renge/sbruder.xyz: Make transparency files state

zsh/pass-wrappers: Drop
I can’t remember using them.
2024-01-10 21:42:34 +01:00 · 2024-01-10 21:31:54 +01:00 · 2024-01-10 21:31:54 +01:00 · 2024-01-10 21:31:54 +01:00 · 2024-01-10 21:27:42 +01:00 · 2024-01-06 01:36:51 +01:00
53 changed files with 368 additions and 990 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -5,12 +5,12 @@ keys:
  - &vueko 4EA330328CD0D3076E90960194DFA4953D8729DE
  - &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
  - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
-  - &yuzuru F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
  - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
  - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
  - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
  - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
  - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
+  - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
 creation_rules:
  - path_regex: machines/nunotaba/secrets\.yaml$
    key_groups:
@ -37,11 +37,6 @@ creation_rules:
    - pgp:
      - *simon
      - *mayushii
-  - path_regex: machines/yuzuru/secrets\.yaml$
-    key_groups:
-    - pgp:
-      - *simon
-      - *yuzuru
  - path_regex: machines/okarin/secrets\.yaml$
    key_groups:
    - pgp:
@ -67,6 +62,11 @@ creation_rules:
    - pgp:
      - *simon
      - *nazuna
+  - path_regex: machines/yuzuru/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *yuzuru
  - path_regex: secrets\.yaml$
    key_groups:
    - pgp:
--- a/README.md
+++ b/README.md
@ -57,8 +57,8 @@ On MBR:
    parted /dev/sdX
      mktable GPT
      mkpart primary 1MiB 2MiB
-      mkpart primary 2MiB 500MiB
-      mkpart primary 500MiB 100%
+      mkpart primary 2MiB 512MiB
+      mkpart primary 512MiB 100%
      set 1 bios_grub on
      disk_toggle pmbr_boot
      quit
--- a/flake.lock
+++ b/flake.lock
@ -85,11 +85,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1702195709,
-        "narHash": "sha256-+zRjWkm5rKqQ57PuLZ3JF3xi3vPMiOJzItb1m/43Cq4=",
+        "lastModified": 1704099619,
+        "narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6761b8188b860f374b457eddfdb05c82eef9752f",
+        "rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851",
        "type": "github"
      },
      "original": {
@ -106,11 +106,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1702423270,
-        "narHash": "sha256-3ZA5E+b2XBP+c9qGhWpRApzPq/PZtIPgkeEDpTBV4g8=",
+        "lastModified": 1704100519,
+        "narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "d9297efd3a1c3ebb9027dc68f9da0ac002ae94db",
+        "rev": "6e91c5df192395753d8e6d55a0352109cb559790",
        "type": "github"
      },
      "original": {
@ -215,11 +215,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1702456155,
-        "narHash": "sha256-I2XhXGAecdGlqi6hPWYT83AQtMgL+aa3ulA85RAEgOk=",
+        "lastModified": 1703939133,
+        "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "007a45d064c1c32d04e1b8a0de5ef00984c419bc",
+        "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38",
        "type": "github"
      },
      "original": {
@ -231,11 +231,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1702453208,
-        "narHash": "sha256-0wRi9SposfE2wHqjuKt8WO2izKB/ASDOV91URunIqgo=",
+        "lastModified": 1704124233,
+        "narHash": "sha256-lBHs/yUtkcGgapHRS31oOb5NqvnVrikvktGOW8rK+sE=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "7763c6fd1f299cb9361ff2abf755ed9619ef01d6",
+        "rev": "f752581d6723a10da7dfe843e917a3b5e4d8115a",
        "type": "github"
      },
      "original": {
@ -247,11 +247,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1702233072,
-        "narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=",
+        "lastModified": 1703992652,
+        "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "781e2a9797ecf0f146e81425c822dca69fe4a348",
+        "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
        "type": "github"
      },
      "original": {
@ -275,11 +275,11 @@
        "poetry2nix": "poetry2nix"
      },
      "locked": {
-        "lastModified": 1701527732,
-        "narHash": "sha256-pylAGzBf4a9ShBFR9fAs9KSD2cpPYUeINDCheSru9Yw=",
+        "lastModified": 1704120598,
+        "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=",
        "ref": "refs/heads/master",
-        "rev": "37f80d1593ab856372cc0da199f49565f3b05c71",
-        "revCount": 64,
+        "rev": "32ef4fd545a29cdcb2613934525b97470818b42e",
+        "revCount": 65,
        "type": "git",
        "url": "https://git.sbruder.de/simon/nixpkgs-overlay"
      },
@ -306,11 +306,11 @@
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1702148972,
-        "narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=",
+        "lastModified": 1703950681,
+        "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227",
+        "rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
        "type": "github"
      },
      "original": {
@ -322,11 +322,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1702312524,
-        "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=",
+        "lastModified": 1703961334,
+        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a9bf124c46ef298113270b1f84a164865987a91c",
+        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
        "type": "github"
      },
      "original": {
@ -453,11 +453,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1702177193,
-        "narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=",
+        "lastModified": 1703991717,
+        "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9",
+        "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
        "type": "github"
      },
      "original": {
--- a/keys/machines/yuzuru.asc
+++ b/keys/machines/yuzuru.asc
@ -1,28 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----

-xsFNBAAAAAABEADlgmSvdnFWue1i5dS1qA9df+cRQDA1NDBHYm5dGpsTe7xghvde
-9B1aAzWxbxeppwr2IHvLo1boWyH0ODC5HFxvleaYd6R9oLljQvxZEPq8ANWMyxDx
-T4MyRlLClegMrUaCoQTFxoO7LFujrhKPC1+r/JVBBehJrpw31WAUQV2SLDTPFRMJ
-GVAJXR1vplafbftlkI9K3t12T1RrD1D5QxPtFPPEdwdfPQ8CDE7cCado9iv+P3e+
-9gA3fE0HJzS1ZRySF0sZ5lP3RX3ZBoY7z/8s3ZHGCYfD9ssGwZS5ByjMk2eJiPY2
-tX0ZwffBdzAwyq64e1/ddubGTIhKNPd5Iy2GCnOEgPMC8TCke5Zz5IeInUE3ANyS
-zkuwpCbqT8Vu541yqhs8+dOnH3srgks9OH2Ar2ctMWx3gmICDoCLHrWfbvlkqUwB
-cxnGxAeNzOXiem1Fu5IJwVC5JR1+5b4dqa3k+f/nuWRizvrU26OP/1S+NTz3T7/W
-TEF6KyE7+dy3K4IO95SDYwVp6mF/0fh4FTahNi6B1BDEAZKZjaVXyd2TOk77Y7si
-Tc98E4SUTUlRRCLh8SmUmxalI168LLgGMwUWhDvRw6EP7uh9FBEi1kLXnN6am0kP
-q1jgQL798DzFwcgEYTx7rTDHZLkbwrxWA32Lpu3T6twtaZiQE+o7wuXMTQARAQAB
+xsFNBAAAAAABEACrSqXAEWHXWjyl/FX+r6d0WQmn7/40slxrnBQzl5ERnEOKtzR5
+hMPioWhfFFKeNbTxYp6tV6mbiIm7NKSCOC0o1lkt16Sb8SU3Tzi8uF4gCl6gxmwW
+iHG4k5CYij/jMw3YMX9NEpCVPjita/FXVxrN2aq96cMEgf7kQU9Bs+VmN2nlGCl0
+ATI4tZyJrxjO2okWEfsK3OT0qhqsQrQdsv8QhsG455pv1tmhvgwDY22swORQbBYC
+4Jgp2mtPX/LPXzr3cxnG3hz+d/A9tDtZK9t/uEc1sMMSEws6FiKofVNL00KTvx5/
+1N5PPEACovBmGx17KLYZVo0pNDvIzPvp7UdZ3gbdoK7KvRPzzJ8EdSB/IPP2883w
+bAplPpP6aGkYog3bPsp9o9t5il5hm5ASlKchKZjUp5Mes6sRrnSAnq5zJGpE3bMz
+0NnbcOcuRBNF/cie0eX2XpL4ooI+OTUC0cUa/nnmvRbvH9INVydAhiJmzxhduLvz
+586SzGRoHG1FNumT/I+jQDXgb2hIpZy4keDzsBlfuOCixjKyJPKf39hCbKbiNyed
+R+e8EqqqSwKBdN6neha5o0NPldQRp9BV+uSaVtr6NwmG6nRKMg5QSuxuab0qckwG
+3C33xjBFvodVoYLKTgvYR2qw8QFgI33MKrctQsUW4od1w5rfPVsWTsboowARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQZ0WmUqMRhtsCGw8CGQEAAIyAEAA89dyQvXx4sS7I1nRlMw9q
-Agbi4h1lrCifEH6srlInbg3kZNgnlsDY+cVCIiy8m/Oyupn0U4uduMI8P7R5kgWQ
-g9+FKFXoLK8P1kO5gani+tWNmBW49leSN8un9YAviKele5wDM/Dg+rNbWDaYHKu5
-SspZV/SiP0JkxXOgxkMgOOl97kNmvv6O3qYHPG5rz5P/YV0pdDSi1cfhdREvTPAl
-eNqzMrdEuE/GUrYJYeF8kN+TswBubTgy4WBqQdMlS+Go1B/7HQd56pl5BHiHM8HZ
-l01ljbgqdYdggmXt7CI90Txe3RRduzKS4ncEQ1VVQiXEmOzU7emu+DFwknGnSgTW
-gW6Nps3u2XhcsJNczf2PdEzDAv0oNAp4So7JdTGetkJ1Yw4quS0l1XWWBm+cf376
-nanAGkENvuBbS36kgHNjNT1EnUnyJoMDMnc1AmSSlTf/ORc+JrzM4PtMonhWJTAU
-eM66tozyJ3qYWApiI2doYwMDuh/u3jvqpTddxklaNFUOxIA2VITP0EgCFkVjW2u3
-0gPY2tV6AtcxcUn1NnhS92xf0//O4fcGOwlTvNaPqDuF0mk9OazAPQ5L37mfNZzb
-XUc3AyZXRZNhlE+aNfeJSKtzFCpGUJfstPmkdOwPxK29G4GDbjzWevpYF9Rv6Xpq
-Ky38rXnis6Hpih/z6/7HOg==
-=5Ki8
+AQgAFgUCAAAAAAkQZJ53DsbqFuQCGw8CGQEAAKv8EABzl8YKtwB0NEfR54L4fC65
+/068DC+BqeT5rMI0T/f9yax9CNWH/j359GGal5TjWaOxZzY5g6KgIzsn/GBo0kNt
+/XhEuNv2zfjeGsF+bugTO+qipZV7hGq3tV8JHqsmRnafoAH+tOIkIKYtL4B5jT6w
+KjOO70WDak0tnO8s5jMAqONf6Ny3OT8Xqy5yZhUvvSqfOY488rkMjbY5hGkuU1+z
+7vOppJRZIIXHQeZZWM4OXXcVayHiVjAKXpVoQ8XGGPL82Io1kDf39lWyIUUk5jCc
+1S0fSyMCZfC8nAprKmXMUZdeQUs4k7BCMmreKTa4G58LMnm6T/rtdoqwnTjk/fIB
+SVea86wcjN7zhXZbrDMVSbHtToX95287kpsXCRmIglX9KNhbT3IPpEz5sq9/9/YA
+fhyXu1lnu2JbGt01lRuBUPlVx1qEQ9Gor1PmOORfMR19KXpVXci+JIhWA8KxMnSv
+Hbj6Iqh/EdhctlrvAnjC4ERA3Om3m6SfrJm+e3kmSpV8Hq2f7gDeDbrruy78AAMv
+RLabJ0+RPBOFCU5XFs+li2t1xgeR8XVgSrMafHbjNREvytLKG0y21kkY+O1Pg0/c
+PuxFfEqzXeH+pqa9Dv/TCXpbkGuos8c3WpFjNmt+XTULfrUvMc0/ClfVqVAfic4H
+GjYdNSdHdZaTkT/4WjVD4A==
+=5kkr
 -----END PGP PUBLIC KEY BLOCK-----
--- a/machines/default.nix
+++ b/machines/default.nix
@ -67,4 +67,9 @@ in

    targetHost = "nazuna.sbruder.de";
  };
+  yuzuru = {
+    system = "x86_64-linux";
+
+    targetHost = "yuzuru.sbruder.de";
+  };
 }
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@ -29,7 +29,6 @@
        "/data/media/video"
        "/data/torrent"
      ];
-      prune = true;
    };
    unfree.allowSoftware = true;
  };
--- a/machines/fuuko/secrets.yaml
+++ b/machines/fuuko/secrets.yaml
@ -1,4 +1,3 @@
-restic-ssh-key: ENC[AES256_GCM,data:wA7JCg6Y900s6+1JoevMzbr6fKRN6jbfUuX166VS+TUFhFbn0npz5gKkAQpC8h1io1WaSCPJkJMzr+viOLlnVwqe8zFGm3ZJlKSEqKKK+CatZ95+zKACOZuBAC/2E6rep6JnL/C3/gKMKibVmAL+9TkTX6nA83xwhM65JPLN/+bP29bq0Cr2FopgZgNPQjb6ANB4POy+MUktet63DZ4dJwKvndiCRg4EMLIOqFopbQei6Pxc1F/lC3yBu71YgB4TSGQp/6tXjfFOuXQpI0nFrZCmLYcW03ZqOBQbKg3w4rwlqtnl25/23jpT0kqWp99wHUGMCib5+iywPUMSNDwAsz0fq04JGpTEM9cuxkLWZVfCpguNlgaiwCObyJkA2CHXlIn6KYsDOa6U/Uy9mNRPae52j/E+JdLQycOwT5+n78j0vqtvS69blUC/E7j2IWe17SI8JVCiYFbZXPqVm43jdEiQ9jU4gXMsu6NKppnBhFSrMVUHScS3gR/xnTfrabrr2FWJwIOjdGdJb4pr+nfZ,iv:ow+hzt5YGGD0FDvN+XkZtW74k4mwW+6HqWZMtOwAWDg=,tag:HXogIkcSTq6Ep4M2MXEMew==,type:str]
 wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
 wg-mullvad-private-key: ENC[AES256_GCM,data:4smAYjzrMz6bapthHwTdeDJSvnEqnGmDFRZjJwnXWXLSYnEhzhvRttVrmFw=,iv:94o7E8IlZ6V+wez5+Zr9xv92rr06MlUfBCvtMW8VnEA=,tag:SJjrbBseVyWwhf9IHRi7rQ==,type:str]
 wg-qbittorrent-private-key: ENC[AES256_GCM,data:xahW0lKU7yhinWJylyetdHWcdPdeKg3SMAm5WQhJEIIAFe+i2zeiSb2erq4=,iv:wTIsR7SXp4janh6QLA7RhzGdR7mDAMtAqROxFxKfneo=,tag:K/nDVrBv0ctoynxAEStr6w==,type:str]
@ -9,8 +8,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-07-03T09:14:17Z"
-    mac: ENC[AES256_GCM,data:++UfJymDA0rdFYa2lfG3eYQBuqLp/3llSazf8XGNV3H/LqDxC3H9BhWrVhA2itkextBX+Lj7DxeHQLR8oMb538YI00z4Yt1U62sMfjajJEZI/BSnugDum2LqXCigOcC4+1TldH4490GQ2aij/aBqMxrFnqmkVGsqnqKLDxb5kTQ=,iv:QL7CuO14839+0vX1060HEKqdY/4HRFapInOyovn8lNE=,tag:+wMAltwkCAASa48QSzI2Zg==,type:str]
+    lastmodified: "2024-01-10T18:29:18Z"
+    mac: ENC[AES256_GCM,data:askmYGMX50W3U/86DBj9CXhLOZdBrTjbMqRtvegDjfFkOtHLInGuh5urfXGnEBDLtLTjGwdWHCU5DZz9AvBNcl0X6wOM3BGxkMF7+CrZ2FL7ZYw+hJ7JOywNryO/vJLdUZ1MUc0uH1YZdYYHjD7nkyVeDj6aDDkO0UOiLsDNEDw=,iv:gpY4O08YheKFAanPkccp6I7z80ygqMj2IdQnYK9clwI=,tag:OAre51qIvnhfj/vwqSy3wQ==,type:str]
    pgp:
        - created_at: "2021-04-06T11:27:21Z"
          enc: |
@ -53,4 +52,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 2372651C56E22972C2D9F3F569C8187C9C43754E
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
--- a/machines/mayushii/configuration.nix
+++ b/machines/mayushii/configuration.nix
@ -40,6 +40,9 @@
      disable spoolss = yes
      usershare max shares = 0
      acl allow execute always = True
+
+      server min protocol = NT1
+      ntlm auth = ntlmv1-permitted
    '';
    shares = {
      qemu = {
--- a/machines/nazuna/configuration.nix
+++ b/machines/nazuna/configuration.nix
@ -9,6 +9,7 @@
  sbruder = {
    nginx.hardening.enable = true;
    wireguard.home.enable = true;
+    infovhost.enable = true;
  };

  networking.hostName = "nazuna";
--- a/machines/nazuna/hardware-configuration.nix
+++ b/machines/nazuna/hardware-configuration.nix
@ -5,6 +5,8 @@
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

+  sbruder.machine.isVm = true;
+
  boot = {
    kernelParams = [ "ip=86.106.183.111/26::86.106.183.65::nazuna" ];
    initrd = {
@ -50,7 +52,4 @@
      };
    };
  };
-
-  # no smart on qemu disk
-  services.smartd.enable = false;
 }
--- a/machines/okarin/configuration.nix
+++ b/machines/okarin/configuration.nix
@ -13,23 +13,13 @@
    nginx.hardening.enable = true;
    full = false;
    wireguard.home.enable = true;
+    infovhost.enable = true;
  };

  networking.hostName = "okarin";

  system.stateVersion = "22.11";

-  services.nginx = {
-    enable = true;
-
-    virtualHosts."okarin.sbruder.de" = {
-      enableACME = true;
-      forceSSL = true;
-
-      root = pkgs.sbruder.imprint;
-    };
-  };
-
  networking.firewall.allowedTCPPorts = [
    80
    443
--- a/machines/okarin/hardware-configuration.nix
+++ b/machines/okarin/hardware-configuration.nix
@ -1,6 +1,8 @@
 { lib, modulesPath, ... }:

 {
+  sbruder.machine.isVm = true;
+
  boot = {
    kernelModules = [ ];
    extraModulePackages = [ ];
@ -65,7 +67,4 @@
      };
    };
  };
-
-  # no smart on virtual disk
-  services.smartd.enable = false;
 }
--- a/machines/okarin/services/static-sites.nix
+++ b/machines/okarin/services/static-sites.nix
@ -11,7 +11,6 @@
    };
    "arbeitskampf.work".user = {
      name = "arbeitskampf";
-      keys = config.sbruder.pubkeys.trustedKeys;
    };
  };
 }
--- a/machines/renge/configuration.nix
+++ b/machines/renge/configuration.nix
@ -17,15 +17,18 @@
    ./services/murmur.nix
    ./services/password-hash-self-service.nix
    ./services/prometheus.nix
-    ./services/psycho-power-papagei.de
    ./services/sbruder.xyz
    ./services/schabernack.nix
  ];

  sbruder = {
    nginx.hardening.enable = true;
-    restic.system.enable = true;
+    restic.system = {
+      enable = true;
+      prune = true;
+    };
    wireguard.home.enable = true;
+    infovhost.enable = true;
  };

  networking.hostName = "renge";
--- a/machines/renge/hardware-configuration.nix
+++ b/machines/renge/hardware-configuration.nix
@ -5,6 +5,8 @@
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

+  sbruder.machine.isVm = true;
+
  boot = {
    kernelModules = [ ];
    extraModulePackages = [ ];
@ -66,7 +68,4 @@
      };
    };
  };
-
-  # no smart on qemu disk
-  services.smartd.enable = false;
 }
--- a/machines/renge/secrets.yaml
+++ b/machines/renge/secrets.yaml
@ -5,6 +5,7 @@ invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyB
 murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
 netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
 prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
+restic-ssh-key: ENC[AES256_GCM,data:9quBzUwv4qylVzESG94wSgzvuodSDM/smPh0j+LYJjXwEN1xksBIW2/Jv0XmF3Q+AWUF/C/lA2jteI3Mf6Pmn7zlqa3H7GwH8Os6/arQI3ywH2dHQLAFxgST2J0AlLGeZcJbntxW0buYw+Rz3q5Jbo+Wo9tQo+2EVvqX320qWBsEwinnahbUhZym3fipyE9g6JxGa3OFGiIn6JAQhst63WgpOfehQsAYu2bdW1gLrgFtURzDQQRQ28RxeD+nMUWRpQcq5GrX2rfSA7sengfQbmP3Ln1atp1YXctTalHsj+n4photBqLz6OfLaFKBqbdKRbinUgVAEarAocEOKk/qf1C6LS8yKjV9Mh/tKeCJQrCI/AccEP5DfMNqdRaWjoQxvjBRKaupPE7Rcuja++K/jm24nP9J8WDcrRSm0tlrVq2JnPHxJv+eUsZoGkvpyOs9AkTG1H2BCckYS5ZG4atjKoBfUvc3CitPNmPZcjSkPrkdRMZbu1BWR+cixFH9rFAUvVIn+e7sWGnqMA8xGXZS,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
 synapse-registration-shared-secret: ENC[AES256_GCM,data:qwUjGPINIuBC3KYqMPmnU3l9uJ85DJsJFixvTFQTSuR+fcq6DEjx03Xk41ff7NJftAi+Gt0QLdqKp+viJfW7eU6iHKyfcgPE/nj46UECCWLM8HISxPFQ9IrP+DIo02k=,iv:C9jhBPexth+gnAs6+DBtEmP2qsWZoKmgw6ILbtXUScA=,tag:M3U+03I0Bj8Nhuu4GB98xw==,type:str]
 synapse-turn-shared-secret: ENC[AES256_GCM,data:9MAsVAEnoF703p1enN70BXqlKZWacYmPCL25CNGdapZulGbMF5rAbpLxkJ3JiBNBYQt+DXSSb6zcmsT6yIqQZ4lW04lwtFV0RPJLfbfW9vUJQ3Bi5NUF,iv:keDUMEeintOwbBQzHHqVl8EFyQC1zqKG2LDvnBFSBxE=,tag:ymSwjZ+qC5kLIxMxlxwcAQ==,type:str]
 turn-static-auth-secret: ENC[AES256_GCM,data:HyFKdLn9yClXwVGv4/UcC5QfnqjTK2ui43/SRJiJYC7soP+BZnbtCTFkVe04H2smRQQi9ftrXLWQQx5DdGZxpg==,iv:tIwZcq4pVzWa1bl7zX/YsEuaVCyDenJnPGL0RhF9lmg=,tag:ddXaLQ3U990eupAHLyXx6w==,type:str]
@ -15,8 +16,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-12-31T13:31:26Z"
-    mac: ENC[AES256_GCM,data:oCTMqcPQ2uADn0tpFpPLBT/4xF/PCYsquxXLPfYh4cPbmiHaQxbouxnLHYmnaIsnq/OeTGffx7/hVgeX64U5NLfLlHUoejqkINwdAbXVJ5EatbE5tRGvtYiaEPK4nhBPfEwHP7WCxiK9LCNFvsmQlO/LJt+ofy/SszI/if6/SZ4=,iv:6/MKaG4AKLMgKQ+eC2sRZqG8HyI12JUie3EBeWiaVuA=,tag:aeEMicIGQ4ScWJMOfzZZnQ==,type:str]
+    lastmodified: "2024-01-10T18:29:17Z"
+    mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
    pgp:
        - created_at: "2023-12-31T13:31:08Z"
          enc: |-
--- a/machines/renge/services/prometheus.nix
+++ b/machines/renge/services/prometheus.nix
@ -70,6 +70,7 @@ in
          "okarin.vpn.sbruder.de:9100"
          "shinobu.vpn.sbruder.de:9100"
          "nazuna.vpn.sbruder.de:9100"
+          "yuzuru.vpn.sbruder.de:9100"
        ];
        relabel_configs = lib.singleton {
          target_label = "instance";
--- a/machines/renge/services/psycho-power-papagei.de/default.nix
+++ b/machines/renge/services/psycho-power-papagei.de/default.nix
@ -1,21 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.nginx.virtualHosts = {
-    "psycho-power-papagei.de" = {
-      forceSSL = true;
-      enableACME = true;
-
-      root = ./.;
-
-      locations = {
-        "/imprint/".alias = "${pkgs.sbruder.imprint}/";
-      };
-    };
-    "www.psycho-power-papagei.de" = {
-      forceSSL = true;
-      enableACME = true;
-      globalRedirect = "psycho-power-papagei.de";
-    };
-  };
-}
--- a/machines/renge/services/psycho-power-papagei.de/index.html
+++ b/machines/renge/services/psycho-power-papagei.de/index.html
@ -1,28 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <title>Psycho-Power-Papagei</title>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <link href="style.css" rel="stylesheet">
-  </head>
-  <body>
-    <main>
-      <img id="parrot-landscape" src="parrot-landscape.jpg">
-      <img id="parrot-portrait" src="parrot-portrait.jpg">
-      <div id="quote">
-        <p id="quote-body"><noscript><code>[] + {} === '[object Object]'</code></noscript></p>
-        <span id="quote-attribution"><noscript>Satz des Pythagoras</noscript></span>
-      </div>
-    </main>
-    <footer>
-      <ul>
-        <li><a href="/imprint/">Impressum</a></li>
-        <li>Zitate: © Ullstein Buchverlage</li>
-        <li id="attribution-landscape">Photo by <a href="https://unsplash.com/photos/uH7YCla3oVE">Yorman Tamayo on Unsplash</a></li>
-        <li id="attribution-portrait">Photo by <a href="https://unsplash.com/photos/vzVWYIr6F8U">Dmitry Chernyshov on Unsplash</a></li>
-      </ul>
-    </footer>
-    <script src="script.js"></script>
-  </body>
-</html>
--- a/machines/renge/services/psycho-power-papagei.de/parrot-landscape.jpg
+++ b/machines/renge/services/psycho-power-papagei.de/parrot-landscape.jpg
--- a/machines/renge/services/psycho-power-papagei.de/parrot-portrait.jpg
+++ b/machines/renge/services/psycho-power-papagei.de/parrot-portrait.jpg
--- a/machines/renge/services/psycho-power-papagei.de/script.js
+++ b/machines/renge/services/psycho-power-papagei.de/script.js
@ -1,111 +0,0 @@
-const quotes = [
-  {
-    quote: "Mein großer Lehrmeister sagte letztens auf einer Wanderung im Himalaya zu mir: »Um die Ängste anderer manipulieren zu können, musst du zuerst lernen, deine eigenen zu beherrschen, Bruce!« Darum werde ich jede Nacht zum Psycho-Power-Papagei!",
-    attribution: "Austrian Psycho",
-  },
-  {
-    quote: "Das klingt irgendwie nach Hitler.",
-    attribution: "Das Känguru",
-  },
-  {
-    quote: "Aha. Ich habe das Gefühl, Sie fragen sich, was meine Spezialfähigkeit ist.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Aha. Ich empfinde von Ihrer Seite eine negative Einstellung. Eine Art »Och nöö …«.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Aha. Und dieses Känguru … hören Sie nur dessen Stimme oder können Sie es auch sehen?",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Aha. Und dieses Känguru … springt das vielleicht gerade hier im Zimmer herum?",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Es hat gesagt, ’ne Therapie is nur was für Systemopfer, es habe keine Psychomacken, und ich solle ruhig allein zum Kopfdoktor.",
-    attribution: "Kai-Dieter Kling",
-  },
-  {
-    quote: "Ich weiß echt nicht, was ich hier soll! Ich bin ja hier nicht das Systemopfer mit der Psychomacke.",
-    attribution: "Das Känguru",
-  },
-  {
-    quote: "Doch, doch. Ich lebe ja selbst mit einem Gnu zusammen.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Der hat ja ’nen Kopfdoktor noch nötiger als du.",
-    attribution: "Das Känguru",
-  },
-  {
-    quote: "Etwas tritt dir gleich in den Arsch, wenn du dich weiter aufführst wie ein Irrer.",
-    attribution: "Das Känguru",
-  },
-  {
-    quote: "Ich bin ein Vogel! Ein lieblicher kleiner Vogel! Tschilp, tschilp, tschilp, tschilp.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Ich bin kein Psychiater. Ich bin Psychoanalytiker",
-    attribution: "Kai-Dieters Psychiater",
-  },
-  {
-    quote: "Ich will nur hören, wie er Titellieder von Kinderserien singt",
-    attribution: "Das Känguru",
-  },
-  {
-    quote: "Sie beeinträchtigen leider stark die Konzentrationsfähigkeit aber unter uns, ich höre sowieso nie richtig zu, sondern sage immer nur »Aha«, denn wie alle interessiert auch mich das, was mein Gegenüber zu sagen hat, viel weniger als das, was ich zu sagen habe.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Aha. Haben Sie es schon mal mit Alkohol versucht?",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Ich nenne Ihnen jetzt spontan drei Wörter Bitte merken Sie sich diese Wörter. Ich werde sie am Ende der Sitzung nach diesen drei Wörtern fragen. Keine Sorge. Nur ein Standardtest. Also, hier die drei Wörter: Äh … Suppe, … äh … Salat, … äh … äh … Schnitzel.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Ich darf nicht mit Patienten ausgehen. Aber das Angebot schmeichelt.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Aha. Der Pinguin … Vielleicht war ich etwas voreilig mit dem Wort »geheilt«. Sagen wir, es geht Ihnen besser …",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Aha. Sagen wir, es geht Ihnen etwas schlechter. Der Messias?",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Nun gut. Sagen wir, Ihr Zustand hat sich massiv verschlechtert.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Ich muss gestehen, ich war ja kurz nach Ihren letzten Besuchen selber längere Zeit in Behandlung …",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Ich hatte keine Mutter. Ich bin ein Waisenkind.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Verstehen Sie nicht? In meiner Erinnerung mach ich mir die Welt, widdewiddewie sie mir gefällt. Jeder Mensch macht das, die meisten leider nur unbewusst. Mit professioneller Hilfe aber kann Ihre Kindheit zu einer Astrid-Lindgren-Geschichte werden. Immer wenn bei mir sehr unangenehme Erinnerungen hochkommen, singe ich zum Beispiel ganz laut Titellieder von Kinderserien. Das lenkt mich ab.",
-    attribution: "Psycho-Power-Papagei",
-  },
-  {
-    quote: "Ich denke, wir sollten die Sitzung an dieser Stelle unterbrechen. Nächstes Mal reden wir dann über Ihre Gefühle für mich.",
-    attribution: "Psycho-Power-Papagei",
-  },
-]
-
-document.addEventListener("DOMContentLoaded", () => {
-  const randomIndex = Math.floor(Math.random() * quotes.length)
-  const randomQuote = quotes[randomIndex]
-  let quoteBodyEl = document.getElementById("quote-body")
-  let quoteAttributionEl = document.getElementById("quote-attribution")
-  quoteBodyEl.innerHTML = randomQuote.quote
-  quoteAttributionEl.innerHTML = randomQuote.attribution
-})
--- a/machines/renge/services/psycho-power-papagei.de/style.css
+++ b/machines/renge/services/psycho-power-papagei.de/style.css
@ -1,94 +0,0 @@
-body {
-  font-family: -apple-system, "Segoe UI", system-ui, Roboto, "Helvetica Neue", Arial, "Noto Sans", "Liberation Sans", sans-serif;
-  margin: 0px;
-
-  min-height: 100vh;
-  display: flex;
-  flex-direction: column;
-}
-
-main {
-  display: flex;
-  flex-direction: column;
-}
-
-#quote {
-  width: 100%;
-  text-align: center;
-  display: flex;
-  flex-direction: column;
-  justify-content: center;
-}
-
-#quote-body {
-  margin: 1rem;
-  font-size: 2rem;
-}
-
-@media (max-aspect-ratio: 4/3) {
-  img#attribution-landscape {
-    display: none;
-  }
-
-  img#parrot-landscape {
-    display: none;
-  }
-
-  footer {
-    margin-top: auto;
-    font-size: 0.75rem;
-  }
-
-  #attribution-landscape {
-    display: none;
-  }
-}
-
-@media (min-aspect-ratio: 4/3) {
-  main {
-    flex-direction: row;
-    height: 100vh;
-  }
-
-  img#parrot-portrait {
-    display: none;
-  }
-
-  img#parrot-landscape {
-    height: 100%;
-  }
-
-  #attribution-portrait {
-    display: none;
-  }
-
-  footer {
-    position: absolute;
-    bottom: 0px;
-    left: 0px;
-    right: 0px;
-
-    margin-top: auto;
-    background: rgba(0,0,0,0.5);
-    box-shadow: 0px 0px 10px 10px rgba(0,0,0,0.5);
-
-    color: white;
-  }
-
-  footer a {
-    color: inherit;
-  }
-}
-
-footer ul {
-  list-style: none;
-  text-align: center;
-}
-
-footer ul li {
-  display: inline;
-}
-
-footer ul li:not(:first-child)::before {
-  content: "· "
-}
--- a/machines/renge/services/sbruder.xyz/default.nix
+++ b/machines/renge/services/sbruder.xyz/default.nix
@ -46,7 +46,7 @@ in
    locations = {
      "/imprint/".alias = "${pkgs.sbruder.imprint}/";
      "/transparency/" = {
-        alias = "${./transparency}/";
+        alias = "/var/www/transparency/";
        extraConfig = ''
          autoindex on;
          charset utf-8;
--- a/machines/renge/services/sbruder.xyz/transparency/2023-04-21-Hetzner-C591581F-ROSKOMNADZOR.txt
+++ b/machines/renge/services/sbruder.xyz/transparency/2023-04-21-Hetzner-C591581F-ROSKOMNADZOR.txt
@ -1,38 +0,0 @@
-Направляется уведомление о внесении в «Единый реестр доменных имен, указателей страниц сайтов в сети «Интернет» и сетевых адресов, позволяющих идентифицировать сайты в сети «Интернет», содержащие информацию, распространение которой в Российской Федерации запрещено» следующего(их) указателя (указателей) страницы (страниц) сайта в сети «Интернет»: https://nitter.sbruder.xyz/ks1v/status/1439866313476689924 . 
-
-В случае непринятия провайдером хостинга и (или) владельцем сайта мер по удалению запрещенной информации и (или) ограничению доступа к сайту в сети «Интернет», будет принято решение о включении в единый реестр сетевого адреса, позволяющего идентифицировать сайт в сети «Интернет», содержащий информацию, распространение которой в Российской Федерации запрещено, а доступ к нему будет ограничен.
-
-Сведения о включении доменных имен, указателей страниц сайтов сети «Интернет» и сетевых адресов доступны круглосуточно в сети «Интернет» по адресу http://eais.rkn.gov.ru .
-
-С уважением,
-ФЕДЕРАЛЬНАЯ СЛУЖБА ПО НАДЗОРУ В СФЕРЕ СВЯЗИ, ИНФОРМАЦИОННЫХ ТЕХНОЛОГИЙ И МАССОВЫХ КОММУНИКАЦИЙ.
-
-----------------------------------------------------------
-Запущено официальное мобильное приложение РОСКОМНАДЗОРА.
-Посредством мобильного приложения возможно:
-1. Подать жалобу в «Единый реестр запрещенной информации» на обнаруженный в сети «Интернет» запрещенный контент;
-2. Проверить ограничение доступа к интернет-ресурсам;
-3. Получить оповещение о внесении в «Единый реестр запрещенной информации» интернет-ресурса в случае, если Вы являетесь его владельцем или провайдером хостинга.
-Мобильное приложение можно скачать по следующим ссылкам:
-https://apps.apple.com/ru/app/ркн/id1511970611 
-https://play.google.com/store/apps/details?id=org.rkn.ermp
-
-
-
-It is notice of making an entry into the "Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation” the Internet web-site page (s) link (s): https://nitter.sbruder.xyz/ks1v/status/1439866313476689924 .
-
-In case the hosting provider and (or) the Internet web-site owner fail to take these measures, the network address enabling to identify Internet web-sites containing the information prohibited for distribution in the Russian Federation will be decided to be entered into the Register and access will be limited.
-
-The information about entering the domain names, Internet web-site page links and network addresses into the Register shall be available on a 24-hour basis at the following Internet address: http://eais.rkn.gov.ru/en/ .
-
-Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (ROSKOMNADZOR).
-
-----------------------------------------------------------
-The official mobile application of ROSKOMNADZOR has been launched.
-Through the mobile application, it is possible to:
-1. Submit a complaint to the "Unified Register of Prohibited Information" about the prohibited content revealed on the Internet;
-2. Check the restriction of access to Internet resources;
-3. Get a notification on inclusion of an Internet resource into the" Unified Register of Prohibited Information " if you are its owner or hosting provider.
-The mobile app can be downloaded at the following links:
-https://apps.apple.com/ru/app/ркн/id1511970611    
-https://play.google.com/store/apps/details?id=org.rkn.ermp 
--- a/machines/renge/services/sbruder.xyz/transparency/2023-04-28-Hetzner-C633C02D-ROSKOMNADZOR.txt
+++ b/machines/renge/services/sbruder.xyz/transparency/2023-04-28-Hetzner-C633C02D-ROSKOMNADZOR.txt
@ -1,38 +0,0 @@
-Направляется уведомление о внесении в «Единый реестр доменных имен, указателей страниц сайтов в сети «Интернет» и сетевых адресов, позволяющих идентифицировать сайты в сети «Интернет», содержащие информацию, распространение которой в Российской Федерации запрещено» следующего(их) указателя (указателей) страницы (страниц) сайта в сети «Интернет»: https://iv.sbruder.xyz/watch?v=NR57D2UVqm4 . 
-
-В случае непринятия провайдером хостинга и (или) владельцем сайта мер по удалению запрещенной информации и (или) ограничению доступа к сайту в сети «Интернет», будет принято решение о включении в единый реестр сетевого адреса, позволяющего идентифицировать сайт в сети «Интернет», содержащий информацию, распространение которой в Российской Федерации запрещено, а доступ к нему будет ограничен.
-
-Сведения о включении доменных имен, указателей страниц сайтов сети «Интернет» и сетевых адресов доступны круглосуточно в сети «Интернет» по адресу http://eais.rkn.gov.ru .
-
-С уважением,
-ФЕДЕРАЛЬНАЯ СЛУЖБА ПО НАДЗОРУ В СФЕРЕ СВЯЗИ, ИНФОРМАЦИОННЫХ ТЕХНОЛОГИЙ И МАССОВЫХ КОММУНИКАЦИЙ.
-
-----------------------------------------------------------
-Запущено официальное мобильное приложение РОСКОМНАДЗОРА.
-Посредством мобильного приложения возможно:
-1. Подать жалобу в «Единый реестр запрещенной информации» на обнаруженный в сети «Интернет» запрещенный контент;
-2. Проверить ограничение доступа к интернет-ресурсам;
-3. Получить оповещение о внесении в «Единый реестр запрещенной информации» интернет-ресурса в случае, если Вы являетесь его владельцем или провайдером хостинга.
-Мобильное приложение можно скачать по следующим ссылкам:
-https://apps.apple.com/ru/app/ркн/id1511970611 
-https://play.google.com/store/apps/details?id=org.rkn.ermp
-
-
-
-It is notice of making an entry into the "Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation” the Internet web-site page (s) link (s): https://iv.sbruder.xyz/watch?v=NR57D2UVqm4 .
-
-In case the hosting provider and (or) the Internet web-site owner fail to take these measures, the network address enabling to identify Internet web-sites containing the information prohibited for distribution in the Russian Federation will be decided to be entered into the Register and access will be limited.
-
-The information about entering the domain names, Internet web-site page links and network addresses into the Register shall be available on a 24-hour basis at the following Internet address: http://eais.rkn.gov.ru/en/ .
-
-Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (ROSKOMNADZOR).
-
-----------------------------------------------------------
-The official mobile application of ROSKOMNADZOR has been launched.
-Through the mobile application, it is possible to:
-1. Submit a complaint to the "Unified Register of Prohibited Information" about the prohibited content revealed on the Internet;
-2. Check the restriction of access to Internet resources;
-3. Get a notification on inclusion of an Internet resource into the" Unified Register of Prohibited Information " if you are its owner or hosting provider.
-The mobile app can be downloaded at the following links:
-https://apps.apple.com/ru/app/ркн/id1511970611    
-https://play.google.com/store/apps/details?id=org.rkn.ermp 
--- a/machines/shinobu/services/router/default.nix
+++ b/machines/shinobu/services/router/default.nix
@ -30,7 +30,6 @@ in
    ./dnsmasq.nix
    ./nft.nix
    ./tc.nix
-    #./wlan.nix
  ];

  boot.kernel.sysctl = {
--- a/machines/shinobu/services/router/wlan.nix
+++ b/machines/shinobu/services/router/wlan.nix
@ -1,65 +0,0 @@
-{ config, pkgs, ... }:
-{
-  sops.secrets.hostapd-config = {
-    sopsFile = ../../secrets.yaml;
-  };
-
-  # The service is mostly taken from nixpkgs pr 222536.
-  systemd.services.hostapd = {
-    path = with pkgs; [ hostapd ];
-    after = [ "sys-subsystem-net-devices-wlp5s0.device" ];
-    bindsTo = [ "sys-subsystem-net-devices-wlp5s0.device" ];
-    wantedBy = [ "multi-user.target" ];
-
-    serviceConfig = {
-      ExecStart = "${pkgs.hostapd}/bin/hostapd ${config.sops.secrets.hostapd-config.path}";
-      Restart = "always";
-      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-      RuntimeDirectory = "hostapd";
-
-      # Hardening
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      DevicePolicy = "closed";
-      DeviceAllow = "/dev/rfkill rw";
-      NoNewPrivileges = true;
-      PrivateUsers = false; # hostapd requires true root access.
-      PrivateTmp = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      ProtectSystem = "strict";
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        "AF_NETLINK"
-        "AF_UNIX"
-      ];
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-        "@chown"
-      ];
-      UMask = "0077";
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    iw
-    wirelesstools
-  ];
-
-
-  # Wireless
-  boot.kernelModules = [ "nl80211" ];
-}
--- a/machines/vueko/configuration.nix
+++ b/machines/vueko/configuration.nix
@ -15,6 +15,7 @@
    restic.system.enable = true;
    wireguard.home.enable = true;
    full = false;
+    infovhost.enable = true;

    mailserver = {
      enable = true;
--- a/machines/vueko/hardware-configuration.nix
+++ b/machines/vueko/hardware-configuration.nix
@ -5,6 +5,8 @@
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

+  sbruder.machine.isVm = true;
+
  boot = {
    kernelParams = [ "ip=dhcp" ];
    initrd = {
@ -45,7 +47,4 @@
      };
    };
  };
-
-  # no smart on qemu disk
-  services.smartd.enable = false;
 }
--- a/machines/vueko/secrets/mail-users.nix
+++ b/machines/vueko/secrets/mail-users.nix
--- a/machines/yuzuru/README.md
+++ b/machines/yuzuru/README.md
@ -0,0 +1,18 @@
+# yuzuru
+
+## Hardware
+
+[Strato VPS Entry Linux VC1-1](https://www.strato.de/server/linux-vserver/mini-vserver/) (1 AMD EPYC Milan vCPU, <1 GiB RAM, 30 GiB SSD).
+
+## Purpose
+
+It will host services I want to have separated from the rest of my infrastructure.
+
+## Name
+
+Yuzuru Nishimiya is a character from *A Silent Voice*
+
+## Setup
+
+The setup is very similar to that of `okarin`,
+please see the description there.
--- a/machines/yuzuru/configuration.nix
+++ b/machines/yuzuru/configuration.nix
@ -0,0 +1,26 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+
+    ./services/static-sites.nix
+  ];
+
+  sbruder = {
+    nginx.hardening.enable = true;
+    full = false;
+    wireguard.home.enable = true;
+    infovhost.enable = true;
+  };
+
+  networking.hostName = "yuzuru";
+
+  system.stateVersion = "23.11";
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
--- a/machines/yuzuru/hardware-configuration.nix
+++ b/machines/yuzuru/hardware-configuration.nix
@ -0,0 +1,69 @@
+{ lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  sbruder.machine.isVm = true;
+
+  boot = {
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+    kernelParams = [ "ip=dhcp" ];
+    initrd = {
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+      kernelModules = [ ];
+      network = {
+        enable = true; # remote unlocking
+        # For some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands.
+        # This works around this, but is arguably quite hacky.
+        postCommands = ''
+          ip route add 85.215.73.1 dev eth0
+          ip route add default via 85.215.73.1 dev eth0
+        '';
+      };
+      luks.devices."root".device = "/dev/disk/by-uuid/d166ff83-dcc6-4700-95b5-bffae202d985";
+    };
+    loader.grub.device = "/dev/vda";
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/3c91488f-0505-4df6-bf76-96a539dcc27a";
+      fsType = "btrfs";
+      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/f271b335-9174-47a9-bcca-04ce59ce5708";
+      fsType = "ext2";
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-partuuid/5edbf393-b83e-4d3f-82d1-f07870df40ed";
+      randomEncryption.enable = true;
+    }
+  ];
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 150;
+  };
+
+  networking = {
+    useDHCP = false;
+    usePredictableInterfaceNames = false;
+  };
+  systemd.network = {
+    enable = true;
+    networks = {
+      eth0 = {
+        name = "eth0";
+        DHCP = "yes";
+        domains = [ "sbruder.de" ];
+      };
+    };
+  };
+}
--- a/machines/yuzuru/secrets.yaml
+++ b/machines/yuzuru/secrets.yaml
@ -0,0 +1,52 @@
+wg-home-private-key: ENC[AES256_GCM,data:0ylkx9p62CBGqVg+T52eHbMwbLcZM/v3tg/wJukDq76heN1TtQqbbqgVZKc=,iv:/aUkqKhihnBWQFLIRjS7kHigBCBXX7L4KY5q+cO9Q00=,tag:jQSMVElMfIyrG5hs7HuxUQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-02T22:37:47Z"
+    mac: ENC[AES256_GCM,data:oBfM/DF/TfWJIW1VlvZ4Z+vBQxCmHm8J83pjILtHFBwU14f1H09iIsswY1xyAwO9wO3cttf4xjrSa6mGGUyQFqLdEzj8z/JkCm1vwpLZQW+j8FpRjH1ryyE6G/3eS5tboUZgmAwBPDsulJr3NBi121RHhZvWf1dv2T/J5IcZMxI=,iv://TpDpO8tNaibh8ABqE1AT6CPK62rtUZiFmYP9ST3MA=,tag:5SErG/jDycIdxX3ABOcsow==,type:str]
+    pgp:
+        - created_at: "2024-01-02T22:37:37Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDgSONkM+d4ARAA1V2B8s1NyyJFa+nbKo2sFoubX9OKNYkzib6uvjs2eiOp
+            XuUsqxYZrUXCjwvWpvb9GT4neBV68mqVZMwkt6qQuiwyxSdrx+G8qKT5do0gjwmm
+            BTjOlJnUAWKn5/kzJKG9Yb+RiQZD2rV5/xj6roImCLt6lg97howP5n5PNO+TcDM0
+            0Mz2vJJHbKEgeIjnRPG3MB5IS3WFHkmSe0jBIKXRFuiP9bdVgPAaoXk1v3KmeO3i
+            c2BDOxLWjq4kHzAT/GIRQJxA4/8f6vMVfUlepmhL2jUmw72WrfSC2EfZeWnlm1np
+            M/kAVU+Gd+d2fzv9f+Ut+K8Id5vBDANlp7m5KVJV0howrCxaV/TZ9kiReWpePP8U
+            4EDx2cVi/FDlnDJEr6qDfYZ5bguYeTD0X6c8IK8r6NlWPbQD7W6cvHto71EtXKqG
+            R2XZYVbsRGufNLeNUCcfz1ev+x6Ix9VqsDzkwUFfgXMS4FavQ84TzJV9Z0zhRCme
+            yFGD8lW6LliUxUF5YDRqiceJdDV7Nx+TRIRXXNJq4Fid7b1M+7fdI0JlU3xTPqwm
+            kZFfgAAwt1ji0AtGd4khC30XSr29V3YjqX1ow0wYJ9rYEhnrexS+/iOJvygQ1AcZ
+            nzajsK7dHidC9RNpr2PHqL46KtoksdoL4DT80uT+mwevb8w2wG949WQ+KJOlez3S
+            XAH0NywA6R4KaW6fOShYtL0nDPfYOCm31t4sWpQfxJSQt/6p2fDobbz4q5tTQfjf
+            /Zq8fstojMtM8C5eur4ASa9H8dckRW6Lk/VzsW3u2tP3rl3js1eumcvYumLK
+            =bwxH
+            -----END PGP MESSAGE-----
+          fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+        - created_at: "2024-01-02T22:37:37Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA2Sedw7G6hbkAQ//Y+ZDDXUxCRqwjTWRz9uoIHcQBrCI2LhecCt8uWRMXbyV
+            q/HaDIjYO5fLrpZ8HGzS4C9B5QH3Vr0yzbGR6l3i77W1FpzY0KYQ5jicttQ56rDL
+            n3APgqBL8sdcq90Hs9iqG4AA9/QhCIupzG18BQ8zWCqJ/2uMx2ddRYxxa3FEgCdi
+            1C0wH2kLlZT7aRH7OlKFbX8QABpGEvBQpG456XghsX92wXou/pJfcrgqh9H0Px+i
+            5kvcSHERq97+2DIQYcck9DfZ6Pf2lfnoM3f2c7Ln3OeaPrnl5wLPrIP/KQBLd8AC
+            6hU8zrsTM4dSSopXnAjc9PEi4kmfLwrcZiokw5kjfaolyRilX8V6+ewaWF6jK2Yo
+            IwsQ09ElGzfXmmkqMrUEGnWr55WZgvDXABMwTr9VwIej47ef1HcqNxwmFe37XndA
+            UDfJ+GUGOkqLBLpamhHp/A/UM8+wrUZIOXJWsJdpP5194wKXBD0zjd+HMxfq+RTk
+            4ICLChn2+MzU58V8FP9WRdYOLQWcHVAfBP8zba9zFf/FCnHrXQjv9lwadYQ8YkhN
+            uSzPB5yvzfa1YOl7PXDn/5EBu5WYGxdTNHouP1hbk8Nxmt37+0VCMDgkUln6qans
+            5FzmAlrFHTX/887d1rP2Rc2HT58Qmgou355UmnkjxMWH6b5WSOo5p+KEHkHwW+7S
+            VgF5p8vBWd9cISMG5aetMpyBwhZAcx5XTXV74pJ8Zc15B0mYvz+BcYM+1Nlqdp0g
+            NVpa3jISybMeGqkbeQmjoT05J5REmYszhGg6SEMyuiLrC64lwDy9
+            =A8pI
+            -----END PGP MESSAGE-----
+          fp: a1ee5bc0249163a047440ef2649e770ec6ea16e4
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/machines/yuzuru/services/static-sites.nix
+++ b/machines/yuzuru/services/static-sites.nix
@ -0,0 +1,23 @@
+{
+  services.nginx.virtualHosts = {
+    "brennende.autos" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."~ .*".return = "303 'https://iv.sbruder.xyz/watch?v=ojToYs6nCnk&t=1684'";
+    };
+    "www.brennende.autos" = {
+      enableACME = true;
+      forceSSL = true;
+
+      globalRedirect = "https://brennende.autos/";
+    };
+  };
+
+  sbruder.static-webserver.vhosts = {
+    "psycho-power-papagei.de" = {
+      user.name = "papagei";
+      imprint.enable = true;
+    };
+  };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -13,6 +13,13 @@
    };
    trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
    gui.enable = lib.mkEnableOption "gui";
+    machine = {
+      isVm = lib.mkOption {
+        type = lib.types.bool;
+        description = "Whether this machine is a virtual machine.";
+        default = false;
+      };
+    };
  };

  # All modules are imported but non-essential modules are activated by
@ -28,6 +35,7 @@
    ./games.nix
    ./grub.nix
    ./gui.nix
+    ./infovhost.nix
    ./initrd-ssh.nix
    ./locales.nix
    ./logitech.nix
@ -87,8 +95,6 @@
      # command-not-found does not work without channels
      programs.command-not-found.enable = false;

-      # Hard drive monitoring
-      services.smartd.enable = lib.mkDefault true;
      # Network monitoring
      services.vnstat.enable = true;
      environment.etc."vnstat.conf".text = ''
@ -146,8 +152,11 @@
        '';
      };
    }
-    (lib.mkIf config.sbruder.full {
-      services.fwupd.enable = true;
+    (lib.mkIf (!config.sbruder.machine.isVm) {
+      # Hard drive monitoring
+      services.smartd.enable = lib.mkDefault true;
+      # Firmware updates
+      services.fwupd.enable = lib.mkDefault true;
    })
    (lib.mkIf (!config.sbruder.full) {
      documentation.enable = lib.mkDefault false;
--- a/modules/infovhost.nix
+++ b/modules/infovhost.nix
@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sbruder.infovhost;
+in
+{
+  options.sbruder.infovhost = {
+    enable = lib.mkEnableOption "a vhost displaying legal and/or technical information on the domain of the machine";
+    domain = lib.mkOption {
+      type = lib.types.str;
+      default =
+        if (!(isNull config.networking.domain))
+        then config.networking.domain
+        else "sbruder.de";
+      description = "The domain part of the fqdn.";
+    };
+    fqdn = lib.mkOption {
+      type = lib.types.str;
+      default = "${config.networking.hostName}.${cfg.domain}";
+      description = "The fqdn the vhost should listen on.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.nginx.enable = true;
+    services.nginx.virtualHosts."${cfg.fqdn}" = {
+      enableACME = true;
+      forceSSL = true;
+
+      default = true;
+
+      root = pkgs.sbruder.imprint;
+    };
+  };
+}
--- a/modules/nginx-interactive-index/listing.js
+++ b/modules/nginx-interactive-index/listing.js
@ -1,19 +1,17 @@
 document.addEventListener('DOMContentLoaded', () => {
-  function humanFileSize(bytes) {
-      const thresh = 1024
-      if(Math.abs(bytes) < thresh) {
-          return bytes + ' B'
-      }
-      const units = ['KiB','MiB','GiB','TiB','PiB','EiB','ZiB','YiB']
-      var u = -1
-      do {
-          bytes /= thresh
-          ++u
-      } while(Math.abs(bytes) >= thresh && u < units.length - 1)
-      return bytes.toFixed(1)+' '+units[u]
+  function humanFileSize(size) {
+    if (size === 0) {
+      return "0 B";
+    }
+    if (size < 0) {
+      return null;
+    }
+    const base = Math.floor(Math.log2(size) / 10)
+    const unit = ["B", "KiB", "MiB", "GiB", "TiB"][base]
+    const relative = size / 2**(10*base)
+    return relative.toFixed(3) + " " + unit
  }

-
  function textToA(line) {
    let outerElement = document.createElement('div')
    outerElement.innerHTML = line
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -75,5 +75,13 @@
      hostNames = [ "[nazuna.sbruder.de]:2222" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/VDiagTEI5BIjTrPRkGWAH3YurcMEV8i6Q8PSnxlg3";
    };
+    yuzuru = {
+      hostNames = [ "yuzuru" "yuzuru.sbruder.de" "yuzuru.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXCG8Dck3bELx7NaKgDnFAUjO/o1iEnq0VT5dZ2P/+m";
+    };
+    yuzuru-initrd = {
+      hostNames = [ "[yuzuru.sbruder.de]:2222" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
+    };
  };
 }
--- a/modules/static-webserver.nix
+++ b/modules/static-webserver.nix
@ -25,6 +25,14 @@ in
            };
            keys = lib.mkOption {
              type = lib.types.listOf lib.types.str;
+              default = config.sbruder.pubkeys.trustedKeys;
+            };
+          };
+          imprint = {
+            enable = lib.mkEnableOption "a location making the imprint available";
+            location = lib.mkOption {
+              type = lib.types.str;
+              default = "/imprint/";
            };
          };
        };
@ -55,11 +63,16 @@ in
      (lib.mapAttrsToList
        (primaryDomain: vhostCfg:
          ({
-            ${primaryDomain} = {
-              enableACME = true;
-              forceSSL = true;
-              root = vhostCfg.root;
-            };
+            ${primaryDomain} = lib.mkMerge [
+              {
+                enableACME = true;
+                forceSSL = true;
+                root = vhostCfg.root;
+              }
+              (lib.mkIf vhostCfg.imprint.enable {
+                locations.${vhostCfg.imprint.location}.alias = "${pkgs.sbruder.imprint}/";
+              })
+            ];
          } // (lib.listToAttrs (map
            (domain: lib.nameValuePair domain {
              enableACME = true;
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@ -40,6 +40,10 @@ let
      address = "10.80.0.13";
      publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
    };
+    yuzuru = {
+      address = "10.80.0.16";
+      publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
+    };
  };

  cfg = config.sbruder.wireguard.home;
--- a/users/simon/modules/default.nix
+++ b/users/simon/modules/default.nix
@ -20,7 +20,6 @@
    ./neovim
    ./pass.nix
    ./programs.nix
-    ./qutebrowser
    ./scripts
    ./sway
    ./tmate.nix
--- a/users/simon/modules/qutebrowser/default.nix
+++ b/users/simon/modules/qutebrowser/default.nix
@ -1,308 +0,0 @@
-{ config, lib, nixosConfig, pkgs, ... }:
-let
-  inherit ((import ../common.nix).colorschemes) solarized;
-
-  setOptionForeachPattern = option: value: patterns:
-    let
-      formatValue = value:
-        if lib.isBool value
-        then (if value then "True" else "False")
-        else
-          (if lib.isString value
-          then "r\"${value}\""
-          else (toString value));
-    in
-    lib.concatMapStringsSep
-      "\n"
-      (pattern: "config.set(\"${option}\", ${formatValue value}, \"${pattern}\")")
-      patterns;
-
-  permissionVideo = [
-    "https://chat.sbruder.de"
-    "https://meet.jalr.de"
-  ];
-  permissionAudio = [
-  ] ++ permissionVideo; # capturing video almost always also requires capturing audio
-  permissionNotifications = [
-    "https://chat.sbruder.de"
-  ];
-
-  permissionAutoplay = [
-    "https://iv.sbruder.xyz"
-  ];
-
-  cookieExceptions = [
-  ];
-in
-lib.mkIf nixosConfig.sbruder.gui.enable
-{
-  programs.qutebrowser = {
-    enable = true;
-    aliases = {
-      q = "tab-close"; # one tab
-      qa = "close"; # one window
-      "qa!" = "quit"; # everything
-    };
-    keyBindings = {
-      normal = {
-        ",rm" = "spawn -u readability";
-
-        # reasonable tab cycling
-        J = "tab-prev";
-        K = "tab-next";
-        gJ = "tab-move -";
-        gK = "tab-move +";
-
-        # mpv
-        ",mv" = "spawn mpv --profile=clear-speed {url}";
-        ",ma" = "spawn mpv --player-operation-mode=pseudo-gui --ytdl-format=251/bestaudio/best {url}";
-        ",mq" = "spawn umpv {url}";
-        ",Mv" = "hint links spawn mpv --profile=clear-speed {hint-url}";
-        ",Ma" = "hint links spawn mpv --player-operation-mode=pseudo-gui --ytdl-format=251/bestaudio/best {hint-url}";
-        ",Mq" = "hint links spawn umpv {hint-url}";
-      };
-    };
-    searchEngines = {
-      DEFAULT = "https://bangs.sbruder.de/eval?engine=https://duckduckgo.com/?q=%25s&query={}";
-    };
-    settings = {
-      colors =
-        let
-          fgbg = fg: bg: { inherit fg bg; };
-          topbottom = colour: { top = colour; bottom = colour; };
-        in
-        with solarized; {
-          completion = rec {
-            fg = base1;
-            odd.bg = base02;
-            even.bg = base03;
-            match.fg = green;
-            scrollbar = fgbg base1 base03;
-            category = {
-              inherit (fgbg yellow base03) fg bg;
-              border = topbottom base03;
-            };
-            item.selected = {
-              inherit (fgbg base1 base01) fg bg;
-              border = topbottom base01;
-              inherit match;
-            };
-          };
-          contextmenu = {
-            disabled = fgbg base0 base02;
-            menu = fgbg base1 base03;
-            selected = fgbg base1 base01;
-          };
-          downloads = {
-            bar.bg = base03;
-            start = fgbg base03 blue;
-            stop = fgbg base03 cyan;
-            error.fg = red;
-          };
-          hints = {
-            inherit (fgbg base03 yellow) fg bg;
-            match.fg = base1;
-          };
-          keyhint = {
-            inherit (fgbg base1 base03) fg bg;
-            suffix.fg = base1;
-          };
-          messages = {
-            error = {
-              inherit (fgbg base03 red) fg bg;
-              border = red;
-            };
-            warning = {
-              inherit (fgbg base03 violet) fg bg;
-              border = violet;
-            };
-            info = {
-              inherit (fgbg base1 base03) fg bg;
-              border = base03;
-            };
-          };
-          prompts = {
-            inherit (fgbg base1 base03) fg bg;
-            border = base03;
-            selected = fgbg base1 base01;
-          };
-          statusbar = {
-            normal = fgbg green base03;
-            insert = fgbg base03 blue;
-            passthrough = fgbg base03 cyan;
-            private = fgbg base03 base02;
-            command = {
-              inherit (fgbg base1 base03) fg bg;
-              private = fgbg base1 base03;
-            };
-            caret = {
-              inherit (fgbg base03 violet) fg bg;
-              selection = fgbg base03 blue;
-            };
-            progress.bg = blue;
-            url.fg = base1;
-            url.error.fg = red;
-            url.hover.fg = base1;
-            url.success.http.fg = cyan;
-            url.success.https.fg = green;
-            url.warn.fg = violet;
-          };
-
-          tabs = rec {
-            bar.bg = base03;
-            even = fgbg base1 base03;
-            odd = even;
-            indicator = {
-              start = blue;
-              stop = cyan;
-              error = red;
-            };
-            selected = rec {
-              even = fgbg base02 green;
-              odd = even;
-            };
-            pinned = {
-              inherit even odd selected;
-            };
-          };
-        };
-
-      # UI
-      scrolling.smooth = true;
-      completion.web_history.max_items = 0; # no history
-
-      # Fonts
-      fonts = {
-        web = {
-          family = rec {
-            serif = "Georgia";
-            sans_serif = "PT Sans";
-            standard = sans_serif;
-          };
-        };
-      };
-
-      # Behaviour
-      auto_save.session = true;
-      session.lazy_restore = true;
-      content.autoplay = false;
-      downloads = {
-        location.directory = "/tmp";
-        open_dispatcher = "${pkgs.xdg-utils}/bin/xdg-open"; # QDesktopServices.openUrl always opens Firefox
-      };
-      editor.command = [ "foot" "-e" "nvim" "-f" "{file}" "-c" "normal {line}G{column0}l" ];
-      spellcheck.languages = [ "de-DE" "en-GB" ];
-      url.default_page = "about:blank";
-      url.start_pages = [ "about:blank" ];
-
-      # Privacy
-      content.cookies.accept = "no-3rdparty";
-      content.headers.accept_language = "en-US,en;q=0.5";
-
-      # Filtering (many don’t get used yet due to lack of cosmetic filtering)
-      # https://github.com/gorhill/uBlock/blob/master/assets/assets.json
-      # EasyList is using a mirror because upstream’s servers are slow
-      content.blocking.adblock.lists = [
-        "https://secure.fanboy.co.nz/easylist.txt"
-        "https://secure.fanboy.co.nz/easyprivacy.txt"
-        "https://secure.fanboy.co.nz/fanboy-social.txt"
-        "https://easylist-downloads.adblockplus.org/easylistgermany.txt"
-        "https://filters.adtidy.org/extension/ublock/filters/17.txt"
-        "https://filters.adtidy.org/extension/ublock/filters/3.txt"
-        "https://filters.adtidy.org/extension/ublock/filters/4.txt"
-        "https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/annoyances.txt"
-        "https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/badlists.txt"
-        "https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/badware.txt"
-        "https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/filters.txt"
-        "https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/privacy.txt"
-        "https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resource-abuse.txt"
-        "https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/unbreak.txt"
-        "https://secure.fanboy.co.nz/fanboy-annoyance.txt"
-        "https://secure.fanboy.co.nz/fanboy-antifacebook.txt"
-        "https://secure.fanboy.co.nz/fanboy-cookiemonster.txt"
-      ];
-    };
-    extraConfig = /* python */ ''
-      import glob
-
-      c.content.user_stylesheets = glob.glob("${config.xdg.configHome}/qutebrowser/userstyles/*.css")
-
-      c.qt.environ = {
-          # otherwise results in severe banding (https://github.com/qutebrowser/qutebrowser/issues/5528)
-          "QT_WAYLAND_DISABLE_WINDOWDECORATION": "0",
-      }
-
-      c.content.headers.custom = {
-          "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-      }
-
-      c.tabs.padding["top"] = 3
-      c.tabs.padding["bottom"] = 3
-
-      # Permissions
-      ${setOptionForeachPattern "content.media.audio_capture" true permissionAudio}
-      ${setOptionForeachPattern "content.media.audio_video_capture" true permissionVideo}
-      ${setOptionForeachPattern "content.media.video_capture" true permissionVideo}
-      ${setOptionForeachPattern "content.notifications.enabled" true permissionNotifications}
-
-      ${setOptionForeachPattern "content.autoplay" true permissionAutoplay}
-
-      # Cookie exceptions
-      ${setOptionForeachPattern "content.cookies.accept" "all" cookieExceptions}
-    '';
-  };
-
-  xdg.configFile =
-    let
-      replaceExtension = newExtension: filename: "${lib.concatStringsSep "." (lib.init (lib.splitString "." filename))}.${newExtension}";
-
-      regularFilesIn = dir: lib.filterAttrs
-        (_: v: v == "regular")
-        (builtins.readDir (./. + "/${dir}"));
-
-      compileScss = name: file: pkgs.runCommand (replaceExtension "css" name) { } ''
-        ${pkgs.sassc}/bin/sassc ${file} $out
-      '';
-    in
-    {
-      "qutebrowser/bookmarks/urls".source = config.lib.file.mkOutOfStoreSymlink "${config.xdg.dataHome}/qutebrowser/synced-bookmarks/bookmarks";
-      "qutebrowser/quickmarks".source = config.lib.file.mkOutOfStoreSymlink "${config.xdg.dataHome}/qutebrowser/synced-bookmarks/quickmarks";
-    } // (lib.mapAttrs'
-      (k: _: lib.nameValuePair "qutebrowser/greasemonkey/${k}" { source = ./userscripts + "/${k}"; })
-      (regularFilesIn "userscripts")) // (lib.mapAttrs'
-      (k: _: lib.nameValuePair "qutebrowser/userstyles/${replaceExtension "css" k}" { source = compileScss k (./userstyles + "/${k}"); })
-      (regularFilesIn "userstyles"));
-
-  xdg.dataFile = lib.mapAttrs'
-    (dict: sha256: lib.nameValuePair
-      "qutebrowser/qtwebengine_dictionaries/${dict}.bdic"
-      {
-        source = (pkgs.fetchurl {
-          url = "https://chromium.googlesource.com/chromium/deps/hunspell_dictionaries/+/18e09b9197a3b1d771c077c530d1a4ebad04c167/${dict}.bdic?format=TEXT";
-          inherit sha256;
-          postFetch = ''
-            base64 -d "$out" > "$TMPDIR/decoded"
-            mv "$TMPDIR/decoded" "$out"
-          '';
-        });
-      })
-    {
-      "de-DE-3-0" = "sha256-B2pHBwDb0Kpiu4s9JMNOE0C9/oPLvPwDXOly8jwUBAA=";
-      "en-GB-9-0" = "sha256-c8eaQQ+AkgwpsFX3upB9k0A7BajBfQDo5wVO22L3Maw=";
-    };
-
-  home.packages = [
-    (pkgs.writeShellScriptBin "qbmarks" /* bash */ ''
-      set -euo pipefail
-
-      git() {
-          echo "[$] git $@"
-          command git -C "${config.xdg.dataHome}/qutebrowser/synced-bookmarks" "$@"
-      }
-
-      git commit --no-gpg-sign -a -m "Sync on $(hostname)" || true
-      git pull --rebase --no-gpg-sign
-      git push
-    '')
-  ];
-}
--- a/users/simon/modules/qutebrowser/userscripts/bandcamp-volume.user.js
+++ b/users/simon/modules/qutebrowser/userscripts/bandcamp-volume.user.js
@ -1,30 +0,0 @@
-// ==UserScript==
-// @name     Bandcamp: Add volume slider
-// @include  https://*.bandcamp.com/*
-// @include  https://sewerslvt.com/*
-// @include  https://store.sigurros.com/*
-// ==/UserScript==
-function setVolume(volume) {
-  document.querySelectorAll("audio").forEach(el => el.volume = volume / 100)
-  localStorage.setItem("volume", volume)
-}
-
-function loadStoredVolume() {
-  return localStorage.getItem("volume") ? Number(localStorage.getItem("volume")) : 25
-}
-
-const volumeControlContainer = document.createElement("div")
-volumeControlContainer.style.position = "fixed"
-volumeControlContainer.style.top = 0
-volumeControlContainer.style.left = 0
-volumeControlContainer.style["z-index"] = 10000
-const volumeControlSlider = document.createElement("input")
-volumeControlSlider.type = "range"
-volumeControlSlider.min = 0
-volumeControlSlider.max = 100
-volumeControlSlider.value = loadStoredVolume()
-volumeControlSlider.addEventListener("input", e => {setVolume(e.target.value)})
-volumeControlContainer.appendChild(volumeControlSlider)
-document.body.appendChild(volumeControlContainer)
-
-setInterval(() => {setVolume(loadStoredVolume())}, 1000)
--- a/users/simon/modules/qutebrowser/userscripts/better-nginx-index.user.js
+++ b/users/simon/modules/qutebrowser/userscripts/better-nginx-index.user.js
@ -1,53 +0,0 @@
-// ==UserScript==
-// @name     nginx: Better directory index
-// @include  http://localhost:8888/torrent*/download/*
-// @include  https://ci.sbruder.de/nix-store/*
-// ==/UserScript==
-
-// https://stackoverflow.com/a/14919494
-function humanFileSize(bytes) {
-    const thresh = 1024
-    if(Math.abs(bytes) < thresh) {
-        return bytes + ' B'
-    }
-    const units = ['KiB','MiB','GiB','TiB','PiB','EiB','ZiB','YiB']
-    var u = -1;
-    do {
-        bytes /= thresh;
-        ++u;
-    } while(Math.abs(bytes) >= thresh && u < units.length - 1);
-    return bytes.toFixed(1)+' '+units[u]
-}
-
-
-function textToA(line) {
-  let outerElement = document.createElement('div')
-  outerElement.innerHTML = line
-  return outerElement.getElementsByTagName('a')[0]
-}
-
-function parseLine(line) {
-  const href = textToA(line).href
-  const filename = href.substr(-1) === '/' ? decodeURIComponent(href.split('/').slice(-2, -1)[0]) : decodeURIComponent(href.split('/').pop())
-  const size = line.split(' ').pop()
-  return {
-    href: href,
-    filename: filename,
-    size: size
-  }
-}
-
-function processLine(line) {
-  meta = parseLine(line)
-  return `<tr><td><a href="${meta.href}">${meta.filename}</a></td><td>${meta.size === '-' ? '-' : humanFileSize(meta.size)}</td></tr>`
-}
-
-const collator = new Intl.Collator('kn', {numeric: true})
-
-document.querySelector('pre').outerHTML = '<table style="font-family: monospace;"><tr><td><a href="../">../</a></td><td>-</td></tr>' + document.querySelector('pre').innerHTML
-  .split('\n')
-  .filter(line => line !== '')
-  .filter(line => line !== '<a href="../">../</a>')
-  .map(processLine)
-  .sort(collator.compare)
-  .join('\n') + '</table>'
--- a/users/simon/modules/qutebrowser/userscripts/invidious.user.js
+++ b/users/simon/modules/qutebrowser/userscripts/invidious.user.js
@ -1,10 +0,0 @@
-// ==UserScript==
-// @name Invidious Redirect
-// @include http://www.youtube.com/*
-// @include https://www.youtube.com/*
-// @include https://www.youtube-nocookie.com/*
-// @run-at document-start
-// ==/UserScript==
-
-document.close();
-window.location.replace(window.location.href.replace(/www\.youtube(-nocookie)?\.com/, "iv.sbruder.xyz").replace("/shorts/", "/watch?v="))
--- a/users/simon/modules/qutebrowser/userscripts/libreddit.user.js
+++ b/users/simon/modules/qutebrowser/userscripts/libreddit.user.js
@ -1,9 +0,0 @@
-// ==UserScript==
-// @name Libreddit Redirect
-// @include https://www.reddit.com/*
-// @include https://old.reddit.com/*
-// @run-at document-start
-// ==/UserScript==
-
-document.close();
-window.location.replace(window.location.href.replace(/(old|www)?\.reddit\.com/, "libreddit.sbruder.xyz"))
--- a/users/simon/modules/qutebrowser/userscripts/nitter.user.js
+++ b/users/simon/modules/qutebrowser/userscripts/nitter.user.js
@ -1,8 +0,0 @@
-// ==UserScript==
-// @name Nitter Redirect
-// @include https://twitter.com/*
-// @run-at document-start
-// ==/UserScript==
-
-document.close();
-window.location.replace(window.location.href.replace(/twitter\.com/, "nitter.sbruder.xyz"))
--- a/users/simon/modules/qutebrowser/userscripts/per-domain-userstyles.user.js
+++ b/users/simon/modules/qutebrowser/userscripts/per-domain-userstyles.user.js
@ -1,16 +0,0 @@
-// ==UserScript==
-// @name        Per-Domain Userstyles
-// @include     *
-// @run-at      document-start
-// @author      Original by Olmo Kramer
-// ==/UserScript==
-
-(() => {
-  document.addEventListener("readystatechange", () => {
-    if (document.readyState == "interactive") {
-      const doc = document.documentElement
-      doc.setAttribute("data-qb-url", window.location.href)
-      doc.setAttribute("data-qb-domain", window.location.host)
-    }
-  })
-})()
--- a/users/simon/modules/qutebrowser/userstyles/monospace.scss
+++ b/users/simon/modules/qutebrowser/userstyles/monospace.scss
@ -1,22 +0,0 @@
-[data-qb-domain="pad.sbruder.de"] .CodeMirror {
-  font-family: monospace;
-}
-
-[data-qb-domain="github.com"] {
-  code,
-  pre,
-  tt,
-  .blob-code-inner,
-  .text-mono {
-    font-family: monospace !important;
-  }
-}
-
-[data-qb-domain="git.sbruder.de"] {
-  pre,
-  code,
-  kbd,
-  samp {
-    font-family: monospace !important;
-  }
-}
--- a/users/simon/modules/zsh/default.nix
+++ b/users/simon/modules/zsh/default.nix
@ -120,8 +120,6 @@ in

          # history
          setopt HIST_IGNORE_ALL_DUPS
-
-          source ${./pass-wrappers.zsh}
        '')
      ];
    };
--- a/users/simon/modules/zsh/pass-wrappers.zsh
+++ b/users/simon/modules/zsh/pass-wrappers.zsh
@ -1,13 +0,0 @@
-function pass-field() {
-    pass show "$1" | grep "$2" | cut -d: -f2- | tr -d ' '
-}
-
-function drone() (
-    export DRONE_SERVER="$(pass-field sbruder.de/drone Server)"
-    export DRONE_TOKEN="$(pass sbruder.de/drone | head -n 1)"
-    command drone $@
-)
-
-function drone-add-netlify() {
-    drone secret add --name netlify_auth_token --data "$(pass-field web/netlify.com Drone-Key)" "$1"
-}
Author	SHA1	Message	Date
Simon Bruder	513e0cf383	renge/sbruder.xyz: Make transparency files state	2024-01-10 21:42:34 +01:00
Simon Bruder	d86ad02cee	zsh/pass-wrappers: Drop I can’t remember using them.	2024-01-10 21:31:54 +01:00
Simon Bruder	73e99ec61b	qutebrowser: Drop It had been nice while it lasted, but the general usability of LibreWolf is better.	2024-01-10 21:31:54 +01:00
Simon Bruder	da349a7113	nginx-iteractive-index: Reimplement humanFileSize The previous implementation was copy-pasted from a source that did not allow redistribution or sublicensing. Therefore, I reimplemented the function myself.	2024-01-10 21:31:54 +01:00
Simon Bruder	9995ff511e	restic/system: Prune on renge Because of fuuko’s very slow link, the prune had not been successful for a whole quarter. Now that renge has more RAM, it can finally run the prune without having to worry about OOM.	2024-01-10 21:27:42 +01:00
Simon Bruder	34231fb13b	Migrate psycho-power-papagei.de out of repo The files are not compatible with plans for future licensing.	2024-01-06 01:36:51 +01:00
Simon Bruder	492af23f17	static-webserver: Specify default for deploy keys	2024-01-06 01:35:42 +01:00
Simon Bruder	e48f367afd	static-webserver: Add optional imprint	2024-01-06 01:34:52 +01:00
Simon Bruder	9e545950f5	shinobu/wlan: Drop It was not used anyway.	2024-01-06 00:10:02 +01:00
Simon Bruder	8d764fc7e4	mayushii: Allow SMB1 This is required for a Windows XP VM.	2024-01-06 00:08:00 +01:00
Simon Bruder	8757ef7eb8	yuzuru: Add meme site	2024-01-06 00:05:00 +01:00
Simon Bruder	afea7afdbf	vueko/mail: Add alias	2024-01-05 13:11:35 +01:00
Simon Bruder	26d85e97aa	infovhost: Init This avoids boilerplate code for displaying the imprint on the fqdn of the machine.	2024-01-03 12:09:27 +01:00
Simon Bruder	0393661579	yuzuru: Init	2024-01-03 11:44:34 +01:00
Simon Bruder	1d84379383	Use consistent boot partition size in readme	2024-01-02 22:23:53 +01:00
Simon Bruder	a00503d244	flake.lock: Update Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/6761b8188b860f374b457eddfdb05c82eef9752f' (2023-12-10) → 'github:nix-community/home-manager/7e398b3d76bc1503171b1364c9d4a07ac06f3851' (2024-01-01) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/d9297efd3a1c3ebb9027dc68f9da0ac002ae94db' (2023-12-12) → 'github:nix-community/home-manager/6e91c5df192395753d8e6d55a0352109cb559790' (2024-01-01) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/007a45d064c1c32d04e1b8a0de5ef00984c419bc' (2023-12-13) → 'github:cachix/pre-commit-hooks.nix/9d3d7e18c6bc4473d7520200d4ddab12f8402d38' (2023-12-30) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/7763c6fd1f299cb9361ff2abf755ed9619ef01d6' (2023-12-13) → 'github:nixos/nixos-hardware/f752581d6723a10da7dfe843e917a3b5e4d8115a' (2024-01-01) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/781e2a9797ecf0f146e81425c822dca69fe4a348' (2023-12-10) → 'github:nixos/nixpkgs/32f63574c85fbc80e4ba1fbb932cde9619bad25e' (2023-12-31) • Updated input 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=refs/heads/master&rev=37f80d1593ab856372cc0da199f49565f3b05c71' (2023-12-02) → 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=refs/heads/master&rev=32ef4fd545a29cdcb2613934525b97470818b42e' (2024-01-01) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/a9bf124c46ef298113270b1f84a164865987a91c' (2023-12-11) → 'github:nixos/nixpkgs/b0d36bd0a420ecee3bc916c91886caca87c894e9' (2023-12-30) • Updated input 'sops-nix': 'github:Mic92/sops-nix/d806e546f96c88cd9f7d91c1c19ebc99ba6277d9' (2023-12-10) → 'github:Mic92/sops-nix/cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6' (2023-12-31) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/b8f33c044e51de6dde3ad80a9676945e0e4e3227' (2023-12-09) → 'github:NixOS/nixpkgs/0aad9113182747452dbfc68b93c86e168811fa6c' (2023-12-30)	2024-01-02 20:49:34 +01:00
Simon Bruder	2a5da89f53	Do not enable fwupd on virtual machines It only uses up resources on those hosts but serves no purpose.	2024-01-01 16:11:28 +01:00