bla

flake.lock

@@ -2,16 +2,19 @@
   "nodes": {
     "agenix": {
       "inputs": {
+        "darwin": [
+          "darwin"
+        ],
         "nixpkgs": [
           "nixos"
         ]
       },
       "locked": {
-        "lastModified": 1673301561,
+        "lastModified": 1677247280,
-        "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
+        "narHash": "sha256-sa+8MtoAOSLsWP9vf0qiJUyMovIEYgDzHE8TkoK04Hk=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
+        "rev": "833f87c8ff574a29aea3e091045cbaed3cf86bc1",
         "type": "github"
       },
       "original": {
@@ -73,11 +76,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1655976588,
+        "lastModified": 1671489820,
-        "narHash": "sha256-VreHyH6ITkf/1EX/8h15UqhddJnUleb0HgbC3gMkAEQ=",
+        "narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=",
         "owner": "numtide",
         "repo": "devshell",
-        "rev": "899ca4629020592a13a46783587f6e674179d1db",
+        "rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634",
         "type": "github"
       },
       "original": {
@@ -126,6 +129,22 @@
         "type": "github"
       }
     },
+    "factorio-pr": {
+      "locked": {
+        "lastModified": 1676729025,
+        "narHash": "sha256-342GXq1CGPbztLGJcSlbdRbglXlCWMYykeYg/d5Nvyk=",
+        "owner": "werner291",
+        "repo": "nixpkgs",
+        "rev": "e37b8db403154b3c421c6bc21afd725a5ad2df3e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "werner291",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -202,11 +221,11 @@
         "utils": "utils_2"
       },
       "locked": {
-        "lastModified": 1674440933,
+        "lastModified": 1676257154,
-        "narHash": "sha256-CASRcD/rK3fn5vUCti3jzry7zi0GsqRsBohNq9wPgLs=",
+        "narHash": "sha256-eW3jymNLpdxS5fkp9NWKyNtgL0Gqtgg1vCTofKXDF1g=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "65c47ced082e3353113614f77b1bc18822dc731f",
+        "rev": "2cb27c79117a2a75ff3416c3199a2dc57af6a527",
         "type": "github"
       },
       "original": {
@@ -218,11 +237,11 @@
     },
     "latest": {
       "locked": {
-        "lastModified": 1674641431,
+        "lastModified": 1677063315,
-        "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
+        "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
+        "rev": "988cc958c57ce4350ec248d2d53087777f9e1949",
         "type": "github"
       },
       "original": {
@@ -239,11 +258,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1673395322,
+        "lastModified": 1676707513,
-        "narHash": "sha256-Xwaoz3+/+kCu8Przi1W3MWdQcOQ9wLVrr8nfBN6L6wA=",
+        "narHash": "sha256-Cr8f0zUpjb9T+aiClDFpJKVqfKKa6S/fbxPcSTX8UHI=",
         "owner": "musnix",
         "repo": "musnix",
-        "rev": "46d6e6435edcfa2a4adcfdd95d576979b710f4cb",
+        "rev": "2289b7c353e56ee18270fb6b43965036942b2d0f",
         "type": "github"
       },
       "original": {
@@ -269,11 +288,11 @@
     },
     "nixos": {
       "locked": {
-        "lastModified": 1674781052,
+        "lastModified": 1677075010,
-        "narHash": "sha256-nseKFXRvmZ+BDAeWQtsiad+5MnvI/M2Ak9iAWzooWBw=",
+        "narHash": "sha256-X+UmR1AkdR//lPVcShmLy8p1n857IGf7y+cyCArp8bU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "cc4bb87f5457ba06af9ae57ee4328a49ce674b1b",
+        "rev": "c95bf18beba4290af25c60cbaaceea1110d0f727",
         "type": "github"
       },
       "original": {
@@ -289,11 +308,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1674666581,
+        "lastModified": 1676297861,
-        "narHash": "sha256-KNI2s/xrL7WOYaPJAWKBtb7cCH3335rLfsL+B+ssuGY=",
+        "narHash": "sha256-YECUmK34xzg0IERpnbCnaO6z6YgfecJlstMWX7dqOZ8=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "6a5dc1d3d557ea7b5c19b15ff91955124d0400fa",
+        "rev": "1e0a05219f2a557d4622bc38f542abb360518795",
         "type": "github"
       },
       "original": {
@@ -304,11 +323,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1674550793,
+        "lastModified": 1677232326,
-        "narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=",
+        "narHash": "sha256-rAk2/80kLvA3yIMmSV86T1B4kNvwCFMSQ1FxXndaUB0=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103",
+        "rev": "2d44015779cced4eec9df5b8dab238b9f6312cb2",
         "type": "github"
       },
       "original": {
@@ -340,7 +359,7 @@
       "locked": {
         "lastModified": 1666884246,
         "narHash": "sha256-nSiYCIlMiYodY7GPCFPMF6YHVS2RM/XQZwn2Zrhu2eU=",
-        "ref": "master",
+        "ref": "refs/heads/master",
         "rev": "f1863fb8e3866c1559ca885e1b319ea82baecdbb",
         "revCount": 23,
         "type": "git",
@@ -353,11 +372,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1674641431,
+        "lastModified": 1672791794,
-        "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
+        "narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
+        "rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d",
         "type": "github"
       },
       "original": {
@@ -401,6 +420,7 @@
         "darwin": "darwin",
         "deploy": "deploy",
         "digga": "digga",
+        "factorio-pr": "factorio-pr",
         "flake-compat": "flake-compat",
         "home": "home",
         "latest": "latest",

flake.nix

@@ -42,6 +42,8 @@
     musnix.inputs.nixpkgs.follows = "nixos";
 
     nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
+
+    factorio-pr.url = "github:werner291/nixpkgs/master";
   };
 
   outputs = {
@@ -78,6 +80,7 @@
           ];
         };
         latest = {};
+        factorio-pr = {};
         fork = {};
       };
 
@@ -131,15 +134,19 @@
 
           companion = {
             system = "aarch64-linux";
+            modules = [nixos-hardware.nixosModules.raspberry-pi-4];
           };
           cox = {
             system = "aarch64-linux";
+            modules = [nixos-hardware.nixosModules.raspberry-pi-4];
           };
           falcone = {
             system = "aarch64-linux";
+            modules = [nixos-hardware.nixosModules.raspberry-pi-4];
           };
           giggles = {
             system = "aarch64-linux";
+            modules = [nixos-hardware.nixosModules.raspberry-pi-4];
           };
 
           norman = {};
@@ -186,13 +193,17 @@
             harrison = hensoko ++ [daw gaming graphical non-free social work];
 
             # work laptop
-            norman = hensoko ++ [ graphical non-free social virtualisation work ];
+            norman = hensoko ++ [graphical non-free social virtualisation work gaming];
 
             # cm4
             falcone = hensoko-iot;
 
             # surface
             surfplace = hensoko ++ [graphical non-free social];
+
+            # chonk
+            chonk = hensoko-iot;
+          };
         };
       };
 
@@ -206,40 +217,18 @@
           };
         };
         users = {
-            pub-solar = { suites, ... }: { imports = suites.base; };
+          pub-solar = {suites, ...}: {
-            hensoko = { suites, ... }: { imports = suites.base; };
+            imports = suites.base;
-            iot = { suites, ... }: { imports = suites.base; };
+            home.stateVersion = "22.05";
-          }; # digga.lib.importers.rakeLeaves ./users/hm;
           };
-
+          hensoko = {suites, ...}: {
-        devshell = ./shell;
+            imports = suites.base;
-
+            home.stateVersion = "22.05";
-        homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
-
-        deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
-          redpanda = {
-            hostname = "192.168.42.71:22";
-            sshUser = "hensoko";
-            fastConnect = true;
-            profilesOrder = [ "system" "direnv" ];
-            profiles.direnv = {
-              user = "hensoko";
-              path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
           };
+          iot = {suites, ...}: {
+            imports = suites.base;
+            home.stateVersion = "22.05";
           };
-
-          companion = { sshUser = "iot"; };
-          cox = { sshUser = "iot"; };
-          giggles = { sshUser = "iot"; };
-          ringo = { };
-          cube = {
-            sshUser = "iot";
-          };
-        };
-        users = {
-          pub-solar = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };
-          hensoko = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };
-          iot = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };
         }; # digga.lib.importers.rakeLeaves ./users/hm;
       };
 
@@ -268,6 +257,27 @@
             path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
           };
         };
+
+        companion = {sshUser = "iot";};
+        cox = {sshUser = "iot";};
+        giggles = {sshUser = "iot";};
+        ringo = {};
+        cube = {sshUser = "iot";};
+        chonk = {sshUser = "iot";};
       };
+      users = {
+        pub-solar = {suites, ...}: {
+          imports = suites.base;
+          home.stateVersion = "21.03";
+        };
+        hensoko = {suites, ...}: {
+          imports = suites.base;
+          home.stateVersion = "21.03";
+        };
+        iot = {suites, ...}: {
+          imports = suites.base;
+          home.stateVersion = "21.03";
+        };
+      }; # digga.lib.importers.rakeLeaves ./users/hm;
     };
 }

hosts/chonk/acme.nix

@@ -0,0 +1,10 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "hensoko@gssws.de";
+  };
+}

hosts/chonk/backup.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  self,
+  ...
+}: {
+  age.secrets.restic_repository_password.file = "${self}/secrets/chonk_restic_repository_password.age";
+  age.secrets.restic_nextcloud_password.file = "${self}/secrets/chonk_restic_nextcloud_password.age";
+
+  programs.ssh.extraConfig = ''
+    Host backup
+      HostName 10.0.1.12
+      Port 32222
+      User backup
+      IdentityFile /run/agenix/restic_ssh_private_key
+  '';
+
+  services.postgresqlBackup = {
+    enable = true;
+    backupAll = true;
+    compression = "zstd";
+  };
+
+  services.restic.backups = {
+    cox = {
+      passwordFile = "/run/agenix/restic_repository_password";
+      paths = [
+        "/mnt/internal/nextcloud"
+        "/var/backup/postgresql"
+      ];
+      repositoryFile = "/run/agenix/restic_nextcloud_password";
+      timerConfig = {
+        OnCalendar = "02:00";
+      };
+    };
+  };
+}

hosts/chonk/builder.nix

@@ -0,0 +1,31 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: let
+  psCfg = config.pub-solar;
+in {
+  age.secrets.nix-builder-private-key = {
+    owner = "builder";
+    group = "builder";
+    file = "${self}/secrets/chonk_nix_builder_private_key.age";
+  };
+
+  programs.ssh.package = pkgs.openssh_hpn;
+
+  nix.settings.trusted-users = ["builder"];
+
+  boot.binfmt.emulatedSystems = ["aarch64-linux"];
+
+  users.groups."builder" = {};
+
+  users.users."builder" = {
+    isNormalUser = true;
+    group = "builder";
+    shell = pkgs.bashInteractive;
+    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8hTdDTA+LVlHkOm5IBjT32PvAdCxYfUfFFRx+JGeS6 root@norman"];
+  };
+
+  nix.settings.secret-key-files = "/run/agenix/nix-builder-private-key";
+}

hosts/chonk/chonk.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+with pkgs; let
+  psCfg = config.pub-solar;
+in {
+  imports = [
+    ./configuration.nix
+  ];
+
+  networking.networkmanager.enable = lib.mkForce false;
+}

hosts/chonk/configuration.nix

@@ -0,0 +1,41 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./acme.nix
+    ./backup.nix
+    ./drone.nix
+    ./home-assistant.nix
+    ./nextcloud.nix
+    ./wireguard.nix
+    ./builder.nix
+    ./invidious.nix
+    ./factorio.nix
+
+    ./invoiceplane.nix
+    #./tang.nix
+    #./whiteboard.nix
+  ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  time.timeZone = "Europe/Berlin";
+
+  services.openssh.ports = [2222];
+
+  networking.nat.enable = true;
+  networking.nat.internalIPs = ["10.10.42.0/24"];
+  networking.nat.externalInterface = "eno1";
+
+  networking.firewall.allowedTCPPorts = [80 443 2222];
+  networking.firewall.allowedUDPPorts = [51899];
+
+  networking.firewall.enable = lib.mkForce true;
+
+  system.stateVersion = "21.05"; # Did you read the comment?
+}

hosts/chonk/default.nix

@@ -0,0 +1,7 @@
+{suites, ...}: {
+  imports =
+    [
+      ./chonk.nix
+    ]
+    ++ suites.chonk;
+}

hosts/chonk/drone.nix

@@ -0,0 +1,24 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets.drone_exec_runner_config = {
+    file = "${self}/secrets/chonk_drone_exec_runner_config.age";
+    owner = "999";
+  };
+
+  pub-solar.docker-ci-runner = {
+    enable = true;
+    enableKvm = true;
+    nixCacheLocation = "/srv/drone-nix-cache/nix";
+
+    runnerEnvironment = {
+      DRONE_RUNNER_CAPACITY = "10";
+      DRONE_RUNNER_LABELS = "hosttype:baremetal";
+    };
+
+    runnerVarsFile = "/run/agenix/drone_exec_runner_config";
+  };
+}

hosts/chonk/factorio.nix

@@ -0,0 +1,24 @@
+{
+  self,
+  config,
+  pkgs,
+  fetchurl,
+  ...
+}: let
+  #far-reach = pkgs.factorio-utils.modDrv rec {
+  #  src = fetchurl {
+  #    urls = [ "https://dl-mod.factorio.com/download/c48a8fbbe6941453173ae4e8a353976f3d757773/far-reach_1.1.2.zip?secure=0rFEz6-kw9j2JtrOUv3yEw,1677274141" ];
+  #    sha256 = "";
+  #  };
+  #};
+in {
+  services.factorio = {
+    enable = true;
+    package = pkgs.factorio-headless-experimental;
+    openFirewall = true;
+    game-name = "pub.solar Factorio";
+    game-password = "pub.solar";
+    admins = ["hensoko"];
+    #mods = [ far-reach ];
+  };
+}

hosts/chonk/hardware-configuration.nix

@@ -0,0 +1,103 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = ["raid1"];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+  boot.extraModprobeConfig = "options kvm_intel nested=1";
+
+  boot.initrd.luks.forceLuksSupportInInitrd = true;
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03025429121421051300-0:0";
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/9e13c8ea-96d3-45b1-85f4-d1a61233da6f";
+    #keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
+    #fallbackToPassword = true;
+    #bypassWorkqueues = true;
+  };
+
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      port = 22;
+      authorizedKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"];
+      hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
+    };
+    postCommands = ''
+      echo 'cryptsetup-askpass' >> /root/.profile
+    '';
+  };
+
+  boot.initrd.systemd.enable = true;
+
+  boot.initrd.services.swraid = {
+    enable = true;
+    mdadmConf = ''
+      ARRAY /dev/md/0 metadata=1.2 name=data:0 UUID=1156202f:835af09b:2e05e02a:a1869d1c
+    '';
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "ext4";
+  };
+
+  fileSystems."/mnt/internal" = {
+    device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-label/swap";}
+  ];
+
+  networking.bonds."bond0" = {
+    interfaces = ["eno1" "eno2"];
+    driverOptions = {
+      miimon = "100";
+      mode = "balance-xor";
+      xmit_hash_policy = "layer3+4";
+    };
+  };
+
+  networking = {
+    defaultGateway = "80.244.242.1";
+
+    nameservers = ["95.129.51.51" "80.244.244.244"];
+
+    interfaces."bond0" = {
+      ipv4.addresses = [
+        {
+          address = "80.244.242.2";
+          prefixLength = 29;
+        }
+      ];
+    };
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/chonk/home-assistant.nix

@@ -0,0 +1,21 @@
+{
+  self,
+  pkgs,
+  config,
+  ...
+}: {
+  # HTTP
+  services.nginx = {
+    virtualHosts."ha.gssws.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://10.0.1.254:8123";
+        proxyWebsockets = true;
+        extraConfig =
+          "proxy_ssl_server_name on;"
+          + "proxy_pass_header Authorization;";
+      };
+    };
+  };
+}

hosts/chonk/invidious.nix

@@ -0,0 +1,23 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: let
+  domain = "yt.gssws.de";
+in {
+  age.secrets.invidious_db_password.file = "${self}/secrets/chonk_invidious_db_password.age";
+
+  services.invidious = {
+    inherit domain;
+    enable = true;
+    nginx.enable = true;
+    database = {
+      createLocally = true;
+      passwordFile = "/run/agenix/invidious_db_password";
+    };
+    settings = {
+      https_only = true;
+    };
+  };
+}

hosts/chonk/invoiceplane.nix

@@ -0,0 +1,65 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: let
+  hostAddress = "10.10.42.1";
+  serviceAddress = "10.10.42.11";
+
+  domain = "inv.gssws.de";
+  hostStateDir = "/mnt/internal/invoiceplane";
+  containerStateDir = "/var/lib/invoiceplane";
+in {
+  # nginx
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/" = {
+        proxyPass = "http://${serviceAddress}:80";
+      };
+    };
+  };
+
+  # invoiceplane
+  containers."invoiceplane" = {
+    privateNetwork = true;
+    hostAddress = "10.10.42.1";
+    localAddress = serviceAddress;
+
+    bindMounts."${containerStateDir}" = {
+      hostPath = hostStateDir;
+      isReadOnly = false;
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.allowedTCPPorts = [80];
+
+      services.rsyslogd.enable = true;
+
+      services.phpfpm.pools."invoiceplane-${domain}".phpOptions = ''
+        date.timezone = Europe/Berlin
+      '';
+      services.caddy.virtualHosts."http://${domain}".listenAddresses = ["0.0.0.0"];
+
+      services.invoiceplane.sites."${domain}" = {
+        enable = true;
+        stateDir = containerStateDir;
+
+        extraConfig = ''
+          ENABLE_DEBUG=true
+        '';
+
+        database = {
+          user = "invoiceplane";
+          name = "invoiceplane";
+        };
+      };
+    };
+  };
+}

hosts/chonk/nextcloud-apps.nix

@@ -0,0 +1,87 @@
+{
+  self,
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  notify_push = pkgs.fetchzip {
+    sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls=";
+    url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz";
+  };
+in {
+  systemd.services.nextcloud-notify-push = {
+    enable = true;
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      Environment = [
+        "PORT=7867"
+        "NEXTCLOUD_URL=https://data.gssws.de"
+      ];
+      ExecStart = "${notify_push}/bin/x86_64/notify_push /mnt/internal/nextcloud/config/config.php";
+      User = "nextcloud";
+    };
+  };
+
+  services.nextcloud.extraApps = with pkgs.nextcloud25Packages.apps; {
+    inherit bookmarks calendar contacts deck keeweb news tasks;
+    inherit notify_push;
+
+    "bruteforcesettings" = pkgs.fetchzip {
+      sha256 = "8Sev4B7AOzLGPX6a4in0BEXJ5oL6m2EYGuBExSCnfok=";
+      url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz";
+    };
+    "cookbook" = pkgs.fetchzip {
+      sha256 = "j7nAprAIY4NMPD6kXfmXVW+PgpRiyx5SRPSe6IEB/vY=";
+      url = "https://github.com/nextcloud/cookbook/releases/download/v0.10.1/Cookbook-0.10.1.tar.gz";
+    };
+    "cospend" = pkgs.fetchzip {
+      sha256 = "vGjK9Sy+q4ycS5MWeTTrwDGPTOp6t4leH+rF/Y54d0c=";
+      url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.5.5/cospend-1.5.5.tar.gz";
+    };
+    "files_accesscontrol" = pkgs.fetchzip {
+      sha256 = "34goKXWLUym5p7alby3WEyFzr346psHUeJ/+OZtfGmc=";
+      url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.15.1/files_accesscontrol-v1.15.1.tar.gz";
+    };
+    "files_automatedtagging" = pkgs.fetchzip {
+      sha256 = "PmcqHojtfww3wNIFoLM+hVXAjoo4zqzK6sUMeveHYa0=";
+      url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.15.0/files_automatedtagging-v1.15.0.tar.gz";
+    };
+    "files_fulltextsearch" = pkgs.fetchzip {
+      sha256 = "DEl/CbCvwiWvkNQOuKtHWzifq3AMrhL5wLHmSMuL4TU=";
+      url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/25.0.0/files_fulltextsearch-25.0.0.tar.gz";
+    };
+    "files_mindmap" = pkgs.fetchzip {
+      sha256 = "/u1H2QvyKfdGjelFAkLc3rRGQlm3T+OajAbpUF0+cdY=";
+      url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.27/files_mindmap-0.0.27.tar.gz";
+    };
+    "fulltextsearch" = pkgs.fetchzip {
+      sha256 = "1LVo5Cv6Gf4M/laVlHfm5wAQ8I8EsdLIThVm/jUj6uA=";
+      url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/25.0.0/fulltextsearch-25.0.0.tar.gz";
+    };
+    "groupfolders" = pkgs.fetchzip {
+      sha256 = "CGGt5QEzdJqOJywZQTQYeKIy/2JhHYGACHrfAmH9LD0=";
+      url = "https://github.com/nextcloud-releases/groupfolders/releases/download/v13.1.0/groupfolders-v13.1.0.tar.gz";
+    };
+    "maps" = pkgs.fetchzip {
+      sha256 = "8HNew2sIlMd+wt2a6jXa1tZpub56AnB5gfBs/cYlkcI=";
+      url = "https://github.com/nextcloud/maps/releases/download/v0.2.4/maps-0.2.4.tar.gz";
+    };
+    #"notify_push" = pkgs.fetchzip {
+    #  sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls=";
+    #  url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz";
+    #};
+    "quota_warning" = pkgs.fetchzip {
+      sha256 = "If4tW4yJbJ1xgfOyN0wxcgHLxXUrtKPdphRhbQOM6b4=";
+      url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.15.0/quota_warning-v1.15.0.tar.gz";
+    };
+    "richdocuments" = pkgs.fetchzip {
+      sha256 = "I6Y3lyZADiUCpmnkRS7Muc54uOOvKpWdlQ189EKzesA=";
+      url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v7.0.2/richdocuments-v7.0.2.tar.gz";
+    };
+    #"twofactor_totp" = pkgs.fetchzip {
+    #  sha256 = "p3Ft3sQ/2HPXCFE03dm8pBL39b7bWCi2iAxHkbOK2V4=";
+    #  url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
+    #};
+  };
+}

hosts/chonk/nextcloud.nix

@@ -0,0 +1,164 @@
+{
+  self,
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  notifyPushPort = 7867;
+in {
+  imports = [
+    ./nextcloud-apps.nix
+  ];
+
+  age.secrets.nextcloud_db_pass = {
+    owner = "nextcloud";
+    group = "nextcloud";
+    file = "${self}/secrets/chonk_nextcloud_db_pass.age";
+  };
+
+  age.secrets.nextcloud_admin_pass = {
+    owner = "nextcloud";
+    group = "nextcloud";
+    file = "${self}/secrets/chonk_nextcloud_admin_pass.age";
+  };
+
+  # HTTP
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    virtualHosts."data.gssws.de" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."^~ /push/" = {
+        proxyPass = "http://127.0.0.1:${toString notifyPushPort}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  # DATABASES
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_11;
+
+    settings = {
+      max_connections = "200";
+    };
+
+    ensureDatabases = ["nextcloud"];
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+
+  # REDIS
+  services.redis.servers = {
+    "nextcloud".enable = true;
+  };
+
+  users.groups."redis-nextcloud".members = ["nextcloud"];
+
+  # Collabora Code server
+  virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
+    image = "collabora/code";
+    autoStart = true;
+    ports = ["127.0.0.1:9980:9980"];
+    environment.domain = "data\\.gssws\\.de";
+    extraOptions = ["--cap-add" "MKNOD"];
+  };
+
+  services.nginx.virtualHosts."office.gssws.de" = let
+    proxyPass = "https://127.0.0.1:9980";
+    extraConfig = "proxy_ssl_verify off;";
+  in {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."^~ /browser" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."^~ /hosting/discovery" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."^~ /hosting/capabilities" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."~ ^/cool/(.*)/ws''$" = {
+      inherit proxyPass extraConfig;
+      proxyWebsockets = true;
+    };
+    locations."~ ^/(c|l)ool" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."^~ /cool/adminws" = {
+      inherit proxyPass extraConfig;
+      proxyWebsockets = true;
+    };
+  };
+
+  # NEXTCLOUD
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud25;
+    hostName = "data.gssws.de";
+    https = true;
+    datadir = "/mnt/internal/nextcloud";
+
+    caching.apcu = true;
+    caching.redis = true;
+
+    phpPackage = lib.mkForce pkgs.php81;
+
+    poolSettings = {
+      "pm" = "dynamic";
+      "pm.max_children" = "128";
+      "pm.start_servers" = "64";
+      "pm.min_spare_servers" = "32";
+      "pm.max_spare_servers" = "76";
+      "pm.max_requests" = "500";
+    };
+
+    phpOptions = {
+      short_open_tag = "Off";
+      expose_php = "Off";
+      error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
+      display_errors = "stderr";
+      "opcache.enable_cli" = "1";
+      "opcache.interned_strings_buffer" = "32";
+      "opcache.max_accelerated_files" = "100000";
+      "opcache.memory_consumption" = "256";
+      "opcache.revalidate_freq" = "1";
+      "opcache.fast_shutdown" = "1";
+      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+      catch_workers_output = "yes";
+    };
+
+    config = {
+      overwriteProtocol = "https";
+
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      dbpassFile = "/run/agenix/nextcloud_db_pass";
+      adminpassFile = "/run/agenix/nextcloud_admin_pass";
+      adminuser = "admin";
+
+      trustedProxies = ["80.244.242.2"];
+      defaultPhoneRegion = "DE";
+    };
+  };
+}

hosts/chonk/tang-container.nix

@@ -0,0 +1,68 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  containerStateDir = "/data";
+  hostStateDir = "/opt/tangd";
+  domain = "";
+  serviceAddress = "10.10.42.12";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${serviceAddress}:${toString servicePort}";
+    };
+  };
+
+  containers."tang" = {
+    autoStart = true;
+    ephemeral = true;
+    bindMounts."${containerStateDir}" = {
+      hostPath = hostStateDir;
+      isReadOnly = false;
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.enable = false;
+
+      users.groups."_tang" = {};
+
+      users.users."_tang" = {
+        group = "_tang";
+        isSystemUser = true;
+      };
+
+      environment.systemPackages = ["${pkgs.jose}"];
+
+      systemd.services."tangd@" = {
+        enable = true;
+        serviceConfig = {
+          ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
+          ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
+          StandardInput = "socket";
+          StandardOutput = "socket";
+          StandardError = "journal";
+          User = "_tang";
+          Group = "_tang";
+        };
+      };
+
+      systemd.sockets."tangd" = {
+        enable = true;
+        listenStreams = ["${toString servicePort}"];
+        wantedBy = ["sockets.target"];
+        socketConfig = {
+          Accept = true;
+        };
+      };
+
+      system.stateVersion = "22.11";
+    };
+  };
+}

hosts/chonk/tang.nix

@@ -0,0 +1,25 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: let
+  domain = "t.gssws.de";
+  servicePort = 63080;
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${builtins.toString servicePort}";
+    };
+  };
+
+  virtualisation.oci-containers.containers."tang" = {
+    image = "cloggo/tangd";
+    ports = ["127.0.0.1:${builtins.toString servicePort}:8080"];
+    environment = {
+      IP_WHITELIST = "172.17.0.1";
+    };
+  };
+}

hosts/chonk/wireguard.nix

@@ -0,0 +1,65 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets.home_controller_wireguard.file = "${self}/secrets/chonk_wireguard_key.age";
+
+  systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+  systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+
+  # Enable WireGuard
+  networking.wireguard.interfaces = {
+    wg1 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = ["10.0.1.6"];
+      listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/run/agenix/home_controller_wireguard";
+
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+
+        {
+          # giggles
+          publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+          allowedIPs = ["10.0.1.11/32"];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+        {
+          # cox
+          publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+          allowedIPs = ["10.0.1.12/32"];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+        {
+          # companion
+          publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+          allowedIPs = ["10.0.1.13/32"];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+
+        {
+          # hsha
+          publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
+          allowedIPs = ["10.0.1.254/32"];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}

hosts/companion/configuration.nix

@@ -1,15 +1,17 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ inputs, pkgs, builtins, config, lib, ... }:
-
 {
-  imports =
+  inputs,
-    [
+  pkgs,
+  builtins,
+  config,
+  lib,
+  ...
+}: {
+  imports = [
     ./hardware-configuration.nix
     ./home-controller.nix
-      ./paperless.nix
   ];
 
   boot.loader.timeout = lib.mkForce 0;
@@ -53,4 +55,3 @@
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "22.11"; # Did you read the comment?
 }
-

hosts/cox/backup.nix

@@ -1,23 +1,87 @@
-{ self, config, pkgs, ... }:
-
 {
-  virtualisation.oci-containers = {
+  self,
-    backend = "docker";
+  config,
-    containers = {
+  pkgs,
-      backup-ssh = {
+  ...
-        image = "linuxserver/openssh-server:arm64v8-latest";
+}: {
-        ports = [ "32222:2222" ];
+  age.secrets.backup_restic_htpasswd = {
-
+    file = "${self}/secrets/cox_backup_restic_htpasswd.age";
-        environment = {
+    owner = "${toString config.ids.uids.restic}";
-          PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
-          USER_NAME = "backup";
-          TZ = "Europe/Berlin";
-          PUID = "911";
-          PGID = "911";
   };
 
-        volumes = [ "/opt/backup/hdd/restic:/data/hdd/restic" ];
+  services.nginx = {
+    enable = true;
+    clientMaxBodySize = "1G";
+    virtualHosts."backup.local" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:18000";
+        extraConfig = ''
+          proxy_connect_timeout 600;
+          proxy_send_timeout 600;
+          proxy_read_timeout 600;
+          send_timeout 600;
+          proxy_set_header Host ''$host;
+          proxy_set_header X-Forwarded-For ''$remote_addr;
+        '';
       };
     };
   };
+  containers."backup" = {
+    autoStart = true;
+    ephemeral = true;
+    bindMounts = {
+      "/var/lib/restic" = {
+        hostPath = "/opt/backup/hdd/restic";
+        isReadOnly = false;
+      };
+      "/var/lib/restic/.htpasswd" = {
+        hostPath = "/run/agenix/backup_restic_htpasswd";
+        isReadOnly = false;
+      };
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.enable = false;
+
+      services.restic.server = {
+        enable = true;
+        listenAddress = "0.0.0.0:18000";
+        privateRepos = true;
+        extraFlags = [
+          "--append-only"
+          "--prometheus"
+          "--prometheus-no-auth"
+        ];
+      };
+
+      time.timeZone = "Europe/Berlin";
+      system.stateVersion = "22.11";
+    };
+  };
+
+  #virtualisation.oci-containers = {
+  #  backend = "docker";
+  #  containers = {
+  #    backup-ssh = {
+  #      image = "linuxserver/openssh-server:arm64v8-latest";
+  #      ports = [ "32222:2222" ];
+  #
+  #      environment = {
+  #        PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
+  #        USER_NAME = "backup";
+  #        TZ = "Europe/Berlin";
+  #        PUID = "911";
+  #        PGID = "911";
+  #      };
+  #
+  #      volumes = [
+  #        "/opt/backup/hdd/restic:/data/hdd/restic"
+  #      ];
+  #    };
+  #  };
+  #};
 }

hosts/cox/configuration.nix

@@ -1,20 +1,19 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, lib, ... }:
-
 {
-  imports =
+  config,
-    [
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
     ./backup.nix
     ./hardware-configuration.nix
     ./home-controller.nix
     ./paperless.nix
   ];
 
-  boot.loader.timeout = 0;
-
   boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
 
   boot.loader.grub = {
@@ -63,4 +62,3 @@
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "22.11"; # Did you read the comment?
 }
-

hosts/cox/hardware-configuration.nix

@@ -1,11 +1,15 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
+  config,
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
   boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
@@ -16,6 +20,8 @@
   boot.kernelPackages = pkgs.linuxPackages_6_1;
   boot.supportedFilesystems = [];
 
+  boot.kernelParams = ["usb-storage.quirks=2109:0716:ouw,174c:55aa:u,2109:2813:ouw,2109:0813:ouw"];
+
   boot.loader.grub = {
     enable = true;
     efiSupport = true;
@@ -27,6 +33,7 @@
 
   boot.loader.systemd-boot.enable = false;
   boot.loader.generic-extlinux-compatible.enable = false;
+
   boot.loader.timeout = 0;
 
   boot.initrd.luks.devices."cryptroot" = {
@@ -36,18 +43,18 @@
     bypassWorkqueues = true;
   };
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/6a419f58-bef1-4dd9-9b4f-389e35ba686a";
+    device = "/dev/disk/by-label/root";
     fsType = "ext4";
   };
 
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/6CB3-6DB8";
+    device = "/dev/disk/by-label/boot";
     fsType = "vfat";
   };
 
-  swapDevices =
+  swapDevices = [
-    [ { device = "/dev/disk/by-uuid/ea401985-e25f-4d13-8d72-5a5660c4384f"; }
+    {device = "/dev/disk/by-label/swap";}
   ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

hosts/cox/home-controller.nix

@@ -1,6 +1,9 @@
-{ self, config, pkgs, ... }:
-
 {
+  self,
+  config,
+  pkgs,
+  ...
+}: {
   config = {
     #age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
     age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
@@ -21,9 +24,9 @@
         privateKeyFile = "/run/agenix/home_controller_wireguard";
         peers = [
           {
-            # cube
+            # chonk
-            publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+            publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
-            allowedIPs = [ "10.0.1.5/32" ];
+            allowedIPs = ["10.0.1.6/32"];
             endpoint = "data.gssws.de:51899";
             persistentKeepalive = 25;
           }

hosts/cox/paperless.nix

@@ -1,6 +1,8 @@
-{ pkgs, config, ... }:
+{
-
+  pkgs,
-let
+  config,
+  ...
+}: let
   containerStateDir = "/data";
   hostStateDir = "/opt/documents/paperless";
   httpPort = 80;
@@ -8,17 +10,20 @@ let
   ftpListenPort = 20021;
   ftpPasvMinPort = 22021;
   ftpPasvMaxPort = 24021;
-  domain = "cox.local";
+  domain = "paperless.local";
-in
+in {
-  {
-
   networking.firewall = {
     allowedTCPPorts = [
       httpPort
       ftpListenPort
     ];
 
-      allowedTCPPortRanges = [ { from = ftpPasvMinPort; to = ftpPasvMaxPort; } ];
+    allowedTCPPortRanges = [
+      {
+        from = ftpPasvMinPort;
+        to = ftpPasvMaxPort;
+      }
+    ];
   };
 
   services.nginx = {
@@ -47,7 +52,11 @@ in
       isReadOnly = false;
     };
 
-      config = { config, pkgs, ... }: {
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
       networking.firewall.enable = false;
 
       users.users."paperless".extraGroups = ["ftp"];
@@ -63,7 +72,6 @@ in
           PAPERLESS_ALLOWED_HOSTS = "${domain}";
           PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${domain}";
           PAPERLESS_CORS_ALLOWED_HOSTS = "http://${domain}";
-
         };
       };
 

hosts/cube/backup.nix

@@ -1,8 +1,11 @@
-{ config, lib, self, ... }:
-
 {
+  config,
+  lib,
+  self,
+  ...
+}: {
   age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
-  age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age";
+  age.secrets.restic_nextcloud_password.file = "${self}/secrets/cube_restic_nextcloud_password.age";
 
   programs.ssh.extraConfig = ''
     Host backup
@@ -25,7 +28,9 @@
         "/mnt/internal/nextcloud"
         "/var/backup/postgresql"
       ];
-      repository = "sftp:backup:/data/hdd/restic";
+      repositoryFile = "/run/agenix/restic_nextcloud_password";
+      #repository = "rest:http://nextcloud:md1TYoRcOqdr7sBRH9ZH0iGos0yv2pLhrnZc3Xhk@10.0.1.12";
+      #repository = "sftp:backup:/data/hdd/restic";
       timerConfig = {
         OnCalendar = "02:00";
       };

hosts/giggles/home-controller.nix

@@ -1,6 +1,9 @@
-{ self, config, pkgs, ... }:
-
 {
+  self,
+  config,
+  pkgs,
+  ...
+}: {
   config = {
     age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
 
@@ -18,9 +21,9 @@
         privateKeyFile = "/run/agenix/home_controller_wireguard";
         peers = [
           {
-            # cube
+            # chonk
-            publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+            publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
-            allowedIPs = [ "10.0.1.5/32" ];
+            allowedIPs = ["10.0.1.6/32"];
             endpoint = "data.gssws.de:51899";
             persistentKeepalive = 25;
           }

hosts/norman/builder.nix

@@ -0,0 +1,28 @@
+{self, ...}: {
+  programs.ssh.extraConfig = ''
+    Host builder
+        Hostname data.gssws.de
+        Port 2222
+        User builder
+        IdentitiesOnly yes
+        IdentityFile /root/.ssh/id_ed25519-builder
+  '';
+
+  nix.buildMachines = [
+    {
+      hostName = "builder";
+      systems = ["x86_64-linux" "aarch64-linux"];
+      maxJobs = 20;
+      speedFactor = 2;
+      supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+      mandatoryFeatures = [];
+    }
+  ];
+
+  nix.distributedBuilds = true;
+  nix.settings = {
+    substituters = ["ssh-ng://builder"];
+    trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="];
+    builders-use-substitutes = true;
+  };
+}

hosts/norman/configuration.nix

@@ -1,15 +1,16 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
 {
-  imports =
+  config,
-    [
+  pkgs,
+  ...
+}: {
+  imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
     ./wireguard.nix
+    ./builder.nix
   ];
 
   # Set your time zone.
@@ -60,4 +61,3 @@
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "21.11"; # Did you read the comment?
 }
-

hosts/norman/hardware-configuration.nix

@@ -1,9 +1,13 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
   imports = [];
 
   boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci"];
@@ -11,6 +15,7 @@
   boot.kernelModules = ["kvm-intel"];
   boot.extraModulePackages = [];
 
+  boot.kernelPackages = pkgs.linuxPackages_latest;
   boot.loader.grub.trustedBoot = {
     enable = true;
     systemHasTPM = "YES_TPM_is_activated";
@@ -21,20 +26,17 @@
     bypassWorkqueues = true;
   };
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    {
     device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
     fsType = "ext4";
   };
 
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    {
     device = "/dev/disk/by-uuid/84CD-91B6";
     fsType = "vfat";
   };
 
-  swapDevices =
+  swapDevices = [{device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9";}];
-    [{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }];
 
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 
@@ -42,5 +44,7 @@
     enable = true;
     device = "TPPS/2 ALPS TrackPoint";
     emulateWheel = true;
+    sensitivity = 100; # default 128
+    speed = 64; # default 97
   };
 }

hosts/norman/norman.nix

@@ -1,10 +1,13 @@
-{ config, pkgs, lib, ... }:
+{
-with lib;
+  config,
-let
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
   psCfg = config.pub-solar;
   xdg = config.home-manager.users."${psCfg.user.name}".xdg;
-in
+in {
-{
   imports = [
     ./configuration.nix
   ];
@@ -12,6 +15,8 @@ in
   config = {
     boot.binfmt.emulatedSystems = ["aarch64-linux"];
 
+    environment.systemPackages = [pkgs.factorio-experimental];
+
     pub-solar.audio.bluetooth.enable = false;
 
     home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {

hosts/norman/wireguard.nix

@@ -1,6 +1,8 @@
-{ config, pkgs, ... }:
-
 {
+  config,
+  pkgs,
+  ...
+}: {
   systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
   systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
   systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
@@ -73,7 +75,7 @@
 
         {
           # Public key of the server (not a file path).
-          publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
+          publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
 
           # Forward all the traffic via VPN.
           allowedIPs = [
@@ -87,8 +89,6 @@
           persistentKeepalive = 25;
         }
       ];
-
     };
   };
 }
-

modules/social/default.nix

@@ -18,11 +18,8 @@ in {
         home.packages = [
           signal-desktop
           tdesktop
-          discord
           element-desktop
-          tdesktop
           mattermost-desktop
-          whatsapp-for-linux
         ];
       };
   };

modules/terminal-life/default.nix

@@ -24,17 +24,17 @@ in {
   config = mkIf cfg.enable {
     programs.command-not-found.enable = false;
 
+    # Needed to get zsh completion for system packages (e.g. systemd).
+    environment.pathsToLink = ["/share/zsh"];
+
+    environment.shells = with pkgs; [
+      zsh
+    ];
+
     environment.systemPackages = with pkgs; [
       screen
     ];
 
-    # Starship is a fast and featureful shell prompt
-    # starship.toml has sane defaults that can be changed there
-    programs.starship = {
-      enable = true;
-      settings = import ./starship.toml.nix;
-    };
-
     home-manager = with pkgs;
       pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
         home.packages = [
@@ -61,20 +61,21 @@ in {
           watson
         ];
 
-        programs.bash = import ./bash {
-          inherit config;
-          inherit pkgs;
-          inherit self;
-        };
-        programs.fzf = import ./fzf {
-          inherit config;
-          inherit pkgs;
-        };
         programs.neovim = import ./nvim {
           inherit config;
           inherit pkgs;
           inherit lib;
         };
+        programs.fzf = import ./fzf {
+          inherit config;
+          inherit pkgs;
+        };
+        programs.zsh = import ./zsh {
+          inherit config;
+          inherit pkgs;
+          inherit self;
+          inherit lib;
+        };
       };
   };
 }

modules/terminal-life/zsh/default.nix

@@ -0,0 +1,124 @@
+{
+  config,
+  pkgs,
+  self,
+  lib,
+  ...
+}: let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  enable = true;
+  enableAutosuggestions = true;
+  enableCompletion = true;
+  dotDir = ".config/zsh";
+
+  history = {
+    ignoreDups = true;
+    expireDuplicatesFirst = true;
+    ignoreSpace = true;
+    path = "$HOME/.local/share/zsh/zsh_history";
+    save = 10000;
+    size = 10000;
+  };
+
+  loginExtra = lib.mkIf psCfg.sway.enable ''
+    [ "$(tty)" = "/dev/tty1" ] && exec ${pkgs.sway-service}/bin/sway-service
+  '';
+
+  shellAliases = {
+    nano = "nvim";
+    vi = "nvim";
+    vim = "nvim";
+    mutt = "neomutt";
+    ls = "exa";
+    la = "exa --group-directories-first -lag";
+    fm = "vifm .";
+    vifm = "vifm .";
+    wget = "wget --hsts-file=$XDG_CACHE_HOME/wget-hsts";
+    irssi = "irssi --config=$XDG_CONFIG_HOME/irssi/config --home=$XDG_DATA_HOME/irssi";
+    drone = "DRONE_TOKEN=$(secret-tool lookup drone token) drone";
+    no = "manix \"\" | grep '^# ' | sed 's/^# \(.*\) (.*/\1/;s/ (.*//;s/^# //' | fzf --preview=\"manix '{}'\" | xargs manix";
+    # fix nixos-option
+    nixos-option = "nixos-option -I nixpkgs=${self}/lib/compat";
+    myip = "dig +short myip.opendns.com @208.67.222.222 2>&1";
+  };
+  plugins = [
+    # src gets fetched by nvfetcher, see: ./pkgs/sources.toml
+    {
+      # will source ohmyzsh/plugins/z/
+      name = "zsh-plugins-z";
+      file = "plugins/z/z.plugin.zsh";
+      src = pkgs.sources.ohmyzsh.src;
+    }
+    {
+      name = "zsh-powerlevel10k";
+      file = "powerlevel10k.zsh-theme";
+      src = pkgs.sources.powerlevel10k.src;
+    }
+    {
+      name = "zsh-fast-syntax-highlighting";
+      file = "F-Sy-H.plugin.zsh";
+      src = pkgs.sources.F-Sy-H.src;
+    }
+    {
+      name = "zsh-nix-shell";
+      file = "nix-shell.plugin.zsh";
+      src = pkgs.sources.zsh-nix-shell.src;
+    }
+  ];
+
+  initExtra =
+    ''
+      bindkey -v
+      bindkey -v 'jj' vi-cmd-mode
+      bindkey -a 'i' up-line
+      bindkey -a 'k' down-line
+      bindkey -a 'j' backward-char
+      bindkey -a 'h' vi-insert
+      bindkey '^[[H' beginning-of-line
+      bindkey '^[[F' end-of-line
+      bindkey '^R' history-incremental-pattern-search-backward
+      bindkey '^ ' autosuggest-accept
+      bindkey '^q' push-line-or-edit
+
+      bindkey '^R' fzf-history-widget
+
+      # ArrowUp/Down start searching history with current input
+      autoload -U up-line-or-beginning-search
+      autoload -U down-line-or-beginning-search
+      zle -N up-line-or-beginning-search
+      zle -N down-line-or-beginning-search
+      bindkey "^[[A" up-line-or-beginning-search
+      bindkey "^[[B" down-line-or-beginning-search
+      bindkey "^P" up-line-or-beginning-search
+      bindkey "^N" down-line-or-beginning-search
+
+      # MAKE CTRL+S WORK IN VIM
+      stty -ixon
+      stty erase '^?'
+
+      precmd () {
+        DIR_NAME=$(pwd | sed "s|^$HOME|~|g")
+        echo -e -n "\e]2;$DIR_NAME\e\\"
+
+        if [ $(date +%d%m) = '0104' ]; then
+          if [ $? -eq 0 ]; then
+            echo "Success! That was a great command! I can't wait to see what amazing stuff you'll be up to next."
+          fi
+        fi
+      }
+
+      # If a command is not found, show me where it is
+      source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
+    ''
+    + builtins.readFile ./base16.zsh
+    + builtins.readFile ./p10k.zsh
+    + ''
+      source ${pkgs.fzf}/share/fzf/key-bindings.zsh
+      source ${pkgs.fzf}/share/fzf/completion.zsh
+      source ${pkgs.git-bug}/share/zsh/site-functions/git-bug
+      eval "$(direnv hook zsh)"
+    ''
+    + builtins.readFile ./fzf.zsh;
+}

overlays/invidious.nix

@@ -0,0 +1,12 @@
+final: prev: {
+  invidious = prev.invidious.overrideAttrs (oldAttrs: rec {
+    version = "unstable-2023-02-22";
+    src = prev.fetchFromGitHub {
+      owner = "iv-org";
+      repo = "invidious";
+      rev = "0995e0447c2b54d80b55231830b847d41c19b404";
+      hash = "sha256-hXF836jxMriMJ/qcBJIF5cRvQG719PStKqTZQcIRqlw=";
+      fetchSubmodules = true;
+    };
+  });
+}

overlays/overrides.nix

@@ -12,6 +12,11 @@ channels: final: prev: {
     nvfetcher
     ;
 
+  inherit
+    (channels.factorio-pr)
+    factorio
+    ;
+
   haskellPackages =
     prev.haskellPackages.override
     (old: {

secrets/chonk_invidious_db_password.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw BzbEPs8LDz17/aVKQoDoRaTdQmKw8MKb4oqKvBFGuAM
+/zMIU+KoMrQ6ouI4vK/YyvEtzZ7ut8c9BJH8YTYldac
+-> ssh-ed25519 YFSOsg CUwGu/W2wYrVNLHlGETFtsVhchDZUXfEi9JYZ88VkBU
+ZD3lYlRTgk2g/L5Hy+Fcs1fLh3gKDdhRhWn0Gc4JP/A
+-> ssh-ed25519 iHV63A mZ2DkCasSr/s3S6RXjf8QLi5P4UXOzQqqPNkLUkh4VU
+E/eXCLd9cZt+i9Bg7iEh8LbWFn0rsTtzqDB9kaFtVUg
+-> ssh-ed25519 Oya/Zw kD7aVVY0BrrNbDyoHa/7/8bUF8W74mYFPgHe/CVMpxg
+jytr3knsUz9aaGf421m6mN9QgU4Tt3UykTEt8T8mNVg
+-> p'c-grease J
+vWgF1GduUf9hstTzuVdrUC6ytMofGgYE8nglE/mUTa+a69SDKrn/
+--- kKHfCTImeN1RY9HxI2fWeJTec47FBwwr2gQB13sYdrw
+Jýéø) Ù:
†Ó½–бèW—¡"~»cgRÔ _ù¥@­wD‰‹Ì+ûjÁ'D¤Í3ÐýaS‘j2U¶&-5ÁÐÑ

secrets/chonk_invoiceplane_db_password.age

@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw yDJ66eI1Mp9+UoFYkd4ur3aaUBAALqveNM5FK1cpSx0
+r7eXodJ94kzvLq2oRIk7aPZtArJ1xm37FShQwr1BBSA
+-> ssh-ed25519 YFSOsg Sef4VkHt4bMmPsUPJLXOB7nOgPO0pDcV+6MHvBItOG8
+MDyOFqyzDJ6MMxkgFqkxYQl25a7cXOn9iCu2sbONhBs
+-> ssh-rsa 42S2Dw
+Y3yN6FJOz5eDG7gRDLZJiujOaGJ/fm5lPNHvSVl7T5DYmiHedJ5F7on6CztMDuvv
+LNrWXTO7Jy/LBPLZ516SG+o752sTfby1xpDAgo0pKejSs/o7XmccMDvwzdVAsPkt
+Dk7ou4Fba0D9MnIeIwnhZolKxVPyFeUBfoPNkvDLtQeb48lqJ2N+bgVzjHQEKpL5
+1Hx/v4x9jUKTj/cK7eds5j3tzitLNpaxkm20LcVpWlLLGZkAmYijwXPphaY0EXJY
+qw0Z1OSJd6WnLUo0ozGtoYGiqxnP42duL31ajI7HiNfMMJqWER7WJaB2h4pA9eTO
+1HCHP/C+rNCeWHtjXr8b0Q
+-> ssh-ed25519 iHV63A cpEqVauWzNmXoGgNcdV438BLDyWh+pQBCXVOEg98x1o
+fFmcIWj3kv3ZdhFTMjaxxYIw0/9rO+HKTnTq3pbSz58
+-> ssh-ed25519 uTVbSg NODGHdge8Dp8fz1wvBRXJF+syIdZmvX/AL3I2u+tkwE
+foU59bLRz6NOvaZZA/bYU/eQ97/z+ONINGVB30yk6vI
+-> ssh-ed25519 Oya/Zw huI2DM77Xa7yPaUg0hnLZmsXOLvgOJALO+ixfmpfwF0
+vOcIEA+mfsferBNqnM/XdaoDDtDS+fJu4gPHMHuIenc
+-> l-grease T= 30lLW1F G
+dHaeEO9LZVIC+26ZVLfGP0thkSDKwwqzM9OdH4Yj2ixuSxdGHKg8eYUmkc4aUmr4
+Qa3y5GzKf8nQkfSJceG8/FsQrcm1OvjhePi99yE
+--- DugQPlVCIYj1uGYP1Bta+9P7HdN9Ej4di5AjQWK0CKg
+éÿ	õÑ4QW„ó Y»<59>í­œµóϹ.^æ°Ÿ(tÆÒ3w="пy4/‹3xÙàÀŠQáŒÆÏ•Q
…"X:R-å
U­˜å
£)«œ

secrets/chonk_nextcloud_admin_pass.age

@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw Zv5YkeU/1DPR0tuZ+dkI76xF473aFaLltqfO5ZfvFy0
+xoWSTmpQSc84tskFAv2XfKkD2gzunCH6XSttO5dVCQM
+-> ssh-ed25519 YFSOsg datPvOnMKeP6zH7ThhAeK9k0uyKIulbgY5CAoAsu+w0
+0YjqwWWpkYHqT7XEAfPKynQFgjRHfdg1eNVECEJeXMA
+-> ssh-rsa 42S2Dw
+Waw5Z5JSx5ZpSrqptOjFDlXPiZIFY+YeT5vZBwvSY4eRNIOsvALR+53zKuDkIHEl
+TZ1CsgOU1DLuONSS0mP0Oa+eQImVR4NuDaxvfLNqTiLKwYEeBs6DwSL77xwMLtw/
+wQL1MWMIcFTtExA/ul3rX3Y4B1TS7t50nvhgohFu5WTeNtXkIdgmbJ3CyflhqamN
+L/Kxxn+/92scpIItKu5kgPJEO2MpX2GiwjokD6uY+3kxbS1HGXUJAc3COOwWMgEs
+1BwQk/SKt8URcxGiugoagQ6M0zFqZRgGNkqh2uCsjaaT5we0lUuhYlL1gIMbe/FG
+CR85WlwoEhzKvnnfgdYLFA
+-> ssh-ed25519 iHV63A OqkSBucVJtboalsYV3/heEz1ZkSIADNDLEarRPWgklc
+76HOz0Vi1oGwSZCBA3bOSNn7auAnmPE7uHVedVjxGTM
+-> ssh-ed25519 uTVbSg +X8ylXfSx+Yg14KORdcPSTr1FvDaTMeb62MjQ/gqA2k
+r7M9BL070ijThnFLczko29G5P0ikwRW+6VJ8JYhHevs
+-> ssh-ed25519 Oya/Zw wXPvHIhPEqbKPme+OLfrJdxIVAghA0LGTGWwOr2yoys
+FsriMbp2jb40ZyxapHratwoA/C7dk8nNhvaFU0YAfpM
+-> =HAZ-grease 6e?x*"~
+y4DPqeGgLo+PJv/Nja0AMPZ2g31nIqbXwKt3g1I8xHu4rwkM9G/c
+--- O3v2CaEy4phy18h9152SkVV6qQhdz/aWJQ9bVI9YHHY
+<EFBFBD>$邀孻f
@
#}▂&rゲy砲𡟻3癦ロ<E799A6>鏴U蒀𧡰s唚<73>f鱣[缸N利紊T#h
+b<EFBFBD>鵜攤𪊓iR
衁<>犟e!z<>

secrets/chonk_nextcloud_db_pass.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw 7kU8OQWy/jGDRUq1hkGl9cNldEgWvk4oG3O2DMw0qGI
+XlIzPLT0Gh2/bse6ch4TemO+uzIK4oqyFwDDa7ylXuA
+-> ssh-ed25519 YFSOsg dWvGDRO+/3dT7qN04Ykuh4u4aVZSkNAZQl2bbCE0jkg
+5QxL1xUjv1OHCJR/+rxw055lIKngtDvarTg7wOaiqu4
+-> ssh-rsa 42S2Dw
+V9Zo+91MGptezt9ZGX7aGd4sGsoFmBV9k4gbImTXz2CGOXuHUbzFv73j/ikpvXU6
+NpCU8nYgBuM8E3GTxrorCFIlBgGpjQI28PrbD7Y8b7nqn585Zqn7S+E5DFln0Zd5
+phKfY4NdWypRW4xjuHVjDO8I2uiVd8qD7rhYbE6c611hySudPmrY7k2m41Qz7D2O
+j97ATtt2FNFk5MpsNjSKk0w5QeKIVqDTIXTlewRi4eFf3TdLI5vzpBwIELStf/XU
+sBmEzqX3EEBvrB41brSPPwQJ7mJ7MaRzjNXmtgytEwirgnI9TA2dv4/xc5zksJgF
+zg1F+rlyRC2TOWDNi8Om5g
+-> ssh-ed25519 iHV63A IVXUYIxX37FZw+Vn7ZmLc14du4M6120vS+XAY+amx3Q
+G9J8NhNx3bwLF1vCWuq1fWQq9//r1IxoXPdJfjg5oQQ
+-> ssh-ed25519 uTVbSg v7e3YZQJqK0SZ/F/YSrMPOX8hwAt1+UNf+1YDlzkMSI
+1kqIoiR7Oojue2JFHYJB7+piw1j/9U86Thy+eYqphPQ
+-> ssh-ed25519 Oya/Zw /EUf0yv0UBi0wPFEl48IK7dJ7m2Z+Y+6EpYqoP75Kx8
+dDDQ+dZhrujnyo2Z40cwisFMpwC+4TsaBTGH7ofn8qU
+-> Gg'26s6y-grease 8c
+X06Ld3joZpAZby/RIFlRb9gqVT4grrQXQInV/g
+--- FVcdFxUlZ7vydcDrU7jzFjipxKygYL8t/aDHNC/TN7w
++øgOAóìiœ‹§nùûW<C3BB>¹÷¿xŠT“¾UÍ3ü¯"Âxo<78>`“?Õáf<C3A1>:¡iÚMrúÒ̓¦m™

secrets/chonk_restic_repository_password.age

@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw x2nB3+kHq5bhYL4Gmu7mcLx8jW8ywUEEkInvVkmH5m8
+cMDnbfUtv4AUTlsBh39xeVFyn8jndfd/XxPU01Re1FU
+-> ssh-ed25519 YFSOsg rSr6F981RuhKipasm4xcFTqORbkyCxiId/UvtBy8SW0
+763z8aYG61IYtSfaKBUuQfe7s6SsfujvQF8qx+ALqVY
+-> ssh-rsa 42S2Dw
+M78y3Q2hLhSGwWe+sVixdgdkL/NPRp3yVdmsLSJ7dkU/JlIikTJ1Idzp2WR9VbZ9
+PyIrBLSVmYlx5SI9ksLfeQZyFoocP7/yKOAdHh7HMvXjpkakN6ZBa4dHELPxLMy0
+x7DQX09Q1h6xTfyghYoIyk29sOHHpT66WaTAPz/cHciJst2TAojJU1qfdJ/ZPU0T
+9tq/iOaAhGSdFkFVjhETDwS1lYxKnzxYaMKQeoRBcCdWTVGrbSJLVUMH4pFT1iIv
+I8auITrGbSZdm1tJAc8aiBIDI1r5lHz1ozrkamazI9dn+5iF5qWIj+9MVtg0l06X
+In7knX1skVcG2x2USjdZgw
+-> ssh-ed25519 iHV63A SP+EEU7gJi6o2xnzlsJO2RBplyNWjIMrOYOWweBtKQU
+Q/9+4yyRRndmPKjx8up5lijZhICDamxrBAUZtbzteB0
+-> ssh-ed25519 uTVbSg v4RUldxeE2I7Sw1ASpkfcBLiv9b8yJMUOmeydaqa4hk
+OreiiziBBpTCKM/D/4eI181AvRD9mwjTUULGeatKUgo
+-> ssh-ed25519 Oya/Zw 51sjyVTCtYbG4e4pROOjg7Cr4lX8LGXdGtf+8drR9y8
+Hc6H9PPDJGAmwgO/qOjbt2W2KNXEGlqlbcExmsZQNAE
+-> <O-grease lr/]6 OsFzy7 E@<zV R
+LhERj36DtC7MwfGTT1Z85I42SCUnJMdl6oToreQSERKbBa5SpTuUo5baqRqM7MdW
+JQjLt5MZ0dna
+--- SUtdBUH80GU2DjGWmvigOpbRWYkki1VdZi8NkMXFTcE
+ê|9µ¼µ÷´a<C2B4>ÒÒUÒšÀˆšÄã>õ–÷9<C3B7>.Q¨ÈßÑÞ¢©¨zD6È‘‚Af„-Ååz“SSÝf¥t<C2A5>“Íc\Ón’.ÿhÿN[``çõ

secrets/chonk_wireguard_key.age

@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw YN25mqloDpfTK9BHraZeaX4wlMNyGmuaB9ikhc1qPx0
+MBblsaQ14v/aUrt9BT7Sdef5t7zLXujlNBbKOoKRNvQ
+-> ssh-ed25519 YFSOsg GPhY1N8XFr0vxYcho63L/tF1QFuE6vlxGpf+fEUaDn0
+jCVovM/dwU839i3Ry7hjvdJcAKcjAshZE00zfxmSc/c
+-> ssh-rsa 42S2Dw
+khLfcbecRWa0gNw1vCfP8FIbYll+uNrGEysaPHzEtk6hYzOrPw5BOct9PGG32M63
+USRC5onMkkZXH3RJjAze+JOaNIQML3l5Wx6LNfAiKE7MBtrbEFw9WpPb3yA3vBtF
+/h/ngNIjMTryltOq4ovXTDif6bC2CBcBi4zfThqGaBmIk+hqZHAPZIEaQAH5i6JM
+Sic+Y0VTUbNDsz9qvE6RFfs4plGAoRG1RDFBTwdYhReXf/7/ISSQE1sm0r8rY7wk
+rFp3AGyQQaAJqa2RlA4LeI9z+0okmXrA9e4Q0VezQPN65Ru2qGFKUGg6dgA0czmM
+3rIX9HbzV9vlgmjtXhf6Aw
+-> ssh-ed25519 iHV63A CJ6pAaBDuZtsVnBHYvlbhwkTSQmHLVNksADDRW1j/A4
+/Vww88tZwVUWwWg8gqdXhKI5vVggGUxgbgeMUkqQagI
+-> ssh-ed25519 Oya/Zw ExTtW9P8FWD9s0o3GBycwN16McaP0LVbJuD9cLUejgs
+G2BJ8FGHPSqB8/ks5hrGKVDQ0GcaEcS3CK3b7AzB7mI
+-> C-grease \T$\ Fn4_2KJ E 2Ju.&t'
+jBuy2c0fpq3ibHy3LJOj6xmga+6C9z2WwvSTBTs/lyEXDNgFG9sgEDmjPayMJhAN
+JTHQmBJyJ9ae2dMZqhfEPXrcZynNR/F8gd8TyWodXWZhvw
+--- FH53Gij4AICM76S4DTZkI1BwEVohhnw/Qnanc4BphE4
+ňŠÐߌÜB7#pB†pþ¡§¡X˜O7ê_c^Í<>6Àû<C380>IÜÞͪƹEìoâ·Ï¸¤/Þ<>ÛM˜µÚ<>JÉ(;ÖÅìU‡ä 6

secrets/cube_restic_nextcloud_password.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw zqUMfOd04sohMIlfrNdHj9XJPh+1AiZDSG82rALFEn0
+AjULNhyeKzMJYzas/Ck5te047CGGkoTGWrl4Zf+fK/g
+-> ssh-ed25519 YFSOsg Wf12fsV6ddeCYGrJG/IEc/pm3qltWroW9+xgUvBNhBg
+FB6dw6npV16JNMcmhLOh2CrV+Ytxym1Q3X6fi8mXPh4
+-> ssh-rsa 42S2Dw
+QSORqDFOuGhFBNjCjF1u43tfgAp9okVheVWdY851j4b3JAtX8nsygwEpx0ntNZIk
+pYIH7/QreainFDB0WM+sj8too/96YOmrjqf6k1strpP12pI75ArCcQq27XJWk0oD
+cIaiAgtzmO8jk1YQTKUDUxvaEv6tX1Lb3r+j3MfHuR6nX4Zx0C6YdmUBFT4t9/9C
+DLh990iFG6/wHO+1HSiknGf5V4eUChMfpyh9FgXkOVAQC7JprKgfePbyh2TY9usj
+ViRmP6kT8jV7EvqpnsXRuMB3MC0yzrX92OGC1QKArTdj9sNgPduawamposGYiwNm
+HAYgbfRbzgcRl/tN8MNSfg
+-> ssh-ed25519 iHV63A w9EB0URrVNcTMDhUA+D3z6eDPvaLZihSVpzT8Vr9jHo
+ofmrgw+5Jaf1wWXTzBDeijQwY59I/tHfU1fmrZCUTyo
+-> ssh-ed25519 uTVbSg qH1A4EHjDjauEa0ideqeWvSwP6ADmziNZOnXnEnrYyg
+y7MfmMtWlIGWl/HLyUQVQgJUxzvDKez0WXD6VGq4TfM
+-> w>S%-grease nxLQF J+B{F F+"3V
+wAF9N9WZyJAygP6EoouxvH9CG0EIIgXBNcnToP73VNNTaPxWOWRyL4rP7yZ9jSyR
+JRaZzh9xwASjiqG2GAStcHormaz1JMVy
+--- 8QzYdkT1uITqWc6bhvOvDxygLgaiVwWZrgWKOTF0pKc
+
L‹æÉGAÖxIó³i
¾Š˜¢ŠêÌ+Jg-“p±Dfy¾ü­<C3BC>ø[÷1xÅä
ùï©’<C2A9>Bqn'¾DkèO<´*n£ØÉ?u[o•ÐlÔ.µ&$”9|Øe
+â‘+õEíŠ	:ô8ÃZg­Ø׉E(]ˆõ~å»

secrets/secrets.nix

@@ -3,14 +3,14 @@ let
   user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
 
   user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
-  user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
+  user_hensoko_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
-  user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
 
   system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwogNjatRZlft4qUFDFKg73kiYB1HNZZ0xGUwfyfTzP root@nixos";
   system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMINORCNhrxSdo2z70GkKrV8vcge2elgNPYzdRve+hI5 root@nixos";
   system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4u9Q36B8acRdBJi2RYU5pYpIMeCh+HKmtInR+IKQs root@nixos";
 
   system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
+  system_chonk = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICt8I4z42DXGL3d6eju3WzSEnJMeaWPn3y+f/82oYBzy root@nixos";
   system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
 
   system_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGsY9APkK11hlcqKXER+iqaJZ/x5HNacQ8FXfLe2SA4 root@nixos";
@@ -18,27 +18,38 @@ let
 
   system_surfplace = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAmim1CFeTPPDz/34sDYhF773NquhbqIS6v4mWM4qSd root@nixos";
 
-  users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
+  users = [user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman];
   systems_email_accounts = [system_harrison system_norman system_surfplace];
   systems_home_controller = [system_giggles system_cox system_companion system_cube system_ringo];
   allKeys = users ++ systems_home_controller;
-in
+in {
-{
   "email_gssws_password.age".publicKeys = users ++ systems_email_accounts;
 
   "home_controller_giggles_wireguard_key.age".publicKeys = users ++ [system_giggles];
   "home_controller_cox_wireguard_key.age".publicKeys = users ++ [system_cox];
   "home_controller_companion_wireguard_key.age".publicKeys = users ++ [system_companion];
 
+  "cox_backup_restic_htpasswd.age".publicKeys = users ++ [system_cox];
+
   "home_controller_cube_wireguard_key.age".publicKeys = users ++ [system_cube];
   "cube_nextcloud_admin_pass.age".publicKeys = users ++ [system_cube];
   "cube_nextcloud_db_pass.age".publicKeys = users ++ [system_cube];
   "cube_restic_ssh_private_key.age".publicKeys = users ++ [system_cube];
   "cube_restic_repository_password.age".publicKeys = users ++ [system_cube];
-
   "cube_drone_exec_runner_config.age".publicKeys = users ++ [system_cube];
-
   "cube_invoiceplane_db_password.age".publicKeys = users ++ [system_cube];
+  "cube_restic_nextcloud_password.age".publicKeys = users ++ [system_cube];
+
+  "chonk_wireguard_key.age".publicKeys = users ++ [system_chonk];
+  "chonk_nextcloud_admin_pass.age".publicKeys = users ++ [system_chonk];
+  "chonk_nextcloud_db_pass.age".publicKeys = users ++ [system_chonk];
+  "chonk_restic_ssh_private_key.age".publicKeys = users ++ [system_chonk];
+  "chonk_restic_repository_password.age".publicKeys = users ++ [system_chonk];
+  "chonk_drone_exec_runner_config.age".publicKeys = users ++ [system_chonk];
+  "chonk_invoiceplane_db_password.age".publicKeys = users ++ [system_chonk];
+  "chonk_restic_nextcloud_password.age".publicKeys = users ++ [system_chonk];
+  "chonk_nix_builder_private_key.age".publicKeys = users ++ [system_chonk];
+  "chonk_invidious_db_password.age".publicKeys = users ++ [system_chonk];
 
   "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [system_ringo];
 

users/hensoko/ssh.nix

@@ -1,13 +1,22 @@
-{ config, pkgs, lib, self, ... }:
-with lib;
-let
-  psCfg = config.pub-solar;
-in
 {
+  config,
+  pkgs,
+  lib,
+  self,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+in {
   home-manager = pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
     programs.ssh = {
       enable = true;
       matchBlocks = {
+        "builder" = {
+          hostname = "data.gssws.de";
+          user = "builder";
+          port = 2222;
+        };
         "hsha" = {
           hostname = "192.168.42.5";
           user = "root";
@@ -30,7 +39,7 @@ in
         "companion" = {
           user = "iot";
         };
-        "cube" = {
+        "chonk" = {
           hostname = "80.244.242.2";
           user = "iot";
           port = 2222;