[user module] add backup usr

2025-03-11 18:19:26 +01:00
21 changed files with 79 additions and 5154 deletions
--- a/doc/src/anleitung/create.md
+++ b/doc/src/anleitung/create.md
@@ -1,19 +1,47 @@
-# Create host with nixos-anywhere
+# Create host with disko-install
-We use a nixos-anywhere wrapper script to deploy new hosts.
+How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
-The wrapper script takes care of copying persistent host keys before calling nixos-anywhere.
+---
-
+Here are the exact steps to get bakunin running:  
-To accomplish that boot the host from a nixos image and setup a root password.
+First create machines/hostname/configuration.nix  
 Add hosts nixosConfiguration in machines/configurations.nix  
 Boot nixos installer on the Machine.  
 ``` bash
-sudo su
+# establish network connection
-passwd
+wpa_passphrase "network" "password" > wpa.conf
-```
+wpa_supplicant -B -i wlp3s0 -c wpa.conf
 ping 8.8.8.8
 # if that works continue
-After that get the hosts ip using `ip a` and start deployment from your own machine:
+# generate a base hardware config
 nixos-generate-config --root /tmp/config --no-filesystems
-``` bash
+# get the infra repo
-# from infrastrucutre repository root dir:
+nix-shell -p git
-nix develop .#
+git clone https://git.dynamicdiscord.de/kalipso/infrastructure
-remote-install hostname 10.0.42.23
+cd infrastructure
 # add the new generated hardware config (and import in hosts configuration.nix)
 cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
 # check which harddrive we want to install the system on
 lsblk #choose harddrive, in this case /dev/sda
 # run nixos-install on that harddrive
 sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
 # this failed with out of memory
 # running again showed: no disk left on device
 # it seems the usb stick i used for flashing is way to small
 # it is only 
 # with a bigger one (more than 8 gig i guess) it should work
 # instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
 # for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
 sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
 # failed with no space left on device.
 # problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
 # it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
 ```
 # Testing Disko
@@ -21,3 +49,18 @@ Testing disko partitioning is working quite well. Just run the following and che
 ```bash
 nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
 ```
 Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
 ```nix
 datasets = {
  encrypted = {
    options = {
      encryption = "aes-256-gcm"; #THIS ONE
      keyformat = "passphrase"; #THIS ONE
      keylocation = "file:///tmp/root.key"; #THIS ONE
    };
    # use this to read the key during boot
     postCreateHook = '' #THIS ONE 
       zfs set keylocation="prompt" "zroot/$name"; #THIS ONE 
     ''; #THIS ONE 
 ```
--- a/flake.lock
+++ b/flake.lock
@@ -235,8 +235,7 @@
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix",
        "tasklist": "tasklist",
-        "utils": "utils_3",
+        "utils": "utils_3"
        "zineshop": "zineshop"
      }
    },
    "sops-nix": {
@@ -335,21 +334,6 @@
        "type": "github"
      }
    },
    "systems_5": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tasklist": {
      "inputs": {
        "nixpkgs": [
@@ -357,11 +341,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743458889,
+        "lastModified": 1737548421,
-        "narHash": "sha256-eVTtsCPio3Wj/g/gvKTsyjh90vrNsmgjzXK9jMfcboM=",
+        "narHash": "sha256-gmlqJdC+v86vXc2yMhiza1mvsqh3vMfrEsiw+tV5MXg=",
        "ref": "refs/heads/master",
-        "rev": "b61466549e2687628516aa1f9ba73f251935773a",
+        "rev": "c5fff78c83959841ac724980a13597dcfa6dc26d",
-        "revCount": 30,
+        "revCount": 29,
        "type": "git",
        "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
      },
@@ -423,45 +407,6 @@
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "utils_4": {
      "inputs": {
        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "zineshop": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": "utils_4"
      },
      "locked": {
        "lastModified": 1744626173,
        "narHash": "sha256-DSuLVFGvmMUoStIs5ar4CLE8eD2dlFPUmPC7CODauts=",
        "ref": "refs/heads/master",
        "rev": "19ce41aca7d92bc8e02f97e7bdbca7ac7ba64090",
        "revCount": 103,
        "type": "git",
        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
      },
      "original": {
        "type": "git",
        "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -22,11 +22,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    zineshop = {
      url = "git+https://git.dynamicdiscord.de/kalipso/zineshop";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ep3-bs = {
      url = "git+https://git.dynamicdiscord.de/kalipso/ep3-bs.nix";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/machines/durruti/host_config.nix
+++ b/machines/durruti/host_config.nix
@@ -73,17 +73,6 @@ in
      };
    };
    services.nginx.virtualHosts."shop.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
      locations."/" = {
        proxyPass = "http://10.0.0.10";
        extraConfig = ''
        '';
      };
    };
    services.nginx.virtualHosts."status.malobeo.org" = {
      forceSSL = true;
      enableACME= true;
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -5,7 +5,6 @@ in
 {
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets.wg_private = {};
  sops.secrets.shop_auth = {};
  imports =
    [ # Include the results of the hardware scan.
@@ -19,7 +18,6 @@ in
      inputs.self.nixosModules.malobeo.microvm
      inputs.self.nixosModules.malobeo.metrics
      inputs.self.nixosModules.malobeo.users
      inputs.self.nixosModules.malobeo.backup
    ];
    virtualisation.vmVariantWithDisko = {
@@ -44,11 +42,6 @@ in
    cacheurl = "https://cache.dynamicdiscord.de";
  };
  malobeo.backup = {
    enable = true;
    snapshots = [ "storage/encrypted" "zroot/encrypted/var" ];
  };
  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];
    #always update microvms
@@ -60,7 +53,6 @@ in
  malobeo.users = {
    malobeo = true;
    admin = true;
    backup = true;
  };
  malobeo.disks = {
@@ -94,13 +86,7 @@ in
  };
  services.malobeo.microvm.enableHostBridge = true;
-  services.malobeo.microvm.deployHosts = [ 
+  services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ];
    "overwatch" 
    "infradocs" 
    "nextcloud" 
    "durruti" 
    "zineshop"
  ];
  networking = {
    nat = {
@@ -151,18 +137,6 @@ in
        '';
      };
    };
    virtualHosts."shop.malobeo.org" = {
      # created with: nix-shell --packages apacheHttpd --run 'htpasswd -B -c foo.txt malobeo'
      # then content of foo.txt put into sops
      basicAuthFile = config.sops.secrets.shop_auth.path;
      locations."/" = {
        proxyPass = "http://10.0.0.15:8080";
        extraConfig = ''
          proxy_set_header Host $host;
        '';
      };
    };
  };
  services.tor = {
--- a/machines/fanny/secrets.yaml
+++ b/machines/fanny/secrets.yaml
@@ -1,6 +1,4 @@
 wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
 shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str]
 shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -25,8 +23,8 @@ sops:
            QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP
            SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-14T10:34:55Z"
+    lastmodified: "2025-01-14T12:41:07Z"
-    mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str]
+    mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
    pgp:
        - created_at: "2025-02-11T18:32:49Z"
          enc: |-
@@ -67,4 +65,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.9.2
--- a/machines/hosts.nix
+++ b/machines/hosts.nix
@@ -67,14 +67,6 @@
        };
      };
      zineshop = {
        type = "microvm";
        network = {
          address = "10.0.0.15";
          mac = "D0:E5:CA:F0:D7:F1";
        };
      };
      testvm = {
        type = "host";
      };
--- a/machines/louise/configuration.nix
+++ b/machines/louise/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }:
+{ config, pkgs, ... }:
 {
  imports =
@@ -9,7 +9,6 @@
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
      inputs.self.nixosModules.malobeo.printing
    ];
  malobeo.autoUpdate = {
@@ -51,8 +50,6 @@
  };
  services.printing.enable = true;
  services.malobeo.printing.enable = true;
  services.printing.drivers = [
    (pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
    pkgs.gutenprint
--- a/machines/modules/KOC658UX.ppd
+++ b/machines/modules/KOC658UX.ppd
--- a/machines/modules/host_builder.nix
+++ b/machines/modules/host_builder.nix
@@ -195,7 +195,8 @@ rec {
  vmNestedMicroVMOverwrites = host: sopsDummy: {
-    microvm.vms = pkgs.lib.mkForce (
+    services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
    microvm.vms = 
    let
      # Map the values to each hostname to then generate an Attrset using listToAttrs
      mapperFunc = name: { inherit name; value = {
@@ -215,7 +216,7 @@ rec {
        };
      }; };
    in
-    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts));
+    builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
  };
  buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
--- a/machines/modules/malobeo/backup.nix
+++ b/machines/modules/malobeo/backup.nix
@@ -1,102 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let 
  cfg = config.malobeo.backup;
  hostToCommand = (hostname: datasetNames: 
    (map (dataset:  { 
      name = "${hostname}_${dataset.sourceDataset}";
      value = { 
        inherit hostname; 
        inherit (dataset) sourceDataset targetDataset;
      }; 
    } ) datasetNames));
  peers = import ./peers.nix;
  enableSnapshots = cfg.snapshots != null;
  enableBackups = cfg.hosts != null;
 in
 {
  options.malobeo.backup = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable sanoid/syncoid based backup functionality";
    };
    snapshots = mkOption {
      type = types.nullOr (types.listOf types.str);
      default = null;
      description = "Automatic snapshots will be created for the given datasets";
    };
    hosts = mkOption {
      default = null;
      type = types.nullOr (types.attrsOf (types.listOf (types.submodule {
        options = {
          sourceDataset = mkOption {
            type = types.str;
            description = "The source that needs to be backed up";
          };
          targetDataset = mkOption {
            type = types.str;
            description = "The target dataset where the backup should be stored";
          };
        };
      })));
      description = ''
          Hostname with list of datasets to backup. This option should be defined on hosts that will store backups.
          It is necessary to add the machines that get backed up to known hosts.
          This can be done for example systemwide using 
          programs.ssh.knownHosts."10.100.0.101" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc";
          Or set it for the syncoid user directly.
        '';
    };
    sshKey = mkOption {
      default = null;
      type = types.nullOr types.str;
      description = "Set path to ssh key used for pull backups. Otherwise default key is used";
    };
  };
  config = mkIf (cfg.enable) {
    services.sanoid = mkIf (enableSnapshots) {
      enable = true;
      templates."default" = {
        hourly = 24;
        daily = 30; #keep 30 daily snapshots
        monthly = 6; #keep 6 monthly backups
        yearly = 0;
        autosnap = true; #take snapshots automatically
        autoprune = true; #delete old snapshots
      };
      datasets = builtins.listToAttrs (map (name: { inherit name; value = {
        useTemplate = [ "default" ];
        recursive = true;
      }; }) cfg.snapshots);
    };
    services.syncoid = mkIf (enableBackups) {
      enable = true;
      sshKey = cfg.sshKey;
      commonArgs = [
        "--no-sync-snap"
      ];
      interval = "*-*-* 04:15:00";
      commands = builtins.mapAttrs (name: value: {
        source = "backup@${peers.${value.hostname}.address}:${value.sourceDataset}";
        target = "${value.targetDataset}";
        sendOptions = "w";
        recvOptions = "\"\"";
        recursive = true;
      })(builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs hostToCommand cfg.hosts))));
    };
  };
 }
--- a/machines/modules/malobeo/microvm_host.nix
+++ b/machines/modules/malobeo/microvm_host.nix
@@ -102,22 +102,6 @@ in
          /run/current-system/sw/bin/microvm -Ru ${name}
        '';
      };
      "microvm-init-dirs@${name}" = {
        description = "Initialize microvm directories";
        after = [ "zfs-mount.service" ];
        wantedBy = [ "microvm@${name}.service" ];
        unitConfig.ConditionPathExists = "!/var/lib/microvms/${name}/.is_initialized";
        serviceConfig = {
          Type = "oneshot";
        };
        script = ''
          mkdir -p /var/lib/microvms/${name}/var
          mkdir -p /var/lib/microvms/${name}/etc
          mkdir -p /var/lib/microvms/data/${name}
          touch /var/lib/microvms/${name}/.is_initialized
        '';
      };
    }) {} (cfg.deployHosts);
    systemd.timers = builtins.foldl' (timers: name: timers // {
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -2,7 +2,7 @@
  "vpn" = {
    role = "server";
    publicIp = "5.9.153.217";
-    address = "10.100.0.1";
+    address = [ "10.100.0.1/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    listenPort = 51821;
    publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -11,43 +11,36 @@
  "celine" = {
    role = "client";
-    address = "10.100.0.2";
+    address = [ "10.100.0.2/24" ];
    allowedIPs = [ "10.100.0.2/32" ];
    publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
  };
  "desktop" = {
    role = "client";
-    address = "10.100.0.3";
+    address = [ "10.100.0.3/24" ];
    allowedIPs = [ "10.100.0.3/32" ];
    publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
  };
  "atlan-pc" = {
    role = "client";
-    address = "10.100.0.5";
+    address = [ "10.100.0.5/24" ];
    allowedIPs = [ "10.100.0.5/32" ];
    publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
  };
  "hetzner" = {
    role = "client";
-    address = "10.100.0.6";
+    address = [ "10.100.0.6/24" ];
    allowedIPs = [ "10.100.0.6/32" ];
    publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
  };
  "fanny" = {
    role = "client";
-    address = "10.100.0.101";
+    address = [ "10.100.0.101/24" ];
    allowedIPs = [ "10.100.0.101/32" ];
    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
  };
  "backup0" = {
    role = "client";
    address = "10.100.0.20";
    allowedIPs = [ "10.100.0.20/32" ];
    publicKey = "Pp55Jg//jREzHdbbIqTXc9N7rnLZIFw904qh6NLrACE=";
  };
 }
--- a/machines/modules/malobeo/printing.nix
+++ b/machines/modules/malobeo/printing.nix
@@ -1,51 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let 
  cfg = config.services.malobeo.printing;
  driverFile = pkgs.writeTextDir "share/cups/model/konicaminoltac258.ppd" (builtins.readFile ../KOC658UX.ppd);
  defaultPpdOptions = {
    PageSize = "A4";
    SelectColor = "Grayscale";
    Finisher = "FS534";
    SaddleUnit = "SD511";
    Model = "C258";
    InputSlot = "Tray1";
  };
 in
 {
  options.services.malobeo.printing = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Setup malobeo printers";
    };
  };
  config = mkIf (cfg.enable) {
    services.printing.enable = true;
    services.printing.drivers = [
      driverFile
    ];
    hardware.printers.ensurePrinters = [ {
      name = "KonicaDefault";
      model = "konicaminoltac258.ppd";
      location = "Zine Workshop";
      deviceUri = "ipp://192.168.1.42/ipp";
      ppdOptions = defaultPpdOptions;
    }
    {
      name = "KonicaBooklet";
      model = "konicaminoltac258.ppd";
      location = "Zine Workshop";
      deviceUri = "ipp://192.168.1.42/ipp";
      ppdOptions = defaultPpdOptions // {
        Fold = "Stitch";
        Staple = "None";
      };
    }
  ];
  };
 }
--- a/machines/modules/malobeo/users.nix
+++ b/machines/modules/malobeo/users.nix
@@ -68,11 +68,7 @@ in
          users = [ "backup" ];
          commands = [
            {
-              command = "/run/current-system/sw/bin/zfs";
+              command = "${pkgs.zfs-user}/bin/zfs";
              options = [ "NOPASSWD" ];
            }
            {
              command = "/run/current-system/sw/bin/zpool";
              options = [ "NOPASSWD" ];
            }
          ];
@@ -98,4 +94,4 @@ in
      ];
    }
  ];
-}
+}
--- a/machines/modules/malobeo/wireguard.nix
+++ b/machines/modules/malobeo/wireguard.nix
@@ -70,7 +70,7 @@ in
      interfaces = {
        malovpn = {
          mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
-          address = [ "${myPeer.address}/24" ];
+          address = myPeer.address;
          autostart = cfg.autostart;
          listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
--- a/machines/nextcloud/configuration.nix
+++ b/machines/nextcloud/configuration.nix
@@ -47,7 +47,7 @@ with lib;
    };
    extraAppsEnable = true;
    extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls registration;
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls;
      collectives = pkgs.fetchNextcloudApp {
        sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
        url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
@@ -56,7 +56,6 @@ with lib;
    };
    settings = {
      trusted_domains = ["10.0.0.13"];
      trusted_proxies = [ "10.0.0.1" ];
      "maintenance_window_start" = "1";
      "default_phone_region" = "DE";
    };
--- a/machines/overwatch/configuration.nix
+++ b/machines/overwatch/configuration.nix
@@ -107,12 +107,6 @@ with lib;
          targets = [ "10.0.0.13:9002" ];
        }];
      }
      {
        job_name = "zineshop";
        static_configs = [{
          targets = [ "10.0.0.15:9002" ];
        }];
      }
      {
        job_name = "fanny";
        static_configs = [{
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
@@ -66,15 +66,6 @@ with lib;
        '';
      };
    };
    virtualHosts."shop.malobeo.org" = {
      locations."/" = {
        proxyPass = "http://10.100.0.101";
        extraConfig = ''
          proxy_set_header Host $host;
        '';
      };
    };
  };
  system.stateVersion = "22.11"; # Did you read the comment?
--- a/machines/zineshop/configuration.nix
+++ b/machines/zineshop/configuration.nix
@@ -1,34 +0,0 @@
 { self, config, lib, pkgs, inputs, ... }:
 with lib;
 {
  networking = {
    hostName = mkDefault "zineshop";
    useDHCP = false;
  };
  imports = [
    inputs.malobeo.nixosModules.malobeo.metrics
    inputs.malobeo.nixosModules.malobeo.printing
    inputs.zineshop.nixosModules.zineshop
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
  ];
  malobeo.metrics = {
    enable = true;
    enablePromtail = true;
    logNginx = true;
    lokiHost = "10.0.0.14";
  };
  services.printing.enable = true;
  services.malobeo.printing.enable = true;
  services.zineshop.enable = true;
  networking.firewall.allowedTCPPorts = [ 8080 ];
  system.stateVersion = "22.11"; # Did you read the comment?
 }
--- a/outputs.nix
+++ b/outputs.nix
@@ -116,8 +116,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
      metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
      disko.imports = [ ./machines/modules/disko ];
      users.imports = [ ./machines/modules/malobeo/users.nix ];
      backup.imports = [ ./machines/modules/malobeo/backup.nix ];
      printing.imports = [ ./machines/modules/malobeo/printing.nix ];
    };
    hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (