Update nixpkgs 2025-08-17-01-03

configuration/common/default.nix

@@ -7,7 +7,6 @@
     ./initrd.nix
     ./locale.nix
     ./networking.nix
-    ./nix.nix
     ./programs.nix
     ./ssh.nix
     ./systemd.nix

configuration/common/nix.nix

@@ -1,70 +0,0 @@
-{ lib, pkgs, ... }:
-
-{
-
-  clerie.nixfiles.enable = true;
-
-  clerie.system-auto-upgrade.enable = true;
-
-  nix.settings = {
-    trusted-users = [ "@wheel" "@guests" ];
-    auto-optimise-store = true;
-    # Keep buildtime dependencies
-    keep-outputs = true;
-    # Build local, when caches are broken
-    fallback = true;
-  };
-
-  nix.gc = lib.mkDefault {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-  };
-
-
-  nix.settings = {
-    experimental-features = [
-      "flakes"
-      "nix-command"
-    ];
-    substituters = [
-      "https://nix-cache.clerie.de"
-    ];
-    trusted-public-keys = [
-      "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
-    ];
-  };
-
-  # Pin current nixpkgs channel and flake registry to the nixpkgs version
-  # the host got build with
-  nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
-  nix.registry = {
-    "nixpkgs" = lib.mkForce {
-       from = {
-         type = "indirect";
-         id = "nixpkgs";
-       };
-       to = {
-         type = "path";
-         path = lib.cleanSource pkgs.path;
-       };
-       exact = true;
-    };
-    "templates" = {
-       from = {
-         type = "indirect";
-         id = "templates";
-       };
-       to = {
-         type = "git";
-         url = "https://git.clerie.de/clerie/flake-templates.git";
-       };
-    };
-  };
-
-  documentation.doc.enable = false;
-
-  environment.systemPackages = with pkgs; [
-    nix-remove-result-links
-  ];
-}

configuration/desktop/audio.nix

@@ -1,19 +0,0 @@
-{ ... }:
-
-{
-
-  services.pulseaudio.enable = false;
-
-  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa = {
-      enable = true;
-      support32Bit = true;
-    };
-    pulse = {
-      enable = true;
-    };
-  };
-
-}

configuration/desktop/default.nix

@@ -1,19 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./audio.nix
-    ./firmware.nix
-    ./fonts.nix
-    ./gnome.nix
-    ./inputs.nix
-    ./networking.nix
-    ./polkit.nix
-    ./power.nix
-    ./printing.nix
-    ./ssh.nix
-    ./xserver.nix
-  ];
-
-  security.sudo.wheelNeedsPassword = true;
-}

configuration/desktop/firmware.nix

@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-
-  services.fwupd.enable = true;
-
-}

configuration/desktop/fonts.nix

@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-
-{
-
-  fonts.enableDefaultPackages = true;
-  fonts.packages = with pkgs; [
-    roboto
-    roboto-mono
-    noto-fonts
-    noto-fonts-emoji
-    comfortaa
-  ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
-}

configuration/desktop/gnome.nix

@@ -1,61 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.gnome = {
-    localsearch.enable = false;
-    tinysparql.enable = false;
-  };
-
-  environment.gnome.excludePackages = with pkgs; [
-    baobab
-    epiphany
-    gnome-calendar
-    gnome-clocks
-    gnome-console
-    gnome-contacts
-    gnome-logs
-    gnome-maps
-    gnome-music
-    gnome-tour
-    gnome-photos
-    gnome-weather
-    gnome-connections
-    simple-scan
-    yelp
-    geary
-  ];
-
-  environment.systemPackages = with pkgs; [
-    evolution
-    gnome-terminal
-    gnome-tweaks
-  ];
-
-  services.gnome.evolution-data-server.enable = true;
-
-  programs.dconf.profiles = {
-    user.databases = [
-      {
-        settings = {
-          "org/gnome/desktop/calendar" = {
-            show-weekdate = true;
-          };
-          "org/gnome/desktop/interface" = {
-            enable-hot-corners = false;
-            show-battery-percentage = true;
-          };
-          "org/gnome/desktop/notifications" = {
-            show-in-lock-screen = false;
-          };
-          "org/gnome/desktop/sound" = {
-            event-sounds = false;
-          };
-          "org/gnome/gnome-system-monitor" = {
-            network-in-bits = true;
-            network-total-in-bits = true;
-          };
-        };
-      }
-    ];
-  };
-}

configuration/desktop/inputs.nix

@@ -1,43 +0,0 @@
-{ ... }:
-
-{
-  programs.dconf.profiles = {
-    user.databases = [
-      {
-        settings = {
-          "org/gnome/desktop/peripherals/touchpad" = {
-            disable-while-typing = false;
-            edge-scrolling-enabled = false;
-            natural-scroll = true;
-            tap-to-click = true;
-            two-finger-scrolling-enabled = true;
-          };
-          "org/gnome/settings-daemon/plugins/media-keys" = {
-            custom-keybindings = [
-              "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
-            ];
-            mic-mute = [ "<Control>Print" ];
-          };
-          "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
-            name = "Terminal";
-            binding = "<Primary><Alt>t";
-            command = "gnome-terminal";
-          };
-        };
-      }
-    ];
-    gdm.databases = [
-      {
-        settings = {
-          "org/gnome/desktop/peripherals/touchpad" = {
-            disable-while-typing = false;
-            edge-scrolling-enabled = false;
-            natural-scroll = true;
-            tap-to-click = true;
-            two-finger-scrolling-enabled = true;
-          };
-        };
-      }
-    ];
-  };
-}

configuration/desktop/networking.nix

@@ -1,14 +0,0 @@
-{ ... }:
-
-{
-
-  networking.networkmanager.settings = {
-    connectivity = {
-      uri = "http://ping.clerie.de/nm-check.txt";
-    };
-    global-dns = {
-      searches = "net.clerie.de";
-    };
-  };
-
-}

configuration/desktop/polkit.nix

@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-
-  security.polkit.enable = true;
-
-}

configuration/desktop/power.nix

@@ -1,42 +0,0 @@
-{ lib, config, ... }:
-
-{
-  boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
-  services.logind = {
-    lidSwitch = "suspend-then-hibernate";
-  };
-  systemd.sleep.extraConfig = ''
-    HibernateDelaySec=30m
-  '';
-
-  services.upower = {
-    percentageLow = 20;
-    percentageCritical = 10;
-    percentageAction = 8;
-  };
-
-  programs.dconf.profiles = {
-    user.databases = [
-      {
-        settings = {
-          "org/gnome/settings-daemon/plugins/power" = {
-            power-button-action = "hibernate";
-            power-saver-profile-on-low-battery = false;
-            sleep-inactive-ac-type = "nothing";
-          };
-        };
-      }
-    ];
-    gdm.databases = [
-      {
-        settings = {
-          "org/gnome/settings-daemon/plugins/power" = {
-            power-button-action = "hibernate";
-            power-saver-profile-on-low-battery = false;
-            sleep-inactive-ac-type = "nothing";
-          };
-        };
-      }
-    ];
-  };
-}

configuration/desktop/printing.nix

@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-  services.printing.enable = true;
-  services.avahi.enable = true;
-  services.avahi.nssmdns4 = true;
-}

configuration/desktop/ssh.nix

@@ -1,34 +0,0 @@
-{ pkgs, ... }:
-
-{
-
-  imports = [
-    ../../configuration/gpg-ssh
-  ];
-  programs.gnupg.agent = {
-    pinentryPackage = pkgs.pinentry-gtk2;
-  };
-
-  # Do not disable ssh-agent of gnome-keyring, because
-  # gnupg ssh-agent can't handle normal SSH keys properly
-  /*
-  # Disable ssh-agent of gnome-keyring
-  nixpkgs.overlays = [
-    (final: prev: {
-      gnome = prev.gnome // {
-        gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
-          mkdir -p $out
-
-          # Symlink all gnome-keyring binaries
-          ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
-
-          # Disable autostart for ssh
-          rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-          cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-          echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-        '';
-      };
-    })
-  ];
-  */
-}

configuration/desktop/xserver.nix

@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.xserver.enable = true;
-  services.xserver.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome.enable = true;
-
-  services.xserver.excludePackages = with pkgs; [
-    xterm
-  ];
-}

configuration/gpg-ssh/default.nix

@@ -1,51 +0,0 @@
-{ pkgs, lib, ... }:
-
-let
-
-  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
-    configureFlags = prev.configureFlags ++ [
-      # Make sure scdaemon never ever again tries to use its own ccid driver
-      "--disable-ccid-driver"
-    ];
-  });
-
-in {
-
-  programs.gnupg.package = custom_gnupg;
-  programs.gnupg.agent = {
-    enable = true;
-    enableSSHSupport = true;
-    pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
-  };
-
-  environment.systemPackages = with pkgs; [
-    custom_gnupg
-    yubikey-personalization
-    openpgp-card-tools
-
-    # Add wrapper around ssh that takes the gnupg ssh-agent
-    # instead of gnome-keyring
-    ssh-gpg
-  ];
-
-  services.pcscd.enable = true;
-
-  # pcscd sometimes breaks and seem to need a manual restart
-  # so we allow users to restart that service themself
-  security.polkit.extraConfig = ''
-    polkit.addRule(function(action, subject) {
-        if (
-            action.id == "org.freedesktop.systemd1.manage-units"
-            && action.lookup("unit") == "pcscd.service"
-            && action.lookup("verb") == "restart"
-            && subject.isInGroup("users")
-        ) {
-            return polkit.Result.YES;
-        }
-    });
-  '';
-
-  services.udev.packages = with pkgs; [
-    yubikey-personalization
-  ];
-}

flake.lock

@@ -269,11 +269,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1748520450,
+        "lastModified": 1751801455,
-        "narHash": "sha256-thTwt6c/qdLg65urUWSENbmwf/ofvujpFNNTcF+iZvI=",
+        "narHash": "sha256-hUJqtS88SbNQQSEJAPFyY2vLMh8yA8rQ6jbul50p64M=",
         "ref": "lix-2.93",
-        "rev": "509c94cdb7e11d48e67a5a68c0d5fadfcda7bad5",
+        "rev": "b940aca430a7ca41f70bdb320659dd62026fe0e9",
-        "revCount": 4257,
+        "revCount": 4261,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/hydra.git"
       },
@@ -290,6 +290,9 @@
           "flake-compat"
         ],
         "nix2container": "nix2container",
+        "nix_2_18": [
+          "hydra"
+        ],
         "nixpkgs": [
           "hydra",
           "nixpkgs"
@@ -298,11 +301,11 @@
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1747597901,
+        "lastModified": 1751235704,
-        "narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=",
+        "narHash": "sha256-Jzm3KPZ2gL+0Nl3Mw/2E0B3vqDDi1Xt5+9VCXghUDZ8=",
         "ref": "release-2.93",
-        "rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad",
+        "rev": "f3a7bbe5f8d1a8504ddb6362d50106904523e440",
-        "revCount": 17846,
+        "revCount": 17874,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/lix"
       },
@@ -324,11 +327,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748254718,
+        "lastModified": 1753282722,
-        "narHash": "sha256-Uf6HNA0JctJH4ZdrZ/xb185mT0/XusLxnric9Xhg7Es=",
+        "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
         "ref": "release-2.93",
-        "rev": "3855614ceafe562393472cca5fb2005297889a75",
+        "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
-        "revCount": 143,
+        "revCount": 149,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nixos-module.git"
       },
@@ -342,6 +345,7 @@
       "inputs": {
         "flake-compat": "flake-compat_2",
         "nix2container": "nix2container_2",
+        "nix_2_18": "nix_2_18",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -349,11 +353,11 @@
         "pre-commit-hooks": "pre-commit-hooks_2"
       },
       "locked": {
-        "lastModified": 1747597901,
+        "lastModified": 1753306924,
-        "narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=",
+        "narHash": "sha256-jLCEW0FvjFhC+c4RHzH+xbkSOxrnpFHnhjOw6sudhx0=",
         "ref": "release-2.93",
-        "rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad",
+        "rev": "1a4393d0aac31aba21f5737ede1b171e11336d77",
-        "revCount": 17846,
+        "revCount": 17884,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/lix.git"
       },
@@ -363,6 +367,22 @@
         "url": "https://git.lix.systems/lix-project/lix.git"
       }
     },
+    "lowdown-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1633514407,
+        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "type": "github"
+      }
+    },
     "mitel-ommclient2": {
       "inputs": {
         "nixpkgs": [
@@ -416,6 +436,34 @@
         "type": "github"
       }
     },
+    "nix_2_18": {
+      "inputs": {
+        "flake-compat": [
+          "lix",
+          "flake-compat"
+        ],
+        "lowdown-src": "lowdown-src",
+        "nixpkgs": "nixpkgs_4",
+        "nixpkgs-regression": [
+          "lix",
+          "nixpkgs-regression"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730375271,
+        "narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
+        "owner": "NixOS",
+        "repo": "nix",
+        "rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "2.18.9",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
     "nixos-exporter": {
       "inputs": {
         "nixpkgs": [
@@ -484,6 +532,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-carbon": {
+      "locked": {
+        "lastModified": 1751206202,
+        "narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
+        "owner": "clerie",
+        "repo": "nixpkgs",
+        "rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
+        "type": "github"
+      },
+      "original": {
+        "owner": "clerie",
+        "ref": "clerie/always-setup-netdevs",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-regression": {
       "locked": {
         "lastModified": 1643052045,
@@ -550,11 +614,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1748437600,
+        "lastModified": 1751582995,
-        "narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=",
+        "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7282cb574e0607e65224d33be8241eae7cfe0979",
+        "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
         "type": "github"
       },
       "original": {
@@ -566,11 +630,27 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1750506804,
+        "lastModified": 1705033721,
-        "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=",
+        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4206c4cb56751df534751b058295ea61357bbbaa",
+        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.05-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1755186698,
+        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
         "type": "github"
       },
       "original": {
@@ -665,14 +745,16 @@
         "lix-module": "lix-module",
         "nixos-exporter": "nixos-exporter",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_5",
         "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
+        "nixpkgs-carbon": "nixpkgs-carbon",
         "nurausstieg": "nurausstieg",
         "rainbowrss": "rainbowrss",
         "scan-to-gpg": "scan-to-gpg",
         "solid-xmpp-alarm": "solid-xmpp-alarm",
         "sops-nix": "sops-nix",
-        "ssh-to-age": "ssh-to-age"
+        "ssh-to-age": "ssh-to-age",
+        "traveldrafter": "traveldrafter"
       }
     },
     "scan-to-gpg": {
@@ -787,6 +869,26 @@
         "type": "github"
       }
     },
+    "traveldrafter": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751817360,
+        "narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
+        "ref": "refs/heads/main",
+        "rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
+        "revCount": 22,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/traveldrafter.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/traveldrafter.git"
+      }
+    },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [

flake.nix

@@ -1,6 +1,7 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
     # for etesync-dav
     nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -67,11 +68,13 @@
       url = "github:Mic92/ssh-to-age";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    traveldrafter = {
+      url = "git+https://git.clerie.de/clerie/traveldrafter.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
   outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
     lib = import ./lib inputs;
-    helper = lib.flake-helper;
-    localNixpkgs = import ./flake/nixpkgs.nix inputs;
   in {
     clerie.hosts = {
       aluminium = {
@@ -135,14 +138,24 @@
     };
 
     overlays = {
-      nixfilesInputs = import ./flake/overlay.nix inputs;
+      clerie-inputs = import ./flake/inputs-overlay.nix inputs;
-      clerie = import ./pkgs/overlay.nix;
+      clerie-pkgs = import ./pkgs/overlay.nix;
-      default = self.overlays.clerie;
+      clerie-build-support = import ./pkgs/build-support/overlay.nix;
+      clerie-overrides = import ./pkgs/overrides/overlay.nix;
     };
 
-    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
+    nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
-      pkgs = localNixpkgs.${system};
+      lib.mkNixpkgs {
-    in builtins.mapAttrs (name: value: pkgs."${name}") (import ./pkgs/pkgs.nix));
+        inherit system;
+      }
+    );
+
+    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
+      nixpkgs.lib.genAttrs (
+        (builtins.attrNames (self.overlays.clerie-pkgs null null))
+        ++ (builtins.attrNames (self.overlays.clerie-overrides null null))
+      ) (name: self.nixpkgs."${system}"."${name}")
+    );
 
     inherit lib self;
 

flake/hydraJobs.nix

@@ -10,6 +10,12 @@ let
 in {
   inherit (self)
     packages;
+  extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
+    nixpkgs.lib.genAttrs [
+      "hydra"
+      "lix"
+    ] (name: self.nixpkgs."${system}"."${name}")
+  );
   nixosConfigurations = buildHosts self.nixosConfigurations;
   iso = self.nixosConfigurations._iso.config.system.build.isoImage;
 }

flake/inputs-overlay.nix

@@ -9,6 +9,7 @@
 , rainbowrss
 , scan-to-gpg
 , ssh-to-age
+, traveldrafter
 , ...
 }@inputs:
 final: prev: {
@@ -32,4 +33,6 @@ final: prev: {
     scan-to-gpg;
   inherit (ssh-to-age.packages.${final.system})
     ssh-to-age;
+  inherit (traveldrafter.packages.${final.system})
+    traveldrafter;
 }

flake/nixosConfigurations.nix

@@ -11,33 +11,14 @@ let
     modules ? [],
   }: let
     localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
-  in localNixpkgs.lib.nixosSystem {
+  in self.lib.nixosSystem {
     system = system;
+    nixpkgs = localNixpkgs;
     modules = modules ++ [
-      self.nixosModules.nixfilesInputs
-      self.nixosModules.clerie
-      self.nixosModules.profiles
-
       ({ config, lib, ... }: {
         # Set hostname
         networking.hostName = lib.mkDefault name;
 
-        # Apply overlays
-        nixpkgs.overlays = [
-          self.overlays.nixfilesInputs
-          self.overlays.clerie
-        ];
-
-        /*
-          Make the contents of the flake availiable to modules.
-          Useful for having the monitoring server scraping the
-          target config from all other servers automatically.
-        */
-        _module.args = {
-          inputs = inputs;
-          _nixfiles = self;
-        };
-
         # Expose host group to monitoring
         clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };
 

flake/nixpkgs.nix

@@ -1,17 +0,0 @@
-{ self
-, nixpkgs
-, ...
-}@inputs:
-
-let
-  mkNixpkgs = { system, ... }@args: 
-    import nixpkgs {
-      inherit system;
-      overlays = [
-        self.overlays.nixfilesInputs
-        self.overlays.clerie
-      ];
-    };
-
-in
-  nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })

hosts/_iso/configuration.nix

@@ -3,9 +3,9 @@
 {
   imports = [
     (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
-    ../../configuration/gpg-ssh
   ];
 
+  profiles.clerie.gpg-ssh.enable = true;
   profiles.clerie.network-fallback-dhcp.enable = true;
 
   # systemd in initrd is broken with ISOs

hosts/carbon/configuration.nix

@@ -63,10 +63,10 @@
 
   systemd.services.kea-dhcp4-server = {
     after = [
-      "network-setup.service"
+      "network.target"
     ];
-    requires = [
+    wants = [
-      "network-setup.service"
+      "network.target"
     ];
   };
 

hosts/dn42-il-gw1/configuration.nix

@@ -238,7 +238,6 @@
   };
 
   clerie.system-auto-upgrade = {
-    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/dn42-il-gw5/configuration.nix

@@ -112,7 +112,6 @@
   };
 
   clerie.system-auto-upgrade = {
-    allowReboot = true;
     autoUpgrade = true;
     startAt = "*-*-* 06:22:00";
   };

hosts/dn42-il-gw6/configuration.nix

@@ -106,7 +106,6 @@
   };
 
   clerie.system-auto-upgrade = {
-    allowReboot = true;
     autoUpgrade = true;
     startAt = "*-*-* 07:22:00";
   };

hosts/dn42-ildix-clerie/configuration.nix

@@ -162,7 +162,6 @@
   '';
 
   clerie.system-auto-upgrade = {
-    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/dn42-ildix-service/configuration.nix

@@ -71,7 +71,6 @@
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   clerie.system-auto-upgrade = {
-    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/gatekeeper/configuration.nix

@@ -131,6 +131,7 @@
 
   clerie.nginx-port-forward = {
     enable = true;
+    resolver = "127.0.0.53";
     tcpPorts."443" = {
       host = "localhost";
       port = 22;

hosts/krypton/configuration.nix

@@ -5,8 +5,6 @@
     [
       ./hardware-configuration.nix
 
-      ../../configuration/desktop
-
       ./android.nix
       ./backup.nix
       ./etesync-dav.nix
@@ -15,6 +13,8 @@
       ./programs.nix
     ];
 
+  profiles.clerie.desktop.enable = true;
+
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;

hosts/krypton/programs.nix

@@ -14,10 +14,11 @@
 
     tio
     xournalpp
-    onlyoffice-bin
+    libreoffice
 
     krita
     inkscape
+    dune3d
 
     wireshark
     tcpdump

hosts/monitoring-3/dashboards/home.json

@@ -0,0 +1,77 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 10,
+  "links": [],
+  "panels": [
+    {
+      "fieldConfig": {
+        "defaults": {},
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 11,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "includeVars": false,
+        "keepTime": false,
+        "maxItems": 10,
+        "query": "",
+        "showFolderNames": true,
+        "showHeadings": false,
+        "showRecentlyViewed": false,
+        "showSearch": true,
+        "showStarred": false,
+        "tags": []
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "title": "Dashboards",
+      "type": "dashlist"
+    }
+  ],
+  "preload": false,
+  "refresh": "",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-6h",
+    "to": "now"
+  },
+  "timepicker": {
+    "hidden": true
+  },
+  "timezone": "browser",
+  "title": "Home",
+  "uid": "OqTN9p2nz",
+  "version": 1
+}

hosts/monitoring-3/dashboards/nginx-exporter.json

@@ -0,0 +1,355 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 16,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Total requests",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "legendFormat": "{{server_name}}: {{method}}",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Status codes",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 10
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "legendFormat": "{{server_name}}: HTTP {{status}}",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Response codes",
+      "type": "timeseries"
+    }
+  ],
+  "preload": false,
+  "refresh": "30s",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "text": "All",
+          "value": [
+            "$__all"
+          ]
+        },
+        "definition": "label_values(nginxlog_http_response_count_total,server_name)",
+        "includeAll": true,
+        "label": "vHost",
+        "multi": true,
+        "name": "server_name",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(nginxlog_http_response_count_total,server_name)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-3h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "browser",
+  "title": "Nginx Exporter",
+  "uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
+  "version": 7
+}

hosts/monitoring-3/dashboards/nixos-status.json

@@ -0,0 +1,135 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 15,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "continuous-RdYlGr"
+          },
+          "custom": {
+            "axisPlacement": "auto",
+            "fillOpacity": 70,
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineWidth": 0,
+            "spanNulls": false
+          },
+          "mappings": [
+            {
+              "options": {
+                "0": {
+                  "index": 1,
+                  "text": "mismatch"
+                },
+                "1": {
+                  "index": 0,
+                  "text": "sync"
+                }
+              },
+              "type": "value"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "red"
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 23,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "alignValue": "left",
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "mergeValues": true,
+        "rowHeight": 0.9,
+        "showValue": "auto",
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "builder",
+          "expr": "nixos_current_system_is_sync",
+          "legendFormat": "{{instance}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Config is Sync",
+      "type": "state-timeline"
+    }
+  ],
+  "preload": false,
+  "refresh": "5m",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-7d",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "NixOS Status",
+  "uid": "W4j3nz1Vz",
+  "version": 3
+}

hosts/monitoring-3/dashboards/smokeping.json

@@ -0,0 +1,211 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 11,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 22,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "code",
+          "exemplar": true,
+          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
+          "interval": "",
+          "legendFormat": "IPv6 {{target}} ({{instance}})",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "code",
+          "exemplar": true,
+          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
+          "hide": false,
+          "interval": "",
+          "legendFormat": "IPv4 {{target}} ({{instance}})",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Smokeping",
+      "type": "timeseries"
+    }
+  ],
+  "preload": false,
+  "refresh": "",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "text": "All",
+          "value": "$__all"
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "PBFA97CFB590B2093"
+        },
+        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
+        "includeAll": true,
+        "label": "Target:",
+        "multi": true,
+        "name": "target",
+        "options": [],
+        "query": {
+          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
+          "refId": "StandardVariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      },
+      {
+        "current": {
+          "text": [
+            "All"
+          ],
+          "value": [
+            "$__all"
+          ]
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "PBFA97CFB590B2093"
+        },
+        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
+        "includeAll": true,
+        "label": "Instance:",
+        "multi": true,
+        "name": "instance",
+        "options": [],
+        "query": {
+          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
+          "refId": "StandardVariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-30m",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Smokeping",
+  "uid": "IytTVZL7z",
+  "version": 9
+}

hosts/monitoring-3/prometheus.nix

@@ -52,6 +52,12 @@ let
     attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
     monitoringHosts);
 
+  nginxlogMonitoringTargets = mapAttrsToList (name: host:
+    "${host.config.networking.hostName}.mon.clerie.de:9117")
+    (filterAttrs (name: host:
+    attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
+    monitoringHosts);
+
   eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
 
 in {
@@ -104,6 +110,21 @@ in {
           relabelAddressToInstance
         ];
       }
+      {
+        job_name = "alertmanager";
+        scrape_interval = "20s";
+        scheme = "http";
+        static_configs = [
+          {
+            targets = [
+              "monitoring-3.mon.clerie.de:9093"
+            ];
+          }
+        ];
+        relabel_configs = [
+          relabelAddressToInstance
+        ];
+      }
       {
         job_name = "node-exporter";
         scrape_interval = "20s";
@@ -521,12 +542,24 @@ in {
           }
         ];
       }
+      {
+        job_name = "nginxlog-exporter";
+        scrape_interval = "20s";
+        static_configs = [
+          {
+            targets = nginxlogMonitoringTargets;
+          }
+        ];
+        relabel_configs = [
+          relabelAddressToInstance
+        ];
+      }
     ];
     alertmanagers = [
       {
         static_configs = [ {
           targets = [
-            "[::1]:9093"
+            "monitoring-3.mon.clerie.de:9093"
           ];
         } ];
       }

hosts/monitoring-3/rules.yml

@@ -95,3 +95,10 @@ groups:
     annotations:
       summary: "blog.nadja.top unreachable via IPv4"
       description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
+  - alert: AlertmanagerNotificationRequestsFailed
+    expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
+    labels:
+      severity: critical
+    annotations:
+      summary: "Too many notification requests failed"
+      description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"

hosts/nonat/configuration.nix

@@ -42,7 +42,6 @@
   networking.firewall.allowedUDPPorts = [];
 
   clerie.system-auto-upgrade = {
-    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/porter/configuration.nix

@@ -28,8 +28,19 @@
 
   profiles.clerie.common-webserver.httpDefaultVirtualHost = false;
 
+  services.unbound = {
+    enable = true;
+    resolveLocalQueries = false;
+    settings = {
+      server = {
+        interface = [ "127.0.0.1" ];
+      };
+    };
+  };
+
   clerie.nginx-port-forward = {
     enable = true;
+    resolver = "127.0.0.1";
     tcpPorts."80" = {
       host = "baikonur.dyn.weimarnetz.de";
       port = 80;
@@ -47,6 +58,10 @@
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   networking.firewall.allowedUDPPorts = [];
 
+  clerie.system-auto-upgrade = {
+    autoUpgrade = true;
+  };
+
   clerie.monitoring = {
     enable = true;
     id = "102";

hosts/storage-2/configuration.nix

@@ -53,7 +53,6 @@
   };
 
   clerie.system-auto-upgrade = {
-    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/web-2/blocked-prefixes.txt

@@ -0,0 +1,195 @@
+ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
+iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse

hosts/web-2/clerie.nix

@@ -27,7 +27,7 @@
         root = pkgs.clerie-keys;
       };
       locations."= /ssh/known_hosts" = {
-        alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
+        alias = pkgs.clerie-ssh-known-hosts + "/known_hosts";
         extraConfig = ''
           types { }
           default_type "text/plain; charset=utf-8";
@@ -53,9 +53,6 @@
         '';
         return = "200 ''";
       };
-      extraConfig = ''
-        access_log /var/log/nginx/clerie.de.log combined_anon;
-      '';
     };
   };
 }

hosts/web-2/configuration.nix

@@ -24,6 +24,7 @@
       ./public.nix
       ./radicale.nix
       ./reichartstrasse.nix
+      ./traveldrafter.nix
       ./uptimestatus.nix
       ./wetter.nix
     ];
@@ -51,6 +52,8 @@
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
+  networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;
+
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_16;

hosts/web-2/gitea.nix

@@ -83,9 +83,6 @@
           proxyPass = "http://[::1]:3000";
         };
       };
-      extraConfig = ''
-        access_log /var/log/nginx/git.clerie.de.log combined_anon;
-      '';
     };
   };
 }

hosts/web-2/ip.nix

@@ -53,9 +53,6 @@
           types { } default_type "text/html; charset=utf-8";
         '';
       };
-      extraConfig = ''
-        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
-      '';
     };
     "ip4.clerie.de" = {
       enableACME = true;
@@ -67,9 +64,6 @@
           add_header Access-Control-Allow-Origin *;
         '';
       };
-      extraConfig = ''
-        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
-      '';
     };
     "ip6.clerie.de" = {
       enableACME = true;
@@ -81,9 +75,6 @@
           add_header Access-Control-Allow-Origin *;
         '';
       };
-      extraConfig = ''
-        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
-      '';
     };
   };
 }

hosts/web-2/legal.nix

@@ -7,8 +7,8 @@
       forceSSL = true;
       root = pkgs.fetchgit {
         url = "https://git.clerie.de/clerie/legal.clerie.de.git";
-        rev = "c6900226e3107a2e370a32759d83db472ab5450d";
+        rev = "b271b9729f4545c340ce9d16ecbca136031da409";
-        sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU=";
+        sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
       };
       locations."/impressum" = {
         return = ''301 https://legal.clerie.de/#impressum'';

hosts/web-2/secrets.json

@@ -4,19 +4,16 @@
 	"clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]",
 	"radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]",
+	"traveldrafter-htpasswd": "ENC[AES256_GCM,data:f29vVDofv2mJEyn/pMKWW8ZbVTKSofe1EEtcfuCaokdqAyxemcq/2hrXFw8cAGTV2hwVqlM2hzJcT32KBjO/wgUNfv4=,iv:5PdQ+bn/bXmfQstP5A/dLeDk7O0qTjoRTyr4D+AgiG0=,tag:gCBrSJ4cEnZHqePiUpPglA==,type:str]",
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-05-10T13:32:34Z",
+		"lastmodified": "2025-07-06T16:08:39Z",
-		"mac": "ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]",
+		"mac": "ENC[AES256_GCM,data:6EbMSJAKOMgXtlwaVtsmPgrZVgraReAfVJWjZvhe965eLhhP5aeyZqPlA6a93h2FsShVFYWFPI57tdHy9Ymo53oXolSt8Docr2w2FL4BTWHHhkXal9+6aJZAZ+XOPEOUYurFxPOX44l+LDkecSz0NMCgrScWtpphjlkj3yP5GTo=,iv:5w8RC9IAuyEuO0QSZ0FBwW2/qqV56HNG7hZIkEeGEYU=,tag:Zosv1OSMtznnKkSYStu+oA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:29:58Z",
@@ -27,4 +24,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}

hosts/web-2/traveldrafter.nix

@@ -0,0 +1,40 @@
+{ pkgs, lib, config, ... }: {
+  services.update-from-hydra.paths.traveldrafter = {
+    enable = true;
+    hydraUrl = "https://hydra.clerie.de";
+    hydraProject = "clerie";
+    hydraJobset = "traveldrafter";
+    hydraJob = "packages.x86_64-linux.traveldrafter";
+    nixStoreUri = "https://nix-cache.clerie.de";
+    resultPath = "/srv/traveldrafter";
+  };
+
+  sops.secrets.traveldrafter-htpasswd = {
+    owner = "nginx";
+    group = "nginx";
+  };
+
+  services.nginx.virtualHosts = {
+    "traveldrafter.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/srv/traveldrafter/lib/node_modules/traveldrafter/web/";
+      basicAuthFile = config.sops.secrets.traveldrafter-htpasswd.path;
+      locations."/api" = {
+        proxyPass = "http://[::1]:3001";
+      };
+    };
+  };
+
+  systemd.services."traveldrafter" = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      RuntimeDirectory = "traveldrafter";
+      DynamicUser = true;
+    };
+    environment = {
+      HTTP_PORT = "3001";
+    };
+    script = lib.getExe pkgs.traveldrafter;
+  };
+}

hosts/zinc/configuration.nix

@@ -5,12 +5,12 @@
     [
       ./hardware-configuration.nix
 
-      ../../configuration/desktop
-
       ./initrd.nix
       ./programs.nix
     ];
 
+  profiles.clerie.desktop.enable = true;
+
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;

lib/default.nix

@@ -8,6 +8,8 @@ let
 
   lib = {
     clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix;
+    mkNixpkgs = callLibs ./mkNixpkgs.nix;
+    nixosSystem = callLibs ./nixosSystem.nix;
   };
 
 in

lib/link-local-wireguard.nix

@@ -1,22 +0,0 @@
-{ ... }:
-
-rec {
-  llIPv6 = localIP: peerIP: interface: {
-    ips = [
-      "${localIP}/128"
-    ];
-    postSetup = ''
-    ip -6 route flush dev ${interface}
-    ip addr del dev ${interface} ${localIP}/128 && ip addr add dev ${interface} ${localIP}/128 peer ${peerIP}/128
-    '';
-  };
-  llIPv4 = localIP: peerIP: interface: {
-    ips = [
-      "${localIP}/32"
-    ];
-    postSetup = ''
-    ip -4 route flush dev ${interface}
-    ip addr del dev ${interface} ${localIP}/32 && ip addr add dev ${interface} ${localIP}/32 peer ${peerIP}/32
-    '';
-  };
-}

lib/mkNixpkgs.nix

@@ -0,0 +1,27 @@
+{
+  inputs,
+  self,
+  ...
+}:
+
+/*
+
+  Loads a version of nixpkgs with nixfiles overlays loaded
+
+*/
+{
+  system,
+  nixpkgs ? inputs.nixpkgs,
+  overlays ? [],
+  ...
+}@args:
+
+import nixpkgs {
+  inherit system;
+  overlays = [
+    self.overlays.clerie-inputs
+    self.overlays.clerie-pkgs
+    self.overlays.clerie-build-support
+    self.overlays.clerie-overrides
+  ] ++ overlays;
+}

lib/nixosSystem.nix

@@ -0,0 +1,42 @@
+{
+  inputs,
+  self,
+  ...
+}:
+
+/*
+
+  nixfiles.lib.nixosSystem, like nixpkgs.lib.nixosSystem but
+  with nixfiles overlays and modules already populated
+
+*/
+{
+  system ? null,
+  nixpkgs ? inputs.nixpkgs,
+  pkgs ? null,
+  modules ? [],
+  ...
+}@args:
+
+nixpkgs.lib.nixosSystem ({
+  system = system;
+  pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs {
+    inherit system nixpkgs;
+  });
+  modules = [
+    self.nixosModules.nixfilesInputs
+    self.nixosModules.clerie
+    self.nixosModules.profiles
+    ({ config, lib, ... }: {
+      /*
+        Make the contents of the flake availiable to modules.
+        Useful for having the monitoring server scraping the
+        target config from all other servers automatically.
+      */
+      _module.args = {
+        inputs = inputs;
+        _nixfiles = self;
+      };
+    })
+  ] ++ modules;
+} // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )

modules/clerie-system-upgrade/default.nix

@@ -10,11 +10,6 @@ in
   options = {
     clerie.system-auto-upgrade = {
       enable = mkEnableOption "clerie system upgrade";
-      allowReboot = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Monitor NixOS";
-      };
       autoUpgrade = mkOption {
         type = types.bool;
         default = false;
@@ -38,7 +33,7 @@ in
 
       serviceConfig = {
         Type = "oneshot";
-        ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
+        ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
       };
     };
     systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade {

modules/monitoring/default.nix

@@ -102,6 +102,33 @@ in
       listen = "[::]:9152";
     };
 
+    services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
+      enable = true;
+      settings = {
+        namespaces = [
+          {
+            name = "nginxlog";
+            format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
+            source = {
+              files = [
+                "/var/log/nginx/access.log"
+              ];
+            };
+            relabel_configs = [
+              {
+                target_label = "server_name";
+                from = "server_name";
+              }
+            ];
+          }
+        ];
+      };
+    };
+
+    systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
+      SupplementaryGroups = "nginx";
+    };
+
     networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
       9100 # node-exporter
       9152 # nixos-exporter
@@ -109,6 +136,8 @@ in
       9324 # bird-exporter
     ] else []) ++ (if cfg.blackbox then [
       9115 # blackbox-exporter
+    ] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
+      config.services.prometheus.exporters.nginxlog.port
     ] else []);
   };
 }

modules/nginx-port-forward/default.nix

@@ -9,7 +9,7 @@ let
 
   mkServerBlock = isUDP: port: forward: ''
     server {
-      resolver 127.0.0.53 ipv4=off valid=30s;
+      resolver ${cfg.resolver} ipv4=off valid=30s;
 
       listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
       listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
@@ -54,6 +54,10 @@ in
   options = {
     clerie.nginx-port-forward = {
       enable = mkEnableOption "Nginx Port Forward";
+      resolver = mkOption {
+        type = types.str;
+        description = "IP address of the resolver to use for upstream hostnames";
+      };
       tcpPorts = mkOption {
         type = with types; attrsOf (submodule portOpts);
         default = {};

pkgs/build-support/overlay.nix

@@ -0,0 +1,7 @@
+final: prev:
+
+{
+  clerie-build-support = {
+    writePythonScript = final.callPackage ./writePythonScript.nix {};
+  };
+}

pkgs/build-support/writePythonScript.nix

@@ -0,0 +1,37 @@
+{
+  python3,
+  writeTextFile,
+  lib,
+}:
+
+{
+  name,
+  text,
+  runtimePackages ? ps: [],
+  pythonPackage ? python3,
+  meta ? {},
+  passthru ? {},
+  derivationArgs ? {},
+}:
+
+let
+
+  pythonWithPackages = pythonPackage.withPackages runtimePackages;
+
+in writeTextFile {
+  inherit
+    name
+    meta
+    passthru
+    derivationArgs
+    ;
+  executable = true;
+  destination = "/bin/${name}";
+  allowSubstitutes = true;
+  preferLocalBuild = false;
+  text = ''
+    #!${lib.getExe pythonWithPackages}
+
+    ${text}
+  '';
+}

pkgs/clerie-ssh-known-hosts/default.nix

@@ -1,13 +1,22 @@
+{
+  writeTextFile,
+}:
+
 let
   stripR = str: if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str;
-  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../hosts));
+  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../../hosts));
   sshkeyList = map (hostname: {
     name = hostname;
-    sshPubkey = stripR (builtins.readFile (../hosts + "/${hostname}/ssh.pub"));
+    sshPubkey = stripR (builtins.readFile (../../hosts + "/${hostname}/ssh.pub"));
   }) hostsWithSshPubkey;
   knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: ''
     ${name} ${sshPubkey}
     ${name}.net.clerie.de ${sshPubkey}
   '') sshkeyList);
-in
+in writeTextFile {
-  knownHosts
+  name = "clerie-ssh-known-hosts";
+  destination = "/known_hosts";
+  allowSubstitutes = true;
+  preferLocalBuild = false;
+  text = knownHosts;
+}

pkgs/clerie-system-upgrade/clerie-system-upgrade.sh

@@ -2,16 +2,11 @@
 
 set -euo pipefail
 
-ALLOW_REBOOT=
 NO_CONFIRM=
 NODE_EXPORTER_METRICS_PATH=
 
 while [[ $# -gt 0 ]]; do
 	case $1 in
-		--allow-reboot)
-			ALLOW_REBOOT=1
-			shift
-		;;
 		--no-confirm)
 			NO_CONFIRM=1
 			shift
@@ -63,13 +58,8 @@ ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel
 
 if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
 	echo "Reboot is required"
-	if [[ -n "$ALLOW_REBOOT" ]]; then
+	echo "Rebooting system now"
-		echo "Rebooting system now"
+	shutdown -r +1 "System update requires reboot"
-		shutdown -r +1 "System update requires reboot"
-	else
-		echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
-		echo "The system upgrade is staged, please reboot manually soon"
-	fi
 else
 	echo "No reboot is required"
 	echo "Activating system now"

pkgs/generate-blocked-prefixes/default.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+pkgs.clerie-build-support.writePythonScript {
+  name = "generate-blocked-prefixes";
+  runtimePackages = ps: with ps; [ requests ];
+  text = builtins.readFile ./generate-blocked-prefixes.py;
+}

pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+import ipaddress
+import requests
+
+blocked_asns = [
+    "45102", # Alibaba (US) Technology Co., Ltd.
+]
+
+r = requests.get('https://bgp.tools/table.txt', stream=True, headers={
+    "User-Agent": "https://git.clerie.de/clerie/nixfiles",
+})
+
+selected_ipv6_prefixes = []
+selected_ipv4_prefixes = []
+
+for line in r.iter_lines(decode_unicode=True):
+    prefix_string, asn_string = line.split()
+
+    if asn_string in blocked_asns:
+        prefix = ipaddress.ip_network(prefix_string)
+
+        if prefix.version == 6:
+            selected_ipv6_prefixes.append(prefix)
+        else:
+            selected_ipv4_prefixes.append(prefix)
+
+selected_ipv6_prefixes = list(ipaddress.collapse_addresses(selected_ipv6_prefixes))
+selected_ipv4_prefixes = list(ipaddress.collapse_addresses(selected_ipv4_prefixes))
+
+selected_ipv6_prefixes.sort()
+selected_ipv4_prefixes.sort()
+
+with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
+    for ipv6_prefix in selected_ipv6_prefixes:
+            blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ipv6_prefix} -j nixos-fw-refuse\n")
+
+    for ipv4_prefix in selected_ipv4_prefixes:
+            blocked_ips_file.write(f"iptables -I nixos-fw -s {ipv4_prefix} -j nixos-fw-refuse\n")

pkgs/git-show-link/default.nix

@@ -1,13 +1,6 @@
 { pkgs, ... }:
 
-pkgs.writeTextFile {
+pkgs.clerie-build-support.writePythonScript {
   name = "git-show-link";
-  executable = true;
+  text = builtins.readFile ./git-show-link.py;
-  destination = "/bin/git-show-link";
-  allowSubstitutes = true;
-  preferLocalBuild = false;
-  text = ''
-    #!${pkgs.python3.withPackages (ps: with ps; [])}/bin/python3
-    ${builtins.readFile ./git-show-link.py}
-  '';
 }

pkgs/overlay.nix

@@ -1 +1,32 @@
-final: prev: builtins.mapAttrs (name: value: value final prev) (import ./pkgs.nix)
+final: prev: {
+  clerie-backup = final.callPackage ./clerie-backup {};
+  clerie-cleanup-branches = final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
+  clerie-keys = final.callPackage ./clerie-keys {};
+  clerie-ssh-known-hosts = final.callPackage ./clerie-ssh-known-hosts {};
+  clerie-system-remote-install = final.callPackage ./clerie-system-remote-install {};
+  clerie-system-upgrade = final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
+  clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
+  clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
+  clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
+  clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
+  clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
+  chromium-incognito = final.callPackage ./chromium-incognito {};
+  factorio-launcher = final.callPackage ./factorio-launcher {};
+  feeds-dir = final.callPackage ./feeds-dir {};
+  generate-blocked-prefixes = final.callPackage ./generate-blocked-prefixes {};
+  git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
+  git-diff-word = final.callPackage ./git-diff-word {};
+  git-pp = final.callPackage ./git-pp {};
+  git-show-link = final.callPackage ./git-show-link {};
+  nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
+  nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
+  nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
+  nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
+  nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
+  pipewire-all-bluetooth = final.callPackage ./pipewire-all-bluetooth {};
+  print-afra = final.callPackage ./print-afra {};
+  run-with-docker-group = final.callPackage ./run-with-docker-group {};
+  ssh-gpg = final.callPackage ./ssh-gpg {};
+  update-from-hydra = final.callPackage ./update-from-hydra {};
+  uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {};
+}

pkgs/overrides/overlay.nix

@@ -0,0 +1,4 @@
+final: prev: {
+  dino = import ./dino.nix final prev;
+  xmppc = import ./xmppc.nix final prev;
+}

pkgs/pipewire-all-bluetooth/all-bluetooth.conf

@@ -0,0 +1,29 @@
+context.modules = [
+{   name = libpipewire-module-combine-stream
+    args = {
+        combine.mode = sink
+        node.name = "all-bluetooth"
+        node.description = "All Bluetooth devices"
+        combine.latency-compensate = false
+        combine.props = {
+            audio.position = [ FL FR ]
+        }
+        stream.props = {
+        }
+        stream.rules = [
+            {
+                matches = [
+                    {
+                        node.name = "~bluez_output.*"
+                        media.class = "Audio/Sink"
+                    }
+                ]
+                actions = {
+                    create-stream = {
+                    }
+                }
+            }
+        ]
+    }
+}
+]

pkgs/pipewire-all-bluetooth/default.nix

@@ -0,0 +1,9 @@
+{
+runCommand,
+... }:
+
+runCommand "pipewire-all-bluetooth" {} ''
+  mkdir -p $out/share/pipewire/pipewire.conf.d
+
+  cp ${./all-bluetooth.conf} $out/share/pipewire/pipewire.conf.d/all-bluetooth.conf
+''

pkgs/pkgs.nix

@@ -1,32 +0,0 @@
-{
-  clerie-backup = final: prev: final.callPackage ./clerie-backup {};
-  clerie-cleanup-branches = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
-  clerie-keys = final: prev: final.callPackage ./clerie-keys {};
-  clerie-system-remote-install = final: prev: final.callPackage ./clerie-system-remote-install {};
-  clerie-system-upgrade = final: prev: final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
-  clerie-merge-nixfiles-update = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
-  clerie-sops = final: prev: final.callPackage ./clerie-sops/clerie-sops.nix {};
-  clerie-sops-config = final: prev: final.callPackage ./clerie-sops/clerie-sops-config.nix {};
-  clerie-sops-edit = final: prev: final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
-  clerie-update-nixfiles = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
-  chromium-incognito = final: prev: final.callPackage ./chromium-incognito {};
-  factorio-launcher = final: prev: final.callPackage ./factorio-launcher {};
-  feeds-dir = final: prev: final.callPackage ./feeds-dir {};
-  git-checkout-github-pr = final: prev: final.callPackage ./git-checkout-github-pr {};
-  git-diff-word = final: prev: final.callPackage ./git-diff-word {};
-  git-pp = final: prev: final.callPackage ./git-pp {};
-  git-show-link = final: prev: final.callPackage ./git-show-link {};
-  nix-remove-result-links = final: prev: final.callPackage ./nix-remove-result-links {};
-  nixfiles-auto-install = final: prev: final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
-  nixfiles-generate-config = final: prev: final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
-  nixfiles-generate-backup-secrets = final: prev: final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
-  nixfiles-update-ssh-host-keys = final: prev: final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
-  print-afra = final: prev: final.callPackage ./print-afra {};
-  run-with-docker-group = final: prev: final.callPackage ./run-with-docker-group {};
-  ssh-gpg = final: prev: final.callPackage ./ssh-gpg {};
-  update-from-hydra = final: prev: final.callPackage ./update-from-hydra {};
-  uptimestatus = final: prev: final.python3.pkgs.callPackage ./uptimestatus {};
-
-  dino = final: prev: import ./overrides/dino.nix final prev;
-  xmppc = final: prev: import ./overrides/xmppc.nix final prev;
-}

pkgs/uptimestatus/default.nix

@@ -4,6 +4,7 @@
   flask,
   requests,
   python,
+  setuptools,
 }:
 
 let
@@ -19,6 +20,10 @@ let
 in buildPythonPackage rec {
   inherit src pname version;
 
+  pyproject = true;
+
+  build-system = [ setuptools ];
+
   propagatedBuildInputs = [
     flask
     requests

profiles/common-nix/default.nix

@@ -0,0 +1,88 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+
+let
+
+  cfg = config.profiles.clerie.common-nix;
+
+in {
+
+  options.profiles.clerie.common-nix = {
+    enable = mkEnableOption "Common nix config";
+    useClerieNixCache = (mkEnableOption "Use nix cache from clerie") // {
+      default = true;
+    };
+  };
+
+  config = mkIf config.profiles.clerie.common-nix.enable {
+
+    clerie.nixfiles.enable = true;
+
+    clerie.system-auto-upgrade.enable = true;
+
+    nix.settings = {
+      trusted-users = [ "@wheel" "@guests" ];
+      auto-optimise-store = true;
+      # Keep buildtime dependencies
+      keep-outputs = true;
+      # Build local, when caches are broken
+      fallback = true;
+    };
+
+    nix.gc = lib.mkDefault {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+
+
+    nix.settings = {
+      experimental-features = [
+        "flakes"
+        "nix-command"
+      ];
+      substituters = if cfg.useClerieNixCache then [
+        "https://nix-cache.clerie.de"
+      ] else [];
+      trusted-public-keys = if cfg.useClerieNixCache then [
+        "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+      ] else [];
+    };
+
+    # Pin current nixpkgs channel and flake registry to the nixpkgs version
+    # the host got build with
+    nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
+    nix.registry = {
+      "nixpkgs" = lib.mkForce {
+         from = {
+           type = "indirect";
+           id = "nixpkgs";
+         };
+         to = {
+           type = "path";
+           path = lib.cleanSource pkgs.path;
+         };
+         exact = true;
+      };
+      "templates" = {
+         from = {
+           type = "indirect";
+           id = "templates";
+         };
+         to = {
+           type = "git";
+           url = "https://git.clerie.de/clerie/flake-templates.git";
+         };
+      };
+    };
+
+    documentation.doc.enable = false;
+
+    environment.systemPackages = with pkgs; [
+      nix-remove-result-links
+    ];
+
+  };
+
+}

profiles/common-webserver/default.nix

@@ -40,7 +40,12 @@ in {
         log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
                                   '"$request" $status $body_bytes_sent '
                                   '"$http_referer" "$http_user_agent"';
-        access_log /var/log/nginx/access.log vcombined_anon;
+        log_format vcombined_anon_monitoring '$host: $remote_addr_anon - $remote_user [$time_local] '
+                                  '"$request" $status $body_bytes_sent '
+                                  '"$http_referer" "$http_user_agent" '
+                                  '"$server_name" '
+                                  'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
+        access_log /var/log/nginx/access.log vcombined_anon_monitoring;
       '';
 
       virtualHosts = mkIf cfg.httpDefaultVirtualHost {

profiles/common/default.nix

@@ -13,6 +13,7 @@ with lib;
     profiles.clerie.common-dns.enable = mkDefault true;
 
     profiles.clerie.common-networking.enable = mkDefault true;
+    profiles.clerie.common-nix.enable = mkDefault true;
 
     profiles.clerie.common-webserver.enable = mkDefault true;
 

profiles/default.nix

@@ -6,11 +6,14 @@
     ./common
     ./common-dns
     ./common-networking
+    ./common-nix
     ./common-webserver
     ./cybercluster-vm
+    ./desktop
     ./dn42-router
     ./fem-net
     ./firefox
+    ./gpg-ssh
     ./hetzner-cloud
     ./hydra-build-machine
     ./mercury-vm

profiles/desktop/audio.nix

@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.pulseaudio.enable = false;
+
+    security.rtkit.enable = true;
+    services.pipewire = {
+      enable = true;
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+      pulse = {
+        enable = true;
+      };
+      configPackages = [
+        pkgs.pipewire-all-bluetooth
+      ];
+    };
+
+    environment.systemPackages = with pkgs; [
+      helvum # pipewire routing gui
+    ];
+
+  };
+}

profiles/desktop/default.nix

@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.desktop = {
+    enable = mkEnableOption "clerie Desktop Config";
+  };
+
+  imports = [
+    ./audio.nix
+    ./firmware.nix
+    ./fonts.nix
+    ./gnome.nix
+    ./inputs.nix
+    ./networking.nix
+    ./polkit.nix
+    ./power.nix
+    ./printing.nix
+    ./ssh.nix
+    ./xserver.nix
+  ];
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    security.sudo.wheelNeedsPassword = true;
+
+  };
+}

profiles/desktop/firmware.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.fwupd.enable = true;
+
+  };
+
+}

profiles/desktop/fonts.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    fonts.enableDefaultPackages = true;
+    fonts.packages = with pkgs; [
+      roboto
+      roboto-mono
+      noto-fonts
+      noto-fonts-emoji
+      comfortaa
+    ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
+
+  };
+
+}

profiles/desktop/gnome.nix

@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.gnome = {
+      localsearch.enable = false;
+      tinysparql.enable = false;
+    };
+
+    environment.gnome.excludePackages = with pkgs; [
+      baobab
+      epiphany
+      gnome-calendar
+      gnome-clocks
+      gnome-console
+      gnome-contacts
+      gnome-logs
+      gnome-maps
+      gnome-music
+      gnome-tour
+      gnome-photos
+      gnome-weather
+      gnome-connections
+      simple-scan
+      yelp
+      geary
+    ];
+
+    environment.systemPackages = with pkgs; [
+      evolution
+      gnome-terminal
+      gnome-tweaks
+    ];
+
+    services.gnome.evolution-data-server.enable = true;
+
+    programs.dconf.profiles = {
+      user.databases = [
+        {
+          settings = {
+            "org/gnome/desktop/calendar" = {
+              show-weekdate = true;
+            };
+            "org/gnome/desktop/interface" = {
+              enable-hot-corners = false;
+              show-battery-percentage = true;
+            };
+            "org/gnome/desktop/notifications" = {
+              show-in-lock-screen = false;
+            };
+            "org/gnome/desktop/sound" = {
+              event-sounds = false;
+            };
+            "org/gnome/gnome-system-monitor" = {
+              network-in-bits = true;
+              network-total-in-bits = true;
+            };
+          };
+        }
+      ];
+    };
+
+  };
+
+}

profiles/desktop/inputs.nix

@@ -0,0 +1,51 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    programs.dconf.profiles = {
+      user.databases = [
+        {
+          settings = {
+            "org/gnome/desktop/peripherals/touchpad" = {
+              disable-while-typing = false;
+              edge-scrolling-enabled = false;
+              natural-scroll = true;
+              tap-to-click = true;
+              two-finger-scrolling-enabled = true;
+            };
+            "org/gnome/settings-daemon/plugins/media-keys" = {
+              custom-keybindings = [
+                "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
+              ];
+              mic-mute = [ "<Control>Print" ];
+            };
+            "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
+              name = "Terminal";
+              binding = "<Primary><Alt>t";
+              command = "gnome-terminal";
+            };
+          };
+        }
+      ];
+      gdm.databases = [
+        {
+          settings = {
+            "org/gnome/desktop/peripherals/touchpad" = {
+              disable-while-typing = false;
+              edge-scrolling-enabled = false;
+              natural-scroll = true;
+              tap-to-click = true;
+              two-finger-scrolling-enabled = true;
+            };
+          };
+        }
+      ];
+    };
+
+  };
+
+}

profiles/desktop/networking.nix

@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    networking.networkmanager.settings = {
+      connectivity = {
+        uri = "http://ping.clerie.de/nm-check.txt";
+      };
+      global-dns = {
+        searches = "net.clerie.de";
+      };
+    };
+
+  };
+
+}

profiles/desktop/polkit.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    security.polkit.enable = true;
+
+  };
+
+}

profiles/desktop/power.nix

@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
+    services.logind = {
+      lidSwitch = "suspend-then-hibernate";
+    };
+    systemd.sleep.extraConfig = ''
+      HibernateDelaySec=30m
+    '';
+
+    services.upower = {
+      percentageLow = 20;
+      percentageCritical = 10;
+      percentageAction = 8;
+    };
+
+    programs.dconf.profiles = {
+      user.databases = [
+        {
+          settings = {
+            "org/gnome/settings-daemon/plugins/power" = {
+              power-button-action = "hibernate";
+              power-saver-profile-on-low-battery = false;
+              sleep-inactive-ac-type = "nothing";
+            };
+          };
+        }
+      ];
+      gdm.databases = [
+        {
+          settings = {
+            "org/gnome/settings-daemon/plugins/power" = {
+              power-button-action = "hibernate";
+              power-saver-profile-on-low-battery = false;
+              sleep-inactive-ac-type = "nothing";
+            };
+          };
+        }
+      ];
+    };
+
+  };
+
+}

profiles/desktop/printing.nix

@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.printing.enable = true;
+    services.avahi.enable = true;
+    services.avahi.nssmdns4 = true;
+
+  };
+}

profiles/desktop/ssh.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    profiles.clerie.gpg-ssh.enable = true;
+
+    programs.gnupg.agent = {
+      pinentryPackage = pkgs.pinentry-gtk2;
+    };
+
+    # Do not disable ssh-agent of gnome-keyring, because
+    # gnupg ssh-agent can't handle normal SSH keys properly
+    /*
+    # Disable ssh-agent of gnome-keyring
+    nixpkgs.overlays = [
+      (final: prev: {
+        gnome = prev.gnome // {
+          gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
+            mkdir -p $out
+
+            # Symlink all gnome-keyring binaries
+            ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
+
+            # Disable autostart for ssh
+            rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+            cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+            echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+          '';
+        };
+      })
+    ];
+    */
+
+  };
+}

profiles/desktop/xserver.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  config = mkIf config.profiles.clerie.desktop.enable {
+
+    services.xserver.enable = true;
+    services.displayManager.gdm.enable = true;
+    services.desktopManager.gnome.enable = true;
+
+    services.xserver.excludePackages = with pkgs; [
+      xterm
+    ];
+
+  };
+}

profiles/gpg-ssh/default.nix

@@ -0,0 +1,64 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+let
+
+  cfg = config.profiles.clerie.gpg-ssh;
+
+  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
+    configureFlags = prev.configureFlags ++ [
+      # Make sure scdaemon never ever again tries to use its own ccid driver
+      "--disable-ccid-driver"
+    ];
+  });
+
+in {
+
+  options.profiles.clerie.gpg-ssh = {
+    enable = mkEnableOption "SSH integration for GPG";
+  };
+
+  config = mkIf config.profiles.clerie.gpg-ssh.enable {
+
+    programs.gnupg.package = custom_gnupg;
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+      pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
+    };
+
+    environment.systemPackages = with pkgs; [
+      custom_gnupg
+      yubikey-personalization
+      openpgp-card-tools
+
+      # Add wrapper around ssh that takes the gnupg ssh-agent
+      # instead of gnome-keyring
+      ssh-gpg
+    ];
+
+    services.pcscd.enable = true;
+
+    # pcscd sometimes breaks and seem to need a manual restart
+    # so we allow users to restart that service themself
+    security.polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+          if (
+              action.id == "org.freedesktop.systemd1.manage-units"
+              && action.lookup("unit") == "pcscd.service"
+              && action.lookup("verb") == "restart"
+              && subject.isInGroup("users")
+          ) {
+              return polkit.Result.YES;
+          }
+      });
+    '';
+
+    services.udev.packages = with pkgs; [
+      yubikey-personalization
+    ];
+
+  };
+
+}