

53 commits

Author SHA1 Message Date
Hendrik Sokolowski 06d72216b5 SQ cube 2022-08-19 19:42:42 +02:00
Hendrik Sokolowski 5117333177 Bump flake.lock 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 86eab03d87 Updates 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 845444f528 Update flake.nix 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 552f60b7be Disable caddy for now 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 464f059089 Adapt terminal-life to personal use-case 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 0028058588 Update daw 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 4a436666ad Update hensoko, add hensoko_iot 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski ae0cd2e1fd Add / update hosts, add secrets 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 8144c332d1 Add module to setup wireguard backed zfs enabled k3s cluster 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 91c8eea69f Add profile for a digital audio workstation 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 98751b66c9 Enable non-free, social, work for harrison 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski e5c9d8e07b Enable ssh support in gpg agent 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski c39d7f8d0b Enable nextcloud 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 51201be734 Add social profile to norman and harrison 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 153df0ab4f Adjust display config 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski e967841fe4 Fix mounts 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski f6706c9aa5 Add screen config for harrison 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 40cb22a7fc Enable unified cgroup architecture 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski b4df0ccbce Remove dhcp statements for wifi interface 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 830ddca0fc Update work profile 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 0d0ca1ac7e Enable ksm for server profile 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 25d362ed79 Update hardware config for hosts 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski 80e26a3350 Add non-free profile 2022-08-16 19:26:55 +02:00
Hendrik Sokolowski a1c834002a Use iwd as wifi backend 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 069d63e56e Update dependencies 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 1e15ff9372 Add minicom 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski db551c0588 Enable passwordless sudo for hensoko 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski afecf5b555 Add wlr-randr, drop obsolete user envs 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski bcbc1440b8 Enable required modules for work profile 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 8dc8a846d4 Remove full-install from default install 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 5c4b11bd92 Add harrison 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 2c4f7967f5 Add thunderbird 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski a1fa3ef7f0 Update sway applications 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski cee78aa6cc Disable bluetooth 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 7d240cd3e9 Use ip for vpn 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 2b81a311bb Prohibit root login with password when server module is used 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski d46e871d9e Add additional public-key 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski c00e84ea39 Enable ssh-agent / nitrokey-support 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski da5aeefbff Modify crypto for personal needs 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski cc0dd3f8c4 Add virtualisation to norman 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 9fa666aeba Enable spice usb redirect 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 1da25fe215 Create virtualisation profile 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 19b91c2898 Update flake.lock 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 2bcedac110 Disable autologin 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 783a114146 Update dependencies 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 61525f1390 Use keys instead of keyfiles 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 5d9d2caa4f Add work profile 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 60b13f9ec2 Do not use nvim 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski 4bd786be0e Disable required gpg sign 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski c60b82b3fc Add wireguard tunnel, fix screens 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski fe56abbd55 Fix nextcloud talk audio issues 2022-08-16 19:26:47 +02:00
Hendrik Sokolowski e3295e29a1 Initial config 2022-08-16 19:26:45 +02:00
83 changed files with 2466 additions and 57 deletions

1
.gitignore vendored

@ -11,3 +11,4 @@ pkgs/_sources/.shake*
tags tags
/owners /owners


@ -42,11 +42,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1657835815, "lastModified": 1660649317,
"narHash": "sha256-CnZszAYpNKydh6N7+xg+eRtWNVoAAGqc6bg+Lpgq1xc=", "narHash": "sha256-16sWaj3cTZOQQgrmzlvBSRaBFKLrHJrfYh1k7/sSWok=",
"owner": "LnL7", "owner": "LnL7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "54a24f042f93c79f5679f133faddedec61955cf2", "rev": "80871c71edb3da76d40bdff9cae007a2a035c074",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -307,11 +307,11 @@
}, },
"latest_2": { "latest_2": {
"locked": { "locked": {
"lastModified": 1660305968, "lastModified": 1660574513,
"narHash": "sha256-r0X1pZCSEA6mzt5OuTA7nHuLmvnbkwgpFAh1iLIx4GU=", "narHash": "sha256-nkMQ1TKIIAYIVbbUzjxfjPn3H1zZFW20TrHUFAjwvNU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c4a0efdd5a728e20791b8d8d2f26f90ac228ee8d", "rev": "af9e00071d0971eb292fd5abef334e66eda3cb69",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -321,6 +321,26 @@
"type": "github" "type": "github"
} }
}, },
"musnix": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1628019651,
"narHash": "sha256-zLXDF2sfvN8BXb78nHAp3KSbhE1flOkia5+KtiPQ+mQ=",
"owner": "musnix",
"repo": "musnix",
"rev": "7fb04384544fa2e68bf5e71869760674656b62e8",
"type": "github"
},
"original": {
"owner": "musnix",
"repo": "musnix",
"type": "github"
}
},
"naersk": { "naersk": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -358,11 +378,11 @@
}, },
"nixos": { "nixos": {
"locked": { "locked": {
"lastModified": 1660318005, "lastModified": 1660581366,
"narHash": "sha256-g9WCa9lVUmOV6dYRbEPjv/TLOR5hamjeCcKExVGS3OQ=", "narHash": "sha256-et+bi9/jlSF/pHx5AYB9ZP2XDdZEQ0vnF7xlvs4503Y=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5c211b47aeadcc178c5320afd4e74c7eed5c389f", "rev": "3d47bbaa26e7a771059d828eecf3bd8bf28a8b0f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -378,11 +398,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1657748715, "lastModified": 1660661347,
"narHash": "sha256-WecDwDY/hEcDQYzFnccCNa+5Umht0lfjx/d1qGDy/rQ=", "narHash": "sha256-0eSeeQ7oH502rX5hXXi4Pt9CTgEhygp0/EL+biwhkrk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "3323b944d99b026aebfd8de439e001409dde067d", "rev": "ecef210472ddac2a9e06c7d4c7247a5be96b1cab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -441,8 +461,8 @@
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 0, "lastModified": 0,
"narHash": "sha256-koC6DBYmLCrgXA+AMHVaODf1uHYPmvcFygHfy3eg6vI=", "narHash": "sha256-XzuvFTmsXULdWynQWzgaPHikepNhjEpK4o5WXfmRqek=",
"path": "/nix/store/6mfkswqi67m35qwv0vh7kpk8rypbl2rq-source", "path": "/nix/store/all4f5y28iyigh60lz4j1j6j02106dn2-source",
"type": "path" "type": "path"
}, },
"original": { "original": {
@ -480,6 +500,7 @@
"digga": "digga", "digga": "digga",
"home": "home", "home": "home",
"latest": "latest_2", "latest": "latest_2",
"musnix": "musnix",
"naersk": "naersk", "naersk": "naersk",
"nixos": "nixos", "nixos": "nixos",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",


@ -38,6 +38,10 @@
nixos-hardware.url = "github:nixos/nixos-hardware"; nixos-hardware.url = "github:nixos/nixos-hardware";
nixos-generators.url = "github:nix-community/nixos-generators"; nixos-generators.url = "github:nix-community/nixos-generators";
# hensoko additions
musnix.url = "github:musnix/musnix";
musnix.inputs.nixpkgs.follows = "nixos";
}; };
outputs = outputs =
@ -50,6 +54,7 @@
, agenix , agenix
, nvfetcher , nvfetcher
, deploy , deploy
, musnix
, ... , ...
} @ inputs: } @ inputs:
digga.lib.mkFlake digga.lib.mkFlake
@ -103,6 +108,21 @@
hosts = { hosts = {
/* set host specific properties here */ /* set host specific properties here */
PubSolarOS = { }; PubSolarOS = { };
companion = {
system = "aarch64-linux";
};
cox = {
system = "aarch64-linux";
};
giggles = {
system = "aarch64-linux";
};
harrison = {
modules = [
musnix.nixosModules.musnix
];
};
norman = { };
}; };
importables = rec { importables = rec {
profiles = digga.lib.rakeLeaves ./profiles // { profiles = digga.lib.rakeLeaves ./profiles // {
@ -111,8 +131,32 @@
suites = with profiles; rec { suites = with profiles; rec {
base = [ users.pub-solar users.root ]; base = [ users.pub-solar users.root ];
iso = base ++ [ base-user graphical pub-solar-iso ]; iso = base ++ [ base-user graphical pub-solar-iso ];
pubsolaros = [ full-install base-user users.root ]; pubsolaros = [ base-user users.root ];
anonymous = [ pubsolaros users.pub-solar ]; anonymous = [ pubsolaros users.pub-solar ];
pubsolaros-light = [ base-user users.root ];
hensoko = pubsolaros ++ [ users.hensoko ];
hensoko-light = pubsolaros-light ++ [ users.hensoko ];
hensoko-iot = [ base-user users.root users.hensoko ];
# server
cube = hensoko-iot;
# home-controller
companion = hensoko-iot;
cox = hensoko-iot;
giggles = hensoko-iot;
# laptop
ringo = hensoko-light ++ [ ];
# vm
redpanda = hensoko;
# home pc
harrison = hensoko ++ [ daw graphical non-free social work ];
# work laptop
norman = hensoko ++ [ graphical non-free social virtualisation work ];
}; };
}; };
}; };
@ -128,6 +172,8 @@
}; };
users = { users = {
pub-solar = { suites, ... }: { imports = suites.base; }; pub-solar = { suites, ... }: { imports = suites.base; };
hensoko = { suites, ... }: { imports = suites.base; };
hensoko_iot = { suites, ... }: { imports = suites.base; };
}; # digga.lib.importers.rakeLeaves ./users/hm; }; # digga.lib.importers.rakeLeaves ./users/hm;
}; };
@ -135,6 +181,40 @@
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations; homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { }; deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
cube = { };
companion = {
#profilesOrder = [ "system" "direnv" ];
#profiles.direnv = {
# user = "hensoko";
# path = deploy.lib.aarch64-linux.activate.home-manager self.homeConfigurationsPortable.aarch64-linux."hensoko";
#};
};
cox = {
#profilesOrder = [ "system" "direnv" ];
#profiles.direnv = {
# user = "hensoko";
# path = deploy.lib.aarch64-linux.activate.home-manager self.homeConfigurationsPortable.aarch64-linux."hensoko";
#};
};
giggles = {
#profilesOrder = [ "system" "direnv" ];
#profiles.direnv = {
# user = "hensoko";
# path = deploy.lib.aarch64-linux.activate.home-manager self.homeConfigurationsPortable.aarch64-linux."hensoko";
#};
};
ringo = {
#profilesOrder = [ "system" "direnv" ];
#profiles.direnv = {
# user = "hensoko";
# path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux."hensoko";
#};
};
};
defaultTemplate = self.templates.bud;
templates.bud.path = ./.;
templates.bud.description = "bud template";
}; };
} }
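Review bot: The companion, cox, giggles and ringo entries under `deploy.nodes` each carry the same five commented-out `profilesOrder`/`profiles.direnv` lines, which is dead configuration that will drift from whatever home-manager activation is eventually wired up. Deleting those blocks so each node reads `companion = { };` and keeping one comment above `deploy.nodes`, such as `# home-manager activation profiles are not deployed yet; nodes use the digga defaults`, records the intent without four copies. In the suites hunk, `ringo = hensoko-light ++ [ ];` appends an empty list; either write `ringo = hensoko-light;` or mark it as a placeholder for laptop-specific profiles. The outputs-argument and hosts hunks look consistent with the new `musnix` input, which flake.lock pins.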


@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}
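Review bot: Both `let` bindings in hosts/companion/companion.nix are unused — `xdg` is never referenced and `psCfg` exists only to build `xdg` — and `with lib;` is opened although the body calls `lib.mkForce` fully qualified. The same prelude is repeated in hosts/cox/cox.nix and hosts/giggles/giggles.nix. Dropping it leaves `{ config, pkgs, lib, ... }: { imports = [ ./configuration.nix ]; config = { boot.plymouth.enable = lib.mkForce false; pub-solar.nextcloud.enable = lib.mkForce false; }; }`, and a one-line comment such as `# headless IoT node: no splash screen, no Nextcloud` would explain why these two options are forced off on every controller.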


@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}
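Review bot: hosts/companion/configuration.nix is the same text as hosts/cox/configuration.nix and hosts/giggles/configuration.nix apart from a commented `#package = pkgs.nixFlakes;` line, so the boot-loader, time-zone and networking settings of all three home-controller nodes are maintained by hand in three places. A shared module imported by each host (or the `pub-solar.home-controller` module this series introduces) would keep them from drifting, leaving only `hardware-configuration.nix` and `home-controller.nix` per host. The firewall section is still the commented generator template; the NixOS firewall is on by default, so the k3s API and WireGuard ports presumably have to be opened by the home-controller module, which is not visible here — worth confirming, and worth a comment at that spot saying where it happens.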


@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./companion.nix
] ++ suites.companion;
}


@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/5552-1B21";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}
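Review bot: `networking.hostId = "71f2d82a"` in hosts/companion/hardware-configuration.nix is the same value used in hosts/cox/hardware-configuration.nix and hosts/giggles/hardware-configuration.nix, yet all three boot from ZFS. ZFS records the importing hostid in the pool and refuses to import a pool last used by a different hostid unless forced; with identical ids every node looks like the owner of every other node's `zroot`, so that safety check is lost — each host should get its own random 8-hex-digit value (the option's documentation suggests `head -c 8 /etc/machine-id`). The file also keeps the `nixos-generate-config` "Do not modify" header while carrying hand edits (the ZFS filesystems, the pinned `linuxPackages_5_18` kernel, the LUKS `keyFile` on the USB stick); those would be lost on the next regeneration and are safer in `configuration.nix`.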


@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.13";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}
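Review bot: The `wireguard.peers` list in hosts/companion/home-controller.nix hard-codes the public keys, allowed IPs and endpoints of cube, giggles, cox and ringo, and the same table is repeated with one row swapped in hosts/cox/home-controller.nix and hosts/giggles/home-controller.nix, with a third variant in hosts/cube/wireguard.nix. Rotating one key means editing four files, and the copies already differ in ways that are easy to miss (only cube's copy knows the hsha peer). A single peer attrset in the home-controller module, from which each host removes its own entry, would make the mesh one source of truth. The `*.local:51899` endpoints depend on mDNS resolution being available when the `wireguard-*` unit starts; nothing in these hosts' configuration shows a resolver for that, so it is worth confirming the tunnel comes up after a cold boot.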


@ -0,0 +1,64 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

16
hosts/cox/cox.nix Normal file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

6
hosts/cox/default.nix Normal file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cox.nix
] ++ suites.cox;
}


@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/6CB3-6DB8";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}


@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.12";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

8
hosts/cube/acme.nix Normal file

@ -0,0 +1,8 @@
{ pkgs, config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "hensoko@gssws.de";
};
}


@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./acme.nix
./home-assistant.nix
./nextcloud.nix
./wireguard.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
networking = {
useDHCP = false;
interfaces.eno1.ipv4.addresses = [{
address = "80.244.242.2";
prefixLength = 29;
}];
defaultGateway = "80.244.242.1";
nameservers = [ "95.129.51.51" "80.244.244.244" ];
};
services.openssh.ports = [ 2222 ];
networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
networking.firewall.allowedUDPPorts = [ 51899 ];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment?
}
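Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 2222 ]` in hosts/cube/configuration.nix re-opens the SSH port that `services.openssh.ports = [ 2222 ]` already opens, because `services.openssh.openFirewall` defaults to true; the duplicate means a later change of the SSH port leaves the old one open in the firewall. `networking.firewall.allowedTCPPorts = [ 80 443 ];` is enough. This is the only host in the series with a public address, and the sshd policy the commit history attributes to the server profile ("Prohibit root login with password when server module is used") is not visible in this file; a comment such as `# sshd root-login/password policy is enforced by the server profile` would help whoever reviews the internet-facing host find it.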

13
hosts/cube/cube.nix Normal file

@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
pub-solar.core.disk-encryption-active = false;
}
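Review bot: `with pkgs;` at the top of hosts/cube/cube.nix puts every nixpkgs attribute into scope for the whole module while nothing in the body uses a package, and `psCfg` from the `let` is never referenced. A misspelled name in such a scope can silently resolve to a package attribute instead of failing evaluation, so dropping `with pkgs;`, `with lib;` and the `let … in` is both cleaner and safer. A short comment on `pub-solar.core.disk-encryption-active = false;`, e.g. `# cube boots from plain ext4 (see hardware-configuration.nix), so there is no LUKS volume to unlock`, would record why this host opts out where the controllers keep the default.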

6
hosts/cube/default.nix Normal file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cube.nix
] ++ suites.cube;
}


@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
fsType = "ext2";
};
fileSystems."/mnt/internal" =
{
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
}


@ -0,0 +1,19 @@
{ self, pkgs, config, ... }:
{
# HTTP
services.nginx = {
virtualHosts."ha.gssws.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.0.1.254:8123";
proxyWebsockets = true;
extraConfig =
"proxy_ssl_server_name on;" +
"proxy_pass_header Authorization;"
;
};
};
};
}
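Review bot: `proxy_ssl_server_name on;` in hosts/cube/home-assistant.nix only affects `https://` upstreams, but `proxyPass` is `http://10.0.1.254:8123`, so the directive is inert; `proxy_pass_header Authorization;` also looks like a no-op, since `proxy_pass_header` un-hides response headers nginx normally strips and Authorization is not one of them. The `extraConfig` can therefore go, leaving `proxyPass` and `proxyWebsockets`. Because the client address Home Assistant sees is cube's tunnel IP, its login throttling and IP bans apply to the proxy unless the instance on hsha lists 10.0.1.5 as a trusted proxy and honours X-Forwarded-For; that is configured on the other end and is not visible here, so a comment like `# hsha must trust 10.0.1.5 as a reverse proxy for client IPs to be preserved` would capture the dependency.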

72
hosts/cube/nextcloud.nix Normal file

@ -0,0 +1,72 @@
{ self, pkgs, config, ... }:
{
age.secrets.nextcloud_db_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_db_pass.age";
};
age.secrets.nextcloud_admin_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_admin_pass.age";
};
# HTTP
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."data.gssws.de" = {
enableACME = true;
forceSSL = true;
};
};
# DATABASES
services.postgresql = {
enable = true;
package = pkgs.postgresql_11;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
# NEXTCLOUD
services.nextcloud = {
enable = true;
package = pkgs.nextcloud24;
hostName = "data.gssws.de";
https = true;
datadir = "/mnt/internal/nextcloud";
autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00";
config = {
# Further forces Nextcloud to use HTTPS
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
dbpassFile = "/run/agenix/nextcloud_db_pass";
adminpassFile = "/run/agenix/nextcloud_admin_pass";
adminuser = "admin";
};
};
}
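Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` in hosts/cube/nextcloud.nix replaces the cipher list that `recommendedTlsSettings = true` installs for every virtual host on cube, and the replacement is not stricter: it still admits CBC suites with SHA-1 MACs (for example `ECDHE-RSA-AES256-SHA`) and finite-field DHE, while dropping AES-128-GCM and ChaCha20-Poly1305. Unless a client-compatibility requirement is behind it, deleting the `sslCiphers` line and relying on the recommended settings is the better default; if a custom list is needed, restrict it to AEAD suites and say why in a comment. `package = pkgs.postgresql_11` is acceptable for a 22.11-era system, but PostgreSQL 11 leaves upstream support in late 2023, so the major-version upgrade path via `services.postgresql.package` should be planned.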

63
hosts/cube/wireguard.nix Normal file

@ -0,0 +1,63 @@
{ self, config, pkgs, ... }:
{
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ "10.0.1.5" ];
listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = [ "10.0.1.254/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}
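Review bot: The restart policy in hosts/cube/wireguard.nix is set on `systemd.services.wireguard-wg0`, but the interface defined below is `wg1`, whose unit is `wireguard-wg1.service`; the override therefore lands on a unit this file does not create, and a failed tunnel start is never retried. Change the two lines to `systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";` and `systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";` (or rename the interface to `wg0`). The comment `# For a client configuration, one peer entry for the server will suffice.` is copied from the NixOS example and is misleading here, since cube is the listening end with four peers and no endpoints.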


@ -0,0 +1,65 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}


@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./giggles.nix
] ++ suites.giggles;
}

16
hosts/giggles/giggles.nix Normal file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}


@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/2F05-9B4A";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}


@ -0,0 +1,53 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.11";
k3s = {
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}
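Review bot: This peer table is copied per host and is already inconsistent with the ringo copy later in this compare: giggles lists `cube` (`10.0.1.5/32`, the only peer with a public endpoint, `data.gssws.de:51899`) and sets `persistentKeepalive = 25;` on every peer, while ringo's list has neither cube nor keepalives, and the module's `networking.extraHosts` has no entry for 10.0.1.5 at all. A single peer table in the home-controller module, with each host selecting its own entry, would keep keys, addresses and names in one place so that a key rotation or a new node cannot be half-applied. Since `cube` is the internet-facing edge of this mesh, a comment on that entry stating that role (`# cube: reachable over the public internet, not on the LAN`) would help whoever audits the allowedIPs later.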


@ -0,0 +1,19 @@
set $left 'Eizo Nanao Corporation EV2316W 92008103'
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
set $right 'Eizo Nanao Corporation EV2316W 39117013'
output $left {
scale 1
pos 0 0
transform 270
}
output $middle {
scale 1
pos 1080 600
}
output $right {
scale 1
pos 3000 600
}


@ -0,0 +1,48 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eno1 = {
useDHCP = true;
wakeOnLan = {
enable = true;
};
};
networking.networkmanager.enable = lib.mkForce false;
nixpkgs.config.allowUnsupportedSystem = true;
# List services that you want to enable:
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}
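Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` opens the SSH port unconditionally even though nothing in this file enables sshd; the `pub-solar.server` module later in this compare already sets `services.openssh.openFirewall = true;`, so the port is opened exactly when a listener exists. Dropping the explicit entry here avoids an open port with no service behind it and keeps the exposure tied to `pub-solar.server.enable`; the redpanda configuration carries the same line. `nixpkgs.config.allowUnsupportedSystem = true;` is a global switch that is not self-explanatory on a workstation and deserves a one-line comment naming the package that needs it.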


@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./harrison.nix
] ++ suites.harrison;
}


@ -0,0 +1,76 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptoroot" = {
device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
boot.loader.grub = {
efiSupport = true;
enable = true;
extraEntries = ''
menuentry "Windows" {
insmod part_gpt
insmod fat
insmod search_fs_uuid
insmod chain
search --fs-uuid --set=root 02DB-F12C
chainloader /efi/Microsoft/Boot/bootmgfw.efi
}
'';
devices = [ "nodev" ];
};
fileSystems = {
"/" =
{
device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05";
fsType = "ext4";
};
"/boot" =
{
device = "/dev/disk/by-uuid/4B4A-B1B4";
fsType = "vfat";
};
"/boot2" =
{
device = "/dev/disk/by-uuid/4B2C-385A";
fsType = "vfat";
};
"/home" =
{
device = "/dev/mapper/vg0-home";
fsType = "ext4";
};
};
swapDevices =
[{ device = "/dev/mapper/vg0-swap"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
};
services.teamviewer.enable = true;
};
}
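Review bot: `services.teamviewer.enable = true;` starts the TeamViewer daemon as a system service at every boot, which is a standing third-party remote-access channel into a host that otherwise relies on LUKS and SSH for access control, and nothing here records why. A comment stating the purpose and whether unattended access is configured would let the next reader judge the exposure, e.g. `# TeamViewer daemon for remote support sessions; unattended access is not configured.` If it is only needed occasionally, leaving the service disabled by default and starting it on demand keeps the listener off the host the rest of the time.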


@ -0,0 +1,16 @@
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"


@ -0,0 +1,13 @@
set $left 'Eizo Nanao Corporation EV2316W 92008103'
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
output $left {
scale 1
pos 0 0
transform 270
}
output $middle {
scale 1
pos 1080 600
}


@ -0,0 +1,67 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./wireguard.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.firewall = {
allowedUDPPorts = [
51820
51821
]; # Clients and peers can use the same port, see listenport
};
hardware.nitrokey.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
# Disable bluetooth
hardware.bluetooth.enable = false;
services.blueman.enable = false;
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_SCALING_GOVERNOR_ON_AC = "performance";
# The following prevents the battery from charging fully to
# preserve lifetime. Run `tlp fullcharge` to temporarily force
# full charge.
# https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds
START_CHARGE_THRESH_BAT0 = 40;
STOP_CHARGE_THRESH_BAT0 = 80;
# 100 being the maximum, limit the speed of my CPU to reduce
# heat and increase battery usage:
CPU_MAX_PERF_ON_AC = 100;
CPU_MAX_PERF_ON_BAT = 30;
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}
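Review bot: The three comment lines beginning `# The global useDHCP flag is deprecated` now sit directly above `networking.firewall`, but the `networking.useDHCP` lines they described were removed in this series, so they explain nothing and should be dropped or replaced by a comment on the firewall entry itself. `programs.gnupg.agent.enableSSHSupport = true;` here overlaps with the home-manager `services.gpg-agent.enableSshSupport = true;` and the `environment.shellInit` export added in the gpg profile later in this compare; presumably only one of them should own the agent and its SSH socket, otherwise two gpg-agent setups compete for the same socket path, which is worth confirming on this host. The trailing comment on `allowedUDPPorts` (`# Clients and peers can use the same port, see listenport`) would be clearer as `# one UDP port per WireGuard interface, must match listenPort in wireguard.nix`.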

6
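--- a/hosts/norman/default.nix
+++ b/hosts/norman/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+imports = [
+./norman.nix
+] ++ suites.norman;
+}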


@ -0,0 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.loader.grub.trustedBoot = {
enable = true;
systemHasTPM = "YES_TPM_is_activated";
};
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6";
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/84CD-91B6";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.trackpoint = {
enable = true;
device = "TPPS/2 ALPS TrackPoint";
emulateWheel = true;
};
}
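Review bot: `boot.loader.grub.trustedBoot` only takes effect when GRUB is the active bootloader, and nothing visible for norman sets `boot.loader.grub.enable = true;` (harrison is the only host in this compare that does), so this block presumably has no effect; if measured boot is intended it needs to be enabled together with GRUB and the TPM setup documented, and if not, the block should go. As far as I recall the NixOS GRUB module also asserts that trusted GRUB has no EFI support, which matters for a machine with a vfat `/boot` — check the module before relying on it. Unlike the other hosts, `cryptroot` here has no `keyFile`, so the disk is passphrase-only; that is fine but a one-line comment (`# passphrase-only unlock, no keyfile on purpose`) would stop someone from "fixing" it.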

20
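--- a/hosts/norman/norman.nix
+++ b/hosts/norman/norman.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+psCfg = config.pub-solar;
+xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+imports = [
+./configuration.nix
+];
+config = {
+boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
+"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
+};
+};
+}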
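Review bot: The `xdg` binding in the `let` block is never used in this file, and the same dead binding appears in the giggles, redpanda and ringo host files; dropping it leaves a `let` that only carries `psCfg`, which is what the body actually reads. `with lib;` is used solely for `mkIf`; writing `lib.mkIf` instead keeps the one external dependency visible at the call site.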


@ -0,0 +1,93 @@
{ config, pkgs, ... }:
{
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.0.0.13/32"
"fc00:200::13/128"
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.0.0.0/24"
"192.168.50.0/24"
"192.168.200.0/24"
"10.20.30.0/24"
"fc00:200::/120"
"95.129.51.5"
"95.129.54.43"
"134.0.28.89"
"134.0.27.108"
"134.0.25.181"
];
# Set this to the server IP and port.
endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.7.0.21"
];
listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.7.0.0/24"
];
# Set this to the server IP and port.
endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}
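Review bot: Both interfaces read their private keys from `/home/hensoko/.config/wireguard/*.private`, a location inside the user's home that is readable by anything running as that user and sits outside the secrets flow the home-controller hosts use (`age.secrets.*.file` decrypted to `/run/agenix/...`); moving these two keys to agenix keeps them root-only and out of the home directory. The comment `# Forward all the traffic via VPN.` on each peer is inaccurate — the `allowedIPs` lists are explicit split-tunnel routes — and should read something like `# Only the listed networks and hosts are routed through the tunnel.` The `ToDo` trailing each `endpoint` line says the route to the endpoint is not configured automatically; if that is still open it belongs in a tracked issue rather than a comment that is duplicated twice.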


@ -0,0 +1,110 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s3.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# };
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
firefox
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}


@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./redpanda.nix
] ++ suites.redpanda;
}


@ -0,0 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ohci_pci" "virtio_pci" "sd_mod" "sr_mod" "virtio_scsi" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
#virtualisation.virtualbox.guest.enable = true;
}


@ -0,0 +1,17 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
#pub-solar.nextcloud.enable = lib.mkForce false;
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
};
}
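Review bot: `#pub-solar.nextcloud.enable = lib.mkForce false;` sits between `imports` and `config`, and because this module uses the explicit `config = { ... }` form, uncommenting it in place would fail evaluation (option definitions must live inside `config` once `config` or `options` is present); either move it inside `config` as the giggles host does, or delete it rather than leaving a trap. The `xdg` binding in the `let` block is unused here as well.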


@ -0,0 +1,35 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

6
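--- a/hosts/ringo/default.nix
+++ b/hosts/ringo/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+imports = [
+./ringo.nix
+] ++ suites.ringo;
+}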


@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/47ED-2F0B";
fsType = "vfat";
};
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,43 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "agent";
ownIp = "10.0.1.21";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
}
];
};
};
};
}

13
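--- a/hosts/ringo/ringo.nix
+++ b/hosts/ringo/ringo.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+psCfg = config.pub-solar;
+xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+imports = [
+./configuration.nix
+];
+pub-solar.nextcloud.enable = lib.mkForce false;
+}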


@ -65,6 +65,9 @@ in
context.default.clock = { context.default.clock = {
allowed-rates = [ 44100 48000 88200 96000 ]; allowed-rates = [ 44100 48000 88200 96000 ];
rate = 44100; rate = 44100;
quantum = 2048;
min-quantum = 1024;
max-quantum = 4096;
}; };
}; };
config.pipewire-pulse = builtins.fromJSON (builtins.readFile ./pipewire-pulse.conf.json); config.pipewire-pulse = builtins.fromJSON (builtins.readFile ./pipewire-pulse.conf.json);


@ -26,6 +26,7 @@ in
networking.networkmanager = { networking.networkmanager = {
# Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff. # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
enable = true; enable = true;
wifi.backend = "iwd";
}; };
# Customized binary caches list (with fallback to official binary cache) # Customized binary caches list (with fallback to official binary cache)
@ -39,7 +40,7 @@ in
# Caddy reverse proxy for local services like cups # Caddy reverse proxy for local services like cups
services.caddy = { services.caddy = {
enable = true; enable = false;
globalConfig = '' globalConfig = ''
default_bind 127.0.0.1 default_bind 127.0.0.1
auto_https off auto_https off


@ -16,11 +16,17 @@ in
services.gnome.gnome-keyring.enable = true; services.gnome.gnome-keyring.enable = true;
environment.shellInit = ''
gpg-connect-agent /bye
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
'';
home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] { home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs; systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
enableSshSupport = true;
pinentryFlavor = "gnome3"; pinentryFlavor = "gnome3";
verbose = true; verbose = true;
}; };
@ -32,9 +38,6 @@ in
home.packages = [ home.packages = [
gnome.seahorse gnome.seahorse
keepassxc keepassxc
libsecret
qMasterPassword
restic
]; ];
}; };
}; };
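Review bot: The new `environment.shellInit` unconditionally overwrites `SSH_AUTH_SOCK` in every interactive shell on the host, including SSH sessions that arrive with a forwarded agent socket, and runs `gpg-connect-agent /bye` for every user rather than only `psCfg.user`; guarding it — `if [ -z "$SSH_AUTH_SOCK" ]; then export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket); fi` — keeps forwarded agents working and matches what the NixOS `programs.gnupg.agent.enableSSHSupport` option (enabled on norman in this compare) already provides, so one of the two mechanisms can probably go. `enableSshSupport = true;` on the home-manager `services.gpg-agent` is the right place for the agent side; a comment there naming which of the three pieces owns the socket would save the next debugging session. The enclosing `home-manager` attribute set starts and ends outside this hunk.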


@ -0,0 +1,131 @@
{ lib, config, pkgs, ... }:
with lib;
let
psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller;
in
{
imports = [
./k3s.nix
./wireguard.nix
];
options.pub-solar.home-controller = {
enable = mkEnableOption "Control your home";
role = mkOption {
description = ''
Whether the node should run as a server or agent.
Note that the server, by default, also runs as an agent.
'';
default = "server";
type = types.enum [ "server" "agent" ];
};
ownIp = mkOption {
description = ''
Internal ip in wireguard used for cluster control-plane communication.
'';
type = types.str;
};
k3s = {
enableLocalStorage = mkOption {
description = ''
Enable local storage provisioner.
'';
default = false;
type = types.bool;
};
defaultLocalStoragePath = mkOption {
description = ''
Default path to use for local storage provisioner.
'';
default = "/var/lib/rancher/k3s/storage";
type = types.path;
};
flannelBackend = mkOption {
description = ''
Flannel backend to use.
'';
default = "wireguard-native";
type = types.str;
};
serverAddr = mkOption {
description = ''
Set server address of master
'';
default = "";
type = types.str;
example = "https://api.kube:6443";
};
tokenFile = mkOption {
description = ''
Location of token file used to join cluster.
'';
default = "";
type = types.str;
};
enableZfs = mkOption {
description = ''
Enable when k3s should use a ZFS compatible runtime.
'';
default = false;
type = types.bool;
};
zfsPool = mkOption {
description = ''
The ZFS pool to use and create a containerd volume in.
'';
default = "zroot";
type = types.str;
};
};
wireguard = {
privateKeyFile = mkOption {
description = ''
Location of private key file
'';
type = types.path;
};
listenPort = mkOption {
description = ''
Port for wireguard.
'';
default = 51899;
type = types.int;
};
peers = mkOption {
description = ''
Wireguard peers.
'';
type = types.listOf types.attrs;
};
};
};
config = mkIf cfg.enable {
boot.kernelModules = [ "rbd" ];
networking.extraHosts =
''
192.168.42.231 ringo.local
192.168.42.232 giggles.local
192.168.42.234 cox.local
192.168.42.236 companion.local
10.0.1.11 api.kube giggles.kube
10.0.1.12 cox.kube
10.0.1.13 companion.kube
10.0.1.21 ringo.kube
'';
};
}
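Review bot: `wireguard.privateKeyFile` is typed `types.path`, and a path-typed option also accepts a literal path such as `./keys/wg.key`, which Nix would copy into the world-readable store and hand to WireGuard from there; the hosts pass `/run/agenix/...` strings, so `types.str` (as already used for `tokenFile`) states the intent and removes that foot-gun, ideally with the description extended to `Location of the private key file at runtime; must not be a store path.` `peers` is `types.listOf types.attrs`, which forwards unvalidated attrsets to `networking.wireguard`; a `types.submodule` with `publicKey`, `allowedIPs`, `endpoint` and `persistentKeepalive` would catch typos at evaluation time instead of at interface start. The `networking.extraHosts` block hard-codes four LAN addresses and the `.kube` names inside a reusable module and omits `cube` (10.0.1.5), which giggles peers with; deriving the entries from a shared peer table, or exposing them as an option, keeps them in one place.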


@ -0,0 +1,76 @@
{ lib, config, pkgs, ... }:
with lib;
let
psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller;
in
{
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
kubernetes-helm
];
environment.sessionVariables = lib.mkIf (cfg.role == "server") rec {
KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
};
services.k3s = {
enable = true;
docker = false;
role = cfg.role;
serverAddr = lib.mkIf (cfg.k3s.serverAddr != "") cfg.k3s.serverAddr;
tokenFile = lib.mkIf (cfg.k3s.tokenFile != "") cfg.k3s.tokenFile;
extraFlags = concatStringsSep " " (
[
"--node-ip ${cfg.ownIp}"
"--container-runtime-endpoint unix:///run/containerd/containerd.sock"
"${optionalString (cfg.role == "server") "--disable servicelb"}"
"${optionalString (cfg.role == "server") "--disable traefik"}"
"${optionalString (cfg.role == "server") "--bind-address ${cfg.ownIp}"}"
"${optionalString (cfg.role == "server" && cfg.k3s.flannelBackend != "") "--flannel-backend=${cfg.k3s.flannelBackend}"}"
"${optionalString (cfg.role == "server" && !cfg.k3s.enableLocalStorage) "--disable local-storage"}"
"${optionalString (cfg.role == "server" && cfg.k3s.enableLocalStorage) "--default-local-storage-path ${cfg.k3s.defaultLocalStoragePath}"}"
"${optionalString cfg.k3s.enableZfs "--snapshotter=zfs"}"
]
);
};
systemd.services.containerd = mkIf cfg.k3s.enableZfs {
serviceConfig = {
ExecStartPre = [
"-${pkgs.zfs}/bin/zfs create -o mountpoint=/var/lib/containerd/io.containerd.snapshotter.v1.zfs ${cfg.k3s.zfsPool}/containerd"
];
};
};
systemd.services.k3s = {
after = [ "containerd.service" ];
requisite = [ "containerd.service" ];
};
virtualisation.containerd = {
enable = true;
settings =
let
fullCNIPlugins = pkgs.buildEnv {
name = "full-cni";
paths = with pkgs; [
cni-plugins
cni-plugin-flannel
];
};
in
{
plugins."io.containerd.grpc.v1.cri".cni = {
bin_dir = "${fullCNIPlugins}/bin";
conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/";
};
};
};
};
}
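Review bot: The `extraFlags` list wraps each `optionalString` in its own quoted string, so every flag that does not apply still contributes an empty element and the joined command line gains runs of double spaces; building the list with `optionals`/`optional` (both in scope via `with lib;`) yields only the flags that apply, as below. The `-` prefix on the `zfs create` ExecStartPre is needed because the dataset exists after the first boot, but it also hides a missing or unimported `${cfg.k3s.zfsPool}` until the snapshotter fails later; `zfs list ${cfg.k3s.zfsPool}/containerd >/dev/null 2>&1 || zfs create ...` keeps the idempotence without masking that error. `environment.sessionVariables.KUBECONFIG` is exported to every login session on server nodes, which is harmless only while `/etc/rancher/k3s/k3s.yaml` stays root-readable (k3s's default), so a comment recording that assumption would help.
```nix
    services.k3s = {
      # … unchanged: enable, docker, role, serverAddr, tokenFile …
      extraFlags = concatStringsSep " " (
        [
          "--node-ip ${cfg.ownIp}"
          "--container-runtime-endpoint unix:///run/containerd/containerd.sock"
        ]
        ++ optionals (cfg.role == "server") [
          "--disable servicelb"
          "--disable traefik"
          "--bind-address ${cfg.ownIp}"
        ]
        ++ optional (cfg.role == "server" && cfg.k3s.flannelBackend != "") "--flannel-backend=${cfg.k3s.flannelBackend}"
        ++ optional (cfg.role == "server" && !cfg.k3s.enableLocalStorage) "--disable local-storage"
        ++ optional (cfg.role == "server" && cfg.k3s.enableLocalStorage) "--default-local-storage-path ${cfg.k3s.defaultLocalStoragePath}"
        ++ optional cfg.k3s.enableZfs "--snapshotter=zfs"
      );
    };
```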


@ -0,0 +1,23 @@
{ lib, config, pkgs, ... }:
with lib;
let
psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller;
in
{
config = mkIf cfg.enable {
systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s";
networking.firewall.allowedUDPPorts = [ cfg.wireguard.listenPort ];
networking.wireguard.interfaces = {
wghome = {
ips = [ cfg.ownIp ];
listenPort = cfg.wireguard.listenPort;
privateKeyFile = cfg.wireguard.privateKeyFile;
peers = cfg.wireguard.peers;
};
};
};
}
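Review bot: `ips = [ cfg.ownIp ];` passes a bare address, while `networking.wireguard.interfaces.<name>.ips` is documented as a list of CIDR strings; the hosts set `ownIp = "10.0.1.11"` and `"10.0.1.21"` with no prefix, so the interface address gets whatever prefix the underlying `ip address add` defaults to (presumably /32) and reachability of the other nodes then rests entirely on the per-peer `allowedIPs` routes. Making this explicit — `ips = [ "${cfg.ownIp}/32" ];` — or documenting `ownIp` as a plain address in its option description removes the guesswork. `networking.firewall.allowedUDPPorts = [ cfg.wireguard.listenPort ];` opens the port on every interface, which is expected for a WireGuard listener, but a comment is warranted because `listenPort` defaults to 51899 here rather than the conventional 51820 used by the norman interfaces.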


@ -0,0 +1,20 @@
{ lib, config, pkgs, ... }:
with lib;
let
psCfg = config.pub-solar;
cfg = config.pub-solar.server;
in
{
options.pub-solar.server = {
enable = mkEnableOption "Enable server options like sshd";
};
config = mkIf cfg.enable {
services.openssh = {
enable = true;
permitRootLogin = lib.mkForce "prohibit-password";
passwordAuthentication = true;
openFirewall = true;
};
};
}
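Review bot: `passwordAuthentication = true;` together with `openFirewall = true;` exposes password logins on every host that enables `pub-solar.server`, while the user module in this compare already carries `publicKeys` for key-based access; root is already held to `prohibit-password`, and the same should apply to users once their keys are deployed: `passwordAuthentication = false;` (plus `kbdInteractiveAuthentication = false;`, or `challengeResponseAuthentication` on older releases, so PAM keyboard-interactive does not reopen the same path). If a password fallback is needed during bootstrap, make it a per-host `lib.mkForce` override rather than the module default, and say so in the option description, which currently only reads `Enable server options like sshd`.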


@ -14,8 +14,11 @@ in
home.packages = [ home.packages = [
signal-desktop signal-desktop
tdesktop tdesktop
discord
element-desktop element-desktop
irssi tdesktop
mattermost-desktop
whatsapp-for-linux
]; ];
}; };
}; };
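Review bot: `tdesktop` now appears twice in `home.packages` — the existing entry and the one that replaced `irssi` — which Nix tolerates but reads like a merge slip; drop one of them. The enclosing attribute set starts and ends outside this hunk.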


@ -1,15 +1,17 @@
# switch to workspace with urgent window automatically # switch to workspace with urgent window automatically
for_window [urgent=latest] focus for_window [urgent=latest] focus
assign [app_id="Element"] $ws7
assign [app_id="Signal"] $ws7
assign [app_id="telegramdesktop"] $ws7
assign [app_id="rambox"] $ws7
assign [class="Mattermost"] $ws7
for_window [app_id="keepassxc"] floating disable for_window [app_id="keepassxc"] floating disable
assign [app_id="keepassxc"] $ws8 assign [app_id="keepassxc"] $ws8
for_window [app_id="virt-manager"] floating disable assign [app_id=thunderbird title="^.+$"] $ws9
assign [app_id="virt-manager"] $ws9 for_window [app_id=thunderbird title="^$"] floating enable
assign [instance="element"] $ws4
assign [app_id="Signal"] $ws4
assign [app_id="telegramdesktop"] $ws4
# Launcher # Launcher
for_window [app_id="launcher" title="Alacritty"] floating enable, border pixel 10, sticky enable for_window [app_id="launcher" title="Alacritty"] floating enable, border pixel 10, sticky enable
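Review bot: `assign [instance="element"] $ws4` switches from the previous `app_id="Element"` criterion to `instance`, which in sway only matches XWayland windows via their X11 instance property; if Element runs as a native Wayland window on these hosts the new rule never matches, so verify with the window tree and use `app_id` if so. The old `rambox` and `Mattermost` assignments were removed while `mattermost-desktop` is being added to the social profile in this compare, so a `Mattermost` rule may be wanted again.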


@ -78,24 +78,10 @@ in
withPython3 = true; withPython3 = true;
extraPackages = with pkgs; lib.mkIf (!cfg.lite) [ extraPackages = with pkgs; lib.mkIf (!cfg.lite) [
ccls
gopls gopls
nodejs
nodePackages.bash-language-server
nodePackages.dockerfile-language-server-nodejs
nodePackages.svelte-language-server
nodePackages.typescript
nodePackages.typescript-language-server
nodePackages.vim-language-server
nodePackages.vue-language-server
nodePackages.vscode-langservers-extracted
nodePackages.yaml-language-server
python39Packages.python-lsp-server python39Packages.python-lsp-server
python3Full python3Full
solargraph
rnix-lsp rnix-lsp
rust-analyzer
terraform-ls
universal-ctags universal-ctags
]; ];


@ -50,7 +50,7 @@ in
name = "romkatv/powerlevel10k"; name = "romkatv/powerlevel10k";
tags = [ "as:theme" "depth:1" ]; tags = [ "as:theme" "depth:1" ];
} }
{ name = "zdharma/fast-syntax-highlighting"; } { name = "zdharma-continuum/fast-syntax-highlighting"; }
{ name = "chisui/zsh-nix-shell"; } { name = "chisui/zsh-nix-shell"; }
]; ];
}; };
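Review bot: The rename to `zdharma-continuum/fast-syntax-highlighting` is presumably forced by the original upstream account disappearing, which is a reminder that this plugin list (zplug-style `name`/`tags` entries) is fetched from GitHub by name at shell start and is neither pinned to a revision nor hash-checked, so whoever controls that repository controls code that runs in every interactive shell. Where nixpkgs packages the plugin (`zsh-fast-syntax-highlighting` exists there), sourcing it from the store ties it to the flake lock; otherwise record the intended commit, e.g. via zplug's `at:` tag if available, alongside the existing `depth:1`. The enclosing plugin list starts and ends outside this hunk.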


@ -23,7 +23,7 @@ in
}; };
publicKeys = mkOption { publicKeys = mkOption {
description = "User SSH public keys"; description = "User SSH public keys";
type = types.listOf types.path; type = types.listOf types.str;
default = [ ]; default = [ ];
}; };
fullName = mkOption { fullName = mkOption {


@ -18,6 +18,8 @@ in
"iommu=pt" "iommu=pt"
]; ];
virtualisation.spiceUSBRedirection.enable = true;
virtualisation.libvirtd = { virtualisation.libvirtd = {
enable = true; enable = true;
qemu.ovmf.enable = true; qemu.ovmf.enable = true;
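Review bot: `virtualisation.spiceUSBRedirection.enable = true` on the added line installs a setuid helper (`spice-client-glib-usb-acl-helper`) so that unprivileged desktop users can claim USB devices for guests, which widens the host's privileged surface beyond what libvirtd alone needs. That may well be intended for this virtualisation profile, but nothing records the trade-off; a comment such as `# setuid usb-acl-helper: lets non-root users redirect USB devices into VMs` would, and the option should stay off on hosts that only run headless guests. The hunk header counts suggest a blank line was dropped in rendering, so the exact hunk end is inferred.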


@ -4,6 +4,7 @@ with final; {
sources = prev.callPackage (import ./_sources/generated.nix) { }; sources = prev.callPackage (import ./_sources/generated.nix) { };
# then, call packages with `final.callPackage` # then, call packages with `final.callPackage`
import-gtk-settings = writeShellScriptBin "import-gtk-settings" (import ./import-gtk-settings.nix final); import-gtk-settings = writeShellScriptBin "import-gtk-settings" (import ./import-gtk-settings.nix final);
#delve = writeShellScriptBin "delve" (import ./delve.nix final);
lgcl = writeShellScriptBin "lgcl" (import ./lgcl.nix final); lgcl = writeShellScriptBin "lgcl" (import ./lgcl.nix final);
mailto-mutt = writeShellScriptBin "mailto-mutt" (import ./mailto-mutt.nix final); mailto-mutt = writeShellScriptBin "mailto-mutt" (import ./mailto-mutt.nix final);
mopidy-jellyfin = import ./mopidy-jellyfin.nix final; mopidy-jellyfin = import ./mopidy-jellyfin.nix final;
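Review bot: The added `delve` line is a commented-out binding rather than code, and the `pkgs/delve.nix` it points at is added in the same change with an empty script body, so the repository now carries a half-finished package in two places with nothing saying whether it is abandoned or in progress. Either drop both until the wrapper is ready, or keep the binding live and mark the intent, e.g. `# TODO: delve wrapper — pkgs/delve.nix is still a stub, finish it before enabling`. The overlay attrset continues outside the hunk.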

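--- a/pkgs/delve.nix
+++ b/pkgs/delve.nix
@@ -0,0 +1,8 @@
+self: with self;
+let
+delve = self.delve.overrideAttrs (old: {
+meta.platforms = [ "x86_64-linux" "aarch64-linux" ];
+});
+in
+''
+''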
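Review bot: `overrideAttrs (old: { meta.platforms = [ ... ]; })` replaces the derivation's whole `meta` set with one that holds only `platforms`, since the returned attrset is merged shallowly over the old attributes; the upstream `description`, `license` and the rest are lost. The usual form is `meta = old.meta // { platforms = [ "x86_64-linux" "aarch64-linux" ]; };`. The rebound `delve` is also never referenced, because the `in` body is the empty string `'' ''`, so the file currently evaluates to an empty script; a header comment stating what the wrapper is meant to do would help whoever finishes it.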


@ -8,25 +8,16 @@ in
${if user.fullName != null then "name = ${user.fullName}" else ""} ${if user.fullName != null then "name = ${user.fullName}" else ""}
${if user.gpgKeyId != null then "signingkey = ${user.gpgKeyId}" else ""} ${if user.gpgKeyId != null then "signingkey = ${user.gpgKeyId}" else ""}
[core] [core]
editor = /etc/profiles/per-user/${config.pub-solar.user.name}/bin/nvim
excludesFile = /home/${config.pub-solar.user.name}/.config/git/global_gitignore excludesFile = /home/${config.pub-solar.user.name}/.config/git/global_gitignore
[alias] [alias]
pol = pull pol = pull
ack = -c color.grep.linenumber=\"bold yellow\"\n -c color.grep.filename=\"bold green\"\n -c color.grep.match=\"reverse yellow\"\n grep --break --heading --line-number ack = -c color.grep.linenumber=\"bold yellow\"\n -c color.grep.filename=\"bold green\"\n -c color.grep.match=\"reverse yellow\"\n grep --break --heading --line-number
# define command which will be used when "nvim"is set as a merge tool
[mergetool] [mergetool]
prompt = false prompt = false
[merge]
tool = nvim
[mergetool "nvim"]
cmd = /etc/profiles/per-user/${config.pub-solar.user.name}/bin/nvim -f -c \"Gdiffsplit!\" \"$MERGED\"
[commit] [commit]
gpgsign = true
template = ${xdg.configHome}/git/gitmessage template = ${xdg.configHome}/git/gitmessage
[tag]
gpgsign = true
[init] [init]
defaultBranch = main defaultBranch = main
[pull] [pull]
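Review bot: Removing the `gpgsign = true` lines under `[commit]` and `[tag]` turns off signing for every user built from this module while `user.signingkey` is still emitted near the top of the hunk, so a configured key silently stops being used and unsigned commits will be accepted by anything that checks signatures. If the aim is to make signing opt-in for users without a key, gate it on the same condition as the key instead of deleting it, e.g. `${if user.gpgKeyId != null then "gpgsign = true" else ""}` under both sections. The generated config string starts before this hunk.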


@ -25,7 +25,7 @@ in
]; ];
initialHashedPassword = if psCfg.user.password != null then psCfg.user.password else ""; initialHashedPassword = if psCfg.user.password != null then psCfg.user.password else "";
shell = pkgs.zsh; shell = pkgs.zsh;
openssh.authorizedKeys.keyFiles = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ]; openssh.authorizedKeys.keys = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
}; };
}; };
} }
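Review bot: The null check on the new `openssh.authorizedKeys.keys` line is dead: `publicKeys` is declared as `listOf str` with `default = [ ]` in the option hunk above, so `psCfg.user.publicKeys` cannot be `null` here and the conditional only obscures a plain assignment; `openssh.authorizedKeys.keys = psCfg.user.publicKeys;` is equivalent. The same shape on the `initialHashedPassword` line above is presumably a real check, as `password` appears to be nullable. The `users.users` block starts outside the hunk.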

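--- a/profiles/daw/default.nix
+++ b/profiles/daw/default.nix
@@ -0,0 +1,21 @@
+{ self, config, home-manager, lib, pkgs, inputs, ... }:
+let
+psCfg = config.pub-solar;
+in
+{
+# Sets nrdxp.cachix.org binary cache which just speeds up some builds
+imports = [ ../cachix ];
+config = {
+pub-solar.audio.enable = lib.mkForce true;
+musnix.enable = true;
+environment.systemPackages = with pkgs; [
+ardour
+helm
+];
+services.pipewire.jack.enable = true;
+};
+}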
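Review bot: `psCfg = config.pub-solar` in this file's `let` is never used, and the same unused binding appears in the later `profiles/work/default.nix` section; the `self`, `home-manager` and `inputs` arguments are likewise unreferenced in both. Dropping the `let … in` and trimming the argument set to `{ config, lib, pkgs, ... }:` keeps the profile readable and stops it implying a dependency on those inputs that does not exist. The cachix comment above `imports` is useful; a similar one-liner on `musnix.enable = true` naming what it tunes on the host would help whoever inherits this profile.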


@ -0,0 +1,6 @@
{ self, config, lib, pkgs, ... }:
let inherit (lib) fileContents;
in
{
hardware.enableRedistributableFirmware = true;
}


@ -0,0 +1,7 @@
{ self, config, lib, pkgs, ... }:
let inherit (lib) fileContents;
in
{
pub-solar.server.enable = true;
hardware.ksm.enable = true;
}
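Review bot: `hardware.ksm.enable = true` turns on kernel same-page merging, which deduplicates identical memory pages across every process and guest on the host; that saves memory, but shared pages are a well-known cross-VM side channel (timing of writes reveals whether a page is shared), so it is only appropriate where all workloads are mutually trusted. Record that assumption next to the option, e.g. `# KSM: dedups guest memory; acceptable only because every VM on this host is ours`, and leave it off on any server that hosts third-party guests. The `inherit (lib) fileContents` binding is unused and can go.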


@ -0,0 +1,6 @@
{ self, config, lib, pkgs, ... }:
let inherit (lib) fileContents;
in
{
pub-solar.virtualisation.enable = true;
}

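--- a/profiles/work/default.nix
+++ b/profiles/work/default.nix
@@ -0,0 +1,36 @@
+{ self, config, home-manager, lib, pkgs, inputs, ... }:
+let
+psCfg = config.pub-solar;
+in
+{
+# Sets nrdxp.cachix.org binary cache which just speeds up some builds
+imports = [ ../cachix ];
+pub-solar.docker.enable = true;
+pub-solar.nextcloud.enable = true;
+pub-solar.social.enable = true;
+pub-solar.office.enable = true;
+boot.kernelParams = [
+"systemd.unified_cgroup_hierarchy=1"
+];
+environment.systemPackages = with pkgs; [
+jetbrains.idea-community
+minicom
+openjdk11
+putty
+python39Full
+python39Packages.pyyaml
+remmina
+slack
+thunderbird
+vscode
+vscode-extensions.golang.go
+vscode-extensions.ms-python.python
+vscode-extensions.redhat.java
+wireshark
+teams
+];
+}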
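Review bot: The `boot.kernelParams` entry `systemd.unified_cgroup_hierarchy=1` duplicates what NixOS exposes as `systemd.enableUnifiedCgroupHierarchy`, and writing the raw parameter here sidesteps that option and any host that sets it differently; if the pinned nixpkgs already defaults it to true the line is redundant. Prefer `systemd.enableUnifiedCgroupHierarchy = true;` and drop the `boot.kernelParams` list so the setting participates in the module system instead of being appended to the command line. `wireshark` is added as a plain package without `programs.wireshark.enable`, so capture needs root; that is the safer default, and a comment saying so would keep it from being "fixed" later by handing out the capture capability.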


@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw wG1VH/Rd8D9VhI2nUdKN8ev8GmDTmByYojrAGXiVQ0c
Ce5LdJLYhXZxozhrFZOCCcG6DvDlzcwHUp7rsAAYMb4
-> ssh-ed25519 YFSOsg KWrIirfADk9OlVVF/SvnyE4P4JWorWhcShIWMLaYezg
kjNaCLQRKwrLKWT6H6mygsawWXas1alwf/rPbpgnIbE
-> ssh-rsa 42S2Dw
GlF0Iwkmi2IukEP4aghJLQP4QUv8Lt2qPBsysz/NIfPxtxuVgnphqmbtZ3ylKURL
iWQbDwvNG3DBQMgbFUTtLpp48yZ++ZWfVCLJxylifoo8Fk1/edOieiQxmKySFIiS
RBDjal+JFIAMQVa4i9zTJ2HolgFGioq7fsQgimjhhcTpbPWF0YgbeFlD/Bx3Uc3D
QXHkPGTWWJr8nmsBLW0erQKuT+2pTy3Yo00BmYYfaHhRSWPxaRiUvlQzqwfEJGZy
N8CWyU8JqacMQfFfMVYYNR8qHGv5p5nu9FtJPQFWz79TB0j0OaowW8VuhP70UVI1
QvZLDCv1JN4fd9TqDqgcnA
-> ssh-ed25519 iHV63A b0w5AmQtO1FWnySOYDh3JIWkiFM05WNz9M4H67GVZEM
suTrfziEta0t9iGJxx+tcvi6BzQS1NJxPmCnPBx5ViU
-> ssh-ed25519 uTVbSg rMwuqUqpr40KdbuOZnhi9Bya/Ql2F8HfZdAQvcw3JUY
vVF6J8lzQNXnHgzEMzwkcrOGSExKJmPBmuxDklQ7TGA
-> ?<GZ,~j-grease
jdlD7DImSTrtgtmVJVA+M0g9TNqUI7SSRIlpfGB8KL78WuSIvQWv2z0lpzot
--- 4h3KwWAMcJYCF/K/JGPS3cNpCbSDTC8mTerADBFy2to
æ½íÓ¤¾øë—L¸×(7ŸÉ„pÉOsTÏI³pJí2ÑkS[Ö¥/æþ@¶pyºí-¾{øFÚ0Žõ“¶ÏѲ ±%Ëà}º^<5E>Ô


@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw 4cMG8rywMIHkCJO0vbcnD46xPHZKTbUFi/bKKPLJW0c
aOmQ7lws7MIDNE7xejtcomQAtRuXjHd+VSGGy805cUk
-> ssh-ed25519 YFSOsg UnTniCyloz+bfIlKsgGvQflAOCIwdNBuKIM64ZZ7fSI
/Q6KAn80cNs38LgOxZhg9tXmAtJJKw5VpN9lfPqNuhc
-> ssh-rsa 42S2Dw
FoosAbMAGlculUJOkL+9U2Wajf80dgUY+Acd2MQDbeSR/A/hE+NOv3JtH2Sx9weD
ww2n/K5uKQhFKrTVIRn5Bp1qYnay2FIn6lz0zu1I2tqmGFCMiR+RhTnrcxFztNjQ
dYbs4F9mvCDmyn9tShTzqAxnClWCdOHkrXBuCMAg08tp5cjAPqaSMdE0wFn5Jvhg
DY5nHJWlxbZcGEhJSW2mxKb+HP4ecZ5FY0Uf4qYn/FTcKm7K80Pojg/e72XV7sq9
04dPKpa162G53BKQXCmv55L6D81YepydA0wAoeTXXfC1E+DxeWfHrsmF80qdEnBg
ZpPIRWdSBs61zqp4XavsSw
-> ssh-ed25519 iHV63A mumH3Brpcqa3t8Q495yyV9vn8AKalaf2WchgmsirN2Q
fk5iQUYBlUiq+8Nblb5H9mhJarPONiyuOG3ioknlbzk
-> ssh-ed25519 uTVbSg O5xBbchEqAsFJtU4kCZo4gqpByHNAnZO0Ik7p5fwFAM
e+adn+gDYIF2BW0N1zoHZj+/mciN60rVcCPs9OplLsE
-> ,-grease M6FrPQz + B{
QAdvJryfCY0NJ0XU5sC9D5J2KnHIxCcjBi7iFlehcB56qrdQbSPsL+ysZVqTzfQx
QjDs0lXBKqL2f0g0cWiM9Q
--- Vl5VtidJZtEk19VojwdWLaGJGsIRkvwRTjW0mdnTqiM
¾ÕT_Á‰åŸŽ%<25>Õ2ò³yÍŒWÄK¿õ²hc¤<63>eThÚ<68>ÁçX‰º š$™õ¶å×TR9;æ$


@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw tQeQac/fLw4UXYx/SXj46HPeG6oPKY4U8IJJI89Fv3c
rB6bWP8ba0kAA9qwcq81rTDgmerGORN4jAE5Usrz1tY
-> ssh-ed25519 YFSOsg W1SJl0W8oRo5ApD+40puyRae+MDhsxd6Miv6vHaeXn4
Z1xqbXD5r0Lo9XvouS967LxnxEX9arLhylZJnFLG0aM
-> ssh-rsa 42S2Dw
t48CWYrVFfH1x59IYXJtfkeONo1QPnqN6VMwVzMh0c0Vm5U2OFfAml+/6Kit4QWI
u7PASBpg+GRsQmoWC9hFJsCDiikg5NIhyBO4feSS+4Cus+8Xr9cSPjYg5EKsgoOd
+HpTrPhiNG1Wy2pE4kkxSsS5pKOcdIezU+DfqookoXALLneUIUEsaHYCmdOLwE21
yRzWxiXavQKnvabxnqISYeBK+aHNGtd8hczhnoM8oR7qTaNQwfuQoVa8te0MLTIK
EXIuev6vESPFtdo3gGJUSbmlXY9hH0tumFFgug185oJwkp745rWKM4QlFEB5fNGR
LE54GOkv9sF3+Wij/ELHAA
-> ssh-ed25519 iHV63A OOf5Cx0vckL1ve6WOzL0IAhIKasXAjodubuyKbWKv1Q
1av0Vqos3YsycBFpncCvP69RunBwCQ4oSextLvR9P+Y
-> ssh-ed25519 t1M4HQ j2B7jugQZy124AM5f0JK+id4W2TN6n4C0c/HUNFfLU8
BJr18XJI/XzFgH32nXKZb5SdBbU8raRCKL6PWgad5cs
-> QwO-grease *8]/h/ 7|S
LM23rOF57rKeWQ
--- 7xz9ru8cIHt3zksF696olmLR+vEkwDfVv0tl2stfNhM
ž´e T|,7kZ5:A džNê<IU™èÙo« °ëN‡»+w„Ho<48>âö°éÄ#NŒg©(du)̱-Sð° 4è?`Þz


@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw ZGGRZr/HOQSZ1zREl5pqPE0sftSc0CLVHiKBrJ3X938
cO/aAeVwrQp5OSAl6JTnIPfhEJmG/1rnbJAtoplTESE
-> ssh-ed25519 YFSOsg G/XSLzhX7SSsOZNWnpdLJ+m6NXyL6F/itN76CfJZzkk
sNfdi78MFpBcoAh1xPpcvWYkTWQQ2fIL6i1myHdun/U
-> ssh-rsa 42S2Dw
RuHlOwIJJhJffpJEcIpUEOX8czKVY8c+bvae1XrCSNplNV1f3CHl/WSdKfhOCC//
u1qOEiidsDxWphJu3IHjiLgTCmlnwwaISZ2bnEOkTSDNPphARrEA7JfrSyQOlZJB
Mu1qhSi5u4uGVi4Mk7TuLxCHRnjDUjDLVh96kbjiwrnAAtI/0fK64ci8rx9P1GzD
aZR1to8+uWFx3sTtr3JUA5I+azQdYb37p5ehlCrvVybcze/16oCkreSDuW88HdoD
yIXrX3tlnjJJou7LGR/s8o74ookFMT89rlkf8DXMhkPpmiUWYxCyJZ1oS6twtee2
Gwo4twB5KIHTCmryJsZ5mA
-> ssh-ed25519 iHV63A Jun3KRgZaEfE0RmefSaa8WLdMoVLhQGH0kwK9IORaSk
IlMxqMUjdhKOciC3/KTQWIBctjyW3dVHKJpWLfVT+NI
-> ssh-ed25519 w1vtTQ 0iNKMsnq32OTGYhQNz75FszXV8ePAWTPXTSra0s/WAw
4eecaT/DX9CowOod+NRva3PiSbrgmjPerTGceN+u3mg
-> @I^"ao-grease L#%xN`Bb 6l.LN ,
h77R6GmXSVnEblcP1Kxuf7kCy8DnMtAF
--- RvWj6AeYYIavoCseUazZH1lw0LFUm0mB9Ww9HeyVRio
9Aêð7oMÐqÖ#^ÍŽ3@"£Ësõõ‚‚(/Õ<>„¡-{¯ô¯§Óº„¨™[/1AY‰:¦ÉìLZ0<5A>¹üuÄE'¡ákÔVƒ/à


@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw V5crsXjhEfj2BKe5uEjccio8m1hzjvZ1u3DU16SdmVs
gxC6r8tzwj3l7SW6kn4TXinZV2ZNgKpWsiKGn56CZgE
-> ssh-ed25519 YFSOsg Q1tpXI8ilmFt3JGx5ad8SCtZRbrbR8DgGNiu7vXQ7x4
geB/YeAwQqJuLG0pf27W2FhuXm9SS2RRoqe2UaV2U4o
-> ssh-rsa 42S2Dw
KWliiGsVgLgkkY1DkKNsNtBUzfKSX820nJfLLOMBgFcil78IJz+Sw5Ns6NFLR7Xe
+o+HsUxcnLOXhDYMImR9SALYL6TwLdqp1C+LAQ8HXri35IyERU2uqMXdkzYREn4f
4c4JlCbtCy6F+8nFy0OkK/VtV/yoBpnDMtjDk9wdHYBouSGX91/8QwNUu1L0m0V1
dvYVjk/tCPDsk3TYGFAR7lG328jt3khqVAV+rcvwwTPzD+jBCkbyGCFQ5N3xZBGI
Wa3xMB+P9ojv4XAfde0eK+6N0uPvoMvnmPGguJTXiaCEgw8K/ILV6PuhkSyo4Wea
EytCf4k42l7wjwG4LWFWZA
-> ssh-ed25519 iHV63A o/IPrEtX8l4ZWCcC/yJWGRUAPDPX7vMJKBvm7ngWRjE
YoXHRtVmNXlxJ4uJqs7jNW/2pBnjMroj1AlLiERLQGk
-> ssh-ed25519 uTVbSg WF+8m47L2GWewOEK36k3g+Ozv1JC20cfswQ0ksbhhzs
w5qbtYBfnrKOB4/ZTiD8Qsd42NibKcgbL9AYQKx9bnM
-> y-grease y>]"'a W "
w265AhhbaGNvdOMRX4xs+w
--- /proerdf6QHIKGNWA0vTE+ZPNuvbJBGhpMEt0DscFgQ
™m±çd¾]©ÙˆËÔG±<0F>(n˜ïÁ¨hø¹»ÅLARR¯ä°ÎëjMÞU <56>%ÈMÐ^þ ©oÐJ<E280B9>ê QîÿD<C3BF>­nÁŒ


@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw gEHEUHodm0u6YauWsDFycNYfBlNEncGz6cGiFVbMSQw
eb/YlV8CeU2GZaoREi8n4CB6O+bltLjwARBh1SvPHuU
-> ssh-ed25519 YFSOsg oObR84uRNYEhcbdILnSni61pMzaNQcbMSV8CMdUFCVs
hZeKavP58fmaxjpZwHDSNf2QnUqn5GqeSx/MVbWM8w0
-> ssh-rsa 42S2Dw
W/0mcDisoN/RoEshQ0gDmmYZTfSG3BRAq/PsXT9Xt0mahAqZumfdysT9T2Wkso5O
2SKVvJvP2YAGNs+d/+lnn5/I8f7qlx6K0oQ1e72Y9ZNmoxgZmL3h2jBR3x+GfgG8
Qp57nfvoF4js2JyC2MSUm3CjOppxDN/BM2v5qOTuPB5/K3bPOP1iBdENH71f9d64
PK/7HZA1BTtn4jOWYQ52BZIcOjiA9JoVO6HFvB7d5UobasbbXDhO6ZgZ3aWdsDE4
/0S099FWbvzTk8aITl5qSphQy0Pgp+yeTobx1Hn/b6vokoNIwaMZniOVd1mS0CuU
DL8SGpuQUeOl+27sstHfUw
-> ssh-ed25519 iHV63A 34vhrBbCb4J5xzjoa9o4hWokszJER12Pfd/s8RGxfg4
2p8SUyhXdks06NJPZMkbKcdsn+YB3+/Ksaipc72mBvg
-> ssh-ed25519 AsPNJg bAYRIQICTPeVri4/qkBBedxmm08TNoBMseEauYtTkX8
ZeNmjU+oG4qYSMREtv7QdbRLf3SAmdHnX63eiHjvcOU
-> J._|'iH-grease VaQ1S' W7^S -r HJ'
KbnGq5EUW0HcQ4v7n8Gh/4R/Y55bXYOuSPNt2jXTbog
--- Bk+tEcikn4Gd90ou6llBA1nYq+mRGdfB1TaJvIOYEaw
×ÎML—ã7|2žÌF'ZžoàÁZ<C381>{ÿ¯?°J,—®âµ×ÜžmíÈñ\G­´†RœaaÁ<61>\tñùäŠ<Àìâë5<C3AB><35>Ú


@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw B7i7cir4NIqIxeuwN7lBZiHLaLDNwSD5ZJLs0iYidDo
fmj7NzNi4DT805TlhjtyMXa1dcu7rGVIllQG4ALtJdo
-> ssh-ed25519 YFSOsg SpldcBYdyAYW4W+U4JrgkcA8Y5+YnPjW78OISjviDz8
Czi1SkmtvFmko+fP2hdCanpWJKpo/KndE/MI8BcJVxQ
-> ssh-rsa 42S2Dw
EvIS2maHrEa4Qyhrp3TJ/LULJkdCixIEcvI2HS9SUhVRIJS6jpY/Z+pW+XZqxEgk
P7sp1CjRsjRZ4RZsgBUsgdO4mRnUtSkrTTLzrS84d3QG1QfjQphtF/BSt2+8t1nw
S/XVZWu/LyFb8Z3TbhVkf3vx7ujIBwjdFj+LiUmEYwB4o57MWKH9aCcvyMLZF4Ne
AltRXfkGkEVt7Yn0iKwb8yHaqMPa5CjfjDP9ybLp/my08/pZEQTVduKe/Q6p09DM
8gEF1uVM+3BxXf7yAvt8fW80Hgm21VnYUq0h6exDZaaf0wLPOh0kRnN1MDqK2tjO
uxre1sro1ZQx5CPCXD4ICQ
-> ssh-ed25519 iHV63A Toc315/VlOneCwbLzcp2fDqHZSMDNtSprquR3BOVfAg
ZeEZEdla/o/sAa7Tbh4NY5qqrNkWfHqpbvUokSofC5A
-> ssh-ed25519 AsPNJg ui5FmbBKlKQ69R38yqlFURrMBTX1n7ysQP7mBo9SSRQ
c7dp6ewRp/5rHThk/oGcaaCxNwmBWTcfVSK4IrHJh2M
-> ssh-ed25519 w1vtTQ 7ToJvl/p9DzxX0v/b7nNOIfdgyb85Ja6862Tw2HLLyo
PkEaeBdx60i9mX6t5Ue5PeabY4COffefCSt65H5hRxU
-> ssh-ed25519 t1M4HQ 14NmP2HdhTouv66lkTKPEKh7HANgEUIek8FA8wAntSU
ZZ+Mc8m/Pb16Vbxc9bOZtXJ+0ZXv/YiV30LiKra55cM
-> ssh-ed25519 uTVbSg 1151u2eVy3izoghgXS1zPukpbSiZo6Mc+JTtCNqrqxE
5NGufz7+RjYTy4gUfAHjV/g8VdF5FxPcB3GUzafotn8
-> ssh-ed25519 4eCLig NAsWZu3MFuCEgi/Fm+2kB04A8ZckvTP5ueLjB2NKZDg
5DKhLww7UKvOxPveJTtuc7jGk/9cypM9UadP1A8C6Ko
-> t-grease > 8z4 `,R~f.lb
K0DjBt5R459zTRkIA58mcIYl+Na5m+1SIXbezHjWZy2q1cIX8L331Du4SE6/UCCR
e3Q
--- ZjP/FefBuH6f+bEQpgqeiL3Uj+f9AbSCVRQni7pYyjQ
6{…Ï{;5%·n@~óNóÖn!EÏ·A&âí ¯`v‰¶-ÃË5©Æ{œîžï P
Í8'ém7p‡â1 bàn¾¬#ö0"çí=~àÉê"—¶Ã}ç@Ô89eB Á°
/¹*´ìUo <”šî.£ñEå)t2fX¶o9FüQG)çÞù


@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw zHWVBLJi1r1M3C/3Xf1rCOOXhjihjYuF4f0ZsRo4dWI
sB14DJ0gjz2Z9+oJG/RBAl5GJ31NOjUJmpSvKwmkEVU
-> ssh-ed25519 YFSOsg RHtbqm+jWVTkXqyTWRblggdgfbp2OOJmCqieDhI4+HI
0lc7kKOQL3Abo8UyjXfRHvDcq+dOvPe0q7izfycZkj8
-> ssh-rsa 42S2Dw
QnOc7ZIigTURoIjglNY64KzZh8QbhE2TbioIP88F9OztV/1umy5hniBNYrE3grd2
+nQSdBEHsHKgyElC3VvdKQ9RvzrbrDHnNt4oBgmH70KfAQzH1wehOvofcNMlu0+B
0ddUjo9BEf5VtxKY4fdUFLoROBv/rIMCuCR69NE4KfS/Cl7I+saWUOzoRVcZKsBc
XmYYCTDezlVOT0dtoRDJT0PBimXQZ+3D9Fj7VKUOobggUiQBOH7irvpKy/JFG6+0
C5CRDZKPp4XOKfz/XAqIxbkyzxF6ZRpmXz+QJhHXTCJfWdRMfUl45YO5r/fX6ybV
vqZnYo4ytlZtIaoe0ipFJQ
-> ssh-ed25519 iHV63A WkP5FVc9iS9OEQMr2E+ewVvBS1ppHnuCWqGTvdvBY38
kxdQm6sXkGlFId0KEoMqcbyXII5G1En0g9I6WObwNpk
-> ssh-ed25519 4eCLig /lrGyo78vdS92cFFs3aS8R/BcM+QDLspab0ftIZU9WE
+rvfUcml+WEDzZ9B6WbSvfwh+ceHygGIvHsw4UME94k
-> u\-grease JD#pg \__| M\j|M
9RN98je/hB0
--- JoemHAPRRKWcsEMIOEU1Cq8AyPFTtz3qYqCgyeonyrs
"©´S¹Ðnq­RÈvKRËUsF+“ÓE„ôë³}•Ý»^)ªxôx\_´S'ÔÍ Ð/í¶2ô•àbxùÃ]Srôõ‡„Ø„çï ÙñØÈ


@ -1,9 +1,33 @@
let let
# set ssh public keys here for your system and user # set ssh public keys here for your system and user
system = ""; user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
user = "";
allKeys = [ system user ]; user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOLyNmSzxVpVQtTWhkH48e03nFDdskE08N4L81MZcLZ root@nixos";
system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNr7q7eAkROtdvTmw96Q5tZu9W4jt31OCjc6L8uM5Uv root@nixos";
system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjIyVeAPsIpUTsB5bPEjmJeRFN8Xp3PD9a/41yPp3HM root@nixos";
system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ];
allKeys = users ++ systems_home_controller;
in in
{ {
"secret.age".publicKeys = allKeys; "home_controller_giggles_wireguard_key.age".publicKeys = users ++ [ system_giggles ];
"home_controller_cox_wireguard_key.age".publicKeys = users ++ [ system_cox ];
"home_controller_companion_wireguard_key.age".publicKeys = users ++ [ system_companion ];
"home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
"home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];
"home_controller_k3s_server_token.age".publicKeys = users ++ systems_home_controller;
} }
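Review bot: Every host secret, including each `home_controller_*_wireguard_key.age` and the shared `home_controller_k3s_server_token.age`, is encrypted to all four keys in `users`, so a compromise of any one user device — the `hensoko-tp-work` laptop key included — exposes the private WireGuard key of every host and the cluster join token. If a single recovery recipient is enough, the apparently hardware-backed `user_hensoko_nitrokey_1` (per its `cardno:` comment) is the natural choice: `admins = [ user_hensoko_nitrokey_1 ];` and `publicKeys = admins ++ [ system_cube ];` per entry, with the other keys limited to the secrets they actually need. `allKeys` on the new side is no longer referenced by any entry, and the five identical `root@nixos` comments on the `system_*` keys would be easier to audit if each carried its hostname. The `let` block begins at the top of this hunk.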


@ -0,0 +1,3 @@
input * {
xkb_layout us(intl)
}

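--- a/users/hensoko/default.nix
+++ b/users/hensoko/default.nix
@@ -0,0 +1,29 @@
+{ config, hmUsers, pkgs, lib, ... }:
+let
+psCfg = config.pub-solar;
+in
+{
+imports = [
+./home.nix
+];
+config = {
+home-manager.users = { inherit (hmUsers) hensoko; };
+pub-solar = {
+user = {
+name = "hensoko";
+description = "hensoko";
+password = "$6$BBUvcGQBFBjBmRLw$VQgMxaVPInM0S/nr3rkWvCvzlI/oSZ0Kj8wb25k4Fx6aHJkxYzurXh4deslVgGKvz0O2LScBamt7M2pV81EWx0";
+fullName = "Hendrik Sokolowski";
+email = "hensoko@gssws.de";
+publicKeys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135"
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
+];
+};
+};
+};
+}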
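Review bot: `password` on the new side is a literal `$6$` crypt hash committed to the repository (the identical hash is repeated in the later `hensoko_iot` user section), so anyone with read access to the repo can mount an offline guess against it, and rotating it means a new commit in two places. Since the repository already manages agenix secrets, move the hash into an `.age` file and feed it through `users.users.<name>.passwordFile` — or give the `pub-solar.user` module a `passwordFile` option next to the existing `initialHashedPassword` plumbing — and keep a single source for both user definitions. The `publicKeys` list is the same four keys as `users` in `secrets.nix`; sharing one `let` would keep them from drifting apart. The `psCfg` binding is unused.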

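--- a/users/hensoko/home.nix
+++ b/users/hensoko/home.nix
@@ -0,0 +1,95 @@
+{ config, pkgs, lib, self, ... }:
+with lib;
+let
+psCfg = config.pub-solar;
+xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+imports = [ ];
+services.fwupd.enable = true;
+pub-solar.graphical.autologin.enable = false;
+security.sudo.extraRules = [
+{
+users = [ "${psCfg.user.name}" ];
+commands = [
+{
+command = "ALL";
+options = [ "NOPASSWD" ];
+}
+];
+}
+];
+home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
+xdg.configFile = mkIf psCfg.sway.enable {
+"sway/config.d/10-input-language.conf".source = ./.config/sway/config.d/input-language.conf;
+};
+home.packages = with pkgs; [
+dig
+fping
+htop
+keepassxc
+ncdu
+sysstat
+tig
+thunderbird
+wakeonlan
+wlr-randr
+];
+programs.ssh = {
+enable = true;
+matchBlocks = {
+"hsha" = {
+hostname = "192.168.42.5";
+user = "root";
+port = 2222;
+};
+"media" = {
+hostname = "192.168.42.11";
+user = "root";
+port = 2222;
+};
+"ringo" = {
+hostname = "192.168.42.231";
+user = "hensoko";
+port = 22;
+};
+"giggles" = {
+hostname = "192.168.42.232";
+user = "hensoko";
+port = 22;
+};
+"norman" = {
+hostname = "192.168.42.233";
+user = "hensoko";
+port = 22;
+};
+"cox" = {
+hostname = "192.168.42.234";
+user = "hensoko";
+port = 22;
+};
+"cube" = {
+hostname = "80.244.242.2";
+user = "hensoko";
+port = 2222;
+};
+"mail" = {
+hostname = "mail.gssws.de";
+user = "root";
+port = 2222;
+};
+"git" = {
+hostname = "git.gssws.de";
+user = "git";
+port = 2222;
+};
+};
+extraConfig = "PubKeyAcceptedKeyTypes +ssh-rsa";
+};
+};
+}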
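Review bot: `extraConfig = "PubKeyAcceptedKeyTypes +ssh-rsa"` re-enables SHA-1 RSA signatures for every host this user connects to rather than only the one that still needs them, and it uses the legacy spelling of the keyword (current OpenSSH calls it `PubkeyAcceptedAlgorithms`). Scope it to the offending entry with `extraOptions = { PubkeyAcceptedAlgorithms = "+ssh-rsa"; };` inside that `matchBlocks` item, and retire the `ssh-rsa` key listed in `users/hensoko/default.nix` once the old host is gone. Separately, the `security.sudo.extraRules` entry grants `ALL` with `NOPASSWD` on every host that imports this file (the same rule appears in the later `hensoko_iot` home.nix section); if passwordless sudo is only needed on some machines, gate it there, otherwise a comment stating why it is acceptable would help. The `xdg` binding in the `let` is unused.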


@ -0,0 +1,29 @@
{ config, hmUsers, pkgs, lib, ... }:
let
psCfg = config.pub-solar;
in
{
imports = [
./home.nix
];
config = {
home-manager.users = { inherit (hmUsers) hensoko_iot; };
pub-solar = {
user = {
name = "hensoko";
description = "hensoko";
password = "$6$BBUvcGQBFBjBmRLw$VQgMxaVPInM0S/nr3rkWvCvzlI/oSZ0Kj8wb25k4Fx6aHJkxYzurXh4deslVgGKvz0O2LScBamt7M2pV81EWx0";
fullName = "Hendrik Sokolowski";
email = "hensoko@gssws.de";
publicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
];
};
};
};
}
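Review bot: `home-manager.users = { inherit (hmUsers) hensoko_iot; }` registers a home-manager user named `hensoko_iot`, while `pub-solar.user.name` below is `"hensoko"` and the matching home.nix targets `psCfg.user.name`; if `hmUsers.hensoko_iot` is meant to be the home-manager profile for the `hensoko` account, the attribute name has to be the account name, e.g. `home-manager.users.hensoko = hmUsers.hensoko_iot;`, otherwise home-manager will look for a system user `hensoko_iot` that this file never creates. This is inferred from the two names visible here; confirm against how `hmUsers` is assembled in the flake. The `psCfg` binding in the `let` is unused.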


@ -0,0 +1,39 @@
{ config, pkgs, lib, self, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [ ];
pub-solar.graphical.autologin.enable = false;
security.sudo.extraRules = [
{
users = [ "${psCfg.user.name}" ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
environment.systemPackages = [
grml-zsh-config
];
home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
home.packages = with pkgs; [
dig
fping
htop
ncdu
sysstat
tig
wakeonlan
];
};
}
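Review bot: `environment.systemPackages = [ grml-zsh-config ];` references `grml-zsh-config` as a bare identifier with no `with pkgs;` in front of it (the `home.packages` list further down does have one), so evaluating this profile should fail with an undefined-variable error; write `environment.systemPackages = [ pkgs.grml-zsh-config ];`. The `xdg` binding and the `self` argument are unused here, as in the other home.nix.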