[user module] add backup usr

2025-03-11 18:14:00 +01:00
38 changed files with 198 additions and 5697 deletions
--- a/doc/src/SUMMARY.md
+++ b/doc/src/SUMMARY.md
@@ -21,4 +21,3 @@
        - [Updates](./anleitung/updates.md)
        - [Rollbacks](./anleitung/rollback.md)
        - [MicroVM](./anleitung/microvm.md)
        - [Update Nextcloud](./anleitung/update_nextcloud.md)
--- a/doc/src/anleitung/create.md
+++ b/doc/src/anleitung/create.md
@@ -1,19 +1,47 @@
-# Create host with nixos-anywhere
+# Create host with disko-install
-We use a nixos-anywhere wrapper script to deploy new hosts.
+How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
-The wrapper script takes care of copying persistent host keys before calling nixos-anywhere.
+---
-
+Here are the exact steps to get bakunin running:  
-To accomplish that boot the host from a nixos image and setup a root password.
+First create machines/hostname/configuration.nix  
 Add hosts nixosConfiguration in machines/configurations.nix  
 Boot nixos installer on the Machine.  
 ``` bash
-sudo su
+# establish network connection
-passwd
+wpa_passphrase "network" "password" > wpa.conf
-```
+wpa_supplicant -B -i wlp3s0 -c wpa.conf
 ping 8.8.8.8
 # if that works continue
-After that get the hosts ip using `ip a` and start deployment from your own machine:
+# generate a base hardware config
 nixos-generate-config --root /tmp/config --no-filesystems
-``` bash
+# get the infra repo
-# from infrastrucutre repository root dir:
+nix-shell -p git
-nix develop .#
+git clone https://git.dynamicdiscord.de/kalipso/infrastructure
-remote-install hostname 10.0.42.23
+cd infrastructure
 # add the new generated hardware config (and import in hosts configuration.nix)
 cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
 # check which harddrive we want to install the system on
 lsblk #choose harddrive, in this case /dev/sda
 # run nixos-install on that harddrive
 sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
 # this failed with out of memory
 # running again showed: no disk left on device
 # it seems the usb stick i used for flashing is way to small
 # it is only 
 # with a bigger one (more than 8 gig i guess) it should work
 # instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
 # for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
 sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
 # failed with no space left on device.
 # problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
 # it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
 ```
 # Testing Disko
@@ -21,3 +49,18 @@ Testing disko partitioning is working quite well. Just run the following and che
 ```bash
 nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
 ```
 Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
 ```nix
 datasets = {
  encrypted = {
    options = {
      encryption = "aes-256-gcm"; #THIS ONE
      keyformat = "passphrase"; #THIS ONE
      keylocation = "file:///tmp/root.key"; #THIS ONE
    };
    # use this to read the key during boot
     postCreateHook = '' #THIS ONE 
       zfs set keylocation="prompt" "zroot/$name"; #THIS ONE 
     ''; #THIS ONE 
 ```
--- a/doc/src/anleitung/update_nextcloud.md
+++ b/doc/src/anleitung/update_nextcloud.md
@@ -1,16 +0,0 @@
 ### Updating nextcloud
 ## Updating the draggable patch
 The draggable patch is a one line patch found in the deck repo under `src/components/cards/CardItem.vue`   
 Direct link: https://git.dynamicdiscord.de/ahtlon/deck/commit/77cbcf42ca80dd32e450839f02faca2e5fed3761   
 The easiest way to apply is
 1. Sync the repo with remote https://github.com/nextcloud/deck/tree/main
 2. Checkout the stable branch for the nextcloud version you need
  - example `git checkout stable31`
 3. Apply the patch using `git cherry-pick bac32ace61e7e1e01168f9220cee1d24ce576d5e`
 4. Start a nix-shell with `nix-shell -p gnumake krankerl php84Packages.composer php nodejs_24`
 5. run `krankerl package`
 6. upload the archive at "./build/artifacts/deck.tar.gz" to a file storage (ask Ahtlon for access to the storj s3 or use own)
 7. Change url and sha in the nextcloud configuration.nix `deck = pkgs.fetchNextcloudApp {};`
--- a/doc/src/anleitung/updates.md
+++ b/doc/src/anleitung/updates.md
@@ -1,11 +1 @@
 # Updates
 ## Nextcloud
 Update nextcloud to a new major version:
 - create state directories: `mkdir /tmp/var /tmp/data`
 - run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`
 - Update lock file `nix flake update --commit-lock-file`
 - Change services.nextcloud.package to the next version (do not skip major version upgrades)
 - change custom `extraApps` to the new version
 - TEST!
 - run vm again, it should successfully upgrade nextcloud from old to new version
 - run vm state dirs to initialize state `sudo run-vm nextcloud --dummy-secrets --networking --var /tmp/var --data /tmp/data`
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1746728054,
+        "lastModified": 1736864502,
-        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "ff442f5d1425feb86344c028298548024f21256d",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
        "type": "github"
      },
      "original": {
@@ -67,16 +67,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1763992789,
+        "lastModified": 1736373539,
-        "narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=",
+        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3",
+        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "release-24.11",
        "repo": "home-manager",
        "type": "github"
      }
@@ -109,11 +109,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1764549796,
+        "lastModified": 1739104176,
-        "narHash": "sha256-Mswg665P92EoHkBwCwPr/7bdnj04g2Qfb+t02ZEYTHA=",
+        "narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "030d055e877cc13d7525b39f434150226d5e4482",
+        "rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2",
        "type": "github"
      },
      "original": {
@@ -145,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764234087,
+        "lastModified": 1737057290,
-        "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
+        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
+        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
        "type": "github"
      },
      "original": {
@@ -160,11 +160,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1764440730,
+        "lastModified": 1738816619,
-        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
+        "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
+        "rev": "2eccff41bab80839b1d25b303b53d339fbb07087",
        "type": "github"
      },
      "original": {
@@ -192,11 +192,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1764517877,
+        "lastModified": 1739020877,
-        "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
+        "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
+        "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
        "type": "github"
      },
      "original": {
@@ -208,16 +208,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1764522689,
+        "lastModified": 1739206421,
-        "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
+        "narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
+        "rev": "44534bc021b85c8d78e465021e21f33b856e2540",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-25.11",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -235,8 +235,7 @@
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix",
        "tasklist": "tasklist",
-        "utils": "utils_3",
+        "utils": "utils_3"
        "zineshop": "zineshop"
      }
    },
    "sops-nix": {
@@ -246,11 +245,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764483358,
+        "lastModified": 1739262228,
-        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
+        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
+        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
        "type": "github"
      },
      "original": {
@@ -262,11 +261,11 @@
    "spectrum": {
      "flake": false,
      "locked": {
-        "lastModified": 1759482047,
+        "lastModified": 1733308308,
-        "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
+        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
        "ref": "refs/heads/main",
-        "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
+        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
-        "revCount": 996,
+        "revCount": 792,
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      },
@@ -335,21 +334,6 @@
        "type": "github"
      }
    },
    "systems_5": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tasklist": {
      "inputs": {
        "nixpkgs": [
@@ -357,11 +341,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1760981884,
+        "lastModified": 1737548421,
-        "narHash": "sha256-ASFWbOhuB6i3AKze5sHCvTM+nqHIuUEZy9MGiTcdZxA=",
+        "narHash": "sha256-gmlqJdC+v86vXc2yMhiza1mvsqh3vMfrEsiw+tV5MXg=",
        "ref": "refs/heads/master",
-        "rev": "b67eb2d778a34c0dceb91a236b390fe493aa3465",
+        "rev": "c5fff78c83959841ac724980a13597dcfa6dc26d",
-        "revCount": 32,
+        "revCount": 29,
        "type": "git",
        "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
      },
@@ -423,45 +407,6 @@
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "utils_4": {
      "inputs": {
        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "zineshop": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": "utils_4"
      },
      "locked": {
        "lastModified": 1764942243,
        "narHash": "sha256-P02Zm0VAON9SqRxqe6h5vfxgpCBYeiz5JPWGIn6KFFg=",
        "ref": "refs/heads/master",
        "rev": "f56b7eb6887b7e0fecae4a1f4c1311392eebad8d",
        "revCount": 156,
        "type": "git",
        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
      },
      "original": {
        "type": "git",
        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,7 @@
  inputs = {
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -22,11 +22,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    zineshop = {
      url = "git+https://git.dynamicdiscord.de/kalipso/zineshop";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ep3-bs = {
      url = "git+https://git.dynamicdiscord.de/kalipso/ep3-bs.nix";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -38,7 +33,7 @@
    };
    home-manager=  {
-      url = "github:nix-community/home-manager/release-25.05";
+      url = "github:nix-community/home-manager/release-24.11";
      inputs = {
        nixpkgs.follows = "nixpkgs";
      };
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -8,12 +8,12 @@ keys:
  - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
  - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
  - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
-  - &machine_durruti age1tc6aqmcl74du56d04wsz6mzp83n9990krzu4kuam2jqu8fx6kqpq038xuz
+  - &machine_durruti age1arwef7t65lz40lxhs5svyzentskjzam3e0e0yxen872vwy6v234s9uftvr
-  - &machine_infradocs age1tesz7xnnq9e58n5qwjctty0lw86gzdzd5ke65mxl8znyasx3nalqe4x6yy
+  - &machine_infradocs age15rqsygf7yfe6pv6t4c6c9jc6yk4vu5grmmcu7sexvqfw8763mf2q6qw50h
-  - &machine_overwatch age1hq75x3dpnfqat9sgtfjf8lep49qvkdgza3xwp7ugft3kd74pdfnqfsmmdn
+  - &machine_overwatch age1075ep3sl5ztshnq4jrygxqqqfts9wzk4gvvtwfjcep5ke8nzqs5sxtw7vd
  - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
  - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
-  - &machine_nextcloud age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
+  - &machine_nextcloud age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk
  #this dummy key is used for testing.
  - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -48,12 +48,12 @@ in
      firefox
      thunderbird
      telegram-desktop
-      tor-browser
+      tor-browser-bundle-bin
      keepassxc
      libreoffice
      gimp
      inkscape
-      kdePackages.okular
+      okular
      element-desktop
      chromium
      mpv
--- a/machines/durruti/host_config.nix
+++ b/machines/durruti/host_config.nix
@@ -49,10 +49,6 @@ in
      locations."/" = {
        proxyPass = "http://10.0.0.10";
        extraConfig = ''
          client_max_body_size 10G;
          client_body_timeout 3600s;
          send_timeout 3600s;
          fastcgi_buffers 64 4K;
        '';
      };
    };
@@ -77,24 +73,6 @@ in
      };
    };
    services.nginx.virtualHosts."zines.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
      locations."/" = {
        proxyPass = "http://10.0.0.10";
        extraConfig = ''
          client_body_in_file_only clean;
          client_body_buffer_size 32K;
          client_max_body_size 50M;
          sendfile on;
          send_timeout 300s;
        '';
      };
    };
    services.nginx.virtualHosts."status.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -1,12 +1,10 @@
 { inputs, config, ... }:
 let
  sshKeys = import ../ssh_keys.nix;
  peers = import ../modules/malobeo/peers.nix;
 in
 {
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets.wg_private = {};
  sops.secrets.shop_auth = {};
  imports =
    [ # Include the results of the hardware scan.
@@ -20,7 +18,6 @@ in
      inputs.self.nixosModules.malobeo.microvm
      inputs.self.nixosModules.malobeo.metrics
      inputs.self.nixosModules.malobeo.users
      inputs.self.nixosModules.malobeo.backup
    ];
    virtualisation.vmVariantWithDisko = {
@@ -45,11 +42,6 @@ in
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  malobeo.backup = {
    enable = true;
    snapshots = [ "storage/encrypted" "zroot/encrypted/var" ];
  };
  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];
    #always update microvms
@@ -61,7 +53,6 @@ in
  malobeo.users = {
    malobeo = true;
    admin = true;
    backup = true;
  };
  malobeo.disks = {
@@ -86,42 +77,8 @@ in
    enable = true;
    authorizedKeys = sshKeys.admins;
    ethernetDrivers = ["r8169"];
    zfsExtraPools = [ "storage" ];
  };
  boot.initrd = {
    availableKernelModules = [ "wireguard" ];
    # postMountCommands = ''
    #   ip address flush dev wg-initrd
    #   ip link set dev wg-initrd down
    # '';
    systemd = {
      enable = true;
      network = {
        enable = true;
        netdevs."30-wg-initrd" = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg-initrd";
          };
          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
          wireguardPeers = [{
            AllowedIPs = peers.vpn.allowedIPs;
            PublicKey = peers.vpn.publicKey;
            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
            PersistentKeepalive = 25;
          }];
        };
        networks."30-wg-initrd" = {
          name = "wg-initrd";
          addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
        };
      };
    };
  };
  boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
  services.malobeo.vpn = {
    enable = true;
    name = "fanny";
@@ -129,13 +86,7 @@ in
  };
  services.malobeo.microvm.enableHostBridge = true;
-  services.malobeo.microvm.deployHosts = [ 
+  services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ];
    "overwatch" 
    "infradocs" 
    "nextcloud" 
    "durruti" 
    "zineshop"
  ];
  networking = {
    nat = {
@@ -165,10 +116,6 @@ in
        proxyPass = "http://10.0.0.13";
        extraConfig = ''
          proxy_set_header Host $host;
          client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
          client_body_timeout 3600s;
          send_timeout 3600s;
          fastcgi_buffers 64 4K;
        '';
      };
    };
@@ -190,26 +137,6 @@ in
        '';
      };
    };
    virtualHosts."zines.malobeo.org" = {
      # created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo'
      # then content of foo.txt put into sops
      # basicAuthFile = config.sops.secrets.shop_auth.path;
      locations."/" = {
        proxyPass = "http://10.0.0.15:8080";
        extraConfig = ''
          proxy_set_header Host $host;
          client_body_in_file_only clean;
          client_body_buffer_size 32K;
          client_max_body_size 50M;
          sendfile on;
          send_timeout 300s;
        '';
      };
    };
  };
  services.tor = {
@@ -229,10 +156,5 @@ in
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "23.05"; # Do.. Not.. Change..
  sops.secrets.shop_auth = {
    owner = config.services.nginx.user;
    group = config.services.nginx.group;
  };
 }
--- a/machines/fanny/secrets.yaml
+++ b/machines/fanny/secrets.yaml
@@ -1,6 +1,4 @@
 wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
 shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str]
 shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -25,8 +23,8 @@ sops:
            QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP
            SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-14T10:34:55Z"
+    lastmodified: "2025-01-14T12:41:07Z"
-    mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str]
+    mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
    pgp:
        - created_at: "2025-02-11T18:32:49Z"
          enc: |-
@@ -67,4 +65,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.9.2
--- a/machines/hosts.nix
+++ b/machines/hosts.nix
@@ -67,14 +67,6 @@
        };
      };
      zineshop = {
        type = "microvm";
        network = {
          address = "10.0.0.15";
          mac = "D0:E5:CA:F0:D7:F1";
        };
      };
      testvm = {
        type = "host";
      };
--- a/machines/louise/configuration.nix
+++ b/machines/louise/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }:
+{ config, pkgs, ... }:
 {
  imports =
@@ -9,7 +9,6 @@
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
      inputs.self.nixosModules.malobeo.printing
    ];
  malobeo.autoUpdate = {
@@ -31,12 +30,12 @@
      firefox
      thunderbird
      telegram-desktop
-      tor-browser
+      tor-browser-bundle-bin
      keepassxc
      libreoffice
      gimp
      inkscape
-      kdePackages.okular
+      okular
      element-desktop
      chromium
      mpv
@@ -51,8 +50,6 @@
  };
  services.printing.enable = true;
  services.malobeo.printing.enable = true;
  services.printing.drivers = [
    (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
    pkgs.gutenprint
--- a/machines/lucia/configuration.nix
+++ b/machines/lucia/configuration.nix
@@ -35,7 +35,8 @@ in
  services = {
  dokuwiki.sites."wiki.malobeo.org" = {
-        #acl = "* @ALL 8";  # everyone can edit using this config
+    enable = true;
    #acl = "* @ALL 8";  # everyone can edit using this config
    # note there is a users file at
    # /var/lib/dokuwiki/<wiki-name>/users.auth.php
    # makes sense to edit it by hand
--- a/machines/modules/KOC658UX.ppd
+++ b/machines/modules/KOC658UX.ppd
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -187,6 +187,7 @@ in
              postCreateHook = lib.mkIf cfg.encryption ''
                zfs set keylocation="prompt" zroot/encrypted;
              '';
            };
            "encrypted/root" = {
              type = "zfs_fs";
@@ -244,18 +245,16 @@ in
              };
              # use this to read the key during boot
              postCreateHook = lib.mkIf cfg.encryption ''
-                zfs set keylocation="prompt" storage/encrypted;
+                zfs set keylocation="file:///root/secret.key" storage/encrypted;
              '';
            };
            "encrypted/data" = {
              type = "zfs_fs";
              mountpoint = "/data";
              options.mountpoint = "legacy";
            };
            "encrypted/data/microvms" = {
              type = "zfs_fs";
              mountpoint = "/data/microvms";
              options.mountpoint = "legacy";
            };
            reserved = {
              # for cow delete if pool is full
@@ -272,7 +271,7 @@ in
    };
    boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
-
+    boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
    fileSystems."/".neededForBoot = true;
    fileSystems."/etc".neededForBoot = true;
    fileSystems."/boot".neededForBoot = true;
--- a/machines/modules/host_builder.nix
+++ b/machines/modules/host_builder.nix
@@ -133,13 +133,6 @@ rec {
          mountPoint = "/var";
          tag = "var";
        }
      ] ++ pkgs.lib.optionals (options.dataPath != "") [
        {
          source = "${options.dataPath}";
          securityModel = "mapped";
          mountPoint = "/data";
          tag = "data";
        }
      ]);
      interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
@@ -202,7 +195,8 @@ rec {
  vmNestedMicroVMOverwrites = host: sopsDummy: {
-    microvm.vms = pkgs.lib.mkForce (
+    services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
    microvm.vms = 
    let
      # Map the values to each hostname to then generate an Attrset using listToAttrs
      mapperFunc = name: { inherit name; value = {
@@ -216,22 +210,20 @@ rec {
            (vmMicroVMOverwrites name { 
              withNetworking = true; 
              varPath = ""; 
              dataPath = "";
              writableStore = false; })
            (if sopsDummy then (vmSopsOverwrites name) else {})
          ]);
        };
      }; };
    in
-    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts));
+    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
  };
-  buildVM = host: networking: sopsDummy: disableDisko: varPath: dataPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
+  buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
      modules = [
          (vmMicroVMOverwrites host { 
            withNetworking = networking; 
            varPath = "${varPath}"; 
            dataPath = "${dataPath}"; 
            writableStore = writableStore;
            fwdPort = fwdPort; })
          (if sopsDummy then (vmSopsOverwrites host) else {})
--- a/machines/modules/malobeo/backup.nix
+++ b/machines/modules/malobeo/backup.nix
@@ -1,102 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let 
  cfg = config.malobeo.backup;
  hostToCommand = (hostname: datasetNames: 
    (map (dataset:  { 
      name = "${hostname}_${dataset.sourceDataset}";
      value = { 
        inherit hostname; 
        inherit (dataset) sourceDataset targetDataset;
      }; 
    } ) datasetNames));
  peers = import ./peers.nix;
  enableSnapshots = cfg.snapshots != null;
  enableBackups = cfg.hosts != null;
 in
 {
  options.malobeo.backup = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable sanoid/syncoid based backup functionality";
    };
    snapshots = mkOption {
      type = types.nullOr (types.listOf types.str);
      default = null;
      description = "Automatic snapshots will be created for the given datasets";
    };
    hosts = mkOption {
      default = null;
      type = types.nullOr (types.attrsOf (types.listOf (types.submodule {
        options = {
          sourceDataset = mkOption {
            type = types.str;
            description = "The source that needs to be backed up";
          };
          targetDataset = mkOption {
            type = types.str;
            description = "The target dataset where the backup should be stored";
          };
        };
      })));
      description = ''
          Hostname with list of datasets to backup. This option should be defined on hosts that will store backups.
          It is necessary to add the machines that get backed up to known hosts.
          This can be done for example systemwide using 
          programs.ssh.knownHosts."10.100.0.101" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc";
          Or set it for the syncoid user directly.
        '';
    };
    sshKey = mkOption {
      default = null;
      type = types.nullOr types.str;
      description = "Set path to ssh key used for pull backups. Otherwise default key is used";
    };
  };
  config = mkIf (cfg.enable) {
    services.sanoid = mkIf (enableSnapshots) {
      enable = true;
      templates."default" = {
        hourly = 24;
        daily = 30; #keep 30 daily snapshots
        monthly = 6; #keep 6 monthly backups
        yearly = 0;
        autosnap = true; #take snapshots automatically
        autoprune = true; #delete old snapshots
      };
      datasets = builtins.listToAttrs (map (name: { inherit name; value = {
        useTemplate = [ "default" ];
        recursive = true;
      }; }) cfg.snapshots);
    };
    services.syncoid = mkIf (enableBackups) {
      enable = true;
      sshKey = cfg.sshKey;
      commonArgs = [
        "--no-sync-snap"
      ];
      interval = "*-*-* 04:15:00";
      commands = builtins.mapAttrs (name: value: {
        source = "backup@${peers.${value.hostname}.address}:${value.sourceDataset}";
        target = "${value.targetDataset}";
        sendOptions = "w";
        recvOptions = "\"\"";
        recursive = true;
      })(builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs hostToCommand cfg.hosts))));
    };
  };
 }
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -22,11 +22,6 @@ in
      description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
      example = "r8169";
    };
    zfsExtraPools = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
    };
  };
  config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
@@ -35,45 +30,35 @@ in
      loader.efi.canTouchEfiVariables = true;
      supportedFilesystems = [ "vfat" "zfs" ];
      zfs = {
        forceImportAll = true;
        requestEncryptionCredentials = true;
        extraPools = cfg.zfsExtraPools;
      };
      initrd = {
        availableKernelModules = cfg.ethernetDrivers;
        systemd = {
          initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ]; 
          enable = true;
          network.enable = true;
          services."stopInitVpn" = {
            description = "stop init vpn";
            wantedBy = [
              "initrd.target"
            ];
            after = [
              "zfs.target"
            ];
            serviceConfig.StandardOutput = "journal+console";
            script = ''
              networkctl down wg-initrd
            '';
            serviceConfig.Type = "oneshot";
      };
        };
-        network = {
+        network.ssh = {
-          flushBeforeStage2 = true;
+          enable = true;
-          ssh = {
+          port = 222;
-            enable = true;
+          authorizedKeys = cfg.authorizedKeys;
-            port = 222;
+          hostKeys = [ "/etc/ssh/initrd" ];
            authorizedKeys = cfg.authorizedKeys;
            hostKeys = [ "/etc/ssh/initrd" ];
          };
        };
        secrets = {
          "/etc/ssh/initrd" = "/etc/ssh/initrd";
        };
        systemd.services.zfs-remote-unlock = {
          description = "Prepare for ZFS remote unlock";
          wantedBy = ["initrd.target"];
          after = ["systemd-networkd.service"];
          path = with pkgs; [ zfs ];
          serviceConfig.Type = "oneshot";
          script = ''
            echo "systemctl default" >> /var/empty/.profile
          '';
        };
      };
      kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
    };
  };
-}
+}
--- a/machines/modules/malobeo/microvm_host.nix
+++ b/machines/modules/malobeo/microvm_host.nix
@@ -62,7 +62,7 @@ in
        addresses = if cfg.enableHostBridgeUnstable then [
          { Address = "10.0.0.1/24"; }
        ] else [
-          { Address = "10.0.0.1/24"; }
+          { addressConfig.Address = "10.0.0.1/24"; }
        ];
      };
@@ -102,22 +102,6 @@ in
          /run/current-system/sw/bin/microvm -Ru ${name}
        '';
      };
      "microvm-init-dirs@${name}" = {
        description = "Initialize microvm directories";
        after = [ "zfs-mount.service" ];
        wantedBy = [ "microvm@${name}.service" ];
        unitConfig.ConditionPathExists = "!/var/lib/microvms/${name}/.is_initialized";
        serviceConfig = {
          Type = "oneshot";
        };
        script = ''
          mkdir -p /var/lib/microvms/${name}/var
          mkdir -p /var/lib/microvms/${name}/etc
          mkdir -p /var/lib/microvms/data/${name}
          touch /var/lib/microvms/${name}/.is_initialized
        '';
      };
    }) {} (cfg.deployHosts);
    systemd.timers = builtins.foldl' (timers: name: timers // {
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -2,7 +2,7 @@
  "vpn" = {
    role = "server";
    publicIp = "5.9.153.217";
-    address = "10.100.0.1";
+    address = [ "10.100.0.1/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    listenPort = 51821;
    publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -11,51 +11,36 @@
  "celine" = {
    role = "client";
-    address = "10.100.0.2";
+    address = [ "10.100.0.2/24" ];
    allowedIPs = [ "10.100.0.2/32" ];
    publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
  };
  "desktop" = {
    role = "client";
-    address = "10.100.0.3";
+    address = [ "10.100.0.3/24" ];
    allowedIPs = [ "10.100.0.3/32" ];
    publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
  };
  "atlan-pc" = {
    role = "client";
-    address = "10.100.0.5";
+    address = [ "10.100.0.5/24" ];
    allowedIPs = [ "10.100.0.5/32" ];
    publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
  };
  "hetzner" = {
    role = "client";
-    address = "10.100.0.6";
+    address = [ "10.100.0.6/24" ];
    allowedIPs = [ "10.100.0.6/32" ];
    publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
  };
  "fanny" = {
    role = "client";
-    address = "10.100.0.101";
+    address = [ "10.100.0.101/24" ];
    allowedIPs = [ "10.100.0.101/32" ];
    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
  };
  "fanny-initrd" = {
    role = "client";
    address = "10.100.0.102";
    allowedIPs = [ "10.100.0.102/32" ];
    #TODO: UPDATE
    publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
  };
  "backup0" = {
    role = "client";
    address = "10.100.0.20";
    allowedIPs = [ "10.100.0.20/32" ];
    publicKey = "Pp55Jg//jREzHdbbIqTXc9N7rnLZIFw904qh6NLrACE=";
  };
 }
--- a/machines/modules/malobeo/printing.nix
+++ b/machines/modules/malobeo/printing.nix
@@ -1,122 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let 
  cfg = config.services.malobeo.printing;
  driverFile = pkgs.writeTextDir "share/cups/model/konicaminoltac258.ppd" (builtins.readFile ../KOC658UX.ppd);
  defaultPpdOptions = {
    PageSize = "A4";
    SelectColor = "Grayscale";
    Finisher = "FS534";
    SaddleUnit = "SD511";
    Model = "C258";
    InputSlot = "Tray1";
    TextPureBlack = "On";
    PhotoPureBlack = "On";
    GraphicPureBlack = "On";
  };
 in
 {
  options.services.malobeo.printing = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Setup malobeo printers";
    };
  };
  config = mkIf (cfg.enable) {
    services.printing.enable = true;
    services.printing.drivers = [
      driverFile
    ];
    hardware.printers.ensurePrinters = [ 
      {
        name = "KonicaDefault";
        model = "konicaminoltac258.ppd";
        location = "Zine Workshop";
        deviceUri = "ipp://192.168.1.42/ipp";
        ppdOptions = defaultPpdOptions;
      }
      {
        name = "KonicaBooklet";
        model = "konicaminoltac258.ppd";
        location = "Zine Workshop";
        deviceUri = "ipp://192.168.1.42/ipp";
        ppdOptions = defaultPpdOptions // {
          Fold = "Stitch";
          Staple = "None";
        };
      }
      {
        name = "KonicaPostcard";
        model = "konicaminoltac258.ppd";
        location = "Zine Workshop";
        deviceUri = "ipp://192.168.1.42/ipp";
        ppdOptions = defaultPpdOptions // {
          Fold = "None";
          Staple = "None";
          InputSlot = "BypassTray";
          MediaType = "Thick4";
          KMDuplex = "1Sided";
        };
      }
    ];
  };
 }
 /*
 ALL AVAILABE OPTIONS:
 PaperSources/Paper Source Unit: *None LU207 LU302 PC110 PC114 PC115 PC110+LU302 PC115+LU207 PC115+LU302 PC210 PC214 PC215 PC210+LU302 PC215+LU207 PC215+LU302 PC410 PC414 PC415 PC410+LU302 PC415+LU207 PC415+LU302
 Finisher/Finisher: None FS533 *FS534 JS506 FS536 FS537 FS537+JS602
 KOPunch/Punch Unit: *None PK519 PK519-3 PK519-4 PK519-SWE4 PK520 PK520-3 PK520-4 PK520-SWE4 PK523 PK523-3 PK523-4 PK523-SWE4
 ZFoldPunch/Z-Fold Unit: *None ZU609
 CoverSheetFeeder/Post Inserter: *None PI507
 SaddleUnit/Saddle Kit: None *SD511 SD512
 PrinterHDD/Hard Disk: None *HDD
 AdvancedFunctionCover/Advanced Function(Cover Mode): *Disable Enable
 Model/Model: C658 C558 C458 C368 C308 *C258 C287 C227 C266 C226
 Collate/Collate: False *True
 InputSlot/Paper Tray: AutoSelect *Tray1 Tray2 Tray3 Tray4 LCT ManualFeed
 MediaType/Paper Type: *Plain Plain(2nd) Thick1 Thick1(2nd) Thick1Plus Thick1Plus(2nd) Thick2 Thick2(2nd) Thick3 Thick3(2nd) Thick4 Thick4(2nd) Thin Envelope Transparency Color SingleSidedOnly TAB Letterhead Special Recycled Recycled(2nd) User1 User1(2nd) User2 User2(2nd) User3 User3(2nd) User4 User4(2nd) User5 User5(2nd) User6 User6(2nd) PrinterDefault UserCustomType1 UserCustomType1(2nd) UserCustomType2 UserCustomType2(2nd) UserCustomType3 UserCustomType3(2nd) UserCustomType4 UserCustomType4(2nd) UserCustomType5 UserCustomType5(2nd) UserCustomType6 UserCustomType6(2nd) UserCustomType7 UserCustomType7(2nd) UserCustomType8 UserCustomType8(2nd) UserCustomType9 UserCustomType9(2nd) UserCustomType10 UserCustomType10(2nd) UserCustomType11 UserCustomType11(2nd) UserCustomType12 UserCustomType12(2nd) UserCustomType13 UserCustomType13(2nd) UserCustomType14 UserCustomType14(2nd) UserCustomType15 UserCustomType15(2nd) UserCustomType16 UserCustomType16(2nd) UserCustomType17 UserCustomType17(2nd) UserCustomType18 UserCustomType18(2nd) UserCustomType19 UserCustomType19(2nd)
 PageSize/Paper Size: A3 *A4 A5 A6 B4 B5 B6 SRA3 220mmx330mm 12x18 Tabloid Legal Letter Statement 8x13 8.5x13 8.5x13.5 8.25x13 8.125x13.25 Executive 8K 16K EnvISOB5 EnvC4 EnvC5 EnvC6 EnvChou3 EnvChou4 EnvYou3 EnvYou4 EnvKaku1 EnvKaku2 EnvKaku3 EnvDL EnvMonarch Env10 JapanesePostCard 4x6_PostCard A3Extra A4Extra A5Extra B4Extra B5Extra TabloidExtra LetterExtra StatementExtra LetterTab-F A4Tab-F
 Offset/Offset: *False True
 OutputBin/Output Tray: *Default Tray1 Tray2 Tray3 Tray4
 Binding/Binding Position: *LeftBinding TopBinding RightBinding
 KMDuplex/Print Type: 1Sided *2Sided
 Combination/Combination: *None Booklet
 Staple/Staple: *None 1StapleAuto(Left) 1StapleZeroLeft 1Staple(Right) 2Staples
 Punch/Punch: *None 2holes 3holes 4holes
 Fold/Fold: None *Stitch HalfFold TriFold ZFold1 ZFold2
 FrontCoverPage/Front Cover: None *Printed Blank
 FrontCoverTray/Front Cover Tray: None Tray1 Tray2 Tray3 Tray4 LCT *BypassTray
 BackCoverPage/Back Cover: *None Printed Blank
 BackCoverTray/Back Cover Tray: *None Tray1 Tray2 Tray3 Tray4 LCT BypassTray
 PIFrontCover/Front Cover from Post Inserter: *None PITray1 PITray2
 PIBackCover/Back Cover from Post Inserter: *None PITray1 PITray2
 TransparencyInterleave/Transparency Interleave: *None Blank
 OHPOpTray/Interleave Tray: *None Tray1 Tray2 Tray3 Tray4 LCT
 WaitMode/Output Method: *None ProofMode
 SelectColor/Select Color: Auto Color *Grayscale
 GlossyMode/Glossy Mode: *False True
 OriginalImageType/Color Settings: *Document Photo DTP Web CAD
 AutoTrapping/Auto Trapping: *False True
 BlackOverPrint/Black Over Print: *Off Text TextGraphic
 TextColorMatching/Color Matching (Text): *Auto Vivid Photo Colorimetric
 TextPureBlack/Pure Black (Text): *Auto Off On
 TextScreen/Screen (Text): *Auto Gradation Resolution HighResolution
 PhotoColorMatching/Color Matching (Photo): *Auto Vivid Photo Colorimetric
 PhotoPureBlack/Pure Black (Photo): *Auto Off On
 PhotoScreen/Screen (Photo): *Auto Gradation Resolution HighResolution
 PhotoSmoothing/Smoothing (Photo): *Auto None Dark Medium Light
 GraphicColorMatching/Color Matching (Graphic): *Auto Vivid Photo Colorimetric
 GraphicPureBlack/Pure Black (Graphic): *Auto Off On
 GraphicScreen/Screen (Graphic): *Auto Gradation Resolution HighResolution
 GraphicSmoothing/Smoothing (Graphic): *Auto None Dark Medium Light
 TonerSave/Toner Save: *False True
 String4Pt/Edge Enhancement: *False True
 */
--- a/machines/modules/malobeo/users.nix
+++ b/machines/modules/malobeo/users.nix
@@ -2,7 +2,6 @@
 let 
  cfg = config.malobeo.users;
  sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
  inherit (config.networking) hostName; 
 in
 {
  options.malobeo.users = {
@@ -38,7 +37,6 @@ in
        isNormalUser = true;
        description = "admin user, passwordless sudo access, only ssh";
        hashedPassword = null;
        openssh.authorizedKeys.keys = sshKeys.admins;
        extraGroups = [ "networkmanager" ];
      };
      environment.systemPackages = with pkgs; [];
@@ -68,11 +66,7 @@ in
          users = [ "backup" ];
          commands = [
            {
-              command = "/run/current-system/sw/bin/zfs";
+              command = "${pkgs.zfs-user}/bin/zfs";
              options = [ "NOPASSWD" ];
            }
            {
              command = "/run/current-system/sw/bin/zpool";
              options = [ "NOPASSWD" ];
            }
          ];
@@ -81,13 +75,6 @@ in
    })
    {
      users.mutableUsers = false;
      services.openssh.hostKeys = [
        {
          path = "/etc/ssh/${hostName}";
          type = "ssh-ed25519"; 
        }
      ];
      sops.age.sshKeyPaths = [ "/etc/ssh/${hostName}" ];
      environment.systemPackages = with pkgs; [
        nix-output-monitor
        vim
@@ -98,4 +85,4 @@ in
      ];
    }
  ];
-}
+}
--- a/machines/modules/malobeo/wireguard.nix
+++ b/machines/modules/malobeo/wireguard.nix
@@ -70,7 +70,7 @@ in
      interfaces = {
        malovpn = {
          mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
-          address = [ "${myPeer.address}/24" ];
+          address = myPeer.address;
          autostart = cfg.autostart;
          listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
--- a/machines/nextcloud/configuration.nix
+++ b/machines/nextcloud/configuration.nix
@@ -31,16 +31,12 @@ with lib;
    lokiHost = "10.0.0.14";
  };
  services.postgresqlBackup = {
    enable = true;
  };
  services.nextcloud = {
    enable = true;
-    package = pkgs.nextcloud32;
+    package = pkgs.nextcloud30;
    hostName = "cloud.malobeo.org";
    config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
-    maxUploadSize = "10G";
+    #https = true; #disable for testing
    datadir = "/data/services/nextcloud/";
    database.createLocally = true;
    config.dbtype = "pgsql";
@@ -51,22 +47,21 @@ with lib;
    };
    extraAppsEnable = true;
    extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls;
-      deck = pkgs.fetchNextcloudApp {
+      collectives = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-epjwIANb6vTNx9KqaG6jZc14YPoFMBTCj+/c9JHcWkA=";
+        sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
-        url = "https://link.storjshare.io/raw/jvrl62dakd6htpyxohjkiiqiw5ma/mal/deck32.tar.gz";
+        url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
        license = "agpl3Plus";
      };
    };
    settings = {
      trusted_domains = ["10.0.0.13"];
      trusted_proxies = [ "10.0.0.1" ];
      "maintenance_window_start" = "1";
      "default_phone_region" = "DE";
    };
    phpOptions = {
      "realpath_cache_size" = "0";
-      "opcache.interned_strings_buffer" = "32";
+      "opcache.interned_strings_buffer" = "23";
    };
  };
--- a/machines/nextcloud/secrets.yaml
+++ b/machines/nextcloud/secrets.yaml
@@ -8,60 +8,60 @@ sops:
        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPT3ZxNEpRVktDWG9BR0Rv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cFBEempENHlXNnhNb1d5
-            ZUZQTkJwQ0pSblNvTkFOT3BBdjVaSzJhVzBvCnVWc2xRUjBnRFFXSDgxczRMSFMy
+            UitGNFliTDliZUdCSVBPRUVEWDc1Skw3N2xvCkFoL01DL2ZmWHhoMHV4TGdhaFdH
-            WFdaMGo4eE13b0RkZkphN2MvOUZtRmcKLS0tIDFHZU9tNjBNa0sveUYzN2dmYnM1
+            bG9XdUQ4ano4VjRxVTloNnl4OHJ6dkkKLS0tIDJvK2ZjNVhYZ1FkQTVWWjBhSFlt
-            aDd0UlpMR3RNd3BDMmhqNmxhTFRoUlkK6Pni+cswKIU94WkP/fg5fzSmx/fhXjjl
+            R1Ixc3pWNFMvUVl0M1NsZ0txRXFMTkkK5aDgbCd13gAfZUrROnwRHgyXvIF67o1W
-            mRG2o4ALCqcOxAxHBrKJppUCLjUgKG53wPF/jlIzkvbwHwnqVMfYsQ==
+            EzEFyhWatq2KKzv6VoJSFnvEx5lMPSs0LLvOK2qgrsz0jWdy6yUkAg==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1g084sl230x94mkd2wq92s03mw0e8mnpjdjfx9uzaxw6psm8neyzqqwpnqe
+        - recipient: age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK2o2K2tPTFcvbXRkZ0lq
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc3BSNVdqSTNYZSt4c05K
-            bS9ZOUc3dG1JeERZYVNsc3k3RjcxQ0RsdkRJCkx1VFhBQXRDOElqakJ0eTd3NEJX
+            TnpuYXF1L2lzQkdZOS9uUnA5aUpGTldWZVQ0CkZvN2hubmwvUW5xUWhtaE0xMzlp
-            b0JxOUtSOGJWeXlqdE5DdC9qNHA2N1UKLS0tIEFiQ3ZQM0NOaXRhUHBjVFhRMFk4
+            U3dpRHlmdU5UVG1nTS9XUVpTSjdQQ00KLS0tIC9sWTBOMStOYis1SDhLbjFlVk1F
-            VjBFeldXS1p0Zk1uSk02aHpJd3BPOHcKvCmnK/KttB4RgnID/fj2KOdjvNnV3EWU
+            M2dYNEpmWmxyeXU5S0FuV083NkVaQ3cKXuGyR0YQy+22z2kgM7IPhr0gurWQYczm
-            B9mW4yxbEqhoxtu+GFD3eR/8SvMPEsHl9xorT/ZygMG7hAzedSukWw==
+            FA7C/2hoqb4tyyejomitndBSyxIxnaReO0Apl6JXeTLor8Dpuu42oQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-26T20:00:50Z"
    mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
    pgp:
-        - created_at: "2025-03-05T08:24:30Z"
+        - created_at: "2025-02-19T14:34:54Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQGMA5HdvEwzh/H7AQv+Lr4ISzvM/IEkckNhOOYAeZ0XCJ3JviSwT5wh3nd5u7ZJ
+            hQGMA5HdvEwzh/H7AQwAkNhF9L1ocTsJRDyIA+0y24gtvRKAZhSRwds2wvTiBkPS
-            tXdLgLwGvFs0gXBf/R2kAoyEMyFziP3dqehvrjwTipuj/5lLdw73X9kddGkGOeQK
+            jzse8z4wY2yWz/JbEgqJqeFxJCaE64oc+2dETJIl2IsiRBDlXKfpL4yfRV+P6Ffu
-            EDq2+cW3ufuukpyRq+o4lJjMmbwQuqvhqeVOxohQ677e1Xy8q6DorfwOgEgHegK1
+            DQfAR57hKIYa9emx+iFGoDMpRSuuLg4EGDoe1tmAu2OwLhKsqJrbL1ak88GB7/ko
-            t1H/DlVHritv54mPjr9hx0fZ5Auow17wteKD71KD/Y4s9JNB0DghcHAGiwYZzL7U
+            gFk02AF/QYuEetc7R0pZPxB6n1HQGBrvqAFrnHEsxw2rR7I4kNYpEzyf0IuGHfB1
-            aFBY0itZyeJwH7rmFJDTQ+N+595t8dguTS/V1J0SKrIynMXVgTo6dpX10lSRubYe
+            92WfYtdYSni7cqmTPV+t+k6P1VcJe6GXdlQnHk2pByqC2WrcrP+MtaAMkmWqxU72
-            9TQRMO3bmnsdPlmVJ7SlCkcc8blpHSgeQYdaZgPjDmbs+cuAkUMBnR/aEFXIX5IC
+            AGarWEV2bnXmBsM5LcOQF6Mbui9tpEBE0O3lMlzUNXoVYHpOczlqdWkqh/y3Ea8V
-            lohDRX5Vd7dUfVl5CiPNbG8hnvcp2lg7CUBV46fVQ5ZJ73jW1+1Bk3hxGdLklLlF
+            bnHcaLQ8XubRyccK4JYZ4AIMJVPlVcnXdjZ4VFJwjRzGrllorq4x8L0niv60HV/g
-            N3hLzBBUpF8U0mvGMXJYX2gQKivRurIoLHZgmjQTjhA1uBfhTI3ktyLABz04dt7I
+            akxsjW1DPnJURNFacT3JYF+PsN+hpj/ma2k8qUTX5wFVJy3Gm0psVYqE5901ivBA
-            OQYOlpsAZ/qnxbt+37LD0lgBz5XoHDuGNS2nnVQnuvtzt69GDP8mR1QXnhZedTrM
+            yg7mfiftchDvIeGQR8tE0lgBZrJbf/SjpVdawq7DORFVxkaNeoSAxOkCnqZ5kc7C
-            kDxxTXV7tMIbqw55tr+qVVG4H8QGy1xat3LSTIxoMmz0MmkyjQhApPN2ipwjyNof
+            w6zfxABWvwz73QM0AqfNzjkyswGk7N/09Zpj4BvjbbYuAfvIdiVVDHRPez/qWjnB
-            X0Aw9hmAZV52
+            vkt9aLXFepLl
-            =A/yB
+            =4LVt
            -----END PGP MESSAGE-----
          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2025-03-05T08:24:30Z"
+        - created_at: "2025-02-19T14:34:54Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA98TrrsQEbXUAQ//UtocoQPpMZL71RyjSnJFZq1NT4H5KxbcvQb4LtPBbanK
+            hQIMA98TrrsQEbXUARAAmoHJ3i2vABDamIF3Nj6uuawarW+KKjzrIfYvAmWW4fgz
-            /gPja40wOWXy/3plCHuZYQ/mR69k9URgwD6/0RSSmCCuVp/+FPbK3UbMYyTOtYBr
+            zVAquTl1Oculhv+H4eVuylNUM5kwyCkM/VAxy3KoSNZn6aGZVDuns70r9lbNC1R8
-            wKnq9eRP8URK6LINJMcNHzfQtgvTcBclJSY1kLfUVjl2RV2NqXVa6+B1sHJdse8A
+            +diYAIe33rE3h6/Rw74RgOXUgNalONeoBWbIUuG+y9XOIfu7CBoUeGJct4ycYH0h
-            5NyJ/VNRRrNDtNnmIaIHPFUBySVKLqiXeex4gFNy02IcwwSiFZnBt/ReaFjZQTGE
+            bn5iI0e4myDldmSc7OYnyruQMYg9OcKBnQPTZl1qzTqpwR6/BnIhWJcItuc3W5rv
-            TKfyohQF4V4/e35wvhbqWSFYZmWHCwW94gnwTwnlEO/H/NvbNUNDSYL6WwrIFF7+
+            aEunQ8lVyNxhGWMDwFucUJ2WbxkOFOFWPrLGXtsUg/I32aCUNR6X/HnYUezqCoSA
-            h/tP7nWbBxNqSByHGQuJnKSysndwUuSMuH+uj+uYdJDn1L1VEoErfAZcRSsDAz1Z
+            SFJAsaPkBr07o5Be5D03m0s5ryktQUdAElyDaz2Sgc58re9mtYKBAf4P4fKD5Zx+
-            BVkEaPJM6ZmRM48up5eHQtPG2rklmoFw/O/bPd9QUWJ/ZRu2gcY8aLGczHygaq6W
+            TJJGr6dmtb28Nxb5mbMroKbTit92NHHatXfz/YrZ1JyCHuINZ5Sq01TGhx6y71Uj
-            gvZTCPrke7XZTd9S3mAcdlJ2iAYuKY4AmGqfmXbd7mRZXP3DQkRaA/IwCCNJVmhX
+            0Afq3S2la+85UYRsQ5g9q6jM8rBHjm9AdcUkWA1chtn6elAUG8J0B+DUYYwcrMtp
-            um5MbCa17I9Uwh58NBmDuejLcmJDWL5jLmN6S86t3k3jKxwaX56SRwAD92klMdQq
+            YWFaKNHT09FRn4TcgE50Wgn9lX2RZ03viBbgCvDBLh3fmzl+dU1DsFdwuYmbgOeO
-            8UX2dkUkwnnI+YjfOEeLGDAT655TsejpE97JKjI/m39Pwnn+MrDEfNDHhfjX+9QC
+            B6SQ2+SF3VVR7vAn4oPKydztCfYmb+38sCQl/FtZdP1RRW150fXtUx7aAzWGsLhq
-            5k+fiP7yWc7hG3A7jt5vEadazPgDeqy0q7jbmTPtmdieqBs71P3j19l3VKAU8ZnS
+            AObrNp0uMeCBHtpWctwFR1qssfRD3DHkI59MqoGK7ehDtBS6hzayjJp8sTiqCTzS
-            WAGz21MFYjhESmU7fqhTyVE9Dsd4GqyB+ZSa8hHj2ISaOi0QQ9JXjjtQhkDGlsB4
+            WAH/vMH2cvGN3q9mr73bBqHBxAL+ANWxrDvQmM4xwbLxET24ULnsC35bn4psWjTN
-            /PrjZhyqd62wHS075YV1B9YqOhC1nAkC+s9mj9CrWIeH2JMOSK9EUyI=
+            Y3aQqzhaZdYOki09fLENaYl6BMeIcfBx4qUrgfQKLUNqGV5fvVuXJUc=
-            =5u7o
+            =/V5O
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
    unencrypted_suffix: _unencrypted
--- a/machines/overwatch/configuration.nix
+++ b/machines/overwatch/configuration.nix
@@ -12,7 +12,6 @@ with lib;
    self.nixosModules.malobeo.metrics
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    ./printer_module.nix
  ];
  networking.firewall.allowedTCPPorts = [ 80 3100 ];
@@ -67,9 +66,9 @@ with lib;
  services.nginx = {
    enable = true;
-    virtualHosts.${config.services.grafana.settings.server.domain} = {
+    virtualHosts.${config.services.grafana.domain} = {
      locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
          proxyWebsockets = true;
      extraConfig = ''
@@ -78,8 +77,6 @@ with lib;
    };
      };
  };
  printer_scraping.enable = true;
  services.prometheus = {
    enable = true;
@@ -92,12 +89,6 @@ with lib;
          targets = [ "127.0.0.1:9002" ];
        }];
      }
      {
        job_name = "printer";
        static_configs = [{
          targets = [ "127.0.0.1:9091" ];
        }];
      }
      {
        job_name = "durruti";
        static_configs = [{
@@ -116,12 +107,6 @@ with lib;
          targets = [ "10.0.0.13:9002" ];
        }];
      }
      {
        job_name = "zineshop";
        static_configs = [{
          targets = [ "10.0.0.15:9002" ];
        }];
      }
      {
        job_name = "fanny";
        static_configs = [{
--- a/machines/overwatch/printer_module.nix
+++ b/machines/overwatch/printer_module.nix
@@ -1,33 +0,0 @@
 {config, lib, pkgs, ...}:
 {
  options.printer_scraping = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Enable the script to pull data from the printer";
    };
    timer = lib.mkOption {
      type = lib.types.str;
      default = "1m";
      description = "systemd timer for script execution";
    };
  };
  config = lib.mkIf config.printer_scraping.enable {
    systemd.services."printer-scraping" = {
      description = "Pull printer stats and upload to influxdb";
      serviceConfig.Type = "oneshot";
      path = with pkgs; [yq jq curl bash];
      script = "bash ${./pull_info.sh}";
    };
    systemd.timers."printer-scraping" = {
      wantedBy = ["timers.target"];
      timerConfig = {
        OnBootSec = "5s";
        OnUnitActiveSec = config.printer_scraping.timer;
        Unit = "printer-scraping.service";
      };
    };
    services.prometheus.pushgateway.enable = true; #Im not dealing with influx
  };
 }
--- a/machines/overwatch/pull_info.sh
+++ b/machines/overwatch/pull_info.sh
@@ -1,133 +0,0 @@
 #!/usr/bin/env bash
 set -eo pipefail
 for command in "jq" "xq" "grep" "curl" "sed"
 do
    if ! command -v $command >/dev/null 2>&1
    then
        echo "$command could not be found"
        exit 1
    fi
 done
 #Functions---------------
 get_cookie () {
    if [[ $1 == "-d" ]]; then
        cookie=$(cat request_example_1.txt)
    else
        cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
    fi
    exitCode="$?"
    if [[ $exitCode == "7" ]];
    then
        echo "Server offline"
        exit 0
    elif [[ $exitCode != "0" ]];
    then 
        echo "Something went wrong"
        exit 1
    fi
    cookie=$(echo "$cookie" | grep Set-Cookie | grep -oP "ID=\K[^.]+" )
    if [[ $cookie == "" ]]
    then
        echo "No cookie got!"
        exit 1
    fi
 }
 get_values () {
    local path="$1"
    local -n keys=$2
    local name="$3"
    local_system_counter_data=$(echo "$system_counter_data" | jq "$path | .[]")
    for key in "${keys[@]}";
    do 
        value=$(echo "$local_system_counter_data" | 
        jq "select(.Type==\"$key\") | .Count" | 
        sed 's/"//g'
        )
        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
    done
 }
 get_values_DeviceStatus () {
    local -n keys=$1
    local name="$2"
    local_system_counter_data=$(echo "$system_counter_data" | jq ".MFP.Common.DeviceStatus")
    for key in "${keys[@]}";
    do 
        value=$(echo "$local_system_counter_data" | 
        jq ".$key" | 
        sed 's/"//g'
        )
        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
    done
 }
 get_values_consumables () {
    local -n keys=$1
    local name="$2"
    local_system_consumables_data=$(echo "$system_consumables_data" | jq ".[] |.DeviceInfo.ConsumableList.Consumable | .[]")
    for key in "${keys[@]}";
    do 
        value=$(
            echo "$local_system_consumables_data" | 
            jq "select(.Name==\"$key\") | .CurrentLevel.LevelPer" | 
            sed 's/"//g'
            )
        valueStore=$(echo "$valueStore"; echo "$name"_"${key//[^a-zA-Z_-]/_}" "$value")
    done
 }
 #End Functions----------
 #Variables-----------------------
 system_counter_DeviceStatus_keys=("ScanStatus" "PrintStatus" "Processing" "NetworkErrorStatus" "KmSaasgw" "HddMirroringErrorStatus")
 system_counter_TotalCounter_keys=("Total" "DuplexTotal" "Document" "Paper" "TotalLarge" "PrintPageTotal" "PaperSizeA3" "PaperSizeA4" "PaperSizeB4" "PaperSizeB5" "PaperSizeOther" "Nin12in1" "PaperTypeNormal" "PaperTypeOther")
 system_counter_FullColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
 system_counter_BlackCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
 system_counter_DoubleColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
 system_counter_CopyCounter_keys=("BwTotal" "FullColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
 system_counter_PrintCounter_keys=("BwTotal" "FullColorTotal" "BiColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
 system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "FaxReceive" "FaxSend")
 system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
 #End Variables-------------
 echo "Getting cookie"
 get_cookie "$@"
 echo "Start extracting info from system_counter"
 if [[ $1 == "-d" ]]; then
    system_counter_data=$(cat system_counter.xml |xq)
 else
    system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
 fi
 get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
 get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.FullColorCounterList.FullColorCounter" system_counter_FullColorCounter_keys FullColorCounter
 get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.BlackCounterList.BlackCounter" system_counter_BlackCounter_keys BlackCounter
 get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.DoubleColorCounterList.DoubleColorCounter" system_counter_DoubleColorCounter_keys DoubleColorCounter
 get_values ".MFP.Count.UserCounterInfo.CopyCounterList.CopyCounter" system_counter_CopyCounter_keys CopyCounter
 get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system_counter_ScanFaxCounter_keys ScanFaxCounter
 get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
 echo "Start extracting info from system_consumables"
 if [[ $1 == "-d" ]]; then
    system_consumables_data=$(cat system_consumables.xml |xq)
 else
    system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
 fi
 get_values_consumables system_consumables_base_keys Consumables
 echo "Sending data to prometheus-pushgateway..."
 echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
 echo "Success!"
 exit 0
--- a/machines/ssh_keys.nix
+++ b/machines/ssh_keys.nix
@@ -7,6 +7,6 @@
 ];
 backup = [
  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIGryhnXdmbGObONG88K+c9zeduMrwtoLHwzMDZg3UXB+Cnq2FXWOrlLZxA+95VUgHpyGZiykJmzeWrKhldDlDeGGd8QCCLeuliiOgXADTYjWaVfhd+6arPZrK2VtqqsguvH40gW1xfoGAOmAT4WFnxWxIaEip0V2u6NOoKTiH9I3bz2Qe4lfJvPXig+XwCXcukXd6XUkDFYDpiw8XNV3X7pqTus5d2RYR97bAhIYZZQ6h50ZpTY8N0lFh4RY5yfx8BhxJW3tfoi9uZvVuPx7dGPsZsSniENFPMNz3UwHGitTJMr4088cJrAGgd5lyFuLouiHiM2JMGA0wx9wWTbWJEwTLaTVQK9gSJf857ndV2zCh9vKlfko4w9bQgqxKg4U/mY8dXX1E7D51nD2ci8Ed+ZG+NEneFLyZhLsD82GkBY+YovA+4xm/pcx+hBhlyqGNxI8v+Jh+JhEyD/ZLgJfq3ZMbGIGsTiDwZ2flLLxImHHEoDoT6PHU6hDhPDJu560="
-  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPP4s6qNKwtu2l5DRKU/Xo6lMRztqNw/MOVsKx58kUE8 root@silizium"
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJKl5FWPskhlnzJs1+mMYrVTMNnRG92uFKUgGlteTPhL"
 ];
 }
--- a/machines/testvm/configuration.nix
+++ b/machines/testvm/configuration.nix
@@ -24,7 +24,7 @@ in
  malobeo.disks = {
    enable = true;
-    encryption = false;
+    encryption = true;
    hostId = "83abc8cb";
    devNodes = "/dev/disk/by-path/";
    root = {
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
@@ -45,10 +45,6 @@ with lib;
        proxyPass = "http://10.100.0.101";
        extraConfig = ''
          proxy_set_header Host $host;
          client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
          client_body_timeout 3600s;
          send_timeout 3600s;
          fastcgi_buffers 64 4K;
        '';
      };
    };
@@ -70,28 +66,6 @@ with lib;
        '';
      };
    };
    virtualHosts."zines.malobeo.org" = {
      locations."/" = {
        proxyPass = "http://10.100.0.101";
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Authorization $http_authorization;  # Pass the Authorization header
          proxy_pass_header Authorization;
          client_body_in_file_only clean;
          client_body_buffer_size 32K;
          client_max_body_size 50M;
          sendfile on;
          send_timeout 300s;
        '';
      };
    };
  };
  system.stateVersion = "22.11"; # Did you read the comment?
--- a/machines/zineshop/configuration.nix
+++ b/machines/zineshop/configuration.nix
@@ -1,34 +0,0 @@
 { self, config, lib, pkgs, inputs, ... }:
 with lib;
 {
  networking = {
    hostName = mkDefault "zineshop";
    useDHCP = false;
  };
  imports = [
    inputs.malobeo.nixosModules.malobeo.metrics
    inputs.malobeo.nixosModules.malobeo.printing
    inputs.zineshop.nixosModules.zineshop
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
  ];
  malobeo.metrics = {
    enable = true;
    enablePromtail = true;
    logNginx = true;
    lokiHost = "10.0.0.14";
  };
  services.printing.enable = true;
  services.malobeo.printing.enable = true;
  services.zineshop.enable = true;
  networking.firewall.allowedTCPPorts = [ 8080 ];
  system.stateVersion = "22.11"; # Did you read the comment?
 }
--- a/outputs.nix
+++ b/outputs.nix
@@ -37,7 +37,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
        sops.sops-init-gpg-key
        pkgs.sops
        pkgs.age
-        pkgs.python313Packages.grip
+        pkgs.python310Packages.grip
        pkgs.mdbook
        pkgs.ssh-to-age
        microvmpkg.microvm
@@ -116,8 +116,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
      metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
      disko.imports = [ ./machines/modules/disko ];
      users.imports = [ ./machines/modules/malobeo/users.nix ];
      backup.imports = [ ./machines/modules/malobeo/backup.nix ];
      printing.imports = [ ./machines/modules/malobeo/printing.nix ];
    };
    hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
--- a/scripts/add_new_host_keys.sh
+++ b/scripts/add_new_host_keys.sh
@@ -31,13 +31,10 @@ cd "$pwpath"
 # Generate SSH keys
 ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
 ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
 wg genkey > wg.private
 publickey=$(cat wg.private | wg pubkey)
 #encrypt the private keys
 sops -e -i ./$hostkey
 sops -e -i ./$initrdkey
 sops -e -i ./wg.private
 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -48,9 +45,6 @@ echo
 echo "Hier ist der age public key für sops etc:"
 echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
 echo "Hier ist der wireguard pubkey für das gerät"
 echo "$publickey"
 echo 
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -40,17 +40,16 @@ trap cleanup EXIT
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
-install -d -m755 "$temp/etc/wireguard/"
+install -d -m755 "$temp/root/"
 ##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
 diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
 echo "$diskKey" > $temp/root/secret.key
 sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
-sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
+sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
 chmod 600 "$temp/etc/ssh/initrd"
--- a/scripts/run-vm.sh
+++ b/scripts/run-vm.sh
@@ -6,7 +6,6 @@ usage() {
    echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
    echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
    echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
    echo "--data path to directory that should be shared as /data"
    echo "--fwd-port forwards the given port to port 80 on vm"
    exit 1
 }
@@ -24,7 +23,6 @@ DUMMY_SECRETS=false
 NO_DISKO=false
 RW_STORE=false
 VAR_PATH=""
 DATA_PATH=""
 FWD_PORT=0
 # check argws
@@ -44,15 +42,6 @@ while [[ "$#" -gt 0 ]]; do
              usage
          fi
          ;;
        --data) 
          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
              DATA_PATH="$2"
              shift
          else
              echo "Error: --data requires a non-empty string argument."
              usage
          fi
          ;;
        --fwd-port) 
          if [[ -n "$2" && ! "$2" =~ ^- ]]; then
              FWD_PORT="$2"
@@ -75,8 +64,4 @@ if [ -n "$VAR_PATH" ]; then
  echo "sharing var directory: $VAR_PATH"
 fi
-if [ -n "$DATA_PATH" ]; then
+nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
  echo "sharing data directory: $DATA_PATH"
 fi
 nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" \"$DATA_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -24,16 +24,12 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
 echo
 if [ $# = 1 ]
    then
-    ssh $sshoptions root@$hostname-initrd "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
 elif [ $# = 2 ]
    then
    ip=$2
-    ssh $sshoptions root@$ip "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
    echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted" 
    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
 else
    echo