fix: get networking on pie working properly

flake.lock

@@ -40,9 +40,7 @@
     },
     "agenix": {
       "inputs": {
-        "darwin": [
-          "nix-darwin"
-        ],
+        "darwin": "darwin",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -61,6 +59,28 @@
         "type": "github"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1696360011,
+        "narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "deno2nix": {
       "inputs": {
         "devshell": "devshell",
@@ -322,27 +342,6 @@
         "type": "github"
       }
     },
-    "nix-darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1695686713,
-        "narHash": "sha256-rJATx5B/nwlBpt7CJUf85LV27qWPbul5UVV8fu6ABPg=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "e236a1e598a9a59265897948ac9874c364b9555f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "ref": "master",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
     "nixos-flake": {
       "locked": {
         "lastModified": 1692742948,
@@ -498,7 +497,6 @@
         "home-manager": "home-manager",
         "mobile-nixos": "mobile-nixos",
         "musnix": "musnix",
-        "nix-darwin": "nix-darwin",
         "nixos-flake": "nixos-flake",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",

flake.nix

@@ -12,9 +12,6 @@
     flake-compat.url = "github:edolstra/flake-compat";
     flake-compat.flake = false;
 
-    nix-darwin.url = "github:lnl7/nix-darwin/master";
-    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
-
     home-manager.url = "github:nix-community/home-manager/release-23.05";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -27,7 +24,6 @@
 
     agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
-    agenix.inputs.darwin.follows = "nix-darwin";
 
     nixos-hardware.url = "github:nixos/nixos-hardware";
 
@@ -49,8 +45,6 @@
       systems = [
         "x86_64-linux"
         "aarch64-linux"
-        "x86_64-darwin"
-        "aarch64-darwin"
       ];
 
       imports = [
@@ -100,7 +94,7 @@
           };
 
           droppie = {
-            hostname = "backup.b12f.io";
+            hostname = "droppie.b12f.io";
             sshUser = "yule";
           };
 

hosts/chocolatebar/configuration.nix

@@ -1,7 +1,6 @@
 {
   config,
   pkgs,
-  flake,
   lib,
   ...
 }:

hosts/default.nix

@@ -57,7 +57,8 @@
           ./pie
           self.nixosModules.yule
           self.nixosModules.printing
-          self.nixosModules.paperless
+          # self.nixosModules.paperless
+          # self.nixosModules.docker
         ];
       };
 
@@ -80,6 +81,17 @@
         ];
       };
 
+      iso-arm = self.nixos-flake.lib.mkLinuxSystem {
+        nixpkgs.hostPlatform = "aarch64-linux";
+        nixpkgs.buildPlatform = "x86_64-linux";
+        imports = [
+          "${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
+          self.nixosModules.base
+          ./iso
+          self.nixosModules.nixos
+        ];
+      };
+
       iso-graphical = self.nixos-flake.lib.mkLinuxSystem {
         nixpkgs.hostPlatform = "x86_64-linux";
         imports = [

hosts/droppie/configuration.nix

@@ -23,34 +23,6 @@ in {
 
   networking.hostName = "droppie";
 
-  security.sudo.extraRules = [
-    {
-      users = ["${psCfg.user.name}"];
-      commands = [
-        {
-          command = "ALL";
-          options = ["NOPASSWD"];
-        }
-      ];
-    }
-  ];
-
-  services.ddclient = {
-    enable = false;
-    ipv6 = true;
-    domains = ["backup.b12f.io"];
-    server = "ddns.hosting.de";
-    username = "b12f";
-    use = "web, web=https://ipcheck-ds.wieistmeineip.de/callback/, web-skip='ip\":\"'";
-    passwordFile = "/run/agenix/dyndns-droppie.key";
-  };
-
-  age.secrets."dyndns-droppie.key" = {
-    file = "${flake.self}/secrets/dyndns-droppie.key";
-    mode = "400";
-    owner = "root";
-  };
-
   # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
   age.secrets."droppie-ssh-root.key" = {
     file = "${flake.self}/secrets/droppie-ssh-root.key";

hosts/pie/.env.firefly

@@ -0,0 +1,239 @@
+# You can leave this on "local". If you change it to production most console commands will ask for extra confirmation.
+# Never set it to "testing".
+APP_ENV=local
+
+# Set to true if you want to see debug information in error screens.
+APP_DEBUG=false
+
+# This should be your email address.
+# If you use Docker or similar, you can set this variable from a file by using SITE_OWNER_FILE
+# The variable is used in some errors shown to users who aren't admin.
+SITE_OWNER=firefly-admin@benjaminbaedorf.eu
+
+# Firefly III will launch using this language (for new users and unauthenticated visitors)
+# For a list of available languages: https://github.com/firefly-iii/firefly-iii/tree/main/resources/lang
+#
+# If text is still in English, remember that not everything may have been translated.
+DEFAULT_LANGUAGE=en_US
+
+# The locale defines how numbers are formatted.
+# by default this value is the same as whatever the language is.
+DEFAULT_LOCALE=equal
+
+# Change this value to your preferred time zone.
+# Example: Europe/Amsterdam
+# For a list of supported time zones, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=Europe/Berlin
+
+# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
+# Set it to ** and reverse proxies work just fine.
+TRUSTED_PROXIES=**
+
+# The log channel defines where your log entries go to.
+# Several other options exist. You can use 'single' for one big fat error log (not recommended).
+# Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself.
+# A rotating log option is 'daily', creates 5 files that (surprise) rotate.
+# A cool option is 'papertrail' for cloud logging
+# Default setting 'stack' will log to 'daily' and to 'stdout' at the same time.
+LOG_CHANNEL=stack
+
+# Log level. You can set this from least severe to most severe:
+# debug, info, notice, warning, error, critical, alert, emergency
+# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
+# nothing will get logged, ever.
+APP_LOG_LEVEL=notice
+
+# Audit log level.
+# The audit log is used to log notable Firefly III events on a separate channel.
+# These log entries may contain sensitive financial information.
+# The audit log is disabled by default.
+#
+# To enable it, set AUDIT_LOG_LEVEL to "info"
+# To disable it, set AUDIT_LOG_LEVEL to "emergency"
+AUDIT_LOG_LEVEL=emergency
+
+#
+# If you want, you can redirect the audit logs to another channel.
+# Set 'audit_stdout', 'audit_syslog', 'audit_errorlog' to log to the system itself.
+# Use audit_daily to log to a rotating file.
+# Use audit_papertrail to log to papertrail.
+#
+# If you do this, the audit logs may be mixed with normal logs because the settings for these channels
+# are often the same as the settings for the normal logs.
+AUDIT_LOG_CHANNEL=
+
+#
+# Used when logging to papertrail:
+# Also used when audit logs log to papertrail:
+#
+PAPERTRAIL_HOST=
+PAPERTRAIL_PORT=
+
+# PostgreSQL supports SSL. You can configure it here.
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+PGSQL_SSL_MODE=prefer
+PGSQL_SSL_ROOT_CERT=null
+PGSQL_SSL_CERT=null
+PGSQL_SSL_KEY=null
+PGSQL_SSL_CRL_FILE=null
+
+# more PostgreSQL settings
+PGSQL_SCHEMA=public
+
+# If you're looking for performance improvements, you could install memcached or redis
+CACHE_DRIVER=file
+SESSION_DRIVER=file
+
+# If you set either of the options above to 'redis', you might want to update these settings too
+# If you use Docker or similar, you can set REDIS_HOST_FILE, REDIS_PASSWORD_FILE or
+# REDIS_PORT_FILE to set the value from a file instead of from an environment variable
+
+# can be tcp, unix or http
+REDIS_SCHEME=tcp
+
+# use only when using 'unix' for REDIS_SCHEME. Leave empty otherwise.
+REDIS_PATH=
+
+# use only when using 'tcp' or 'http' for REDIS_SCHEME. Leave empty otherwise.
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+
+# Use only with Redis 6+ with proper ACL set. Leave empty otherwise.
+REDIS_USERNAME=
+REDIS_PASSWORD=
+
+# always use quotes and make sure redis db "0" and "1" exists. Otherwise change accordingly.
+REDIS_DB="0"
+REDIS_CACHE_DB="1"
+
+# Cookie settings. Should not be necessary to change these.
+# If you use Docker or similar, you can set COOKIE_DOMAIN_FILE to set
+# the value from a file instead of from an environment variable
+# Setting samesite to "strict" may give you trouble logging in.
+COOKIE_PATH="/"
+COOKIE_DOMAIN=
+COOKIE_SECURE=false
+COOKIE_SAMESITE=lax
+
+# Firefly III can send you the following messages.
+SEND_ERROR_MESSAGE=true
+
+# These messages contain (sensitive) transaction information:
+SEND_REPORT_JOURNALS=true
+
+# Set this value to true if you want to set the location of certain things, like transactions.
+# Since this involves an external service, it's optional and disabled by default.
+ENABLE_EXTERNAL_MAP=false
+
+# Set this value to true if you want Firefly III to download currency exchange rates
+# from the internet. These rates are hosted by the creator of Firefly III inside
+# an Azure Storage Container.
+# Not all currencies may be available. Rates may be wrong.
+ENABLE_EXTERNAL_RATES=true
+
+# The map will default to this location:
+MAP_DEFAULT_LAT=51.983333
+MAP_DEFAULT_LONG=5.916667
+MAP_DEFAULT_ZOOM=6
+
+#
+# Firefly III authentication settings
+#
+
+#
+# Firefly III supports a few authentication methods:
+# - 'web' (default, uses built in DB)
+# - 'remote_user_guard' for Authelia etc
+# Read more about these settings in the documentation.
+# https://docs.firefly-iii.org/firefly-iii/advanced-installation/authentication
+#
+# LDAP is no longer supported :(
+#
+AUTHENTICATION_GUARD=web
+
+#
+# Remote user guard settings
+#
+AUTHENTICATION_GUARD_HEADER=REMOTE_USER
+AUTHENTICATION_GUARD_EMAIL=
+
+#
+# Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
+#
+ALLOW_WEBHOOKS=false
+
+#
+# The static cron job token can be useful when you use Docker and wish to manage cron jobs.
+# 1. Set this token to any 32-character value (this is important!).
+# 2. Use this token in the cron URL instead of a user's command line token that you can find in /profile
+#
+# For more info: https://docs.firefly-iii.org/firefly-iii/advanced-installation/cron/
+#
+# You can set this variable from a file by appending it with _FILE
+#
+STATIC_CRON_TOKEN=
+
+# You can fine tune the start-up of a Docker container by editing these environment variables.
+# Use this at your own risk. Disabling certain checks and features may result in lots of inconsistent data.
+# However if you know what you're doing you can significantly speed up container start times.
+# Set each value to true to enable, or false to disable.
+
+# Set this to true to build all locales supported by Firefly III.
+# This may take quite some time (several minutes) and is generally not recommended.
+# If you wish to change or alter the list of locales, start your Docker container with
+# `docker run -v locale.gen:/etc/locale.gen -e DKR_BUILD_LOCALE=true`
+# and make sure your preferred locales are in your own locale.gen.
+DKR_BUILD_LOCALE=false
+
+# Check if the SQLite database exists. Can be skipped if you're not using SQLite.
+# Won't significantly speed up things.
+DKR_CHECK_SQLITE=true
+
+# Run database creation and migration commands. Disable this only if you're 100% sure the DB exists
+# and is up to date.
+DKR_RUN_MIGRATION=true
+
+# Run database upgrade commands. Disable this only when you're 100% sure your DB is up-to-date
+# with the latest fixes (outside of migrations!)
+DKR_RUN_UPGRADE=true
+
+# Verify database integrity. Includes all data checks and verifications.
+# Disabling this makes Firefly III assume your DB is intact.
+DKR_RUN_VERIFY=true
+
+# Run database reporting commands. When disabled, Firefly III won't go over your data to report current state.
+# Disabling this should have no impact on data integrity or safety but it won't warn you of possible issues.
+DKR_RUN_REPORT=true
+
+# Generate OAuth2 keys.
+# When disabled, Firefly III won't attempt to generate OAuth2 Passport keys. This won't be an issue, IFF (if and only if)
+# you had previously generated keys already and they're stored in your database for restoration.
+DKR_RUN_PASSPORT_INSTALL=true
+
+# Leave the following configuration vars as is.
+# Unless you like to tinker and know what you're doing.
+APP_NAME=FireflyIII
+BROADCAST_DRIVER=log
+QUEUE_DRIVER=sync
+CACHE_PREFIX=firefly
+PUSHER_KEY=
+IPINFO_TOKEN=
+PUSHER_SECRET=
+PUSHER_ID=
+DEMO_USERNAME=
+DEMO_PASSWORD=
+FIREFLY_III_LAYOUT=v1
+
+#
+# If you have trouble configuring your Firefly III installation, DON'T BOTHER setting this variable.
+# It won't work. It doesn't do ANYTHING. Don't believe the lies you read online. I'm not joking.
+# This configuration value WILL NOT HELP.
+#
+# Notable exception to this rule is Synology, which, according to some users, will use APP_URL to rewrite stuff.
+#
+# This variable is ONLY used in some of the emails Firefly III sends around. Nowhere else.
+# So when configuring anything WEB related this variable doesn't do anything. Nothing
+#
+# If you're stuck I understand you get desperate but look SOMEWHERE ELSE.
+#
+APP_URL=http://localhost

hosts/pie/.env.firefly-importer

@@ -0,0 +1,126 @@
+# Firefly Data Importer (FIDI) configuration file
+
+# Where is Firefly III?
+#
+# 1) Make sure you ADD http:// or https://
+# 2) Make sure you REMOVE any trailing slash from the end of the URL.
+# 3) In case of Docker, refer to the internal IP of your Firefly III installation.
+#
+# Setting this value is not mandatory. But it is very useful.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+FIREFLY_III_URL=https://firefly.b12f.io
+
+#
+# Imagine Firefly III can be reached at "http://172.16.0.2:8082" (internal Docker network or something).
+# But you have a fancy URL: "https://personal-finances.bill.microsoft.com/"
+#
+# In those cases, you can overrule the URL so when the data importer links back to Firefly III, it uses the correct URL.
+#
+# 1) Make sure you ADD http:// or https://
+# 2) Make sure you REMOVE any trailing slash from the end of the URL.
+#
+# IF YOU SET THIS VALUE, YOU MUST ALSO SET THE FIREFLY_III_URL
+#
+# This variable can be set from a file if you append it with _FILE
+#
+VANITY_URL=https://firefly.b12f.io
+
+#
+# If set to true, the data import will not complain about running into duplicates.
+# This will give you cleaner import mails if you run regular imports.
+#
+# This means that the data importer will not import duplicates, but it will not complain about them either.
+#
+# This setting has no influence on the settings in your configuration(.json).
+#
+# Of course, if something goes wrong *because* the transaction is a duplicate you will
+# NEVER know unless you start digging in your log files. So be careful with this.
+#
+IGNORE_DUPLICATE_ERRORS=false
+
+#
+# Is the /autoimport even endpoint enabled?
+# By default it's disabled, and the secret alone will not enable it.
+#
+CAN_POST_AUTOIMPORT=false
+
+#
+# Is the /autoupload endpoint enabled?
+# By default it's disabled, and the secret alone will not enable it.
+#
+CAN_POST_FILES=false
+
+#
+# Import directory white list. You need to set this before the auto importer will accept a directory to import from.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+IMPORT_DIR_ALLOWLIST=
+
+#
+# When you're running Firefly III under a (self-signed) certificate,
+# the data importer may have trouble verifying the TLS connection.
+#
+# You have a few options to make sure the data importer can connect
+# to Firefly III:
+# - 'true': will verify all certificates. The most secure option and the default.
+# - 'file.pem': refer to a file (you must provide it) to your custom root or intermediate certificates.
+# - 'false': will verify NO certificates. Not very secure.
+VERIFY_TLS_SECURITY=true
+
+#
+# If you want, you can set a directory here where the data importer will look for import configurations.
+# This is a separate setting from the /import directory that the auto-import uses.
+# Setting this variable isn't necessary. The default value is "storage/configurations".
+#
+# This variable can be set from a file if you append it with _FILE
+#
+JSON_CONFIGURATION_DIR=
+
+#
+# Time out when connecting with Firefly III.
+# π*10 seconds is usually fine.
+#
+CONNECTION_TIMEOUT=31.41
+
+# The following variables can be useful when debugging the application
+APP_ENV=local
+APP_DEBUG=false
+LOG_CHANNEL=stack
+
+# Log level. You can set this from least severe to most severe:
+# debug, info, notice, warning, error, critical, alert, emergency
+# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
+# nothing will get logged, ever.
+LOG_LEVEL=debug
+
+# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
+# Set it to ** and reverse proxies work just fine.
+TRUSTED_PROXIES=
+
+#
+# Time zone
+#
+TZ=Europe/Amsterdam
+
+#
+# Use ASSET_URL when you're running the data importer in a sub-directory.
+#
+ASSET_URL=
+
+#
+# Email settings.
+# The data importer can send you a message with all errors, warnings and messages
+# after a successful import. This is disabled by default
+#
+ENABLE_MAIL_REPORT=false
+
+#
+# Force Firefly III URL to be secure?
+#
+#
+EXPECT_SECURE_URL=true
+
+APP_NAME=DataImporter

hosts/pie/configuration.nix

@@ -1,6 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
 {
   config,
   pkgs,
@@ -22,12 +19,24 @@ in {
   boot.loader.generic-extlinux-compatible.enable = false;
 
   boot.supportedFilesystems = [ "zfs" ];
-  networking.hostId = "34234773";
-
   boot.kernelPackages = pkgs.linuxPackages_6_1;
 
+  boot.kernelParams = [
+    "boot.shell_on_fail=1"
+    "ip=192.168.178.2::192.168.178.1:255.255.255.0:pie.b12f.io::auto6"
+  ];
+
+  boot.initrd.network.enable = true;
+  boot.initrd.network.ssh = {
+    enable = true;
+    port = 22;
+    authorizedKeys = psCfg.user.publicKeys;
+    hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
+  };
+
   pub-solar.core.disk-encryption-active = false;
 
+  networking.hostId = "34234773";
   networking.hostName = "pie";
   networking.defaultGateway = {
     address = "192.168.178.1";
@@ -41,6 +50,13 @@ in {
     }
   ];
 
+  networking.interfaces.enabcm6e4ei0.ipv6.addresses = [
+    {
+      address = "fe80::dea6:32ff:fe5c:3164";
+      prefixLength = 64;
+    }
+  ];
+
   security.sudo.extraRules = [
     {
       users = ["${psCfg.user.name}"];

hosts/pie/ddclient.nix

@@ -0,0 +1,44 @@
+{
+  flake,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+
+  getIP4 = with pkgs; writeShellScriptBin "getIP" ''
+    ${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
+  '';
+  getIP6 = with pkgs; writeShellScriptBin "getIP" ''
+    ${curl}/bin/curl -6 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
+  '';
+in {
+  imports = [
+    flake.self.nixosModules.ddclient
+  ];
+
+  services.ddclient = {
+    enable = true;
+    protocol = "dyndns1";
+    domains = [
+      "pie.b12f.io"
+      "droppie.b12f.io"
+    ];
+    server = "ddns.hosting.de";
+    username = "b12f";
+    usev4 = "cmdv4, cmdv4=${getIP4}/bin/getIP";
+    usev6 = "cmdv6, cmdv6=${getIP6}/bin/getIP";
+    verbose = true;
+    passwordFile = "/run/agenix/dyndns.key";
+    interval = "1min";
+  };
+
+  age.secrets."dyndns.key" = {
+    file = "${flake.self}/secrets/dyndns.key";
+    mode = "400";
+    owner = "root";
+  };
+}

hosts/pie/default.nix

@@ -6,5 +6,7 @@
     ./unbound.nix
     ./dhcpd.nix
     ./wake-droppie.nix
+    ./ddclient.nix
+    # ./firefly.nix
   ];
 }

hosts/pie/dhcpd.nix

@@ -4,6 +4,7 @@
 
   services.kea.dhcp4 = {
     enable = true;
+
     settings = {
       interfaces-config = {
         dhcp-socket-type = "raw";
@@ -76,6 +77,44 @@
         persist = true;
         type = "memfile";
       };
+
+      subnet6 = [
+        {
+          subnet = "2a02:908:500:b::/64";
+
+          pools = [
+            { pool = "2a02:908:500:b::/64"; }
+          ];
+
+          option-data = [
+            {
+               name = "dns-servers";
+               code = 23;
+               space = "dhcp6";
+               csv-format = true;
+               data = "2a02:908:500:b:3077:4e39:7763:b5b7";
+            }
+          ];
+
+          reservations = [
+            {
+              hostname = "droppie.local";
+              hw-address = "08:f1:ea:97:0f:0c";
+              ip-addresses = [
+                "2a02:908:500:b:3077:4e39:7763:b5b8"
+              ];
+            }
+            {
+              hostname = "pie.local";
+              hw-address = "dc:a6:32:5c:31:64";
+              ip-addresses = [
+                "2a02:908:500:b:3077:4e39:7763:b5b7"
+              ];
+            }
+          ];
+        }
+      ];
+
       rebind-timer = 2000;
       renew-timer = 1000;
     };

hosts/pie/firefly.nix

@@ -0,0 +1,99 @@
+{
+  flake,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  age.secrets."firefly-secrets.env" = {
+    file = "${flake.self}/secrets/firefly-secrets.env";
+    mode = "600";
+  };
+
+  age.secrets."firefly-db-secrets.env" = {
+    file = "${flake.self}/secrets/firefly-db-secrets.env";
+    mode = "600";
+  };
+
+  age.secrets."firefly-importer-secrets.env" = {
+    file = "${flake.self}/secrets/firefly-importer-secrets.env";
+    mode = "600";
+  };
+
+  services.caddy = {
+    enable = true;
+    extraConfig = ''
+    firefly.b12f.io {
+      reverse_proxy localhost:8080
+    }
+    firefly-importer.b12f.io {
+      reverse_proxy localhost:8081
+    }
+    '';
+  };
+
+  systemd.services."docker-network-firefly" = let
+    docker = config.virtualisation.oci-containers.backend;
+    dockerBin = "${pkgs.${docker}}/bin/${docker}";
+  in {
+    serviceConfig.Type = "oneshot";
+    before = ["docker-firefly.service"];
+    script = ''
+      ${dockerBin} network inspect firefly >/dev/null 2>&1 || ${dockerBin} network create firefly --subnet 172.20.0.0/24
+    '';
+  };
+
+  virtualisation = {
+    oci-containers = {
+      backend = "docker";
+
+      containers."firefly" = {
+        image = "fireflyiii/core:latest";
+        autoStart = true;
+        volumes = [
+          "/var/lib/firefly/upload:/var/www/html/storage/upload"
+        ];
+        extraOptions = [ "--network=firefly" ];
+        environmentFiles = [
+          ./.env.firefly
+          config.age.secrets."firefly-secrets.env".path
+        ];
+        ports = [ "8080:8080" ];
+        dependsOn = [ "firefly-db" ];
+      };
+
+      containers."firefly-db" = {
+        image = "postgres:16";
+        autoStart = true;
+        volumes = [
+          "/var/lib/firefly/db:/var/lib/postgresql/data"
+        ];
+        extraOptions = [ "--network=firefly" ];
+        environmentFiles = [
+          config.age.secrets."firefly-db-secrets.env".path
+        ];
+      };
+
+      containers."firefly-importer" = {
+        image = "fireflyiii/data-importer:latest";
+        autoStart = true;
+        volumes = [
+          "/var/lib/firefly/db:/var/lib/postgresql/data"
+        ];
+        extraOptions = [ "--network=firefly" ];
+        ports = [ "8081:8080" ];
+        environmentFiles = [
+          config.age.secrets."firefly-importer-secrets.env".path
+        ];
+        dependsOn = [ "firefly" ];
+      };
+
+      # containers."cron" = {
+      #   image = "alpine";
+      #   autoStart = true;
+      #   command = ''sh -c "echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/REPLACEME\" | crontab - && crond -f -L /dev/stdout"'';
+      #   extraOptions = [ "--network=firefly" ];
+      # };
+    };
+  };
+}

hosts/pie/hardware-configuration.nix

@@ -12,21 +12,30 @@
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
+  boot.supportedFilesystems = [ "zfs" ];
 
-  fileSystems."/" = {
-    device = "zroot/root";
+  boot.initrd.luks.devices = {
+    cryptroot = {
+      device = "/dev/disk/by-uuid/742f819f-98e5-457d-b21e-30443455fde3";
+      bypassWorkqueues = true; # optimization for ssds
+    };
+  };
+
+  fileSystems."/" =
+    { device = "zroot/root";
       fsType = "zfs";
     };
 
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/DA7C-BE8B";
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/0D5D-B809";
       fsType = "vfat";
     };
 
-  swapDevices = [
-    { device = "/dev/disk/by-uuid/8ce4ae9c-2db0-41b0-8468-91bb184707d1"; }
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/af71e930-42ce-4174-a098-4ea5753b1ea9"; }
     ];
 
+
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction

hosts/pie/unbound.nix

@@ -17,9 +17,24 @@
           "\"box\" static"
         ];
         local-data = [
+          "\"droppie.local. 10800 IN A 192.168.178.3\""
+          "\"droppie.local. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
+          "\"droppie.b12f.io. 10800 IN A 192.168.178.3\""
+          "\"droppie.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
           "\"backup.b12f.io. 10800 IN A 192.168.178.3\""
+          "\"backup.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
+
           "\"pie.local. 10800 IN A 192.168.178.2\""
+          "\"pie.local. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
+          "\"pie.b12f.io. 10800 IN A 192.168.178.2\""
+          "\"pie.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
+          "\"firefly.b12f.io. 10800 IN A 192.168.178.2\""
+          "\"firefly.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
+          "\"paperless.b12f.io. 10800 IN A 192.168.178.2\""
+          "\"paperless.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
+
           "\"fritz.box. 10800 IN A 192.168.178.1\""
+          "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
         ];
       };
       forward-zone = [

modules/core/packages.nix

@@ -20,6 +20,6 @@ in {
     findutils
     exfat
 
-    gitFull
+    gitMinimal
   ];
 }

modules/ddclient/default.nix

@@ -0,0 +1,245 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.ddclient;
+  boolToStr = bool: if bool then "yes" else "no";
+  dataDir = "/var/lib/ddclient";
+  StateDirectory = builtins.baseNameOf dataDir;
+  RuntimeDirectory = StateDirectory;
+
+  usev4 = if cfg.usev4 != "" then "usev4=${cfg.usev4}" else "";
+  usev6 = if cfg.usev6 != "" then "usev6=${cfg.usev6}" else "";
+
+  configFile' = pkgs.writeText "ddclient.conf" ''
+    # This file can be used as a template for configFile or is automatically generated by Nix options.
+    use=no
+    ${usev4}
+    ${usev6}
+    cache=${dataDir}/ddclient.cache
+    foreground=yes
+    login=${cfg.username}
+    password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"}
+    protocol=${cfg.protocol}
+    ${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
+    ${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
+    ${lib.optionalString (cfg.zone != "")   "zone=${cfg.zone}"}
+    ssl=${boolToStr cfg.ssl}
+    wildcard=yes
+    quiet=${boolToStr cfg.quiet}
+    verbose=${boolToStr cfg.verbose}
+    ${cfg.extraConfig}
+    ${lib.concatStringsSep "," cfg.domains}
+  '';
+  configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
+
+  preStart = ''
+    install --mode=600 --owner=$USER ${configFile} /run/${RuntimeDirectory}/ddclient.conf
+    ${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
+      install --mode=600 --owner=$USER ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
+    '' else if (cfg.passwordFile != null) then ''
+      "${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
+    '' else ''
+      sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
+    '')}
+  '';
+in with lib; {
+  disabledModules = [
+    "services/networking/ddclient.nix"
+  ];
+
+  imports = [
+    (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ]
+      (config:
+        let value = getAttrFromPath [ "services" "ddclient" "domain" ] config;
+        in if value != "" then [ value ] else []))
+    (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "")
+    (mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.")
+  ];
+
+  ###### interface
+
+  options = {
+    services.ddclient = with lib.types; {
+      enable = mkOption {
+        default = false;
+        type = bool;
+        description = lib.mdDoc ''
+          Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org).
+        '';
+      };
+
+      package = mkOption {
+        type = package;
+        default = pkgs.ddclient;
+        defaultText = lib.literalExpression "pkgs.ddclient";
+        description = lib.mdDoc ''
+          The ddclient executable package run by the service.
+        '';
+      };
+
+      domains = mkOption {
+        default = [ "" ];
+        type = listOf str;
+        description = lib.mdDoc ''
+          Domain name(s) to synchronize.
+        '';
+      };
+
+      username = mkOption {
+        # For `nsupdate` username contains the path to the nsupdate executable
+        default = lib.optionalString (config.services.ddclient.protocol == "nsupdate") "${pkgs.bind.dnsutils}/bin/nsupdate";
+        defaultText = "";
+        type = str;
+        description = lib.mdDoc ''
+          User name.
+        '';
+      };
+
+      passwordFile = mkOption {
+        default = null;
+        type = nullOr str;
+        description = lib.mdDoc ''
+          A file containing the password or a TSIG key in named format when using the nsupdate protocol.
+        '';
+      };
+
+      interval = mkOption {
+        default = "10min";
+        type = str;
+        description = lib.mdDoc ''
+          The interval at which to run the check and update.
+          See {command}`man 7 systemd.time` for the format.
+        '';
+      };
+
+      configFile = mkOption {
+        default = null;
+        type = nullOr path;
+        description = lib.mdDoc ''
+          Path to configuration file.
+          When set this overrides the generated configuration from module options.
+        '';
+        example = "/root/nixos/secrets/ddclient.conf";
+      };
+
+      protocol = mkOption {
+        default = "dyndns2";
+        type = str;
+        description = lib.mdDoc ''
+          Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols).
+        '';
+      };
+
+      server = mkOption {
+        default = "";
+        type = str;
+        description = lib.mdDoc ''
+          Server address.
+        '';
+      };
+
+      ssl = mkOption {
+        default = true;
+        type = bool;
+        description = lib.mdDoc ''
+          Whether to use SSL/TLS to connect to dynamic DNS provider.
+        '';
+      };
+
+      quiet = mkOption {
+        default = false;
+        type = bool;
+        description = lib.mdDoc ''
+          Print no messages for unnecessary updates.
+        '';
+      };
+
+      script = mkOption {
+        default = "";
+        type = str;
+        description = lib.mdDoc ''
+          script as required by some providers.
+        '';
+      };
+
+      usev4 = mkOption {
+        default = "webv4, webv4=checkip.dyndns.com/, webv4-skip='Current IP Address: '";
+        type = str;
+        description = lib.mdDoc ''
+          Method to determine the IP address to send to the dynamic DNS provider.
+        '';
+      };
+
+      usev6 = mkOption {
+        default = "";
+        type = str;
+        description = lib.mdDoc ''
+          Method to determine the IP address to send to the dynamic DNS provider.
+        '';
+      };
+
+      verbose = mkOption {
+        default = false;
+        type = bool;
+        description = lib.mdDoc ''
+          Print verbose information.
+        '';
+      };
+
+      zone = mkOption {
+        default = "";
+        type = str;
+        description = lib.mdDoc ''
+          zone as required by some providers.
+        '';
+      };
+
+      extraConfig = mkOption {
+        default = "";
+        type = lines;
+        description = lib.mdDoc ''
+          Extra configuration. Contents will be added verbatim to the configuration file.
+
+          ::: {.note}
+          `daemon` should not be added here because it does not work great with the systemd-timer approach the service uses.
+          :::
+        '';
+      };
+    };
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.ddclient.enable {
+    systemd.services.ddclient = {
+      description = "Dynamic DNS Client";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      restartTriggers = optional (cfg.configFile != null) cfg.configFile;
+
+      serviceConfig = {
+        DynamicUser = true;
+        RuntimeDirectoryMode = "0700";
+        inherit RuntimeDirectory;
+        inherit StateDirectory;
+        Type = "oneshot";
+        ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}";
+        ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
+      };
+    };
+
+    systemd.timers.ddclient = {
+      description = "Run ddclient";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = cfg.interval;
+        OnUnitInactiveSec = cfg.interval;
+      };
+    };
+  };
+}

modules/default.nix

@@ -10,6 +10,7 @@
       bluetooth = import ./bluetooth;
       core = import ./core;
       crypto = import ./crypto;
+      ddclient = import ./ddclient;
       desktop-extended = import ./desktop-extended;
       docker = import ./docker;
       email = import ./email;

modules/desktop-extended/default.nix

@@ -12,9 +12,9 @@ in {
 
   users.users."${psCfg.user.name}".packages = with pkgs; [
     ungoogled-chromium
-    gimp
     wine
 
+    gimp
     present-md
     inkscape
     gpxsee

modules/graphical/sway/config/config.nix

@@ -19,7 +19,7 @@
   set $up i
   set $right l
   # Your preferred terminal emulator
-  set $term ${pkgs.alacritty}
+  set $term ${pkgs.alacritty}/bin/alacritty
   # Your preferred application launcher
   # Note: pass the final command to swaymsg so that the resulting window can be opened
   # on the original workspace that the command was run on.

overlays/default.nix

@@ -32,12 +32,6 @@
           (import ./neovim-plugins.nix)
           (import ./signal-desktop.nix)
         ];
-
-        nix.nixPath = [
-          "nixpkgs=${inputs.nixpkgs}"
-          "nixos-config=${../lib/compat/nixos}"
-          "home-manager=${inputs.home-manager}"
-        ];
       });
     };
   };

overlays/overrides.nix

@@ -1,41 +0,0 @@
-channels: final: prev: {
-  __dontExport = true; # overrides clutter up actual creations
-
-  inherit
-    (channels.latest)
-
-    nixd
-    ;
-
-  inherit
-    (channels.fix-yubikey-agent)
-
-    yubikey-agent
-    ;
-
-  inherit
-    (channels.master)
-
-    factorio-headless
-    paperless-ngx
-    waybar
-    element-desktop
-    signal-desktop
-    ;
-
-  haskellPackages =
-    prev.haskellPackages.override
-    (old: {
-      overrides = prev.lib.composeExtensions (old.overrides or (_: _: {})) (hfinal: hprev: let
-        version = prev.lib.replaceChars ["."] [""] prev.ghc.version;
-      in {
-        # same for haskell packages, matching ghc versions
-        inherit
-          (channels.latest.haskell.packages."ghc${version}")
-          haskell-language-server
-          ;
-      });
-    });
-
-  vimPlugins = prev.vimPlugins // {inherit (channels.latest.vimPlugins) nvim-lspconfig;};
-}

secrets/dyndns-droppie.key

@@ -1,27 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa kFDS0A
-lbrJzpCXpf3BJYL80d2vD/b4raoPnUKV0D9Ka9yKb72W3ATfA/Cqq7vpisHRnwyj
-3pt1TfrPzti/8ZKDqY/Zw171jQbOF6zW45z4m8yJu4J1LYXh8yYrTR3YPwhPoGYm
-eZJWWj2YghqCFC7vdL/wZFjkStxwBGgrJfNOxJBcXOpUX2TOzfdNAgJ/pEkvdd/L
-jktiU5ITt7KXruwSEXRzHVfmntl4SaqDqYfeb0Y0q2a1oMpxTnBKcYXj6dYcZIHv
-Lm8HX0JsIiThz/DXB4sP2O5GlGeYyibj2iMSCsCqadwDpUndVtJnzFgjSQD5A0gd
-enNTYly3GSmC9TWt/r2VHHyneAnJ3HQKB5hUEqxPz9peemnvfTA89SIGHddmkXfY
-XSeN5WJnSG0+WAOwrpJjzl9CgUg9xJS7dDqVob3CwL9oVEQP8FcuuyqCg72ppd4J
-fdseq5/R+HuVnh6sEUHoaHEDidHtTrpE2Rd49Tesj/BT+YrJyQ/kQqHmy9RiLU2f
-DSRwLO4/qHF6W8UfuF2N08aMxRpxqXPWTjI/vHxoSJRcSqaofF42x50OQU8lY96c
-8bPlDPB7HOBg+7bVvOQCaR3+KRuOx+HYpeMwEokQTwCke+frPfXorilNbAcaFUp4
-QiU1sUZia/FOZ+j47+6pkfC2DfLpiNL2TLWYcNtIzUc
--> ssh-ed25519 7Wns0A aKiZ8iw+Ub5rByBef0apOn6lG5Bv6tzFCiBu3DN6sSg
-58+9kySg3ajO7E5V87b/qRu9axpu2hQUuY/cVTt2YdI
--> ssh-rsa wVtlwQ
-RbrfuwS5zQzL9yMWFDSnWj9cQFLirTH37Xf79Dis2CJIDd83vmlmGNY5x1aPpZoZ
-J6XDhibGTJc02DYuNVIE1IXm0x9tc6Z9PTT+WiAFt1JuKHguXTWLRMM9HmyvWWDg
-bFsRDAcYup+SK5d+ME+XooDGueC822rAjkGIRHNSCimGwuLpDRKqyyVfYA+dcfiP
-EoYH7x4S09jYRr1C5EkbraLbm1vijc5ikJw3b42KKbyo3wDwKga+Vk2nl2AtgjZp
-KipZlyjs+IjMRXX5IBpgoRtXcvHuidsOSc+guRo0ihF9MbzRc/Tt2g0V7t3KjeT0
-SJDLmHOos2RKTmx06aidDg
--> Dz(k-grease ~FF p m)E{J3E
-7Igp3pclCAzAmeky5cPqlIzcITT+0jvieQe7ruSxRYRYqpYU7tMQFmHuNUahp+BP
-MzOYiM+PIQmn
---- IC9SI76EjaFZxQ5odEeIv49n/O8uOdpM6LE1Z7dtHg4
-l%Àu¯¯ÃE„\ÎüÔ?2\&ÚwG&@¡­W£~9"úŠ^ÊƆý¼Á<>oån^šë<C5A1>㻳xšèOI‡¢uOíò‡21c*ãm¸%ô)ý#”جeõIÙ6îA/i

secrets/dyndns.key

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 8bHz7g GloMoc3qIJq8coOIqGLIWtAwSZMu/tJdLDLt155o+RA
+XKt0Hw50VXh3YYYbKEqpVAAo4aj6X+24mX8saH6nu1w
+-> ssh-rsa kFDS0A
+dG8ZmFNRKsg0sihla32+amA5mlD/tzPgauOtsH64wAvQjPz+aBr7xL8l5usR+nMV
+BldXVlaYfipevHmWGE48vvNheAbBLNZ/0iIfJpV8EDdcUZd7v8Ijgp5f4zns2nRS
+CGHQRGtcxD1OtPl0Rg5/zF/0vBnmsIUyig/NHmrRaWF08WZBZhMgIcnoRXpUlcnj
+AlrW9ElfSTKRsOT2F4AbVcKBrbagSjzJ9ZrIJ/D4gxW8bE6pYkHd5sflXbL4TsRY
+4G3kBKC41Co5Z6byv4gaT+y0AfX7/Q6f1lvaqOOAbBzt18TaEZYDoe270L53Wfzy
+VPlnM41vo+EsGsKhzTaWLTmBaawSWRhxZScHygZhu+SgIFLEDpU2kOY8XlKp6yuv
+82jyEW+ts9069hGvmzrt5yr+HLMzlhEOPfGYqrDgbmuJsq0E4PQPkQOLeGROxaUs
+zceCwfg4HUFDRHVa8KBy1HjovjkLzl/auvJaUUre5RTGLp7QWYX5rqiME7AndgfV
+joxVMJY0tkrvollNI3xXmfU2xeuK4Jm7Jw54lJ13KaYk1QqC1sMNCo7cuEUIw8Ic
+N3aAU6KRX1ltZ3IIo+vJYVQO34UWNa9Xf6uGFTzX9HzpUYEkHbv90Gx4ck+2sYvi
+3dBfz1koiFyTfOT094zqDuecH0MsmWExtefBDvU7gcU
+-> |0I<)A4-grease
+g/FEYilOi+UwM+E98Rvpav2jqeLUlVeDAo4PVWHNhjIbas8iJV6eKwwJMNfuEJ5D
+wdh+HTDijoUzaYTPgYqcKg
+--- N46xNnGnaWTUqGo6Q7R0VNqgPpUEu0D2VDgOnPZhgiw
+zÁæ¤p¸ŠÕÕaf&èù€H~pÊÊrn·OŸk„÷øàü͵CÉÝ`ÿÞlùæºe¸ÎÆÓ‘ۨǾ"†Æ¦˜æî……&L41š‡ã)‹y%†Åü:;35ÎÀ‘樋ܛ

secrets/firefly-db-secrets.env

@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 8bHz7g vV/SfIESf7TVyAJLgMTm0Tbkd4jLRpcNH/L3ZAIgqyY
+KIm/ih9nmdCVkh/c6ol5DwJARivS5s3v6LXXIOuIh9c
+-> ssh-rsa kFDS0A
+IYso7nT1ccztAARLNc5UsbTM1OE6fYuCrPyWnv4b0FFyYGeiP94baH2zPUKbnCVB
+t2VdtU/B+ywqfdD92LnA0t9huzlSVLIA/If6lg4xZ8dZH3rTJ/lhlCmHhMOXNcJ9
+ytLCz1DSatQfmfPQ2NqBthh68IR/vMStop78l/9p2WWY7v6INIhq5lqNgBHsbRxH
+P+qQcLKFCNEMib/8h/3aNghfRFe/JL+3/B3M+e1+Ee+ASv1EuheJLbZCEhdUo1Z7
+/nJOCH418bbUWRrRx8fwgmqTS+0ViD1jFWdNgf5akD9HU3WMEAStTS0NDi0yWSxC
+5ZsAzrYSplZeXZ+U3G/sNqMsDqHzffWr9OW5o3h1R7/F5P9VBwq2yN1kGaliSK3f
+ePbD4QG/qVMsHCXKUfL8BbytljP8BtLdpsp72ZDwtnujw/NuB8SS1jiWzYmZEeoy
+1zRBY21KbE4Vrm7vqSPPEnlvEsIyTUfeZrk5JDTqb/TbvFsunXc6g6m6QbOdcExE
+SjRPBG0OzYgSNxIt6eM3lnXlp/1UGIZIuu0SaDbmMpZ+KevFg9qQhLRvcwRHi80W
+elOxVY7jU2u5AFF5hdD3J4ANijOz/JFDcPYD0RBrjyrbWXFuL6HvBdUmOo7HZpZb
+cQeQKBfQX+czuVEwdH5zRipxo65/Tt8nN2vCI0Nyx7o
+-> JWdGKAh8-grease >
+RgQ2hCi5bBfRsqGIvrwmrWE
+--- e4oH/zzH6rnwTpoQI5T+etz/BlQD9Kry7lYsAw8BK14
+¬¸¹êŒÀb†ÄsžŽ^®¢*"ûò—¨ýM°càä¾"Ê*GsXq¦‘UhôU<C3B4>…øŽsEi<45>Û/ˆ3I÷6^ämp¬Y9
+s^y<>XX~ØQ!ˆ«w¾eÄŒp×reiÔ‘E| Úʱýçÿ¢Õe3$­§Äÿl™ï<>Çåèì
+<EFBFBD>¯ì%×øýCŠ—›ê¡žÃ{3EÂV+4ú<34>AùÒ

secrets/secrets.nix

@@ -11,7 +11,7 @@ let
   droppie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDuXuPPDXTyJgy4JRwbKcPbawvVB1Il2neyRWb4O5sJ root@nixos";
   droppie-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnYTlTmHCl6LOkexqRR9LqjOoFgt9TQ4VzHQGRHJMzF/AGcDRoqC+pBLFSTzRb5/ikAOsb32XHyKVg4nNdJeQshO11QtDmkCB02D/XcIXxnNQ5A8CztT2az5xJtbbWSdamMnHBLcqLiwoLmXbERpdlt8jNqMHrz+bjCUGYVAFSfc/WdIs6EATJ1eF0VFxv7nUh4qhgStABSwhNsnoYOC/DOBSA9aBP1f5Fz9QHUioPTGi2hRwbTbtFUvTrymPpWVFRApa1zvGXcr4YUCm7ia1ZlZKzRpsPkwLxb8Omm4bGmR0cAVwVhVRySnhpCTwbIBLyw+H8PvKWBBba1NAKyMij root@droppie";
 
-  nougat-2-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINELr5Bvr15GqCHevg9QP8oYFgmaRUUHcPFf4MZho9gI root@nougat-2";
+  pie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcTORdlVno0B9R6Yh9qmlOZKA/ZQ8RBzXK7/1rBbE02 root@pie.local";
 
   baseKeys = [
     bbcom
@@ -32,8 +32,8 @@ let
     droppie-user
   ];
 
-  nougat-2Keys = [
-    nougat-2-host
+  pieKeys = [
+    pie-host
   ];
 in {
   "keyfile-biolimo.bin".publicKeys = biolimoKeys ++ baseKeys;
@@ -45,7 +45,7 @@ in {
   "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
   "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
 
-  "dyndns-droppie.key".publicKeys = droppieKeys ++ baseKeys;
+  "dyndns.key".publicKeys = pieKeys ++ baseKeys;
 
   "droppie-ssh-root.key".publicKeys = droppieKeys ++ baseKeys;
 
@@ -57,15 +57,11 @@ in {
 
   "cat-test.ovpn".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
 
-  "hosting.de-api.key".publicKeys = nougat-2Keys ++ baseKeys;
+  "hosting.de-api.key".publicKeys = baseKeys;
 
-  "concourse-secrets.age".publicKeys = nougat-2Keys ++ baseKeys;
-  "concourse-db-secrets.age".publicKeys = nougat-2Keys ++ baseKeys;
-  "concourse-worker-key.age".publicKeys = nougat-2Keys ++ baseKeys;
-  "concourse-tsa-host-key.age".publicKeys = nougat-2Keys ++ baseKeys;
-  "concourse-session-signing-key.age".publicKeys = nougat-2Keys ++ baseKeys;
+  "firefly-secrets.env".publicKeys = pieKeys ++ baseKeys;
 
-  "keycloak-database-password.age".publicKeys = nougat-2Keys ++ baseKeys;
+  "firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
 
-  "gitea-database-password.age".publicKeys = nougat-2Keys ++ baseKeys;
+  "firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys;
 }

users/b12f/default.nix

@@ -34,7 +34,6 @@ in {
           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== b12f@biolimo"
           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= b12f@chocolatebar"
-
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
         ];

users/b12f/session-variables.nix

@@ -14,7 +14,7 @@ in {
       inherit DRONE_RPC_PROTO;
       DRONE_SERVER = DRONE_RPC_PROTO + "://" + DRONE_RPC_HOST;
 
-      RESTIC_REPOSITORY = "sftp:root@backup.b12f.io:/media/internal/backups";
+      RESTIC_REPOSITORY = "sftp:root@droppie.b12f.io:/media/internal/backups";
       RESTIC_PASSWORD_COMMAND = "secret-tool lookup restic repository-password";
     };
   };