JuhNHGYPZKeIcBKr
+            I2oS79RKuYs+d2Qu0KUYDaVoY9M5YJsfkju2FOXqMNYlbqX+lDuWnisigj3n2N4e
+            OEBnVIpfPBQE6c1Z9DaQJE7MyBbKfg5YeWjlwwh+fCf1dV/nGp+QdD88F3dzWMoK
+            xNGt69TwZ8JUVmElAIJqLJTpyDI5xHQUw2A6ddPSTk/u363eHhOnZZUNAAm3FdO5
+            0x+4QhcBaH59S8WDZhw4MVmZN7v4+3l3mf7Rx/TXSz4oJg+U7RMgvc291/gowNVm
+            /cVhBlMYz4Ogx/OYR/t+nzq35r+eBungTB+dRXw7qTTfkCtNgp34JMCkGAq5WWnY
+            57H2HtssGiMF0qN4SfWxw7317oUmqHI2XvG0yWt42G++jNgIGbDOtuc/7wATEbhK
+            SBX2aLqDIB1OUwLHQeawyKkB0qGmRSVPkPg8JLwRp43ICETH1WPkY5m/a2slVlDj
+            qgdw00clTI5Fgu/5G5QBD4Ds9f9ZwjrMD4v+NYfGxa0ajisXl1X6CL1+YvQ6Uicf
+            QmIRJYxyVd0VoXScZnsk0T/XTKjJB/fRLRalA2PmlZ1v+gisCUz2dhM+OHtSjGTS
+            WAG5znRbP8UMVt02O0PgbzHYtIUAtQLCuBnzfEKJn721rqCXf7DXU3jrR73Ys6ce
+            VJzkVBMnBszF71GN56t0PaUYIDOnaGvgjMtHHtOCLQHSK7asnm/Bc+E=
+            =Znii
+            -----END PGP MESSAGE-----
+          fp: 4095412245b6efc14cf92ca25911def5a4218567
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/ssh_keys.nix

@@ -3,5 +3,6 @@
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxgcjNOYbza3+RfANFDXy7HXNRFlkpDOAcGyB7MKshiVlbPByWRSjfZa0BeRNjpeCd8QkIodKUzqYOCOrc8ad3kiNbdLRcDz57A5xSLD3ynakoWJo0AmJjT3Ta1JJj8inNwwykR0ig5//SrtsZb9HkWJDAF017MokM2r8AWPE1QzcQdh93kojXcgTHrJHzEqgKbEGDEk37f1RvZG4umEFeqdK2FvS5isPa7P9X7hyyoDC8bvEy7xfaDrToJAoXon6r79taxH8UWIvy//xsU0NBLYK2eE4RQe2AjF6Ri+CybI6y1SsHOvyh4nNKWlfUOEL6UnIulRn/LXFOKCJi7xuoTeJXS0+w1DNEuiGosVNXPSKbUm/eDBVnb8Iyep9wmygSZayN82xL5lRlG3Mn45ttecqfm2SJkmduBA5qXcTdDPe/lXTZaVO9tbiIcJfUgd3ttEu2+6YjLn74D965PlovzvR6EhbVUZ8IkOAt4VmuTkXIdm8SCS7jzhsiKeUXoZ4rfa375zi79SIPuIkoMasj6d16wcYOeFIUIMFFccfQ9jQjr9NTSXC2dd7sfbI9I9mF7eRQSsUdSwpP8WH1b+M1MxTbdhEUdPwpOLviTTIuk8E8K8DQDZIcOOh38mCDpyoh02nwfRxlyoYVsKAHIQH02dHTvYEa3/pMsRwGc9W1Ow== kalipso@desktop"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
+   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
  ];
 }

outputs.nix

@@ -50,6 +50,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
   })) // rec {
     nixosConfigurations = import ./machines/configuration.nix (inputs // {
       inherit inputs;
+      self = self;
     });
 
     nixosModules.malobeo.imports = [

shell.nix

@@ -17,6 +17,7 @@ mkShell {
     sops-import-keys-hook
     sops-init-gpg-key
     sops
+    pkgs.age
     pkgs.python310Packages.grip
     pkgs.mdbook
   ];