Merge pull request 'modules/forgejo: allow migrations from local networks' (#262) from forgejo/allow-local-migrations into main

Reviewed-on: #262
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>

.editorconfig

@@ -20,41 +20,8 @@ indent_style = unset
 indent_size = unset
 
 [{.*,secrets}/**]
-end_of_line = unset
-insert_final_newline = unset
-trim_trailing_whitespace = unset
-charset = unset
-indent_style = unset
-indent_size = unset
-
-[*.rom]
-end_of_line = unset
-insert_final_newline = unset
-trim_trailing_whitespace = unset
-charset = unset
-indent_style = unset
-indent_size = unset
-
-[*.py]
-indent_size = 4
-
-[*.md]
-max_line_length = off
-trim_trailing_whitespace = false
-
-# Ignore diffs/patches
-[*.{diff,patch}]
-end_of_line = unset
-insert_final_newline = unset
-trim_trailing_whitespace = unset
-indent_size = unset
-charset = unset
-indent_style = unset
-indent_size = unset
-
-[{.*,secrets}/**]
-end_of_line = unset
-insert_final_newline = unset
+end_of_line = false
+insert_final_newline = false
 trim_trailing_whitespace = unset
 charset = unset
 indent_style = unset

.forgejo/workflows/check.yml

@@ -10,7 +10,7 @@ jobs:
 
       - name: Check formatting
         run: |
-          nix --accept-flake-config --access-tokens '' develop --command treefmt --fail-on-change
+          nix --accept-flake-config --access-tokens '' develop --command treefmt --ci
 
       - name: Run flake checks
         run: |
@@ -18,14 +18,20 @@ jobs:
           # Prevent cache garbage collection by creating GC roots
           mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results
 
-          for target in $(nix flake show --json --all-systems | jq '
+          for target in $(nix flake show --json --all-systems | jq --raw-output '
             .["nixosConfigurations"] |
             to_entries[] |
-            .key
-            ' | tr -d '"'
+            .key'
           ); do
             nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
               build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$target" ".#nixosConfigurations.${target}.config.system.build.toplevel"
           done
 
-          nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check
+          for check in $(nix flake show --json --all-systems | jq --raw-output '
+            .checks."x86_64-linux" |
+            to_entries[] |
+            .key'
+          ); do
+            nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
+              build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$check" ".#checks.x86_64-linux.${check}"
+          done

docs/administrative-access.md

@@ -63,12 +63,6 @@ Example NixOS snippet for WireGuard client config
             #endpoint = "138.201.80.102:51820";
             persistentKeepalive = 15;
           }
-          { # flora-6.pub.solar
-            publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
-            allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
-            endpoint = "80.71.153.210:51820";
-            persistentKeepalive = 15;
-          }
           { # metronom.pub.solar
             publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
             allowedIPs = [ "10.7.6.3/32" "fd00:fae:fae:fae:fae:3::/96" ];
@@ -85,6 +79,39 @@ Example NixOS snippet for WireGuard client config
             #endpoint = "80.244.242.5:51820";
             persistentKeepalive = 15;
           }
+          {
+            # trinkgenossin.pub.solar
+            publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
+            allowedIPs = [
+              "10.7.6.5/32"
+              "fd00:fae:fae:fae:fae:5::/96"
+            ];
+            #endpoint = "85.215.152.22:51820";
+            endpoint = "[2a01:239:35d:f500::1]:51820";
+            persistentKeepalive = 15;
+          }
+          {
+            # delite.pub.solar
+            publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
+            allowedIPs = [
+              "10.7.6.6/32"
+              "fd00:fae:fae:fae:fae:6::/96"
+            ];
+            #endpoint = "5.255.119.132:51820";
+            endpoint = "[2a04:52c0:124:9d8c::2]:51820";
+            persistentKeepalive = 15;
+          }
+          {
+            # blue-shell.pub.solar
+            publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
+            allowedIPs = [
+              "10.7.6.7/32"
+              "fd00:fae:fae:fae:fae:7::/96"
+            ];
+            #endpoint = "194.13.83.205:51820";
+            endpoint = "[2a03:4000:43:24e::1]:51820";
+            persistentKeepalive = 15;
+          }
         ];
       };
     };

docs/backups.md

@@ -0,0 +1,36 @@
+# Backups
+
+We use [Restic](https://restic.readthedocs.io/en/stable/) to create backups and push them to two repositories.
+Check `./modules/backups.nix` and `./hosts/nachtigall/backups.nix` for working examples.
+
+### Hetzner Storagebox
+
+- Uses SFTP for transfer of backups
+
+Adding a new host SSH public key to the storagebox:
+
+First, [SSH to nachtigall](./administrative-access.md#ssh-access), then become root and add the new SSH public key
+
+```
+sudo -i
+echo '<ssh-public-key>' | ssh -p23 u377325@u377325.your-storagebox.de install-ssh-key
+```
+
+[Link to Hetzner storagebox docs](https://docs.hetzner.com/robot/storage-box/backup-space-ssh-keys).
+
+### Garage S3 buckets
+
+- Uses S3 for transfer of backups
+- One bucket per host, e.g. `nachtigall-backups`, `metronom-backups`
+
+To start transfering backups from a new hosts, this is how to create a new bucket:
+
+First, [SSH to trinkgenossin](./administrative-access.md#ssh-access), then use the `garage` CLI to create a new key and bucket:
+
+```
+export GARAGE_RPC_SECRET=<secret-in-keepass>
+
+garage bucket create <hostname>-backups
+garage key create <hostname>-backups-key
+garage bucket allow <hostname>-backups --read --write --key <hostname>-backups-key
+```

docs/cachix.md

@@ -0,0 +1,55 @@
+# Cachix usage
+
+URL: https://pub-solar.cachix.org
+
+Requirements:
+
+- [Install cachix](https://docs.cachix.org/installation)
+- Optional: To push to the cache, you need to set `CACHIX_AUTH_TOKEN` in your environment. To generate one for you, follow the [Getting Started](https://docs.cachix.org/getting-started#authenticating) docs and login with your GitHub account.
+- Add our binary cache [to your nix config](https://docs.cachix.org/faq#cachix-use-effects). To add the pub-solar cache, run:
+
+```
+cachix use pub-solar
+```
+
+Example to build and push a custom package of a host in this flake (e.g. after creating an overlay):
+
+```
+nix build --json -f . '.#nixosConfigurations.nachtigall.pkgs.keycloak^*' \
+  | jq -r '.[].outputs | to_entries[].value' \
+  | cachix push pub-solar
+```
+
+Example to build and push a package in the `nixpkgs` repo:
+
+```
+cd nixpkgs
+nix build --json -f . 'pkgs.lix^*' \
+  | jq -r '.[].outputs | to_entries[].value' \
+  | cachix push pub-solar
+```
+
+Checking if a package has been correctly pushed to the cache:
+
+```
+❯ nix build --json '/nix/store/f76xi83z4xk9sn6pbh38rh97yvqhb5m0-noto-fonts-color-emoji-png-2.042.drv^*' | jq -r '.[].outputs | to_entries[].value'  | cachix push pub-solar
+Pushing 1 paths (0 are already present) using zstd to cache pub-solar ⏳
+
+✓ /nix/store/xpgpi84765dxqja3gd5pldj49xx2v0xl-noto-fonts-color-emoji-png-2.042 (10.30 MiB)
+
+All done.
+
+❯ curl -I https://pub-solar.cachix.org/xpgpi84765dxqja3gd5pldj49xx2v0xl.narinfo
+HTTP/2 200
+date: Mon, 26 Aug 2024 09:31:10 GMT
+content-type: text/x-nix-narinfo
+traceparent: 00-b99db37cc9c2581b8d226cdf81e54507-794fc49193659c03-01
+tracestate:
+cache-control: public, max-age=14400
+last-modified: Mon, 26 Aug 2024 09:31:10 GMT
+cf-cache-status: EXPIRED
+report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A67KGsCIsYjoFdvndxJ0rkmb7BZ5ztIpm8WUJKAiUPRVWvbYeXU9gU27P7zryiUtArbwrLzHhhMija0yyXk0kwNa3suz8gNzKK6z1CX1FWDZiiP07rnq7zAg8nZbSBiEU%2FZrU9nSrR6mhuL9ihbmW1Hf"}],"group":"cf-nel","max_age":604800}
+nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
+server: cloudflare
+cf-ray: 8b92ceab0d19c80e-DUS
+```

docs/deletion-request.md

@@ -50,7 +50,7 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
 ### Matrix
 
 ```
-curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
+curl --header "Authorization: Bearer <admin-access-token>" --request POST http://127.0.0.1:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
 ```
 
 Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account

docs/deploying.md

@@ -13,12 +13,6 @@ For nachtigall.pub.solar:
 deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false --keep-result --result-path ./results
 ```
 
-For flora-6.pub.solar:
-
-```
-deploy --targets '.#flora-6' --magic-rollback false --auto-rollback false --keep-result --result-path ./results
-```
-
 For metronom.pub.solar (aarch64-linux):
 
 ```

docs/dns.md

@@ -1,18 +1,10 @@
 # Changing DNS entries
 
 Our current DNS provider is [namecheap](https://www.namecheap.com/).
-We use [Terraform](https://www.terraform.io) to declaratively manage our pub.solar DNS records.
+We use [OpenTofu](https://opentofu.org) to declaratively manage our pub.solar DNS records.
 
 ### Initial setup
 
-Skip this step if you already have a `triton` profile setup.
-
-```
-triton profile create
-```
-
-Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the details.
-
 You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
 look for "namecheap API key" in the pub.solar Keepass database.
 
@@ -28,13 +20,15 @@ You will probably also need to add your external IP to the [API allow list](http
 dig -4 ip @dns.toys
 ```
 
-Now, change into the terraform directory and initialize the terraform providers.
+Now, change into the terraform directory and initialize the terraform providers. To decrypt existing state,
+search for "terraform state passphrase" in the pub.solar Keepass database.
 
 ```
 cd terraform
-export TRITON_KEY_ID=$(cat ~/.config/triton/profiles.d/lev-1-pub_solar.json | jq --raw-output .keyId)
+export TF_VAR_state_passphrase=$(secret-tool lookup pub.solar terraform-state-passphrase-dns)
 
-terraform init
+alias tofu="terraform-backend-git --access-logs --tf tofu git terraform"
+tofu init
 ```
 
 Make your changes, e.g. in `dns.tf`.
@@ -46,20 +40,21 @@ $EDITOR dns.tf
 Plan your changes using:
 
 ```
-terraform plan -out pub-solar-infra.plan
+tofu plan -out pub-solar-infra.plan
 ```
 
 After verification, apply your changes with:
 
 ```
-terraform apply "pub-solar-infra.plan"
+tofu apply "pub-solar-infra.plan"
 ```
 
 ### Useful links
 
-We use the Manta remote backend to save the terraform state for collaboration.
+We use terraform-backend-git remote backend with opentofu state encryption for collaboration.
 
-- https://www.terraform.io/language/v1.2.x/settings/backends/manta
+- https://github.com/plumber-cd/terraform-backend-git
+- https://opentofu.org/docs/language/state/encryption
 
 Namecheap Terraform provider docs:
 

docs/drone-ci.md

@@ -1,19 +0,0 @@
-# Drone CI
-
-We currently use two CI systems, [drone CI](https://drone.io), reachable via
-https://ci.pub.solar and [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/),
-which UI is integrated into https://git.pub.solar, for example
-https://git.pub.solar/pub-solar/infra/actions.
-
-### Signing the `.drone.yml` file
-
-Login to https://ci.pub.solar by clicking on the user icon in the bottom left.
-After logging in, you can view your personal API token by clicking on the same
-icon. If you're using the nix [development-shell](./development-shell.md), the
-`drone` command will already be installed.
-
-```
-export DRONE_TOKEN=<your-drone-api-token>
-
-drone --token $DRONE_TOKEN sign --save pub-solar/os
-```

docs/garage.md

@@ -0,0 +1,84 @@
+# Garage
+
+### How-To create a new bucket + keys
+
+Requirements:
+
+- `garage` RPC credentials, in the shared keepass, search for 'garage rpc secret'.
+- [Setup WireGuard](./administrative-access.md#ssh-access) for hosts: `trinkgenossin`, optionally: `delite`, `blue-shell`
+
+```
+ssh barkeeper@trinkgenossin.wg.pub.solar
+```
+
+```
+# Add a few spaces to avoid leaking the secret to the shell history
+   export GARAGE_RPC_SECRET=<secret-in-keepass>
+```
+
+Now, you can run the following command to check the cluster status:
+
+```
+garage status
+```
+
+Command to list all existing buckets:
+
+```
+garage bucket list
+```
+
+Creating a new bucket and access keys:
+
+```
+garage bucket create <bucket-name>
+garage key create <bucket-name>-key
+garage bucket allow <bucket-name> --read --write --key <bucket-name>-key
+```
+
+Full example for `mastodon` bucket:
+
+```
+garage bucket create mastodon
+
+garage key create mastodon-key
+
+garage bucket allow mastodon --read --write --key mastodon-key
+```
+
+Then [setup your favourite S3 client](https://garagehq.deuxfleurs.fr/documentation/connect/cli/)
+or use the bucket with any [S3 compatible software](https://garagehq.deuxfleurs.fr/documentation/connect/).
+
+Further reading:
+
+- https://garagehq.deuxfleurs.fr/documentation/quick-start/
+- https://garagehq.deuxfleurs.fr/documentation/connect/
+- https://garagehq.deuxfleurs.fr/documentation/connect/apps/#mastodon
+
+### Notes on manual setup steps
+
+```
+ssh barkeeper@trinkgenossin.wg.pub.solar
+
+# Add a few spaces to avoid leaking the secret to the shell history
+    export GARAGE_RPC_SECRET=<secret-in-keepass>
+
+# Uses the default config /etc/garage.toml
+garage node id
+
+garage node connect <node-id2>
+garage node connect <node-id3>
+
+garage status
+
+#Zones
+#DE-1 DE-2 NL-1
+
+garage layout assign fdaa -z DE-1 -c 800G -t trinkgenossin
+garage layout assign 8835 -z DE-2 -c 800G -t blue-shell
+garage layout assign 73da -z NL-1 -c 800G -t delite
+garage layout show
+garage layout apply --version 1
+```
+
+Source: https://garagehq.deuxfleurs.fr/documentation/cookbook/real-world/#creating-a-cluster-layout

docs/mediawiki-updates.md

@@ -4,7 +4,7 @@ See the [mediawiki-oidc-docker repository](https://git.pub.solar/pub-solar/media
 for instructions on updating our customized mediawiki docker image.
 
 To deploy a new docker image to `nachtigall`, first bump the mediawiki version
-of the docker image tag in `hosts/nachtigall/apps/mediawiki.nix` (search for
+of the docker image tag in `modules/mediawiki/default.nix` (search for
 `image`).
 
 Next, push your changes to https://git.pub.solar and get them reviewed and
@@ -19,7 +19,7 @@ exit
 ```
 
 ```
-deploy --targets '.#nachtigall'
+deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false --keep-result --result-path ./results
 ```
 
 Then, finalize the update by running the database migration script (in a [SSH](./administrative-access.md#ssh-access) shell on `nachtigall`):

docs/nextcloud.md

@@ -0,0 +1,19 @@
+# Nextcloud debugging
+
+Set loglevel to `0` for debug logs:
+
+```nix
+services.nextcloud.settings.loglevel = 0;
+```
+
+Then, logs appear in the `phpfpm-nextcloud.service` logs:
+
+```bash
+sudo journalctl -fu phpfpm-nextcloud
+```
+
+Make sure to set the loglevel back to the default `2` warning after debugging:
+
+```nix
+services.nextcloud.settings.loglevel = 2;
+```

docs/nixos-anywhere.md

@@ -0,0 +1,13 @@
+```
+curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-noninteractive-x86_64-linux.tar.gz | tar -xzf- -C /root
+/root/kexec/run
+```
+
+```
+mkdir -p /etc/secrets/initrd
+ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key
+```
+
+```
+nix run github:nix-community/nixos-anywhere -- --flake .#blue-shell root@194.13.83.205
+```

docs/unlocking-zfs-pool.md

@@ -6,13 +6,13 @@ accessing the server via SSH as user `root` on port 2222.
 Nachtigall:
 
 ```
-ssh root@nachtigall.pub.solar -p2222
+ssh -4 root@nachtigall.pub.solar -p2222
 ```
 
 Metronom:
 
 ```
-ssh root@metronom.pub.solar -p2222
+ssh -4 root@metronom.pub.solar -p2222
 ```
 
 After connecting, paste the encryption passphrase you can find in the shared

flake.lock

@@ -14,11 +14,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1716561646,
-        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
         "type": "github"
       },
       "original": {
@@ -52,11 +52,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1715699772,
-        "narHash": "sha256-sKhqIgucN5sI/7UQgBwsonzR4fONjfMr9OcHK/vPits=",
+        "lastModified": 1727447169,
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "b3ea6f333f9057b77efd9091119ba67089399ced",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
         "type": "github"
       },
       "original": {
@@ -87,6 +87,26 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731274291,
+        "narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "element-stickers": {
       "inputs": {
         "maunium-stickerpicker": [
@@ -114,11 +134,11 @@
     "element-themes": {
       "flake": false,
       "locked": {
-        "lastModified": 1716915815,
-        "narHash": "sha256-5xOzatIJIzu/38TQAYWO8eFtYl0kaCBFJWrjLyyluU8=",
+        "lastModified": 1718859621,
+        "narHash": "sha256-ZOOm6UFGNSkGrdwbG5saLAYgAPYJ7E80ogA40CaW+E4=",
         "owner": "aaronraimist",
         "repo": "element-themes",
-        "rev": "6ed3a981191cbd59f03ea530f16e096b9a4c278c",
+        "rev": "3bc82abc3dd468dabc933f0f9d0b443ed97554a6",
         "type": "github"
       },
       "original": {
@@ -147,11 +167,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1668681692,
-        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -165,11 +185,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1717285511,
-        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
         "type": "github"
       },
       "original": {
@@ -214,18 +234,19 @@
         "type": "github"
       }
     },
-    "flake-utils_3": {
+    "fork": {
       "locked": {
-        "lastModified": 1653893745,
-        "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
+        "lastModified": 1729963002,
+        "narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
+        "owner": "teutat3s",
+        "repo": "nixpkgs",
+        "rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "teutat3s",
+        "ref": "init-matrix-authentication-service-module",
+        "repo": "nixpkgs",
         "type": "github"
       }
     },
@@ -236,16 +257,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1717476296,
-        "narHash": "sha256-ScHe38Tr+TxGURC17kby4mIIxOG3aJvZWXzPM79UnEk=",
+        "lastModified": 1726989464,
+        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "095ef64aa3b2ab4a4f1bf07f29997e21e3a5576a",
+        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
         "repo": "home-manager",
         "type": "github"
       }
@@ -259,11 +280,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1707424749,
-        "narHash": "sha256-eTvts5E3zmD4/DoAI9KedQjRwica0cg36wwIVp1NWbM=",
+        "lastModified": 1731518114,
+        "narHash": "sha256-h9Wb3VjmXBZwTO3prRweUKwp2H9hZHCQKrkbU+2WPQs=",
         "ref": "main",
-        "rev": "1202a23c205b3c07a5feb5caf6813f21b3c69307",
-        "revCount": 30,
+        "rev": "060ecccc5f8c92a0705ab91ff047811efd559468",
+        "revCount": 36,
         "type": "git",
         "url": "https://git.pub.solar/pub-solar/keycloak-theme"
       },
@@ -277,11 +298,11 @@
       "flake": false,
       "locked": {
         "dir": "web",
-        "lastModified": 1716038335,
-        "narHash": "sha256-OjmeIkSds59i6lHG/M3Z+32k9nGgm/owJ4x+xwyx0Qs=",
+        "lastModified": 1718796561,
+        "narHash": "sha256-RKAAHve17lrJokgAPkM2k/E+f9djencwwg3Xcd70Yfw=",
         "owner": "maunium",
         "repo": "stickerpicker",
-        "rev": "47f17fde452b5e9f0c9e96ce0e2c878dd0574b7f",
+        "rev": "333567f481e60443360aa7199d481e1a45b3a523",
         "type": "github"
       },
       "original": {
@@ -299,11 +320,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716993688,
-        "narHash": "sha256-vo5k2wQekfeoq/2aleQkBN41dQiQHNTniZeVONWiWLs=",
+        "lastModified": 1731153869,
+        "narHash": "sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "c0d5b8c54d6828516c97f6be9f2d00c63a363df4",
+        "rev": "5c74ab862c8070cbf6400128a1b56abb213656da",
         "type": "github"
       },
       "original": {
@@ -313,111 +334,49 @@
         "type": "github"
       }
     },
-    "nixos-flake": {
-      "locked": {
-        "lastModified": 1716406291,
-        "narHash": "sha256-qHjJ6alc4o3p51hrPp3JGdC5Pbz5EjF+UZq1HbK8av0=",
-        "owner": "srid",
-        "repo": "nixos-flake",
-        "rev": "aa9100167350cbdffaa272b0fd382d7c23606b86",
-        "type": "github"
-      },
-      "original": {
-        "owner": "srid",
-        "repo": "nixos-flake",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1717159533,
-        "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
+        "lastModified": 1731239293,
+        "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+        "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "nixpkgs-2205": {
-      "locked": {
-        "lastModified": 1685573264,
-        "narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "380be19fbd2d9079f677978361792cb25e8a3635",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-22.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-23_05": {
-      "locked": {
-        "lastModified": 1704290814,
-        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-23.05",
-        "type": "indirect"
-      }
-    },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1717284937,
-        "narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=",
+        "lastModified": 1730504152,
+        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1705856552,
-        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
       }
     },
     "root": {
       "inputs": {
         "agenix": "agenix",
         "deploy-rs": "deploy-rs",
+        "disko": "disko",
         "element-stickers": "element-stickers",
         "element-themes": "element-themes",
         "flake-parts": "flake-parts",
+        "fork": "fork",
         "home-manager": "home-manager",
         "keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
         "maunium-stickerpicker": "maunium-stickerpicker",
         "nix-darwin": "nix-darwin",
-        "nixos-flake": "nixos-flake",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-2205": "nixpkgs-2205",
         "simple-nixos-mailserver": "simple-nixos-mailserver",
-        "triton-vmtools": "triton-vmtools",
         "unstable": "unstable"
       }
     },
@@ -425,24 +384,25 @@
       "inputs": {
         "blobs": "blobs",
         "flake-compat": "flake-compat_2",
-        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-23_05": "nixpkgs-23_05",
-        "nixpkgs-23_11": [
+        "nixpkgs": [
+          "unstable"
+        ],
+        "nixpkgs-24_05": [
           "nixpkgs"
         ],
         "utils": "utils_2"
       },
       "locked": {
-        "lastModified": 1706219574,
-        "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=",
+        "lastModified": 1718084203,
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
         "type": "gitlab"
       },
       "original": {
         "owner": "simple-nixos-mailserver",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }
@@ -507,37 +467,28 @@
         "type": "github"
       }
     },
-    "triton-vmtools": {
-      "inputs": {
-        "flake-utils": "flake-utils_3",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
+    "systems_5": {
       "locked": {
-        "dir": "vmtools",
-        "lastModified": 1698443513,
-        "narHash": "sha256-wX2JIJ3JmJn6MAurdyjwZU+FZjLCwBArMrVSeeCb/ZU=",
-        "ref": "main",
-        "rev": "0d039dcf06afb8cbddd7ac54bae4d0d185f3e88e",
-        "revCount": 85,
-        "type": "git",
-        "url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools"
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
       },
       "original": {
-        "dir": "vmtools",
-        "ref": "main",
-        "type": "git",
-        "url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools"
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
       }
     },
     "unstable": {
       "locked": {
-        "lastModified": 1717196966,
-        "narHash": "sha256-yZKhxVIKd2lsbOqYd5iDoUIwsRZFqE87smE2Vzf6Ck0=",
+        "lastModified": 1731139594,
+        "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "57610d2f8f0937f39dbd72251e9614b1561942d8",
+        "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
         "type": "github"
       },
       "original": {
@@ -566,12 +517,15 @@
       }
     },
     "utils_2": {
+      "inputs": {
+        "systems": "systems_5"
+      },
       "locked": {
-        "lastModified": 1605370193,
-        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "lastModified": 1709126324,
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,23 +1,24 @@
 {
   inputs = {
     # Track channels with commits tested and built by hydra
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
     unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-
-    nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
+    fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
 
     nix-darwin.url = "github:lnl7/nix-darwin/master";
     nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
 
-    home-manager.url = "github:nix-community/home-manager/release-23.11";
+    home-manager.url = "github:nix-community/home-manager/release-24.05";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
     flake-parts.url = "github:hercules-ci/flake-parts";
-    nixos-flake.url = "github:srid/nixos-flake";
 
     deploy-rs.url = "github:serokell/deploy-rs";
     deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
 
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
     agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
     agenix.inputs.darwin.follows = "nix-darwin";
@@ -26,9 +27,6 @@
     keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main";
     keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs";
 
-    triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra-vintage?ref=main&dir=vmtools";
-    triton-vmtools.inputs.nixpkgs.follows = "nixpkgs";
-
     element-themes.url = "github:aaronraimist/element-themes/master";
     element-themes.flake = false;
 
@@ -39,8 +37,9 @@
     element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker";
     element-stickers.inputs.nixpkgs.follows = "nixpkgs";
 
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
-    simple-nixos-mailserver.inputs.nixpkgs-23_11.follows = "nixpkgs";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
+    simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "nixpkgs";
+    simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable";
   };
 
   outputs =
@@ -52,7 +51,6 @@
       ];
 
       imports = [
-        inputs.nixos-flake.flakeModule
         ./logins
         ./lib
         ./overlays
@@ -64,6 +62,7 @@
           system,
           pkgs,
           config,
+          lib,
           ...
         }:
         {
@@ -76,6 +75,27 @@
             unstable = import inputs.unstable { inherit system; };
             master = import inputs.master { inherit system; };
           };
+
+          checks =
+            let
+              nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
+              testDir = builtins.attrNames (builtins.readDir ./tests);
+              testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir;
+            in
+            builtins.listToAttrs (
+              map (x: {
+                name = "test-${lib.strings.removeSuffix ".nix" x}";
+                value = nixos-lib.runTest (
+                  import (./tests + "/${x}") {
+                    inherit self;
+                    inherit pkgs;
+                    inherit lib;
+                    inherit config;
+                  }
+                );
+              }) testFiles
+            );
+
           devShells.default = pkgs.mkShell {
             buildInputs = with pkgs; [
               deploy-rs
@@ -88,12 +108,15 @@
               nvfetcher
               shellcheck
               shfmt
-              treefmt
+              inputs.unstable.legacyPackages.${system}.treefmt2
               nixos-generators
-              inputs.nixpkgs-2205.legacyPackages.${system}.terraform
+              inputs.unstable.legacyPackages.${system}.opentofu
+              terraform-backend-git
+              terraform-ls
               jq
             ];
           };
+
           devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; };
         };
 
@@ -122,10 +145,6 @@
               hostname = "nachtigall.wg.pub.solar";
               sshUser = username;
             };
-            flora-6 = {
-              hostname = "flora-6.wg.pub.solar";
-              sshUser = username;
-            };
             metronom = {
               hostname = "metronom.wg.pub.solar";
               sshUser = username;
@@ -134,6 +153,22 @@
               hostname = "tankstelle.wg.pub.solar";
               sshUser = username;
             };
+            underground = {
+              hostname = "80.244.242.3";
+              sshUser = username;
+            };
+            trinkgenossin = {
+              hostname = "trinkgenossin.wg.pub.solar";
+              sshUser = username;
+            };
+            delite = {
+              hostname = "delite.wg.pub.solar";
+              sshUser = username;
+            };
+            blue-shell = {
+              hostname = "blue-shell.wg.pub.solar";
+              sshUser = username;
+            };
           };
         };
     };

hosts/blue-shell/configuration.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  boot.loader.grub.enable = true;
+
+  boot.kernelParams = [
+    "boot.shell_on_fail=1"
+    "ip=dhcp"
+  ];
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/blue-shell/default.nix

@@ -1,11 +1,13 @@
-{ ... }:
+{ flake, ... }:
 
 {
   imports = [
-    # Include the results of the hardware scan.
     ./hardware-configuration.nix
     ./configuration.nix
-    ./triton-vmtools.nix
+    ./disk-config.nix
+
+    ./networking.nix
     ./wireguard.nix
+    #./backups.nix
   ];
 }

hosts/blue-shell/disk-config.nix

@@ -0,0 +1,101 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/vdb";
+        content = {
+          type = "gpt";
+          partitions = {
+            bios = {
+              size = "1M";
+              type = "EF02"; # for grub MBR
+            };
+            boot = {
+              size = "1G";
+              type = "8300";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/boot";
+                mountOptions = [ "defaults" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "cryptroot";
+                extraOpenArgs = [ ];
+                # if you want to use the key for interactive login be sure there is no trailing newline
+                # for example use `echo -n "password" > /tmp/secret.key`
+                passwordFile = "/tmp/luks-password";
+                content = {
+                  type = "lvm_pv";
+                  vg = "vg0";
+                };
+              };
+            };
+          };
+        };
+      };
+      data = {
+        type = "disk";
+        device = "/dev/vdc";
+        content = {
+          type = "gpt";
+          partitions = {
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "cryptdata";
+                extraOpenArgs = [ ];
+                # if you want to use the key for interactive login be sure there is no trailing newline
+                # for example use `echo -n "password" > /tmp/secret.key`
+                passwordFile = "/tmp/luks-password";
+                content = {
+                  type = "filesystem";
+                  format = "xfs";
+                  mountpoint = "/var/lib/garage/data";
+                  mountOptions = [ "defaults" ];
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      vg0 = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100G";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [ "defaults" ];
+            };
+          };
+          swap = {
+            size = "16G";
+            content = {
+              type = "swap";
+            };
+          };
+          metadata = {
+            size = "50G";
+            content = {
+              type = "filesystem";
+              format = "btrfs";
+              mountpoint = "/var/lib/garage/meta";
+              mountOptions = [ "defaults" ];
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/blue-shell/hardware-configuration.nix

@@ -0,0 +1,27 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "sr_mod"
+    "virtio_blk"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/blue-shell/networking.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  services.garage.settings.rpc_public_addr = "[2a03:4000:43:24e::1]:3901";
+
+  networking.hostName = "blue-shell";
+  networking.hostId = "00000005";
+
+  networking.useDHCP = false;
+  systemd.network.enable = true;
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens3";
+    address = [
+      "194.13.83.205/22"
+      "2a03:4000:43:24e::1/64"
+    ];
+    gateway = [
+      "194.13.80.1"
+      "fe80::1"
+    ];
+  };
+}

hosts/blue-shell/wireguard.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+let
+  wireguardIPv4 = "10.7.6.7";
+  wireguardIPv6 = "fd00:fae:fae:fae:fae:7::";
+in
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/blue-shell-wg-private-key.age";
+
+  networking.wireguard.interfaces = {
+    wg-ssh = {
+      listenPort = 51820;
+      mtu = 1300;
+      ips = [
+        "${wireguardIPv4}/32"
+        "${wireguardIPv6}/96"
+      ];
+      privateKeyFile = config.age.secrets.wg-private-key.path;
+      peers = flake.self.logins.admins.wireguardDevices ++ [
+        {
+          # trinkgenossin.pub.solar
+          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
+          allowedIPs = [
+            "10.7.6.5/32"
+            "fd00:fae:fae:fae:fae:5::/96"
+          ];
+          #endpoint = "85.215.152.22:51820";
+          endpoint = "[2a01:239:35d:f500::1]:51820";
+          persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+
+  services.openssh.listenAddresses = [
+    {
+      addr = wireguardIPv4;
+      port = 22;
+    }
+    {
+      addr = "[${wireguardIPv6}]";
+      port = 22;
+    }
+  ];
+}

hosts/default.nix

@@ -1,9 +1,35 @@
-{ self, ... }:
+{
+  self,
+  inputs,
+  config,
+  ...
+}:
 {
   flake = {
-    nixosConfigurations = {
-      nachtigall = self.nixos-flake.lib.mkLinuxSystem {
+    nixosModules = {
+      home-manager = {
         imports = [
+          inputs.home-manager.nixosModules.home-manager
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.extraSpecialArgs = {
+              flake = {
+                inherit self inputs config;
+              };
+            };
+          }
+        ];
+      };
+    };
+    nixosConfigurations = {
+      nachtigall = self.inputs.nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          flake = {
+            inherit self inputs config;
+          };
+        };
+        modules = [
           self.inputs.agenix.nixosModules.default
           self.nixosModules.home-manager
           ./nachtigall
@@ -11,6 +37,7 @@
           self.nixosModules.unlock-zfs-on-boot
           self.nixosModules.core
           self.nixosModules.docker
+          self.nixosModules.backups
 
           self.nixosModules.nginx
           self.nixosModules.collabora
@@ -33,6 +60,7 @@
           self.nixosModules.promtail
           self.nixosModules.searx
           self.nixosModules.tmate
+          self.nixosModules.tt-rss
           self.nixosModules.obs-portal
           self.nixosModules.matrix
           self.nixosModules.matrix-irc
@@ -41,32 +69,20 @@
         ];
       };
 
-      flora-6 = self.nixos-flake.lib.mkLinuxSystem {
-        imports = [
-          self.inputs.agenix.nixosModules.default
-          self.nixosModules.home-manager
-          ./flora-6
-          self.nixosModules.overlays
-          self.nixosModules.core
-
-          self.nixosModules.keycloak
-          self.nixosModules.caddy
-          self.nixosModules.drone
-          self.nixosModules.forgejo-actions-runner
-          self.nixosModules.grafana
-          self.nixosModules.prometheus
-          self.nixosModules.loki
-        ];
-      };
-
-      metronom = self.nixos-flake.lib.mkLinuxSystem {
-        imports = [
+      metronom = self.inputs.nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          flake = {
+            inherit self inputs config;
+          };
+        };
+        modules = [
           self.inputs.agenix.nixosModules.default
           self.nixosModules.home-manager
           ./metronom
           self.nixosModules.overlays
           self.nixosModules.unlock-zfs-on-boot
           self.nixosModules.core
+          self.nixosModules.backups
           self.nixosModules.mail
           self.nixosModules.prometheus-exporters
           self.nixosModules.promtail
@@ -75,17 +91,117 @@
         ];
       };
 
-      tankstelle = self.nixos-flake.lib.mkLinuxSystem {
-        imports = [
+      tankstelle = self.inputs.nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          flake = {
+            inherit self inputs config;
+          };
+        };
+        modules = [
           self.inputs.agenix.nixosModules.default
           self.nixosModules.home-manager
           ./tankstelle
           self.nixosModules.overlays
           self.nixosModules.core
+          self.nixosModules.backups
           self.nixosModules.prometheus-exporters
           self.nixosModules.promtail
         ];
       };
+
+      trinkgenossin = self.inputs.nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          flake = {
+            inherit self inputs config;
+          };
+        };
+        modules = [
+          self.inputs.agenix.nixosModules.default
+          self.nixosModules.home-manager
+          ./trinkgenossin
+          self.nixosModules.backups
+          self.nixosModules.overlays
+          self.nixosModules.unlock-luks-on-boot
+          self.nixosModules.core
+
+          self.nixosModules.garage
+          self.nixosModules.nginx
+
+          # This module is already using options, and those options are used by the grafana module
+          self.nixosModules.keycloak
+          self.nixosModules.grafana
+          self.nixosModules.prometheus
+          self.nixosModules.loki
+        ];
+      };
+
+      delite = self.inputs.nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          flake = {
+            inherit self inputs config;
+          };
+        };
+        modules = [
+          self.inputs.agenix.nixosModules.default
+          self.inputs.disko.nixosModules.disko
+          self.nixosModules.home-manager
+          ./delite
+          self.nixosModules.overlays
+          self.nixosModules.unlock-luks-on-boot
+          self.nixosModules.core
+          self.nixosModules.prometheus-exporters
+          self.nixosModules.promtail
+
+          self.nixosModules.garage
+          self.nixosModules.nginx
+        ];
+      };
+
+      blue-shell = self.inputs.nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          flake = {
+            inherit self inputs config;
+          };
+        };
+        modules = [
+          self.inputs.agenix.nixosModules.default
+          self.inputs.disko.nixosModules.disko
+          self.nixosModules.home-manager
+          ./blue-shell
+          self.nixosModules.overlays
+          self.nixosModules.unlock-luks-on-boot
+          self.nixosModules.core
+          self.nixosModules.prometheus-exporters
+          self.nixosModules.promtail
+
+          self.nixosModules.garage
+          self.nixosModules.nginx
+        ];
+      };
+
+      underground = self.inputs.nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          flake = {
+            inherit self inputs config;
+          };
+        };
+        modules = [
+          self.inputs.agenix.nixosModules.default
+          self.nixosModules.home-manager
+          ./underground
+          self.nixosModules.overlays
+          self.nixosModules.unlock-luks-on-boot
+          self.nixosModules.core
+
+          self.nixosModules.backups
+          self.nixosModules.keycloak
+          self.nixosModules.postgresql
+          self.nixosModules.matrix
+          self.nixosModules.matrix-irc
+          self.nixosModules.nginx
+          self.nixosModules.nginx-matrix
+        ];
+      };
     };
   };
 }

hosts/delite/configuration.nix

@@ -0,0 +1,33 @@
+{
+  flake,
+  config,
+  pkgs,
+  ...
+}:
+{
+  boot.loader.grub.enable = true;
+
+  boot.kernelParams = [
+    "boot.shell_on_fail=1"
+    "ip=5.255.119.132::5.255.119.1:255.255.255.0:delite::off"
+  ];
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/delite/default.nix

@@ -0,0 +1,13 @@
+{ flake, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+    ./disk-config.nix
+
+    ./networking.nix
+    ./wireguard.nix
+    #./backups.nix
+  ];
+}

hosts/delite/disk-config.nix

@@ -0,0 +1,84 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/vda";
+        content = {
+          type = "gpt";
+          partitions = {
+            bios = {
+              size = "1M";
+              type = "EF02"; # for grub MBR
+            };
+            boot = {
+              size = "1G";
+              type = "8300";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/boot";
+                mountOptions = [ "defaults" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "cryptroot";
+                extraOpenArgs = [ ];
+                # if you want to use the key for interactive login be sure there is no trailing newline
+                # for example use `echo -n "password" > /tmp/secret.key`
+                passwordFile = "/tmp/luks-password";
+                content = {
+                  type = "lvm_pv";
+                  vg = "vg0";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      vg0 = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "40G";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [ "defaults" ];
+            };
+          };
+          swap = {
+            size = "8G";
+            content = {
+              type = "swap";
+            };
+          };
+          data = {
+            size = "800G";
+            content = {
+              type = "filesystem";
+              format = "xfs";
+              mountpoint = "/var/lib/garage/data";
+              mountOptions = [ "defaults" ];
+            };
+          };
+          metadata = {
+            size = "50G";
+            content = {
+              type = "filesystem";
+              format = "btrfs";
+              mountpoint = "/var/lib/garage/meta";
+              mountOptions = [ "defaults" ];
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/delite/hardware-configuration.nix

@@ -0,0 +1,26 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_blk"
+  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/delite/networking.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  services.garage.settings.rpc_public_addr = "[2a04:52c0:124:9d8c::2]:3901";
+
+  networking.hostName = "delite";
+  networking.hostId = "00000004";
+
+  networking.useDHCP = false;
+  systemd.network.enable = true;
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens3";
+    address = [
+      "5.255.119.132/24"
+      "2a04:52c0:124:9d8c::2/48"
+    ];
+    gateway = [
+      "5.255.119.1"
+      "2a04:52c0:124::1"
+    ];
+  };
+}

hosts/delite/wireguard.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+let
+  wireguardIPv4 = "10.7.6.6";
+  wireguardIPv6 = "fd00:fae:fae:fae:fae:6::";
+in
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/delite-wg-private-key.age";
+
+  networking.wireguard.interfaces = {
+    wg-ssh = {
+      listenPort = 51820;
+      mtu = 1300;
+      ips = [
+        "${wireguardIPv4}/32"
+        "${wireguardIPv6}/96"
+      ];
+      privateKeyFile = config.age.secrets.wg-private-key.path;
+      peers = flake.self.logins.admins.wireguardDevices ++ [
+        {
+          # trinkgenossin.pub.solar
+          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
+          allowedIPs = [
+            "10.7.6.5/32"
+            "fd00:fae:fae:fae:fae:5::/96"
+          ];
+          #endpoint = "85.215.152.22:51820";
+          endpoint = "[2a01:239:35d:f500::1]:51820";
+          persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+
+  services.openssh.listenAddresses = [
+    {
+      addr = wireguardIPv4;
+      port = 22;
+    }
+    {
+      addr = "[${wireguardIPv6}]";
+      port = 22;
+    }
+  ];
+}

hosts/flora-6/configuration.nix

@@ -1,72 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  flake,
-  ...
-}:
-let
-  psCfg = config.pub-solar;
-in
-{
-  config = {
-    # Override nix.conf for more agressive garbage collection
-    nix.extraOptions = lib.mkForce ''
-      experimental-features = flakes nix-command
-      min-free = 536870912
-      keep-outputs = false
-      keep-derivations = false
-      fallback = true
-    '';
-
-    # # #
-    # # # Triton host specific options
-    # # # DO NOT ALTER below this line, changes might render system unbootable
-    # # #
-
-    # Use the systemd-boot EFI boot loader.
-    boot.loader.systemd-boot.enable = true;
-    boot.loader.efi.canTouchEfiVariables = true;
-
-    # Force getting the hostname from cloud-init
-    networking.hostName = lib.mkDefault "";
-
-    # We use cloud-init to configure networking, this option should fix
-    # systemd-networkd-wait-online timeouts
-    #systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
-    systemd.network.wait-online.ignoredInterfaces = [
-      "docker0"
-      "wg-ssh"
-    ];
-
-    # List services that you want to enable:
-    services.cloud-init.enable = true;
-    services.cloud-init.ext4.enable = true;
-    services.cloud-init.network.enable = true;
-    # use the default NixOS cloud-init config, but add some SmartOS customization to it
-    environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
-      datasource_list: [ SmartOS ]
-
-      # Do not create the centos/ubuntu/debian user
-      users: [ ]
-
-      # mount second disk with label ephemeral0, gets formated by cloud-init
-      # this will fail to get added to /etc/fstab as it's read-only, but should
-      # mount at boot anyway
-      mounts:
-      - [ vdb, /data, auto, "defaults,nofail" ]
-    '';
-
-    # We manage the firewall with nix, too
-    # altough triton can also manage firewall rules via the triton fwrule subcommand
-    networking.firewall.enable = true;
-
-    # This value determines the NixOS release from which the default
-    # settings for stateful data, like file locations and database versions
-    # on your system were taken. It‘s perfectly fine and recommended to leave
-    # this value at the release version of the first install of this system.
-    # Before changing this value read the documentation for this option
-    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-    system.stateVersion = "22.05"; # Did you read the comment?
-  };
-}

hosts/flora-6/triton-vmtools.nix

@@ -1,6 +0,0 @@
-{ pkgs, flake, ... }:
-{
-  environment.systemPackages = with pkgs; [
-    flake.inputs.triton-vmtools.packages.${pkgs.system}.default
-  ];
-}

hosts/metronom/backups.nix

@@ -1,13 +1,29 @@
-{ flake, ... }:
+{ config, flake, ... }:
 {
-  age.secrets."restic-repo-droppie" = {
-    file = "${flake.self}/secrets/restic-repo-droppie.age";
+  age.secrets."restic-repo-storagebox-metronom" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox-metronom.age";
     mode = "400";
     owner = "root";
   };
-  age.secrets."restic-repo-storagebox" = {
-    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+  age.secrets.restic-repo-garage-metronom = {
+    file = "${flake.self}/secrets/restic-repo-garage-metronom.age";
     mode = "400";
     owner = "root";
   };
+  age.secrets.restic-repo-garage-metronom-env = {
+    file = "${flake.self}/secrets/restic-repo-garage-metronom-env.age";
+    mode = "400";
+    owner = "root";
+  };
+
+  pub-solar-os.backups.repos.storagebox = {
+    passwordFile = config.age.secrets."restic-repo-storagebox-metronom".path;
+    repository = "sftp:u377325@u377325.your-storagebox.de:/metronom-backups";
+  };
+
+  pub-solar-os.backups.repos.garage = {
+    passwordFile = config.age.secrets."restic-repo-garage-metronom".path;
+    environmentFile = config.age.secrets."restic-repo-garage-metronom-env".path;
+    repository = "s3:https://buckets.pub.solar/metronom-backups";
+  };
 }

hosts/metronom/configuration.nix

@@ -18,6 +18,19 @@
   # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
   systemd.services.zfs-mount.enable = false;
 
+  services.zfs.autoScrub = {
+    enable = true;
+    pools = [ "root_pool" ];
+  };
+
+  # Declarative SSH private key
+  age.secrets."metronom-root-ssh-key" = {
+    file = "${flake.self}/secrets/metronom-root-ssh-key.age";
+    path = "/root/.ssh/id_ed25519";
+    mode = "400";
+    owner = "root";
+  };
+
   # Declarative SSH private key
   #age.secrets."metronom-root-ssh-key" = {
   #  file = "${flake.self}/secrets/metronom-root-ssh-key.age";

hosts/metronom/default.nix

@@ -7,6 +7,6 @@
 
     ./networking.nix
     ./wireguard.nix
-    #./backups.nix
+    ./backups.nix
   ];
 }

hosts/metronom/wireguard.nix

@@ -19,15 +19,6 @@
       ];
       privateKeyFile = config.age.secrets.wg-private-key.path;
       peers = flake.self.logins.admins.wireguardDevices ++ [
-        {
-          # flora-6.pub.solar
-          endpoint = "80.71.153.210:51820";
-          publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
-          allowedIPs = [
-            "10.7.6.2/32"
-            "fd00:fae:fae:fae:fae:2::/96"
-          ];
-        }
         {
           # nachtigall.pub.solar
           endpoint = "138.201.80.102:51820";
@@ -37,6 +28,17 @@
             "fd00:fae:fae:fae:fae:1::/96"
           ];
         }
+        {
+          # trinkgenossin.pub.solar
+          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
+          allowedIPs = [
+            "10.7.6.5/32"
+            "fd00:fae:fae:fae:fae:5::/96"
+          ];
+          #endpoint = "85.215.152.22:51820";
+          endpoint = "[2a01:239:35d:f500::1]:51820";
+          persistentKeepalive = 15;
+        }
       ];
     };
   };

hosts/nachtigall/backups.nix

@@ -1,13 +1,34 @@
-{ flake, ... }:
+{ config, flake, ... }:
 {
   age.secrets."restic-repo-droppie" = {
     file = "${flake.self}/secrets/restic-repo-droppie.age";
     mode = "400";
     owner = "root";
   };
-  age.secrets."restic-repo-storagebox" = {
-    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+  age.secrets."restic-repo-storagebox-nachtigall" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox-nachtigall.age";
     mode = "400";
     owner = "root";
   };
+  age.secrets.restic-repo-garage-nachtigall = {
+    file = "${flake.self}/secrets/restic-repo-garage-nachtigall.age";
+    mode = "400";
+    owner = "root";
+  };
+  age.secrets.restic-repo-garage-nachtigall-env = {
+    file = "${flake.self}/secrets/restic-repo-garage-nachtigall-env.age";
+    mode = "400";
+    owner = "root";
+  };
+
+  pub-solar-os.backups.repos.storagebox = {
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
+    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
+  };
+
+  pub-solar-os.backups.repos.garage = {
+    passwordFile = config.age.secrets."restic-repo-garage-nachtigall".path;
+    environmentFile = config.age.secrets."restic-repo-garage-nachtigall-env".path;
+    repository = "s3:https://buckets.pub.solar/nachtigall-backups";
+  };
 }

hosts/nachtigall/configuration.nix

@@ -35,6 +35,11 @@
   # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
   systemd.services.zfs-mount.enable = false;
 
+  services.zfs.autoScrub = {
+    enable = true;
+    pools = [ "root_pool" ];
+  };
+
   # Declarative SSH private key
   age.secrets."nachtigall-root-ssh-key" = {
     file = "${flake.self}/secrets/nachtigall-root-ssh-key.age";
@@ -43,9 +48,77 @@
     owner = "root";
   };
 
-  pub-solar-os.auth.enable = true;
+  # keycloak
+  age.secrets.keycloak-database-password = {
+    file = "${flake.self}/secrets/keycloak-database-password.age";
+    mode = "600";
+    #owner = "keycloak";
+  };
 
-  nixpkgs.config.permittedInsecurePackages = [ "keycloak-23.0.6" ];
+  pub-solar-os.auth = {
+    enable = true;
+    database-password-file = config.age.secrets.keycloak-database-password.path;
+  };
+
+  # matrix-synapse
+  age.secrets."matrix-synapse-signing-key" = {
+    file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
+    mode = "400";
+    owner = "matrix-synapse";
+  };
+
+  age.secrets."matrix-synapse-secret-config.yaml" = {
+    file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
+    mode = "400";
+    owner = "matrix-synapse";
+  };
+
+  age.secrets."matrix-synapse-sliding-sync-secret" = {
+    file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
+    mode = "400";
+    owner = "matrix-synapse";
+  };
+
+  age.secrets."matrix-authentication-service-secret-config.yml" = {
+    file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age";
+    mode = "400";
+    owner = "matrix-authentication-service";
+  };
+
+  pub-solar-os.matrix = {
+    enable = true;
+    synapse = {
+      sliding-sync.enable = false;
+      signing_key_path = config.age.secrets."matrix-synapse-signing-key".path;
+      extra-config-files = [
+        config.age.secrets."matrix-synapse-secret-config.yaml".path
+
+        # The registration file is automatically generated after starting the
+        # appservice for the first time.
+        # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
+        #   /var/lib/matrix-synapse/
+        # chown matrix-synapse:matrix-synapse \
+        #   /var/lib/matrix-synapse/telegram-registration.yaml
+        "/var/lib/matrix-synapse/telegram-registration.yaml"
+      ];
+      app-service-config-files = [
+        "/var/lib/matrix-synapse/telegram-registration.yaml"
+        "/var/lib/matrix-appservice-irc/registration.yml"
+        # "/matrix-appservice-slack-registration.yaml"
+        # "/hookshot-registration.yml"
+        # "/matrix-mautrix-signal-registration.yaml"
+        # "/matrix-mautrix-telegram-registration.yaml"
+      ];
+    };
+    matrix-authentication-service.extra-config-files = [
+      config.age.secrets."matrix-authentication-service-secret-config.yml".path
+    ];
+  };
+
+  systemd.services.postgresql = {
+    after = [ "var-lib-postgresql.mount" ];
+    requisite = [ "var-lib-postgresql.mount" ];
+  };
 
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database

hosts/nachtigall/default.nix

@@ -9,5 +9,12 @@
     ./networking.nix
     ./wireguard.nix
     ./backups.nix
+    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
+    "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
+  ];
+
+  disabledModules = [
+    "services/matrix/matrix-authentication-service.nix "
+    "services/web-apps/mastodon.nix"
   ];
 }

hosts/nachtigall/wireguard.nix

@@ -19,15 +19,6 @@
       ];
       privateKeyFile = config.age.secrets.wg-private-key.path;
       peers = flake.self.logins.admins.wireguardDevices ++ [
-        {
-          # flora-6.pub.solar
-          endpoint = "80.71.153.210:51820";
-          publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
-          allowedIPs = [
-            "10.7.6.2/32"
-            "fd00:fae:fae:fae:fae:2::/96"
-          ];
-        }
         {
           # tankstelle.pub.solar
           endpoint = "80.244.242.5:51820";
@@ -37,6 +28,17 @@
             "fd00:fae:fae:fae:fae:4::/96"
           ];
         }
+        {
+          # trinkgenossin.pub.solar
+          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
+          allowedIPs = [
+            "10.7.6.5/32"
+            "fd00:fae:fae:fae:fae:5::/96"
+          ];
+          #endpoint = "85.215.152.22:51820";
+          endpoint = "[2a01:239:35d:f500::1]:51820";
+          persistentKeepalive = 15;
+        }
       ];
     };
   };

hosts/tankstelle/backups.nix

@@ -5,8 +5,8 @@
     mode = "400";
     owner = "root";
   };
-  age.secrets."restic-repo-storagebox" = {
-    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+  age.secrets."restic-repo-storagebox-tankstelle" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox-tankstelle.age";
     mode = "400";
     owner = "root";
   };

hosts/tankstelle/wireguard.nix

@@ -29,13 +29,15 @@
           ];
         }
         {
-          # flora-6.pub.solar
-          endpoint = "80.71.153.210:51820";
-          publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+          # trinkgenossin.pub.solar
+          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
           allowedIPs = [
-            "10.7.6.2/32"
-            "fd00:fae:fae:fae:fae:2::/96"
+            "10.7.6.5/32"
+            "fd00:fae:fae:fae:fae:5::/96"
           ];
+          #endpoint = "85.215.152.22:51820";
+          endpoint = "[2a01:239:35d:f500::1]:51820";
+          persistentKeepalive = 15;
         }
       ];
     };

hosts/trinkgenossin/configuration.nix

@@ -0,0 +1,35 @@
+{
+  flake,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  boot.loader.grub.enable = true;
+  boot.loader.grub.devices = [ "/dev/vda" ];
+
+  boot.kernelParams = [
+    "boot.shell_on_fail=1"
+    "ip=dhcp"
+  ];
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/trinkgenossin/default.nix

@@ -0,0 +1,12 @@
+{ flake, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+
+    ./networking.nix
+    ./wireguard.nix
+    #./backups.nix
+  ];
+}

hosts/trinkgenossin/hardware-configuration.nix

@@ -8,45 +8,47 @@
   modulesPath,
   ...
 }:
+
 {
   imports = [ ];
 
   boot.initrd.availableKernelModules = [
-    "ahci"
+    "ata_piix"
+    "uhci_hcd"
     "virtio_pci"
-    "xhci_pci"
     "sr_mod"
     "virtio_blk"
+    "virtio_net"
   ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/52a1fd17-63d7-4d0a-b7ff-74aceaf6085a";
+  };
+
   fileSystems."/" = {
     device = "/dev/disk/by-label/nixos";
-    autoResize = true;
     fsType = "ext4";
   };
 
   fileSystems."/boot" = {
     device = "/dev/disk/by-label/boot";
-    fsType = "vfat";
-  };
-
-  fileSystems."/data" = {
-    device = "/dev/disk/by-label/ephemeral0";
     fsType = "ext4";
-    options = [
-      "defaults"
-      "nofail"
-    ];
   };
 
-  swapDevices = [ ];
+  fileSystems."/var/lib/garage/data" = {
+    device = "/dev/disk/by-label/data";
+    fsType = "xfs";
+  };
 
-  networking.useDHCP = lib.mkDefault false;
-  networking.networkmanager.enable = lib.mkForce false;
+  fileSystems."/var/lib/garage/meta" = {
+    device = "/dev/disk/by-label/metadata";
+    fsType = "btrfs";
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/trinkgenossin/networking.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  services.garage.settings.rpc_public_addr = "[2a01:239:35d:f500::1]:3901";
+
+  networking.hostName = "trinkgenossin";
+  networking.hostId = "00000003";
+
+  networking.enableIPv6 = true;
+  networking.useDHCP = true;
+}

hosts/trinkgenossin/wireguard.nix

@@ -4,18 +4,22 @@
   flake,
   ...
 }:
+let
+  wireguardIPv4 = "10.7.6.5";
+  wireguardIPv6 = "fd00:fae:fae:fae:fae:5::";
+in
 {
   networking.firewall.allowedUDPPorts = [ 51820 ];
 
-  age.secrets.wg-private-key.file = "${flake.self}/secrets/flora6-wg-private-key.age";
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/trinkgenossin-wg-private-key.age";
 
   networking.wireguard.interfaces = {
     wg-ssh = {
       listenPort = 51820;
       mtu = 1300;
       ips = [
-        "10.7.6.2/32"
-        "fd00:fae:fae:fae:fae:2::/96"
+        "${wireguardIPv4}/32"
+        "${wireguardIPv6}/96"
       ];
       privateKeyFile = config.age.secrets.wg-private-key.path;
       peers = flake.self.logins.admins.wireguardDevices ++ [
@@ -47,17 +51,35 @@
             "fd00:fae:fae:fae:fae:4::/96"
           ];
         }
+        {
+          # delite.pub.solar
+          endpoint = "5.255.119.132:51820";
+          publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
+          allowedIPs = [
+            "10.7.6.6/32"
+            "fd00:fae:fae:fae:fae:6::/96"
+          ];
+        }
+        {
+          # blue-shell.pub.solar
+          endpoint = "194.13.83.205:51820";
+          publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
+          allowedIPs = [
+            "10.7.6.7/32"
+            "fd00:fae:fae:fae:fae:7::/96"
+          ];
+        }
       ];
     };
   };
 
   services.openssh.listenAddresses = [
     {
-      addr = "10.7.6.2";
+      addr = wireguardIPv4;
       port = 22;
     }
     {
-      addr = "[fd00:fae:fae:fae:fae:2::]";
+      addr = "[${wireguardIPv6}]";
       port = 22;
     }
   ];

hosts/underground/configuration.nix

@@ -0,0 +1,72 @@
+{
+  flake,
+  config,
+  pkgs,
+  ...
+}:
+{
+  # Use GRUB2 as the boot loader.
+  boot.loader.grub = {
+    enable = true;
+    devices = [ "/dev/vda" ];
+  };
+
+  pub-solar-os.networking.domain = "test.pub.solar";
+
+  systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
+
+  # keycloak
+  pub-solar-os.auth = {
+    enable = true;
+    database-password-file = "/tmp/dbf";
+  };
+  services.keycloak.database.createLocally = true;
+
+  # matrix-synapse
+  # test.pub.solar /.well-known is required for federation
+  services.nginx.virtualHosts."${config.pub-solar-os.networking.domain}" = {
+    default = true;
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  age.secrets."staging-matrix-synapse-secret-config.yaml" = {
+    file = "${flake.self}/secrets/staging-matrix-synapse-secret-config.yaml.age";
+    mode = "400";
+    owner = "matrix-synapse";
+  };
+
+  age.secrets."staging-matrix-authentication-service-secret-config.yml" = {
+    file = "${flake.self}/secrets/staging-matrix-authentication-service-secret-config.yml.age";
+    mode = "400";
+    owner = "matrix-authentication-service";
+  };
+
+  pub-solar-os.matrix = {
+    enable = true;
+    synapse = {
+      extra-config-files = [
+        config.age.secrets."staging-matrix-synapse-secret-config.yaml".path
+
+        # The registration file is automatically generated after starting the
+        # appservice for the first time.
+        # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
+        #   /var/lib/matrix-synapse/
+        # chown matrix-synapse:matrix-synapse \
+        #   /var/lib/matrix-synapse/telegram-registration.yaml
+        #"/var/lib/matrix-synapse/telegram-registration.yaml"
+      ];
+      app-service-config-files = [
+        "/var/lib/matrix-appservice-irc/registration.yml"
+        #"/var/lib/matrix-synapse/telegram-registration.yaml"
+      ];
+    };
+    matrix-authentication-service.extra-config-files = [
+      config.age.secrets."staging-matrix-authentication-service-secret-config.yml".path
+    ];
+  };
+
+  services.openssh.openFirewall = true;
+
+  system.stateVersion = "24.05";
+}

hosts/underground/default.nix

@@ -0,0 +1,16 @@
+{ flake, ... }:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./configuration.nix
+
+    ./networking.nix
+    "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
+  ];
+
+  disabledModules = [
+    "services/matrix/matrix-authentication-service.nix "
+  ];
+}

hosts/underground/hardware-configuration.nix

@@ -0,0 +1,47 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-label/cryptroot";
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-label/swap"; }
+  ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/underground/networking.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+
+  networking.hostName = "underground";
+
+  networking = {
+    defaultGateway = {
+      address = "80.244.242.1";
+      interface = "enp1s0";
+    };
+    nameservers = [
+      "95.129.51.51"
+      "80.244.244.244"
+    ];
+    interfaces.enp1s0 = {
+      useDHCP = false;
+      ipv4.addresses = [
+        {
+          address = "80.244.242.3";
+          prefixLength = 29;
+        }
+      ];
+    };
+  };
+}

logins/admins.nix

@@ -63,6 +63,7 @@
   teutat3s = {
     sshPubKeys = {
       teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
+      teutat3s-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
     };
 
     secretEncryptionKeys = {

logins/robots.nix

@@ -2,6 +2,5 @@
   # Used for restic backups to droppie, a server run by @b12f
   "root@droppie" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
 
-  # robot user on flora-6
-  "hakkonaut@flora-6" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6";
+  "hakkonaut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut";
 }

modules/backups/default.nix

@@ -0,0 +1,290 @@
+{
+  flake,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  utils = import "${flake.inputs.nixpkgs}/nixos/lib/utils.nix" {
+    inherit lib;
+    inherit config;
+    inherit pkgs;
+  };
+  # Type for a valid systemd unit option. Needed for correctly passing "timerConfig" to "systemd.timers"
+  inherit (utils.systemdUtils.unitOptions) unitOption;
+  inherit (lib)
+    literalExpression
+    mkOption
+    mkPackageOption
+    types
+    ;
+in
+{
+  options.pub-solar-os.backups = {
+    repos = mkOption {
+      description = ''
+        Configuration of Restic repositories.
+      '';
+      type = types.attrsOf (
+        types.submodule (
+          { name, ... }:
+          {
+            options = {
+              passwordFile = mkOption {
+                type = types.str;
+                description = ''
+                  Read the repository password from a file.
+                '';
+                example = "/etc/nixos/restic-password";
+              };
+
+              environmentFile = mkOption {
+                type = with types; nullOr str;
+                default = null;
+                description = ''
+                  Read repository secrets as environment variables from a file.
+                '';
+                example = "/etc/nixos/restic-env";
+              };
+
+              repository = mkOption {
+                type = with types; nullOr str;
+                default = null;
+                description = ''
+                  repository to backup to.
+                '';
+                example = "sftp:backup@192.168.1.100:/backups/${name}";
+              };
+            };
+          }
+        )
+      );
+
+      default = { };
+      example = {
+        remotebackup = {
+          repository = "sftp:backup@host:/backups/home";
+          passwordFile = "/etc/nixos/secrets/restic-password";
+          environmentFile = "/etc/nixos/secrets/restic-env";
+        };
+      };
+    };
+
+    restic = mkOption {
+      description = ''
+        Periodic backups to create with Restic.
+      '';
+      type = types.attrsOf (
+        types.submodule (
+          { name, ... }:
+          {
+            options = {
+              paths = mkOption {
+                # This is nullable for legacy reasons only. We should consider making it a pure listOf
+                # after some time has passed since this comment was added.
+                type = types.nullOr (types.listOf types.str);
+                default = [ ];
+                description = ''
+                  Which paths to backup, in addition to ones specified via
+                  `dynamicFilesFrom`.  If null or an empty array and
+                  `dynamicFilesFrom` is also null, no backup command will be run.
+                   This can be used to create a prune-only job.
+                '';
+                example = [
+                  "/var/lib/postgresql"
+                  "/home/user/backup"
+                ];
+              };
+
+              exclude = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+                description = ''
+                  Patterns to exclude when backing up. See
+                  https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files for
+                  details on syntax.
+                '';
+                example = [
+                  "/var/cache"
+                  "/home/*/.cache"
+                  ".git"
+                ];
+              };
+
+              timerConfig = mkOption {
+                type = types.nullOr (types.attrsOf unitOption);
+                default = {
+                  OnCalendar = "daily";
+                  Persistent = true;
+                };
+                description = ''
+                  When to run the backup. See {manpage}`systemd.timer(5)` for
+                  details. If null no timer is created and the backup will only
+                  run when explicitly started.
+                '';
+                example = {
+                  OnCalendar = "00:05";
+                  RandomizedDelaySec = "5h";
+                  Persistent = true;
+                };
+              };
+
+              user = mkOption {
+                type = types.str;
+                default = "root";
+                description = ''
+                  As which user the backup should run.
+                '';
+                example = "postgresql";
+              };
+
+              extraBackupArgs = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+                description = ''
+                  Extra arguments passed to restic backup.
+                '';
+                example = [ "--exclude-file=/etc/nixos/restic-ignore" ];
+              };
+
+              extraOptions = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+                description = ''
+                  Extra extended options to be passed to the restic --option flag.
+                '';
+                example = [ "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" ];
+              };
+
+              initialize = mkOption {
+                type = types.bool;
+                default = false;
+                description = ''
+                  Create the repository if it doesn't exist.
+                '';
+              };
+
+              pruneOpts = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+                description = ''
+                  A list of options (--keep-\* et al.) for 'restic forget
+                  --prune', to automatically prune old snapshots.  The
+                  'forget' command is run *after* the 'backup' command, so
+                  keep that in mind when constructing the --keep-\* options.
+                '';
+                example = [
+                  "--keep-daily 7"
+                  "--keep-weekly 5"
+                  "--keep-monthly 12"
+                  "--keep-yearly 75"
+                ];
+              };
+
+              runCheck = mkOption {
+                type = types.bool;
+                default = (builtins.length config.pub-solar-os.backups.restic.${name}.checkOpts > 0);
+                defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0'';
+                description = "Whether to run the `check` command with the provided `checkOpts` options.";
+                example = true;
+              };
+
+              checkOpts = mkOption {
+                type = types.listOf types.str;
+                default = [ ];
+                description = ''
+                  A list of options for 'restic check'.
+                '';
+                example = [ "--with-cache" ];
+              };
+
+              dynamicFilesFrom = mkOption {
+                type = with types; nullOr str;
+                default = null;
+                description = ''
+                  A script that produces a list of files to back up.  The
+                  results of this command are given to the '--files-from'
+                  option. The result is merged with paths specified via `paths`.
+                '';
+                example = "find /home/matt/git -type d -name .git";
+              };
+
+              backupPrepareCommand = mkOption {
+                type = with types; nullOr str;
+                default = null;
+                description = ''
+                  A script that must run before starting the backup process.
+                '';
+              };
+
+              backupCleanupCommand = mkOption {
+                type = with types; nullOr str;
+                default = null;
+                description = ''
+                  A script that must run after finishing the backup process.
+                '';
+              };
+
+              package = mkPackageOption pkgs "restic" { };
+
+              createWrapper = lib.mkOption {
+                type = lib.types.bool;
+                default = true;
+                description = ''
+                  Whether to generate and add a script to the system path, that has the same environment variables set
+                  as the systemd service. This can be used to e.g. mount snapshots or perform other opterations, without
+                  having to manually specify most options.
+                '';
+              };
+            };
+          }
+        )
+      );
+      default = { };
+      example = {
+        localbackup = {
+          paths = [ "/home" ];
+          exclude = [ "/home/*/.cache" ];
+          initialize = true;
+        };
+        remotebackup = {
+          paths = [ "/home" ];
+          extraOptions = [
+            "sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'"
+          ];
+          timerConfig = {
+            OnCalendar = "00:05";
+            RandomizedDelaySec = "5h";
+          };
+        };
+      };
+    };
+  };
+
+  config = {
+    services.restic.backups =
+      let
+        repos = config.pub-solar-os.backups.repos;
+        restic = config.pub-solar-os.backups.restic;
+
+        repoNames = builtins.attrNames repos;
+        backupNames = builtins.attrNames restic;
+
+        createBackups =
+          backupName:
+          map (repoName: {
+            name = "${backupName}-${repoName}";
+            value = repos."${repoName}" // restic."${backupName}";
+          }) repoNames;
+
+      in
+      builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames));
+
+    # Used for pub-solar-os.backups.repos.storagebox
+    programs.ssh.knownHosts = {
+      "u377325.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
+      "[u377325.your-storagebox.de]:23".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+    };
+  };
+}

modules/core/networking.nix

@@ -31,13 +31,17 @@
 
     networking.hosts = {
       "10.7.6.1" = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ];
-      "10.7.6.2" = [ "flora-6.wg.${config.pub-solar-os.networking.domain}" ];
       "10.7.6.3" = [ "metronom.wg.${config.pub-solar-os.networking.domain}" ];
       "10.7.6.4" = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}" ];
+      "10.7.6.5" = [ "trinkgenossin.wg.${config.pub-solar-os.networking.domain}" ];
+      "10.7.6.6" = [ "delite.wg.${config.pub-solar-os.networking.domain}" ];
+      "10.7.6.7" = [ "blue-shell.wg.${config.pub-solar-os.networking.domain}" ];
       "fd00:fae:fae:fae:fae:1::" = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ];
-      "fd00:fae:fae:fae:fae:2::" = [ "flora-6.wg.${config.pub-solar-os.networking.domain}" ];
       "fd00:fae:fae:fae:fae:3::" = [ "metronom.wg.${config.pub-solar-os.networking.domain}" ];
       "fd00:fae:fae:fae:fae:4::" = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}" ];
+      "fd00:fae:fae:fae:fae:5::" = [ "trinkgenossin.wg.${config.pub-solar-os.networking.domain}" ];
+      "fd00:fae:fae:fae:fae:6::" = [ "delite.wg.${config.pub-solar-os.networking.domain}" ];
+      "fd00:fae:fae:fae:fae:7::" = [ "blue-shell.wg.${config.pub-solar-os.networking.domain}" ];
     };
 
     services.openssh = {

modules/core/nix.nix

@@ -6,7 +6,21 @@
   ...
 }:
 {
-  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ];
+  nixpkgs.config = lib.mkDefault {
+    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ];
+    permittedInsecurePackages = [ "olm-3.2.16" ];
+  };
+
+  system.activationScripts.diff-closures = {
+    text = ''
+      if [[ -e /run/current-system ]]; then
+        ${config.nix.package}/bin/nix store diff-closures \
+          /run/current-system "$systemConfig" \
+          --extra-experimental-features nix-command
+      fi
+    '';
+    supportsDryActivation = true;
+  };
 
   nix = {
     # Use default version alias for nix package

modules/coturn/default.nix

@@ -18,7 +18,7 @@
     min-port = 49000;
     max-port = 50000;
     use-auth-secret = true;
-    static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
+    static-auth-secret-file = config.age.secrets."coturn-static-auth-secret".path;
     realm = "turn.${config.pub-solar-os.networking.domain}";
     cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
     pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";

modules/drone/default.nix

@@ -1,114 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  flake,
-  ...
-}:
-{
-  age.secrets.drone-secrets = {
-    file = "${flake.self}/secrets/drone-secrets.age";
-    mode = "600";
-    owner = "drone";
-  };
-  age.secrets.drone-db-secrets = {
-    file = "${flake.self}/secrets/drone-db-secrets.age";
-    mode = "600";
-    owner = "drone";
-  };
-
-  users.users.drone = {
-    description = "Drone Service";
-    home = "/var/lib/drone";
-    useDefaultShell = true;
-    uid = 994;
-    group = "drone";
-    isSystemUser = true;
-  };
-
-  users.groups.drone = { };
-
-  systemd.tmpfiles.rules = [ "d '/var/lib/drone-db' 0750 drone drone - -" ];
-
-  services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = {
-    logFormat = lib.mkForce ''
-      output discard
-    '';
-    extraConfig = ''
-      reverse_proxy :4000
-    '';
-  };
-
-  systemd.services."docker-network-drone" =
-    let
-      docker = config.virtualisation.oci-containers.backend;
-      dockerBin = "${pkgs.${docker}}/bin/${docker}";
-    in
-    {
-      serviceConfig.Type = "oneshot";
-      before = [ "docker-drone-server.service" ];
-      script = ''
-        ${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
-      '';
-    };
-
-  virtualisation = {
-    docker = {
-      enable = true; # sadly podman is not supported rightnow
-      extraOptions = ''
-        --data-root /data/docker
-      '';
-    };
-
-    oci-containers = {
-      backend = "docker";
-      containers."drone-db" = {
-        image = "postgres:14";
-        autoStart = true;
-        user = "994";
-        volumes = [ "/var/lib/drone-db:/var/lib/postgresql/data" ];
-        extraOptions = [ "--network=drone-net" ];
-        environmentFiles = [ config.age.secrets.drone-db-secrets.path ];
-      };
-      containers."drone-server" = {
-        image = "drone/drone:2";
-        autoStart = true;
-        user = "994";
-        ports = [ "127.0.0.1:4000:80" ];
-        dependsOn = [ "drone-db" ];
-        extraOptions = [
-          "--network=drone-net"
-          "--pull=always"
-          "--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
-        ];
-        environment = {
-          DRONE_GITEA_SERVER = "https://git.${config.pub-solar-os.networking.domain}";
-          DRONE_SERVER_HOST = "ci.${config.pub-solar-os.networking.domain}";
-          DRONE_SERVER_PROTO = "https";
-          DRONE_DATABASE_DRIVER = "postgres";
-        };
-        environmentFiles = [ config.age.secrets.drone-secrets.path ];
-      };
-      containers."drone-docker-runner" = {
-        image = "drone/drone-runner-docker:1";
-        autoStart = true;
-        # needs to run as root
-        #user = "994";
-        volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
-        dependsOn = [ "drone-db" ];
-        extraOptions = [
-          "--network=drone-net"
-          "--pull=always"
-          "--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
-        ];
-        environment = {
-          DRONE_RPC_HOST = "ci.${config.pub-solar-os.networking.domain}";
-          DRONE_RPC_PROTO = "https";
-          DRONE_RUNNER_CAPACITY = "2";
-          DRONE_RUNNER_NAME = "flora-6-docker-runner";
-        };
-        environmentFiles = [ config.age.secrets.drone-secrets.path ];
-      };
-    };
-  };
-}

modules/forgejo-actions-runner/default.nix

@@ -1,67 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  flake,
-  ...
-}:
-{
-  age.secrets.forgejo-actions-runner-token = {
-    file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
-    mode = "440";
-  };
-
-  # Trust docker bridge interface traffic
-  # Needed for the docker runner to communicate with the act_runner cache
-  networking.firewall.trustedInterfaces = [ "br-+" ];
-
-  users.users.gitea-runner = {
-    home = "/var/lib/gitea-runner/flora-6";
-    useDefaultShell = true;
-    group = "gitea-runner";
-    isSystemUser = true;
-  };
-
-  users.groups.gitea-runner = { };
-
-  systemd.services."gitea-runner-flora\\x2d6".serviceConfig = {
-    DynamicUser = lib.mkForce false;
-  };
-
-  systemd.tmpfiles.rules = [
-    "d '/data/gitea-actions-runner' 0750 gitea-runner gitea-runner - -"
-    "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -"
-  ];
-
-  # forgejo actions runner
-  # https://forgejo.org/docs/latest/admin/actions/
-  # https://docs.gitea.com/usage/actions/quickstart
-  services.gitea-actions-runner = {
-    package = pkgs.forgejo-runner;
-    instances."flora-6" = {
-      enable = true;
-      name = config.networking.hostName;
-      url = "https://git.pub.solar";
-      tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
-      settings = {
-        cache = {
-          enabled = true;
-          dir = "/data/gitea-actions-runner/actcache";
-          host = "";
-          port = 0;
-          external_server = "";
-        };
-      };
-      labels = [
-        # provide a debian 12 bookworm base with Node.js for actions
-        "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
-        # fake the ubuntu name, commonly used in actions examples
-        "ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
-        # alpine with Node.js
-        "alpine-latest:docker://node:20-alpine"
-        # nix flakes enabled image with Node.js
-        "nix-flakes:docker://git.pub.solar/pub-solar/nix-flakes-node:latest"
-      ];
-    };
-  };
-}

modules/forgejo/default.nix

@@ -141,6 +141,12 @@
         LOGIN_REMEMBER_DAYS = 365;
       };
 
+      # See https://docs.gitea.com/administration/config-cheat-sheet#migrations-migrations
+      migrations = {
+        # This allows migrations from the same forgejo instance
+        ALLOW_LOCALNETWORKS = true;
+      };
+
       # https://forgejo.org/docs/next/admin/config-cheat-sheet/#indexer-indexer
       indexer = {
         REPO_INDEXER_ENABLED = true;
@@ -163,7 +169,7 @@
   # gitea gitconfig
   programs.gnupg.agent = {
     enable = true;
-    pinentryFlavor = "curses";
+    pinentryPackage = pkgs.pinentry-curses;
   };
   # Required to make gpg work without a graphical environment?
   # otherwise generating a new gpg key fails with this error:
@@ -182,7 +188,7 @@
       OnCalendar = "*-*-* 00:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     backupPrepareCommand = ''
       ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d gitea > /tmp/forgejo-backup.sql

modules/garage/default.nix

@@ -0,0 +1,142 @@
+{
+  config,
+  lib,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  age.secrets."garage-rpc-secret" = {
+    file = "${flake.self}/secrets/garage-rpc-secret.age";
+    mode = "400";
+  };
+
+  age.secrets."garage-admin-token" = {
+    file = "${flake.self}/secrets/garage-admin-token.age";
+    mode = "400";
+  };
+
+  age.secrets."acme-namecheap-env" = {
+    file = "${flake.self}/secrets/acme-namecheap-env.age";
+    mode = "400";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    3900
+    3901
+    3902
+  ];
+
+  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 3903 ];
+
+  security.acme = {
+    defaults = {
+      # LEGO_DISABLE_CNAME_SUPPORT=true set here to fix issues with CNAME
+      # detection, as we use wildcard DNS for garage
+      environmentFile = config.age.secrets.acme-namecheap-env.path;
+    };
+    certs = {
+      # Wildcard certificate gets created automatically
+      "buckets.${config.pub-solar-os.networking.domain}" = {
+        # disable http challenge
+        webroot = null;
+        # enable dns challenge
+        dnsProvider = "namecheap";
+      };
+      # Wildcard certificate gets created automatically
+      "web.${config.pub-solar-os.networking.domain}" = {
+        # disable http challenge
+        webroot = null;
+        # enable dns challenge
+        dnsProvider = "namecheap";
+      };
+    };
+  };
+
+  services.nginx = {
+    upstreams.s3_backend.servers = {
+      "[::1]:3900" = { };
+    };
+    upstreams.web_backend.servers = {
+      "[::1]:3902" = { };
+    };
+    virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = {
+      serverAliases = [ "*.buckets.${config.pub-solar-os.networking.domain}" ];
+
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://s3_backend";
+        extraConfig = ''
+          client_max_body_size 64m;
+          proxy_max_temp_file_size 0;
+        '';
+      };
+    };
+    virtualHosts."web.${config.pub-solar-os.networking.domain}" = {
+      serverAliases = [ "*.web.${config.pub-solar-os.networking.domain}" ];
+
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://web_backend";
+      };
+    };
+  };
+
+  services.garage = {
+    enable = true;
+    package = pkgs.garage_1_0_1;
+    settings = {
+      data_dir = "/var/lib/garage/data";
+      metadata_dir = "/var/lib/garage/meta";
+      db_engine = "lmdb";
+      replication_factor = 3;
+      compression_level = 2;
+      rpc_bind_addr = "[::]:3901";
+      s3_api = {
+        s3_region = "eu-central";
+        api_bind_addr = "[::]:3900";
+        root_domain = ".buckets.${config.pub-solar-os.networking.domain}";
+      };
+      s3_web = {
+        bind_addr = "[::]:3902";
+        root_domain = ".web.${config.pub-solar-os.networking.domain}";
+        index = "index.html";
+      };
+      admin = {
+        api_bind_addr = "[::]:3903";
+      };
+    };
+  };
+
+  users.users.garage = {
+    isSystemUser = true;
+    home = "/var/lib/garage";
+    group = "garage";
+  };
+
+  users.groups.garage = { };
+
+  # Adapted from https://git.clan.lol/clan/clan-core/src/commit/23a9e35c665ff531fe1193dcc47056432fbbeacf/clanModules/garage/default.nix
+  # Disabled DynamicUser https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/garage.nix
+  # for mounts + permissions to work
+  systemd.services.garage = {
+    serviceConfig = {
+      user = "garage";
+      group = "garage";
+      DynamicUser = false;
+      LoadCredential = [
+        "rpc_secret_path:${config.age.secrets.garage-rpc-secret.path}"
+        "admin_token_path:${config.age.secrets.garage-admin-token.path}"
+      ];
+      Environment = [
+        "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
+        "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
+        "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
+      ];
+    };
+  };
+}

modules/grafana/default.nix

@@ -33,15 +33,17 @@
       group = "grafana";
       user = "grafana";
     };
+    "grafana-dashboards/grafana-garage-dashboard-prometheus.json" = {
+      source = ./grafana-dashboards/grafana-garage-dashboard-prometheus.json;
+      group = "grafana";
+      user = "grafana";
+    };
   };
 
-  services.caddy.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
-    logFormat = lib.mkForce ''
-      output discard
-    '';
-    extraConfig = ''
-      reverse_proxy :${toString config.services.grafana.settings.server.http_port}
-    '';
+  services.nginx.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
   };
 
   services.grafana = {
@@ -64,7 +66,7 @@
         password = "\$__file{${config.age.secrets.grafana-smtp-password.path}}";
         from_address = "no-reply@pub.solar";
         from_name = "grafana.pub.solar";
-        ehlo_identity = "flora-6.pub.solar";
+        ehlo_identity = "grafana.pub.solar";
       };
       security = {
         admin_email = "crew@pub.solar";

modules/grafana/grafana-dashboards/node-exporter-full_rev33.json

@@ -1,47 +1,4 @@
 {
-  "__inputs": [
-    {
-      "name": "DS_PROMETHEUS",
-      "label": "Prometheus",
-      "description": "",
-      "type": "datasource",
-      "pluginId": "prometheus",
-      "pluginName": "Prometheus"
-    }
-  ],
-  "__elements": {},
-  "__requires": [
-    {
-      "type": "panel",
-      "id": "gauge",
-      "name": "Gauge",
-      "version": ""
-    },
-    {
-      "type": "grafana",
-      "id": "grafana",
-      "name": "Grafana",
-      "version": "9.4.3"
-    },
-    {
-      "type": "datasource",
-      "id": "prometheus",
-      "name": "Prometheus",
-      "version": "1.0.0"
-    },
-    {
-      "type": "panel",
-      "id": "stat",
-      "name": "Stat",
-      "version": ""
-    },
-    {
-      "type": "panel",
-      "id": "timeseries",
-      "name": "Time series",
-      "version": ""
-    }
-  ],
   "annotations": {
     "list": [
       {
@@ -69,7 +26,6 @@
   "fiscalYearStartMonth": 0,
   "gnetId": 1860,
   "graphTooltip": 1,
-  "id": null,
   "links": [
     {
       "icon": "external link",
@@ -171,6 +127,8 @@
       "id": 20,
       "links": [],
       "options": {
+        "minVizHeight": 75,
+        "minVizWidth": 75,
         "orientation": "horizontal",
         "reduceOptions": {
           "calcs": ["lastNotNull"],
@@ -178,9 +136,10 @@
           "values": false
         },
         "showThresholdLabels": false,
-        "showThresholdMarkers": true
+        "showThresholdMarkers": true,
+        "sizing": "auto"
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -257,6 +216,8 @@
       "id": 155,
       "links": [],
       "options": {
+        "minVizHeight": 75,
+        "minVizWidth": 75,
         "orientation": "horizontal",
         "reduceOptions": {
           "calcs": ["lastNotNull"],
@@ -264,9 +225,10 @@
           "values": false
         },
         "showThresholdLabels": false,
-        "showThresholdMarkers": true
+        "showThresholdMarkers": true,
+        "sizing": "auto"
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -343,6 +305,8 @@
       "id": 19,
       "links": [],
       "options": {
+        "minVizHeight": 75,
+        "minVizWidth": 75,
         "orientation": "horizontal",
         "reduceOptions": {
           "calcs": ["lastNotNull"],
@@ -350,9 +314,10 @@
           "values": false
         },
         "showThresholdLabels": false,
-        "showThresholdMarkers": true
+        "showThresholdMarkers": true,
+        "sizing": "auto"
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -419,6 +384,8 @@
       "id": 16,
       "links": [],
       "options": {
+        "minVizHeight": 75,
+        "minVizWidth": 75,
         "orientation": "horizontal",
         "reduceOptions": {
           "calcs": ["lastNotNull"],
@@ -426,9 +393,10 @@
           "values": false
         },
         "showThresholdLabels": false,
-        "showThresholdMarkers": true
+        "showThresholdMarkers": true,
+        "sizing": "auto"
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -521,6 +489,8 @@
       "id": 21,
       "links": [],
       "options": {
+        "minVizHeight": 75,
+        "minVizWidth": 75,
         "orientation": "horizontal",
         "reduceOptions": {
           "calcs": ["lastNotNull"],
@@ -528,9 +498,10 @@
           "values": false
         },
         "showThresholdLabels": false,
-        "showThresholdMarkers": true
+        "showThresholdMarkers": true,
+        "sizing": "auto"
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -605,6 +576,8 @@
       "id": 154,
       "links": [],
       "options": {
+        "minVizHeight": 75,
+        "minVizWidth": 75,
         "orientation": "horizontal",
         "reduceOptions": {
           "calcs": ["lastNotNull"],
@@ -612,9 +585,10 @@
           "values": false
         },
         "showThresholdLabels": false,
-        "showThresholdMarkers": true
+        "showThresholdMarkers": true,
+        "sizing": "auto"
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -693,9 +667,10 @@
           "fields": "",
           "values": false
         },
-        "textMode": "auto"
+        "textMode": "auto",
+        "wideLayout": true
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -772,9 +747,10 @@
           "fields": "",
           "values": false
         },
-        "textMode": "auto"
+        "textMode": "auto",
+        "wideLayout": true
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -857,9 +833,10 @@
           "fields": "",
           "values": false
         },
-        "textMode": "auto"
+        "textMode": "auto",
+        "wideLayout": true
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -940,9 +917,10 @@
           "fields": "",
           "values": false
         },
-        "textMode": "auto"
+        "textMode": "auto",
+        "wideLayout": true
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -1021,9 +999,10 @@
           "fields": "",
           "values": false
         },
-        "textMode": "auto"
+        "textMode": "auto",
+        "wideLayout": true
       },
-      "pluginVersion": "9.4.3",
+      "pluginVersion": "10.2.7",
       "targets": [
         {
           "datasource": {
@@ -1081,6 +1060,7 @@
             "mode": "palette-classic"
           },
           "custom": {
+            "axisBorderShow": false,
             "axisCenteredZero": false,
             "axisColorMode": "text",
             "axisLabel": "",
@@ -1094,6 +1074,7 @@
               "tooltip": false,
               "viz": false
             },
+            "insertNulls": false,
             "lineInterpolation": "smooth",
             "lineWidth": 1,
             "pointSize": 5,
@@ -1361,6 +1342,7 @@
             "mode": "palette-classic"
           },
           "custom": {
+            "axisBorderShow": false,
             "axisCenteredZero": false,
             "axisColorMode": "text",
             "axisLabel": "",
@@ -1374,6 +1356,7 @@
               "tooltip": false,
               "viz": false
             },
+            "insertNulls": false,
             "lineInterpolation": "linear",
             "lineWidth": 1,
             "pointSize": 5,
@@ -1879,6 +1862,7 @@
             "mode": "palette-classic"
           },
           "custom": {
+            "axisBorderShow": false,
             "axisCenteredZero": false,
             "axisColorMode": "text",
             "axisLabel": "",
@@ -1892,6 +1876,7 @@
               "tooltip": false,
               "viz": false
             },
+            "insertNulls": false,
             "lineInterpolation": "linear",
             "lineWidth": 1,
             "pointSize": 5,
@@ -2347,6 +2332,7 @@
             "mode": "palette-classic"
           },
           "custom": {
+            "axisBorderShow": false,
             "axisCenteredZero": false,
             "axisColorMode": "text",
             "axisLabel": "",
@@ -2360,6 +2346,7 @@
               "tooltip": false,
               "viz": false
             },
+            "insertNulls": false,
             "lineInterpolation": "linear",
             "lineWidth": 1,
             "pointSize": 5,
@@ -13021,8 +13008,7 @@
                 "mode": "absolute",
                 "steps": [
                   {
-                    "color": "green",
-                    "value": null
+                    "color": "green"
                   },
                   {
                     "color": "red",
@@ -13226,8 +13212,7 @@
                 "mode": "absolute",
                 "steps": [
                   {
-                    "color": "green",
-                    "value": null
+                    "color": "green"
                   },
                   {
                     "color": "red",
@@ -23154,8 +23139,7 @@
   ],
   "refresh": "",
   "revision": 1,
-  "schemaVersion": 38,
-  "style": "dark",
+  "schemaVersion": 39,
   "tags": ["linux"],
   "templating": {
     "list": [
@@ -23178,7 +23162,11 @@
         "type": "datasource"
       },
       {
-        "current": {},
+        "current": {
+          "selected": false,
+          "text": "node-exporter",
+          "value": "node-exporter"
+        },
         "datasource": {
           "type": "prometheus",
           "uid": "${DS_PROMETHEUS}"
@@ -23204,7 +23192,11 @@
         "useTags": false
       },
       {
-        "current": {},
+        "current": {
+          "selected": true,
+          "text": "nachtigall",
+          "value": "nachtigall"
+        },
         "datasource": {
           "type": "prometheus",
           "uid": "${DS_PROMETHEUS}"
@@ -23274,6 +23266,6 @@
   "timezone": "browser",
   "title": "Node Exporter Full",
   "uid": "rYdddlPWk",
-  "version": 87,
+  "version": 2,
   "weekStart": ""
 }

modules/keycloak/default.nix

@@ -6,23 +6,22 @@
   ...
 }:
 {
-  options.pub-solar-os.auth = {
-    enable = lib.mkEnableOption "Enable keycloak to run on the node";
+  options.pub-solar-os.auth = with lib; {
+    enable = mkEnableOption "Enable keycloak to run on the node";
 
-    realm = lib.mkOption {
+    realm = mkOption {
       description = "Name of the realm";
-      type = lib.types.str;
+      type = types.str;
       default = config.pub-solar-os.networking.domain;
     };
+
+    database-password-file = mkOption {
+      description = "Database password file path";
+      type = types.str;
+    };
   };
 
   config = lib.mkIf config.pub-solar-os.auth.enable {
-    age.secrets.keycloak-database-password = {
-      file = "${flake.self}/secrets/keycloak-database-password.age";
-      mode = "600";
-      #owner = "keycloak";
-    };
-
     services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = {
       enableACME = true;
       forceSSL = true;
@@ -46,13 +45,12 @@
     # keycloak
     services.keycloak = {
       enable = true;
-      database.passwordFile = config.age.secrets.keycloak-database-password.path;
+      database.passwordFile = config.pub-solar-os.auth.database-password-file;
       settings = {
         hostname = "auth.${config.pub-solar-os.networking.domain}";
         http-host = "127.0.0.1";
         http-port = 8080;
         proxy = "edge";
-        features = "declarative-user-profile";
       };
       themes = {
         "pub.solar" =
@@ -60,14 +58,12 @@
       };
     };
 
-    services.restic.backups.keycloak-storagebox = {
+    pub-solar-os.backups.restic.keycloak = {
       paths = [ "/tmp/keycloak-backup.sql" ];
       timerConfig = {
         OnCalendar = "*-*-* 03:00:00 Etc/UTC";
       };
       initialize = true;
-      passwordFile = config.age.secrets."restic-repo-storagebox".path;
-      repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
       backupPrepareCommand = ''
         ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
       '';

modules/loki/default.nix

@@ -48,7 +48,6 @@
         };
       };
       chunk_store_config = {
-        max_look_back_period = "0s";
         chunk_cache_config = {
           embedded_cache = {
             enabled = true;
@@ -64,8 +63,8 @@
         split_queries_by_interval = "0";
       };
       compactor = {
-        shared_store = "filesystem";
         compaction_interval = "10m";
+        delete_request_store = "filesystem";
         retention_enabled = true;
         retention_delete_delay = "2h";
         retention_delete_worker_count = 150;
@@ -82,6 +81,16 @@
               period = "24h";
             };
           }
+          {
+            from = "2024-05-31";
+            store = "tsdb";
+            object_store = "filesystem";
+            schema = "v13";
+            index = {
+              prefix = "index_";
+              period = "24h";
+            };
+          }
         ];
       };
     };
@@ -99,7 +108,7 @@
       };
       clients = [
         {
-          url = "http://flora-6.wg.pub.solar:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
+          url = "http://trinkgenossin.wg.pub.solar:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
         }
       ];
       scrape_configs = [
@@ -109,7 +118,7 @@
             max_age = "24h";
             labels = {
               job = "systemd-journal";
-              host = "flora-6";
+              host = "trinkgenossin";
             };
           };
           relabel_configs = [

modules/mail/default.nix

@@ -67,4 +67,20 @@
   };
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "security@pub.solar";
+
+  pub-solar-os.backups.restic.mail = {
+    paths = [
+      "/var/vmail"
+      "/var/dkim"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 02:00:00 Etc/UTC";
+    };
+    initialize = true;
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+    ];
+  };
 }

modules/mailman/default.nix

@@ -91,7 +91,7 @@
       OnCalendar = "*-*-* 02:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     pruneOpts = [
       "--keep-daily 7"

modules/mastodon/default.nix

@@ -7,6 +7,21 @@
 }:
 
 {
+  age.secrets."mastodon-active-record-encryption-deterministic-key" = {
+    file = "${flake.self}/secrets//mastodon-active-record-encryption-deterministic-key.age";
+    mode = "400";
+    owner = config.services.mastodon.user;
+  };
+  age.secrets."mastodon-active-record-encryption-key-derivation-salt" = {
+    file = "${flake.self}/secrets//mastodon-active-record-encryption-key-derivation-salt.age";
+    mode = "400";
+    owner = config.services.mastodon.user;
+  };
+  age.secrets."mastodon-active-record-encryption-primary-key" = {
+    file = "${flake.self}/secrets//mastodon-active-record-encryption-primary-key.age";
+    mode = "400";
+    owner = config.services.mastodon.user;
+  };
   age.secrets."mastodon-secret-key-base" = {
     file = "${flake.self}/secrets/mastodon-secret-key-base.age";
     mode = "400";
@@ -54,6 +69,9 @@
     webProcesses = 2;
     # Threads per process used by the mastodon-web service
     webThreads = 5;
+    activeRecordEncryptionDeterministicKeyFile = "/run/agenix/mastodon-active-record-encryption-deterministic-key";
+    activeRecordEncryptionKeyDerivationSaltFile = "/run/agenix/mastodon-active-record-encryption-key-derivation-salt";
+    activeRecordEncryptionPrimaryKeyFile = "/run/agenix/mastodon-active-record-encryption-primary-key";
     secretKeyBaseFile = "/run/agenix/mastodon-secret-key-base";
     otpSecretFile = "/run/agenix/mastodon-otp-secret";
     vapidPrivateKeyFile = "/run/agenix/mastodon-vapid-private-key";
@@ -67,20 +85,20 @@
       passwordFile = "/run/agenix/mastodon-smtp-password";
       fromAddress = "mastodon-notifications@pub.solar";
     };
+    # Defined in ./opensearch.nix
+    elasticsearch.host = "127.0.0.1";
     mediaAutoRemove = {
       olderThanDays = 7;
     };
     extraEnvFiles = [ "/run/agenix/mastodon-extra-env-secrets" ];
     extraConfig = {
       WEB_DOMAIN = "mastodon.${config.pub-solar-os.networking.domain}";
-      # Defined in ./opensearch.nix
-      ES_HOST = "127.0.0.1";
       # S3 File storage (optional)
       # -----------------------
       S3_ENABLED = "true";
-      S3_BUCKET = "pub-solar-mastodon";
-      S3_REGION = "europe-west-1";
-      S3_ENDPOINT = "https://gateway.tardigradeshare.io";
+      S3_BUCKET = "mastodon";
+      S3_REGION = "eu-central";
+      S3_ENDPOINT = "https://buckets.pub.solar";
       S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}";
       # Translation (optional)
       # -----------------------
@@ -106,7 +124,7 @@
       OnCalendar = "*-*-* 04:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     backupPrepareCommand = ''
       ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mastodon > /tmp/mastodon-backup.sql

modules/matrix-irc/default.nix

@@ -16,11 +16,6 @@ let
   synapseClientPort = "${toString listenerWithClient.port}";
 in
 {
-  systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
-    "@system-service @pkey"
-    "~@privileged @resources"
-    "@chown"
-  ];
   services.matrix-appservice-irc = {
     enable = true;
     localpart = "irc_bot";
@@ -40,7 +35,8 @@ in
           port = 1113;
         };
         logging = {
-          level = "debug";
+          # set to debug for debugging
+          level = "warn";
           maxFiles = 5;
           toCosole = true;
         };

modules/matrix/default.nix

@@ -1,6 +1,7 @@
 {
   flake,
   config,
+  lib,
   pkgs,
   ...
 }:
@@ -9,272 +10,324 @@ let
   serverDomain = "${config.pub-solar-os.networking.domain}";
 in
 {
-  age.secrets."matrix-synapse-signing-key" = {
-    file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
-    mode = "400";
-    owner = "matrix-synapse";
+  options.pub-solar-os = {
+    matrix = {
+      enable = lib.mkEnableOption "Enable matrix-synapse and matrix-authentication-service to run on the node";
+
+      synapse = {
+        app-service-config-files = lib.mkOption {
+          description = "List of app service config files";
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+        };
+
+        extra-config-files = lib.mkOption {
+          description = "List of extra synapse config files";
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+        };
+
+        signing_key_path = lib.mkOption {
+          description = "Path to file containing the signing key";
+          type = lib.types.str;
+          default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
+        };
+
+        sliding-sync.enable = lib.mkEnableOption {
+          description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+";
+          default = false;
+        };
+      };
+
+      matrix-authentication-service = {
+        extra-config-files = lib.mkOption {
+          description = "List of extra mas config files";
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+        };
+      };
+    };
   };
 
-  age.secrets."matrix-synapse-secret-config.yaml" = {
-    file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
-    mode = "400";
-    owner = "matrix-synapse";
-  };
-
-  age.secrets."matrix-synapse-sliding-sync-secret" = {
-    file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
-    mode = "400";
-    owner = "matrix-synapse";
-  };
-
-  services.matrix-synapse = {
-    enable = true;
-    settings = {
-      server_name = serverDomain;
-      public_baseurl = "https://${publicDomain}/";
-      database = {
-        name = "psycopg2";
-        args = {
-          host = "/run/postgresql";
-          cp_max = 10;
-          cp_min = 5;
-          database = "matrix";
+  config = lib.mkIf config.pub-solar-os.matrix.enable {
+    services.matrix-synapse = {
+      enable = true;
+      settings = {
+        server_name = serverDomain;
+        public_baseurl = "https://${publicDomain}/";
+        database = {
+          name = "psycopg2";
+          args = {
+            host = "/run/postgresql";
+            cp_max = 10;
+            cp_min = 5;
+            database = "matrix";
+          };
+          allow_unsafe_locale = false;
+          txn_limit = 0;
         };
-        allow_unsafe_locale = false;
-        txn_limit = 0;
-      };
-      listeners = [
-        {
-          bind_addresses = [ "127.0.0.1" ];
-          port = 8008;
-          resources = [
-            {
-              compress = true;
-              names = [ "client" ];
-            }
-            {
-              compress = false;
-              names = [ "federation" ];
-            }
-          ];
-          tls = false;
-          type = "http";
-          x_forwarded = true;
-        }
-        {
-          bind_addresses = [ "127.0.0.1" ];
-          port = 8012;
-          resources = [ { names = [ "metrics" ]; } ];
-          tls = false;
-          type = "metrics";
-        }
-      ];
+        listeners = [
+          {
+            bind_addresses = [ "127.0.0.1" ];
+            port = 8008;
+            resources = [
+              {
+                compress = true;
+                names = [ "client" ];
+              }
+              {
+                compress = false;
+                names = [ "federation" ];
+              }
+            ];
+            tls = false;
+            type = "http";
+            x_forwarded = true;
+          }
+          {
+            bind_addresses = [ "127.0.0.1" ];
+            port = 8012;
+            resources = [ { names = [ "metrics" ]; } ];
+            tls = false;
+            type = "metrics";
+          }
+        ];
 
-      account_threepid_delegates.msisdn = "";
-      alias_creation_rules = [
-        {
-          action = "allow";
-          alias = "*";
-          room_id = "*";
-          user_id = "*";
-        }
-      ];
-      allow_guest_access = false;
-      allow_public_rooms_over_federation = true;
-      allow_public_rooms_without_auth = false;
-      auto_join_rooms = [
-        "#community:${serverDomain}"
-        "#general:${serverDomain}"
-      ];
+        account_threepid_delegates.msisdn = "";
+        alias_creation_rules = [
+          {
+            action = "allow";
+            alias = "*";
+            room_id = "*";
+            user_id = "*";
+          }
+        ];
+        allow_guest_access = false;
+        allow_public_rooms_over_federation = true;
+        allow_public_rooms_without_auth = false;
+        auto_join_rooms = [
+          "#community:${serverDomain}"
+          "#general:${serverDomain}"
+        ];
 
-      autocreate_auto_join_rooms = true;
-      caches.global_factor = 0.5;
+        autocreate_auto_join_rooms = true;
+        caches.global_factor = 0.5;
 
-      default_room_version = "10";
-      disable_msisdn_registration = true;
-      enable_media_repo = true;
-      enable_metrics = true;
-      mau_stats_only = true;
-      enable_registration = false;
-      enable_registration_captcha = false;
-      enable_registration_without_verification = false;
-      enable_room_list_search = true;
-      encryption_enabled_by_default_for_room_type = "off";
-      event_cache_size = "100K";
-      federation_rr_transactions_per_room_per_second = 50;
-      federation_client_minimum_tls_version = "1.2";
-      forget_rooms_on_leave = true;
-      include_profile_data_on_invite = true;
-      instance_map = { };
-      limit_profile_requests_to_users_who_share_rooms = false;
+        default_room_version = "10";
+        disable_msisdn_registration = true;
+        enable_media_repo = true;
+        enable_metrics = true;
+        mau_stats_only = true;
+        enable_registration = false;
+        enable_registration_captcha = false;
+        enable_registration_without_verification = false;
+        enable_room_list_search = true;
+        encryption_enabled_by_default_for_room_type = "off";
+        event_cache_size = "100K";
+        federation_rr_transactions_per_room_per_second = 50;
+        federation_client_minimum_tls_version = "1.2";
+        forget_rooms_on_leave = true;
+        include_profile_data_on_invite = true;
+        instance_map = { };
+        limit_profile_requests_to_users_who_share_rooms = false;
 
-      log_config = ./matrix-log-config.yaml;
+        max_spider_size = "10M";
+        max_upload_size = "50M";
+        media_storage_providers = [ ];
 
-      max_spider_size = "10M";
-      max_upload_size = "50M";
-      media_storage_providers = [ ];
+        password_config = {
+          enabled = false;
+          localdb_enabled = false;
+          pepper = "";
+        };
 
-      password_config = {
-        enabled = false;
-        localdb_enabled = false;
-        pepper = "";
-      };
+        presence.enabled = true;
+        push.include_content = false;
 
-      presence.enabled = true;
-      push.include_content = false;
-
-      rc_admin_redaction = {
-        burst_count = 50;
-        per_second = 1;
-      };
-      rc_federation = {
-        concurrent = 3;
-        reject_limit = 50;
-        sleep_delay = 500;
-        sleep_limit = 10;
-        window_size = 1000;
-      };
-      rc_invites = {
-        per_issuer = {
+        rc_admin_redaction = {
+          burst_count = 50;
+          per_second = 1;
+        };
+        rc_federation = {
+          concurrent = 3;
+          reject_limit = 50;
+          sleep_delay = 500;
+          sleep_limit = 10;
+          window_size = 1000;
+        };
+        rc_invites = {
+          per_issuer = {
+            burst_count = 10;
+            per_second = 0.3;
+          };
+          per_room = {
+            burst_count = 10;
+            per_second = 0.3;
+          };
+          per_user = {
+            burst_count = 5;
+            per_second = 3.0e-3;
+          };
+        };
+        rc_joins = {
+          local = {
+            burst_count = 10;
+            per_second = 0.1;
+          };
+          remote = {
+            burst_count = 10;
+            per_second = 1.0e-2;
+          };
+        };
+        rc_login = {
+          account = {
+            burst_count = 3;
+            per_second = 0.17;
+          };
+          address = {
+            burst_count = 3;
+            per_second = 0.17;
+          };
+          failed_attempts = {
+            burst_count = 3;
+            per_second = 0.17;
+          };
+        };
+        rc_message = {
           burst_count = 10;
-          per_second = 0.3;
+          per_second = 0.2;
         };
-        per_room = {
-          burst_count = 10;
-          per_second = 0.3;
-        };
-        per_user = {
-          burst_count = 5;
-          per_second = 3.0e-3;
-        };
-      };
-      rc_joins = {
-        local = {
-          burst_count = 10;
-          per_second = 0.1;
-        };
-        remote = {
-          burst_count = 10;
-          per_second = 1.0e-2;
-        };
-      };
-      rc_login = {
-        account = {
+        rc_registration = {
           burst_count = 3;
           per_second = 0.17;
         };
-        address = {
-          burst_count = 3;
-          per_second = 0.17;
-        };
-        failed_attempts = {
-          burst_count = 3;
-          per_second = 0.17;
+        redaction_retention_period = "7d";
+        forgotten_room_retention_period = "7d";
+        redis.enabled = false;
+        registration_requires_token = false;
+        registrations_require_3pid = [ "email" ];
+        report_stats = false;
+        require_auth_for_profile_requests = false;
+        room_list_publication_rules = [
+          {
+            action = "allow";
+            alias = "*";
+            room_id = "*";
+            user_id = "*";
+          }
+        ];
+
+        signing_key_path = config.pub-solar-os.matrix.synapse.signing_key_path;
+
+        stream_writers = { };
+        trusted_key_servers = [ { server_name = "matrix.org"; } ];
+        suppress_key_server_warning = true;
+
+        turn_allow_guests = false;
+        turn_uris = [
+          "turn:${config.services.coturn.realm}:3478?transport=udp"
+          "turn:${config.services.coturn.realm}:3478?transport=tcp"
+        ];
+        turn_user_lifetime = "1h";
+
+        url_preview_accept_language = [
+          "en-US"
+          "en"
+        ];
+        url_preview_enabled = true;
+        url_preview_ip_range_blacklist = [
+          "127.0.0.0/8"
+          "10.0.0.0/8"
+          "172.16.0.0/12"
+          "192.168.0.0/16"
+          "100.64.0.0/10"
+          "192.0.0.0/24"
+          "169.254.0.0/16"
+          "192.88.99.0/24"
+          "198.18.0.0/15"
+          "192.0.2.0/24"
+          "198.51.100.0/24"
+          "203.0.113.0/24"
+          "224.0.0.0/4"
+          "::1/128"
+          "fe80::/10"
+          "fc00::/7"
+          "2001:db8::/32"
+          "ff00::/8"
+          "fec0::/10"
+        ];
+
+        user_directory = {
+          prefer_local_users = false;
+          search_all_users = false;
         };
+        user_ips_max_age = "28d";
+
+        app_service_config_files = config.pub-solar-os.matrix.synapse.app-service-config-files;
       };
-      rc_message = {
-        burst_count = 10;
-        per_second = 0.2;
-      };
-      rc_registration = {
-        burst_count = 3;
-        per_second = 0.17;
-      };
-      redaction_retention_period = "7d";
-      forgotten_room_retention_period = "7d";
-      redis.enabled = false;
-      registration_requires_token = false;
-      registrations_require_3pid = [ "email" ];
-      report_stats = false;
-      require_auth_for_profile_requests = false;
-      room_list_publication_rules = [
-        {
-          action = "allow";
-          alias = "*";
-          room_id = "*";
-          user_id = "*";
-        }
+
+      withJemalloc = true;
+
+      extraConfigFiles = config.pub-solar-os.matrix.synapse.extra-config-files;
+
+      extras = [
+        "oidc"
+        "redis"
       ];
 
-      signing_key_path = "/run/agenix/matrix-synapse-signing-key";
-
-      stream_writers = { };
-      trusted_key_servers = [ { server_name = "matrix.org"; } ];
-      suppress_key_server_warning = true;
-
-      turn_allow_guests = false;
-      turn_uris = [
-        "turn:${config.services.coturn.realm}:3478?transport=udp"
-        "turn:${config.services.coturn.realm}:3478?transport=tcp"
-      ];
-      turn_user_lifetime = "1h";
-
-      url_preview_accept_language = [
-        "en-US"
-        "en"
-      ];
-      url_preview_enabled = true;
-      url_preview_ip_range_blacklist = [
-        "127.0.0.0/8"
-        "10.0.0.0/8"
-        "172.16.0.0/12"
-        "192.168.0.0/16"
-        "100.64.0.0/10"
-        "192.0.0.0/24"
-        "169.254.0.0/16"
-        "192.88.99.0/24"
-        "198.18.0.0/15"
-        "192.0.2.0/24"
-        "198.51.100.0/24"
-        "203.0.113.0/24"
-        "224.0.0.0/4"
-        "::1/128"
-        "fe80::/10"
-        "fc00::/7"
-        "2001:db8::/32"
-        "ff00::/8"
-        "fec0::/10"
-      ];
-
-      user_directory = {
-        prefer_local_users = false;
-        search_all_users = false;
-      };
-      user_ips_max_age = "28d";
-
-      app_service_config_files = [
-        "/var/lib/matrix-synapse/telegram-registration.yaml"
-        "/var/lib/matrix-appservice-irc/registration.yml"
-        # "/matrix-appservice-slack-registration.yaml"
-        # "/hookshot-registration.yml"
-        # "/matrix-mautrix-signal-registration.yaml"
-        # "/matrix-mautrix-telegram-registration.yaml"
-      ];
+      plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
     };
 
-    withJemalloc = true;
-
-    extraConfigFiles = [
-      "/run/agenix/matrix-synapse-secret-config.yaml"
-
-      # The registration file is automatically generated after starting the
-      # appservice for the first time.
-      # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
-      #   /var/lib/matrix-synapse/
-      # chown matrix-synapse:matrix-synapse \
-      #   /var/lib/matrix-synapse/telegram-registration.yaml
-      "/var/lib/matrix-synapse/telegram-registration.yaml"
-    ];
-
-    extras = [
-      "oidc"
-      "redis"
-    ];
-
-    plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
-
-    sliding-sync = {
+    services.matrix-authentication-service = {
       enable = true;
+      createDatabase = true;
+      extraConfigFiles = config.pub-solar-os.matrix.matrix-authentication-service.extra-config-files;
+
+      settings = {
+        http.public_base = "https://mas.${config.pub-solar-os.networking.domain}";
+        http.issuer = "https://mas.${config.pub-solar-os.networking.domain}";
+        http.listeners = [
+          {
+            name = "web";
+            resources = [
+              { name = "discovery"; }
+              { name = "human"; }
+              { name = "oauth"; }
+              { name = "compat"; }
+              { name = "graphql"; }
+              {
+                name = "assets";
+                path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets";
+              }
+            ];
+            binds = [
+              {
+                host = "0.0.0.0";
+                port = 8090;
+              }
+            ];
+            proxy_protocol = false;
+          }
+          {
+            name = "internal";
+            resources = [
+              { name = "health"; }
+            ];
+            binds = [
+              {
+                host = "0.0.0.0";
+                port = 8081;
+              }
+            ];
+            proxy_protocol = false;
+          }
+        ];
+        passwords.enabled = false;
+      };
+    };
+
+    services.matrix-sliding-sync = {
+      enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable;
       settings = {
         SYNCV3_SERVER = "https://${publicDomain}";
         SYNCV3_BINDADDR = "127.0.0.1:8011";
@@ -284,31 +337,29 @@ in
       };
       environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
     };
-  };
 
-  services.restic.backups.matrix-synapse-storagebox = {
-    paths = [
-      "/var/lib/matrix-synapse"
-      "/var/lib/matrix-appservice-irc"
-      "/var/lib/mautrix-telegram"
-      "/tmp/matrix-synapse-backup.sql"
-    ];
-    timerConfig = {
-      OnCalendar = "*-*-* 05:00:00 Etc/UTC";
+    pub-solar-os.backups.restic.matrix-synapse = {
+      paths = [
+        "/var/lib/matrix-synapse"
+        "/var/lib/matrix-appservice-irc"
+        "/var/lib/mautrix-telegram"
+        "/tmp/matrix-synapse-backup.sql"
+      ];
+      timerConfig = {
+        OnCalendar = "*-*-* 05:00:00 Etc/UTC";
+      };
+      initialize = true;
+      backupPrepareCommand = ''
+        ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
+      '';
+      backupCleanupCommand = ''
+        rm /tmp/matrix-synapse-backup.sql
+      '';
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+        "--keep-monthly 3"
+      ];
     };
-    initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
-    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
-    backupPrepareCommand = ''
-      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
-    '';
-    backupCleanupCommand = ''
-      rm /tmp/matrix-synapse-backup.sql
-    '';
-    pruneOpts = [
-      "--keep-daily 7"
-      "--keep-weekly 4"
-      "--keep-monthly 3"
-    ];
   };
 }

modules/matrix/matrix-log-config.yaml

@@ -1,40 +0,0 @@
-version: 1
-
-formatters:
-  precise:
-    format: "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s"
-
-filters:
-  context:
-    (): synapse.util.logcontext.LoggingContextFilter
-    request: ""
-
-handlers:
-  console:
-    class: logging.StreamHandler
-    formatter: precise
-    filters: [context]
-
-loggers:
-  synapse:
-    level: WARNING
-
-  synapse.storage.SQL:
-    # beware: increasing this to DEBUG will make synapse log sensitive
-    # information such as access tokens.
-    level: WARNING
-
-  synapse.http.matrixfederationclient:
-    level: CRITICAL
-  synapse.federation.sender.per_destination_queue:
-    level: CRITICAL
-  synapse.handlers.device:
-    level: CRITICAL
-  synapse.replication.tcp.handler:
-    level: CRITICAL
-  shared_secret_authenticator:
-    level: INFO
-
-root:
-  level: WARNING
-  handlers: [console]

modules/mediawiki/default.nix

@@ -211,7 +211,7 @@ in
       backend = "docker";
 
       containers."mediawiki" = {
-        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.41.1";
+        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.1";
         user = "1000:${builtins.toString gid}";
         autoStart = true;
 
@@ -232,4 +232,27 @@ in
       };
     };
   };
+
+  pub-solar-os.backups.restic.mediawiki = {
+    paths = [
+      "/var/lib/mediawiki/images"
+      "/var/lib/mediawiki/uploads"
+      "/tmp/mediawiki-backup.sql"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 00:30:00 Etc/UTC";
+    };
+    initialize = true;
+    backupPrepareCommand = ''
+      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mediawiki > /tmp/mediawiki-backup.sql
+    '';
+    backupCleanupCommand = ''
+      rm /tmp/mediawiki-backup.sql
+    '';
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+    ];
+  };
 }

modules/nextcloud/default.nix

@@ -31,7 +31,6 @@
     https = true;
     secretFile = config.age.secrets."nextcloud-secrets".path; # secret
     maxUploadSize = "1G";
-    skeletonDirectory = "./nextcloud-skeleton";
 
     configureRedis = true;
 
@@ -47,11 +46,11 @@
       dbtype = "pgsql";
       dbname = "nextcloud";
       dbtableprefix = "oc_";
-      overwriteProtocol = "https";
     };
 
-    extraOptions = {
+    settings = {
       overwrite.cli.url = "http://cloud.${config.pub-solar-os.networking.domain}";
+      overwriteprotocol = "https";
 
       installed = true;
       default_phone_region = "+49";
@@ -92,12 +91,13 @@
 
       auth.bruteforce.protection.enabled = true;
       trashbin_retention_obligation = "auto,7";
-      skeletondirectory = "";
+      skeletondirectory = "./nextcloud-skeleton";
       defaultapp = "file";
       activity_expire_days = "14";
       integrity.check.disabled = false;
       updater.release.channel = "stable";
-      loglevel = 0;
+      loglevel = 2;
+      debug = false;
       maintenance_window_start = "1";
       # maintenance = false;
       app_install_overwrite = [
@@ -111,6 +111,10 @@
 
     phpOptions = {
       "opcache.interned_strings_buffer" = "32";
+      "opcache.max_accelerated_files" = "16229";
+      "opcache.memory_consumption" = "256";
+      # https://docs.nextcloud.com/server/latest/admin_manual/installation/server_tuning.html#enable-php-opcache
+      "opcache.revalidate_freq" = "60";
       # https://docs.nextcloud.com/server/latest/admin_manual/installation/server_tuning.html#:~:text=opcache.jit%20%3D%201255%20opcache.jit_buffer_size%20%3D%20128m
       "opcache.jit" = "1255";
       "opcache.jit_buffer_size" = "128M";
@@ -141,7 +145,7 @@
       OnCalendar = "*-*-* 01:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     backupPrepareCommand = ''
       ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d nextcloud > /tmp/nextcloud-backup.sql

modules/nginx-mastodon-files/default.nix

@@ -1,8 +1,7 @@
 { config, ... }:
 
 let
-  objStorHost = "link.tardigradeshare.io";
-  objStorBucket = "s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon";
+  objStorHost = "mastodon.web.pub.solar";
 in
 {
   services.nginx.virtualHosts = {
@@ -10,6 +9,12 @@ in
       enableACME = true;
       forceSSL = true;
 
+      # Use variable to force nginx to perform a DNS resolution on its value,
+      # the IP of the object storage provider may not always remain the same.
+      extraConfig = ''
+        set $s3_backend 'https://${objStorHost}';
+      '';
+
       locations = {
         "= /" = {
           index = "index.html";
@@ -25,7 +30,6 @@ in
               deny all;
             }
 
-            resolver 8.8.8.8;
             proxy_set_header Host ${objStorHost};
             proxy_set_header Connection \'\';
             proxy_set_header Authorization \'\';
@@ -40,7 +44,7 @@ in
             proxy_hide_header x-amz-bucket-region;
             proxy_hide_header x-amzn-requestid;
             proxy_ignore_headers Set-Cookie;
-            proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
+            proxy_pass $s3_backend$request_uri;
             proxy_intercept_errors off;
             proxy_ssl_protocols TLSv1.2 TLSv1.3;
             proxy_ssl_server_name on;

modules/nginx-matrix/default.nix

@@ -10,11 +10,14 @@ let
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     add_header X-XSS-Protection "1; mode=block";
   '';
-  clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
+  clientConfig = import ./element-client-config.nix { inherit config lib pkgs; };
   wellKnownClient = domain: {
     "m.homeserver".base_url = "https://matrix.${domain}";
     "m.identity_server".base_url = "https://matrix.${domain}";
-    "org.matrix.msc3575.proxy".url = "https://matrix.${domain}";
+    "org.matrix.msc2965.authentication" = {
+      issuer = "https://mas.${domain}/";
+      account = "https://mas.${domain}/account";
+    };
     "im.vector.riot.e2ee".default = true;
     "io.element.e2ee" = {
       default = true;
@@ -85,6 +88,27 @@ in
       root = pkgs.element-stickerpicker;
     };
 
+    "mas.${config.pub-solar-os.networking.domain}" = {
+      root = "/dev/null";
+
+      forceSSL = lib.mkDefault true;
+      enableACME = lib.mkDefault true;
+
+      locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:8090";
+
+          extraConfig = ''
+            ${commonHeaders}
+            proxy_http_version 1.1;
+
+            # Forward the client IP address
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          '';
+        };
+      };
+    };
+
     "matrix.${config.pub-solar-os.networking.domain}" = {
       root = "/dev/null";
 
@@ -99,28 +123,41 @@ in
       locations = {
         # For telegram
         "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
+          priority = 100;
           proxyPass = "http://127.0.0.1:8009";
           extraConfig = commonHeaders;
         };
 
-        # sliding-sync
-        "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
-          proxyPass = "http://127.0.0.1:8011";
-          extraConfig = commonHeaders;
+        # Forward to the auth service
+        "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
+          priority = 100;
+          proxyPass = "http://127.0.0.1:8090";
+
+          extraConfig = ''
+            ${commonHeaders}
+            proxy_http_version 1.1;
+
+            # Forward the client IP address
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          '';
         };
 
-        "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
+        # Forward to Synapse
+        # as per https://element-hq.github.io/synapse/latest/reverse_proxy.html#nginx
+        "~ ^(/_matrix|/_synapse/client)" = {
+          priority = 200;
           proxyPass = "http://127.0.0.1:8008";
 
           extraConfig = ''
             ${commonHeaders}
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
 
             client_body_buffer_size 25M;
             client_max_body_size 50M;
             proxy_max_temp_file_size 0;
+            proxy_http_version 1.1;
           '';
         };
       };

modules/nginx-matrix/element-client-config.nix

@@ -1,9 +1,14 @@
-{ pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 {
   default_server_config = {
     "m.homeserver" = {
-      base_url = "https://matrix.pub.solar";
-      server_name = "pub.solar";
+      base_url = "https://matrix.${config.pub-solar-os.networking.domain}";
+      server_name = "${config.pub-solar-os.networking.domain}";
     };
     "m.identity_server" = {
       base_url = "";

modules/nginx-website/default.nix

@@ -7,7 +7,7 @@
   services.nginx.virtualHosts = {
     "www.${config.pub-solar-os.networking.domain}" = {
       enableACME = true;
-      addSSL = true;
+      forceSSL = true;
 
       extraConfig = ''
         error_log /dev/null;

modules/nginx/default.nix

@@ -10,9 +10,10 @@ let
   webserverGroup = "hakkonaut";
 in
 {
+  users.users.nginx.extraGroups = [ webserverGroup ];
+
   services.nginx = {
     enable = true;
-    group = webserverGroup;
     enableReload = true;
     proxyCachePath.cache = {
       enable = true;
@@ -21,6 +22,13 @@ in
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    resolver.addresses = [
+      # quad9.net
+      "9.9.9.9"
+      "149.112.112.112"
+      "[2620:fe::fe]"
+      "[2620:fe::9]"
+    ];
     appendHttpConfig = ''
       # https://my.f5.com/manage/s/article/K51798430
       proxy_headers_hash_bucket_size 128;

modules/obs-portal/default.nix

@@ -147,4 +147,26 @@ in
       };
     };
   };
+
+  pub-solar-os.backups.restic.obs-portal = {
+    paths = [
+      "/var/lib/obs-portal/data"
+      "/tmp/obs-portal-backup.sql"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 01:30:00 Etc/UTC";
+    };
+    initialize = true;
+    backupPrepareCommand = ''
+      ${pkgs.docker}/bin/docker exec -i --user postgres obs-portal-db pg_dump obs > /tmp/obs-portal-backup.sql
+    '';
+    backupCleanupCommand = ''
+      rm /tmp/obs-portal-backup.sql
+    '';
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+    ];
+  };
 }

modules/postgresql/default.nix

@@ -25,9 +25,4 @@
       full_page_writes = false;
     };
   };
-
-  systemd.services.postgresql = {
-    after = [ "var-lib-postgresql.mount" ];
-    requisite = [ "var-lib-postgresql.mount" ];
-  };
 }

modules/prometheus/alert-rules.nix

@@ -24,10 +24,10 @@ lib.mapAttrsToList
     #   description = "Configurations of AlertManager cluster instances are out of sync.";
     # };
 
-    #alert_manager_e2e_dead_man_switch = {
-    #  condition = "vector(1)";
-    #  description = "Prometheus DeadManSwitch is an always-firing alert. It's used as an end-to-end test of Prometheus through the Alertmanager.";
-    #};
+    alert_manager_e2e_dead_man_switch = {
+      condition = "vector(1)";
+      description = "Prometheus DeadManSwitch is an always-firing alert. It's used as an end-to-end test of Prometheus through the Alertmanager.";
+    };
 
     # prometheus_not_connected_to_alertmanager = {
     #   condition = "prometheus_notifications_alertmanagers_discovered < 1";
@@ -142,8 +142,8 @@ lib.mapAttrsToList
 
     cpu_using_90percent = {
       condition = ''100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) >= 90'';
-      time = "10m";
-      description = "{{$labels.instance}} is running with cpu usage > 90% for at least 10 minutes: {{$value}}";
+      time = "20m";
+      description = "{{$labels.instance}} is running with cpu usage > 90% for at least 20 minutes: {{$value}}";
     };
 
     reboot = {
@@ -234,10 +234,10 @@ lib.mapAttrsToList
       };
     */
 
-    host_memory_under_memory_pressure = {
-      condition = "rate(node_vmstat_pgmajfault[1m]) > 1000";
-      description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}";
-    };
+    #host_memory_under_memory_pressure = {
+    #  condition = "rate(node_vmstat_pgmajfault[1m]) > 1000";
+    #  description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}";
+    #};
 
     # ext4_errors = {
     #   condition = "ext4_errors_value > 0";
@@ -250,4 +250,10 @@ lib.mapAttrsToList
     #   description =
     #     "alertmanager: number of active silences has changed: {{$value}}";
     # };
+
+    garage_cluster_healthy = {
+      condition = "cluster_healthy == 0";
+      time = "15m";
+      description = "garage cluster on {{$labels.instance}} is not healthy: {{$labels.result}}!";
+    };
   })

modules/prometheus/default.nix

@@ -12,15 +12,27 @@
     owner = "alertmanager";
   };
 
-  services.caddy.virtualHosts."alerts.${config.pub-solar-os.networking.domain}" = {
-    logFormat = lib.mkForce ''
-      output discard
-    '';
-    extraConfig = ''
-      bind 10.7.6.2 fd00:fae:fae:fae:fae:2::
-      tls internal
-      reverse_proxy :${toString config.services.prometheus.alertmanager.port}
-    '';
+  security.acme.certs = {
+    "alerts.${config.pub-solar-os.networking.domain}" = {
+      # disable http challenge
+      webroot = null;
+      # enable dns challenge
+      dnsProvider = "namecheap";
+    };
+  };
+
+  services.nginx.virtualHosts."alerts.${config.pub-solar-os.networking.domain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    listenAddresses = [
+      "10.7.6.5"
+      "[fd00:fae:fae:fae:fae:5::]"
+    ];
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.prometheus.alertmanager.port}";
+    };
   };
 
   services.prometheus = {
@@ -41,12 +53,6 @@
       {
         job_name = "node-exporter";
         static_configs = [
-          {
-            targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
-            labels = {
-              instance = "flora-6";
-            };
-          }
           {
             targets = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ];
             labels = {
@@ -69,6 +75,30 @@
               instance = "tankstelle";
             };
           }
+          {
+            targets = [
+              "trinkgenossin.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
+            ];
+            labels = {
+              instance = "trinkgenossin";
+            };
+          }
+          {
+            targets = [
+              "delite.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
+            ];
+            labels = {
+              instance = "delite";
+            };
+          }
+          {
+            targets = [
+              "blue-shell.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
+            ];
+            labels = {
+              instance = "blue-shell";
+            };
+          }
         ];
       }
       {
@@ -83,6 +113,29 @@
           }
         ];
       }
+      {
+        job_name = "garage";
+        static_configs = [
+          {
+            targets = [ "trinkgenossin.wg.${config.pub-solar-os.networking.domain}:3903" ];
+            labels = {
+              instance = "trinkgenossin";
+            };
+          }
+          {
+            targets = [ "delite.wg.${config.pub-solar-os.networking.domain}:3903" ];
+            labels = {
+              instance = "delite";
+            };
+          }
+          {
+            targets = [ "blue-shell.wg.${config.pub-solar-os.networking.domain}:3903" ];
+            labels = {
+              instance = "blue-shell";
+            };
+          }
+        ];
+      }
     ];
 
     ruleFiles = [

modules/promtail/default.nix

@@ -18,7 +18,7 @@
       };
       clients = [
         {
-          url = "http://flora-6.wg.pub.solar:${toString flake.self.nixosConfigurations.flora-6.config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
+          url = "http://trinkgenossin.wg.pub.solar:${toString flake.self.nixosConfigurations.trinkgenossin.config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
         }
       ];
       scrape_configs = [

modules/tt-rss/default.nix

@@ -0,0 +1,82 @@
+{
+  flake,
+  config,
+  pkgs,
+  ...
+}:
+let
+  ttrss-auth-oidc = pkgs.stdenv.mkDerivation {
+    name = "ttrss-auth-oidc";
+    version = "7ebfbc91e92bb133beb907c6bde79279ee5156df";
+    src = pkgs.fetchgit {
+      url = "https://git.tt-rss.org/fox/ttrss-auth-oidc.git";
+      rev = "7ebfbc91e92bb133beb907c6bde79279ee5156df";
+      hash = "sha256-G6vZBvSWms6s6nHZWsxJjMGuubt/imiBvbp6ykwrZbg=";
+    };
+    installPhase = ''
+      mkdir -p $out/auth_oidc
+      cp -r * $out/auth_oidc
+    '';
+  };
+in
+{
+  age.secrets.tt-rss-database-password = {
+    file = "${flake.self}/secrets/tt-rss-database-password.age";
+    owner = "tt_rss";
+    mode = "600";
+  };
+  age.secrets.tt-rss-keycloak-client-secret = {
+    file = "${flake.self}/secrets/tt-rss-keycloak-client-secret.age";
+    owner = "tt_rss";
+    mode = "600";
+  };
+  age.secrets.tt-rss-smtp-password = {
+    file = "${flake.self}/secrets/tt-rss-smtp-password.age";
+    owner = "tt_rss";
+    mode = "600";
+  };
+  age.secrets.tt-rss-feed-crypt-key = {
+    file = "${flake.self}/secrets/tt-rss-feed-crypt-key.age";
+    owner = "tt_rss";
+    mode = "600";
+  };
+
+  services.nginx.virtualHosts."rss.${config.pub-solar-os.networking.domain}" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  services.tt-rss = {
+    enable = true;
+    virtualHost = "rss.${config.pub-solar-os.networking.domain}";
+    selfUrlPath = "https://rss.${config.pub-solar-os.networking.domain}";
+    root = "/var/lib/tt-rss";
+    logDestination = "";
+    plugins = [
+      "auth_internal"
+      "note"
+      "auth_oidc"
+    ];
+    pluginPackages = [ ttrss-auth-oidc ];
+    email = {
+      server = "mail.pub.solar";
+      security = "tls";
+      login = "admins@pub.solar";
+      fromName = "pub.solar RSS server";
+      fromAddress = "rss@pub.solar";
+      digestSubject = "[RSS] New headlines for last 24 hours";
+    };
+    database = {
+      passwordFile = config.age.secrets.tt-rss-database-password.path;
+      createLocally = true;
+    };
+    extraConfig = ''
+      putenv('TTRSS_SMTP_PASSWORD=' . file_get_contents('${config.age.secrets.tt-rss-smtp-password.path}'));
+      putenv('TTRSS_AUTH_OIDC_NAME=pub.solar ID');
+      putenv('TTRSS_AUTH_OIDC_URL=https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/');
+      putenv('TTRSS_AUTH_OIDC_CLIENT_ID=tt-rss');
+      putenv('TTRSS_AUTH_OIDC_CLIENT_SECRET=' . file_get_contents('${config.age.secrets.tt-rss-keycloak-client-secret.path}'));
+      putenv('TTRSS_FEED_CRYPT_KEY=' . file_get_contents('${config.age.secrets.tt-rss-feed-crypt-key.path}'));
+    '';
+  };
+}

modules/unlock-luks-on-boot/default.nix

@@ -0,0 +1,20 @@
+{ flake, config, ... }:
+{
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      # To prevent ssh clients from freaking out because a different host key is used,
+      # a different port for ssh is useful (assuming the same host has also a regular sshd running)
+      port = 2222;
+
+      # Please create this manually the first time.
+      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+    };
+    postCommands = ''
+      # Automatically ask for the password on SSH login
+      echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
+    '';
+  };
+}

overlays/default.nix

@@ -12,12 +12,12 @@
                 unstable = import inputs.unstable { system = prev.system; };
               in
               {
-                forgejo-runner = unstable.forgejo-runner;
-                prometheus-node-exporter = unstable.prometheus-node-exporter;
                 element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
                 element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
                   inherit (inputs) element-stickers maunium-stickerpicker;
                 };
+                mastodon = unstable.mastodon;
+                matrix-authentication-service = unstable.matrix-authentication-service;
               }
             )
           ];

secrets/acme-namecheap-env.age

@@ -0,0 +1,48 @@
+age-encryption.org/v1
+-> ssh-ed25519 NID4eA WtfgDmnK5l9s9DMhWgmk+tel+/uqPx8SHBd0qfWY3jk
+ZS3Qu4v3pnA+lYzJ3kad7T3LhcY7oE8fPsGQ1uQH1AA
+-> ssh-ed25519 9RQHxg SpHG3ijNizTi1YXvZCJS79Uwt4oGkYzqIme+eqQi9AQ
+GqVhyfaTF6tLwuo0vIby0vBv3JufHz59IdNX9ifWtSA
+-> ssh-ed25519 eP5MMw 9uU7tlyOzOxlsW/bfUmzjgicU3i2J5uCGWEVIljnHiM
+tDJdTB1rBJTXVaGFOOmtG5n2Ae0XOCsi41S0EagRmeM
+-> ssh-ed25519 uYcDNw ge+lEVE8+pS/S+eO+6sPqo/czym30CJbQnhTp11NsW4
+jxL7Xhn/7JRylJ/JbeGkmhMMeJ8G2KPEKVVq1icQXKU
+-> ssh-rsa f5THog
+Ybod3f7gvCiBUcNyLV6AXoBchtRGspQah9JwygSGCtBKmWPOUSw3/DVva9nPVwHB
+q4t05bEHINMZIoWy4l3VQ1jw+GTxW+6OeWDHrxHOG2hlu1/OT0tZnsQIjWwT/6Sg
+fzy6X04yD2ADkwHH6VJYjC2Lxa7kEOeCeKOACyyab7rlXk+HauytUDlcF3Nl3nOc
+JQZzfwIORU0XWVy+gDocwVqDaRJXZxhMW8oDjlU8BKgf/DpvExLfuZ9AHHJBU0Y9
+HefbTbGO1s5J0T+HEkuIDce9iPQEe8ufaSVO6tKyHpgguIAiLIkjqrdLNRmXv/y8
+9W653Xqar7fimd/sykb4K/PpdwvQcB9Ogy23t6s3Qxz5yPtC2m8IC3lgR+N+/nJO
+n29QuXFBNUZu/QBXnWMS2QF09MGE2aav/CiwFuNiTf5D4UGGN3Y7XhX/KVOFJTZX
+r1GLtch6rvD9RtfyKxAdbtCqbBEQJmoiut9ia5EzG4TvdPAE4XK3QNTn2BSmfjvI
+3aXiXOFSbdJqkxyI6ZU2mUMMor3OWrXxWizDDYef6iHZxGlWFqA/kVXyZgdwTK9n
+8Re6SYR8roH7T35eILzP4sskElN32UO/A+JyGfP1lOclGTlOrtp4HYTfY0NhhRJT
+L7YIB0pNbaRxMBsxsxwU47j3qMkaO1uzP+DgpUacWJY
+-> ssh-rsa kFDS0A
+GJjiIApapBS6F8pmh6lblCHG3FlVWL+WKN1Gi2u/6Pa1YbkiBCgYFTQBwm5GsBMR
+4tQwRJcQQDGgGddIH4/QcMAl1fTYLm3N1w8rueywgAbOwaWktKnJFYTj7lS6PSNr
+bZyqyiGvgi0oYYSVjRnm7MmCrycuKmhcGHv1ijj5J8yOxe6qFsomsn9QZm1DmR/m
+EZmc5DIYXjhuauzGgqtPVmjHi6hXTN8NX7Fg81aegko79yA12hmyHmaBj4P96Kqv
+RyWZ9Moc3ccyxq74jNzp0eFuPNhUJuNBqrKozCc2Lo3KQAmoqI27THkF/HA8ECGP
+BJDK7JdHBXyHhf/Fc5O5xOxHieIU8tHR0LLJn7VEvQyqTlKmWkZ5J53AqE8UDmm9
+0gY6zFh7h3SjyBwqktzGJ9zXn3bp4fpg0M1+SaYp9Qf6hkJ9k79Zth4s4ggxgvOl
+veib2sg3PCmL1OCMPMtyW3JkKsq0J+PtJdlAC9cmVvfvAMHKy2+aADsLt0H8Cpt2
+cNOxbnU29eLWgG9uzcCXfqqNtmSia6LUMu71GahAuteZUV8RnDOZdCNW4U2Ohnq/
+9znMqERVo0d3LgjaB0P3HXCCqhVFYTTDWg31R6N2RzSh7mb02CFgt7N+vHleQqAo
+G/6Pb+kKYSEbU884z95+o56eQrvPunCN9Vu1CjEBfG4
+-> piv-p256 vRzPNw A2dcPImS0ih5CjePQP5oPrPfwns6zAMP0J72P7fyzD/A
+p46umKyZjbc1MjOQGnJIRu6V99O+/PmVXQvryX/9XW4
+-> piv-p256 zqq/iw A5nBHU2O+bxsFqplf2GV6pK5wQ+hJ9l7tyFIe57QVKzw
+Ik6aUY3t4geZ3yiWPqBGlBem9xNU83x7t3UA7pYB55I
+-> ssh-ed25519 YFSOsg OhynWXlurzqU3ohq1ecH018Ja4wyWazDLv6isajeBUE
+Xnjo8yS9IkMwCGNeLi6BABYxjXDLbpuTrVfwAxjDWdQ
+-> ssh-ed25519 iHV63A 5CVIOtSwima5gIvwoAYExcy1tfOo8942RQ+SsflPbAM
+4HV21GcuyddIjonOZZFgjgpR5smjce7OlMN3DCy0/sU
+-> ssh-ed25519 BVsyTA mkLu2Vpr16bAZWimh6sViq5HlB1+lNOc2WPCxzgfqAg
+cIDgWit139jipd7XmZcT8mTRDKK8rJV9xIxIaPVL9pM
+-> ssh-ed25519 +3V2lQ eqfktAyV2Pia7T7XEfcYiHN9Jd4zivMzJk3in4XOTx0
+gZzO+MTyBOJR1EgGn4Mhh4rnIyr3N9gmlFty83ou+GU
+--- yJrzTzStOkRCNRu3Y+knfqTqHrwW0S0Bsko7oG/s86o
+®,Bgm°þ÷€få‚T¾èä`1†&1³%7Q˜(¯•¸Ÿ:?ßÝ
+êÎø—æ‡ðj£ùÄO_rqwÃÏi£O®´D›·)@0•ZK'óô+apU§<Ö`ºõµœctª. þ¡<C3BE>–ÌXÇNæ+íŒÂh†Ù=‰'‡VÑn^HHöv±5aa²nKÝþD¦×™

secrets/alertmanager-envfile.age

@@ -1,43 +1,43 @@
 age-encryption.org/v1
--> ssh-ed25519 Y0ZZaw TsTaRLA+9WtN9+FJWpXeP12Af5EXMbo+ANTaLC9YlC8
-Yols084RY1C9gfOrDMwJcFRuGZ/5dgGuJey7RXqm7g0
--> ssh-ed25519 uYcDNw ZLAINtv10PGMtK5TL5Tf0NyK/r1iww+vTC09ElMGoX0
-EgBB3aiHHdaDue9+Zdxg6mTV2VHeLoDN9wT+hlAzVMk
+-> ssh-ed25519 NID4eA jIwfpP0rFLANj63MsJAse0R+TQbGf7mUStdusSLkkCg
+RHyxZqWGYMvhQYfZUc89GPly42u7MR9gSpR8aFWH6LI
+-> ssh-ed25519 uYcDNw JGsVrWwxwA8ftUM+Fo1jFigWfpvNUwoNkK5zKIu582Y
+BzM82Iqmta2Dtb8xey2nkoil7mDipn1iZtGMPKwPcPI
 -> ssh-rsa f5THog
-aiJqMs3/u06tzs8lx2ISlQm87TDatqEn47v3LB3HehPanRpZx9O1HUIRTeiWkMU9
-XroGe27HQCCPd63QunBHUH7WStA10IS4rHVpMcULB5IM4jwcbOhSYSiGyY2sbv8+
-Nn/04ZOwrfzTabC7moV1DqAw6hnlDqKWp/q5N6xMb780w5vn6Poni3OJfuLaBWaT
-r6WhE5evVt3F4jyYI64fB2hFw4AR2N/zIMOMvBncLFwJf9lbIFdbsENZf94cYceF
-Tj150xdMPuErBsSJQOlfDYSmyioNN3UJUWiYsDeM3nbPEVPHhfTk6b2/lMhSQkcY
-KcuMj/mN/7w7i4HSxW6mUcK2sUMV1BcSSGYRH9ZFf7kq++KpyiP7vB8vaZkcKbfJ
-qqrIcXTuXhR+/bWZWqf/GQOVwRwe1TnqN5MoZHipg3a/UCe0gMM617VwZcfhBzjA
-eW6VUdjSewwA8YHEuDrAeoQ4CMs7y56EaIlr2IlQy6uzJPX9eeO0auO9RZ5AR40a
-7un0FrlTJX9uorpCD/zi3tvd22W5qVoMGZ8vXJShZmT9he9K3Bv6XbzG4DJQ9/nv
-xZ676HUYhWeyYZFBvt6DnEBneiDJFeaV2AeuQY+juHBOfBrbYmlE0S4Pd8uRSJ7w
-u5UJTT+RV5TkZhpCqqYm7DphYocnrv7Ic+QKmvKE4ls
+LkPMatwkNWAElm+RQiCHtHH2QPgVsAAd5b4qF0R0O6r+0CYzEF2OAOZ0LDsytTB8
+7oHAHxA6kAga/pqKUaJl28xw7ujVIb1CunZFvVSxtOTYRrEy1Rxe3AKUOm+ZmfPL
+66Ef58HWMCHzK9sc/ojo7Us4okfRhJBklB9lnORkSfdkvEHLeq0R0FfDtDCnynRD
+SKqlx3VbdWe9k6UOJidA+dY8Wx0w2TQM1c21nDr4vXsXpZf6ttT4HvrqbSrS9V1c
+nGofWP+72WinOpFRDQdLvdKvaNbLPwhigqL1VqaIcsnye5zZjQDNn+SYf55byBkS
+CMXj238UqvdDxB4E3mBEgpFxOnyi6kLQXcPEBF/xQ5fER0RS5MkWkuH4Up+BCQ+/
+CppqZrw85OOa9jAyWxil3yLQNAnLGi/P+mesPxSI+i2Not9wbUTALr4COG+1qvfF
+2MbHiqREoajnQUJjhGhXaAA332X7hNuOF/DjmBr7i81oWVmKs6TjCDVL7Yo9xu3j
+BcFqMlaOgr8gObwnyJ9BbtW4sBtnOeD5onPxWluV1+Ql8Idjmu/BKeuqIyGX6wFl
+606lbprSTRVjLZWvg3gWaIMlXdcnat9PmHeRk/yzTrHke2aFSkvUKLymnRCHETae
+Rh8ILeQTq36Ul9r7qklBNu4M7/f+jeX7gYPH/yDUCXc
 -> ssh-rsa kFDS0A
-HhilpvIiUps80SXYUXg5vqNmcy8SACvxpC5dTVBU2n+4OVXQY/35Il5ZOrUX3U7a
-arfVp/KaQF7Oncu3x8F6Tp1ibUwmoyAV6OYqqs128nEPwkNbJvwrLY3aEBm+NIzm
-gMlLRjj6EP84TVWgOsenQCS4l957f0QoNVxQ3f+GWdOiZZJFsv//ndsflng8zPlF
-bGZy8c1TxDZfOD0/kW3Nx05c9X0EHKOEoDUc0p4qntrWlflxcvLONCgv1gZuPMF+
-jMsPFP81eu3rkEUxefJ1qbvvGuW0cbzfwiStv7iGQ+Skh/vcoM0qw6p+csNKyHVO
-8nYFcs9kD8067zMnyuqiUHASfZ4rPqTji0iiPC5kZn6N0YSgz2bybkXcoqmy3m6y
-qs0S+RD99o2vCLhW46hZyKAgUyTU1DW42EmnZkPrLoqV7uin8fAwPO/98Q/b3Rkr
-zBRtyTEbooHvOCL8limiRtDl+5LMcjRFNWk8AN+9vHMsYurXPNOCnd8n2Z4MbT2U
-AhpoAD/+8HXp0InBJ/sclITVAc6tPb2CbJW6mrFezH8Ri+/6u+zSF84JDd9ZrCOz
-oIshiGZmhP5mIuspVrxgKlm78a56vQrygpqzvuSSYk3zIJxmhEkZhw09/ga+rhyB
-pkKn7GRyZTfKjwt5nnvW5/bmQndTa13j+7RhkRgBSvU
--> piv-p256 vRzPNw Awpc8paUfKnP6r0bYsaoeDE9GVSnads4/a3jCVScgS4V
-YydKOS09kyZDYN843SHIsYUimtSQKvGhIuycPWOFojc
--> piv-p256 zqq/iw A54xbcufPkLpTD+N47AiIe/xZ/0vA5kDJ4p3rIZw0a4A
-1WFP2K3tfUxtdKDBEmT3cx/u1i5nCzFR7cK4kN3WjC4
--> ssh-ed25519 YFSOsg L0lPSkoPVRKGlJ9MzkJx+cQvnZw/5m/j/JO4aRzd52Q
-o/N7zQkvbGGoadiJSvL6lfuP63uqzxEIxDtIg4tgKIo
--> ssh-ed25519 iHV63A qfLWZhbDisCSJ4vFFTR+XpRUR0WViuAqarf56M0ekT4
-ZSWW34pFRr0M2jFhnphIPJ5ch37ASM6OgTzyHSo0KAs
--> ssh-ed25519 BVsyTA JcFezSIfTF+AP8LYfFqz+wIpUrE0aoc1usiLtWxAPQE
-F9uhFyCPK46kIy+ud4V5/ESacQgc9R0JV+JTEZO6nBI
--> ssh-ed25519 +3V2lQ G4yT1e7B5O2Gy6tusRMxuWOFScynWfFY5AjrJvxMK1o
-n1OVFRqzijWlc+B93cBNdFPz+8CBYOsI5hpF1wz7xr0
---- 61u55uUc7z59iHF1IeyBLmcR6u7STUhpOPb/ODf75Vc
-<$kxpû´ÚH:}ò*ä/Tâ®Ñ$‹ÕbÀJ\F*ðòWîzÉ6 Ý	±Âì<î̹>e?ñ¼<C3B1>Ÿ6ÚµÌ~Ô!
+X1vrBlpHkWOVyhBokgO0yNDQk57S92xADIi88w2UU+nTYFgo/RsyTCCFAFMaDvR3
+kQdtorCowxQpKLnTzER8i2ABZAgAmUzGQuRPDKcqZuZH9oypNkBs6qeVI3TA5GKu
+V/IfKLeR57K3cpZT+TcOzKUqm/AAZO+rwdnrfW9qVAb7vlo3TWawfBHb+Fl7y9JL
+pEjhDMhnA7na67Ktz1MFm80XRneMTW+0NGtcTd1iQfjfHe0WfFuYU4H6aZ8ZpZYw
+2rLa+EmFqUpv0ELwdGViqmjUNwJunsJ6rhJZlMn43v5/XPLpapQr0zwtXzzfzZHd
+HnI6/X97zPYUFDsUeI6x2CiVKHVWMGjJ9VPAexpJepZSkgI6On2/mfs4++XnDWLv
+qsvsJqVzM075eH0LUyXq4WGu7oJc4OdfMm1CrEBKAaqdKRl0HnBZGSER3C/qAhLK
+Ihbk+kti5C7GTzRyUlzkwINVFV0pePClLP7AC5vdKMhXysGQlxNJsTeUTdAOhrAm
+UeWnd0Xp+K8OBsUgyGktKBMofNAJ+MilSKt3x7tJk3QuQIGjqHCshpkMf0ckixrh
+aDN9Rj+s0A8C3hrVv8z602jBrM5tfYOZv+q1/yFQo+ieic6Y9WEzzrTMJEHxFSzX
+KadqfZii8HCGQODcXh8VRpWDVjzt/pDVR/zu/0YCP+0
+-> piv-p256 vRzPNw A4KCXAKoTYy8euaKXot9+c5N21WG9/9uLPomiiI6rZ5W
+vbTcLpDNM1qVdTBCUPMrlX2GpyeMUsKaKLFl5GVVdYY
+-> piv-p256 zqq/iw ArX1s306JaaWVPiTA7XyzyTKcsBDHjeIiSoOg+5PhsBj
+zzmU1T5q5ff6TzIXhWqiVM0Oxxo/ln3uExBXBlLFcME
+-> ssh-ed25519 YFSOsg tgHAr/emB3i+9Hd+q9oYCjkPO+RuXv22kimdXz06Zys
+p8sYz3j5I95ZBJroWxUSzWljcj8E3Ic9uwwyrUWm1+E
+-> ssh-ed25519 iHV63A 9UXBAcuwIfuoTHcWYhLVa9qtJ7UsLsIQsH2Bn0T/Wy8
+OvfX4cOKJYv9pwaQp3yD/QPZdDnGSC6f1qemtKENtpE
+-> ssh-ed25519 BVsyTA nC+YMVK5YyCM79iNijTaBgIZDPi7Bvlunuzl2s9SrRw
+xVUpZwdIcszqsRdZw74fJrSduzxqrO25EMfuypipys0
+-> ssh-ed25519 +3V2lQ 4n/lkQ1nwcXD7mNc3DzIfC5xGF2mn27AoO36Chei8AA
+vDe0RU8Xm3L+/nFM0lKK3jv6hqiUE/YxZUFyHUsqAfI
+--- D4n9aVPWABXpzO9DI20yHf11MRJ5ACWVhT16bDls5pA
+iR	ÅÏÿ%µÙØY^Ï	Ýñý’µ¶{“²°Ý”#®Z0´P6šÿ+ÛÄR!i›J-\ul°9!å¬`Z÷¿Nh²

secrets/blue-shell-wg-private-key.age

@@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 eP5MMw 3H1XEr/Vt2TOQUvGu3K54CxbigkVpaC6hofMOfFR60U
+hqFTOoMhyhb/Fsywzu4nYXmEACOunenO/4NwPaVdrZs
+-> ssh-ed25519 uYcDNw raghSMdCaiQrfGviMlc9Pwh8cx33IWh+mnsxL8jgTQM
+aOMrh/746UulH7hkOV6XRiwEszgJtrI33mmzY5S2Ipg
+-> ssh-rsa f5THog
+Hm/2fpGDwqKG9K6zLYXuSDwOppDtDfw665ppaVzRvnNppizkilCohBzCrwXTMyeH
+KKZKqaEt+n35wrurfMfqQf1AkamEimjlXCMmr9IwrBHbJeIJuHn6vGSOssQ0Sq4R
+dr002QrKsGDzlL8dCLmaKU6VPTXcSbCOgDnBW/AyU7bvN51jtgm+jOIey7jH9Bm4
+0nU0UNcPiShgSbXLPp0V6O/1zQBOVeFGyGenblAKlqLILPvc04f4703alqSbKwXF
+q6GoS0Dipzr4N8X4Thzgc8H/YQ6cBVGQTebVGHqFEngLQ2C0yZWlDfJsKnKOGUce
+xSxSskfzEv2s9VHDrXeiTAzSYaLoZI0JEDHOSICmZT2wqT1voFokIQV8twORGpOo
+RAlNX0BULPEg5Mi2k3V4ZBcG5EwUjEcHAg+0cQ82D0f4OJEqMVIa3dse/lBbrFzC
+/Gkr8+LPWVv7f+mRr3sdKtZ1nBwz1uTP5qIA9m92UeLVdVjmp20hixmlgftAbTBm
+MtIH2xqkitpb6bhImGIbnxpg7U8IqQZNfavvOM9yqj0uud/Nh8ruUuwxci4RS7yP
+YlIcompHudeirCLPvYx1T6nYRB2GB1tpTcyQN60pb6YC7lH9w/tLhZf8GFcMdIY8
+eLx7FoWfNj2dIp8EpBrRUEaQlea6Eb1r2DYTjmNunnI
+-> ssh-rsa kFDS0A
+SPaIIABa0Wja26CIyeUvrlt+LWJY+Iw2+OouRZkMfi5YxDflb6SATesWh3zMD5+A
+SOiA/oUiRfGRVMmqiEznd2BLyUO7FQDv8tIT38R3m8Nj2Lb/kWtuhPKqrk0PPvr+
+kYR3iyM4klqccCzwOYwWfpO4ZkFACBApTOFYbU4WX50WDRQRco7M8funj10BAIsL
+H7hOKtigx2RJaJDcU3MPHV4beECpKbeH9scICEDmi098UP3850g1lN5AR7NjWvLi
+zr3Z8Up4UjEwH2mvuNnAbvA+0HOu5geIae+VUqy3EN7XFC5HnMHB6eK12Q1VAmF5
+MbgkppMeoqLnxIdLT9xxRNhD50B3QR8MNHgaNWuBqfl86XPfXjxYP5kRaCAraego
+nbE1gItlgIPESpf0ocfIEyXb0tSup8c+99ezgxBMrzNP6UtVGRhZvwLTpBZmrLoc
+5P/hTr0WQE7d/6lmY9VyDsXasPU758tUhM/cJxmmUyZcCOhjAiJdWSYHe7AUjSQy
+rUSKUSYwqM/epFNqdnanj4pmmRkSk/0AiEKikvb5DvWpHrnsL/EuQqtT382IGv6P
+VA6ORv3BmL8IjNnTppZsG8k91WWHLEqxoDKUHg6WHfJ5XqnEM4maFsRZs53QLqLB
+vjAxAeJHjFg13wkfJmo9mZNbw/0WXS/K+xmeOTYuH/8
+-> piv-p256 vRzPNw AwPYD0NiFDZ3/0L0+BEUS0hm7RddL3sPXUshz7XtIQVi
+7rzoQuAQQHxkuYFx5TrLEXZbGsERg78mAXcgQySwHGw
+-> piv-p256 zqq/iw A0Ec624/7FOTPVAbZDjhsBy0i5L1Tw9LwYfH/7DeKHi9
+djfKQINL2LVAAueovp/V1IGyhuy5LGQtOws5Dtih9sw
+-> ssh-ed25519 YFSOsg 6EeEfNtlQ7/a5Rc5iShfSa2ZjIoN6QcLDI0hJgpF8AY
+Tcp4iqFjBTTzSUAZrxRWe8QkvuEoPWVagNL4EiZLMIA
+-> ssh-ed25519 iHV63A P8IDXAspyflmLqtPOqPWE+J9s9e3OccKc5+8s/Wi9H8
+iRZba5723Ux5oo8YA2TDyiaWyGzHlAcvEiD7I99vq4o
+-> ssh-ed25519 BVsyTA LB7gg2/eozH+f9BNC4Q1m6Pl7b6znkO5rPVgvKSjen4
+AjNzM/44dMy7JyUcAT7c4pAFTtOuapiGtiqLdBPGrKA
+-> ssh-ed25519 +3V2lQ NHbovTrC4cTSsqb3AfmVOJ/pL0QQbK9GpMUpQMAW7w8
+iwAoDSQnucAzQPOgZZtl2bnJQ1mU19aoruItkQqJuZ8
+--- itqKtiBSCvkVJ5boq7PeY3uRMemElImzWvSeTwbz3y4
+×ZP38†¶0¿Òe¯8W’j–Ž÷[ªø#;ñHjÀëÏwïYÂœp¨µ“6W`ôhŒ²ªs§õvbÈ·èÓWu·ÔœxZ5f5½ 

secrets/coturn-static-auth-secret.age

@@ -1,44 +1,43 @@
 age-encryption.org/v1
--> ssh-ed25519 iDKjwg ZUEOvf7JnWeFNohEAhloJ0+YL2SwHujjm2YG85NLHyU
-HwrrqLMlNmfSlZVt/lCkIwqmCYLARbDOBhIm+AYmDEM
--> ssh-ed25519 uYcDNw Lrek6ru/vb2JIZyALem40oNZCf3ia/U6sb5hRyDaakA
-N34LLq2+qJOlbyaYXUtNP17fDPjF+evgZ6kOs7mVhYI
+-> ssh-ed25519 iDKjwg vLO2012STCeqJACpBNg5uKyWx/u0Yfvwxek3S+0Q1C4
+6vPjunf0CQeWTwznZXPc5iVL/eiF7SrPqGeuvgcfizM
+-> ssh-ed25519 uYcDNw QwGWHxl6dTO1HEfw7pEtdvb2ne0RiNMb8SkWRIrRJQg
+ffdyTEltr6wlrnA9isU17orFvSRmicPvX+w2t0QBJIY
 -> ssh-rsa f5THog
-jmwJ+hV1/50cWemVUhPTkTFgnd7iJ0YLtjU4fEKXghWIlie/OR3AK++1f2UJxKT4
-Z/32ALRBnmb7FlAPyYbxIns3IUJP+Z/Il5SCeDrtwaUxmtluwXwwO07WlztqZJlO
-bvZ0ifDazxOFZO6QfXQE2SaPDOqcH2AAiiL50eXMgbdY5lARYW2Qbai/2a4t/PuT
-Qn8WAwjyXOIdOnaYb/MZWyp0GQYsa3nEhYyOWvTSjSROEfR5qBtGNYkUBBTYF+YO
-DGOYStbPSkIhnYYQmNajlcy9wMW5fH36ujGdnMH7C6DgcSCY2iTDTdE3cyCxAuaJ
-bRThKyXYsvhMKgrFzbhlgt68taESb4KcKcNO5r7lqqID/I0b/fVltsKpkXrSCB53
-Th/aXLXPUrYEkbdP6nqDBbUjeA8RDid1raIF1O29Ok72oU48q50QXqP8GF+honkg
-HSdXmhPtlZyArlJNWogDaU9FkWp81E0JS8G0OnoNilCmiu7sF717GG4pkA6GTnaB
-hlJSiVWBPhmhVURIOKkRl5bIWLUvJESPLVVog/vsW7OJETOb2u+AlwvaBNY8w1wE
-An+m/qNO/H9Nksw0B4C9nLfasE/nDvbOT/Igc7k6jP0sw6/PAWnosJY5vDyIpR8k
-7q3rBPnsZRXUr213ue8xs0G7SsbLheYNu3/D4YdB1tg
+XjKRMzLPZlrTQEDJzgCwBbjZwIy6fMYGLuBR8TS15SAIbttLoikF/AV5zqJDaE9j
+RaRJIIQV6LYCm1fHOsoua0XGxicvJkdithrDC4zsEEJ5n2luNj+sQd7h9ruOdkO5
+l+Og+MphPM9naul+MJ/DluzS863DewkCNENEWe5H5MkHujOoqEsRsGdrRPXUbAPW
+oNIr6h7FHCTFTkxfj1aAqDHdK8R4Yqo2K0vnHHfNS3PeN+CQJOrGNzokYybMRxqK
+RXoJD0QKAUCV8cdXGr0XuS/ljv0lFODKhupy5ObYU71052nxo8j7KTq2NpZXqjul
+PWyetcPtH5nLCs2L31XoBk7cEE8g/eSjPky3gSMdjGjdB7qskmuPcAHlHEwQzecG
+D6J1LjrPa8OMVD4AdR0KAXSnSvzt/RhyymiZWtBeKg52rm4KK3PVbJqq05m+PEYA
+a8wFT6fJOqmNr4gj4peIUHca0gYWhfzhLpXsj4/MKTPxzdUem/wbbMJrM7oQpwma
+svN0vvqCUc2wfw2Apr3WwoAnNTIohZOngNkKNWNweXtPOee2qgZO3ko2wpFa+Yh+
+IMonHHVhtdchTidx4RttgDIaW/+i//XGfqPdmanO5wUmm+SwgqkkQkRHzmtbmgsq
+KlrAmjL5biH9f9sBItYMdKafgyQppMAQ3hXt5wgAgj8
 -> ssh-rsa kFDS0A
-BwaozSAR0Lcn3ZOHhC/OuOYRZqW0ayV4kL7CSLgaw6x9WqA7NLcsE+HDr7aDx/lP
-K7TmFGYMrOiIk3siZ4Qc/JwZXPiayxGITcwoY82L+FrJKJmQd6c/3exggsHlc7B9
-1ijXoQgjnorlopI70Cyt3QLQyMCPFb7tuZFEKR0NqBzcFTi5fKVYcMrfa1WVxzMO
-0Ic+mhwMIAst6SQqOkqaVbtUYxATupQx+9FwThk+9NDety1vacb+lQ7hvCnImpTd
-uENry/G68I7zWhNuCeE6wj8lCplFkW7dvrJyoxUVokWheFnUKjziA3ZybfMyAmI9
-vJZnTvTc/7UxJCnuk/pB89q3ttm8LFT6AFAwZ1PY2ndWBMRlnOaB0JXSBKXZCYYV
-bmJ/NSNdzyO9Q4MrKwYO+O8SOkVWM9EqKYv+FMO5CksU/N9EOUkpZeLpMYh1WXPX
-BMKmXzRWp3YEsFH0g74ZBjFpTo+FK0bbRfYfTj7wtS9LpOFPr51qRDwv0zocM9cQ
-MkpNtuSqpXboCLGytJE34pAsDY1BHJpdAOwlwavwK8N/yxlF89ktIAtHpOaV5QNF
-r8oW2DLERj/s2yunrjZ5kQXaxbn2GBeml5gFyYWPnKVIa5x0PA6LgT2OMYd2x4vA
-r7UGlMktJLosJGjJEUVLUHXarKkTz8Xwrw4vtaaLIyc
--> piv-p256 vRzPNw ApWXG3ayudUSrW8zw38cU6hYVeCVZhIQm/ZbjKpZqgnb
-NqaQ7bjTAuMei08uNpVaK23uVmspjlkGyleF8phudVM
--> piv-p256 zqq/iw AxdOZ9zfYgKZJY9HhQokUHwSKbfKl7i7X+FPO30EADcr
-qsniaELyEVrTeSaJG/lp3sCPCmbTUA7CWdMxA9tsBXc
--> ssh-ed25519 YFSOsg 64fhQVd3dvwHCBXa0QiK6E8rYA1jScm0UiBvJVuL6Eo
-YAvXqNw6kQkTzBpDIboqa9gOoTgHE8hcaIMTg6UkODs
--> ssh-ed25519 iHV63A BlO/mSeyxTFBIa77g0Ce2CcaVf9SAiw9/OzkgnaHEV0
-sjmnXCpwe5KTgIJ1ZaM8j1U4fYi2Y5/WpwpUfAe8Dbk
--> ssh-ed25519 BVsyTA gt6iV6mhL2G957w7IbJVzNFV8QMHOzP5uOkgSp5QgzM
-Vvz1jjLKA9qbqAE1g0UyHySrrnG16ENdz9TxwyoML+g
--> ssh-ed25519 +3V2lQ g453jshh1sgCdUyhg3jlU0A0X+byL5jobpu2toWTYRU
-S2k6Nk+UBv8gcJZoIdZUc2Kd+Rv4jzzcEyGm+eb+KUg
---- 8ahetWGfwjnJYRnkeSS15sLjDBBtN28biMlYCPSvObQ
-i’cü'ióë4Aî6$}ß!IÚ3ó¨ÍÄ™	Ù›3yŒ<79>ç¶;¶ƒ
-O<EFBFBD>.<2E>œ[„Íf%jTà4ŸG¶÷ãÙ¸W#iÐzuä`'Á*zmû‡òèE‡6ÓضÑúéª[ê€
+XAY8GSsx8B5q039L14C/t4cGK2sAm9eqO33r//YgpI5nkvw+pZrbJegdCItfHXHd
+9BwBGOowTe5Qmj6RVfz4rwsj57HJbt6ivoIrU3vH+GLsNs4JIg5lwz1/WCsotw6W
+8jQXiiZbA4nvzQzyZjJVKavTCfvbRXdzc+CUZiWgQDXsSFejp3ODeOvUds8YKWiz
+jYILyzUzyAf05HDC2SIUhfA/UoXokfpo6uZuryWXjRBgaRENa9csDnktc8V+61W7
+gUnu6yt/rN6oiBesnUZQK4sPd5YE6EcOT2gtLp1qKxtRuF9TEX25oLHi52kPBu8j
+TNGbCU2ImGW3Z6TkAj+/XQzwEIrbLgb7APMkI3DtWyIIxZn5QJdDOOCseKMKt2Lu
+VH1RF9C26mqcx7+WGCJKylARX8sbT1/ZsCWSUnmenYuGNQQppMwcQGSICs0YmFkH
+XnV19+pt93i5rVFs9IUxFCqFKKjElCiPgIHe0QlGuxifeiMXYuNi8g4ObN5X6GEL
+MPm0+sr19dheOZicyxqJ/jSlEOP8bHgN/VDHjKtsMWQD9r3NfLH7btNjA8HTITDI
+YvLLVCP6OR3ZlMz2HUXDpbaPYSSZvrEtwkqCIe3ij6066Y5cTsYHWEwOvXaKYh9P
+OJtPgLQDV9VfU9hK60E+C5qGQAvHhBgPUfXS8JMJkyw
+-> piv-p256 vRzPNw A2vUnNzWtQNNOU//b3muMZeM1qdO3GyREn73VgdxMX4Q
+6AzSUdoPB4zMbFsf0fr6sxbCsg+5/qmBtkCo3ry88Gc
+-> piv-p256 zqq/iw AwVuYkScYFB1OzvBz9255ebDwPO4o8szD79gPnzgK/t9
+UCm3jzlAPdfGvxO2VrE2DBvcGlaJpMTINJl2qcq+4oA
+-> ssh-ed25519 YFSOsg wUzSRyoZOde45Uv+KaN/ARAxIRt1bPAqN30P6nM9b1o
+pmufkyRBD4BoL4a+dbS321KSdjPRrB09MssNU6N0dtE
+-> ssh-ed25519 iHV63A qyqt+LHR4YGE+P2D2mq7qOS959vLZ9K2yalLvGg3riw
+1oDuGVg7Jn+8MIlsHb8KCDImManVGnlIMoqFt9w9Wjg
+-> ssh-ed25519 BVsyTA skF/Np1FrFUSWJgCw5PN9uSy+bMezPHV7lH4jm67TCc
+QrtBW86S8cB6GLsw6LVGK5jhFQS56MvATcPspGJwmAE
+-> ssh-ed25519 +3V2lQ DPCBFzgin6QTJx0QZ0+52qW+6xXmGA4M+hFEIFAvpC4
+QuuoukU5PC4BW2ieS52rkGcPRPuvrROE37gZpd7cudw
+--- fVPm/8JI93qQmr6bEdb8JEtRpKtsBHnK88A1tptYLIs
+|9Á:\Ù›ŒèHÐ(„–•a-[çf„-Bpýu[€,¤bz¿ö'jA¸áyp`4üð“ï<E2809C>lÆ•|—Nj‹3ç
;”˜¾¾)“±ëGȾb÷ÿ¦&ÓWãF/ý‹‚±yõ¹

secrets/delite-wg-private-key.age

@@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 9RQHxg dVdaiC3H/M+tA/xIW3NdwQax68lkydLDLm6OxTx1lSc
+HRLezYbdAPHNbQm/2WXT16wVX+ZC7GKlVp48aIECsdw
+-> ssh-ed25519 uYcDNw SqHkg361mGpjrcynYld45CU/jfnPp55bt75apCWlADE
+Z55QoOPVt2u1d5Q/96PHfA0MFAaO4y3CWuJNBnVy2IU
+-> ssh-rsa f5THog
+yKfwc4z4mIVfDJW5aEk7O9ddRL0YKOZFV+xKE6OyMGv6luJ+yM3QcPxu9yppCfMA
+AIreVH2/4Tn+WhYv0dQuVeTR7SLqfn+TynkfK6ZZ8NbjSZXnakPqNLtOWi6C8VIH
+MAfTTg1NGOG7E3TGmMqFrQnxYdpIvtfeGaBfiMhGLoWnCzJOzVkZSf1Qx+ibor1T
+ZtJGsAVoAqGlFoWNDNrlemx9/5qxARe/GSSUyKtEb8VtbvN2hgJeg3YAKBANYkUS
+C2Py72R662WBKPSd8vZRaQEJzP78b+LjBPmF98E8EZcHD/L6I6QRirpD8E89nN8b
+/vp/Ze2q5R+9ot2TIO4Q9TJKLs8uMYUNUImrWQM9eBG444dmuTNDDfBFeI0Xwwug
+FrHxS5pE8QzRdla/fIt/Py02F/734pb1LRCBPaLr5F7gFTBtIXe1TCvwfigiYrZ8
+3zD4mpasIz1a7MlOIBIUuNAvAvJIwemenzxoCPTJUIPR9Ja06JUJe0qe/qOOaUAE
+iio/a7XLYAUnTqHQ8efufS7RF8HB61Q5/CEtjE4NnpaiZkG+KQ57xjTwrfKSALxK
+FN5ydIMY2aNg6Hh+n0MlCfpV2N8XYqOF4YWWRKY39516i8QCvvL21k+lt3P0Lpad
+E5fn9FWoLqJw+evJsF/PyTrLT68tQbcY90mIGC6n/Ww
+-> ssh-rsa kFDS0A
+dTkAwE1+eD5KvpKvI0Wja9vV3wgKogv9ADKyf/u6meetXQ0isUnqxhqBbQZKhVqU
+StNE4dSwg9gBwsPmNXJ2Avc9LMIBuhDomPOp8bqdO/r0IyDvJ+TngnJsroK7dfL5
+foIDtakdAOVZM12ytm5hZlUNfXppAJUF1T9w5LIBWAMQQYJs39u+RrLfHoIvXTor
+OvTikrdYfGiWdX3XIGQAfoPct3ZEKmD76ypH8ESw8kKF7ZfRQNDDP3LMbakoFs8K
+Jrh5S9e3b5hdiDsv0DFtMISm8l6ec2mhhkVhSPgJ0mZYimMUg2QW1b61aTbE+LEI
+K9O27ci1UKhxvLnxA3UWrYcm9SX3dvFgH8c+hJDdydHRGtMA3OU6Ut2HuGKaLfys
+P7F7gffBTEeW2na2I00k3/oq9CCT4AP1d/CKlGd8ZtRvv5Axv6ThehCFZ/FLYGCg
+kLBTHCX9qfvltdkKHIZwgxQ7JSGvNf/4bBzUz47o4gBhtnADaPondeLkqRS8sMwF
+gq4UtG13Y2NfVYLtydrZCpUSMXekibZ8Rj2ER1uy1PD32clevgmgbTSyniSbJDa9
+NFAeQS8KiyfvnxtLNNoMflR5yL2O4bX8Eo5ooaxILxga4M7ckcuKz2SMjDjpSBbK
+ndwen9EsZuQwK9Av09h3gZeRy/t1ne6MtZrsTY5W7+Q
+-> piv-p256 vRzPNw AyZQpsc9MqXbooqG+eK5gQQbfe4ka6pG7uixb8ONVGQz
+FWuy/qAQidT6C8YMb3674epUzZw0Rb2NMCK5t9wdnT0
+-> piv-p256 zqq/iw ApTqG55jHkxwd3cT2Hvw84V2DcoHo1M+q9eP2eLxSE2t
++27Dzy6pzGpOwTqUG17QaDC93O3PSJIfy/d4eBnuLw0
+-> ssh-ed25519 YFSOsg mRmdt4AzDKbzKvMPOEHg+jQSRs2RF7f7ev/jzP7SuFE
+VmNGaudQF6R8xDWBz6bFfmk2J8twCUEzcXj2AG5teKI
+-> ssh-ed25519 iHV63A pXrKk8kpTBDxhiio5ZY7krRJIDkxYJZOMqCaW9Q7OGQ
+9/xgfjzsd2JT6FQ2YWELl9jqph3+HTF8jChvbiHceJo
+-> ssh-ed25519 BVsyTA z8nXuz2JOAn8t8OW+AzFRAXb5ulAuderatBFDrb6klY
+Z+7S5aGCCV7f9WwHWr5LrsKW7rnpidImwoiP2dXcxew
+-> ssh-ed25519 +3V2lQ p99nuu5l75p1y3Ea1yRdFBQSxvYRVRJzX1undANyFVk
+QHzKD4WvtnRI0wgiaIYKWwXrG5Qg0vQ+V6eTJUk+A8k
+--- od3JqYVYOFEDzaNHY5oDbfOjhUBsiQFd9pNGSkAw8Dk
+øFJÒMmá|šž—>¿|ÉÏü‹µ
ï¾ê0½µ:+‡¬¥U^ØÑÚYؼ÷æ/‰ŠwÊ X+8gt
RNPÍ^\€N}«ü£

secrets/drone-db-secrets.age

@@ -1,43 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 Y0ZZaw 5slOxDM4xGALMpYxFm1WBX4Sds7itgPBMIiY97d7Egk
-mZNzn4I6obUHAdox6eVR4H82EZagZ1IrCcq0CDtK44Y
--> ssh-ed25519 uYcDNw w5lzhmA8wIMXihKF25d5jx4/Cc5BFE3Lw6ad60b0wBg
-v9z03cpts6oVlcTQ48hMw8rjWHp1JUOov2qCUjFN4bs
--> ssh-rsa f5THog
-A93Usdjf6yJFLFqDiy6UUIJ4faBgQXIvk0pZlABlj9M5n7fSf9uzR6sSih4HNCvm
-sMkZ4wKyQHJnUB4Uc2jGrdcWqpmP5MLYHhj74Rxsi6heZuCRf94KH7sE/03A958w
-jAV4v9z4EqmkvWLNQi/hxMVMs5A61Vs63WIX/TA6vhL8Yrn0FeIKlRZYUVIeMu42
-pbEuLWeIzbUioAuEA1ZKV5VDx+6ack8TS/Dj5bTNEnzFWpjnHjO0/GeQU+aaQZTe
-Zy325TcRosT0V7PIh0tDQZKKRpOH/e9LnDkd8NIjyfEsGdDYaP1EVOYVxPCqUDAh
-A0kV1kkTiBzaXDkuakc+HDCIxtYXLWthsmbD+vI3D7FlTl0CY4fOP0wwO/0rS5Yp
-KDuxjz89II1H4+ZvlcPUihyW7OEj4d+NwFQy+7Qq0Y9Ii0NONXNsnx17FKXJwOMo
-NKyLo097FvHV7k8F9wv9mmZboRulDAoRyDngeO0+SJA90uJass04DuiZvK+g3Hry
-xVzbkk59j9EQqUogopW/oSeSbUP0pvcKOahGcSIW8vmadDTgnN7zzqf3fq+dJ2TM
-QD2IXAwvoTFBE+9DnPOtptk1X1D2umZuAWTzGAseXOImrPFZ+bEr5MV3qLGlg7sL
-yA7Mvbp4diVdH5aePzeBefhxrYphz+yfCbELFTYam9g
--> ssh-rsa kFDS0A
-Ng0FhTDjASWJkrlNh+UZxU/dU/wfmoV1/fwTv6Xg69k/2qU9lk0oR6e5xAimvX6u
-h7rKAYt3zSRIFveGczPCflC1nycG9wLSpaoJghav+q+muoDQ/fbSKSgHFXITC7Me
-f/wblyWvJsUQbjxSW3g6/8EGz6FvpTnycPtD2vbRj+Ctq72GPA2ZWg/OC4jAUlDs
-r6X0Ql2jwWzy3Y12v0mPknlBezN8cIfjBmoNOWokUeGJIBjujlS7loA1yif09BLg
-PTSLCY1YH3QYcm6lCXK0HaNcMjSSk/ZK9D0wROriF9PBbkpWgg5NlIrqGaeqPN9z
-QwRR2DvhuCa1br57F36Y2LKGphYjmhWAtzCyQ0h9YQ+AzEy9uFCbK0IFyyeVl/fN
-+HBGgxacJBcEGsNV3mbJvh6dn1348eex0GgaQEf1B/lu/y66WHbmSqVyUDfWkqEz
-IytAC43VT2rKgg+B5u0d/JhLDLwXTp7iVDy52ul1n7keJHk8t1GDaufAXbWqalQ4
-vuyxs6ghSIXUi27IZrYblg/OEPFTBfcoMXkmCgyx5a+eK+DhnBazWjy5j+vgp2so
-ZQRQurbG02qpZasTwBM3iy4ZklX/uFjsKnk0c/YcmK4YcMviHcQQjdjKruEE93u+
-Za1KE+qZGLkhFCd9O3ZPMtEjRjpN10XIs5ylKQ9MKU4
--> piv-p256 vRzPNw AiNjNIR0OGHBu5Qn+bvn+Lk5VnpI2BQ3eJ3+2/FTJfZC
-elT3acRVdmtBl0qC5YbvfntxkJrsZwEJqlF6aN5hhWw
--> piv-p256 zqq/iw AjIzSibkqG+YcP894QekM61Wsty6MaKBghlWapHfU0Jn
-HyXBp8DxtnNsfuzZq13bwgma5CzLTf3UB5Eht6XUwe8
--> ssh-ed25519 YFSOsg WRBQZZYM+X26hfoH4zvNWQulZvVWP/Ha5OgkUmGK/Q4
-5Hw4ZDNawn5YRC673Op/sbpexOKeL3gez2B7oZxUKhA
--> ssh-ed25519 iHV63A wyr8R4DlqLAu0XypddVoFimK2ZMncWaa+KWV7vMEQm8
-puV3g1t5AbnEgC0S1U4ft1evB7KuNppEi1g/AtxHgWE
--> ssh-ed25519 BVsyTA 0N3iyyGqTCRAHHcK7QfN5xRttorc2E2GL0RDTIVIBU4
-Bph0OujqmXzi9IswduX9Mbh+yRdPKOwCf3fBv2zUzqI
--> ssh-ed25519 +3V2lQ 0p90VtsxWyGFaeeoTISIxQRyeKVk0HoGGq71tjpIPjg
-sRf73Tp3BJ0DsTnJO2xVGyCKjaX7C7oydXj+39dKMUg
---- +/HCG0s/x+c03NG5qrgliJ+5EXXI6UnuJz5XDv2aphY
-ÞšÂ<>™Ý@»=£L¬“7*®„ÐFq<46>UÒ*ûU꿉»È$e=þLgJ|*1Ͻ
BÚE ZG—_Ü5ê²ð—²ŽíÂ,òöÛi<C39B>_'¸d7
Ý3Ú“Nä3ãç¡*»ðªê<C2AA>£ŽáŽòqýŸ‰Oy#¶([l³†pÄf¼õ¾¥ö

secrets/forgejo-actions-runner-token.age

@@ -1,43 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 Y0ZZaw tm4AmC8yXPgR82lgsQR4VZn4xfGiK8o6fIn8pKPY6XQ
-IDnsYVD8noh2HdPNvjY/M5G+meR5rwvVI5SVN/cHEVM
--> ssh-ed25519 uYcDNw ZB7GyOvD8S8XLqE1AeMXWTPcJnvEntWbZ7TGg8CJVxc
-Bfb/+P2DEiKI9ZWH105rLAYQXTUwWftWtudUGnVtjSU
--> ssh-rsa f5THog
-Q3Hqks6BMGmP8TXnUkbblO8btrVdls7AUdxDW8e/w5biis/4awZVBHuZCLpiasM7
-7RWXcUep2VVyfCMb+8tedaf5a1MpGPDkZvdbxhfDVWZakh7vsEnth+gK2QsV0h8e
-eIgfDMA9J6DHXNCr4EYSf22PxY12KPqGqsMpVBhOZQuXoJwJy0ob3jbJEOYfPlu6
-V+TLYQNGQ2UQ+A7zjpUrGz1L+u7rUejY4Rv1BmCakg1bLEs8oSDmIVmsuVmFPqOI
-wqQJvnYlRAdioVQZwYCiqJech2QJ0ZhtC/ZeVp4c6TgFwB1ottxiAI8l7Bz1nFzW
-/E85qU3Jkh1tcNcLsVHj8+tnxwn1SSQ3xQxcOT9l1Po98sNapK7mwd/xx3pJ1hH8
-5YUQAtG80e5YmOBxkabVI4s612wACfK9JrIdL+uyIIzGeNHgoimjx7GuOCQ2ut6L
-gj/+Rcv3e0ERkNaXTXGkcdrsMTt45lGmyxUgxz6lbHgtqq+r+BHogiQ9cdPKwXuK
-wom4AvaMOBKCxtB4qVsuNHRd0I8OaA9Ab9SUvHCRvzCkJRHP4qc0zRJif7Rk4qRl
-rAGYwVxq3DRk2HHCQCYC26VqLU6B5LuAAqOipVhOeTfbgaSGD6Wfrt+XBBPmWB7o
-i9zDrk5GKehsPeDKgjh9uVd1y+IBHcWoYBxR5WPTYnA
--> ssh-rsa kFDS0A
-HS3y8/5wAej0jv0sQqhdGwWd79vUwkrLkoKKPmqo9HlJaO70Cr1bnAIdyA8PBphs
-NIRjIcdClbUBuelZudzuhHuEzH8/JMAVwgHoIiUxviEIr6JpJVBagtvSHp1nfDdn
-x/hkpt2isSYb6fVzYgewqkdD3tv9XEm/WR2JmzlfaNTV9N9x/HNJYy5iYoTWRxKr
-e8R7txdmgRaDDxpbkJdWBcoV9HVgytTMtvBkqGViWzaFDopb9nDlfN/C7/BkCp6H
-9b65JqznpIChoJV7+sK5SEw8VcFj7ikIHzREWscEn8XBb7Kth2iVukaEPM+BgGZz
-Irk0IdkSb/XmQFwsOLnQViwUjkFXGXwHyMdHIcU2qEzZ4PN0PgEengILt9vqWJs0
-qHxrA7sKiC1D8S0i1+Dn+DiI//1s5Bbmp1jk626tH6fNKqSOlpwM47IGArTxCAFd
-NMinIBnR47DUCXWheirsWF6yP7kwX7vOW1dR4UVJJnVPKkgjklwCZvJiNAo0Soo+
-95zuugaeobsJ+qz2Pv+l8BGYriOFpRIAu7YTy9yY7mqHwC5MoeY0G8eNg5UmEzFz
-JsEbKPsZcsMg4WdywzLU2aufK4M/Cd7lVPGZzuZ8hJHBF/EvTFov7L/HK5VnhZar
-CYtILdyiVvmMZ7dhEARG1GG988W9wMendikmKpM4dTA
--> piv-p256 vRzPNw AuCJRxHGmvv25VTHpnbfMLyLIj8K+daFD97wwHvFAqHl
-m4lPR+5h3+xmdL0OBfmNoxSM/O5Ca+2lVRLwITUtVmQ
--> piv-p256 zqq/iw ApNbp/6seWw6gCj/QWKLYlmuHaqdaSKVI+Hup1fKAO2O
-xpNXgDXMVFe15eS+L9lGaI0Ip2F13SuhjCTQLDtBIr0
--> ssh-ed25519 YFSOsg v9BtvUZh5HIvN7nsnErVrHbWTwRhWpj/SlHoiiJSIR0
-ol9z9juHfOCuZsSpuRl/zGFuJg5RzpKK1YnX+VDLDTA
--> ssh-ed25519 iHV63A yfa9P22C7+wCMqtRRSyiOhcFnLWPI50jMWxWpLarMT8
-VpU+Uv/20JJGkTWTATiF5JImMsDKwyHMj+Wp0mMC/MQ
--> ssh-ed25519 BVsyTA dUj/mHSyOm61h2ETa4tSX7Cyf+KRN8AMXCVKwMbJTE0
-E1EEPqVQSqlxSAi7DaMlaS1Az1D5XsasrPrIdwylSAE
--> ssh-ed25519 +3V2lQ AWBlXeuJq76UgQR0xQVPMN0NUq/mqa2iDlIDBBp/Wjo
-XiliN4FB5YQ7qmTyV3AIbvoCY8UoGS6Vi5LpVWrH9kg
---- V4Tp84/WJUM+/l+eEjlypE4Lx47BtkGFpEnNIdIB35E
-ô¡qzîL¡çzYNŽv×0[¿AöKN<ÛÀ<C39B>ö¦÷:,D<>¢S¹:!$`Õw©^‡àŽhi†O'(ž7!=ÿC(ÿï>´ûDоÙFÐ=J

secrets/forgejo-mailer-password.age

@@ -1,43 +1,43 @@
 age-encryption.org/v1
--> ssh-ed25519 iDKjwg t2wVQkkmL35JIXb3x9xxWmRECF7yet7c4+EdoFhCaAs
-GJxaYARfYJdNDq6Ay81r4+TsTAMmPd7AxZMTq/GzuIY
--> ssh-ed25519 uYcDNw LeXqaLu9EylzTOle7lma4la5S3NDPjALTybvV2ppd3c
-JCdLMyK1c+Sldqla8dVUDK28Zl+nLXnsh/MXQ4d/yJw
+-> ssh-ed25519 iDKjwg vmr542fc5ndYRiW5ukHanhTMBV4TgSduloYjuWwmpw8
+ACSBzerGx8Rd17zNfgO3qSqwBuQio9oyYaa5ypUbBxk
+-> ssh-ed25519 uYcDNw fjP84i8BsNOfBoVDpH25MBC6D3xPXwbbO9ghLKr+mE4
+TRKHWqVvzLP/AOJ5SJ5qeKj6UdYp2+tsxO/GVRy+qt0
 -> ssh-rsa f5THog
-ePz4dSiyFwtX5HmwF7/vyXKAwH52aVfjwQcyovl8r9srFt2o19MLkMvPM+CVXXo+
-v0Dc6dNdfp6Oyn4rNvGMNtsL7Zb4B32OVck/uGn4pI9aC3wsOvr1JvetolaepATG
-vnxB+TYjM/S/iYpxaKbrhKBOM466dUygI4bS/GPT749+R9610mZ+jle1yylyvRTM
-WiTJaNbOEKOnwPPgZdBbZEcisbz5BFJhVHBxxd/1DXZPRBeg9Xn7514IwbtRgRS2
-x6gzSDFZBcpvXQ/g86JveORI9eoS97w1Fgv1bJnwhoZ3yebDThPnP0xU6I64nCwJ
-H0W+Rrutq4UgMkYghElCoFyunPz73M7PArzW44PPCOeGUrVDsqbTgf9YD5s3HDsc
-TZqrcgzY6/cLzulgM2Is5b4ZEecWLNGoe84sjHR5OXneGf9BXcB5GpgWIC//ZFym
-Sr/UOlfI0YtZpY5ph/10uWqi838idwMTjOZGuope5T5m8+rsbxlwAKRf2E31nx5e
-rjW4hdV4tm2yZm+E75FEIo1yhu4JKm+MCv8ri8217c2Ex/qqDQ5pi/meOrjKGFgc
-7FKkg2h6ir1rh0bMYTpZAelpKVicTQpY4HyphiFuk5cCt6cXiEMiwRBm3QrwmSvl
-KcmXweuoYiunkb5q2GG6sE0d3yZluG7g5mPWE7WFngM
+IMiwRGW5B09oJDDJamyQBOwtFu+KhxUQQ1w0RJEnpITZZzyfHOuhAuwsjLy+us9v
+znzSA7bo1YusdFjzfW4RZeueuW8vvWdsv9Cjadlg6Bb2uP7sWeh7qH+IoyB2Z9Kt
+fZ0O6O+65pOybsCKZ9cUuZ+E9E5nG2KRjzdV+csEKAshGLqeo2RILKZB8oSx9tZr
+sjPXRFLchj/6zbY1yBs+q0+qC7ldUBdJLDtl5Yj6hzB4fk1JuPTSDWtKSHBYDz60
+Ri3CO1Z0z+8/IJWZqaa0a7jCYH6v4ZzboGrdE7MJq6Tyorl26bitSSevXHJmCrJq
+ZpcpZfs/kVFu05ftaVul6vyPM09QOIQx+ia9tIKmCgWNcrM5mSy63C9klutXOW6j
+GZ60YUnOvVDz+i0wmaZvMs3C4THhdtOsln/dVrqOKFKf704mAsO4cSEwqNyoXy7n
+/WbxDQcTU62pKEkwlU//CjuA0rHwmX8m/tweNuokh8fPJ6SLE9dLqxPzmeq9JX7q
+RNO+eZZ2NnjpkrI46stVS3p3FUHPbk9mhIiyfr4LgSBCoNWv1TkLS8DOqWOeNKfy
+8wLAjgvpNIk8Vgbhoe4/G8wB5Qvr0vfGmdjzA5miu28YZ8PXHN6DlkaT9T0iROuZ
+HM8j2FND2EYLB/Je19ctYNDjCmEYFhsvH/H448QMODw
 -> ssh-rsa kFDS0A
-jvdXdLAU/L/dD6bmuXIXEaZIGAEOFTujxuVy7oFHSeAZk4AyT2ZBLfuDa1KI3iSR
-19hImXIZyaQJh5RSTkEHpwdsxexbzcQV8y77XdF2neNj6OYjMfpP8a5foGcu9Rnd
-/DRSkRNumkTfpet/gSiRIPz0Sj++HA8/X3GwRlwqPKE12As06ebL76003NX/u7ep
-6jJR/sOlLJV2VtqU1tvgQ5VV7KIyMTlP2a38MDCtOHTVmK8inVNqL28H0ptYJ1IZ
-KId96pKqR0v+h/qhHHQoYBJxCBUHc3Rp8eZdssLpLfRHGLQ1ccpV7KUr4ihKFh+9
-wu5/YD9qrQls1EjXi1mj/kCvT2FplUJEZqgBBRY1/mHjpWmx999E5QijjhWchBL/
-PgF0oF25MABESrm/edvThwp7MVTA8ZSY8xj40D9bfsBGrpVBlf5hKsSulpiaMQGK
-6ScH4sRFXDhwC7j8OOMZWcqNvEc3KjgjJwl+qFTXDdBe+zd5sF+orjORjIge1z3c
-v2wngm6vTX4GobrtqiC2ZmolWbRxz7a4IwWNPrmEql8Bnmf1bfRy4X5/EOuIy1zN
-s/3Qu0KjjVBikU60RyXAdRI2M+aCKSKushp7bThT2j+VJTGIsmEbG190VjChTkmb
-meF98Mt2uJoJjzCYdyaGCQRWAr/f8ER0GZgLXS4Apt8
--> piv-p256 vRzPNw Am/95gSJXOtEBedzoMQBFwWC4E30vZcMINW5JjeM7ot4
-TzGZSlKt50OxQryrIQHSqMj+dnIDV5+adfohG9heDTs
--> piv-p256 zqq/iw A5R9tfUoQmodbn9rt0M0x3lnJUMz02u66HR4+RTIcU6/
-D9JRgjM280CDu/ds6j4lequ3VGEwz2aEYf6Pu4e8Hf8
--> ssh-ed25519 YFSOsg 8YXBlEpaC0Vkewf7awp/RuHxaV92jp8Lnf391jd8UDc
-9bzGios7kSFpAKJbmjupcpf7/BCn6XwQMDfh1uRb1qs
--> ssh-ed25519 iHV63A 2WrmaliPbgh0rJLJJkgy1sUI4S0H07PwZ9oJNk5R+z4
-SdjvYKOlZLClUKs+KUQ2ek4X7amZn56Fcfo0TnAeTO4
--> ssh-ed25519 BVsyTA +RlXlmh3g6GLA7W26NmDEd4fRSVrJ8lzY1ZZ8OuuT2U
-+quL6DjgTibaE878QG9w281ArQ/9LS5467Nfm5TiADg
--> ssh-ed25519 +3V2lQ 4B1XgSPLOVjzzNlxNYmLeIxABUnXcvETOOWlaXnmgRU
-bgdGjPihq6SnGVWsntPhajgy4sLD8c6VWSYeSlllUx4
---- LEtvqKl5+C4uRIigcNFI3hVXkxov9Wt1CasYuMvEpvU
-¦V †ãCC{ËË©u%ŒÒr¤37ÓSG6	¤(Eëê1¡ çì–àmP©Fwï¸
+nSuC6Kgnp3+r41SXWEqIkryUlhWQTl5Qr0muXhnsBmuN+2iVBGYFqxqJSDpdnvbM
+SIIy5c5rLfGSNRejRebgvyCntEvrOiGtmgubpURMEaXwJiEI+Hqfju1V8yi2RUto
+KTR/YhYv0i50pLMV4JD7MWPga/zeYUVhE8eISUNFbiJS+ve3BP/3Tg2E9tUvTsCG
+j7MxM4Td1jH2jCa7ueYOJ0R/qr0BKIEOGP4e+7YCByujYWKTV1JHOZehzIYA5wFs
+Bqq7GZnTTiP5n/kh7CgNyWORdBW4gaBslyhjAJI3hCbBvZer547K4moP6aPKog32
+yTZQVVu/kZzCIgA/4TzWr/g11fKD0dUnPCmXbctQVgeOtYAbnWJBFwMmXvQdRU2P
+jt5Ce0WqwhExaE8fAx7v3AYXhYgAOBem4uIe34PAuj672Tc1U61hztSCynE2cXI/
+2ZyCoWZZC/4fjUTFXC8urATfjgGV5PrhRcU4JtnQwytjd0Ru4pm56zZCpzmHxWMi
+bbyVSF5NisCvjF5rxyS4XXNfg52fkV01gJsJ48B9dnSs5HYTBaWQWJ00sO5ssGRm
+9H+T/Bsi42X6lnlt8ybzYD7aDIJbfz56vHf18/tfRhOzYbIBE7Rnkvs0vsNwT05K
+OGOb3iLFtxGGIpSC5Ba1T8h1TuEAawhmrHkF/Lfdr8g
+-> piv-p256 vRzPNw AquhJELiSYcW1KeKiied88TcDZYgtjdZm46FlV7CRsmt
+ikxq4EIkI3UXqjns1QJdAe0N3mEh7sbzYPu9H0IvmCA
+-> piv-p256 zqq/iw A94RUts75asVyQG7IZSfg7mDgcWI/hruOfRqD8Pdn4Ff
+17kI8IKl98f5lMqdcvqpTO8EN7pr9HP0SJJxFlIMcrw
+-> ssh-ed25519 YFSOsg gvcjFcWsCaBjYXvab/eyIhDhfw2bjc3u+nOenGiebTc
+hi30KYU9aYxWG/ZWFZQ4qW/P+hi+ms3140/9BTYNo7k
+-> ssh-ed25519 iHV63A RVCt2pceoQfdaBWd5qXcT0x/0dQgLP3jKpa6xeDdnyY
+Q1arCu2nmcl3Qt/uqV6UeXUf/OffvNl7ZWtqbWjrw4k
+-> ssh-ed25519 BVsyTA DX/5O7PCLEBoraM0qFy821i8GZysh2+XhR1fGV50SCw
+hN/a4NwiX9oySM7Uyt6vS9hjOTHNbN3tF9DAHF0vDiI
+-> ssh-ed25519 +3V2lQ uXmSWC+gV5JsARpa8cDv6faykEoYJHH0TqnWc8yzhQM
+/y/94BU9Mwqcez6y2tJoCEkg8c5x9p8FkUbbhUpKh9M
+--- SA5BB1izTywLQB/5ghs3XqlOzr0ag2gI2/09M3eVtjY
+±µ¦ýE¨Õ8SLJðZ½Ð°s\–4Â#ÏRB
rç|eÉY/ü|/.B¹
<0A>ÖÑ

secrets/garage-rpc-secret.age

@@ -0,0 +1,47 @@
+age-encryption.org/v1
+-> ssh-ed25519 NID4eA HQEbsh8zoRkgWQHuHLF/iu6GZhCXJ7h0bCbj2z4uyh0
+lhRAIYM2mWCmwT9WGESgQnf1EadGPMZARC+EnVMH4Vg
+-> ssh-ed25519 9RQHxg GIKGKtJTCWVTZdXn+GpWPDTqQjk44ptA7/D2LmREmzU
+WuKeF8IZG70jA9zHaULJ4uXp3sj5MSga21rLOI4st4s
+-> ssh-ed25519 eP5MMw 6rWxeM8wnvSOxIbvQidqr0MREqzEdsWMTibrWmy0hVA
+LkTgGZyJsl4vfq7jUbeFbrL/naaULV9E6yHyVG3hbso
+-> ssh-ed25519 uYcDNw EC2iOzQLOUnt8a+V/zal82jrOBtBQrIWcaDo4tq0cUo
+T3iWlaRzbctnTrBCQ5aOwGND4QxmDnhulq9PcvtoBqA
+-> ssh-rsa f5THog
+NCQjF/OsBHHODFWMhgz0pkyo9YJN4bUsocgEIx+Zag60wR13cmt4dLMU7k9U2LT1
+S7gs0ZVY/7RrA9GaxTyXT9c4UlehJX33+lfR/nNCbWguilcZ8yYV2pa8DQqBRPSm
+Ub6AlkgRos0R3nBfUDiUWuwZ3ZY2qWOp4WWzcrCFej65WBdrQABD07LRUghnEPCM
+eJEOJE5nnScvK8wVmw7OTVjA9ZTOS5/opF0v76Y3kU88/VuovJz7hb2AcANuB7W+
+jT5+hKhpTaBlL/A/AmgQmJJ9GiAvdn9KUNIeqt8Nfgpc4Vs3sHJZ3HZVwC6gL3vR
+dOE0D+eh0bmI1J7t8jpRa1r9tZyKxEwZqUh/O80/d+yZygw2x8ignLpcRhLmrT9d
+c7guE8Y71+mSxeITFN6QY/+5hY4EJ0XR1t4FZHgKgMjtPBPYyx1ogQNTQf4WaNld
+XWh7goRD+w3RhducqRdmhc0RhDpCazvbGXCyBxZOImgis69CQZQlFJhpCt+Z8B+Y
+QJxesMxpvGsV9c5r8SP7UF2juhzsG6cciq8NgF/7zIq7LEbVOgBVSCLCWx+DgaBa
+Fkdnrc8xw89CA6aIwlwptpWn8rOlSiTljiMkogzWwU1QcTcZuMF7/xbDrXaZ+X9C
+JBliKQ8sO/BVEOexJ+WuF9ORyLB9JjbdGdw7LRUhPMI
+-> ssh-rsa kFDS0A
+dp8Sgszmxvk2xJ13SOQQ/ArEiTHr20nbyptGBO8esZmSOWW/7CYz7GzMT1VBNXhC
+vWgK5zknuaWWbj5o8zO3LFLPct9NvuPTSTCWYbGOR5r+I5Py+SNWNGXyZ8MycPqM
+5yNQXdhfpgTGT2I/ZbQVk3QrualTKX/usgDsIkFvkwq2/ACGsVRnfZUenZwc5XKm
+SWAzjbN8OEwtFG33fprOjYkrtfJeyMVSfdPkgg8P4Io4n1DXySZUAzR8z9uD4H5p
+HfaXWGF0JfC5LnS+8Q2lUeoB1nfb/BDMybNhfz0U9S2WyLlnjSpMBugi5bzR3Y6n
+bAHYIPnFbjstGGzBq7u0QYI8nPNrCxYdp0bZ6cgtUQfrUei6SMZcudXJXIK+DRk5
+FoHaTHkJBUTQPeN821KCjlYgV01pg86NNBMxJV9L8zJqtYp7nk7CLrG4JiwgN/+4
+MmEsmkifjOmSHuLSkrcrZdum3nlUkiaoWcjBYFwzXN6kxffefkzcoQK+Uio1m+m6
+cY6MDo5c1JzVNGIaeNJycutb7pG1iYzHGiVh5Xg2piU9Q8a+b445bShx8m9lKrHh
+VD2TeiU/P47LLURNsUpA87B2H6kLlQgj8mT9oxNp/a6rhKjaTWrt8tbApNVuttHs
+C4/N6cWeP+JwYLUSdjehTkS/3m6Gs9wPgx9uiBwi/Fk
+-> piv-p256 vRzPNw A8BVgFdKagBtB82Fbylx71jPgc8f8hVF1N06/HkIZ4oH
+/gxYFwlY4Gx8HbtKjMf9Ba+gxkLTb2ZGcyKEbnke5Ew
+-> piv-p256 zqq/iw Auev9DCuQrWVMFh8ckLgfrN1aOAVrjSsaKl00GNaneg0
+ZdqFFOSTWf1dsEdoponH1j9hXYag2/l6+pJMedYuVvA
+-> ssh-ed25519 YFSOsg GuwGTH0D0YimZksECOmqpsB8S8I/my7fDRGlJyO5oGY
+uyX0FBN3hIF3az8OiP5L+DwgG69eDATVHPaNOsX35Ys
+-> ssh-ed25519 iHV63A pD7q8qdejDfhxTWCvrfmm2oTmSdg0bNKNwPhhXH/fBE
+fVhPi/U/9MFfj2vORYM3gqEZK3dXawIAappo8eo1U94
+-> ssh-ed25519 BVsyTA iwscr5+fZh4ErmdvKJ1ta5ZSEWVHtQEIXTfzYyvTEmo
+7n+41EGr1knWuHScqWF25xZijMIAjvk9iMGZzIr3v8w
+-> ssh-ed25519 +3V2lQ HjPClU7+EumicsRX8wUk6r/W0G5eJOJ01rrunUHpBxM
+fOS+2bO9IgRd7pjZ3gWaFeLb/xBYFcJY/anHXaX6wFg
+--- 7M/9M7Lz3skL2JNpQZtfMcsL/aKutELcIyQtDu8Kies
+¨_…"šBþ=ò&3_¶^ŸýÜkÕqwÀ"<22>{õ+ú³à<C2B3>Aݵe’«ÿJ‘ŒÌ:ï[×íÄõ’
,gý 2:–rÿ|çÂ*vµÎ&ö"^ùksÀÈK–_âFñK