okarin: Migrate to different VPS

Previously, it was hosted on Ionos’s VMware-based infrastructure. I
already had a VPS on their new KVM-based infrastructure, as I was
planning to migrate okarin to it eventually (as it is cheaper). However,
the new infrastructure does not offer PTR records for IPv6 addresses.
Therefore, I was waiting until they would implement that feature (as the
support promised me they would to in the near future).

However, they are now migrating the (at least my) guests from their
VMware hypervisors onto the KVM ones, assigning new IPv6 addresses to
them. This makes the old VPS essentially the same as the old one, but
with less memory and more expensive. So I decided to migrate now.

.sops.yaml

@@ -19,7 +19,6 @@ keys:
   - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
   - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
   - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
-  - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
 creation_rules:
   - path_regex: machines/nunotaba/secrets\.yaml$
     key_groups:
@@ -98,13 +97,6 @@ creation_rules:
       - *simon-alpha
       - *simon-beta
       - *yuzuru
-  - path_regex: machines/koyomi/secrets\.yaml$
-    key_groups:
-    - pgp:
-      - *simon
-      - *simon-alpha
-      - *simon-beta
-      - *koyomi
   - path_regex: secrets\.yaml$
     key_groups:
     - pgp:
@@ -117,4 +109,3 @@ creation_rules:
       - *fuuko
       - *mayushii
       - *renge
-      - *koyomi

flake.lock

@@ -85,11 +85,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715381426,
-        "narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
+        "lastModified": 1712386041,
+        "narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
+        "rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716457508,
-        "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
+        "lastModified": 1712989663,
+        "narHash": "sha256-r2X/DIAyKOLiHoncjcxUk1TENWDTTaigRBaY53Cts/w=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
+        "rev": "40ab43ae98cb3e6f07eaeaa3f3ed56d589da21b0",
         "type": "github"
       },
       "original": {
@@ -205,6 +205,9 @@
     "nix-pre-commit-hooks": {
       "inputs": {
         "flake-compat": "flake-compat",
+        "flake-utils": [
+          "flake-utils"
+        ],
         "gitignore": "gitignore",
         "nixpkgs": [
           "nixpkgs-unstable"
@@ -212,11 +215,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1716213921,
-        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
+        "lastModified": 1712897695,
+        "narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
+        "rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
         "type": "github"
       },
       "original": {
@@ -228,11 +231,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1716173274,
-        "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
+        "lastModified": 1712909959,
+        "narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
+        "rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
         "type": "github"
       },
       "original": {
@@ -244,11 +247,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1716361217,
-        "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
+        "lastModified": 1712741485,
+        "narHash": "sha256-bCs0+MSTra80oXAsnM6Oq62WsirOIaijQ/BbUY59tR4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
+        "rev": "b2cf36f43f9ef2ded5711b30b1f393ac423d8f72",
         "type": "github"
       },
       "original": {
@@ -303,11 +306,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1716061101,
-        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+        "lastModified": 1712437997,
+        "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+        "rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
         "type": "github"
       },
       "original": {
@@ -319,11 +322,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1716330097,
-        "narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
+        "lastModified": 1712791164,
+        "narHash": "sha256-3sbWO1mbpWsLepZGbWaMovSO7ndZeFqDSdX0hZ9nVyw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
+        "rev": "1042fd8b148a9105f3c0aca3a6177fd1d9360ba5",
         "type": "github"
       },
       "original": {
@@ -450,11 +453,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1716400300,
-        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+        "lastModified": 1712617241,
+        "narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+        "rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -23,6 +23,7 @@
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
 
     nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
+    nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
     nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
 
     sops-nix.url = "github:Mic92/sops-nix";
@@ -155,11 +156,12 @@
                 pkgs.writeShellScript "unlock-${hostname}" ''
                   set -exo pipefail
                   # opening luks fails if gpg-agent is not unlocked yet
-                  pass "devices/${hostname}/luks" | ssh \
+                  pass "devices/${hostname}/luks" >/dev/null
+                  ssh \
                       ${lib.optionalString unlockOverV4 "-4"} \
                       -p 2222 \
                       "root@${targetHost}" \
-                      "cat > /crypt-ramfs/passphrase"
+                      "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
                 '')
               self.nixosConfigurations);
 

keys/machines/koyomi.asc

@@ -1,28 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
-bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
-VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
-bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
-JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
-8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
-y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
-eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
-+VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
-KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
-1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
-/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
-CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
-/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
-J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
-gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
-QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
-MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
-HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
-DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
-kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
-CxhNpGhTpzl96WA2WsNP9Q==
-=slmv
------END PGP PUBLIC KEY BLOCK-----

machines/default.nix

@@ -23,9 +23,6 @@ in
   };
   vueko = {
     system = "aarch64-linux";
-    extraModules = [
-      "${inputs.infinisilSystem}/config/new-modules/murmur.nix"
-    ];
 
     targetHost = "vueko.sbruder.de";
   };
@@ -49,6 +46,9 @@ in
   };
   renge = {
     system = "aarch64-linux";
+    extraModules = [
+      "${inputs.infinisilSystem}/config/new-modules/murmur.nix"
+    ];
 
     targetHost = "renge.sbruder.de";
   };
@@ -76,13 +76,4 @@ in
 
     targetHost = "yuzuru.sbruder.de";
   };
-  koyomi = {
-    system = "x86_64-linux";
-    extraModules = [
-      hardware.common-cpu-intel
-      hardware.common-pc-ssd
-    ];
-
-    targetHost = "koyomi.sbruder.de";
-  };
 }

machines/fuuko/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -92,8 +92,6 @@
     }
   ];
 
-  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/sda" "/dev/sdb" "/dev/sdc" ];
-
   powerManagement.cpuFreqGovernor = "schedutil";
 
   networking = {

machines/hitagi/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -55,8 +55,6 @@
     { device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; }
   ];
 
-  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
-
   # GPU
   hardware.opengl = {
     package = pkgs.mesa.drivers;

machines/koyomi/README.md

@@ -1,37 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-
-SPDX-License-Identifier: CC-BY-SA-4.0
--->
-
-# koyomi
-
-## Hardware
-
-System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
-
-- Motherboard: FUJITSU D3401-H1
-- CPU: Intel Core i7-6700
-- RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
-- SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
-
-## Setup
-
-As it is a physical server (not a VM) in a remote location,
-extra care must be taken when installing.
-Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
-and a rescue system that can be activated before a reboot.
-Additionally, there is also a *vKVM* rescue system,
-that boots a hypervisor from the network and runs a VM which boots from the physical disks.
-
-The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
-Ideally, everything goes well and the next reboot works,
-but in the case it does not, the vKVM rescue system can be used for debugging.
-
-## Purpose
-
-Hypervisor. Exact scope is to be determined.
-
-## Name
-
-Araragi Koyomi is a student from the *Monogatari Series*.

machines/koyomi/configuration.nix

@@ -1,23 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../modules
-
-    ./services/hypervisor.nix
-  ];
-
-  sbruder = {
-    wireguard.home.enable = true;
-    podman.enable = true;
-  };
-
-  networking.hostName = "koyomi";
-
-  system.stateVersion = "23.11";
-}

machines/koyomi/hardware-configuration.nix

@@ -1,74 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ modulesPath, pkgs, ... }:
-
-{
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
-  boot = {
-    swraid.enable = true;
-    kernelModules = [ "kvm-intel" ];
-    kernelParams = [ "ip=dhcp" ];
-    loader = {
-      grub = {
-        devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
-      };
-    };
-    initrd = {
-      availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
-      kernelModules = [ "dm-snapshot" ];
-      network.enable = true; # remote unlocking
-      luks.devices = {
-        koyomi-pv = {
-          name = "koyomi-pv";
-          device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
-          preLVM = true;
-          allowDiscards = true;
-        };
-      };
-
-      # FIXME XXX HACK
-      # This is required to have the md device available under /dev/disk/by-uuid.
-      # Both commands are run as part of the regular stage-1 init script,
-      # but for some reason, they need to be run twice.
-      preLVMCommands = ''
-        udevadm trigger
-        udevadm settle
-      '';
-    };
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
-      fsType = "btrfs";
-      options = [ "discard=async" "noatime" "compress=zstd" ];
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/12CE-A600";
-      fsType = "vfat";
-    };
-  };
-
-  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
-
-  networking.useDHCP = false;
-  networking.usePredictableInterfaceNames = false;
-  systemd.network = {
-    enable = true;
-    networks = {
-      eth0 = {
-        name = "eth0";
-        DHCP = "yes";
-        domains = [ "sbruder.de" ];
-        address = [ "2a01:4f8:151:712d::1/64" ];
-        gateway = [ "fe80::1" ];
-      };
-    };
-  };
-}

machines/koyomi/secrets.yaml

@@ -1,72 +0,0 @@
-wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2024-05-11T21:49:03Z"
-    mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
-    pgp:
-        - created_at: "2024-05-11T21:48:51Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
-            qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
-            hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
-            in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
-            hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
-            dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
-            1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
-            TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
-            iXDXWxIe5PY=
-            =zp+l
-            -----END PGP MESSAGE-----
-          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
-        - created_at: "2024-05-11T21:48:51Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
-            WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
-            1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
-            dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
-            8GoFUoOn6tE=
-            =A7C7
-            -----END PGP MESSAGE-----
-          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
-        - created_at: "2024-05-11T21:48:51Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
-            pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
-            1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
-            rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
-            K0oWZqedIzU=
-            =Z8wz
-            -----END PGP MESSAGE-----
-          fp: 403215E0F99D2582C7055C512C77841620B8F380
-        - created_at: "2024-05-11T21:48:51Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
-            exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
-            UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
-            ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
-            uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
-            OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
-            OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
-            cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
-            Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
-            gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
-            HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
-            VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
-            +Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
-            =bvPZ
-            -----END PGP MESSAGE-----
-          fp: a53d4ca8d2cf54613822c81d660e69babee42643
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

machines/koyomi/services/hypervisor.nix

@@ -1,133 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ lib, pkgs, ... }:
-let
-  guests = {
-    forgejo-actions-runner = {
-      mac = "42:80:00:00:00:02";
-      v4 = "10.80.32.2";
-      v6 = "2a01:4f8:151:712d:1::2";
-    };
-  };
-
-  # port forwarding for IPv4
-  portForwards = {
-    tcp = { };
-    udp = { };
-  };
-in
-{
-  virtualisation.libvirtd = {
-    enable = true;
-    qemu.package = pkgs.qemu_kvm;
-  };
-
-  boot.kernel.sysctl = {
-    "net.ipv4.conf.all.forwarding" = true;
-    "net.ipv6.conf.all.forwarding" = true;
-  };
-
-  systemd.network = {
-    enable = true;
-    netdevs = {
-      br-virt = {
-        netdevConfig = {
-          Name = "br-virt";
-          Kind = "bridge";
-        };
-      };
-    };
-    networks = {
-      br-virt = {
-        name = "br-virt";
-        address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
-      };
-    };
-  };
-  services.resolved.enable = false;
-
-  services.dnsmasq = {
-    enable = true;
-
-    settings = {
-      interface = [ "br-virt" ];
-
-      bind-interfaces = true; # do not bind to the wildcard interface
-      bogus-priv = true; # do not forward revese lookups of internal addresses
-      dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
-      domain-needed = true; # do not forward names without domain
-      no-hosts = true; # do not resolve hosts from /etc/hosts
-      no-resolv = true; # only use explicitly configured resolvers
-
-      domain = [ "sbruder.de" ];
-
-      enable-ra = true; # required to tell clients to use DHCPv6
-
-      # Force static configuration
-      dhcp-range = [
-        "10.80.32.0,static,255.255.255.0"
-        "2a01:4f8:151:712d:1::,static,80"
-      ];
-
-      dhcp-host = lib.flatten (lib.mapAttrsToList
-        (name: { mac, v4, v6 }: [
-          "${mac},${v4},${name}"
-          "${mac},[${v6}],${name}"
-        ])
-        guests);
-
-      # Hetzner recursive name servers
-      # https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
-      server = [
-        "185.12.64.1"
-        "185.12.64.2"
-        "2a01:4ff:ff00::add:1"
-        "2a01:4ff:ff00::add:2"
-      ];
-    };
-  };
-
-  networking.firewall = {
-    allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
-    allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
-
-    interfaces.br-virt = {
-      allowedTCPPorts = [ 53 ]; # EDNS
-      allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
-    };
-  };
-
-  networking.nftables = {
-    enable = true;
-    ruleset = ''
-      # only IPv4
-      table ip hypervisor-nat {
-        chain postrouting {
-          type nat hook postrouting priority filter; policy accept
-          oifname eth0 masquerade
-        }
-
-        chain prerouting {
-          type nat hook prerouting priority dstnat; policy accept
-          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
-            iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
-          '') portForwards.tcp)}
-          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
-            iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
-          '') portForwards.udp)}
-        }
-      }
-
-      table inet hypervisor-filter {
-        chain forward {
-          type filter hook forward priority filter; policy drop
-
-          iifname br-virt oifname eth0 counter accept
-          iifname eth0 oifname br-virt counter accept
-        }
-      }
-    '';
-  };
-}

machines/mayushii/configuration.nix

@@ -19,7 +19,6 @@
     gui.enable = true;
     media-proxy.enable = true;
     mullvad.enable = true;
-    podman.enable = true;
     restic.system = {
       enable = true;
       qos = true;

machines/mayushii/hardware-configuration.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -45,8 +45,6 @@
     };
   };
 
-  services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" ];
-
   powerManagement = {
     cpuFreqGovernor = "schedutil";
   };

machines/okarin/services/proxy.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 

machines/renge/configuration.nix

@@ -17,8 +17,8 @@
     ./services/grafana.nix
     ./services/hedgedoc.nix
     ./services/invidious
-    ./services/mastodon.nix
     ./services/matrix
+    ./services/murmur.nix
     ./services/password-hash-self-service.nix
     ./services/prometheus.nix
     ./services/sbruder.xyz

machines/renge/secrets.yaml

@@ -2,7 +2,7 @@ forgejo-mail: ENC[AES256_GCM,data:3AlFHzVBA5TE4qv5ubG39K0varV8/HabO0q/RJZSD5o=,i
 go-neb-overrides: ENC[AES256_GCM,data:1xy+SdsSTuerRox4skitg1mKLr1MoANFoCzz76TKSA31ORo/oUWVGrYxfusZxrFQWjYGRFpSYzmkzPn1RoWmbXyfwPEcisvjenXLNvwcyoontBd7TiiLdukEtya6RfGLRGKc8tfCzbDUWgiYz5IDMFBvKGnewFjB+au0/Ge2+2DTw6M4negjCz343TO/vbyTr5xT/5smmKz7Ouk9SbEo7yEuHkQPQfedGw2PYT82zdXd/Eje3Zq2EB4xcUU7beGrF1zkOdXQ4OVqB8XnkCnuLtNlnJtsffm0rbPDPD3/nhHKpJ8jXrN54V14dSnHW7yOifGMIus0VFMRZcIT7A+BroM9qzJhW3F4gsF1Bwp0CF+6zLLRjgpA0EOyvOwpLIftBZfMIpveAH62MVY0IBfwDdkI1itEOjj9EhTrOGxBx45Cj6Qk3Mk6ncyr15+E+KAmQRxZJrEW8Grk4PyzuxtxYd0n8LSaRUe1eNVUhHkQNpo/zvAPgrzcRnM91EwIoMvlNmwyC63j1h+OBKlXQgChAaB1O6HFXQY=,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
 hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
 invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
-mastodon-mail: ENC[AES256_GCM,data:RT/fS7cqbcePd2qe7CR5jRh2jtKaS81ICbMUOlPUQsY=,iv:C7GYMB0U2KIfXuEnYaoIEfV89/EnJS6V9iG97X8zkPk=,tag:L4SVe6aYGcarvX1hmMqQOw==,type:str]
+murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
 netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
 prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
 restic-ssh-key: ENC[AES256_GCM,data:9quBzUwv4qylVzESG94wSgzvuodSDM/smPh0j+LYJjXwEN1xksBIW2/Jv0XmF3Q+AWUF/C/lA2jteI3Mf6Pmn7zlqa3H7GwH8Os6/arQI3ywH2dHQLAFxgST2J0AlLGeZcJbntxW0buYw+Rz3q5Jbo+Wo9tQo+2EVvqX320qWBsEwinnahbUhZym3fipyE9g6JxGa3OFGiIn6JAQhst63WgpOfehQsAYu2bdW1gLrgFtURzDQQRQ28RxeD+nMUWRpQcq5GrX2rfSA7sengfQbmP3Ln1atp1YXctTalHsj+n4photBqLz6OfLaFKBqbdKRbinUgVAEarAocEOKk/qf1C6LS8yKjV9Mh/tKeCJQrCI/AccEP5DfMNqdRaWjoQxvjBRKaupPE7Rcuja++K/jm24nP9J8WDcrRSm0tlrVq2JnPHxJv+eUsZoGkvpyOs9AkTG1H2BCckYS5ZG4atjKoBfUvc3CitPNmPZcjSkPrkdRMZbu1BWR+cixFH9rFAUvVIn+e7sWGnqMA8xGXZS,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
@@ -16,8 +16,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-06-01T12:03:17Z"
-    mac: ENC[AES256_GCM,data:6fJfEtnHSQV7oGZ7HMrXYH1lX8ZzfTChOZC25scDP/q5FH8QZ52OntRuQ8DbR+AKUPN/w6o4EotZVxX53Q2Xxi6QdHSqo07GDsWUnIOb5eCNGmEB3c2w20DJv2smTnEr7d6051aPzEUO0ZxUPxxlqcifC6dsdpdxySyG/VY9OQQ=,iv:KAWFRoOQKRd2tf58QYGD8SnHJk1aLwBxgkcRkPgjuN8=,tag:LJFOJuFblp53Te9zoYKq0Q==,type:str]
+    lastmodified: "2024-01-10T18:29:17Z"
+    mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
     pgp:
         - created_at: "2024-01-22T00:20:10Z"
           enc: |-

machines/renge/services/mastodon.nix

@@ -1,32 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, ... }:
-
-{
-  sops.secrets.mastodon-mail = {
-    owner = config.services.mastodon.user;
-    sopsFile = ../secrets.yaml;
-  };
-
-  services.mastodon = {
-    enable = true;
-    configureNginx = true;
-    localDomain = "procrastination.space";
-    smtp = {
-      createLocally = false;
-      host = "vueko.sbruder.de";
-      port = 465;
-      user = "mastodon@sbruder.de";
-      passwordFile = config.sops.secrets.mastodon-mail.path;
-      fromAddress = config.services.mastodon.smtp.user;
-      authenticate = true;
-    };
-    streamingProcesses = 5;
-    extraConfig = {
-      SMTP_TLS = "true";
-      RAILS_LOG_LEVEL = "warn";
-    };
-  };
-}

machines/renge/services/prometheus.nix

@@ -75,7 +75,6 @@ in
           "shinobu.vpn.sbruder.de:9100"
           "nazuna.vpn.sbruder.de:9100"
           "yuzuru.vpn.sbruder.de:9100"
-          "koyomi.vpn.sbruder.de:9100"
         ];
         relabel_configs = lib.singleton {
           target_label = "instance";
@@ -83,22 +82,6 @@ in
           regex = "(.*)\\.vpn\\.sbruder\\.de:9100";
         };
       }
-      {
-        job_name = "smartctl";
-        static_configs = mkStaticTargets [
-          "fuuko.vpn.sbruder.de:9633"
-          "mayushii.vpn.sbruder.de:9633"
-          "nunotaba.vpn.sbruder.de:9633"
-          "hitagi.vpn.sbruder.de:9633"
-          "shinobu.vpn.sbruder.de:9633"
-          "koyomi.vpn.sbruder.de:9633"
-        ];
-        relabel_configs = lib.singleton {
-          target_label = "instance";
-          source_labels = lib.singleton "__address__";
-          regex = "(.*)\\.vpn\\.sbruder\\.de:9633";
-        };
-      }
       {
         job_name = "qbittorrent";
         static_configs = mkStaticTargets [

machines/vueko/configuration.nix

@@ -11,7 +11,6 @@
 
     ./services/fuuko-proxy.nix # FIXME!
     ./services/media.nix
-    ./services/murmur.nix
     ./services/restic.nix
   ];
 

machines/vueko/secrets.yaml

@@ -1,5 +1,4 @@
 media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str]
-murmur-superuser: ENC[AES256_GCM,data:D7EjnKZGSmx8ykVeKqSIAdV4Vql7ZkfEUw==,iv:I8SgiZrlCpyqNeBMJlzttFUJFGqQp5vHu6pMUz/0LoE=,tag:G6QMUh3v2QjxtoXUSoRqcA==,type:str]
 restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str]
 restic-rclone-ssh-key: ENC[AES256_GCM,data:fefY4sVBp786LeUNdLA1CZ83YGZsxP9yvoIx647fVM47jGBfJWcU8PDwbPGfp4ae5aKnuRi/+OpRQHQIuBWa8XH8mWQ0YLs3JzKavmtNqf8mh9hyiEGLSYBbokEkgSPFBxH8CuhNbzrou0cCO7ACXkXnq4Cf0jjkYR2StjsISiJ11nEnle0tchHMFPSho0W7Ph8UZvT6x1naJjBqMrZKepLMCrT4oM3gqgA3R0cvCxQyIY5BHweopDXxuZDVlIiYjG61qt6OKL7O+lt/Kfvd38i6L1CAsloFVQOv4pQwz5b/jNjH+Kg8+tbbksXz2Dm5PU7HBXyav48MqriTqVCeWpmEsbo9j/zEravtNaC/gvpc7v4H/3lqhyY181g2Fxzu3YCjheSwjhtSuLCtXCD4UdW5Ctkb5TDZrMY+NAQdeXqgCawYggN05x6s+UdSitXXHLBjvyIV5ES/7p43zjWDnddAsFQEgILffQRobA9y8VZ+Igj7wo+HJLdNnmJtcqL/j6CM4MOT4hvj1CLhhBdr,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str]
 rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str]
@@ -11,8 +10,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-06-01T12:03:28Z"
-    mac: ENC[AES256_GCM,data:KFlisFD6k06XqF6SoQTaMNFpIPYtOgHDFArQueGBcTgjfxzdaxA8AVH1ZBeyFeEFlf4EFfduYcfnqAaGWScOvVW+jVhN/InsNkGf7alPyJ2ifzUD9yhe2/gcOF+eZqPvbTfXsdyfyqkbK7kkRyoYC61T3KPnPzTWqDk/3Chm4k8=,iv:lUbhG5/o5iepukcXHs2FYfue04EJdAbfhX1N0e1C9eA=,tag:EvPEDPoRiLXzbWeHAjTMoQ==,type:str]
+    lastmodified: "2023-04-29T10:17:21Z"
+    mac: ENC[AES256_GCM,data:UfLbX+4uDg9Kp8v9lnq9RktT4ltpJYwOHBBPRhO79a1AmLXkp6GilaoMJYjkj0foL92vTUK10wIw547omySwJeY52pTGAvw1IXVaxNp395KLlMPl3EwLS3xj4c0bhzcVEyFl/fxG2gk6BJOzvQXaMYo4COEzDdK6ZDGZKZVKEAM=,iv:mR9Nq+s7wHeZdP6/gW9+zJd/wa1Y4Q5saACwnMOFOZQ=,tag:yYYF8/mKnbxzmPa6nWIGbA==,type:str]
     pgp:
         - created_at: "2024-01-22T00:20:08Z"
           enc: |-
@@ -83,4 +82,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 4EA330328CD0D3076E90960194DFA4953D8729DE
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3

modules/authoritative-dns.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 

modules/default.nix

@@ -33,6 +33,7 @@
     ./ausweisapp.nix
     ./authoritative-dns.nix
     ./cups.nix
+    ./docker.nix
     ./fancontrol.nix
     ./flatpak.nix
     ./fonts.nix
@@ -54,9 +55,7 @@
     ./nix.nix
     ./office.nix
     ./pipewire.nix
-    ./podman.nix
     ./prometheus/node_exporter.nix
-    ./prometheus/smartctl_exporter.nix
     ./pubkeys.nix
     ./qbittorrent
     ./restic
@@ -81,11 +80,9 @@
         git-lfs # not so essential, but required to clone config
         htop
         tmux
+        vim
       ];
 
-      programs.nano.enable = false;
-      programs.vim.defaultEditor = true;
-
       # Clean temporary files on boot
       boot.tmp.cleanOnBoot = true;
 
@@ -113,8 +110,6 @@
       # Support for exotic file systems
       boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
 
-      programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);
-
       # When this is set to true (default), routing everything through a
       # wireguard tunnel does not work.
       networking.firewall.checkReversePath = false;
@@ -166,8 +161,8 @@
     (lib.mkIf (!config.sbruder.machine.isVm) {
       # Hard drive monitoring
       services.smartd.enable = lib.mkDefault true;
-      # Firmware updates (only work on EFI systems, so enable only when using systemd-boot)
-      services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable);
+      # Firmware updates
+      services.fwupd.enable = lib.mkDefault true;
     })
     (lib.mkIf (!config.sbruder.full) {
       documentation.enable = lib.mkDefault false;

modules/docker.nix

@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, ... }:
+
+{
+  # This uses a custom option (instead of `virtualisation.docker.enable`) since
+  # `virtualisation.oci-containers` conditionally sets
+  # `virtualisation.docker.enable` and therefore causes an infinite recursion.
+  options.sbruder.docker.enable = lib.mkEnableOption "docker with ipv6nat";
+
+  config = lib.mkIf config.sbruder.docker.enable {
+    environment.systemPackages = with pkgs; [
+      docker-compose
+      docker-credential-helpers
+      docker-ls
+    ];
+
+    virtualisation = {
+      docker = {
+        enable = true;
+        logDriver = "journald";
+        extraOptions = lib.concatStringsSep " " [
+          "--ipv6"
+          "--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
+        ];
+      };
+
+      oci-containers.containers.ipv6nat = {
+        image = "robbertkl/ipv6nat";
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock:ro"
+        ];
+        extraOptions = [
+          "--network=host"
+          "--cap-drop=ALL"
+          "--cap-add=NET_ADMIN"
+          "--cap-add=NET_RAW"
+          "--cap-add=SYS_MODULE"
+        ];
+      };
+    };
+
+    environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n";
+  };
+}

modules/podman.nix

@@ -1,29 +0,0 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, pkgs, ... }:
-
-{
-  options.sbruder.podman.enable = lib.mkEnableOption "podman";
-
-  config = lib.mkIf config.sbruder.podman.enable {
-    boot.enableContainers = false; # FIXME: this only needs to be set for some stateVersions
-
-    environment.systemPackages = with pkgs; [
-      buildah
-      podman-compose
-      skopeo
-    ];
-
-    virtualisation = {
-      podman = {
-        enable = true;
-        dockerSocket.enable = true;
-        defaultNetwork.settings = {
-          ipv6_enabled = true;
-        };
-      };
-    };
-  };
-}

modules/prometheus/smartctl_exporter.nix

@@ -1,22 +0,0 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-{ config, lib, ... }:
-
-{
-  services.prometheus.exporters.smartctl = {
-    enable = config.sbruder.wireguard.home.enable && !config.sbruder.machine.isVm;
-    listenAddress = config.sbruder.wireguard.home.address;
-    # devices need to be specified for all systems that use NVMe
-    # https://github.com/NixOS/nixpkgs/issues/210041
-  };
-
-  systemd.services.prometheus-smartctl-exporter = {
-    after = [ "wireguard-wg-home.service" ];
-    serviceConfig = {
-      IPAddressAllow = lib.singleton config.sbruder.wireguard.home.subnet;
-      IPAddressDeny = "any";
-    };
-  };
-}

modules/restic/system.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -28,8 +28,6 @@ let
     "/home/*/mounts"
 
     # Docker (state should be kept somewhere else)
-    "/home/*/.local/share/containers" # podman
-    "/var/lib/containers/"
     "/var/lib/docker/"
 
     # Static configuration (generated from this repository)

modules/ssh.nix

@@ -87,13 +87,5 @@
       hostNames = [ "[yuzuru.sbruder.de]:2222" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
     };
-    koyomi = {
-      hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
-    };
-    koyomi-initrd = {
-      hostNames = [ "[koyomi.sbruder.de]:2222" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
-    };
   };
 }

modules/tools.nix

@@ -48,7 +48,6 @@
     dmidecode # hardware information
     hdparm # hard drive management
     lm_sensors # temperature sensors
-    nvme-cli # NVMe management
     parted # partition manager
     pciutils # lspci
     (reptyr.overrideAttrs (o: o // { doCheck = false; })) # move process to current terminal # tests fail on qemu-user-aarch64 (TODO 24.05: remove)

modules/wireguard/home.nix

@@ -48,10 +48,6 @@ let
       address = "10.80.0.16";
       publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
     };
-    koyomi = {
-      address = "10.80.0.17";
-      publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
-    };
   };
 
   cfg = config.sbruder.wireguard.home;

pkgs/contact-page/src/index.html

@@ -24,10 +24,6 @@ SPDX-License-Identifier: CC-BY-SA-4.0
           <td>Matrix</td>
           <td><a id="matrix" href="#">(requires javascript)</a></td>
         </tr>
-        <tr>
-          <td>Fediverse</td>
-          <td><a rel="me" href="https://procrastination.space/@simon">@simon@procrastination.space</a></td>
-        </tr>
         <tr>
           <td>Codeberg</td>
           <td><a href="https://codeberg.org/sbruder">sbruder</a></td>

users/simon/modules/gpg.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-{ lib, nixosConfig, pkgs, ... }:
+{ nixosConfig, pkgs, ... }:
 
 {
   programs.gpg = {
@@ -18,7 +18,7 @@
   services.gpg-agent = rec {
     enable = true;
     enableZshIntegration = true;
-    enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
+    enableSshSupport = true;
 
     pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
 

users/simon/modules/mpd.nix

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 

users/simon/modules/pass.nix

@@ -1,8 +1,8 @@
-# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   programs.password-store = {
     enable = true;
@@ -19,9 +19,4 @@
     enable = true;
     browsers = [ "librewolf" ];
   };
-
-  services.pass-secret-service = {
-    enable = true;
-    storePath = "${config.xdg.dataHome}/secret-service-password-store";
-  };
 }