change script to first import storage before unlocking root

I'll remove this later

doc/src/SUMMARY.md

@@ -21,3 +21,4 @@
         - [Updates](./anleitung/updates.md)
         - [Rollbacks](./anleitung/rollback.md)
         - [MicroVM](./anleitung/microvm.md)
+        - [Update Nextcloud](./anleitung/update_nextcloud.md)

doc/src/anleitung/create.md

@@ -1,47 +1,19 @@
-# Create host with disko-install
-How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
----
-Here are the exact steps to get bakunin running:  
-First create machines/hostname/configuration.nix  
-Add hosts nixosConfiguration in machines/configurations.nix  
-Boot nixos installer on the Machine.  
+# Create host with nixos-anywhere
+We use a nixos-anywhere wrapper script to deploy new hosts.
+The wrapper script takes care of copying persistent host keys before calling nixos-anywhere.
+
+To accomplish that boot the host from a nixos image and setup a root password.
 ``` bash
-# establish network connection
-wpa_passphrase "network" "password" > wpa.conf
-wpa_supplicant -B -i wlp3s0 -c wpa.conf
-ping 8.8.8.8
-# if that works continue
+sudo su
+passwd
+```
 
-# generate a base hardware config
-nixos-generate-config --root /tmp/config --no-filesystems
+After that get the hosts ip using `ip a` and start deployment from your own machine:
 
-# get the infra repo
-nix-shell -p git
-git clone https://git.dynamicdiscord.de/kalipso/infrastructure
-cd infrastructure
-
-# add the new generated hardware config (and import in hosts configuration.nix)
-cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
-
-# check which harddrive we want to install the system on
-lsblk #choose harddrive, in this case /dev/sda
-
-# run nixos-install on that harddrive
-sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
-
-# this failed with out of memory
-# running again showed: no disk left on device
-# it seems the usb stick i used for flashing is way to small
-# it is only 
-# with a bigger one (more than 8 gig i guess) it should work
-# instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
-# for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
-
-sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
-
-# failed with no space left on device.
-# problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
-# it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
+``` bash
+# from infrastrucutre repository root dir:
+nix develop .#
+remote-install hostname 10.0.42.23
 ```
 
 # Testing Disko
@@ -49,18 +21,3 @@ Testing disko partitioning is working quite well. Just run the following and che
 ```bash
 nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
 ```
-
-Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
-```nix
-datasets = {
-  encrypted = {
-    options = {
-      encryption = "aes-256-gcm"; #THIS ONE
-      keyformat = "passphrase"; #THIS ONE
-      keylocation = "file:///tmp/root.key"; #THIS ONE
-    };
-    # use this to read the key during boot
-     postCreateHook = '' #THIS ONE 
-       zfs set keylocation="prompt" "zroot/$name"; #THIS ONE 
-     ''; #THIS ONE 
-```

doc/src/anleitung/update_nextcloud.md

@@ -0,0 +1,16 @@
+### Updating nextcloud
+
+## Updating the draggable patch
+
+The draggable patch is a one line patch found in the deck repo under `src/components/cards/CardItem.vue`   
+Direct link: https://git.dynamicdiscord.de/ahtlon/deck/commit/77cbcf42ca80dd32e450839f02faca2e5fed3761   
+
+The easiest way to apply is
+1. Sync the repo with remote https://github.com/nextcloud/deck/tree/main
+2. Checkout the stable branch for the nextcloud version you need
+  - example `git checkout stable31`
+3. Apply the patch using `git cherry-pick bac32ace61e7e1e01168f9220cee1d24ce576d5e`
+4. Start a nix-shell with `nix-shell -p gnumake krankerl php84Packages.composer php nodejs_24`
+5. run `krankerl package`
+6. upload the archive at "./build/artifacts/deck.tar.gz" to a file storage (ask Ahtlon for access to the storj s3 or use own)
+7. Change url and sha in the nextcloud configuration.nix `deck = pkgs.fetchNextcloudApp {};`

doc/src/anleitung/updates.md

@@ -1 +1,11 @@
 # Updates
+## Nextcloud
+Update nextcloud to a new major version:
+- create state directories: `mkdir /tmp/var /tmp/data`
+- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`
+- Update lock file `nix flake update --commit-lock-file`
+- Change services.nextcloud.package to the next version (do not skip major version upgrades)
+- change custom `extraApps` to the new version
+- TEST!
+- run vm again, it should successfully upgrade nextcloud from old to new version
+- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736864502,
-        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "lastModified": 1746728054,
+        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "rev": "ff442f5d1425feb86344c028298548024f21256d",
         "type": "github"
       },
       "original": {
@@ -67,16 +67,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1736373539,
-        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
+        "lastModified": 1748226808,
+        "narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
+        "rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-24.11",
+        "ref": "release-25.05",
         "repo": "home-manager",
         "type": "github"
       }
@@ -109,11 +109,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1739104176,
-        "narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=",
+        "lastModified": 1748260747,
+        "narHash": "sha256-V3ONd70wm55JxcUa1rE0JU3zD+Cz7KK/iSVhRD7lq68=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2",
+        "rev": "b6c5dfc2a1c7614c94fd2c5d2e8578fd52396f3b",
         "type": "github"
       },
       "original": {
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737057290,
-        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
+        "lastModified": 1747663185,
+        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
+        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1738816619,
-        "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=",
+        "lastModified": 1747900541,
+        "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "2eccff41bab80839b1d25b303b53d339fbb07087",
+        "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1739020877,
-        "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
+        "lastModified": 1748190013,
+        "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
+        "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
         "type": "github"
       },
       "original": {
@@ -208,16 +208,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1739206421,
-        "narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=",
+        "lastModified": 1748162331,
+        "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "44534bc021b85c8d78e465021e21f33b856e2540",
+        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -235,7 +235,8 @@
         "nixpkgs-unstable": "nixpkgs-unstable",
         "sops-nix": "sops-nix",
         "tasklist": "tasklist",
-        "utils": "utils_3"
+        "utils": "utils_3",
+        "zineshop": "zineshop"
       }
     },
     "sops-nix": {
@@ -245,11 +246,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739262228,
-        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+        "lastModified": 1747603214,
+        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
         "type": "github"
       },
       "original": {
@@ -261,11 +262,11 @@
     "spectrum": {
       "flake": false,
       "locked": {
-        "lastModified": 1733308308,
-        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
+        "lastModified": 1746869549,
+        "narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=",
         "ref": "refs/heads/main",
-        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
-        "revCount": 792,
+        "rev": "d927e78530892ec8ed389e8fae5f38abee00ad87",
+        "revCount": 862,
         "type": "git",
         "url": "https://spectrum-os.org/git/spectrum"
       },
@@ -334,6 +335,21 @@
         "type": "github"
       }
     },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "tasklist": {
       "inputs": {
         "nixpkgs": [
@@ -341,11 +357,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737548421,
-        "narHash": "sha256-gmlqJdC+v86vXc2yMhiza1mvsqh3vMfrEsiw+tV5MXg=",
+        "lastModified": 1760981884,
+        "narHash": "sha256-ASFWbOhuB6i3AKze5sHCvTM+nqHIuUEZy9MGiTcdZxA=",
         "ref": "refs/heads/master",
-        "rev": "c5fff78c83959841ac724980a13597dcfa6dc26d",
-        "revCount": 29,
+        "rev": "b67eb2d778a34c0dceb91a236b390fe493aa3465",
+        "revCount": 32,
         "type": "git",
         "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
       },
@@ -407,6 +423,45 @@
         "repo": "flake-utils",
         "type": "github"
       }
+    },
+    "utils_4": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "zineshop": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils_4"
+      },
+      "locked": {
+        "lastModified": 1751462005,
+        "narHash": "sha256-vhr2GORiXij3mL+QIfnL0sKSbbBIglw1wnHWNmFejiA=",
+        "ref": "refs/heads/master",
+        "rev": "f505fb17bf1882cc3683e1e252ce44583cbe58ce",
+        "revCount": 155,
+        "type": "git",
+        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -3,7 +3,7 @@
 
   inputs = {
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -22,6 +22,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    zineshop = {
+      url = "git+https://git.dynamicdiscord.de/kalipso/zineshop";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     ep3-bs = {
       url = "git+https://git.dynamicdiscord.de/kalipso/ep3-bs.nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -33,7 +38,7 @@
     };
 
     home-manager=  {
-      url = "github:nix-community/home-manager/release-24.11";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs = {
         nixpkgs.follows = "nixpkgs";
       };

machines/.sops.yaml

@@ -8,12 +8,12 @@ keys:
   - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
   - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
   - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
-  - &machine_durruti age1arwef7t65lz40lxhs5svyzentskjzam3e0e0yxen872vwy6v234s9uftvr
-  - &machine_infradocs age15rqsygf7yfe6pv6t4c6c9jc6yk4vu5grmmcu7sexvqfw8763mf2q6qw50h
-  - &machine_overwatch age1075ep3sl5ztshnq4jrygxqqqfts9wzk4gvvtwfjcep5ke8nzqs5sxtw7vd
+  - &machine_durruti age1tc6aqmcl74du56d04wsz6mzp83n9990krzu4kuam2jqu8fx6kqpq038xuz
+  - &machine_infradocs age1tesz7xnnq9e58n5qwjctty0lw86gzdzd5ke65mxl8znyasx3nalqe4x6yy
+  - &machine_overwatch age1hq75x3dpnfqat9sgtfjf8lep49qvkdgza3xwp7ugft3kd74pdfnqfsmmdn
   - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
   - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
-  - &machine_nextcloud age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk
+  - &machine_nextcloud age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
   #this dummy key is used for testing.
   - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:

machines/bakunin/configuration.nix

@@ -53,7 +53,7 @@ in
       libreoffice
       gimp
       inkscape
-      okular
+      kdePackages.okular
       element-desktop
       chromium
       mpv

machines/durruti/host_config.nix

@@ -73,6 +73,24 @@ in
       };
     };
 
+
+    services.nginx.virtualHosts."zines.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
+    };
+
     services.nginx.virtualHosts."status.malobeo.org" = {
       forceSSL = true;
       enableACME= true;

machines/fanny/configuration.nix

@@ -1,10 +1,12 @@
 { inputs, config, ... }:
 let
   sshKeys = import ../ssh_keys.nix;
+  peers = import ../modules/malobeo/peers.nix;
 in
 {
   sops.defaultSopsFile = ./secrets.yaml;
   sops.secrets.wg_private = {};
+  sops.secrets.shop_auth = {};
 
   imports =
     [ # Include the results of the hardware scan.
@@ -18,6 +20,7 @@ in
       inputs.self.nixosModules.malobeo.microvm
       inputs.self.nixosModules.malobeo.metrics
       inputs.self.nixosModules.malobeo.users
+      inputs.self.nixosModules.malobeo.backup
     ];
 
     virtualisation.vmVariantWithDisko = {
@@ -42,6 +45,11 @@ in
     cacheurl = "https://cache.dynamicdiscord.de";
   };
 
+  malobeo.backup = {
+    enable = true;
+    snapshots = [ "storage/encrypted" "zroot/encrypted/var" ];
+  };
+
   nix = {
     settings.experimental-features = [ "nix-command" "flakes" ];
     #always update microvms
@@ -53,6 +61,7 @@ in
   malobeo.users = {
     malobeo = true;
     admin = true;
+    backup = true;
   };
 
   malobeo.disks = {
@@ -79,6 +88,35 @@ in
     ethernetDrivers = ["r8169"];
   };
 
+  boot.initrd = {
+    availableKernelModules = [ "wireguard" ];
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        netdevs."30-wg-initrd" = {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "wg-initrd";
+          };
+          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
+          wireguardPeers = [{
+            AllowedIPs = peers.fanny-initrd.allowedIPs;
+            PublicKey = peers.fanny-initrd.publicKey;
+            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
+            PersistentKeepalive = 25;
+          }];
+        };
+        networks."30-wg-initrd" = {
+          name = "wg-initrd";
+          addresses = [{ Address = peers.fanny-initrd.address; }];
+        };
+      };
+    };
+  };
+
+  boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
+
   services.malobeo.vpn = {
     enable = true;
     name = "fanny";
@@ -86,7 +124,13 @@ in
   };
 
   services.malobeo.microvm.enableHostBridge = true;
-  services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ];
+  services.malobeo.microvm.deployHosts = [ 
+    "overwatch" 
+    "infradocs" 
+    "nextcloud" 
+    "durruti" 
+    "zineshop"
+  ];
 
   networking = {
     nat = {
@@ -116,6 +160,7 @@ in
         proxyPass = "http://10.0.0.13";
         extraConfig = ''
           proxy_set_header Host $host;
+          client_max_body_size 10G;
         '';
       };
     };
@@ -137,6 +182,26 @@ in
         '';
       };
     };
+
+    virtualHosts."zines.malobeo.org" = {
+      # created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo'
+      # then content of foo.txt put into sops
+      # basicAuthFile = config.sops.secrets.shop_auth.path;
+      locations."/" = {
+        proxyPass = "http://10.0.0.15:8080";
+        extraConfig = ''
+          proxy_set_header Host $host;
+
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
+    };
   };
 
   services.tor = {
@@ -156,5 +221,10 @@ in
 
   time.timeZone = "Europe/Berlin";
   system.stateVersion = "23.05"; # Do.. Not.. Change..
+
+  sops.secrets.shop_auth = {
+    owner = config.services.nginx.user;
+    group = config.services.nginx.group;
+  };
 }
 

machines/fanny/secrets.yaml

@@ -1,4 +1,6 @@
 wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
+shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str]
+shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +25,8 @@ sops:
             QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP
             SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-14T12:41:07Z"
-    mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
+    lastmodified: "2025-04-14T10:34:55Z"
+    mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str]
     pgp:
         - created_at: "2025-02-11T18:32:49Z"
           enc: |-
@@ -65,4 +67,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4

machines/hosts.nix

@@ -67,6 +67,14 @@
         };
       };
 
+      zineshop = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.15";
+          mac = "D0:E5:CA:F0:D7:F1";
+        };
+      };
+
       testvm = {
         type = "host";
       };

machines/louise/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:
 
 {
   imports =
@@ -9,6 +9,7 @@
       ../modules/sshd.nix
       ../modules/minimal_tools.nix
       ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.printing
     ];
 
   malobeo.autoUpdate = {
@@ -35,7 +36,7 @@
       libreoffice
       gimp
       inkscape
-      okular
+      kdePackages.okular
       element-desktop
       chromium
       mpv
@@ -50,6 +51,8 @@
   };
 
   services.printing.enable = true;
+  services.malobeo.printing.enable = true;
+
   services.printing.drivers = [
     (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
     pkgs.gutenprint

machines/lucia/configuration.nix

@@ -35,8 +35,7 @@ in
   services = {
 
   dokuwiki.sites."wiki.malobeo.org" = {
-    enable = true;
-    #acl = "* @ALL 8";  # everyone can edit using this config
+        #acl = "* @ALL 8";  # everyone can edit using this config
     # note there is a users file at
     # /var/lib/dokuwiki/<wiki-name>/users.auth.php
     # makes sense to edit it by hand

machines/modules/disko/default.nix

@@ -187,7 +187,6 @@ in
               postCreateHook = lib.mkIf cfg.encryption ''
                 zfs set keylocation="prompt" zroot/encrypted;
               '';
-
             };
             "encrypted/root" = {
               type = "zfs_fs";
@@ -245,16 +244,18 @@ in
               };
               # use this to read the key during boot
               postCreateHook = lib.mkIf cfg.encryption ''
-                zfs set keylocation="file:///root/secret.key" storage/encrypted;
+                zfs set keylocation="prompt" storage/encrypted;
               '';
             };
             "encrypted/data" = {
               type = "zfs_fs";
               mountpoint = "/data";
+              options.mountpoint = "legacy";
             };
             "encrypted/data/microvms" = {
               type = "zfs_fs";
               mountpoint = "/data/microvms";
+              options.mountpoint = "legacy";
             };
             reserved = {
               # for cow delete if pool is full
@@ -271,7 +272,7 @@ in
     };
 
     boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
-    boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
+
     fileSystems."/".neededForBoot = true;
     fileSystems."/etc".neededForBoot = true;
     fileSystems."/boot".neededForBoot = true;

machines/modules/host_builder.nix

@@ -133,6 +133,13 @@ rec {
           mountPoint = "/var";
           tag = "var";
         }
+      ] ++ pkgs.lib.optionals (options.dataPath != "") [
+        {
+          source = "${options.dataPath}";
+          securityModel = "mapped";
+          mountPoint = "/data";
+          tag = "data";
+        }
       ]);
 
       interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
@@ -195,8 +202,7 @@ rec {
 
   vmNestedMicroVMOverwrites = host: sopsDummy: {
 
-    services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
-    microvm.vms = 
+    microvm.vms = pkgs.lib.mkForce (
     let
       # Map the values to each hostname to then generate an Attrset using listToAttrs
       mapperFunc = name: { inherit name; value = {
@@ -210,20 +216,22 @@ rec {
             (vmMicroVMOverwrites name { 
               withNetworking = true; 
               varPath = ""; 
+              dataPath = "";
               writableStore = false; })
             (if sopsDummy then (vmSopsOverwrites name) else {})
           ]);
         };
       }; };
     in
-    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
+    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts));
   };
 
-  buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
+  buildVM = host: networking: sopsDummy: disableDisko: varPath: dataPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
       modules = [
           (vmMicroVMOverwrites host { 
             withNetworking = networking; 
             varPath = "${varPath}"; 
+            dataPath = "${dataPath}"; 
             writableStore = writableStore;
             fwdPort = fwdPort; })
           (if sopsDummy then (vmSopsOverwrites host) else {})

machines/modules/malobeo/backup.nix

@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let 
+  cfg = config.malobeo.backup;
+  hostToCommand = (hostname: datasetNames: 
+    (map (dataset:  { 
+      name = "${hostname}_${dataset.sourceDataset}";
+      value = { 
+        inherit hostname; 
+        inherit (dataset) sourceDataset targetDataset;
+      }; 
+    } ) datasetNames));
+  peers = import ./peers.nix;
+
+  enableSnapshots = cfg.snapshots != null;
+  enableBackups = cfg.hosts != null;
+in
+{
+  options.malobeo.backup = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable sanoid/syncoid based backup functionality";
+    };
+
+    snapshots = mkOption {
+      type = types.nullOr (types.listOf types.str);
+      default = null;
+      description = "Automatic snapshots will be created for the given datasets";
+    };
+
+    hosts = mkOption {
+      default = null;
+      type = types.nullOr (types.attrsOf (types.listOf (types.submodule {
+        options = {
+          sourceDataset = mkOption {
+            type = types.str;
+            description = "The source that needs to be backed up";
+          };
+          targetDataset = mkOption {
+            type = types.str;
+            description = "The target dataset where the backup should be stored";
+          };
+        };
+      })));
+      description = ''
+          Hostname with list of datasets to backup. This option should be defined on hosts that will store backups.
+
+          It is necessary to add the machines that get backed up to known hosts.
+          This can be done for example systemwide using 
+          programs.ssh.knownHosts."10.100.0.101" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc";
+          Or set it for the syncoid user directly.
+        '';
+    };
+
+    sshKey = mkOption {
+      default = null;
+      type = types.nullOr types.str;
+      description = "Set path to ssh key used for pull backups. Otherwise default key is used";
+    };
+  };
+  
+  config = mkIf (cfg.enable) {
+    services.sanoid = mkIf (enableSnapshots) {
+      enable = true;
+  
+      templates."default" = {
+        hourly = 24;
+        daily = 30; #keep 30 daily snapshots
+        monthly = 6; #keep 6 monthly backups
+        yearly = 0;
+  
+        autosnap = true; #take snapshots automatically
+        autoprune = true; #delete old snapshots
+      };
+  
+      datasets = builtins.listToAttrs (map (name: { inherit name; value = {
+        useTemplate = [ "default" ];
+        recursive = true;
+      }; }) cfg.snapshots);
+    };
+
+    services.syncoid = mkIf (enableBackups) {
+      enable = true;
+      sshKey = cfg.sshKey;
+  
+      commonArgs = [
+        "--no-sync-snap"
+      ];
+  
+      interval = "*-*-* 04:15:00";
+  
+      commands = builtins.mapAttrs (name: value: {
+        source = "backup@${peers.${value.hostname}.address}:${value.sourceDataset}";
+        target = "${value.targetDataset}";
+        sendOptions = "w";
+        recvOptions = "\"\"";
+        recursive = true;
+      })(builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs hostToCommand cfg.hosts))));
+    };
+  };
+}

machines/modules/malobeo/initssh.nix

@@ -30,7 +30,9 @@ in
       loader.efi.canTouchEfiVariables = true;
       supportedFilesystems = [ "vfat" "zfs" ];
       zfs = {
+        forceImportAll = true;
         requestEncryptionCredentials = true;
+        
       };
       initrd = {
         availableKernelModules = cfg.ethernetDrivers;
@@ -54,11 +56,11 @@ in
           path = with pkgs; [ zfs ];
           serviceConfig.Type = "oneshot";
           script = ''
-            echo "systemctl default" >> /var/empty/.profile
+            echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
           '';
         };
       };
       kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
     };
   };
-}
+}

machines/modules/malobeo/microvm_host.nix

@@ -62,7 +62,7 @@ in
         addresses = if cfg.enableHostBridgeUnstable then [
           { Address = "10.0.0.1/24"; }
         ] else [
-          { addressConfig.Address = "10.0.0.1/24"; }
+          { Address = "10.0.0.1/24"; }
         ];
       };
 
@@ -102,6 +102,22 @@ in
           /run/current-system/sw/bin/microvm -Ru ${name}
         '';
       };
+
+      "microvm-init-dirs@${name}" = {
+        description = "Initialize microvm directories";
+        after = [ "zfs-mount.service" ];
+        wantedBy = [ "microvm@${name}.service" ];
+        unitConfig.ConditionPathExists = "!/var/lib/microvms/${name}/.is_initialized";
+        serviceConfig = {
+          Type = "oneshot";
+        };
+        script = ''
+          mkdir -p /var/lib/microvms/${name}/var
+          mkdir -p /var/lib/microvms/${name}/etc
+          mkdir -p /var/lib/microvms/data/${name}
+          touch /var/lib/microvms/${name}/.is_initialized
+        '';
+      };
     }) {} (cfg.deployHosts);
 
     systemd.timers = builtins.foldl' (timers: name: timers // {

machines/modules/malobeo/peers.nix

@@ -2,7 +2,7 @@
   "vpn" = {
     role = "server";
     publicIp = "5.9.153.217";
-    address = [ "10.100.0.1/24" ];
+    address = "10.100.0.1";
     allowedIPs = [ "10.100.0.0/24" ];
     listenPort = 51821;
     publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -11,36 +11,51 @@
 
   "celine" = {
     role = "client";
-    address = [ "10.100.0.2/24" ];
+    address = "10.100.0.2";
     allowedIPs = [ "10.100.0.2/32" ];
     publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
   };
 
   "desktop" = {
     role = "client";
-    address = [ "10.100.0.3/24" ];
+    address = "10.100.0.3";
     allowedIPs = [ "10.100.0.3/32" ];
     publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
   };
 
   "atlan-pc" = {
     role = "client";
-    address = [ "10.100.0.5/24" ];
+    address = "10.100.0.5";
     allowedIPs = [ "10.100.0.5/32" ];
     publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
   };
 
   "hetzner" = {
     role = "client";
-    address = [ "10.100.0.6/24" ];
+    address = "10.100.0.6";
     allowedIPs = [ "10.100.0.6/32" ];
     publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
   };
 
   "fanny" = {
     role = "client";
-    address = [ "10.100.0.101/24" ];
+    address = "10.100.0.101";
     allowedIPs = [ "10.100.0.101/32" ];
     publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
   };
+
+  "fanny-initrd" = {
+    role = "client";
+    address = "10.100.0.102";
+    allowedIPs = [ "10.100.0.102/32" ];
+    #TODO: UPDATE
+    publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
+  };
+
+  "backup0" = {
+    role = "client";
+    address = "10.100.0.20";
+    allowedIPs = [ "10.100.0.20/32" ];
+    publicKey = "Pp55Jg//jREzHdbbIqTXc9N7rnLZIFw904qh6NLrACE=";
+  };
 }

machines/modules/malobeo/printing.nix

@@ -0,0 +1,122 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let 
+  cfg = config.services.malobeo.printing;
+  driverFile = pkgs.writeTextDir "share/cups/model/konicaminoltac258.ppd" (builtins.readFile ../KOC658UX.ppd);
+
+  defaultPpdOptions = {
+    PageSize = "A4";
+    SelectColor = "Grayscale";
+    Finisher = "FS534";
+    SaddleUnit = "SD511";
+    Model = "C258";
+    InputSlot = "Tray1";
+    TextPureBlack = "On";
+    PhotoPureBlack = "On";
+    GraphicPureBlack = "On";
+  };
+
+in
+{
+  options.services.malobeo.printing = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Setup malobeo printers";
+    };
+  };
+  
+  config = mkIf (cfg.enable) {
+    services.printing.enable = true;
+    services.printing.drivers = [
+      driverFile
+    ];
+
+    hardware.printers.ensurePrinters = [ 
+      {
+        name = "KonicaDefault";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions;
+      }
+      {
+        name = "KonicaBooklet";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions // {
+          Fold = "Stitch";
+          Staple = "None";
+        };
+      }
+      {
+        name = "KonicaPostcard";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions // {
+          Fold = "None";
+          Staple = "None";
+          InputSlot = "BypassTray";
+          MediaType = "Thick4";
+          KMDuplex = "1Sided";
+        };
+      }
+    ];
+  };
+}
+
+/*
+ALL AVAILABE OPTIONS:
+
+PaperSources/Paper Source Unit: *None LU207 LU302 PC110 PC114 PC115 PC110+LU302 PC115+LU207 PC115+LU302 PC210 PC214 PC215 PC210+LU302 PC215+LU207 PC215+LU302 PC410 PC414 PC415 PC410+LU302 PC415+LU207 PC415+LU302
+Finisher/Finisher: None FS533 *FS534 JS506 FS536 FS537 FS537+JS602
+KOPunch/Punch Unit: *None PK519 PK519-3 PK519-4 PK519-SWE4 PK520 PK520-3 PK520-4 PK520-SWE4 PK523 PK523-3 PK523-4 PK523-SWE4
+ZFoldPunch/Z-Fold Unit: *None ZU609
+CoverSheetFeeder/Post Inserter: *None PI507
+SaddleUnit/Saddle Kit: None *SD511 SD512
+PrinterHDD/Hard Disk: None *HDD
+AdvancedFunctionCover/Advanced Function(Cover Mode): *Disable Enable
+Model/Model: C658 C558 C458 C368 C308 *C258 C287 C227 C266 C226
+Collate/Collate: False *True
+InputSlot/Paper Tray: AutoSelect *Tray1 Tray2 Tray3 Tray4 LCT ManualFeed
+MediaType/Paper Type: *Plain Plain(2nd) Thick1 Thick1(2nd) Thick1Plus Thick1Plus(2nd) Thick2 Thick2(2nd) Thick3 Thick3(2nd) Thick4 Thick4(2nd) Thin Envelope Transparency Color SingleSidedOnly TAB Letterhead Special Recycled Recycled(2nd) User1 User1(2nd) User2 User2(2nd) User3 User3(2nd) User4 User4(2nd) User5 User5(2nd) User6 User6(2nd) PrinterDefault UserCustomType1 UserCustomType1(2nd) UserCustomType2 UserCustomType2(2nd) UserCustomType3 UserCustomType3(2nd) UserCustomType4 UserCustomType4(2nd) UserCustomType5 UserCustomType5(2nd) UserCustomType6 UserCustomType6(2nd) UserCustomType7 UserCustomType7(2nd) UserCustomType8 UserCustomType8(2nd) UserCustomType9 UserCustomType9(2nd) UserCustomType10 UserCustomType10(2nd) UserCustomType11 UserCustomType11(2nd) UserCustomType12 UserCustomType12(2nd) UserCustomType13 UserCustomType13(2nd) UserCustomType14 UserCustomType14(2nd) UserCustomType15 UserCustomType15(2nd) UserCustomType16 UserCustomType16(2nd) UserCustomType17 UserCustomType17(2nd) UserCustomType18 UserCustomType18(2nd) UserCustomType19 UserCustomType19(2nd)
+PageSize/Paper Size: A3 *A4 A5 A6 B4 B5 B6 SRA3 220mmx330mm 12x18 Tabloid Legal Letter Statement 8x13 8.5x13 8.5x13.5 8.25x13 8.125x13.25 Executive 8K 16K EnvISOB5 EnvC4 EnvC5 EnvC6 EnvChou3 EnvChou4 EnvYou3 EnvYou4 EnvKaku1 EnvKaku2 EnvKaku3 EnvDL EnvMonarch Env10 JapanesePostCard 4x6_PostCard A3Extra A4Extra A5Extra B4Extra B5Extra TabloidExtra LetterExtra StatementExtra LetterTab-F A4Tab-F
+Offset/Offset: *False True
+OutputBin/Output Tray: *Default Tray1 Tray2 Tray3 Tray4
+Binding/Binding Position: *LeftBinding TopBinding RightBinding
+KMDuplex/Print Type: 1Sided *2Sided
+Combination/Combination: *None Booklet
+Staple/Staple: *None 1StapleAuto(Left) 1StapleZeroLeft 1Staple(Right) 2Staples
+Punch/Punch: *None 2holes 3holes 4holes
+Fold/Fold: None *Stitch HalfFold TriFold ZFold1 ZFold2
+FrontCoverPage/Front Cover: None *Printed Blank
+FrontCoverTray/Front Cover Tray: None Tray1 Tray2 Tray3 Tray4 LCT *BypassTray
+BackCoverPage/Back Cover: *None Printed Blank
+BackCoverTray/Back Cover Tray: *None Tray1 Tray2 Tray3 Tray4 LCT BypassTray
+PIFrontCover/Front Cover from Post Inserter: *None PITray1 PITray2
+PIBackCover/Back Cover from Post Inserter: *None PITray1 PITray2
+TransparencyInterleave/Transparency Interleave: *None Blank
+OHPOpTray/Interleave Tray: *None Tray1 Tray2 Tray3 Tray4 LCT
+WaitMode/Output Method: *None ProofMode
+SelectColor/Select Color: Auto Color *Grayscale
+GlossyMode/Glossy Mode: *False True
+OriginalImageType/Color Settings: *Document Photo DTP Web CAD
+AutoTrapping/Auto Trapping: *False True
+BlackOverPrint/Black Over Print: *Off Text TextGraphic
+TextColorMatching/Color Matching (Text): *Auto Vivid Photo Colorimetric
+TextPureBlack/Pure Black (Text): *Auto Off On
+TextScreen/Screen (Text): *Auto Gradation Resolution HighResolution
+PhotoColorMatching/Color Matching (Photo): *Auto Vivid Photo Colorimetric
+PhotoPureBlack/Pure Black (Photo): *Auto Off On
+PhotoScreen/Screen (Photo): *Auto Gradation Resolution HighResolution
+PhotoSmoothing/Smoothing (Photo): *Auto None Dark Medium Light
+GraphicColorMatching/Color Matching (Graphic): *Auto Vivid Photo Colorimetric
+GraphicPureBlack/Pure Black (Graphic): *Auto Off On
+GraphicScreen/Screen (Graphic): *Auto Gradation Resolution HighResolution
+GraphicSmoothing/Smoothing (Graphic): *Auto None Dark Medium Light
+TonerSave/Toner Save: *False True
+String4Pt/Edge Enhancement: *False True
+
+*/

machines/modules/malobeo/users.nix

@@ -2,18 +2,24 @@
 let 
   cfg = config.malobeo.users;
   sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
+  inherit (config.networking) hostName; 
 in
 {
   options.malobeo.users = {
     malobeo = lib.mkOption {
       type = lib.types.bool;
       default = true;
-      description = "enable malobeo user, defaults to on";
+      description = "enable malobeo user, defaults to on, ";
     };
     admin = lib.mkOption {
       type = lib.types.bool;
       default = true;
-      description = "enable admin user, defaults to on to prevent lockouts";
+      description = "enable admin user, defaults to on to prevent lockouts, passwordless sudo access";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "enable backup user, ";
     };
   };
   config = lib.mkMerge [
@@ -32,6 +38,7 @@ in
         isNormalUser = true;
         description = "admin user, passwordless sudo access, only ssh";
         hashedPassword = null;
+        openssh.authorizedKeys.keys = sshKeys.admins;
         extraGroups = [ "networkmanager" ];
       };
       environment.systemPackages = with pkgs; [];
@@ -48,8 +55,39 @@ in
         }
       ];
     })
+    (lib.mkIf cfg.backup {
+      users.users.backup = {
+        isNormalUser = true;
+        hashedPassword = null;
+        openssh.authorizedKeys.keys = sshKeys.backup;
+        description = "backup user for pull style backups, can only use zfs commands";
+      };
+      environment.systemPackages = with pkgs; [];
+      security.sudo.extraRules = [
+        {
+          users = [ "backup" ];
+          commands = [
+            {
+              command = "/run/current-system/sw/bin/zfs";
+              options = [ "NOPASSWD" ];
+            }
+            {
+              command = "/run/current-system/sw/bin/zpool";
+              options = [ "NOPASSWD" ];
+            }
+          ];
+        }
+      ];
+    })
     {
       users.mutableUsers = false;
+      services.openssh.hostKeys = [
+        {
+          path = "/etc/ssh/${hostName}";
+          type = "ssh-ed25519"; 
+        }
+      ];
+      sops.age.sshKeyPaths = [ "/etc/ssh/${hostName}" ];
       environment.systemPackages = with pkgs; [
         nix-output-monitor
         vim
@@ -60,4 +98,4 @@ in
       ];
     }
   ];
-}
+}

machines/modules/malobeo/wireguard.nix

@@ -70,7 +70,7 @@ in
       interfaces = {
         malovpn = {
           mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
-          address = myPeer.address;
+          address = [ "${myPeer.address}/24" ];
           autostart = cfg.autostart;
           listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
 

machines/nextcloud/configuration.nix

@@ -33,10 +33,10 @@ with lib;
 
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud30;
+    package = pkgs.nextcloud31;
     hostName = "cloud.malobeo.org";
     config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
-    #https = true; #disable for testing
+    maxUploadSize = "10G";
     datadir = "/data/services/nextcloud/";
     database.createLocally = true;
     config.dbtype = "pgsql";
@@ -47,21 +47,27 @@ with lib;
     };
     extraAppsEnable = true;
     extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls;
-      collectives = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
-        url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
+      appointments = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
+        url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
+        license = "agpl3Plus";
+      };
+      deck = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-1sqDmJpM9SffMY2aaxwzqntdjdcUaRySyaUDv9VHuiE=";
+        url = "https://link.storjshare.io/raw/jw7pf6gct34j3pcqvlq6ddasvdwq/mal/deck.tar.gz";
         license = "agpl3Plus";
       };
     };
     settings = {
       trusted_domains = ["10.0.0.13"];
+      trusted_proxies = [ "10.0.0.1" ];
       "maintenance_window_start" = "1";
       "default_phone_region" = "DE";
     };
     phpOptions = {
       "realpath_cache_size" = "0";
-      "opcache.interned_strings_buffer" = "23";
+      "opcache.interned_strings_buffer" = "32";
     };
   };
 

machines/nextcloud/secrets.yaml

@@ -8,60 +8,60 @@ sops:
         - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cFBEempENHlXNnhNb1d5
-            UitGNFliTDliZUdCSVBPRUVEWDc1Skw3N2xvCkFoL01DL2ZmWHhoMHV4TGdhaFdH
-            bG9XdUQ4ano4VjRxVTloNnl4OHJ6dkkKLS0tIDJvK2ZjNVhYZ1FkQTVWWjBhSFlt
-            R1Ixc3pWNFMvUVl0M1NsZ0txRXFMTkkK5aDgbCd13gAfZUrROnwRHgyXvIF67o1W
-            EzEFyhWatq2KKzv6VoJSFnvEx5lMPSs0LLvOK2qgrsz0jWdy6yUkAg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPT3ZxNEpRVktDWG9BR0Rv
+            ZUZQTkJwQ0pSblNvTkFOT3BBdjVaSzJhVzBvCnVWc2xRUjBnRFFXSDgxczRMSFMy
+            WFdaMGo4eE13b0RkZkphN2MvOUZtRmcKLS0tIDFHZU9tNjBNa0sveUYzN2dmYnM1
+            aDd0UlpMR3RNd3BDMmhqNmxhTFRoUlkK6Pni+cswKIU94WkP/fg5fzSmx/fhXjjl
+            mRG2o4ALCqcOxAxHBrKJppUCLjUgKG53wPF/jlIzkvbwHwnqVMfYsQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk
+        - recipient: age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc3BSNVdqSTNYZSt4c05K
-            TnpuYXF1L2lzQkdZOS9uUnA5aUpGTldWZVQ0CkZvN2hubmwvUW5xUWhtaE0xMzlp
-            U3dpRHlmdU5UVG1nTS9XUVpTSjdQQ00KLS0tIC9sWTBOMStOYis1SDhLbjFlVk1F
-            M2dYNEpmWmxyeXU5S0FuV083NkVaQ3cKXuGyR0YQy+22z2kgM7IPhr0gurWQYczm
-            FA7C/2hoqb4tyyejomitndBSyxIxnaReO0Apl6JXeTLor8Dpuu42oQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK2o2K2tPTFcvbXRkZ0lq
+            bS9ZOUc3dG1JeERZYVNsc3k3RjcxQ0RsdkRJCkx1VFhBQXRDOElqakJ0eTd3NEJX
+            b0JxOUtSOGJWeXlqdE5DdC9qNHA2N1UKLS0tIEFiQ3ZQM0NOaXRhUHBjVFhRMFk4
+            VjBFeldXS1p0Zk1uSk02aHpJd3BPOHcKvCmnK/KttB4RgnID/fj2KOdjvNnV3EWU
+            B9mW4yxbEqhoxtu+GFD3eR/8SvMPEsHl9xorT/ZygMG7hAzedSukWw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-11-26T20:00:50Z"
     mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
     pgp:
-        - created_at: "2025-02-19T14:34:54Z"
+        - created_at: "2025-03-05T08:24:30Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQGMA5HdvEwzh/H7AQwAkNhF9L1ocTsJRDyIA+0y24gtvRKAZhSRwds2wvTiBkPS
-            jzse8z4wY2yWz/JbEgqJqeFxJCaE64oc+2dETJIl2IsiRBDlXKfpL4yfRV+P6Ffu
-            DQfAR57hKIYa9emx+iFGoDMpRSuuLg4EGDoe1tmAu2OwLhKsqJrbL1ak88GB7/ko
-            gFk02AF/QYuEetc7R0pZPxB6n1HQGBrvqAFrnHEsxw2rR7I4kNYpEzyf0IuGHfB1
-            92WfYtdYSni7cqmTPV+t+k6P1VcJe6GXdlQnHk2pByqC2WrcrP+MtaAMkmWqxU72
-            AGarWEV2bnXmBsM5LcOQF6Mbui9tpEBE0O3lMlzUNXoVYHpOczlqdWkqh/y3Ea8V
-            bnHcaLQ8XubRyccK4JYZ4AIMJVPlVcnXdjZ4VFJwjRzGrllorq4x8L0niv60HV/g
-            akxsjW1DPnJURNFacT3JYF+PsN+hpj/ma2k8qUTX5wFVJy3Gm0psVYqE5901ivBA
-            yg7mfiftchDvIeGQR8tE0lgBZrJbf/SjpVdawq7DORFVxkaNeoSAxOkCnqZ5kc7C
-            w6zfxABWvwz73QM0AqfNzjkyswGk7N/09Zpj4BvjbbYuAfvIdiVVDHRPez/qWjnB
-            vkt9aLXFepLl
-            =4LVt
+            hQGMA5HdvEwzh/H7AQv+Lr4ISzvM/IEkckNhOOYAeZ0XCJ3JviSwT5wh3nd5u7ZJ
+            tXdLgLwGvFs0gXBf/R2kAoyEMyFziP3dqehvrjwTipuj/5lLdw73X9kddGkGOeQK
+            EDq2+cW3ufuukpyRq+o4lJjMmbwQuqvhqeVOxohQ677e1Xy8q6DorfwOgEgHegK1
+            t1H/DlVHritv54mPjr9hx0fZ5Auow17wteKD71KD/Y4s9JNB0DghcHAGiwYZzL7U
+            aFBY0itZyeJwH7rmFJDTQ+N+595t8dguTS/V1J0SKrIynMXVgTo6dpX10lSRubYe
+            9TQRMO3bmnsdPlmVJ7SlCkcc8blpHSgeQYdaZgPjDmbs+cuAkUMBnR/aEFXIX5IC
+            lohDRX5Vd7dUfVl5CiPNbG8hnvcp2lg7CUBV46fVQ5ZJ73jW1+1Bk3hxGdLklLlF
+            N3hLzBBUpF8U0mvGMXJYX2gQKivRurIoLHZgmjQTjhA1uBfhTI3ktyLABz04dt7I
+            OQYOlpsAZ/qnxbt+37LD0lgBz5XoHDuGNS2nnVQnuvtzt69GDP8mR1QXnhZedTrM
+            kDxxTXV7tMIbqw55tr+qVVG4H8QGy1xat3LSTIxoMmz0MmkyjQhApPN2ipwjyNof
+            X0Aw9hmAZV52
+            =A/yB
             -----END PGP MESSAGE-----
           fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2025-02-19T14:34:54Z"
+        - created_at: "2025-03-05T08:24:30Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA98TrrsQEbXUARAAmoHJ3i2vABDamIF3Nj6uuawarW+KKjzrIfYvAmWW4fgz
-            zVAquTl1Oculhv+H4eVuylNUM5kwyCkM/VAxy3KoSNZn6aGZVDuns70r9lbNC1R8
-            +diYAIe33rE3h6/Rw74RgOXUgNalONeoBWbIUuG+y9XOIfu7CBoUeGJct4ycYH0h
-            bn5iI0e4myDldmSc7OYnyruQMYg9OcKBnQPTZl1qzTqpwR6/BnIhWJcItuc3W5rv
-            aEunQ8lVyNxhGWMDwFucUJ2WbxkOFOFWPrLGXtsUg/I32aCUNR6X/HnYUezqCoSA
-            SFJAsaPkBr07o5Be5D03m0s5ryktQUdAElyDaz2Sgc58re9mtYKBAf4P4fKD5Zx+
-            TJJGr6dmtb28Nxb5mbMroKbTit92NHHatXfz/YrZ1JyCHuINZ5Sq01TGhx6y71Uj
-            0Afq3S2la+85UYRsQ5g9q6jM8rBHjm9AdcUkWA1chtn6elAUG8J0B+DUYYwcrMtp
-            YWFaKNHT09FRn4TcgE50Wgn9lX2RZ03viBbgCvDBLh3fmzl+dU1DsFdwuYmbgOeO
-            B6SQ2+SF3VVR7vAn4oPKydztCfYmb+38sCQl/FtZdP1RRW150fXtUx7aAzWGsLhq
-            AObrNp0uMeCBHtpWctwFR1qssfRD3DHkI59MqoGK7ehDtBS6hzayjJp8sTiqCTzS
-            WAH/vMH2cvGN3q9mr73bBqHBxAL+ANWxrDvQmM4xwbLxET24ULnsC35bn4psWjTN
-            Y3aQqzhaZdYOki09fLENaYl6BMeIcfBx4qUrgfQKLUNqGV5fvVuXJUc=
-            =/V5O
+            hQIMA98TrrsQEbXUAQ//UtocoQPpMZL71RyjSnJFZq1NT4H5KxbcvQb4LtPBbanK
+            /gPja40wOWXy/3plCHuZYQ/mR69k9URgwD6/0RSSmCCuVp/+FPbK3UbMYyTOtYBr
+            wKnq9eRP8URK6LINJMcNHzfQtgvTcBclJSY1kLfUVjl2RV2NqXVa6+B1sHJdse8A
+            5NyJ/VNRRrNDtNnmIaIHPFUBySVKLqiXeex4gFNy02IcwwSiFZnBt/ReaFjZQTGE
+            TKfyohQF4V4/e35wvhbqWSFYZmWHCwW94gnwTwnlEO/H/NvbNUNDSYL6WwrIFF7+
+            h/tP7nWbBxNqSByHGQuJnKSysndwUuSMuH+uj+uYdJDn1L1VEoErfAZcRSsDAz1Z
+            BVkEaPJM6ZmRM48up5eHQtPG2rklmoFw/O/bPd9QUWJ/ZRu2gcY8aLGczHygaq6W
+            gvZTCPrke7XZTd9S3mAcdlJ2iAYuKY4AmGqfmXbd7mRZXP3DQkRaA/IwCCNJVmhX
+            um5MbCa17I9Uwh58NBmDuejLcmJDWL5jLmN6S86t3k3jKxwaX56SRwAD92klMdQq
+            8UX2dkUkwnnI+YjfOEeLGDAT655TsejpE97JKjI/m39Pwnn+MrDEfNDHhfjX+9QC
+            5k+fiP7yWc7hG3A7jt5vEadazPgDeqy0q7jbmTPtmdieqBs71P3j19l3VKAU8ZnS
+            WAGz21MFYjhESmU7fqhTyVE9Dsd4GqyB+ZSa8hHj2ISaOi0QQ9JXjjtQhkDGlsB4
+            /PrjZhyqd62wHS075YV1B9YqOhC1nAkC+s9mj9CrWIeH2JMOSK9EUyI=
+            =5u7o
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
     unencrypted_suffix: _unencrypted

machines/overwatch/configuration.nix

@@ -12,6 +12,7 @@ with lib;
     self.nixosModules.malobeo.metrics
     ../modules/malobeo_user.nix
     ../modules/sshd.nix
+    ./printer_module.nix
   ];
 
   networking.firewall.allowedTCPPorts = [ 80 3100 ];
@@ -66,9 +67,9 @@ with lib;
 
   services.nginx = {
     enable = true;
-    virtualHosts.${config.services.grafana.domain} = {
+    virtualHosts.${config.services.grafana.settings.server.domain} = {
       locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
           proxyWebsockets = true;
 
       extraConfig = ''
@@ -77,6 +78,8 @@ with lib;
     };
       };
   };
+  
+  printer_scraping.enable = true;
 
   services.prometheus = {
     enable = true;
@@ -89,6 +92,12 @@ with lib;
           targets = [ "127.0.0.1:9002" ];
         }];
       }
+      {
+        job_name = "printer";
+        static_configs = [{
+          targets = [ "127.0.0.1:9091" ];
+        }];
+      }
       {
         job_name = "durruti";
         static_configs = [{
@@ -107,6 +116,12 @@ with lib;
           targets = [ "10.0.0.13:9002" ];
         }];
       }
+      {
+        job_name = "zineshop";
+        static_configs = [{
+          targets = [ "10.0.0.15:9002" ];
+        }];
+      }
       {
         job_name = "fanny";
         static_configs = [{

machines/overwatch/printer_module.nix

@@ -0,0 +1,33 @@
+{config, lib, pkgs, ...}:
+{
+  options.printer_scraping = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable the script to pull data from the printer";
+    };
+    timer = lib.mkOption {
+      type = lib.types.str;
+      default = "1m";
+      description = "systemd timer for script execution";
+    };
+  };
+
+  config = lib.mkIf config.printer_scraping.enable {
+    systemd.services."printer-scraping" = {
+      description = "Pull printer stats and upload to influxdb";
+      serviceConfig.Type = "oneshot";
+      path = with pkgs; [yq jq curl bash];
+      script = "bash ${./pull_info.sh}";
+    };
+    systemd.timers."printer-scraping" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "5s";
+        OnUnitActiveSec = config.printer_scraping.timer;
+        Unit = "printer-scraping.service";
+      };
+    };
+    services.prometheus.pushgateway.enable = true; #Im not dealing with influx
+  };
+}

machines/overwatch/pull_info.sh

@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+set -eo pipefail
+for command in "jq" "xq" "grep" "curl" "sed"
+do
+    if ! command -v $command >/dev/null 2>&1
+    then
+        echo "$command could not be found"
+        exit 1
+    fi
+done
+#Functions---------------
+get_cookie () {
+    if [[ $1 == "-d" ]]; then
+        cookie=$(cat request_example_1.txt)
+    else
+        cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
+    fi
+
+    exitCode="$?"
+    if [[ $exitCode == "7" ]];
+    then
+        echo "Server offline"
+        exit 0
+    elif [[ $exitCode != "0" ]];
+    then 
+        echo "Something went wrong"
+        exit 1
+    fi
+
+    cookie=$(echo "$cookie" | grep Set-Cookie | grep -oP "ID=\K[^.]+" )
+    if [[ $cookie == "" ]]
+    then
+        echo "No cookie got!"
+        exit 1
+    fi
+}
+get_values () {
+    local path="$1"
+    local -n keys=$2
+    local name="$3"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq "$path | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq "select(.Type==\"$key\") | .Count" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+}
+get_values_DeviceStatus () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq ".MFP.Common.DeviceStatus")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq ".$key" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+
+}
+get_values_consumables () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_consumables_data=$(echo "$system_consumables_data" | jq ".[] |.DeviceInfo.ConsumableList.Consumable | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(
+            echo "$local_system_consumables_data" | 
+            jq "select(.Name==\"$key\") | .CurrentLevel.LevelPer" | 
+            sed 's/"//g'
+            )
+        valueStore=$(echo "$valueStore"; echo "$name"_"${key//[^a-zA-Z_-]/_}" "$value")
+    done
+}
+#End Functions----------
+
+#Variables-----------------------
+system_counter_DeviceStatus_keys=("ScanStatus" "PrintStatus" "Processing" "NetworkErrorStatus" "KmSaasgw" "HddMirroringErrorStatus")
+system_counter_TotalCounter_keys=("Total" "DuplexTotal" "Document" "Paper" "TotalLarge" "PrintPageTotal" "PaperSizeA3" "PaperSizeA4" "PaperSizeB4" "PaperSizeB5" "PaperSizeOther" "Nin12in1" "PaperTypeNormal" "PaperTypeOther")
+system_counter_FullColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_BlackCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_DoubleColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_CopyCounter_keys=("BwTotal" "FullColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_PrintCounter_keys=("BwTotal" "FullColorTotal" "BiColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "FaxReceive" "FaxSend")
+system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
+#End Variables-------------
+
+echo "Getting cookie"
+get_cookie "$@"
+
+echo "Start extracting info from system_counter"
+if [[ $1 == "-d" ]]; then
+    system_counter_data=$(cat system_counter.xml |xq)
+else
+    system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.FullColorCounterList.FullColorCounter" system_counter_FullColorCounter_keys FullColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.BlackCounterList.BlackCounter" system_counter_BlackCounter_keys BlackCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.DoubleColorCounterList.DoubleColorCounter" system_counter_DoubleColorCounter_keys DoubleColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.CopyCounterList.CopyCounter" system_counter_CopyCounter_keys CopyCounter
+
+get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system_counter_ScanFaxCounter_keys ScanFaxCounter
+
+get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
+
+echo "Start extracting info from system_consumables"
+if [[ $1 == "-d" ]]; then
+    system_consumables_data=$(cat system_consumables.xml |xq)
+else
+    system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values_consumables system_consumables_base_keys Consumables
+
+echo "Sending data to prometheus-pushgateway..."
+
+echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
+echo "Success!"
+exit 0

machines/ssh_keys.nix

@@ -5,4 +5,8 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
  ];
+ backup = [
+  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIGryhnXdmbGObONG88K+c9zeduMrwtoLHwzMDZg3UXB+Cnq2FXWOrlLZxA+95VUgHpyGZiykJmzeWrKhldDlDeGGd8QCCLeuliiOgXADTYjWaVfhd+6arPZrK2VtqqsguvH40gW1xfoGAOmAT4WFnxWxIaEip0V2u6NOoKTiH9I3bz2Qe4lfJvPXig+XwCXcukXd6XUkDFYDpiw8XNV3X7pqTus5d2RYR97bAhIYZZQ6h50ZpTY8N0lFh4RY5yfx8BhxJW3tfoi9uZvVuPx7dGPsZsSniENFPMNz3UwHGitTJMr4088cJrAGgd5lyFuLouiHiM2JMGA0wx9wWTbWJEwTLaTVQK9gSJf857ndV2zCh9vKlfko4w9bQgqxKg4U/mY8dXX1E7D51nD2ci8Ed+ZG+NEneFLyZhLsD82GkBY+YovA+4xm/pcx+hBhlyqGNxI8v+Jh+JhEyD/ZLgJfq3ZMbGIGsTiDwZ2flLLxImHHEoDoT6PHU6hDhPDJu560="
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPP4s6qNKwtu2l5DRKU/Xo6lMRztqNw/MOVsKx58kUE8 root@silizium"
+ ];
 }

machines/testvm/configuration.nix

@@ -24,7 +24,7 @@ in
 
   malobeo.disks = {
     enable = true;
-    encryption = true;
+    encryption = false;
     hostId = "83abc8cb";
     devNodes = "/dev/disk/by-path/";
     root = {

machines/vpn/configuration.nix

@@ -66,6 +66,28 @@ with lib;
         '';
       };
     };
+
+    virtualHosts."zines.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Authorization $http_authorization;  # Pass the Authorization header
+          proxy_pass_header Authorization;
+
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
+    };
   };
 
   system.stateVersion = "22.11"; # Did you read the comment?

machines/zineshop/configuration.nix

@@ -0,0 +1,34 @@
+{ self, config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "zineshop";
+    useDHCP = false;
+  };
+
+  imports = [
+    inputs.malobeo.nixosModules.malobeo.metrics
+    inputs.malobeo.nixosModules.malobeo.printing
+    inputs.zineshop.nixosModules.zineshop
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.printing.enable = true;
+  services.malobeo.printing.enable = true;
+
+  services.zineshop.enable = true;
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

outputs.nix

@@ -37,7 +37,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
         sops.sops-init-gpg-key
         pkgs.sops
         pkgs.age
-        pkgs.python310Packages.grip
+        pkgs.python313Packages.grip
         pkgs.mdbook
         pkgs.ssh-to-age
         microvmpkg.microvm
@@ -116,6 +116,8 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
       metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
       disko.imports = [ ./machines/modules/disko ];
       users.imports = [ ./machines/modules/malobeo/users.nix ];
+      backup.imports = [ ./machines/modules/malobeo/backup.nix ];
+      printing.imports = [ ./machines/modules/malobeo/printing.nix ];
     };
 
     hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (

scripts/add_new_host_keys.sh

@@ -31,10 +31,13 @@ cd "$pwpath"
 # Generate SSH keys
 ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
 ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
+wg genkey > wg.private
+publickey=$(cat wg.private | wg pubkey)
 
 #encrypt the private keys
 sops -e -i ./$hostkey
 sops -e -i ./$initrdkey
+sops -e -i ./wg.private
 
 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -45,6 +48,9 @@ echo
 echo "Hier ist der age public key für sops etc:"
 echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
+echo "Hier ist der wireguard pubkey für das gerät"
+echo "$publickey"
+echo 
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
 

scripts/remote-install-encrypt.sh

@@ -40,16 +40,17 @@ trap cleanup EXIT
 
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
-install -d -m755 "$temp/root/"
+install -d -m755 "$temp/etc/wireguard/"
 
+##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
 diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
-echo "$diskKey" > $temp/root/secret.key
 
 sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
 
-sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
+sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 
+sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
 chmod 600 "$temp/etc/ssh/initrd"

scripts/run-vm.sh

@@ -6,6 +6,7 @@ usage() {
     echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
     echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
     echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
+    echo "--data path to directory that should be shared as /data"
     echo "--fwd-port forwards the given port to port 80 on vm"
     exit 1
 }
@@ -23,6 +24,7 @@ DUMMY_SECRETS=false
 NO_DISKO=false
 RW_STORE=false
 VAR_PATH=""
+DATA_PATH=""
 FWD_PORT=0
 
 # check argws
@@ -42,6 +44,15 @@ while [[ "$#" -gt 0 ]]; do
               usage
           fi
           ;;
+        --data) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              DATA_PATH="$2"
+              shift
+          else
+              echo "Error: --data requires a non-empty string argument."
+              usage
+          fi
+          ;;
         --fwd-port) 
           if [[ -n "$2" && ! "$2" =~ ^- ]]; then
               FWD_PORT="$2"
@@ -64,4 +75,8 @@ if [ -n "$VAR_PATH" ]; then
   echo "sharing var directory: $VAR_PATH"
 fi
 
-nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
+if [ -n "$DATA_PATH" ]; then
+  echo "sharing data directory: $DATA_PATH"
+fi
+
+nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" \"$DATA_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"

scripts/unlock-boot.sh

@@ -24,12 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
 echo
 if [ $# = 1 ]
     then
-    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$hostname-initrd "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
 
 elif [ $# = 2 ]
     then
     ip=$2
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$ip "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted" 
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
     
 else
     echo