renge/murmur: Migrate to vueko

Flake lock file updates:

• Updated input 'home-manager':
    'github:nix-community/home-manager/d6bb9f934f2870e5cbc5b94c79e9db22246141ff' (2024-04-06)
  → 'github:nix-community/home-manager/ab5542e9dbd13d0100f8baae2bc2d68af901f4b4' (2024-05-10)
• Updated input 'home-manager-unstable':
    'github:nix-community/home-manager/40ab43ae98cb3e6f07eaeaa3f3ed56d589da21b0' (2024-04-13)
  → 'github:nix-community/home-manager/850cb322046ef1a268449cf1ceda5fd24d930b05' (2024-05-23)
• Updated input 'nix-pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/40e6053ecb65fcbf12863338a6dcefb3f55f1bf8' (2024-04-12)
  → 'github:cachix/pre-commit-hooks.nix/0e8fcc54b842ad8428c9e705cb5994eaf05c26a0' (2024-05-20)
• Removed input 'nix-pre-commit-hooks/flake-utils'
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/f58b25254be441cd2a9b4b444ed83f1e51244f1f' (2024-04-12)
  → 'github:nixos/nixos-hardware/d9e0b26202fd500cf3e79f73653cce7f7d541191' (2024-05-20)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/b2cf36f43f9ef2ded5711b30b1f393ac423d8f72' (2024-04-10)
  → 'github:nixos/nixpkgs/46397778ef1f73414b03ed553a3368f0e7e33c2f' (2024-05-22)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/1042fd8b148a9105f3c0aca3a6177fd1d9360ba5' (2024-04-10)
  → 'github:nixos/nixpkgs/5710852ba686cc1fd0d3b8e22b3117d43ba374c2' (2024-05-21)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/538c114cfdf1f0458f507087b1dcf018ce1c0c4c' (2024-04-08)
  → 'github:Mic92/sops-nix/b549832718b8946e875c016a4785d204fcfc2e53' (2024-05-22)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/e38d7cb66ea4f7a0eb6681920615dfcc30fc2920' (2024-04-06)
  → 'github:NixOS/nixpkgs/e7cc61784ddf51c81487637b3031a6dd2d6673a2' (2024-05-18)

.sops.yaml

@@ -15,10 +15,11 @@ keys:
   - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
   - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
   - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
-  - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+  - &okarin e7370b48016c961ef8ad792fda66b19d845b3156
   - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
   - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
   - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
+  - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
 creation_rules:
   - path_regex: machines/nunotaba/secrets\.yaml$
     key_groups:
@@ -97,6 +98,13 @@ creation_rules:
       - *simon-alpha
       - *simon-beta
       - *yuzuru
+  - path_regex: machines/koyomi/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *simon-alpha
+      - *simon-beta
+      - *koyomi
   - path_regex: secrets\.yaml$
     key_groups:
     - pgp:
@@ -109,3 +117,4 @@ creation_rules:
       - *fuuko
       - *mayushii
       - *renge
+      - *koyomi

README.md

@@ -143,3 +143,10 @@ so always consult the file header and other resources as specified in the REUSE
 Please note that those licensing terms only apply to the source files in this repository,
 not any build outputs, like system or package closures.
 They might be licensed differently, depending on their source.
+
+If you think you have a compelling reason
+why you should be able to use part of this repository under a more permissive license,
+please contact me,
+so we can figure something out.
+Please note, that I can only offer this for files that are solely authored by me,
+as I do not own the rights to other people’s code.

flake.lock

@@ -26,11 +26,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -44,11 +44,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -65,11 +65,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
@@ -85,11 +85,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704099619,
-        "narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=",
+        "lastModified": 1715381426,
+        "narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851",
+        "rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704100519,
-        "narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
+        "lastModified": 1716457508,
+        "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6e91c5df192395753d8e6d55a0352109cb559790",
+        "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
         "type": "github"
       },
       "original": {
@@ -205,9 +205,6 @@
     "nix-pre-commit-hooks": {
       "inputs": {
         "flake-compat": "flake-compat",
-        "flake-utils": [
-          "flake-utils"
-        ],
         "gitignore": "gitignore",
         "nixpkgs": [
           "nixpkgs-unstable"
@@ -215,11 +212,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1703939133,
-        "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=",
+        "lastModified": 1716213921,
+        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38",
+        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
         "type": "github"
       },
       "original": {
@@ -231,11 +228,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1704124233,
-        "narHash": "sha256-lBHs/yUtkcGgapHRS31oOb5NqvnVrikvktGOW8rK+sE=",
+        "lastModified": 1716173274,
+        "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "f752581d6723a10da7dfe843e917a3b5e4d8115a",
+        "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
         "type": "github"
       },
       "original": {
@@ -247,11 +244,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1703992652,
-        "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
+        "lastModified": 1716361217,
+        "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
+        "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
         "type": "github"
       },
       "original": {
@@ -275,11 +272,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1704120598,
-        "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=",
+        "lastModified": 1712934106,
+        "narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=",
         "ref": "refs/heads/master",
-        "rev": "32ef4fd545a29cdcb2613934525b97470818b42e",
-        "revCount": 65,
+        "rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8",
+        "revCount": 66,
         "type": "git",
         "url": "https://git.sbruder.de/simon/nixpkgs-overlay"
       },
@@ -290,43 +287,43 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1685801374,
-        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.05",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1703950681,
-        "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
+        "lastModified": 1716061101,
+        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
+        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1703961334,
-        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
+        "lastModified": 1716330097,
+        "narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
+        "rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
         "type": "github"
       },
       "original": {
@@ -453,11 +450,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1703991717,
-        "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
+        "lastModified": 1716400300,
+        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
+        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
         "type": "github"
       },
       "original": {

flake.nix

@@ -23,7 +23,6 @@
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
 
     nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
-    nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
     nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -156,12 +155,11 @@
                 pkgs.writeShellScript "unlock-${hostname}" ''
                   set -exo pipefail
                   # opening luks fails if gpg-agent is not unlocked yet
-                  pass "devices/${hostname}/luks" >/dev/null
-                  ssh \
+                  pass "devices/${hostname}/luks" | ssh \
                       ${lib.optionalString unlockOverV4 "-4"} \
                       -p 2222 \
                       "root@${targetHost}" \
-                      "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
+                      "cat > /crypt-ramfs/passphrase"
                 '')
               self.nixosConfigurations);
 

keys/machines/koyomi.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
+bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
+VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
+bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
+JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
+8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
+y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
+eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
++VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
+KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
+1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
+/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
+CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
+/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
+J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
+gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
+QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
+MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
+HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
+DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
+kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
+CxhNpGhTpzl96WA2WsNP9Q==
+=slmv
+-----END PGP PUBLIC KEY BLOCK-----

keys/machines/okarin.asc

@@ -1,28 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg
-Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT
-ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG
-jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw
-KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1
-NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7
-jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr
-YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF
-a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD
-uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr
-/EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB
+xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC
+Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG
+twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT
+cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4
+va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9
+vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h
+5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0
+HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE
+ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS
+0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+
+TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG
-yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR
-Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf
-K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN
-DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi
-xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt
-CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4
-RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn
-xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP
-Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn
-rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0
-MsxjN+we2woCXG5SJGYOyA==
-=UTw1
+AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR
+O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1
++B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn
+uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C
+3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0
+t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4
+fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV
+qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt
+uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw
+2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT
+TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU
+NxR1Jvm5bnGfUcnNlzoB4Q==
+=6o0h
 -----END PGP PUBLIC KEY BLOCK-----

keys/users/simon.asc

@@ -5,67 +5,39 @@ EKpaQ5+0H1NpbW9uIEJydWRlciA8c2ltb25Ac2JydWRlci5kZT6InAQTFgoARAIb
 AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm
 K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/
 Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE
-B0JHBIkCMwQQAQoAHRYhBEfnVZ4DejVlLbv4qo08gvnzCfjsBQJlrZp3AAoJEI08
-gvnzCfjsE2IP/RZoV3xvTi9ks5mpClnxdofGR4r2IVFw8TMQLSFfAHAtEJQ+R8fx
-0Yk+yoBNjt6JFKsvVVyVTZsK5cZcECSaX8E5gAYIB0+5S7TAC+DL9lDhWqhJnvOk
-5nWIM6gdey6H4lmwjMQT9deWFBlHI/4+eEv65B2tlPZH7x2EbXywe5TgAmCAuXBI
-7YOCebPh66n0ezJkw0SkEmz5+yMfj/vQNQxvRUpGpMEPDAUvIWEJ+Mb1XRuSZlYy
-Z8fNh0lMuvDf/GAwoFLiQM8ToprYT1vVnZ+IzEHkjYA1/nDTj1rDxiFCz+FCc+/k
-+7fjbtbmX1rSLu90jQZx3h0JEb9t4Zd0X9aOstVnqTi9pMWWyFcUgA71+21VqbIQ
-LccjaPZ0YK75on5YaD5ZmtHAl5ZD1VIXL0vnyN/XQYa4GUiN0qVwdG9QSEEe8gu8
-jjAWClU8BroyOtWamOlQWs/RPZsg1G5Nv5KcPJbw67sWzJZYvJhytRMg9yMWM/uC
-uSC30u/gA49YP2N32XsxwFo8LAUrqn22/WdgcR1NIhHDjzT4SWSTS/ec5lSB998e
-xw+41h4hDHwZn75HYi89FytjS0Sc8C4b2GPw8eqbhKHKMlPKJah2enFXkR85AZJ1
-wJGGhHhUS1mZ9e5SbY5ugtYj8v3Q3RMf47pqSHsO1Z9ojWBpAYforhTEtDFTaW1v
-biBCcnVkZXIgPHNpbW9uLmJydWRlckBtYWlsYm94LnR1LWRyZXNkZW4uZGU+iJkE
-ExYKAEEWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13bQIbAQUJA8JnAAULCQgH
-AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCxoLSkWIWgMZSoAQC+oKNXUW2Lm/pe
-kUVf9hTfXrS/gZjAPW9J00lNMV+beQEA7eG7fR5wzetZl/RImYLGLNNxIkg4SeDT
-Pf26Tvk9XgyJAjMEEAEKAB0WIQRH51WeA3o1ZS27+KqNPIL58wn47AUCZa2afQAK
-CRCNPIL58wn47JgND/0aTHhLlT7QGE9O6RV1kS81YeiQD5UvrJcYh9/wb7plXV/R
-+AJ9QUxnw9SKeyyFGjwQeWIkkdJccq8ov5ekz++ErCsFlQtvhzNMa+ZRRJ5XG1m9
-dyFUKAvZ9vo5EnYOTO72l3TEel4L3V5t6qeUGdJQoVBC3cmLHJ7Vs92cTrmrQnF6
-JXVgoj41iSmgnHdf8l0rsHc4/ODYDpZpOQjQj24Teb6Hj8jkjhNejGm6Ackcy6UF
-KIX4ZDQD2k9SlxDt2LGLjF2rHar4NFYNJwgzO1tMazjTDAV1J9zx44NFaC1dm4oj
-0Nz/xSYyyYyBoeqIG29qZrmWj5yIee64I+POX5REuLvf//64atEAkvODqg8ZhrXB
-Jd7BTtsRpUkkzwBv/ZHYJyEwLrUKLXpyx6GejksJ4fX4ftyWAgUOkDI06WI4WnQl
-WzTOqIWwbub3M53F8eOGvXLUd6PD3p8ARiCFG+5cqRimmd3WZ5g0C9YWnuKRAOrT
-mrquAFhAeaanp+MRihB9d0nj5Lfx3mtfLAWDHYTj+yXL7de1xJ8p2D4WekJJ9NRJ
-f8b9d+wswth/1NV/ly64J7aiGpVzE+WcpNGl9pcsisSiXOCGJatPvrl9h6vgU+Oj
-2HhE5vf9WmvHxkUwut1Tw2cw5KoukugDZWos8AZ671QebmfnebDUsmSfhkOymbgz
-BGWtd5kWCSsGAQQB2kcPAQEHQNbLdlJZfKhMRcRQUuGbQMQj+GtMr2p8vIX3JUQ7
-jNltiPUEGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13mQIbAgUJA8Jn
-AACBCRCxoLSkWIWgMXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWt
-d5kACgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaA
-jGEBAPtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sH8p0A/j2fQV8DVJsn
-fnyFdmEIS14LaLyBTQ411CLkOVI4l5yBAP0Xue1JzV1Spm8Ib5rbAB5l2Q39xwsZ
-IkGsiN85Wq7cA4j1BBgWCgAmAhsCFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWu
-53YFCQHio10AgXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWtd5kA
-CgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaAjGEB
-APtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sHCRCxoLSkWIWgMbaZAPwI
-xTyJqS+Jkc0OylTadktVGnlFYEa1t6qKrb4pRjOAIQD9ERVIB3SSzsNpVXG0djhy
-f+g3vpB5fdFdQC99OyI8PQK4OARlrXfCEgorBgEEAZdVAQUBAQdALPq5WxjDWC8p
-wx+ah8a8ry6/i34+wvQ3qOWs+1j9C3YDAQgHiH4EGBYKACYWIQTUihrKsc29FwFR
-ZiuxoLSkWIWgMQUCZa13wgIbDAUJA8JnAAAKCRCxoLSkWIWgMV9XAQDuKPEU5LHt
-GF0T1eo18OT4aXizqy17bSPQxbcn6MApNwEAtST8XQ5gki8TqeNQi5mXPjAUokcO
-m6uwogm73VCPOgW4MwRlrXgmFgkrBgEEAdpHDwEBB0BNSrEdKYMC34Wz/wQ3sm+w
-i5yKm1omkudkClDmC7YqB4h+BBgWCgAmFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEF
-AmWteCYCGyAFCQHhM4AACgkQsaC0pFiFoDEwGgEA3uVUei5Y8u47o008cvx9dgb7
-0sWsh9Wf/O0QobCE6SEBANybL7eIdVo7gk/Po0lyiNnPIOmef9Hi6p1JUnWo3LcF
-uDgEZa147hIKKwYBBAGXVQEFAQEHQNUPZBqZtKL0ddaYG2wUN/vkuuMlrlZOfWbL
-pJVI4NphAwEIB4h1BBgWCgAnFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWteO4D
-GwAEBQkB4TOAAAADxQEA+NbhkOn4hMn3P+/tov7At0jQJjjDYj4tg/9VW1SvwkcB
-AJEXPOQFLPYhegwq5G+lwlEsxE9LmBMBusML/3p4ZUYEuDMEZa18NBYJKwYBBAHa
-Rw8BAQdA62nilshWONc3snbvv6mbkTLMhBUPloemiLjknU81UIuIfgQYFgoAJhYh
-BNSKGsqxzb0XAVFmK7GgtKRYhaAxBQJlrXw0AhsgBQkB4TOAAAoJELGgtKRYhaAx
-F5wBALp/P2c+FV7WdwnI2f9zZFxmtrSwRbDPBGJ6bvCJ45QaAQCEQ4nF0Qxs2/qb
-DiRJ0ucWYLlUK9MR4tAXu7E/fsAPCrg4BGWte5MSCisGAQQBl1UBBQEBB0BvaxmN
-FsORwLciFERl9SldHn3fUXRyyrkDqVM1IfJyVwMBCAeIdQQYFgoAJxYhBNSKGsqx
-zb0XAVFmK7GgtKRYhaAxBQJlrXuTAxsABAUJAeEzgAAAxJ4BALCSE6rEiOwgnkMG
-DJtDgdO7nbLciQJWfH6KRx5/wMyjAQCADkDdpJfzH36nfi3plfV1uAi1ZhLVrZu+
-qUSS9QGfBrgzBGWtfzIWCSsGAQQB2kcPAQEHQPfsufQIdFzWK1B1uelCzt8XJaou
-blRPn1gjZvumSEr+iH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa1/
-MgIbIAUJA8JnAAAKCRCxoLSkWIWgMVomAQCa2marlCeyEQQcOz3IFPFYCeth8+e/
-I6LgogPoVslMjQEA82iFX5eIFtAqaYqtZvm6LQFc0hI8JiQfpHt/FpxqNQI=
-=1z2B
+B0JHBLQxU2ltb24gQnJ1ZGVyIDxzaW1vbi5icnVkZXJAbWFpbGJveC50dS1kcmVz
+ZGVuLmRlPoiZBBMWCgBBFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd20CGwEF
+CQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQsaC0pFiFoDGUqAEA
+vqCjV1Fti5v6XpFFX/YU3160v4GYwD1vSdNJTTFfm3kBAO3hu30ecM3rWZf0SJmC
+xizTcSJIOEng0z39uk75PV4MuDMEZa13mRYJKwYBBAHaRw8BAQdA1st2Ull8qExF
+xFBS4ZtAxCP4a0yvany8hfclRDuM2W2I9QQYFgoAJgIbAhYhBNSKGsqxzb0XAVFm
+K7GgtKRYhaAxBQJlrud2BQkB4qNdAIF2IAQZFgoAHRYhBF8781AR60Ih56rcrDR/
++Gmc2gd2BQJlrXeZAAoJEDR/+Gmc2gd2WGkA/1q7AL8NUkvEOXRXOdHUhFkC2AXp
+V9deFHxrszMWgIxhAQD7QPihv5Cm8SPkClDMeKFnGwlMpeZNM/XYn5FqyLPrBwkQ
+saC0pFiFoDG2mQD8CMU8iakviZHNDspU2nZLVRp5RWBGtbeqiq2+KUYzgCEA/REV
+SAd0ks7DaVVxtHY4cn/oN76QeX3RXUAvfTsiPD0CuDgEZa13whIKKwYBBAGXVQEF
+AQEHQCz6uVsYw1gvKcMfmofGvK8uv4t+PsL0N6jlrPtY/Qt2AwEIB4h+BBgWCgAm
+FiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd8ICGwwFCQPCZwAACgkQsaC0pFiF
+oDFfVwEA7ijxFOSx7RhdE9XqNfDk+Gl4s6ste20j0MW3J+jAKTcBALUk/F0OYJIv
+E6njUIuZlz4wFKJHDpursKIJu91QjzoFuDMEZa14JhYJKwYBBAHaRw8BAQdATUqx
+HSmDAt+Fs/8EN7JvsIuciptaJpLnZApQ5gu2KgeIfgQYFgoAJhYhBNSKGsqxzb0X
+AVFmK7GgtKRYhaAxBQJlrXgmAhsgBQkB4TOAAAoJELGgtKRYhaAxMBoBAN7lVHou
+WPLuO6NNPHL8fXYG+9LFrIfVn/ztEKGwhOkhAQDcmy+3iHVaO4JPz6NJcojZzyDp
+nn/R4uqdSVJ1qNy3Bbg4BGWteO4SCisGAQQBl1UBBQEBB0DVD2QambSi9HXWmBts
+FDf75LrjJa5WTn1my6SVSODaYQMBCAeIdQQYFgoAJxYhBNSKGsqxzb0XAVFmK7Gg
+tKRYhaAxBQJlrXjuAxsABAUJAeEzgAAAA8UBAPjW4ZDp+ITJ9z/v7aL+wLdI0CY4
+w2I+LYP/VVtUr8JHAQCRFzzkBSz2IXoMKuRvpcJRLMRPS5gTAbrDC/96eGVGBLgz
+BGWtfDQWCSsGAQQB2kcPAQEHQOtp4pbIVjjXN7J277+pm5EyzIQVD5aHpoi45J1P
+NVCLiH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa18NAIbIAUJAeEz
+gAAKCRCxoLSkWIWgMRecAQC6fz9nPhVe1ncJyNn/c2RcZra0sEWwzwRiem7wieOU
+GgEAhEOJxdEMbNv6mw4kSdLnFmC5VCvTEeLQF7uxP37ADwq4OARlrXuTEgorBgEE
+AZdVAQUBAQdAb2sZjRbDkcC3IhREZfUpXR5931F0csq5A6lTNSHyclcDAQgHiHUE
+GBYKACcWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa17kwMbAAQFCQHhM4AAAMSe
+AQCwkhOqxIjsIJ5DBgybQ4HTu52y3IkCVnx+ikcef8DMowEAgA5A3aSX8x9+p34t
+6ZX1dbgItWYS1a2bvqlEkvUBnwa4MwRlrX8yFgkrBgEEAdpHDwEBB0D37Ln0CHRc
+1itQdbnpQs7fFyWqLm5UT59YI2b7pkhK/oh+BBgWCgAmFiEE1IoayrHNvRcBUWYr
+saC0pFiFoDEFAmWtfzICGyAFCQPCZwAACgkQsaC0pFiFoDFaJgEAmtpmq5QnshEE
+HDs9yBTxWAnrYfPnvyOi4KID6FbJTI0BAPNohV+XiBbQKmmKrWb5ui0BXNISPCYk
+H6R7fxacajUC
+=361S
 -----END PGP PUBLIC KEY BLOCK-----

machines/default.nix

@@ -23,6 +23,9 @@ in
   };
   vueko = {
     system = "aarch64-linux";
+    extraModules = [
+      "${inputs.infinisilSystem}/config/new-modules/murmur.nix"
+    ];
 
     targetHost = "vueko.sbruder.de";
   };
@@ -46,9 +49,6 @@ in
   };
   renge = {
     system = "aarch64-linux";
-    extraModules = [
-      "${inputs.infinisilSystem}/config/new-modules/murmur.nix"
-    ];
 
     targetHost = "renge.sbruder.de";
   };
@@ -76,4 +76,13 @@ in
 
     targetHost = "yuzuru.sbruder.de";
   };
+  koyomi = {
+    system = "x86_64-linux";
+    extraModules = [
+      hardware.common-cpu-intel
+      hardware.common-pc-ssd
+    ];
+
+    targetHost = "koyomi.sbruder.de";
+  };
 }

machines/fuuko/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -92,6 +92,8 @@
     }
   ];
 
+  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/sda" "/dev/sdb" "/dev/sdc" ];
+
   powerManagement.cpuFreqGovernor = "schedutil";
 
   networking = {

machines/hitagi/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -55,6 +55,8 @@
     { device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; }
   ];
 
+  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+
   # GPU
   hardware.opengl = {
     package = pkgs.mesa.drivers;

machines/koyomi/README.md

@@ -0,0 +1,37 @@
+<!--
+SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+
+SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# koyomi
+
+## Hardware
+
+System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
+
+- Motherboard: FUJITSU D3401-H1
+- CPU: Intel Core i7-6700
+- RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
+- SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
+
+## Setup
+
+As it is a physical server (not a VM) in a remote location,
+extra care must be taken when installing.
+Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
+and a rescue system that can be activated before a reboot.
+Additionally, there is also a *vKVM* rescue system,
+that boots a hypervisor from the network and runs a VM which boots from the physical disks.
+
+The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
+Ideally, everything goes well and the next reboot works,
+but in the case it does not, the vKVM rescue system can be used for debugging.
+
+## Purpose
+
+Hypervisor. Exact scope is to be determined.
+
+## Name
+
+Araragi Koyomi is a student from the *Monogatari Series*.

machines/koyomi/configuration.nix

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+
+    ./services/hypervisor.nix
+  ];
+
+  sbruder = {
+    wireguard.home.enable = true;
+    podman.enable = true;
+  };
+
+  networking.hostName = "koyomi";
+
+  system.stateVersion = "23.11";
+}

machines/koyomi/hardware-configuration.nix

@@ -0,0 +1,74 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ modulesPath, pkgs, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    swraid.enable = true;
+    kernelModules = [ "kvm-intel" ];
+    kernelParams = [ "ip=dhcp" ];
+    loader = {
+      grub = {
+        devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+      };
+    };
+    initrd = {
+      availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
+      kernelModules = [ "dm-snapshot" ];
+      network.enable = true; # remote unlocking
+      luks.devices = {
+        koyomi-pv = {
+          name = "koyomi-pv";
+          device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
+          preLVM = true;
+          allowDiscards = true;
+        };
+      };
+
+      # FIXME XXX HACK
+      # This is required to have the md device available under /dev/disk/by-uuid.
+      # Both commands are run as part of the regular stage-1 init script,
+      # but for some reason, they need to be run twice.
+      preLVMCommands = ''
+        udevadm trigger
+        udevadm settle
+      '';
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
+      fsType = "btrfs";
+      options = [ "discard=async" "noatime" "compress=zstd" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/12CE-A600";
+      fsType = "vfat";
+    };
+  };
+
+  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+
+  networking.useDHCP = false;
+  networking.usePredictableInterfaceNames = false;
+  systemd.network = {
+    enable = true;
+    networks = {
+      eth0 = {
+        name = "eth0";
+        DHCP = "yes";
+        domains = [ "sbruder.de" ];
+        address = [ "2a01:4f8:151:712d::1/64" ];
+        gateway = [ "fe80::1" ];
+      };
+    };
+  };
+}

machines/koyomi/secrets.yaml

@@ -0,0 +1,72 @@
+wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-05-11T21:49:03Z"
+    mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
+    pgp:
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
+            qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
+            hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
+            in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
+            hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
+            dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
+            1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
+            TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
+            iXDXWxIe5PY=
+            =zp+l
+            -----END PGP MESSAGE-----
+          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
+            WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
+            1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
+            dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
+            8GoFUoOn6tE=
+            =A7C7
+            -----END PGP MESSAGE-----
+          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
+            pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
+            1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
+            rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
+            K0oWZqedIzU=
+            =Z8wz
+            -----END PGP MESSAGE-----
+          fp: 403215E0F99D2582C7055C512C77841620B8F380
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
+            exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
+            UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
+            ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
+            uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
+            OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
+            OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
+            cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
+            Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
+            gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
+            HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
+            VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
+            +Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
+            =bvPZ
+            -----END PGP MESSAGE-----
+          fp: a53d4ca8d2cf54613822c81d660e69babee42643
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/koyomi/services/hypervisor.nix

@@ -0,0 +1,133 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ lib, pkgs, ... }:
+let
+  guests = {
+    forgejo-actions-runner = {
+      mac = "42:80:00:00:00:02";
+      v4 = "10.80.32.2";
+      v6 = "2a01:4f8:151:712d:1::2";
+    };
+  };
+
+  # port forwarding for IPv4
+  portForwards = {
+    tcp = { };
+    udp = { };
+  };
+in
+{
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu.package = pkgs.qemu_kvm;
+  };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.forwarding" = true;
+    "net.ipv6.conf.all.forwarding" = true;
+  };
+
+  systemd.network = {
+    enable = true;
+    netdevs = {
+      br-virt = {
+        netdevConfig = {
+          Name = "br-virt";
+          Kind = "bridge";
+        };
+      };
+    };
+    networks = {
+      br-virt = {
+        name = "br-virt";
+        address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
+      };
+    };
+  };
+  services.resolved.enable = false;
+
+  services.dnsmasq = {
+    enable = true;
+
+    settings = {
+      interface = [ "br-virt" ];
+
+      bind-interfaces = true; # do not bind to the wildcard interface
+      bogus-priv = true; # do not forward revese lookups of internal addresses
+      dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
+      domain-needed = true; # do not forward names without domain
+      no-hosts = true; # do not resolve hosts from /etc/hosts
+      no-resolv = true; # only use explicitly configured resolvers
+
+      domain = [ "sbruder.de" ];
+
+      enable-ra = true; # required to tell clients to use DHCPv6
+
+      # Force static configuration
+      dhcp-range = [
+        "10.80.32.0,static,255.255.255.0"
+        "2a01:4f8:151:712d:1::,static,80"
+      ];
+
+      dhcp-host = lib.flatten (lib.mapAttrsToList
+        (name: { mac, v4, v6 }: [
+          "${mac},${v4},${name}"
+          "${mac},[${v6}],${name}"
+        ])
+        guests);
+
+      # Hetzner recursive name servers
+      # https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
+      server = [
+        "185.12.64.1"
+        "185.12.64.2"
+        "2a01:4ff:ff00::add:1"
+        "2a01:4ff:ff00::add:2"
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
+    allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
+
+    interfaces.br-virt = {
+      allowedTCPPorts = [ 53 ]; # EDNS
+      allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
+    };
+  };
+
+  networking.nftables = {
+    enable = true;
+    ruleset = ''
+      # only IPv4
+      table ip hypervisor-nat {
+        chain postrouting {
+          type nat hook postrouting priority filter; policy accept
+          oifname eth0 masquerade
+        }
+
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept
+          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
+            iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
+          '') portForwards.tcp)}
+          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
+            iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
+          '') portForwards.udp)}
+        }
+      }
+
+      table inet hypervisor-filter {
+        chain forward {
+          type filter hook forward priority filter; policy drop
+
+          iifname br-virt oifname eth0 counter accept
+          iifname eth0 oifname br-virt counter accept
+        }
+      }
+    '';
+  };
+}

machines/mayushii/configuration.nix

@@ -19,6 +19,7 @@
     gui.enable = true;
     media-proxy.enable = true;
     mullvad.enable = true;
+    podman.enable = true;
     restic.system = {
       enable = true;
       qos = true;

machines/mayushii/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -45,6 +45,8 @@
     };
   };
 
+  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" ];
+
   powerManagement = {
     cpuFreqGovernor = "schedutil";
   };

machines/okarin/README.md

@@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 
 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
@@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0
 
 ## Hardware
 
-[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD).
+[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).
 
 ## Purpose
 
@@ -22,32 +22,50 @@ Okabe Rintaro is a mad scientist from *Steins;Gate*
 
 Much like the namesake,
 this server requires a “mad scientist” approach to set up.
+However, it is much easier than setting up its predecessor,
+which had just above 400 MiB usable memory.
 
 Ionos does not offer any NixOS installation media.
-I could only choose between a Debian installation media, Knoppix and GParted.
-Also, installing with a very low amount of memory is quite hard.
+I could only choose between various installation media and rescue systems.
+Also, installing NixOS with a low amount of memory is problematic.
 
 I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
 On there, I installed NixOS.
-Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
-What I settled on was
-`cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
+Because encryption with `argon2id` as PBKDF is quite memory intensive,
+I had to tune the parameters to ensure decryption was still possible on the target.
+This can be done quite easily by interactively running the following command on the build VM:
 
-To make btrfs use its SSD optimizations,
-I had to force the kernel to see the device as non-rotational:
-`echo 0 > /sys/block/dm-0/queue/rotational`
+    cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
 
-Another problem was the usage of VMware by Ionos.
-The VM I set this up with was obviously using KVM/QEMU,
-so it needed different kernel modules at boot.
-What worked was setting it up in the local VM with both libvirt and vmware modules,
-and then removing the libvirt modules once it was installed on the target.
+The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.
+
+However, since those parameters are not ideal,
+the following should later be run on the target host itself:
+
+    cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
+
+This will determine the memory usage automatically,
+use one thread
+and set the parameters so that decryption takes 10 seconds (10000 ms).
+The memory usage will not be as high as it could,
+but it will be better.
 
 Getting the disk image onto the server was done
 by first `rsync`ing the image to another server (to allow for incremental iterations),
 which then provided it via HTTP.
-Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui),
-it was possible to just `curl http://server/okarin.img > /dev/sda`.
+Using the Debian installation media in rescue mode
+(as for some reason most other options tried to cache the file in memory and became very slow)
+it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
 
 Because of all the pitfalls of this,
 you probably need more than one try.
+To make debugging easier on the target, the following option can be set:
+```nix
+{ pkgs, ... }:
+
+{
+  boot.initrd.preLVMCommands = ''
+    ${pkgs.bashInteractive}/bin/bash
+  '';
+}
+```

machines/okarin/configuration.nix

@@ -9,7 +9,6 @@
     ./hardware-configuration.nix
     ../../modules
 
-    ./services/static-sites.nix
     ./services/proxy.nix
   ];
 
@@ -22,7 +21,7 @@
 
   networking.hostName = "okarin";
 
-  system.stateVersion = "22.11";
+  system.stateVersion = "23.11";
 
   networking.firewall.allowedTCPPorts = [
     80

machines/okarin/hardware-configuration.nix

@@ -5,6 +5,10 @@
 { lib, modulesPath, ... }:
 
 {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
   sbruder.machine.isVm = true;
 
   boot = {
@@ -12,41 +16,34 @@
     extraModulePackages = [ ];
     kernelParams = [ "ip=dhcp" ];
     initrd = {
-      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ];
-      kernelModules = [ "dm-snapshot" "vmw_balloon" ];
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+      kernelModules = [ ];
       network = {
         enable = true; # remote unlocking
         # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
         # this works around this, but is arguably quite hacky
         postCommands = ''
-          ip route add 10.255.255.1 dev eth0
-          ip route add default via 10.255.255.1 dev eth0
+          ip route add 85.215.165.1 dev eth0
+          ip route add default via 85.215.165.1 dev eth0
         '';
       };
-      luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267";
+      luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
     };
-    loader.grub.device = "/dev/sda";
+    loader.grub.device = "/dev/vda";
   };
 
   fileSystems = {
     "/" = {
-      device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41";
+      device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
       fsType = "btrfs";
-      options = [ "compress=zstd" "discard" "noatime" ];
+      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
     };
     "/boot" = {
-      device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518";
+      device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
       fsType = "ext2";
     };
   };
 
-  swapDevices = [
-    {
-      device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079";
-      randomEncryption.enable = true;
-    }
-  ];
-
   zramSwap = {
     enable = true;
     memoryPercent = 150;
@@ -63,11 +60,6 @@
         name = "eth0";
         DHCP = "yes";
         domains = [ "sbruder.de" ];
-        address = [ "2001:8d8:1800:8627::1/64" ];
-        gateway = [ "fe80::1" ];
-        networkConfig = {
-          IPv6AcceptRA = "no";
-        };
       };
     };
   };

machines/okarin/secrets.yaml

@@ -1,80 +1,80 @@
-wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str]
+wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-05-06T08:49:32Z"
-    mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str]
+    lastmodified: "2023-12-25T22:06:33Z"
+    mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str]
     pgp:
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw
-            faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6
-            hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w
-            aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1
-            hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w
-            RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0
-            1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE
-            zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2
-            PWZwSFBCZEg=
-            =r7sK
+            hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw
+            ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA
+            hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw
+            +ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB
+            hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw
+            I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/
+            1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf
+            1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/
+            hRlLbnUDE1Q=
+            =ol1Y
             -----END PGP MESSAGE-----
           fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw
-            zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709
-            hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw
-            f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz
-            hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw
-            Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI
-            1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/
-            aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V
-            B8h2L/JR7Yo=
-            =/wMt
+            hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw
+            VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU
+            hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow
+            rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1
+            hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw
+            xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV
+            1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG
+            Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk
+            G+tyNMgCYhM=
+            =2QnY
             -----END PGP MESSAGE-----
           fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww
-            uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc
-            hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw
-            zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP
-            hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw
-            mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817
-            1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL
-            8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S
-            Gzwk8dC0wdc=
-            =BWUr
+            hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw
+            SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo
+            hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww
+            wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8
+            hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw
+            3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc
+            1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh
+            AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H
+            VOK1Bc67BzU=
+            =3z3V
             -----END PGP MESSAGE-----
           fp: 403215E0F99D2582C7055C512C77841620B8F380
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B
-            lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp
-            jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0
-            ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq
-            tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ
-            T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb
-            YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2
-            qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T
-            nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R
-            LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al
-            a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS
-            VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd
-            QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6
-            =sy/X
+            hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v
+            z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo
+            w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO
+            DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n
+            7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e
+            7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN
+            Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt
+            4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b
+            5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl
+            auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3
+            pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS
+            VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R
+            da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB
+            =F0pC
             -----END PGP MESSAGE-----
-          fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+          fp: e7370b48016c961ef8ad792fda66b19d845b3156
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

machines/okarin/services/proxy.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -6,9 +6,7 @@
 let
   proxyMap = {
     "sbruder.xyz" = "renge";
-    "nitter.sbruder.xyz" = "renge";
     "iv.sbruder.xyz" = "renge";
-    "libreddit.sbruder.xyz" = "renge";
   };
 in
 {

machines/okarin/services/static-sites.nix

@@ -1,20 +0,0 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, ... }:
-
-{
-  sbruder.static-webserver.vhosts = {
-    "maggus.bayern".user = {
-      name = "maggus";
-      keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
-      ] ++ config.sbruder.pubkeys.trustedKeys;
-    };
-    "arbeitskampf.work".user = {
-      name = "arbeitskampf";
-    };
-  };
-}

machines/renge/configuration.nix

@@ -17,8 +17,8 @@
     ./services/grafana.nix
     ./services/hedgedoc.nix
     ./services/invidious
+    ./services/mastodon.nix
     ./services/matrix
-    ./services/murmur.nix
     ./services/password-hash-self-service.nix
     ./services/prometheus.nix
     ./services/sbruder.xyz
@@ -33,6 +33,9 @@
     };
     wireguard.home.enable = true;
     infovhost.enable = true;
+    wkd = {
+      enable = true;
+    };
   };
 
   networking.hostName = "renge";

machines/renge/secrets.yaml

@@ -2,7 +2,7 @@ forgejo-mail: ENC[AES256_GCM,data:3AlFHzVBA5TE4qv5ubG39K0varV8/HabO0q/RJZSD5o=,i
 go-neb-overrides: ENC[AES256_GCM,data:1xy+SdsSTuerRox4skitg1mKLr1MoANFoCzz76TKSA31ORo/oUWVGrYxfusZxrFQWjYGRFpSYzmkzPn1RoWmbXyfwPEcisvjenXLNvwcyoontBd7TiiLdukEtya6RfGLRGKc8tfCzbDUWgiYz5IDMFBvKGnewFjB+au0/Ge2+2DTw6M4negjCz343TO/vbyTr5xT/5smmKz7Ouk9SbEo7yEuHkQPQfedGw2PYT82zdXd/Eje3Zq2EB4xcUU7beGrF1zkOdXQ4OVqB8XnkCnuLtNlnJtsffm0rbPDPD3/nhHKpJ8jXrN54V14dSnHW7yOifGMIus0VFMRZcIT7A+BroM9qzJhW3F4gsF1Bwp0CF+6zLLRjgpA0EOyvOwpLIftBZfMIpveAH62MVY0IBfwDdkI1itEOjj9EhTrOGxBx45Cj6Qk3Mk6ncyr15+E+KAmQRxZJrEW8Grk4PyzuxtxYd0n8LSaRUe1eNVUhHkQNpo/zvAPgrzcRnM91EwIoMvlNmwyC63j1h+OBKlXQgChAaB1O6HFXQY=,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
 hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
 invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
-murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
+mastodon-mail: ENC[AES256_GCM,data:RT/fS7cqbcePd2qe7CR5jRh2jtKaS81ICbMUOlPUQsY=,iv:C7GYMB0U2KIfXuEnYaoIEfV89/EnJS6V9iG97X8zkPk=,tag:L4SVe6aYGcarvX1hmMqQOw==,type:str]
 netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
 prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
 restic-ssh-key: ENC[AES256_GCM,data:9quBzUwv4qylVzESG94wSgzvuodSDM/smPh0j+LYJjXwEN1xksBIW2/Jv0XmF3Q+AWUF/C/lA2jteI3Mf6Pmn7zlqa3H7GwH8Os6/arQI3ywH2dHQLAFxgST2J0AlLGeZcJbntxW0buYw+Rz3q5Jbo+Wo9tQo+2EVvqX320qWBsEwinnahbUhZym3fipyE9g6JxGa3OFGiIn6JAQhst63WgpOfehQsAYu2bdW1gLrgFtURzDQQRQ28RxeD+nMUWRpQcq5GrX2rfSA7sengfQbmP3Ln1atp1YXctTalHsj+n4photBqLz6OfLaFKBqbdKRbinUgVAEarAocEOKk/qf1C6LS8yKjV9Mh/tKeCJQrCI/AccEP5DfMNqdRaWjoQxvjBRKaupPE7Rcuja++K/jm24nP9J8WDcrRSm0tlrVq2JnPHxJv+eUsZoGkvpyOs9AkTG1H2BCckYS5ZG4atjKoBfUvc3CitPNmPZcjSkPrkdRMZbu1BWR+cixFH9rFAUvVIn+e7sWGnqMA8xGXZS,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
@@ -16,8 +16,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-01-10T18:29:17Z"
-    mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
+    lastmodified: "2024-06-01T12:03:17Z"
+    mac: ENC[AES256_GCM,data:6fJfEtnHSQV7oGZ7HMrXYH1lX8ZzfTChOZC25scDP/q5FH8QZ52OntRuQ8DbR+AKUPN/w6o4EotZVxX53Q2Xxi6QdHSqo07GDsWUnIOb5eCNGmEB3c2w20DJv2smTnEr7d6051aPzEUO0ZxUPxxlqcifC6dsdpdxySyG/VY9OQQ=,iv:KAWFRoOQKRd2tf58QYGD8SnHJk1aLwBxgkcRkPgjuN8=,tag:LJFOJuFblp53Te9zoYKq0Q==,type:str]
     pgp:
         - created_at: "2024-01-22T00:20:10Z"
           enc: |-

machines/renge/services/mastodon.nix

@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, ... }:
+
+{
+  sops.secrets.mastodon-mail = {
+    owner = config.services.mastodon.user;
+    sopsFile = ../secrets.yaml;
+  };
+
+  services.mastodon = {
+    enable = true;
+    configureNginx = true;
+    localDomain = "procrastination.space";
+    smtp = {
+      createLocally = false;
+      host = "vueko.sbruder.de";
+      port = 465;
+      user = "mastodon@sbruder.de";
+      passwordFile = config.sops.secrets.mastodon-mail.path;
+      fromAddress = config.services.mastodon.smtp.user;
+      authenticate = true;
+    };
+    streamingProcesses = 5;
+    extraConfig = {
+      SMTP_TLS = "true";
+      RAILS_LOG_LEVEL = "warn";
+    };
+  };
+}

machines/renge/services/prometheus.nix

@@ -75,6 +75,7 @@ in
           "shinobu.vpn.sbruder.de:9100"
           "nazuna.vpn.sbruder.de:9100"
           "yuzuru.vpn.sbruder.de:9100"
+          "koyomi.vpn.sbruder.de:9100"
         ];
         relabel_configs = lib.singleton {
           target_label = "instance";
@@ -82,6 +83,22 @@ in
           regex = "(.*)\\.vpn\\.sbruder\\.de:9100";
         };
       }
+      {
+        job_name = "smartctl";
+        static_configs = mkStaticTargets [
+          "fuuko.vpn.sbruder.de:9633"
+          "mayushii.vpn.sbruder.de:9633"
+          "nunotaba.vpn.sbruder.de:9633"
+          "hitagi.vpn.sbruder.de:9633"
+          "shinobu.vpn.sbruder.de:9633"
+          "koyomi.vpn.sbruder.de:9633"
+        ];
+        relabel_configs = lib.singleton {
+          target_label = "instance";
+          source_labels = lib.singleton "__address__";
+          regex = "(.*)\\.vpn\\.sbruder\\.de:9633";
+        };
+      }
       {
         job_name = "qbittorrent";
         static_configs = mkStaticTargets [
@@ -136,8 +153,10 @@ in
       {
         job_name = "knot";
         static_configs = mkStaticTargets [
-          "okarin.vpn.sbruder.de:9433"
           "vueko.vpn.sbruder.de:9433"
+          "renge.vpn.sbruder.de:9433"
+          "okarin.vpn.sbruder.de:9433"
+          "yuzuru.vpn.sbruder.de:9433"
         ];
         relabel_configs = lib.singleton {
           target_label = "instance";

machines/renge/services/sbruder.xyz/default.nix

@@ -3,11 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 { config, pkgs, ... }:
-let
-  goneVhost = {
-    locations."~ .*".return = "303 'https://sbruder.xyz/#history'";
-  };
-in
+
 {
   imports = [
     ./blocks.nix
@@ -58,7 +54,4 @@ in
       };
     };
   };
-
-  services.nginx.virtualHosts."nitter.sbruder.xyz" = goneVhost;
-  services.nginx.virtualHosts."libreddit.sbruder.xyz" = goneVhost;
 }

machines/shinobu/configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -9,6 +9,7 @@
     ../../modules
 
     ./services/co2_exporter.nix
+    ./services/ntp.nix
     ./services/router
     ./services/snmp-exporter.nix
     ./services/wordclock-dimmer.nix

machines/shinobu/services/ntp.nix

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{
+  services.ntp = {
+    enable = true;
+  };
+
+  networking.firewall.allowedUDPPorts = [ 123 ];
+}

machines/shinobu/services/router/dnsmasq.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -41,16 +41,16 @@ in
         cfg.vlan);
       dhcp-option = lib.flatten (lib.mapAttrsToList
         (name: { subnet, ... }: [
+          # Gateway
           "tag:br-${name},option:router,${subnet.v4.gateway}"
           "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
+
+          # NTP server (runs on gateway)
+          "tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
+          "tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
         ])
         cfg.vlan);
 
-      nftset = [
-        "/pool.ntp.org/4#inet#filter#iot_ntp4"
-        "/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
-      ];
-
       server = [
         "127.0.0.1#5053"
       ];

machines/shinobu/services/router/rules.nft

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -7,16 +7,6 @@ define PHYSICAL_WAN = "enp1s0"
 define NAT_WAN_IFACES = { $PHYSICAL_WAN }
 
 table inet filter {
-	# These two sets are dynamically managed by dnsmasq
-	set iot_ntp4 {
-		type ipv4_addr
-		comment "IPv4 addresses of resolved NTP servers"
-	}
-	set iot_ntp6 {
-		type ipv6_addr
-		comment "IPv6 addresses of resolved NTP servers"
-	}
-
 	chain forward {
 		type filter hook forward priority filter; policy drop
 
@@ -31,8 +21,6 @@ table inet filter {
 		iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
 		iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
 
-		iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
-		iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
 		iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
 	}
 }

machines/vueko/configuration.nix

@@ -11,6 +11,7 @@
 
     ./services/fuuko-proxy.nix # FIXME!
     ./services/media.nix
+    ./services/murmur.nix
     ./services/restic.nix
   ];
 

machines/vueko/secrets.yaml

@@ -1,4 +1,5 @@
 media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str]
+murmur-superuser: ENC[AES256_GCM,data:D7EjnKZGSmx8ykVeKqSIAdV4Vql7ZkfEUw==,iv:I8SgiZrlCpyqNeBMJlzttFUJFGqQp5vHu6pMUz/0LoE=,tag:G6QMUh3v2QjxtoXUSoRqcA==,type:str]
 restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str]
 restic-rclone-ssh-key: ENC[AES256_GCM,data:fefY4sVBp786LeUNdLA1CZ83YGZsxP9yvoIx647fVM47jGBfJWcU8PDwbPGfp4ae5aKnuRi/+OpRQHQIuBWa8XH8mWQ0YLs3JzKavmtNqf8mh9hyiEGLSYBbokEkgSPFBxH8CuhNbzrou0cCO7ACXkXnq4Cf0jjkYR2StjsISiJ11nEnle0tchHMFPSho0W7Ph8UZvT6x1naJjBqMrZKepLMCrT4oM3gqgA3R0cvCxQyIY5BHweopDXxuZDVlIiYjG61qt6OKL7O+lt/Kfvd38i6L1CAsloFVQOv4pQwz5b/jNjH+Kg8+tbbksXz2Dm5PU7HBXyav48MqriTqVCeWpmEsbo9j/zEravtNaC/gvpc7v4H/3lqhyY181g2Fxzu3YCjheSwjhtSuLCtXCD4UdW5Ctkb5TDZrMY+NAQdeXqgCawYggN05x6s+UdSitXXHLBjvyIV5ES/7p43zjWDnddAsFQEgILffQRobA9y8VZ+Igj7wo+HJLdNnmJtcqL/j6CM4MOT4hvj1CLhhBdr,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str]
 rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str]
@@ -10,8 +11,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-04-29T10:17:21Z"
-    mac: ENC[AES256_GCM,data:UfLbX+4uDg9Kp8v9lnq9RktT4ltpJYwOHBBPRhO79a1AmLXkp6GilaoMJYjkj0foL92vTUK10wIw547omySwJeY52pTGAvw1IXVaxNp395KLlMPl3EwLS3xj4c0bhzcVEyFl/fxG2gk6BJOzvQXaMYo4COEzDdK6ZDGZKZVKEAM=,iv:mR9Nq+s7wHeZdP6/gW9+zJd/wa1Y4Q5saACwnMOFOZQ=,tag:yYYF8/mKnbxzmPa6nWIGbA==,type:str]
+    lastmodified: "2024-06-01T12:03:28Z"
+    mac: ENC[AES256_GCM,data:KFlisFD6k06XqF6SoQTaMNFpIPYtOgHDFArQueGBcTgjfxzdaxA8AVH1ZBeyFeEFlf4EFfduYcfnqAaGWScOvVW+jVhN/InsNkGf7alPyJ2ifzUD9yhe2/gcOF+eZqPvbTfXsdyfyqkbK7kkRyoYC61T3KPnPzTWqDk/3Chm4k8=,iv:lUbhG5/o5iepukcXHs2FYfue04EJdAbfhX1N0e1C9eA=,tag:EvPEDPoRiLXzbWeHAjTMoQ==,type:str]
     pgp:
         - created_at: "2024-01-22T00:20:08Z"
           enc: |-
@@ -82,4 +83,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 4EA330328CD0D3076E90960194DFA4953D8729DE
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

machines/yuzuru/services/static-sites.nix

@@ -1,7 +1,9 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+{ config, ... }:
+
 {
   services.nginx.virtualHosts = {
     "brennende.autos" = {
@@ -19,9 +21,34 @@
   };
 
   sbruder.static-webserver.vhosts = {
+    "arbeitskampf.work".user = {
+      name = "arbeitskampf";
+    };
+
+    "maggus.bayern".user = {
+      name = "maggus";
+      keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
+      ] ++ config.sbruder.pubkeys.trustedKeys;
+    };
+
     "psycho-power-papagei.de" = {
       user.name = "papagei";
       imprint.enable = true;
     };
+
+    "salespointframework.org" = {
+      redirects = [
+        "www.salespointframework.org"
+        "salespointframe.work"
+        "www.salespointframe.work"
+        "verkaufspunktrahmenwerk.de"
+        "www.verkaufspunktrahmenwerk.de"
+        "verkaufspuntrahmenwerk.de"
+        "www.verkaufspuntrahmenwerk.de"
+      ];
+      user.name = "salespoint";
+    };
   };
 }

modules/authoritative-dns.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -7,14 +7,16 @@ let
   cfg = config.sbruder.knot;
 
   primaryHost = "vueko";
-  secondaryHosts = [ "okarin" ];
+  secondaryHosts = [ "renge" "okarin" "yuzuru" ];
 
   isPrimaryHost = config.networking.hostName == primaryHost;
   isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
 
   addresses = {
     vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
-    okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
+    renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ];
+    okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ];
+    yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
   };
 in
 {
@@ -65,12 +67,7 @@ in
               id = host;
               address = hostAddresses;
             })
-            addresses) ++ lib.optional isPrimaryHost {
-            id = "inwx";
-            # INWX only allows the specification of one primary DNS,
-            # which limits the IP protocol usable for zone transfers to one.
-            address = lib.singleton "185.181.104.96";
-          };
+            addresses);
         }
         (lib.mkIf isPrimaryHost {
           policy = lib.singleton {
@@ -88,7 +85,7 @@ in
               zonefile-load = "difference-no-serial";
               journal-content = "all";
               # secondary
-              notify = [ "inwx" ] ++ secondaryHosts;
+              notify = secondaryHosts;
               # dnssec
               dnssec-signing = true;
               dnssec-policy = "default";

modules/default.nix

@@ -33,8 +33,8 @@
     ./ausweisapp.nix
     ./authoritative-dns.nix
     ./cups.nix
-    ./docker.nix
     ./fancontrol.nix
+    ./flatpak.nix
     ./fonts.nix
     ./games.nix
     ./grub.nix
@@ -54,7 +54,9 @@
     ./nix.nix
     ./office.nix
     ./pipewire.nix
+    ./podman.nix
     ./prometheus/node_exporter.nix
+    ./prometheus/smartctl_exporter.nix
     ./pubkeys.nix
     ./qbittorrent
     ./restic
@@ -67,6 +69,7 @@
     ./udev.nix
     ./unfree.nix
     ./wireguard
+    ./wkd
   ];
 
   config = lib.mkMerge [
@@ -78,9 +81,11 @@
         git-lfs # not so essential, but required to clone config
         htop
         tmux
-        vim
       ];
 
+      programs.nano.enable = false;
+      programs.vim.defaultEditor = true;
+
       # Clean temporary files on boot
       boot.tmp.cleanOnBoot = true;
 
@@ -108,6 +113,8 @@
       # Support for exotic file systems
       boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
 
+      programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);
+
       # When this is set to true (default), routing everything through a
       # wireguard tunnel does not work.
       networking.firewall.checkReversePath = false;
@@ -159,11 +166,21 @@
     (lib.mkIf (!config.sbruder.machine.isVm) {
       # Hard drive monitoring
       services.smartd.enable = lib.mkDefault true;
-      # Firmware updates
-      services.fwupd.enable = lib.mkDefault true;
+      # Firmware updates (only work on EFI systems, so enable only when using systemd-boot)
+      services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable);
     })
     (lib.mkIf (!config.sbruder.full) {
       documentation.enable = lib.mkDefault false;
     })
+    (lib.mkIf (config.services.resolved.enable) {
+      # With NixOS’s default database order for hosts,
+      # resolving the FQDN with hostname -f always returns “localhost”
+      # when resolved is enabled.
+      # This changes the priority of the files database,
+      # which fixes this.
+      # This workaround was taken from
+      # https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
+      system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
+    })
   ];
 }

modules/docker.nix

@@ -1,47 +0,0 @@
-# SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, pkgs, ... }:
-
-{
-  # This uses a custom option (instead of `virtualisation.docker.enable`) since
-  # `virtualisation.oci-containers` conditionally sets
-  # `virtualisation.docker.enable` and therefore causes an infinite recursion.
-  options.sbruder.docker.enable = lib.mkEnableOption "docker with ipv6nat";
-
-  config = lib.mkIf config.sbruder.docker.enable {
-    environment.systemPackages = with pkgs; [
-      docker-compose
-      docker-credential-helpers
-      docker-ls
-    ];
-
-    virtualisation = {
-      docker = {
-        enable = true;
-        logDriver = "journald";
-        extraOptions = lib.concatStringsSep " " [
-          "--ipv6"
-          "--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
-        ];
-      };
-
-      oci-containers.containers.ipv6nat = {
-        image = "robbertkl/ipv6nat";
-        volumes = [
-          "/var/run/docker.sock:/var/run/docker.sock:ro"
-        ];
-        extraOptions = [
-          "--network=host"
-          "--cap-drop=ALL"
-          "--cap-add=NET_ADMIN"
-          "--cap-add=NET_RAW"
-          "--cap-add=SYS_MODULE"
-        ];
-      };
-    };
-
-    environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n";
-  };
-}

modules/flatpak.nix

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# Flatpak is only used for programs that are not easily installable natively.
+# They should always be confined as much as possible using Flatseal.
+#
+# To make Flatpak work with Flathub,
+# the following command must be run imperatively:
+#
+#     flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+#
+# The full guide is available on https://flathub.org/setup/NixOS,
+# though the restart step is not necessary.
+{ config, lib, ... }:
+
+lib.mkIf config.sbruder.gui.enable {
+  services.flatpak.enable = true;
+}

modules/mailserver/postfix.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -95,6 +95,7 @@ lib.mkIf cfg.enable {
       smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
       smtpd_tls_mandatory_ciphers = "medium";
       smtpd_tls_loglevel = "1";
+      smtpd_tls_received_header = "yes"; # add TLS connection details to Received header
 
       tls_medium_cipherlist = listToString [
         "ECDHE-ECDSA-AES128-GCM-SHA256"
@@ -140,6 +141,7 @@ lib.mkIf cfg.enable {
       # Postscreen
       smtpd = {
         type = "pass";
+        args = [ "-o" "smtpd_discard_ehlo_keywords=silent-discard,dsn" ];
       };
       smtp_inet = {
         # Partially overrides upstream

modules/podman.nix

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, ... }:
+
+{
+  options.sbruder.podman.enable = lib.mkEnableOption "podman";
+
+  config = lib.mkIf config.sbruder.podman.enable {
+    boot.enableContainers = false; # FIXME: this only needs to be set for some stateVersions
+
+    environment.systemPackages = with pkgs; [
+      buildah
+      podman-compose
+      skopeo
+    ];
+
+    virtualisation = {
+      podman = {
+        enable = true;
+        dockerSocket.enable = true;
+        defaultNetwork.settings = {
+          ipv6_enabled = true;
+        };
+      };
+    };
+  };
+}

modules/prometheus/node_exporter.nix

@@ -8,7 +8,10 @@
     enable = config.sbruder.wireguard.home.enable;
     listenAddress = config.sbruder.wireguard.home.address;
     enabledCollectors = [ "systemd" ];
-    disabledCollectors = [ "rapl" ];
+    disabledCollectors = [
+      "arp.netlink" # https://github.com/prometheus/node_exporter/issues/2849
+      "rapl"
+    ];
   };
 
   systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ];

modules/prometheus/smartctl_exporter.nix

@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, ... }:
+
+{
+  services.prometheus.exporters.smartctl = {
+    enable = config.sbruder.wireguard.home.enable && !config.sbruder.machine.isVm;
+    listenAddress = config.sbruder.wireguard.home.address;
+    # devices need to be specified for all systems that use NVMe
+    # https://github.com/NixOS/nixpkgs/issues/210041
+  };
+
+  systemd.services.prometheus-smartctl-exporter = {
+    after = [ "wireguard-wg-home.service" ];
+    serviceConfig = {
+      IPAddressAllow = lib.singleton config.sbruder.wireguard.home.subnet;
+      IPAddressDeny = "any";
+    };
+  };
+}

modules/restic/system.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -28,6 +28,8 @@ let
     "/home/*/mounts"
 
     # Docker (state should be kept somewhere else)
+    "/home/*/.local/share/containers" # podman
+    "/var/lib/containers/"
     "/var/lib/docker/"
 
     # Static configuration (generated from this repository)

modules/ssh.nix

@@ -60,12 +60,12 @@
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
     };
     okarin = {
-      hostNames = [ "okarin" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaev8K5KhRovW75IdZ0HYlzvxxo0haeCM0xCVEOuDSa";
+      hostNames = [ "okarin" "okarin.sbruder.de" "okarin.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
     };
     okarin-initrd = {
       hostNames = [ "[okarin.sbruder.de]:2222" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
     };
     shinobu = {
       hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];
@@ -87,5 +87,13 @@
       hostNames = [ "[yuzuru.sbruder.de]:2222" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
     };
+    koyomi = {
+      hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
+    };
+    koyomi-initrd = {
+      hostNames = [ "[koyomi.sbruder.de]:2222" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
+    };
   };
 }

modules/tools.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -48,9 +48,10 @@
     dmidecode # hardware information
     hdparm # hard drive management
     lm_sensors # temperature sensors
+    nvme-cli # NVMe management
     parted # partition manager
     pciutils # lspci
-    reptyr # move process to current terminal
+    (reptyr.overrideAttrs (o: o // { doCheck = false; })) # move process to current terminal # tests fail on qemu-user-aarch64 (TODO 24.05: remove)
     smartmontools # hard drive monitoring
     tcpdump # package inspector
     tio # serial console

modules/unfree.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -41,9 +41,6 @@ in
 
         # games (okay if they run sandboxed)
         "osu-lazer" # also is free except for one dependency
-        "steam"
-        "steam-original"
-        "steam-runtime"
       ]
     ));
   };

modules/wireguard/home.nix

@@ -33,8 +33,8 @@ let
       publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
     };
     okarin = {
-      address = "10.80.0.10";
-      publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
+      address = "10.80.0.14";
+      publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
     };
     shinobu = {
       address = "10.80.0.12";
@@ -48,6 +48,10 @@ let
       address = "10.80.0.16";
       publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
     };
+    koyomi = {
+      address = "10.80.0.17";
+      publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
+    };
   };
 
   cfg = config.sbruder.wireguard.home;

modules/wkd/default.nix

@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, ... }:
+let
+  cfg = config.sbruder.wkd;
+
+  toFqdn = domain: "openpgpkey.${domain}";
+in
+{
+  options.sbruder.wkd = {
+    enable = lib.mkEnableOption "Web Key Directory";
+    domain = lib.mkOption {
+      type = lib.types.str;
+      description = "The main domain to listen on. The actual fqdn will be openpgpkey.<domain>.";
+      default = "sbruder.de";
+    };
+    domains = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "Additional domains to serve.";
+      default = [ ];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sbruder.static-webserver.vhosts."${toFqdn cfg.domain}" = {
+      redirects = map toFqdn cfg.domains;
+      user.name = "wkd";
+    };
+
+    services.nginx.virtualHosts."${toFqdn cfg.domain}" = {
+      locations."^~ /.well-known/openpgpkey" =
+        let
+          # workaround for nginx dropping parent headers
+          # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
+          parentHeaders = lib.concatStringsSep "\n" (lib.filter
+            (lib.hasPrefix "add_header ")
+            (lib.splitString "\n" config.services.nginx.commonHttpConfig));
+        in
+        {
+          extraConfig = ''
+            ${parentHeaders}
+            add_header Access-Control-Allow-Origin * always;
+          '';
+        };
+    };
+  };
+}

pkgs/co2_exporter/default.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2022-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2022-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -19,7 +19,7 @@ buildGoModule rec {
 
   vendorHash = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68=";
 
-  oCheck = false; # no tests
+  doCheck = false; # no tests
 
   meta = with lib; {
     license = licenses.mit;

pkgs/contact-page/src/index.html

@@ -25,15 +25,23 @@ SPDX-License-Identifier: CC-BY-SA-4.0
           <td><a id="matrix" href="#">(requires javascript)</a></td>
         </tr>
         <tr>
-          <td>GitHub</td>
+          <td>Fediverse</td>
+          <td><a rel="me" href="https://procrastination.space/@simon">@simon@procrastination.space</a></td>
+        </tr>
+        <tr>
+          <td>Codeberg</td>
+          <td><a href="https://codeberg.org/sbruder">sbruder</a></td>
+        </tr>
+        <tr>
+          <td>(GitHub)</td>
           <td><a href="https://github.com/sbruder">sbruder</a></td>
         </tr>
         <tr>
-          <td>GitLab</td>
+          <td>(GitLab)</td>
           <td><a href="https://gitlab.com/sbruder">sbruder</a></td>
         </tr>
         <tr>
-          <td>Gitea</td>
+          <td>Forgejo</td>
           <td><a href="https://git.sbruder.de/simon">git.sbruder.de</a></td>
         </tr>
         <tr>

pkgs/wordclock-dimmer/wordclock-dimmer.py

@@ -61,15 +61,6 @@ def get_color_for_time(time: datetime.time, base=(60, 60, 60)) -> (int, int, int
         )
 
 
-def update(client: mqtt.Client):
-    time = datetime.datetime.now().time()
-    color = get_color_for_time(time)
-    print(f"{time}: setting color to {color}")
-    sys.stdout.flush()
-    set_color(client, *color)
-    pass
-
-
 client = mqtt.Client("wordclock.py")
 
 user = os.environ["WORDCLOCK_MQTT_USER"]
@@ -83,6 +74,15 @@ host = os.environ["WORDCLOCK_MQTT_HOST"]
 client.username_pw_set(user, password)
 client.connect(host, 1883, 60)
 
+color = (0, 0, 0)
+
 while True:
-    update(client)
+    time = datetime.datetime.now().time()
+    new_color = get_color_for_time(time)
+    if new_color != color:
+        color = new_color
+        print(f"setting color to {color}")
+        sys.stdout.flush()
+        set_color(client, *color)
+
     sleep(300)

users/simon/modules/games.nix

@@ -1,98 +1,41 @@
-# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-
+#
+# Steam is installed as a flatpak,
+# as this seems to be the only method that does not force me
+# to spend hours debugging various issues with the client.
+#
+# Installation instructions for steam:
+#
+# 1. Run flatpak install flathub com.valvesoftware.Steam
+# 2. Use Flatseal to revoke all filesystem permissions,
+#    development syscalls
+#    and bluetooth.
+# 3. Add GDK_SCALE=2 as an environment variable (hack for sway’s Xwayland)
+# 4. If you previously used steam-sandbox,
+#    you need to copy the files to the flatpak location.
+#    For this, start steam once (you can close it early),
+#    so it creates the new structure.
+#    Then, run the following commands:
+#        rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
+#        mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
+#    You might want to copy additional files of games,
+#    that do not store files inside of Steam’s directories.
+#    Afterwards, you can delete ~/.local/share/steam-sandbox
+#
+# For MangoHud, the following steps are also necessary:
+# 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
+# 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
+# 4. For Intel Arc systems,
+#    add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
+#    and /run/wrappers/bin to the PATH environment variable in Flatseal
+# 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
+#    available
 { lib, nixosConfig, pkgs, ... }:
 let
   cfg = nixosConfig.sbruder.games;
   inherit (nixosConfig.sbruder) unfree;
-
-  steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
-    set -euo pipefail
-    shopt -s nullglob # make for loop work for glob if files do not exist
-    base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
-    mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
-    bubblewrap_args=(
-        # sandboxing
-        --unshare-all
-        --share-net
-        --die-with-parent
-        --new-session
-
-        # basic filesystem
-        --tmpfs /tmp
-        --proc /proc
-        --dev /dev
-        --dir "$HOME"
-        --dir "$XDG_RUNTIME_DIR"
-        --ro-bind /nix/store /nix/store
-        # path
-        --ro-bind /run/current-system/sw /run/current-system/sw
-        --ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
-        # system-wide configuration
-        --ro-bind /etc/fonts /etc/fonts
-        --ro-bind /etc/localtime /etc/localtime
-        --ro-bind /etc/machine-id /etc/machine-id
-        --ro-bind /etc/os-release /etc/os-release
-        --ro-bind /etc/passwd /etc/passwd
-        --ro-bind /etc/resolv.conf /etc/resolv.conf
-        --ro-bind /etc/ssl/certs /etc/ssl/certs
-        --ro-bind /etc/static /etc/static
-
-        # gui
-        --ro-bind /tmp/.X11-unix /tmp/.X11-unix
-        --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
-        --dev-bind /dev/dri /dev/dri
-        --ro-bind /run/opengl-driver /run/opengl-driver
-        --ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
-
-        # audio
-        --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
-        --setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
-        --ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
-        --setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
-        --ro-bind-try /etc/asound.conf /etc/asound.conf
-        --ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
-        --ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
-
-        # dbus
-        --ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
-        --ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
-
-        # shared data
-        --bind "$base_dir/.local/share" "$HOME/.local/share"
-        --bind "$base_dir/.steam" "$HOME/.steam"
-        --bind "$base_dir/.config" "$HOME/.config"
-        --bind "$base_dir/.factorio" "$HOME/.factorio"
-        --bind "$base_dir/data" "$HOME/data"
-        --ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
-
-        # input
-        --dev-bind /dev/input /dev/input
-        --dev-bind-try /dev/uinput /dev/uinput
-        --ro-bind /sys /sys # required for discovery
-      )
-
-    for hidraw in /dev/hidraw*; do
-        bubblewrap_args+=(--dev-bind $hidraw $hidraw)
-    done
-
-
-    unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
-    export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
-
-    ${pkgs.bubblewrap}/bin/bwrap \
-        "''${bubblewrap_args[@]}" \
-        ''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
-        "$@"
-  '';
-
-  steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
-    mkdir -p $out/{bin,share}
-    ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
-    ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
-    ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
-  '';
 in
 lib.mkIf cfg.enable {
   home.packages = with pkgs; [
@@ -105,9 +48,7 @@ lib.mkIf cfg.enable {
     pcsx2
   ] ++ lib.optionals (cfg.performanceIndex >= 8) [
     unstable.ryujinx
-    unstable.yuzu-mainline
   ] ++ lib.optionals unfree.allowSoftware [
     unstable.osu-lazer-sandbox
-    steam-sandbox-with-icons
   ];
 }

users/simon/modules/gpg.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-{ nixosConfig, pkgs, ... }:
+{ lib, nixosConfig, pkgs, ... }:
 
 {
   programs.gpg = {
@@ -18,7 +18,7 @@
   services.gpg-agent = rec {
     enable = true;
     enableZshIntegration = true;
-    enableSshSupport = true;
+    enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
 
     pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
 

users/simon/modules/mpd.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -73,6 +73,7 @@ lib.mkIf nixosConfig.sbruder.gui.enable {
 
       # Lyrics
       lyrics_directory = "${config.services.mpd.musicDirectory}/lyrics";
+      follow_now_playing_lyrics = true;
 
       # Misc
       external_editor = "nvim";

users/simon/modules/neovim/default.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -54,7 +54,7 @@ in
       haskell-language-server
       jdt-language-server
       unstable.ltex-ls
-      rnix-lsp
+      nixd
       rust-analyzer
       (python3.withPackages (ps: with ps; [
         pyls-isort

users/simon/modules/neovim/init.lua

@@ -1,4 +1,4 @@
--- SPDX-FileCopyrightText: 2018-2023 Simon Bruder <simon@sbruder.de>
+-- SPDX-FileCopyrightText: 2018-2024 Simon Bruder <simon@sbruder.de>
 --
 -- SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -348,7 +348,7 @@ lsp.ltex.setup {
 lsp.pylsp.setup {
     on_attach = on_attach,
 }
-lsp.rnix.setup {
+lsp.nixd.setup {
     on_attach = on_attach,
 }
 lsp.rust_analyzer.setup {

users/simon/modules/pass.nix

@@ -1,8 +1,8 @@
-# SPDX-FileCopyrightText: 2020 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   programs.password-store = {
     enable = true;
@@ -14,4 +14,14 @@
       PASSWORD_STORE_DIR = "$HOME/.password-store";
     };
   };
+
+  programs.browserpass = {
+    enable = true;
+    browsers = [ "librewolf" ];
+  };
+
+  services.pass-secret-service = {
+    enable = true;
+    storePath = "${config.xdg.dataHome}/secret-service-password-store";
+  };
 }