[docs] updates fix linebreaks

Flake lock file updates:

• Updated input 'home-manager':
    'github:nix-community/home-manager/bd65bc3cde04c16755955630b344bc9e35272c56?narHash=sha256-dinzAqCjenWDxuy%2BMqUQq0I4zUSfaCvN9rzuCmgMZJY%3D' (2025-01-08)
  → 'github:nix-community/home-manager/b4e98224ad1336751a2ac7493967a4c9f6d9cb3f?narHash=sha256-t7dFCDl4vIOOUMhEZnJF15aAzkpaup9x4ZRGToDFYWI%3D' (2025-04-08)
• Updated input 'microvm':
    'github:astro/microvm.nix/d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2?narHash=sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI%3D' (2025-02-09)
  → 'github:astro/microvm.nix/773d5a04e2e10ca7b412270dea11276a496e1b61?narHash=sha256-Fz7AiCJWtoWZ2guJwO3B1h3RuJxYWaCzFIqY0Kmkyrs%3D' (2025-03-27)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453?narHash=sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL%2BtIBm49vpepwL1MQ%3D' (2025-01-16)
  → 'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11?narHash=sha256-QaMEhcnscfF2MqB7flZr%2BsLJMMYZPnvqO4NYf9B4G38%3D' (2025-03-21)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/2eccff41bab80839b1d25b303b53d339fbb07087?narHash=sha256-5yRlg48XmpcX5b5HesdGMOte%2BYuCy9rzQkJz%2Bimcu6I%3D' (2025-02-06)
  → 'github:NixOS/nixos-hardware/1fe3cc2bc5d2dc9c81cb4e63d2f67c1543340df1?narHash=sha256-OuLhysErPHl53BBifhesrRumJNhrlSgQDfYOTXfgIMg%3D' (2025-04-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/44534bc021b85c8d78e465021e21f33b856e2540?narHash=sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs%3D' (2025-02-10)
  → 'github:NixOS/nixpkgs/f9ebe33a928b5d529c895202263a5ce46bdf12f7?narHash=sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5%2BW0%3D' (2025-04-10)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/a79cfe0ebd24952b580b1cf08cd906354996d547?narHash=sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y%3D' (2025-02-08)
  → 'github:NixOS/nixpkgs/f675531bc7e6657c10a18b565cfebd8aa9e24c14?narHash=sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U%3D' (2025-04-09)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975?narHash=sha256-7JAGezJ0Dn5qIyA2%2BT4Dt/xQgAbhCglh6lzCekTVMeU%3D' (2025-02-11)
  → 'github:Mic92/sops-nix/69d5a5a4635c27dae5a742f36108beccc506c1ba?narHash=sha256-SR6%2BqjkPjGQG%2B8eM4dCcVtss8r9bre/LAxFMPJpaZeU%3D' (2025-04-08)

doc/src/anleitung/create.md

@@ -1,47 +1,19 @@
-# Create host with disko-install
-How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
----
-Here are the exact steps to get bakunin running:  
-First create machines/hostname/configuration.nix  
-Add hosts nixosConfiguration in machines/configurations.nix  
-Boot nixos installer on the Machine.  
+# Create host with nixos-anywhere
+We use a nixos-anywhere wrapper script to deploy new hosts.
+The wrapper script takes care of copying persistent host keys before calling nixos-anywhere.
+
+To accomplish that boot the host from a nixos image and setup a root password.
 ``` bash
-# establish network connection
-wpa_passphrase "network" "password" > wpa.conf
-wpa_supplicant -B -i wlp3s0 -c wpa.conf
-ping 8.8.8.8
-# if that works continue
+sudo su
+passwd
+```
 
-# generate a base hardware config
-nixos-generate-config --root /tmp/config --no-filesystems
+After that get the hosts ip using `ip a` and start deployment from your own machine:
 
-# get the infra repo
-nix-shell -p git
-git clone https://git.dynamicdiscord.de/kalipso/infrastructure
-cd infrastructure
-
-# add the new generated hardware config (and import in hosts configuration.nix)
-cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
-
-# check which harddrive we want to install the system on
-lsblk #choose harddrive, in this case /dev/sda
-
-# run nixos-install on that harddrive
-sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
-
-# this failed with out of memory
-# running again showed: no disk left on device
-# it seems the usb stick i used for flashing is way to small
-# it is only 
-# with a bigger one (more than 8 gig i guess) it should work
-# instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
-# for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
-
-sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
-
-# failed with no space left on device.
-# problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
-# it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
+``` bash
+# from infrastrucutre repository root dir:
+nix develop .#
+remote-install hostname 10.0.42.23
 ```
 
 # Testing Disko
@@ -49,18 +21,3 @@ Testing disko partitioning is working quite well. Just run the following and che
 ```bash
 nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
 ```
-
-Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
-```nix
-datasets = {
-  encrypted = {
-    options = {
-      encryption = "aes-256-gcm"; #THIS ONE
-      keyformat = "passphrase"; #THIS ONE
-      keylocation = "file:///tmp/root.key"; #THIS ONE
-    };
-    # use this to read the key during boot
-     postCreateHook = '' #THIS ONE 
-       zfs set keylocation="prompt" "zroot/$name"; #THIS ONE 
-     ''; #THIS ONE 
-```

doc/src/anleitung/updates.md

@@ -1 +1,11 @@
 # Updates
+## Nextcloud
+Update nextcloud to a new major version:
+- create state directories: `mkdir /tmp/var /tmp/data`
+- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`
+- Update lock file `nix flake update --commit-lock-file`
+- Change services.nextcloud.package to the next version (do not skip major version upgrades)
+- change custom `extraApps` to the new version
+- TEST!
+- run vm again, it should successfully upgrade nextcloud from old to new version
+- run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`

flake.lock

@@ -67,11 +67,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736373539,
-        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
+        "lastModified": 1744117652,
+        "narHash": "sha256-t7dFCDl4vIOOUMhEZnJF15aAzkpaup9x4ZRGToDFYWI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
+        "rev": "b4e98224ad1336751a2ac7493967a4c9f6d9cb3f",
         "type": "github"
       },
       "original": {
@@ -109,11 +109,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1739104176,
-        "narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=",
+        "lastModified": 1743083165,
+        "narHash": "sha256-Fz7AiCJWtoWZ2guJwO3B1h3RuJxYWaCzFIqY0Kmkyrs=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2",
+        "rev": "773d5a04e2e10ca7b412270dea11276a496e1b61",
         "type": "github"
       },
       "original": {
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737057290,
-        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
+        "lastModified": 1742568034,
+        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
+        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1738816619,
-        "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=",
+        "lastModified": 1744366945,
+        "narHash": "sha256-OuLhysErPHl53BBifhesrRumJNhrlSgQDfYOTXfgIMg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "2eccff41bab80839b1d25b303b53d339fbb07087",
+        "rev": "1fe3cc2bc5d2dc9c81cb4e63d2f67c1543340df1",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1739020877,
-        "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
+        "lastModified": 1744232761,
+        "narHash": "sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
+        "rev": "f675531bc7e6657c10a18b565cfebd8aa9e24c14",
         "type": "github"
       },
       "original": {
@@ -208,11 +208,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1739206421,
-        "narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=",
+        "lastModified": 1744309437,
+        "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "44534bc021b85c8d78e465021e21f33b856e2540",
+        "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7",
         "type": "github"
       },
       "original": {
@@ -245,11 +245,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739262228,
-        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+        "lastModified": 1744103455,
+        "narHash": "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+        "rev": "69d5a5a4635c27dae5a742f36108beccc506c1ba",
         "type": "github"
       },
       "original": {
@@ -341,11 +341,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737548421,
-        "narHash": "sha256-gmlqJdC+v86vXc2yMhiza1mvsqh3vMfrEsiw+tV5MXg=",
+        "lastModified": 1743458889,
+        "narHash": "sha256-eVTtsCPio3Wj/g/gvKTsyjh90vrNsmgjzXK9jMfcboM=",
         "ref": "refs/heads/master",
-        "rev": "c5fff78c83959841ac724980a13597dcfa6dc26d",
-        "revCount": 29,
+        "rev": "b61466549e2687628516aa1f9ba73f251935773a",
+        "revCount": 30,
         "type": "git",
         "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
       },

machines/.sops.yaml

@@ -8,12 +8,12 @@ keys:
   - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
   - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
   - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
-  - &machine_durruti age1arwef7t65lz40lxhs5svyzentskjzam3e0e0yxen872vwy6v234s9uftvr
-  - &machine_infradocs age15rqsygf7yfe6pv6t4c6c9jc6yk4vu5grmmcu7sexvqfw8763mf2q6qw50h
-  - &machine_overwatch age1075ep3sl5ztshnq4jrygxqqqfts9wzk4gvvtwfjcep5ke8nzqs5sxtw7vd
+  - &machine_durruti age1tc6aqmcl74du56d04wsz6mzp83n9990krzu4kuam2jqu8fx6kqpq038xuz
+  - &machine_infradocs age1tesz7xnnq9e58n5qwjctty0lw86gzdzd5ke65mxl8znyasx3nalqe4x6yy
+  - &machine_overwatch age1hq75x3dpnfqat9sgtfjf8lep49qvkdgza3xwp7ugft3kd74pdfnqfsmmdn
   - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
   - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
-  - &machine_nextcloud age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk
+  - &machine_nextcloud age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
   #this dummy key is used for testing.
   - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:

machines/fanny/configuration.nix

@@ -18,6 +18,7 @@ in
       inputs.self.nixosModules.malobeo.microvm
       inputs.self.nixosModules.malobeo.metrics
       inputs.self.nixosModules.malobeo.users
+      inputs.self.nixosModules.malobeo.backup
     ];
 
     virtualisation.vmVariantWithDisko = {
@@ -42,6 +43,11 @@ in
     cacheurl = "https://cache.dynamicdiscord.de";
   };
 
+  malobeo.backup = {
+    enable = true;
+    snapshots = [ "storage/encrypted" "zroot/encrypted/var" ];
+  };
+
   nix = {
     settings.experimental-features = [ "nix-command" "flakes" ];
     #always update microvms
@@ -53,6 +59,7 @@ in
   malobeo.users = {
     malobeo = true;
     admin = true;
+    backup = true;
   };
 
   malobeo.disks = {

machines/louise/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:
 
 {
   imports =
@@ -9,6 +9,7 @@
       ../modules/sshd.nix
       ../modules/minimal_tools.nix
       ../modules/autoupdate.nix
+      inputs.self.nixosModules.malobeo.printing
     ];
 
   malobeo.autoUpdate = {
@@ -50,6 +51,8 @@
   };
 
   services.printing.enable = true;
+  services.malobeo.printing.enable = true;
+
   services.printing.drivers = [
     (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
     pkgs.gutenprint

machines/modules/disko/default.nix

@@ -187,7 +187,6 @@ in
               postCreateHook = lib.mkIf cfg.encryption ''
                 zfs set keylocation="prompt" zroot/encrypted;
               '';
-
             };
             "encrypted/root" = {
               type = "zfs_fs";
@@ -245,16 +244,18 @@ in
               };
               # use this to read the key during boot
               postCreateHook = lib.mkIf cfg.encryption ''
-                zfs set keylocation="file:///root/secret.key" storage/encrypted;
+                zfs set keylocation="prompt" storage/encrypted;
               '';
             };
             "encrypted/data" = {
               type = "zfs_fs";
               mountpoint = "/data";
+              options.mountpoint = "legacy";
             };
             "encrypted/data/microvms" = {
               type = "zfs_fs";
               mountpoint = "/data/microvms";
+              options.mountpoint = "legacy";
             };
             reserved = {
               # for cow delete if pool is full
@@ -271,7 +272,7 @@ in
     };
 
     boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
-    boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
+
     fileSystems."/".neededForBoot = true;
     fileSystems."/etc".neededForBoot = true;
     fileSystems."/boot".neededForBoot = true;

machines/modules/host_builder.nix

@@ -133,6 +133,13 @@ rec {
           mountPoint = "/var";
           tag = "var";
         }
+      ] ++ pkgs.lib.optionals (options.dataPath != "") [
+        {
+          source = "${options.dataPath}";
+          securityModel = "mapped";
+          mountPoint = "/data";
+          tag = "data";
+        }
       ]);
 
       interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
@@ -195,8 +202,7 @@ rec {
 
   vmNestedMicroVMOverwrites = host: sopsDummy: {
 
-    services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
-    microvm.vms = 
+    microvm.vms = pkgs.lib.mkForce (
     let
       # Map the values to each hostname to then generate an Attrset using listToAttrs
       mapperFunc = name: { inherit name; value = {
@@ -210,20 +216,22 @@ rec {
             (vmMicroVMOverwrites name { 
               withNetworking = true; 
               varPath = ""; 
+              dataPath = "";
               writableStore = false; })
             (if sopsDummy then (vmSopsOverwrites name) else {})
           ]);
         };
       }; };
     in
-    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
+    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts));
   };
 
-  buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
+  buildVM = host: networking: sopsDummy: disableDisko: varPath: dataPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
       modules = [
           (vmMicroVMOverwrites host { 
             withNetworking = networking; 
             varPath = "${varPath}"; 
+            dataPath = "${dataPath}"; 
             writableStore = writableStore;
             fwdPort = fwdPort; })
           (if sopsDummy then (vmSopsOverwrites host) else {})

machines/modules/malobeo/backup.nix

@@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let 
+  cfg = config.malobeo.backup;
+  hostToCommand = (hostname: datasetNames: 
+    (map (dataset:  { 
+      name = "${hostname}_${dataset.sourceDataset}";
+      value = { 
+        inherit hostname; 
+        inherit (dataset) sourceDataset targetDataset;
+      }; 
+    } ) datasetNames));
+  peers = import ./peers.nix;
+
+  enableSnapshots = cfg.snapshots != null;
+  enableBackups = cfg.hosts != null;
+in
+{
+  options.malobeo.backup = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable sanoid/syncoid based backup functionality";
+    };
+
+    snapshots = mkOption {
+      type = types.nullOr (types.listOf types.str);
+      default = null;
+      description = "Automatic snapshots will be created for the given datasets";
+    };
+
+    hosts = mkOption {
+      default = null;
+      type = types.nullOr (types.attrsOf (types.listOf (types.submodule {
+        options = {
+          sourceDataset = mkOption {
+            type = types.str;
+            description = "The source that needs to be backed up";
+          };
+          targetDataset = mkOption {
+            type = types.str;
+            description = "The target dataset where the backup should be stored";
+          };
+        };
+      })));
+      description = ''
+          Hostname with list of datasets to backup. This option should be defined on hosts that will store backups.
+
+          It is necessary to add the machines that get backed up to known hosts.
+          This can be done for example systemwide using 
+          programs.ssh.knownHosts."10.100.0.101" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc";
+          Or set it for the syncoid user directly.
+        '';
+    };
+
+    sshKey = mkOption {
+      default = null;
+      type = types.nullOr types.str;
+      description = "Set path to ssh key used for pull backups. Otherwise default key is used";
+    };
+  };
+  
+  config = mkIf (cfg.enable) {
+    services.sanoid = mkIf (enableSnapshots) {
+      enable = true;
+  
+      templates."default" = {
+        hourly = 24;
+        daily = 30; #keep 30 daily snapshots
+        monthly = 6; #keep 6 monthly backups
+        yearly = 0;
+  
+        autosnap = true; #take snapshots automatically
+        autoprune = true; #delete old snapshots
+      };
+  
+      datasets = builtins.listToAttrs (map (name: { inherit name; value = {
+        useTemplate = [ "default" ];
+        recursive = true;
+      }; }) cfg.snapshots);
+    };
+
+    services.syncoid = mkIf (enableBackups) {
+      enable = true;
+      sshKey = cfg.sshKey;
+  
+      commonArgs = [
+        "--no-sync-snap"
+      ];
+  
+      interval = "*-*-* 04:15:00";
+  
+      commands = builtins.mapAttrs (name: value: {
+        source = "backup@${peers.${value.hostname}.address}:${value.sourceDataset}";
+        target = "${value.targetDataset}";
+        sendOptions = "w";
+        recvOptions = "\"\"";
+        recursive = true;
+      })(builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs hostToCommand cfg.hosts))));
+    };
+  };
+}

machines/modules/malobeo/initssh.nix

@@ -30,7 +30,9 @@ in
       loader.efi.canTouchEfiVariables = true;
       supportedFilesystems = [ "vfat" "zfs" ];
       zfs = {
+        forceImportAll = true;
         requestEncryptionCredentials = true;
+        
       };
       initrd = {
         availableKernelModules = cfg.ethernetDrivers;

machines/modules/malobeo/microvm_host.nix

@@ -102,6 +102,22 @@ in
           /run/current-system/sw/bin/microvm -Ru ${name}
         '';
       };
+
+      "microvm-init-dirs@${name}" = {
+        description = "Initialize microvm directories";
+        after = [ "zfs-mount.service" ];
+        wantedBy = [ "microvm@${name}.service" ];
+        unitConfig.ConditionPathExists = "!/var/lib/microvms/${name}/.is_initialized";
+        serviceConfig = {
+          Type = "oneshot";
+        };
+        script = ''
+          mkdir -p /var/lib/microvms/${name}/var
+          mkdir -p /var/lib/microvms/${name}/etc
+          mkdir -p /var/lib/microvms/data/${name}
+          touch /var/lib/microvms/${name}/.is_initialized
+        '';
+      };
     }) {} (cfg.deployHosts);
 
     systemd.timers = builtins.foldl' (timers: name: timers // {

machines/modules/malobeo/peers.nix

@@ -2,7 +2,7 @@
   "vpn" = {
     role = "server";
     publicIp = "5.9.153.217";
-    address = [ "10.100.0.1/24" ];
+    address = "10.100.0.1";
     allowedIPs = [ "10.100.0.0/24" ];
     listenPort = 51821;
     publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -11,36 +11,43 @@
 
   "celine" = {
     role = "client";
-    address = [ "10.100.0.2/24" ];
+    address = "10.100.0.2";
     allowedIPs = [ "10.100.0.2/32" ];
     publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
   };
 
   "desktop" = {
     role = "client";
-    address = [ "10.100.0.3/24" ];
+    address = "10.100.0.3";
     allowedIPs = [ "10.100.0.3/32" ];
     publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
   };
 
   "atlan-pc" = {
     role = "client";
-    address = [ "10.100.0.5/24" ];
+    address = "10.100.0.5";
     allowedIPs = [ "10.100.0.5/32" ];
     publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
   };
 
   "hetzner" = {
     role = "client";
-    address = [ "10.100.0.6/24" ];
+    address = "10.100.0.6";
     allowedIPs = [ "10.100.0.6/32" ];
     publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
   };
 
   "fanny" = {
     role = "client";
-    address = [ "10.100.0.101/24" ];
+    address = "10.100.0.101";
     allowedIPs = [ "10.100.0.101/32" ];
     publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
   };
+
+  "backup0" = {
+    role = "client";
+    address = "10.100.0.20";
+    allowedIPs = [ "10.100.0.20/32" ];
+    publicKey = "Pp55Jg//jREzHdbbIqTXc9N7rnLZIFw904qh6NLrACE=";
+  };
 }

machines/modules/malobeo/printing.nix

@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let 
+  cfg = config.services.malobeo.printing;
+  driverFile = pkgs.writeTextDir "share/cups/model/konicaminoltac258.ppd" (builtins.readFile ../KOC658UX.ppd);
+
+  defaultPpdOptions = {
+    PageSize = "A4";
+    SelectColor = "Grayscale";
+    Finisher = "FS534";
+    SaddleUnit = "SD511";
+    Model = "C258";
+    InputSlot = "Tray1";
+  };
+
+in
+{
+  options.services.malobeo.printing = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Setup malobeo printers";
+    };
+  };
+  
+  config = mkIf (cfg.enable) {
+    services.printing.enable = true;
+    services.printing.drivers = [
+      driverFile
+    ];
+
+    hardware.printers.ensurePrinters = [ {
+      name = "KonicaDefault";
+      model = "konicaminoltac258.ppd";
+      location = "Zine Workshop";
+      deviceUri = "ipp://192.168.1.42/ipp";
+      ppdOptions = defaultPpdOptions;
+    }
+    {
+      name = "KonicaBooklet";
+      model = "konicaminoltac258.ppd";
+      location = "Zine Workshop";
+      deviceUri = "ipp://192.168.1.42/ipp";
+      ppdOptions = defaultPpdOptions // {
+        Fold = "Stitch";
+        Staple = "None";
+      };
+    }
+  ];
+  };
+}

machines/modules/malobeo/users.nix

@@ -2,18 +2,24 @@
 let 
   cfg = config.malobeo.users;
   sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
+  inherit (config.networking) hostName; 
 in
 {
   options.malobeo.users = {
     malobeo = lib.mkOption {
       type = lib.types.bool;
       default = true;
-      description = "enable malobeo user, defaults to on";
+      description = "enable malobeo user, defaults to on, ";
     };
     admin = lib.mkOption {
       type = lib.types.bool;
       default = true;
-      description = "enable admin user, defaults to on to prevent lockouts";
+      description = "enable admin user, defaults to on to prevent lockouts, passwordless sudo access";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "enable backup user, ";
     };
   };
   config = lib.mkMerge [
@@ -32,6 +38,7 @@ in
         isNormalUser = true;
         description = "admin user, passwordless sudo access, only ssh";
         hashedPassword = null;
+        openssh.authorizedKeys.keys = sshKeys.admins;
         extraGroups = [ "networkmanager" ];
       };
       environment.systemPackages = with pkgs; [];
@@ -48,8 +55,39 @@ in
         }
       ];
     })
+    (lib.mkIf cfg.backup {
+      users.users.backup = {
+        isNormalUser = true;
+        hashedPassword = null;
+        openssh.authorizedKeys.keys = sshKeys.backup;
+        description = "backup user for pull style backups, can only use zfs commands";
+      };
+      environment.systemPackages = with pkgs; [];
+      security.sudo.extraRules = [
+        {
+          users = [ "backup" ];
+          commands = [
+            {
+              command = "/run/current-system/sw/bin/zfs";
+              options = [ "NOPASSWD" ];
+            }
+            {
+              command = "/run/current-system/sw/bin/zpool";
+              options = [ "NOPASSWD" ];
+            }
+          ];
+        }
+      ];
+    })
     {
       users.mutableUsers = false;
+      services.openssh.hostKeys = [
+        {
+          path = "/etc/ssh/${hostName}";
+          type = "ssh-ed25519"; 
+        }
+      ];
+      sops.age.sshKeyPaths = [ "/etc/ssh/${hostName}" ];
       environment.systemPackages = with pkgs; [
         nix-output-monitor
         vim
@@ -60,4 +98,4 @@ in
       ];
     }
   ];
-}
+}

machines/modules/malobeo/wireguard.nix

@@ -70,7 +70,7 @@ in
       interfaces = {
         malovpn = {
           mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
-          address = myPeer.address;
+          address = [ "${myPeer.address}/24" ];
           autostart = cfg.autostart;
           listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
 

machines/nextcloud/configuration.nix

@@ -33,7 +33,7 @@ with lib;
 
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud30;
+    package = pkgs.nextcloud31;
     hostName = "cloud.malobeo.org";
     config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
     #https = true; #disable for testing
@@ -47,21 +47,22 @@ with lib;
     };
     extraAppsEnable = true;
     extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls;
-      collectives = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
-        url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls registration collectives forms;
+      appointments = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
+        url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
         license = "agpl3Plus";
       };
     };
     settings = {
       trusted_domains = ["10.0.0.13"];
+      trusted_proxies = [ "10.0.0.1" ];
       "maintenance_window_start" = "1";
       "default_phone_region" = "DE";
     };
     phpOptions = {
       "realpath_cache_size" = "0";
-      "opcache.interned_strings_buffer" = "23";
+      "opcache.interned_strings_buffer" = "32";
     };
   };
 

machines/nextcloud/secrets.yaml

@@ -8,60 +8,60 @@ sops:
         - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cFBEempENHlXNnhNb1d5
-            UitGNFliTDliZUdCSVBPRUVEWDc1Skw3N2xvCkFoL01DL2ZmWHhoMHV4TGdhaFdH
-            bG9XdUQ4ano4VjRxVTloNnl4OHJ6dkkKLS0tIDJvK2ZjNVhYZ1FkQTVWWjBhSFlt
-            R1Ixc3pWNFMvUVl0M1NsZ0txRXFMTkkK5aDgbCd13gAfZUrROnwRHgyXvIF67o1W
-            EzEFyhWatq2KKzv6VoJSFnvEx5lMPSs0LLvOK2qgrsz0jWdy6yUkAg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPT3ZxNEpRVktDWG9BR0Rv
+            ZUZQTkJwQ0pSblNvTkFOT3BBdjVaSzJhVzBvCnVWc2xRUjBnRFFXSDgxczRMSFMy
+            WFdaMGo4eE13b0RkZkphN2MvOUZtRmcKLS0tIDFHZU9tNjBNa0sveUYzN2dmYnM1
+            aDd0UlpMR3RNd3BDMmhqNmxhTFRoUlkK6Pni+cswKIU94WkP/fg5fzSmx/fhXjjl
+            mRG2o4ALCqcOxAxHBrKJppUCLjUgKG53wPF/jlIzkvbwHwnqVMfYsQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk
+        - recipient: age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc3BSNVdqSTNYZSt4c05K
-            TnpuYXF1L2lzQkdZOS9uUnA5aUpGTldWZVQ0CkZvN2hubmwvUW5xUWhtaE0xMzlp
-            U3dpRHlmdU5UVG1nTS9XUVpTSjdQQ00KLS0tIC9sWTBOMStOYis1SDhLbjFlVk1F
-            M2dYNEpmWmxyeXU5S0FuV083NkVaQ3cKXuGyR0YQy+22z2kgM7IPhr0gurWQYczm
-            FA7C/2hoqb4tyyejomitndBSyxIxnaReO0Apl6JXeTLor8Dpuu42oQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK2o2K2tPTFcvbXRkZ0lq
+            bS9ZOUc3dG1JeERZYVNsc3k3RjcxQ0RsdkRJCkx1VFhBQXRDOElqakJ0eTd3NEJX
+            b0JxOUtSOGJWeXlqdE5DdC9qNHA2N1UKLS0tIEFiQ3ZQM0NOaXRhUHBjVFhRMFk4
+            VjBFeldXS1p0Zk1uSk02aHpJd3BPOHcKvCmnK/KttB4RgnID/fj2KOdjvNnV3EWU
+            B9mW4yxbEqhoxtu+GFD3eR/8SvMPEsHl9xorT/ZygMG7hAzedSukWw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-11-26T20:00:50Z"
     mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
     pgp:
-        - created_at: "2025-02-19T14:34:54Z"
+        - created_at: "2025-03-05T08:24:30Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQGMA5HdvEwzh/H7AQwAkNhF9L1ocTsJRDyIA+0y24gtvRKAZhSRwds2wvTiBkPS
-            jzse8z4wY2yWz/JbEgqJqeFxJCaE64oc+2dETJIl2IsiRBDlXKfpL4yfRV+P6Ffu
-            DQfAR57hKIYa9emx+iFGoDMpRSuuLg4EGDoe1tmAu2OwLhKsqJrbL1ak88GB7/ko
-            gFk02AF/QYuEetc7R0pZPxB6n1HQGBrvqAFrnHEsxw2rR7I4kNYpEzyf0IuGHfB1
-            92WfYtdYSni7cqmTPV+t+k6P1VcJe6GXdlQnHk2pByqC2WrcrP+MtaAMkmWqxU72
-            AGarWEV2bnXmBsM5LcOQF6Mbui9tpEBE0O3lMlzUNXoVYHpOczlqdWkqh/y3Ea8V
-            bnHcaLQ8XubRyccK4JYZ4AIMJVPlVcnXdjZ4VFJwjRzGrllorq4x8L0niv60HV/g
-            akxsjW1DPnJURNFacT3JYF+PsN+hpj/ma2k8qUTX5wFVJy3Gm0psVYqE5901ivBA
-            yg7mfiftchDvIeGQR8tE0lgBZrJbf/SjpVdawq7DORFVxkaNeoSAxOkCnqZ5kc7C
-            w6zfxABWvwz73QM0AqfNzjkyswGk7N/09Zpj4BvjbbYuAfvIdiVVDHRPez/qWjnB
-            vkt9aLXFepLl
-            =4LVt
+            hQGMA5HdvEwzh/H7AQv+Lr4ISzvM/IEkckNhOOYAeZ0XCJ3JviSwT5wh3nd5u7ZJ
+            tXdLgLwGvFs0gXBf/R2kAoyEMyFziP3dqehvrjwTipuj/5lLdw73X9kddGkGOeQK
+            EDq2+cW3ufuukpyRq+o4lJjMmbwQuqvhqeVOxohQ677e1Xy8q6DorfwOgEgHegK1
+            t1H/DlVHritv54mPjr9hx0fZ5Auow17wteKD71KD/Y4s9JNB0DghcHAGiwYZzL7U
+            aFBY0itZyeJwH7rmFJDTQ+N+595t8dguTS/V1J0SKrIynMXVgTo6dpX10lSRubYe
+            9TQRMO3bmnsdPlmVJ7SlCkcc8blpHSgeQYdaZgPjDmbs+cuAkUMBnR/aEFXIX5IC
+            lohDRX5Vd7dUfVl5CiPNbG8hnvcp2lg7CUBV46fVQ5ZJ73jW1+1Bk3hxGdLklLlF
+            N3hLzBBUpF8U0mvGMXJYX2gQKivRurIoLHZgmjQTjhA1uBfhTI3ktyLABz04dt7I
+            OQYOlpsAZ/qnxbt+37LD0lgBz5XoHDuGNS2nnVQnuvtzt69GDP8mR1QXnhZedTrM
+            kDxxTXV7tMIbqw55tr+qVVG4H8QGy1xat3LSTIxoMmz0MmkyjQhApPN2ipwjyNof
+            X0Aw9hmAZV52
+            =A/yB
             -----END PGP MESSAGE-----
           fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2025-02-19T14:34:54Z"
+        - created_at: "2025-03-05T08:24:30Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA98TrrsQEbXUARAAmoHJ3i2vABDamIF3Nj6uuawarW+KKjzrIfYvAmWW4fgz
-            zVAquTl1Oculhv+H4eVuylNUM5kwyCkM/VAxy3KoSNZn6aGZVDuns70r9lbNC1R8
-            +diYAIe33rE3h6/Rw74RgOXUgNalONeoBWbIUuG+y9XOIfu7CBoUeGJct4ycYH0h
-            bn5iI0e4myDldmSc7OYnyruQMYg9OcKBnQPTZl1qzTqpwR6/BnIhWJcItuc3W5rv
-            aEunQ8lVyNxhGWMDwFucUJ2WbxkOFOFWPrLGXtsUg/I32aCUNR6X/HnYUezqCoSA
-            SFJAsaPkBr07o5Be5D03m0s5ryktQUdAElyDaz2Sgc58re9mtYKBAf4P4fKD5Zx+
-            TJJGr6dmtb28Nxb5mbMroKbTit92NHHatXfz/YrZ1JyCHuINZ5Sq01TGhx6y71Uj
-            0Afq3S2la+85UYRsQ5g9q6jM8rBHjm9AdcUkWA1chtn6elAUG8J0B+DUYYwcrMtp
-            YWFaKNHT09FRn4TcgE50Wgn9lX2RZ03viBbgCvDBLh3fmzl+dU1DsFdwuYmbgOeO
-            B6SQ2+SF3VVR7vAn4oPKydztCfYmb+38sCQl/FtZdP1RRW150fXtUx7aAzWGsLhq
-            AObrNp0uMeCBHtpWctwFR1qssfRD3DHkI59MqoGK7ehDtBS6hzayjJp8sTiqCTzS
-            WAH/vMH2cvGN3q9mr73bBqHBxAL+ANWxrDvQmM4xwbLxET24ULnsC35bn4psWjTN
-            Y3aQqzhaZdYOki09fLENaYl6BMeIcfBx4qUrgfQKLUNqGV5fvVuXJUc=
-            =/V5O
+            hQIMA98TrrsQEbXUAQ//UtocoQPpMZL71RyjSnJFZq1NT4H5KxbcvQb4LtPBbanK
+            /gPja40wOWXy/3plCHuZYQ/mR69k9URgwD6/0RSSmCCuVp/+FPbK3UbMYyTOtYBr
+            wKnq9eRP8URK6LINJMcNHzfQtgvTcBclJSY1kLfUVjl2RV2NqXVa6+B1sHJdse8A
+            5NyJ/VNRRrNDtNnmIaIHPFUBySVKLqiXeex4gFNy02IcwwSiFZnBt/ReaFjZQTGE
+            TKfyohQF4V4/e35wvhbqWSFYZmWHCwW94gnwTwnlEO/H/NvbNUNDSYL6WwrIFF7+
+            h/tP7nWbBxNqSByHGQuJnKSysndwUuSMuH+uj+uYdJDn1L1VEoErfAZcRSsDAz1Z
+            BVkEaPJM6ZmRM48up5eHQtPG2rklmoFw/O/bPd9QUWJ/ZRu2gcY8aLGczHygaq6W
+            gvZTCPrke7XZTd9S3mAcdlJ2iAYuKY4AmGqfmXbd7mRZXP3DQkRaA/IwCCNJVmhX
+            um5MbCa17I9Uwh58NBmDuejLcmJDWL5jLmN6S86t3k3jKxwaX56SRwAD92klMdQq
+            8UX2dkUkwnnI+YjfOEeLGDAT655TsejpE97JKjI/m39Pwnn+MrDEfNDHhfjX+9QC
+            5k+fiP7yWc7hG3A7jt5vEadazPgDeqy0q7jbmTPtmdieqBs71P3j19l3VKAU8ZnS
+            WAGz21MFYjhESmU7fqhTyVE9Dsd4GqyB+ZSa8hHj2ISaOi0QQ9JXjjtQhkDGlsB4
+            /PrjZhyqd62wHS075YV1B9YqOhC1nAkC+s9mj9CrWIeH2JMOSK9EUyI=
+            =5u7o
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
     unencrypted_suffix: _unencrypted

machines/ssh_keys.nix

@@ -5,4 +5,8 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
  ];
+ backup = [
+  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIGryhnXdmbGObONG88K+c9zeduMrwtoLHwzMDZg3UXB+Cnq2FXWOrlLZxA+95VUgHpyGZiykJmzeWrKhldDlDeGGd8QCCLeuliiOgXADTYjWaVfhd+6arPZrK2VtqqsguvH40gW1xfoGAOmAT4WFnxWxIaEip0V2u6NOoKTiH9I3bz2Qe4lfJvPXig+XwCXcukXd6XUkDFYDpiw8XNV3X7pqTus5d2RYR97bAhIYZZQ6h50ZpTY8N0lFh4RY5yfx8BhxJW3tfoi9uZvVuPx7dGPsZsSniENFPMNz3UwHGitTJMr4088cJrAGgd5lyFuLouiHiM2JMGA0wx9wWTbWJEwTLaTVQK9gSJf857ndV2zCh9vKlfko4w9bQgqxKg4U/mY8dXX1E7D51nD2ci8Ed+ZG+NEneFLyZhLsD82GkBY+YovA+4xm/pcx+hBhlyqGNxI8v+Jh+JhEyD/ZLgJfq3ZMbGIGsTiDwZ2flLLxImHHEoDoT6PHU6hDhPDJu560="
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJKl5FWPskhlnzJs1+mMYrVTMNnRG92uFKUgGlteTPhL"
+ ];
 }

machines/testvm/configuration.nix

@@ -24,7 +24,7 @@ in
 
   malobeo.disks = {
     enable = true;
-    encryption = true;
+    encryption = false;
     hostId = "83abc8cb";
     devNodes = "/dev/disk/by-path/";
     root = {

outputs.nix

@@ -116,6 +116,8 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
       metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
       disko.imports = [ ./machines/modules/disko ];
       users.imports = [ ./machines/modules/malobeo/users.nix ];
+      backup.imports = [ ./machines/modules/malobeo/backup.nix ];
+      printing.imports = [ ./machines/modules/malobeo/printing.nix ];
     };
 
     hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (

scripts/remote-install-encrypt.sh

@@ -40,15 +40,13 @@ trap cleanup EXIT
 
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
-install -d -m755 "$temp/root/"
 
 diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
-echo "$diskKey" > $temp/root/secret.key
 
 sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
 
-sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
+sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"

scripts/run-vm.sh

@@ -6,6 +6,7 @@ usage() {
     echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
     echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
     echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
+    echo "--data path to directory that should be shared as /data"
     echo "--fwd-port forwards the given port to port 80 on vm"
     exit 1
 }
@@ -23,6 +24,7 @@ DUMMY_SECRETS=false
 NO_DISKO=false
 RW_STORE=false
 VAR_PATH=""
+DATA_PATH=""
 FWD_PORT=0
 
 # check argws
@@ -42,6 +44,15 @@ while [[ "$#" -gt 0 ]]; do
               usage
           fi
           ;;
+        --data) 
+          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+              DATA_PATH="$2"
+              shift
+          else
+              echo "Error: --data requires a non-empty string argument."
+              usage
+          fi
+          ;;
         --fwd-port) 
           if [[ -n "$2" && ! "$2" =~ ^- ]]; then
               FWD_PORT="$2"
@@ -64,4 +75,8 @@ if [ -n "$VAR_PATH" ]; then
   echo "sharing var directory: $VAR_PATH"
 fi
 
-nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
+if [ -n "$DATA_PATH" ]; then
+  echo "sharing data directory: $DATA_PATH"
+fi
+
+nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" \"$DATA_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"

scripts/unlock-boot.sh

@@ -25,11 +25,13 @@ echo
 if [ $# = 1 ]
     then
     echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
 
 elif [ $# = 2 ]
     then
     ip=$2
     echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
     
 else
     echo