Update nixpkgs 2024-09-12-01-03

configuration/common/default.nix

@@ -9,6 +9,7 @@
     ./nix.nix
     ./programs.nix
     ./ssh.nix
+    ./systemd.nix
     ./user.nix
     ./web.nix
   ];

configuration/common/nix.nix

@@ -39,8 +39,8 @@
   # Pin current nixpkgs channel and flake registry to the nixpkgs version
   # the host got build with
   nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
-  nix.registry = lib.mkForce {
+  nix.registry = {
-    "nixpkgs" = {
+    "nixpkgs" = lib.mkForce {
        from = {
          type = "indirect";
          id = "nixpkgs";

configuration/common/systemd.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+
+  services.journald.extraConfig = ''
+    MaxRetentionSec=7days
+  '';
+
+}

configuration/desktop/fonts.nix

@@ -9,5 +9,6 @@
     noto-fonts
     noto-fonts-cjk
     noto-fonts-emoji
+    comfortaa
   ];
 }

configuration/desktop/gnome.nix

@@ -6,23 +6,23 @@
     tracker.enable = false;
   };
 
-  environment.gnome.excludePackages = with pkgs.gnome; [
+  environment.gnome.excludePackages = with pkgs; [
-    pkgs.baobab
+    baobab
-    pkgs.epiphany
+    epiphany
-    pkgs.gnome-calendar
+    gnome-calendar
     gnome-clocks
-    pkgs.gnome-console
+    gnome-console
     gnome-contacts
     gnome-logs
     gnome-maps
     gnome-music
-    pkgs.gnome-tour
+    gnome-tour
-    pkgs.gnome-photos
+    gnome-photos
     gnome-weather
-    pkgs.gnome-connections
+    gnome-connections
-    pkgs.simple-scan
+    simple-scan
-    pkgs.yelp
+    yelp
-    pkgs.geary
+    geary
   ];
 
   environment.systemPackages = with pkgs; [

configuration/gpg-ssh/default.nix

@@ -11,6 +11,7 @@
   environment.systemPackages = with pkgs; [
     gnupg
     yubikey-personalization
+    openpgp-card-tools
 
     # Add wrapper around ssh that takes the gnupg ssh-agent
     # instead of gnome-keyring

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720989581,
+        "lastModified": 1721567085,
-        "narHash": "sha256-Mm4FU9Kh5C/vfTDGLpxcR24fXgSdcZXlmZfIoM1wjcg=",
+        "narHash": "sha256-CxWzsNy2dy4zvn2Wi91C/PF+Wyxi3JLOPudc5FoZrhg=",
         "ref": "refs/heads/main",
-        "rev": "49e8db169c74ae7238b9eeba2a51b277dad9a1bf",
+        "rev": "0c3142cc8f6396fce7cb4c5fe14137d831315986",
-        "revCount": 4,
+        "revCount": 11,
         "type": "git",
         "url": "https://git.clerie.de/clerie/berlinerbaeder-exporter.git"
       },
@@ -27,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712512137,
+        "lastModified": 1724513039,
-        "narHash": "sha256-crxzFc3lc/ViHYVK+IKmIbifxF6zyHgSwhBKd0lLgWE=",
+        "narHash": "sha256-YdBuRgXEU9CcxPd2EjuvDKcfgxL1kk9Gv8nFVVjIros=",
         "ref": "refs/heads/main",
-        "rev": "221052d8465f0a4437cb8cae3cc9998c87e88f68",
+        "rev": "202f4a1a5791c74a9b7d69a4e63e631bdbe36ba6",
-        "revCount": 2,
+        "revCount": 4,
         "type": "git",
         "url": "https://git.clerie.de/clerie/bij.git"
       },
@@ -288,11 +288,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1720957393,
+        "lastModified": 1725983898,
-        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
+        "narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
+        "rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
         "type": "github"
       },
       "original": {
@@ -302,6 +302,26 @@
         "type": "github"
       }
     },
+    "nurausstieg": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722174167,
+        "narHash": "sha256-u9ef1BNaXHEnuQEFgqqBLEVZqd5T/sqRBysN71gFOKg=",
+        "ref": "refs/heads/main",
+        "rev": "7f2e0febf3a430e4ba4f6cf1cf1c5ca10c5dd04d",
+        "revCount": 20,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nurausstieg.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nurausstieg.git"
+      }
+    },
     "root": {
       "inputs": {
         "berlinerbaeder-exporter": "berlinerbaeder-exporter",
@@ -313,6 +333,7 @@
         "nixos-exporter": "nixos-exporter",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_3",
+        "nurausstieg": "nurausstieg",
         "solid-xmpp-alarm": "solid-xmpp-alarm",
         "sops-nix": "sops-nix",
         "ssh-to-age": "ssh-to-age"

flake.nix

@@ -27,6 +27,10 @@
       url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nurausstieg = {
+      url = "git+https://git.clerie.de/clerie/nurausstieg.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     solid-xmpp-alarm = {
       url = "git+https://git.clerie.de/clerie/solid-xmpp-alarm.git";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -119,6 +123,7 @@
         clerie-sops-edit
         chromium-incognito
         git-checkout-github-pr
+        git-diff-word
         iot-data
         nix-remove-result-links
         nixfiles-auto-install
@@ -126,6 +131,7 @@
         nixfiles-generate-backup-secrets
         nixfiles-update-ssh-host-keys
         print-afra
+        run-with-docker-group
         ssh-gpg
         update-from-hydra
         uptimestatus;

flake/overlay.nix

@@ -3,6 +3,7 @@
 , bij
 , chaosevents
 , harmonia
+, nurausstieg
 , ssh-to-age
 , ...
 }@inputs:
@@ -16,6 +17,8 @@ final: prev: {
   harmonia = harmonia.packages.${final.system}.harmonia.override {
     nixForHarmonia = final.nixVersions.nix_2_21;
   };
+  inherit (nurausstieg.packages.${final.system})
+    nurausstieg;
   inherit (ssh-to-age.packages.${final.system})
     ssh-to-age;
 }

hosts/carbon/configuration.nix

@@ -10,9 +10,13 @@
       ./net-dsl.nix
       ./net-gastnetz.nix
       ./net-heimnetz.nix
+      ./net-iot.nix
       ./net-lte.nix
+      ./net-mgmt.nix
       ./net-voip.nix
+      ./ntp.nix
       ./ppp.nix
+      ./wg-clerie.nix
     ];
 
   boot.kernelParams = [ "console=ttyS0,115200n8" ];
@@ -52,6 +56,22 @@
     };
   };
 
+  systemd.services.kea-dhcp4-server = {
+    after = [
+      "network-setup.service"
+    ];
+    requires = [
+      "network-setup.service"
+    ];
+  };
+
+  systemd.services."system-reboot" = {
+    script = ''
+      ${pkgs.systemd}/bin/reboot
+    '';
+    startAt = "*-*-* 1/3:13:14";
+  };
+
   clerie.firewall.enable = true;
 
   clerie.monitoring = {

hosts/carbon/net-gastnetz.nix

@@ -7,18 +7,23 @@
     id = 202;
     interface = "enp1s0";
   };
-  networking.interfaces."enp1s0.202".ipv6.addresses = [
+  networking.bridges."net-gastnetz".interfaces = [
-    { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
+    "enp1s0.202"
-    { address = "2001:4cd8:100:1313::1"; prefixLength = 64; } # public IPs for local network
   ];
-  networking.interfaces."enp1s0.202".ipv4.addresses = [
+  networking.interfaces."net-gastnetz".ipv6.addresses = [
+    { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-gastnetz".ipv4.addresses = [
     { address = "192.168.32.1"; prefixLength = 24; }
   ];
 
   services.radvd.config = ''
-    interface enp1s0.202 {
+    interface net-gastnetz {
       AdvSendAdvert on;
-      prefix 2001:4cd8:100:1313::/64 {};
+      prefix ::/64 {
+        AdvValidLifetime 60;
+        AdvPreferredLifetime 30;
+      };
       RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
     };
   '';
@@ -26,7 +31,7 @@
   services.kea.dhcp4 = {
     settings = {
       interfaces-config = {
-        interfaces = [ "enp1s0.202" ];
+        interfaces = [ "net-gastnetz" ];
       };
       subnet4 = [
         # Gastnetz
@@ -55,9 +60,9 @@
 
   # net-gastnetz can only access internet
   clerie.firewall.extraForwardFilterCommands = ''
-    ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT
+    ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT
-    ip46tables -A forward-filter -i enp1s0.202 -j DROP
+    ip46tables -A forward-filter -i net-gastnetz -j DROP
-    ip46tables -A forward-filter -o enp1s0.202 -j DROP
+    ip46tables -A forward-filter -o net-gastnetz -j DROP
   '';
 
 }

hosts/carbon/net-heimnetz.nix

@@ -14,7 +14,6 @@
   networking.interfaces."net-heimnetz".ipv6.addresses = [
     { address = "fe80::1"; prefixLength = 64; }
     { address = "fd00:152:152:4::1"; prefixLength = 64; }
-    { address = "2001:4cd8:100:1337::1"; prefixLength = 64; } # public IPs for local network
   ];
   networking.interfaces."net-heimnetz".ipv4.addresses = [
     { address = "10.152.4.1"; prefixLength = 24; }
@@ -23,7 +22,10 @@
   services.radvd.config = ''
     interface net-heimnetz {
       AdvSendAdvert on;
-      prefix 2001:4cd8:100:1337::/64 {};
+      prefix ::/64 {
+        AdvValidLifetime 60;
+        AdvPreferredLifetime 30;
+      };
       RDNSS fd00:152:152::1 {};
       DNSSL net.clerie.de {};
     };

hosts/carbon/net-iot.nix

@@ -0,0 +1,79 @@
+{ ... }:
+
+{
+
+  networking.vlans."enp1s0.205" = {
+    id = 205;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-iot".interfaces = [
+    "enp1s0.205"
+  ];
+  networking.interfaces."net-iot".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:205::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-iot".ipv4.addresses = [
+    { address = "10.152.205.1"; prefixLength = 24; }
+  ];
+
+  # Enable NTP
+  networking.firewall.interfaces."net-iot".allowedUDPPorts = [ 123 ];
+
+  services.radvd.config = ''
+    interface net-iot {
+      AdvSendAdvert on;
+      prefix ::/64 {
+        AdvValidLifetime 60;
+        AdvPreferredLifetime 30;
+      };
+      RDNSS fd00:152:152::1 {};
+      DNSSL iot.clerie.de {};
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-iot" ];
+      };
+      subnet4 = [
+        {
+          id = 205;
+          subnet = "10.152.205.0/24";
+          pools = [
+            {
+              pool = "10.152.205.100 - 10.152.205.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.205.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "10.152.0.1";
+            }
+            {
+              name = "domain-name";
+              data = "iot.clerie.de";
+            }
+            {
+              name = "time-servers";
+              data = "10.152.0.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to IOT devices
+    ip46tables -A forward-filter -i net-heimnetz -o net-iot -j ACCEPT
+    ip46tables -A forward-filter -i net-iot -j DROP
+    ip46tables -A forward-filter -o net-iot -j DROP
+  '';
+
+}

hosts/carbon/net-mgmt.nix

@@ -0,0 +1,62 @@
+{ ... }:
+
+{
+
+  networking.vlans."enp1s0.203" = {
+    id = 203;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-mgmt".interfaces = [
+    "enp1s0.203"
+  ];
+  networking.interfaces."net-mgmt".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:203::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-mgmt".ipv4.addresses = [
+    { address = "10.152.203.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface net-mgmt {
+      AdvSendAdvert on;
+      prefix ::/64 {
+        AdvValidLifetime 60;
+        AdvPreferredLifetime 30;
+      };
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-mgmt" ];
+      };
+      subnet4 = [
+        {
+          id = 203;
+          subnet = "10.152.203.0/24";
+          pools = [
+            {
+              pool = "10.152.203.100 - 10.152.203.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.203.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to MGMT network
+    ip46tables -A forward-filter -i net-heimnetz -o net-mgmt -j ACCEPT
+    ip46tables -A forward-filter -i net-mgmt -j DROP
+    ip46tables -A forward-filter -o net-mgmt -j DROP
+  '';
+
+}

hosts/carbon/ntp.nix

@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+
+  services.chrony = {
+    enable = true;
+    extraConfig = ''
+      # Enable NTP server mode
+      allow
+      bindaddress fd00:152:152::1
+      bindaddress 10.152.0.1
+    '';
+  };
+
+}

hosts/carbon/ppp.nix

@@ -15,7 +15,7 @@
         noipdefault
         lcp-echo-interval 20
         lcp-echo-failure 3
-        mtu 14592
+        mtu 1492
         hide-password
         defaultroute
         +ipv6
@@ -57,4 +57,28 @@
     ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
   '';
 
+  networking.dhcpcd-prefixdelegation = {
+    enable = true;
+    interfaces = {
+      "ppp-dtagdsl" = {
+        iaid = 1;
+        interfaces = {
+          "net-heimnetz" = {
+            sla_id = 201;
+            prefix_len = 64;
+          };
+        };
+      };
+    };
+  };
+
+  environment.etc."ppp/ipv6-up" = {
+    text = ''
+      #!${pkgs.runtimeShell}
+
+      set -euo pipefail
+
+      ${pkgs.dhcpcd}/bin/dhcpcd --renew $1
+    '';
+  };
 }

hosts/carbon/secrets.json

@@ -2,6 +2,7 @@
 	"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
 	"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
 	"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
+	"wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -13,8 +14,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-07-13T21:56:57Z",
+		"lastmodified": "2024-08-13T14:06:43Z",
-		"mac": "ENC[AES256_GCM,data:/jZ/aIQUxYrF0deBTJOyc009yPKfshiYnAB2GR5SRTi00Ls5efKzhjDJaEWvAkgBTFz5/a8fy2k+vXEDsDlrgcgWqMS8/Az5LRf9RWUBWkerDyoBJ2UZRdt7UVPfkN8ObKQpfFqxhzkm4zio+MwSbqSMZil6fGaxz6lyUkwaphg=,iv:KStinEtV1DTaEl0ebMEw8lSMvrE5rtxqfTbzssC9oGY=,tag:YOr8T3wqqxyv0mpO1wMDEg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:yGKY0fi3KQWGHBeyNtQ8EJ6561dKRZ5aAjO9zq3odDtX75i2RSjORIlNjBsVvegBzeo8AkwwnzxNPt2sHl6MKDZfEsysWAi8Wolh4UvHk087AnR/uKvtG6t4uUaNIWej2DEzxUtTQ8QP1afsdqGCf0vZVruNcJ4u2xiQbN2vJPc=,iv:CDXJ5/P+h0Enq/0EL1su1Mw55FVYLy4XPSoUCkRkt+U=,tag:AvRfEDYMBunyIQIVCPbXag==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:05:56Z",

hosts/carbon/wg-clerie.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  services.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ];
+    ipv4s = [ "10.20.30.111/32" ];
+  };
+}

hosts/gatekeeper/configuration.nix

@@ -109,6 +109,11 @@
           allowedIPs = [ "2a01:4f8:c0c:15f1::8110/128" "10.20.30.110/32" ];
           publicKey = "kn6ZtViagKGSyfQJQW6csQE/5r7uKlbC1rbInlQ33xs=";
         }
+        {
+          # carbon
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8111/128" "10.20.30.111/32" ];
+          publicKey = "o6qxGKIoW2ZSFhXeNRXd4G9BRFeYyjZsrUPulB3KhTI=";
+        }
       ];
       listenPort = 51820;
       allowedIPsAsRoutes = false;

hosts/krypton/android.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+
+  services.udev.packages = [
+    pkgs.android-udev-rules
+  ];
+
+}

hosts/krypton/configuration.nix

@@ -7,6 +7,7 @@
 
       ../../configuration/desktop
 
+      ./android.nix
       ./backup.nix
       #./initrd.nix
       ./network.nix

hosts/krypton/programs.nix

@@ -19,6 +19,7 @@
     onlyoffice-bin
 
     krita
+    inkscape
 
     wireshark
     tcpdump

hosts/monitoring-3/grafana.nix

@@ -7,7 +7,7 @@
         domain = "grafana.monitoring.clerie.de";
         root_url = "https://grafana.monitoring.clerie.de";
         http_port = 3001;
-        http_addr = "[::1]";
+        http_addr = "::1";
       };
       "auth.anonymous" = {
         enabled = true;

hosts/web-2/configuration.nix

@@ -20,6 +20,7 @@
       ./mitel-ommclient2.nix
       ./nix-install.nix
       ./nogo2024.nix
+      ./nurausstieg.nix
       ./ping.nix
       ./public.nix
       ./radicale.nix

hosts/web-2/gitea.nix

@@ -15,7 +15,7 @@
     lfs.enable = true;
     settings = {
       log = {
-        LEVEL = "Info";
+        LEVEL = "Warn";
       };
       database = {
         CHARSET = "utf8";
@@ -28,7 +28,7 @@
       server = {
         ROOT_URL = "https://git.clerie.de/";
         DOMAIN = "git.clerie.de";
-        HTTP_ADDRESS = "127.0.0.1";
+        HTTP_ADDRESS = "::1";
         HTTP_PORT = 3000;
         OFFLINE_MODE = true;
         LANDING_PAGE = "explore";
@@ -80,7 +80,7 @@
       forceSSL = true;
       locations = {
         "/" = {
-          proxyPass = "http://localhost:3000";
+          proxyPass = "http://[::1]:3000";
         };
       };
       extraConfig = ''

hosts/web-2/nurausstieg.nix

@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+
+{
+
+  systemd.tmpfiles.rules = [
+    "d /var/cache/nginx/nurausstieg - nginx nginx - -"
+  ];
+
+  services.nginx = {
+    commonHttpConfig = ''
+      proxy_cache_path /var/cache/nginx/nurausstieg levels=1:2 use_temp_path=off keys_zone=nurausstieg:1m max_size=10m;
+    '';
+
+    virtualHosts."nurausstieg.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://[::1]:44384";
+        extraConfig = ''
+          proxy_cache nurausstieg;
+          # Ignore upstream cache hints
+          proxy_ignore_headers Cache-Control;
+          # Force cache 200 and 500 responses for one minute
+          proxy_cache_valid 200 500 1m;
+          # Only do a single fetch for missing entries and let other sessions wait
+          proxy_cache_lock on;
+        '';
+      };
+    };
+  };
+
+  systemd.services.nurausstieg = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      DynamicUser = true;
+    };
+    path = with pkgs; [ nurausstieg ];
+    script = "nurausstieg --listen [::1]:44384";
+  };
+
+}

modules/default.nix

@@ -8,6 +8,7 @@
     ./clerie-firewall
     ./clerie-gc-dir
     ./clerie-system-upgrade
+    ./dhcpcd-prefixdelegation
     ./minecraft-server
     ./monitoring
     ./nginx-port-forward

modules/dhcpcd-prefixdelegation/default.nix

@@ -0,0 +1,144 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.networking.dhcpcd-prefixdelegation;
+
+  downstreamInterfaceConfig = name: opts: "${name}${
+    optionalString (opts.sla_id != null) "/${builtins.toString opts.sla_id}${
+      optionalString (opts.prefix_len != null) "/${builtins.toString opts.prefix_len}${
+        optionalString (opts.suffix != null) "/${opts.suffix}"
+      }"
+    }"
+  }";
+
+  interfaceConfig = name: opts: ''
+    interface ${name}
+      ipv6rs
+      ia_pd ${builtins.toString opts.iaid}${
+        optionalString (opts.prefix != null) "/${opts.prefix}${
+          optionalString (opts.prefix_len != null) "/${builtins.toString opts.prefix_len}"
+        }"
+      } ${concatMapStringsSep " " ({name, value}: downstreamInterfaceConfig name value) (attrsToList opts.interfaces)}
+  '';
+
+
+  dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
+    duid
+    noipv6rs
+    waitip 6
+    ipv6only
+
+    allowinterfaces ${concatStringsSep " " (builtins.attrNames cfg.interfaces)} ${concatMapStringsSep " " ({name, value}: concatStringsSep "" (builtins.attrNames value.interfaces)) (attrsToList cfg.interfaces)}
+
+    ${concatMapStringsSep "\n" ({name, value}: interfaceConfig name value) (attrsToList cfg.interfaces)}
+  '';
+
+  downstreamInterfaceOpts = { ... }: {
+    options = {
+      sla_id = mkOption {
+        type = with types; nullOr ints.unsigned;
+        default = null;
+      };
+
+      prefix_len = mkOption {
+        type = with types; nullOr ints.unsigned;
+        default = null;
+      };
+
+      suffix = mkOption {
+        type = with types; nullOr str;
+        default = null;
+      };
+    };
+  };
+
+  interfaceOpts = { ... }: {
+    options = {
+      iaid = mkOption {
+        type = with types; ints.unsigned;
+        description = ''
+          Request a delegated prefix with this IAID on this interface
+        '';
+      };
+
+      prefix = mkOption {
+        type = with types; nullOr str;
+        default = null;
+      };
+
+      prefix_len = mkOption {
+        type = with types; nullOr ints.unsigned;
+        default = null;
+      };
+
+      interfaces = mkOption {
+        type = with types; attrsOf (submodule downstreamInterfaceOpts);
+        default = {};
+        description =''
+          Interfaces to assign IPv6 prefixes to
+        '';
+      };
+    };
+  };
+
+in
+
+{
+
+  options = {
+
+    networking.dhcpcd-prefixdelegation = {
+      enable = mkEnableOption "dhcpcd for prefixdelegation";
+
+      interfaces = mkOption {
+        type = with types; attrsOf (submodule interfaceOpts);
+        default = {};
+        description = ''
+          Interfaces to request IPv6 prefixes from
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    environment.etc."dhcpcd.conf".source = dhcpcdConf;
+
+    systemd.services.dhcpcd-prefixdelegation = {
+        description = "DHCP Client for IPv6 Prefix Delegation";
+
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "network.target" ];
+        before = [ "network-online.target" ];
+
+        # Stopping dhcpcd during a reconfiguration is undesirable
+        # because it brings down the network interfaces configured by
+        # dhcpcd.  So do a "systemctl restart" instead.
+        stopIfChanged = false;
+
+        path = [ pkgs.dhcpcd ];
+
+        unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
+        serviceConfig =
+          { Type = "forking";
+            PIDFile = "/run/dhcpcd/pid";
+            RuntimeDirectory = "dhcpcd";
+            ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd --quiet --config ${dhcpcdConf}";
+            ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind";
+            Restart = "always";
+          };
+      };
+
+    users.users.dhcpcd = {
+      isSystemUser = true;
+      group = "dhcpcd";
+    };
+    users.groups.dhcpcd = {};
+
+  };
+
+}

pkgs/git-diff-word/default.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "git-diff-word";
+  text = builtins.readFile ./git-diff-word.sh;
+  runtimeInputs = with pkgs; [
+    git
+  ];
+}

pkgs/git-diff-word/git-diff-word.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+git diff --word-diff=color --word-diff-regex="." "$@"

pkgs/overlay.nix

@@ -8,6 +8,7 @@ final: prev: {
   clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
   chromium-incognito = final.callPackage ./chromium-incognito {};
   git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
+  git-diff-word = final.callPackage ./git-diff-word {};
   iot-data = final.python3.pkgs.callPackage ./iot-data {};
   nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
   nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
@@ -15,6 +16,7 @@ final: prev: {
   nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
   nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
   print-afra = final.callPackage ./print-afra {};
+  run-with-docker-group = final.callPackage ./run-with-docker-group {};
   ssh-gpg = final.callPackage ./ssh-gpg {};
   update-from-hydra = final.callPackage ./update-from-hydra {};
   uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {};

pkgs/run-with-docker-group/default.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "run-with-docker-group";
+  text = builtins.readFile ./run-with-docker-group.sh;
+}

pkgs/run-with-docker-group/run-with-docker-group.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ $# -eq 0 ]]; then
+	set -- "${SHELL}"
+fi
+
+exec systemd-run \
+	"--property=User=$(id -un)" \
+	"--property=SupplementaryGroups=docker" \
+	"--pty" "--same-dir" "--wait" "--collect" "--service-type=exec" \
+	"--quiet" \
+	"$@"