rename terraform, remove version

rename deprecated property
drop docker statements
2022-11-26 15:41:27 +01:00 · 2022-11-26 15:41:13 +01:00 · 2022-11-26 15:37:08 +01:00 · 2022-11-26 15:37:08 +01:00 · 2022-11-26 15:37:08 +01:00 · 2022-11-26 15:37:08 +01:00
109 changed files with 3576 additions and 234 deletions
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1665870395,
-        "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
+        "lastModified": 1662241716,
+        "narHash": "sha256-urqPvSvvGUhkwzTDxUI8N1nsdMysbAfjmBNZaTYBZRU=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
+        "rev": "c96da5835b76d3d8e8d99a0fec6fe32f8539ee2e",
        "type": "github"
      },
      "original": {
@ -42,11 +42,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1667419884,
-        "narHash": "sha256-oLNw87ZI5NxTMlNQBv1wG2N27CUzo9admaFlnmavpiY=",
+        "lastModified": 1661882940,
+        "narHash": "sha256-4LaVFnV22WrOA0aolqqk9dXrM8crikcrLQt29G18F7M=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "cfc0125eafadc9569d3d6a16ee928375b77e3100",
+        "rev": "80cec5115aae74accc4ccfb9f84306d7863f0632",
        "type": "github"
      },
      "original": {
@ -143,18 +143,13 @@
        "nixpkgs-unstable": "nixpkgs-unstable"
      },
      "locked": {
-        "lastModified": 1661600857,
-        "narHash": "sha256-KfQCcTtfvU0PXV4fD9XKIMcKx9lUUR0xWJoBgc12fKE=",
-        "owner": "pub-solar",
-        "repo": "digga",
-        "rev": "c902b3ef0aa45cb4f336c390f647bb182c38a221",
-        "type": "github"
+        "narHash": "sha256-Kpfm2PNs+kZU0W7qcugoPATLG8I2P7FJFGTgsf1LJiU=",
+        "path": "/nix/store/gyv51hksh3bngdqvafrwil6liskb57c1-source",
+        "type": "path"
      },
      "original": {
-        "owner": "pub-solar",
-        "ref": "fix/bootstrap-iso",
-        "repo": "digga",
-        "type": "github"
+        "id": "digga",
+        "type": "indirect"
      }
    },
    "flake-compat": {
@ -192,27 +187,11 @@
    "flake-compat_3": {
      "flake": false,
      "locked": {
-        "lastModified": 1650374568,
-        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "lastModified": 1648199409,
+        "narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_4": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1650374568,
-        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "rev": "64a525ee38886ab9028e6f61790de0832aa3ef03",
        "type": "github"
      },
      "original": {
@ -272,11 +251,11 @@
    },
    "flake-utils_3": {
      "locked": {
-        "lastModified": 1667077288,
-        "narHash": "sha256-bdC8sFNDpT0HK74u9fUkpbf1MEzVYJ+ka7NXCdgBoaA=",
+        "lastModified": 1649676176,
+        "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "6ee9ebb6b1ee695d2cacc4faa053a7b9baa76817",
+        "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678",
        "type": "github"
      },
      "original": {
@ -292,11 +271,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1667677389,
-        "narHash": "sha256-y9Zdq8vtsn0T5TO1iTvWA7JndYIAGjzCjbYVi/hOSmA=",
+        "lastModified": 1656169755,
+        "narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "87d55517f6f36aa1afbd7a4a064869d5a1d405b8",
+        "rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
        "type": "github"
      },
      "original": {
@ -324,11 +303,11 @@
    },
    "latest_2": {
      "locked": {
-        "lastModified": 1667629849,
-        "narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
+        "lastModified": 1662019588,
+        "narHash": "sha256-oPEjHKGGVbBXqwwL+UjsveJzghWiWV0n9ogo1X6l4cw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
+        "rev": "2da64a81275b68fdad38af669afeda43d401e94b",
        "type": "github"
      },
      "original": {
@ -338,6 +317,26 @@
        "type": "github"
      }
    },
+    "musnix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixos"
+        ]
+      },
+      "locked": {
+        "lastModified": 1662101674,
+        "narHash": "sha256-Yn4jpQ3xMn2U8E/hZiaCulFn7NkUTZ5PMMPY8ClMJD4=",
+        "owner": "musnix",
+        "repo": "musnix",
+        "rev": "c28a81cfdc33cbe95bce3aa853da5d8e5d8f5d00",
+        "type": "github"
+      },
+      "original": {
+        "owner": "musnix",
+        "repo": "musnix",
+        "type": "github"
+      }
+    },
    "naersk": {
      "inputs": {
        "nixpkgs": [
@ -375,11 +374,11 @@
    },
    "nixos": {
      "locked": {
-        "lastModified": 1667653703,
-        "narHash": "sha256-Xow4vx52/g5zkhlgZnMEm/TEXsj+13jTPCc2jIhW1xU=",
+        "lastModified": 1662099760,
+        "narHash": "sha256-MdZLCTJPeHi/9fg6R9fiunyDwP3XHJqDd51zWWz9px0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "f09ad462c5a121d0239fde645aacb2221553a217",
+        "rev": "67e45078141102f45eff1589a831aeaa3182b41e",
        "type": "github"
      },
      "original": {
@ -395,11 +394,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1666812839,
-        "narHash": "sha256-0nBDgjPU+iDsvz89W+cDEyhnFGSwCJmwDl/gMGqYiU0=",
+        "lastModified": 1660727616,
+        "narHash": "sha256-zYTIvdPMYMx/EYqXODAwIIU30RiEHqNHdgarIHuEYZc=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "41f3518bc194389df22a3d198215eae75e6b5ab9",
+        "rev": "adccd191a0e83039d537e021f19495b7bad546a1",
        "type": "github"
      },
      "original": {
@ -410,11 +409,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1667768008,
-        "narHash": "sha256-PGbX0s2hhXGnZDFVE6UIhPSOf5YegpWs5dUXpT/14F0=",
+        "lastModified": 1662458987,
+        "narHash": "sha256-hcDwRlsXZMp2Er3vQk1JEUZWhBPLVC9vTT4xHvhpcE0=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "f6483e0def85efb9c1e884efbaff45a5e7aabb34",
+        "rev": "504b32caf83986b7e6b9c79c1c13008f83290f19",
        "type": "github"
      },
      "original": {
@ -457,7 +456,6 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 0,
        "narHash": "sha256-koC6DBYmLCrgXA+AMHVaODf1uHYPmvcFygHfy3eg6vI=",
        "path": "/nix/store/6mfkswqi67m35qwv0vh7kpk8rypbl2rq-source",
        "type": "path"
@ -469,18 +467,18 @@
    },
    "nvfetcher": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_3",
        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "nixos"
        ]
      },
      "locked": {
-        "lastModified": 1667620329,
-        "narHash": "sha256-v1Zk7rtEbAGpevBGPZvZBKpwbmw4I+uVwxvd+pBlp3o=",
+        "lastModified": 1654975372,
+        "narHash": "sha256-wkNZ16akgKViuZzE/IM+bux4uaJ04KIwUeexH8gBjgw=",
        "owner": "berberman",
        "repo": "nvfetcher",
-        "rev": "294826951113dcd3aa9abbcacfb1aa5b95a19116",
+        "rev": "d4b237c10f14f72f8266b0f658faad822e491e55",
        "type": "github"
      },
      "original": {
@ -495,9 +493,9 @@
        "darwin": "darwin",
        "deploy": "deploy",
        "digga": "digga",
-        "flake-compat": "flake-compat_3",
        "home": "home",
        "latest": "latest_2",
+        "musnix": "musnix",
        "naersk": "naersk",
        "nixos": "nixos",
        "nixos-generators": "nixos-generators",
--- a/flake.nix
+++ b/flake.nix
@ -8,19 +8,19 @@
  inputs =
    {
      # Track channels with commits tested and built by hydra
-      nixos.url = "github:nixos/nixpkgs/nixos-22.05";
+      nixos.url = "github:nixos/nixpkgs/nixos-22.11";
      latest.url = "github:nixos/nixpkgs/nixos-unstable";

      flake-compat.url = "github:edolstra/flake-compat";
      flake-compat.flake = false;

-      digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
+      #digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
      digga.inputs.nixpkgs.follows = "nixos";
      digga.inputs.nixlib.follows = "nixos";
      digga.inputs.home-manager.follows = "home";
      digga.inputs.deploy.follows = "deploy";

-      home.url = "github:nix-community/home-manager/release-22.05";
+      home.url = "github:nix-community/home-manager/release-22.11";
      home.inputs.nixpkgs.follows = "nixos";

      darwin.url = "github:LnL7/nix-darwin";
@ -41,6 +41,12 @@
      nixos-hardware.url = "github:nixos/nixos-hardware";

      nixos-generators.url = "github:nix-community/nixos-generators";
+
+      # hensoko additions
+      musnix.url = "github:musnix/musnix";
+      musnix.inputs.nixpkgs.follows = "nixos";
+
+      nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
    };

  outputs =
@ -53,6 +59,7 @@
    , agenix
    , nvfetcher
    , deploy
+    , musnix
    , ...
    } @ inputs:
    digga.lib.mkFlake
@ -60,7 +67,7 @@
        inherit self inputs;

        channelsConfig = {
-          # allowUnfree = true;
+          allowUnfree = true;
        };

        supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
@ -118,6 +125,27 @@
                (import ./tests/first-test.nix { pkgs = nixos.legacyPackages.x86_64-linux; lib = nixos.lib; })
              ];
            };
+
+            companion = {
+              system = "aarch64-linux";
+            };
+            cox = {
+              system = "aarch64-linux";
+            };
+            falcone = {
+              system = "aarch64-linux";
+            };
+            giggles = {
+              system = "aarch64-linux";
+            };
+
+            norman = { };
+
+            harrison = {
+              modules = [
+                musnix.nixosModules.musnix
+              ];
+            };
          };
          importables = rec {
            profiles = digga.lib.rakeLeaves ./profiles // {
@ -126,8 +154,33 @@
            suites = with profiles; rec {
              base = [ users.pub-solar users.root ];
              iso = base ++ [ base-user graphical pub-solar-iso ];
-              pubsolaros = [ full-install base-user users.root ];
+              pubsolaros = [ base-user users.root ];
              anonymous = [ pubsolaros users.pub-solar ];
+              hensoko = pubsolaros ++ [ users.hensoko ];
+              hensoko-iot = [ server base-user users.root users.iot ];
+
+              # server
+              cube = hensoko-iot;
+
+              # home-controller
+              companion = hensoko-iot;
+              cox = hensoko-iot;
+              giggles = hensoko-iot;
+
+              # laptop
+              ringo = hensoko;
+
+              # vm
+              redpanda = hensoko;
+
+              # home pc
+              harrison = hensoko ++ [ daw graphical non-free social work ];
+
+              # work laptop
+              norman = hensoko ++ [ graphical non-free social virtualisation work ];
+
+              # cm4
+              falcone = hensoko-iot;
            };
          };
        };
@ -143,6 +196,8 @@
          };
          users = {
            pub-solar = { suites, ... }: { imports = suites.base; };
+            hensoko = { suites, ... }: { imports = suites.base; };
+            iot = { suites, ... }: { imports = suites.base; };
          }; # digga.lib.importers.rakeLeaves ./users/hm;
        };

@ -150,6 +205,25 @@

        homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;

-        deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { };
+        deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
+          redpanda = {
+            hostname = "192.168.42.71:22";
+            sshUser = "hensoko";
+            fastConnect = true;
+            profilesOrder = [ "system" "direnv" ];
+            profiles.direnv = {
+              user = "hensoko";
+              path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
+            };
+          };
+
+          companion = { sshUser = "iot"; };
+          cox = { };
+          giggles = { };
+          ringo = { };
+          cube = {
+            sshUser = "iot";
+          };
+        };
      };
 }
--- a/hosts/companion/companion.nix
+++ b/hosts/companion/companion.nix
@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
+}
--- a/hosts/companion/configuration.nix
+++ b/hosts/companion/configuration.nix
@ -0,0 +1,63 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./home-controller.nix
+    ];
+
+  boot.loader.timeout = lib.mkForce 0;
+
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+  boot.loader.grub = {
+    enable = lib.mkForce true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = false;
+  networking.networkmanager.enable = lib.mkForce false;
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  nix = {
+    extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+  ];
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 2380 6443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/hosts/companion/default.nix
+++ b/hosts/companion/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./companion.nix
+  ] ++ suites.companion;
+}
--- a/hosts/companion/hardware-configuration.nix
+++ b/hosts/companion/hardware-configuration.nix
@ -0,0 +1,61 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.initrd.supportedFilesystems = [ "zfs" ];
+  boot.supportedFilesystems = [ "zfs" ];
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
+
+  boot.initrd.luks.devices = {
+    cryptroot = {
+      device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883";
+      keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
+      bypassWorkqueues = true;
+      fallbackToPassword = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/5552-1B21";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/lib/rancher/k3s/storage" =
+    {
+      device = "zroot/kubernetes-localstorage";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  networking.hostId = "71f2d82a";
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/hosts/companion/home-controller.nix
+++ b/hosts/companion/home-controller.nix
@ -0,0 +1,55 @@
+{ self, config, pkgs, ... }:
+
+{
+  config = {
+    age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      role = "server";
+      ownIp = "10.0.1.13";
+
+      k3s = {
+        serverAddr = "https://api.kube:6443";
+        tokenFile = "/run/agenix/home_controller_k3s_token";
+        enableLocalStorage = true;
+        enableZfs = true;
+      };
+
+      wireguard = {
+        privateKeyFile = "/run/agenix/home_controller_wireguard";
+        peers = [
+          {
+            # cube
+            publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+            allowedIPs = [ "10.0.1.5/32" ];
+            endpoint = "data.gssws.de:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # giggles
+            publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+            allowedIPs = [ "10.0.1.11/32" ];
+            endpoint = "giggles.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # cox
+            publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+            allowedIPs = [ "10.0.1.12/32" ];
+            endpoint = "cox.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # ringo
+            publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
+            allowedIPs = [ "10.0.1.21/32" ];
+            endpoint = "ringo.local:51899";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/hosts/cox/configuration.nix
+++ b/hosts/cox/configuration.nix
@ -0,0 +1,64 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./home-controller.nix
+    ];
+
+  boot.loader.timeout = 0;
+
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = false;
+  networking.networkmanager.enable = lib.mkForce false;
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  nix = {
+    #package = pkgs.nixFlakes;
+    extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+  ];
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 2380 6443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/hosts/cox/cox.nix
+++ b/hosts/cox/cox.nix
@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
+}
--- a/hosts/cox/default.nix
+++ b/hosts/cox/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./cox.nix
+  ] ++ suites.cox;
+}
--- a/hosts/cox/hardware-configuration.nix
+++ b/hosts/cox/hardware-configuration.nix
@ -0,0 +1,61 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.initrd.supportedFilesystems = [ "zfs" ];
+  boot.supportedFilesystems = [ "zfs" ];
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
+
+  boot.initrd.luks.devices = {
+    cryptroot = {
+      device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2";
+      keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
+      bypassWorkqueues = true;
+      fallbackToPassword = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/6CB3-6DB8";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/lib/rancher/k3s/storage" =
+    {
+      device = "zroot/kubernetes-localstorage";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  networking.hostId = "71f2d82a";
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/hosts/cox/home-controller.nix
+++ b/hosts/cox/home-controller.nix
@ -0,0 +1,55 @@
+{ self, config, pkgs, ... }:
+
+{
+  config = {
+    age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      role = "server";
+      ownIp = "10.0.1.12";
+
+      k3s = {
+        serverAddr = "https://api.kube:6443";
+        tokenFile = "/run/agenix/home_controller_k3s_token";
+        enableLocalStorage = true;
+        enableZfs = true;
+      };
+
+      wireguard = {
+        privateKeyFile = "/run/agenix/home_controller_wireguard";
+        peers = [
+          {
+            # cube
+            publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+            allowedIPs = [ "10.0.1.5/32" ];
+            endpoint = "data.gssws.de:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # giggles
+            publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+            allowedIPs = [ "10.0.1.11/32" ];
+            endpoint = "giggles.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # companion
+            publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+            allowedIPs = [ "10.0.1.13/32" ];
+            endpoint = "companion.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # ringo
+            publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
+            allowedIPs = [ "10.0.1.21/32" ];
+            endpoint = "ringo.local:51899";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/hosts/cube/acme.nix
+++ b/hosts/cube/acme.nix
@ -0,0 +1,8 @@
+{ pkgs, config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "hensoko@gssws.de";
+  };
+}
--- a/hosts/cube/backup.nix
+++ b/hosts/cube/backup.nix
@ -0,0 +1,34 @@
+{ config, lib, self, ... }:
+
+{
+  age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
+  age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age";
+
+  programs.ssh.extraConfig = ''
+    Host backup
+      HostName 10.0.1.12
+      Port 32222
+      User backup
+      IdentityFile /run/agenix/restic_ssh_private_key
+  '';
+
+  services.postgresqlBackup = {
+    enable = true;
+    backupAll = true;
+    compression = "zstd";
+  };
+
+  services.restic.backups = {
+    cox = {
+      passwordFile = "/run/agenix/restic_repository_password";
+      paths = [
+        "/mnt/internal/nextcloud"
+        "/var/backup/postgresql"
+      ];
+      repository = "sftp:backup:/data/hdd/restic";
+      timerConfig = {
+        OnCalendar = "02:00";
+      };
+    };
+  };
+}
--- a/hosts/cube/configuration.nix
+++ b/hosts/cube/configuration.nix
@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./acme.nix
+      ./backup.nix
+      ./drone.nix
+      ./home-assistant.nix
+      ./nextcloud.nix
+      #./whiteboard.nix
+      ./wireguard.nix
+    ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  time.timeZone = "Europe/Berlin";
+
+  networking = {
+    useDHCP = false;
+
+    interfaces.eno1.ipv4.addresses = [{
+      address = "80.244.242.2";
+      prefixLength = 29;
+    }];
+
+    defaultGateway = "80.244.242.1";
+    nameservers = [ "95.129.51.51" "80.244.244.244" ];
+  };
+
+  nix = {
+    trustedUsers = [ "ci-cache-nix-store" ];
+  };
+
+  services.openssh.ports = [ 2222 ];
+
+  networking.nat.enable = true;
+  networking.nat.internalIPs = [ "10.10.42.0/24" ];
+  networking.nat.externalInterface = "eno1";
+
+
+  networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
+  networking.firewall.allowedUDPPorts = [ 51899 ];
+
+  networking.firewall.enable = lib.mkForce true;
+
+  system.stateVersion = "21.05"; # Did you read the comment?
+}
--- a/hosts/cube/cube.nix
+++ b/hosts/cube/cube.nix
@ -0,0 +1,15 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with pkgs;
+let
+  psCfg = config.pub-solar;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  pub-solar.core.disk-encryption-active = false;
+
+  networking.networkmanager.enable = lib.mkForce false;
+}
--- a/hosts/cube/default.nix
+++ b/hosts/cube/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./cube.nix
+  ] ++ suites.cube;
+}
--- a/hosts/cube/drone.nix
+++ b/hosts/cube/drone.nix
@ -0,0 +1,21 @@
+{ self, config, pkgs, ... }:
+
+{
+  age.secrets.drone_exec_runner_config = {
+    file = "${self}/secrets/cube_drone_exec_runner_config.age";
+    owner = "999";
+  };
+
+  pub-solar.ci-runner = {
+    enable = true;
+    enableKvm = true;
+    nixCacheLocation = "/mnt/internal/ci-cache-nix-store/nix";
+
+    runnerEnvironment = {
+      DRONE_RUNNER_CAPACITY = "1";
+      DRONE_RUNNER_LABELS = "hosttype:baremetal";
+    };
+
+    runnerVarsFile = "/run/agenix/drone_exec_runner_config";
+  };
+}
--- a/hosts/cube/hardware-configuration.nix
+++ b/hosts/cube/hardware-configuration.nix
@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  boot.extraModprobeConfig = "options kvm_intel nested=1";
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
+      fsType = "ext2";
+    };
+
+  fileSystems."/mnt/internal" =
+    {
+      device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
+}
--- a/hosts/cube/home-assistant.nix
+++ b/hosts/cube/home-assistant.nix
@ -0,0 +1,19 @@
+{ self, pkgs, config, ... }:
+
+{
+  # HTTP
+  services.nginx = {
+    virtualHosts."ha.gssws.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://10.0.1.254:8123";
+        proxyWebsockets = true;
+        extraConfig =
+          "proxy_ssl_server_name on;" +
+          "proxy_pass_header Authorization;"
+        ;
+      };
+    };
+  };
+}
--- a/hosts/cube/nextcloud-apps.nix
+++ b/hosts/cube/nextcloud-apps.nix
@ -0,0 +1,156 @@
+{ self, pkgs, config, lib, ... }:
+
+{
+  services.nextcloud.extraApps = {
+    "bookmarks" = pkgs.fetchNextcloudApp {
+      name = "bookmarks";
+      sha256 = "+Lon8Bbu1O6axALYFDQUkBw5K0fNonEehY51ZSqOiZA=";
+      url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.3/bookmarks-11.0.3.tar.gz";
+      version = "11.0.3";
+    };
+    "bruteforcesettings" = pkgs.fetchNextcloudApp {
+      name = "bruteforcesettings";
+      sha256 = "cy1Fg6kCiolkDtPF8u/n4JvPrdJadRv4FVMr1zB/Lmk=";
+      url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz";
+      version = "2.4.0";
+    };
+    "calendar" = pkgs.fetchNextcloudApp {
+      name = "calendar";
+      sha256 = "+LRGl9h40AQdWN9SW+NqGwTafAGwV07Af8nVs3pUCm0=";
+      url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz";
+      version = "3.5.0";
+    };
+    "contacts" = pkgs.fetchNextcloudApp {
+      name = "contacts";
+      sha256 = "GTiyZsUHBXPgQ17DHAihmt2W/ZnAjDwfgwnujkRwk6A=";
+      url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz";
+      version = "4.2.2";
+    };
+    "cookbook" = pkgs.fetchNextcloudApp {
+      name = "cookbook";
+      sha256 = "v64rLGyMQOdStyivpJsKrNxwumVQvyK3CnHtZ+K+elE=";
+      url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz";
+      version = "0.9.15";
+    };
+    "cospend" = pkgs.fetchNextcloudApp {
+      name = "cospend";
+      sha256 = "VyTo7jii40a0m2hLuUH5PFJXzogECTfGq+2oifMtNNI=";
+      url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.4.10/cospend-1.4.10.tar.gz";
+      version = "1.4.10";
+    };
+    "deck" = pkgs.fetchNextcloudApp {
+      name = "deck";
+      sha256 = "G4v1B5XHYuKEZxNhkd7Fu5OSbzwcS7yFaDkUkydpdPU=";
+      url = "https://github.com/nextcloud-releases/deck/releases/download/v1.7.1/deck-v1.7.1.tar.gz";
+      version = "1.7.1";
+    };
+    "files_accesscontrol" = pkgs.fetchNextcloudApp {
+      name = "files_accesscontrol";
+      sha256 = "7vfN3FF8pfQ3iQib/3EbG7r5HNyrQXjwgwJ9Cna6nT0=";
+      url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.14.1/files_accesscontrol-v1.14.1.tar.gz";
+      version = "1.14.1";
+    };
+    "files_automatedtagging" = pkgs.fetchNextcloudApp {
+      name = "files_automatedtagging";
+      sha256 = "C59NQNxox4gyTqIwQX5Yi8D0VwNqoorPli6CE7bl/P0=";
+      url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz";
+      version = "1.14.0";
+    };
+    "files_fulltextsearch" = pkgs.fetchNextcloudApp {
+      name = "files_fulltextsearch";
+      sha256 = "+cKu9kvsPxajGzyZhu+DDqsxWKrpZmMMxAKg0tyZdBw=";
+      url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/v24.0.1/files_fulltextsearch-v24.0.1.tar.gz";
+      version = "24.0.1";
+    };
+    "files_markdown" = pkgs.fetchNextcloudApp {
+      name = "files_markdown";
+      sha256 = "6vrPNKcPmJ4DuMXN8/oRMr/B/dTlJn2GGi/w4t2wimk=";
+      url = "https://github.com/icewind1991/files_markdown/releases/download/v2.3.6/files_markdown.tar.gz";
+      version = "2.3.6";
+    };
+    "files_mindmap" = pkgs.fetchNextcloudApp {
+      name = "files_mindmap";
+      sha256 = "GcJqn90n9+3VDndNuiohLMDx9fmmMyMkNVNb/bB7ksM=";
+      url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.26/files_mindmap-0.0.26.tar.gz";
+      version = "0.0.26";
+    };
+    "fulltextsearch" = pkgs.fetchNextcloudApp {
+      name = "fulltextsearch";
+      sha256 = "7Yp+ZELZf2tqKoZ0td2CgPNym7EbLXyxbVKF8OdpNqs=";
+      url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/v24.0.0/fulltextsearch-v24.0.0.tar.gz";
+      version = "24.0.0";
+    };
+    "groupfolders" = pkgs.fetchNextcloudApp {
+      name = "groupfolders";
+      sha256 = "RHkvpAWH4HbKbM4ZoUy1HCzydVdw2SYQJvzO02sZEVQ=";
+      url = "https://github.com/nextcloud/groupfolders/releases/download/v12.0.2/groupfolders.tar.gz";
+      version = "12.0.2";
+    };
+    "impersonate" = pkgs.fetchNextcloudApp {
+      name = "impersonate";
+      sha256 = "ww11Rfcy0yXU5+8w/rOXRxH+7eD6G8RAm3fZ3PpXgdM=";
+      url = "https://github.com/nextcloud-releases/impersonate/releases/download/v1.11.0/impersonate-v1.11.0.tar.gz";
+      version = "1.11.0";
+    };
+    "keeweb" = pkgs.fetchNextcloudApp {
+      name = "keeweb";
+      sha256 = "idftaF9EU/f61HmL1gijeuKD4yPuf0MJPth4Xr9WgFs=";
+      url = "https://github.com/jhass/nextcloud-keeweb/releases/download/v0.6.9/keeweb-0.6.9.tar.gz";
+      version = "0.6.9";
+    };
+    "maps" = pkgs.fetchNextcloudApp {
+      name = "maps";
+      sha256 = "6dTNNGHKu97LZvRvg7452e2fw+2loUchtRuv31vLIgY=";
+      url = "https://github.com/nextcloud/maps/releases/download/v0.2.1/maps-0.2.1.tar.gz";
+      version = "0.2.1";
+    };
+    "news" = pkgs.fetchNextcloudApp {
+      name = "news";
+      sha256 = "eS0cFwJmYfGGJmA02AOWO/OXfqfyI71u2GataDj18DE=";
+      url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz";
+      version = "18.2.0";
+    };
+    "notes" = pkgs.fetchNextcloudApp {
+      name = "notes";
+      sha256 = "rd3uVkVtARX4enRAWm1ivV468lboYZnYe7/zsqaHYpk=";
+      url = "https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz";
+      version = "4.5.1";
+    };
+    "quota_warning" = pkgs.fetchNextcloudApp {
+      name = "quota_warning";
+      sha256 = "UaURF2NIj0h+81vbbFxZuyFX7B9QsicUMK5RKtG5O04=";
+      url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.14.0/quota_warning-v1.14.0.tar.gz";
+      version = "1.14.0";
+    };
+    "richdocuments" = pkgs.fetchNextcloudApp {
+      name = "richdocuments";
+      sha256 = "nov6GQX4FEg1MAxuTvWxuk9yAPuWHtE1rsbM1B/1Dgk=";
+      url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v6.2.0/richdocuments-v6.2.0.tar.gz";
+      version = "6.2.0";
+    };
+    #"richdocumentscode" = pkgs.fetchNextcloudApp {
+    #  name = "richdocumentscode";
+    #  sha256 = "URbEB3I02SjoVlRI+gjoNi+/o5Oe4snmoKQUff4T9+A=";
+    #  url = "https://github.com/CollaboraOnline/richdocumentscode/releases/download/22.5.502/richdocumentscode.tar.gz";
+    #  version = "22.5.502";
+    #};
+    "spreed" = pkgs.fetchNextcloudApp {
+      name = "spreed";
+      sha256 = "wg4BYhcbWCaz1OE4sIVlV1r0cUX5Z923ej7Y/Meands=";
+      url = "https://github.com/nextcloud-releases/spreed/releases/download/v14.0.5/spreed-v14.0.5.tar.gz";
+      version = "14.0.5";
+    };
+    "tasks" = pkgs.fetchNextcloudApp {
+      name = "tasks";
+      sha256 = "kXXUzzODi/qRi2NqtJyiS1GmLTx0kFAwtH1p0rCdnRM=";
+      url = "https://github.com/nextcloud/tasks/releases/download/v0.14.4/tasks.tar.gz";
+      version = "0.14.4";
+    };
+    "twofactor_totp" = pkgs.fetchNextcloudApp {
+      name = "twofactor_totp";
+      sha256 = "cRtpRs1s31l8xG84YkZIuR3C3pg2kQFNlrY2f5NTSBo=";
+      url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.0/twofactor_totp-v6.4.0.tar.gz";
+      version = "6.4.0";
+    };
+  };
+}
--- a/hosts/cube/nextcloud.nix
+++ b/hosts/cube/nextcloud.nix
@ -0,0 +1,142 @@
+{ self, pkgs, config, lib, ... }:
+
+{
+  imports = [
+    ./nextcloud-apps.nix
+  ];
+
+  age.secrets.nextcloud_db_pass = {
+    owner = "nextcloud";
+    group = "nextcloud";
+    file = "${self}/secrets/cube_nextcloud_db_pass.age";
+  };
+
+  age.secrets.nextcloud_admin_pass = {
+    owner = "nextcloud";
+    group = "nextcloud";
+    file = "${self}/secrets/cube_nextcloud_admin_pass.age";
+  };
+
+  # HTTP
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    virtualHosts."data.gssws.de" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+
+  # DATABASES
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_11;
+
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+
+  # REDIS
+  services.redis.servers = {
+    "nextcloud".enable = true;
+  };
+
+  users.groups."redis-nextcloud".members = [ "nextcloud" ];
+
+  # Collabora Code server
+  virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
+    image = "collabora/code";
+    autoStart = true;
+    ports = [ "127.0.0.1:9980:9980" ];
+    environment.domain = "data\\.gssws\\.de";
+    extraOptions = [ "--cap-add" "MKNOD" ];
+  };
+
+  services.nginx.virtualHosts."office.gssws.de" =
+  let
+    proxyPass = "https://127.0.0.1:9980";
+    extraConfig = "proxy_ssl_verify off;";
+  in
+    {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."^~ /browser" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."^~ /hosting/discovery" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."^~ /hosting/capabilities" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."~ ^/cool/(.*)/ws''$" = {
+      inherit proxyPass extraConfig;
+      proxyWebsockets = true;
+    };
+    locations."~ ^/(c|l)ool" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."^~ /cool/adminws" = {
+      inherit proxyPass extraConfig;
+      proxyWebsockets = true;
+    };
+  };
+
+  # NEXTCLOUD
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud24;
+    hostName = "data.gssws.de";
+    https = true;
+    datadir = "/mnt/internal/nextcloud";
+
+    caching.apcu = true;
+    caching.redis = true;
+
+    phpPackage = lib.mkForce pkgs.php81;
+
+    phpOptions = {
+      short_open_tag = "Off";
+      expose_php = "Off";
+      error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
+      display_errors = "stderr";
+      "opcache.enable_cli" = "1";
+      "opcache.interned_strings_buffer" = "32";
+      "opcache.max_accelerated_files" = "100000";
+      "opcache.memory_consumption" = "256";
+      "opcache.revalidate_freq" = "1";
+      "opcache.fast_shutdown" = "1";
+      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+      catch_workers_output = "yes";
+    };
+
+    config = {
+      overwriteProtocol = "https";
+
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      dbpassFile = "/run/agenix/nextcloud_db_pass";
+      adminpassFile = "/run/agenix/nextcloud_admin_pass";
+      adminuser = "admin";
+
+      trustedProxies = [ "80.244.242.2" ];
+      defaultPhoneRegion = "DE";
+    };
+  };
+}
--- a/hosts/cube/wireguard.nix
+++ b/hosts/cube/wireguard.nix
@ -0,0 +1,63 @@
+{ self, config, pkgs, ... }:
+
+{
+  age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
+
+
+  systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+  systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+
+  # Enable WireGuard
+  networking.wireguard.interfaces = {
+    wg1 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [ "10.0.1.5" ];
+      listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/run/agenix/home_controller_wireguard";
+
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+
+        {
+          # giggles
+          publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+          allowedIPs = [ "10.0.1.11/32" ];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+        {
+          # cox
+          publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+          allowedIPs = [ "10.0.1.12/32" ];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+        {
+          # companion
+          publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+          allowedIPs = [ "10.0.1.13/32" ];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+
+        {
+          # hsha
+          publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
+          allowedIPs = [ "10.0.1.254/32" ];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
--- a/hosts/falcone/configuration.nix
+++ b/hosts/falcone/configuration.nix
@ -0,0 +1,57 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ inputs, pkgs, builtins, config, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  pub-solar.core.disk-encryption-active = false;
+
+  boot.loader.timeout = lib.mkForce 0;
+
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+  boot.loader.grub = {
+    enable = lib.mkForce true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+
+    extraInstallCommands = ''
+      cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/
+    '';
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = false;
+  networking.networkmanager.enable = lib.mkForce false;
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 2380 6443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/hosts/falcone/default.nix
+++ b/hosts/falcone/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./falcone.nix
+  ] ++ suites.falcone;
+}
--- a/hosts/falcone/falcone.nix
+++ b/hosts/falcone/falcone.nix
@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
+}
--- a/hosts/falcone/hardware-configuration.nix
+++ b/hosts/falcone/hardware-configuration.nix
@ -0,0 +1,35 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  #boot.initrd.supportedFilesystems = [ "zfs" ];
+  #boot.supportedFilesystems = [ "zfs" ];
+
+  #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/hosts/giggles/configuration.nix
+++ b/hosts/giggles/configuration.nix
@ -0,0 +1,65 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./home-controller.nix
+    ];
+
+  boot.loader.timeout = 0;
+
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = false;
+  networking.networkmanager.enable = lib.mkForce false;
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  nix = {
+    #package = pkgs.nixFlakes;
+    extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+  ];
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 2380 6443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/hosts/giggles/default.nix
+++ b/hosts/giggles/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./giggles.nix
+  ] ++ suites.giggles;
+}
--- a/hosts/giggles/giggles.nix
+++ b/hosts/giggles/giggles.nix
@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
+}
--- a/hosts/giggles/hardware-configuration.nix
+++ b/hosts/giggles/hardware-configuration.nix
@ -0,0 +1,61 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.initrd.supportedFilesystems = [ "zfs" ];
+  boot.supportedFilesystems = [ "zfs" ];
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
+
+  boot.initrd.luks.devices = {
+    cryptroot = {
+      device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2";
+      keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
+      bypassWorkqueues = true;
+      fallbackToPassword = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/2F05-9B4A";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/lib/rancher/k3s/storage" =
+    {
+      device = "zroot/kubernetes-localstorage";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  networking.hostId = "71f2d82a";
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/hosts/giggles/home-controller.nix
+++ b/hosts/giggles/home-controller.nix
@ -0,0 +1,53 @@
+{ self, config, pkgs, ... }:
+
+{
+  config = {
+    age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      role = "server";
+      ownIp = "10.0.1.11";
+
+      k3s = {
+        enableLocalStorage = true;
+        enableZfs = true;
+      };
+
+      wireguard = {
+        privateKeyFile = "/run/agenix/home_controller_wireguard";
+        peers = [
+          {
+            # cube
+            publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+            allowedIPs = [ "10.0.1.5/32" ];
+            endpoint = "data.gssws.de:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # cox
+            publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+            allowedIPs = [ "10.0.1.12/32" ];
+            endpoint = "cox.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # companion
+            publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+            allowedIPs = [ "10.0.1.13/32" ];
+            endpoint = "companion.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # ringo
+            publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
+            allowedIPs = [ "10.0.1.21/32" ];
+            endpoint = "ringo.local:51899";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/hosts/harrison/.config/sway/config.d/screens.conf
+++ b/hosts/harrison/.config/sway/config.d/screens.conf
@ -0,0 +1,19 @@
+set $left 'Dell Inc. DELL S2721DS D0SVQ43'
+set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
+set $right 'Eizo Nanao Corporation EV2316W 39117013'
+
+output $left {
+  scale 1
+  pos 0 0
+  transform 270
+}
+
+output $middle {
+  scale 1
+  pos 1440 1150
+}
+
+output $right {
+  scale 1
+  pos 3360 1150
+}
--- a/hosts/harrison/configuration.nix
+++ b/hosts/harrison/configuration.nix
@ -0,0 +1,49 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+  time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.dhcpcd.wait = "background";
+  networking.useDHCP = false;
+  networking.interfaces.eno1 = {
+    useDHCP = true;
+    wakeOnLan = {
+      enable = true;
+    };
+  };
+  networking.networkmanager.enable = lib.mkForce false;
+
+  nixpkgs.config.allowUnsupportedSystem = true;
+
+  # List services that you want to enable:
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.05"; # Did you read the comment?
+}
+
--- a/hosts/harrison/default.nix
+++ b/hosts/harrison/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./harrison.nix
+  ] ++ suites.harrison;
+}
--- a/hosts/harrison/hardware-configuration.nix
+++ b/hosts/harrison/hardware-configuration.nix
@ -0,0 +1,70 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd";
+    keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1";
+    fallbackToPassword = true;
+    bypassWorkqueues = true;
+  };
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.efi = {
+    canTouchEfiVariables = true;
+    efiSysMountPoint = "/boot";
+  };
+  boot.loader.grub = {
+    efiSupport = true;
+    enable = lib.mkForce true;
+    extraEntries = ''
+      menuentry "Windows" {
+        insmod part_gpt
+        insmod fat
+        insmod search_fs_uuid
+        insmod chain
+        search --fs-uuid --set=root 02DB-F12C
+        chainloader /efi/Microsoft/Boot/bootmgfw.efi
+      }
+    '';
+    devices = [ "nodev" ];
+  };
+
+
+  fileSystems = {
+    "/" =
+      {
+        device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05";
+        fsType = "ext4";
+      };
+
+    "/boot" =
+      {
+        device = "/dev/disk/by-uuid/4B4A-B1B4";
+        fsType = "vfat";
+      };
+
+    "/boot2" =
+      {
+        device = "/dev/disk/by-uuid/4B2C-385A";
+        fsType = "vfat";
+      };
+  };
+
+  swapDevices =
+    [{ device = "/dev/mapper/vg0-swap"; }];
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/harrison/harrison.nix
+++ b/hosts/harrison/harrison.nix
@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with pkgs;
+let
+  psCfg = config.pub-solar;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+    home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
+      "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+    };
+
+    services.teamviewer.enable = true;
+  };
+}
--- a/hosts/norman/.config/sway/config.d/custom-keybindings.conf
+++ b/hosts/norman/.config/sway/config.d/custom-keybindings.conf
@ -0,0 +1,16 @@
+# Screen brightness controls
+bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
+bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {    print $4}')"
+
+# Keyboard backlight brightness controls
+bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+
+# Pulse Audio controls
+bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
+bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
+bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
+# Media player controls
+bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
+bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
+bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"
--- a/hosts/norman/.config/sway/config.d/screens.conf
+++ b/hosts/norman/.config/sway/config.d/screens.conf
@ -0,0 +1,13 @@
+set $left 'Dell Inc. DELL S2721DS D0SVQ43'
+set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
+
+output $left {
+  scale 1
+  pos 0 0
+  transform 270
+}
+
+output $middle {
+  scale 1
+  pos 1440 1050
+}
--- a/hosts/norman/configuration.nix
+++ b/hosts/norman/configuration.nix
@ -0,0 +1,63 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./wireguard.nix
+    ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.firewall = {
+    allowedUDPPorts = [
+      51820
+      51821
+    ]; # Clients and peers can use the same port, see listenport
+  };
+
+  hardware.nitrokey.enable = true;
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  services.tlp = {
+    enable = true;
+    settings = {
+      CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+      CPU_SCALING_GOVERNOR_ON_AC = "performance";
+
+      # The following prevents the battery from charging fully to
+      # preserve lifetime. Run `tlp fullcharge` to temporarily force
+      # full charge.
+      # https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds
+      START_CHARGE_THRESH_BAT0 = 40;
+      STOP_CHARGE_THRESH_BAT0 = 80;
+
+      # 100 being the maximum, limit the speed of my CPU to reduce
+      # heat and increase battery usage:
+      CPU_MAX_PERF_ON_AC = 100;
+      CPU_MAX_PERF_ON_BAT = 30;
+    };
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+}
+
--- a/hosts/norman/default.nix
+++ b/hosts/norman/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./norman.nix
+  ] ++ suites.norman;
+}
--- a/hosts/norman/hardware-configuration.nix
+++ b/hosts/norman/hardware-configuration.nix
@ -0,0 +1,46 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  boot.loader.grub.trustedBoot = {
+    enable = true;
+    systemHasTPM = "YES_TPM_is_activated";
+  };
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6";
+    bypassWorkqueues = true;
+  };
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/84CD-91B6";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }];
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  hardware.trackpoint = {
+    enable = true;
+    device = "TPPS/2 ALPS TrackPoint";
+    emulateWheel = true;
+  };
+}
--- a/hosts/norman/norman.nix
+++ b/hosts/norman/norman.nix
@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+    pub-solar.audio.bluetooth.enable = false;
+
+    home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
+      "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+      "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
+    };
+  };
+}
--- a/hosts/norman/wireguard.nix
+++ b/hosts/norman/wireguard.nix
@ -0,0 +1,93 @@
+{ config, pkgs, ... }:
+
+{
+  systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+  systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+  systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
+  systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
+
+  # Enable WireGuard
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [
+        "10.0.0.13/32"
+        "fc00:200::13/128"
+      ];
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
+
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+
+        {
+          # Public key of the server (not a file path).
+          publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
+
+          # Forward all the traffic via VPN.
+          allowedIPs = [
+            "10.0.0.0/24"
+            "192.168.50.0/24"
+            "192.168.200.0/24"
+            "10.20.30.0/24"
+            "fc00:200::/120"
+            "95.129.51.5"
+            "95.129.54.43"
+            "134.0.28.89"
+            "134.0.27.108"
+            "134.0.25.181"
+          ];
+
+          # Set this to the server IP and port.
+          endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+    wg1 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [
+        "10.7.0.21"
+      ];
+      listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
+
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+
+        {
+          # Public key of the server (not a file path).
+          publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
+
+          # Forward all the traffic via VPN.
+          allowedIPs = [
+            "10.7.0.0/24"
+          ];
+
+          # Set this to the server IP and port.
+          endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+
+    };
+  };
+}
+
--- a/hosts/redpanda/configuration.nix
+++ b/hosts/redpanda/configuration.nix
@ -0,0 +1,110 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  # networking.hostName = "nixos"; # Define your hostname.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.enp0s3.useDHCP = true;
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  nix = {
+    #package = pkgs.nixFlakes;
+    extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
+  };
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  # };
+
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+
+  # Configure keymap in X11
+  # services.xserver.layout = "us";
+  # services.xserver.xkbOptions = "eurosign:e";
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable sound.
+  # sound.enable = true;
+  # hardware.pulseaudio.enable = true;
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.xserver.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.users.jane = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+  # };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    firefox
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.05"; # Did you read the comment?
+
+
+}
+
--- a/hosts/redpanda/default.nix
+++ b/hosts/redpanda/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./redpanda.nix
+  ] ++ suites.redpanda;
+}
--- a/hosts/redpanda/hardware-configuration.nix
+++ b/hosts/redpanda/hardware-configuration.nix
@ -0,0 +1,21 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "ohci_pci" "virtio_pci" "sd_mod" "sr_mod" "virtio_scsi" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+    };
+
+  #virtualisation.virtualbox.guest.enable = true;
+}
--- a/hosts/redpanda/redpanda.nix
+++ b/hosts/redpanda/redpanda.nix
@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  #pub-solar.nextcloud.enable = lib.mkForce false;
+
+  config = {
+    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  };
+}
--- a/hosts/ringo/configuration.nix
+++ b/hosts/ringo/configuration.nix
@ -0,0 +1,35 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./home-controller.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.enp0s25.useDHCP = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+}
+
--- a/hosts/ringo/default.nix
+++ b/hosts/ringo/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./ringo.nix
+  ] ++ suites.ringo;
+}
--- a/hosts/ringo/hardware-configuration.nix
+++ b/hosts/ringo/hardware-configuration.nix
@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
+    keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
+    fallbackToPassword = true;
+    bypassWorkqueues = true;
+  };
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/47ED-2F0B";
+      fsType = "vfat";
+    };
+
+  fileSystems."/home" =
+    {
+      device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/ringo/home-controller.nix
+++ b/hosts/ringo/home-controller.nix
@ -0,0 +1,43 @@
+{ self, config, pkgs, ... }:
+
+{
+  config = {
+    age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      role = "agent";
+      ownIp = "10.0.1.21";
+
+      k3s = {
+        serverAddr = "https://api.kube:6443";
+        tokenFile = "/run/agenix/home_controller_k3s_token";
+      };
+
+      wireguard = {
+        privateKeyFile = "/run/agenix/home_controller_wireguard";
+        peers = [
+          {
+            # giggles
+            publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+            allowedIPs = [ "10.0.1.11/32" ];
+            endpoint = "giggles.local:51899";
+          }
+          {
+            # cox
+            publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+            allowedIPs = [ "10.0.1.12/32" ];
+            endpoint = "cox.local:51899";
+          }
+          {
+            # companion
+            publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+            allowedIPs = [ "10.0.1.13/32" ];
+            endpoint = "companion.local:51899";
+          }
+        ];
+      };
+    };
+  };
+}
--- a/hosts/ringo/ringo.nix
+++ b/hosts/ringo/ringo.nix
@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config.pub-solar.core.lite = true;
+}
--- a/modules/audio/default.nix
+++ b/modules/audio/default.nix
@ -65,6 +65,9 @@ in
        context.default.clock = {
          allowed-rates = [ 44100 48000 88200 96000 ];
          rate = 44100;
+          quantum = 2048;
+          min-quantum = 1024;
+          max-quantum = 4096;
        };
      };
      config.pipewire-pulse = builtins.fromJSON (builtins.readFile ./pipewire-pulse.conf.json);
--- a/modules/compat/default.nix
+++ b/modules/compat/default.nix
@ -2,5 +2,5 @@
  # Both things below are for
  # https://github.com/NixOS/nixpkgs/issues/124215
  documentation.info.enable = lib.mkForce false;
-  nix.sandboxPaths = [ "/bin/sh=${pkgs.bash}/bin/sh" ];
+  nix.settings.extra-sandbox-paths = [ "/bin/sh=${pkgs.bash}/bin/sh" ];
 }
--- a/modules/core/bluetooth.nix
+++ b/modules/core/bluetooth.nix
--- a/modules/core/hibernation.nix
+++ b/modules/core/hibernation.nix
@ -12,8 +12,8 @@ in
    };

    resumeDevice = mkOption {
-      type = types.str;
-      default = "/dev/sda1";
+      type = types.nullOr types.str;
+      default = null;
      description = "The location of the hibernation resume swap file.";
    };

@ -26,7 +26,7 @@ in

  config = {
    boot = mkIf cfg.enable {
-      resumeDevice = cfg.resumeDevice;
+      resumeDevice = mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
      kernelParams = mkIf (cfg.resumeOffset != null) [ "resume_offset=${builtins.toString cfg.resumeOffset}" ];
    };
  };
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -1,10 +1,12 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let cfg = config.pub-solar.core;
-in
 {
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.pub-solar.core;
+in {
  options.pub-solar.core = {
    enableCaddy = mkOption {
      type = types.bool;
@ -17,12 +19,12 @@ in

    binaryCaches = mkOption {
      type = types.listOf types.str;
-      default = [ ];
+      default = [];
      description = "Binary caches to use.";
    };
    publicKeys = mkOption {
      type = types.listOf types.str;
-      default = [ ];
+      default = [];
      description = "Public keys of binary caches.";
    };
  };
@ -39,15 +41,16 @@ in
    networking.firewall.enable = true;

    # Customized binary caches list (with fallback to official binary cache)
-    nix.binaryCaches = cfg.binaryCaches;
-    nix.binaryCachePublicKeys = cfg.publicKeys;
+    nix.settings.substituters = cfg.binaryCaches;
+    nix.settings.trusted-public-keys = cfg.publicKeys;

    # These entries get added to /etc/hosts
    networking.hosts = {
-      "127.0.0.1" = [ ]
-        ++ lib.optionals cfg.enableCaddy [ "caddy.local" ]
-        ++ lib.optionals config.pub-solar.printing.enable [ "cups.local" ]
-        ++ lib.optionals cfg.enableHelp [ "help.local" ];
+      "127.0.0.1" =
+        []
+        ++ lib.optionals cfg.enableCaddy ["caddy.local"]
+        ++ lib.optionals config.pub-solar.printing.enable ["cups.local"]
+        ++ lib.optionals cfg.enableHelp ["help.local"];
    };

    # Caddy reverse proxy for local services like cups
--- a/modules/core/nix.nix
+++ b/modules/core/nix.nix
@ -1,19 +1,25 @@
-{ config, pkgs, lib, inputs, ... }:
-
 {
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}: {
  nix = {
    # Use default version alias for nix package
    package = pkgs.nix;
-    # Improve nix store disk usage
-    autoOptimiseStore = true;
    gc.automatic = true;
    optimise.automatic = true;
-    # Prevents impurities in builds
-    useSandbox = true;
-    # give root and @wheel special privileges with nix
-    trustedUsers = [ "root" "@wheel" ];
-    # This is just a representation of the nix default
-    systemFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    settings = {
+      # Improve nix store disk usage
+      auto-optimise-store = true;
+      # Prevents impurities in builds
+      sandbox = true;
+      # give root and @wheel special privileges with nix
+      trusted-users = ["root" "@wheel"];
+      # This is just a representation of the nix default
+      system-features = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+    };
    # Generally useful nix option defaults
    extraOptions = ''
      min-free = 536870912
--- a/modules/crypto/default.nix
+++ b/modules/crypto/default.nix
@ -16,11 +16,18 @@ in

    services.gnome.gnome-keyring.enable = true;

+    environment.shellInit = ''
+      gpg-connect-agent /bye
+      export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+    '';
+
    home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
      systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;

      services.gpg-agent = {
        enable = true;
+        defaultCacheTtl = 300;
+        enableSshSupport = true;
        pinentryFlavor = "gnome3";
        verbose = true;
      };
@ -32,9 +39,6 @@ in
      home.packages = [
        gnome.seahorse
        keepassxc
-        libsecret
-        qMasterPassword
-        restic
      ];
    };
  };
--- a/modules/devops/default.nix
+++ b/modules/devops/default.nix
@ -19,7 +19,7 @@ in
        ansible-lint
        restic
        shellcheck
-        terraform_0_15
+        terraform
      ];
    };
  };
--- a/modules/docker-ci-runner/default.nix
+++ b/modules/docker-ci-runner/default.nix
@ -0,0 +1,105 @@
+{ lib, config, pkgs, self, ... }:
+
+with lib;
+let
+  bootstrap = pkgs.writeScript "bootstrap.sh" ''
+    #!/usr/bin/env bash
+
+    set -e
+
+    apt update
+    apt install --yes curl git sudo xz-utils
+
+    adduser --system --uid 999 build
+    chown build /nix
+
+    sudo -u build curl -L https://nixos.org/nix/install > install
+    sudo -u build sh install
+
+    echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile
+
+    mkdir /etc/nix
+    echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf
+
+    export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
+    mkdir -p $(dirname \\$nix_user_config_file)
+    echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org  https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > \\$nix_user_config_file
+    chown -R build /home/build/
+
+    curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
+    sudo install -t /usr/local/bin drone-runner-exec
+
+    if [ ! -f /run/vars ]; then
+      exit 1
+    fi
+
+    cp -a /run/vars /run/runtime-vars
+    env | grep "DRONE" >> /run/runtime-vars
+
+    su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"
+  '';
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.docker-ci-runner;
+in
+{
+  options.pub-solar.docker-ci-runner = {
+    enable = lib.mkEnableOption "Enables a systemd service that runs drone-ci-runner";
+
+    enableKvm = lib.mkOption {
+      description = ''
+        Enable kvm support.
+      '';
+      default = true;
+      type = types.bool;
+    };
+
+    nixCacheLocation = lib.mkOption {
+      description = ''
+        Location of nix cache that is shared between builds
+      '';
+      type = types.path;
+    };
+
+    runnerEnvironment = lib.mkOption {
+      description = ''
+        Additional environment vars added to the vars file on container runtime
+      '';
+      default = {};
+    };
+
+    runnerVarsFile = lib.mkOption {
+      description = ''
+        Location of vars file passed to drone runner
+      '';
+      type = types.path;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation = {
+      docker = {
+        enable = true; # sadly podman is not supported rightnow
+      };
+
+      oci-containers = {
+        backend = "docker";
+        containers."drone-exec-runner" = {
+          image = "debian";
+          autoStart = true;
+          entrypoint = "bash";
+          cmd = [ "/bootstrap.sh" ];
+          
+          volumes = [
+            "${cfg.runnerVarsFile}:/run/vars"
+            "${cfg.nixCacheLocation}:/nix"
+            "${bootstrap}:/bootstrap.sh"
+          ];
+
+          environment = cfg.runnerEnvironment;
+          
+          extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ];
+        };
+      };
+    };
+  };
+}
--- a/modules/docker/default.nix
+++ b/modules/docker/default.nix
@ -1,19 +1,23 @@
-{ lib, config, pkgs, ... }:
-with lib;
-let
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.docker;
-in
-{
+in {
  options.pub-solar.docker = {
    enable = mkEnableOption "Life in metal boxes";
  };

  config = mkIf cfg.enable {
    virtualisation.docker.enable = true;
-    users.users = with pkgs; pkgs.lib.setAttrByPath [ psCfg.user.name ] {
-      extraGroups = [ "docker" ];
-    };
+    users.users = with pkgs;
+      pkgs.lib.setAttrByPath [psCfg.user.name] {
+        extraGroups = ["docker"];
+      };

    environment.systemPackages = with pkgs; [
      docker-compose
--- a/modules/graphical/alacritty.nix
+++ b/modules/graphical/alacritty.nix
@ -66,29 +66,97 @@
      x = 0;
      y = 0;
    };
-
-    use_thin_strokes = true;
  };

  key_bindings = [
-    { key = "V"; mods = "Control|Alt"; action = "Paste"; }
-    { key = "C"; mods = "Control|Alt"; action = "Copy"; }
-    { key = "Paste"; action = "Paste"; }
-    { key = "Copy"; action = "Copy"; }
-    { key = "Q"; mods = "Command"; action = "Quit"; }
-    { key = "W"; mods = "Command"; action = "Quit"; }
-    { key = "Insert"; mods = "Shift"; action = "PasteSelection"; }
-    { key = "Key0"; mods = "Control"; action = "ResetFontSize"; }
-    { key = "Equals"; mods = "Control"; action = "IncreaseFontSize"; }
-    { key = "PageUp"; mods = "Shift"; action = "ScrollPageUp"; }
-    { key = "PageDown"; mods = "Shift"; action = "ScrollPageDown"; }
-    { key = "Minus"; mods = "Control"; action = "DecreaseFontSize"; }
-    { key = "H"; mode = "Vi|~Search"; action = "ScrollToBottom"; }
-    { key = "H"; mode = "Vi|~Search"; action = "ToggleViMode"; }
-    { key = "I"; mode = "Vi|~Search"; action = "Up"; }
-    { key = "K"; mode = "Vi|~Search"; action = "Down"; }
-    { key = "J"; mode = "Vi|~Search"; action = "Left"; }
-    { key = "L"; mode = "Vi|~Search"; action = "Right"; }
+    {
+      key = "V";
+      mods = "Control|Alt";
+      action = "Paste";
+    }
+    {
+      key = "C";
+      mods = "Control|Alt";
+      action = "Copy";
+    }
+    {
+      key = "Paste";
+      action = "Paste";
+    }
+    {
+      key = "Copy";
+      action = "Copy";
+    }
+    {
+      key = "Q";
+      mods = "Command";
+      action = "Quit";
+    }
+    {
+      key = "W";
+      mods = "Command";
+      action = "Quit";
+    }
+    {
+      key = "Insert";
+      mods = "Shift";
+      action = "PasteSelection";
+    }
+    {
+      key = "Key0";
+      mods = "Control";
+      action = "ResetFontSize";
+    }
+    {
+      key = "Equals";
+      mods = "Control";
+      action = "IncreaseFontSize";
+    }
+    {
+      key = "PageUp";
+      mods = "Shift";
+      action = "ScrollPageUp";
+    }
+    {
+      key = "PageDown";
+      mods = "Shift";
+      action = "ScrollPageDown";
+    }
+    {
+      key = "Minus";
+      mods = "Control";
+      action = "DecreaseFontSize";
+    }
+    {
+      key = "H";
+      mode = "Vi|~Search";
+      action = "ScrollToBottom";
+    }
+    {
+      key = "H";
+      mode = "Vi|~Search";
+      action = "ToggleViMode";
+    }
+    {
+      key = "I";
+      mode = "Vi|~Search";
+      action = "Up";
+    }
+    {
+      key = "K";
+      mode = "Vi|~Search";
+      action = "Down";
+    }
+    {
+      key = "J";
+      mode = "Vi|~Search";
+      action = "Left";
+    }
+    {
+      key = "L";
+      mode = "Vi|~Search";
+      action = "Right";
+    }
  ];

  # Base16 Burn 256 - alacritty color config
@ -164,12 +232,30 @@
    };

    indexed_colors = [
-      { index = 16; color = "0xdf5923"; }
-      { index = 17; color = "0xd70000"; }
-      { index = 18; color = "0x2d2a2e"; }
-      { index = 19; color = "0x303030"; }
-      { index = 20; color = "0xd3d1d4"; }
-      { index = 21; color = "0x303030"; }
+      {
+        index = 16;
+        color = "0xdf5923";
+      }
+      {
+        index = 17;
+        color = "0xd70000";
+      }
+      {
+        index = 18;
+        color = "0x2d2a2e";
+      }
+      {
+        index = 19;
+        color = "0x303030";
+      }
+      {
+        index = 20;
+        color = "0xd3d1d4";
+      }
+      {
+        index = 21;
+        color = "0x303030";
+      }
    ];
  };
 }
--- a/modules/home-controller/default.nix
+++ b/modules/home-controller/default.nix
@ -0,0 +1,131 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.home-controller;
+in
+{
+  imports = [
+    ./k3s.nix
+    ./wireguard.nix
+  ];
+
+  options.pub-solar.home-controller = {
+    enable = mkEnableOption "Control your home";
+
+    role = mkOption {
+      description = ''
+        Whether the node should run as a server or agent.
+        Note that the server, by default, also runs as an agent.
+      '';
+      default = "server";
+      type = types.enum [ "server" "agent" ];
+    };
+
+    ownIp = mkOption {
+      description = ''
+        Internal ip in wireguard used for cluster control-plane communication.
+      '';
+      type = types.str;
+    };
+
+    k3s = {
+      enableLocalStorage = mkOption {
+        description = ''
+          Enable local storage provisioner.
+        '';
+        default = false;
+        type = types.bool;
+      };
+
+      defaultLocalStoragePath = mkOption {
+        description = ''
+          Default path to use for local storage provisioner.
+        '';
+        default = "/var/lib/rancher/k3s/storage";
+        type = types.path;
+      };
+
+      flannelBackend = mkOption {
+        description = ''
+          Flannel backend to use.
+        '';
+        default = "wireguard-native";
+        type = types.str;
+      };
+
+      serverAddr = mkOption {
+        description = ''
+          Set server address of master
+        '';
+        default = "";
+        type = types.str;
+        example = "https://api.kube:6443";
+      };
+
+      tokenFile = mkOption {
+        description = ''
+          Location of token file used to join cluster.
+        '';
+        default = "";
+        type = types.str;
+      };
+
+      enableZfs = mkOption {
+        description = ''
+          Enable when k3s should use a ZFS compatible runtime.
+        '';
+        default = false;
+        type = types.bool;
+      };
+
+      zfsPool = mkOption {
+        description = ''
+          The ZFS pool to use and create a containerd volume in.
+        '';
+        default = "zroot";
+        type = types.str;
+      };
+    };
+
+    wireguard = {
+      privateKeyFile = mkOption {
+        description = ''
+          Location of private key file
+        '';
+        type = types.path;
+      };
+
+      listenPort = mkOption {
+        description = ''
+          Port for wireguard.
+        '';
+        default = 51899;
+        type = types.int;
+      };
+
+      peers = mkOption {
+        description = ''
+          Wireguard peers.
+        '';
+        type = types.listOf types.attrs;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot.kernelModules = [ "rbd" ];
+
+    networking.extraHosts =
+      ''
+        192.168.42.231 ringo.local
+        192.168.42.232 giggles.local
+        192.168.42.234 cox.local
+        192.168.42.236 companion.local
+        10.0.1.11      api.kube giggles.kube
+        10.0.1.12      cox.kube
+        10.0.1.13      companion.kube
+        10.0.1.21      ringo.kube
+      '';
+  };
+}
--- a/modules/home-controller/k3s.nix
+++ b/modules/home-controller/k3s.nix
@ -0,0 +1,77 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.home-controller;
+in
+{
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      kubernetes-helm
+    ];
+
+    environment.sessionVariables = lib.mkIf (cfg.role == "server") rec {
+      KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
+    };
+
+    networking.firewall.enable = lib.mkForce false;
+
+    services.k3s = {
+      enable = true;
+      role = cfg.role;
+      serverAddr = lib.mkIf (cfg.k3s.serverAddr != "") cfg.k3s.serverAddr;
+      tokenFile = lib.mkIf (cfg.k3s.tokenFile != "") cfg.k3s.tokenFile;
+      extraFlags = concatStringsSep " " (
+        [
+          "--node-ip ${cfg.ownIp}"
+          "--container-runtime-endpoint unix:///run/containerd/containerd.sock"
+
+          "${optionalString (cfg.role == "server") "--disable servicelb"}"
+          "${optionalString (cfg.role == "server") "--disable traefik"}"
+
+          "${optionalString (cfg.role == "server") "--bind-address ${cfg.ownIp}"}"
+
+          "${optionalString (cfg.role == "server" && cfg.k3s.flannelBackend != "") "--flannel-backend=${cfg.k3s.flannelBackend}"}"
+
+          "${optionalString (cfg.role == "server" && !cfg.k3s.enableLocalStorage) "--disable local-storage"}"
+          "${optionalString (cfg.role == "server" && cfg.k3s.enableLocalStorage) "--default-local-storage-path ${cfg.k3s.defaultLocalStoragePath}"}"
+
+          "${optionalString cfg.k3s.enableZfs "--snapshotter=zfs"}"
+        ]
+      );
+    };
+
+    systemd.services.containerd = mkIf cfg.k3s.enableZfs {
+      serviceConfig = {
+        ExecStartPre = [
+          "-${pkgs.zfs}/bin/zfs create -o mountpoint=/var/lib/containerd/io.containerd.snapshotter.v1.zfs ${cfg.k3s.zfsPool}/containerd"
+        ];
+      };
+    };
+
+    systemd.services.k3s = {
+      after = [ "containerd.service" ];
+      requisite = [ "containerd.service" ];
+    };
+
+    virtualisation.containerd = {
+      enable = true;
+      settings =
+        let
+          fullCNIPlugins = pkgs.buildEnv {
+            name = "full-cni";
+            paths = with pkgs; [
+              cni-plugins
+              cni-plugin-flannel
+            ];
+          };
+        in
+        {
+          plugins."io.containerd.grpc.v1.cri".cni = {
+            bin_dir = "${fullCNIPlugins}/bin";
+            conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/";
+          };
+        };
+    };
+  };
+}
--- a/modules/home-controller/wireguard.nix
+++ b/modules/home-controller/wireguard.nix
@ -0,0 +1,23 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.home-controller;
+in
+{
+  config = mkIf cfg.enable {
+    systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure";
+    systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s";
+
+    networking.firewall.allowedUDPPorts = [ cfg.wireguard.listenPort ];
+
+    networking.wireguard.interfaces = {
+      wghome = {
+        ips = [ cfg.ownIp ];
+        listenPort = cfg.wireguard.listenPort;
+        privateKeyFile = cfg.wireguard.privateKeyFile;
+        peers = cfg.wireguard.peers;
+      };
+    };
+  };
+}
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@ -0,0 +1,22 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.server;
+in
+{
+  options.pub-solar.server = {
+    enable = mkEnableOption "Enable server options like sshd";
+  };
+
+  config = mkIf cfg.enable {
+    pub-solar.core.lite = true;
+
+    services.openssh = {
+      enable = true;
+      permitRootLogin = lib.mkForce "prohibit-password";
+      passwordAuthentication = true;
+      openFirewall = true;
+    };
+  };
+}
--- a/modules/social/default.nix
+++ b/modules/social/default.nix
@ -14,8 +14,11 @@ in
      home.packages = [
        signal-desktop
        tdesktop
+        discord
        element-desktop
-        irssi
+        tdesktop
+        mattermost-desktop
+        whatsapp-for-linux
      ];
    };
  };
--- a/modules/sway/config/config.d/applications.conf
+++ b/modules/sway/config/config.d/applications.conf
@ -1,15 +1,17 @@
 # switch to workspace with urgent window automatically
 for_window [urgent=latest] focus

+assign [app_id="Element"] $ws7
+assign [app_id="Signal"] $ws7
+assign [app_id="telegramdesktop"] $ws7
+assign [app_id="rambox"] $ws7
+assign [class="Mattermost"] $ws7
+
 for_window [app_id="keepassxc"] floating disable
 assign [app_id="keepassxc"] $ws8

-for_window [app_id="virt-manager"] floating disable
-assign [app_id="virt-manager"] $ws9
-
-assign [instance="element"] $ws4
-assign [app_id="Signal"] $ws4
-assign [app_id="telegramdesktop"] $ws4
+assign [app_id=thunderbird title="^.+$"] $ws9
+for_window [app_id=thunderbird title="^$"] floating enable

 # Launcher
 for_window [app_id="launcher" title="Alacritty"] floating enable, border pixel 10, sticky enable
--- a/modules/sway/default.nix
+++ b/modules/sway/default.nix
@ -1,9 +1,12 @@
-{ lib, config, pkgs, ... }:
-with lib;
-let
-  psCfg = config.pub-solar;
-in
 {
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+in {
  options.pub-solar.sway = {
    enable = mkEnableOption "Life in boxes";

@ -22,14 +25,14 @@ in

  config = mkIf psCfg.sway.enable (mkMerge [
    (mkIf (psCfg.sway.v4l2loopback.enable) {
-      boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
-      boot.kernelModules = [ "v4l2loopback" ];
+      boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
+      boot.kernelModules = ["v4l2loopback"];
      boot.extraModprobeConfig = ''
        options v4l2loopback exclusive_caps=1 devices=3
      '';
    })

-    ({
+    {
      environment.systemPackages = with pkgs; [
        linuxPackages.v4l2loopback
      ];
@ -48,60 +51,60 @@ in
            };
          };
        };
-        extraPortals = with pkgs; [ xdg-desktop-portal-gtk ];
-        gtkUsePortal = true;
+        extraPortals = with pkgs; [xdg-desktop-portal-gtk];
      };

      services.pipewire.enable = true;

-      home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
-        home.packages = with pkgs; [
-          sway
-          grim
-          kanshi
-          mako
-          slurp
-          swayidle
-          swaylock
-          swaybg
-          xwayland
+      home-manager = with pkgs;
+        pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
+          home.packages = with pkgs; [
+            sway
+            grim
+            kanshi
+            mako
+            slurp
+            swayidle
+            swaylock
+            swaybg
+            xwayland

-          libappindicator-gtk3
+            libappindicator-gtk3

-          wl-clipboard
-          wf-recorder
-          brightnessctl
-          gammastep
-          geoclue2
-          xsettingsd
-          ydotool
+            wl-clipboard
+            wf-recorder
+            brightnessctl
+            gammastep
+            geoclue2
+            xsettingsd
+            ydotool

-          sway-launcher
-          record-screen
-          import-gtk-settings
-          s
-          wcwd
-        ];
+            sway-launcher
+            record-screen
+            import-gtk-settings
+            s
+            wcwd
+          ];

-        programs.waybar.enable = true;
-        #programs.waybar.systemd.enable = true;
+          programs.waybar.enable = true;
+          #programs.waybar.systemd.enable = true;

-        systemd.user.services.mako = import ./mako.service.nix { inherit pkgs psCfg; };
-        systemd.user.services.sway = import ./sway.service.nix { inherit pkgs psCfg; };
-        systemd.user.services.swayidle = import ./swayidle.service.nix { inherit pkgs psCfg; };
-        systemd.user.services.xsettingsd = import ./xsettingsd.service.nix { inherit pkgs psCfg; };
-        systemd.user.services.waybar = import ./waybar.service.nix { inherit pkgs psCfg; };
-        systemd.user.targets.sway-session = import ./sway-session.target.nix { inherit pkgs psCfg; };
+          systemd.user.services.mako = import ./mako.service.nix { inherit pkgs psCfg; };
+          systemd.user.services.sway = import ./sway.service.nix {inherit pkgs psCfg;};
+          systemd.user.services.swayidle = import ./swayidle.service.nix {inherit pkgs psCfg;};
+          systemd.user.services.xsettingsd = import ./xsettingsd.service.nix {inherit pkgs psCfg;};
+          systemd.user.services.waybar = import ./waybar.service.nix {inherit pkgs psCfg;};
+          systemd.user.targets.sway-session = import ./sway-session.target.nix {inherit pkgs psCfg;};

-        xdg.configFile."sway/config".text = import ./config/config.nix { inherit config pkgs; };
-        xdg.configFile."sway/config.d/colorscheme.conf".source = ./config/config.d/colorscheme.conf;
-        xdg.configFile."sway/config.d/theme.conf".source = ./config/config.d/theme.conf;
-        xdg.configFile."sway/config.d/gaps.conf".source = ./config/config.d/gaps.conf;
-        xdg.configFile."sway/config.d/custom-keybindings.conf".source = ./config/config.d/custom-keybindings.conf;
-        xdg.configFile."sway/config.d/mode_system.conf".text = import ./config/config.d/mode_system.conf.nix { inherit pkgs psCfg; };
-        xdg.configFile."sway/config.d/applications.conf".source = ./config/config.d/applications.conf;
-        xdg.configFile."sway/config.d/systemd.conf".source = ./config/config.d/systemd.conf;
-      };
-    })
+          xdg.configFile."sway/config".text = import ./config/config.nix {inherit config pkgs;};
+          xdg.configFile."sway/config.d/colorscheme.conf".source = ./config/config.d/colorscheme.conf;
+          xdg.configFile."sway/config.d/theme.conf".source = ./config/config.d/theme.conf;
+          xdg.configFile."sway/config.d/gaps.conf".source = ./config/config.d/gaps.conf;
+          xdg.configFile."sway/config.d/custom-keybindings.conf".source = ./config/config.d/custom-keybindings.conf;
+          xdg.configFile."sway/config.d/mode_system.conf".text = import ./config/config.d/mode_system.conf.nix {inherit pkgs psCfg;};
+          xdg.configFile."sway/config.d/applications.conf".source = ./config/config.d/applications.conf;
+          xdg.configFile."sway/config.d/systemd.conf".source = ./config/config.d/systemd.conf;
+        };
+    }
  ]);
 }
--- a/modules/terminal-life/default.nix
+++ b/modules/terminal-life/default.nix
@ -47,7 +47,7 @@ in
        watson
      ];

-      programs.neovim = import ./nvim { inherit config; inherit pkgs; };
+      programs.neovim = import ./nvim { inherit config; inherit pkgs; inherit lib; };
      programs.fzf = import ./fzf { inherit config; inherit pkgs; };
      programs.zsh = import ./zsh { inherit config; inherit pkgs; inherit self; };
    };
--- a/modules/terminal-life/nvim/default.nix
+++ b/modules/terminal-life/nvim/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
  psCfg = config.pub-solar;
  cfg = config.pub-solar.terminal-life;
@ -17,29 +17,22 @@ in
  withRuby = true;
  withPython3 = true;

-  extraPackages = with pkgs; lib.mkIf (!cfg.lite) [
-    ccls
+  extraPackages = with pkgs; [
+    rnix-lsp
+    universal-ctags
+  ]
+
+  ++ lib.optionals (!cfg.lite) [
    gopls
-    nodejs
-    nodePackages.bash-language-server
-    nodePackages.dockerfile-language-server-nodejs
-    nodePackages.svelte-language-server
-    nodePackages.typescript
-    nodePackages.typescript-language-server
-    nodePackages.vim-language-server
-    nodePackages.vue-language-server
-    nodePackages.vscode-langservers-extracted
-    nodePackages.yaml-language-server
    python39Packages.python-lsp-server
    python3Full
-    solargraph
-    rnix-lsp
-    rust-analyzer
-    terraform-ls
-    universal-ctags
-  ];
+  ]
+  ;

  plugins = with pkgs.vimPlugins; [
+  ]
+
+  ++ lib.optionals (!cfg.lite) [
    nvim-cmp
    cmp-nvim-lsp
    cmp_luasnip
--- a/modules/terminal-life/nvim/init.vim
+++ b/modules/terminal-life/nvim/init.vim
@ -13,6 +13,7 @@ set expandtab
 set shiftwidth=2
 set number
 set relativenumber
+set mouse=

 set undolevels=1000
 set undoreload=10000
--- a/modules/terminal-life/nvim/lsp.vim
+++ b/modules/terminal-life/nvim/lsp.vim
@ -73,8 +73,7 @@ lua <<EOF
  end

  -- Add additional capabilities supported by nvim-cmp
-  local capabilities = vim.lsp.protocol.make_client_capabilities()
-  capabilities = require('cmp_nvim_lsp').update_capabilities(capabilities)
+  local capabilities = require('cmp_nvim_lsp').default_capabilities()

  -- vscode HTML lsp needs this https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md#html
  capabilities.textDocument.completion.completionItem.snippetSupport = true
--- a/modules/user/default.nix
+++ b/modules/user/default.nix
@ -41,6 +41,16 @@ in
        type = types.nullOr types.str;
        default = null;
      };
+      latitude = mkOption {
+        description = "Latitude";
+        type = types.nullOr types.str;
+        default = null;
+      };
+      longitude = mkOption {
+        description = "Longitude";
+        type = types.nullOr types.str;
+        default = null;
+      };
    };
  };
 }
--- a/modules/virtualisation/default.nix
+++ b/modules/virtualisation/default.nix
@ -18,6 +18,8 @@ in
      "iommu=pt"
    ];

+    virtualisation.spiceUSBRedirection.enable = true;
+
    virtualisation.libvirtd = {
      enable = true;
      qemu.ovmf.enable = true;
--- a/profiles/cachix/default.nix
+++ b/profiles/cachix/default.nix
@ -1,11 +1,13 @@
-{ pkgs, lib, ... }:
-let
+{
+  pkgs,
+  lib,
+  ...
+}: let
  folder = ./.;
  toImport = name: value: folder + ("/" + name);
  filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key && key != "default.nix";
  imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
-in
-{
+in {
  inherit imports;
-  nix.binaryCaches = [ "https://cache.nixos.org/" ];
+  nix.settings.substituters = ["https://cache.nixos.org/"];
 }
--- a/profiles/cachix/nix-community.nix
+++ b/profiles/cachix/nix-community.nix
@ -1,9 +1,9 @@
 {
-  nix = {
-    binaryCaches = [
+  nix.settings = {
+    substituters = [
      "https://nix-community.cachix.org"
    ];
-    binaryCachePublicKeys = [
+    trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
    ];
  };
--- a/profiles/cachix/nrdxp.nix
+++ b/profiles/cachix/nrdxp.nix
@ -1,9 +1,9 @@
 {
-  nix = {
-    binaryCaches = [
+  nix.settings = {
+    substituters = [
      "https://nrdxp.cachix.org"
    ];
-    binaryCachePublicKeys = [
+    trusted-public-keys = [
      "nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4="
    ];
  };
--- a/profiles/daw/default.nix
+++ b/profiles/daw/default.nix
@ -0,0 +1,21 @@
+{ self, config, home-manager, lib, pkgs, inputs, ... }:
+let
+  psCfg = config.pub-solar;
+in
+{
+  # Sets nrdxp.cachix.org binary cache which just speeds up some builds
+  imports = [ ../cachix ];
+
+  config = {
+    pub-solar.audio.enable = lib.mkForce true;
+
+    musnix.enable = true;
+
+    environment.systemPackages = with pkgs; [
+      ardour
+      helm
+    ];
+
+    services.pipewire.jack.enable = true;
+  };
+}
--- a/profiles/gaming/default.nix
+++ b/profiles/gaming/default.nix
@ -1,9 +1,5 @@
 { self, config, lib, pkgs, ... }:
-let inherit (lib) fileContents;
-in
+
 {
  pub-solar.gaming.enable = true;
-  pub-solar.docker.enable = true;
-  pub-solar.docker.enable = true;
-  pub-solar.docker.enable = true;
-};
+}
--- a/profiles/non-free/default.nix
+++ b/profiles/non-free/default.nix
@ -0,0 +1,6 @@
+{ self, config, lib, pkgs, ... }:
+let inherit (lib) fileContents;
+in
+{
+  hardware.enableRedistributableFirmware = true;
+}
--- a/profiles/server/default.nix
+++ b/profiles/server/default.nix
@ -0,0 +1,7 @@
+{ self, config, lib, pkgs, ... }:
+let inherit (lib) fileContents;
+in
+{
+  pub-solar.server.enable = true;
+  hardware.ksm.enable = true;
+}
--- a/profiles/virtualisation/default.nix
+++ b/profiles/virtualisation/default.nix
@ -0,0 +1,6 @@
+{ self, config, lib, pkgs, ... }:
+let inherit (lib) fileContents;
+in
+{
+  pub-solar.virtualisation.enable = true;
+}
--- a/profiles/work/default.nix
+++ b/profiles/work/default.nix
@ -0,0 +1,35 @@
+{ self, config, home-manager, lib, pkgs, inputs, ... }:
+let
+  psCfg = config.pub-solar;
+in
+{
+  # Sets nrdxp.cachix.org binary cache which just speeds up some builds
+  imports = [ ../cachix ];
+
+  pub-solar.docker.enable = true;
+  pub-solar.nextcloud.enable = true;
+  pub-solar.social.enable = true;
+  pub-solar.office.enable = true;
+
+  systemd.enableUnifiedCgroupHierarchy = true;
+
+  environment.systemPackages = with pkgs; [
+    jetbrains.idea-community
+    minicom
+    openjdk11
+    putty
+    python39Full
+    python39Packages.pyyaml
+    remmina
+    slack
+    thunderbird
+    vscode
+    vscode-extensions.golang.go
+    vscode-extensions.ms-python.python
+    vscode-extensions.redhat.java
+    wireshark
+    teams
+    go_1_18
+  ];
+
+}
--- a/secrets/cube_drone_exec_runner_config.age
+++ b/secrets/cube_drone_exec_runner_config.age
--- a/secrets/cube_nextcloud_admin_pass.age
+++ b/secrets/cube_nextcloud_admin_pass.age
@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw Lb3cUJx1ruB5F2snfYFnLyoefqBcW4DTokzXRXCeDEU
+DrdiYlMciVJv4E7g3OC4oKSP4GUJGpSSD8OdtRI5Ie8
+-> ssh-ed25519 YFSOsg TRLTf+SzNp6crC1/J2UPMjTkv1AC31BgC9tq/yReSHM
+qoxXTpcTkIKFe4saj5L93IGW9VAh+g3S+JB+YGiyQPk
+-> ssh-rsa 42S2Dw
+m+3/ZseNUvXVKrlBwDyaYl8iPIw8jpiqwzyVfxov9gCOTxBOgysgtaxrxt/afDbl
+baoPurJd3X3ybBIweLF5yA/7/hdVinm8mf5Lx6/CLeex3z/2mk0Q4HgL2Hr4Og0I
+vyto/IlcUuELNEUSAR3yN2tioPr0UO4cQZ2BLS+33PHy1KVmkQkdFfKJnZ5rsZR+
+idjxpgP1dCBrWQFX+xlpuBSQaQh1Myt1zOgFMxnn1TkfVlycVGZ+9n8WemJhwLsL
+W8wME3yVXGst6+eBVJCC4TJn8C8HMM74y8UWn+cs3nEBLOxroNoiyzRxfxNKTjKT
+z58U883ysiE1Ek+YUDifaQ
+-> ssh-ed25519 iHV63A R3oijyljfqkwjOaYxvr9URPGoYkGp9UBAiD02Jkfnmk
+Lp0TRJKQnmzqZQVZWOgKZ8lW4c6IIbzb1i3l2rMu0wY
+-> ssh-ed25519 uTVbSg ie3Tms/F40dyce0h78X7Rz5UOL7OZTiCikZHFkx08C4
+bE7/mDTbbYdZrblfeRBzPIUbIP+xk7Sbnhe6hr1QKjI
+-> 11ptM-grease 3G5&ES {rbC;\ hvt^Bbt
+H/uWAA3ZxrIp6DJdpq+GKvzPyUiFZJeZiZYhd0FjfHynYcCDAZX7sSg
+--- qcN8XPWUDeupoo9UwYA0/1xtcwODav/m5jfD10pwk+E
+|õˆÛï–nëv?cg/4yp2j Í4'D[]˜$ô¾Çrô†V*ß³;ÁF<ät¥ßaO4Ècœ¹"8"ÁÓ³yL¦låò"Ê€ëu[oT
--- a/secrets/cube_nextcloud_db_pass.age
+++ b/secrets/cube_nextcloud_db_pass.age
@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw MVw8LNthB8QmaZkImEqh0WEJbMOpHbyxJDMSy2EHPg8
+SCMM/6XKd/vxgdax905gBlmJoLSy4gzXye90qolLbvA
+-> ssh-ed25519 YFSOsg 9PWhN9+Fu6271HD1xxf05y8R0tvkNJh2YPQDFwql1UI
+lEde6zjTg3JlxmJDL1YPY6qJcvnweN9yShOFtqSi68M
+-> ssh-rsa 42S2Dw
+rJFYtgtLCfDKxJ+/be9SQyqH9djIcHtTv5Xz539ip02V8if8GytrN/1BjB5MuKEz
+UwyQevUmd0ulXD9C5Tq+S+6XQDxb/ZvYBmVLb7X5vMDyLejSM2G8Fm3GBgoVNSby
+29O3TYBxiYQZ2LIteHjG2a02AS70EY4A9uBCqewIL14aSkpsV3NQszZOIaz8IkiA
+i+dfzSqUvinru05px902axtlCbPBzLe7OYsDrMnY+tX9QAofRRyoC+iTzJ/m3llO
+7PiqyBULHFkmO61+HLuswYa0JZmdK01BgRwStQWUF/qvmyKmGodQMrZQeH1xhzaQ
+GjAGfFdh4qqyjOnroiubWg
+-> ssh-ed25519 iHV63A 41ScxFCeSMjWHjDJUSj67ds1z9ZNPBzEAmEYN4731Do
+Z0492PapySyaR55QieONJ5shfEYZ18BXDxJjbg1YDpc
+-> ssh-ed25519 uTVbSg MAMpK9Taay/HTdwetp+KulK2H5l/2VHUagmAp6J4Yxk
+HVIj+fQz4Do3igFV0Io608pAhJYiKbkPBzGGfCDdZBA
+-> T(Zcs<^-grease
+aWEKrfAoGHq1M6KlBEMTHkyoN3eyQ7Q
+--- jYM2HW6lhvyad0W7tly1RQ5CTzaqoxhyUZXAwky7lmc
+oãp§îwvËÉœN^ŸŽIµ+rû3%³<14>ä˜ê‹±ES„²ì0Ê4ðJ—a<¡{gú£	Û
--- a/secrets/cube_restic_repository_password.age
+++ b/secrets/cube_restic_repository_password.age
@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw fUCzt+HSlnbvcpt70692+TpoX+eVJiuAKuBBOVGDlAU
+lt/jtC5XLRNXJ/SG3fkqSF3sfL6wKz4x+YmdXf5LPbk
+-> ssh-ed25519 YFSOsg 9zVMrXIpIfvBbSG4rlVIIIqBQeB24EI+CcAXWA5IXjk
+4kZ+vD6vp2SikzhwmOtZjCz+AMuCZMvbAXTnhZmk5Mw
+-> ssh-rsa 42S2Dw
+pPLgaBmvbDZEp7vwHKf+RlIZ1mthJ5uT1nIDIvRiMx51PX2nFcR9ynRVWVB3DFSr
+GujDJ3WCvf3qUg/E35EaEHiJaG8Ey8yWBmswj2O7FOtnM9Gq3BbbedHDLcWEcT+T
+9K12UvXQfM/Gki2CxIO8umpV4OHMXkRn/jsn+p/V7pfiVZoEaBa6UHWAhBm0fZjV
+B9yR4MjjuOQJYzemowwa6ZdFLxxUfudCAJBkn785hu3vbMVDPQpdd7XzXXFM/Ewk
+pIanTQ+DH58DrMOEy0v8PMvoNtG5QFAtl6AizEZtJmH9+a3HLcPOhXO9BSQBFdu4
+Zv1cX4JvCrTOF+iopufJpg
+-> ssh-ed25519 iHV63A z9+KV9tDTwZW9MAmvlMYPZMQFfZJxR3JhxHpXmfWhyU
+OxlOMSKY5L/j/91FJmxoBMDHhD/jDiI5sdmpv+zZ0ZQ
+-> ssh-ed25519 uTVbSg HOHFEOuv/AjJGSmI5uaIXk+5y2FzM3UmiPbvOZByO38
+zf2RI2U4Q0djP3wwpiRAe0bpr5LQwFkjxV2n4cFwgeI
+-> Xw\=9[g(-grease &J6]O2WG
+wCODexJaCztNZwXvcpZkodVUh3LWIk50eacTlWmwt47TuBaRqV3DIdxw4h7VwsOk
+8Ax3o91+Fxpq1ys4QCJfECDaVhgadTqRWIfoq5KNmgUVFhRB3H2L0et7tp+S
+--- xEJ2HSGLdcewY/QpuHVBdUdzvbH4NnOq6X4hnefQEEA
+ƒE_Ê27Ý‰ùnÎWT¢Ô½"žø–œ±ES÷Œ$UQýÃl¹œ§\
âÌDr6•…â¾´ƒ
+ð5ÒÞš´Oz¥Ô6èqDÆõÀ‚m<E2809A>'ž
--- a/secrets/cube_restic_ssh_private_key.age
+++ b/secrets/cube_restic_ssh_private_key.age
--- a/secrets/email_gssws_password.age
+++ b/secrets/email_gssws_password.age
@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw WDCX18hqP4zehe/bGEd6jHdDl6uzi19n0J/0MxBDaAA
+lXVuZ0drWG+u8CyOIXMULCdA6Oy0MVPUn5I2rLYCxBQ
+-> ssh-ed25519 YFSOsg C+pqppRNeZ/0Vra9fgDaVUVnJAXhQhAgg8fBrd2tSFA
+sW/dYGPpBzVwqyNR2vuBWbBeV+MleR02qyBXsyR9zoM
+-> ssh-rsa 42S2Dw
+pCsCOOp0pQoNlTIF5ZSk/mOXpno9jHzQIXsEbj+ES42x+fdoNeF8Mrm5mO30umen
+XL3oTgrZ9Y7xkfuu2Pc5JE4kPP6/s47BRaUNcBVvBVcvlJFDCgDkjwQPLJ4Zc0YY
+PNlefyG+XwXL7W46aHERtfoqteC0XBzz/N8P+RFMj6Sjc3kQnpoQwOSyMDhsFeK+
+bwInKk+iCpPFpmSNxVl2Prl9RNvgP1eXxFApT0Q3kwAbW0MEtovHvkg2bWDtvG6L
+UcFIR2S8VbvUGQ0GExQu4MP7pDOSeIWyEc+nhvZpYwwqpYUE5yfnZw1j+75i5EJt
+iehvv8NREK94wAihHsfBBQ
+-> ssh-ed25519 iHV63A QR5ZdM9A+aqoyhlrVUjQ3+4tJIz4j7hdBxgT94rPpCI
+NTnTLh3yrOag5l8JMG1HLgJgDJtQ5GGfiNAUtrNwfjU
+-> ssh-ed25519 VApqug 5I3aO1h548np4ck6bFsTSYy2gkBLjm71JzPq2f3q9Aw
+4AN//16M8J3SYtX8qkB68dAx8T08oeJwRr/lF7ZAYWE
+-> ssh-ed25519 NhniTw nt44tSNaFi1I6lKn1OIUlSg+6kFjFL17WbYTA0J5ESw
+GSeyR0Im2QeS5WhYmfKcLU5XKq7v2o5N9uJ/2RUAUs8
+-> Kf!HHt[Z-grease ;+D
+C7JIgwSgL2zo0CeR+nF0j69w9oOhtZZu0jQ
+--- PEFAclabwmjx2Faeuk8WkdRu/AdwGqORwTqDPVsCpdo
+¤<EFBFBD>Äß¨{îÿçÓ£ÇØß[lÁÍ»6çÕ7¿¿ñì÷½hÚäà¦÷.ç×Íyss€¦BñkpbÃ
--- a/secrets/home_controller_companion_wireguard_key.age
+++ b/secrets/home_controller_companion_wireguard_key.age
@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw o4N8NmW8LiDRYhFe/FAjOhNVBrIfR0b/CFdGQsxVtWM
+hCLU6rlPPOwIXUEo3XczTLOEOSpzhi8CmUUilpgZjgk
+-> ssh-ed25519 YFSOsg m1QEvo5sxpXKiz1mqU8vSqOkizROkwDOWTqy/nAbyGA
+Je9eJsT4cgyCE/orOfClUSzorzXwQIm1fQWwd5FczWw
+-> ssh-rsa 42S2Dw
+aznDLPbJy/sfJHsYLt2bt7wzwPEn2NdYDsdxVzOqmZJL/3wVvjHUTaioaIsZBqaf
+/HWZYBgMPRIQHXjtGJTQXLFpM2TjEwzJqkIHMJoVq099YWHq/JvZeU+h/d7rXiXC
+3I0NSAikvBXa1+X1WPKQrvRBsqhiwnDGUDWXauTzSDu4FHLgAxGU+47xEp1EuJDJ
+YdXXMOqFvrN9iokaGlRlOprhVCver2YMDqGSUekbEifJDpyGmCqYOygh9qltLDfd
+QQjAIV8E+jYrvG168hMQQzoE8oZRMv7UYATmJ8bdTP244owoeEhiW+g43XWYduv6
+QKIJPlwASiGalUZPsIPoEA
+-> ssh-ed25519 iHV63A 4RSm0/OwowRHTa0W2Gfbq9LTI4d0gM8macNk3Gntv0g
+sN82+hCyatAWEckguYGN0TxvSYDqP5cnY46s9z5JLvY
+-> ssh-ed25519 t1M4HQ YILk5vPHK6++f9QB3dGMSWoai1b8pBWG/lIC+g2hK3Y
+A874dqyb8aTqyIQ54J4MaQYf/psIS4Ixcp23iwA5wwY
+-> tV2gFP~-grease :{( C-v' cM2 Or?|@#I~
+nhLrAX8v3J/6846qoFDyKf6mUc+qWAmNXOYgu7DnDi9VtBsmDYhhmhzPF6k90YFG
+sJKoy1BEcOaLcy8UNGNTnmkQ0qI5Ig6CgPu8ohA1vKYMfTpfsl6nayU
+--- ngrcCLqZmP/lqvIuBYgisjkHHjWmrUjApvZMjbLTB/I
+Q`•<wRâeè-ûÙ·)‰t<E280B0>ìúßË¸pµC½›Ø¼)÷é+À¢én2½ÓŒf13"SV°Iz@Â%n×&Òj©‡¸‰[Ò«V×.E
--- a/secrets/home_controller_cox_wireguard_key.age
+++ b/secrets/home_controller_cox_wireguard_key.age
@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw gZfQvV9HCdO9j5zpwMA5Yl6l6D0YMflyzmZ0v7f34Uo
+Cnr79ukKmOLh9ZRY7QknE5fvpXg4ud/fQL5C2b0x2Iw
+-> ssh-ed25519 YFSOsg C/OJOHpk3+ErUt06r8qmgaHJBU5NT8cFplFL4+9rNzU
+n4VhOfN06R9hN6+9/Y/ewAN++BbZRSJMQHjifXR++M8
+-> ssh-rsa 42S2Dw
+JBbRTa+oX87YqJlH2+cZdaw/WMajk2HDa9kZ5z1dkbdcVrZrTyIYrnUuMjIQ4nmB
+JT9J6gV/y4FL0bN9d2uzNg45NGg3ZDkeCYsCT+N3tQXEReFUWk77cZifxDtnNUCL
+8Z+wcys9AZhFfL8+4a2R0sris76WMxUy5CHVay11U7bsh6P1uAcjtXqSPpdezKd9
+gIZ7GVE/nFEwnT/G0rROH3tiGON2J3LrjbVdUn/Lu4n7YDMRDZFBhLsDw9ULdTu3
+lNBsx/vzCkZnkbDGJl8N7X5hBEe2ww+GvvfvHJwwABpD7rgC0MQxPDM5IBEVsufH
+/CSrkWpJcUzEJMNdUBinzg
+-> ssh-ed25519 iHV63A Aape0gDjnscqXIPeBoZbHsb5GEwm2MkWBOwkErZfRUU
+/mHovPO5uRwfPKBFuW0P2UT/Zi2idvHwI9ukJ1Hb8m4
+-> ssh-ed25519 w1vtTQ Qp0fg5wN0709/99WttXspmctRkdVANA039oeyc1qB34
+mXy/qVJJhysMZxzoROp53nnryegjs6/tzRWCV2QtzUA
+-> Gxy]y/-grease 6
+AUBVuO3rqf/dwC84Ns7x2Ce4CgUcw5Rm6MHK+KsKtSndt7CbfQiyfqvYKRvcEfmc
+BHJf3LCEgw0eBb4/nzlzT4lmIrjYAXBUbw0K+7E94jxMkNhWmjRto9gpYMBzqbdw
+6aQ
+--- gtgGRISbHrAdJT4edKyToERGIPZ9CR6Md+9KeRx386o
+øú†[ÏFž;B¶±e\jQ—ÊBZŸù¥[ð|º/²±ìÅËe›å7õ.1¨'ús<ú§“ßâ7ùXK
+c
+Ð×˜€ã,íÝ±
--- a/secrets/home_controller_cube_wireguard_key.age
+++ b/secrets/home_controller_cube_wireguard_key.age
@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw H9fC9B01yBIuK4kuLCR+T+PNPXr9GHyft8mZCnPDkTY
+814T5tV6Y2fK2dgr66nCive8TFykciQfNmWAPEq7AjA
+-> ssh-ed25519 YFSOsg JtumpQSIC4q9Os3pu5E8yKygzPveW7a28Ec0mnoTQw4
+Sidzfymq9mkA/vbwHFbfz7vprlTjOQGywQULyz4FJiE
+-> ssh-rsa 42S2Dw
+uhfQ06sREfsIph1DPBlwV0x5uVq8+qsaZMGwoJgx5y5JEPOkW4OVHqJeVRLswvLP
+JAqNypMaJ99ZQAlTWWVZPP3fLT7xqT71MpwyMWerQ9aHs0TdmDT4Uflv8MXj70j0
+0m8HySMzBuWOIZJT2nTipcfrpsZSJJ852ATtPMWSxkd86FHwwKRfAobrWxgq7y3S
+y4Mg+hHbLpyiHwJkgKFDj9zqbxxMxEuizE9e3xeAGCkOuUI15SdT6clzeEk79KjN
+LA0AAukjogRX11OduAP/F/xUlYK+R3qPV6RC4DjdWv8jkyul3/VvHVUXTKQXh6dH
+s2GVRWrewkvkVx1FGr9kFg
+-> ssh-ed25519 iHV63A jJ0elkHdU2Si46g6NvwlQT2HSv5X04ETvppVS0KXg04
+uf701nEPCV+h3R5tZKJVUPoSnZ0Q9G9YvbRbT1JaC58
+-> ssh-ed25519 uTVbSg gZsQ/qVZfcBh2TjfjYr5x2derahCkp10NbcYEOu/lA8
+TKx+3ZZuYOI9x2WeYxlkc1eg4NB/t096Yfn/L6y+v/8
+-> u36Zx2-grease EcPV lR? 5*n
+jweUnWSlMzAJ9zos5dI4rA5EVzJe3haX0JtORFEQnbG088O8iRZG/s/V8G8KZmO1
+5LJnnPjvNA
+--- lt548aI1VX+cDd5wQYt8PPpSDSlpKhWyiPjsMlAiyeU
+÷nQåžès…¶1Ž¦¼8ç<%Þ<>Hw½·ýÄå‰Ò´Êùc}FÇ<46>
Ÿ¥—<C2A5>È&;\F*ªl¿–EëüÖKC«ÿ(/éqx'\ƒ£ÑÙ‡º
--- a/secrets/home_controller_giggles_wireguard_key.age
+++ b/secrets/home_controller_giggles_wireguard_key.age
--- a/secrets/home_controller_k3s_server_token.age
+++ b/secrets/home_controller_k3s_server_token.age
@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw W/U4+IyFlvgdGjYz8VLl3zNHd5F080l6huk1vZ10zDY
+WHSK6Ed61as8uxaQXjgmvXaLfP7Q+fPd4WO3VybOMl8
+-> ssh-ed25519 YFSOsg ESWB9/RDuP9fxx/TS3lZsW96hDM2LA8p+zzoTXqV6yM
+pOeo9uWK7tbIUn5W+TyXWDc/+sTpb/EWZiyNVg6OH2k
+-> ssh-rsa 42S2Dw
+blHbM168vNPv/y30ZlWVdAS3emVBPjisH9K62g2LAu2Wf3Pva7Q43LRFMRVfjSt5
+SxlIIoYzjKRuRIT+7Xn6Cj3SP1GqWxHeQKN1X+FrDGTjIewpKMS2oBCHaZMxB3IZ
+4XduldZ6GU6RYrmtXwMsP81zbXB2QV2GXpk7NM4pbM4M/hlqKN6HbQ5J4kJMTXCY
+ywUY5/C7CqqwrcngHiLVNDiKSX3xdO/feIAnM3XXOoxpVGTFTAZYz2IQzuL/7qW6
+Igv+S1oRqs/QB9JdmMEh14uhbYQQzKAwtAT2POXr9H3tXM9dGQXsW8ZCPsuYGV4u
+wmvcaQp/qjIVVh+QGhfNOA
+-> ssh-ed25519 iHV63A 9ZEIlu9uekDrcAnyMHepTbERFib9pcuRilydeLH8vAo
+6+B75hZz7XKUz3mkXTdbjkQgBTTja0GAfQ7Dr9Wi1gA
+-> ssh-ed25519 AsPNJg CC5Iz+4FZoy+WRLMV0ocXjr1ppJC8gGEMo+/bb/3ySE
+3LO4l2J9ZL0KuDyrhWSJu3xPiJ5BGe+osMsNfzah4Ko
+-> ssh-ed25519 w1vtTQ rJJerqmPOJJ982+jgYYH9fA4Tp+ii2IVS++6MSmNC1U
+MNFfkKH6PFcyql16QSYRQHzCSR3ya9kBEL4+tIwfhJE
+-> ssh-ed25519 t1M4HQ Cmkge+A7A1bVQ3noE2i7cm+dq19eMQt2XJEviXhsu0k
+xarfNuUkjPT52Ev6LS4RrJ2vcfI/Zd4X7ZJ0G8Rzjy8
+-> ssh-ed25519 uTVbSg v+xMMQuAekrQv+9nzsco/2PWMairB7fXOKPl+AkxBlU
+NFNtRbnWREPxMOrj4llQxRqAbaN5zEyim1754HGzRuE
+-> ssh-ed25519 4eCLig Rg6JepI6x04zPpMRft39u8X+BNtWmZiImXVjJJK7CBE
+btxuxcWpO8Lppo3mq5UZyJHSoTeiTieuKYfkqiAWSMw
+-> qj]-grease V'P>/]u
+m0/WOWcbS8nFbfWjFuMMB0UAvVTc8gZ/A2/bNTHcq8ei79xVVkgYL5qAEkj8GOJK
+s0uoBBlmeHmEHImkXtJ/0k7uNCZnkg
+--- ae6LeiygI+l2U4vOKEYfeul1sTxsaJlKnC4CpYjRt+w
+š*ª$ ÝÐ
+O
+Ä^;{rFXÌÊ?‰7g%‡&oú¼úÞUƒÉŽ·ê[Z6û<36>´wS<77> .¼Ö®hÜ\hÆ+êÖ“<C396>Q“‚‡6ú¥L¦Ÿ<C2A6>q>¸‰<v
*üŸ—ô[}
¢„¦…û}tw“%·bTŽÑž<C391>ªYêÅÒ”Žƒ*`BwÚË_è0òm÷
--- a/secrets/home_controller_ringo_wireguard_key.age
+++ b/secrets/home_controller_ringo_wireguard_key.age
@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw pRuaBofxSRqaNVQOwKyO4yGWsoyhKreIVgGOZMorOG4
+I7Xc/48WFrUKVsYQaP4/8Imes8MotqSmKaZj4DDvpMo
+-> ssh-ed25519 YFSOsg RnMS27pPBXQWcPtyg+qb4tzNpRZuYSMIzFpPtexuhmU
+t2CT19SBljt/72YxV+T6BLr/ce3Q3FicONrFc+uYKDo
+-> ssh-rsa 42S2Dw
+VsXOqxopV5hIGlc2RGLjL5daOsGi//gPUXs8kIBBJhEn/LLW4kTJyF8XCY8N6rF6
+Pv3aNkUbWqExMYr4pSckvbBs0GJgapnXXllLv50trnoU/Ep+ivA6gbzQQBdRnJ16
+4+oeMoK7Tvc4IObdfBHj2ycAVLVJg6s1Udk5e7cqm4OmKoi8LKM0K8ORZQFqyGdD
+A268NUcYYyaisrCJB5fU1u9IXrCeKyQP/PLnx/DyDmPQnvF21vN36qX6yf7NcMYW
+Wl/f61ccjyowmw38DJJl2RLJm0O/OBX86OL4rGwv6FiBMWCQq72mJkXT5jT5/517
+W6F9XdVTY3CkA2+DA+/fPA
+-> ssh-ed25519 iHV63A x4Ol6Sqm06NdBqoKERzPxxURtaj7pFH3rG82vjFk0zk
+PGHXbBhvL0uzJ0g1fempdHOJC5FVqAIGGKAsTh10IE0
+-> ssh-ed25519 4eCLig /mQ3Xbw2zGk17ERcBXDvoycf+b5n9FkSfK13Wpwl1is
+tVqCcGQCe97l8DBKndoxgMXpYpzXfvUMzE+boQIKUYI
+-> xKFa^,u-grease i*A1
+rmaXwdKXLzmP502X/6lZN8Mwb4slzuQB7VtaGwiJDy2wjJWchXhnvMa+PsR33RFz
+AOPcTU+HnLBz
+--- +1UaVKEG/xwItB9tXG2sxxV3nl/jAJzHJE6M26nKgEc
+4ƒ{çÝ-²ÀíHøµ‹<07>§a4A6ü@2B£‡S_Î¡;4(ì€æX éh`Õ²ö
+±Êä0<ÈIcK-2nù‚ã_£ÀDô
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,9 +1,42 @@
 let
  # set ssh public keys here for your system and user
-  system = "";
-  user = "";
-  allKeys = [ system user ];
+  user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
+
+  user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
+  user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
+  user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
+
+  system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOLyNmSzxVpVQtTWhkH48e03nFDdskE08N4L81MZcLZ root@nixos";
+  system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNr7q7eAkROtdvTmw96Q5tZu9W4jt31OCjc6L8uM5Uv root@nixos";
+  system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjIyVeAPsIpUTsB5bPEjmJeRFN8Xp3PD9a/41yPp3HM root@nixos";
+
+  system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
+  system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
+
+  system_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGsY9APkK11hlcqKXER+iqaJZ/x5HNacQ8FXfLe2SA4 root@nixos";
+  system_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFePAtdXP/4J0UdChfRC78Tj/yBZaUNTNnbwXe9HJx6 root@nixos";
+
+  users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
+  systems_email_accounts = [ system_harrison system_norman ];
+  systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ];
+  allKeys = users ++ systems_home_controller;
 in
 {
-  "secret.age".publicKeys = allKeys;
+  "email_gssws_password.age".publicKeys = users ++ systems_email_accounts;
+
+  "home_controller_giggles_wireguard_key.age".publicKeys = users ++ [ system_giggles ];
+  "home_controller_cox_wireguard_key.age".publicKeys = users ++ [ system_cox ];
+  "home_controller_companion_wireguard_key.age".publicKeys = users ++ [ system_companion ];
+
+  "home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
+  "cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
+  "cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
+  "cube_restic_ssh_private_key.age".publicKeys = users ++ [ system_cube ];
+  "cube_restic_repository_password.age".publicKeys = users ++ [ system_cube ];
+
+  "cube_drone_exec_runner_config.age".publicKeys = users ++ [ system_cube ];
+
+  "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];
+
+  "home_controller_k3s_server_token.age".publicKeys = users ++ systems_home_controller;
 }
--- a/users/hensoko/.config/sway/config.d/input-language.conf
+++ b/users/hensoko/.config/sway/config.d/input-language.conf
@ -0,0 +1,3 @@
+input * {
+  xkb_layout us(intl)
+}
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Hendrik Sokolowski	a6fbe87942	rename terraform, remove version	2022-11-26 15:41:27 +01:00
Hendrik Sokolowski	0b61a83501	rename deprecated property	2022-11-26 15:41:13 +01:00
Hendrik Sokolowski	b3f2894565	drop docker statements	2022-11-26 15:37:08 +01:00
Hendrik Sokolowski	6a19820841	Make resumeDevice optional	2022-11-26 15:37:08 +01:00
Hendrik Sokolowski	aa4af55cb9	NixOS module for a drone ci runner in docker	2022-11-26 15:37:08 +01:00
Hendrik Sokolowski	8b399cbd79	rekey secrets	2022-11-26 15:37:08 +01:00
Hendrik Sokolowski	9b39b3c8ef	Bump flake.lock	2022-11-26 15:37:07 +01:00
Hendrik Sokolowski	c0f3d1dfb7	add hosts	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	a236fd9664	SQ modules.crypto	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	61f0579832	Disable digga fix for now	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	93419615a6	allow unfree	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	8d084ac2cb	Adapt terminal-life to personal use-case	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	d36b32c84e	add profiles.daw	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	d8a09bf213	add profiles.server	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	c6fefac861	Add module to setup wireguard backed zfs enabled k3s cluster	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	9720df91f0	add profiles.non-free	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	bf1944d9c8	Remove full-install from default install	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	61917ac1fa	Update sway applications	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	704bc8a514	Modify crypto for personal needs	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	8e06f61267	update modules.virtualization to personal needs	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	cb984b89d1	add profiles.virtualisation	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	4020d3ea20	add profiles.work	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	4b1283ee32	Fix nextcloud talk audio issues	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	91f2b4e58a	update modules.social for personal needs	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	7729d42687	add modules.server	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	fb2e558bf8	secrets	2022-11-26 15:36:55 +01:00
Hendrik Sokolowski	6a7b4b003b	Initial hensoko	2022-11-26 15:36:55 +01:00
teutat3s	f51e4f3633	nixos: 22.11 racoon, bump flake.lock	2022-11-26 04:48:58 +01:00
teutat3s	6a343e7540	sway: don't use gtkUsePortal, it's deprecated see: `ebde08adf3`	2022-11-26 04:44:54 +01:00
teutat3s	e7ef245e32	docker-compose default to version 2 now	2022-11-26 04:42:16 +01:00
teutat3s	8a6ee0a53e	alacritty: remove use_thin_strokes see: https://github.com/alacritty/alacritty/pull/6186	2022-11-26 04:42:11 +01:00
teutat3s	d6236d0b0d	neovim: config updates for 0.8.x use default_capabilities set mouse= to disable new default mouse behaviour	2022-11-26 04:42:03 +01:00
teutat3s	f97cf1d0e9	nix: use new nix.settings syntax	2022-11-26 04:40:22 +01:00