fix: get networking on pie working properly

This commit is contained in:
Benjamin Bädorf 2023-10-08 19:32:00 +02:00
parent fe8ebd083f
commit 747481c4ea
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
41 changed files with 940 additions and 168 deletions


@ -40,9 +40,7 @@
}, },
"agenix": { "agenix": {
"inputs": { "inputs": {
"darwin": [ "darwin": "darwin",
"nix-darwin"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@ -61,6 +59,28 @@
"type": "github" "type": "github"
} }
}, },
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1696360011,
"narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"deno2nix": { "deno2nix": {
"inputs": { "inputs": {
"devshell": "devshell", "devshell": "devshell",
@ -322,27 +342,6 @@
"type": "github" "type": "github"
} }
}, },
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1695686713,
"narHash": "sha256-rJATx5B/nwlBpt7CJUf85LV27qWPbul5UVV8fu6ABPg=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "e236a1e598a9a59265897948ac9874c364b9555f",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"nixos-flake": { "nixos-flake": {
"locked": { "locked": {
"lastModified": 1692742948, "lastModified": 1692742948,
@ -498,7 +497,6 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"mobile-nixos": "mobile-nixos", "mobile-nixos": "mobile-nixos",
"musnix": "musnix", "musnix": "musnix",
"nix-darwin": "nix-darwin",
"nixos-flake": "nixos-flake", "nixos-flake": "nixos-flake",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",


@ -12,9 +12,6 @@
flake-compat.url = "github:edolstra/flake-compat"; flake-compat.url = "github:edolstra/flake-compat";
flake-compat.flake = false; flake-compat.flake = false;
nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-23.05"; home-manager.url = "github:nix-community/home-manager/release-23.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
@ -27,7 +24,6 @@
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.darwin.follows = "nix-darwin";
nixos-hardware.url = "github:nixos/nixos-hardware"; nixos-hardware.url = "github:nixos/nixos-hardware";
@ -49,8 +45,6 @@
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
"aarch64-linux" "aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
]; ];
imports = [ imports = [
@ -100,7 +94,7 @@
}; };
droppie = { droppie = {
hostname = "backup.b12f.io"; hostname = "droppie.b12f.io";
sshUser = "yule"; sshUser = "yule";
}; };
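Review bot: Dropping `agenix.inputs.darwin.follows = "nix-darwin"` without also disabling the input leaves agenix fetching its own `lnl7/nix-darwin` from `master` (the new `darwin` entry in flake.lock) even though every darwin target was removed from `systems` in the same hunk. Since nothing is built for darwin any more, `agenix.inputs.darwin.follows = "";` would drop that unused, unpinned-branch checkout from the lock entirely; this form is supported by recent Nix releases, so confirm it against the version used here. The `droppie` deploy target now uses `droppie.b12f.io`, which only the local unbound maps to the LAN address while ddclient on pie publishes the same name externally, so a deploy run from outside the LAN will land wherever that public record points — a comment noting the deploy is LAN-only would make that explicit.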


@ -1,7 +1,6 @@
{ {
config, config,
pkgs, pkgs,
flake,
lib, lib,
... ...
}: }:


@ -57,7 +57,8 @@
./pie ./pie
self.nixosModules.yule self.nixosModules.yule
self.nixosModules.printing self.nixosModules.printing
self.nixosModules.paperless # self.nixosModules.paperless
# self.nixosModules.docker
]; ];
}; };
@ -80,6 +81,17 @@
]; ];
}; };
iso-arm = self.nixos-flake.lib.mkLinuxSystem {
nixpkgs.hostPlatform = "aarch64-linux";
nixpkgs.buildPlatform = "x86_64-linux";
imports = [
"${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
self.nixosModules.base
./iso
self.nixosModules.nixos
];
};
iso-graphical = self.nixos-flake.lib.mkLinuxSystem { iso-graphical = self.nixos-flake.lib.mkLinuxSystem {
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
imports = [ imports = [
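Review bot: `self.nixosModules.paperless` and `self.nixosModules.docker` are commented out rather than removed, with no note on why or when they return, while unbound in this same commit still answers `paperless.b12f.io` with this host's addresses; a one-line comment such as `# paperless/docker disabled until the firefly/paperless stack is wired up` (or deleting the lines) keeps the host definition and the DNS data from drifting apart. The new `iso-arm` entry likewise carries no explanation of the `buildPlatform`/`hostPlatform` split; `# aarch64 installer image, cross-built from x86_64` above it would spare the next reader a guess.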


@ -23,34 +23,6 @@ in {
networking.hostName = "droppie"; networking.hostName = "droppie";
security.sudo.extraRules = [
{
users = ["${psCfg.user.name}"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
services.ddclient = {
enable = false;
ipv6 = true;
domains = ["backup.b12f.io"];
server = "ddns.hosting.de";
username = "b12f";
use = "web, web=https://ipcheck-ds.wieistmeineip.de/callback/, web-skip='ip\":\"'";
passwordFile = "/run/agenix/dyndns-droppie.key";
};
age.secrets."dyndns-droppie.key" = {
file = "${flake.self}/secrets/dyndns-droppie.key";
mode = "400";
owner = "root";
};
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
age.secrets."droppie-ssh-root.key" = { age.secrets."droppie-ssh-root.key" = {
file = "${flake.self}/secrets/droppie-ssh-root.key"; file = "${flake.self}/secrets/droppie-ssh-root.key";

hosts/pie/.env.firefly Normal file

@ -0,0 +1,239 @@
# You can leave this on "local". If you change it to production most console commands will ask for extra confirmation.
# Never set it to "testing".
APP_ENV=local
# Set to true if you want to see debug information in error screens.
APP_DEBUG=false
# This should be your email address.
# If you use Docker or similar, you can set this variable from a file by using SITE_OWNER_FILE
# The variable is used in some errors shown to users who aren't admin.
SITE_OWNER=firefly-admin@benjaminbaedorf.eu
# Firefly III will launch using this language (for new users and unauthenticated visitors)
# For a list of available languages: https://github.com/firefly-iii/firefly-iii/tree/main/resources/lang
#
# If text is still in English, remember that not everything may have been translated.
DEFAULT_LANGUAGE=en_US
# The locale defines how numbers are formatted.
# by default this value is the same as whatever the language is.
DEFAULT_LOCALE=equal
# Change this value to your preferred time zone.
# Example: Europe/Amsterdam
# For a list of supported time zones, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TZ=Europe/Berlin
# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
# Set it to ** and reverse proxies work just fine.
TRUSTED_PROXIES=**
# The log channel defines where your log entries go to.
# Several other options exist. You can use 'single' for one big fat error log (not recommended).
# Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself.
# A rotating log option is 'daily', creates 5 files that (surprise) rotate.
# A cool option is 'papertrail' for cloud logging
# Default setting 'stack' will log to 'daily' and to 'stdout' at the same time.
LOG_CHANNEL=stack
# Log level. You can set this from least severe to most severe:
# debug, info, notice, warning, error, critical, alert, emergency
# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
# nothing will get logged, ever.
APP_LOG_LEVEL=notice
# Audit log level.
# The audit log is used to log notable Firefly III events on a separate channel.
# These log entries may contain sensitive financial information.
# The audit log is disabled by default.
#
# To enable it, set AUDIT_LOG_LEVEL to "info"
# To disable it, set AUDIT_LOG_LEVEL to "emergency"
AUDIT_LOG_LEVEL=emergency
#
# If you want, you can redirect the audit logs to another channel.
# Set 'audit_stdout', 'audit_syslog', 'audit_errorlog' to log to the system itself.
# Use audit_daily to log to a rotating file.
# Use audit_papertrail to log to papertrail.
#
# If you do this, the audit logs may be mixed with normal logs because the settings for these channels
# are often the same as the settings for the normal logs.
AUDIT_LOG_CHANNEL=
#
# Used when logging to papertrail:
# Also used when audit logs log to papertrail:
#
PAPERTRAIL_HOST=
PAPERTRAIL_PORT=
# PostgreSQL supports SSL. You can configure it here.
# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
PGSQL_SSL_MODE=prefer
PGSQL_SSL_ROOT_CERT=null
PGSQL_SSL_CERT=null
PGSQL_SSL_KEY=null
PGSQL_SSL_CRL_FILE=null
# more PostgreSQL settings
PGSQL_SCHEMA=public
# If you're looking for performance improvements, you could install memcached or redis
CACHE_DRIVER=file
SESSION_DRIVER=file
# If you set either of the options above to 'redis', you might want to update these settings too
# If you use Docker or similar, you can set REDIS_HOST_FILE, REDIS_PASSWORD_FILE or
# REDIS_PORT_FILE to set the value from a file instead of from an environment variable
# can be tcp, unix or http
REDIS_SCHEME=tcp
# use only when using 'unix' for REDIS_SCHEME. Leave empty otherwise.
REDIS_PATH=
# use only when using 'tcp' or 'http' for REDIS_SCHEME. Leave empty otherwise.
REDIS_HOST=127.0.0.1
REDIS_PORT=6379
# Use only with Redis 6+ with proper ACL set. Leave empty otherwise.
REDIS_USERNAME=
REDIS_PASSWORD=
# always use quotes and make sure redis db "0" and "1" exists. Otherwise change accordingly.
REDIS_DB="0"
REDIS_CACHE_DB="1"
# Cookie settings. Should not be necessary to change these.
# If you use Docker or similar, you can set COOKIE_DOMAIN_FILE to set
# the value from a file instead of from an environment variable
# Setting samesite to "strict" may give you trouble logging in.
COOKIE_PATH="/"
COOKIE_DOMAIN=
COOKIE_SECURE=false
COOKIE_SAMESITE=lax
# Firefly III can send you the following messages.
SEND_ERROR_MESSAGE=true
# These messages contain (sensitive) transaction information:
SEND_REPORT_JOURNALS=true
# Set this value to true if you want to set the location of certain things, like transactions.
# Since this involves an external service, it's optional and disabled by default.
ENABLE_EXTERNAL_MAP=false
# Set this value to true if you want Firefly III to download currency exchange rates
# from the internet. These rates are hosted by the creator of Firefly III inside
# an Azure Storage Container.
# Not all currencies may be available. Rates may be wrong.
ENABLE_EXTERNAL_RATES=true
# The map will default to this location:
MAP_DEFAULT_LAT=51.983333
MAP_DEFAULT_LONG=5.916667
MAP_DEFAULT_ZOOM=6
#
# Firefly III authentication settings
#
#
# Firefly III supports a few authentication methods:
# - 'web' (default, uses built in DB)
# - 'remote_user_guard' for Authelia etc
# Read more about these settings in the documentation.
# https://docs.firefly-iii.org/firefly-iii/advanced-installation/authentication
#
# LDAP is no longer supported :(
#
AUTHENTICATION_GUARD=web
#
# Remote user guard settings
#
AUTHENTICATION_GUARD_HEADER=REMOTE_USER
AUTHENTICATION_GUARD_EMAIL=
#
# Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
#
ALLOW_WEBHOOKS=false
#
# The static cron job token can be useful when you use Docker and wish to manage cron jobs.
# 1. Set this token to any 32-character value (this is important!).
# 2. Use this token in the cron URL instead of a user's command line token that you can find in /profile
#
# For more info: https://docs.firefly-iii.org/firefly-iii/advanced-installation/cron/
#
# You can set this variable from a file by appending it with _FILE
#
STATIC_CRON_TOKEN=
# You can fine tune the start-up of a Docker container by editing these environment variables.
# Use this at your own risk. Disabling certain checks and features may result in lots of inconsistent data.
# However if you know what you're doing you can significantly speed up container start times.
# Set each value to true to enable, or false to disable.
# Set this to true to build all locales supported by Firefly III.
# This may take quite some time (several minutes) and is generally not recommended.
# If you wish to change or alter the list of locales, start your Docker container with
# `docker run -v locale.gen:/etc/locale.gen -e DKR_BUILD_LOCALE=true`
# and make sure your preferred locales are in your own locale.gen.
DKR_BUILD_LOCALE=false
# Check if the SQLite database exists. Can be skipped if you're not using SQLite.
# Won't significantly speed up things.
DKR_CHECK_SQLITE=true
# Run database creation and migration commands. Disable this only if you're 100% sure the DB exists
# and is up to date.
DKR_RUN_MIGRATION=true
# Run database upgrade commands. Disable this only when you're 100% sure your DB is up-to-date
# with the latest fixes (outside of migrations!)
DKR_RUN_UPGRADE=true
# Verify database integrity. Includes all data checks and verifications.
# Disabling this makes Firefly III assume your DB is intact.
DKR_RUN_VERIFY=true
# Run database reporting commands. When disabled, Firefly III won't go over your data to report current state.
# Disabling this should have no impact on data integrity or safety but it won't warn you of possible issues.
DKR_RUN_REPORT=true
# Generate OAuth2 keys.
# When disabled, Firefly III won't attempt to generate OAuth2 Passport keys. This won't be an issue, IFF (if and only if)
# you had previously generated keys already and they're stored in your database for restoration.
DKR_RUN_PASSPORT_INSTALL=true
# Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing.
APP_NAME=FireflyIII
BROADCAST_DRIVER=log
QUEUE_DRIVER=sync
CACHE_PREFIX=firefly
PUSHER_KEY=
IPINFO_TOKEN=
PUSHER_SECRET=
PUSHER_ID=
DEMO_USERNAME=
DEMO_PASSWORD=
FIREFLY_III_LAYOUT=v1
#
# If you have trouble configuring your Firefly III installation, DON'T BOTHER setting this variable.
# It won't work. It doesn't do ANYTHING. Don't believe the lies you read online. I'm not joking.
# This configuration value WILL NOT HELP.
#
# Notable exception to this rule is Synology, which, according to some users, will use APP_URL to rewrite stuff.
#
# This variable is ONLY used in some of the emails Firefly III sends around. Nowhere else.
# So when configuring anything WEB related this variable doesn't do anything. Nothing
#
# If you're stuck I understand you get desperate but look SOMEWHERE ELSE.
#
APP_URL=http://localhost
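Review bot: `COOKIE_SECURE=false` issues the session cookie without the Secure flag although the application is only meant to be reached through Caddy over HTTPS at `firefly.b12f.io`; set `COOKIE_SECURE=true` so the cookie cannot be sent over a plain-HTTP request to the same name. `TRUSTED_PROXIES=**` makes Firefly III honour `X-Forwarded-*` headers from any client that reaches the container directly, and the container port is published on the host in `firefly.nix`, so a LAN client could spoof its source address and scheme; narrow it to the address Caddy's requests arrive from inside the container (presumably the `firefly` network gateway `172.20.0.1` — verify from the container's access log) or bind the published port to loopback. `APP_URL=http://localhost` is, per the comment above it, what outgoing mails use, so with `SEND_REPORT_JOURNALS=true` the reports will link to localhost; `APP_URL=https://firefly.b12f.io` matches the Caddy site.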


@ -0,0 +1,126 @@
# Firefly Data Importer (FIDI) configuration file
# Where is Firefly III?
#
# 1) Make sure you ADD http:// or https://
# 2) Make sure you REMOVE any trailing slash from the end of the URL.
# 3) In case of Docker, refer to the internal IP of your Firefly III installation.
#
# Setting this value is not mandatory. But it is very useful.
#
# This variable can be set from a file if you append it with _FILE
#
FIREFLY_III_URL=https://firefly.b12f.io
#
# Imagine Firefly III can be reached at "http://172.16.0.2:8082" (internal Docker network or something).
# But you have a fancy URL: "https://personal-finances.bill.microsoft.com/"
#
# In those cases, you can overrule the URL so when the data importer links back to Firefly III, it uses the correct URL.
#
# 1) Make sure you ADD http:// or https://
# 2) Make sure you REMOVE any trailing slash from the end of the URL.
#
# IF YOU SET THIS VALUE, YOU MUST ALSO SET THE FIREFLY_III_URL
#
# This variable can be set from a file if you append it with _FILE
#
VANITY_URL=https://firefly.b12f.io
#
# If set to true, the data import will not complain about running into duplicates.
# This will give you cleaner import mails if you run regular imports.
#
# This means that the data importer will not import duplicates, but it will not complain about them either.
#
# This setting has no influence on the settings in your configuration(.json).
#
# Of course, if something goes wrong *because* the transaction is a duplicate you will
# NEVER know unless you start digging in your log files. So be careful with this.
#
IGNORE_DUPLICATE_ERRORS=false
#
# Is the /autoimport even endpoint enabled?
# By default it's disabled, and the secret alone will not enable it.
#
CAN_POST_AUTOIMPORT=false
#
# Is the /autoupload endpoint enabled?
# By default it's disabled, and the secret alone will not enable it.
#
CAN_POST_FILES=false
#
# Import directory white list. You need to set this before the auto importer will accept a directory to import from.
#
# This variable can be set from a file if you append it with _FILE
#
IMPORT_DIR_ALLOWLIST=
#
# When you're running Firefly III under a (self-signed) certificate,
# the data importer may have trouble verifying the TLS connection.
#
# You have a few options to make sure the data importer can connect
# to Firefly III:
# - 'true': will verify all certificates. The most secure option and the default.
# - 'file.pem': refer to a file (you must provide it) to your custom root or intermediate certificates.
# - 'false': will verify NO certificates. Not very secure.
VERIFY_TLS_SECURITY=true
#
# If you want, you can set a directory here where the data importer will look for import configurations.
# This is a separate setting from the /import directory that the auto-import uses.
# Setting this variable isn't necessary. The default value is "storage/configurations".
#
# This variable can be set from a file if you append it with _FILE
#
JSON_CONFIGURATION_DIR=
#
# Time out when connecting with Firefly III.
# π*10 seconds is usually fine.
#
CONNECTION_TIMEOUT=31.41
# The following variables can be useful when debugging the application
APP_ENV=local
APP_DEBUG=false
LOG_CHANNEL=stack
# Log level. You can set this from least severe to most severe:
# debug, info, notice, warning, error, critical, alert, emergency
# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
# nothing will get logged, ever.
LOG_LEVEL=debug
# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
# Set it to ** and reverse proxies work just fine.
TRUSTED_PROXIES=
#
# Time zone
#
TZ=Europe/Amsterdam
#
# Use ASSET_URL when you're running the data importer in a sub-directory.
#
ASSET_URL=
#
# Email settings.
# The data importer can send you a message with all errors, warnings and messages
# after a successful import. This is disabled by default
#
ENABLE_MAIL_REPORT=false
#
# Force Firefly III URL to be secure?
#
#
EXPECT_SECURE_URL=true
APP_NAME=DataImporter
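Review bot: `LOG_LEVEL=debug` is committed for a service that handles bank exports and the Firefly III access token, directly under a comment warning that debug logs grow large and fast; what the importer writes at debug level is not visible here and may include request details, so match the core config with `LOG_LEVEL=notice` unless an import is actively being debugged. `TZ=Europe/Amsterdam` disagrees with `TZ=Europe/Berlin` in `.env.firefly`; the two zones share an offset today, but keep one value in both files so date handling cannot diverge later. `VERIFY_TLS_SECURITY=true` and `EXPECT_SECURE_URL=true` are the right settings since the importer reaches Firefly III through Caddy's TLS endpoint — a short comment saying that is deliberate would stop someone from flipping them when debugging connectivity.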


@ -1,6 +1,3 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ {
config, config,
pkgs, pkgs,
@ -22,12 +19,24 @@ in {
boot.loader.generic-extlinux-compatible.enable = false; boot.loader.generic-extlinux-compatible.enable = false;
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
networking.hostId = "34234773";
boot.kernelPackages = pkgs.linuxPackages_6_1; boot.kernelPackages = pkgs.linuxPackages_6_1;
boot.kernelParams = [
"boot.shell_on_fail=1"
"ip=192.168.178.2::192.168.178.1:255.255.255.0:pie.b12f.io::auto6"
];
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 22;
authorizedKeys = psCfg.user.publicKeys;
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
};
pub-solar.core.disk-encryption-active = false; pub-solar.core.disk-encryption-active = false;
networking.hostId = "34234773";
networking.hostName = "pie"; networking.hostName = "pie";
networking.defaultGateway = { networking.defaultGateway = {
address = "192.168.178.1"; address = "192.168.178.1";
@ -41,6 +50,13 @@ in {
} }
]; ];
networking.interfaces.enabcm6e4ei0.ipv6.addresses = [
{
address = "fe80::dea6:32ff:fe5c:3164";
prefixLength = 64;
}
];
security.sudo.extraRules = [ security.sudo.extraRules = [
{ {
users = ["${psCfg.user.name}"]; users = ["${psCfg.user.name}"];
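Review bot: The initrd sshd is enabled on `port = 22` with its own host key (`/etc/secrets/initrd/ssh_host_ed25519_key`), so if the full system's sshd also listens on 22 (not visible in this hunk, but the default) every client sees a host-key mismatch for `192.168.178.2` between the two boot stages and has to trust both keys under one `known_hosts` entry; the usual arrangement is a dedicated port, e.g. `port = 2222;`, so the two identities stay separate. That key file must be provisioned by hand outside the Nix store before the first rebuild and ends up in the initrd on the unencrypted vfat `/boot`, which is acceptable only because it protects nothing beyond early-boot reachability; a comment stating where the key comes from and how it was generated belongs next to `hostKeys`. With `pub-solar.core.disk-encryption-active = false` on the next line it is unclear what the initrd SSH access is for — if it is for remote LUKS unlock, say so in a comment above `boot.initrd.network.enable`.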

hosts/pie/ddclient.nix Normal file

@ -0,0 +1,44 @@
{
flake,
config,
pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
getIP4 = with pkgs; writeShellScriptBin "getIP" ''
${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
'';
getIP6 = with pkgs; writeShellScriptBin "getIP" ''
${curl}/bin/curl -6 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
'';
in {
imports = [
flake.self.nixosModules.ddclient
];
services.ddclient = {
enable = true;
protocol = "dyndns1";
domains = [
"pie.b12f.io"
"droppie.b12f.io"
];
server = "ddns.hosting.de";
username = "b12f";
usev4 = "cmdv4, cmdv4=${getIP4}/bin/getIP";
usev6 = "cmdv6, cmdv6=${getIP6}/bin/getIP";
verbose = true;
passwordFile = "/run/agenix/dyndns.key";
interval = "1min";
};
age.secrets."dyndns.key" = {
file = "${flake.self}/secrets/dyndns.key";
mode = "400";
owner = "root";
};
}
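Review bot: Both `getIP` scripts pipe `curl` straight into `jq` with no `-f`/`--max-time`, and `jq -r '.ip'` prints the literal string `null` when the key is missing, so an HTTP error page, a rate-limit response or a changed JSONP wrapper from `ipcheck-ds.wieistmeineip.de` would make ddclient push `null` (or whatever the body contained) to `ddns.hosting.de` every minute; use `${curl}/bin/curl -4 -fsS --max-time 10 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq -r '.ip // empty'` (and the `-6` twin) so a failed lookup yields no output instead of a bogus address — confirm that the ddclient version in use skips the update on empty `cmd` output. The same `cmdv6` result is published for `droppie.b12f.io` as well as `pie.b12f.io`, but it is pie's own global IPv6 address; unless pie relays droppie's IPv6 traffic, that AAAA record will point at the wrong machine (the local unbound in this commit gives droppie `…:b5b8` and pie `…:b5b7`). `xdg` is bound but never used and can be dropped.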


@ -6,5 +6,7 @@
./unbound.nix ./unbound.nix
./dhcpd.nix ./dhcpd.nix
./wake-droppie.nix ./wake-droppie.nix
./ddclient.nix
# ./firefly.nix
]; ];
} }


@ -4,6 +4,7 @@
services.kea.dhcp4 = { services.kea.dhcp4 = {
enable = true; enable = true;
settings = { settings = {
interfaces-config = { interfaces-config = {
dhcp-socket-type = "raw"; dhcp-socket-type = "raw";
@ -76,6 +77,44 @@
persist = true; persist = true;
type = "memfile"; type = "memfile";
}; };
subnet6 = [
{
subnet = "2a02:908:500:b::/64";
pools = [
{ pool = "2a02:908:500:b::/64"; }
];
option-data = [
{
name = "dns-servers";
code = 23;
space = "dhcp6";
csv-format = true;
data = "2a02:908:500:b:3077:4e39:7763:b5b7";
}
];
reservations = [
{
hostname = "droppie.local";
hw-address = "08:f1:ea:97:0f:0c";
ip-addresses = [
"2a02:908:500:b:3077:4e39:7763:b5b8"
];
}
{
hostname = "pie.local";
hw-address = "dc:a6:32:5c:31:64";
ip-addresses = [
"2a02:908:500:b:3077:4e39:7763:b5b7"
];
}
];
}
];
rebind-timer = 2000; rebind-timer = 2000;
renew-timer = 1000; renew-timer = 1000;
}; };
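Review bot: The `subnet6` block hard-codes a globally routable prefix (`2a02:908:500:b::/64`) that looks ISP-delegated; if the delegation ever changes, Kea keeps leasing addresses from the stale prefix and the two reservations become unreachable, and the same literal is now repeated in the unbound zone data where it will drift independently — keep the prefix in one shared `let` binding and add a comment stating where it comes from and whether it is static. The enclosing `settings` block starts outside this hunk: the first hunk is inside `services.kea.dhcp4`, and if this one lands there too, `kea-dhcp4` rejects `subnet6` as an unknown parameter (it belongs under `services.kea.dhcp6.settings`), so confirm which attribute set it is in.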

hosts/pie/firefly.nix Normal file

@ -0,0 +1,99 @@
{
flake,
config,
pkgs,
lib,
...
}: {
age.secrets."firefly-secrets.env" = {
file = "${flake.self}/secrets/firefly-secrets.env";
mode = "600";
};
age.secrets."firefly-db-secrets.env" = {
file = "${flake.self}/secrets/firefly-db-secrets.env";
mode = "600";
};
age.secrets."firefly-importer-secrets.env" = {
file = "${flake.self}/secrets/firefly-importer-secrets.env";
mode = "600";
};
services.caddy = {
enable = true;
extraConfig = ''
firefly.b12f.io {
reverse_proxy localhost:8080
}
firefly-importer.b12f.io {
reverse_proxy localhost:8081
}
'';
};
systemd.services."docker-network-firefly" = let
docker = config.virtualisation.oci-containers.backend;
dockerBin = "${pkgs.${docker}}/bin/${docker}";
in {
serviceConfig.Type = "oneshot";
before = ["docker-firefly.service"];
script = ''
${dockerBin} network inspect firefly >/dev/null 2>&1 || ${dockerBin} network create firefly --subnet 172.20.0.0/24
'';
};
virtualisation = {
oci-containers = {
backend = "docker";
containers."firefly" = {
image = "fireflyiii/core:latest";
autoStart = true;
volumes = [
"/var/lib/firefly/upload:/var/www/html/storage/upload"
];
extraOptions = [ "--network=firefly" ];
environmentFiles = [
./.env.firefly
config.age.secrets."firefly-secrets.env".path
];
ports = [ "8080:8080" ];
dependsOn = [ "firefly-db" ];
};
containers."firefly-db" = {
image = "postgres:16";
autoStart = true;
volumes = [
"/var/lib/firefly/db:/var/lib/postgresql/data"
];
extraOptions = [ "--network=firefly" ];
environmentFiles = [
config.age.secrets."firefly-db-secrets.env".path
];
};
containers."firefly-importer" = {
image = "fireflyiii/data-importer:latest";
autoStart = true;
volumes = [
"/var/lib/firefly/db:/var/lib/postgresql/data"
];
extraOptions = [ "--network=firefly" ];
ports = [ "8081:8080" ];
environmentFiles = [
config.age.secrets."firefly-importer-secrets.env".path
];
dependsOn = [ "firefly" ];
};
# containers."cron" = {
# image = "alpine";
# autoStart = true;
# command = ''sh -c "echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/REPLACEME\" | crontab - && crond -f -L /dev/stdout"'';
# extraOptions = [ "--network=firefly" ];
# };
};
};
}
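Review bot: `firefly-importer` mounts `/var/lib/firefly/db:/var/lib/postgresql/data`, the raw Postgres data directory of `firefly-db`; the importer only talks to Firefly III over HTTP and never needs it, and giving a second container write access to the live database files is the copy-paste most likely to corrupt the database — drop that `volumes` entry entirely. The `docker-network-firefly` oneshot is only ordered `before` `docker-firefly.service` and nothing `wants` it, so it is never pulled into the boot transaction, and `docker-firefly-db.service` (which starts first because of `dependsOn`) also needs the network to exist; add `wantedBy` and `before` for all three container units. `ports = [ "8080:8080" ]` and `"8081:8080"` publish the containers on every host interface, so LAN clients can bypass Caddy's TLS (and spoof forwarded headers given `TRUSTED_PROXIES=**` in `.env.firefly`); bind them to loopback. `fireflyiii/core:latest` and `fireflyiii/data-importer:latest` float across releases, turning every restart into a potential unreviewed upgrade; pin release tags or `@sha256:` digests (`postgres:16` at least holds the major version, which matters because a major bump would refuse to start on the existing data directory).

```nix
  systemd.services."docker-network-firefly" = let
    # … unchanged: docker / dockerBin bindings …
  in {
    serviceConfig.Type = "oneshot";
    # firefly-db starts first (firefly dependsOn it) and joins the same network, so order this
    # unit before all three containers and let them pull it in — previously nothing wanted it
    before = [ "docker-firefly-db.service" "docker-firefly.service" "docker-firefly-importer.service" ];
    wantedBy = [ "docker-firefly-db.service" "docker-firefly.service" "docker-firefly-importer.service" ];
    # … unchanged: script …
  };
  # … unchanged: age.secrets, services.caddy, firefly-db container …
      containers."firefly" = {
        # … unchanged: image, autoStart, volumes, extraOptions, environmentFiles …
        # loopback only: Caddy is the sole entry point and terminates TLS
        ports = [ "127.0.0.1:8080:8080" ];
        dependsOn = [ "firefly-db" ];
      };
      containers."firefly-importer" = {
        image = "fireflyiii/data-importer:latest";
        autoStart = true;
        # no volumes: the importer talks to Firefly III over HTTP and must not see the Postgres data directory
        extraOptions = [ "--network=firefly" ];
        ports = [ "127.0.0.1:8081:8080" ];
        # … unchanged: environmentFiles, dependsOn …
      };
```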


@ -12,21 +12,30 @@
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
fileSystems."/" = { boot.initrd.luks.devices = {
device = "zroot/root"; cryptroot = {
device = "/dev/disk/by-uuid/742f819f-98e5-457d-b21e-30443455fde3";
bypassWorkqueues = true; # optimization for ssds
};
};
fileSystems."/" =
{ device = "zroot/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/DA7C-BE8B"; { device = "/dev/disk/by-uuid/0D5D-B809";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ swapDevices =
{ device = "/dev/disk/by-uuid/8ce4ae9c-2db0-41b0-8468-91bb184707d1"; } [ { device = "/dev/disk/by-uuid/af71e930-42ce-4174-a098-4ea5753b1ea9"; }
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
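Review bot: The new `cryptroot` entry gives no hint which host or disk `742f819f-…` is, nor whether `zroot` (the `/` filesystem declared right below) lives inside it, so the link between the LUKS device and the ZFS pool is invisible to the next reader; if that is the layout, a comment such as `# LUKS container holding the zroot pool; unlocked in the initrd before ZFS import` above `cryptroot` would carry it. The `/boot` and swap UUIDs change in the same hunk, presumably a reinstall on a new disk, which deserves the same one-line note `bypassWorkqueues` already has.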


@ -17,9 +17,24 @@
"\"box\" static" "\"box\" static"
]; ];
local-data = [ local-data = [
"\"droppie.local. 10800 IN A 192.168.178.3\""
"\"droppie.local. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
"\"droppie.b12f.io. 10800 IN A 192.168.178.3\""
"\"droppie.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
"\"backup.b12f.io. 10800 IN A 192.168.178.3\"" "\"backup.b12f.io. 10800 IN A 192.168.178.3\""
"\"backup.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
"\"pie.local. 10800 IN A 192.168.178.2\"" "\"pie.local. 10800 IN A 192.168.178.2\""
"\"pie.local. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
"\"pie.b12f.io. 10800 IN A 192.168.178.2\""
"\"pie.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
"\"firefly.b12f.io. 10800 IN A 192.168.178.2\""
"\"firefly.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
"\"paperless.b12f.io. 10800 IN A 192.168.178.2\""
"\"paperless.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
"\"fritz.box. 10800 IN A 192.168.178.1\"" "\"fritz.box. 10800 IN A 192.168.178.1\""
"\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
]; ];
}; };
forward-zone = [ forward-zone = [
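Review bot: `firefly.b12f.io` and `paperless.b12f.io` are now answered with pie's addresses, but in this same commit `./firefly.nix` stays commented out in `hosts/pie/pie.nix` and the paperless module is commented out in the host definition, so LAN clients get records for services that do not listen there; either import the modules or hold these two entries until they do. The global IPv6 literals (`2a02:908:500:b:…:b5b7` / `…:b5b8`) are now duplicated between this file and the Kea reservations and will silently drift when the delegated prefix changes; hoist them into one shared `let` binding used by both. `backup.b12f.io` is kept as an alias for droppie even though the deploy target and ddclient moved to `droppie.b12f.io`; if clients still depend on it, a comment saying so would stop it from being removed by accident.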


@ -20,6 +20,6 @@ in {
findutils findutils
exfat exfat
gitFull gitMinimal
]; ];
} }


@ -0,0 +1,245 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.ddclient;
boolToStr = bool: if bool then "yes" else "no";
dataDir = "/var/lib/ddclient";
StateDirectory = builtins.baseNameOf dataDir;
RuntimeDirectory = StateDirectory;
usev4 = if cfg.usev4 != "" then "usev4=${cfg.usev4}" else "";
usev6 = if cfg.usev6 != "" then "usev6=${cfg.usev6}" else "";
configFile' = pkgs.writeText "ddclient.conf" ''
# This file can be used as a template for configFile or is automatically generated by Nix options.
use=no
${usev4}
${usev6}
cache=${dataDir}/ddclient.cache
foreground=yes
login=${cfg.username}
password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"}
protocol=${cfg.protocol}
${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"}
ssl=${boolToStr cfg.ssl}
wildcard=yes
quiet=${boolToStr cfg.quiet}
verbose=${boolToStr cfg.verbose}
${cfg.extraConfig}
${lib.concatStringsSep "," cfg.domains}
'';
configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
preStart = ''
install --mode=600 --owner=$USER ${configFile} /run/${RuntimeDirectory}/ddclient.conf
${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
install --mode=600 --owner=$USER ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
'' else if (cfg.passwordFile != null) then ''
"${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
'' else ''
sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
'')}
'';
in with lib; {
disabledModules = [
"services/networking/ddclient.nix"
];
imports = [
(mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ]
(config:
let value = getAttrFromPath [ "services" "ddclient" "domain" ] config;
in if value != "" then [ value ] else []))
(mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "")
(mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.")
];
###### interface
options = {
services.ddclient = with lib.types; {
enable = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org).
'';
};
package = mkOption {
type = package;
default = pkgs.ddclient;
defaultText = lib.literalExpression "pkgs.ddclient";
description = lib.mdDoc ''
The ddclient executable package run by the service.
'';
};
domains = mkOption {
default = [ "" ];
type = listOf str;
description = lib.mdDoc ''
Domain name(s) to synchronize.
'';
};
username = mkOption {
# For `nsupdate` username contains the path to the nsupdate executable
default = lib.optionalString (config.services.ddclient.protocol == "nsupdate") "${pkgs.bind.dnsutils}/bin/nsupdate";
defaultText = "";
type = str;
description = lib.mdDoc ''
User name.
'';
};
passwordFile = mkOption {
default = null;
type = nullOr str;
description = lib.mdDoc ''
A file containing the password or a TSIG key in named format when using the nsupdate protocol.
'';
};
interval = mkOption {
default = "10min";
type = str;
description = lib.mdDoc ''
The interval at which to run the check and update.
See {command}`man 7 systemd.time` for the format.
'';
};
configFile = mkOption {
default = null;
type = nullOr path;
description = lib.mdDoc ''
Path to configuration file.
When set this overrides the generated configuration from module options.
'';
example = "/root/nixos/secrets/ddclient.conf";
};
protocol = mkOption {
default = "dyndns2";
type = str;
description = lib.mdDoc ''
Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols).
'';
};
server = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
Server address.
'';
};
ssl = mkOption {
default = true;
type = bool;
description = lib.mdDoc ''
Whether to use SSL/TLS to connect to dynamic DNS provider.
'';
};
quiet = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Print no messages for unnecessary updates.
'';
};
script = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
script as required by some providers.
'';
};
usev4 = mkOption {
default = "webv4, webv4=checkip.dyndns.com/, webv4-skip='Current IP Address: '";
type = str;
description = lib.mdDoc ''
Method to determine the IP address to send to the dynamic DNS provider.
'';
};
usev6 = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
Method to determine the IP address to send to the dynamic DNS provider.
'';
};
verbose = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Print verbose information.
'';
};
zone = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
zone as required by some providers.
'';
};
extraConfig = mkOption {
default = "";
type = lines;
description = lib.mdDoc ''
Extra configuration. Contents will be added verbatim to the configuration file.
::: {.note}
`daemon` should not be added here because it does not work great with the systemd-timer approach the service uses.
:::
'';
};
};
};
###### implementation
config = mkIf config.services.ddclient.enable {
systemd.services.ddclient = {
description = "Dynamic DNS Client";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartTriggers = optional (cfg.configFile != null) cfg.configFile;
serviceConfig = {
DynamicUser = true;
RuntimeDirectoryMode = "0700";
inherit RuntimeDirectory;
inherit StateDirectory;
Type = "oneshot";
ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}";
ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
};
};
systemd.timers.ddclient = {
description = "Run ddclient";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = cfg.interval;
OnUnitInactiveSec = cfg.interval;
};
};
};
}


@ -10,6 +10,7 @@
bluetooth = import ./bluetooth; bluetooth = import ./bluetooth;
core = import ./core; core = import ./core;
crypto = import ./crypto; crypto = import ./crypto;
ddclient = import ./ddclient;
desktop-extended = import ./desktop-extended; desktop-extended = import ./desktop-extended;
docker = import ./docker; docker = import ./docker;
email = import ./email; email = import ./email;


@ -12,9 +12,9 @@ in {
users.users."${psCfg.user.name}".packages = with pkgs; [ users.users."${psCfg.user.name}".packages = with pkgs; [
ungoogled-chromium ungoogled-chromium
gimp
wine wine
gimp
present-md present-md
inkscape inkscape
gpxsee gpxsee


@ -19,7 +19,7 @@
set $up i set $up i
set $right l set $right l
# Your preferred terminal emulator # Your preferred terminal emulator
set $term ${pkgs.alacritty} set $term ${pkgs.alacritty}/bin/alacritty
# Your preferred application launcher # Your preferred application launcher
# Note: pass the final command to swaymsg so that the resulting window can be opened # Note: pass the final command to swaymsg so that the resulting window can be opened
# on the original workspace that the command was run on. # on the original workspace that the command was run on.


@ -32,12 +32,6 @@
(import ./neovim-plugins.nix) (import ./neovim-plugins.nix)
(import ./signal-desktop.nix) (import ./signal-desktop.nix)
]; ];
nix.nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"nixos-config=${../lib/compat/nixos}"
"home-manager=${inputs.home-manager}"
];
}); });
}; };
}; };


@ -1,41 +0,0 @@
channels: final: prev: {
__dontExport = true; # overrides clutter up actual creations
inherit
(channels.latest)
nixd
;
inherit
(channels.fix-yubikey-agent)
yubikey-agent
;
inherit
(channels.master)
factorio-headless
paperless-ngx
waybar
element-desktop
signal-desktop
;
haskellPackages =
prev.haskellPackages.override
(old: {
overrides = prev.lib.composeExtensions (old.overrides or (_: _: {})) (hfinal: hprev: let
version = prev.lib.replaceChars ["."] [""] prev.ghc.version;
in {
# same for haskell packages, matching ghc versions
inherit
(channels.latest.haskell.packages."ghc${version}")
haskell-language-server
;
});
});
vimPlugins = prev.vimPlugins // {inherit (channels.latest.vimPlugins) nvim-lspconfig;};
}

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,27 +0,0 @@
age-encryption.org/v1
-> ssh-rsa kFDS0A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-> ssh-ed25519 7Wns0A aKiZ8iw+Ub5rByBef0apOn6lG5Bv6tzFCiBu3DN6sSg
58+9kySg3ajO7E5V87b/qRu9axpu2hQUuY/cVTt2YdI
-> ssh-rsa wVtlwQ
RbrfuwS5zQzL9yMWFDSnWj9cQFLirTH37Xf79Dis2CJIDd83vmlmGNY5x1aPpZoZ
J6XDhibGTJc02DYuNVIE1IXm0x9tc6Z9PTT+WiAFt1JuKHguXTWLRMM9HmyvWWDg
bFsRDAcYup+SK5d+ME+XooDGueC822rAjkGIRHNSCimGwuLpDRKqyyVfYA+dcfiP
EoYH7x4S09jYRr1C5EkbraLbm1vijc5ikJw3b42KKbyo3wDwKga+Vk2nl2AtgjZp
KipZlyjs+IjMRXX5IBpgoRtXcvHuidsOSc+guRo0ihF9MbzRc/Tt2g0V7t3KjeT0
SJDLmHOos2RKTmx06aidDg
-> Dz(k-grease ~FF p m)E{J3E
7Igp3pclCAzAmeky5cPqlIzcITT+0jvieQe7ruSxRYRYqpYU7tMQFmHuNUahp+BP
MzOYiM+PIQmn
--- IC9SI76EjaFZxQ5odEeIv49n/O8uOdpM6LE1Z7dtHg4
l%Àu¯¯ÃE„\ÎüÔ ?2\&ÚwG&@¡­W£~9"úŠ^ÊƆý¼Á<>oån^šë<C5A1>㻳xšèOI‡¢uOíò‡21c*ãm¸%ô)ý#”جeõIÙ6îA/i

20
secrets/dyndns.key Normal file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 8bHz7g GloMoc3qIJq8coOIqGLIWtAwSZMu/tJdLDLt155o+RA
XKt0Hw50VXh3YYYbKEqpVAAo4aj6X+24mX8saH6nu1w
-> ssh-rsa kFDS0A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-> |0I<)A4-grease
g/FEYilOi+UwM+E98Rvpav2jqeLUlVeDAo4PVWHNhjIbas8iJV6eKwwJMNfuEJ5D
wdh+HTDijoUzaYTPgYqcKg
--- N46xNnGnaWTUqGo6Q7R0VNqgPpUEu0D2VDgOnPZhgiw
zÁæ¤p¸ŠÕÕaf&èù€H~pÊÊrn·OŸk„÷øàü͵CÉÝ`ÿÞlùæºe¸ÎÆÓ‘ۨǾ"†Æ¦˜î……&L41š‡ã)y%†Åü:;35ÎÀæ¨Ü


@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 8bHz7g vV/SfIESf7TVyAJLgMTm0Tbkd4jLRpcNH/L3ZAIgqyY
KIm/ih9nmdCVkh/c6ol5DwJARivS5s3v6LXXIOuIh9c
-> ssh-rsa kFDS0A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-> JWdGKAh8-grease >
RgQ2hCi5bBfRsqGIvrwmrWE
--- e4oH/zzH6rnwTpoQI5T+etz/BlQD9Kry7lYsAw8BK14
¬¸¹êŒÀb†Ä sžŽ^®¢*"ûò—¨ýM°càä¾"Ê*GsXq¦UhôU<C3B4>…øŽsEi<45>Û/ˆ3I÷6^ämp¬Y9
s^y<>XX~ØQ!ˆ«w¾eÄŒp×reiÔE| Úʱýçÿ¢Õe3$­§Äÿl™ï<>Çåèì
<EFBFBD>¯ì%×øýCŠ—ê¡žÃ{3EÂV+4ú<34>AùÒ

Binary file not shown.

BIN
secrets/firefly-secrets.env Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -11,7 +11,7 @@ let
droppie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDuXuPPDXTyJgy4JRwbKcPbawvVB1Il2neyRWb4O5sJ root@nixos"; droppie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDuXuPPDXTyJgy4JRwbKcPbawvVB1Il2neyRWb4O5sJ root@nixos";
droppie-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnYTlTmHCl6LOkexqRR9LqjOoFgt9TQ4VzHQGRHJMzF/AGcDRoqC+pBLFSTzRb5/ikAOsb32XHyKVg4nNdJeQshO11QtDmkCB02D/XcIXxnNQ5A8CztT2az5xJtbbWSdamMnHBLcqLiwoLmXbERpdlt8jNqMHrz+bjCUGYVAFSfc/WdIs6EATJ1eF0VFxv7nUh4qhgStABSwhNsnoYOC/DOBSA9aBP1f5Fz9QHUioPTGi2hRwbTbtFUvTrymPpWVFRApa1zvGXcr4YUCm7ia1ZlZKzRpsPkwLxb8Omm4bGmR0cAVwVhVRySnhpCTwbIBLyw+H8PvKWBBba1NAKyMij root@droppie"; droppie-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnYTlTmHCl6LOkexqRR9LqjOoFgt9TQ4VzHQGRHJMzF/AGcDRoqC+pBLFSTzRb5/ikAOsb32XHyKVg4nNdJeQshO11QtDmkCB02D/XcIXxnNQ5A8CztT2az5xJtbbWSdamMnHBLcqLiwoLmXbERpdlt8jNqMHrz+bjCUGYVAFSfc/WdIs6EATJ1eF0VFxv7nUh4qhgStABSwhNsnoYOC/DOBSA9aBP1f5Fz9QHUioPTGi2hRwbTbtFUvTrymPpWVFRApa1zvGXcr4YUCm7ia1ZlZKzRpsPkwLxb8Omm4bGmR0cAVwVhVRySnhpCTwbIBLyw+H8PvKWBBba1NAKyMij root@droppie";
nougat-2-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINELr5Bvr15GqCHevg9QP8oYFgmaRUUHcPFf4MZho9gI root@nougat-2"; pie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcTORdlVno0B9R6Yh9qmlOZKA/ZQ8RBzXK7/1rBbE02 root@pie.local";
baseKeys = [ baseKeys = [
bbcom bbcom
@ -32,8 +32,8 @@ let
droppie-user droppie-user
]; ];
nougat-2Keys = [ pieKeys = [
nougat-2-host pie-host
]; ];
in { in {
"keyfile-biolimo.bin".publicKeys = biolimoKeys ++ baseKeys; "keyfile-biolimo.bin".publicKeys = biolimoKeys ++ baseKeys;
@ -45,7 +45,7 @@ in {
"vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys; "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
"vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys; "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
"dyndns-droppie.key".publicKeys = droppieKeys ++ baseKeys; "dyndns.key".publicKeys = pieKeys ++ baseKeys;
"droppie-ssh-root.key".publicKeys = droppieKeys ++ baseKeys; "droppie-ssh-root.key".publicKeys = droppieKeys ++ baseKeys;
@ -57,15 +57,11 @@ in {
"cat-test.ovpn".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; "cat-test.ovpn".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
"hosting.de-api.key".publicKeys = nougat-2Keys ++ baseKeys; "hosting.de-api.key".publicKeys = baseKeys;
"concourse-secrets.age".publicKeys = nougat-2Keys ++ baseKeys; "firefly-secrets.env".publicKeys = pieKeys ++ baseKeys;
"concourse-db-secrets.age".publicKeys = nougat-2Keys ++ baseKeys;
"concourse-worker-key.age".publicKeys = nougat-2Keys ++ baseKeys;
"concourse-tsa-host-key.age".publicKeys = nougat-2Keys ++ baseKeys;
"concourse-session-signing-key.age".publicKeys = nougat-2Keys ++ baseKeys;
"keycloak-database-password.age".publicKeys = nougat-2Keys ++ baseKeys; "firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
"gitea-database-password.age".publicKeys = nougat-2Keys ++ baseKeys; "firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys;
} }
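Review bot: `"hosting.de-api.key".publicKeys = baseKeys;` in the last hunk leaves that secret with no host recipient at all, so no machine can decrypt it at activation time; if pie is meant to consume it the line should read `"hosting.de-api.key".publicKeys = pieKeys ++ baseKeys;`, and if no host uses it any more the corresponding .age file should be removed in this commit rather than kept encrypted to user keys only. Dropping nougat-2Keys from the recipient lists and renaming dyndns-droppie.key to dyndns.key (hunk at -45) only changes which keys can open the newly re-encrypted files; the earlier ciphertexts remain readable by the old nougat-2 host key through git history, so anything that host could decrypt should be rotated rather than merely re-keyed. The `in {` attribute set these hunks edit begins before the first hunk.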

Binary file not shown.

Binary file not shown.


@ -34,7 +34,6 @@ in {
"ssh-rsa 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 b12f@biolimo" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== b12f@biolimo"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
"ssh-rsa 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 b12f@chocolatebar" "ssh-rsa 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 b12f@chocolatebar"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
]; ];


@ -14,7 +14,7 @@ in {
inherit DRONE_RPC_PROTO; inherit DRONE_RPC_PROTO;
DRONE_SERVER = DRONE_RPC_PROTO + "://" + DRONE_RPC_HOST; DRONE_SERVER = DRONE_RPC_PROTO + "://" + DRONE_RPC_HOST;
RESTIC_REPOSITORY = "sftp:root@backup.b12f.io:/media/internal/backups"; RESTIC_REPOSITORY = "sftp:root@droppie.b12f.io:/media/internal/backups";
RESTIC_PASSWORD_COMMAND = "secret-tool lookup restic repository-password"; RESTIC_PASSWORD_COMMAND = "secret-tool lookup restic repository-password";
}; };
}; };
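Review bot: `RESTIC_REPOSITORY = "sftp:root@droppie.b12f.io:/media/internal/backups";` points the sftp backend at a new hostname, and restic delegates host authentication entirely to ssh, so unless a known_hosts entry for droppie.b12f.io is provisioned alongside this change the first run will either stall on the interactive host-key prompt or, with strict checking disabled, trust whichever key answers. Nothing in this hunk shows that pin; if it is configured elsewhere in the commit a short comment on this line naming where would help, e.g. `# host key for droppie.b12f.io is pinned in known_hosts`. The attribute set this line belongs to starts and ends outside the hunk.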