[fanny] fix flushing init vpn

I'll remove this later

doc/src/SUMMARY.md

@@ -21,3 +21,4 @@
         - [Updates](./anleitung/updates.md)
         - [Rollbacks](./anleitung/rollback.md)
         - [MicroVM](./anleitung/microvm.md)
+        - [Update Nextcloud](./anleitung/update_nextcloud.md)

doc/src/anleitung/update_nextcloud.md

@@ -0,0 +1,16 @@
+### Updating nextcloud
+
+## Updating the draggable patch
+
+The draggable patch is a one line patch found in the deck repo under `src/components/cards/CardItem.vue`   
+Direct link: https://git.dynamicdiscord.de/ahtlon/deck/commit/77cbcf42ca80dd32e450839f02faca2e5fed3761   
+
+The easiest way to apply is
+1. Sync the repo with remote https://github.com/nextcloud/deck/tree/main
+2. Checkout the stable branch for the nextcloud version you need
+  - example `git checkout stable31`
+3. Apply the patch using `git cherry-pick bac32ace61e7e1e01168f9220cee1d24ce576d5e`
+4. Start a nix-shell with `nix-shell -p gnumake krankerl php84Packages.composer php nodejs_24`
+5. run `krankerl package`
+6. upload the archive at "./build/artifacts/deck.tar.gz" to a file storage (ask Ahtlon for access to the storj s3 or use own)
+7. Change url and sha in the nextcloud configuration.nix `deck = pkgs.fetchNextcloudApp {};`

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736864502,
-        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "lastModified": 1746728054,
+        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "rev": "ff442f5d1425feb86344c028298548024f21256d",
         "type": "github"
       },
       "original": {
@@ -67,16 +67,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1744117652,
-        "narHash": "sha256-t7dFCDl4vIOOUMhEZnJF15aAzkpaup9x4ZRGToDFYWI=",
+        "lastModified": 1748226808,
+        "narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "b4e98224ad1336751a2ac7493967a4c9f6d9cb3f",
+        "rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-24.11",
+        "ref": "release-25.05",
         "repo": "home-manager",
         "type": "github"
       }
@@ -109,11 +109,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1743083165,
-        "narHash": "sha256-Fz7AiCJWtoWZ2guJwO3B1h3RuJxYWaCzFIqY0Kmkyrs=",
+        "lastModified": 1748260747,
+        "narHash": "sha256-V3ONd70wm55JxcUa1rE0JU3zD+Cz7KK/iSVhRD7lq68=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "773d5a04e2e10ca7b412270dea11276a496e1b61",
+        "rev": "b6c5dfc2a1c7614c94fd2c5d2e8578fd52396f3b",
         "type": "github"
       },
       "original": {
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742568034,
-        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
+        "lastModified": 1747663185,
+        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
+        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1744366945,
-        "narHash": "sha256-OuLhysErPHl53BBifhesrRumJNhrlSgQDfYOTXfgIMg=",
+        "lastModified": 1747900541,
+        "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "1fe3cc2bc5d2dc9c81cb4e63d2f67c1543340df1",
+        "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1744232761,
-        "narHash": "sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U=",
+        "lastModified": 1748190013,
+        "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f675531bc7e6657c10a18b565cfebd8aa9e24c14",
+        "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
         "type": "github"
       },
       "original": {
@@ -208,16 +208,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1744309437,
-        "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=",
+        "lastModified": 1748162331,
+        "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7",
+        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -235,7 +235,8 @@
         "nixpkgs-unstable": "nixpkgs-unstable",
         "sops-nix": "sops-nix",
         "tasklist": "tasklist",
-        "utils": "utils_3"
+        "utils": "utils_3",
+        "zineshop": "zineshop"
       }
     },
     "sops-nix": {
@@ -245,11 +246,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744103455,
-        "narHash": "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=",
+        "lastModified": 1747603214,
+        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "69d5a5a4635c27dae5a742f36108beccc506c1ba",
+        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
         "type": "github"
       },
       "original": {
@@ -261,11 +262,11 @@
     "spectrum": {
       "flake": false,
       "locked": {
-        "lastModified": 1733308308,
-        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
+        "lastModified": 1746869549,
+        "narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=",
         "ref": "refs/heads/main",
-        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
-        "revCount": 792,
+        "rev": "d927e78530892ec8ed389e8fae5f38abee00ad87",
+        "revCount": 862,
         "type": "git",
         "url": "https://spectrum-os.org/git/spectrum"
       },
@@ -334,6 +335,21 @@
         "type": "github"
       }
     },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "tasklist": {
       "inputs": {
         "nixpkgs": [
@@ -341,11 +357,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743458889,
-        "narHash": "sha256-eVTtsCPio3Wj/g/gvKTsyjh90vrNsmgjzXK9jMfcboM=",
+        "lastModified": 1760981884,
+        "narHash": "sha256-ASFWbOhuB6i3AKze5sHCvTM+nqHIuUEZy9MGiTcdZxA=",
         "ref": "refs/heads/master",
-        "rev": "b61466549e2687628516aa1f9ba73f251935773a",
-        "revCount": 30,
+        "rev": "b67eb2d778a34c0dceb91a236b390fe493aa3465",
+        "revCount": 32,
         "type": "git",
         "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
       },
@@ -407,6 +423,45 @@
         "repo": "flake-utils",
         "type": "github"
       }
+    },
+    "utils_4": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "zineshop": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils_4"
+      },
+      "locked": {
+        "lastModified": 1751462005,
+        "narHash": "sha256-vhr2GORiXij3mL+QIfnL0sKSbbBIglw1wnHWNmFejiA=",
+        "ref": "refs/heads/master",
+        "rev": "f505fb17bf1882cc3683e1e252ce44583cbe58ce",
+        "revCount": 155,
+        "type": "git",
+        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -3,7 +3,7 @@
 
   inputs = {
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -22,6 +22,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    zineshop = {
+      url = "git+https://git.dynamicdiscord.de/kalipso/zineshop";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     ep3-bs = {
       url = "git+https://git.dynamicdiscord.de/kalipso/ep3-bs.nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -33,7 +38,7 @@
     };
 
     home-manager=  {
-      url = "github:nix-community/home-manager/release-24.11";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs = {
         nixpkgs.follows = "nixpkgs";
       };

machines/bakunin/configuration.nix

@@ -53,7 +53,7 @@ in
       libreoffice
       gimp
       inkscape
-      okular
+      kdePackages.okular
       element-desktop
       chromium
       mpv

machines/durruti/host_config.nix

@@ -73,6 +73,24 @@ in
       };
     };
 
+
+    services.nginx.virtualHosts."zines.malobeo.org" = {
+      forceSSL = true;
+      enableACME= true;
+      locations."/" = {
+        proxyPass = "http://10.0.0.10";
+        extraConfig = ''
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
+    };
+
     services.nginx.virtualHosts."status.malobeo.org" = {
       forceSSL = true;
       enableACME= true;

machines/fanny/configuration.nix

@@ -1,10 +1,12 @@
 { inputs, config, ... }:
 let
   sshKeys = import ../ssh_keys.nix;
+  peers = import ../modules/malobeo/peers.nix;
 in
 {
   sops.defaultSopsFile = ./secrets.yaml;
   sops.secrets.wg_private = {};
+  sops.secrets.shop_auth = {};
 
   imports =
     [ # Include the results of the hardware scan.
@@ -84,8 +86,42 @@ in
     enable = true;
     authorizedKeys = sshKeys.admins;
     ethernetDrivers = ["r8169"];
+    zfsExtraPools = [ "storage" ];
   };
 
+  boot.initrd = {
+    availableKernelModules = [ "wireguard" ];
+    # postMountCommands = ''
+    #   ip address flush dev wg-initrd
+    #   ip link set dev wg-initrd down
+    # '';
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        netdevs."30-wg-initrd" = {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "wg-initrd";
+          };
+          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
+          wireguardPeers = [{
+            AllowedIPs = peers.vpn.allowedIPs;
+            PublicKey = peers.vpn.publicKey;
+            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
+            PersistentKeepalive = 25;
+          }];
+        };
+        networks."30-wg-initrd" = {
+          name = "wg-initrd";
+          addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
+        };
+      };
+    };
+  };
+
+  boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
+
   services.malobeo.vpn = {
     enable = true;
     name = "fanny";
@@ -93,7 +129,13 @@ in
   };
 
   services.malobeo.microvm.enableHostBridge = true;
-  services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ];
+  services.malobeo.microvm.deployHosts = [ 
+    "overwatch" 
+    "infradocs" 
+    "nextcloud" 
+    "durruti" 
+    "zineshop"
+  ];
 
   networking = {
     nat = {
@@ -123,6 +165,7 @@ in
         proxyPass = "http://10.0.0.13";
         extraConfig = ''
           proxy_set_header Host $host;
+          client_max_body_size 10G;
         '';
       };
     };
@@ -144,6 +187,26 @@ in
         '';
       };
     };
+
+    virtualHosts."zines.malobeo.org" = {
+      # created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo'
+      # then content of foo.txt put into sops
+      # basicAuthFile = config.sops.secrets.shop_auth.path;
+      locations."/" = {
+        proxyPass = "http://10.0.0.15:8080";
+        extraConfig = ''
+          proxy_set_header Host $host;
+
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
+    };
   };
 
   services.tor = {
@@ -163,5 +226,10 @@ in
 
   time.timeZone = "Europe/Berlin";
   system.stateVersion = "23.05"; # Do.. Not.. Change..
+
+  sops.secrets.shop_auth = {
+    owner = config.services.nginx.user;
+    group = config.services.nginx.group;
+  };
 }
 

machines/fanny/secrets.yaml

@@ -1,4 +1,6 @@
 wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
+shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str]
+shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +25,8 @@ sops:
             QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP
             SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-14T12:41:07Z"
-    mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
+    lastmodified: "2025-04-14T10:34:55Z"
+    mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str]
     pgp:
         - created_at: "2025-02-11T18:32:49Z"
           enc: |-
@@ -65,4 +67,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4

machines/hosts.nix

@@ -67,6 +67,14 @@
         };
       };
 
+      zineshop = {
+        type = "microvm";
+        network = {
+          address = "10.0.0.15";
+          mac = "D0:E5:CA:F0:D7:F1";
+        };
+      };
+
       testvm = {
         type = "host";
       };

machines/louise/configuration.nix

@@ -36,7 +36,7 @@
       libreoffice
       gimp
       inkscape
-      okular
+      kdePackages.okular
       element-desktop
       chromium
       mpv

machines/lucia/configuration.nix

@@ -35,8 +35,7 @@ in
   services = {
 
   dokuwiki.sites."wiki.malobeo.org" = {
-    enable = true;
-    #acl = "* @ALL 8";  # everyone can edit using this config
+        #acl = "* @ALL 8";  # everyone can edit using this config
     # note there is a users file at
     # /var/lib/dokuwiki/<wiki-name>/users.auth.php
     # makes sense to edit it by hand

machines/modules/malobeo/initssh.nix

@@ -22,6 +22,11 @@ in
       description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
       example = "r8169";
     };
+    zfsExtraPools = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
+    };
   };
   
   config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
@@ -32,33 +37,41 @@ in
       zfs = {
         forceImportAll = true;
         requestEncryptionCredentials = true;
-        
+        extraPools = cfg.zfsExtraPools;
       };
       initrd = {
         availableKernelModules = cfg.ethernetDrivers;
         systemd = {
+          initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ]; 
           enable = true;
           network.enable = true;
+          services."stopInitVpn" = {
+            description = "stop init vpn";
+            wantedBy = [
+              "initrd.target"
+            ];
+            after = [
+              "zfs.target"
+            ];
+            serviceConfig.StandardOutput = "journal+console";
+            script = ''
+              networkctl down wg-initrd
+            '';
+            serviceConfig.Type = "oneshot";
+      };
         };
-        network.ssh = {
-          enable = true;
-          port = 222;
-          authorizedKeys = cfg.authorizedKeys;
-          hostKeys = [ "/etc/ssh/initrd" ];
+        network = {
+          flushBeforeStage2 = true;
+          ssh = {
+            enable = true;
+            port = 222;
+            authorizedKeys = cfg.authorizedKeys;
+            hostKeys = [ "/etc/ssh/initrd" ];
+          };
         };
         secrets = {
           "/etc/ssh/initrd" = "/etc/ssh/initrd";
         };
-        systemd.services.zfs-remote-unlock = {
-          description = "Prepare for ZFS remote unlock";
-          wantedBy = ["initrd.target"];
-          after = ["systemd-networkd.service"];
-          path = with pkgs; [ zfs ];
-          serviceConfig.Type = "oneshot";
-          script = ''
-            echo "systemctl default" >> /var/empty/.profile
-          '';
-        };
       };
       kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
     };

machines/modules/malobeo/microvm_host.nix

@@ -62,7 +62,7 @@ in
         addresses = if cfg.enableHostBridgeUnstable then [
           { Address = "10.0.0.1/24"; }
         ] else [
-          { addressConfig.Address = "10.0.0.1/24"; }
+          { Address = "10.0.0.1/24"; }
         ];
       };
 

machines/modules/malobeo/peers.nix

@@ -44,6 +44,14 @@
     publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
   };
 
+  "fanny-initrd" = {
+    role = "client";
+    address = "10.100.0.102";
+    allowedIPs = [ "10.100.0.102/32" ];
+    #TODO: UPDATE
+    publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
+  };
+
   "backup0" = {
     role = "client";
     address = "10.100.0.20";

machines/modules/malobeo/printing.nix

@@ -11,6 +11,9 @@ let
     SaddleUnit = "SD511";
     Model = "C258";
     InputSlot = "Tray1";
+    TextPureBlack = "On";
+    PhotoPureBlack = "On";
+    GraphicPureBlack = "On";
   };
 
 in
@@ -29,23 +32,91 @@ in
       driverFile
     ];
 
-    hardware.printers.ensurePrinters = [ {
-      name = "KonicaDefault";
-      model = "konicaminoltac258.ppd";
-      location = "Zine Workshop";
-      deviceUri = "ipp://192.168.1.42/ipp";
-      ppdOptions = defaultPpdOptions;
-    }
-    {
-      name = "KonicaBooklet";
-      model = "konicaminoltac258.ppd";
-      location = "Zine Workshop";
-      deviceUri = "ipp://192.168.1.42/ipp";
-      ppdOptions = defaultPpdOptions // {
-        Fold = "Stitch";
-        Staple = "None";
-      };
-    }
-  ];
+    hardware.printers.ensurePrinters = [ 
+      {
+        name = "KonicaDefault";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions;
+      }
+      {
+        name = "KonicaBooklet";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions // {
+          Fold = "Stitch";
+          Staple = "None";
+        };
+      }
+      {
+        name = "KonicaPostcard";
+        model = "konicaminoltac258.ppd";
+        location = "Zine Workshop";
+        deviceUri = "ipp://192.168.1.42/ipp";
+        ppdOptions = defaultPpdOptions // {
+          Fold = "None";
+          Staple = "None";
+          InputSlot = "BypassTray";
+          MediaType = "Thick4";
+          KMDuplex = "1Sided";
+        };
+      }
+    ];
   };
 }
+
+/*
+ALL AVAILABE OPTIONS:
+
+PaperSources/Paper Source Unit: *None LU207 LU302 PC110 PC114 PC115 PC110+LU302 PC115+LU207 PC115+LU302 PC210 PC214 PC215 PC210+LU302 PC215+LU207 PC215+LU302 PC410 PC414 PC415 PC410+LU302 PC415+LU207 PC415+LU302
+Finisher/Finisher: None FS533 *FS534 JS506 FS536 FS537 FS537+JS602
+KOPunch/Punch Unit: *None PK519 PK519-3 PK519-4 PK519-SWE4 PK520 PK520-3 PK520-4 PK520-SWE4 PK523 PK523-3 PK523-4 PK523-SWE4
+ZFoldPunch/Z-Fold Unit: *None ZU609
+CoverSheetFeeder/Post Inserter: *None PI507
+SaddleUnit/Saddle Kit: None *SD511 SD512
+PrinterHDD/Hard Disk: None *HDD
+AdvancedFunctionCover/Advanced Function(Cover Mode): *Disable Enable
+Model/Model: C658 C558 C458 C368 C308 *C258 C287 C227 C266 C226
+Collate/Collate: False *True
+InputSlot/Paper Tray: AutoSelect *Tray1 Tray2 Tray3 Tray4 LCT ManualFeed
+MediaType/Paper Type: *Plain Plain(2nd) Thick1 Thick1(2nd) Thick1Plus Thick1Plus(2nd) Thick2 Thick2(2nd) Thick3 Thick3(2nd) Thick4 Thick4(2nd) Thin Envelope Transparency Color SingleSidedOnly TAB Letterhead Special Recycled Recycled(2nd) User1 User1(2nd) User2 User2(2nd) User3 User3(2nd) User4 User4(2nd) User5 User5(2nd) User6 User6(2nd) PrinterDefault UserCustomType1 UserCustomType1(2nd) UserCustomType2 UserCustomType2(2nd) UserCustomType3 UserCustomType3(2nd) UserCustomType4 UserCustomType4(2nd) UserCustomType5 UserCustomType5(2nd) UserCustomType6 UserCustomType6(2nd) UserCustomType7 UserCustomType7(2nd) UserCustomType8 UserCustomType8(2nd) UserCustomType9 UserCustomType9(2nd) UserCustomType10 UserCustomType10(2nd) UserCustomType11 UserCustomType11(2nd) UserCustomType12 UserCustomType12(2nd) UserCustomType13 UserCustomType13(2nd) UserCustomType14 UserCustomType14(2nd) UserCustomType15 UserCustomType15(2nd) UserCustomType16 UserCustomType16(2nd) UserCustomType17 UserCustomType17(2nd) UserCustomType18 UserCustomType18(2nd) UserCustomType19 UserCustomType19(2nd)
+PageSize/Paper Size: A3 *A4 A5 A6 B4 B5 B6 SRA3 220mmx330mm 12x18 Tabloid Legal Letter Statement 8x13 8.5x13 8.5x13.5 8.25x13 8.125x13.25 Executive 8K 16K EnvISOB5 EnvC4 EnvC5 EnvC6 EnvChou3 EnvChou4 EnvYou3 EnvYou4 EnvKaku1 EnvKaku2 EnvKaku3 EnvDL EnvMonarch Env10 JapanesePostCard 4x6_PostCard A3Extra A4Extra A5Extra B4Extra B5Extra TabloidExtra LetterExtra StatementExtra LetterTab-F A4Tab-F
+Offset/Offset: *False True
+OutputBin/Output Tray: *Default Tray1 Tray2 Tray3 Tray4
+Binding/Binding Position: *LeftBinding TopBinding RightBinding
+KMDuplex/Print Type: 1Sided *2Sided
+Combination/Combination: *None Booklet
+Staple/Staple: *None 1StapleAuto(Left) 1StapleZeroLeft 1Staple(Right) 2Staples
+Punch/Punch: *None 2holes 3holes 4holes
+Fold/Fold: None *Stitch HalfFold TriFold ZFold1 ZFold2
+FrontCoverPage/Front Cover: None *Printed Blank
+FrontCoverTray/Front Cover Tray: None Tray1 Tray2 Tray3 Tray4 LCT *BypassTray
+BackCoverPage/Back Cover: *None Printed Blank
+BackCoverTray/Back Cover Tray: *None Tray1 Tray2 Tray3 Tray4 LCT BypassTray
+PIFrontCover/Front Cover from Post Inserter: *None PITray1 PITray2
+PIBackCover/Back Cover from Post Inserter: *None PITray1 PITray2
+TransparencyInterleave/Transparency Interleave: *None Blank
+OHPOpTray/Interleave Tray: *None Tray1 Tray2 Tray3 Tray4 LCT
+WaitMode/Output Method: *None ProofMode
+SelectColor/Select Color: Auto Color *Grayscale
+GlossyMode/Glossy Mode: *False True
+OriginalImageType/Color Settings: *Document Photo DTP Web CAD
+AutoTrapping/Auto Trapping: *False True
+BlackOverPrint/Black Over Print: *Off Text TextGraphic
+TextColorMatching/Color Matching (Text): *Auto Vivid Photo Colorimetric
+TextPureBlack/Pure Black (Text): *Auto Off On
+TextScreen/Screen (Text): *Auto Gradation Resolution HighResolution
+PhotoColorMatching/Color Matching (Photo): *Auto Vivid Photo Colorimetric
+PhotoPureBlack/Pure Black (Photo): *Auto Off On
+PhotoScreen/Screen (Photo): *Auto Gradation Resolution HighResolution
+PhotoSmoothing/Smoothing (Photo): *Auto None Dark Medium Light
+GraphicColorMatching/Color Matching (Graphic): *Auto Vivid Photo Colorimetric
+GraphicPureBlack/Pure Black (Graphic): *Auto Off On
+GraphicScreen/Screen (Graphic): *Auto Gradation Resolution HighResolution
+GraphicSmoothing/Smoothing (Graphic): *Auto None Dark Medium Light
+TonerSave/Toner Save: *False True
+String4Pt/Edge Enhancement: *False True
+
+*/

machines/nextcloud/configuration.nix

@@ -36,7 +36,7 @@ with lib;
     package = pkgs.nextcloud31;
     hostName = "cloud.malobeo.org";
     config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
-    #https = true; #disable for testing
+    maxUploadSize = "10G";
     datadir = "/data/services/nextcloud/";
     database.createLocally = true;
     config.dbtype = "pgsql";
@@ -47,12 +47,17 @@ with lib;
     };
     extraAppsEnable = true;
     extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls registration collectives forms;
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
       appointments = pkgs.fetchNextcloudApp {
         sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
         url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
         license = "agpl3Plus";
       };
+      deck = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-1sqDmJpM9SffMY2aaxwzqntdjdcUaRySyaUDv9VHuiE=";
+        url = "https://link.storjshare.io/raw/jw7pf6gct34j3pcqvlq6ddasvdwq/mal/deck.tar.gz";
+        license = "agpl3Plus";
+      };
     };
     settings = {
       trusted_domains = ["10.0.0.13"];

machines/overwatch/configuration.nix

@@ -12,6 +12,7 @@ with lib;
     self.nixosModules.malobeo.metrics
     ../modules/malobeo_user.nix
     ../modules/sshd.nix
+    ./printer_module.nix
   ];
 
   networking.firewall.allowedTCPPorts = [ 80 3100 ];
@@ -66,9 +67,9 @@ with lib;
 
   services.nginx = {
     enable = true;
-    virtualHosts.${config.services.grafana.domain} = {
+    virtualHosts.${config.services.grafana.settings.server.domain} = {
       locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
           proxyWebsockets = true;
 
       extraConfig = ''
@@ -78,6 +79,8 @@ with lib;
       };
   };
   
+  printer_scraping.enable = true;
+
   services.prometheus = {
     enable = true;
     port = 9001;
@@ -89,6 +92,12 @@ with lib;
           targets = [ "127.0.0.1:9002" ];
         }];
       }
+      {
+        job_name = "printer";
+        static_configs = [{
+          targets = [ "127.0.0.1:9091" ];
+        }];
+      }
       {
         job_name = "durruti";
         static_configs = [{
@@ -107,6 +116,12 @@ with lib;
           targets = [ "10.0.0.13:9002" ];
         }];
       }
+      {
+        job_name = "zineshop";
+        static_configs = [{
+          targets = [ "10.0.0.15:9002" ];
+        }];
+      }
       {
         job_name = "fanny";
         static_configs = [{

machines/overwatch/printer_module.nix

@@ -0,0 +1,33 @@
+{config, lib, pkgs, ...}:
+{
+  options.printer_scraping = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable the script to pull data from the printer";
+    };
+    timer = lib.mkOption {
+      type = lib.types.str;
+      default = "1m";
+      description = "systemd timer for script execution";
+    };
+  };
+
+  config = lib.mkIf config.printer_scraping.enable {
+    systemd.services."printer-scraping" = {
+      description = "Pull printer stats and upload to influxdb";
+      serviceConfig.Type = "oneshot";
+      path = with pkgs; [yq jq curl bash];
+      script = "bash ${./pull_info.sh}";
+    };
+    systemd.timers."printer-scraping" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "5s";
+        OnUnitActiveSec = config.printer_scraping.timer;
+        Unit = "printer-scraping.service";
+      };
+    };
+    services.prometheus.pushgateway.enable = true; #Im not dealing with influx
+  };
+}

machines/overwatch/pull_info.sh

@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+set -eo pipefail
+for command in "jq" "xq" "grep" "curl" "sed"
+do
+    if ! command -v $command >/dev/null 2>&1
+    then
+        echo "$command could not be found"
+        exit 1
+    fi
+done
+#Functions---------------
+get_cookie () {
+    if [[ $1 == "-d" ]]; then
+        cookie=$(cat request_example_1.txt)
+    else
+        cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
+    fi
+
+    exitCode="$?"
+    if [[ $exitCode == "7" ]];
+    then
+        echo "Server offline"
+        exit 0
+    elif [[ $exitCode != "0" ]];
+    then 
+        echo "Something went wrong"
+        exit 1
+    fi
+
+    cookie=$(echo "$cookie" | grep Set-Cookie | grep -oP "ID=\K[^.]+" )
+    if [[ $cookie == "" ]]
+    then
+        echo "No cookie got!"
+        exit 1
+    fi
+}
+get_values () {
+    local path="$1"
+    local -n keys=$2
+    local name="$3"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq "$path | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq "select(.Type==\"$key\") | .Count" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+}
+get_values_DeviceStatus () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq ".MFP.Common.DeviceStatus")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq ".$key" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+
+}
+get_values_consumables () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_consumables_data=$(echo "$system_consumables_data" | jq ".[] |.DeviceInfo.ConsumableList.Consumable | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(
+            echo "$local_system_consumables_data" | 
+            jq "select(.Name==\"$key\") | .CurrentLevel.LevelPer" | 
+            sed 's/"//g'
+            )
+        valueStore=$(echo "$valueStore"; echo "$name"_"${key//[^a-zA-Z_-]/_}" "$value")
+    done
+}
+#End Functions----------
+
+#Variables-----------------------
+system_counter_DeviceStatus_keys=("ScanStatus" "PrintStatus" "Processing" "NetworkErrorStatus" "KmSaasgw" "HddMirroringErrorStatus")
+system_counter_TotalCounter_keys=("Total" "DuplexTotal" "Document" "Paper" "TotalLarge" "PrintPageTotal" "PaperSizeA3" "PaperSizeA4" "PaperSizeB4" "PaperSizeB5" "PaperSizeOther" "Nin12in1" "PaperTypeNormal" "PaperTypeOther")
+system_counter_FullColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_BlackCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_DoubleColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_CopyCounter_keys=("BwTotal" "FullColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_PrintCounter_keys=("BwTotal" "FullColorTotal" "BiColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "FaxReceive" "FaxSend")
+system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
+#End Variables-------------
+
+echo "Getting cookie"
+get_cookie "$@"
+
+echo "Start extracting info from system_counter"
+if [[ $1 == "-d" ]]; then
+    system_counter_data=$(cat system_counter.xml |xq)
+else
+    system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.FullColorCounterList.FullColorCounter" system_counter_FullColorCounter_keys FullColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.BlackCounterList.BlackCounter" system_counter_BlackCounter_keys BlackCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.DoubleColorCounterList.DoubleColorCounter" system_counter_DoubleColorCounter_keys DoubleColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.CopyCounterList.CopyCounter" system_counter_CopyCounter_keys CopyCounter
+
+get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system_counter_ScanFaxCounter_keys ScanFaxCounter
+
+get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
+
+echo "Start extracting info from system_consumables"
+if [[ $1 == "-d" ]]; then
+    system_consumables_data=$(cat system_consumables.xml |xq)
+else
+    system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values_consumables system_consumables_base_keys Consumables
+
+echo "Sending data to prometheus-pushgateway..."
+
+echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
+echo "Success!"
+exit 0

machines/ssh_keys.nix

@@ -7,6 +7,6 @@
  ];
  backup = [
   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIGryhnXdmbGObONG88K+c9zeduMrwtoLHwzMDZg3UXB+Cnq2FXWOrlLZxA+95VUgHpyGZiykJmzeWrKhldDlDeGGd8QCCLeuliiOgXADTYjWaVfhd+6arPZrK2VtqqsguvH40gW1xfoGAOmAT4WFnxWxIaEip0V2u6NOoKTiH9I3bz2Qe4lfJvPXig+XwCXcukXd6XUkDFYDpiw8XNV3X7pqTus5d2RYR97bAhIYZZQ6h50ZpTY8N0lFh4RY5yfx8BhxJW3tfoi9uZvVuPx7dGPsZsSniENFPMNz3UwHGitTJMr4088cJrAGgd5lyFuLouiHiM2JMGA0wx9wWTbWJEwTLaTVQK9gSJf857ndV2zCh9vKlfko4w9bQgqxKg4U/mY8dXX1E7D51nD2ci8Ed+ZG+NEneFLyZhLsD82GkBY+YovA+4xm/pcx+hBhlyqGNxI8v+Jh+JhEyD/ZLgJfq3ZMbGIGsTiDwZ2flLLxImHHEoDoT6PHU6hDhPDJu560="
-  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJKl5FWPskhlnzJs1+mMYrVTMNnRG92uFKUgGlteTPhL"
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPP4s6qNKwtu2l5DRKU/Xo6lMRztqNw/MOVsKx58kUE8 root@silizium"
  ];
 }

machines/vpn/configuration.nix

@@ -66,6 +66,28 @@ with lib;
         '';
       };
     };
+
+    virtualHosts."zines.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.100.0.101";
+        extraConfig = ''
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Authorization $http_authorization;  # Pass the Authorization header
+          proxy_pass_header Authorization;
+
+          client_body_in_file_only clean;
+          client_body_buffer_size 32K;
+          
+          client_max_body_size 50M;
+          
+          sendfile on;
+          send_timeout 300s;
+        '';
+      };
+    };
   };
 
   system.stateVersion = "22.11"; # Did you read the comment?

machines/zineshop/configuration.nix

@@ -0,0 +1,34 @@
+{ self, config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  networking = {
+    hostName = mkDefault "zineshop";
+    useDHCP = false;
+  };
+
+  imports = [
+    inputs.malobeo.nixosModules.malobeo.metrics
+    inputs.malobeo.nixosModules.malobeo.printing
+    inputs.zineshop.nixosModules.zineshop
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  malobeo.metrics = {
+    enable = true;
+    enablePromtail = true;
+    logNginx = true;
+    lokiHost = "10.0.0.14";
+  };
+
+  services.printing.enable = true;
+  services.malobeo.printing.enable = true;
+
+  services.zineshop.enable = true;
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+

outputs.nix

@@ -37,7 +37,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
         sops.sops-init-gpg-key
         pkgs.sops
         pkgs.age
-        pkgs.python310Packages.grip
+        pkgs.python313Packages.grip
         pkgs.mdbook
         pkgs.ssh-to-age
         microvmpkg.microvm

scripts/add_new_host_keys.sh

@@ -31,10 +31,13 @@ cd "$pwpath"
 # Generate SSH keys
 ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
 ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
+wg genkey > wg.private
+publickey=$(cat wg.private | wg pubkey)
 
 #encrypt the private keys
 sops -e -i ./$hostkey
 sops -e -i ./$initrdkey
+sops -e -i ./wg.private
 
 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -45,6 +48,9 @@ echo
 echo "Hier ist der age public key für sops etc:"
 echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
+echo "Hier ist der wireguard pubkey für das gerät"
+echo "$publickey"
+echo 
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
 

scripts/remote-install-encrypt.sh

@@ -40,7 +40,9 @@ trap cleanup EXIT
 
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/etc/wireguard/"
 
+##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
 diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
 
@@ -48,6 +50,7 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
 
 sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 
+sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
 chmod 600 "$temp/etc/ssh/initrd"

scripts/unlock-boot.sh

@@ -24,14 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
 echo
 if [ $# = 1 ]
     then
-    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$hostname-initrd "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
     echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
 
 elif [ $# = 2 ]
     then
     ip=$2
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
+    ssh $sshoptions root@$ip "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted" 
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
     
 else
     echo