catering WIP

2024-01-26 23:44:01 +01:00
62 changed files with 666 additions and 976 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -15,11 +15,10 @@ keys:
  - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
  - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
  - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
-  - &okarin e7370b48016c961ef8ad792fda66b19d845b3156
+  - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
  - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
  - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
  - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
  - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
 creation_rules:
  - path_regex: machines/nunotaba/secrets\.yaml$
    key_groups:
@ -98,13 +97,6 @@ creation_rules:
      - *simon-alpha
      - *simon-beta
      - *yuzuru
  - path_regex: machines/koyomi/secrets\.yaml$
    key_groups:
    - pgp:
      - *simon
      - *simon-alpha
      - *simon-beta
      - *koyomi
  - path_regex: secrets\.yaml$
    key_groups:
    - pgp:
@ -117,4 +109,3 @@ creation_rules:
      - *fuuko
      - *mayushii
      - *renge
      - *koyomi
--- a/README.md
+++ b/README.md
@ -143,10 +143,3 @@ so always consult the file header and other resources as specified in the REUSE
 Please note that those licensing terms only apply to the source files in this repository,
 not any build outputs, like system or package closures.
 They might be licensed differently, depending on their source.
 If you think you have a compelling reason
 why you should be able to use part of this repository under a more permissive license,
 please contact me,
 so we can figure something out.
 Please note, that I can only offer this for files that are solely authored by me,
 as I do not own the rights to other people’s code.
--- a/flake.lock
+++ b/flake.lock
@ -26,11 +26,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1673956053,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
@ -44,11 +44,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1701680307,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
        "type": "github"
      },
      "original": {
@ -65,11 +65,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1709087332,
+        "lastModified": 1660459072,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
        "type": "github"
      },
      "original": {
@ -85,11 +85,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715381426,
+        "lastModified": 1704099619,
-        "narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
+        "narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
+        "rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851",
        "type": "github"
      },
      "original": {
@ -106,11 +106,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1716457508,
+        "lastModified": 1704100519,
-        "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
+        "narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
+        "rev": "6e91c5df192395753d8e6d55a0352109cb559790",
        "type": "github"
      },
      "original": {
@ -205,6 +205,9 @@
    "nix-pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "flake-utils": [
          "flake-utils"
        ],
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs-unstable"
@ -212,11 +215,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1716213921,
+        "lastModified": 1703939133,
-        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
+        "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
+        "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38",
        "type": "github"
      },
      "original": {
@ -228,11 +231,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1716173274,
+        "lastModified": 1704124233,
-        "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
+        "narHash": "sha256-lBHs/yUtkcGgapHRS31oOb5NqvnVrikvktGOW8rK+sE=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
+        "rev": "f752581d6723a10da7dfe843e917a3b5e4d8115a",
        "type": "github"
      },
      "original": {
@ -244,11 +247,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1716361217,
+        "lastModified": 1703992652,
-        "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
+        "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
+        "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
        "type": "github"
      },
      "original": {
@ -272,11 +275,11 @@
        "poetry2nix": "poetry2nix"
      },
      "locked": {
-        "lastModified": 1712934106,
+        "lastModified": 1704120598,
-        "narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=",
+        "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=",
        "ref": "refs/heads/master",
-        "rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8",
+        "rev": "32ef4fd545a29cdcb2613934525b97470818b42e",
-        "revCount": 66,
+        "revCount": 65,
        "type": "git",
        "url": "https://git.sbruder.de/simon/nixpkgs-overlay"
      },
@ -287,43 +290,43 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1710695816,
+        "lastModified": 1685801374,
-        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
+        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
+        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1716061101,
+        "lastModified": 1703950681,
-        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+        "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+        "rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1716330097,
+        "lastModified": 1703961334,
-        "narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
+        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
+        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
        "type": "github"
      },
      "original": {
@ -450,11 +453,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1716400300,
+        "lastModified": 1703991717,
-        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+        "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+        "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -23,6 +23,7 @@
    nixos-hardware.url = "github:nixos/nixos-hardware/master";
    nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
    nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
@ -155,11 +156,12 @@
                pkgs.writeShellScript "unlock-${hostname}" ''
                  set -exo pipefail
                  # opening luks fails if gpg-agent is not unlocked yet
-                  pass "devices/${hostname}/luks" | ssh \
+                  pass "devices/${hostname}/luks" >/dev/null
                  ssh \
                      ${lib.optionalString unlockOverV4 "-4"} \
                      -p 2222 \
                      "root@${targetHost}" \
-                      "cat > /crypt-ramfs/passphrase"
+                      "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
                '')
              self.nixosConfigurations);
--- a/keys/machines/koyomi.asc
+++ b/keys/machines/koyomi.asc
@ -1,28 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
 bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
 VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
 bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
 JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
 8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
 y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
 eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
 +VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
 KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
 1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
 AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
 /1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
 CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
 /xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
 J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
 gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
 QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
 MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
 HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
 DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
 kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
 CxhNpGhTpzl96WA2WsNP9Q==
 =slmv
 -----END PGP PUBLIC KEY BLOCK-----
--- a/keys/machines/okarin.asc
+++ b/keys/machines/okarin.asc
@ -1,28 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC
+xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg
-Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG
+Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT
-twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT
+ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG
-cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4
+jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw
-va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9
+KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1
-vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h
+NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7
-5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0
+jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr
-HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE
+YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF
-ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS
+a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD
-0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+
+uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr
-TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB
+/EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR
+AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG
-O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1
+yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR
-+B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn
+Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf
-uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C
+K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN
-3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0
+DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi
-t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4
+xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt
-fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV
+CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4
-qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt
+RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn
-uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw
+xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP
-2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT
+Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn
-TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU
+rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0
-NxR1Jvm5bnGfUcnNlzoB4Q==
+MsxjN+we2woCXG5SJGYOyA==
-=6o0h
+=UTw1
 -----END PGP PUBLIC KEY BLOCK-----
--- a/keys/users/simon.asc
+++ b/keys/users/simon.asc
@ -5,39 +5,67 @@ EKpaQ5+0H1NpbW9uIEJydWRlciA8c2ltb25Ac2JydWRlci5kZT6InAQTFgoARAIb
 AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm
 K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/
 Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE
-B0JHBLQxU2ltb24gQnJ1ZGVyIDxzaW1vbi5icnVkZXJAbWFpbGJveC50dS1kcmVz
+B0JHBIkCMwQQAQoAHRYhBEfnVZ4DejVlLbv4qo08gvnzCfjsBQJlrZp3AAoJEI08
-ZGVuLmRlPoiZBBMWCgBBFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd20CGwEF
+gvnzCfjsE2IP/RZoV3xvTi9ks5mpClnxdofGR4r2IVFw8TMQLSFfAHAtEJQ+R8fx
-CQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQsaC0pFiFoDGUqAEA
+0Yk+yoBNjt6JFKsvVVyVTZsK5cZcECSaX8E5gAYIB0+5S7TAC+DL9lDhWqhJnvOk
-vqCjV1Fti5v6XpFFX/YU3160v4GYwD1vSdNJTTFfm3kBAO3hu30ecM3rWZf0SJmC
+5nWIM6gdey6H4lmwjMQT9deWFBlHI/4+eEv65B2tlPZH7x2EbXywe5TgAmCAuXBI
-xizTcSJIOEng0z39uk75PV4MuDMEZa13mRYJKwYBBAHaRw8BAQdA1st2Ull8qExF
+7YOCebPh66n0ezJkw0SkEmz5+yMfj/vQNQxvRUpGpMEPDAUvIWEJ+Mb1XRuSZlYy
-xFBS4ZtAxCP4a0yvany8hfclRDuM2W2I9QQYFgoAJgIbAhYhBNSKGsqxzb0XAVFm
+Z8fNh0lMuvDf/GAwoFLiQM8ToprYT1vVnZ+IzEHkjYA1/nDTj1rDxiFCz+FCc+/k
-K7GgtKRYhaAxBQJlrud2BQkB4qNdAIF2IAQZFgoAHRYhBF8781AR60Ih56rcrDR/
+7fjbtbmX1rSLu90jQZx3h0JEb9t4Zd0X9aOstVnqTi9pMWWyFcUgA71+21VqbIQ
-+Gmc2gd2BQJlrXeZAAoJEDR/+Gmc2gd2WGkA/1q7AL8NUkvEOXRXOdHUhFkC2AXp
+LccjaPZ0YK75on5YaD5ZmtHAl5ZD1VIXL0vnyN/XQYa4GUiN0qVwdG9QSEEe8gu8
-V9deFHxrszMWgIxhAQD7QPihv5Cm8SPkClDMeKFnGwlMpeZNM/XYn5FqyLPrBwkQ
+jjAWClU8BroyOtWamOlQWs/RPZsg1G5Nv5KcPJbw67sWzJZYvJhytRMg9yMWM/uC
-saC0pFiFoDG2mQD8CMU8iakviZHNDspU2nZLVRp5RWBGtbeqiq2+KUYzgCEA/REV
+uSC30u/gA49YP2N32XsxwFo8LAUrqn22/WdgcR1NIhHDjzT4SWSTS/ec5lSB998e
-SAd0ks7DaVVxtHY4cn/oN76QeX3RXUAvfTsiPD0CuDgEZa13whIKKwYBBAGXVQEF
+xw+41h4hDHwZn75HYi89FytjS0Sc8C4b2GPw8eqbhKHKMlPKJah2enFXkR85AZJ1
-AQEHQCz6uVsYw1gvKcMfmofGvK8uv4t+PsL0N6jlrPtY/Qt2AwEIB4h+BBgWCgAm
+wJGGhHhUS1mZ9e5SbY5ugtYj8v3Q3RMf47pqSHsO1Z9ojWBpAYforhTEtDFTaW1v
-FiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd8ICGwwFCQPCZwAACgkQsaC0pFiF
+biBCcnVkZXIgPHNpbW9uLmJydWRlckBtYWlsYm94LnR1LWRyZXNkZW4uZGU+iJkE
-oDFfVwEA7ijxFOSx7RhdE9XqNfDk+Gl4s6ste20j0MW3J+jAKTcBALUk/F0OYJIv
+ExYKAEEWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13bQIbAQUJA8JnAAULCQgH
-E6njUIuZlz4wFKJHDpursKIJu91QjzoFuDMEZa14JhYJKwYBBAHaRw8BAQdATUqx
+AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCxoLSkWIWgMZSoAQC+oKNXUW2Lm/pe
-HSmDAt+Fs/8EN7JvsIuciptaJpLnZApQ5gu2KgeIfgQYFgoAJhYhBNSKGsqxzb0X
+kUVf9hTfXrS/gZjAPW9J00lNMV+beQEA7eG7fR5wzetZl/RImYLGLNNxIkg4SeDT
-AVFmK7GgtKRYhaAxBQJlrXgmAhsgBQkB4TOAAAoJELGgtKRYhaAxMBoBAN7lVHou
+Pf26Tvk9XgyJAjMEEAEKAB0WIQRH51WeA3o1ZS27+KqNPIL58wn47AUCZa2afQAK
-WPLuO6NNPHL8fXYG+9LFrIfVn/ztEKGwhOkhAQDcmy+3iHVaO4JPz6NJcojZzyDp
+CRCNPIL58wn47JgND/0aTHhLlT7QGE9O6RV1kS81YeiQD5UvrJcYh9/wb7plXV/R
-nn/R4uqdSVJ1qNy3Bbg4BGWteO4SCisGAQQBl1UBBQEBB0DVD2QambSi9HXWmBts
+AJ9QUxnw9SKeyyFGjwQeWIkkdJccq8ov5ekz++ErCsFlQtvhzNMa+ZRRJ5XG1m9
-FDf75LrjJa5WTn1my6SVSODaYQMBCAeIdQQYFgoAJxYhBNSKGsqxzb0XAVFmK7Gg
+dyFUKAvZ9vo5EnYOTO72l3TEel4L3V5t6qeUGdJQoVBC3cmLHJ7Vs92cTrmrQnF6
-tKRYhaAxBQJlrXjuAxsABAUJAeEzgAAAA8UBAPjW4ZDp+ITJ9z/v7aL+wLdI0CY4
+JXVgoj41iSmgnHdf8l0rsHc4/ODYDpZpOQjQj24Teb6Hj8jkjhNejGm6Ackcy6UF
-w2I+LYP/VVtUr8JHAQCRFzzkBSz2IXoMKuRvpcJRLMRPS5gTAbrDC/96eGVGBLgz
+KIX4ZDQD2k9SlxDt2LGLjF2rHar4NFYNJwgzO1tMazjTDAV1J9zx44NFaC1dm4oj
-BGWtfDQWCSsGAQQB2kcPAQEHQOtp4pbIVjjXN7J277+pm5EyzIQVD5aHpoi45J1P
+0Nz/xSYyyYyBoeqIG29qZrmWj5yIee64I+POX5REuLvf//64atEAkvODqg8ZhrXB
-NVCLiH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa18NAIbIAUJAeEz
+Jd7BTtsRpUkkzwBv/ZHYJyEwLrUKLXpyx6GejksJ4fX4ftyWAgUOkDI06WI4WnQl
-gAAKCRCxoLSkWIWgMRecAQC6fz9nPhVe1ncJyNn/c2RcZra0sEWwzwRiem7wieOU
+WzTOqIWwbub3M53F8eOGvXLUd6PD3p8ARiCFG+5cqRimmd3WZ5g0C9YWnuKRAOrT
-GgEAhEOJxdEMbNv6mw4kSdLnFmC5VCvTEeLQF7uxP37ADwq4OARlrXuTEgorBgEE
+mrquAFhAeaanp+MRihB9d0nj5Lfx3mtfLAWDHYTj+yXL7de1xJ8p2D4WekJJ9NRJ
-AZdVAQUBAQdAb2sZjRbDkcC3IhREZfUpXR5931F0csq5A6lTNSHyclcDAQgHiHUE
+f8b9d+wswth/1NV/ly64J7aiGpVzE+WcpNGl9pcsisSiXOCGJatPvrl9h6vgU+Oj
-GBYKACcWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa17kwMbAAQFCQHhM4AAAMSe
+2HhE5vf9WmvHxkUwut1Tw2cw5KoukugDZWos8AZ671QebmfnebDUsmSfhkOymbgz
-AQCwkhOqxIjsIJ5DBgybQ4HTu52y3IkCVnx+ikcef8DMowEAgA5A3aSX8x9+p34t
+BGWtd5kWCSsGAQQB2kcPAQEHQNbLdlJZfKhMRcRQUuGbQMQj+GtMr2p8vIX3JUQ7
-6ZX1dbgItWYS1a2bvqlEkvUBnwa4MwRlrX8yFgkrBgEEAdpHDwEBB0D37Ln0CHRc
+jNltiPUEGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13mQIbAgUJA8Jn
-1itQdbnpQs7fFyWqLm5UT59YI2b7pkhK/oh+BBgWCgAmFiEE1IoayrHNvRcBUWYr
+AACBCRCxoLSkWIWgMXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWt
-saC0pFiFoDEFAmWtfzICGyAFCQPCZwAACgkQsaC0pFiFoDFaJgEAmtpmq5QnshEE
+d5kACgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaA
-HDs9yBTxWAnrYfPnvyOi4KID6FbJTI0BAPNohV+XiBbQKmmKrWb5ui0BXNISPCYk
+jGEBAPtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sH8p0A/j2fQV8DVJsn
-H6R7fxacajUC
+fnyFdmEIS14LaLyBTQ411CLkOVI4l5yBAP0Xue1JzV1Spm8Ib5rbAB5l2Q39xwsZ
-=361S
+IkGsiN85Wq7cA4j1BBgWCgAmAhsCFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWu
 53YFCQHio10AgXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWtd5kA
 CgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaAjGEB
 APtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sHCRCxoLSkWIWgMbaZAPwI
 xTyJqS+Jkc0OylTadktVGnlFYEa1t6qKrb4pRjOAIQD9ERVIB3SSzsNpVXG0djhy
 f+g3vpB5fdFdQC99OyI8PQK4OARlrXfCEgorBgEEAZdVAQUBAQdALPq5WxjDWC8p
 wx+ah8a8ry6/i34+wvQ3qOWs+1j9C3YDAQgHiH4EGBYKACYWIQTUihrKsc29FwFR
 ZiuxoLSkWIWgMQUCZa13wgIbDAUJA8JnAAAKCRCxoLSkWIWgMV9XAQDuKPEU5LHt
 GF0T1eo18OT4aXizqy17bSPQxbcn6MApNwEAtST8XQ5gki8TqeNQi5mXPjAUokcO
 m6uwogm73VCPOgW4MwRlrXgmFgkrBgEEAdpHDwEBB0BNSrEdKYMC34Wz/wQ3sm+w
 i5yKm1omkudkClDmC7YqB4h+BBgWCgAmFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEF
 AmWteCYCGyAFCQHhM4AACgkQsaC0pFiFoDEwGgEA3uVUei5Y8u47o008cvx9dgb7
 0sWsh9Wf/O0QobCE6SEBANybL7eIdVo7gk/Po0lyiNnPIOmef9Hi6p1JUnWo3LcF
 uDgEZa147hIKKwYBBAGXVQEFAQEHQNUPZBqZtKL0ddaYG2wUN/vkuuMlrlZOfWbL
 pJVI4NphAwEIB4h1BBgWCgAnFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWteO4D
 GwAEBQkB4TOAAAADxQEA+NbhkOn4hMn3P+/tov7At0jQJjjDYj4tg/9VW1SvwkcB
 AJEXPOQFLPYhegwq5G+lwlEsxE9LmBMBusML/3p4ZUYEuDMEZa18NBYJKwYBBAHa
 Rw8BAQdA62nilshWONc3snbvv6mbkTLMhBUPloemiLjknU81UIuIfgQYFgoAJhYh
 BNSKGsqxzb0XAVFmK7GgtKRYhaAxBQJlrXw0AhsgBQkB4TOAAAoJELGgtKRYhaAx
 F5wBALp/P2c+FV7WdwnI2f9zZFxmtrSwRbDPBGJ6bvCJ45QaAQCEQ4nF0Qxs2/qb
 DiRJ0ucWYLlUK9MR4tAXu7E/fsAPCrg4BGWte5MSCisGAQQBl1UBBQEBB0BvaxmN
 FsORwLciFERl9SldHn3fUXRyyrkDqVM1IfJyVwMBCAeIdQQYFgoAJxYhBNSKGsqx
 zb0XAVFmK7GgtKRYhaAxBQJlrXuTAxsABAUJAeEzgAAAxJ4BALCSE6rEiOwgnkMG
 DJtDgdO7nbLciQJWfH6KRx5/wMyjAQCADkDdpJfzH36nfi3plfV1uAi1ZhLVrZu+
 qUSS9QGfBrgzBGWtfzIWCSsGAQQB2kcPAQEHQPfsufQIdFzWK1B1uelCzt8XJaou
 blRPn1gjZvumSEr+iH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa1/
 MgIbIAUJA8JnAAAKCRCxoLSkWIWgMVomAQCa2marlCeyEQQcOz3IFPFYCeth8+e/
 I6LgogPoVslMjQEA82iFX5eIFtAqaYqtZvm6LQFc0hI8JiQfpHt/FpxqNQI=
 =1z2B
 -----END PGP PUBLIC KEY BLOCK-----
--- a/machines/catering/configuration.nix
+++ b/machines/catering/configuration.nix
@ -0,0 +1,123 @@
 # SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, pkgs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../modules
  ];
  sbruder = {
    nginx.hardening.enable = true;
    full = false;
  };
  networking.hostName = "catering";
  system.stateVersion = "23.05";
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "catering.salespointframework.org" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/" = {
            proxyPass = "http://localhost:8080";
            extraConfig = ''
              sub_filter '</script>' '</script><script src="/dev.js"></script>';
              sub_filter_once on;
            '';
          };
          "= /dev.js".alias = pkgs.writeText "dev.js" ''
            addEventListener("load", event => {
              document.querySelector("footer").appendChild((() => {
                let el = document.createElement("p")
                el.classList.add("text-center", "fw-bold")
                el.innerText = "Alle Angebot sind fiktiv!"
                return el
              })())
              if (localStorage.getItem("devAck") !== "true") {
                if (confirm("Alle hier präsentierten Angebote sind fiktiv, es können keine rechtsverbindlichen Verträge geschlossen werden. Mit dem Fortfahren bestätigen Sie, dies verstanden zu haben.")) {
                  localStorage.setItem("devAck", "true")
                } else {
                  location = "about:blank"
                }
              }
            })
          '';
        };
      };
      "www.mampf.shop" = {
        forceSSL = true;
        enableACME = true;
        globalRedirect = "catering.salespointframework.org";
      };
      "mampf.shop" = {
        forceSSL = true;
        enableACME = true;
        globalRedirect = "catering.salespointframework.org";
      };
      "presi.catering.salespointframework.org" = {
        enableACME = true;
        forceSSL = true;
        root = "/var/www/presi.catering.salespointframework.org";
        locations."/".tryFiles = "/main.pdf =404";
      };
    };
  };
  systemd.tmpfiles.rules = [
    "d /var/www/presi.catering.salespointframework.org 0755 catering catering - -"
  ];
  users.users.catering = {
    isSystemUser = true;
    group = "catering";
    useDefaultShell = true;
    home = "/var/lib/catering";
    createHome = true;
    openssh.authorizedKeys.keys = config.sbruder.pubkeys.trustedKeys;
  };
  users.groups.catering = { };
  sbruder.static-webserver.vhosts = {
    "salespointframework.org" = {
      redirects = [ "www.salespointframework.org" "salespointframe.work" "www.salespointframe.work" ];
      user = {
        name = "salespoint";
        keys = config.sbruder.pubkeys.trustedKeys;
      };
    };
    "verkaufspunktrahmenwerk.de" = {
      redirects = [ "www.verkaufspunktrahmenwerk.de" "verkaufspuntrahmenwerk.de" "www.verkaufspuntrahmenwerk.de" ];
      user = {
        name = "verkaufspunkt";
        keys = config.sbruder.pubkeys.trustedKeys;
      };
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
 }
--- a/machines/catering/hardware-configuration.nix
+++ b/machines/catering/hardware-configuration.nix
@ -0,0 +1,54 @@
 # SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  sbruder.machine.isVm = true;
  boot = {
    initrd = {
      availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ];
    };
    loader = {
      grub.enable = false;
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/c39bdb61-2e4c-464b-8c4c-bb6bb7f342a2";
      fsType = "btrfs";
      options = [ "compress=zstd" ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/D976-BBAF";
      fsType = "vfat";
    };
  };
  networking.useDHCP = false;
  networking.usePredictableInterfaceNames = false;
  systemd.network = {
    enable = true;
    networks = {
      eth0 = {
        name = "eth0";
        DHCP = "yes";
        domains = [ "salespointframework.org" ];
        address = [ "2a01:4f9:c011:9c01::1/64" ];
        gateway = [ "fe80::1" ];
      };
    };
  };
  # no smart on qemu disk
  services.smartd.enable = false;
 }
--- a/machines/default.nix
+++ b/machines/default.nix
@ -23,9 +23,6 @@ in
  };
  vueko = {
    system = "aarch64-linux";
    extraModules = [
      "${inputs.infinisilSystem}/config/new-modules/murmur.nix"
    ];
    targetHost = "vueko.sbruder.de";
  };
@ -49,6 +46,9 @@ in
  };
  renge = {
    system = "aarch64-linux";
    extraModules = [
      "${inputs.infinisilSystem}/config/new-modules/murmur.nix"
    ];
    targetHost = "renge.sbruder.de";
  };
@ -76,13 +76,9 @@ in
    targetHost = "yuzuru.sbruder.de";
  };
-  koyomi = {
+  catering = {
-    system = "x86_64-linux";
+    system = "aarch64-linux";
    extraModules = [
      hardware.common-cpu-intel
      hardware.common-pc-ssd
    ];
-    targetHost = "koyomi.sbruder.de";
+    targetHost = "catering.salespointframework.org";
  };
 }
--- a/machines/fuuko/hardware-configuration.nix
+++ b/machines/fuuko/hardware-configuration.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -92,8 +92,6 @@
    }
  ];
  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/sda" "/dev/sdb" "/dev/sdc" ];
  powerManagement.cpuFreqGovernor = "schedutil";
  networking = {
--- a/machines/hitagi/hardware-configuration.nix
+++ b/machines/hitagi/hardware-configuration.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -55,8 +55,6 @@
    { device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; }
  ];
  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
  # GPU
  hardware.opengl = {
    package = pkgs.mesa.drivers;
--- a/machines/koyomi/README.md
+++ b/machines/koyomi/README.md
@ -1,37 +0,0 @@
 <!--
 SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
 # koyomi
 ## Hardware
 System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
 - Motherboard: FUJITSU D3401-H1
 - CPU: Intel Core i7-6700
 - RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
 - SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
 ## Setup
 As it is a physical server (not a VM) in a remote location,
 extra care must be taken when installing.
 Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
 and a rescue system that can be activated before a reboot.
 Additionally, there is also a *vKVM* rescue system,
 that boots a hypervisor from the network and runs a VM which boots from the physical disks.
 The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
 Ideally, everything goes well and the next reboot works,
 but in the case it does not, the vKVM rescue system can be used for debugging.
 ## Purpose
 Hypervisor. Exact scope is to be determined.
 ## Name
 Araragi Koyomi is a student from the *Monogatari Series*.
--- a/machines/koyomi/configuration.nix
+++ b/machines/koyomi/configuration.nix
@ -1,23 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, lib, pkgs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../modules
    ./services/hypervisor.nix
  ];
  sbruder = {
    wireguard.home.enable = true;
    podman.enable = true;
  };
  networking.hostName = "koyomi";
  system.stateVersion = "23.11";
 }
--- a/machines/koyomi/hardware-configuration.nix
+++ b/machines/koyomi/hardware-configuration.nix
@ -1,74 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { modulesPath, pkgs, ... }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot = {
    swraid.enable = true;
    kernelModules = [ "kvm-intel" ];
    kernelParams = [ "ip=dhcp" ];
    loader = {
      grub = {
        devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
      };
    };
    initrd = {
      availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
      kernelModules = [ "dm-snapshot" ];
      network.enable = true; # remote unlocking
      luks.devices = {
        koyomi-pv = {
          name = "koyomi-pv";
          device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
          preLVM = true;
          allowDiscards = true;
        };
      };
      # FIXME XXX HACK
      # This is required to have the md device available under /dev/disk/by-uuid.
      # Both commands are run as part of the regular stage-1 init script,
      # but for some reason, they need to be run twice.
      preLVMCommands = ''
        udevadm trigger
        udevadm settle
      '';
    };
  };
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
      fsType = "btrfs";
      options = [ "discard=async" "noatime" "compress=zstd" ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/12CE-A600";
      fsType = "vfat";
    };
  };
  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
  networking.useDHCP = false;
  networking.usePredictableInterfaceNames = false;
  systemd.network = {
    enable = true;
    networks = {
      eth0 = {
        name = "eth0";
        DHCP = "yes";
        domains = [ "sbruder.de" ];
        address = [ "2a01:4f8:151:712d::1/64" ];
        gateway = [ "fe80::1" ];
      };
    };
  };
 }
--- a/machines/koyomi/secrets.yaml
+++ b/machines/koyomi/secrets.yaml
@ -1,72 +0,0 @@
 wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2024-05-11T21:49:03Z"
    mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
    pgp:
        - created_at: "2024-05-11T21:48:51Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
            qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
            hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
            in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
            hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
            dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
            1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
            TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
            iXDXWxIe5PY=
            =zp+l
            -----END PGP MESSAGE-----
          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
        - created_at: "2024-05-11T21:48:51Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
            WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
            1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
            dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
            8GoFUoOn6tE=
            =A7C7
            -----END PGP MESSAGE-----
          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
        - created_at: "2024-05-11T21:48:51Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
            pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
            1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
            rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
            K0oWZqedIzU=
            =Z8wz
            -----END PGP MESSAGE-----
          fp: 403215E0F99D2582C7055C512C77841620B8F380
        - created_at: "2024-05-11T21:48:51Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
            exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
            UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
            ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
            uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
            OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
            OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
            cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
            Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
            gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
            HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
            VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
            +Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
            =bvPZ
            -----END PGP MESSAGE-----
          fp: a53d4ca8d2cf54613822c81d660e69babee42643
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/machines/koyomi/services/hypervisor.nix
+++ b/machines/koyomi/services/hypervisor.nix
@ -1,133 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { lib, pkgs, ... }:
 let
  guests = {
    forgejo-actions-runner = {
      mac = "42:80:00:00:00:02";
      v4 = "10.80.32.2";
      v6 = "2a01:4f8:151:712d:1::2";
    };
  };
  # port forwarding for IPv4
  portForwards = {
    tcp = { };
    udp = { };
  };
 in
 {
  virtualisation.libvirtd = {
    enable = true;
    qemu.package = pkgs.qemu_kvm;
  };
  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = true;
  };
  systemd.network = {
    enable = true;
    netdevs = {
      br-virt = {
        netdevConfig = {
          Name = "br-virt";
          Kind = "bridge";
        };
      };
    };
    networks = {
      br-virt = {
        name = "br-virt";
        address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
      };
    };
  };
  services.resolved.enable = false;
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = [ "br-virt" ];
      bind-interfaces = true; # do not bind to the wildcard interface
      bogus-priv = true; # do not forward revese lookups of internal addresses
      dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
      domain-needed = true; # do not forward names without domain
      no-hosts = true; # do not resolve hosts from /etc/hosts
      no-resolv = true; # only use explicitly configured resolvers
      domain = [ "sbruder.de" ];
      enable-ra = true; # required to tell clients to use DHCPv6
      # Force static configuration
      dhcp-range = [
        "10.80.32.0,static,255.255.255.0"
        "2a01:4f8:151:712d:1::,static,80"
      ];
      dhcp-host = lib.flatten (lib.mapAttrsToList
        (name: { mac, v4, v6 }: [
          "${mac},${v4},${name}"
          "${mac},[${v6}],${name}"
        ])
        guests);
      # Hetzner recursive name servers
      # https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
      server = [
        "185.12.64.1"
        "185.12.64.2"
        "2a01:4ff:ff00::add:1"
        "2a01:4ff:ff00::add:2"
      ];
    };
  };
  networking.firewall = {
    allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
    allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
    interfaces.br-virt = {
      allowedTCPPorts = [ 53 ]; # EDNS
      allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
    };
  };
  networking.nftables = {
    enable = true;
    ruleset = ''
      # only IPv4
      table ip hypervisor-nat {
        chain postrouting {
          type nat hook postrouting priority filter; policy accept
          oifname eth0 masquerade
        }
        chain prerouting {
          type nat hook prerouting priority dstnat; policy accept
          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
            iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
          '') portForwards.tcp)}
          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
            iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
          '') portForwards.udp)}
        }
      }
      table inet hypervisor-filter {
        chain forward {
          type filter hook forward priority filter; policy drop
          iifname br-virt oifname eth0 counter accept
          iifname eth0 oifname br-virt counter accept
        }
      }
    '';
  };
 }
--- a/machines/mayushii/configuration.nix
+++ b/machines/mayushii/configuration.nix
@ -19,7 +19,6 @@
    gui.enable = true;
    media-proxy.enable = true;
    mullvad.enable = true;
    podman.enable = true;
    restic.system = {
      enable = true;
      qos = true;
--- a/machines/mayushii/hardware-configuration.nix
+++ b/machines/mayushii/hardware-configuration.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -45,8 +45,6 @@
    };
  };
  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" ];
  powerManagement = {
    cpuFreqGovernor = "schedutil";
  };
--- a/machines/okarin/README.md
+++ b/machines/okarin/README.md
@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0
 ## Hardware
-[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).
+[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD).
 ## Purpose
@ -22,50 +22,32 @@ Okabe Rintaro is a mad scientist from *Steins;Gate*
 Much like the namesake,
 this server requires a “mad scientist” approach to set up.
 However, it is much easier than setting up its predecessor,
 which had just above 400 MiB usable memory.
 Ionos does not offer any NixOS installation media.
-I could only choose between various installation media and rescue systems.
+I could only choose between a Debian installation media, Knoppix and GParted.
-Also, installing NixOS with a low amount of memory is problematic.
+Also, installing with a very low amount of memory is quite hard.
 I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
 On there, I installed NixOS.
-Because encryption with `argon2id` as PBKDF is quite memory intensive,
+Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
-I had to tune the parameters to ensure decryption was still possible on the target.
+What I settled on was
-This can be done quite easily by interactively running the following command on the build VM:
+`cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
-    cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
+To make btrfs use its SSD optimizations,
 I had to force the kernel to see the device as non-rotational:
 `echo 0 > /sys/block/dm-0/queue/rotational`
-The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.
+Another problem was the usage of VMware by Ionos.
-
+The VM I set this up with was obviously using KVM/QEMU,
-However, since those parameters are not ideal,
+so it needed different kernel modules at boot.
-the following should later be run on the target host itself:
+What worked was setting it up in the local VM with both libvirt and vmware modules,
-
+and then removing the libvirt modules once it was installed on the target.
    cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
 This will determine the memory usage automatically,
 use one thread
 and set the parameters so that decryption takes 10 seconds (10000 ms).
 The memory usage will not be as high as it could,
 but it will be better.
 Getting the disk image onto the server was done
 by first `rsync`ing the image to another server (to allow for incremental iterations),
 which then provided it via HTTP.
-Using the Debian installation media in rescue mode
+Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui),
-(as for some reason most other options tried to cache the file in memory and became very slow)
+it was possible to just `curl http://server/okarin.img > /dev/sda`.
 it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
 Because of all the pitfalls of this,
 you probably need more than one try.
 To make debugging easier on the target, the following option can be set:
 ```nix
 { pkgs, ... }:
 {
  boot.initrd.preLVMCommands = ''
    ${pkgs.bashInteractive}/bin/bash
  '';
 }
 ```
--- a/machines/okarin/configuration.nix
+++ b/machines/okarin/configuration.nix
@ -9,6 +9,7 @@
    ./hardware-configuration.nix
    ../../modules
    ./services/static-sites.nix
    ./services/proxy.nix
  ];
@ -21,7 +22,7 @@
  networking.hostName = "okarin";
-  system.stateVersion = "23.11";
+  system.stateVersion = "22.11";
  networking.firewall.allowedTCPPorts = [
    80
--- a/machines/okarin/hardware-configuration.nix
+++ b/machines/okarin/hardware-configuration.nix
@ -5,10 +5,6 @@
 { lib, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  sbruder.machine.isVm = true;
  boot = {
@ -16,34 +12,41 @@
    extraModulePackages = [ ];
    kernelParams = [ "ip=dhcp" ];
    initrd = {
-      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ];
-      kernelModules = [ ];
+      kernelModules = [ "dm-snapshot" "vmw_balloon" ];
      network = {
        enable = true; # remote unlocking
        # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
        # this works around this, but is arguably quite hacky
        postCommands = ''
-          ip route add 85.215.165.1 dev eth0
+          ip route add 10.255.255.1 dev eth0
-          ip route add default via 85.215.165.1 dev eth0
+          ip route add default via 10.255.255.1 dev eth0
        '';
      };
-      luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
+      luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267";
    };
-    loader.grub.device = "/dev/vda";
+    loader.grub.device = "/dev/sda";
  };
  fileSystems = {
    "/" = {
-      device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
+      device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41";
      fsType = "btrfs";
-      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+      options = [ "compress=zstd" "discard" "noatime" ];
    };
    "/boot" = {
-      device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
+      device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518";
      fsType = "ext2";
    };
  };
  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079";
      randomEncryption.enable = true;
    }
  ];
  zramSwap = {
    enable = true;
    memoryPercent = 150;
@ -60,6 +63,11 @@
        name = "eth0";
        DHCP = "yes";
        domains = [ "sbruder.de" ];
        address = [ "2001:8d8:1800:8627::1/64" ];
        gateway = [ "fe80::1" ];
        networkConfig = {
          IPv6AcceptRA = "no";
        };
      };
    };
  };
--- a/machines/okarin/secrets.yaml
+++ b/machines/okarin/secrets.yaml
@ -1,80 +1,80 @@
-wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str]
+wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-12-25T22:06:33Z"
+    lastmodified: "2023-05-06T08:49:32Z"
-    mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str]
+    mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str]
    pgp:
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw
+            hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw
-            ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA
+            faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6
-            hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw
+            hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w
-            +ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB
+            aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1
-            hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw
+            hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w
-            I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/
+            RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0
-            1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf
+            1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE
-            1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/
+            zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2
-            hRlLbnUDE1Q=
+            PWZwSFBCZEg=
-            =ol1Y
+            =r7sK
            -----END PGP MESSAGE-----
          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw
+            hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw
-            VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU
+            zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709
-            hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow
+            hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw
-            rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1
+            f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz
-            hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw
+            hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw
-            xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV
+            Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI
-            1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG
+            1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/
-            Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk
+            aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V
-            G+tyNMgCYhM=
+            B8h2L/JR7Yo=
-            =2QnY
+            =/wMt
            -----END PGP MESSAGE-----
          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw
+            hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww
-            SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo
+            uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc
-            hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww
+            hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw
-            wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8
+            zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP
-            hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw
+            hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw
-            3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc
+            mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817
-            1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh
+            1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL
-            AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H
+            8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S
-            VOK1Bc67BzU=
+            Gzwk8dC0wdc=
-            =3z3V
+            =BWUr
            -----END PGP MESSAGE-----
          fp: 403215E0F99D2582C7055C512C77841620B8F380
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v
+            hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B
-            z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo
+            lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp
-            w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO
+            jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0
-            DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n
+            ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq
-            7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e
+            tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ
-            7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN
+            T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb
-            Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt
+            YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2
-            4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b
+            qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T
-            5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl
+            nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R
-            auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3
+            LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al
-            pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS
+            a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS
-            VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R
+            VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd
-            da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB
+            QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6
-            =F0pC
+            =sy/X
            -----END PGP MESSAGE-----
-          fp: e7370b48016c961ef8ad792fda66b19d845b3156
+          fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3
--- a/machines/okarin/services/proxy.nix
+++ b/machines/okarin/services/proxy.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -6,7 +6,9 @@
 let
  proxyMap = {
    "sbruder.xyz" = "renge";
    "nitter.sbruder.xyz" = "renge";
    "iv.sbruder.xyz" = "renge";
    "libreddit.sbruder.xyz" = "renge";
  };
 in
 {
--- a/machines/okarin/services/static-sites.nix
+++ b/machines/okarin/services/static-sites.nix
@ -0,0 +1,20 @@
 # SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, ... }:
 {
  sbruder.static-webserver.vhosts = {
    "maggus.bayern".user = {
      name = "maggus";
      keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
      ] ++ config.sbruder.pubkeys.trustedKeys;
    };
    "arbeitskampf.work".user = {
      name = "arbeitskampf";
    };
  };
 }
--- a/machines/renge/configuration.nix
+++ b/machines/renge/configuration.nix
@ -17,8 +17,8 @@
    ./services/grafana.nix
    ./services/hedgedoc.nix
    ./services/invidious
    ./services/mastodon.nix
    ./services/matrix
    ./services/murmur.nix
    ./services/password-hash-self-service.nix
    ./services/prometheus.nix
    ./services/sbruder.xyz
@ -33,9 +33,6 @@
    };
    wireguard.home.enable = true;
    infovhost.enable = true;
    wkd = {
      enable = true;
    };
  };
  networking.hostName = "renge";
--- a/machines/renge/secrets.yaml
+++ b/machines/renge/secrets.yaml
@ -2,7 +2,7 @@ forgejo-mail: ENC[AES256_GCM,data:3AlFHzVBA5TE4qv5ubG39K0varV8/HabO0q/RJZSD5o=,i
 go-neb-overrides: ENC[AES256_GCM,data:1xy+SdsSTuerRox4skitg1mKLr1MoANFoCzz76TKSA31ORo/oUWVGrYxfusZxrFQWjYGRFpSYzmkzPn1RoWmbXyfwPEcisvjenXLNvwcyoontBd7TiiLdukEtya6RfGLRGKc8tfCzbDUWgiYz5IDMFBvKGnewFjB+au0/Ge2+2DTw6M4negjCz343TO/vbyTr5xT/5smmKz7Ouk9SbEo7yEuHkQPQfedGw2PYT82zdXd/Eje3Zq2EB4xcUU7beGrF1zkOdXQ4OVqB8XnkCnuLtNlnJtsffm0rbPDPD3/nhHKpJ8jXrN54V14dSnHW7yOifGMIus0VFMRZcIT7A+BroM9qzJhW3F4gsF1Bwp0CF+6zLLRjgpA0EOyvOwpLIftBZfMIpveAH62MVY0IBfwDdkI1itEOjj9EhTrOGxBx45Cj6Qk3Mk6ncyr15+E+KAmQRxZJrEW8Grk4PyzuxtxYd0n8LSaRUe1eNVUhHkQNpo/zvAPgrzcRnM91EwIoMvlNmwyC63j1h+OBKlXQgChAaB1O6HFXQY=,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
 hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
 invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
-mastodon-mail: ENC[AES256_GCM,data:RT/fS7cqbcePd2qe7CR5jRh2jtKaS81ICbMUOlPUQsY=,iv:C7GYMB0U2KIfXuEnYaoIEfV89/EnJS6V9iG97X8zkPk=,tag:L4SVe6aYGcarvX1hmMqQOw==,type:str]
+murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
 netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
 prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
 restic-ssh-key: ENC[AES256_GCM,data:9quBzUwv4qylVzESG94wSgzvuodSDM/smPh0j+LYJjXwEN1xksBIW2/Jv0XmF3Q+AWUF/C/lA2jteI3Mf6Pmn7zlqa3H7GwH8Os6/arQI3ywH2dHQLAFxgST2J0AlLGeZcJbntxW0buYw+Rz3q5Jbo+Wo9tQo+2EVvqX320qWBsEwinnahbUhZym3fipyE9g6JxGa3OFGiIn6JAQhst63WgpOfehQsAYu2bdW1gLrgFtURzDQQRQ28RxeD+nMUWRpQcq5GrX2rfSA7sengfQbmP3Ln1atp1YXctTalHsj+n4photBqLz6OfLaFKBqbdKRbinUgVAEarAocEOKk/qf1C6LS8yKjV9Mh/tKeCJQrCI/AccEP5DfMNqdRaWjoQxvjBRKaupPE7Rcuja++K/jm24nP9J8WDcrRSm0tlrVq2JnPHxJv+eUsZoGkvpyOs9AkTG1H2BCckYS5ZG4atjKoBfUvc3CitPNmPZcjSkPrkdRMZbu1BWR+cixFH9rFAUvVIn+e7sWGnqMA8xGXZS,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
@ -16,8 +16,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2024-06-01T12:03:17Z"
+    lastmodified: "2024-01-10T18:29:17Z"
-    mac: ENC[AES256_GCM,data:6fJfEtnHSQV7oGZ7HMrXYH1lX8ZzfTChOZC25scDP/q5FH8QZ52OntRuQ8DbR+AKUPN/w6o4EotZVxX53Q2Xxi6QdHSqo07GDsWUnIOb5eCNGmEB3c2w20DJv2smTnEr7d6051aPzEUO0ZxUPxxlqcifC6dsdpdxySyG/VY9OQQ=,iv:KAWFRoOQKRd2tf58QYGD8SnHJk1aLwBxgkcRkPgjuN8=,tag:LJFOJuFblp53Te9zoYKq0Q==,type:str]
+    mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
    pgp:
        - created_at: "2024-01-22T00:20:10Z"
          enc: |-
--- a/machines/renge/services/mastodon.nix
+++ b/machines/renge/services/mastodon.nix
@ -1,32 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, lib, ... }:
 {
  sops.secrets.mastodon-mail = {
    owner = config.services.mastodon.user;
    sopsFile = ../secrets.yaml;
  };
  services.mastodon = {
    enable = true;
    configureNginx = true;
    localDomain = "procrastination.space";
    smtp = {
      createLocally = false;
      host = "vueko.sbruder.de";
      port = 465;
      user = "mastodon@sbruder.de";
      passwordFile = config.sops.secrets.mastodon-mail.path;
      fromAddress = config.services.mastodon.smtp.user;
      authenticate = true;
    };
    streamingProcesses = 5;
    extraConfig = {
      SMTP_TLS = "true";
      RAILS_LOG_LEVEL = "warn";
    };
  };
 }
--- a/machines/renge/services/murmur.nix
+++ b/machines/renge/services/murmur.nix
--- a/machines/renge/services/prometheus.nix
+++ b/machines/renge/services/prometheus.nix
@ -75,7 +75,6 @@ in
          "shinobu.vpn.sbruder.de:9100"
          "nazuna.vpn.sbruder.de:9100"
          "yuzuru.vpn.sbruder.de:9100"
          "koyomi.vpn.sbruder.de:9100"
        ];
        relabel_configs = lib.singleton {
          target_label = "instance";
@ -83,22 +82,6 @@ in
          regex = "(.*)\\.vpn\\.sbruder\\.de:9100";
        };
      }
      {
        job_name = "smartctl";
        static_configs = mkStaticTargets [
          "fuuko.vpn.sbruder.de:9633"
          "mayushii.vpn.sbruder.de:9633"
          "nunotaba.vpn.sbruder.de:9633"
          "hitagi.vpn.sbruder.de:9633"
          "shinobu.vpn.sbruder.de:9633"
          "koyomi.vpn.sbruder.de:9633"
        ];
        relabel_configs = lib.singleton {
          target_label = "instance";
          source_labels = lib.singleton "__address__";
          regex = "(.*)\\.vpn\\.sbruder\\.de:9633";
        };
      }
      {
        job_name = "qbittorrent";
        static_configs = mkStaticTargets [
@ -153,10 +136,8 @@ in
      {
        job_name = "knot";
        static_configs = mkStaticTargets [
          "vueko.vpn.sbruder.de:9433"
          "renge.vpn.sbruder.de:9433"
          "okarin.vpn.sbruder.de:9433"
-          "yuzuru.vpn.sbruder.de:9433"
+          "vueko.vpn.sbruder.de:9433"
        ];
        relabel_configs = lib.singleton {
          target_label = "instance";
--- a/machines/renge/services/sbruder.xyz/default.nix
+++ b/machines/renge/services/sbruder.xyz/default.nix
@ -3,7 +3,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, pkgs, ... }:
-
+let
  goneVhost = {
    locations."~ .*".return = "303 'https://sbruder.xyz/#history'";
  };
 in
 {
  imports = [
    ./blocks.nix
@ -54,4 +58,7 @@
      };
    };
  };
  services.nginx.virtualHosts."nitter.sbruder.xyz" = goneVhost;
  services.nginx.virtualHosts."libreddit.sbruder.xyz" = goneVhost;
 }
--- a/machines/shinobu/configuration.nix
+++ b/machines/shinobu/configuration.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -9,7 +9,6 @@
    ../../modules
    ./services/co2_exporter.nix
    ./services/ntp.nix
    ./services/router
    ./services/snmp-exporter.nix
    ./services/wordclock-dimmer.nix
--- a/machines/shinobu/services/ntp.nix
+++ b/machines/shinobu/services/ntp.nix
@ -1,11 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 {
  services.ntp = {
    enable = true;
  };
  networking.firewall.allowedUDPPorts = [ 123 ];
 }
--- a/machines/shinobu/services/router/dnsmasq.nix
+++ b/machines/shinobu/services/router/dnsmasq.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -41,16 +41,16 @@ in
        cfg.vlan);
      dhcp-option = lib.flatten (lib.mapAttrsToList
        (name: { subnet, ... }: [
          # Gateway
          "tag:br-${name},option:router,${subnet.v4.gateway}"
          "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
          # NTP server (runs on gateway)
          "tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
          "tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
        ])
        cfg.vlan);
      nftset = [
        "/pool.ntp.org/4#inet#filter#iot_ntp4"
        "/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
      ];
      server = [
        "127.0.0.1#5053"
      ];
--- a/machines/shinobu/services/router/rules.nft
+++ b/machines/shinobu/services/router/rules.nft
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -7,6 +7,16 @@ define PHYSICAL_WAN = "enp1s0"
 define NAT_WAN_IFACES = { $PHYSICAL_WAN }
 table inet filter {
 	# These two sets are dynamically managed by dnsmasq
 	set iot_ntp4 {
 		type ipv4_addr
 		comment "IPv4 addresses of resolved NTP servers"
 	}
 	set iot_ntp6 {
 		type ipv6_addr
 		comment "IPv6 addresses of resolved NTP servers"
 	}
 	chain forward {
 		type filter hook forward priority filter; policy drop
@ -21,6 +31,8 @@ table inet filter {
 		iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
 		iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
 		iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
 		iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
 		iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
 	}
 }
--- a/machines/vueko/configuration.nix
+++ b/machines/vueko/configuration.nix
@ -11,7 +11,6 @@
    ./services/fuuko-proxy.nix # FIXME!
    ./services/media.nix
    ./services/murmur.nix
    ./services/restic.nix
  ];
--- a/machines/vueko/secrets.yaml
+++ b/machines/vueko/secrets.yaml
@ -1,5 +1,4 @@
 media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str]
 murmur-superuser: ENC[AES256_GCM,data:D7EjnKZGSmx8ykVeKqSIAdV4Vql7ZkfEUw==,iv:I8SgiZrlCpyqNeBMJlzttFUJFGqQp5vHu6pMUz/0LoE=,tag:G6QMUh3v2QjxtoXUSoRqcA==,type:str]
 restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str]
 restic-rclone-ssh-key: ENC[AES256_GCM,data:fefY4sVBp786LeUNdLA1CZ83YGZsxP9yvoIx647fVM47jGBfJWcU8PDwbPGfp4ae5aKnuRi/+OpRQHQIuBWa8XH8mWQ0YLs3JzKavmtNqf8mh9hyiEGLSYBbokEkgSPFBxH8CuhNbzrou0cCO7ACXkXnq4Cf0jjkYR2StjsISiJ11nEnle0tchHMFPSho0W7Ph8UZvT6x1naJjBqMrZKepLMCrT4oM3gqgA3R0cvCxQyIY5BHweopDXxuZDVlIiYjG61qt6OKL7O+lt/Kfvd38i6L1CAsloFVQOv4pQwz5b/jNjH+Kg8+tbbksXz2Dm5PU7HBXyav48MqriTqVCeWpmEsbo9j/zEravtNaC/gvpc7v4H/3lqhyY181g2Fxzu3YCjheSwjhtSuLCtXCD4UdW5Ctkb5TDZrMY+NAQdeXqgCawYggN05x6s+UdSitXXHLBjvyIV5ES/7p43zjWDnddAsFQEgILffQRobA9y8VZ+Igj7wo+HJLdNnmJtcqL/j6CM4MOT4hvj1CLhhBdr,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str]
 rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str]
@ -11,8 +10,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2024-06-01T12:03:28Z"
+    lastmodified: "2023-04-29T10:17:21Z"
-    mac: ENC[AES256_GCM,data:KFlisFD6k06XqF6SoQTaMNFpIPYtOgHDFArQueGBcTgjfxzdaxA8AVH1ZBeyFeEFlf4EFfduYcfnqAaGWScOvVW+jVhN/InsNkGf7alPyJ2ifzUD9yhe2/gcOF+eZqPvbTfXsdyfyqkbK7kkRyoYC61T3KPnPzTWqDk/3Chm4k8=,iv:lUbhG5/o5iepukcXHs2FYfue04EJdAbfhX1N0e1C9eA=,tag:EvPEDPoRiLXzbWeHAjTMoQ==,type:str]
+    mac: ENC[AES256_GCM,data:UfLbX+4uDg9Kp8v9lnq9RktT4ltpJYwOHBBPRhO79a1AmLXkp6GilaoMJYjkj0foL92vTUK10wIw547omySwJeY52pTGAvw1IXVaxNp395KLlMPl3EwLS3xj4c0bhzcVEyFl/fxG2gk6BJOzvQXaMYo4COEzDdK6ZDGZKZVKEAM=,iv:mR9Nq+s7wHeZdP6/gW9+zJd/wa1Y4Q5saACwnMOFOZQ=,tag:yYYF8/mKnbxzmPa6nWIGbA==,type:str]
    pgp:
        - created_at: "2024-01-22T00:20:08Z"
          enc: |-
@ -83,4 +82,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 4EA330328CD0D3076E90960194DFA4953D8729DE
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3
--- a/machines/vueko/secrets/mail-users.nix
+++ b/machines/vueko/secrets/mail-users.nix
--- a/machines/yuzuru/services/static-sites.nix
+++ b/machines/yuzuru/services/static-sites.nix
@ -1,9 +1,7 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, ... }:
 {
  services.nginx.virtualHosts = {
    "brennende.autos" = {
@ -21,34 +19,9 @@
  };
  sbruder.static-webserver.vhosts = {
    "arbeitskampf.work".user = {
      name = "arbeitskampf";
    };
    "maggus.bayern".user = {
      name = "maggus";
      keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
      ] ++ config.sbruder.pubkeys.trustedKeys;
    };
    "psycho-power-papagei.de" = {
      user.name = "papagei";
      imprint.enable = true;
    };
    "salespointframework.org" = {
      redirects = [
        "www.salespointframework.org"
        "salespointframe.work"
        "www.salespointframe.work"
        "verkaufspunktrahmenwerk.de"
        "www.verkaufspunktrahmenwerk.de"
        "verkaufspuntrahmenwerk.de"
        "www.verkaufspuntrahmenwerk.de"
      ];
      user.name = "salespoint";
    };
  };
 }
--- a/modules/authoritative-dns.nix
+++ b/modules/authoritative-dns.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -7,16 +7,14 @@ let
  cfg = config.sbruder.knot;
  primaryHost = "vueko";
-  secondaryHosts = [ "renge" "okarin" "yuzuru" ];
+  secondaryHosts = [ "okarin" ];
  isPrimaryHost = config.networking.hostName == primaryHost;
  isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
  addresses = {
    vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
-    renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ];
+    okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
    okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ];
    yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
  };
 in
 {
@ -67,7 +65,12 @@ in
              id = host;
              address = hostAddresses;
            })
-            addresses);
+            addresses) ++ lib.optional isPrimaryHost {
            id = "inwx";
            # INWX only allows the specification of one primary DNS,
            # which limits the IP protocol usable for zone transfers to one.
            address = lib.singleton "185.181.104.96";
          };
        }
        (lib.mkIf isPrimaryHost {
          policy = lib.singleton {
@ -85,7 +88,7 @@ in
              zonefile-load = "difference-no-serial";
              journal-content = "all";
              # secondary
-              notify = secondaryHosts;
+              notify = [ "inwx" ] ++ secondaryHosts;
              # dnssec
              dnssec-signing = true;
              dnssec-policy = "default";
--- a/modules/default.nix
+++ b/modules/default.nix
@ -33,8 +33,8 @@
    ./ausweisapp.nix
    ./authoritative-dns.nix
    ./cups.nix
    ./docker.nix
    ./fancontrol.nix
    ./flatpak.nix
    ./fonts.nix
    ./games.nix
    ./grub.nix
@ -54,9 +54,7 @@
    ./nix.nix
    ./office.nix
    ./pipewire.nix
    ./podman.nix
    ./prometheus/node_exporter.nix
    ./prometheus/smartctl_exporter.nix
    ./pubkeys.nix
    ./qbittorrent
    ./restic
@ -69,7 +67,6 @@
    ./udev.nix
    ./unfree.nix
    ./wireguard
    ./wkd
  ];
  config = lib.mkMerge [
@ -81,11 +78,9 @@
        git-lfs # not so essential, but required to clone config
        htop
        tmux
        vim
      ];
      programs.nano.enable = false;
      programs.vim.defaultEditor = true;
      # Clean temporary files on boot
      boot.tmp.cleanOnBoot = true;
@ -113,8 +108,6 @@
      # Support for exotic file systems
      boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
      programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);
      # When this is set to true (default), routing everything through a
      # wireguard tunnel does not work.
      networking.firewall.checkReversePath = false;
@ -166,21 +159,11 @@
    (lib.mkIf (!config.sbruder.machine.isVm) {
      # Hard drive monitoring
      services.smartd.enable = lib.mkDefault true;
-      # Firmware updates (only work on EFI systems, so enable only when using systemd-boot)
+      # Firmware updates
-      services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable);
+      services.fwupd.enable = lib.mkDefault true;
    })
    (lib.mkIf (!config.sbruder.full) {
      documentation.enable = lib.mkDefault false;
    })
    (lib.mkIf (config.services.resolved.enable) {
      # With NixOS’s default database order for hosts,
      # resolving the FQDN with hostname -f always returns “localhost”
      # when resolved is enabled.
      # This changes the priority of the files database,
      # which fixes this.
      # This workaround was taken from
      # https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
      system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
    })
  ];
 }
--- a/modules/docker.nix
+++ b/modules/docker.nix
@ -0,0 +1,47 @@
 # SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, lib, pkgs, ... }:
 {
  # This uses a custom option (instead of `virtualisation.docker.enable`) since
  # `virtualisation.oci-containers` conditionally sets
  # `virtualisation.docker.enable` and therefore causes an infinite recursion.
  options.sbruder.docker.enable = lib.mkEnableOption "docker with ipv6nat";
  config = lib.mkIf config.sbruder.docker.enable {
    environment.systemPackages = with pkgs; [
      docker-compose
      docker-credential-helpers
      docker-ls
    ];
    virtualisation = {
      docker = {
        enable = true;
        logDriver = "journald";
        extraOptions = lib.concatStringsSep " " [
          "--ipv6"
          "--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
        ];
      };
      oci-containers.containers.ipv6nat = {
        image = "robbertkl/ipv6nat";
        volumes = [
          "/var/run/docker.sock:/var/run/docker.sock:ro"
        ];
        extraOptions = [
          "--network=host"
          "--cap-drop=ALL"
          "--cap-add=NET_ADMIN"
          "--cap-add=NET_RAW"
          "--cap-add=SYS_MODULE"
        ];
      };
    };
    environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n";
  };
 }
--- a/modules/flatpak.nix
+++ b/modules/flatpak.nix
@ -1,19 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
 # Flatpak is only used for programs that are not easily installable natively.
 # They should always be confined as much as possible using Flatseal.
 #
 # To make Flatpak work with Flathub,
 # the following command must be run imperatively:
 #
 #     flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
 #
 # The full guide is available on https://flathub.org/setup/NixOS,
 # though the restart step is not necessary.
 { config, lib, ... }:
 lib.mkIf config.sbruder.gui.enable {
  services.flatpak.enable = true;
 }
--- a/modules/mailserver/postfix.nix
+++ b/modules/mailserver/postfix.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -95,7 +95,6 @@ lib.mkIf cfg.enable {
      smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
      smtpd_tls_mandatory_ciphers = "medium";
      smtpd_tls_loglevel = "1";
      smtpd_tls_received_header = "yes"; # add TLS connection details to Received header
      tls_medium_cipherlist = listToString [
        "ECDHE-ECDSA-AES128-GCM-SHA256"
@ -141,7 +140,6 @@ lib.mkIf cfg.enable {
      # Postscreen
      smtpd = {
        type = "pass";
        args = [ "-o" "smtpd_discard_ehlo_keywords=silent-discard,dsn" ];
      };
      smtp_inet = {
        # Partially overrides upstream
--- a/modules/podman.nix
+++ b/modules/podman.nix
@ -1,29 +0,0 @@
 # SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, lib, pkgs, ... }:
 {
  options.sbruder.podman.enable = lib.mkEnableOption "podman";
  config = lib.mkIf config.sbruder.podman.enable {
    boot.enableContainers = false; # FIXME: this only needs to be set for some stateVersions
    environment.systemPackages = with pkgs; [
      buildah
      podman-compose
      skopeo
    ];
    virtualisation = {
      podman = {
        enable = true;
        dockerSocket.enable = true;
        defaultNetwork.settings = {
          ipv6_enabled = true;
        };
      };
    };
  };
 }
--- a/modules/prometheus/node_exporter.nix
+++ b/modules/prometheus/node_exporter.nix
@ -8,10 +8,7 @@
    enable = config.sbruder.wireguard.home.enable;
    listenAddress = config.sbruder.wireguard.home.address;
    enabledCollectors = [ "systemd" ];
-    disabledCollectors = [
+    disabledCollectors = [ "rapl" ];
      "arp.netlink" # https://github.com/prometheus/node_exporter/issues/2849
      "rapl"
    ];
  };
  systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ];
--- a/modules/prometheus/smartctl_exporter.nix
+++ b/modules/prometheus/smartctl_exporter.nix
@ -1,22 +0,0 @@
 # SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, lib, ... }:
 {
  services.prometheus.exporters.smartctl = {
    enable = config.sbruder.wireguard.home.enable && !config.sbruder.machine.isVm;
    listenAddress = config.sbruder.wireguard.home.address;
    # devices need to be specified for all systems that use NVMe
    # https://github.com/NixOS/nixpkgs/issues/210041
  };
  systemd.services.prometheus-smartctl-exporter = {
    after = [ "wireguard-wg-home.service" ];
    serviceConfig = {
      IPAddressAllow = lib.singleton config.sbruder.wireguard.home.subnet;
      IPAddressDeny = "any";
    };
  };
 }
--- a/modules/restic/system.nix
+++ b/modules/restic/system.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -28,8 +28,6 @@ let
    "/home/*/mounts"
    # Docker (state should be kept somewhere else)
    "/home/*/.local/share/containers" # podman
    "/var/lib/containers/"
    "/var/lib/docker/"
    # Static configuration (generated from this repository)
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -60,12 +60,12 @@
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
    };
    okarin = {
-      hostNames = [ "okarin" "okarin.sbruder.de" "okarin.vpn.sbruder.de" ];
+      hostNames = [ "okarin" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaev8K5KhRovW75IdZ0HYlzvxxo0haeCM0xCVEOuDSa";
    };
    okarin-initrd = {
      hostNames = [ "[okarin.sbruder.de]:2222" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
    };
    shinobu = {
      hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];
@ -87,13 +87,5 @@
      hostNames = [ "[yuzuru.sbruder.de]:2222" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
    };
    koyomi = {
      hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
    };
    koyomi-initrd = {
      hostNames = [ "[koyomi.sbruder.de]:2222" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
    };
  };
 }
--- a/modules/tools.nix
+++ b/modules/tools.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -48,10 +48,9 @@
    dmidecode # hardware information
    hdparm # hard drive management
    lm_sensors # temperature sensors
    nvme-cli # NVMe management
    parted # partition manager
    pciutils # lspci
-    (reptyr.overrideAttrs (o: o // { doCheck = false; })) # move process to current terminal # tests fail on qemu-user-aarch64 (TODO 24.05: remove)
+    reptyr # move process to current terminal
    smartmontools # hard drive monitoring
    tcpdump # package inspector
    tio # serial console
--- a/modules/unfree.nix
+++ b/modules/unfree.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -41,6 +41,9 @@ in
        # games (okay if they run sandboxed)
        "osu-lazer" # also is free except for one dependency
        "steam"
        "steam-original"
        "steam-runtime"
      ]
    ));
  };
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@ -33,8 +33,8 @@ let
      publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
    };
    okarin = {
-      address = "10.80.0.14";
+      address = "10.80.0.10";
-      publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
+      publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
    };
    shinobu = {
      address = "10.80.0.12";
@ -48,10 +48,6 @@ let
      address = "10.80.0.16";
      publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
    };
    koyomi = {
      address = "10.80.0.17";
      publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
    };
  };
  cfg = config.sbruder.wireguard.home;
--- a/modules/wkd/default.nix
+++ b/modules/wkd/default.nix
@ -1,49 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, lib, ... }:
 let
  cfg = config.sbruder.wkd;
  toFqdn = domain: "openpgpkey.${domain}";
 in
 {
  options.sbruder.wkd = {
    enable = lib.mkEnableOption "Web Key Directory";
    domain = lib.mkOption {
      type = lib.types.str;
      description = "The main domain to listen on. The actual fqdn will be openpgpkey.<domain>.";
      default = "sbruder.de";
    };
    domains = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "Additional domains to serve.";
      default = [ ];
    };
  };
  config = lib.mkIf cfg.enable {
    sbruder.static-webserver.vhosts."${toFqdn cfg.domain}" = {
      redirects = map toFqdn cfg.domains;
      user.name = "wkd";
    };
    services.nginx.virtualHosts."${toFqdn cfg.domain}" = {
      locations."^~ /.well-known/openpgpkey" =
        let
          # workaround for nginx dropping parent headers
          # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
          parentHeaders = lib.concatStringsSep "\n" (lib.filter
            (lib.hasPrefix "add_header ")
            (lib.splitString "\n" config.services.nginx.commonHttpConfig));
        in
        {
          extraConfig = ''
            ${parentHeaders}
            add_header Access-Control-Allow-Origin * always;
          '';
        };
    };
  };
 }
--- a/pkgs/co2_exporter/default.nix
+++ b/pkgs/co2_exporter/default.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2022-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2022-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -19,7 +19,7 @@ buildGoModule rec {
  vendorHash = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68=";
-  doCheck = false; # no tests
+  oCheck = false; # no tests
  meta = with lib; {
    license = licenses.mit;
--- a/pkgs/contact-page/src/index.html
+++ b/pkgs/contact-page/src/index.html
@ -25,23 +25,15 @@ SPDX-License-Identifier: CC-BY-SA-4.0
          <td><a id="matrix" href="#">(requires javascript)</a></td>
        </tr>
        <tr>
-          <td>Fediverse</td>
+          <td>GitHub</td>
          <td><a rel="me" href="https://procrastination.space/@simon">@simon@procrastination.space</a></td>
        </tr>
        <tr>
          <td>Codeberg</td>
          <td><a href="https://codeberg.org/sbruder">sbruder</a></td>
        </tr>
        <tr>
          <td>(GitHub)</td>
          <td><a href="https://github.com/sbruder">sbruder</a></td>
        </tr>
        <tr>
-          <td>(GitLab)</td>
+          <td>GitLab</td>
          <td><a href="https://gitlab.com/sbruder">sbruder</a></td>
        </tr>
        <tr>
-          <td>Forgejo</td>
+          <td>Gitea</td>
          <td><a href="https://git.sbruder.de/simon">git.sbruder.de</a></td>
        </tr>
        <tr>
--- a/pkgs/wordclock-dimmer/wordclock-dimmer.py
+++ b/pkgs/wordclock-dimmer/wordclock-dimmer.py
@ -61,6 +61,15 @@ def get_color_for_time(time: datetime.time, base=(60, 60, 60)) -> (int, int, int
        )
 def update(client: mqtt.Client):
    time = datetime.datetime.now().time()
    color = get_color_for_time(time)
    print(f"{time}: setting color to {color}")
    sys.stdout.flush()
    set_color(client, *color)
    pass
 client = mqtt.Client("wordclock.py")
 user = os.environ["WORDCLOCK_MQTT_USER"]
@ -74,15 +83,6 @@ host = os.environ["WORDCLOCK_MQTT_HOST"]
 client.username_pw_set(user, password)
 client.connect(host, 1883, 60)
 color = (0, 0, 0)
 while True:
-    time = datetime.datetime.now().time()
+    update(client)
    new_color = get_color_for_time(time)
    if new_color != color:
        color = new_color
        print(f"setting color to {color}")
        sys.stdout.flush()
        set_color(client, *color)
    sleep(300)
--- a/users/simon/modules/games.nix
+++ b/users/simon/modules/games.nix
@ -1,41 +1,98 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-#
+
 # Steam is installed as a flatpak,
 # as this seems to be the only method that does not force me
 # to spend hours debugging various issues with the client.
 #
 # Installation instructions for steam:
 #
 # 1. Run flatpak install flathub com.valvesoftware.Steam
 # 2. Use Flatseal to revoke all filesystem permissions,
 #    development syscalls
 #    and bluetooth.
 # 3. Add GDK_SCALE=2 as an environment variable (hack for sway’s Xwayland)
 # 4. If you previously used steam-sandbox,
 #    you need to copy the files to the flatpak location.
 #    For this, start steam once (you can close it early),
 #    so it creates the new structure.
 #    Then, run the following commands:
 #        rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
 #        mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
 #    You might want to copy additional files of games,
 #    that do not store files inside of Steam’s directories.
 #    Afterwards, you can delete ~/.local/share/steam-sandbox
 #
 # For MangoHud, the following steps are also necessary:
 # 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
 # 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
 # 4. For Intel Arc systems,
 #    add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
 #    and /run/wrappers/bin to the PATH environment variable in Flatseal
 # 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
 #    available
 { lib, nixosConfig, pkgs, ... }:
 let
  cfg = nixosConfig.sbruder.games;
  inherit (nixosConfig.sbruder) unfree;
  steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
    set -euo pipefail
    shopt -s nullglob # make for loop work for glob if files do not exist
    base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
    mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
    bubblewrap_args=(
        # sandboxing
        --unshare-all
        --share-net
        --die-with-parent
        --new-session
        # basic filesystem
        --tmpfs /tmp
        --proc /proc
        --dev /dev
        --dir "$HOME"
        --dir "$XDG_RUNTIME_DIR"
        --ro-bind /nix/store /nix/store
        # path
        --ro-bind /run/current-system/sw /run/current-system/sw
        --ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
        # system-wide configuration
        --ro-bind /etc/fonts /etc/fonts
        --ro-bind /etc/localtime /etc/localtime
        --ro-bind /etc/machine-id /etc/machine-id
        --ro-bind /etc/os-release /etc/os-release
        --ro-bind /etc/passwd /etc/passwd
        --ro-bind /etc/resolv.conf /etc/resolv.conf
        --ro-bind /etc/ssl/certs /etc/ssl/certs
        --ro-bind /etc/static /etc/static
        # gui
        --ro-bind /tmp/.X11-unix /tmp/.X11-unix
        --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
        --dev-bind /dev/dri /dev/dri
        --ro-bind /run/opengl-driver /run/opengl-driver
        --ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
        # audio
        --ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
        --setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
        --ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
        --setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
        --ro-bind-try /etc/asound.conf /etc/asound.conf
        --ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
        --ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
        # dbus
        --ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
        --ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
        # shared data
        --bind "$base_dir/.local/share" "$HOME/.local/share"
        --bind "$base_dir/.steam" "$HOME/.steam"
        --bind "$base_dir/.config" "$HOME/.config"
        --bind "$base_dir/.factorio" "$HOME/.factorio"
        --bind "$base_dir/data" "$HOME/data"
        --ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
        # input
        --dev-bind /dev/input /dev/input
        --dev-bind-try /dev/uinput /dev/uinput
        --ro-bind /sys /sys # required for discovery
      )
    for hidraw in /dev/hidraw*; do
        bubblewrap_args+=(--dev-bind $hidraw $hidraw)
    done
    unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
    export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
    ${pkgs.bubblewrap}/bin/bwrap \
        "''${bubblewrap_args[@]}" \
        ''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
        "$@"
  '';
  steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
    mkdir -p $out/{bin,share}
    ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
    ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
    ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
  '';
 in
 lib.mkIf cfg.enable {
  home.packages = with pkgs; [
@ -48,7 +105,9 @@ lib.mkIf cfg.enable {
    pcsx2
  ] ++ lib.optionals (cfg.performanceIndex >= 8) [
    unstable.ryujinx
    unstable.yuzu-mainline
  ] ++ lib.optionals unfree.allowSoftware [
    unstable.osu-lazer-sandbox
    steam-sandbox-with-icons
  ];
 }
--- a/users/simon/modules/gpg.nix
+++ b/users/simon/modules/gpg.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-{ lib, nixosConfig, pkgs, ... }:
+{ nixosConfig, pkgs, ... }:
 {
  programs.gpg = {
@ -18,7 +18,7 @@
  services.gpg-agent = rec {
    enable = true;
    enableZshIntegration = true;
-    enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
+    enableSshSupport = true;
    pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
--- a/users/simon/modules/mpd.nix
+++ b/users/simon/modules/mpd.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -73,7 +73,6 @@ lib.mkIf nixosConfig.sbruder.gui.enable {
      # Lyrics
      lyrics_directory = "${config.services.mpd.musicDirectory}/lyrics";
      follow_now_playing_lyrics = true;
      # Misc
      external_editor = "nvim";
--- a/users/simon/modules/neovim/default.nix
+++ b/users/simon/modules/neovim/default.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@ -54,7 +54,7 @@ in
      haskell-language-server
      jdt-language-server
      unstable.ltex-ls
-      nixd
+      rnix-lsp
      rust-analyzer
      (python3.withPackages (ps: with ps; [
        pyls-isort
--- a/users/simon/modules/neovim/init.lua
+++ b/users/simon/modules/neovim/init.lua
@ -1,4 +1,4 @@
-- SPDX-FileCopyrightText: 2018-2024 Simon Bruder <simon@sbruder.de>
+-- SPDX-FileCopyrightText: 2018-2023 Simon Bruder <simon@sbruder.de>
 --
 -- SPDX-License-Identifier: AGPL-3.0-or-later
@ -348,7 +348,7 @@ lsp.ltex.setup {
 lsp.pylsp.setup {
    on_attach = on_attach,
 }
-lsp.nixd.setup {
+lsp.rnix.setup {
    on_attach = on_attach,
 }
 lsp.rust_analyzer.setup {
--- a/users/simon/modules/pass.nix
+++ b/users/simon/modules/pass.nix
@ -1,8 +1,8 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
  programs.password-store = {
    enable = true;
@ -14,14 +14,4 @@
      PASSWORD_STORE_DIR = "$HOME/.password-store";
    };
  };
  programs.browserpass = {
    enable = true;
    browsers = [ "librewolf" ];
  };
  services.pass-secret-service = {
    enable = true;
    storePath = "${config.xdg.dataHome}/secret-service-password-store";
  };
 }