hitagi fixup

It is dead[1].

[1]: https://arstechnica.com/gaming/2024/03/switch-emulator-makers-agree-to-pay-2-4-million-to-settle-nintendo-lawsuit/

.sops.yaml

@@ -15,11 +15,10 @@ keys:
   - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
   - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
   - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
-  - &okarin e7370b48016c961ef8ad792fda66b19d845b3156
+  - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
   - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
   - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
   - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
-  - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
 creation_rules:
   - path_regex: machines/nunotaba/secrets\.yaml$
     key_groups:
@@ -98,13 +97,6 @@ creation_rules:
       - *simon-alpha
       - *simon-beta
       - *yuzuru
-  - path_regex: machines/koyomi/secrets\.yaml$
-    key_groups:
-    - pgp:
-      - *simon
-      - *simon-alpha
-      - *simon-beta
-      - *koyomi
   - path_regex: secrets\.yaml$
     key_groups:
     - pgp:
@@ -117,4 +109,3 @@ creation_rules:
       - *fuuko
       - *mayushii
       - *renge
-      - *koyomi

flake.lock

@@ -44,11 +44,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1709126324,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
         "type": "github"
       },
       "original": {
@@ -65,11 +65,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709087332,
+        "lastModified": 1703887061,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
         "type": "github"
       },
       "original": {
@@ -85,11 +85,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715381426,
+        "lastModified": 1706981411,
-        "narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
+        "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
+        "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716457508,
+        "lastModified": 1709764752,
-        "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
+        "narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
+        "rev": "cf111d1a849ddfc38e9155be029519b0e2329615",
         "type": "github"
       },
       "original": {
@@ -205,6 +205,9 @@
     "nix-pre-commit-hooks": {
       "inputs": {
         "flake-compat": "flake-compat",
+        "flake-utils": [
+          "flake-utils"
+        ],
         "gitignore": "gitignore",
         "nixpkgs": [
           "nixpkgs-unstable"
@@ -212,11 +215,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1716213921,
+        "lastModified": 1708018599,
-        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
+        "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
+        "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431",
         "type": "github"
       },
       "original": {
@@ -228,11 +231,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1716173274,
+        "lastModified": 1709410583,
-        "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
+        "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
+        "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
         "type": "github"
       },
       "original": {
@@ -244,11 +247,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1716361217,
+        "lastModified": 1709677081,
-        "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
+        "narHash": "sha256-tix36Y7u0rkn6mTm0lA45b45oab2cFLqAzDbJxeXS+c=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
+        "rev": "880992dcc006a5e00dd0591446fdf723e6a51a64",
         "type": "github"
       },
       "original": {
@@ -272,11 +275,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1712934106,
+        "lastModified": 1704120598,
-        "narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=",
+        "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=",
         "ref": "refs/heads/master",
-        "rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8",
+        "rev": "32ef4fd545a29cdcb2613934525b97470818b42e",
-        "revCount": 66,
+        "revCount": 65,
         "type": "git",
         "url": "https://git.sbruder.de/simon/nixpkgs-overlay"
       },
@@ -287,11 +290,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1710695816,
+        "lastModified": 1704874635,
-        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
+        "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
+        "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356",
         "type": "github"
       },
       "original": {
@@ -303,11 +306,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1716061101,
+        "lastModified": 1709428628,
-        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+        "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+        "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
         "type": "github"
       },
       "original": {
@@ -319,11 +322,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1716330097,
+        "lastModified": 1709703039,
-        "narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
+        "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
+        "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",
         "type": "github"
       },
       "original": {
@@ -450,11 +453,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1716400300,
+        "lastModified": 1709711091,
-        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+        "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+        "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc",
         "type": "github"
       },
       "original": {

flake.nix

@@ -23,6 +23,7 @@
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
 
     nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
+    nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
     nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -155,11 +156,12 @@
                 pkgs.writeShellScript "unlock-${hostname}" ''
                   set -exo pipefail
                   # opening luks fails if gpg-agent is not unlocked yet
-                  pass "devices/${hostname}/luks" | ssh \
+                  pass "devices/${hostname}/luks" >/dev/null
+                  ssh \
                       ${lib.optionalString unlockOverV4 "-4"} \
                       -p 2222 \
                       "root@${targetHost}" \
-                      "cat > /crypt-ramfs/passphrase"
+                      "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
                 '')
               self.nixosConfigurations);
 

keys/machines/koyomi.asc

@@ -1,28 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
-bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
-VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
-bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
-JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
-8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
-y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
-eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
-+VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
-KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
-1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
-/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
-CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
-/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
-J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
-gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
-QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
-MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
-HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
-DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
-kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
-CxhNpGhTpzl96WA2WsNP9Q==
-=slmv
------END PGP PUBLIC KEY BLOCK-----

keys/machines/okarin.asc

@@ -1,28 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC
+xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg
-Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG
+Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT
-twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT
+ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG
-cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4
+jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw
-va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9
+KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1
-vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h
+NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7
-5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0
+jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr
-HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE
+YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF
-ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS
+a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD
-0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+
+uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr
-TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB
+/EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR
+AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG
-O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1
+yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR
-+B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn
+Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf
-uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C
+K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN
-3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0
+DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi
-t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4
+xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt
-fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV
+CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4
-qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt
+RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn
-uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw
+xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP
-2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT
+Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn
-TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU
+rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0
-NxR1Jvm5bnGfUcnNlzoB4Q==
+MsxjN+we2woCXG5SJGYOyA==
-=6o0h
+=UTw1
 -----END PGP PUBLIC KEY BLOCK-----

machines/default.nix

@@ -23,9 +23,6 @@ in
   };
   vueko = {
     system = "aarch64-linux";
-    extraModules = [
-      "${inputs.infinisilSystem}/config/new-modules/murmur.nix"
-    ];
 
     targetHost = "vueko.sbruder.de";
   };
@@ -49,6 +46,9 @@ in
   };
   renge = {
     system = "aarch64-linux";
+    extraModules = [
+      "${inputs.infinisilSystem}/config/new-modules/murmur.nix"
+    ];
 
     targetHost = "renge.sbruder.de";
   };
@@ -76,13 +76,9 @@ in
 
     targetHost = "yuzuru.sbruder.de";
   };
-  koyomi = {
+  hyper = {
     system = "x86_64-linux";
-    extraModules = [
-      hardware.common-cpu-intel
-      hardware.common-pc-ssd
-    ];
 
-    targetHost = "koyomi.sbruder.de";
+    targetHost = "hyper.lan.shinonome-lab.de";
   };
 }

machines/fuuko/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -92,8 +92,6 @@
     }
   ];
 
-  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/sda" "/dev/sdb" "/dev/sdc" ];
-
   powerManagement.cpuFreqGovernor = "schedutil";
 
   networking = {

machines/hitagi/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -7,56 +7,44 @@
 {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
   ];
 
+  sbruder.machine.isVm = true;
+
   boot = {
     # Intel arc
     kernelPackages = pkgs.linuxPackages_latest;
-    # fan control configuration from https://gist.github.com/bakman2/e801f342aaa7cade62d7bd54fd3eabd8
+    kernelParams = [ "console=ttyS0" ];
-    kernelModules = [ "kvm-amd" "it87" ];
-    kernelParams = [ "acpi_enforce_resources=lax" ]; # allow it87 to load
-    extraModulePackages = with config.boot.kernelPackages; [ it87 ];
-    extraModprobeConfig = ''
-      options it87 force_id=0x8688
-    '';
     loader = {
       grub.enable = false;
       systemd-boot.enable = true;
       efi.canTouchEfiVariables = true;
     };
     initrd = {
-      availableKernelModules = [ "aesni_intel" "ahci" "ehci_pci" "nvme" "sd_mod" "sr_mod" "usb_storage" "usbhid" "xhci_pci" ];
+      availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "virtio_blk" ];
       kernelModules = [ "dm-snapshot" ];
-      luks.devices = {
-        root = {
-          name = "root";
-          device = "/dev/disk/by-uuid/63c6aa7c-47c5-43f5-b0eb-c32b0768327b";
-          preLVM = true;
-          allowDiscards = true;
-        };
-      };
     };
   };
 
   fileSystems = {
     "/" = {
-      device = "/dev/disk/by-uuid/3994f497-9848-459e-9642-cbc14a7d3c97";
+      device = "/dev/disk/by-uuid/db6c8826-ea3c-4bd6-bcb3-5a9ae3089519";
       fsType = "btrfs";
-      options = [ "discard=async" "noatime" "compress=zstd" ];
+      options = [ "discard=async" "noatime" "compress=zstd" "ssd" ];
     };
 
     "/boot" = {
-      device = "/dev/disk/by-uuid/96B6-34BD";
+      device = "/dev/disk/by-uuid/77DB-CC39";
       fsType = "vfat";
     };
+
+    "/data/steam" = {
+      device = "steam";
+      fsType = "virtiofs";
+    };
   };
 
-  swapDevices = [
-    { device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; }
-  ];
-
-  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
-
   # GPU
   hardware.opengl = {
     package = pkgs.mesa.drivers;
@@ -83,57 +71,4 @@
     capabilities = "cap_perfmon+p";
     source = "${pkgs.intel-gpu-tools}/bin/intel_gpu_top";
   };
-
-  # https://www.reddit.com/r/gigabyte/comments/p5ewjn/b550i_pro_ax_f13_bios_sleep_issue_on_linux/
-  systemd.services.suspend-fix = {
-    wantedBy = [ "multi-user.target" ];
-    description = "Fix suspend";
-
-    script = ''
-      if grep -q "GPP0	.*	\*enabled" /proc/acpi/wakeup; then
-          echo GPP0 > /proc/acpi/wakeup
-          echo "Disabled wakeup for GPP0"
-      else
-          echo "Wakeup for GPP0 already disabled"
-      fi
-    '';
-
-    serviceConfig = {
-      Type = "oneshot";
-    };
-  };
-
-  sbruder.fancontrol = {
-    enable = false; # no hwmon for intel arc (yet)
-    enableDefaultMapping = true;
-    fans = {
-      front = {
-        pwmFile = "/sys/class/hwmon/hwmon1/pwm4";
-        rpmFile = "/sys/class/hwmon/hwmon1/fan4_input";
-        pwmLineStart = 50;
-        neverStop = true;
-      };
-      back = {
-        pwmFile = "/sys/class/hwmon/hwmon1/pwm2";
-        rpmFile = "/sys/class/hwmon/hwmon1/fan2_input";
-      };
-    };
-    sensors = {
-      cpu = {
-        file = "/sys/class/hwmon/hwmon2/temp3_input";
-        min = 50;
-        max = 80;
-      };
-      gpu = {
-        file = "/sys/class/hwmon/hwmon4/temp1_input";
-        min = 50;
-        max = 70;
-      };
-      nvme = {
-        file = "/sys/class/hwmon/hwmon0/temp1_input";
-        min = 40;
-        max = 70;
-      };
-    };
-  };
 }

machines/hyper/README.md

@@ -0,0 +1,39 @@
+<!--
+SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+
+SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# hitagi
+
+## Hardware
+
+Custom build in a be quiet! Pure Base 500
+with the front panel changed to a Pure Base 500DX’s (for better airflow).
+
+ * Motherboard: GIGABYTE B550 AORUS ELITE V2 (rev 1.0)
+ * CPU: AMD Ryzen 7 5800X
+ * RAM:
+   2×16 GB G.Skill Aegis F4-3200C16-16GIS
+   \+ 2×32 GB G.Skill Ripjaws V F4-3200C16-32GVK
+   (both DDR4 3200 MHz CL16-18-18-38)
+ * PSU: be quiet! System Power 10 750W
+ * SSD: 1TB Samsung 980 Pro NVMe
+ * GPU: Intel Arc A770 Limited Edition (16GB VRAM)
+ * Case fans: 2 be quiet! Pure Wings 2 140 mm (included in case), 3 more with PWM
+ * CPU Cooler: Noctua NH-U12S with an additional NF-F12 PWM
+
+This replaces sayuri,
+which features an enterprise HP firmware without fan control,
+an ancient Intel platform that is only usable in YOLO mode (`mitigations=off`)
+and proprietary case, motherboard and power supply.
+
+## Purpose
+
+Tasks that require large amounts of CPU power,
+a high amount of GPU power
+or have to run while I do other things (on my laptop).
+
+## Name
+
+Senjougahara Hitagi is a student from the *Monogatari Series*.

machines/hyper/configuration.nix

@@ -0,0 +1,63 @@
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./network.nix
+    ../../modules
+  ];
+
+  networking.hostName = "hyper";
+
+  system.stateVersion = "23.11";
+
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu = {
+      package = pkgs.qemu_kvm;
+      ovmf.enable = true;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    virtiofsd
+  ];
+
+  fileSystems = {
+    "/data/shared" = {
+      device = "/dev/hyper-vg/shared";
+      fsType = "btrfs";
+      options = [ "discard=async" "noatime" "compress=zstd" ];
+    };
+  };
+
+  #environment.etc."libvirt/hooks/qemu".source = pkgs.writeShellScript "libvirt-qemu-hook" ''
+  #  set -euo pipefail
+
+  #  object="$1"
+  #  operation="$2"
+  #  sub_operation="$3"
+  #  extra_arg="$4"
+
+  #  intel_arc_reset_hack_guests=(
+  #    "virtdows"
+  #  )
+
+  #  case "$operation" in
+  #    start)
+  #      if [ "$sub_operation" = "begin" ]; then
+  #        for guest in "''${intel_arc_reset_hack_guests[@]}"; do
+  #          if [ "$guest" = "$object" ]; then
+  #            echo "Applied intel arc reset hack for guest $guest"
+  #            echo > /sys/bus/pci/devices/0000:08:00.0/reset_method
+  #          fi
+  #        done
+  #      fi
+  #    ;;
+  #  esac
+  #'';
+}

machines/hyper/hardware-configuration.nix

@@ -0,0 +1,81 @@
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, modulesPath, pkgs, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    # fan control configuration from https://gist.github.com/bakman2/e801f342aaa7cade62d7bd54fd3eabd8
+    kernelModules = [ "kvm-amd" "it87" ];
+    kernelParams = [
+      "acpi_enforce_resources=lax" # allow it87 to load
+      "ip=dhcp"
+      "iommu=pt"
+      "default_hugepagesz=1G"
+      "hugepagesz=1G"
+      "hugepages=90"
+    ];
+    extraModulePackages = with config.boot.kernelPackages; [ it87 ];
+    extraModprobeConfig = ''
+      options it87 force_id=0x8688
+      options vfio-pci ids=8086:56a0,8086:4f90
+      softdep drm pre: vfio-pci
+      options kvm-amd nested=0 avic=1 npt=1
+    '';
+    loader = {
+      grub.enable = false;
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    initrd = {
+      availableKernelModules = [ "aesni_intel" "ahci" "ehci_pci" "nvme" "r8169" "sd_mod" "sr_mod" "usb_storage" "usbhid" "xhci_pci" ];
+      kernelModules = [ "dm-snapshot" ];
+      luks.devices = {
+        root = {
+          name = "root";
+          device = "/dev/disk/by-uuid/63d366bd-5453-46b5-89d5-a61cbb828102";
+          preLVM = true;
+          allowDiscards = true;
+        };
+      };
+    };
+  };
+
+  # https://www.reddit.com/r/gigabyte/comments/p5ewjn/b550i_pro_ax_f13_bios_sleep_issue_on_linux/
+  systemd.services.suspend-fix = {
+    wantedBy = [ "multi-user.target" ];
+    description = "Fix suspend";
+
+    script = ''
+      if grep -q "GPP0	.*	\*enabled" /proc/acpi/wakeup; then
+          echo GPP0 > /proc/acpi/wakeup
+          echo "Disabled wakeup for GPP0"
+      else
+          echo "Wakeup for GPP0 already disabled"
+      fi
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+    };
+  };
+
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/53f4e762-39fa-41a6-8b78-4999d38e6e88";
+      fsType = "btrfs";
+      options = [ "discard=async" "noatime" "compress=zstd" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/403C-02C1";
+      fsType = "vfat";
+    };
+  };
+}

machines/hyper/network.nix

@@ -0,0 +1,83 @@
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ lib, ... }:
+let
+  vlans = {
+    lan = 10;
+    guest = 30;
+  };
+  dhcpVlans = [ "lan" ];
+in
+{
+  networking.useDHCP = false;
+
+  systemd.network = {
+    enable = true;
+    wait-online.extraArgs = [ "--any" ];
+    netdevs =
+      let
+        vlanNetdevs = (lib.mapAttrs
+          (Name: Id: {
+            netdevConfig = {
+              inherit Name;
+              Kind = "vlan";
+            };
+            vlanConfig = {
+              inherit Id;
+            };
+          })
+          vlans);
+        bridgeNetdevs = (lib.mapAttrs'
+          (name: _: lib.nameValuePair "br-${name}" {
+            netdevConfig = {
+              Name = "br-${name}";
+              Kind = "bridge";
+            };
+          })
+          vlans);
+      in
+      lib.mkMerge [ vlanNetdevs bridgeNetdevs ];
+    networks =
+      let
+        vlanNetworks = (lib.mapAttrs
+          (name: _: {
+            inherit name;
+            matchConfig = {
+              Type = "vlan";
+            };
+            bridge = lib.singleton "br-${name}";
+          })
+          vlans);
+        bridgeNetworks = (lib.mapAttrs'
+          (name: _: lib.nameValuePair "br-${name}"
+            ({
+              name = "br-${name}";
+            } // lib.optionalAttrs (lib.elem name dhcpVlans) {
+              DHCP = "ipv4";
+              networkConfig = {
+                IPv6AcceptRA = "yes";
+              };
+            }))
+          vlans);
+      in
+      lib.mkMerge [
+        {
+          physical-lan = {
+            name = "eno1";
+            vlan = [ "lan" "guest" ];
+            networkConfig = {
+              LinkLocalAddressing = "no";
+              LLDP = "no";
+              EmitLLDP = "no";
+              IPv6AcceptRA = "no";
+              IPv6SendRA = "no";
+            };
+          };
+        }
+        vlanNetworks
+        bridgeNetworks
+      ];
+  };
+}

machines/koyomi/README.md

@@ -1,37 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-
-SPDX-License-Identifier: CC-BY-SA-4.0
--->
-
-# koyomi
-
-## Hardware
-
-System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
-
-- Motherboard: FUJITSU D3401-H1
-- CPU: Intel Core i7-6700
-- RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
-- SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
-
-## Setup
-
-As it is a physical server (not a VM) in a remote location,
-extra care must be taken when installing.
-Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
-and a rescue system that can be activated before a reboot.
-Additionally, there is also a *vKVM* rescue system,
-that boots a hypervisor from the network and runs a VM which boots from the physical disks.
-
-The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
-Ideally, everything goes well and the next reboot works,
-but in the case it does not, the vKVM rescue system can be used for debugging.
-
-## Purpose
-
-Hypervisor. Exact scope is to be determined.
-
-## Name
-
-Araragi Koyomi is a student from the *Monogatari Series*.

machines/koyomi/configuration.nix

@@ -1,23 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../modules
-
-    ./services/hypervisor.nix
-  ];
-
-  sbruder = {
-    wireguard.home.enable = true;
-    podman.enable = true;
-  };
-
-  networking.hostName = "koyomi";
-
-  system.stateVersion = "23.11";
-}

machines/koyomi/hardware-configuration.nix

@@ -1,74 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ modulesPath, pkgs, ... }:
-
-{
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
-  boot = {
-    swraid.enable = true;
-    kernelModules = [ "kvm-intel" ];
-    kernelParams = [ "ip=dhcp" ];
-    loader = {
-      grub = {
-        devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
-      };
-    };
-    initrd = {
-      availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
-      kernelModules = [ "dm-snapshot" ];
-      network.enable = true; # remote unlocking
-      luks.devices = {
-        koyomi-pv = {
-          name = "koyomi-pv";
-          device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
-          preLVM = true;
-          allowDiscards = true;
-        };
-      };
-
-      # FIXME XXX HACK
-      # This is required to have the md device available under /dev/disk/by-uuid.
-      # Both commands are run as part of the regular stage-1 init script,
-      # but for some reason, they need to be run twice.
-      preLVMCommands = ''
-        udevadm trigger
-        udevadm settle
-      '';
-    };
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
-      fsType = "btrfs";
-      options = [ "discard=async" "noatime" "compress=zstd" ];
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/12CE-A600";
-      fsType = "vfat";
-    };
-  };
-
-  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
-
-  networking.useDHCP = false;
-  networking.usePredictableInterfaceNames = false;
-  systemd.network = {
-    enable = true;
-    networks = {
-      eth0 = {
-        name = "eth0";
-        DHCP = "yes";
-        domains = [ "sbruder.de" ];
-        address = [ "2a01:4f8:151:712d::1/64" ];
-        gateway = [ "fe80::1" ];
-      };
-    };
-  };
-}

machines/koyomi/secrets.yaml

@@ -1,72 +0,0 @@
-wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2024-05-11T21:49:03Z"
-    mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
-    pgp:
-        - created_at: "2024-05-11T21:48:51Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
-            qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
-            hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
-            in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
-            hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
-            dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
-            1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
-            TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
-            iXDXWxIe5PY=
-            =zp+l
-            -----END PGP MESSAGE-----
-          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
-        - created_at: "2024-05-11T21:48:51Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
-            WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
-            1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
-            dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
-            8GoFUoOn6tE=
-            =A7C7
-            -----END PGP MESSAGE-----
-          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
-        - created_at: "2024-05-11T21:48:51Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
-            pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
-            1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
-            rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
-            K0oWZqedIzU=
-            =Z8wz
-            -----END PGP MESSAGE-----
-          fp: 403215E0F99D2582C7055C512C77841620B8F380
-        - created_at: "2024-05-11T21:48:51Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
-            exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
-            UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
-            ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
-            uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
-            OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
-            OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
-            cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
-            Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
-            gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
-            HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
-            VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
-            +Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
-            =bvPZ
-            -----END PGP MESSAGE-----
-          fp: a53d4ca8d2cf54613822c81d660e69babee42643
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

machines/koyomi/services/hypervisor.nix

@@ -1,133 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ lib, pkgs, ... }:
-let
-  guests = {
-    forgejo-actions-runner = {
-      mac = "42:80:00:00:00:02";
-      v4 = "10.80.32.2";
-      v6 = "2a01:4f8:151:712d:1::2";
-    };
-  };
-
-  # port forwarding for IPv4
-  portForwards = {
-    tcp = { };
-    udp = { };
-  };
-in
-{
-  virtualisation.libvirtd = {
-    enable = true;
-    qemu.package = pkgs.qemu_kvm;
-  };
-
-  boot.kernel.sysctl = {
-    "net.ipv4.conf.all.forwarding" = true;
-    "net.ipv6.conf.all.forwarding" = true;
-  };
-
-  systemd.network = {
-    enable = true;
-    netdevs = {
-      br-virt = {
-        netdevConfig = {
-          Name = "br-virt";
-          Kind = "bridge";
-        };
-      };
-    };
-    networks = {
-      br-virt = {
-        name = "br-virt";
-        address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
-      };
-    };
-  };
-  services.resolved.enable = false;
-
-  services.dnsmasq = {
-    enable = true;
-
-    settings = {
-      interface = [ "br-virt" ];
-
-      bind-interfaces = true; # do not bind to the wildcard interface
-      bogus-priv = true; # do not forward revese lookups of internal addresses
-      dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
-      domain-needed = true; # do not forward names without domain
-      no-hosts = true; # do not resolve hosts from /etc/hosts
-      no-resolv = true; # only use explicitly configured resolvers
-
-      domain = [ "sbruder.de" ];
-
-      enable-ra = true; # required to tell clients to use DHCPv6
-
-      # Force static configuration
-      dhcp-range = [
-        "10.80.32.0,static,255.255.255.0"
-        "2a01:4f8:151:712d:1::,static,80"
-      ];
-
-      dhcp-host = lib.flatten (lib.mapAttrsToList
-        (name: { mac, v4, v6 }: [
-          "${mac},${v4},${name}"
-          "${mac},[${v6}],${name}"
-        ])
-        guests);
-
-      # Hetzner recursive name servers
-      # https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
-      server = [
-        "185.12.64.1"
-        "185.12.64.2"
-        "2a01:4ff:ff00::add:1"
-        "2a01:4ff:ff00::add:2"
-      ];
-    };
-  };
-
-  networking.firewall = {
-    allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
-    allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
-
-    interfaces.br-virt = {
-      allowedTCPPorts = [ 53 ]; # EDNS
-      allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
-    };
-  };
-
-  networking.nftables = {
-    enable = true;
-    ruleset = ''
-      # only IPv4
-      table ip hypervisor-nat {
-        chain postrouting {
-          type nat hook postrouting priority filter; policy accept
-          oifname eth0 masquerade
-        }
-
-        chain prerouting {
-          type nat hook prerouting priority dstnat; policy accept
-          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
-            iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
-          '') portForwards.tcp)}
-          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
-            iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
-          '') portForwards.udp)}
-        }
-      }
-
-      table inet hypervisor-filter {
-        chain forward {
-          type filter hook forward priority filter; policy drop
-
-          iifname br-virt oifname eth0 counter accept
-          iifname eth0 oifname br-virt counter accept
-        }
-      }
-    '';
-  };
-}

machines/mayushii/configuration.nix

@@ -19,7 +19,6 @@
     gui.enable = true;
     media-proxy.enable = true;
     mullvad.enable = true;
-    podman.enable = true;
     restic.system = {
       enable = true;
       qos = true;

machines/mayushii/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -45,8 +45,6 @@
     };
   };
 
-  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" ];
-
   powerManagement = {
     cpuFreqGovernor = "schedutil";
   };

machines/okarin/README.md

@@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 
 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
@@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0
 
 ## Hardware
 
-[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).
+[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD).
 
 ## Purpose
 
@@ -22,50 +22,32 @@ Okabe Rintaro is a mad scientist from *Steins;Gate*
 
 Much like the namesake,
 this server requires a “mad scientist” approach to set up.
-However, it is much easier than setting up its predecessor,
-which had just above 400 MiB usable memory.
 
 Ionos does not offer any NixOS installation media.
-I could only choose between various installation media and rescue systems.
+I could only choose between a Debian installation media, Knoppix and GParted.
-Also, installing NixOS with a low amount of memory is problematic.
+Also, installing with a very low amount of memory is quite hard.
 
 I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
 On there, I installed NixOS.
-Because encryption with `argon2id` as PBKDF is quite memory intensive,
+Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
-I had to tune the parameters to ensure decryption was still possible on the target.
+What I settled on was
-This can be done quite easily by interactively running the following command on the build VM:
+`cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
 
-    cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
+To make btrfs use its SSD optimizations,
+I had to force the kernel to see the device as non-rotational:
+`echo 0 > /sys/block/dm-0/queue/rotational`
 
-The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.
+Another problem was the usage of VMware by Ionos.
-
+The VM I set this up with was obviously using KVM/QEMU,
-However, since those parameters are not ideal,
+so it needed different kernel modules at boot.
-the following should later be run on the target host itself:
+What worked was setting it up in the local VM with both libvirt and vmware modules,
-
+and then removing the libvirt modules once it was installed on the target.
-    cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
-
-This will determine the memory usage automatically,
-use one thread
-and set the parameters so that decryption takes 10 seconds (10000 ms).
-The memory usage will not be as high as it could,
-but it will be better.
 
 Getting the disk image onto the server was done
 by first `rsync`ing the image to another server (to allow for incremental iterations),
 which then provided it via HTTP.
-Using the Debian installation media in rescue mode
+Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui),
-(as for some reason most other options tried to cache the file in memory and became very slow)
+it was possible to just `curl http://server/okarin.img > /dev/sda`.
-it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
 
 Because of all the pitfalls of this,
 you probably need more than one try.
-To make debugging easier on the target, the following option can be set:
-```nix
-{ pkgs, ... }:
-
-{
-  boot.initrd.preLVMCommands = ''
-    ${pkgs.bashInteractive}/bin/bash
-  '';
-}
-```

machines/okarin/configuration.nix

@@ -9,6 +9,7 @@
     ./hardware-configuration.nix
     ../../modules
 
+    ./services/static-sites.nix
     ./services/proxy.nix
   ];
 
@@ -21,7 +22,7 @@
 
   networking.hostName = "okarin";
 
-  system.stateVersion = "23.11";
+  system.stateVersion = "22.11";
 
   networking.firewall.allowedTCPPorts = [
     80

machines/okarin/hardware-configuration.nix

@@ -5,10 +5,6 @@
 { lib, modulesPath, ... }:
 
 {
-  imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
-  ];
-
   sbruder.machine.isVm = true;
 
   boot = {
@@ -16,34 +12,41 @@
     extraModulePackages = [ ];
     kernelParams = [ "ip=dhcp" ];
     initrd = {
-      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ];
-      kernelModules = [ ];
+      kernelModules = [ "dm-snapshot" "vmw_balloon" ];
       network = {
         enable = true; # remote unlocking
         # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
         # this works around this, but is arguably quite hacky
         postCommands = ''
-          ip route add 85.215.165.1 dev eth0
+          ip route add 10.255.255.1 dev eth0
-          ip route add default via 85.215.165.1 dev eth0
+          ip route add default via 10.255.255.1 dev eth0
         '';
       };
-      luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
+      luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267";
     };
-    loader.grub.device = "/dev/vda";
+    loader.grub.device = "/dev/sda";
   };
 
   fileSystems = {
     "/" = {
-      device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
+      device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41";
       fsType = "btrfs";
-      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+      options = [ "compress=zstd" "discard" "noatime" ];
     };
     "/boot" = {
-      device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
+      device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518";
       fsType = "ext2";
     };
   };
 
+  swapDevices = [
+    {
+      device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079";
+      randomEncryption.enable = true;
+    }
+  ];
+
   zramSwap = {
     enable = true;
     memoryPercent = 150;
@@ -60,6 +63,11 @@
         name = "eth0";
         DHCP = "yes";
         domains = [ "sbruder.de" ];
+        address = [ "2001:8d8:1800:8627::1/64" ];
+        gateway = [ "fe80::1" ];
+        networkConfig = {
+          IPv6AcceptRA = "no";
+        };
       };
     };
   };

machines/okarin/secrets.yaml

@@ -1,80 +1,80 @@
-wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str]
+wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-12-25T22:06:33Z"
+    lastmodified: "2023-05-06T08:49:32Z"
-    mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str]
+    mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str]
     pgp:
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw
+            hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw
-            ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA
+            faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6
-            hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw
+            hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w
-            +ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB
+            aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1
-            hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw
+            hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w
-            I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/
+            RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0
-            1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf
+            1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE
-            1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/
+            zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2
-            hRlLbnUDE1Q=
+            PWZwSFBCZEg=
-            =ol1Y
+            =r7sK
             -----END PGP MESSAGE-----
           fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw
+            hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw
-            VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU
+            zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709
-            hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow
+            hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw
-            rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1
+            f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz
-            hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw
+            hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw
-            xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV
+            Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI
-            1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG
+            1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/
-            Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk
+            aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V
-            G+tyNMgCYhM=
+            B8h2L/JR7Yo=
-            =2QnY
+            =/wMt
             -----END PGP MESSAGE-----
           fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw
+            hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww
-            SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo
+            uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc
-            hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww
+            hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw
-            wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8
+            zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP
-            hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw
+            hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw
-            3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc
+            mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817
-            1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh
+            1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL
-            AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H
+            8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S
-            VOK1Bc67BzU=
+            Gzwk8dC0wdc=
-            =3z3V
+            =BWUr
             -----END PGP MESSAGE-----
           fp: 403215E0F99D2582C7055C512C77841620B8F380
-        - created_at: "2024-01-24T12:19:03Z"
+        - created_at: "2024-01-22T00:20:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v
+            hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B
-            z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo
+            lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp
-            w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO
+            jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0
-            DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n
+            ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq
-            7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e
+            tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ
-            7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN
+            T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb
-            Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt
+            YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2
-            4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b
+            qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T
-            5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl
+            nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R
-            auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3
+            LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al
-            pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS
+            a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS
-            VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R
+            VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd
-            da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB
+            QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6
-            =F0pC
+            =sy/X
             -----END PGP MESSAGE-----
-          fp: e7370b48016c961ef8ad792fda66b19d845b3156
+          fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3

machines/okarin/services/proxy.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -6,7 +6,9 @@
 let
   proxyMap = {
     "sbruder.xyz" = "renge";
+    "nitter.sbruder.xyz" = "renge";
     "iv.sbruder.xyz" = "renge";
+    "libreddit.sbruder.xyz" = "renge";
   };
 in
 {

machines/okarin/services/static-sites.nix

@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, ... }:
+
+{
+  sbruder.static-webserver.vhosts = {
+    "maggus.bayern".user = {
+      name = "maggus";
+      keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
+      ] ++ config.sbruder.pubkeys.trustedKeys;
+    };
+    "arbeitskampf.work".user = {
+      name = "arbeitskampf";
+    };
+  };
+}

machines/renge/configuration.nix

@@ -17,8 +17,8 @@
     ./services/grafana.nix
     ./services/hedgedoc.nix
     ./services/invidious
-    ./services/mastodon.nix
     ./services/matrix
+    ./services/murmur.nix
     ./services/password-hash-self-service.nix
     ./services/prometheus.nix
     ./services/sbruder.xyz

machines/renge/secrets.yaml

@@ -2,7 +2,7 @@ forgejo-mail: ENC[AES256_GCM,data:3AlFHzVBA5TE4qv5ubG39K0varV8/HabO0q/RJZSD5o=,i
 go-neb-overrides: ENC[AES256_GCM,data:1xy+SdsSTuerRox4skitg1mKLr1MoANFoCzz76TKSA31ORo/oUWVGrYxfusZxrFQWjYGRFpSYzmkzPn1RoWmbXyfwPEcisvjenXLNvwcyoontBd7TiiLdukEtya6RfGLRGKc8tfCzbDUWgiYz5IDMFBvKGnewFjB+au0/Ge2+2DTw6M4negjCz343TO/vbyTr5xT/5smmKz7Ouk9SbEo7yEuHkQPQfedGw2PYT82zdXd/Eje3Zq2EB4xcUU7beGrF1zkOdXQ4OVqB8XnkCnuLtNlnJtsffm0rbPDPD3/nhHKpJ8jXrN54V14dSnHW7yOifGMIus0VFMRZcIT7A+BroM9qzJhW3F4gsF1Bwp0CF+6zLLRjgpA0EOyvOwpLIftBZfMIpveAH62MVY0IBfwDdkI1itEOjj9EhTrOGxBx45Cj6Qk3Mk6ncyr15+E+KAmQRxZJrEW8Grk4PyzuxtxYd0n8LSaRUe1eNVUhHkQNpo/zvAPgrzcRnM91EwIoMvlNmwyC63j1h+OBKlXQgChAaB1O6HFXQY=,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
 hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
 invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
-mastodon-mail: ENC[AES256_GCM,data:RT/fS7cqbcePd2qe7CR5jRh2jtKaS81ICbMUOlPUQsY=,iv:C7GYMB0U2KIfXuEnYaoIEfV89/EnJS6V9iG97X8zkPk=,tag:L4SVe6aYGcarvX1hmMqQOw==,type:str]
+murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
 netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
 prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
 restic-ssh-key: ENC[AES256_GCM,data:9quBzUwv4qylVzESG94wSgzvuodSDM/smPh0j+LYJjXwEN1xksBIW2/Jv0XmF3Q+AWUF/C/lA2jteI3Mf6Pmn7zlqa3H7GwH8Os6/arQI3ywH2dHQLAFxgST2J0AlLGeZcJbntxW0buYw+Rz3q5Jbo+Wo9tQo+2EVvqX320qWBsEwinnahbUhZym3fipyE9g6JxGa3OFGiIn6JAQhst63WgpOfehQsAYu2bdW1gLrgFtURzDQQRQ28RxeD+nMUWRpQcq5GrX2rfSA7sengfQbmP3Ln1atp1YXctTalHsj+n4photBqLz6OfLaFKBqbdKRbinUgVAEarAocEOKk/qf1C6LS8yKjV9Mh/tKeCJQrCI/AccEP5DfMNqdRaWjoQxvjBRKaupPE7Rcuja++K/jm24nP9J8WDcrRSm0tlrVq2JnPHxJv+eUsZoGkvpyOs9AkTG1H2BCckYS5ZG4atjKoBfUvc3CitPNmPZcjSkPrkdRMZbu1BWR+cixFH9rFAUvVIn+e7sWGnqMA8xGXZS,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
@@ -16,8 +16,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-06-01T12:03:17Z"
+    lastmodified: "2024-01-10T18:29:17Z"
-    mac: ENC[AES256_GCM,data:6fJfEtnHSQV7oGZ7HMrXYH1lX8ZzfTChOZC25scDP/q5FH8QZ52OntRuQ8DbR+AKUPN/w6o4EotZVxX53Q2Xxi6QdHSqo07GDsWUnIOb5eCNGmEB3c2w20DJv2smTnEr7d6051aPzEUO0ZxUPxxlqcifC6dsdpdxySyG/VY9OQQ=,iv:KAWFRoOQKRd2tf58QYGD8SnHJk1aLwBxgkcRkPgjuN8=,tag:LJFOJuFblp53Te9zoYKq0Q==,type:str]
+    mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
     pgp:
         - created_at: "2024-01-22T00:20:10Z"
           enc: |-

machines/renge/services/mastodon.nix

@@ -1,32 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, ... }:
-
-{
-  sops.secrets.mastodon-mail = {
-    owner = config.services.mastodon.user;
-    sopsFile = ../secrets.yaml;
-  };
-
-  services.mastodon = {
-    enable = true;
-    configureNginx = true;
-    localDomain = "procrastination.space";
-    smtp = {
-      createLocally = false;
-      host = "vueko.sbruder.de";
-      port = 465;
-      user = "mastodon@sbruder.de";
-      passwordFile = config.sops.secrets.mastodon-mail.path;
-      fromAddress = config.services.mastodon.smtp.user;
-      authenticate = true;
-    };
-    streamingProcesses = 5;
-    extraConfig = {
-      SMTP_TLS = "true";
-      RAILS_LOG_LEVEL = "warn";
-    };
-  };
-}

machines/renge/services/prometheus.nix

@@ -75,7 +75,6 @@ in
           "shinobu.vpn.sbruder.de:9100"
           "nazuna.vpn.sbruder.de:9100"
           "yuzuru.vpn.sbruder.de:9100"
-          "koyomi.vpn.sbruder.de:9100"
         ];
         relabel_configs = lib.singleton {
           target_label = "instance";
@@ -83,22 +82,6 @@ in
           regex = "(.*)\\.vpn\\.sbruder\\.de:9100";
         };
       }
-      {
-        job_name = "smartctl";
-        static_configs = mkStaticTargets [
-          "fuuko.vpn.sbruder.de:9633"
-          "mayushii.vpn.sbruder.de:9633"
-          "nunotaba.vpn.sbruder.de:9633"
-          "hitagi.vpn.sbruder.de:9633"
-          "shinobu.vpn.sbruder.de:9633"
-          "koyomi.vpn.sbruder.de:9633"
-        ];
-        relabel_configs = lib.singleton {
-          target_label = "instance";
-          source_labels = lib.singleton "__address__";
-          regex = "(.*)\\.vpn\\.sbruder\\.de:9633";
-        };
-      }
       {
         job_name = "qbittorrent";
         static_configs = mkStaticTargets [

machines/renge/services/sbruder.xyz/default.nix

@@ -3,7 +3,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 { config, pkgs, ... }:
-
+let
+  goneVhost = {
+    locations."~ .*".return = "303 'https://sbruder.xyz/#history'";
+  };
+in
 {
   imports = [
     ./blocks.nix
@@ -54,4 +58,7 @@
       };
     };
   };
+
+  services.nginx.virtualHosts."nitter.sbruder.xyz" = goneVhost;
+  services.nginx.virtualHosts."libreddit.sbruder.xyz" = goneVhost;
 }

machines/vueko/configuration.nix

@@ -11,7 +11,6 @@
 
     ./services/fuuko-proxy.nix # FIXME!
     ./services/media.nix
-    ./services/murmur.nix
     ./services/restic.nix
   ];
 

machines/vueko/secrets.yaml

@@ -1,5 +1,4 @@
 media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str]
-murmur-superuser: ENC[AES256_GCM,data:D7EjnKZGSmx8ykVeKqSIAdV4Vql7ZkfEUw==,iv:I8SgiZrlCpyqNeBMJlzttFUJFGqQp5vHu6pMUz/0LoE=,tag:G6QMUh3v2QjxtoXUSoRqcA==,type:str]
 restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str]
 restic-rclone-ssh-key: ENC[AES256_GCM,data:fefY4sVBp786LeUNdLA1CZ83YGZsxP9yvoIx647fVM47jGBfJWcU8PDwbPGfp4ae5aKnuRi/+OpRQHQIuBWa8XH8mWQ0YLs3JzKavmtNqf8mh9hyiEGLSYBbokEkgSPFBxH8CuhNbzrou0cCO7ACXkXnq4Cf0jjkYR2StjsISiJ11nEnle0tchHMFPSho0W7Ph8UZvT6x1naJjBqMrZKepLMCrT4oM3gqgA3R0cvCxQyIY5BHweopDXxuZDVlIiYjG61qt6OKL7O+lt/Kfvd38i6L1CAsloFVQOv4pQwz5b/jNjH+Kg8+tbbksXz2Dm5PU7HBXyav48MqriTqVCeWpmEsbo9j/zEravtNaC/gvpc7v4H/3lqhyY181g2Fxzu3YCjheSwjhtSuLCtXCD4UdW5Ctkb5TDZrMY+NAQdeXqgCawYggN05x6s+UdSitXXHLBjvyIV5ES/7p43zjWDnddAsFQEgILffQRobA9y8VZ+Igj7wo+HJLdNnmJtcqL/j6CM4MOT4hvj1CLhhBdr,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str]
 rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str]
@@ -11,8 +10,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-06-01T12:03:28Z"
+    lastmodified: "2023-04-29T10:17:21Z"
-    mac: ENC[AES256_GCM,data:KFlisFD6k06XqF6SoQTaMNFpIPYtOgHDFArQueGBcTgjfxzdaxA8AVH1ZBeyFeEFlf4EFfduYcfnqAaGWScOvVW+jVhN/InsNkGf7alPyJ2ifzUD9yhe2/gcOF+eZqPvbTfXsdyfyqkbK7kkRyoYC61T3KPnPzTWqDk/3Chm4k8=,iv:lUbhG5/o5iepukcXHs2FYfue04EJdAbfhX1N0e1C9eA=,tag:EvPEDPoRiLXzbWeHAjTMoQ==,type:str]
+    mac: ENC[AES256_GCM,data:UfLbX+4uDg9Kp8v9lnq9RktT4ltpJYwOHBBPRhO79a1AmLXkp6GilaoMJYjkj0foL92vTUK10wIw547omySwJeY52pTGAvw1IXVaxNp395KLlMPl3EwLS3xj4c0bhzcVEyFl/fxG2gk6BJOzvQXaMYo4COEzDdK6ZDGZKZVKEAM=,iv:mR9Nq+s7wHeZdP6/gW9+zJd/wa1Y4Q5saACwnMOFOZQ=,tag:yYYF8/mKnbxzmPa6nWIGbA==,type:str]
     pgp:
         - created_at: "2024-01-22T00:20:08Z"
           enc: |-
@@ -83,4 +82,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 4EA330328CD0D3076E90960194DFA4953D8729DE
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3

machines/yuzuru/services/static-sites.nix

@@ -1,9 +1,7 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-{ config, ... }:
-
 {
   services.nginx.virtualHosts = {
     "brennende.autos" = {
@@ -21,18 +19,6 @@
   };
 
   sbruder.static-webserver.vhosts = {
-    "arbeitskampf.work".user = {
-      name = "arbeitskampf";
-    };
-
-    "maggus.bayern".user = {
-      name = "maggus";
-      keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
-      ] ++ config.sbruder.pubkeys.trustedKeys;
-    };
-
     "psycho-power-papagei.de" = {
       user.name = "papagei";
       imprint.enable = true;

modules/authoritative-dns.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -15,7 +15,7 @@ let
   addresses = {
     vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
     renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ];
-    okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ];
+    okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
     yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
   };
 in

modules/default.nix

@@ -33,6 +33,7 @@
     ./ausweisapp.nix
     ./authoritative-dns.nix
     ./cups.nix
+    ./docker.nix
     ./fancontrol.nix
     ./flatpak.nix
     ./fonts.nix
@@ -54,9 +55,7 @@
     ./nix.nix
     ./office.nix
     ./pipewire.nix
-    ./podman.nix
     ./prometheus/node_exporter.nix
-    ./prometheus/smartctl_exporter.nix
     ./pubkeys.nix
     ./qbittorrent
     ./restic
@@ -81,11 +80,9 @@
         git-lfs # not so essential, but required to clone config
         htop
         tmux
+        vim
       ];
 
-      programs.nano.enable = false;
-      programs.vim.defaultEditor = true;
-
       # Clean temporary files on boot
       boot.tmp.cleanOnBoot = true;
 
@@ -113,8 +110,6 @@
       # Support for exotic file systems
       boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
 
-      programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);
-
       # When this is set to true (default), routing everything through a
       # wireguard tunnel does not work.
       networking.firewall.checkReversePath = false;
@@ -166,8 +161,8 @@
     (lib.mkIf (!config.sbruder.machine.isVm) {
       # Hard drive monitoring
       services.smartd.enable = lib.mkDefault true;
-      # Firmware updates (only work on EFI systems, so enable only when using systemd-boot)
+      # Firmware updates
-      services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable);
+      services.fwupd.enable = lib.mkDefault true;
     })
     (lib.mkIf (!config.sbruder.full) {
       documentation.enable = lib.mkDefault false;

modules/docker.nix

@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, ... }:
+
+{
+  # This uses a custom option (instead of `virtualisation.docker.enable`) since
+  # `virtualisation.oci-containers` conditionally sets
+  # `virtualisation.docker.enable` and therefore causes an infinite recursion.
+  options.sbruder.docker.enable = lib.mkEnableOption "docker with ipv6nat";
+
+  config = lib.mkIf config.sbruder.docker.enable {
+    environment.systemPackages = with pkgs; [
+      docker-compose
+      docker-credential-helpers
+      docker-ls
+    ];
+
+    virtualisation = {
+      docker = {
+        enable = true;
+        logDriver = "journald";
+        extraOptions = lib.concatStringsSep " " [
+          "--ipv6"
+          "--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
+        ];
+      };
+
+      oci-containers.containers.ipv6nat = {
+        image = "robbertkl/ipv6nat";
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock:ro"
+        ];
+        extraOptions = [
+          "--network=host"
+          "--cap-drop=ALL"
+          "--cap-add=NET_ADMIN"
+          "--cap-add=NET_RAW"
+          "--cap-add=SYS_MODULE"
+        ];
+      };
+    };
+
+    environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n";
+  };
+}

modules/podman.nix

@@ -1,29 +0,0 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, pkgs, ... }:
-
-{
-  options.sbruder.podman.enable = lib.mkEnableOption "podman";
-
-  config = lib.mkIf config.sbruder.podman.enable {
-    boot.enableContainers = false; # FIXME: this only needs to be set for some stateVersions
-
-    environment.systemPackages = with pkgs; [
-      buildah
-      podman-compose
-      skopeo
-    ];
-
-    virtualisation = {
-      podman = {
-        enable = true;
-        dockerSocket.enable = true;
-        defaultNetwork.settings = {
-          ipv6_enabled = true;
-        };
-      };
-    };
-  };
-}

modules/prometheus/smartctl_exporter.nix

@@ -1,22 +0,0 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, ... }:
-
-{
-  services.prometheus.exporters.smartctl = {
-    enable = config.sbruder.wireguard.home.enable && !config.sbruder.machine.isVm;
-    listenAddress = config.sbruder.wireguard.home.address;
-    # devices need to be specified for all systems that use NVMe
-    # https://github.com/NixOS/nixpkgs/issues/210041
-  };
-
-  systemd.services.prometheus-smartctl-exporter = {
-    after = [ "wireguard-wg-home.service" ];
-    serviceConfig = {
-      IPAddressAllow = lib.singleton config.sbruder.wireguard.home.subnet;
-      IPAddressDeny = "any";
-    };
-  };
-}

modules/restic/system.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -28,8 +28,6 @@ let
     "/home/*/mounts"
 
     # Docker (state should be kept somewhere else)
-    "/home/*/.local/share/containers" # podman
-    "/var/lib/containers/"
     "/var/lib/docker/"
 
     # Static configuration (generated from this repository)

modules/ssh.nix

@@ -60,12 +60,12 @@
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
     };
     okarin = {
-      hostNames = [ "okarin" "okarin.sbruder.de" "okarin.vpn.sbruder.de" ];
+      hostNames = [ "okarin" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaev8K5KhRovW75IdZ0HYlzvxxo0haeCM0xCVEOuDSa";
     };
     okarin-initrd = {
       hostNames = [ "[okarin.sbruder.de]:2222" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
     };
     shinobu = {
       hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];
@@ -87,13 +87,5 @@
       hostNames = [ "[yuzuru.sbruder.de]:2222" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
     };
-    koyomi = {
-      hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
-    };
-    koyomi-initrd = {
-      hostNames = [ "[koyomi.sbruder.de]:2222" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
-    };
   };
 }

modules/tools.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -48,10 +48,9 @@
     dmidecode # hardware information
     hdparm # hard drive management
     lm_sensors # temperature sensors
-    nvme-cli # NVMe management
     parted # partition manager
     pciutils # lspci
-    (reptyr.overrideAttrs (o: o // { doCheck = false; })) # move process to current terminal # tests fail on qemu-user-aarch64 (TODO 24.05: remove)
+    reptyr # move process to current terminal
     smartmontools # hard drive monitoring
     tcpdump # package inspector
     tio # serial console

modules/wireguard/home.nix

@@ -33,8 +33,8 @@ let
       publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
     };
     okarin = {
-      address = "10.80.0.14";
+      address = "10.80.0.10";
-      publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
+      publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
     };
     shinobu = {
       address = "10.80.0.12";
@@ -48,10 +48,6 @@ let
       address = "10.80.0.16";
       publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
     };
-    koyomi = {
-      address = "10.80.0.17";
-      publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
-    };
   };
 
   cfg = config.sbruder.wireguard.home;

pkgs/contact-page/src/index.html

@@ -24,10 +24,6 @@ SPDX-License-Identifier: CC-BY-SA-4.0
           <td>Matrix</td>
           <td><a id="matrix" href="#">(requires javascript)</a></td>
         </tr>
-        <tr>
-          <td>Fediverse</td>
-          <td><a rel="me" href="https://procrastination.space/@simon">@simon@procrastination.space</a></td>
-        </tr>
         <tr>
           <td>Codeberg</td>
           <td><a href="https://codeberg.org/sbruder">sbruder</a></td>

users/simon/modules/gpg.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-{ lib, nixosConfig, pkgs, ... }:
+{ nixosConfig, pkgs, ... }:
 
 {
   programs.gpg = {
@@ -18,7 +18,7 @@
   services.gpg-agent = rec {
     enable = true;
     enableZshIntegration = true;
-    enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
+    enableSshSupport = true;
 
     pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
 

users/simon/modules/mpd.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -73,7 +73,6 @@ lib.mkIf nixosConfig.sbruder.gui.enable {
 
       # Lyrics
       lyrics_directory = "${config.services.mpd.musicDirectory}/lyrics";
-      follow_now_playing_lyrics = true;
 
       # Misc
       external_editor = "nvim";

users/simon/modules/neovim/default.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -54,7 +54,7 @@ in
       haskell-language-server
       jdt-language-server
       unstable.ltex-ls
-      nixd
+      rnix-lsp
       rust-analyzer
       (python3.withPackages (ps: with ps; [
         pyls-isort

users/simon/modules/neovim/init.lua

@@ -1,4 +1,4 @@
--- SPDX-FileCopyrightText: 2018-2024 Simon Bruder <simon@sbruder.de>
+-- SPDX-FileCopyrightText: 2018-2023 Simon Bruder <simon@sbruder.de>
 --
 -- SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -348,7 +348,7 @@ lsp.ltex.setup {
 lsp.pylsp.setup {
     on_attach = on_attach,
 }
-lsp.nixd.setup {
+lsp.rnix.setup {
     on_attach = on_attach,
 }
 lsp.rust_analyzer.setup {

users/simon/modules/pass.nix

@@ -1,8 +1,8 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   programs.password-store = {
     enable = true;
@@ -19,9 +19,4 @@
     enable = true;
     browsers = [ "librewolf" ];
   };
-
-  services.pass-secret-service = {
-    enable = true;
-    storePath = "${config.xdg.dataHome}/secret-service-password-store";
-  };
 }