remove zsh, use bash

remove empty extensions
profiles/work: remove teams, use go 1.20, install meld
2023-10-06 01:25:07 +02:00 · 2023-10-06 00:54:45 +02:00 · 2023-10-06 00:37:48 +02:00 · 2023-10-06 00:36:21 +02:00 · 2023-10-06 00:23:48 +02:00 · 2023-10-06 00:22:12 +02:00
165 changed files with 5971 additions and 149 deletions
--- a/flake.lock
+++ b/flake.lock
@ -10,7 +10,7 @@
        ]
      },
      "locked": {
-        "lastModified": 1682101079,
+        "lastModified": 1680281360,
        "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
        "owner": "ryantm",
        "repo": "agenix",
@ -30,11 +30,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694497842,
-        "narHash": "sha256-z03v/m0OwcLBok97KcUgMl8ZFw5Xwsi2z+n6nL7JdXY=",
+        "lastModified": 1686210161,
+        "narHash": "sha256-cgP8P2Gk4WtOzd/Y7nEmweLpPOtMKVvHCIcq9zm9qMk=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "4496ab26628c5f43d2a5c577a06683c753e32fe2",
+        "rev": "40e4b85baac86969f94d6dba893aeae015c562c1",
        "type": "github"
      },
      "original": {
@ -54,11 +54,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1694513707,
-        "narHash": "sha256-wE5kHco3+FQjc+MwTPwLVqYz4hM7uno2CgXDXUFMCpc=",
+        "lastModified": 1683779844,
+        "narHash": "sha256-sIeOU0GsCeQEn5TpqE/jFRN4EGsPsjqVRsPdrzIDABM=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "31c32fb2959103a796e07bbe47e0a5e287c343a8",
+        "rev": "c80189917086e43d49eece2bd86f56813500a0eb",
        "type": "github"
      },
      "original": {
@ -129,6 +129,22 @@
        "type": "github"
      }
    },
+    "factorio-pr": {
+      "locked": {
+        "lastModified": 1676729025,
+        "narHash": "sha256-342GXq1CGPbztLGJcSlbdRbglXlCWMYykeYg/d5Nvyk=",
+        "owner": "werner291",
+        "repo": "nixpkgs",
+        "rev": "e37b8db403154b3c421c6bc21afd725a5ad2df3e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "werner291",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -197,50 +213,35 @@
        "type": "github"
      }
    },
-    "fork": {
-      "locked": {
-        "lastModified": 1692960587,
-        "narHash": "sha256-39SKGdhn8jKKkdqhULbCvQOpdUPE9NNJpy5HTB++Jvg=",
-        "owner": "teutat3s",
-        "repo": "nixpkgs",
-        "rev": "312709dd70684f52496580e533d58645526b1c90",
-        "type": "github"
-      },
-      "original": {
-        "owner": "teutat3s",
-        "ref": "nvfetcher-fix",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "home": {
      "inputs": {
        "nixpkgs": [
          "nixos"
-        ]
+        ],
+        "utils": "utils_2"
      },
      "locked": {
-        "lastModified": 1694465129,
-        "narHash": "sha256-8BQiuobMrCfCbGM7w6Snx+OBYdtTIm0+cGVaKwQ5BFg=",
+        "lastModified": 1681092193,
+        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "9787dffff5d315c9593d3f9fb0f9bf2097e1b57b",
+        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-23.05",
+        "ref": "release-22.11",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "latest": {
      "locked": {
-        "lastModified": 1694422566,
-        "narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=",
+        "lastModified": 1686226982,
+        "narHash": "sha256-nLuiPoeiVfqqzeq9rmXxpybh77VS37dsY/k8N2LoxVg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb",
+        "rev": "a64b73e07d4aa65cfcbda29ecf78eaf9e72e44bd",
        "type": "github"
      },
      "original": {
@ -250,29 +251,83 @@
        "type": "github"
      }
    },
+    "musnix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixos"
+        ]
+      },
+      "locked": {
+        "lastModified": 1679269409,
+        "narHash": "sha256-f52ph0rV/tn2Gge6WHqO55K/TNTHAOhgp23uZ7QhlSE=",
+        "owner": "musnix",
+        "repo": "musnix",
+        "rev": "79a6cf5a711e7d2dbf0a3ba0df9bae016d6247f8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "musnix",
+        "repo": "musnix",
+        "type": "github"
+      }
+    },
+    "nixlib": {
+      "locked": {
+        "lastModified": 1685840432,
+        "narHash": "sha256-VJIbiKsY7Xy4E4WcgwUt/UiwYDmN5BAk8tngAjcWsqY=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "961e99baaaa57f5f7042fe7ce089a88786c839f4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
    "nixos": {
      "locked": {
-        "lastModified": 1694499547,
-        "narHash": "sha256-R7xMz1Iia6JthWRHDn36s/E248WB1/je62ovC/dUVKI=",
+        "lastModified": 1686190112,
+        "narHash": "sha256-BRDO/tnq+ruwv14caQLIqejYJ6w5icja5KYpNunOW24=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "e5f018cf150e29aac26c61dac0790ea023c46b24",
+        "rev": "41b86284d3e073bb322da076ae8cd6e116b2ee2a",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-23.05",
+        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
+    "nixos-generators": {
+      "inputs": {
+        "nixlib": "nixlib",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1685943944,
+        "narHash": "sha256-GpaQwOkvwkmSWxvWaZqbMKyyOSaBAwgdEcHCqLW/240=",
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "rev": "122dcc32cadf14c5015aa021fae8882c5058263a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "type": "github"
+      }
+    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1694591211,
-        "narHash": "sha256-NPP7XGZH+Q5ey7nE2zGLrBrzKmLYPhj8YgsTSdhH0D4=",
+        "lastModified": 1683965003,
+        "narHash": "sha256-DrzSdOnLv/yFBvS2FqmwBA2xIbN/Lny/WlxHyoLR9zE=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "3ccd87fcdae4732fe33773cefa4375c641a057e7",
+        "rev": "81cd886719e10d4822b2a6caa96e95d56cc915ef",
        "type": "github"
      },
      "original": {
@ -281,6 +336,40 @@
        "type": "github"
      }
    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1685894048,
+        "narHash": "sha256-QKqv1QS+22k9oxncj1AnAxeqS5jGnQiUW3Jq3B+dI1w=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2e56a850786211972d99d2bb39665a9b5a1801d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-hensoko": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1666884246,
+        "narHash": "sha256-nSiYCIlMiYodY7GPCFPMF6YHVS2RM/XQZwn2Zrhu2eU=",
+        "ref": "master",
+        "rev": "f1863fb8e3866c1559ca885e1b319ea82baecdbb",
+        "revCount": 23,
+        "type": "git",
+        "url": "https://git.b12f.io/hensoko/nixpkgs"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.b12f.io/hensoko/nixpkgs"
+      }
+    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1672791794,
@ -297,18 +386,37 @@
        "type": "github"
      }
    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1654994491,
+        "narHash": "sha256-HFu3HTFFFcZSKImuiki3q+MLvcc85hRgYvW+sXmH8LE=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "1f8d88087a3753e55a29b5207f7f0997f7c813fa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-22.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "darwin": "darwin",
        "deploy": "deploy",
        "digga": "digga",
+        "factorio-pr": "factorio-pr",
        "flake-compat": "flake-compat",
-        "fork": "fork",
        "home": "home",
        "latest": "latest",
+        "musnix": "musnix",
        "nixos": "nixos",
-        "nixos-hardware": "nixos-hardware"
+        "nixos-generators": "nixos-generators",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs-hensoko": "nixpkgs-hensoko"
      }
    },
    "utils": {
@ -325,6 +433,21 @@
        "repo": "flake-utils",
        "type": "github"
      }
+    },
+    "utils_2": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -36,6 +36,14 @@
    agenix.inputs.darwin.follows = "darwin";

    nixos-hardware.url = "github:nixos/nixos-hardware";
+
+    # hensoko additions
+    musnix.url = "github:musnix/musnix";
+    musnix.inputs.nixpkgs.follows = "nixos";
+
+    nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
+
+    factorio-pr.url = "github:werner291/nixpkgs/master";
  };

  outputs = {
@ -46,6 +54,7 @@
    nixos-hardware,
    agenix,
    deploy,
+    musnix,
    ...
  } @ inputs:
    digga.lib.mkFlake
@ -53,7 +62,7 @@
      inherit self inputs;

      channelsConfig = {
-        # allowUnfree = true;
+        allowUnfree = true;
      };

      supportedSystems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin"];
@ -71,6 +80,7 @@
          ];
        };
        latest = {};
+        factorio-pr = {};
        fork = {};
      };

@ -121,6 +131,35 @@
              #})
            ];
          };
+
+          companion = {
+            system = "aarch64-linux";
+            modules = [nixos-hardware.nixosModules.raspberry-pi-4];
+          };
+          cox = {
+            system = "aarch64-linux";
+            modules = [nixos-hardware.nixosModules.raspberry-pi-4];
+          };
+          falcone = {
+            system = "aarch64-linux";
+            modules = [nixos-hardware.nixosModules.raspberry-pi-4];
+          };
+          giggles = {
+            system = "aarch64-linux";
+            modules = [nixos-hardware.nixosModules.raspberry-pi-4];
+          };
+
+          norman = {};
+
+          harrison = {
+            modules = [
+              musnix.nixosModules.musnix
+            ];
+          };
+
+          surfplace = {
+            modules = [nixos-hardware.nixosModules.microsoft-surface-pro-intel];
+          };
        };
        importables = rec {
          profiles =
@ -131,8 +170,39 @@
          suites = with profiles; rec {
            base = [users.pub-solar users.root];
            iso = base ++ [base-user graphical pub-solar-iso];
-            pubsolaros = [full-install base-user users.root];
+            pubsolaros = [base-user users.root];
            anonymous = [pubsolaros users.pub-solar];
+            hensoko = pubsolaros ++ [users.hensoko];
+            hensoko-iot = [server base-user users.root users.iot];
+
+            # server
+            cube = hensoko-iot;
+
+            # home-controller
+            companion = hensoko-iot;
+            cox = hensoko-iot;
+            giggles = hensoko-iot;
+
+            # laptop
+            ringo = hensoko;
+
+            # vm
+            redpanda = hensoko;
+
+            # home pc
+            harrison = hensoko ++ [daw gaming graphical non-free social work];
+
+            # work laptop
+            norman = hensoko ++ [graphical non-free social work];
+
+            # cm4
+            falcone = hensoko-iot;
+
+            # surface
+            surfplace = hensoko ++ [graphical non-free social];
+
+            # chonk
+            chonk = hensoko-iot;
          };
        };
      };
@ -149,8 +219,15 @@
        users = {
          pub-solar = {suites, ...}: {
            imports = suites.base;
-
-            home.stateVersion = "21.03";
+            home.stateVersion = "22.05";
+          };
+          hensoko = {suites, ...}: {
+            imports = suites.base;
+            home.stateVersion = "22.05";
+          };
+          iot = {suites, ...}: {
+            imports = suites.base;
+            home.stateVersion = "22.05";
          };
        }; # digga.lib.importers.rakeLeaves ./users/hm;
      };
@ -170,6 +247,37 @@
        #    path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
        #  };
        #};
+        redpanda = {
+          hostname = "192.168.42.71:22";
+          sshUser = "hensoko";
+          fastConnect = true;
+          profilesOrder = ["system" "direnv"];
+          profiles.direnv = {
+            user = "hensoko";
+            path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
+          };
+        };
+
+        companion = {sshUser = "iot";};
+        cox = {sshUser = "iot";};
+        giggles = {sshUser = "iot";};
+        ringo = {};
+        cube = {sshUser = "iot";};
+        chonk = {sshUser = "iot";};
      };
+      users = {
+        pub-solar = {suites, ...}: {
+          imports = suites.base;
+          home.stateVersion = "21.03";
+        };
+        hensoko = {suites, ...}: {
+          imports = suites.base;
+          home.stateVersion = "21.03";
+        };
+        iot = {suites, ...}: {
+          imports = suites.base;
+          home.stateVersion = "21.03";
+        };
+      }; # digga.lib.importers.rakeLeaves ./users/hm;
    };
 }
--- a/hosts/chonk/acme.nix
+++ b/hosts/chonk/acme.nix
@ -0,0 +1,10 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "hensoko@gssws.de";
+  };
+}
--- a/hosts/chonk/authelia.nix
+++ b/hosts/chonk/authelia.nix
@ -0,0 +1,112 @@
+{
+  pkgs,
+  config,
+  self,
+  ...
+}: let
+  containerStateDir = "/var/lib/authelia-gssws";
+  hostStateDir = "/opt/authelia";
+  domain = "auth.gssws.de";
+  servicePort = 9091;
+in {
+  age.secrets.authelia_users = {
+    file = "${self}/secrets/chonk_authelia_users.age";
+    owner = "999";
+    group = "999";
+  };
+
+  age.secrets.authelia_storage_encryption_key = {
+    file = "${self}/secrets/chonk_authelia_storage_encryption_key.age";
+    owner = "999";
+    group = "999";
+  };
+
+  age.secrets.authelia_jwt_secret = {
+    file = "${self}/secrets/chonk_authelia_jwt_secret.age";
+    owner = "999";
+    group = "999";
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString servicePort}";
+    };
+  };
+
+  containers."authelia" = {
+    autoStart = true;
+    ephemeral = true;
+    bindMounts = {
+      "${containerStateDir}" = {
+        hostPath = hostStateDir;
+        isReadOnly = false;
+      };
+
+      "/run/agenix" = {
+        hostPath = "/run/agenix";
+        isReadOnly = false;
+      };
+
+      "/run/agenix.d" = {
+        hostPath = "/run/agenix.d";
+        isReadOnly = false;
+      };
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.enable = false;
+
+      services.authelia.instances."gssws" = {
+        enable = true;
+
+        secrets = {
+          jwtSecretFile = "/run/agenix/authelia_jwt_secret";
+          storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
+        };
+
+        settings = {
+          theme = "auto";
+          server.port = servicePort;
+
+          session.domain = domain;
+          default_redirection_url = "https://home.gssws.de/";
+
+          access_control.default_policy = "two_factor";
+
+          authentication_backend = {
+            password_reset.disable = false;
+            file = {
+              path = "/run/agenix/authelia_users";
+            };
+          };
+
+          storage.local.path = "/var/lib/authelia-gssws/db.sqlite3";
+
+          totp = {
+            issuer = "auth.gssws.de";
+            algorithm = "SHA512";
+            digits = 8;
+          };
+
+          webauthn = {
+            display_name = "auth.gssws.de";
+          };
+
+          notifier.smtp = {
+            address = "smtp://mail.gssws.de:25";
+            sender = "Authelia <authelia@gssws.de>";
+            identifier = "auth.gssws.de";
+          };
+        };
+      };
+
+      system.stateVersion = "23.05";
+    };
+  };
+}
--- a/hosts/chonk/backup.nix
+++ b/hosts/chonk/backup.nix
@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  self,
+  ...
+}: {
+  age.secrets.restic_repository_password.file = "${self}/secrets/chonk_restic_repository_password.age";
+  age.secrets.restic_nextcloud_password.file = "${self}/secrets/chonk_restic_nextcloud_password.age";
+
+  programs.ssh.extraConfig = ''
+    Host backup
+      HostName 10.0.1.12
+      Port 32222
+      User backup
+      IdentityFile /run/agenix/restic_ssh_private_key
+  '';
+
+  services.postgresqlBackup = {
+    enable = true;
+    backupAll = true;
+    compression = "zstd";
+  };
+
+  services.restic.backups = {
+    cox = {
+      passwordFile = "/run/agenix/restic_repository_password";
+      paths = [
+        "/mnt/internal/nextcloud"
+        "/var/backup/postgresql"
+      ];
+      repositoryFile = "/run/agenix/restic_nextcloud_password";
+      timerConfig = {
+        OnCalendar = "02:00";
+      };
+    };
+  };
+}
--- a/hosts/chonk/builder.nix
+++ b/hosts/chonk/builder.nix
@ -0,0 +1,29 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: let
+  psCfg = config.pub-solar;
+in {
+  age.secrets.nix-builder-private-key = {
+    owner = "builder";
+    group = "builder";
+    file = "${self}/secrets/chonk_nix_builder_private_key.age";
+  };
+
+  nix.settings.trusted-users = ["builder"];
+
+  boot.binfmt.emulatedSystems = ["aarch64-linux"];
+
+  users.groups."builder" = {};
+
+  users.users."builder" = {
+    isNormalUser = true;
+    group = "builder";
+    shell = pkgs.bashInteractive;
+    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8hTdDTA+LVlHkOm5IBjT32PvAdCxYfUfFFRx+JGeS6 root@norman"];
+  };
+
+  nix.settings.secret-key-files = "/run/agenix/nix-builder-private-key";
+}
--- a/hosts/chonk/chonk.nix
+++ b/hosts/chonk/chonk.nix
@ -0,0 +1,14 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+with pkgs; let
+  psCfg = config.pub-solar;
+in {
+  imports = [
+    ./configuration.nix
+  ];
+}
--- a/hosts/chonk/configuration.nix
+++ b/hosts/chonk/configuration.nix
@ -0,0 +1,45 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./acme.nix
+    ./backup.nix
+    ./drone.nix
+    ./home-assistant.nix
+    ./nextcloud.nix
+    ./wireguard.nix
+    ./builder.nix
+    ./invidious.nix
+    ./factorio.nix
+
+    ./invoiceplane.nix
+    #./tang.nix
+    #./whiteboard.nix
+
+    ./libvirt-container.nix
+    ./monitoring.nix
+
+    ./authelia.nix
+  ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  time.timeZone = "Europe/Berlin";
+
+  services.openssh.ports = [2222];
+
+  networking.nat.enable = true;
+  networking.nat.internalIPs = ["10.10.42.0/24" "10.0.1.1"];
+  networking.nat.externalInterface = "br0";
+
+  networking.firewall.enable = lib.mkForce true;
+  networking.firewall.allowedTCPPorts = [80 443 2222];
+  networking.firewall.allowedUDPPorts = [51899];
+
+  system.stateVersion = "21.05"; # Did you read the comment?
+}
--- a/hosts/chonk/default.nix
+++ b/hosts/chonk/default.nix
@ -0,0 +1,7 @@
+{suites, ...}: {
+  imports =
+    [
+      ./chonk.nix
+    ]
+    ++ suites.chonk;
+}
--- a/hosts/chonk/drone.nix
+++ b/hosts/chonk/drone.nix
@ -0,0 +1,24 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets.drone_exec_runner_config = {
+    file = "${self}/secrets/chonk_drone_exec_runner_config.age";
+    owner = "999";
+  };
+
+  pub-solar.docker-ci-runner = {
+    enable = true;
+    enableKvm = true;
+    nixCacheLocation = "/srv/drone-nix-cache/nix";
+
+    runnerEnvironment = {
+      DRONE_RUNNER_CAPACITY = "10";
+      DRONE_RUNNER_LABELS = "hosttype:baremetal";
+    };
+
+    runnerVarsFile = "/run/agenix/drone_exec_runner_config";
+  };
+}
--- a/hosts/chonk/factorio.nix
+++ b/hosts/chonk/factorio.nix
@ -0,0 +1,177 @@
+{
+  self,
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with pkgs; let
+  modDrv = pkgs.factorio-utils.modDrv {
+    allRecommendedMods = true;
+    allOptionalMods = false;
+  };
+
+  # Krastorio
+  flib = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/EsrBq2XpR9bTp7b/download/flib_0.12.6.zip"
+      ];
+      sha256 = "Wf/w3Bh4jT5DDEp6GCVdg181DxEjiWe1iN3h5X7/oAw=";
+    };
+  };
+
+  krastorio2Assets = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/czsmnaiis25TX8m/download/Krastorio2Assets_1.2.1.zip"
+      ];
+      sha256 = "1Y8I40I8EQLdLuiWDr+aty8p7PNh1pY6IPkRVz2pi5E=";
+    };
+  };
+
+  krastorio2 = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/DepN4zWWjiEJpZt/download/Krastorio2_1.3.18.zip"
+      ];
+      sha256 = "wuMVVW7SbDdBxcUmJLT9MzpC9W1RRJaTs2cYylt6ilU=";
+    };
+
+    deps = [flib krastorio2Assets];
+  };
+
+  # Alien Biomes
+  alienBiomes = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/FH22nM54PfcTios/download/alien-biomes_0.6.8.zip"
+      ];
+      sha256 = "oy7VeSIxJmTNmpu/0tGqhbrfPFoJRQc5eS6eI/Epp1A=";
+    };
+  };
+
+  # Auto Deconstruct
+  autoDeconstruct = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/fSLQCfRGFKTbQSw/download/AutoDeconstruct_0.3.7.zip"
+      ];
+      sha256 = "VYgLhfWSaWtbY8l+c+9v498IPA/Q7XdRveEsw/pxuJw=";
+    };
+  };
+
+  # Cargo Ships
+  cargoShips = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/tcYXBymFT8idCdb/download/cargo-ships_0.1.22.zip"
+      ];
+      sha256 = "pfP97myiibmp00o75Yo9rVYS6cYKgflGiRNsP+FTjFU=";
+    };
+  };
+
+  # Electrical Trains
+  electricalTrains = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/oHXWpoi7kD52Dzt/download/Realistic_Electric_Trains_Krastorio_2_1.0.0.zip"
+      ];
+      sha256 = "ujO5qRHzKgxX/vsYYvoBjh1UKukGD31FvjLQZzCqxlk=";
+    };
+  };
+
+  # far reach
+  farReach = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/KAqfr826ccHHRpG/download/far-reach_1.1.2.zip"
+      ];
+      sha256 = "y1XuduS9WKMtGKLj7hQgh7wOy8l3l5WWlLTm6BJ1yxA=";
+    };
+  };
+
+  # Fluid Must Flow
+  fluidMustFlow = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/J2XA4jPNNWxSSti/download/FluidMustFlow_1.3.1.zip"
+      ];
+      sha256 = "X2dGJCFL1dRRP7BFhFKI7mgtFd4zjHYWO8ehII6aaDc=";
+    };
+  };
+
+  # Recipe Book
+  recipeBook = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/oRQYJ4H7xkc3rtq/download/RecipeBook_3.5.2.zip"
+      ];
+      sha256 = "dPj9FH0r4dXtdrXyAkVIwXveECCBzcVGlJmQsF0oSpE=";
+    };
+  };
+
+  # Regenerate Terrain
+  regenerateTerrain = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/YWTEB6rQeptmxGL/download/regenerate-terrain_0.3.1.zip"
+      ];
+      sha256 = "EIZQeTzHAvSEFAOh6pN0Xd5GbqV9O/wI2QA5YtR8GxU=";
+    };
+  };
+
+  # Space Exploration
+  spaceExploration = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/yy79DMAQtqCcWYW/download/space-exploration_0.6.104.zip"
+      ];
+      sha256 = "5vFD+6R4jqp2PH6ASa1JJ0+acXi+dBwyrM/xil8RyU0=";
+    };
+  };
+
+  # Todo List
+  todoList = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/bJjpgSMamwex7pF/download/Todo-List_19.3.0.zip"
+      ];
+      sha256 = "0QPp7W2OOrkpLs+fOvTxut+6rV0heZdfEA4sbvyb+rs=";
+    };
+  };
+
+  # Vehicle Snap
+  vehicleSnap = modDrv {
+    src = fetchurl {
+      urls = [
+        "https://cloud.pub.solar/s/ZgDTAgY4dxiwZ3d/download/VehicleSnap_1.18.5.zip"
+      ];
+      sha256 = "VRo2feta/CZGXGHbOwLOWdXZUoiqwlLPne0dC3YPyDA=";
+    };
+  };
+in rec
+{
+  services.factorio = {
+    enable = true;
+    package = pkgs.factorio-headless-experimental;
+    openFirewall = true;
+    game-name = "pub.solar Factorio";
+    game-password = "pub.solar";
+    admins = ["hensoko"];
+    mods = [
+      krastorio2
+      alienBiomes
+      autoDeconstruct
+      cargoShips
+      electricalTrains
+      farReach
+      fluidMustFlow
+      recipeBook
+      regenerateTerrain
+      spaceExploration
+      todoList
+      vehicleSnap
+    ];
+  };
+}
--- a/hosts/chonk/hardware-configuration.nix
+++ b/hosts/chonk/hardware-configuration.nix
@ -0,0 +1,118 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = ["raid1"];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+  boot.extraModprobeConfig = "options kvm_intel nested=1";
+
+  boot.initrd.luks.forceLuksSupportInInitrd = true;
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03025429121421051300-0:0";
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/9e13c8ea-96d3-45b1-85f4-d1a61233da6f";
+    #keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
+    #fallbackToPassword = true;
+    #bypassWorkqueues = true;
+  };
+
+  boot.initrd.network = {
+    enable = true;
+    ssh = {
+      enable = true;
+      port = 22;
+      authorizedKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"];
+      hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
+    };
+    postCommands = ''
+      echo 'cryptsetup-askpass' >> /root/.profile
+    '';
+  };
+
+  boot.initrd.systemd.enable = true;
+
+  boot.initrd.services.swraid = {
+    enable = true;
+    mdadmConf = ''
+      ARRAY /dev/md/0 metadata=1.2 name=data:0 UUID=1156202f:835af09b:2e05e02a:a1869d1c
+    '';
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "ext4";
+  };
+
+  fileSystems."/mnt/internal" = {
+    device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-label/swap";}
+  ];
+
+  networking.bonds."bond0" = {
+    interfaces = ["eno1" "eno2"];
+    driverOptions = {
+      miimon = "100";
+      mode = "balance-xor";
+      xmit_hash_policy = "layer3+4";
+    };
+  };
+
+  networking = {
+    defaultGateway = {
+      address = "80.244.242.1";
+      interface = "br0";
+    };
+
+    defaultGateway6 = {
+      address = "2001:4d88:1ffa:26::1";
+      interface = "br0";
+    };
+
+    nameservers = ["95.129.51.51" "80.244.244.244"];
+
+    bridges."br0".interfaces = ["bond0"];
+
+    interfaces."br0" = {
+      ipv4.addresses = [
+        {
+          address = "80.244.242.2";
+          prefixLength = 29;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "2001:4d88:1ffa:26::2";
+          prefixLength = 64;
+        }
+      ];
+    };
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/chonk/home-assistant.nix
+++ b/hosts/chonk/home-assistant.nix
@ -0,0 +1,26 @@
+{
+  self,
+  pkgs,
+  config,
+  ...
+}: {
+  # HTTP
+  services.nginx.virtualHosts = let
+    makeVirtualHost = target: {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = target;
+        proxyWebsockets = true;
+        extraConfig = ''
+          proxy_ssl_server_name on;
+          proxy_pass_header Authorization;
+        '';
+      };
+    };
+  in {
+    "ha.gssws.de" = makeVirtualHost "http://10.0.1.254:8123";
+    "ha2.gssws.de" = makeVirtualHost "http://10.0.1.11:8123";
+    "ha.karinsokolowski.de" = makeVirtualHost "http://10.0.1.13:8123";
+  };
+}
--- a/hosts/chonk/invidious.nix
+++ b/hosts/chonk/invidious.nix
@ -0,0 +1,23 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: let
+  domain = "yt.gssws.de";
+in {
+  age.secrets.invidious_db_password.file = "${self}/secrets/chonk_invidious_db_password.age";
+
+  services.invidious = {
+    inherit domain;
+    enable = true;
+    nginx.enable = true;
+    database = {
+      createLocally = true;
+      passwordFile = "/run/agenix/invidious_db_password";
+    };
+    settings = {
+      https_only = true;
+    };
+  };
+}
--- a/hosts/chonk/invoiceplane.nix
+++ b/hosts/chonk/invoiceplane.nix
@ -0,0 +1,63 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: let
+  hostAddress = "10.10.42.1";
+  serviceAddress = "10.10.42.11";
+
+  domain = "inv.gssws.de";
+  hostStateDir = "/mnt/internal/invoiceplane";
+  containerStateDir = "/var/lib/invoiceplane";
+in {
+  # nginx
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/" = {
+        proxyPass = "http://${serviceAddress}:80";
+      };
+    };
+  };
+
+  # invoiceplane
+  containers."invoiceplane" = {
+    privateNetwork = true;
+    hostAddress = "10.10.42.1";
+    localAddress = serviceAddress;
+
+    bindMounts."${containerStateDir}" = {
+      hostPath = hostStateDir;
+      isReadOnly = false;
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.allowedTCPPorts = [80];
+
+      services.rsyslogd.enable = true;
+
+      services.phpfpm.pools."invoiceplane-${domain}".phpOptions = ''
+        date.timezone = Europe/Berlin
+      '';
+      services.caddy.virtualHosts."http://${domain}".listenAddresses = ["0.0.0.0"];
+
+      services.invoiceplane.sites."${domain}" = {
+        enable = true;
+        stateDir = containerStateDir;
+
+        database = {
+          user = "invoiceplane";
+          name = "invoiceplane";
+        };
+      };
+
+      system.stateVersion = "22.11";
+    };
+  };
+}
--- a/hosts/chonk/libvirt-container.nix
+++ b/hosts/chonk/libvirt-container.nix
@ -0,0 +1,66 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  networking.firewall.allowedTCPPorts = [4222];
+
+  containers."libvirt-container" = {
+    autoStart = true;
+
+    bindMounts."/dev/kvm" = {
+      hostPath = "/dev/kvm";
+      isReadOnly = false;
+    };
+
+    allowedDevices = [
+      {
+        node = "/dev/kvm";
+        modifier = "rw";
+      }
+      {
+        node = "/dev/net/tun";
+        modifier = "rw";
+      }
+      {
+        node = "/dev/vnet*";
+        modifier = "rw";
+      }
+    ];
+
+    forwardPorts = [
+      {
+        hostPort = 4222;
+      }
+    ];
+
+    enableTun = true;
+
+    #extraFlags = [ "-U" ];
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.enable = false;
+
+      virtualisation.libvirtd.enable = true;
+      security.polkit.enable = true;
+
+      services.openssh = {
+        enable = true;
+        ports = [4222];
+      };
+
+      users.users.root = {
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
+        ];
+      };
+
+      system.stateVersion = "22.11";
+    };
+  };
+}
--- a/hosts/chonk/monitoring.nix
+++ b/hosts/chonk/monitoring.nix
@ -0,0 +1,84 @@
+{
+  config,
+  lib,
+  self,
+  ...
+}: {
+  pub-solar.monitoring-server = {
+    enable = true;
+    listenAddress = "10.0.1.6";
+    grafana.enable = true;
+    node_exporter = {
+      enable = true;
+      hosts = [
+        "10.0.1.11:9002"
+        "10.0.1.12:9002"
+        "10.0.1.13:9002"
+        "10.0.1.254:9100"
+      ];
+    };
+    snmp = {
+      enable = true;
+      hosts = [
+        "192.168.42.1"
+        #"10.0.1.254:9116" = [
+        #  {
+        #    targets = [ "192.168.42.1" ];
+        #    auth = [ "public_v2" ];
+        #    modules = [ "if_mib" ];
+        #  }
+        #];
+      ];
+    };
+    smokeping = {
+      enable = true;
+      hosts = [
+        "mail.gssws.de"
+        "cust.gssws.de"
+        "data.gssws.de"
+        "mail.hosting.de"
+        "blog.fefe.de"
+        # hosting.de
+        "ovh2.goekal.de"
+        "83.151.16.16"
+        "83.151.16.17"
+        "83.151.16.51"
+        "r2backup17.masterlogin.de"
+        "demo.routing.net"
+        "vsrv07344.customer.vlinux.de"
+        "213.160.76.43"
+        "185.11.139.27"
+        "185.11.137.4"
+        "83.151.30.176"
+        "83.151.28.246"
+        "83.151.21.204"
+        "79.140.42.4"
+        "31.15.67.23"
+        "31.15.64.79"
+        "80.244.244.244"
+        "95.129.51.51"
+        "185.11.137.122"
+        "79.140.41.12"
+      ];
+    };
+  };
+
+  # wireguard exporter
+  networking.firewall.allowedTCPPorts = [9585];
+  services.prometheus = {
+    exporters.wireguard = {
+      enable = true;
+      withRemoteIp = true;
+    };
+    scrapeConfigs = [
+      {
+        job_name = "chonk-wireguard";
+        static_configs = [
+          {
+            targets = ["10.0.1.6:9586"];
+          }
+        ];
+      }
+    ];
+  };
+}
--- a/hosts/chonk/nextcloud-apps.nix
+++ b/hosts/chonk/nextcloud-apps.nix
@ -0,0 +1,29 @@
+{
+  self,
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  services.nextcloud.extraApps = with pkgs.nextcloud27Packages.apps; {
+    inherit bookmarks
+      calendar
+      contacts
+      files_markdown
+      impersonate
+      keeweb
+      maps
+      news
+      notes
+      notify_push
+      tasks
+      #twofactor_totp
+      twofactor_webauthn
+      user_saml;
+
+    "twofactor_totp" = pkgs.fetchzip {
+      sha256 = "zAPNugbvngXcpgWJLD78YAg4G1QtGaphx1bhhg7mLKE=";
+      url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
+    };
+  };
+}
--- a/hosts/chonk/nextcloud-collabora.nix
+++ b/hosts/chonk/nextcloud-collabora.nix
@ -0,0 +1,39 @@
+{...}: {
+  # Collabora Code server
+  virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
+    image = "collabora/code";
+    autoStart = true;
+    ports = ["127.0.0.1:9980:9980"];
+    environment.domain = "data\\.gssws\\.de";
+    extraOptions = ["--cap-add" "MKNOD"];
+  };
+
+  services.nginx.virtualHosts."office.gssws.de" = let
+    proxyPass = "https://127.0.0.1:9980";
+    extraConfig = "proxy_ssl_verify off;";
+  in {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."^~ /browser" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."^~ /hosting/discovery" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."^~ /hosting/capabilities" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."~ ^/cool/(.*)/ws''$" = {
+      inherit proxyPass extraConfig;
+      proxyWebsockets = true;
+    };
+    locations."~ ^/(c|l)ool" = {
+      inherit proxyPass extraConfig;
+    };
+    locations."^~ /cool/adminws" = {
+      inherit proxyPass extraConfig;
+      proxyWebsockets = true;
+    };
+  };
+}
--- a/hosts/chonk/nextcloud.nix
+++ b/hosts/chonk/nextcloud.nix
@ -0,0 +1,124 @@
+{
+  self,
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  notifyPushPort = 7867;
+in {
+  imports = [
+    ./nextcloud-apps.nix
+    ./nextcloud-collabora.nix
+  ];
+
+  age.secrets.nextcloud_db_pass = {
+    owner = "nextcloud";
+    group = "nextcloud";
+    file = "${self}/secrets/chonk_nextcloud_db_pass.age";
+  };
+
+  age.secrets.nextcloud_admin_pass = {
+    owner = "nextcloud";
+    group = "nextcloud";
+    file = "${self}/secrets/chonk_nextcloud_admin_pass.age";
+  };
+
+  # HTTP
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    virtualHosts."data.gssws.de" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+
+  # DATABASES
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_11;
+
+    settings = {
+      max_connections = "200";
+    };
+
+    ensureDatabases = ["nextcloud"];
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+
+  # NOTIFY PUSH
+  services.nextcloud.notify_push.enable = true;
+
+  # REDIS
+  services.redis.servers."nextcloud".enable = true;
+  users.groups."redis-nextcloud".members = ["nextcloud"];
+
+  # NEXTCLOUD
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud27;
+    enableBrokenCiphersForSSE = false;
+    hostName = "data.gssws.de";
+    https = true;
+    datadir = "/mnt/internal/nextcloud";
+
+    caching.apcu = true;
+    caching.redis = true;
+
+    phpPackage = lib.mkForce pkgs.php82;
+
+    poolSettings = {
+      "pm" = "dynamic";
+      "pm.max_children" = "128";
+      "pm.start_servers" = "64";
+      "pm.min_spare_servers" = "32";
+      "pm.max_spare_servers" = "76";
+      "pm.max_requests" = "500";
+    };
+
+    phpOptions = {
+      short_open_tag = "Off";
+      expose_php = "Off";
+      error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
+      display_errors = "stderr";
+      "opcache.enable_cli" = "1";
+      "opcache.interned_strings_buffer" = "32";
+      "opcache.max_accelerated_files" = "100000";
+      "opcache.memory_consumption" = "256";
+      "opcache.revalidate_freq" = "1";
+      "opcache.fast_shutdown" = "1";
+      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+      catch_workers_output = "yes";
+    };
+
+    config = {
+      overwriteProtocol = "https";
+
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "127.0.0.1:5432";
+      dbname = "nextcloud";
+      dbpassFile = "/run/agenix/nextcloud_db_pass";
+      adminpassFile = "/run/agenix/nextcloud_admin_pass";
+      adminuser = "admin";
+
+      trustedProxies = ["80.244.242.2"];
+      defaultPhoneRegion = "DE";
+    };
+  };
+}
--- a/hosts/chonk/tang-container.nix
+++ b/hosts/chonk/tang-container.nix
@ -0,0 +1,68 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  containerStateDir = "/data";
+  hostStateDir = "/opt/tangd";
+  domain = "";
+  serviceAddress = "10.10.42.12";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${serviceAddress}:${toString servicePort}";
+    };
+  };
+
+  containers."tang" = {
+    autoStart = true;
+    ephemeral = true;
+    bindMounts."${containerStateDir}" = {
+      hostPath = hostStateDir;
+      isReadOnly = false;
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.enable = false;
+
+      users.groups."_tang" = {};
+
+      users.users."_tang" = {
+        group = "_tang";
+        isSystemUser = true;
+      };
+
+      environment.systemPackages = ["${pkgs.jose}"];
+
+      systemd.services."tangd@" = {
+        enable = true;
+        serviceConfig = {
+          ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
+          ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
+          StandardInput = "socket";
+          StandardOutput = "socket";
+          StandardError = "journal";
+          User = "_tang";
+          Group = "_tang";
+        };
+      };
+
+      systemd.sockets."tangd" = {
+        enable = true;
+        listenStreams = ["${toString servicePort}"];
+        wantedBy = ["sockets.target"];
+        socketConfig = {
+          Accept = true;
+        };
+      };
+
+      system.stateVersion = "22.11";
+    };
+  };
+}
--- a/hosts/chonk/tang.nix
+++ b/hosts/chonk/tang.nix
@ -0,0 +1,25 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: let
+  domain = "t.gssws.de";
+  servicePort = 63080;
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${builtins.toString servicePort}";
+    };
+  };
+
+  virtualisation.oci-containers.containers."tang" = {
+    image = "cloggo/tangd";
+    ports = ["127.0.0.1:${builtins.toString servicePort}:8080"];
+    environment = {
+      IP_WHITELIST = "172.17.0.1";
+    };
+  };
+}
--- a/hosts/chonk/wireguard.nix
+++ b/hosts/chonk/wireguard.nix
@ -0,0 +1,66 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets.home_controller_wireguard.file = "${self}/secrets/chonk_wireguard_key.age";
+
+  systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+  systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+
+  # Enable WireGuard
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = ["10.0.1.6"];
+      listenPort = 51899;
+
+      privateKeyFile = "/run/agenix/home_controller_wireguard";
+
+      peers = [
+        {
+          # router
+          publicKey = "xqifcPfCgLNQ1M3w6zfoWVMkkz2lO5GZ/LlOECnPQFc=";
+          allowedIPs = ["10.0.1.1/32"];
+
+          persistentKeepalive = 25;
+        }
+        {
+          # giggles
+          publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+          allowedIPs = ["10.0.1.11/32"];
+
+          persistentKeepalive = 25;
+        }
+        {
+          # cox
+          publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+          allowedIPs = ["10.0.1.12/32"];
+
+          persistentKeepalive = 25;
+        }
+        {
+          # companion
+          publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+          allowedIPs = ["10.0.1.13/32"];
+
+          persistentKeepalive = 25;
+        }
+        {
+          # norman
+          publicKey = "FRNg+bJWPn4vAA2Fw8PXYsTpxdEKdVE+b7eTtl8ORxM=";
+          allowedIPs = ["10.0.1.121/32"];
+
+          persistentKeepalive = 25;
+        }
+        {
+          # hsha
+          publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
+          allowedIPs = ["10.0.1.254/32"];
+
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
--- a/hosts/companion/companion.nix
+++ b/hosts/companion/companion.nix
@ -0,0 +1,18 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    nixpkgs.crossSystem.system = "aarch64-linux";
+  };
+}
--- a/hosts/companion/configuration.nix
+++ b/hosts/companion/configuration.nix
@ -0,0 +1,43 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  inputs,
+  pkgs,
+  builtins,
+  config,
+  lib,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ./home-controller.nix
+    ./home-assistant.nix
+  ];
+
+  boot.loader.timeout = lib.mkForce 0;
+
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+  boot.loader.grub = {
+    enable = lib.mkForce true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+
+    extraInstallCommands = ''
+      cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/
+    '';
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  networking.useDHCP = false;
+  networking.interfaces.enabcm6e4ei0.useDHCP = true;
+  networking.networkmanager.enable = lib.mkForce false;
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
--- a/hosts/companion/default.nix
+++ b/hosts/companion/default.nix
@ -0,0 +1,7 @@
+{suites, ...}: {
+  imports =
+    [
+      ./companion.nix
+    ]
+    ++ suites.companion;
+}
--- a/hosts/companion/hardware-configuration.nix
+++ b/hosts/companion/hardware-configuration.nix
@ -0,0 +1,69 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  #boot.kernelParams = [ "usb-storage.quirks=2109:0716:u,174c:55aa:u" ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.supportedFilesystems = [];
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+
+  boot.loader.efi.canTouchEfiVariables = false;
+
+  boot.loader.systemd-boot.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = false;
+  boot.loader.timeout = 0;
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/2538df0f-9d17-4651-a7ee-26d6f28e4e71";
+    keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
+    fallbackToPassword = true;
+    bypassWorkqueues = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/5552-1B21";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-label/swap";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/hosts/companion/home-assistant.nix
+++ b/hosts/companion/home-assistant.nix
@ -0,0 +1,99 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  pub-solar.home-assistant = {
+    enable = true;
+
+    extraComponents = ["androidtv" "fritz" "fritzbox" "fritzbox_callmonitor" "met" "mqtt"];
+    extraPackages = python3Packages:
+      with python3Packages; [
+        # androidtv
+        adb-shell
+        aiofiles
+        androidtv
+
+        # deutsche bahn
+        schiene
+
+        # dwd
+        markdownify
+
+        # hacs
+        aiogithubapi
+
+        # totop
+        pyotp
+      ];
+
+    mqtt = {
+      enable = true;
+      users = {
+        ha = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$jLA9PReG5btNSvw8$O0c3UzCfcBcvqVH8kMZIwEims7p1L4o/DmOTHO9w9731ggC5SyUpJGQIDiUbv+IrTl/H0+Fz9QF/jvY0QCuxuA==";
+        };
+        nono = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$votbflBI1KrRRzBy$hCC/qo7Ggaf2vaLv7lo5uPnyrTCb0i6hPQvXuL/OrrUpzP+KNl6efEU7yQ0cDH6/rJ16Fe2PWSTcW+pL8dlgmg==";
+        };
+        z2m = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$iZE7WOCQIaLtuoVN$M7AAB/mMmhkuXQVmu2RPoJzm744bmwxGTJwE0eoqlPAjyQHbjmOWfEuKoo9jnQCoQu2T96gS8znsUNizGgPWiQ==";
+        };
+      };
+    };
+
+    zigbee2mqtt = {
+      enable = true;
+      device = "/dev/ttyS0";
+      adapter = "deconz";
+    };
+
+    config = {
+      homeassistant = {
+        name = "Berrendorf";
+        time_zone = "Europe/Berlin";
+        temperature_unit = "C";
+        unit_system = "metric";
+        latitude = "50.9279036523298";
+        longitude = "6.583225751885932";
+        country = "DE";
+        external_url = "https://ha.karinsokolowski.de";
+        internal_url = "http://192.168.178.254:8123";
+      };
+      http = {
+        ip_ban_enabled = false;
+        use_x_forwarded_for = true;
+        trusted_proxies = [
+          "127.0.0.1"
+          "10.254.0.21"
+          "10.0.1.5"
+          "10.0.1.6"
+        ];
+      };
+
+      energy = {};
+      frontend = {};
+      history = {};
+      map = {};
+      my = {};
+      mobile_app = {};
+      network = {};
+      notify = {};
+      person = {};
+      ssdp = {};
+      sun = {};
+      system_health = {};
+      zeroconf = {};
+    };
+  };
+}
--- a/hosts/companion/home-controller.nix
+++ b/hosts/companion/home-controller.nix
@ -0,0 +1,16 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  config = {
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      ownIp = "10.0.1.13";
+      wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
+    };
+  };
+}
--- a/hosts/cox/backup.nix
+++ b/hosts/cox/backup.nix
@ -0,0 +1,87 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets.backup_restic_htpasswd = {
+    file = "${self}/secrets/cox_backup_restic_htpasswd.age";
+    owner = "${toString config.ids.uids.restic}";
+  };
+
+  services.nginx = {
+    enable = true;
+    clientMaxBodySize = "1G";
+    virtualHosts."backup.local" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:18000";
+        extraConfig = ''
+          proxy_connect_timeout 600;
+          proxy_send_timeout 600;
+          proxy_read_timeout 600;
+          send_timeout 600;
+          proxy_set_header Host ''$host;
+          proxy_set_header X-Forwarded-For ''$remote_addr;
+        '';
+      };
+    };
+  };
+  containers."backup" = {
+    autoStart = true;
+    ephemeral = true;
+    bindMounts = {
+      "/var/lib/restic" = {
+        hostPath = "/opt/backup/hdd/restic";
+        isReadOnly = false;
+      };
+      "/var/lib/restic/.htpasswd" = {
+        hostPath = "/run/agenix/backup_restic_htpasswd";
+        isReadOnly = false;
+      };
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.enable = false;
+
+      services.restic.server = {
+        enable = true;
+        listenAddress = "0.0.0.0:18000";
+        privateRepos = true;
+        extraFlags = [
+          "--append-only"
+          "--prometheus"
+          "--prometheus-no-auth"
+        ];
+      };
+
+      time.timeZone = "Europe/Berlin";
+      system.stateVersion = "22.11";
+    };
+  };
+
+  #virtualisation.oci-containers = {
+  #  backend = "docker";
+  #  containers = {
+  #    backup-ssh = {
+  #      image = "linuxserver/openssh-server:arm64v8-latest";
+  #      ports = [ "32222:2222" ];
+  #
+  #      environment = {
+  #        PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
+  #        USER_NAME = "backup";
+  #        TZ = "Europe/Berlin";
+  #        PUID = "911";
+  #        PGID = "911";
+  #      };
+  #
+  #      volumes = [
+  #        "/opt/backup/hdd/restic:/data/hdd/restic"
+  #      ];
+  #    };
+  #  };
+  #};
+}
--- a/hosts/cox/configuration.nix
+++ b/hosts/cox/configuration.nix
@ -0,0 +1,30 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./backup.nix
+    ./hardware-configuration.nix
+    ./home-controller.nix
+    ./paperless.nix
+  ];
+
+  time.timeZone = "Europe/Berlin";
+
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = false;
+  networking.networkmanager.enable = false;
+
+  networking.firewall.allowedTCPPorts = [3689];
+  networking.firewall.allowedUDPPorts = [1900];
+
+  virtualisation.podman.enable = true;
+
+  system.stateVersion = "22.11";
+}
--- a/hosts/cox/cox.nix
+++ b/hosts/cox/cox.nix
@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
+}
--- a/hosts/cox/default.nix
+++ b/hosts/cox/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./cox.nix
+  ] ++ suites.cox;
+}
--- a/hosts/cox/hardware-configuration.nix
+++ b/hosts/cox/hardware-configuration.nix
@ -0,0 +1,57 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
+  boot.kernelPackages = pkgs.linuxPackages_6_1;
+  boot.kernelParams = ["usb-storage.quirks=2109:0716:ouw,174c:55aa:u,2109:2813:ouw,2109:0813:ouw"];
+
+  boot.loader = {
+    timeout = 0;
+    efi.canTouchEfiVariables = false;
+
+    systemd-boot.enable = false;
+    generic-extlinux-compatible.enable = false;
+
+    grub = {
+      enable = true;
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      device = "nodev";
+    };
+  };
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/d86a20a6-686c-4bf8-bd3b-911901272742";
+    keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
+    fallbackToPassword = true;
+    bypassWorkqueues = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-label/swap";}
+  ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/hosts/cox/home-controller.nix
+++ b/hosts/cox/home-controller.nix
@ -0,0 +1,17 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  config = {
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      ownIp = "10.0.1.12";
+
+      wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
+    };
+  };
+}
--- a/hosts/cox/paperless.nix
+++ b/hosts/cox/paperless.nix
@ -0,0 +1,19 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  pub-solar.paperless = {
+    enable = true;
+    hostStateDir = "/opt/documents/paperless";
+
+    ftp = {
+      enable = true;
+      listenPort = 20021;
+    };
+
+    nextcloud = {
+      enable = true;
+    };
+  };
+}
--- a/hosts/cube/configuration.nix
+++ b/hosts/cube/configuration.nix
@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./home-controller.nix
+  ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  time.timeZone = "Europe/Berlin";
+
+  networking.interfaces.eno1.useDHCP = true;
+
+  networking.nat.enable = true;
+  networking.nat.internalIPs = ["10.10.42.0/24"];
+  networking.nat.externalInterface = "eno1";
+
+  networking.firewall.allowedTCPPorts = [80 443 22];
+  networking.firewall.allowedUDPPorts = [51899];
+
+  networking.firewall.enable = lib.mkForce true;
+
+  system.stateVersion = "21.05"; # Did you read the comment?
+}
--- a/hosts/cube/cube.nix
+++ b/hosts/cube/cube.nix
@ -0,0 +1,15 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with pkgs;
+let
+  psCfg = config.pub-solar;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  pub-solar.core.disk-encryption-active = false;
+
+  networking.networkmanager.enable = lib.mkForce false;
+}
--- a/hosts/cube/default.nix
+++ b/hosts/cube/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./cube.nix
+  ] ++ suites.cube;
+}
--- a/hosts/cube/hardware-configuration.nix
+++ b/hosts/cube/hardware-configuration.nix
@ -0,0 +1,56 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
+  };
+
+  boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "megaraid_sas" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = ["dm-snapshot"];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/24ddd650-e9fc-4407-ba4c-cc237de4c484";
+    keyFile = "/dev/disk/by-id/usb-Kingston_DataTraveler_3.0_E0D55E625BE3E72078790030-0:0-part1";
+    fallbackToPassword = true;
+    bypassWorkqueues = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/c47cdc43-d77c-4a01-87b3-a289fa97ef14";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3ee236cc-c4a6-423b-ba77-7a15ba642123";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/0ddcb856-f39e-45d6-bde3-4fbf9c81fe6c";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/cube/wireguard.nix
+++ b/hosts/cube/wireguard.nix
@ -0,0 +1,63 @@
+{ self, config, pkgs, ... }:
+
+{
+  age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
+
+
+  systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+  systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+
+  # Enable WireGuard
+  networking.wireguard.interfaces = {
+    wg1 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [ "10.0.1.5" ];
+      listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/run/agenix/home_controller_wireguard";
+
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+
+        {
+          # giggles
+          publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+          allowedIPs = [ "10.0.1.11/32" ];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+        {
+          # cox
+          publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+          allowedIPs = [ "10.0.1.12/32" ];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+        {
+          # companion
+          publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+          allowedIPs = [ "10.0.1.13/32" ];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+
+        {
+          # hsha
+          publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
+          allowedIPs = [ "10.0.1.254/32" ];
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
--- a/hosts/falcone/configuration.nix
+++ b/hosts/falcone/configuration.nix
@ -0,0 +1,48 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ inputs, pkgs, builtins, config, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  pub-solar.core.disk-encryption-active = false;
+
+  boot.loader.grub.enable = lib.mkForce false;
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.networkmanager.enable = lib.mkForce false;
+
+  boot.initrd.network = {
+    enable = true;
+  };
+
+
+  # Open ports in the firewall.
+  #networking.firewall.allowedTCPPorts = [ ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/hosts/falcone/default.nix
+++ b/hosts/falcone/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./falcone.nix
+  ] ++ suites.falcone;
+}
--- a/hosts/falcone/falcone.nix
+++ b/hosts/falcone/falcone.nix
@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
+}
--- a/hosts/falcone/hardware-configuration.nix
+++ b/hosts/falcone/hardware-configuration.nix
@ -0,0 +1,41 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  #boot.initrd.supportedFilesystems = [ "zfs" ];
+  #boot.supportedFilesystems = [ "zfs" ];
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_19;
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/9f3208ae-ee05-44b8-a0bc-dc1e7499bdb8";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/997A-7FBA";
+      fsType = "vfat";
+    };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/hosts/giggles/aioairctrl.nix
+++ b/hosts/giggles/aioairctrl.nix
@ -0,0 +1,24 @@
+{ pkgs, python311 }:
+let
+  pycryptodomex = python311.pkgs.buildPythonPackage rec {
+      pname = "pycryptodomex";
+      version = "3.18.0";
+      src = pkgs.fetchPypi {
+        inherit pname version;
+        sha256 = "Pj7LX+l558G7ACflGDQKz37mBBXXkpXlJR0Txo3eV24=";
+      };
+  };
+in
+  python311.pkgs.buildPythonPackage rec {
+      pname = "aioairctrl";
+      version = "0.2.4";
+      src = pkgs.fetchPypi {
+        inherit pname version;
+        sha256 = "BIJWwMQq3QQjhyO0TSw+C6muyr3Oyv6UHr/Y3iYqRUM=";
+      };
+
+      propagatedBuildInputs = with python311.pkgs; [
+        aiocoap
+        pycryptodomex
+      ];
+  }
--- a/hosts/giggles/avahi-reflector.nix
+++ b/hosts/giggles/avahi-reflector.nix
@ -0,0 +1,8 @@
+{...}: {
+  services.avahi = {
+    enable = true;
+    allowInterfaces = ["eth0" "vlan102" "vlan104"];
+    reflector = true;
+    publish.enable = true;
+  };
+}
--- a/hosts/giggles/configuration.nix
+++ b/hosts/giggles/configuration.nix
@ -0,0 +1,35 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ./network.nix
+    ./network-dhcp.nix
+    ./avahi-reflector.nix
+    ./unifi.nix
+
+    ./home-controller.nix
+    ./home-assistant.nix
+
+    ./frigate.nix
+
+    # ./tang-container.nix
+  ];
+
+  boot.loader.timeout = 0;
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+
+  time.timeZone = "Europe/Berlin";
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
--- a/hosts/giggles/default.nix
+++ b/hosts/giggles/default.nix
@ -0,0 +1,7 @@
+{suites, ...}: {
+  imports =
+    [
+      ./giggles.nix
+    ]
+    ++ suites.giggles;
+}
--- a/hosts/giggles/frigate.nix
+++ b/hosts/giggles/frigate.nix
@ -0,0 +1,73 @@
+{ ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [80 5000 8554 8555];
+
+  #services.go2rtc = {
+  #  enable = true;
+  #  settings = {
+  #    streams = {
+  #      burgi_cam = [
+  #        "rtsp://admin:XpkFk5Df912VWSwM@10.0.42.60:554/Streaming/Channels/101/?transportmode=unicast"
+  #        "ffmpeg:burgi_cam_sub#audio=opus"
+  #      ];
+  #      burgi_cam_sub = [
+  #        "rtsp://admin:XpkFk5Df912VWSwM@10.0.42.60:554/Streaming/Channels/102/?transportmode=unicast"
+  #      ];
+  #    };
+  #    webrtc = {
+  #      candidates = [ "192.168.42.11:8555" ];
+  #    };
+  #  };
+  #};
+
+  services.frigate = {
+    enable = true;
+    hostname = "frigate";
+    settings = {
+      cameras.burgi = {
+        ffmpeg = {
+          inputs = [
+            {
+              path = "rtsp://admin:XpkFk5Df912VWSwM@10.0.42.60:554/Streaming/Channels/101/?transportmode=unicast";
+              #path = "rtsp://127.0.0.1:8554/burgi_cam";
+              #input_args = "preset-rtsp-restream";
+              roles = [
+                "record"
+                "rtmp"
+              ];
+            }
+            {
+              path = "rtsp://admin:XpkFk5Df912VWSwM@10.0.42.60:554/Streaming/Channels/102/?transportmode=unicast";
+              #path = "rtsp://127.0.0.1:8554/burgi_cam_sub";
+              #input_args = "preset-rtsp-restream";
+              roles = [
+                "detect"
+              ];
+            }
+          ];
+        };
+        detect = {
+          width = 1280;
+          height = 720;
+          fps = 5;
+        };
+      };
+      objects.track = [ "person" "dog" ];
+
+      mqtt = {
+        enabled = true;
+        host = "127.0.0.1";
+        user = "frigate";
+        password = "rDAnboXJhW8K2OJlPI5KpZhggPJusA==";
+      };
+
+      rtmp.enabled = true;
+
+      #detectors.coral = {
+      #  type = "edgetpu";
+      #  device = "usb";
+      #};
+    };
+  };
+}
--- a/hosts/giggles/giggles.nix
+++ b/hosts/giggles/giggles.nix
@ -0,0 +1,19 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
+}
--- a/hosts/giggles/hardware-configuration.nix
+++ b/hosts/giggles/hardware-configuration.nix
@ -0,0 +1,61 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.supportedFilesystems = [];
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+
+  boot.loader.efi.canTouchEfiVariables = false;
+
+  boot.loader.systemd-boot.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = false;
+  boot.loader.timeout = 0;
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/5edec8af-5f84-4d9f-9755-8abbb55e00af";
+    keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
+    fallbackToPassword = true;
+    bypassWorkqueues = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-label/swap";}
+  ];
+
+  networking.interfaces.enabcm6e4ei0.useDHCP = true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/hosts/giggles/home-assistant.nix
+++ b/hosts/giggles/home-assistant.nix
@ -0,0 +1,249 @@
+{
+  self,
+  config,
+  pkgs,
+  python3Packages,
+  inputs,
+  ...
+}:
+
+{
+  age.secrets.home-assistant_giggles_secrets = {
+    file = "${self}/secrets/home-assistant_giggles_secrets.age";
+    path = "${config.services.home-assistant.configDir}/secrets.yaml";
+    owner = config.systemd.services.home-assistant.serviceConfig.User;
+    group = config.systemd.services.home-assistant.serviceConfig.Group;
+    mode = "0644";
+  };
+
+  users.users."hass".extraGroups = ["dialout"];
+
+  pub-solar.home-assistant = {
+    enable = true;
+    extraComponents = [
+      "default_config"
+      "homeassistant_hardware"
+      "homeassistant_sky_connect"
+
+      "apcupsd"
+      "androidtv"
+      "cast"
+      "esphome"
+      "homekit_controller"
+      "icloud"
+      "ipp"
+      "luci"
+      "met"
+      "python_script"
+      "rpi_power"
+      "shopping_list"
+      "spotify"
+      "tasmota"
+      "unifi"
+      "upnp"
+      "vacuum"
+      "xiaomi_aqara"
+      "xiaomi_miio"
+      "zeroconf"
+    ];
+
+    extraPackages = python311Packages:
+      with python311Packages; [
+        # esphome
+        aiodiscover
+        scapy
+
+        # deutsche bahn
+        schiene
+
+        # dwd
+        dwdwfsapi
+
+        # hacs
+        aiogithubapi
+
+        # philips_airpurifier_coap
+        (callPackage ./aioairctrl.nix {})
+
+        # totop
+        pyotp
+      ];
+
+    config = {
+      homeassistant = {
+        name = "Wohnung";
+
+        country = "DE";
+        currency = "EUR";
+        language = "de";
+        temperature_unit = "C";
+        time_zone = "Europe/Berlin";
+        unit_system = "metric";
+
+        latitude = "52.31501090166047";
+        longitude = "8.910633035293603";
+        elevation = "59";
+
+        external_url = "https://ha2.gssws.de";
+        internal_url = "http://192.168.42.11:8123";
+      };
+      http = {
+        ip_ban_enabled = false;
+        use_x_forwarded_for = true;
+        trusted_proxies = [
+          "127.0.0.1"
+          "10.254.0.21"
+          "10.0.1.5"
+          "10.0.1.6"
+        ];
+      };
+
+      default_config = {};
+      energy = {};
+
+      "automation ui" = "!include automations.yaml";
+
+      device_tracker = [
+        {
+          platform = "luci";
+          host = "192.168.42.1";
+          username = "!secret router_admin_username";
+          password = "!secret router_admin_password";
+        }
+      ];
+
+      python_script = {};
+
+      waste_collection_schedule = {
+        sources = [
+          {
+            name = "jumomind_de";
+            args = {
+              service_id = "sbm";
+              city = "Minden";
+              street = "Schwerinstr.";
+              house_number = "17b";
+            };
+          }
+        ];
+      };
+
+      zone = [
+        {
+          name = "Home";
+          latitude = "52.31501090166047";
+          longitude = "8.910633035293603";
+          radius = "30";
+        }
+        {
+          name = "DKSB";
+          latitude = "52.31249954762553";
+          longitude = "8.910920619964601";
+          radius = "60";
+        }
+        {
+          name = "Hainweg";
+          latitude = "52.3176809501406";
+          longitude = "8.890610933303835";
+          radius = "60";
+        }
+        {
+          name = "Lande";
+          latitude = "52.35688908037632";
+          longitude = "8.898582458496096";
+          radius = "87";
+        }
+        {
+          name = "Rürups";
+          latitude = "52.317152702118655";
+          longitude = "8.89446449221293";
+          radius = "70";
+        }
+        {
+          name = "Schule";
+          latitude = "52.30213492276748";
+          longitude = "8.88126075267792";
+          radius = "200";
+        }
+        {
+          name = "Sokos";
+          latitude = "50.92777444599559";
+          longitude = "6.583169284373658";
+          radius = "50";
+        }
+        {
+          name = "Wohnung Aachen";
+          latitude = "50.7800954893528";
+          longitude = "6.154607534408569";
+          radius = "13";
+        }
+      ];
+    };
+
+    mqtt = {
+      enable = true;
+      users = {
+        ha = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$lFt8hQl3O8aKF+bO$pcZuI18IT5t4/fpKZmLZQwQs+vcbxZdAQAYJOxRwXGYsxCRjb8jUSU+ZRlpqokOGqf/Cgvymfvml+yoGaC8eaw==";
+        };
+        z2m = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$M0Q/s9ReWPaMy+pT$Y8t9DwmW3y74lyvYrCE+sqEcz9yGG9VaHw8vt4wVZgUVVV9muY00ymjkwsTNtaTIlnQyB7z7POPLT3PURtQfeg==";
+        };
+
+        frigate = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$BZvoqhiaWo8TbFEv$KlE8XiE9dhfNV50SoUiBjTgnvSRaCwWdouuVcN4ZeHkR7/4JufQ7adW0VhVmtpv+6V9KOPDlN3wRaV+5eVlF3Q==";
+        };
+        nuki_wohnung = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$21wWveYvOyQKNuhd$rXD8d4F+Wf4k6LDkM09bsfkQfc+iXakRaH2sygYgOQqfrJ5Egt8D+9LVKa9ZQ12HLPSHDo0bP8ygVmY6iVJCjQ==";
+        };
+        poffertjes = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$n5J9RKGzFF7bOsOH$YNPQawxsfuDZk/N6NrNzkE5rEfTRlCW5Fjpk6kgwyTg4C6Peyz4I79ii4UMSANJ8DFNsPRL1KohCcXK07SMW2w==";
+        };
+        shelly1_flur_deckenlicht = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$n0PyELB9214BiluQ$P24lJlXDpKLaGSerrp51z5UUl3wYSek9SbJN+buqoS9acrCn7s3mtSLZfeMP0JT8zXx83GJrNwlDaA0BOu00xg==";
+        };
+        shelly25_abstellraum = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$n9IcybeGEAhnoWv5$RSnkEJFgDsrKUzEaLfNIa/5v4gkTMZSAq2bb7KzWSG6zaufHdnvtDZT+q7dZ3pkBFXndKtoelmuvm7XJLJC1mg==";
+        };
+        shelly25_badezimmer = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$PNWBSZUE4Ar5dOhx$2u6dneedx7OLOjH1auoax2AC1GP4oVcXe4OAmO3riNpzXZF9V1cJ7k/GREx9/vO/ONt5PuUygilk3X4SIYnf9A==";
+        };
+        tasmota_wohnzimmer_tv_steckdosenleiste = {
+          acl = [
+            "readwrite #"
+          ];
+          hashedPassword = "$7$101$cywQWWzxPUUpUqdC$Q9tjqE4bW0VaNMVKIuts/wuyFetC//PyLVcRtpaK02HxwlTPY7jWivXUBA/t8l0wGZsS8lsiOIAu8e6bHb+7Xw==";
+        };
+      };
+    };
+
+    zigbee2mqtt = {
+      enable = true;
+      device = "/dev/serial/by-id/usb-Nabu_Casa_SkyConnect_v1.0_aaf7050fdb42ed11bb2843ab2a61ed69-if00-port0";
+    };
+  };
+}
--- a/hosts/giggles/home-controller.nix
+++ b/hosts/giggles/home-controller.nix
@ -0,0 +1,17 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  config = {
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      ownIp = "10.0.1.11";
+
+      wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
+    };
+  };
+}
--- a/hosts/giggles/lrad.nix
+++ b/hosts/giggles/lrad.nix
@ -0,0 +1,51 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  serviceAddress = "10.10.41.11";
+  containerStateDir = "/data";
+  hostStateDir = "/srv/container/lrad";
+in {
+  containers."lrad" = {
+    privateNetwork = true;
+    hostAddress = "10.10.41.1";
+    localAddress = serviceAddress;
+
+    bindMounts."${containerStateDir}" = {
+      hostPath = hostStateDir;
+      isReadOnly = false;
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.allowedTCPPorts = [63080];
+
+      #users.users."tang".isSystemUser = true;
+
+      systemd.services."tangd" = {
+        enable = true;
+        # TODO: require data/tangd to exist
+        serviceConfig = {
+          ExecStart = "${pkgs.tang}/bin/tangd ${containerStateDir}/data/tangd";
+          StandardInput = "socket";
+          StandardOutput = "socket";
+          StandardError = "journal";
+          User = "tang";
+        };
+      };
+
+      systemd.sockets."tangd" = {
+        enable = true;
+        listenStreams = ["63080"];
+        wantedBy = ["sockets.target"];
+        socketConfig = {
+          Accept = true;
+        };
+      };
+    };
+  };
+}
--- a/hosts/giggles/network-dhcp.nix
+++ b/hosts/giggles/network-dhcp.nix
@ -0,0 +1,81 @@
+{...}: {
+  networking.firewall.checkReversePath = false;
+  networking.firewall.allowedUDPPorts = [67]; # allow dhcp request
+
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      interface = [
+        "vlan101" # network
+        "vlan102" # iot
+        "vlan104" # media
+      ];
+
+      no-resolv = true;
+      no-poll = true;
+
+      server = [
+        "1.1.1.1"
+        "9.9.9.9"
+      ];
+
+      dhcp-authoritative = true;
+
+      dhcp-host = [
+        # vlan101
+        "18:e8:29:c6:29:84,ap-caro,10.0.42.21" # ap-caro
+        "e4:38:83:e7:00:10,ap-hendrik,10.0.42.22" # ap-hendrik
+        "e4:38:83:e7:0a:c4,ap-wohnzimmer,10.0.42.23" # ap-wohnzimmer
+
+        # vlan102
+        "38:1a:52:04:37:d8,printer,172.16.0.15" # printer
+
+        "3c:e9:0e:87:d2:1c,nspanel-hendrik,172.16.0.21" # nspanel_hendrik
+        "3c:e9:0e:87:ef:d0,nspanel-schlafzimmer,172.16.0.22" # nspanel_schlafzimmer
+        "98:0c:33:fe:3d:a8,nuki-wohnung,172.16.0.23" # nuki_wohnung
+        "c8:5c:cc:5c:54:06,presence-wohnzimmer,172.16.0.24" # presence_wohnzimmer
+        "c8:5c:cc:5c:28:7b,presence-hendrik,172.16.0.25" # presence_hendrik
+        "04:78:63:7f:0e:bb,airpurifier-wohnzimmer,172.16.0.26" # airpurifier_wohnzimmer
+        "48:e7:29:c1:a3:f0,nspanel-caro,172.16.0.27" # nspanel_caro
+        "5c:c5:63:eb:e8:b8,poffertjes,172.16.0.28" # poffertjes
+        "d0:ba:e4:e7:7d:d5,airpurifier-hendrik,172.16.0.29" # airpurifier_hendrik
+        "98:f4:ab:f2:43:98,shelly1-flur-deckenlicht,172.16.0.30" # shelly1 flur deckenlicht
+        "a4:cf:12:ba:72:c1,shelly25-abstellraum,172.16.0.31" # shelly25 abstellraum
+        "c8:2b:96:11:10:46,shelly25-badezimmer,172.16.0.32" # shelly25 badezimmer
+        "24:62:ab:41:06:f2,tasmota-tv-steckdosenleiste,172.16.0.33" # tasmota-tv-steckdosenleiste
+
+        # vlan104
+        "30:58:90:1a:3b:ef,box-hendrik,10.42.0.21" # box_hendrik
+        "30:58:90:19:b5:03,box-schlafzimmer,10.42.0.22" # box_schlafzimmer
+        "30:58:90:28:7e:30,box-esstisch,10.42.0.23" # box_esstisch
+
+        "1c:53:f9:23:d7:c4,nh-hendrik,10.42.0.31" # nh_hendrik
+        "1c:53:f9:14:7b:65,nh-kueche,10.42.0.32" # nh_kueche
+        "1c:53:f9:1c:9e:22,nh-wohnzimmer,10.42.0.33" # nh_wohnzimmer
+        "20:1f:3b:96:9f:29,nm-schlafzimmer,10.42.0.34" # nm_schlafzimmer
+
+        "6c:ad:f8:73:a0:94,cc-wohnzimmer,10.42.0.41" # cc_wohnzimmer
+      ];
+
+      dhcp-range = [
+        "vlan101,10.0.42.51,10.0.42.100"
+        "vlan102,172.16.0.101,172.16.0.150"
+        "vlan104,10.42.0.51,10.42.0.100"
+      ];
+
+      dhcp-option = [
+        "option:dns-server,1.1.1.1"
+        "option:mtu,1460"
+
+        # vlan101
+        "vlan101,option:router,10.0.42.1"
+
+        # vlan102
+        "vlan102,option:router,172.16.0.1"
+
+        # vlan104
+        "vlan104,option:router,10.42.0.1"
+      ];
+    };
+  };
+}
--- a/hosts/giggles/network.nix
+++ b/hosts/giggles/network.nix
@ -0,0 +1,55 @@
+{lib, ...}: {
+  networking = {
+    enableIPv6 = false;
+    useDHCP = false;
+    vlans = {
+      vlan101 = {
+        id = 101;
+        interface = "eth0";
+      }; # network vlan
+      vlan102 = {
+        id = 102;
+        interface = "eth0";
+      }; # iot vlan
+      vlan104 = {
+        id = 104;
+        interface = "eth0";
+      }; # media vlan
+    };
+    interfaces = {
+      eth0 = {
+        useDHCP = true;
+        mtu = 1460;
+      };
+
+      vlan101 = {
+        mtu = 1460;
+        ipv4.addresses = [
+          {
+            address = "10.0.42.11";
+            prefixLength = 24;
+          }
+        ];
+      };
+      vlan102 = {
+        mtu = 1460;
+        ipv4.addresses = [
+          {
+            address = "172.16.0.11";
+            prefixLength = 24;
+          }
+        ];
+      };
+      vlan104 = {
+        mtu = 1460;
+        ipv4.addresses = [
+          {
+            address = "10.42.0.11";
+            prefixLength = 24;
+          }
+        ];
+      };
+    };
+    networkmanager.enable = lib.mkForce false;
+  };
+}
--- a/hosts/giggles/tang-container.nix
+++ b/hosts/giggles/tang-container.nix
@ -0,0 +1,58 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  containerStateDir = "/data";
+  hostStateDir = "/opt/tangd";
+  servicePort = 8081;
+in {
+  networking.firewall.allowedTCPPorts = [servicePort];
+
+  containers."tang" = {
+    autoStart = true;
+    ephemeral = true;
+    bindMounts."${containerStateDir}" = {
+      hostPath = hostStateDir;
+      isReadOnly = false;
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.enable = false;
+
+      users.groups."_tang" = {};
+
+      users.users."_tang" = {
+        group = "_tang";
+        isSystemUser = true;
+      };
+
+      environment.systemPackages = with pkgs; [jose tang];
+
+      systemd.services."tangd@" = {
+        enable = true;
+        serviceConfig = {
+          ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
+          ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
+          User = "_tang";
+          Group = "_tang";
+        };
+      };
+
+      systemd.sockets."tangd" = {
+        enable = true;
+        listenStreams = ["${toString servicePort}"];
+        wantedBy = ["sockets.target"];
+        socketConfig = {
+          Accept = true;
+        };
+      };
+
+      system.stateVersion = "22.11";
+    };
+  };
+}
--- a/hosts/giggles/unifi.nix
+++ b/hosts/giggles/unifi.nix
@ -0,0 +1,11 @@
+{pkgs, ...}:
+
+{
+  networking.firewall.allowedTCPPorts = [8443]; # open unifi web interface port
+
+  services.unifi = {
+    enable = true;
+    unifiPackage = pkgs.unifi7;
+    openFirewall = true;
+  };
+}
--- a/hosts/harrison/.config/sway/config.d/screens.conf
+++ b/hosts/harrison/.config/sway/config.d/screens.conf
@ -0,0 +1,19 @@
+set $left 'Dell Inc. DELL S2721DS D0SVQ43'
+set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
+set $right 'Eizo Nanao Corporation EV2316W 39117013'
+
+output $left {
+  scale 1
+  pos 0 0
+  transform 270
+}
+
+output $middle {
+  scale 1
+  pos 1440 1150
+}
+
+output $right {
+  scale 1
+  pos 3360 1150
+}
--- a/hosts/harrison/configuration.nix
+++ b/hosts/harrison/configuration.nix
@ -0,0 +1,49 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+  time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.dhcpcd.wait = "background";
+  networking.useDHCP = false;
+  networking.interfaces.eno1 = {
+    useDHCP = true;
+    wakeOnLan = {
+      enable = true;
+    };
+  };
+  networking.networkmanager.enable = lib.mkForce false;
+
+  nixpkgs.config.allowUnsupportedSystem = true;
+
+  # List services that you want to enable:
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.05"; # Did you read the comment?
+}
+
--- a/hosts/harrison/default.nix
+++ b/hosts/harrison/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./harrison.nix
+  ] ++ suites.harrison;
+}
--- a/hosts/harrison/hardware-configuration.nix
+++ b/hosts/harrison/hardware-configuration.nix
@ -0,0 +1,70 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd";
+    keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1";
+    fallbackToPassword = true;
+    bypassWorkqueues = true;
+  };
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.efi = {
+    canTouchEfiVariables = true;
+    efiSysMountPoint = "/boot";
+  };
+  boot.loader.grub = {
+    efiSupport = true;
+    enable = lib.mkForce true;
+    extraEntries = ''
+      menuentry "Windows" {
+        insmod part_gpt
+        insmod fat
+        insmod search_fs_uuid
+        insmod chain
+        search --fs-uuid --set=root 02DB-F12C
+        chainloader /efi/Microsoft/Boot/bootmgfw.efi
+      }
+    '';
+    devices = [ "nodev" ];
+  };
+
+
+  fileSystems = {
+    "/" =
+      {
+        device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05";
+        fsType = "ext4";
+      };
+
+    "/boot" =
+      {
+        device = "/dev/disk/by-uuid/4B4A-B1B4";
+        fsType = "vfat";
+      };
+
+    "/boot2" =
+      {
+        device = "/dev/disk/by-uuid/4B2C-385A";
+        fsType = "vfat";
+      };
+  };
+
+  swapDevices =
+    [{ device = "/dev/mapper/vg0-swap"; }];
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/harrison/harrison.nix
+++ b/hosts/harrison/harrison.nix
@ -0,0 +1,28 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with pkgs;
+let
+  psCfg = config.pub-solar;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+    home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
+      "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+    };
+
+    pub-solar.paranoia.enable = true;
+    pub-solar.nextcloud.enable = true;
+
+    programs.ausweisapp.enable = true;
+    services.pcscd = {
+      enable = true;
+      plugins = [ pkgs.pcsc-cyberjack ];
+    };
+  };
+}
--- a/hosts/norman/.config/sway/config.d/custom-keybindings.conf
+++ b/hosts/norman/.config/sway/config.d/custom-keybindings.conf
@ -0,0 +1,16 @@
+# Screen brightness controls
+bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
+bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {    print $4}')"
+
+# Keyboard backlight brightness controls
+bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ {    print $4}')"
+
+# Pulse Audio controls
+bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
+bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
+bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
+# Media player controls
+bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
+bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
+bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"
--- a/hosts/norman/.config/sway/config.d/inputs.conf
+++ b/hosts/norman/.config/sway/config.d/inputs.conf
@ -0,0 +1 @@
+input 2:7:SynPS/2_Synaptics_TouchPad events disabled
--- a/hosts/norman/.config/sway/config.d/screens.conf
+++ b/hosts/norman/.config/sway/config.d/screens.conf
@ -0,0 +1,19 @@
+set $left 'Dell Inc. DELL S3222DGM G1FFT63'
+set $right 'Dell Inc. DELL S2721DS D0SVQ43'
+set $bottom 'Chimei Innolux Corporation 0x14D4'
+
+output $left {
+  scale 1
+  pos 0 690
+}
+
+output $right {
+  scale 1
+  pos 2560 0
+  transform 90
+}
+
+output $bottom {
+  scale 1
+  pos 0 2130
+}
--- a/hosts/norman/builder.nix
+++ b/hosts/norman/builder.nix
@ -0,0 +1,27 @@
+{self, ...}: {
+  programs.ssh.extraConfig = ''
+    Host builder
+        Hostname data.gssws.de
+        Port 2222
+        User builder
+        IdentitiesOnly yes
+        IdentityFile /root/.ssh/id_ed25519-builder
+  '';
+
+  nix.buildMachines = [
+    {
+      hostName = "builder";
+      systems = ["x86_64-linux" "aarch64-linux" "i686-linux"];
+      maxJobs = 40;
+      speedFactor = 20;
+      supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+      mandatoryFeatures = [];
+    }
+  ];
+
+  nix.distributedBuilds = true;
+  nix.settings = {
+    trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="];
+    builders-use-substitutes = true;
+  };
+}
--- a/hosts/norman/configuration.nix
+++ b/hosts/norman/configuration.nix
@ -0,0 +1,56 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./wireguard.nix
+    ./builder.nix
+  ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.firewall = {
+    allowedUDPPorts = [
+      51820
+      51821
+    ]; # Clients and peers can use the same port, see listenport
+  };
+
+  services.tlp = {
+    enable = true;
+    settings = {
+      CPU_SCALING_GOVERNOR_ON_AC = "performance";
+      CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+
+      # The following prevents the battery from charging fully to
+      # preserve lifetime. Run `tlp fullcharge` to temporarily force
+      # full charge.
+      # https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds
+      START_CHARGE_THRESH_BAT0 = 40;
+      STOP_CHARGE_THRESH_BAT0 = 80;
+
+      # 100 being the maximum, limit the speed of my CPU to reduce
+      # heat and increase battery usage:
+      CPU_MAX_PERF_ON_AC = 100;
+      CPU_MAX_PERF_ON_BAT = 50;
+    };
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+}
--- a/hosts/norman/default.nix
+++ b/hosts/norman/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./norman.nix
+  ] ++ suites.norman;
+}
--- a/hosts/norman/hardware-configuration.nix
+++ b/hosts/norman/hardware-configuration.nix
@ -0,0 +1,48 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci"];
+  boot.initrd.kernelModules = ["dm-snapshot"];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6";
+    allowDiscards = true;
+    bypassWorkqueues = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
+    fsType = "ext4";
+    options = [ "discard" ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/84CD-91B6";
+    fsType = "vfat";
+  };
+
+  swapDevices = [{device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9";}];
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  hardware.trackpoint = {
+    enable = true;
+    device = "TPPS/2 ALPS TrackPoint";
+    emulateWheel = true;
+    sensitivity = 100; # default 128
+    speed = 64; # default 97
+  };
+}
--- a/hosts/norman/norman.nix
+++ b/hosts/norman/norman.nix
@ -0,0 +1,28 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.binfmt.emulatedSystems = ["aarch64-linux"];
+
+    environment.systemPackages = [pkgs.factorio-experimental];
+
+    pub-solar.audio.bluetooth.enable = false;
+
+    home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
+      "sway/config.d/10-inputs.conf".source = ./.config/sway/config.d/inputs.conf;
+      "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+      "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
+    };
+  };
+}
--- a/hosts/norman/wireguard.nix
+++ b/hosts/norman/wireguard.nix
@ -0,0 +1,95 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+  systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+  systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
+  systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
+
+  # Enable WireGuard
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [
+        "10.0.0.13/32"
+        "fc00:200::13/128"
+      ];
+      mtu = 1400;
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
+
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+
+        {
+          # Public key of the server (not a file path).
+          publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
+
+          # Forward all the traffic via VPN.
+          allowedIPs = [
+            "10.0.0.0/24"
+            "192.168.50.0/24"
+            "192.168.200.0/24"
+            "10.20.30.0/24"
+            "10.20.50.0/24"
+            "fc00:200::/120"
+            "95.129.51.5"
+            "95.129.54.43"
+            "134.0.28.89"
+            "134.0.27.108"
+            "134.0.25.181"
+          ];
+
+          # Set this to the server IP and port.
+          endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+    wg1 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [
+        "10.0.1.121"
+      ];
+      mtu = 1400;
+      listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
+
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+
+        {
+          # Public key of the server (not a file path).
+          publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
+
+          allowedIPs = [
+            "10.0.1.0/24"
+          ];
+
+          # Set this to the server IP and port.
+          endpoint = "80.244.242.2:51899";
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
--- a/hosts/redpanda/configuration.nix
+++ b/hosts/redpanda/configuration.nix
@ -0,0 +1,110 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  # networking.hostName = "nixos"; # Define your hostname.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.enp0s3.useDHCP = true;
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  nix = {
+    #package = pkgs.nixFlakes;
+    extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
+  };
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  # };
+
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+
+  # Configure keymap in X11
+  # services.xserver.layout = "us";
+  # services.xserver.xkbOptions = "eurosign:e";
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable sound.
+  # sound.enable = true;
+  # hardware.pulseaudio.enable = true;
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.xserver.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.users.jane = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+  # };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    firefox
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.05"; # Did you read the comment?
+
+
+}
+
--- a/hosts/redpanda/default.nix
+++ b/hosts/redpanda/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./redpanda.nix
+  ] ++ suites.redpanda;
+}
--- a/hosts/redpanda/hardware-configuration.nix
+++ b/hosts/redpanda/hardware-configuration.nix
@ -0,0 +1,21 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "ohci_pci" "virtio_pci" "sd_mod" "sr_mod" "virtio_scsi" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+    };
+
+  #virtualisation.virtualbox.guest.enable = true;
+}
--- a/hosts/redpanda/redpanda.nix
+++ b/hosts/redpanda/redpanda.nix
@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  #pub-solar.nextcloud.enable = lib.mkForce false;
+
+  config = {
+    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  };
+}
--- a/hosts/ringo/configuration.nix
+++ b/hosts/ringo/configuration.nix
@ -0,0 +1,35 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./home-controller.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.enp0s25.useDHCP = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+}
+
--- a/hosts/ringo/default.nix
+++ b/hosts/ringo/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./ringo.nix
+  ] ++ suites.ringo;
+}
--- a/hosts/ringo/hardware-configuration.nix
+++ b/hosts/ringo/hardware-configuration.nix
@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
+    keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
+    fallbackToPassword = true;
+    bypassWorkqueues = true;
+  };
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/47ED-2F0B";
+      fsType = "vfat";
+    };
+
+  fileSystems."/home" =
+    {
+      device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/ringo/home-controller.nix
+++ b/hosts/ringo/home-controller.nix
@ -0,0 +1,17 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}: {
+  config = {
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      ownIp = "10.0.1.21";
+
+      wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
+    };
+  };
+}
--- a/hosts/ringo/ringo.nix
+++ b/hosts/ringo/ringo.nix
@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config.pub-solar.core.lite = true;
+}
--- a/hosts/surfplace/configuration.nix
+++ b/hosts/surfplace/configuration.nix
@ -0,0 +1,32 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ inputs, pkgs, builtins, config, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  time.timeZone = "Europe/Berlin";
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.networkmanager.enable = true;
+
+  #boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
--- a/hosts/surfplace/default.nix
+++ b/hosts/surfplace/default.nix
@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./surfplace.nix
+  ] ++ suites.surfplace;
+}
--- a/hosts/surfplace/hardware-configuration.nix
+++ b/hosts/surfplace/hardware-configuration.nix
@ -0,0 +1,48 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
+  boot.extraModulePackages = [config.boot.kernelPackages.rtl88x2bu];
+
+  microsoft-surface.kernelVersion = "6.1.18";
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+    encrypted = {
+      enable = true;
+      label = "cryptroot";
+      blkDev = "/dev/disk/by-uuid/77829967-0c52-4a52-a65c-cfc093d18776";
+    };
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/2697-F70A";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-label/swap";}
+  ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  systemd.services."iptsd" = {
+    serviceConfig = {
+      RestartAfter = "5s";
+    };
+  };
+}
--- a/hosts/surfplace/surfplace.nix
+++ b/hosts/surfplace/surfplace.nix
@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+}
--- a/modules/arduino/default.nix
+++ b/modules/arduino/default.nix
@ -9,7 +9,10 @@ with lib; let
  cfg = config.pub-solar.devops;
 in {
  options.pub-solar.arduino = {
-    enable = mkEnableOption "Life with home automation";
+    enable = mkOption {
+      description = "Life with home automation";
+      default = false;
+    };
  };
  config = mkIf cfg.enable {
    users.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
--- a/modules/core/bluetooth.nix
+++ b/modules/core/bluetooth.nix
--- a/modules/crypto/default.nix
+++ b/modules/crypto/default.nix
@ -19,12 +19,17 @@ in {

    services.gnome.gnome-keyring.enable = true;

+    environment.shellInit = ''
+      gpg-connect-agent /bye
+      export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+    '';
    home-manager = with pkgs;
      pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
        systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;

        services.gpg-agent = {
          enable = true;
+          enableSshSupport = true;
          pinentryFlavor = "gnome3";
          verbose = true;
        };
@ -36,10 +41,7 @@ in {
        home.packages = [
          gnome.seahorse
          keepassxc
-          libsecret
-          qMasterPassword
-          restic
        ];
-      };
+    };
  };
 }
--- a/modules/graphical/default.nix
+++ b/modules/graphical/default.nix
@ -110,16 +110,7 @@ in {
          gnome.nautilus
          gnome.yelp
          hicolor-icon-theme
-
-          wine
-
          toggle-kbd-layout
-
-          wcwd
-
-          vlc
-
-          gimp
        ];

        xdg.configFile."alacritty/alacritty.yml" = {
--- a/modules/home-assistant/default.nix
+++ b/modules/home-assistant/default.nix
@ -0,0 +1,69 @@
+{
+  lib,
+  config,
+  options,
+  pkgs,
+  inputs,
+  ...
+}:
+with lib; let
+  cfg = config.pub-solar.home-assistant;
+  unstable = import <nixos-unstable> {};
+in {
+  imports = [
+    ./home-assistant.nix
+    ./mqtt.nix
+    ./zigbee.nix
+    (inputs.latest + "/nixos/modules/services/home-automation/home-assistant.nix")
+  ];
+
+  disabledModules = [
+    "services/home-automation/home-assistant.nix"
+  ];
+
+  options.pub-solar.home-assistant = {
+    enable = mkOption {
+      description = "Control your home";
+      type = types.bool;
+      default = false;
+    };
+
+    config = options.services.home-assistant.config;
+    extraComponents = options.services.home-assistant.extraComponents;
+    extraPackages = options.services.home-assistant.extraPackages;
+
+    mqtt = {
+      enable = mkOption {
+        description = "use mqtt";
+        type = types.bool;
+        default = true;
+      };
+
+      users = mkOption {
+        description = "mqtt users";
+        # type = types.AttrSet;
+        default = null;
+      };
+    };
+
+    zigbee2mqtt = {
+      enable = mkOption {
+        description = "Enable zigbee2mqtt";
+        type = types.bool;
+        default = false;
+      };
+
+      device = mkOption {
+        description = "Device to connect to zigbee network";
+        type = types.nullOr types.str;
+        default = null;
+      };
+
+      adapter = mkOption {
+        description = "Specify zigbee adapter type";
+        type = types.nullOr types.str;
+        default = null;
+      };
+    };
+  };
+}
--- a/modules/home-assistant/home-assistant.nix
+++ b/modules/home-assistant/home-assistant.nix
@ -0,0 +1,23 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.pub-solar.home-assistant;
+in {
+  config = mkIf cfg.enable {
+    networking.firewall.allowedUDPPorts = [1900];
+
+    services.home-assistant = {
+      enable = true;
+      openFirewall = true;
+      extraComponents =
+        cfg.extraComponents
+        ++ lib.optionals cfg.mqtt.enable ["mqtt"];
+      extraPackages = cfg.extraPackages;
+      config = cfg.config;
+    };
+  };
+}
--- a/modules/home-assistant/mqtt.nix
+++ b/modules/home-assistant/mqtt.nix
@ -0,0 +1,21 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  haCfg = config.pub-solar.home-assistant;
+  cfg = config.pub-solar.home-assistant.mqtt;
+in {
+  config = mkIf (haCfg.enable && cfg.enable) {
+    networking.firewall.allowedTCPPorts = [
+      1883 # mosquitto
+    ];
+
+    services.mosquitto = {
+      enable = true;
+      listeners = [{users = cfg.users;}];
+    };
+  };
+}
--- a/modules/home-assistant/zigbee.nix
+++ b/modules/home-assistant/zigbee.nix
@ -0,0 +1,40 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  haCfg = config.pub-solar.home-assistant;
+  cfg = config.pub-solar.home-assistant.zigbee2mqtt;
+in {
+  config = mkIf (haCfg.enable && cfg.enable) {
+    networking.firewall.allowedTCPPorts = [
+      8081 # zigbee2mqtt
+    ];
+
+    services.zigbee2mqtt = {
+      enable = true;
+      settings = {
+        frontend = {
+          port = 8081;
+        };
+        permit_join = false;
+        homeassistant = true;
+        availability = true;
+        advanced = {
+          legacy_availability_payload = false;
+        };
+        mqtt = {
+          user = "z2m";
+          password = "!secrets.yaml mqtt_password";
+        };
+        serial = {
+          port = cfg.device;
+          adapter = mkIf (cfg.adapter != null) cfg.adapter;
+        };
+        groups = "groups.yaml";
+      };
+    };
+  };
+}
--- a/modules/home-controller/default.nix
+++ b/modules/home-controller/default.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.home-controller;
+in {
+  imports = [
+    ./wireguard.nix
+    ./monitoring-client.nix
+  ];
+
+  options.pub-solar.home-controller = {
+    enable = mkEnableOption "Control your home";
+
+    ownIp = mkOption {
+      description = ''
+        Internal ip in wireguard used for cluster control-plane communication.
+      '';
+      type = types.str;
+    };
+
+    wireguardPrivateKeyFile = mkOption {
+      description = ''
+        Location of private key file
+      '';
+      type = types.path;
+    };
+  };
+}
--- a/modules/home-controller/monitoring-client.nix
+++ b/modules/home-controller/monitoring-client.nix
@ -0,0 +1,13 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  cfg = config.pub-solar.home-controller;
+in {
+  pub-solar.monitoring-client = lib.mkIf cfg.enable {
+    enable = true;
+    listenAddress = cfg.ownIp;
+  };
+}
--- a/modules/home-controller/wireguard.nix
+++ b/modules/home-controller/wireguard.nix
@ -0,0 +1,34 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.home-controller;
+in {
+  config = mkIf cfg.enable {
+    systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure";
+    systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s";
+
+    networking.firewall.allowedUDPPorts = [51899];
+
+    networking.wireguard.interfaces = {
+      wghome = {
+        ips = [cfg.ownIp];
+        listenPort = 51899;
+        privateKeyFile = cfg.wireguardPrivateKeyFile;
+        peers = [
+          {
+            # chonk
+            publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
+            allowedIPs = ["10.0.1.0/24"];
+            endpoint = "vpn.gssws.de:51899";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/modules/monitoring-client/default.nix
+++ b/modules/monitoring-client/default.nix
@ -0,0 +1,29 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.monitoring-client;
+in {
+  options.pub-solar.monitoring-client = {
+    enable = mkEnableOption "Install a monitoring client node";
+    listenAddress = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.prometheus.exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = ["systemd"];
+        port = 9002;
+        openFirewall = true;
+        listenAddress = cfg.listenAddress;
+      };
+    };
+  };
+}
--- a/modules/monitoring-server/default.nix
+++ b/modules/monitoring-server/default.nix
@ -0,0 +1,129 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.monitoring-server;
+in {
+  options.pub-solar.monitoring-server = {
+    enable = mkEnableOption "Install a monitoring server node";
+    listenAddress = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+    };
+    grafana = {
+      enable = mkEnableOption "Run grafana";
+      port = mkOption {
+        type = types.int;
+        default = 2342;
+      };
+    };
+    node_exporter = {
+      enable = mkEnableOption "prometheus node-exporter support";
+      hosts = mkOption {
+        type = types.listOf types.str;
+      };
+    };
+    snmp = {
+      enable = mkEnableOption "prometheus snmp export support";
+      hosts = mkOption {
+        #type = types.Or (types.AttrSet types.listOf types.str);
+      };
+      settings = mkOption {
+        type = types.NullOr types.AttrSet;
+        default = null;
+      };
+    };
+    smokeping = {
+      enable = mkEnableOption "prometheus smokeping support";
+      hosts = mkOption {
+        type = types.listOf types.str;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [cfg.grafana.port 9001 9374];
+
+    pub-solar.monitoring-client = {
+      enable = true;
+      listenAddress = cfg.listenAddress;
+    };
+
+    services.grafana = mkIf cfg.grafana.enable {
+      enable = true;
+      settings = {
+        server = {
+          http_addr = cfg.listenAddress;
+          http_port = cfg.grafana.port;
+        };
+      };
+    };
+
+    services.prometheus = {
+      enable = true;
+      listenAddress = cfg.listenAddress;
+      port = 9001;
+      scrapeConfigs = [
+        {
+          job_name = "node_exporters";
+          static_configs = [
+            {
+              targets =
+                ["${cfg.listenAddress}:9002"]
+                ++ cfg.node_exporter.hosts;
+            }
+          ];
+        }
+        {
+          job_name = "snmp_wohnung_aachen_mikrotik";
+          scrape_interval = "15s";
+          static_configs = [
+            {
+              targets = cfg.snmp.hosts;
+            }
+          ];
+          metrics_path = "/snmp";
+          params = {
+            auth = ["public_v2"];
+            module = ["if_mib"];
+          };
+          relabel_configs = [
+            {
+              source_labels = ["__address__"];
+              target_label = "__param_target";
+            }
+            {
+              source_labels = ["__param_target"];
+              target_label = "instance";
+            }
+            {
+              target_label = "__address__";
+              replacement = "10.0.1.254:9116";
+            }
+          ];
+        }
+        {
+          job_name = "smokeping";
+          scrape_interval = "15s";
+          static_configs = [
+            {
+              targets = [
+                "${cfg.listenAddress}:9374"
+              ];
+            }
+          ];
+        }
+      ];
+
+      exporters.smokeping = mkIf cfg.smokeping.enable {
+        enable = true;
+        listenAddress = cfg.listenAddress;
+        hosts = cfg.smokeping.hosts;
+      };
+    };
+  };
+}
--- a/modules/paperless/container.nix
+++ b/modules/paperless/container.nix
@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.paperless;
+in {
+  config.containers."paperless" = mkIf cfg.enable {
+    autoStart = true;
+    ephemeral = true;
+
+    tmpfs = ["/tmp:size=2G"];
+
+    timeoutStartSec = "5min";
+
+    bindMounts."/data" = {
+      hostPath = cfg.hostStateDir;
+      isReadOnly = false;
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.enable = false;
+
+      # paperless
+      services.paperless = {
+        enable = true;
+        dataDir = "/data";
+        consumptionDir = "/data/ftp/consume";
+        consumptionDirIsPublic = true;
+        port = 8899;
+        extraConfig = {
+          PAPERLESS_OCR_LANGUAGE = "deu+eng";
+          PAPERLESS_ALLOWED_HOSTS = "${cfg.domain}";
+          PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${cfg.domain}";
+          PAPERLESS_CORS_ALLOWED_HOSTS = "http://${cfg.domain}";
+          PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created_year}/{asn}_{title}";
+        };
+      };
+
+      # increase timeout for systemd service
+      systemd.services."paperless-scheduler".serviceConfig."TimeoutStartSec" = "300";
+
+      # ftp
+      users.users."paperless".extraGroups = mkIf cfg.ftp.enable ["ftp"];
+
+      services.vsftpd = mkIf cfg.ftp.enable {
+        enable = true;
+        anonymousUser = true;
+        anonymousUserNoPassword = true;
+        anonymousUserHome = "/data/ftp";
+        anonymousUploadEnable = true;
+        anonymousUmask = "007";
+        writeEnable = true;
+        extraConfig = ''
+          listen=YES
+          listen_ipv6=NO
+          listen_port=${toString cfg.ftp.listenPort}
+          chown_uploads=YES
+          chown_username=paperless
+          download_enable=NO
+          pasv_min_port=${toString cfg.ftp.pasvMinPort}
+          pasv_max_port=${toString cfg.ftp.pasvMaxPort}
+        '';
+      };
+
+      # nextcloud
+      systemd.services.nextcloud-autosync = mkIf cfg.nextcloud.enable {
+        unitConfig = {
+          Description = "Auto sync Nextcloud";
+          After = "network-online.target";
+        };
+        serviceConfig = {
+          User = "paperless";
+          Type = "simple";
+          ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path Documents/_paperless /data/media/documents https://data.gssws.de";
+          TimeoutStopSec = "180";
+          KillMode = "process";
+          KillSignal = "SIGINT";
+        };
+        wantedBy = ["multi-user.target"];
+      };
+
+      systemd.timers.nextcloud-autosync = mkIf cfg.nextcloud.enable {
+        unitConfig.Description = "Automatic sync files with Nextcloud and rerun every 60 minutes";
+        timerConfig.OnUnitActiveSec = "60min";
+        wantedBy = ["multi-user.target" "timers.target"];
+      };
+    };
+  };
+}
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Hendrik Sokolowski	35e8f5116b	remove zsh, use bash All checks were successful continuous-integration/drone/push Build is passing Details	2023-10-06 01:25:07 +02:00
Hendrik Sokolowski	f6ebcdd2a3	remove empty extensions All checks were successful continuous-integration/drone/push Build is passing Details	2023-10-06 00:54:45 +02:00
Hendrik Sokolowski	489001fb5b	profiles/work: remove teams, use go 1.20, install meld All checks were successful continuous-integration/drone/push Build is passing Details	2023-10-06 00:37:48 +02:00
Hendrik Sokolowski	22a8b6ba4b	remove virtualisation from norman	2023-10-06 00:36:21 +02:00
Hendrik Sokolowski	8653f517d4	hosts/norman: SQ, update to nixos 23.05, add discard for luks device, set wireguard mtu to 1400	2023-10-06 00:23:48 +02:00
Hendrik Sokolowski	2fe9f3d502	SQ cube	2023-10-06 00:22:12 +02:00
Hendrik Sokolowski	e822d1ffb3	hosts/chonk: add teutat3s to libvirt container	2023-10-06 00:19:11 +02:00
Hendrik Sokolowski	d30ecc2e24	modules/server: enable nix garbage collection	2023-10-06 00:17:31 +02:00
Hendrik Sokolowski	65990b4fef	modules/server: update to 23.05, add lldpd	2023-10-06 00:15:50 +02:00
Hendrik Sokolowski	ae934b4bde	modules/arduino: disable module by default	2023-10-06 00:14:50 +02:00
Hendrik Sokolowski	dbef702ac3	SQ chonk: Use authelia	2023-10-06 00:14:14 +02:00
Hendrik Sokolowski	9accff4383	SQ cube: update to 23.05, add stick for luks	2023-10-06 00:12:11 +02:00
Hendrik Sokolowski	bd6b6fd8f6	SQ ringo	2023-10-06 00:09:56 +02:00
Hendrik Sokolowski	2245825774	Update to nixos 23.05 All checks were successful continuous-integration/drone/push Build is passing Details	2023-10-06 00:08:26 +02:00
Hendrik Sokolowski	5ba1651350	reorganize, use podman All checks were successful continuous-integration/drone/push Build is passing Details	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	1f7e4220ee	drop wakeonlan, add wdisplays, gnucash	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	a03aa75d08	extend ssh config, add yubikey-manager	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	c10bb47e15	Update to latest nixos-hardware version	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	6fc725a83b	Use paperless module	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	5c3b9fd791	Extend monitoring-server	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	6adbbbeaa4	Extend home-assistant, add dhcp-server, add frigate, add avahi-reflector	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	b5118aa1d4	Use home-assistant from latest, move zigbee2mqtt port to 8081	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	e44fad0057	chonk: extend monitoring, use nextcloud-apps from nixos	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	49eb99ed51	chonk: drop grub version, add ipv6	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	42dc259691	no longer use openssh server with hpn patches	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	ef7b1540b4	add python modules for home-assistant, cleanup	2023-10-06 00:03:00 +02:00
Hendrik Sokolowski	b4b18e08d7	use fork for nvfetcher	2023-10-06 00:02:59 +02:00
Hendrik Sokolowski	4f99f73981	Add paperless module	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	668fa94359	Add ha2, update home-assistant config	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	e10e91571c	Add honme-assistant module	2023-10-06 00:01:55 +02:00
teutat3s	f60a0bc019	wip: track nixos-23.05	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	f1b6caa9c5	fix agenix	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	a67d593499	SQ norman	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	0647268dd7	SQ norman	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	570571d7ed	SQ chonk	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	0a32492e8e	SQ norman	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	8a270f07ed	add factorio to chonk, update wireguard config	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	a6376572c1	make companion a ha hub	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	963fc644b1	april fools fools fools fools	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	358097bfdf	Add ungoogled chrome	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	718db6f8c3	drop obsolete config from cube	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	645e223aab	reset later	2023-10-06 00:01:55 +02:00
Hendrik Sokolowski	4a6a9f11e4	bla	2023-10-06 00:01:53 +02:00
Hendrik Sokolowski	f4b49fdcde	reset later	2023-10-06 00:00:29 +02:00
Hendrik Sokolowski	19afde40e3	drop docker statements	2023-10-06 00:00:29 +02:00
Hendrik Sokolowski	95eb32b8be	rekey secrets	2023-10-06 00:00:29 +02:00
Hendrik Sokolowski	09eb7ed41d	Bump flake.lock	2023-10-06 00:00:29 +02:00
Hendrik Sokolowski	8cc79885d8	add hosts	2023-10-06 00:00:29 +02:00
Hendrik Sokolowski	66eadcf1b1	Disable digga fix for now	2023-10-06 00:00:29 +02:00
Hendrik Sokolowski	2df9b037aa	allow unfree	2023-10-06 00:00:29 +02:00
Hendrik Sokolowski	684a15972a	Adapt terminal-life to personal use-case	2023-10-06 00:00:29 +02:00
Hendrik Sokolowski	1eae96f4f2	add profiles.daw	2023-10-06 00:00:27 +02:00
Hendrik Sokolowski	aac86e144b	add profiles.server	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	fc3486b4ed	Add module to setup wireguard backed zfs enabled k3s cluster	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	818f0f817a	add profiles.non-free	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	25f158169f	Update sway applications	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	d7f35131dc	Modify crypto for personal needs	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	a4d831c640	update modules.virtualization to personal needs	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	1bd344e82d	add profiles.virtualisation	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	0c4a6dab07	add profiles.work	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	197be5729c	Fix nextcloud talk audio issues	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	a88d2d40ed	update modules.social for personal needs	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	6e8676904b	add modules.server	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	aa4391161d	secrets	2023-10-05 23:59:59 +02:00
Hendrik Sokolowski	cd0cd79f97	Initial hensoko	2023-10-05 23:59:59 +02:00
				`@ -0,0 +1 @@`
				`input 2:7:SynPS/2_Synaptics_TouchPad events disabled`