Update nixpkgs 2025-08-27-01-03

pkgs/bijwerken-*,modules/bijwerken: Consolidate system update management and refactor under the same name
profiles/common-nix: Remove guests group from trusted nix users
2025-08-27 03:04:06 +02:00 · 2025-08-17 21:49:24 +02:00 · 2025-08-17 20:02:34 +02:00 · 2025-08-17 19:05:22 +02:00 · 2025-08-17 10:39:01 +02:00 · 2025-08-17 10:17:43 +02:00
59 changed files with 1399 additions and 1096 deletions
--- a/configuration/desktop/audio.nix
+++ b/configuration/desktop/audio.nix
@@ -1,26 +0,0 @@
-{ pkgs, ... }:
-
-{
-
-  services.pulseaudio.enable = false;
-
-  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa = {
-      enable = true;
-      support32Bit = true;
-    };
-    pulse = {
-      enable = true;
-    };
-    configPackages = [
-      pkgs.pipewire-all-bluetooth
-    ];
-  };
-
-  environment.systemPackages = with pkgs; [
-    helvum # pipewire routing gui
-  ];
-
-}
--- a/configuration/desktop/default.nix
+++ b/configuration/desktop/default.nix
@@ -1,19 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./audio.nix
-    ./firmware.nix
-    ./fonts.nix
-    ./gnome.nix
-    ./inputs.nix
-    ./networking.nix
-    ./polkit.nix
-    ./power.nix
-    ./printing.nix
-    ./ssh.nix
-    ./xserver.nix
-  ];
-
-  security.sudo.wheelNeedsPassword = true;
-}
--- a/configuration/desktop/firmware.nix
+++ b/configuration/desktop/firmware.nix
@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-
-  services.fwupd.enable = true;
-
-}
--- a/configuration/desktop/fonts.nix
+++ b/configuration/desktop/fonts.nix
@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-
-{
-
-  fonts.enableDefaultPackages = true;
-  fonts.packages = with pkgs; [
-    roboto
-    roboto-mono
-    noto-fonts
-    noto-fonts-emoji
-    comfortaa
-  ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
-}
--- a/configuration/desktop/gnome.nix
+++ b/configuration/desktop/gnome.nix
@@ -1,61 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.gnome = {
-    localsearch.enable = false;
-    tinysparql.enable = false;
-  };
-
-  environment.gnome.excludePackages = with pkgs; [
-    baobab
-    epiphany
-    gnome-calendar
-    gnome-clocks
-    gnome-console
-    gnome-contacts
-    gnome-logs
-    gnome-maps
-    gnome-music
-    gnome-tour
-    gnome-photos
-    gnome-weather
-    gnome-connections
-    simple-scan
-    yelp
-    geary
-  ];
-
-  environment.systemPackages = with pkgs; [
-    evolution
-    gnome-terminal
-    gnome-tweaks
-  ];
-
-  services.gnome.evolution-data-server.enable = true;
-
-  programs.dconf.profiles = {
-    user.databases = [
-      {
-        settings = {
-          "org/gnome/desktop/calendar" = {
-            show-weekdate = true;
-          };
-          "org/gnome/desktop/interface" = {
-            enable-hot-corners = false;
-            show-battery-percentage = true;
-          };
-          "org/gnome/desktop/notifications" = {
-            show-in-lock-screen = false;
-          };
-          "org/gnome/desktop/sound" = {
-            event-sounds = false;
-          };
-          "org/gnome/gnome-system-monitor" = {
-            network-in-bits = true;
-            network-total-in-bits = true;
-          };
-        };
-      }
-    ];
-  };
-}
--- a/configuration/desktop/inputs.nix
+++ b/configuration/desktop/inputs.nix
@@ -1,43 +0,0 @@
-{ ... }:
-
-{
-  programs.dconf.profiles = {
-    user.databases = [
-      {
-        settings = {
-          "org/gnome/desktop/peripherals/touchpad" = {
-            disable-while-typing = false;
-            edge-scrolling-enabled = false;
-            natural-scroll = true;
-            tap-to-click = true;
-            two-finger-scrolling-enabled = true;
-          };
-          "org/gnome/settings-daemon/plugins/media-keys" = {
-            custom-keybindings = [
-              "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
-            ];
-            mic-mute = [ "<Control>Print" ];
-          };
-          "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
-            name = "Terminal";
-            binding = "<Primary><Alt>t";
-            command = "gnome-terminal";
-          };
-        };
-      }
-    ];
-    gdm.databases = [
-      {
-        settings = {
-          "org/gnome/desktop/peripherals/touchpad" = {
-            disable-while-typing = false;
-            edge-scrolling-enabled = false;
-            natural-scroll = true;
-            tap-to-click = true;
-            two-finger-scrolling-enabled = true;
-          };
-        };
-      }
-    ];
-  };
-}
--- a/configuration/desktop/networking.nix
+++ b/configuration/desktop/networking.nix
@@ -1,14 +0,0 @@
-{ ... }:
-
-{
-
-  networking.networkmanager.settings = {
-    connectivity = {
-      uri = "http://ping.clerie.de/nm-check.txt";
-    };
-    global-dns = {
-      searches = "net.clerie.de";
-    };
-  };
-
-}
--- a/configuration/desktop/polkit.nix
+++ b/configuration/desktop/polkit.nix
@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-
-  security.polkit.enable = true;
-
-}
--- a/configuration/desktop/power.nix
+++ b/configuration/desktop/power.nix
@@ -1,42 +0,0 @@
-{ lib, config, ... }:
-
-{
-  boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
-  services.logind = {
-    lidSwitch = "suspend-then-hibernate";
-  };
-  systemd.sleep.extraConfig = ''
-    HibernateDelaySec=30m
-  '';
-
-  services.upower = {
-    percentageLow = 20;
-    percentageCritical = 10;
-    percentageAction = 8;
-  };
-
-  programs.dconf.profiles = {
-    user.databases = [
-      {
-        settings = {
-          "org/gnome/settings-daemon/plugins/power" = {
-            power-button-action = "hibernate";
-            power-saver-profile-on-low-battery = false;
-            sleep-inactive-ac-type = "nothing";
-          };
-        };
-      }
-    ];
-    gdm.databases = [
-      {
-        settings = {
-          "org/gnome/settings-daemon/plugins/power" = {
-            power-button-action = "hibernate";
-            power-saver-profile-on-low-battery = false;
-            sleep-inactive-ac-type = "nothing";
-          };
-        };
-      }
-    ];
-  };
-}
--- a/configuration/desktop/printing.nix
+++ b/configuration/desktop/printing.nix
@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-  services.printing.enable = true;
-  services.avahi.enable = true;
-  services.avahi.nssmdns4 = true;
-}
--- a/configuration/desktop/ssh.nix
+++ b/configuration/desktop/ssh.nix
@@ -1,33 +0,0 @@
-{ pkgs, ... }:
-
-{
-
-  profiles.clerie.gpg-ssh.enable = true;
-
-  programs.gnupg.agent = {
-    pinentryPackage = pkgs.pinentry-gtk2;
-  };
-
-  # Do not disable ssh-agent of gnome-keyring, because
-  # gnupg ssh-agent can't handle normal SSH keys properly
-  /*
-  # Disable ssh-agent of gnome-keyring
-  nixpkgs.overlays = [
-    (final: prev: {
-      gnome = prev.gnome // {
-        gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
-          mkdir -p $out
-
-          # Symlink all gnome-keyring binaries
-          ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
-
-          # Disable autostart for ssh
-          rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-          cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-          echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-        '';
-      };
-    })
-  ];
-  */
-}
--- a/configuration/desktop/xserver.nix
+++ b/configuration/desktop/xserver.nix
@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.xserver.enable = true;
-  services.displayManager.gdm.enable = true;
-  services.desktopManager.gnome.enable = true;
-
-  services.xserver.excludePackages = with pkgs; [
-    xterm
-  ];
-}
--- a/flake.lock
+++ b/flake.lock
@@ -646,11 +646,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1753549186,
-        "narHash": "sha256-Znl7rzuxKg/Mdm6AhimcKynM7V3YeNDIcLjBuoBcmNs=",
+        "lastModified": 1756125398,
+        "narHash": "sha256-XexyKZpf46cMiO5Vbj+dWSAXOnr285GHsMch8FBoHbc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "17f6bd177404d6d43017595c5264756764444ab8",
+        "rev": "3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5",
        "type": "github"
      },
      "original": {
--- a/hosts/dn42-il-gw1/configuration.nix
+++ b/hosts/dn42-il-gw1/configuration.nix
@@ -237,7 +237,7 @@
    ];
  };

-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    autoUpgrade = true;
  };

--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@@ -111,7 +111,7 @@
    '';
  };

-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    autoUpgrade = true;
    startAt = "*-*-* 06:22:00";
  };
--- a/hosts/dn42-il-gw6/configuration.nix
+++ b/hosts/dn42-il-gw6/configuration.nix
@@ -105,7 +105,7 @@
    '';
  };

-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    autoUpgrade = true;
    startAt = "*-*-* 07:22:00";
  };
--- a/hosts/dn42-ildix-clerie/configuration.nix
+++ b/hosts/dn42-ildix-clerie/configuration.nix
@@ -161,7 +161,7 @@
  }
  '';

-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    autoUpgrade = true;
  };

--- a/hosts/dn42-ildix-service/configuration.nix
+++ b/hosts/dn42-ildix-service/configuration.nix
@@ -70,7 +70,7 @@

  networking.firewall.allowedTCPPorts = [ 80 443 ];

-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    autoUpgrade = true;
  };

--- a/hosts/krypton/configuration.nix
+++ b/hosts/krypton/configuration.nix
@@ -5,8 +5,6 @@
    [
      ./hardware-configuration.nix

-      ../../configuration/desktop
-
      ./android.nix
      ./backup.nix
      ./etesync-dav.nix
@@ -15,6 +13,8 @@
      ./programs.nix
    ];

+  profiles.clerie.desktop.enable = true;
+
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/hosts/krypton/programs.nix
+++ b/hosts/krypton/programs.nix
@@ -14,7 +14,7 @@

    tio
    xournalpp
-    onlyoffice-bin
+    libreoffice

    krita
    inkscape
--- a/hosts/monitoring-3/dashboards/home.json
+++ b/hosts/monitoring-3/dashboards/home.json
@@ -0,0 +1,77 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 10,
+  "links": [],
+  "panels": [
+    {
+      "fieldConfig": {
+        "defaults": {},
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 11,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "includeVars": false,
+        "keepTime": false,
+        "maxItems": 10,
+        "query": "",
+        "showFolderNames": true,
+        "showHeadings": false,
+        "showRecentlyViewed": false,
+        "showSearch": true,
+        "showStarred": false,
+        "tags": []
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "title": "Dashboards",
+      "type": "dashlist"
+    }
+  ],
+  "preload": false,
+  "refresh": "",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-6h",
+    "to": "now"
+  },
+  "timepicker": {
+    "hidden": true
+  },
+  "timezone": "browser",
+  "title": "Home",
+  "uid": "OqTN9p2nz",
+  "version": 1
+}
--- a/hosts/monitoring-3/dashboards/nginx-exporter.json
+++ b/hosts/monitoring-3/dashboards/nginx-exporter.json
@@ -0,0 +1,355 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 16,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Total requests",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "legendFormat": "{{server_name}}: {{method}}",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Status codes",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 10
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "legendFormat": "{{server_name}}: HTTP {{status}}",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Response codes",
+      "type": "timeseries"
+    }
+  ],
+  "preload": false,
+  "refresh": "30s",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "text": "All",
+          "value": [
+            "$__all"
+          ]
+        },
+        "definition": "label_values(nginxlog_http_response_count_total,server_name)",
+        "includeAll": true,
+        "label": "vHost",
+        "multi": true,
+        "name": "server_name",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(nginxlog_http_response_count_total,server_name)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-3h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "browser",
+  "title": "Nginx Exporter",
+  "uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
+  "version": 7
+}
--- a/hosts/monitoring-3/dashboards/nixos-status.json
+++ b/hosts/monitoring-3/dashboards/nixos-status.json
@@ -0,0 +1,135 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 15,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "continuous-RdYlGr"
+          },
+          "custom": {
+            "axisPlacement": "auto",
+            "fillOpacity": 70,
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineWidth": 0,
+            "spanNulls": false
+          },
+          "mappings": [
+            {
+              "options": {
+                "0": {
+                  "index": 1,
+                  "text": "mismatch"
+                },
+                "1": {
+                  "index": 0,
+                  "text": "sync"
+                }
+              },
+              "type": "value"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "red"
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 23,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "alignValue": "left",
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "mergeValues": true,
+        "rowHeight": 0.9,
+        "showValue": "auto",
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "builder",
+          "expr": "nixos_current_system_is_sync",
+          "legendFormat": "{{instance}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Config is Sync",
+      "type": "state-timeline"
+    }
+  ],
+  "preload": false,
+  "refresh": "5m",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-7d",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "NixOS Status",
+  "uid": "W4j3nz1Vz",
+  "version": 3
+}
--- a/hosts/monitoring-3/dashboards/smokeping.json
+++ b/hosts/monitoring-3/dashboards/smokeping.json
@@ -0,0 +1,211 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 11,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 22,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "code",
+          "exemplar": true,
+          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
+          "interval": "",
+          "legendFormat": "IPv6 {{target}} ({{instance}})",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "code",
+          "exemplar": true,
+          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
+          "hide": false,
+          "interval": "",
+          "legendFormat": "IPv4 {{target}} ({{instance}})",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Smokeping",
+      "type": "timeseries"
+    }
+  ],
+  "preload": false,
+  "refresh": "",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "text": "All",
+          "value": "$__all"
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "PBFA97CFB590B2093"
+        },
+        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
+        "includeAll": true,
+        "label": "Target:",
+        "multi": true,
+        "name": "target",
+        "options": [],
+        "query": {
+          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
+          "refId": "StandardVariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      },
+      {
+        "current": {
+          "text": [
+            "All"
+          ],
+          "value": [
+            "$__all"
+          ]
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "PBFA97CFB590B2093"
+        },
+        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
+        "includeAll": true,
+        "label": "Instance:",
+        "multi": true,
+        "name": "instance",
+        "options": [],
+        "query": {
+          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
+          "refId": "StandardVariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-30m",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Smokeping",
+  "uid": "IytTVZL7z",
+  "version": 9
+}
--- a/hosts/monitoring-3/prometheus.nix
+++ b/hosts/monitoring-3/prometheus.nix
@@ -52,6 +52,12 @@ let
    attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
    monitoringHosts);

+  nginxlogMonitoringTargets = mapAttrsToList (name: host:
+    "${host.config.networking.hostName}.mon.clerie.de:9117")
+    (filterAttrs (name: host:
+    attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
+    monitoringHosts);
+
  eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));

 in {
@@ -104,6 +110,21 @@ in {
          relabelAddressToInstance
        ];
      }
+      {
+        job_name = "alertmanager";
+        scrape_interval = "20s";
+        scheme = "http";
+        static_configs = [
+          {
+            targets = [
+              "monitoring-3.mon.clerie.de:9093"
+            ];
+          }
+        ];
+        relabel_configs = [
+          relabelAddressToInstance
+        ];
+      }
      {
        job_name = "node-exporter";
        scrape_interval = "20s";
@@ -521,12 +542,24 @@ in {
          }
        ];
      }
+      {
+        job_name = "nginxlog-exporter";
+        scrape_interval = "20s";
+        static_configs = [
+          {
+            targets = nginxlogMonitoringTargets;
+          }
+        ];
+        relabel_configs = [
+          relabelAddressToInstance
+        ];
+      }
    ];
    alertmanagers = [
      {
        static_configs = [ {
          targets = [
-            "[::1]:9093"
+            "monitoring-3.mon.clerie.de:9093"
          ];
        } ];
      }
--- a/hosts/monitoring-3/rules.yml
+++ b/hosts/monitoring-3/rules.yml
@@ -89,9 +89,24 @@ groups:
      description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
  - alert: NadjaTopIPv4ProxyBroken
    expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
-    for: 5m
+    for: 15m
    labels:
      severity: critical
    annotations:
      summary: "blog.nadja.top unreachable via IPv4"
      description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
+  - alert: AlertmanagerNotificationRequestsFailed
+    expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
+    labels:
+      severity: critical
+    annotations:
+      summary: "Too many notification requests failed"
+      description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
+  - alert: FemSocialDown
+    expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      summary: "fem.social unavailable via HTTP"
+      description: "fem.social is not fully reachable via HTTP"
--- a/hosts/nonat/configuration.nix
+++ b/hosts/nonat/configuration.nix
@@ -41,7 +41,7 @@

  networking.firewall.allowedUDPPorts = [];

-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    autoUpgrade = true;
  };

--- a/hosts/porter/configuration.nix
+++ b/hosts/porter/configuration.nix
@@ -58,7 +58,7 @@
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [];

-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    autoUpgrade = true;
  };

--- a/hosts/storage-2/configuration.nix
+++ b/hosts/storage-2/configuration.nix
@@ -52,7 +52,7 @@
    };
  };

-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    autoUpgrade = true;
  };

--- a/hosts/web-2/blocked-prefixes.txt
+++ b/hosts/web-2/blocked-prefixes.txt
@@ -1,862 +1,195 @@
 ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4100::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4101::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4102::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4103::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:1000::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:1800::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:2000::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:2000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:2800::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:3000::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:3000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:3800::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:4000::/37 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:4800::/37 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4000::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4000:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4001::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4001::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4001:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4002::/33 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4002:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4004::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4004::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4004:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4005::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4005::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4005:8000::/33 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1000::/45 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1000::/47 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1000::/44 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1002::/47 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1008::/45 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1010::/45 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1010::/44 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1018::/45 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1020::/45 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1028::/45 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4007::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4007:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4009::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4009:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400b::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400b:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/40 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/41 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:80::/41 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:100::/41 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:100::/40 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:180::/41 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:f00::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:f01::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:ffff::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400d::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400d::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400d:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400e::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400e::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400e:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400f::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400f::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400f:8000::/33 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4011::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4011:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4013::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4013:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4014::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4014:8000::/33 -j nixos-fw-refuse
 iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.141.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.36.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.36.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.37.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.38.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.38.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.39.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.40.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.40.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.42.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.44.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.44.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.46.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.64.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.240.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.80.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.88.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.96.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.104.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.226.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.0.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.128.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.144.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.160.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.164.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.176.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.184.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.192.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.251.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.252.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.253.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.214.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.214.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.214.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.160.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.162.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.168.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.169.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.69.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.148.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.217.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.217.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.217.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.218.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.218.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.218.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.219.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.219.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.219.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.219.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.116.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.147.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.229.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.8.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.184.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.188.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.192.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.200.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.208.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.216.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.8.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.16.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.24.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.32.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.64.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.64.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.80.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.80.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.88.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.112.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.192.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 14.1.115.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.91.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.91.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.2.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.3.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.4.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.5.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.8.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.9.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.10.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.11.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.20.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.21.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.22.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.23.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.24.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.25.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.28.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.29.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.32.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.33.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.34.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.35.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.66.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.67.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.68.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.69.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.70.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.71.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.72.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.73.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.74.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.75.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.80.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.81.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.84.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.85.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.96.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.97.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.100.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.101.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.98.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.98.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.98.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.99.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.99.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.99.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.100.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.101.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.104.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.105.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.108.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.108.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.52.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.52.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.56.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.57.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.75.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.75.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.75.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.76.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.76.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.0.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.0.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.2.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.4.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.4.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.6.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.8.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.8.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.12.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.16.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.20.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.24.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.26.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.64.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.80.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.96.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.104.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.128.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.136.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.144.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.152.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.78.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.78.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.8.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.16.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.24.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.32.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.52.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.54.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.56.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.58.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.60.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.62.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.64.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.64.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.80.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.80.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.83.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.88.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.104.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.112.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.128.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.144.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.8.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.10.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.12.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.14.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.32.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.32.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.144.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.152.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.160.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.168.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.112.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.112.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.114.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.86.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.86.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.128.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.192.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.192.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.194.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.196.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.196.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.198.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.200.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.200.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.202.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.204.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.204.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.206.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.208.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.208.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.210.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.212.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.212.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.214.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.216.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.216.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.218.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.220.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.220.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.222.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.224.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.224.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.226.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.228.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.228.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.230.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.232.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.234.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.41.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.42.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.43.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.109.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.135.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.0.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.72.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.72.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.74.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.76.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.76.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.78.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.80.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.82.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.88.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.88.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.90.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.92.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.92.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.94.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.96.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.97.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.98.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.99.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.100.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.101.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.102.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.103.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.104.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.104.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.108.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.122.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.123.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.124.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.125.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.221.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.64.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.80.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.112.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.0.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.0.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.2.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.4.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.5.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.6.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.6.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.7.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.8.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.9.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.10.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.10.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.11.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.12.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.13.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.16.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.16.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.18.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.18.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.19.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.20.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.21.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.22.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.23.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.24.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.24.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.26.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.28.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.28.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.29.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.30.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.31.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.236.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.236.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.237.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.237.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.237.34.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.238.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.238.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.239.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.240.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.240.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.240.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.241.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.241.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.241.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.242.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.242.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.243.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.73.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.192.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.66.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.67.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.68.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.69.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.72.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.76.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.82.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.83.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.84.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.86.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.88.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.90.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.92.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.93.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.96.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.96.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.100.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.104.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.104.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.108.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.122.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.123.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.124.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.125.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.128.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.128.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.130.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.132.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.132.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.134.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.136.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.136.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.140.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.144.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.144.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.145.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.146.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.146.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.147.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.150.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.151.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.152.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.152.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.153.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.154.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.155.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.156.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.156.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.158.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.160.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.160.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.168.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.176.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.176.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.184.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.192.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.192.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.194.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.196.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.196.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.198.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.99.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.251.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.251.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.251.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.251.224.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.67.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.253.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.253.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.253.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.113.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.224.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.0.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.2.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.4.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.6.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.8.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.10.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.12.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.14.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.16.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.18.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.155.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.192.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.8.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.96.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.224.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.126.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.127.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.128.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.129.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.138.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.143.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.30.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.31.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.32.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.33.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.34.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.35.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.64.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.65.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.68.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.69.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.72.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.73.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.74.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.75.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.76.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.77.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.78.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.79.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.80.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.81.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.82.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.83.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.84.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.85.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.92.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.93.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.104.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.105.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.106.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.107.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.136.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.137.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 198.11.137.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 198.11.184.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.64.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.65.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.66.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.67.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.102.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.111.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.117.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.125.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse
--- a/hosts/web-2/clerie.nix
+++ b/hosts/web-2/clerie.nix
@@ -53,9 +53,6 @@
        '';
        return = "200 ''";
      };
-      extraConfig = ''
-        access_log /var/log/nginx/clerie.de.log combined_anon;
-      '';
    };
  };
 }
--- a/hosts/web-2/gitea.nix
+++ b/hosts/web-2/gitea.nix
@@ -83,9 +83,6 @@
          proxyPass = "http://[::1]:3000";
        };
      };
-      extraConfig = ''
-        access_log /var/log/nginx/git.clerie.de.log combined_anon;
-      '';
    };
  };
 }
--- a/hosts/web-2/ip.nix
+++ b/hosts/web-2/ip.nix
@@ -53,9 +53,6 @@
          types { } default_type "text/html; charset=utf-8";
        '';
      };
-      extraConfig = ''
-        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
-      '';
    };
    "ip4.clerie.de" = {
      enableACME = true;
@@ -67,9 +64,6 @@
          add_header Access-Control-Allow-Origin *;
        '';
      };
-      extraConfig = ''
-        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
-      '';
    };
    "ip6.clerie.de" = {
      enableACME = true;
@@ -81,9 +75,6 @@
          add_header Access-Control-Allow-Origin *;
        '';
      };
-      extraConfig = ''
-        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
-      '';
    };
  };
 }
--- a/hosts/web-2/legal.nix
+++ b/hosts/web-2/legal.nix
@@ -7,8 +7,8 @@
      forceSSL = true;
      root = pkgs.fetchgit {
        url = "https://git.clerie.de/clerie/legal.clerie.de.git";
-        rev = "c6900226e3107a2e370a32759d83db472ab5450d";
-        sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU=";
+        rev = "b271b9729f4545c340ce9d16ecbca136031da409";
+        sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
      };
      locations."/impressum" = {
        return = ''301 https://legal.clerie.de/#impressum'';
--- a/hosts/zinc/configuration.nix
+++ b/hosts/zinc/configuration.nix
@@ -5,12 +5,12 @@
    [
      ./hardware-configuration.nix

-      ../../configuration/desktop
-
      ./initrd.nix
      ./programs.nix
    ];

+  profiles.clerie.desktop.enable = true;
+
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/modules/clerie-system-upgrade/default.nix
+++ b/modules/clerie-system-upgrade/default.nix
@@ -3,13 +3,13 @@
 with lib;

 let
-  cfg = config.clerie.system-auto-upgrade;
+  cfg = config.services.bijwerken;
 in

 {
  options = {
-    clerie.system-auto-upgrade = {
-      enable = mkEnableOption "clerie system upgrade";
+    services.bijwerken = {
+      enable = mkEnableOption "Automatic system upgrades";
      autoUpgrade = mkOption {
        type = types.bool;
        default = false;
@@ -20,10 +20,15 @@ in
        default = null;
        description = "Systemd time string for starting the unit";
      };
+      nodeExporterTextfilePath = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "Path to node exporter textfile for putting metrics";
+      };
    };
  };
  config = mkIf cfg.enable {
-    systemd.services.clerie-system-auto-upgrade = {
+    systemd.services.bijwerken-system-upgrade = {
      requires = [ "network-online.target" ];
      after = [ "network-online.target" ];

@@ -33,10 +38,10 @@ in

      serviceConfig = {
        Type = "oneshot";
-        ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
+        ExecStart = (getExe pkgs.bijwerken-system-upgrade) + " --no-confirm${optionalString (cfg.nodeExporterTextfilePath != null) " --node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}"}";
      };
    };
-    systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade {
+    systemd.timers.bijwerken-system-upgrade = mkIf cfg.autoUpgrade {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt;
@@ -46,7 +51,7 @@ in
      after = [ "network-online.target" ];
    };
    environment.systemPackages = with pkgs; [
-      clerie-system-upgrade
+      bijwerken-system-upgrade
    ];
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,9 +5,9 @@
    ./policyrouting
    ./akne
    ./backup
+    ./bijwerken
    ./clerie-firewall
    ./clerie-gc-dir
-    ./clerie-system-upgrade
    ./dhcpcd-prefixdelegation
    ./minecraft-server
    ./monitoring
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -75,6 +75,8 @@ in

    systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];

+    services.bijwerken.nodeExporterTextfilePath = "/var/lib/prometheus-node-exporter/textfiles/bijwerken-system-upgrade.prom";
+
    services.prometheus.exporters.bird = mkIf cfg.bird {
      enable = true;
    };
@@ -102,6 +104,33 @@ in
      listen = "[::]:9152";
    };

+    services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
+      enable = true;
+      settings = {
+        namespaces = [
+          {
+            name = "nginxlog";
+            format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
+            source = {
+              files = [
+                "/var/log/nginx/access.log"
+              ];
+            };
+            relabel_configs = [
+              {
+                target_label = "server_name";
+                from = "server_name";
+              }
+            ];
+          }
+        ];
+      };
+    };
+
+    systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
+      SupplementaryGroups = "nginx";
+    };
+
    networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
      9100 # node-exporter
      9152 # nixos-exporter
@@ -109,6 +138,8 @@ in
      9324 # bird-exporter
    ] else []) ++ (if cfg.blackbox then [
      9115 # blackbox-exporter
+    ] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
+      config.services.prometheus.exporters.nginxlog.port
    ] else []);
  };
 }
--- a/pkgs/bijwerken-poke/bijwerken-poke.sh
+++ b/pkgs/bijwerken-poke/bijwerken-poke.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+TARGETS="$(nix --extra-experimental-features "nix-command flakes" eval --raw ".#nixosConfigurations" --apply "nixosConfigurations: builtins.concatStringsSep \"\\n\" (builtins.attrValues (builtins.mapAttrs (name: host: host.config.networking.fqdn) nixosConfigurations))")"
+
+pssh -h <(echo "${TARGETS}") -i -- sudo systemctl start bijwerken-system-upgrade.service --no-block
--- a/pkgs/bijwerken-poke/default.nix
+++ b/pkgs/bijwerken-poke/default.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "bijwerken-poke";
+  text = builtins.readFile ./bijwerken-poke.sh;
+  runtimeInputs = with pkgs; [
+    pssh
+  ];
+}
+
--- a/pkgs/bijwerken-system-upgrade/bijwerken-system-upgrade.sh
+++ b/pkgs/bijwerken-system-upgrade/bijwerken-system-upgrade.sh
@@ -50,7 +50,7 @@ echo "Set as boot target"

 if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
 	echo "Write monitoring check data"
-	echo "clerie_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
+	echo "bijwerken_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
 fi

 BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
--- a/pkgs/clerie-system-upgrade/clerie-system-upgrade.nix
+++ b/pkgs/clerie-system-upgrade/clerie-system-upgrade.nix
@@ -1,8 +1,8 @@
 { pkgs, ... }:

 pkgs.writeShellApplication {
-  name = "clerie-system-upgrade";
-  text = builtins.readFile ./clerie-system-upgrade.sh;
+  name = "bijwerken-system-upgrade";
+  text = builtins.readFile ./bijwerken-system-upgrade.sh;
  runtimeInputs = with pkgs; [
    curl
    jq
--- a/pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py
+++ b/pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python3

+import ipaddress
 import requests

 blocked_asns = [
@@ -10,14 +11,29 @@ r = requests.get('https://bgp.tools/table.txt', stream=True, headers={
    "User-Agent": "https://git.clerie.de/clerie/nixfiles",
 })

-with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
+selected_ipv6_prefixes = []
+selected_ipv4_prefixes = []
+
 for line in r.iter_lines(decode_unicode=True):
-        ip, asn = line.split()
+    prefix_string, asn_string = line.split()

-        if asn in blocked_asns:
-            if ":" in ip:
-                blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ip} -j nixos-fw-refuse\n")
+    if asn_string in blocked_asns:
+        prefix = ipaddress.ip_network(prefix_string)
+
+        if prefix.version == 6:
+            selected_ipv6_prefixes.append(prefix)
        else:
-                blocked_ips_file.write(f"iptables -I nixos-fw -s {ip} -j nixos-fw-refuse\n")
+            selected_ipv4_prefixes.append(prefix)

+selected_ipv6_prefixes = list(ipaddress.collapse_addresses(selected_ipv6_prefixes))
+selected_ipv4_prefixes = list(ipaddress.collapse_addresses(selected_ipv4_prefixes))

+selected_ipv6_prefixes.sort()
+selected_ipv4_prefixes.sort()
+
+with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
+    for ipv6_prefix in selected_ipv6_prefixes:
+            blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ipv6_prefix} -j nixos-fw-refuse\n")
+
+    for ipv4_prefix in selected_ipv4_prefixes:
+            blocked_ips_file.write(f"iptables -I nixos-fw -s {ipv4_prefix} -j nixos-fw-refuse\n")
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -1,10 +1,11 @@
 final: prev: {
+  bijwerken-poke = final.callPackage ./bijwerken-poke {};
+  bijwerken-system-upgrade = final.callPackage ./bijwerken-system-upgrade {};
  clerie-backup = final.callPackage ./clerie-backup {};
  clerie-cleanup-branches = final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
  clerie-keys = final.callPackage ./clerie-keys {};
  clerie-ssh-known-hosts = final.callPackage ./clerie-ssh-known-hosts {};
  clerie-system-remote-install = final.callPackage ./clerie-system-remote-install {};
-  clerie-system-upgrade = final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
  clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
  clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
  clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
--- a/profiles/common-nix/default.nix
+++ b/profiles/common-nix/default.nix
@@ -19,10 +19,10 @@ in {

    clerie.nixfiles.enable = true;

-    clerie.system-auto-upgrade.enable = true;
+    services.bijwerken.enable = true;

    nix.settings = {
-      trusted-users = [ "@wheel" "@guests" ];
+      trusted-users = [ "@wheel" ];
      auto-optimise-store = true;
      # Keep buildtime dependencies
      keep-outputs = true;
--- a/profiles/common-webserver/default.nix
+++ b/profiles/common-webserver/default.nix
@@ -40,7 +40,12 @@ in {
        log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
                                  '"$request" $status $body_bytes_sent '
                                  '"$http_referer" "$http_user_agent"';
-        access_log /var/log/nginx/access.log vcombined_anon;
+        log_format vcombined_anon_monitoring '$host: $remote_addr_anon - $remote_user [$time_local] '
+                                  '"$request" $status $body_bytes_sent '
+                                  '"$http_referer" "$http_user_agent" '
+                                  '"$server_name" '
+                                  'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
+        access_log /var/log/nginx/access.log vcombined_anon_monitoring;
      '';

      virtualHosts = mkIf cfg.httpDefaultVirtualHost {
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -9,6 +9,7 @@
    ./common-nix
    ./common-webserver
    ./cybercluster-vm
+    ./desktop
    ./dn42-router
    ./fem-net
    ./firefox
--- a/profiles/desktop/audio.nix
+++ b/profiles/desktop/audio.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.pulseaudio.enable = false;
+
+    security.rtkit.enable = true;
+    services.pipewire = {
+      enable = true;
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+      pulse = {
+        enable = true;
+      };
+      configPackages = [
+        pkgs.pipewire-all-bluetooth
+      ];
+    };
+
+    environment.systemPackages = with pkgs; [
+      helvum # pipewire routing gui
+    ];
+
+  };
+}
--- a/profiles/desktop/default.nix
+++ b/profiles/desktop/default.nix
@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.desktop = {
+    enable = mkEnableOption "clerie Desktop Config";
+  };
+
+  imports = [
+    ./audio.nix
+    ./firmware.nix
+    ./fonts.nix
+    ./gnome.nix
+    ./inputs.nix
+    ./networking.nix
+    ./polkit.nix
+    ./power.nix
+    ./printing.nix
+    ./ssh.nix
+    ./xserver.nix
+  ];
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    security.sudo.wheelNeedsPassword = true;
+
+  };
+}
--- a/profiles/desktop/firmware.nix
+++ b/profiles/desktop/firmware.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.fwupd.enable = true;
+
+  };
+
+}
--- a/profiles/desktop/fonts.nix
+++ b/profiles/desktop/fonts.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    fonts.enableDefaultPackages = true;
+    fonts.packages = with pkgs; [
+      roboto
+      roboto-mono
+      noto-fonts
+      noto-fonts-emoji
+      comfortaa
+    ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
+
+  };
+
+}
--- a/profiles/desktop/gnome.nix
+++ b/profiles/desktop/gnome.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.gnome = {
+      localsearch.enable = false;
+      tinysparql.enable = false;
+    };
+
+    environment.gnome.excludePackages = with pkgs; [
+      baobab
+      epiphany
+      gnome-calendar
+      gnome-clocks
+      gnome-console
+      gnome-contacts
+      gnome-logs
+      gnome-maps
+      gnome-music
+      gnome-tour
+      gnome-photos
+      gnome-weather
+      gnome-connections
+      simple-scan
+      yelp
+      geary
+    ];
+
+    environment.systemPackages = with pkgs; [
+      evolution
+      gnome-terminal
+      gnome-tweaks
+    ];
+
+    services.gnome.evolution-data-server.enable = true;
+
+    programs.dconf.profiles = {
+      user.databases = [
+        {
+          settings = {
+            "org/gnome/desktop/calendar" = {
+              show-weekdate = true;
+            };
+            "org/gnome/desktop/interface" = {
+              enable-hot-corners = false;
+              show-battery-percentage = true;
+            };
+            "org/gnome/desktop/notifications" = {
+              show-in-lock-screen = false;
+            };
+            "org/gnome/desktop/sound" = {
+              event-sounds = false;
+            };
+            "org/gnome/gnome-system-monitor" = {
+              network-in-bits = true;
+              network-total-in-bits = true;
+            };
+          };
+        }
+      ];
+    };
+
+  };
+
+}
--- a/profiles/desktop/inputs.nix
+++ b/profiles/desktop/inputs.nix
@@ -0,0 +1,51 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    programs.dconf.profiles = {
+      user.databases = [
+        {
+          settings = {
+            "org/gnome/desktop/peripherals/touchpad" = {
+              disable-while-typing = false;
+              edge-scrolling-enabled = false;
+              natural-scroll = true;
+              tap-to-click = true;
+              two-finger-scrolling-enabled = true;
+            };
+            "org/gnome/settings-daemon/plugins/media-keys" = {
+              custom-keybindings = [
+                "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
+              ];
+              mic-mute = [ "<Control>Print" ];
+            };
+            "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
+              name = "Terminal";
+              binding = "<Primary><Alt>t";
+              command = "gnome-terminal";
+            };
+          };
+        }
+      ];
+      gdm.databases = [
+        {
+          settings = {
+            "org/gnome/desktop/peripherals/touchpad" = {
+              disable-while-typing = false;
+              edge-scrolling-enabled = false;
+              natural-scroll = true;
+              tap-to-click = true;
+              two-finger-scrolling-enabled = true;
+            };
+          };
+        }
+      ];
+    };
+
+  };
+
+}
--- a/profiles/desktop/networking.nix
+++ b/profiles/desktop/networking.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    networking.networkmanager.settings = {
+      connectivity = {
+        uri = "http://ping.clerie.de/nm-check.txt";
+      };
+      global-dns = {
+        searches = "net.clerie.de";
+      };
+    };
+
+  };
+
+}
--- a/profiles/desktop/polkit.nix
+++ b/profiles/desktop/polkit.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    security.polkit.enable = true;
+
+  };
+
+}
--- a/profiles/desktop/power.nix
+++ b/profiles/desktop/power.nix
@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
+    services.logind = {
+      lidSwitch = "suspend-then-hibernate";
+    };
+    systemd.sleep.extraConfig = ''
+      HibernateDelaySec=30m
+    '';
+
+    services.upower = {
+      percentageLow = 20;
+      percentageCritical = 10;
+      percentageAction = 8;
+    };
+
+    programs.dconf.profiles = {
+      user.databases = [
+        {
+          settings = {
+            "org/gnome/settings-daemon/plugins/power" = {
+              power-button-action = "hibernate";
+              power-saver-profile-on-low-battery = false;
+              sleep-inactive-ac-type = "nothing";
+            };
+          };
+        }
+      ];
+      gdm.databases = [
+        {
+          settings = {
+            "org/gnome/settings-daemon/plugins/power" = {
+              power-button-action = "hibernate";
+              power-saver-profile-on-low-battery = false;
+              sleep-inactive-ac-type = "nothing";
+            };
+          };
+        }
+      ];
+    };
+
+  };
+
+}
--- a/profiles/desktop/printing.nix
+++ b/profiles/desktop/printing.nix
@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.printing.enable = true;
+    services.avahi.enable = true;
+    services.avahi.nssmdns4 = true;
+
+  };
+}
--- a/profiles/desktop/ssh.nix
+++ b/profiles/desktop/ssh.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    profiles.clerie.gpg-ssh.enable = true;
+
+    programs.gnupg.agent = {
+      pinentryPackage = pkgs.pinentry-gtk2;
+    };
+
+    # Do not disable ssh-agent of gnome-keyring, because
+    # gnupg ssh-agent can't handle normal SSH keys properly
+    /*
+    # Disable ssh-agent of gnome-keyring
+    nixpkgs.overlays = [
+      (final: prev: {
+        gnome = prev.gnome // {
+          gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
+            mkdir -p $out
+
+            # Symlink all gnome-keyring binaries
+            ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
+
+            # Disable autostart for ssh
+            rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+            cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+            echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+          '';
+        };
+      })
+    ];
+    */
+
+  };
+}
--- a/profiles/desktop/xserver.nix
+++ b/profiles/desktop/xserver.nix
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.xserver.enable = true;
+    services.displayManager.gdm.enable = true;
+    services.desktopManager.gnome.enable = true;
+
+    services.xserver.excludePackages = with pkgs; [
+      xterm
+    ];
+
+  };
+}
Author	SHA1	Message	Date
Flake Update Bot	5fe51e24fb	Update nixpkgs 2025-08-27-01-03	2025-08-27 03:04:06 +02:00
clerie	dd76691f7d	pkgs/bijwerken-*,modules/bijwerken: Consolidate system update management and refactor under the same name	2025-08-17 21:49:24 +02:00
clerie	72cdef91d9	profiles/common-nix: Remove guests group from trusted nix users	2025-08-17 20:02:34 +02:00
clerie	22c7cb451b	pkgs/nixfiles: Add helper script to trigger system upgrades	2025-08-17 19:05:22 +02:00
clerie	9357981ff3	hosts/monitoring-3: Alert on fem.social unavailable	2025-08-17 10:39:01 +02:00
clerie	eddb365ae5	hosts/monitoring-3: Alert nadja.top down after 15min only	2025-08-17 10:17:43 +02:00
clerie	d01de7fc4a	hosts/monitoring-3: Add dashboards to deployment	2025-08-16 22:01:06 +02:00
clerie	a1ca9313b9	hosts/monitoring-3: Add Nginx Grafana dashboard	2025-08-15 20:50:24 +02:00
clerie	217ede0307	modules/monitoring: Extract metrics from nginx logs	2025-08-15 18:14:41 +02:00
clerie	643478b724	pkgs/generate-blocked-prefixes: Deduplicate prefixes before generating firewall rules	2025-08-14 20:20:33 +02:00
clerie	13b8ccd087	hosts/krypton: don't use onlyoffice anymore	2025-08-09 14:59:03 +02:00
clerie	7c3a97a90a	hosts/web-2: Update legal.clerie.de	2025-08-09 11:42:04 +02:00
clerie	40338d9b85	hosts/monitoring-3: Monitor alertmanager	2025-08-09 11:41:34 +02:00
clerie	7f6f6281cc	profiles/desktop: Migrate from configuration	2025-07-29 23:03:58 +02:00