add hosts

Hendrik Sokolowski 2022-08-22 00:53:04 +02:00
parent a236fd9664
commit c0f3d1dfb7
53 changed files with 1926 additions and 2 deletions


@ -45,6 +45,8 @@
# hensoko additions # hensoko additions
musnix.url = "github:musnix/musnix"; musnix.url = "github:musnix/musnix";
musnix.inputs.nixpkgs.follows = "nixos"; musnix.inputs.nixpkgs.follows = "nixos";
nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
}; };
outputs = outputs =
@ -107,7 +109,6 @@
digga.nixosModules.nixConfig digga.nixosModules.nixConfig
home.nixosModules.home-manager home.nixosModules.home-manager
agenix.nixosModules.age agenix.nixosModules.age
musnix.nixosModules.musnix
]; ];
}; };
@ -124,6 +125,27 @@
(import ./tests/first-test.nix { pkgs = nixos.legacyPackages.x86_64-linux; lib = nixos.lib; }) (import ./tests/first-test.nix { pkgs = nixos.legacyPackages.x86_64-linux; lib = nixos.lib; })
]; ];
}; };
companion = {
system = "aarch64-linux";
};
cox = {
system = "aarch64-linux";
};
falcone = {
system = "aarch64-linux";
};
giggles = {
system = "aarch64-linux";
};
norman = { };
harrison = {
modules = [
musnix.nixosModules.musnix
];
};
}; };
importables = rec { importables = rec {
profiles = digga.lib.rakeLeaves ./profiles // { profiles = digga.lib.rakeLeaves ./profiles // {
@ -134,7 +156,6 @@
iso = base ++ [ base-user graphical pub-solar-iso ]; iso = base ++ [ base-user graphical pub-solar-iso ];
pubsolaros = [ base-user users.root ]; pubsolaros = [ base-user users.root ];
anonymous = [ pubsolaros users.pub-solar ]; anonymous = [ pubsolaros users.pub-solar ];
pubsolaros-light = [ core-light base-user users.root ];
hensoko = pubsolaros ++ [ users.hensoko ]; hensoko = pubsolaros ++ [ users.hensoko ];
hensoko-iot = [ server base-user users.root users.iot ]; hensoko-iot = [ server base-user users.root users.iot ];
@ -151,6 +172,15 @@
# vm # vm
redpanda = hensoko; redpanda = hensoko;
# home pc
harrison = hensoko ++ [ daw graphical non-free social work ];
# work laptop
norman = hensoko ++ [ graphical non-free social virtualisation work ];
# cm4
falcone = hensoko-iot;
}; };
}; };
}; };
@ -186,6 +216,14 @@
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko; path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
}; };
}; };
companion = { sshUser = "iot"; };
cox = { };
giggles = { };
ringo = { };
cube = {
sshUser = "iot";
};
}; };
}; };
} }
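Review bot: The new input `nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";` carries no `?ref=` or `?rev=`, so every `nix flake update` follows whatever the fork's default branch points at, and that fork is what falcone's configuration later copies UEFI firmware from into `/boot`. The lock file pins the current revision, but an explicit `?ref=` makes the trust decision visible in the flake itself and stops a branch move on a personal forge from silently changing boot firmware on the next update, e.g. `nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs?ref=<branch>";`. A one-line comment above it saying why a private nixpkgs fork is needed (the Raspberry Pi 4 UEFI firmware package) would help the next reader. The deploy-nodes hunk adds `ringo = { };` while no `ringo` host is declared in the hosts hunk above; if that host is not defined elsewhere in the repository the deploy entry is dangling.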


@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}
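Review bot: `with lib;`, `psCfg` and `xdg` in companion.nix are never used — the body spells out `lib.mkForce` anyway — so the `let` block and the `with` are dead code; the same pattern is repeated in hosts/cox/cox.nix and hosts/falcone/falcone.nix, and hosts/cube/cube.nix has an unused `with lib; with pkgs;` and `psCfg`. Because `let` bindings are lazy the unused `xdg` lookup is harmless today, but it hides a dependency on `config.home-manager.users.<user>` that would start failing the moment someone references it. The module reduces to `{ lib, ... }: { imports = [ ./configuration.nix ]; config = { boot.plymouth.enable = lib.mkForce false; pub-solar.nextcloud.enable = lib.mkForce false; }; }`.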


@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = lib.mkForce 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = lib.mkForce true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}
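Review bot: `networking.firewall.allowedTCPPorts = [ 2380 6443 ];` opens the k3s API (6443) and the etcd peer port (2380) on every interface, including the DHCP-configured LAN `eth0` above, while the cluster peers in home-controller.nix reach this host through the 10.0.1.0/24 WireGuard addresses. Scoping the rule to the tunnel, `networking.firewall.interfaces.<wg-iface>.allowedTCPPorts = [ 2380 6443 ];` (the interface name is set by the home-controller module and is not visible in this diff), keeps etcd off the LAN; the same list appears in hosts/cox/configuration.nix and hosts/falcone/configuration.nix. The `nix.extraOptions` guard on `config.nix.package == pkgs.nixFlakes` deserves a comment explaining why flakes are enabled only conditionally when the system is itself built from a flake.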


@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./companion.nix
] ++ suites.companion;
}


@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/5552-1B21";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}
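Review bot: `networking.hostId = "71f2d82a";` is byte-identical in hosts/cox/hardware-configuration.nix, but ZFS uses the hostid to detect a pool last imported by a different machine, so two ZFS hosts sharing one value lose that safeguard, and the value looks copy-pasted rather than generated. Give each host its own eight-hex-digit id (`head -c 8 /etc/machine-id` is the usual source); changing it on an already-installed system means the pool must be imported with `-f` once. The `# Do not modify this file! It was generated by nixos-generate-config` header no longer holds: the LUKS, ZFS and `kernelPackages` settings are hand-written, so either move them to configuration.nix or replace the header with a comment saying the file was edited after generation.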


@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.13";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}
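Review bot: The `peers` list is maintained by hand in three places — this file, hosts/cox/home-controller.nix and hosts/cube/wireguard.nix — with every host's public key, address and endpoint copied into each, which is how key rotations and endpoint changes drift apart (cube's list already carries an `hsha` peer at 10.0.1.254 that neither controller list has; that may be intentional, but nothing documents it). A single shared attribute set of `{ publicKey; ip; endpoint; }` per host, filtered to exclude the evaluating host, would let each module derive its peer list and keep `ownIp` and the other hosts' `allowedIPs` from disagreeing. The `.local` endpoints (`giggles.local:51899` and friends) only resolve if an mDNS resolver is enabled on this host, which this diff does not show; a comment naming that dependency would help.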


@ -0,0 +1,64 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}
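Review bot: `boot.loader.timeout = 0;` and `boot.loader.grub.enable = true;` are set without `lib.mkForce` here, while the otherwise identical hosts/companion/configuration.nix forces both; `boot.loader.systemd-boot.enable = lib.mkForce false;` further down shows that a shared profile does define loader options, so if that profile also sets `grub.enable` or `timeout` this copy fails with a conflicting-definition error while companion does not. Either both files should use the same priority or, better, the shared `grub`/`timeout` block belongs in one module both hosts import. The leftover `#package = pkgs.nixFlakes;` comment should go or say why it is kept.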

16
hosts/cox/cox.nix Normal file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

6
hosts/cox/default.nix Normal file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cox.nix
] ++ suites.cox;
}


@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/6CB3-6DB8";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}


@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.12";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

8
hosts/cube/acme.nix Normal file

@ -0,0 +1,8 @@
{ pkgs, config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "hensoko@gssws.de";
};
}

34
hosts/cube/backup.nix Normal file

@ -0,0 +1,34 @@
{ config, lib, self, ... }:
{
age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age";
programs.ssh.extraConfig = ''
Host backup
HostName 10.0.1.12
Port 32222
User backup
IdentityFile /run/agenix/restic_ssh_private_key
'';
services.postgresqlBackup = {
enable = true;
backupAll = true;
compression = "zstd";
};
services.restic.backups = {
cox = {
passwordFile = "/run/agenix/restic_repository_password";
paths = [
"/mnt/internal/nextcloud"
"/var/backup/postgresql"
];
repository = "sftp:backup:/data/hdd/restic";
timerConfig = {
OnCalendar = "02:00";
};
};
};
}
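Review bot: The `Host backup` block points restic at `10.0.1.12:32222` but nothing pins that server's SSH host key, so the first run of the root-owned `restic-backups-cox` service either stops at an unknown-host prompt it cannot answer or, if host checking is relaxed elsewhere, accepts whatever key answers on the tunnel. Declare it: `programs.ssh.knownHosts.backup = { hostNames = [ "[10.0.1.12]:32222" ]; publicKey = "<ssh host key of the backup server>"; };`. The backup also never initialises the repository and has no retention, so `initialize = true;` plus a `pruneOpts` list (e.g. `[ "--keep-daily 7" "--keep-weekly 4" ]`) would make the first run succeed and keep the repository bounded. A comment saying the `backup` alias is cox's ZFS pool reached over WireGuard would tie the backup name `cox` and the SSH alias together.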


@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./acme.nix
./backup.nix
./drone.nix
./home-assistant.nix
./nextcloud.nix
#./whiteboard.nix
./wireguard.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
networking = {
useDHCP = false;
interfaces.eno1.ipv4.addresses = [{
address = "80.244.242.2";
prefixLength = 29;
}];
defaultGateway = "80.244.242.1";
nameservers = [ "95.129.51.51" "80.244.244.244" ];
};
nix = {
trustedUsers = [ "ci-cache-nix-store" ];
};
services.openssh.ports = [ 2222 ];
networking.nat.enable = true;
networking.nat.internalIPs = [ "10.10.42.0/24" ];
networking.nat.externalInterface = "eno1";
networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
networking.firewall.allowedUDPPorts = [ 51899 ];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment?
}
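Review bot: `nix.trustedUsers = [ "ci-cache-nix-store" ];` makes that account trusted by the Nix daemon — it can register unsigned store paths and override substituters and sandbox settings — on the host that also serves Nextcloud and runs the CI runner; that is probably required for pushing CI output into the cache, but it should be stated in a comment and the account kept to a key-only, forced-command SSH login so the trust is not reachable from a pipeline. `nix.trustedUsers` is also the pre-22.05 option name; on newer nixpkgs it only emits a rename warning, but `nix.settings.trusted-users` is the current form. `boot.loader.grub.version = 2;` is likewise a leftover that current nixpkgs deprecates and can be dropped. The NAT block forwards `10.10.42.0/24` out of `eno1` but no interface in this file carries that subnet, so a comment naming what lives there would help the next reader.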

15
hosts/cube/cube.nix Normal file

@ -0,0 +1,15 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
pub-solar.core.disk-encryption-active = false;
networking.networkmanager.enable = lib.mkForce false;
}

6
hosts/cube/default.nix Normal file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cube.nix
] ++ suites.cube;
}

21
hosts/cube/drone.nix Normal file

@ -0,0 +1,21 @@
{ self, config, pkgs, ... }:
{
age.secrets.drone_exec_runner_config = {
file = "${self}/secrets/cube_drone_exec_runner_config.age";
owner = "999";
};
pub-solar.ci-runner = {
enable = true;
enableKvm = true;
nixCacheLocation = "/mnt/internal/ci-cache-nix-store/nix";
runnerEnvironment = {
DRONE_RUNNER_CAPACITY = "1";
DRONE_RUNNER_LABELS = "hosttype:baremetal";
};
runnerVarsFile = "/run/agenix/drone_exec_runner_config";
};
}
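Review bot: `owner = "999";` binds the runner secret to a bare numeric UID with no NixOS user declaration behind it, so whichever account ends up with UID 999 (presumably the runner's container user) can read `/run/agenix/drone_exec_runner_config`; declare the user in NixOS, or at least add `# UID 999 is <which account> inside the runner container` so the coupling is visible. Together with `enableKvm = true;` and the `DRONE_RUNNER_LABELS = "hosttype:baremetal"` label this looks like an exec-style runner executing pipeline steps directly on cube, the host that also serves Nextcloud and holds the WireGuard and backup keys; if so, limiting which repositories may schedule on it (drone's `DRONE_LIMIT_REPOS` / `DRONE_LIMIT_TRUSTED`) deserves an entry in `runnerEnvironment`, or a comment explaining why it is not needed.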


@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options kvm_intel nested=1";
fileSystems."/" =
{
device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
fsType = "ext2";
};
fileSystems."/mnt/internal" =
{
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
}


@ -0,0 +1,19 @@
{ self, pkgs, config, ... }:
{
# HTTP
services.nginx = {
virtualHosts."ha.gssws.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.0.1.254:8123";
proxyWebsockets = true;
extraConfig =
"proxy_ssl_server_name on;" +
"proxy_pass_header Authorization;"
;
};
};
};
}
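Review bot: Both `extraConfig` directives are no-ops for this location: `proxy_ssl_server_name on;` only affects `https://` upstreams and the upstream here is `http://10.0.1.254:8123`, and `proxy_pass_header` controls which upstream response headers nginx stops hiding (Date, Server, X-Accel-*), not the client's `Authorization` request header, which is forwarded by default anyway. Drop the two lines, or if the intent was an explicit forward use `proxy_set_header Authorization $http_authorization;`. Home Assistant additionally has to trust this proxy's tunnel address (its own `trusted_proxies` / `use_x_forwarded_for` settings) for the forwarded client IP to be honoured; that lives on 10.0.1.254 and is not in this diff, so a comment pointing at it would help. The `self`, `pkgs` and `config` arguments are unused.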


@ -0,0 +1,156 @@
{ self, pkgs, config, lib, ... }:
{
services.nextcloud.extraApps = {
"bookmarks" = pkgs.fetchNextcloudApp {
name = "bookmarks";
sha256 = "+Lon8Bbu1O6axALYFDQUkBw5K0fNonEehY51ZSqOiZA=";
url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.3/bookmarks-11.0.3.tar.gz";
version = "11.0.3";
};
"bruteforcesettings" = pkgs.fetchNextcloudApp {
name = "bruteforcesettings";
sha256 = "cy1Fg6kCiolkDtPF8u/n4JvPrdJadRv4FVMr1zB/Lmk=";
url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz";
version = "2.4.0";
};
"calendar" = pkgs.fetchNextcloudApp {
name = "calendar";
sha256 = "+LRGl9h40AQdWN9SW+NqGwTafAGwV07Af8nVs3pUCm0=";
url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz";
version = "3.5.0";
};
"contacts" = pkgs.fetchNextcloudApp {
name = "contacts";
sha256 = "GTiyZsUHBXPgQ17DHAihmt2W/ZnAjDwfgwnujkRwk6A=";
url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz";
version = "4.2.2";
};
"cookbook" = pkgs.fetchNextcloudApp {
name = "cookbook";
sha256 = "v64rLGyMQOdStyivpJsKrNxwumVQvyK3CnHtZ+K+elE=";
url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz";
version = "0.9.15";
};
"cospend" = pkgs.fetchNextcloudApp {
name = "cospend";
sha256 = "VyTo7jii40a0m2hLuUH5PFJXzogECTfGq+2oifMtNNI=";
url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.4.10/cospend-1.4.10.tar.gz";
version = "1.4.10";
};
"deck" = pkgs.fetchNextcloudApp {
name = "deck";
sha256 = "G4v1B5XHYuKEZxNhkd7Fu5OSbzwcS7yFaDkUkydpdPU=";
url = "https://github.com/nextcloud-releases/deck/releases/download/v1.7.1/deck-v1.7.1.tar.gz";
version = "1.7.1";
};
"files_accesscontrol" = pkgs.fetchNextcloudApp {
name = "files_accesscontrol";
sha256 = "7vfN3FF8pfQ3iQib/3EbG7r5HNyrQXjwgwJ9Cna6nT0=";
url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.14.1/files_accesscontrol-v1.14.1.tar.gz";
version = "1.14.1";
};
"files_automatedtagging" = pkgs.fetchNextcloudApp {
name = "files_automatedtagging";
sha256 = "C59NQNxox4gyTqIwQX5Yi8D0VwNqoorPli6CE7bl/P0=";
url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz";
version = "1.14.0";
};
"files_fulltextsearch" = pkgs.fetchNextcloudApp {
name = "files_fulltextsearch";
sha256 = "+cKu9kvsPxajGzyZhu+DDqsxWKrpZmMMxAKg0tyZdBw=";
url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/v24.0.1/files_fulltextsearch-v24.0.1.tar.gz";
version = "24.0.1";
};
"files_markdown" = pkgs.fetchNextcloudApp {
name = "files_markdown";
sha256 = "6vrPNKcPmJ4DuMXN8/oRMr/B/dTlJn2GGi/w4t2wimk=";
url = "https://github.com/icewind1991/files_markdown/releases/download/v2.3.6/files_markdown.tar.gz";
version = "2.3.6";
};
"files_mindmap" = pkgs.fetchNextcloudApp {
name = "files_mindmap";
sha256 = "GcJqn90n9+3VDndNuiohLMDx9fmmMyMkNVNb/bB7ksM=";
url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.26/files_mindmap-0.0.26.tar.gz";
version = "0.0.26";
};
"fulltextsearch" = pkgs.fetchNextcloudApp {
name = "fulltextsearch";
sha256 = "7Yp+ZELZf2tqKoZ0td2CgPNym7EbLXyxbVKF8OdpNqs=";
url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/v24.0.0/fulltextsearch-v24.0.0.tar.gz";
version = "24.0.0";
};
"groupfolders" = pkgs.fetchNextcloudApp {
name = "groupfolders";
sha256 = "RHkvpAWH4HbKbM4ZoUy1HCzydVdw2SYQJvzO02sZEVQ=";
url = "https://github.com/nextcloud/groupfolders/releases/download/v12.0.2/groupfolders.tar.gz";
version = "12.0.2";
};
"impersonate" = pkgs.fetchNextcloudApp {
name = "impersonate";
sha256 = "ww11Rfcy0yXU5+8w/rOXRxH+7eD6G8RAm3fZ3PpXgdM=";
url = "https://github.com/nextcloud-releases/impersonate/releases/download/v1.11.0/impersonate-v1.11.0.tar.gz";
version = "1.11.0";
};
"keeweb" = pkgs.fetchNextcloudApp {
name = "keeweb";
sha256 = "idftaF9EU/f61HmL1gijeuKD4yPuf0MJPth4Xr9WgFs=";
url = "https://github.com/jhass/nextcloud-keeweb/releases/download/v0.6.9/keeweb-0.6.9.tar.gz";
version = "0.6.9";
};
"maps" = pkgs.fetchNextcloudApp {
name = "maps";
sha256 = "6dTNNGHKu97LZvRvg7452e2fw+2loUchtRuv31vLIgY=";
url = "https://github.com/nextcloud/maps/releases/download/v0.2.1/maps-0.2.1.tar.gz";
version = "0.2.1";
};
"news" = pkgs.fetchNextcloudApp {
name = "news";
sha256 = "eS0cFwJmYfGGJmA02AOWO/OXfqfyI71u2GataDj18DE=";
url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz";
version = "18.2.0";
};
"notes" = pkgs.fetchNextcloudApp {
name = "notes";
sha256 = "rd3uVkVtARX4enRAWm1ivV468lboYZnYe7/zsqaHYpk=";
url = "https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz";
version = "4.5.1";
};
"quota_warning" = pkgs.fetchNextcloudApp {
name = "quota_warning";
sha256 = "UaURF2NIj0h+81vbbFxZuyFX7B9QsicUMK5RKtG5O04=";
url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.14.0/quota_warning-v1.14.0.tar.gz";
version = "1.14.0";
};
"richdocuments" = pkgs.fetchNextcloudApp {
name = "richdocuments";
sha256 = "nov6GQX4FEg1MAxuTvWxuk9yAPuWHtE1rsbM1B/1Dgk=";
url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v6.2.0/richdocuments-v6.2.0.tar.gz";
version = "6.2.0";
};
#"richdocumentscode" = pkgs.fetchNextcloudApp {
# name = "richdocumentscode";
# sha256 = "URbEB3I02SjoVlRI+gjoNi+/o5Oe4snmoKQUff4T9+A=";
# url = "https://github.com/CollaboraOnline/richdocumentscode/releases/download/22.5.502/richdocumentscode.tar.gz";
# version = "22.5.502";
#};
"spreed" = pkgs.fetchNextcloudApp {
name = "spreed";
sha256 = "wg4BYhcbWCaz1OE4sIVlV1r0cUX5Z923ej7Y/Meands=";
url = "https://github.com/nextcloud-releases/spreed/releases/download/v14.0.5/spreed-v14.0.5.tar.gz";
version = "14.0.5";
};
"tasks" = pkgs.fetchNextcloudApp {
name = "tasks";
sha256 = "kXXUzzODi/qRi2NqtJyiS1GmLTx0kFAwtH1p0rCdnRM=";
url = "https://github.com/nextcloud/tasks/releases/download/v0.14.4/tasks.tar.gz";
version = "0.14.4";
};
"twofactor_totp" = pkgs.fetchNextcloudApp {
name = "twofactor_totp";
sha256 = "cRtpRs1s31l8xG84YkZIuR3C3pg2kQFNlrY2f5NTSBo=";
url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.0/twofactor_totp-v6.4.0.tar.gz";
version = "6.4.0";
};
};
}
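Review bot: Twenty-five `pkgs.fetchNextcloudApp` blocks each repeat the app name three times (attribute key, `name`, and inside `url`) and the version twice, which makes the list hard to scan and review; a small helper keeps each field stated once while the pinned `sha256` values — the part that actually protects the install — stay exactly as they are. The commented-out `richdocumentscode` block would read better as a one-line comment saying it was replaced by the Collabora container in nextcloud.nix.
```nix
{ self, pkgs, config, lib, ... }:
let
  # One fixed-output fetch per app; name/version/hash/url each stated once.
  app = name: version: sha256: url: pkgs.fetchNextcloudApp { inherit name version sha256 url; };
in
{
  services.nextcloud.extraApps = {
    bookmarks = app "bookmarks" "11.0.3" "+Lon8Bbu1O6axALYFDQUkBw5K0fNonEehY51ZSqOiZA="
      "https://github.com/nextcloud/bookmarks/releases/download/v11.0.3/bookmarks-11.0.3.tar.gz";
    # … unchanged: the remaining apps, each in the same one-call form …
  };
}
```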

142
hosts/cube/nextcloud.nix Normal file

@ -0,0 +1,142 @@
{ self, pkgs, config, lib, ... }:
{
imports = [
./nextcloud-apps.nix
];
age.secrets.nextcloud_db_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_db_pass.age";
};
age.secrets.nextcloud_admin_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_admin_pass.age";
};
# HTTP
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."data.gssws.de" = {
enableACME = true;
forceSSL = true;
};
};
# DATABASES
services.postgresql = {
enable = true;
package = pkgs.postgresql_11;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
# REDIS
services.redis.servers = {
"nextcloud".enable = true;
};
users.groups."redis-nextcloud".members = [ "nextcloud" ];
# Collabora Code server
virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
image = "collabora/code";
autoStart = true;
ports = [ "127.0.0.1:9980:9980" ];
environment.domain = "data\\.gssws\\.de";
extraOptions = [ "--cap-add" "MKNOD" ];
};
services.nginx.virtualHosts."office.gssws.de" =
let
proxyPass = "https://127.0.0.1:9980";
extraConfig = "proxy_ssl_verify off;";
in
{
enableACME = true;
forceSSL = true;
locations."^~ /browser" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/discovery" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/capabilities" = {
inherit proxyPass extraConfig;
};
locations."~ ^/cool/(.*)/ws''$" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
locations."~ ^/(c|l)ool" = {
inherit proxyPass extraConfig;
};
locations."^~ /cool/adminws" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
};
# NEXTCLOUD
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud24;
hostName = "data.gssws.de";
https = true;
datadir = "/mnt/internal/nextcloud";
caching.apcu = true;
caching.redis = true;
phpPackage = lib.mkForce pkgs.php81;
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "100000";
"opcache.memory_consumption" = "256";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
dbpassFile = "/run/agenix/nextcloud_db_pass";
adminpassFile = "/run/agenix/nextcloud_admin_pass";
adminuser = "admin";
trustedProxies = [ "80.244.242.2" ];
defaultPhoneRegion = "DE";
};
};
}
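Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` overrides the cipher list that `recommendedTlsSettings = true` already installs, and the replacement is weaker: it admits the CBC/SHA-1 suites (e.g. ECDHE-RSA-AES256-SHA) and excludes ChaCha20-Poly1305, so clients without AES hardware lose their AEAD option. Unless a known client needs those suites, drop the `sslCiphers` line and let the module's list apply. `image = "collabora/code";` has no tag or digest, so every pull can bring a different Collabora build onto the host; pin it (`image = "collabora/code:<version>";` or an `@sha256:` digest) and bump it deliberately, especially since the container also gets `--cap-add MKNOD`. `proxy_ssl_verify off;` toward `https://127.0.0.1:9980` is acceptable for a loopback-only self-signed endpoint but deserves a comment saying exactly that.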

63
hosts/cube/wireguard.nix Normal file

@ -0,0 +1,63 @@
{ self, config, pkgs, ... }:
{
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ "10.0.1.5" ];
listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = [ "10.0.1.254/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}
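Review bot: The restart policy is attached to `systemd.services.wireguard-wg0`, but the interface declared below is `wg1`, whose unit is `wireguard-wg1.service`; unless a `wg0` is defined elsewhere in the repository the two lines create an orphan unit override and the real tunnel gets no `Restart=on-failure`. Change them to `systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";` and `systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";`, or bind the interface name once in a `let` and use it in both places. The copied comment `# For a client configuration, one peer entry for the server will suffice.` is misleading here — this is the hub with four spokes listening on UDP 51899 — and should describe the actual topology instead.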


@ -0,0 +1,57 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
imports =
[
./hardware-configuration.nix
];
pub-solar.core.disk-encryption-active = false;
boot.loader.timeout = lib.mkForce 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = lib.mkForce true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
extraInstallCommands = ''
cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/
'';
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}
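Review bot: The module header `{ inputs, pkgs, builtins, config, lib, ... }:` lists `builtins` as a module argument; `builtins` is a Nix global, not a standard module argument, so unless digga or `specialArgs` happens to inject it the module system fails with a missing-argument error — and the body never uses it, so drop it. `extraInstallCommands` copies `${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/*` over `/boot/` on every bootloader install, which makes this host's boot firmware a function of a personal nixpkgs fork; a comment stating that trust decision and the expected firmware version would be appropriate, and `cp -r` with a glob will silently leave stale files from an earlier firmware drop in place.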


@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./falcone.nix
] ++ suites.falcone;
}

16
hosts/falcone/falcone.nix Normal file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}


@ -0,0 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
#boot.initrd.supportedFilesystems = [ "zfs" ];
#boot.supportedFilesystems = [ "zfs" ];
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}


@ -0,0 +1,65 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}
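Review bot: `networking.firewall.allowedTCPPorts = [ 2380 6443 ];` opens the etcd peer port and the Kubernetes API on every interface, including eth0 on the LAN, while the cluster peers added in this commit address each other over 10.0.1.x addresses that appear to be the WireGuard tunnel. Both services authenticate with TLS, so this is about exposed surface rather than an open door, but if the tunnel is the intended path the ports can be scoped to it with `networking.firewall.interfaces.<wg-iface>.allowedTCPPorts = [ 2380 6443 ];` (the interface name comes from the home-controller module, which is not visible here). The earlier configuration.nix in this commit opens the same two ports and would get the same treatment.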


@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./giggles.nix
] ++ suites.giggles;
}

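--- a/hosts/giggles/giggles.nix
+++ b/hosts/giggles/giggles.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+psCfg = config.pub-solar;
+xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+imports = [
+./configuration.nix
+];
+config = {
+boot.plymouth.enable = lib.mkForce false;
+pub-solar.nextcloud.enable = lib.mkForce false;
+};
+}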


@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/2F05-9B4A";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}
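Review bot: `boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;` pins this host to one kernel series, so it stops receiving kernel updates once nixpkgs drops that series instead of following whatever kernel ZFS currently supports. If ZFS compatibility is the reason for the pin, `boot.kernelPackages = lib.mkForce pkgs.zfs.latestCompatibleLinuxPackages;` expresses that intent without freezing the version. These hand edits (ZFS, LUKS, kernel) also live in a file whose header says it is regenerated by nixos-generate-config and may be overwritten; moving them to configuration.nix, or replacing the header with a comment stating the file is now maintained by hand, would avoid losing them.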


@ -0,0 +1,53 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.11";
k3s = {
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}
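Review bot: Three of the peer endpoints are mDNS names (`cox.local`, `companion.local`, `ringo.local`), which WireGuard resolves only at the moment the endpoint is set, so if the home-controller module applies this list when the interface is created (the module is not visible here) a peer whose name does not resolve at that moment stays unconfigured until the service is restarted. Because WireGuard authenticates peers by public key, a spoofed mDNS answer can at most cause a failed handshake, but a comment noting the mDNS dependency, or static `networking.hosts` entries for these three hosts, would make startup deterministic. The ringo peer list later in this commit uses the same endpoints and additionally omits `persistentKeepalive`, which this side sets to 25 for every peer; worth aligning the two or documenting why they differ.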


@ -0,0 +1,19 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43'
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
set $right 'Eizo Nanao Corporation EV2316W 39117013'
output $left {
scale 1
pos 0 0
transform 270
}
output $middle {
scale 1
pos 1440 1150
}
output $right {
scale 1
pos 3360 1150
}


@ -0,0 +1,49 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.dhcpcd.wait = "background";
networking.useDHCP = false;
networking.interfaces.eno1 = {
useDHCP = true;
wakeOnLan = {
enable = true;
};
};
networking.networkmanager.enable = lib.mkForce false;
nixpkgs.config.allowUnsupportedSystem = true;
# List services that you want to enable:
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}
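Review bot: `nixpkgs.config.allowUnsupportedSystem = true;` has no comment saying which package needs it, and it relaxes the platform check for the whole package set rather than for one package, so the next reader cannot tell whether it is still required or safe to remove. A one-line why-comment such as `# required for <package>: <reason>` (filled in with the actual package) would fix that. `networking.firewall.allowedTCPPorts = [ 22 ];` is also redundant if the imported profiles enable openssh with its default `openFirewall`, though those profiles are not visible in this hunk.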


@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./harrison.nix
] ++ suites.harrison;
}


@ -0,0 +1,70 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
boot.loader.grub = {
efiSupport = true;
enable = lib.mkForce true;
extraEntries = ''
menuentry "Windows" {
insmod part_gpt
insmod fat
insmod search_fs_uuid
insmod chain
search --fs-uuid --set=root 02DB-F12C
chainloader /efi/Microsoft/Boot/bootmgfw.efi
}
'';
devices = [ "nodev" ];
};
fileSystems = {
"/" =
{
device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05";
fsType = "ext4";
};
"/boot" =
{
device = "/dev/disk/by-uuid/4B4A-B1B4";
fsType = "vfat";
};
"/boot2" =
{
device = "/dev/disk/by-uuid/4B2C-385A";
fsType = "vfat";
};
};
swapDevices =
[{ device = "/dev/mapper/vg0-swap"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
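Review bot: `/boot2` is mounted as a second vfat partition but nothing installs a bootloader into it: `efiSysMountPoint` is `/boot` and the grub block has no `mirroredBoots`, so if `/boot2` is meant as a fallback ESP (the `raid1` initrd module hints at a mirrored setup) it will stay empty after `nixos-rebuild`. If that is the intent, `boot.loader.grub.mirroredBoots` with a `path = "/boot2";` entry is what installs to both; if not, a comment stating what `/boot2` is for would stop the next reader from guessing. The hand-written LUKS and grub sections also sit in a file that declares itself regenerated by nixos-generate-config, so they risk being overwritten.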


@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
};
services.teamviewer.enable = true;
};
}
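Review bot: `with pkgs;` brings the whole package set into scope but nothing in the body references a package, so it only widens the namespace and makes name lookups in this file harder to reason about; it can be dropped. `with lib;` is used once, for `mkIf`, which could equally be written `lib.mkIf` so the file reduces to `{ config, pkgs, lib, ... }:` plus the `let`. Separately, `services.teamviewer.enable = true;` enables a remote-access daemon as a system service on this host; a short comment on why it is needed would let a reviewer distinguish an intentional choice from a leftover.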


@ -0,0 +1,16 @@
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"
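Review bot: The keyboard-backlight bindings target `smc::kbd_backlight`, which is the Apple SMC LED name; if this host is the ThinkPad that its hardware-configuration in this commit suggests, that device does not exist and the two `XF86KbdBrightness*` bindings fail silently. ThinkPad keyboard backlights are usually exposed as `tpacpi::kbd_backlight`, but the name should be confirmed with `brightnessctl -l` on the machine before changing it.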


@ -0,0 +1,13 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43'
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
output $left {
scale 1
pos 0 0
transform 270
}
output $middle {
scale 1
pos 1440 1050
}


@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./wireguard.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.firewall = {
allowedUDPPorts = [
51820
51821
]; # Clients and peers can use the same port, see listenport
};
hardware.nitrokey.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_SCALING_GOVERNOR_ON_AC = "performance";
# The following prevents the battery from charging fully to
# preserve lifetime. Run `tlp fullcharge` to temporarily force
# full charge.
# https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds
START_CHARGE_THRESH_BAT0 = 40;
STOP_CHARGE_THRESH_BAT0 = 80;
# 100 being the maximum, limit the speed of my CPU to reduce
# heat and increase battery usage:
CPU_MAX_PERF_ON_AC = 100;
CPU_MAX_PERF_ON_BAT = 30;
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}
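Review bot: The three-line comment above `networking.firewall = {` ("The global useDHCP flag is deprecated … replicates the default behaviour") is left over from the generated template and describes a `useDHCP` setting this file does not contain, so it misleads anyone reading the networking block. Replace it with a comment describing what follows, e.g. `# WireGuard listen ports for wg0/wg1, see ./wireguard.nix`. Related: both UDP ports are opened inbound although wireguard.nix configures this host as a client with keepalives, where the firewall's established-connection handling already admits the replies; if inbound handshakes initiated by the servers are not needed, the ports can stay closed.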

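--- a/hosts/norman/default.nix
+++ b/hosts/norman/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+imports = [
+./norman.nix
+] ++ suites.norman;
+}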


@ -0,0 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.loader.grub.trustedBoot = {
enable = true;
systemHasTPM = "YES_TPM_is_activated";
};
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6";
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/84CD-91B6";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.trackpoint = {
enable = true;
device = "TPPS/2 ALPS TrackPoint";
emulateWheel = true;
};
}
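Review bot: `boot.loader.grub.trustedBoot` measures the boot chain into the TPM, but nothing else in this commit consumes those measurements: the `cryptroot` LUKS volume here has no key sealed to PCR values and no attestation is configured, so the option currently adds a TrustedGRUB2 dependency with no visible consumer of the PCR log. If the measurements are read or attested elsewhere, a comment naming that consumer would explain the setting; otherwise it is worth marking it as groundwork, e.g. `# measured boot only; nothing is sealed to the PCRs yet`. As with the other hosts, these hand edits sit in a file whose header says it is regenerated by nixos-generate-config.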

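--- a/hosts/norman/norman.nix
+++ b/hosts/norman/norman.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+psCfg = config.pub-solar;
+xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+imports = [
+./configuration.nix
+];
+config = {
+boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+pub-solar.audio.bluetooth.enable = false;
+home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
+"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
+};
+};
+}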


@ -0,0 +1,93 @@
{ config, pkgs, ... }:
{
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.0.0.13/32"
"fc00:200::13/128"
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.0.0.0/24"
"192.168.50.0/24"
"192.168.200.0/24"
"10.20.30.0/24"
"fc00:200::/120"
"95.129.51.5"
"95.129.54.43"
"134.0.28.89"
"134.0.27.108"
"134.0.25.181"
];
# Set this to the server IP and port.
endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.7.0.21"
];
listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.7.0.0/24"
];
# Set this to the server IP and port.
endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}
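Review bot: Both `privateKeyFile` values point into `/home/hensoko/.config/wireguard/`, so a root-run system service depends on a file in one user's home directory and the key is only as protected as that account and its home permissions; every other host in this commit keeps its WireGuard key in agenix and reads it from `/run/agenix/...`. Moving the two keys to `age.secrets.<name>.file = "${self}/secrets/<name>.age";` with `privateKeyFile = "/run/agenix/<name>";` would make norman consistent and keep the key out of the home directory. The comment `# Forward all the traffic via VPN.` on both peers is copied from the manual example and is wrong for these `allowedIPs`, which list specific subnets and hosts; `# Route only these networks/hosts through the tunnel.` matches what the config does.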


@ -0,0 +1,35 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

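--- a/hosts/ringo/default.nix
+++ b/hosts/ringo/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+imports = [
+./ringo.nix
+] ++ suites.ringo;
+}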


@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/47ED-2F0B";
fsType = "vfat";
};
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,43 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "agent";
ownIp = "10.0.1.21";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
}
];
};
};
};
}
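Review bot: `serverAddr = "https://api.kube:6443"` relies on `api.kube` resolving to the server's tunnel address, which the giggles peer entry above gives as 10.0.1.11, but nothing in this commit defines that name; if it is answered by a resolver outside the tunnel the agent would reach the API over whatever path that answer points to. If the home-controller module does not provide the mapping, a static `networking.hosts."10.0.1.11" = [ "api.kube" ];` pins the name to the tunnel, and a comment next to `serverAddr` saying where the name comes from would help either way.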

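--- a/hosts/ringo/ringo.nix
+++ b/hosts/ringo/ringo.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+psCfg = config.pub-solar;
+xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+imports = [
+./configuration.nix
+];
+config.pub-solar.core.lite = true;
+}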




@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw +rkFPrQE8peUim4x6Ky9ZOq1th5ClCoBGZnHpyUpdhg
RUg+Iy9Tr/rYLac2QZXHgEIXVeUgzThkknHKXw0zcc8
-> ssh-ed25519 YFSOsg f+9e0azb6BGCW2BAqzY0jeGX35SOg5H8esxKnslo1Bw
zTrfb7rz9rtlGL+RYF+k0bPTJrCCj3sIiRpjqkNwktY
-> ssh-rsa 42S2Dw
E0CKXcPmBbOGFjsKpzr6XD2wiK6X6bACpHxO6qdRfN1vntoRLRsrMlHhiB9nbn3V
wyVou0OtIXoEuW7X/AZDatB2zQp4gs/C6j7jX3MhtzC60qrGpqxZ+qSRwsybbMHl
23ceddRQfudIkojKolpuZj6LhmqHo7psg8HF+OMMMvq8AU2/FLULOoWy5pjtfZTf
FrhbjSHJPe8CDGhHVANd7nmhuNYLf/HoO3/VNCmF5g5FVdTl+oIbV/lG+h9XEkMV
Brmew59jOUNZQkKixA8Qs+Q9jmozVKUfdVNt5214NucExbPkgznOmtp5XyfIZUHP
fcOAonVVoSTsEP2YiPSOkg
-> ssh-ed25519 iHV63A RchzJvnl56NtfqNJ4BclwhEnxmxveeXmdKsk5anyoGY
838Yzcs0Y/d4aRGGpaIUe4HlncnHB/90KPl4Jc6M6gc
-> ssh-ed25519 uTVbSg yUxd7jAji+mUlayh3HAmtt15LT0qIijFdZfxm/QXJ1A
B03YY7feAxzquD55hkqdjfjp7F3UOgPws3CHz6vq5/E
-> s-grease
sVUB69ht3umxJ0/t3sgli+GG1jJYbRH3NAYRXxyjM7cD7kwimAwa0Cv8briHBncF
CXY
--- +656WjsF5wgufRPmpuHmh4BWdHsLLu2R0ZJ9Ryml35k
—»¢ à£mbjôò%ÞöǪµüƒÜò¯^S¸ÅÒ0„ðžË ¾Ðgu÷Z“UŸz¸ _˜²¶ÛGv„=³6Œ@ã’³Öâ¥ðÒ{0<>n


@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw +A6/Q0jkgCU8oT8UwEOXm+ilWBZSkPheytu+qWJ8ow0
kBztg+HTVR8tNJR9cws2wAfXf/p+SlDZ/HoXYyhSP5Q
-> ssh-ed25519 YFSOsg RlxOjmi/X/nXaN1pur/YkOeNMfaNjaeRlhuIy8Xg/C4
rXLCp5cOgqg97NlsIhNOtReLro3ELEfcfEFmeh5QmXg
-> ssh-rsa 42S2Dw
ivPg0J88URraGg/P1pYwPbHAPcLRxOEEGhIve858Wv0TJxyeSLFMEgyal6fKnxQN
bE+SuV9ZAWRx4LCmaxq35exfXJAclcC4zg+WOui3uojeWf6Yo/Q0OXGYhS5uHMHm
SJnIKoIKsdrD7g+0hoTKKztrjliK/zw8ooBPP8c6KGKncIhWGWfvS+eBzYkQp0VE
mMplI6YGTGtKavR7w5X9NG9rb5Ot0jdTuM+Q1URhtXbER1ZJWnEQMfdGeHEYKTXA
cJR08iiMY3J/XeYnv+I8B8FBCfWZurMDeH72t7TjObaZEBz/gKl6sk1+FuEBLQR0
r1Fqd9w06fgMcuVLLdFZQg
-> ssh-ed25519 iHV63A a27f4SrL8d4VTA/zf0ZFN+gRZEZYjfXxGRkK+0BvFBI
FPY1Vl6t1KMdmLMuhrF0NZptzrwGNyEgw+IHxvZkNT4
-> ssh-ed25519 uTVbSg cNe3wLmtGYd8E/mVT4nnGc9uKwVfKeLkPOA4iWH/n00
zUGfMmyqVA8+wH4U9e3aLCOyUn7JQbvd2hFViCGkAZs
-> ;y-K-grease 'D %/|`ff=t
EIllMsZQ7AqFv1F9F8SOleLU4Q1PKLJIdw7FL1fveIuPdnBPguvrcyw1kQeCzZ7M
F2LCYbb0cJUlJi1Mo+LxFEC4cCS0NI1hlMtbh5c4cxy7Ay/cpzCxhY9yVV8
--- fXi80THZW40z8KwPZUmXCYcp3zjgI/P0SyOGbI6SEOI
tã_öcO¿9¿<EFBFBD>ÀD:EŒ¯aCXûU¦Åãà×ì´ÐŘí-wØÄ<ÔÚÕâsFw¥{íclœ<6C>×ÙÍЮ?Zô¦{œ¥%þ1XÝh<C39D>‡çÖÚ`™>`)!ÔÏ9DO+bð<âþ9¨÷4\˜¸ËÒeæ5v<35>ö=kJ”%sðŽÏ|a#ÞºÎ!PIçZ°£•êGlªh:j©”ÅO¦`1dqÓ$0ýRFɦð.ݽwù˜]!¸¢<C2B8>Mnøo|ägPšÌ|רÒ^Ð"£2òÛÅhB…¬øiÑ«§Òá¨<18>!~f[zü¿;`ÑHpÅH F~–§ëýK<C3BD>ÁJRÖñT~5¬Ag†<67>v•œªR3öf©¼lÁD/7ÔY2ÚÍb<7F><E284A2>SáO­»=)¦8£(±ÅýÛF.ÁÑ+ì<$* 0×Ç<C387>@¬#R]]±¢Öš8Ç9?ñW·%¯Õñ중ë!ƒÝ,;Qåͺ¥£±®ØŠÝÙNÒ~ÿx¸±¥fM*?Úð˜ áå<C3A1>¾Èì'x½ÝÏpØCߪËU
<>ü_ N.éŽÈ


@ -26,6 +26,10 @@ in
"home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ]; "home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ]; "cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ]; "cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
"cube_restic_ssh_private_key.age".publicKeys = users ++ [ system_cube ];
"cube_restic_repository_password.age".publicKeys = users ++ [ system_cube ];
"cube_drone_exec_runner_config.age".publicKeys = users ++ [ system_cube ];
"home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ]; "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];