catering WIP

.sops.yaml

@@ -15,7 +15,7 @@ keys:
   - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
   - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
   - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
-  - &okarin e7370b48016c961ef8ad792fda66b19d845b3156
+  - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
   - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
   - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
   - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4

README.md

@@ -143,10 +143,3 @@ so always consult the file header and other resources as specified in the REUSE
 Please note that those licensing terms only apply to the source files in this repository,
 not any build outputs, like system or package closures.
 They might be licensed differently, depending on their source.
-
-If you think you have a compelling reason
-why you should be able to use part of this repository under a more permissive license,
-please contact me,
-so we can figure something out.
-Please note, that I can only offer this for files that are solely authored by me,
-as I do not own the rights to other people’s code.

flake.lock

@@ -26,11 +26,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
         "type": "github"
       },
       "original": {
@@ -44,11 +44,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
         "type": "github"
       },
       "original": {
@@ -65,11 +65,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "lastModified": 1660459072,
+        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
         "type": "github"
       },
       "original": {
@@ -85,11 +85,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712386041,
-        "narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
+        "lastModified": 1704099619,
+        "narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
+        "rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712989663,
-        "narHash": "sha256-r2X/DIAyKOLiHoncjcxUk1TENWDTTaigRBaY53Cts/w=",
+        "lastModified": 1704100519,
+        "narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "40ab43ae98cb3e6f07eaeaa3f3ed56d589da21b0",
+        "rev": "6e91c5df192395753d8e6d55a0352109cb559790",
         "type": "github"
       },
       "original": {
@@ -215,11 +215,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1712897695,
-        "narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
+        "lastModified": 1703939133,
+        "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
+        "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38",
         "type": "github"
       },
       "original": {
@@ -231,11 +231,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1712909959,
-        "narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
+        "lastModified": 1704124233,
+        "narHash": "sha256-lBHs/yUtkcGgapHRS31oOb5NqvnVrikvktGOW8rK+sE=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
+        "rev": "f752581d6723a10da7dfe843e917a3b5e4d8115a",
         "type": "github"
       },
       "original": {
@@ -247,11 +247,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1712741485,
-        "narHash": "sha256-bCs0+MSTra80oXAsnM6Oq62WsirOIaijQ/BbUY59tR4=",
+        "lastModified": 1703992652,
+        "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b2cf36f43f9ef2ded5711b30b1f393ac423d8f72",
+        "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
         "type": "github"
       },
       "original": {
@@ -275,11 +275,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1712934106,
-        "narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=",
+        "lastModified": 1704120598,
+        "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=",
         "ref": "refs/heads/master",
-        "rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8",
-        "revCount": 66,
+        "rev": "32ef4fd545a29cdcb2613934525b97470818b42e",
+        "revCount": 65,
         "type": "git",
         "url": "https://git.sbruder.de/simon/nixpkgs-overlay"
       },
@@ -290,43 +290,43 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1710695816,
-        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
+        "lastModified": 1685801374,
+        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
+        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1712437997,
-        "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
+        "lastModified": 1703950681,
+        "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
+        "rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1712791164,
-        "narHash": "sha256-3sbWO1mbpWsLepZGbWaMovSO7ndZeFqDSdX0hZ9nVyw=",
+        "lastModified": 1703961334,
+        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1042fd8b148a9105f3c0aca3a6177fd1d9360ba5",
+        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
         "type": "github"
       },
       "original": {
@@ -453,11 +453,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1712617241,
-        "narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
+        "lastModified": 1703991717,
+        "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
+        "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
         "type": "github"
       },
       "original": {

keys/machines/okarin.asc

@@ -1,28 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC
-Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG
-twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT
-cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4
-va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9
-vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h
-5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0
-HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE
-ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS
-0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+
-TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB
+xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg
+Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT
+ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG
+jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw
+KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1
+NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7
+jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr
+YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF
+a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD
+uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr
+/EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR
-O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1
-+B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn
-uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C
-3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0
-t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4
-fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV
-qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt
-uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw
-2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT
-TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU
-NxR1Jvm5bnGfUcnNlzoB4Q==
-=6o0h
+AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG
+yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR
+Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf
+K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN
+DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi
+xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt
+CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4
+RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn
+xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP
+Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn
+rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0
+MsxjN+we2woCXG5SJGYOyA==
+=UTw1
 -----END PGP PUBLIC KEY BLOCK-----

keys/users/simon.asc

@@ -5,39 +5,67 @@ EKpaQ5+0H1NpbW9uIEJydWRlciA8c2ltb25Ac2JydWRlci5kZT6InAQTFgoARAIb
 AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm
 K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/
 Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE
-B0JHBLQxU2ltb24gQnJ1ZGVyIDxzaW1vbi5icnVkZXJAbWFpbGJveC50dS1kcmVz
-ZGVuLmRlPoiZBBMWCgBBFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd20CGwEF
-CQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQsaC0pFiFoDGUqAEA
-vqCjV1Fti5v6XpFFX/YU3160v4GYwD1vSdNJTTFfm3kBAO3hu30ecM3rWZf0SJmC
-xizTcSJIOEng0z39uk75PV4MuDMEZa13mRYJKwYBBAHaRw8BAQdA1st2Ull8qExF
-xFBS4ZtAxCP4a0yvany8hfclRDuM2W2I9QQYFgoAJgIbAhYhBNSKGsqxzb0XAVFm
-K7GgtKRYhaAxBQJlrud2BQkB4qNdAIF2IAQZFgoAHRYhBF8781AR60Ih56rcrDR/
-+Gmc2gd2BQJlrXeZAAoJEDR/+Gmc2gd2WGkA/1q7AL8NUkvEOXRXOdHUhFkC2AXp
-V9deFHxrszMWgIxhAQD7QPihv5Cm8SPkClDMeKFnGwlMpeZNM/XYn5FqyLPrBwkQ
-saC0pFiFoDG2mQD8CMU8iakviZHNDspU2nZLVRp5RWBGtbeqiq2+KUYzgCEA/REV
-SAd0ks7DaVVxtHY4cn/oN76QeX3RXUAvfTsiPD0CuDgEZa13whIKKwYBBAGXVQEF
-AQEHQCz6uVsYw1gvKcMfmofGvK8uv4t+PsL0N6jlrPtY/Qt2AwEIB4h+BBgWCgAm
-FiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd8ICGwwFCQPCZwAACgkQsaC0pFiF
-oDFfVwEA7ijxFOSx7RhdE9XqNfDk+Gl4s6ste20j0MW3J+jAKTcBALUk/F0OYJIv
-E6njUIuZlz4wFKJHDpursKIJu91QjzoFuDMEZa14JhYJKwYBBAHaRw8BAQdATUqx
-HSmDAt+Fs/8EN7JvsIuciptaJpLnZApQ5gu2KgeIfgQYFgoAJhYhBNSKGsqxzb0X
-AVFmK7GgtKRYhaAxBQJlrXgmAhsgBQkB4TOAAAoJELGgtKRYhaAxMBoBAN7lVHou
-WPLuO6NNPHL8fXYG+9LFrIfVn/ztEKGwhOkhAQDcmy+3iHVaO4JPz6NJcojZzyDp
-nn/R4uqdSVJ1qNy3Bbg4BGWteO4SCisGAQQBl1UBBQEBB0DVD2QambSi9HXWmBts
-FDf75LrjJa5WTn1my6SVSODaYQMBCAeIdQQYFgoAJxYhBNSKGsqxzb0XAVFmK7Gg
-tKRYhaAxBQJlrXjuAxsABAUJAeEzgAAAA8UBAPjW4ZDp+ITJ9z/v7aL+wLdI0CY4
-w2I+LYP/VVtUr8JHAQCRFzzkBSz2IXoMKuRvpcJRLMRPS5gTAbrDC/96eGVGBLgz
-BGWtfDQWCSsGAQQB2kcPAQEHQOtp4pbIVjjXN7J277+pm5EyzIQVD5aHpoi45J1P
-NVCLiH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa18NAIbIAUJAeEz
-gAAKCRCxoLSkWIWgMRecAQC6fz9nPhVe1ncJyNn/c2RcZra0sEWwzwRiem7wieOU
-GgEAhEOJxdEMbNv6mw4kSdLnFmC5VCvTEeLQF7uxP37ADwq4OARlrXuTEgorBgEE
-AZdVAQUBAQdAb2sZjRbDkcC3IhREZfUpXR5931F0csq5A6lTNSHyclcDAQgHiHUE
-GBYKACcWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa17kwMbAAQFCQHhM4AAAMSe
-AQCwkhOqxIjsIJ5DBgybQ4HTu52y3IkCVnx+ikcef8DMowEAgA5A3aSX8x9+p34t
-6ZX1dbgItWYS1a2bvqlEkvUBnwa4MwRlrX8yFgkrBgEEAdpHDwEBB0D37Ln0CHRc
-1itQdbnpQs7fFyWqLm5UT59YI2b7pkhK/oh+BBgWCgAmFiEE1IoayrHNvRcBUWYr
-saC0pFiFoDEFAmWtfzICGyAFCQPCZwAACgkQsaC0pFiFoDFaJgEAmtpmq5QnshEE
-HDs9yBTxWAnrYfPnvyOi4KID6FbJTI0BAPNohV+XiBbQKmmKrWb5ui0BXNISPCYk
-H6R7fxacajUC
-=361S
+B0JHBIkCMwQQAQoAHRYhBEfnVZ4DejVlLbv4qo08gvnzCfjsBQJlrZp3AAoJEI08
+gvnzCfjsE2IP/RZoV3xvTi9ks5mpClnxdofGR4r2IVFw8TMQLSFfAHAtEJQ+R8fx
+0Yk+yoBNjt6JFKsvVVyVTZsK5cZcECSaX8E5gAYIB0+5S7TAC+DL9lDhWqhJnvOk
+5nWIM6gdey6H4lmwjMQT9deWFBlHI/4+eEv65B2tlPZH7x2EbXywe5TgAmCAuXBI
+7YOCebPh66n0ezJkw0SkEmz5+yMfj/vQNQxvRUpGpMEPDAUvIWEJ+Mb1XRuSZlYy
+Z8fNh0lMuvDf/GAwoFLiQM8ToprYT1vVnZ+IzEHkjYA1/nDTj1rDxiFCz+FCc+/k
++7fjbtbmX1rSLu90jQZx3h0JEb9t4Zd0X9aOstVnqTi9pMWWyFcUgA71+21VqbIQ
+LccjaPZ0YK75on5YaD5ZmtHAl5ZD1VIXL0vnyN/XQYa4GUiN0qVwdG9QSEEe8gu8
+jjAWClU8BroyOtWamOlQWs/RPZsg1G5Nv5KcPJbw67sWzJZYvJhytRMg9yMWM/uC
+uSC30u/gA49YP2N32XsxwFo8LAUrqn22/WdgcR1NIhHDjzT4SWSTS/ec5lSB998e
+xw+41h4hDHwZn75HYi89FytjS0Sc8C4b2GPw8eqbhKHKMlPKJah2enFXkR85AZJ1
+wJGGhHhUS1mZ9e5SbY5ugtYj8v3Q3RMf47pqSHsO1Z9ojWBpAYforhTEtDFTaW1v
+biBCcnVkZXIgPHNpbW9uLmJydWRlckBtYWlsYm94LnR1LWRyZXNkZW4uZGU+iJkE
+ExYKAEEWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13bQIbAQUJA8JnAAULCQgH
+AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCxoLSkWIWgMZSoAQC+oKNXUW2Lm/pe
+kUVf9hTfXrS/gZjAPW9J00lNMV+beQEA7eG7fR5wzetZl/RImYLGLNNxIkg4SeDT
+Pf26Tvk9XgyJAjMEEAEKAB0WIQRH51WeA3o1ZS27+KqNPIL58wn47AUCZa2afQAK
+CRCNPIL58wn47JgND/0aTHhLlT7QGE9O6RV1kS81YeiQD5UvrJcYh9/wb7plXV/R
++AJ9QUxnw9SKeyyFGjwQeWIkkdJccq8ov5ekz++ErCsFlQtvhzNMa+ZRRJ5XG1m9
+dyFUKAvZ9vo5EnYOTO72l3TEel4L3V5t6qeUGdJQoVBC3cmLHJ7Vs92cTrmrQnF6
+JXVgoj41iSmgnHdf8l0rsHc4/ODYDpZpOQjQj24Teb6Hj8jkjhNejGm6Ackcy6UF
+KIX4ZDQD2k9SlxDt2LGLjF2rHar4NFYNJwgzO1tMazjTDAV1J9zx44NFaC1dm4oj
+0Nz/xSYyyYyBoeqIG29qZrmWj5yIee64I+POX5REuLvf//64atEAkvODqg8ZhrXB
+Jd7BTtsRpUkkzwBv/ZHYJyEwLrUKLXpyx6GejksJ4fX4ftyWAgUOkDI06WI4WnQl
+WzTOqIWwbub3M53F8eOGvXLUd6PD3p8ARiCFG+5cqRimmd3WZ5g0C9YWnuKRAOrT
+mrquAFhAeaanp+MRihB9d0nj5Lfx3mtfLAWDHYTj+yXL7de1xJ8p2D4WekJJ9NRJ
+f8b9d+wswth/1NV/ly64J7aiGpVzE+WcpNGl9pcsisSiXOCGJatPvrl9h6vgU+Oj
+2HhE5vf9WmvHxkUwut1Tw2cw5KoukugDZWos8AZ671QebmfnebDUsmSfhkOymbgz
+BGWtd5kWCSsGAQQB2kcPAQEHQNbLdlJZfKhMRcRQUuGbQMQj+GtMr2p8vIX3JUQ7
+jNltiPUEGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13mQIbAgUJA8Jn
+AACBCRCxoLSkWIWgMXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWt
+d5kACgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaA
+jGEBAPtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sH8p0A/j2fQV8DVJsn
+fnyFdmEIS14LaLyBTQ411CLkOVI4l5yBAP0Xue1JzV1Spm8Ib5rbAB5l2Q39xwsZ
+IkGsiN85Wq7cA4j1BBgWCgAmAhsCFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWu
+53YFCQHio10AgXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWtd5kA
+CgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaAjGEB
+APtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sHCRCxoLSkWIWgMbaZAPwI
+xTyJqS+Jkc0OylTadktVGnlFYEa1t6qKrb4pRjOAIQD9ERVIB3SSzsNpVXG0djhy
+f+g3vpB5fdFdQC99OyI8PQK4OARlrXfCEgorBgEEAZdVAQUBAQdALPq5WxjDWC8p
+wx+ah8a8ry6/i34+wvQ3qOWs+1j9C3YDAQgHiH4EGBYKACYWIQTUihrKsc29FwFR
+ZiuxoLSkWIWgMQUCZa13wgIbDAUJA8JnAAAKCRCxoLSkWIWgMV9XAQDuKPEU5LHt
+GF0T1eo18OT4aXizqy17bSPQxbcn6MApNwEAtST8XQ5gki8TqeNQi5mXPjAUokcO
+m6uwogm73VCPOgW4MwRlrXgmFgkrBgEEAdpHDwEBB0BNSrEdKYMC34Wz/wQ3sm+w
+i5yKm1omkudkClDmC7YqB4h+BBgWCgAmFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEF
+AmWteCYCGyAFCQHhM4AACgkQsaC0pFiFoDEwGgEA3uVUei5Y8u47o008cvx9dgb7
+0sWsh9Wf/O0QobCE6SEBANybL7eIdVo7gk/Po0lyiNnPIOmef9Hi6p1JUnWo3LcF
+uDgEZa147hIKKwYBBAGXVQEFAQEHQNUPZBqZtKL0ddaYG2wUN/vkuuMlrlZOfWbL
+pJVI4NphAwEIB4h1BBgWCgAnFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWteO4D
+GwAEBQkB4TOAAAADxQEA+NbhkOn4hMn3P+/tov7At0jQJjjDYj4tg/9VW1SvwkcB
+AJEXPOQFLPYhegwq5G+lwlEsxE9LmBMBusML/3p4ZUYEuDMEZa18NBYJKwYBBAHa
+Rw8BAQdA62nilshWONc3snbvv6mbkTLMhBUPloemiLjknU81UIuIfgQYFgoAJhYh
+BNSKGsqxzb0XAVFmK7GgtKRYhaAxBQJlrXw0AhsgBQkB4TOAAAoJELGgtKRYhaAx
+F5wBALp/P2c+FV7WdwnI2f9zZFxmtrSwRbDPBGJ6bvCJ45QaAQCEQ4nF0Qxs2/qb
+DiRJ0ucWYLlUK9MR4tAXu7E/fsAPCrg4BGWte5MSCisGAQQBl1UBBQEBB0BvaxmN
+FsORwLciFERl9SldHn3fUXRyyrkDqVM1IfJyVwMBCAeIdQQYFgoAJxYhBNSKGsqx
+zb0XAVFmK7GgtKRYhaAxBQJlrXuTAxsABAUJAeEzgAAAxJ4BALCSE6rEiOwgnkMG
+DJtDgdO7nbLciQJWfH6KRx5/wMyjAQCADkDdpJfzH36nfi3plfV1uAi1ZhLVrZu+
+qUSS9QGfBrgzBGWtfzIWCSsGAQQB2kcPAQEHQPfsufQIdFzWK1B1uelCzt8XJaou
+blRPn1gjZvumSEr+iH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa1/
+MgIbIAUJA8JnAAAKCRCxoLSkWIWgMVomAQCa2marlCeyEQQcOz3IFPFYCeth8+e/
+I6LgogPoVslMjQEA82iFX5eIFtAqaYqtZvm6LQFc0hI8JiQfpHt/FpxqNQI=
+=1z2B
 -----END PGP PUBLIC KEY BLOCK-----

machines/catering/configuration.nix

@@ -0,0 +1,123 @@
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+  ];
+
+  sbruder = {
+    nginx.hardening.enable = true;
+    full = false;
+  };
+
+  networking.hostName = "catering";
+
+  system.stateVersion = "23.05";
+
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "catering.salespointframework.org" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations = {
+          "/" = {
+            proxyPass = "http://localhost:8080";
+            extraConfig = ''
+              sub_filter '</script>' '</script><script src="/dev.js"></script>';
+              sub_filter_once on;
+            '';
+          };
+          "= /dev.js".alias = pkgs.writeText "dev.js" ''
+            addEventListener("load", event => {
+              document.querySelector("footer").appendChild((() => {
+                let el = document.createElement("p")
+                el.classList.add("text-center", "fw-bold")
+                el.innerText = "Alle Angebot sind fiktiv!"
+                return el
+              })())
+
+              if (localStorage.getItem("devAck") !== "true") {
+                if (confirm("Alle hier präsentierten Angebote sind fiktiv, es können keine rechtsverbindlichen Verträge geschlossen werden. Mit dem Fortfahren bestätigen Sie, dies verstanden zu haben.")) {
+                  localStorage.setItem("devAck", "true")
+                } else {
+                  location = "about:blank"
+                }
+              }
+            })
+          '';
+        };
+      };
+
+      "www.mampf.shop" = {
+        forceSSL = true;
+        enableACME = true;
+        globalRedirect = "catering.salespointframework.org";
+      };
+
+      "mampf.shop" = {
+        forceSSL = true;
+        enableACME = true;
+        globalRedirect = "catering.salespointframework.org";
+      };
+
+      "presi.catering.salespointframework.org" = {
+        enableACME = true;
+        forceSSL = true;
+
+        root = "/var/www/presi.catering.salespointframework.org";
+
+        locations."/".tryFiles = "/main.pdf =404";
+      };
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/www/presi.catering.salespointframework.org 0755 catering catering - -"
+  ];
+
+  users.users.catering = {
+    isSystemUser = true;
+    group = "catering";
+    useDefaultShell = true;
+    home = "/var/lib/catering";
+    createHome = true;
+
+    openssh.authorizedKeys.keys = config.sbruder.pubkeys.trustedKeys;
+  };
+  users.groups.catering = { };
+
+  sbruder.static-webserver.vhosts = {
+    "salespointframework.org" = {
+      redirects = [ "www.salespointframework.org" "salespointframe.work" "www.salespointframe.work" ];
+      user = {
+        name = "salespoint";
+        keys = config.sbruder.pubkeys.trustedKeys;
+      };
+    };
+    "verkaufspunktrahmenwerk.de" = {
+      redirects = [ "www.verkaufspunktrahmenwerk.de" "verkaufspuntrahmenwerk.de" "www.verkaufspuntrahmenwerk.de" ];
+      user = {
+        name = "verkaufspunkt";
+        keys = config.sbruder.pubkeys.trustedKeys;
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}

machines/catering/hardware-configuration.nix

@@ -0,0 +1,54 @@
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  sbruder.machine.isVm = true;
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ];
+    };
+    loader = {
+      grub.enable = false;
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/c39bdb61-2e4c-464b-8c4c-bb6bb7f342a2";
+      fsType = "btrfs";
+      options = [ "compress=zstd" ];
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/D976-BBAF";
+      fsType = "vfat";
+    };
+  };
+
+  networking.useDHCP = false;
+  networking.usePredictableInterfaceNames = false;
+  systemd.network = {
+    enable = true;
+    networks = {
+      eth0 = {
+        name = "eth0";
+        DHCP = "yes";
+        domains = [ "salespointframework.org" ];
+        address = [ "2a01:4f9:c011:9c01::1/64" ];
+        gateway = [ "fe80::1" ];
+      };
+    };
+  };
+
+  # no smart on qemu disk
+  services.smartd.enable = false;
+}

machines/default.nix

@@ -76,4 +76,9 @@ in
 
     targetHost = "yuzuru.sbruder.de";
   };
+  catering = {
+    system = "aarch64-linux";
+
+    targetHost = "catering.salespointframework.org";
+  };
 }

machines/okarin/README.md

@@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 
 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
@@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0
 
 ## Hardware
 
-[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).
+[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD).
 
 ## Purpose
 
@@ -22,50 +22,32 @@ Okabe Rintaro is a mad scientist from *Steins;Gate*
 
 Much like the namesake,
 this server requires a “mad scientist” approach to set up.
-However, it is much easier than setting up its predecessor,
-which had just above 400 MiB usable memory.
 
 Ionos does not offer any NixOS installation media.
-I could only choose between various installation media and rescue systems.
-Also, installing NixOS with a low amount of memory is problematic.
+I could only choose between a Debian installation media, Knoppix and GParted.
+Also, installing with a very low amount of memory is quite hard.
 
 I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
 On there, I installed NixOS.
-Because encryption with `argon2id` as PBKDF is quite memory intensive,
-I had to tune the parameters to ensure decryption was still possible on the target.
-This can be done quite easily by interactively running the following command on the build VM:
+Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
+What I settled on was
+`cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
 
-    cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
+To make btrfs use its SSD optimizations,
+I had to force the kernel to see the device as non-rotational:
+`echo 0 > /sys/block/dm-0/queue/rotational`
 
-The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.
-
-However, since those parameters are not ideal,
-the following should later be run on the target host itself:
-
-    cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
-
-This will determine the memory usage automatically,
-use one thread
-and set the parameters so that decryption takes 10 seconds (10000 ms).
-The memory usage will not be as high as it could,
-but it will be better.
+Another problem was the usage of VMware by Ionos.
+The VM I set this up with was obviously using KVM/QEMU,
+so it needed different kernel modules at boot.
+What worked was setting it up in the local VM with both libvirt and vmware modules,
+and then removing the libvirt modules once it was installed on the target.
 
 Getting the disk image onto the server was done
 by first `rsync`ing the image to another server (to allow for incremental iterations),
 which then provided it via HTTP.
-Using the Debian installation media in rescue mode
-(as for some reason most other options tried to cache the file in memory and became very slow)
-it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
+Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui),
+it was possible to just `curl http://server/okarin.img > /dev/sda`.
 
 Because of all the pitfalls of this,
 you probably need more than one try.
-To make debugging easier on the target, the following option can be set:
-```nix
-{ pkgs, ... }:
-
-{
-  boot.initrd.preLVMCommands = ''
-    ${pkgs.bashInteractive}/bin/bash
-  '';
-}
-```

machines/okarin/configuration.nix

@@ -9,6 +9,7 @@
     ./hardware-configuration.nix
     ../../modules
 
+    ./services/static-sites.nix
     ./services/proxy.nix
   ];
 
@@ -21,7 +22,7 @@
 
   networking.hostName = "okarin";
 
-  system.stateVersion = "23.11";
+  system.stateVersion = "22.11";
 
   networking.firewall.allowedTCPPorts = [
     80

machines/okarin/hardware-configuration.nix

@@ -5,10 +5,6 @@
 { lib, modulesPath, ... }:
 
 {
-  imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
-  ];
-
   sbruder.machine.isVm = true;
 
   boot = {
@@ -16,34 +12,41 @@
     extraModulePackages = [ ];
     kernelParams = [ "ip=dhcp" ];
     initrd = {
-      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
-      kernelModules = [ ];
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ];
+      kernelModules = [ "dm-snapshot" "vmw_balloon" ];
       network = {
         enable = true; # remote unlocking
         # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
         # this works around this, but is arguably quite hacky
         postCommands = ''
-          ip route add 85.215.165.1 dev eth0
-          ip route add default via 85.215.165.1 dev eth0
+          ip route add 10.255.255.1 dev eth0
+          ip route add default via 10.255.255.1 dev eth0
         '';
       };
-      luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
+      luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267";
     };
-    loader.grub.device = "/dev/vda";
+    loader.grub.device = "/dev/sda";
   };
 
   fileSystems = {
     "/" = {
-      device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
+      device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41";
       fsType = "btrfs";
-      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+      options = [ "compress=zstd" "discard" "noatime" ];
     };
     "/boot" = {
-      device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
+      device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518";
       fsType = "ext2";
     };
   };
 
+  swapDevices = [
+    {
+      device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079";
+      randomEncryption.enable = true;
+    }
+  ];
+
   zramSwap = {
     enable = true;
     memoryPercent = 150;
@@ -60,6 +63,11 @@
         name = "eth0";
         DHCP = "yes";
         domains = [ "sbruder.de" ];
+        address = [ "2001:8d8:1800:8627::1/64" ];
+        gateway = [ "fe80::1" ];
+        networkConfig = {
+          IPv6AcceptRA = "no";
+        };
       };
     };
   };

machines/okarin/secrets.yaml

@@ -1,80 +1,80 @@
-wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str]
+wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-12-25T22:06:33Z"
-    mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str]
+    lastmodified: "2023-05-06T08:49:32Z"
+    mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str]
     pgp:
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw
-            ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA
-            hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw
-            +ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB
-            hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw
-            I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/
-            1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf
-            1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/
-            hRlLbnUDE1Q=
-            =ol1Y
+            hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw
+            faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6
+            hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w
+            aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1
+            hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w
+            RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0
+            1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE
+            zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2
+            PWZwSFBCZEg=
+            =r7sK
             -----END PGP MESSAGE-----
           fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw
-            VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU
-            hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow
-            rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1
-            hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw
-            xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV
-            1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG
-            Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk
-            G+tyNMgCYhM=
-            =2QnY
+            hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw
+            zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709
+            hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw
+            f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz
+            hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw
+            Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI
+            1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/
+            aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V
+            B8h2L/JR7Yo=
+            =/wMt
             -----END PGP MESSAGE-----
           fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw
-            SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo
-            hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww
-            wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8
-            hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw
-            3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc
-            1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh
-            AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H
-            VOK1Bc67BzU=
-            =3z3V
+            hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww
+            uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc
+            hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw
+            zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP
+            hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw
+            mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817
+            1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL
+            8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S
+            Gzwk8dC0wdc=
+            =BWUr
             -----END PGP MESSAGE-----
           fp: 403215E0F99D2582C7055C512C77841620B8F380
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v
-            z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo
-            w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO
-            DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n
-            7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e
-            7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN
-            Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt
-            4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b
-            5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl
-            auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3
-            pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS
-            VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R
-            da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB
-            =F0pC
+            hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B
+            lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp
+            jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0
+            ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq
+            tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ
+            T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb
+            YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2
+            qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T
+            nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R
+            LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al
+            a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS
+            VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd
+            QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6
+            =sy/X
             -----END PGP MESSAGE-----
-          fp: e7370b48016c961ef8ad792fda66b19d845b3156
+          fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3

machines/okarin/services/proxy.nix

@@ -6,7 +6,9 @@
 let
   proxyMap = {
     "sbruder.xyz" = "renge";
+    "nitter.sbruder.xyz" = "renge";
     "iv.sbruder.xyz" = "renge";
+    "libreddit.sbruder.xyz" = "renge";
   };
 in
 {

machines/okarin/services/static-sites.nix

@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, ... }:
+
+{
+  sbruder.static-webserver.vhosts = {
+    "maggus.bayern".user = {
+      name = "maggus";
+      keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
+      ] ++ config.sbruder.pubkeys.trustedKeys;
+    };
+    "arbeitskampf.work".user = {
+      name = "arbeitskampf";
+    };
+  };
+}

machines/renge/configuration.nix

@@ -17,7 +17,6 @@
     ./services/grafana.nix
     ./services/hedgedoc.nix
     ./services/invidious
-    ./services/mastodon.nix
     ./services/matrix
     ./services/murmur.nix
     ./services/password-hash-self-service.nix
@@ -34,9 +33,6 @@
     };
     wireguard.home.enable = true;
     infovhost.enable = true;
-    wkd = {
-      enable = true;
-    };
   };
 
   networking.hostName = "renge";

machines/renge/secrets.yaml

@@ -2,7 +2,6 @@ forgejo-mail: ENC[AES256_GCM,data:3AlFHzVBA5TE4qv5ubG39K0varV8/HabO0q/RJZSD5o=,i
 go-neb-overrides: ENC[AES256_GCM,data:1xy+SdsSTuerRox4skitg1mKLr1MoANFoCzz76TKSA31ORo/oUWVGrYxfusZxrFQWjYGRFpSYzmkzPn1RoWmbXyfwPEcisvjenXLNvwcyoontBd7TiiLdukEtya6RfGLRGKc8tfCzbDUWgiYz5IDMFBvKGnewFjB+au0/Ge2+2DTw6M4negjCz343TO/vbyTr5xT/5smmKz7Ouk9SbEo7yEuHkQPQfedGw2PYT82zdXd/Eje3Zq2EB4xcUU7beGrF1zkOdXQ4OVqB8XnkCnuLtNlnJtsffm0rbPDPD3/nhHKpJ8jXrN54V14dSnHW7yOifGMIus0VFMRZcIT7A+BroM9qzJhW3F4gsF1Bwp0CF+6zLLRjgpA0EOyvOwpLIftBZfMIpveAH62MVY0IBfwDdkI1itEOjj9EhTrOGxBx45Cj6Qk3Mk6ncyr15+E+KAmQRxZJrEW8Grk4PyzuxtxYd0n8LSaRUe1eNVUhHkQNpo/zvAPgrzcRnM91EwIoMvlNmwyC63j1h+OBKlXQgChAaB1O6HFXQY=,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
 hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
 invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
-mastodon-mail: ENC[AES256_GCM,data:RT/fS7cqbcePd2qe7CR5jRh2jtKaS81ICbMUOlPUQsY=,iv:C7GYMB0U2KIfXuEnYaoIEfV89/EnJS6V9iG97X8zkPk=,tag:L4SVe6aYGcarvX1hmMqQOw==,type:str]
 murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
 netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
 prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
@@ -17,8 +16,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-04-26T10:40:21Z"
-    mac: ENC[AES256_GCM,data:rjLzGWhG6YTq8hJWvQeyl2pIGcy/2+UN4Hi1c5Cah8Z+LenYS93MIDVAwcb1c28ZWTKA6SiFyMd5pdMVMVMZP+WccnlwRvPySZhfyGtLXG8gR8yk35pUF+9WvrTvnY6geTPGoQTp/CeujEX9ceZ/s5Wq2vnt8JWdUIhLK7A8hiM=,iv:yhbtxFm1AbolC7t0m3S6hRJQ3paz/c9A3dA02e2l5mg=,tag:CoS0jG38DIdJTrFGcM/Hxw==,type:str]
+    lastmodified: "2024-01-10T18:29:17Z"
+    mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
     pgp:
         - created_at: "2024-01-22T00:20:10Z"
           enc: |-

machines/renge/services/mastodon.nix

@@ -1,32 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, ... }:
-
-{
-  sops.secrets.mastodon-mail = {
-    owner = config.services.mastodon.user;
-    sopsFile = ../secrets.yaml;
-  };
-
-  services.mastodon = {
-    enable = true;
-    configureNginx = true;
-    localDomain = "procrastination.space";
-    smtp = {
-      createLocally = false;
-      host = "vueko.sbruder.de";
-      port = 465;
-      user = "mastodon@sbruder.de";
-      passwordFile = config.sops.secrets.mastodon-mail.path;
-      fromAddress = config.services.mastodon.smtp.user;
-      authenticate = true;
-    };
-    streamingProcesses = 5;
-    extraConfig = {
-      SMTP_TLS = "true";
-      RAILS_LOG_LEVEL = "warn";
-    };
-  };
-}

machines/renge/services/prometheus.nix

@@ -136,10 +136,8 @@ in
       {
         job_name = "knot";
         static_configs = mkStaticTargets [
-          "vueko.vpn.sbruder.de:9433"
-          "renge.vpn.sbruder.de:9433"
           "okarin.vpn.sbruder.de:9433"
-          "yuzuru.vpn.sbruder.de:9433"
+          "vueko.vpn.sbruder.de:9433"
         ];
         relabel_configs = lib.singleton {
           target_label = "instance";

machines/renge/services/sbruder.xyz/default.nix

@@ -3,7 +3,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 { config, pkgs, ... }:
-
+let
+  goneVhost = {
+    locations."~ .*".return = "303 'https://sbruder.xyz/#history'";
+  };
+in
 {
   imports = [
     ./blocks.nix
@@ -54,4 +58,7 @@
       };
     };
   };
+
+  services.nginx.virtualHosts."nitter.sbruder.xyz" = goneVhost;
+  services.nginx.virtualHosts."libreddit.sbruder.xyz" = goneVhost;
 }

machines/shinobu/configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -9,7 +9,6 @@
     ../../modules
 
     ./services/co2_exporter.nix
-    ./services/ntp.nix
     ./services/router
     ./services/snmp-exporter.nix
     ./services/wordclock-dimmer.nix

machines/shinobu/services/ntp.nix

@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{
-  services.ntp = {
-    enable = true;
-  };
-
-  networking.firewall.allowedUDPPorts = [ 123 ];
-}

machines/shinobu/services/router/dnsmasq.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -41,16 +41,16 @@ in
         cfg.vlan);
       dhcp-option = lib.flatten (lib.mapAttrsToList
         (name: { subnet, ... }: [
-          # Gateway
           "tag:br-${name},option:router,${subnet.v4.gateway}"
           "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
-
-          # NTP server (runs on gateway)
-          "tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
-          "tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
         ])
         cfg.vlan);
 
+      nftset = [
+        "/pool.ntp.org/4#inet#filter#iot_ntp4"
+        "/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
+      ];
+
       server = [
         "127.0.0.1#5053"
       ];

machines/shinobu/services/router/rules.nft

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -7,6 +7,16 @@ define PHYSICAL_WAN = "enp1s0"
 define NAT_WAN_IFACES = { $PHYSICAL_WAN }
 
 table inet filter {
+	# These two sets are dynamically managed by dnsmasq
+	set iot_ntp4 {
+		type ipv4_addr
+		comment "IPv4 addresses of resolved NTP servers"
+	}
+	set iot_ntp6 {
+		type ipv6_addr
+		comment "IPv6 addresses of resolved NTP servers"
+	}
+
 	chain forward {
 		type filter hook forward priority filter; policy drop
 
@@ -21,6 +31,8 @@ table inet filter {
 		iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
 		iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
 
+		iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
+		iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
 		iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
 	}
 }

machines/yuzuru/services/static-sites.nix

@@ -1,9 +1,7 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-{ config, ... }:
-
 {
   services.nginx.virtualHosts = {
     "brennende.autos" = {
@@ -21,34 +19,9 @@
   };
 
   sbruder.static-webserver.vhosts = {
-    "arbeitskampf.work".user = {
-      name = "arbeitskampf";
-    };
-
-    "maggus.bayern".user = {
-      name = "maggus";
-      keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
-      ] ++ config.sbruder.pubkeys.trustedKeys;
-    };
-
     "psycho-power-papagei.de" = {
       user.name = "papagei";
       imprint.enable = true;
     };
-
-    "salespointframework.org" = {
-      redirects = [
-        "www.salespointframework.org"
-        "salespointframe.work"
-        "www.salespointframe.work"
-        "verkaufspunktrahmenwerk.de"
-        "www.verkaufspunktrahmenwerk.de"
-        "verkaufspuntrahmenwerk.de"
-        "www.verkaufspuntrahmenwerk.de"
-      ];
-      user.name = "salespoint";
-    };
   };
 }

modules/authoritative-dns.nix

@@ -7,16 +7,14 @@ let
   cfg = config.sbruder.knot;
 
   primaryHost = "vueko";
-  secondaryHosts = [ "renge" "okarin" "yuzuru" ];
+  secondaryHosts = [ "okarin" ];
 
   isPrimaryHost = config.networking.hostName == primaryHost;
   isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
 
   addresses = {
     vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
-    renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ];
-    okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ];
-    yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
+    okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
   };
 in
 {
@@ -67,7 +65,12 @@ in
               id = host;
               address = hostAddresses;
             })
-            addresses);
+            addresses) ++ lib.optional isPrimaryHost {
+            id = "inwx";
+            # INWX only allows the specification of one primary DNS,
+            # which limits the IP protocol usable for zone transfers to one.
+            address = lib.singleton "185.181.104.96";
+          };
         }
         (lib.mkIf isPrimaryHost {
           policy = lib.singleton {
@@ -85,7 +88,7 @@ in
               zonefile-load = "difference-no-serial";
               journal-content = "all";
               # secondary
-              notify = secondaryHosts;
+              notify = [ "inwx" ] ++ secondaryHosts;
               # dnssec
               dnssec-signing = true;
               dnssec-policy = "default";

modules/default.nix

@@ -35,7 +35,6 @@
     ./cups.nix
     ./docker.nix
     ./fancontrol.nix
-    ./flatpak.nix
     ./fonts.nix
     ./games.nix
     ./grub.nix
@@ -68,7 +67,6 @@
     ./udev.nix
     ./unfree.nix
     ./wireguard
-    ./wkd
   ];
 
   config = lib.mkMerge [
@@ -110,8 +108,6 @@
       # Support for exotic file systems
       boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
 
-      programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);
-
       # When this is set to true (default), routing everything through a
       # wireguard tunnel does not work.
       networking.firewall.checkReversePath = false;
@@ -169,15 +165,5 @@
     (lib.mkIf (!config.sbruder.full) {
       documentation.enable = lib.mkDefault false;
     })
-    (lib.mkIf (config.services.resolved.enable) {
-      # With NixOS’s default database order for hosts,
-      # resolving the FQDN with hostname -f always returns “localhost”
-      # when resolved is enabled.
-      # This changes the priority of the files database,
-      # which fixes this.
-      # This workaround was taken from
-      # https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
-      system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
-    })
   ];
 }

modules/flatpak.nix

@@ -1,19 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# Flatpak is only used for programs that are not easily installable natively.
-# They should always be confined as much as possible using Flatseal.
-#
-# To make Flatpak work with Flathub,
-# the following command must be run imperatively:
-#
-#     flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
-#
-# The full guide is available on https://flathub.org/setup/NixOS,
-# though the restart step is not necessary.
-{ config, lib, ... }:
-
-lib.mkIf config.sbruder.gui.enable {
-  services.flatpak.enable = true;
-}

modules/mailserver/postfix.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -95,7 +95,6 @@ lib.mkIf cfg.enable {
       smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
       smtpd_tls_mandatory_ciphers = "medium";
       smtpd_tls_loglevel = "1";
-      smtpd_tls_received_header = "yes"; # add TLS connection details to Received header
 
       tls_medium_cipherlist = listToString [
         "ECDHE-ECDSA-AES128-GCM-SHA256"
@@ -141,7 +140,6 @@ lib.mkIf cfg.enable {
       # Postscreen
       smtpd = {
         type = "pass";
-        args = [ "-o" "smtpd_discard_ehlo_keywords=silent-discard,dsn" ];
       };
       smtp_inet = {
         # Partially overrides upstream

modules/prometheus/node_exporter.nix

@@ -8,10 +8,7 @@
     enable = config.sbruder.wireguard.home.enable;
     listenAddress = config.sbruder.wireguard.home.address;
     enabledCollectors = [ "systemd" ];
-    disabledCollectors = [
-      "arp.netlink" # https://github.com/prometheus/node_exporter/issues/2849
-      "rapl"
-    ];
+    disabledCollectors = [ "rapl" ];
   };
 
   systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ];

modules/ssh.nix

@@ -60,12 +60,12 @@
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
     };
     okarin = {
-      hostNames = [ "okarin" "okarin.sbruder.de" "okarin.vpn.sbruder.de" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
+      hostNames = [ "okarin" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaev8K5KhRovW75IdZ0HYlzvxxo0haeCM0xCVEOuDSa";
     };
     okarin-initrd = {
       hostNames = [ "[okarin.sbruder.de]:2222" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
     };
     shinobu = {
       hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];

modules/tools.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -50,7 +50,7 @@
     lm_sensors # temperature sensors
     parted # partition manager
     pciutils # lspci
-    (reptyr.overrideAttrs (o: o // { doCheck = false; })) # move process to current terminal # tests fail on qemu-user-aarch64 (TODO 24.05: remove)
+    reptyr # move process to current terminal
     smartmontools # hard drive monitoring
     tcpdump # package inspector
     tio # serial console

modules/unfree.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -41,6 +41,9 @@ in
 
         # games (okay if they run sandboxed)
         "osu-lazer" # also is free except for one dependency
+        "steam"
+        "steam-original"
+        "steam-runtime"
       ]
     ));
   };

modules/wireguard/home.nix

@@ -33,8 +33,8 @@ let
       publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
     };
     okarin = {
-      address = "10.80.0.14";
-      publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
+      address = "10.80.0.10";
+      publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
     };
     shinobu = {
       address = "10.80.0.12";

modules/wkd/default.nix

@@ -1,49 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, ... }:
-let
-  cfg = config.sbruder.wkd;
-
-  toFqdn = domain: "openpgpkey.${domain}";
-in
-{
-  options.sbruder.wkd = {
-    enable = lib.mkEnableOption "Web Key Directory";
-    domain = lib.mkOption {
-      type = lib.types.str;
-      description = "The main domain to listen on. The actual fqdn will be openpgpkey.<domain>.";
-      default = "sbruder.de";
-    };
-    domains = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      description = "Additional domains to serve.";
-      default = [ ];
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    sbruder.static-webserver.vhosts."${toFqdn cfg.domain}" = {
-      redirects = map toFqdn cfg.domains;
-      user.name = "wkd";
-    };
-
-    services.nginx.virtualHosts."${toFqdn cfg.domain}" = {
-      locations."^~ /.well-known/openpgpkey" =
-        let
-          # workaround for nginx dropping parent headers
-          # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
-          parentHeaders = lib.concatStringsSep "\n" (lib.filter
-            (lib.hasPrefix "add_header ")
-            (lib.splitString "\n" config.services.nginx.commonHttpConfig));
-        in
-        {
-          extraConfig = ''
-            ${parentHeaders}
-            add_header Access-Control-Allow-Origin * always;
-          '';
-        };
-    };
-  };
-}

pkgs/co2_exporter/default.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2022-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2022-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -19,7 +19,7 @@ buildGoModule rec {
 
   vendorHash = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68=";
 
-  doCheck = false; # no tests
+  oCheck = false; # no tests
 
   meta = with lib; {
     license = licenses.mit;

pkgs/contact-page/src/index.html

@@ -25,23 +25,15 @@ SPDX-License-Identifier: CC-BY-SA-4.0
           <td><a id="matrix" href="#">(requires javascript)</a></td>
         </tr>
         <tr>
-          <td>Fediverse</td>
-          <td><a rel="me" href="https://procrastination.space/@simon">@simon@procrastination.space</a></td>
-        </tr>
-        <tr>
-          <td>Codeberg</td>
-          <td><a href="https://codeberg.org/sbruder">sbruder</a></td>
-        </tr>
-        <tr>
-          <td>(GitHub)</td>
+          <td>GitHub</td>
           <td><a href="https://github.com/sbruder">sbruder</a></td>
         </tr>
         <tr>
-          <td>(GitLab)</td>
+          <td>GitLab</td>
           <td><a href="https://gitlab.com/sbruder">sbruder</a></td>
         </tr>
         <tr>
-          <td>Forgejo</td>
+          <td>Gitea</td>
           <td><a href="https://git.sbruder.de/simon">git.sbruder.de</a></td>
         </tr>
         <tr>

pkgs/wordclock-dimmer/wordclock-dimmer.py

@@ -61,6 +61,15 @@ def get_color_for_time(time: datetime.time, base=(60, 60, 60)) -> (int, int, int
         )
 
 
+def update(client: mqtt.Client):
+    time = datetime.datetime.now().time()
+    color = get_color_for_time(time)
+    print(f"{time}: setting color to {color}")
+    sys.stdout.flush()
+    set_color(client, *color)
+    pass
+
+
 client = mqtt.Client("wordclock.py")
 
 user = os.environ["WORDCLOCK_MQTT_USER"]
@@ -74,15 +83,6 @@ host = os.environ["WORDCLOCK_MQTT_HOST"]
 client.username_pw_set(user, password)
 client.connect(host, 1883, 60)
 
-color = (0, 0, 0)
-
 while True:
-    time = datetime.datetime.now().time()
-    new_color = get_color_for_time(time)
-    if new_color != color:
-        color = new_color
-        print(f"setting color to {color}")
-        sys.stdout.flush()
-        set_color(client, *color)
-
+    update(client)
     sleep(300)

users/simon/modules/games.nix

@@ -1,41 +1,98 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# Steam is installed as a flatpak,
-# as this seems to be the only method that does not force me
-# to spend hours debugging various issues with the client.
-#
-# Installation instructions for steam:
-#
-# 1. Run flatpak install flathub com.valvesoftware.Steam
-# 2. Use Flatseal to revoke all filesystem permissions,
-#    development syscalls
-#    and bluetooth.
-# 3. Add GDK_SCALE=2 as an environment variable (hack for sway’s Xwayland)
-# 4. If you previously used steam-sandbox,
-#    you need to copy the files to the flatpak location.
-#    For this, start steam once (you can close it early),
-#    so it creates the new structure.
-#    Then, run the following commands:
-#        rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
-#        mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
-#    You might want to copy additional files of games,
-#    that do not store files inside of Steam’s directories.
-#    Afterwards, you can delete ~/.local/share/steam-sandbox
-#
-# For MangoHud, the following steps are also necessary:
-# 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
-# 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
-# 4. For Intel Arc systems,
-#    add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
-#    and /run/wrappers/bin to the PATH environment variable in Flatseal
-# 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
-#    available
+
 { lib, nixosConfig, pkgs, ... }:
 let
   cfg = nixosConfig.sbruder.games;
   inherit (nixosConfig.sbruder) unfree;
+
+  steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
+    set -euo pipefail
+    shopt -s nullglob # make for loop work for glob if files do not exist
+    base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
+    mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
+    bubblewrap_args=(
+        # sandboxing
+        --unshare-all
+        --share-net
+        --die-with-parent
+        --new-session
+
+        # basic filesystem
+        --tmpfs /tmp
+        --proc /proc
+        --dev /dev
+        --dir "$HOME"
+        --dir "$XDG_RUNTIME_DIR"
+        --ro-bind /nix/store /nix/store
+        # path
+        --ro-bind /run/current-system/sw /run/current-system/sw
+        --ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
+        # system-wide configuration
+        --ro-bind /etc/fonts /etc/fonts
+        --ro-bind /etc/localtime /etc/localtime
+        --ro-bind /etc/machine-id /etc/machine-id
+        --ro-bind /etc/os-release /etc/os-release
+        --ro-bind /etc/passwd /etc/passwd
+        --ro-bind /etc/resolv.conf /etc/resolv.conf
+        --ro-bind /etc/ssl/certs /etc/ssl/certs
+        --ro-bind /etc/static /etc/static
+
+        # gui
+        --ro-bind /tmp/.X11-unix /tmp/.X11-unix
+        --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
+        --dev-bind /dev/dri /dev/dri
+        --ro-bind /run/opengl-driver /run/opengl-driver
+        --ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
+
+        # audio
+        --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
+        --setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
+        --ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
+        --setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
+        --ro-bind-try /etc/asound.conf /etc/asound.conf
+        --ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
+        --ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
+
+        # dbus
+        --ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
+        --ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
+
+        # shared data
+        --bind "$base_dir/.local/share" "$HOME/.local/share"
+        --bind "$base_dir/.steam" "$HOME/.steam"
+        --bind "$base_dir/.config" "$HOME/.config"
+        --bind "$base_dir/.factorio" "$HOME/.factorio"
+        --bind "$base_dir/data" "$HOME/data"
+        --ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
+
+        # input
+        --dev-bind /dev/input /dev/input
+        --dev-bind-try /dev/uinput /dev/uinput
+        --ro-bind /sys /sys # required for discovery
+      )
+
+    for hidraw in /dev/hidraw*; do
+        bubblewrap_args+=(--dev-bind $hidraw $hidraw)
+    done
+
+
+    unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
+    export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
+
+    ${pkgs.bubblewrap}/bin/bwrap \
+        "''${bubblewrap_args[@]}" \
+        ''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
+        "$@"
+  '';
+
+  steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
+    mkdir -p $out/{bin,share}
+    ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
+    ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
+    ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
+  '';
 in
 lib.mkIf cfg.enable {
   home.packages = with pkgs; [
@@ -48,7 +105,9 @@ lib.mkIf cfg.enable {
     pcsx2
   ] ++ lib.optionals (cfg.performanceIndex >= 8) [
     unstable.ryujinx
+    unstable.yuzu-mainline
   ] ++ lib.optionals unfree.allowSoftware [
     unstable.osu-lazer-sandbox
+    steam-sandbox-with-icons
   ];
 }

users/simon/modules/gpg.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-{ lib, nixosConfig, pkgs, ... }:
+{ nixosConfig, pkgs, ... }:
 
 {
   programs.gpg = {
@@ -18,7 +18,7 @@
   services.gpg-agent = rec {
     enable = true;
     enableZshIntegration = true;
-    enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
+    enableSshSupport = true;
 
     pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
 

users/simon/modules/mpd.nix

@@ -73,7 +73,6 @@ lib.mkIf nixosConfig.sbruder.gui.enable {
 
       # Lyrics
       lyrics_directory = "${config.services.mpd.musicDirectory}/lyrics";
-      follow_now_playing_lyrics = true;
 
       # Misc
       external_editor = "nvim";

users/simon/modules/neovim/default.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -54,7 +54,7 @@ in
       haskell-language-server
       jdt-language-server
       unstable.ltex-ls
-      nixd
+      rnix-lsp
       rust-analyzer
       (python3.withPackages (ps: with ps; [
         pyls-isort

users/simon/modules/neovim/init.lua

@@ -1,4 +1,4 @@
--- SPDX-FileCopyrightText: 2018-2024 Simon Bruder <simon@sbruder.de>
+-- SPDX-FileCopyrightText: 2018-2023 Simon Bruder <simon@sbruder.de>
 --
 -- SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -348,7 +348,7 @@ lsp.ltex.setup {
 lsp.pylsp.setup {
     on_attach = on_attach,
 }
-lsp.nixd.setup {
+lsp.rnix.setup {
     on_attach = on_attach,
 }
 lsp.rust_analyzer.setup {

users/simon/modules/pass.nix

@@ -14,9 +14,4 @@
       PASSWORD_STORE_DIR = "$HOME/.password-store";
     };
   };
-
-  programs.browserpass = {
-    enable = true;
-    browsers = [ "librewolf" ];
-  };
 }