Update nixpkgs 2025-08-16-01-03

hosts/monitoring-3: Add Nginx Grafana dashboard
modules/monitoring: Extract metrics from nginx logs
2025-08-16 03:04:21 +02:00 · 2025-08-15 20:50:24 +02:00 · 2025-08-15 18:14:41 +02:00 · 2025-08-14 20:20:33 +02:00 · 2025-08-09 14:59:03 +02:00 · 2025-08-09 11:42:04 +02:00
61 changed files with 1205 additions and 355 deletions
--- a/configuration/desktop/audio.nix
+++ b/configuration/desktop/audio.nix
@@ -1,19 +0,0 @@
 { ... }:
 {
  services.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse = {
      enable = true;
    };
  };
 }
--- a/configuration/desktop/default.nix
+++ b/configuration/desktop/default.nix
@@ -1,19 +0,0 @@
 { ... }:
 {
  imports = [
    ./audio.nix
    ./firmware.nix
    ./fonts.nix
    ./gnome.nix
    ./inputs.nix
    ./networking.nix
    ./polkit.nix
    ./power.nix
    ./printing.nix
    ./ssh.nix
    ./xserver.nix
  ];
  security.sudo.wheelNeedsPassword = true;
 }
--- a/configuration/desktop/firmware.nix
+++ b/configuration/desktop/firmware.nix
@@ -1,7 +0,0 @@
 { ... }:
 {
  services.fwupd.enable = true;
 }
--- a/configuration/desktop/fonts.nix
+++ b/configuration/desktop/fonts.nix
@@ -1,13 +0,0 @@
 { pkgs, ... }:
 {
  fonts.enableDefaultPackages = true;
  fonts.packages = with pkgs; [
    roboto
    roboto-mono
    noto-fonts
    noto-fonts-emoji
    comfortaa
  ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
 }
--- a/configuration/desktop/gnome.nix
+++ b/configuration/desktop/gnome.nix
@@ -1,61 +0,0 @@
 { pkgs, ... }:
 {
  services.gnome = {
    localsearch.enable = false;
    tinysparql.enable = false;
  };
  environment.gnome.excludePackages = with pkgs; [
    baobab
    epiphany
    gnome-calendar
    gnome-clocks
    gnome-console
    gnome-contacts
    gnome-logs
    gnome-maps
    gnome-music
    gnome-tour
    gnome-photos
    gnome-weather
    gnome-connections
    simple-scan
    yelp
    geary
  ];
  environment.systemPackages = with pkgs; [
    evolution
    gnome-terminal
    gnome-tweaks
  ];
  services.gnome.evolution-data-server.enable = true;
  programs.dconf.profiles = {
    user.databases = [
      {
        settings = {
          "org/gnome/desktop/calendar" = {
            show-weekdate = true;
          };
          "org/gnome/desktop/interface" = {
            enable-hot-corners = false;
            show-battery-percentage = true;
          };
          "org/gnome/desktop/notifications" = {
            show-in-lock-screen = false;
          };
          "org/gnome/desktop/sound" = {
            event-sounds = false;
          };
          "org/gnome/gnome-system-monitor" = {
            network-in-bits = true;
            network-total-in-bits = true;
          };
        };
      }
    ];
  };
 }
--- a/configuration/desktop/inputs.nix
+++ b/configuration/desktop/inputs.nix
@@ -1,43 +0,0 @@
 { ... }:
 {
  programs.dconf.profiles = {
    user.databases = [
      {
        settings = {
          "org/gnome/desktop/peripherals/touchpad" = {
            disable-while-typing = false;
            edge-scrolling-enabled = false;
            natural-scroll = true;
            tap-to-click = true;
            two-finger-scrolling-enabled = true;
          };
          "org/gnome/settings-daemon/plugins/media-keys" = {
            custom-keybindings = [
              "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
            ];
            mic-mute = [ "<Control>Print" ];
          };
          "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
            name = "Terminal";
            binding = "<Primary><Alt>t";
            command = "gnome-terminal";
          };
        };
      }
    ];
    gdm.databases = [
      {
        settings = {
          "org/gnome/desktop/peripherals/touchpad" = {
            disable-while-typing = false;
            edge-scrolling-enabled = false;
            natural-scroll = true;
            tap-to-click = true;
            two-finger-scrolling-enabled = true;
          };
        };
      }
    ];
  };
 }
--- a/configuration/desktop/networking.nix
+++ b/configuration/desktop/networking.nix
@@ -1,14 +0,0 @@
 { ... }:
 {
  networking.networkmanager.settings = {
    connectivity = {
      uri = "http://ping.clerie.de/nm-check.txt";
    };
    global-dns = {
      searches = "net.clerie.de";
    };
  };
 }
--- a/configuration/desktop/polkit.nix
+++ b/configuration/desktop/polkit.nix
@@ -1,7 +0,0 @@
 { ... }:
 {
  security.polkit.enable = true;
 }
--- a/configuration/desktop/power.nix
+++ b/configuration/desktop/power.nix
@@ -1,42 +0,0 @@
 { lib, config, ... }:
 {
  boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
  services.logind = {
    lidSwitch = "suspend-then-hibernate";
  };
  systemd.sleep.extraConfig = ''
    HibernateDelaySec=30m
  '';
  services.upower = {
    percentageLow = 20;
    percentageCritical = 10;
    percentageAction = 8;
  };
  programs.dconf.profiles = {
    user.databases = [
      {
        settings = {
          "org/gnome/settings-daemon/plugins/power" = {
            power-button-action = "hibernate";
            power-saver-profile-on-low-battery = false;
            sleep-inactive-ac-type = "nothing";
          };
        };
      }
    ];
    gdm.databases = [
      {
        settings = {
          "org/gnome/settings-daemon/plugins/power" = {
            power-button-action = "hibernate";
            power-saver-profile-on-low-battery = false;
            sleep-inactive-ac-type = "nothing";
          };
        };
      }
    ];
  };
 }
--- a/configuration/desktop/printing.nix
+++ b/configuration/desktop/printing.nix
@@ -1,7 +0,0 @@
 { ... }:
 {
  services.printing.enable = true;
  services.avahi.enable = true;
  services.avahi.nssmdns4 = true;
 }
--- a/configuration/desktop/ssh.nix
+++ b/configuration/desktop/ssh.nix
@@ -1,33 +0,0 @@
 { pkgs, ... }:
 {
  profiles.clerie.gpg-ssh.enable = true;
  programs.gnupg.agent = {
    pinentryPackage = pkgs.pinentry-gtk2;
  };
  # Do not disable ssh-agent of gnome-keyring, because
  # gnupg ssh-agent can't handle normal SSH keys properly
  /*
  # Disable ssh-agent of gnome-keyring
  nixpkgs.overlays = [
    (final: prev: {
      gnome = prev.gnome // {
        gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
          mkdir -p $out
          # Symlink all gnome-keyring binaries
          ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
          # Disable autostart for ssh
          rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
          cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
          echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
        '';
      };
    })
  ];
  */
 }
--- a/configuration/desktop/xserver.nix
+++ b/configuration/desktop/xserver.nix
@@ -1,11 +0,0 @@
 { pkgs, ... }:
 {
  services.xserver.enable = true;
  services.displayManager.gdm.enable = true;
  services.desktopManager.gnome.enable = true;
  services.xserver.excludePackages = with pkgs; [
    xterm
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@@ -269,11 +269,11 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1750779764,
+        "lastModified": 1751801455,
-        "narHash": "sha256-JTvJf12NfmiJg+k8zPAvvJIHWA8lzL5SBssQxkwZTwE=",
+        "narHash": "sha256-hUJqtS88SbNQQSEJAPFyY2vLMh8yA8rQ6jbul50p64M=",
        "ref": "lix-2.93",
-        "rev": "175d4c80943403f352ad3ce9ee9a93475a154b91",
+        "rev": "b940aca430a7ca41f70bdb320659dd62026fe0e9",
-        "revCount": 4259,
+        "revCount": 4261,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/hydra.git"
      },
@@ -301,11 +301,11 @@
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1750762203,
+        "lastModified": 1751235704,
-        "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=",
+        "narHash": "sha256-Jzm3KPZ2gL+0Nl3Mw/2E0B3vqDDi1Xt5+9VCXghUDZ8=",
        "ref": "release-2.93",
-        "rev": "38b358ce27203f972faa2973cf44ba80c758f46e",
+        "rev": "f3a7bbe5f8d1a8504ddb6362d50106904523e440",
-        "revCount": 17866,
+        "revCount": 17874,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix"
      },
@@ -327,11 +327,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750776670,
+        "lastModified": 1753282722,
-        "narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=",
+        "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
        "ref": "release-2.93",
-        "rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3",
+        "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
-        "revCount": 146,
+        "revCount": 149,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      },
@@ -353,11 +353,11 @@
        "pre-commit-hooks": "pre-commit-hooks_2"
      },
      "locked": {
-        "lastModified": 1750762203,
+        "lastModified": 1753306924,
-        "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=",
+        "narHash": "sha256-jLCEW0FvjFhC+c4RHzH+xbkSOxrnpFHnhjOw6sudhx0=",
        "ref": "release-2.93",
-        "rev": "38b358ce27203f972faa2973cf44ba80c758f46e",
+        "rev": "1a4393d0aac31aba21f5737ede1b171e11336d77",
-        "revCount": 17866,
+        "revCount": 17884,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix.git"
      },
@@ -614,11 +614,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1750622754,
+        "lastModified": 1751582995,
-        "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=",
+        "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1",
+        "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
        "type": "github"
      },
      "original": {
@@ -646,11 +646,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1750776420,
+        "lastModified": 1755186698,
-        "narHash": "sha256-/CG+w0o0oJ5itVklOoLbdn2dGB0wbZVOoDm4np6w09A=",
+        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf",
+        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
        "type": "github"
      },
      "original": {
@@ -753,7 +753,8 @@
        "scan-to-gpg": "scan-to-gpg",
        "solid-xmpp-alarm": "solid-xmpp-alarm",
        "sops-nix": "sops-nix",
-        "ssh-to-age": "ssh-to-age"
+        "ssh-to-age": "ssh-to-age",
        "traveldrafter": "traveldrafter"
      }
    },
    "scan-to-gpg": {
@@ -868,6 +869,26 @@
        "type": "github"
      }
    },
    "traveldrafter": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1751817360,
        "narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
        "ref": "refs/heads/main",
        "rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
        "revCount": 22,
        "type": "git",
        "url": "https://git.clerie.de/clerie/traveldrafter.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.clerie.de/clerie/traveldrafter.git"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@@ -68,6 +68,10 @@
      url = "github:Mic92/ssh-to-age";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    traveldrafter = {
      url = "git+https://git.clerie.de/clerie/traveldrafter.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
    lib = import ./lib inputs;
--- a/flake/hydraJobs.nix
+++ b/flake/hydraJobs.nix
@@ -10,6 +10,12 @@ let
 in {
  inherit (self)
    packages;
  extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
    nixpkgs.lib.genAttrs [
      "hydra"
      "lix"
    ] (name: self.nixpkgs."${system}"."${name}")
  );
  nixosConfigurations = buildHosts self.nixosConfigurations;
  iso = self.nixosConfigurations._iso.config.system.build.isoImage;
 }
--- a/flake/inputs-overlay.nix
+++ b/flake/inputs-overlay.nix
@@ -9,6 +9,7 @@
 , rainbowrss
 , scan-to-gpg
 , ssh-to-age
 , traveldrafter
 , ...
 }@inputs:
 final: prev: {
@@ -32,4 +33,6 @@ final: prev: {
    scan-to-gpg;
  inherit (ssh-to-age.packages.${final.system})
    ssh-to-age;
  inherit (traveldrafter.packages.${final.system})
    traveldrafter;
 }
--- a/hosts/dn42-il-gw1/configuration.nix
+++ b/hosts/dn42-il-gw1/configuration.nix
@@ -238,7 +238,6 @@
  };
  clerie.system-auto-upgrade = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@@ -112,7 +112,6 @@
  };
  clerie.system-auto-upgrade = {
    allowReboot = true;
    autoUpgrade = true;
    startAt = "*-*-* 06:22:00";
  };
--- a/hosts/dn42-il-gw6/configuration.nix
+++ b/hosts/dn42-il-gw6/configuration.nix
@@ -106,7 +106,6 @@
  };
  clerie.system-auto-upgrade = {
    allowReboot = true;
    autoUpgrade = true;
    startAt = "*-*-* 07:22:00";
  };
--- a/hosts/dn42-ildix-clerie/configuration.nix
+++ b/hosts/dn42-ildix-clerie/configuration.nix
@@ -162,7 +162,6 @@
  '';
  clerie.system-auto-upgrade = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/dn42-ildix-service/configuration.nix
+++ b/hosts/dn42-ildix-service/configuration.nix
@@ -71,7 +71,6 @@
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  clerie.system-auto-upgrade = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/krypton/configuration.nix
+++ b/hosts/krypton/configuration.nix
@@ -5,8 +5,6 @@
    [
      ./hardware-configuration.nix
      ../../configuration/desktop
      ./android.nix
      ./backup.nix
      ./etesync-dav.nix
@@ -15,6 +13,8 @@
      ./programs.nix
    ];
  profiles.clerie.desktop.enable = true;
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/hosts/krypton/programs.nix
+++ b/hosts/krypton/programs.nix
@@ -14,10 +14,11 @@
    tio
    xournalpp
-    onlyoffice-bin
+    libreoffice
    krita
    inkscape
    dune3d
    wireshark
    tcpdump
--- a/hosts/monitoring-3/dashboards/nginx-exporter.json
+++ b/hosts/monitoring-3/dashboards/nginx-exporter.json
@@ -0,0 +1,355 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "id": 16,
  "links": [],
  "panels": [
    {
      "datasource": {
        "type": "prometheus",
        "uid": "PBFA97CFB590B2093"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisBorderShow": false,
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "barWidthFactor": 0.6,
            "drawStyle": "line",
            "fillOpacity": 0,
            "gradientMode": "none",
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            },
            "insertNulls": false,
            "lineInterpolation": "linear",
            "lineWidth": 1,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "off"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green"
              }
            ]
          },
          "unit": "reqps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 0,
        "y": 0
      },
      "id": 1,
      "options": {
        "legend": {
          "calcs": [],
          "displayMode": "list",
          "placement": "bottom",
          "showLegend": true
        },
        "tooltip": {
          "hideZeros": false,
          "mode": "single",
          "sort": "none"
        }
      },
      "pluginVersion": "12.0.2+security-01",
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "disableTextWrap": false,
          "editorMode": "builder",
          "expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
          "fullMetaSearch": false,
          "includeNullMetadata": true,
          "legendFormat": "__auto",
          "range": true,
          "refId": "A",
          "useBackend": false
        }
      ],
      "title": "Total requests",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "PBFA97CFB590B2093"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisBorderShow": false,
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "barWidthFactor": 0.6,
            "drawStyle": "line",
            "fillOpacity": 0,
            "gradientMode": "none",
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            },
            "insertNulls": false,
            "lineInterpolation": "linear",
            "lineWidth": 1,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "off"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green"
              }
            ]
          },
          "unit": "reqps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 12,
        "y": 0
      },
      "id": 2,
      "options": {
        "legend": {
          "calcs": [],
          "displayMode": "list",
          "placement": "bottom",
          "showLegend": true
        },
        "tooltip": {
          "hideZeros": false,
          "mode": "single",
          "sort": "none"
        }
      },
      "pluginVersion": "12.0.2+security-01",
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "disableTextWrap": false,
          "editorMode": "builder",
          "expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
          "fullMetaSearch": false,
          "includeNullMetadata": true,
          "legendFormat": "{{server_name}}: {{method}}",
          "range": true,
          "refId": "A",
          "useBackend": false
        }
      ],
      "title": "Status codes",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "PBFA97CFB590B2093"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisBorderShow": false,
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "barWidthFactor": 0.6,
            "drawStyle": "line",
            "fillOpacity": 0,
            "gradientMode": "none",
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            },
            "insertNulls": false,
            "lineInterpolation": "linear",
            "lineWidth": 1,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "off"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green"
              }
            ]
          },
          "unit": "reqps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 0,
        "y": 10
      },
      "id": 3,
      "options": {
        "legend": {
          "calcs": [],
          "displayMode": "list",
          "placement": "bottom",
          "showLegend": true
        },
        "tooltip": {
          "hideZeros": false,
          "mode": "single",
          "sort": "none"
        }
      },
      "pluginVersion": "12.0.2+security-01",
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "disableTextWrap": false,
          "editorMode": "builder",
          "expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
          "fullMetaSearch": false,
          "includeNullMetadata": true,
          "legendFormat": "{{server_name}}: HTTP {{status}}",
          "range": true,
          "refId": "A",
          "useBackend": false
        }
      ],
      "title": "Response codes",
      "type": "timeseries"
    }
  ],
  "preload": false,
  "refresh": "30s",
  "schemaVersion": 41,
  "tags": [],
  "templating": {
    "list": [
      {
        "current": {
          "text": "All",
          "value": [
            "$__all"
          ]
        },
        "definition": "label_values(nginxlog_http_response_count_total,server_name)",
        "includeAll": true,
        "label": "vHost",
        "multi": true,
        "name": "server_name",
        "options": [],
        "query": {
          "qryType": 1,
          "query": "label_values(nginxlog_http_response_count_total,server_name)",
          "refId": "PrometheusVariableQueryEditor-VariableQuery"
        },
        "refresh": 1,
        "regex": "",
        "type": "query"
      }
    ]
  },
  "time": {
    "from": "now-3h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "browser",
  "title": "Nginx Exporter",
  "uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
  "version": 7
 }
--- a/hosts/monitoring-3/prometheus.nix
+++ b/hosts/monitoring-3/prometheus.nix
@@ -52,6 +52,12 @@ let
    attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
    monitoringHosts);
  nginxlogMonitoringTargets = mapAttrsToList (name: host:
    "${host.config.networking.hostName}.mon.clerie.de:9117")
    (filterAttrs (name: host:
    attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
    monitoringHosts);
  eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
 in {
@@ -104,6 +110,21 @@ in {
          relabelAddressToInstance
        ];
      }
      {
        job_name = "alertmanager";
        scrape_interval = "20s";
        scheme = "http";
        static_configs = [
          {
            targets = [
              "monitoring-3.mon.clerie.de:9093"
            ];
          }
        ];
        relabel_configs = [
          relabelAddressToInstance
        ];
      }
      {
        job_name = "node-exporter";
        scrape_interval = "20s";
@@ -521,12 +542,24 @@ in {
          }
        ];
      }
      {
        job_name = "nginxlog-exporter";
        scrape_interval = "20s";
        static_configs = [
          {
            targets = nginxlogMonitoringTargets;
          }
        ];
        relabel_configs = [
          relabelAddressToInstance
        ];
      }
    ];
    alertmanagers = [
      {
        static_configs = [ {
          targets = [
-            "[::1]:9093"
+            "monitoring-3.mon.clerie.de:9093"
          ];
        } ];
      }
--- a/hosts/monitoring-3/rules.yml
+++ b/hosts/monitoring-3/rules.yml
@@ -95,3 +95,10 @@ groups:
    annotations:
      summary: "blog.nadja.top unreachable via IPv4"
      description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
  - alert: AlertmanagerNotificationRequestsFailed
    expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
    labels:
      severity: critical
    annotations:
      summary: "Too many notification requests failed"
      description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
--- a/hosts/nonat/configuration.nix
+++ b/hosts/nonat/configuration.nix
@@ -42,7 +42,6 @@
  networking.firewall.allowedUDPPorts = [];
  clerie.system-auto-upgrade = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/porter/configuration.nix
+++ b/hosts/porter/configuration.nix
@@ -58,6 +58,10 @@
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [];
  clerie.system-auto-upgrade = {
    autoUpgrade = true;
  };
  clerie.monitoring = {
    enable = true;
    id = "102";
--- a/hosts/storage-2/configuration.nix
+++ b/hosts/storage-2/configuration.nix
@@ -53,7 +53,6 @@
  };
  clerie.system-auto-upgrade = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/web-2/blocked-prefixes.txt
+++ b/hosts/web-2/blocked-prefixes.txt
@@ -0,0 +1,195 @@
 ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
 iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse
--- a/hosts/web-2/clerie.nix
+++ b/hosts/web-2/clerie.nix
@@ -53,9 +53,6 @@
        '';
        return = "200 ''";
      };
      extraConfig = ''
        access_log /var/log/nginx/clerie.de.log combined_anon;
      '';
    };
  };
 }
--- a/hosts/web-2/configuration.nix
+++ b/hosts/web-2/configuration.nix
@@ -24,6 +24,7 @@
      ./public.nix
      ./radicale.nix
      ./reichartstrasse.nix
      ./traveldrafter.nix
      ./uptimestatus.nix
      ./wetter.nix
    ];
@@ -51,6 +52,8 @@
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
--- a/hosts/web-2/gitea.nix
+++ b/hosts/web-2/gitea.nix
@@ -83,9 +83,6 @@
          proxyPass = "http://[::1]:3000";
        };
      };
      extraConfig = ''
        access_log /var/log/nginx/git.clerie.de.log combined_anon;
      '';
    };
  };
 }
--- a/hosts/web-2/ip.nix
+++ b/hosts/web-2/ip.nix
@@ -53,9 +53,6 @@
          types { } default_type "text/html; charset=utf-8";
        '';
      };
      extraConfig = ''
        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
      '';
    };
    "ip4.clerie.de" = {
      enableACME = true;
@@ -67,9 +64,6 @@
          add_header Access-Control-Allow-Origin *;
        '';
      };
      extraConfig = ''
        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
      '';
    };
    "ip6.clerie.de" = {
      enableACME = true;
@@ -81,9 +75,6 @@
          add_header Access-Control-Allow-Origin *;
        '';
      };
      extraConfig = ''
        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
      '';
    };
  };
 }
--- a/hosts/web-2/legal.nix
+++ b/hosts/web-2/legal.nix
@@ -7,8 +7,8 @@
      forceSSL = true;
      root = pkgs.fetchgit {
        url = "https://git.clerie.de/clerie/legal.clerie.de.git";
-        rev = "c6900226e3107a2e370a32759d83db472ab5450d";
+        rev = "b271b9729f4545c340ce9d16ecbca136031da409";
-        sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU=";
+        sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
      };
      locations."/impressum" = {
        return = ''301 https://legal.clerie.de/#impressum'';
--- a/hosts/web-2/secrets.json
+++ b/hosts/web-2/secrets.json
@@ -4,19 +4,16 @@
 	"clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]",
 	"radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]",
 	"traveldrafter-htpasswd": "ENC[AES256_GCM,data:f29vVDofv2mJEyn/pMKWW8ZbVTKSofe1EEtcfuCaokdqAyxemcq/2hrXFw8cAGTV2hwVqlM2hzJcT32KBjO/wgUNfv4=,iv:5PdQ+bn/bXmfQstP5A/dLeDk7O0qTjoRTyr4D+AgiG0=,tag:gCBrSJ4cEnZHqePiUpPglA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-05-10T13:32:34Z",
+		"lastmodified": "2025-07-06T16:08:39Z",
-		"mac": "ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]",
+		"mac": "ENC[AES256_GCM,data:6EbMSJAKOMgXtlwaVtsmPgrZVgraReAfVJWjZvhe965eLhhP5aeyZqPlA6a93h2FsShVFYWFPI57tdHy9Ymo53oXolSt8Docr2w2FL4BTWHHhkXal9+6aJZAZ+XOPEOUYurFxPOX44l+LDkecSz0NMCgrScWtpphjlkj3yP5GTo=,iv:5w8RC9IAuyEuO0QSZ0FBwW2/qqV56HNG7hZIkEeGEYU=,tag:Zosv1OSMtznnKkSYStu+oA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:29:58Z",
@@ -27,4 +24,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}
--- a/hosts/web-2/traveldrafter.nix
+++ b/hosts/web-2/traveldrafter.nix
@@ -0,0 +1,40 @@
 { pkgs, lib, config, ... }: {
  services.update-from-hydra.paths.traveldrafter = {
    enable = true;
    hydraUrl = "https://hydra.clerie.de";
    hydraProject = "clerie";
    hydraJobset = "traveldrafter";
    hydraJob = "packages.x86_64-linux.traveldrafter";
    nixStoreUri = "https://nix-cache.clerie.de";
    resultPath = "/srv/traveldrafter";
  };
  sops.secrets.traveldrafter-htpasswd = {
    owner = "nginx";
    group = "nginx";
  };
  services.nginx.virtualHosts = {
    "traveldrafter.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      root = "/srv/traveldrafter/lib/node_modules/traveldrafter/web/";
      basicAuthFile = config.sops.secrets.traveldrafter-htpasswd.path;
      locations."/api" = {
        proxyPass = "http://[::1]:3001";
      };
    };
  };
  systemd.services."traveldrafter" = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      RuntimeDirectory = "traveldrafter";
      DynamicUser = true;
    };
    environment = {
      HTTP_PORT = "3001";
    };
    script = lib.getExe pkgs.traveldrafter;
  };
 }
--- a/hosts/zinc/configuration.nix
+++ b/hosts/zinc/configuration.nix
@@ -5,12 +5,12 @@
    [
      ./hardware-configuration.nix
      ../../configuration/desktop
      ./initrd.nix
      ./programs.nix
    ];
  profiles.clerie.desktop.enable = true;
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/modules/clerie-system-upgrade/default.nix
+++ b/modules/clerie-system-upgrade/default.nix
@@ -10,11 +10,6 @@ in
  options = {
    clerie.system-auto-upgrade = {
      enable = mkEnableOption "clerie system upgrade";
      allowReboot = mkOption {
        type = types.bool;
        default = false;
        description = "Monitor NixOS";
      };
      autoUpgrade = mkOption {
        type = types.bool;
        default = false;
@@ -38,7 +33,7 @@ in
      serviceConfig = {
        Type = "oneshot";
-        ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
+        ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
      };
    };
    systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade {
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -102,6 +102,33 @@ in
      listen = "[::]:9152";
    };
    services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
      enable = true;
      settings = {
        namespaces = [
          {
            name = "nginxlog";
            format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
            source = {
              files = [
                "/var/log/nginx/access.log"
              ];
            };
            relabel_configs = [
              {
                target_label = "server_name";
                from = "server_name";
              }
            ];
          }
        ];
      };
    };
    systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
      SupplementaryGroups = "nginx";
    };
    networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
      9100 # node-exporter
      9152 # nixos-exporter
@@ -109,6 +136,8 @@ in
      9324 # bird-exporter
    ] else []) ++ (if cfg.blackbox then [
      9115 # blackbox-exporter
    ] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
      config.services.prometheus.exporters.nginxlog.port
    ] else []);
  };
 }
--- a/pkgs/clerie-system-upgrade/clerie-system-upgrade.sh
+++ b/pkgs/clerie-system-upgrade/clerie-system-upgrade.sh
@@ -2,16 +2,11 @@
 set -euo pipefail
 ALLOW_REBOOT=
 NO_CONFIRM=
 NODE_EXPORTER_METRICS_PATH=
 while [[ $# -gt 0 ]]; do
 	case $1 in
 		--allow-reboot)
 			ALLOW_REBOOT=1
 			shift
 		;;
 		--no-confirm)
 			NO_CONFIRM=1
 			shift
@@ -63,13 +58,8 @@ ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel
 if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
 	echo "Reboot is required"
-	if [[ -n "$ALLOW_REBOOT" ]]; then
+	echo "Rebooting system now"
-		echo "Rebooting system now"
+	shutdown -r +1 "System update requires reboot"
 		shutdown -r +1 "System update requires reboot"
 	else
 		echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
 		echo "The system upgrade is staged, please reboot manually soon"
 	fi
 else
 	echo "No reboot is required"
 	echo "Activating system now"
--- a/pkgs/generate-blocked-prefixes/default.nix
+++ b/pkgs/generate-blocked-prefixes/default.nix
@@ -0,0 +1,7 @@
 { pkgs, ... }:
 pkgs.clerie-build-support.writePythonScript {
  name = "generate-blocked-prefixes";
  runtimePackages = ps: with ps; [ requests ];
  text = builtins.readFile ./generate-blocked-prefixes.py;
 }
--- a/pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py
+++ b/pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py
@@ -0,0 +1,39 @@
 #!/usr/bin/env python3
 import ipaddress
 import requests
 blocked_asns = [
    "45102", # Alibaba (US) Technology Co., Ltd.
 ]
 r = requests.get('https://bgp.tools/table.txt', stream=True, headers={
    "User-Agent": "https://git.clerie.de/clerie/nixfiles",
 })
 selected_ipv6_prefixes = []
 selected_ipv4_prefixes = []
 for line in r.iter_lines(decode_unicode=True):
    prefix_string, asn_string = line.split()
    if asn_string in blocked_asns:
        prefix = ipaddress.ip_network(prefix_string)
        if prefix.version == 6:
            selected_ipv6_prefixes.append(prefix)
        else:
            selected_ipv4_prefixes.append(prefix)
 selected_ipv6_prefixes = list(ipaddress.collapse_addresses(selected_ipv6_prefixes))
 selected_ipv4_prefixes = list(ipaddress.collapse_addresses(selected_ipv4_prefixes))
 selected_ipv6_prefixes.sort()
 selected_ipv4_prefixes.sort()
 with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
    for ipv6_prefix in selected_ipv6_prefixes:
            blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ipv6_prefix} -j nixos-fw-refuse\n")
    for ipv4_prefix in selected_ipv4_prefixes:
            blocked_ips_file.write(f"iptables -I nixos-fw -s {ipv4_prefix} -j nixos-fw-refuse\n")
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -13,6 +13,7 @@ final: prev: {
  chromium-incognito = final.callPackage ./chromium-incognito {};
  factorio-launcher = final.callPackage ./factorio-launcher {};
  feeds-dir = final.callPackage ./feeds-dir {};
  generate-blocked-prefixes = final.callPackage ./generate-blocked-prefixes {};
  git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
  git-diff-word = final.callPackage ./git-diff-word {};
  git-pp = final.callPackage ./git-pp {};
@@ -22,6 +23,7 @@ final: prev: {
  nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
  nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
  nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
  pipewire-all-bluetooth = final.callPackage ./pipewire-all-bluetooth {};
  print-afra = final.callPackage ./print-afra {};
  run-with-docker-group = final.callPackage ./run-with-docker-group {};
  ssh-gpg = final.callPackage ./ssh-gpg {};
--- a/pkgs/pipewire-all-bluetooth/all-bluetooth.conf
+++ b/pkgs/pipewire-all-bluetooth/all-bluetooth.conf
@@ -0,0 +1,29 @@
 context.modules = [
 {   name = libpipewire-module-combine-stream
    args = {
        combine.mode = sink
        node.name = "all-bluetooth"
        node.description = "All Bluetooth devices"
        combine.latency-compensate = false
        combine.props = {
            audio.position = [ FL FR ]
        }
        stream.props = {
        }
        stream.rules = [
            {
                matches = [
                    {
                        node.name = "~bluez_output.*"
                        media.class = "Audio/Sink"
                    }
                ]
                actions = {
                    create-stream = {
                    }
                }
            }
        ]
    }
 }
 ]
--- a/pkgs/pipewire-all-bluetooth/default.nix
+++ b/pkgs/pipewire-all-bluetooth/default.nix
@@ -0,0 +1,9 @@
 {
 runCommand,
 ... }:
 runCommand "pipewire-all-bluetooth" {} ''
  mkdir -p $out/share/pipewire/pipewire.conf.d
  cp ${./all-bluetooth.conf} $out/share/pipewire/pipewire.conf.d/all-bluetooth.conf
 ''
--- a/pkgs/uptimestatus/default.nix
+++ b/pkgs/uptimestatus/default.nix
@@ -4,6 +4,7 @@
  flask,
  requests,
  python,
  setuptools,
 }:
 let
@@ -19,6 +20,10 @@ let
 in buildPythonPackage rec {
  inherit src pname version;
  pyproject = true;
  build-system = [ setuptools ];
  propagatedBuildInputs = [
    flask
    requests
--- a/profiles/common-webserver/default.nix
+++ b/profiles/common-webserver/default.nix
@@ -40,7 +40,12 @@ in {
        log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
                                  '"$request" $status $body_bytes_sent '
                                  '"$http_referer" "$http_user_agent"';
-        access_log /var/log/nginx/access.log vcombined_anon;
+        log_format vcombined_anon_monitoring '$host: $remote_addr_anon - $remote_user [$time_local] '
                                  '"$request" $status $body_bytes_sent '
                                  '"$http_referer" "$http_user_agent" '
                                  '"$server_name" '
                                  'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
        access_log /var/log/nginx/access.log vcombined_anon_monitoring;
      '';
      virtualHosts = mkIf cfg.httpDefaultVirtualHost {
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -9,6 +9,7 @@
    ./common-nix
    ./common-webserver
    ./cybercluster-vm
    ./desktop
    ./dn42-router
    ./fem-net
    ./firefox
--- a/profiles/desktop/audio.nix
+++ b/profiles/desktop/audio.nix
@@ -0,0 +1,31 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    services.pulseaudio.enable = false;
    security.rtkit.enable = true;
    services.pipewire = {
      enable = true;
      alsa = {
        enable = true;
        support32Bit = true;
      };
      pulse = {
        enable = true;
      };
      configPackages = [
        pkgs.pipewire-all-bluetooth
      ];
    };
    environment.systemPackages = with pkgs; [
      helvum # pipewire routing gui
    ];
  };
 }
--- a/profiles/desktop/default.nix
+++ b/profiles/desktop/default.nix
@@ -0,0 +1,30 @@
 { config, lib, ... }:
 with lib;
 {
  options.profiles.clerie.desktop = {
    enable = mkEnableOption "clerie Desktop Config";
  };
  imports = [
    ./audio.nix
    ./firmware.nix
    ./fonts.nix
    ./gnome.nix
    ./inputs.nix
    ./networking.nix
    ./polkit.nix
    ./power.nix
    ./printing.nix
    ./ssh.nix
    ./xserver.nix
  ];
  config = mkIf config.profiles.clerie.desktop.enable {
    security.sudo.wheelNeedsPassword = true;
  };
 }
--- a/profiles/desktop/firmware.nix
+++ b/profiles/desktop/firmware.nix
@@ -0,0 +1,13 @@
 { config, lib, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    services.fwupd.enable = true;
  };
 }
--- a/profiles/desktop/fonts.nix
+++ b/profiles/desktop/fonts.nix
@@ -0,0 +1,20 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    fonts.enableDefaultPackages = true;
    fonts.packages = with pkgs; [
      roboto
      roboto-mono
      noto-fonts
      noto-fonts-emoji
      comfortaa
    ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
  };
 }
--- a/profiles/desktop/gnome.nix
+++ b/profiles/desktop/gnome.nix
@@ -0,0 +1,69 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    services.gnome = {
      localsearch.enable = false;
      tinysparql.enable = false;
    };
    environment.gnome.excludePackages = with pkgs; [
      baobab
      epiphany
      gnome-calendar
      gnome-clocks
      gnome-console
      gnome-contacts
      gnome-logs
      gnome-maps
      gnome-music
      gnome-tour
      gnome-photos
      gnome-weather
      gnome-connections
      simple-scan
      yelp
      geary
    ];
    environment.systemPackages = with pkgs; [
      evolution
      gnome-terminal
      gnome-tweaks
    ];
    services.gnome.evolution-data-server.enable = true;
    programs.dconf.profiles = {
      user.databases = [
        {
          settings = {
            "org/gnome/desktop/calendar" = {
              show-weekdate = true;
            };
            "org/gnome/desktop/interface" = {
              enable-hot-corners = false;
              show-battery-percentage = true;
            };
            "org/gnome/desktop/notifications" = {
              show-in-lock-screen = false;
            };
            "org/gnome/desktop/sound" = {
              event-sounds = false;
            };
            "org/gnome/gnome-system-monitor" = {
              network-in-bits = true;
              network-total-in-bits = true;
            };
          };
        }
      ];
    };
  };
 }
--- a/profiles/desktop/inputs.nix
+++ b/profiles/desktop/inputs.nix
@@ -0,0 +1,51 @@
 { config, lib, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    programs.dconf.profiles = {
      user.databases = [
        {
          settings = {
            "org/gnome/desktop/peripherals/touchpad" = {
              disable-while-typing = false;
              edge-scrolling-enabled = false;
              natural-scroll = true;
              tap-to-click = true;
              two-finger-scrolling-enabled = true;
            };
            "org/gnome/settings-daemon/plugins/media-keys" = {
              custom-keybindings = [
                "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
              ];
              mic-mute = [ "<Control>Print" ];
            };
            "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
              name = "Terminal";
              binding = "<Primary><Alt>t";
              command = "gnome-terminal";
            };
          };
        }
      ];
      gdm.databases = [
        {
          settings = {
            "org/gnome/desktop/peripherals/touchpad" = {
              disable-while-typing = false;
              edge-scrolling-enabled = false;
              natural-scroll = true;
              tap-to-click = true;
              two-finger-scrolling-enabled = true;
            };
          };
        }
      ];
    };
  };
 }
--- a/profiles/desktop/networking.nix
+++ b/profiles/desktop/networking.nix
@@ -0,0 +1,20 @@
 { config, lib, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    networking.networkmanager.settings = {
      connectivity = {
        uri = "http://ping.clerie.de/nm-check.txt";
      };
      global-dns = {
        searches = "net.clerie.de";
      };
    };
  };
 }
--- a/profiles/desktop/polkit.nix
+++ b/profiles/desktop/polkit.nix
@@ -0,0 +1,13 @@
 { config, lib, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    security.polkit.enable = true;
  };
 }
--- a/profiles/desktop/power.nix
+++ b/profiles/desktop/power.nix
@@ -0,0 +1,50 @@
 { config, lib, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
    services.logind = {
      lidSwitch = "suspend-then-hibernate";
    };
    systemd.sleep.extraConfig = ''
      HibernateDelaySec=30m
    '';
    services.upower = {
      percentageLow = 20;
      percentageCritical = 10;
      percentageAction = 8;
    };
    programs.dconf.profiles = {
      user.databases = [
        {
          settings = {
            "org/gnome/settings-daemon/plugins/power" = {
              power-button-action = "hibernate";
              power-saver-profile-on-low-battery = false;
              sleep-inactive-ac-type = "nothing";
            };
          };
        }
      ];
      gdm.databases = [
        {
          settings = {
            "org/gnome/settings-daemon/plugins/power" = {
              power-button-action = "hibernate";
              power-saver-profile-on-low-battery = false;
              sleep-inactive-ac-type = "nothing";
            };
          };
        }
      ];
    };
  };
 }
--- a/profiles/desktop/printing.nix
+++ b/profiles/desktop/printing.nix
@@ -0,0 +1,14 @@
 { config, lib, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    services.printing.enable = true;
    services.avahi.enable = true;
    services.avahi.nssmdns4 = true;
  };
 }
--- a/profiles/desktop/ssh.nix
+++ b/profiles/desktop/ssh.nix
@@ -0,0 +1,39 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    profiles.clerie.gpg-ssh.enable = true;
    programs.gnupg.agent = {
      pinentryPackage = pkgs.pinentry-gtk2;
    };
    # Do not disable ssh-agent of gnome-keyring, because
    # gnupg ssh-agent can't handle normal SSH keys properly
    /*
    # Disable ssh-agent of gnome-keyring
    nixpkgs.overlays = [
      (final: prev: {
        gnome = prev.gnome // {
          gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
            mkdir -p $out
            # Symlink all gnome-keyring binaries
            ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
            # Disable autostart for ssh
            rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
            cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
            echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
          '';
        };
      })
    ];
    */
  };
 }
--- a/profiles/desktop/xserver.nix
+++ b/profiles/desktop/xserver.nix
@@ -0,0 +1,18 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  config = mkIf config.profiles.clerie.desktop.enable {
    services.xserver.enable = true;
    services.displayManager.gdm.enable = true;
    services.desktopManager.gnome.enable = true;
    services.xserver.excludePackages = with pkgs; [
      xterm
    ];
  };
 }
Author	SHA1	Message	Date
Flake Update Bot	8f2f39f72e	Update nixpkgs 2025-08-16-01-03	2025-08-16 03:04:21 +02:00
clerie	a1ca9313b9	hosts/monitoring-3: Add Nginx Grafana dashboard	2025-08-15 20:50:24 +02:00
clerie	217ede0307	modules/monitoring: Extract metrics from nginx logs	2025-08-15 18:14:41 +02:00
clerie	643478b724	pkgs/generate-blocked-prefixes: Deduplicate prefixes before generating firewall rules	2025-08-14 20:20:33 +02:00
clerie	13b8ccd087	hosts/krypton: don't use onlyoffice anymore	2025-08-09 14:59:03 +02:00
clerie	7c3a97a90a	hosts/web-2: Update legal.clerie.de	2025-08-09 11:42:04 +02:00
clerie	40338d9b85	hosts/monitoring-3: Monitor alertmanager	2025-08-09 11:41:34 +02:00
clerie	7f6f6281cc	profiles/desktop: Migrate from configuration	2025-07-29 23:03:58 +02:00
clerie	2d4acb5a49	flake.lock: Update lix	2025-07-29 18:04:22 +02:00
Flake Update Bot	905682cf17	Update nixpkgs 2025-07-29-01-03	2025-07-29 03:04:11 +02:00
clerie	f5ec777e9b	flake/hydraJobs.nix: Track additional packages in hydra	2025-07-28 22:48:59 +02:00
clerie	944bced757	pkgs/pipewire-all-bluetooth: A pipewire audio sink that distributes to all Bluetooth speakers	2025-07-28 22:36:49 +02:00
clerie	5bd15927d5	hosts/web-2: Block Alibaba Cloud because of scraper bots	2025-07-18 23:55:33 +02:00
clerie	9b05a008bb	configuration/desktop: Add helvum audio routing gui	2025-07-15 19:39:46 +02:00
clerie	871ba5ea43	pkgs/uptimestatus: Explicitly specify build system	2025-07-15 19:26:50 +02:00
clerie	560e53f77b	hosts/krypton: Add drune3d program	2025-07-12 13:21:30 +02:00
clerie	03aa425038	hosts/web-2: Add traveldrafter.clerie.de	2025-07-06 18:17:31 +02:00
clerie	751efd02bb	hosts/porter: Enable system auto upgrade	2025-07-05 20:16:01 +02:00
clerie	43d1133772	modules/clerie-system-upgrade: Always reboot after an update	2025-06-30 18:35:57 +02:00