okarin: Migrate to different VPS

Previously, it was hosted on Ionos’s VMware-based infrastructure. I already had a VPS on their new KVM-based infrastructure, as I was planning to migrate okarin to it eventually (as it is cheaper). However, the new infrastructure does not offer PTR records for IPv6 addresses. Therefore, I was waiting until they would implement that feature (as the support promised me they would to in the near future). However, they are now migrating the (at least my) guests from their VMware hypervisors onto the KVM ones, assigning new IPv6 addresses to them. This makes the old VPS essentially the same as the old one, but with less memory and more expensive. So I decided to migrate now.
sbruder.xyz: Remove deprecated services
2024-04-17 12:40:46 +02:00 · 2024-04-16 23:40:39 +02:00 · 2024-04-16 23:40:37 +02:00 · 2024-04-14 17:24:11 +02:00 · 2024-04-13 12:23:36 +02:00 · 2024-04-13 12:09:36 +02:00
38 changed files with 428 additions and 407 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -15,7 +15,7 @@ keys:
  - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
  - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
  - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
-  - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+  - &okarin e7370b48016c961ef8ad792fda66b19d845b3156
  - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
  - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
  - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
--- a/README.md
+++ b/README.md
@ -143,3 +143,10 @@ so always consult the file header and other resources as specified in the REUSE
 Please note that those licensing terms only apply to the source files in this repository,
 not any build outputs, like system or package closures.
 They might be licensed differently, depending on their source.
+
+If you think you have a compelling reason
+why you should be able to use part of this repository under a more permissive license,
+please contact me,
+so we can figure something out.
+Please note, that I can only offer this for files that are solely authored by me,
+as I do not own the rights to other people’s code.
--- a/flake.lock
+++ b/flake.lock
@ -26,11 +26,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@ -44,11 +44,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
@ -65,11 +65,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
@ -85,11 +85,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704099619,
-        "narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=",
+        "lastModified": 1712386041,
+        "narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851",
+        "rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
        "type": "github"
      },
      "original": {
@ -106,11 +106,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704100519,
-        "narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
+        "lastModified": 1712989663,
+        "narHash": "sha256-r2X/DIAyKOLiHoncjcxUk1TENWDTTaigRBaY53Cts/w=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6e91c5df192395753d8e6d55a0352109cb559790",
+        "rev": "40ab43ae98cb3e6f07eaeaa3f3ed56d589da21b0",
        "type": "github"
      },
      "original": {
@ -215,11 +215,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1703939133,
-        "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=",
+        "lastModified": 1712897695,
+        "narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38",
+        "rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
        "type": "github"
      },
      "original": {
@ -231,11 +231,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1704124233,
-        "narHash": "sha256-lBHs/yUtkcGgapHRS31oOb5NqvnVrikvktGOW8rK+sE=",
+        "lastModified": 1712909959,
+        "narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "f752581d6723a10da7dfe843e917a3b5e4d8115a",
+        "rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
        "type": "github"
      },
      "original": {
@ -247,11 +247,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1703992652,
-        "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
+        "lastModified": 1712741485,
+        "narHash": "sha256-bCs0+MSTra80oXAsnM6Oq62WsirOIaijQ/BbUY59tR4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
+        "rev": "b2cf36f43f9ef2ded5711b30b1f393ac423d8f72",
        "type": "github"
      },
      "original": {
@ -275,11 +275,11 @@
        "poetry2nix": "poetry2nix"
      },
      "locked": {
-        "lastModified": 1704120598,
-        "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=",
+        "lastModified": 1712934106,
+        "narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=",
        "ref": "refs/heads/master",
-        "rev": "32ef4fd545a29cdcb2613934525b97470818b42e",
-        "revCount": 65,
+        "rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8",
+        "revCount": 66,
        "type": "git",
        "url": "https://git.sbruder.de/simon/nixpkgs-overlay"
      },
@ -290,43 +290,43 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1685801374,
-        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.05",
+        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1703950681,
-        "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
+        "lastModified": 1712437997,
+        "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
+        "rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1703961334,
-        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
+        "lastModified": 1712791164,
+        "narHash": "sha256-3sbWO1mbpWsLepZGbWaMovSO7ndZeFqDSdX0hZ9nVyw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
+        "rev": "1042fd8b148a9105f3c0aca3a6177fd1d9360ba5",
        "type": "github"
      },
      "original": {
@ -453,11 +453,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1703991717,
-        "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
+        "lastModified": 1712617241,
+        "narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
+        "rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
        "type": "github"
      },
      "original": {
--- a/keys/machines/okarin.asc
+++ b/keys/machines/okarin.asc
@ -1,28 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----

-xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg
-Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT
-ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG
-jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw
-KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1
-NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7
-jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr
-YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF
-a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD
-uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr
-/EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB
+xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC
+Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG
+twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT
+cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4
+va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9
+vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h
+5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0
+HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE
+ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS
+0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+
+TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG
-yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR
-Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf
-K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN
-DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi
-xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt
-CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4
-RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn
-xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP
-Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn
-rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0
-MsxjN+we2woCXG5SJGYOyA==
-=UTw1
+AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR
+O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1
+B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn
+uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C
+3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0
+t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4
+fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV
+qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt
+uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw
+2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT
+TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU
+NxR1Jvm5bnGfUcnNlzoB4Q==
+=6o0h
 -----END PGP PUBLIC KEY BLOCK-----
--- a/keys/users/simon.asc
+++ b/keys/users/simon.asc
@ -5,67 +5,39 @@ EKpaQ5+0H1NpbW9uIEJydWRlciA8c2ltb25Ac2JydWRlci5kZT6InAQTFgoARAIb
 AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm
 K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/
 Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE
-B0JHBIkCMwQQAQoAHRYhBEfnVZ4DejVlLbv4qo08gvnzCfjsBQJlrZp3AAoJEI08
-gvnzCfjsE2IP/RZoV3xvTi9ks5mpClnxdofGR4r2IVFw8TMQLSFfAHAtEJQ+R8fx
-0Yk+yoBNjt6JFKsvVVyVTZsK5cZcECSaX8E5gAYIB0+5S7TAC+DL9lDhWqhJnvOk
-5nWIM6gdey6H4lmwjMQT9deWFBlHI/4+eEv65B2tlPZH7x2EbXywe5TgAmCAuXBI
-7YOCebPh66n0ezJkw0SkEmz5+yMfj/vQNQxvRUpGpMEPDAUvIWEJ+Mb1XRuSZlYy
-Z8fNh0lMuvDf/GAwoFLiQM8ToprYT1vVnZ+IzEHkjYA1/nDTj1rDxiFCz+FCc+/k
-+7fjbtbmX1rSLu90jQZx3h0JEb9t4Zd0X9aOstVnqTi9pMWWyFcUgA71+21VqbIQ
-LccjaPZ0YK75on5YaD5ZmtHAl5ZD1VIXL0vnyN/XQYa4GUiN0qVwdG9QSEEe8gu8
-jjAWClU8BroyOtWamOlQWs/RPZsg1G5Nv5KcPJbw67sWzJZYvJhytRMg9yMWM/uC
-uSC30u/gA49YP2N32XsxwFo8LAUrqn22/WdgcR1NIhHDjzT4SWSTS/ec5lSB998e
-xw+41h4hDHwZn75HYi89FytjS0Sc8C4b2GPw8eqbhKHKMlPKJah2enFXkR85AZJ1
-wJGGhHhUS1mZ9e5SbY5ugtYj8v3Q3RMf47pqSHsO1Z9ojWBpAYforhTEtDFTaW1v
-biBCcnVkZXIgPHNpbW9uLmJydWRlckBtYWlsYm94LnR1LWRyZXNkZW4uZGU+iJkE
-ExYKAEEWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13bQIbAQUJA8JnAAULCQgH
-AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCxoLSkWIWgMZSoAQC+oKNXUW2Lm/pe
-kUVf9hTfXrS/gZjAPW9J00lNMV+beQEA7eG7fR5wzetZl/RImYLGLNNxIkg4SeDT
-Pf26Tvk9XgyJAjMEEAEKAB0WIQRH51WeA3o1ZS27+KqNPIL58wn47AUCZa2afQAK
-CRCNPIL58wn47JgND/0aTHhLlT7QGE9O6RV1kS81YeiQD5UvrJcYh9/wb7plXV/R
-+AJ9QUxnw9SKeyyFGjwQeWIkkdJccq8ov5ekz++ErCsFlQtvhzNMa+ZRRJ5XG1m9
-dyFUKAvZ9vo5EnYOTO72l3TEel4L3V5t6qeUGdJQoVBC3cmLHJ7Vs92cTrmrQnF6
-JXVgoj41iSmgnHdf8l0rsHc4/ODYDpZpOQjQj24Teb6Hj8jkjhNejGm6Ackcy6UF
-KIX4ZDQD2k9SlxDt2LGLjF2rHar4NFYNJwgzO1tMazjTDAV1J9zx44NFaC1dm4oj
-0Nz/xSYyyYyBoeqIG29qZrmWj5yIee64I+POX5REuLvf//64atEAkvODqg8ZhrXB
-Jd7BTtsRpUkkzwBv/ZHYJyEwLrUKLXpyx6GejksJ4fX4ftyWAgUOkDI06WI4WnQl
-WzTOqIWwbub3M53F8eOGvXLUd6PD3p8ARiCFG+5cqRimmd3WZ5g0C9YWnuKRAOrT
-mrquAFhAeaanp+MRihB9d0nj5Lfx3mtfLAWDHYTj+yXL7de1xJ8p2D4WekJJ9NRJ
-f8b9d+wswth/1NV/ly64J7aiGpVzE+WcpNGl9pcsisSiXOCGJatPvrl9h6vgU+Oj
-2HhE5vf9WmvHxkUwut1Tw2cw5KoukugDZWos8AZ671QebmfnebDUsmSfhkOymbgz
-BGWtd5kWCSsGAQQB2kcPAQEHQNbLdlJZfKhMRcRQUuGbQMQj+GtMr2p8vIX3JUQ7
-jNltiPUEGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13mQIbAgUJA8Jn
-AACBCRCxoLSkWIWgMXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWt
-d5kACgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaA
-jGEBAPtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sH8p0A/j2fQV8DVJsn
-fnyFdmEIS14LaLyBTQ411CLkOVI4l5yBAP0Xue1JzV1Spm8Ib5rbAB5l2Q39xwsZ
-IkGsiN85Wq7cA4j1BBgWCgAmAhsCFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWu
-53YFCQHio10AgXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWtd5kA
-CgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaAjGEB
-APtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sHCRCxoLSkWIWgMbaZAPwI
-xTyJqS+Jkc0OylTadktVGnlFYEa1t6qKrb4pRjOAIQD9ERVIB3SSzsNpVXG0djhy
-f+g3vpB5fdFdQC99OyI8PQK4OARlrXfCEgorBgEEAZdVAQUBAQdALPq5WxjDWC8p
-wx+ah8a8ry6/i34+wvQ3qOWs+1j9C3YDAQgHiH4EGBYKACYWIQTUihrKsc29FwFR
-ZiuxoLSkWIWgMQUCZa13wgIbDAUJA8JnAAAKCRCxoLSkWIWgMV9XAQDuKPEU5LHt
-GF0T1eo18OT4aXizqy17bSPQxbcn6MApNwEAtST8XQ5gki8TqeNQi5mXPjAUokcO
-m6uwogm73VCPOgW4MwRlrXgmFgkrBgEEAdpHDwEBB0BNSrEdKYMC34Wz/wQ3sm+w
-i5yKm1omkudkClDmC7YqB4h+BBgWCgAmFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEF
-AmWteCYCGyAFCQHhM4AACgkQsaC0pFiFoDEwGgEA3uVUei5Y8u47o008cvx9dgb7
-0sWsh9Wf/O0QobCE6SEBANybL7eIdVo7gk/Po0lyiNnPIOmef9Hi6p1JUnWo3LcF
-uDgEZa147hIKKwYBBAGXVQEFAQEHQNUPZBqZtKL0ddaYG2wUN/vkuuMlrlZOfWbL
-pJVI4NphAwEIB4h1BBgWCgAnFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWteO4D
-GwAEBQkB4TOAAAADxQEA+NbhkOn4hMn3P+/tov7At0jQJjjDYj4tg/9VW1SvwkcB
-AJEXPOQFLPYhegwq5G+lwlEsxE9LmBMBusML/3p4ZUYEuDMEZa18NBYJKwYBBAHa
-Rw8BAQdA62nilshWONc3snbvv6mbkTLMhBUPloemiLjknU81UIuIfgQYFgoAJhYh
-BNSKGsqxzb0XAVFmK7GgtKRYhaAxBQJlrXw0AhsgBQkB4TOAAAoJELGgtKRYhaAx
-F5wBALp/P2c+FV7WdwnI2f9zZFxmtrSwRbDPBGJ6bvCJ45QaAQCEQ4nF0Qxs2/qb
-DiRJ0ucWYLlUK9MR4tAXu7E/fsAPCrg4BGWte5MSCisGAQQBl1UBBQEBB0BvaxmN
-FsORwLciFERl9SldHn3fUXRyyrkDqVM1IfJyVwMBCAeIdQQYFgoAJxYhBNSKGsqx
-zb0XAVFmK7GgtKRYhaAxBQJlrXuTAxsABAUJAeEzgAAAxJ4BALCSE6rEiOwgnkMG
-DJtDgdO7nbLciQJWfH6KRx5/wMyjAQCADkDdpJfzH36nfi3plfV1uAi1ZhLVrZu+
-qUSS9QGfBrgzBGWtfzIWCSsGAQQB2kcPAQEHQPfsufQIdFzWK1B1uelCzt8XJaou
-blRPn1gjZvumSEr+iH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa1/
-MgIbIAUJA8JnAAAKCRCxoLSkWIWgMVomAQCa2marlCeyEQQcOz3IFPFYCeth8+e/
-I6LgogPoVslMjQEA82iFX5eIFtAqaYqtZvm6LQFc0hI8JiQfpHt/FpxqNQI=
-=1z2B
+B0JHBLQxU2ltb24gQnJ1ZGVyIDxzaW1vbi5icnVkZXJAbWFpbGJveC50dS1kcmVz
+ZGVuLmRlPoiZBBMWCgBBFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd20CGwEF
+CQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQsaC0pFiFoDGUqAEA
+vqCjV1Fti5v6XpFFX/YU3160v4GYwD1vSdNJTTFfm3kBAO3hu30ecM3rWZf0SJmC
+xizTcSJIOEng0z39uk75PV4MuDMEZa13mRYJKwYBBAHaRw8BAQdA1st2Ull8qExF
+xFBS4ZtAxCP4a0yvany8hfclRDuM2W2I9QQYFgoAJgIbAhYhBNSKGsqxzb0XAVFm
+K7GgtKRYhaAxBQJlrud2BQkB4qNdAIF2IAQZFgoAHRYhBF8781AR60Ih56rcrDR/
+Gmc2gd2BQJlrXeZAAoJEDR/+Gmc2gd2WGkA/1q7AL8NUkvEOXRXOdHUhFkC2AXp
+V9deFHxrszMWgIxhAQD7QPihv5Cm8SPkClDMeKFnGwlMpeZNM/XYn5FqyLPrBwkQ
+saC0pFiFoDG2mQD8CMU8iakviZHNDspU2nZLVRp5RWBGtbeqiq2+KUYzgCEA/REV
+SAd0ks7DaVVxtHY4cn/oN76QeX3RXUAvfTsiPD0CuDgEZa13whIKKwYBBAGXVQEF
+AQEHQCz6uVsYw1gvKcMfmofGvK8uv4t+PsL0N6jlrPtY/Qt2AwEIB4h+BBgWCgAm
+FiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd8ICGwwFCQPCZwAACgkQsaC0pFiF
+oDFfVwEA7ijxFOSx7RhdE9XqNfDk+Gl4s6ste20j0MW3J+jAKTcBALUk/F0OYJIv
+E6njUIuZlz4wFKJHDpursKIJu91QjzoFuDMEZa14JhYJKwYBBAHaRw8BAQdATUqx
+HSmDAt+Fs/8EN7JvsIuciptaJpLnZApQ5gu2KgeIfgQYFgoAJhYhBNSKGsqxzb0X
+AVFmK7GgtKRYhaAxBQJlrXgmAhsgBQkB4TOAAAoJELGgtKRYhaAxMBoBAN7lVHou
+WPLuO6NNPHL8fXYG+9LFrIfVn/ztEKGwhOkhAQDcmy+3iHVaO4JPz6NJcojZzyDp
+nn/R4uqdSVJ1qNy3Bbg4BGWteO4SCisGAQQBl1UBBQEBB0DVD2QambSi9HXWmBts
+FDf75LrjJa5WTn1my6SVSODaYQMBCAeIdQQYFgoAJxYhBNSKGsqxzb0XAVFmK7Gg
+tKRYhaAxBQJlrXjuAxsABAUJAeEzgAAAA8UBAPjW4ZDp+ITJ9z/v7aL+wLdI0CY4
+w2I+LYP/VVtUr8JHAQCRFzzkBSz2IXoMKuRvpcJRLMRPS5gTAbrDC/96eGVGBLgz
+BGWtfDQWCSsGAQQB2kcPAQEHQOtp4pbIVjjXN7J277+pm5EyzIQVD5aHpoi45J1P
+NVCLiH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa18NAIbIAUJAeEz
+gAAKCRCxoLSkWIWgMRecAQC6fz9nPhVe1ncJyNn/c2RcZra0sEWwzwRiem7wieOU
+GgEAhEOJxdEMbNv6mw4kSdLnFmC5VCvTEeLQF7uxP37ADwq4OARlrXuTEgorBgEE
+AZdVAQUBAQdAb2sZjRbDkcC3IhREZfUpXR5931F0csq5A6lTNSHyclcDAQgHiHUE
+GBYKACcWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa17kwMbAAQFCQHhM4AAAMSe
+AQCwkhOqxIjsIJ5DBgybQ4HTu52y3IkCVnx+ikcef8DMowEAgA5A3aSX8x9+p34t
+6ZX1dbgItWYS1a2bvqlEkvUBnwa4MwRlrX8yFgkrBgEEAdpHDwEBB0D37Ln0CHRc
+1itQdbnpQs7fFyWqLm5UT59YI2b7pkhK/oh+BBgWCgAmFiEE1IoayrHNvRcBUWYr
+saC0pFiFoDEFAmWtfzICGyAFCQPCZwAACgkQsaC0pFiFoDFaJgEAmtpmq5QnshEE
+HDs9yBTxWAnrYfPnvyOi4KID6FbJTI0BAPNohV+XiBbQKmmKrWb5ui0BXNISPCYk
+H6R7fxacajUC
+=361S
 -----END PGP PUBLIC KEY BLOCK-----
--- a/machines/okarin/README.md
+++ b/machines/okarin/README.md
@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>

 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0

 ## Hardware

-[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD).
+[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).

 ## Purpose

@ -22,32 +22,50 @@ Okabe Rintaro is a mad scientist from *Steins;Gate*

 Much like the namesake,
 this server requires a “mad scientist” approach to set up.
+However, it is much easier than setting up its predecessor,
+which had just above 400 MiB usable memory.

 Ionos does not offer any NixOS installation media.
-I could only choose between a Debian installation media, Knoppix and GParted.
-Also, installing with a very low amount of memory is quite hard.
+I could only choose between various installation media and rescue systems.
+Also, installing NixOS with a low amount of memory is problematic.

 I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
 On there, I installed NixOS.
-Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
-What I settled on was
-`cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
+Because encryption with `argon2id` as PBKDF is quite memory intensive,
+I had to tune the parameters to ensure decryption was still possible on the target.
+This can be done quite easily by interactively running the following command on the build VM:

-To make btrfs use its SSD optimizations,
-I had to force the kernel to see the device as non-rotational:
-`echo 0 > /sys/block/dm-0/queue/rotational`
+    cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3

-Another problem was the usage of VMware by Ionos.
-The VM I set this up with was obviously using KVM/QEMU,
-so it needed different kernel modules at boot.
-What worked was setting it up in the local VM with both libvirt and vmware modules,
-and then removing the libvirt modules once it was installed on the target.
+The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.
+
+However, since those parameters are not ideal,
+the following should later be run on the target host itself:
+
+    cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
+
+This will determine the memory usage automatically,
+use one thread
+and set the parameters so that decryption takes 10 seconds (10000 ms).
+The memory usage will not be as high as it could,
+but it will be better.

 Getting the disk image onto the server was done
 by first `rsync`ing the image to another server (to allow for incremental iterations),
 which then provided it via HTTP.
-Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui),
-it was possible to just `curl http://server/okarin.img > /dev/sda`.
+Using the Debian installation media in rescue mode
+(as for some reason most other options tried to cache the file in memory and became very slow)
+it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.

 Because of all the pitfalls of this,
 you probably need more than one try.
+To make debugging easier on the target, the following option can be set:
+```nix
+{ pkgs, ... }:
+
+{
+  boot.initrd.preLVMCommands = ''
+    ${pkgs.bashInteractive}/bin/bash
+  '';
+}
+```
--- a/machines/okarin/configuration.nix
+++ b/machines/okarin/configuration.nix
@ -9,7 +9,6 @@
    ./hardware-configuration.nix
    ../../modules

-    ./services/static-sites.nix
    ./services/proxy.nix
  ];

@ -22,7 +21,7 @@

  networking.hostName = "okarin";

-  system.stateVersion = "22.11";
+  system.stateVersion = "23.11";

  networking.firewall.allowedTCPPorts = [
    80
--- a/machines/okarin/hardware-configuration.nix
+++ b/machines/okarin/hardware-configuration.nix
@ -5,6 +5,10 @@
 { lib, modulesPath, ... }:

 {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
  sbruder.machine.isVm = true;

  boot = {
@ -12,41 +16,34 @@
    extraModulePackages = [ ];
    kernelParams = [ "ip=dhcp" ];
    initrd = {
-      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ];
-      kernelModules = [ "dm-snapshot" "vmw_balloon" ];
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+      kernelModules = [ ];
      network = {
        enable = true; # remote unlocking
        # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
        # this works around this, but is arguably quite hacky
        postCommands = ''
-          ip route add 10.255.255.1 dev eth0
-          ip route add default via 10.255.255.1 dev eth0
+          ip route add 85.215.165.1 dev eth0
+          ip route add default via 85.215.165.1 dev eth0
        '';
      };
-      luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267";
+      luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
    };
-    loader.grub.device = "/dev/sda";
+    loader.grub.device = "/dev/vda";
  };

  fileSystems = {
    "/" = {
-      device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41";
+      device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
      fsType = "btrfs";
-      options = [ "compress=zstd" "discard" "noatime" ];
+      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
    };
    "/boot" = {
-      device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518";
+      device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
      fsType = "ext2";
    };
  };

-  swapDevices = [
-    {
-      device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079";
-      randomEncryption.enable = true;
-    }
-  ];
-
  zramSwap = {
    enable = true;
    memoryPercent = 150;
@ -63,11 +60,6 @@
        name = "eth0";
        DHCP = "yes";
        domains = [ "sbruder.de" ];
-        address = [ "2001:8d8:1800:8627::1/64" ];
-        gateway = [ "fe80::1" ];
-        networkConfig = {
-          IPv6AcceptRA = "no";
-        };
      };
    };
  };
--- a/machines/okarin/secrets.yaml
+++ b/machines/okarin/secrets.yaml
@ -1,80 +1,80 @@
-wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str]
+wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-05-06T08:49:32Z"
-    mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str]
+    lastmodified: "2023-12-25T22:06:33Z"
+    mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str]
    pgp:
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw
-            faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6
-            hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w
-            aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1
-            hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w
-            RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0
-            1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE
-            zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2
-            PWZwSFBCZEg=
-            =r7sK
+            hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw
+            ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA
+            hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw
+            +ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB
+            hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw
+            I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/
+            1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf
+            1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/
+            hRlLbnUDE1Q=
+            =ol1Y
            -----END PGP MESSAGE-----
          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw
-            zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709
-            hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw
-            f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz
-            hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw
-            Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI
-            1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/
-            aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V
-            B8h2L/JR7Yo=
-            =/wMt
+            hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw
+            VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU
+            hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow
+            rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1
+            hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw
+            xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV
+            1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG
+            Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk
+            G+tyNMgCYhM=
+            =2QnY
            -----END PGP MESSAGE-----
          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww
-            uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc
-            hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw
-            zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP
-            hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw
-            mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817
-            1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL
-            8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S
-            Gzwk8dC0wdc=
-            =BWUr
+            hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw
+            SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo
+            hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww
+            wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8
+            hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw
+            3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc
+            1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh
+            AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H
+            VOK1Bc67BzU=
+            =3z3V
            -----END PGP MESSAGE-----
          fp: 403215E0F99D2582C7055C512C77841620B8F380
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B
-            lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp
-            jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0
-            ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq
-            tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ
-            T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb
-            YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2
-            qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T
-            nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R
-            LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al
-            a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS
-            VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd
-            QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6
-            =sy/X
+            hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v
+            z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo
+            w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO
+            DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n
+            7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e
+            7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN
+            Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt
+            4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b
+            5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl
+            auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3
+            pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS
+            VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R
+            da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB
+            =F0pC
            -----END PGP MESSAGE-----
-          fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+          fp: e7370b48016c961ef8ad792fda66b19d845b3156
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
--- a/machines/okarin/services/proxy.nix
+++ b/machines/okarin/services/proxy.nix
@ -6,9 +6,7 @@
 let
  proxyMap = {
    "sbruder.xyz" = "renge";
-    "nitter.sbruder.xyz" = "renge";
    "iv.sbruder.xyz" = "renge";
-    "libreddit.sbruder.xyz" = "renge";
  };
 in
 {
--- a/machines/okarin/services/static-sites.nix
+++ b/machines/okarin/services/static-sites.nix
@ -1,20 +0,0 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, ... }:
-
-{
-  sbruder.static-webserver.vhosts = {
-    "maggus.bayern".user = {
-      name = "maggus";
-      keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
-      ] ++ config.sbruder.pubkeys.trustedKeys;
-    };
-    "arbeitskampf.work".user = {
-      name = "arbeitskampf";
-    };
-  };
-}
--- a/machines/renge/configuration.nix
+++ b/machines/renge/configuration.nix
@ -33,6 +33,9 @@
    };
    wireguard.home.enable = true;
    infovhost.enable = true;
+    wkd = {
+      enable = true;
+    };
  };

  networking.hostName = "renge";
--- a/machines/renge/services/prometheus.nix
+++ b/machines/renge/services/prometheus.nix
@ -136,8 +136,10 @@ in
      {
        job_name = "knot";
        static_configs = mkStaticTargets [
-          "okarin.vpn.sbruder.de:9433"
          "vueko.vpn.sbruder.de:9433"
+          "renge.vpn.sbruder.de:9433"
+          "okarin.vpn.sbruder.de:9433"
+          "yuzuru.vpn.sbruder.de:9433"
        ];
        relabel_configs = lib.singleton {
          target_label = "instance";
--- a/machines/renge/services/sbruder.xyz/default.nix
+++ b/machines/renge/services/sbruder.xyz/default.nix
@ -3,11 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later

 { config, pkgs, ... }:
-let
-  goneVhost = {
-    locations."~ .*".return = "303 'https://sbruder.xyz/#history'";
-  };
-in
+
 {
  imports = [
    ./blocks.nix
@ -58,7 +54,4 @@ in
      };
    };
  };
-
-  services.nginx.virtualHosts."nitter.sbruder.xyz" = goneVhost;
-  services.nginx.virtualHosts."libreddit.sbruder.xyz" = goneVhost;
 }
--- a/machines/shinobu/configuration.nix
+++ b/machines/shinobu/configuration.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -9,6 +9,7 @@
    ../../modules

    ./services/co2_exporter.nix
+    ./services/ntp.nix
    ./services/router
    ./services/snmp-exporter.nix
    ./services/wordclock-dimmer.nix
--- a/machines/shinobu/services/ntp.nix
+++ b/machines/shinobu/services/ntp.nix
@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{
+  services.ntp = {
+    enable = true;
+  };
+
+  networking.firewall.allowedUDPPorts = [ 123 ];
+}
--- a/machines/shinobu/services/router/dnsmasq.nix
+++ b/machines/shinobu/services/router/dnsmasq.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -41,16 +41,16 @@ in
        cfg.vlan);
      dhcp-option = lib.flatten (lib.mapAttrsToList
        (name: { subnet, ... }: [
+          # Gateway
          "tag:br-${name},option:router,${subnet.v4.gateway}"
          "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
+
+          # NTP server (runs on gateway)
+          "tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
+          "tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
        ])
        cfg.vlan);

-      nftset = [
-        "/pool.ntp.org/4#inet#filter#iot_ntp4"
-        "/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
-      ];
-
      server = [
        "127.0.0.1#5053"
      ];
--- a/machines/shinobu/services/router/rules.nft
+++ b/machines/shinobu/services/router/rules.nft
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -7,16 +7,6 @@ define PHYSICAL_WAN = "enp1s0"
 define NAT_WAN_IFACES = { $PHYSICAL_WAN }

 table inet filter {
-	# These two sets are dynamically managed by dnsmasq
-	set iot_ntp4 {
-		type ipv4_addr
-		comment "IPv4 addresses of resolved NTP servers"
-	}
-	set iot_ntp6 {
-		type ipv6_addr
-		comment "IPv6 addresses of resolved NTP servers"
-	}
-
 	chain forward {
 		type filter hook forward priority filter; policy drop

@ -31,8 +21,6 @@ table inet filter {
 		iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
 		iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept

-		iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
-		iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
 		iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
 	}
 }
--- a/machines/vueko/secrets/mail-users.nix
+++ b/machines/vueko/secrets/mail-users.nix
--- a/machines/yuzuru/services/static-sites.nix
+++ b/machines/yuzuru/services/static-sites.nix
@ -1,7 +1,9 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

+{ config, ... }:
+
 {
  services.nginx.virtualHosts = {
    "brennende.autos" = {
@ -19,9 +21,34 @@
  };

  sbruder.static-webserver.vhosts = {
+    "arbeitskampf.work".user = {
+      name = "arbeitskampf";
+    };
+
+    "maggus.bayern".user = {
+      name = "maggus";
+      keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
+      ] ++ config.sbruder.pubkeys.trustedKeys;
+    };
+
    "psycho-power-papagei.de" = {
      user.name = "papagei";
      imprint.enable = true;
    };
+
+    "salespointframework.org" = {
+      redirects = [
+        "www.salespointframework.org"
+        "salespointframe.work"
+        "www.salespointframe.work"
+        "verkaufspunktrahmenwerk.de"
+        "www.verkaufspunktrahmenwerk.de"
+        "verkaufspuntrahmenwerk.de"
+        "www.verkaufspuntrahmenwerk.de"
+      ];
+      user.name = "salespoint";
+    };
  };
 }
--- a/modules/authoritative-dns.nix
+++ b/modules/authoritative-dns.nix
@ -7,14 +7,16 @@ let
  cfg = config.sbruder.knot;

  primaryHost = "vueko";
-  secondaryHosts = [ "okarin" ];
+  secondaryHosts = [ "renge" "okarin" "yuzuru" ];

  isPrimaryHost = config.networking.hostName == primaryHost;
  isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;

  addresses = {
    vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
-    okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
+    renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ];
+    okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ];
+    yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
  };
 in
 {
@ -65,12 +67,7 @@ in
              id = host;
              address = hostAddresses;
            })
-            addresses) ++ lib.optional isPrimaryHost {
-            id = "inwx";
-            # INWX only allows the specification of one primary DNS,
-            # which limits the IP protocol usable for zone transfers to one.
-            address = lib.singleton "185.181.104.96";
-          };
+            addresses);
        }
        (lib.mkIf isPrimaryHost {
          policy = lib.singleton {
@ -88,7 +85,7 @@ in
              zonefile-load = "difference-no-serial";
              journal-content = "all";
              # secondary
-              notify = [ "inwx" ] ++ secondaryHosts;
+              notify = secondaryHosts;
              # dnssec
              dnssec-signing = true;
              dnssec-policy = "default";
--- a/modules/default.nix
+++ b/modules/default.nix
@ -35,6 +35,7 @@
    ./cups.nix
    ./docker.nix
    ./fancontrol.nix
+    ./flatpak.nix
    ./fonts.nix
    ./games.nix
    ./grub.nix
@ -67,6 +68,7 @@
    ./udev.nix
    ./unfree.nix
    ./wireguard
+    ./wkd
  ];

  config = lib.mkMerge [
@ -165,5 +167,15 @@
    (lib.mkIf (!config.sbruder.full) {
      documentation.enable = lib.mkDefault false;
    })
+    (lib.mkIf (config.services.resolved.enable) {
+      # With NixOS’s default database order for hosts,
+      # resolving the FQDN with hostname -f always returns “localhost”
+      # when resolved is enabled.
+      # This changes the priority of the files database,
+      # which fixes this.
+      # This workaround was taken from
+      # https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
+      system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
+    })
  ];
 }
--- a/modules/flatpak.nix
+++ b/modules/flatpak.nix
@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# Flatpak is only used for programs that are not easily installable natively.
+# They should always be confined as much as possible using Flatseal.
+#
+# To make Flatpak work with Flathub,
+# the following command must be run imperatively:
+#
+#     flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+#
+# The full guide is available on https://flathub.org/setup/NixOS,
+# though the restart step is not necessary.
+{ config, lib, ... }:
+
+lib.mkIf config.sbruder.gui.enable {
+  services.flatpak.enable = true;
+}
--- a/modules/mailserver/postfix.nix
+++ b/modules/mailserver/postfix.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -95,6 +95,7 @@ lib.mkIf cfg.enable {
      smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
      smtpd_tls_mandatory_ciphers = "medium";
      smtpd_tls_loglevel = "1";
+      smtpd_tls_received_header = "yes"; # add TLS connection details to Received header

      tls_medium_cipherlist = listToString [
        "ECDHE-ECDSA-AES128-GCM-SHA256"
@ -140,6 +141,7 @@ lib.mkIf cfg.enable {
      # Postscreen
      smtpd = {
        type = "pass";
+        args = [ "-o" "smtpd_discard_ehlo_keywords=silent-discard,dsn" ];
      };
      smtp_inet = {
        # Partially overrides upstream
--- a/modules/prometheus/node_exporter.nix
+++ b/modules/prometheus/node_exporter.nix
@ -8,7 +8,10 @@
    enable = config.sbruder.wireguard.home.enable;
    listenAddress = config.sbruder.wireguard.home.address;
    enabledCollectors = [ "systemd" ];
-    disabledCollectors = [ "rapl" ];
+    disabledCollectors = [
+      "arp.netlink" # https://github.com/prometheus/node_exporter/issues/2849
+      "rapl"
+    ];
  };

  systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ];
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -60,12 +60,12 @@
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
    };
    okarin = {
-      hostNames = [ "okarin" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaev8K5KhRovW75IdZ0HYlzvxxo0haeCM0xCVEOuDSa";
+      hostNames = [ "okarin" "okarin.sbruder.de" "okarin.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
    };
    okarin-initrd = {
      hostNames = [ "[okarin.sbruder.de]:2222" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
    };
    shinobu = {
      hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];
--- a/modules/tools.nix
+++ b/modules/tools.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -50,7 +50,7 @@
    lm_sensors # temperature sensors
    parted # partition manager
    pciutils # lspci
-    reptyr # move process to current terminal
+    (reptyr.overrideAttrs (o: o // { doCheck = false; })) # move process to current terminal # tests fail on qemu-user-aarch64 (TODO 24.05: remove)
    smartmontools # hard drive monitoring
    tcpdump # package inspector
    tio # serial console
--- a/modules/unfree.nix
+++ b/modules/unfree.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -41,9 +41,6 @@ in

        # games (okay if they run sandboxed)
        "osu-lazer" # also is free except for one dependency
-        "steam"
-        "steam-original"
-        "steam-runtime"
      ]
    ));
  };
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@ -33,8 +33,8 @@ let
      publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
    };
    okarin = {
-      address = "10.80.0.10";
-      publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
+      address = "10.80.0.14";
+      publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
    };
    shinobu = {
      address = "10.80.0.12";
--- a/modules/wkd/default.nix
+++ b/modules/wkd/default.nix
@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, ... }:
+let
+  cfg = config.sbruder.wkd;
+
+  toFqdn = domain: "openpgpkey.${domain}";
+in
+{
+  options.sbruder.wkd = {
+    enable = lib.mkEnableOption "Web Key Directory";
+    domain = lib.mkOption {
+      type = lib.types.str;
+      description = "The main domain to listen on. The actual fqdn will be openpgpkey.<domain>.";
+      default = "sbruder.de";
+    };
+    domains = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "Additional domains to serve.";
+      default = [ ];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sbruder.static-webserver.vhosts."${toFqdn cfg.domain}" = {
+      redirects = map toFqdn cfg.domains;
+      user.name = "wkd";
+    };
+
+    services.nginx.virtualHosts."${toFqdn cfg.domain}" = {
+      locations."^~ /.well-known/openpgpkey" =
+        let
+          # workaround for nginx dropping parent headers
+          # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
+          parentHeaders = lib.concatStringsSep "\n" (lib.filter
+            (lib.hasPrefix "add_header ")
+            (lib.splitString "\n" config.services.nginx.commonHttpConfig));
+        in
+        {
+          extraConfig = ''
+            ${parentHeaders}
+            add_header Access-Control-Allow-Origin * always;
+          '';
+        };
+    };
+  };
+}
--- a/pkgs/co2_exporter/default.nix
+++ b/pkgs/co2_exporter/default.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2022-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2022-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -19,7 +19,7 @@ buildGoModule rec {

  vendorHash = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68=";

-  oCheck = false; # no tests
+  doCheck = false; # no tests

  meta = with lib; {
    license = licenses.mit;
--- a/pkgs/contact-page/src/index.html
+++ b/pkgs/contact-page/src/index.html
@ -25,15 +25,19 @@ SPDX-License-Identifier: CC-BY-SA-4.0
          <td><a id="matrix" href="#">(requires javascript)</a></td>
        </tr>
        <tr>
-          <td>GitHub</td>
+          <td>Codeberg</td>
+          <td><a href="https://codeberg.org/sbruder">sbruder</a></td>
+        </tr>
+        <tr>
+          <td>(GitHub)</td>
          <td><a href="https://github.com/sbruder">sbruder</a></td>
        </tr>
        <tr>
-          <td>GitLab</td>
+          <td>(GitLab)</td>
          <td><a href="https://gitlab.com/sbruder">sbruder</a></td>
        </tr>
        <tr>
-          <td>Gitea</td>
+          <td>Forgejo</td>
          <td><a href="https://git.sbruder.de/simon">git.sbruder.de</a></td>
        </tr>
        <tr>
--- a/pkgs/wordclock-dimmer/wordclock-dimmer.py
+++ b/pkgs/wordclock-dimmer/wordclock-dimmer.py
@ -61,15 +61,6 @@ def get_color_for_time(time: datetime.time, base=(60, 60, 60)) -> (int, int, int
        )


-def update(client: mqtt.Client):
-    time = datetime.datetime.now().time()
-    color = get_color_for_time(time)
-    print(f"{time}: setting color to {color}")
-    sys.stdout.flush()
-    set_color(client, *color)
-    pass
-
-
 client = mqtt.Client("wordclock.py")

 user = os.environ["WORDCLOCK_MQTT_USER"]
@ -83,6 +74,15 @@ host = os.environ["WORDCLOCK_MQTT_HOST"]
 client.username_pw_set(user, password)
 client.connect(host, 1883, 60)

+color = (0, 0, 0)
+
 while True:
-    update(client)
+    time = datetime.datetime.now().time()
+    new_color = get_color_for_time(time)
+    if new_color != color:
+        color = new_color
+        print(f"setting color to {color}")
+        sys.stdout.flush()
+        set_color(client, *color)
+
    sleep(300)
--- a/users/simon/modules/games.nix
+++ b/users/simon/modules/games.nix
@ -1,98 +1,41 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-
+#
+# Steam is installed as a flatpak,
+# as this seems to be the only method that does not force me
+# to spend hours debugging various issues with the client.
+#
+# Installation instructions for steam:
+#
+# 1. Run flatpak install flathub com.valvesoftware.Steam
+# 2. Use Flatseal to revoke all filesystem permissions,
+#    development syscalls
+#    and bluetooth.
+# 3. Add GDK_SCALE=2 as an environment variable (hack for sway’s Xwayland)
+# 4. If you previously used steam-sandbox,
+#    you need to copy the files to the flatpak location.
+#    For this, start steam once (you can close it early),
+#    so it creates the new structure.
+#    Then, run the following commands:
+#        rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
+#        mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
+#    You might want to copy additional files of games,
+#    that do not store files inside of Steam’s directories.
+#    Afterwards, you can delete ~/.local/share/steam-sandbox
+#
+# For MangoHud, the following steps are also necessary:
+# 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
+# 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
+# 4. For Intel Arc systems,
+#    add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
+#    and /run/wrappers/bin to the PATH environment variable in Flatseal
+# 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
+#    available
 { lib, nixosConfig, pkgs, ... }:
 let
  cfg = nixosConfig.sbruder.games;
  inherit (nixosConfig.sbruder) unfree;
-
-  steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
-    set -euo pipefail
-    shopt -s nullglob # make for loop work for glob if files do not exist
-    base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
-    mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
-    bubblewrap_args=(
-        # sandboxing
-        --unshare-all
-        --share-net
-        --die-with-parent
-        --new-session
-
-        # basic filesystem
-        --tmpfs /tmp
-        --proc /proc
-        --dev /dev
-        --dir "$HOME"
-        --dir "$XDG_RUNTIME_DIR"
-        --ro-bind /nix/store /nix/store
-        # path
-        --ro-bind /run/current-system/sw /run/current-system/sw
-        --ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
-        # system-wide configuration
-        --ro-bind /etc/fonts /etc/fonts
-        --ro-bind /etc/localtime /etc/localtime
-        --ro-bind /etc/machine-id /etc/machine-id
-        --ro-bind /etc/os-release /etc/os-release
-        --ro-bind /etc/passwd /etc/passwd
-        --ro-bind /etc/resolv.conf /etc/resolv.conf
-        --ro-bind /etc/ssl/certs /etc/ssl/certs
-        --ro-bind /etc/static /etc/static
-
-        # gui
-        --ro-bind /tmp/.X11-unix /tmp/.X11-unix
-        --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
-        --dev-bind /dev/dri /dev/dri
-        --ro-bind /run/opengl-driver /run/opengl-driver
-        --ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
-
-        # audio
-        --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
-        --setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
-        --ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
-        --setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
-        --ro-bind-try /etc/asound.conf /etc/asound.conf
-        --ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
-        --ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
-
-        # dbus
-        --ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
-        --ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
-
-        # shared data
-        --bind "$base_dir/.local/share" "$HOME/.local/share"
-        --bind "$base_dir/.steam" "$HOME/.steam"
-        --bind "$base_dir/.config" "$HOME/.config"
-        --bind "$base_dir/.factorio" "$HOME/.factorio"
-        --bind "$base_dir/data" "$HOME/data"
-        --ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
-
-        # input
-        --dev-bind /dev/input /dev/input
-        --dev-bind-try /dev/uinput /dev/uinput
-        --ro-bind /sys /sys # required for discovery
-      )
-
-    for hidraw in /dev/hidraw*; do
-        bubblewrap_args+=(--dev-bind $hidraw $hidraw)
-    done
-
-
-    unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
-    export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
-
-    ${pkgs.bubblewrap}/bin/bwrap \
-        "''${bubblewrap_args[@]}" \
-        ''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
-        "$@"
-  '';
-
-  steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
-    mkdir -p $out/{bin,share}
-    ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
-    ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
-    ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
-  '';
 in
 lib.mkIf cfg.enable {
  home.packages = with pkgs; [
@ -105,9 +48,7 @@ lib.mkIf cfg.enable {
    pcsx2
  ] ++ lib.optionals (cfg.performanceIndex >= 8) [
    unstable.ryujinx
-    unstable.yuzu-mainline
  ] ++ lib.optionals unfree.allowSoftware [
    unstable.osu-lazer-sandbox
-    steam-sandbox-with-icons
  ];
 }
--- a/users/simon/modules/mpd.nix
+++ b/users/simon/modules/mpd.nix
@ -73,6 +73,7 @@ lib.mkIf nixosConfig.sbruder.gui.enable {

      # Lyrics
      lyrics_directory = "${config.services.mpd.musicDirectory}/lyrics";
+      follow_now_playing_lyrics = true;

      # Misc
      external_editor = "nvim";
--- a/users/simon/modules/neovim/default.nix
+++ b/users/simon/modules/neovim/default.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@ -54,7 +54,7 @@ in
      haskell-language-server
      jdt-language-server
      unstable.ltex-ls
-      rnix-lsp
+      nixd
      rust-analyzer
      (python3.withPackages (ps: with ps; [
        pyls-isort
--- a/users/simon/modules/neovim/init.lua
+++ b/users/simon/modules/neovim/init.lua
@ -1,4 +1,4 @@
-- SPDX-FileCopyrightText: 2018-2023 Simon Bruder <simon@sbruder.de>
+-- SPDX-FileCopyrightText: 2018-2024 Simon Bruder <simon@sbruder.de>
 --
 -- SPDX-License-Identifier: AGPL-3.0-or-later

@ -348,7 +348,7 @@ lsp.ltex.setup {
 lsp.pylsp.setup {
    on_attach = on_attach,
 }
-lsp.rnix.setup {
+lsp.nixd.setup {
    on_attach = on_attach,
 }
 lsp.rust_analyzer.setup {
--- a/users/simon/modules/pass.nix
+++ b/users/simon/modules/pass.nix
@ -14,4 +14,9 @@
      PASSWORD_STORE_DIR = "$HOME/.password-store";
    };
  };
+
+  programs.browserpass = {
+    enable = true;
+    browsers = [ "librewolf" ];
+  };
 }
Author	SHA1	Message	Date
Simon Bruder	16cf73afb9	okarin: Migrate to different VPS Previously, it was hosted on Ionos’s VMware-based infrastructure. I already had a VPS on their new KVM-based infrastructure, as I was planning to migrate okarin to it eventually (as it is cheaper). However, the new infrastructure does not offer PTR records for IPv6 addresses. Therefore, I was waiting until they would implement that feature (as the support promised me they would to in the near future). However, they are now migrating the (at least my) guests from their VMware hypervisors onto the KVM ones, assigning new IPv6 addresses to them. This makes the old VPS essentially the same as the old one, but with less memory and more expensive. So I decided to migrate now.	2024-04-17 12:40:46 +02:00
Simon Bruder	853e817901	sbruder.xyz: Remove deprecated services	2024-04-16 23:40:39 +02:00
Simon Bruder	7daad927e8	yuzuru/static-sites: Migrate okarin’s sites	2024-04-16 23:40:37 +02:00
Simon Bruder	ae35e82369	vueko/mail: Add alias	2024-04-14 17:24:11 +02:00
Simon Bruder	670ff94dda	tools: Fix reptyr build in qemu-user-aarch64 This was already fixed in NixOS unstable: https://github.com/NixOS/nixpkgs/pull/292342	2024-04-13 12:23:36 +02:00
Simon Bruder	62c26e06a5	neovim: Switch to nixd rnix-lsp is no longer maintained and the package is currently broken in nixpkgs as it depends on an insecure Nix version.	2024-04-13 12:09:36 +02:00
Simon Bruder	5f81e9db4b	renge/invidious: Remove patch It is included in the newer version.	2024-04-13 12:08:36 +02:00
Simon Bruder	10f2e5638f	flake.lock: Update Flake lock file updates: • Updated input 'flake-utils': 'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28) → 'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11) • Updated input 'home-manager': 'github:nix-community/home-manager/652fda4ca6dafeb090943422c34ae9145787af37' (2024-02-03) → 'github:nix-community/home-manager/d6bb9f934f2870e5cbc5b94c79e9db22246141ff' (2024-04-06) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/cf111d1a849ddfc38e9155be029519b0e2329615' (2024-03-06) → 'github:nix-community/home-manager/40ab43ae98cb3e6f07eaeaa3f3ed56d589da21b0' (2024-04-13) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/5df5a70ad7575f6601d91f0efec95dd9bc619431' (2024-02-15) → 'github:cachix/pre-commit-hooks.nix/40e6053ecb65fcbf12863338a6dcefb3f55f1bf8' (2024-04-12) • Updated input 'nix-pre-commit-hooks/gitignore': 'github:hercules-ci/gitignore.nix/43e1aa1308018f37118e34d3a9cb4f5e75dc11d5' (2023-12-29) → 'github:hercules-ci/gitignore.nix/637db329424fd7e46cf4185293b9cc8c88c95394' (2024-02-28) • Updated input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/3dc440faeee9e889fe2d1b4d25ad0f430d449356' (2024-01-10) → 'github:NixOS/nixpkgs/614b4613980a522ba49f0d194531beddbb7220d3' (2024-03-17) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/59e37017b9ed31dee303dbbd4531c594df95cfbc' (2024-03-02) → 'github:nixos/nixos-hardware/f58b25254be441cd2a9b4b444ed83f1e51244f1f' (2024-04-12) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/880992dcc006a5e00dd0591446fdf723e6a51a64' (2024-03-05) → 'github:nixos/nixpkgs/b2cf36f43f9ef2ded5711b30b1f393ac423d8f72' (2024-04-10) • Updated input 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=refs/heads/master&rev=32ef4fd545a29cdcb2613934525b97470818b42e' (2024-01-01) → 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=refs/heads/master&rev=2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8' (2024-04-12) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/9df3e30ce24fd28c7b3e2de0d986769db5d6225d' (2024-03-06) → 'github:nixos/nixpkgs/1042fd8b148a9105f3c0aca3a6177fd1d9360ba5' (2024-04-10) • Updated input 'sops-nix': 'github:Mic92/sops-nix/25dd60fdd08fcacee2567a26ba6b91fe098941dc' (2024-03-06) → 'github:Mic92/sops-nix/538c114cfdf1f0458f507087b1dcf018ce1c0c4c' (2024-04-08) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/66d65cb00b82ffa04ee03347595aa20e41fe3555' (2024-03-03) → 'github:NixOS/nixpkgs/e38d7cb66ea4f7a0eb6681920615dfcc30fc2920' (2024-04-06)	2024-04-13 10:39:56 +02:00
Simon Bruder	1f75062bc2	vueko/mail: Add alias	2024-04-04 16:00:01 +02:00
Simon Bruder	526db3d97b	vueko/mail: Add alias	2024-04-02 19:13:43 +02:00
Simon Bruder	ad209fa0f7	vueko/mail: Add alias	2024-04-02 15:41:23 +02:00
Simon Bruder	00bada7b12	renge: Fix invidious The patch is already in upstream, but for multiple reasons, I decided to only apply the patch and not update.	2024-03-31 19:57:09 +02:00
Simon Bruder	f30318869b	vueko/mail: Add alias	2024-03-31 13:07:27 +02:00
Simon Bruder	709f8d5676	ncmpcpp: Follow now playing lyrics	2024-03-31 13:03:35 +02:00
Simon Bruder	51e8dd4169	vueko/mail: Add alias	2024-03-15 14:05:28 +01:00
Simon Bruder	fc7f0f8648	co2_exporter: Fix typo in doCheck	2024-03-15 14:01:32 +01:00
Simon Bruder	11d0870f5c	vueko/mail: Add alias	2024-03-14 10:59:43 +01:00
Simon Bruder	a1645314f4	games: Drop yuzu It is dead[1]. [1]: https://arstechnica.com/gaming/2024/03/switch-emulator-makers-agree-to-pay-2-4-million-to-settle-nintendo-lawsuit/	2024-03-07 11:59:36 +01:00
Simon Bruder	47cb7b4b32	flake.lock: Update Flake lock file updates: • Updated input 'flake-utils': 'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15) → 'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/043ba285c6dc20f36441d48525402bcb9743c498' (2024-02-14) → 'github:nix-community/home-manager/cf111d1a849ddfc38e9155be029519b0e2329615' (2024-03-06) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/0db2e67ee49910adfa13010e7f012149660af7f0' (2024-02-07) → 'github:cachix/pre-commit-hooks.nix/5df5a70ad7575f6601d91f0efec95dd9bc619431' (2024-02-15) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/f1b2f71c86a5b1941d20608db0b1e88a07d31303' (2024-02-13) → 'github:nixos/nixos-hardware/59e37017b9ed31dee303dbbd4531c594df95cfbc' (2024-03-02) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/01885a071465e223f8f68971f864b15829988504' (2024-02-13) → 'github:nixos/nixpkgs/880992dcc006a5e00dd0591446fdf723e6a51a64' (2024-03-05) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/35ff7e87ee05199a8003f438ec11a174bcbd98ea' (2024-02-13) → 'github:nixos/nixpkgs/9df3e30ce24fd28c7b3e2de0d986769db5d6225d' (2024-03-06) • Updated input 'sops-nix': 'github:Mic92/sops-nix/48afd3264ec52bee85231a7122612e2c5202fa74' (2024-02-13) → 'github:Mic92/sops-nix/25dd60fdd08fcacee2567a26ba6b91fe098941dc' (2024-03-06) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/d8cd80616c8800feec0cab64331d7c3d5a1a6d98' (2024-02-10) → 'github:NixOS/nixpkgs/66d65cb00b82ffa04ee03347595aa20e41fe3555' (2024-03-03)	2024-03-07 09:50:31 +01:00
Simon Bruder	07cac97bef	vueko/mail: Add alias	2024-03-02 11:47:52 +01:00
Simon Bruder	4c119f0b80	authoritative-dns: Drop INWX secondaries	2024-02-27 15:57:04 +01:00
Simon Bruder	939df6ae2a	wordclock-dimmer: Make logging less verbose The time is already stored in the journal, so it does not need to be logged. Only logging changed values makes the log less polluted once a fixed value has been reached ((3, 3, 3) or (3, 0, 0)):	2024-02-24 20:57:49 +01:00
Simon Bruder	8f1d0a149c	node_exporter: Disable ARP netlink collector It currently fails (logging an error message on every scrape). This disables the netlink collector, making it fall back to reading ARP entries from /proc/net/arp.	2024-02-24 20:52:38 +01:00
Simon Bruder	a9f86e7ced	Fix resolving FQDN when resolved is enabled	2024-02-24 19:21:56 +01:00
Simon Bruder	3816e6fc5d	authoritative-dns: Add renge, yuzuru to secondaries	2024-02-24 13:22:17 +01:00
Simon Bruder	bb8152d772	vueko/mail: Add alias	2024-02-23 19:21:13 +01:00
Simon Bruder	06958ad544	vueko/mail: Remove alias	2024-02-23 19:21:12 +01:00
Simon Bruder	5375a858bd	Replace steam with flatpak I am no longer willing to accept hours upon hours of debugging just to get the client to work. I don’t get why they would ship a 32-bit GTK2 executable that uses CEF with its sandbox disabled in 2024. Obviously, this makes debugging quite hard as things don’t work well, even when they work. This leaves red herrings everywhere (“Is this segfault a symptom of the issue I’m facing or is that also happening to other users where it works fine?”). Flatpak also seems to have quite good sandboxing features when Flatseal is used for every application to take away any unnecessary permissions.	2024-02-23 19:21:11 +01:00
Simon Bruder	ef2c667bfe	shinobu: Add NTP server This also changes the firewall rules for the IoT network to no longer accept connections to ntp.org pool hosts over 123/UDP. All clients should use the local NTP server.	2024-02-15 13:39:42 +01:00
Simon Bruder	7f8859f85b	mailserver/postfix: Update copyright year This was forgotten in `c944812a68` and `242a2315be`.	2024-02-15 13:10:42 +01:00
Simon Bruder	c4a9d39a15	flake.lock: Update Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/10cd9c53115061aa6a0a90aad0b0dde6a999cdb9' (2024-01-19) → 'github:nix-community/home-manager/652fda4ca6dafeb090943422c34ae9145787af37' (2024-02-03) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/6b28ab2d798c1c84e24053d95f4ee1dd9d81e2fb' (2024-01-24) → 'github:nix-community/home-manager/043ba285c6dc20f36441d48525402bcb9743c498' (2024-02-14) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/f56597d53fd174f796b5a7d3ee0b494f9e2285cc' (2024-01-20) → 'github:cachix/pre-commit-hooks.nix/0db2e67ee49910adfa13010e7f012149660af7f0' (2024-02-07) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/e756ff62c2e9db4f7c197bc1849a02024a7bfb2e' (2024-01-24) → 'github:nixos/nixos-hardware/f1b2f71c86a5b1941d20608db0b1e88a07d31303' (2024-02-13) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/d7f206b723e42edb09d9d753020a84b3061a79d8' (2024-01-22) → 'github:nixos/nixpkgs/01885a071465e223f8f68971f864b15829988504' (2024-02-13) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21) → 'github:nixos/nixpkgs/35ff7e87ee05199a8003f438ec11a174bcbd98ea' (2024-02-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/ae171b54e76ced88d506245249609f8c87305752' (2024-01-21) → 'github:Mic92/sops-nix/48afd3264ec52bee85231a7122612e2c5202fa74' (2024-02-13) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/a1982c92d8980a0114372973cbdfe0a307f1bdea' (2024-01-12) → 'github:NixOS/nixpkgs/d8cd80616c8800feec0cab64331d7c3d5a1a6d98' (2024-02-10)	2024-02-15 11:32:16 +01:00
Simon Bruder	a5ae1bf7cd	contact-page: Update git hosters	2024-02-14 15:00:25 +01:00
Simon Bruder	74e5dd2639	Add license exceptions to readme	2024-02-14 14:54:46 +01:00
Simon Bruder	badd33a312	vueko/mail: Add alias	2024-02-12 11:28:35 +01:00
Simon Bruder	db24be0a69	vueko/mail: Add alias	2024-02-12 11:18:49 +01:00
Simon Bruder	0696d74877	vueko/mail: Add alias	2024-02-11 10:58:54 +01:00
Simon Bruder	d645aca536	vueko/mail: Add alias	2024-02-09 11:55:45 +01:00
Simon Bruder	4752437cf5	vueko/mail: Add alias	2024-02-04 14:10:12 +01:00
Simon Bruder	242a2315be	mailserver: Disallow requesting DSN over SMTP This still allows requesting a DSN over submission, so trusted clients are not affected. It only affects sending DSN to other systems, which now no longer takes place. This is done to avoid leaking rspamd internals.	2024-02-03 01:15:17 +01:00
Simon Bruder	c944812a68	mailserver: Extend Received header with TLS info	2024-02-03 00:12:05 +01:00
Simon Bruder	0e870e7188	vueko/mail: Add alias	2024-02-02 12:30:29 +01:00
Simon Bruder	ef3939403a	yuzuru/static-sites: Add salespointframework This had previously been hosted on a separate machine that was now decommissioned.	2024-02-01 00:40:56 +01:00
Simon Bruder	a2cf57ec47	vueko/mail: Drop aliases	2024-01-31 12:07:57 +01:00
Simon Bruder	f454aafa20	vueko/mail: Drop aliases	2024-01-27 22:56:33 +01:00
Simon Bruder	c5f3b172f3	vueko/mail: Add alias	2024-01-27 22:08:11 +01:00
Simon Bruder	7c4b4a5a9b	vueko/mail: Drop aliases	2024-01-27 22:06:25 +01:00
Simon Bruder	7c26753c04	vueko/mail: Add alias	2024-01-27 20:17:40 +01:00
Simon Bruder	eecb609dab	vueko/mail: Drop aliases	2024-01-27 19:00:50 +01:00
Simon Bruder	9caef40c21	wkd: Init	2024-01-27 17:22:53 +01:00
Simon Bruder	0d9e100d01	Replace key for SOPS with minimal key It was exported with gpg --armor --export-options export-minimal --export KEYID	2024-01-27 11:10:49 +01:00
Simon Bruder	a09967c1c4	pass: Enable browserpass for librewolf	2024-01-27 10:33:27 +01:00
Simon Bruder	4ff453a133	flake.lock: Update Flake lock file updates: • Updated input 'flake-utils': 'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04) → 'github:numtide/flake-utils/1ef2e671c3b0c19053962c07dbda38332dcebf26' (2024-01-15) • Updated input 'home-manager': 'github:nix-community/home-manager/7e398b3d76bc1503171b1364c9d4a07ac06f3851' (2024-01-01) → 'github:nix-community/home-manager/10cd9c53115061aa6a0a90aad0b0dde6a999cdb9' (2024-01-19) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/6e91c5df192395753d8e6d55a0352109cb559790' (2024-01-01) → 'github:nix-community/home-manager/6b28ab2d798c1c84e24053d95f4ee1dd9d81e2fb' (2024-01-24) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/9d3d7e18c6bc4473d7520200d4ddab12f8402d38' (2023-12-30) → 'github:cachix/pre-commit-hooks.nix/f56597d53fd174f796b5a7d3ee0b494f9e2285cc' (2024-01-20) • Updated input 'nix-pre-commit-hooks/flake-compat': 'github:edolstra/flake-compat/35bb57c0c8d8b62bbfd284272c928ceb64ddbde9' (2023-01-17) → 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04) • Updated input 'nix-pre-commit-hooks/gitignore': 'github:hercules-ci/gitignore.nix/a20de23b925fd8264fd7fad6454652e142fd7f73' (2022-08-14) → 'github:hercules-ci/gitignore.nix/43e1aa1308018f37118e34d3a9cb4f5e75dc11d5' (2023-12-29) • Updated input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/c37ca420157f4abc31e26f436c1145f8951ff373' (2023-06-03) → 'github:NixOS/nixpkgs/3dc440faeee9e889fe2d1b4d25ad0f430d449356' (2024-01-10) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/f752581d6723a10da7dfe843e917a3b5e4d8115a' (2024-01-01) → 'github:nixos/nixos-hardware/e756ff62c2e9db4f7c197bc1849a02024a7bfb2e' (2024-01-24) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/32f63574c85fbc80e4ba1fbb932cde9619bad25e' (2023-12-31) → 'github:nixos/nixpkgs/d7f206b723e42edb09d9d753020a84b3061a79d8' (2024-01-22) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/b0d36bd0a420ecee3bc916c91886caca87c894e9' (2023-12-30) → 'github:nixos/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21) • Updated input 'sops-nix': 'github:Mic92/sops-nix/cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6' (2023-12-31) → 'github:Mic92/sops-nix/ae171b54e76ced88d506245249609f8c87305752' (2024-01-21) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/0aad9113182747452dbfc68b93c86e168811fa6c' (2023-12-30) → 'github:NixOS/nixpkgs/a1982c92d8980a0114372973cbdfe0a307f1bdea' (2024-01-12)	2024-01-24 13:26:28 +01:00