Merge branch 'migrate-to-lix'

Advertise current prefixes more often than claimed addresses expire.
Also increased lifetimes for claimed addresses.

configuration/common/default.nix

@@ -9,6 +9,7 @@
     ./nix.nix
     ./programs.nix
     ./ssh.nix
+    ./systemd.nix
     ./user.nix
     ./web.nix
   ];

configuration/common/nix.nix

@@ -26,7 +26,6 @@
     experimental-features = [
       "flakes"
       "nix-command"
-      "repl-flake"
     ];
     substituters = [
       "https://nix-cache.clerie.de"
@@ -39,8 +38,8 @@
   # Pin current nixpkgs channel and flake registry to the nixpkgs version
   # the host got build with
   nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
-  nix.registry = lib.mkForce {
-    "nixpkgs" = {
+  nix.registry = {
+    "nixpkgs" = lib.mkForce {
        from = {
          type = "indirect";
          id = "nixpkgs";

configuration/common/systemd.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+
+  services.journald.extraConfig = ''
+    MaxRetentionSec=7days
+  '';
+
+}

configuration/desktop/fonts.nix

@@ -7,7 +7,7 @@
     roboto
     roboto-mono
     noto-fonts
-    noto-fonts-cjk
     noto-fonts-emoji
-  ];
+    comfortaa
+  ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
 }

configuration/desktop/gnome.nix

@@ -6,23 +6,23 @@
     tracker.enable = false;
   };
 
-  environment.gnome.excludePackages = with pkgs.gnome; [
-    pkgs.baobab
-    pkgs.epiphany
-    pkgs.gnome-calendar
+  environment.gnome.excludePackages = with pkgs; [
+    baobab
+    epiphany
+    gnome-calendar
     gnome-clocks
-    pkgs.gnome-console
+    gnome-console
     gnome-contacts
     gnome-logs
     gnome-maps
     gnome-music
-    pkgs.gnome-tour
-    pkgs.gnome-photos
+    gnome-tour
+    gnome-photos
     gnome-weather
-    pkgs.gnome-connections
-    pkgs.simple-scan
-    pkgs.yelp
-    pkgs.geary
+    gnome-connections
+    simple-scan
+    yelp
+    geary
   ];
 
   environment.systemPackages = with pkgs; [

configuration/desktop/inputs.nix

@@ -16,6 +16,7 @@
             custom-keybindings = [
               "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
             ];
+            mic-mute = [ "<Control>Print" ];
           };
           "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
             name = "Terminal";

configuration/desktop/power.nix

@@ -9,6 +9,12 @@
     HibernateDelaySec=30m
   '';
 
+  services.upower = {
+    percentageLow = 20;
+    percentageCritical = 10;
+    percentageAction = 8;
+  };
+
   programs.dconf.profiles = {
     user.databases = [
       {

configuration/gpg-ssh/default.nix

@@ -1,7 +1,17 @@
 { pkgs, lib, ... }:
 
-{
+let
 
+  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
+    configureFlags = prev.configureFlags ++ [
+      # Make sure scdaemon never ever again tries to use its own ccid driver
+      "--disable-ccid-driver"
+    ];
+  });
+
+in {
+
+  programs.gnupg.package = custom_gnupg;
   programs.gnupg.agent = {
     enable = true;
     enableSSHSupport = true;
@@ -9,8 +19,9 @@
   };
 
   environment.systemPackages = with pkgs; [
-    gnupg
+    custom_gnupg
     yubikey-personalization
+    openpgp-card-tools
 
     # Add wrapper around ssh that takes the gnupg ssh-agent
     # instead of gnome-keyring

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720989581,
-        "narHash": "sha256-Mm4FU9Kh5C/vfTDGLpxcR24fXgSdcZXlmZfIoM1wjcg=",
+        "lastModified": 1721567085,
+        "narHash": "sha256-CxWzsNy2dy4zvn2Wi91C/PF+Wyxi3JLOPudc5FoZrhg=",
         "ref": "refs/heads/main",
-        "rev": "49e8db169c74ae7238b9eeba2a51b277dad9a1bf",
-        "revCount": 4,
+        "rev": "0c3142cc8f6396fce7cb4c5fe14137d831315986",
+        "revCount": 11,
         "type": "git",
         "url": "https://git.clerie.de/clerie/berlinerbaeder-exporter.git"
       },
@@ -27,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712512137,
-        "narHash": "sha256-crxzFc3lc/ViHYVK+IKmIbifxF6zyHgSwhBKd0lLgWE=",
+        "lastModified": 1724513039,
+        "narHash": "sha256-YdBuRgXEU9CcxPd2EjuvDKcfgxL1kk9Gv8nFVVjIros=",
         "ref": "refs/heads/main",
-        "rev": "221052d8465f0a4437cb8cae3cc9998c87e88f68",
-        "revCount": 2,
+        "rev": "202f4a1a5791c74a9b7d69a4e63e631bdbe36ba6",
+        "revCount": 4,
         "type": "git",
         "url": "https://git.clerie.de/clerie/bij.git"
       },
@@ -98,6 +98,22 @@
         "url": "https://git.clerie.de/clerie/fieldpoc.git"
       }
     },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -120,6 +136,28 @@
       }
     },
     "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "hydra",
+          "nix-eval-jobs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_3": {
       "inputs": {
         "nixpkgs-lib": [
           "ssh-to-age",
@@ -158,6 +196,39 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flakey-profile": {
+      "locked": {
+        "lastModified": 1712898590,
+        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "type": "github"
+      }
+    },
     "harmonia": {
       "inputs": {
         "flake-parts": "flake-parts",
@@ -167,20 +238,105 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1716301230,
-        "narHash": "sha256-olEXRstmP0lf0H11ht6j3co7mNwcDEXTm+eGfwdEJzM=",
-        "owner": "clerie",
+        "lastModified": 1727121740,
+        "narHash": "sha256-72nDVSvUfZsLa2HbyricOpA0Eb8gxs/VST25b6DNBpM=",
+        "owner": "nix-community",
         "repo": "harmonia",
-        "rev": "e99509779ce6d6ed46062ac556b71f6ca1eb59ad",
+        "rev": "ff44006a30f93ac40d76c786e15149d901946c2b",
         "type": "github"
       },
       "original": {
-        "owner": "clerie",
-        "ref": "clerie/multiple-signing-keys",
+        "owner": "nix-community",
+        "ref": "harmonia-v1.0.2",
         "repo": "harmonia",
         "type": "github"
       }
     },
+    "hydra": {
+      "inputs": {
+        "lix": "lix",
+        "nix-eval-jobs": "nix-eval-jobs",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733503045,
+        "narHash": "sha256-VoMam8Zzbk+X6dIYwH2f9NqItL6g9YDhQvGybzSl8xQ=",
+        "ref": "refs/heads/main",
+        "rev": "eccf01d4fef67f87b6383f96c73781bd08b686ac",
+        "revCount": 4230,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/hydra.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/hydra.git"
+      }
+    },
+    "lix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nix2container": "nix2container",
+        "nixpkgs": [
+          "hydra",
+          "nixpkgs"
+        ],
+        "nixpkgs-regression": "nixpkgs-regression",
+        "pre-commit-hooks": "pre-commit-hooks"
+      },
+      "locked": {
+        "lastModified": 1732112222,
+        "narHash": "sha256-H7GN4++a4vE49SUNojZx+FSk4mmpb2ifJUtJMJHProI=",
+        "ref": "refs/heads/main",
+        "rev": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
+        "revCount": 16513,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/lix"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/lix"
+      }
+    },
+    "lix-module": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "flakey-profile": "flakey-profile",
+        "lix": "lix_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1732605668,
+        "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
+        "ref": "stable",
+        "rev": "96824d606a6656650bbe436366bc89d5ee3a6573",
+        "revCount": 113,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      },
+      "original": {
+        "ref": "stable",
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      }
+    },
+    "lix_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1729298361,
+        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
+        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
+      }
+    },
     "mitel-ommclient2": {
       "inputs": {
         "nixpkgs": [
@@ -202,6 +358,72 @@
         "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
       }
     },
+    "nix-eval-jobs": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "lix": [
+          "hydra",
+          "lix"
+        ],
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "hydra",
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix_2"
+      },
+      "locked": {
+        "lastModified": 1732351635,
+        "narHash": "sha256-H94CcQ3yamG5+RMxtxXllR02YIlxQ5WD/8PcolO9yEA=",
+        "ref": "refs/heads/main",
+        "rev": "dfc286ca3dc49118c30d8d6205d6d6af76c62b7a",
+        "revCount": 617,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nix-eval-jobs"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nix-eval-jobs"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "hydra",
+          "nix-eval-jobs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731952509,
+        "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
+    "nix2container": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1724996935,
+        "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
+        "owner": "nlewo",
+        "repo": "nix2container",
+        "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nlewo",
+        "repo": "nix2container",
+        "type": "github"
+      }
+    },
     "nixos-exporter": {
       "inputs": {
         "nixpkgs": [
@@ -254,6 +476,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1713434076,
@@ -288,11 +526,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1720957393,
-        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
+        "lastModified": 1732521221,
+        "narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
+        "rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
         "type": "github"
       },
       "original": {
@@ -302,6 +540,42 @@
         "type": "github"
       }
     },
+    "nurausstieg": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722174167,
+        "narHash": "sha256-u9ef1BNaXHEnuQEFgqqBLEVZqd5T/sqRBysN71gFOKg=",
+        "ref": "refs/heads/main",
+        "rev": "7f2e0febf3a430e4ba4f6cf1cf1c5ca10c5dd04d",
+        "revCount": 20,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nurausstieg.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nurausstieg.git"
+      }
+    },
+    "pre-commit-hooks": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1726745158,
+        "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "berlinerbaeder-exporter": "berlinerbaeder-exporter",
@@ -310,14 +584,38 @@
         "fernglas": "fernglas",
         "fieldpoc": "fieldpoc",
         "harmonia": "harmonia",
+        "hydra": "hydra",
+        "lix-module": "lix-module",
         "nixos-exporter": "nixos-exporter",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_3",
+        "nurausstieg": "nurausstieg",
+        "scan-to-gpg": "scan-to-gpg",
         "solid-xmpp-alarm": "solid-xmpp-alarm",
         "sops-nix": "sops-nix",
         "ssh-to-age": "ssh-to-age"
       }
     },
+    "scan-to-gpg": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733765838,
+        "narHash": "sha256-piKf5W1vUl4y36WuW/192LMXBJyATBF83T9YEz9K3/Y=",
+        "ref": "refs/heads/main",
+        "rev": "b0c07f95146d85a7b62a84fb2a62a773a5942733",
+        "revCount": 17,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/scan-to-gpg.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/scan-to-gpg.git"
+      }
+    },
     "solid-xmpp-alarm": {
       "inputs": {
         "nixpkgs": [
@@ -325,11 +623,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1675686574,
-        "narHash": "sha256-+Xww9mfKbUP4VRPtAJKZ6+YdBYL/0vgGoBXVC9AvmQw=",
+        "lastModified": 1734450899,
+        "narHash": "sha256-SyUOl5YUl/nlZNNM2/vSuFWFdxOCKmTO4BxjIxwVcjQ=",
         "ref": "refs/heads/main",
-        "rev": "79730bd7df798d80c526c42bbd526506f0235ea3",
-        "revCount": 4,
+        "rev": "4bfa8ec27b99e774906c82e6d51d13b32a3ff161",
+        "revCount": 6,
         "type": "git",
         "url": "https://git.clerie.de/clerie/solid-xmpp-alarm.git"
       },
@@ -361,7 +659,7 @@
     },
     "ssh-to-age": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts_3",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -395,6 +693,21 @@
         "type": "github"
       }
     },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [
@@ -415,6 +728,28 @@
         "repo": "treefmt-nix",
         "type": "github"
       }
+    },
+    "treefmt-nix_2": {
+      "inputs": {
+        "nixpkgs": [
+          "hydra",
+          "nix-eval-jobs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1732292307,
+        "narHash": "sha256-5WSng844vXt8uytT5djmqBCkopyle6ciFgteuA9bJpw=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "705df92694af7093dfbb27109ce16d828a79155f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -19,7 +19,15 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     harmonia = {
-      url = "github:clerie/harmonia/clerie/multiple-signing-keys";
+      url = "github:nix-community/harmonia/harmonia-v1.0.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    hydra = {
+      url = "git+https://git.lix.systems/lix-project/hydra.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    lix-module = {
+      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
@@ -27,6 +35,14 @@
       url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nurausstieg = {
+      url = "git+https://git.clerie.de/clerie/nurausstieg.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    scan-to-gpg = {
+      url = "git+https://git.clerie.de/clerie/scan-to-gpg.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     solid-xmpp-alarm = {
       url = "git+https://git.clerie.de/clerie/solid-xmpp-alarm.git";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -118,7 +134,11 @@
         clerie-sops-config
         clerie-sops-edit
         chromium-incognito
+        factorio-launcher
         git-checkout-github-pr
+        git-diff-word
+        git-pp
+        harmonia
         iot-data
         nix-remove-result-links
         nixfiles-auto-install
@@ -126,9 +146,11 @@
         nixfiles-generate-backup-secrets
         nixfiles-update-ssh-host-keys
         print-afra
+        run-with-docker-group
         ssh-gpg
         update-from-hydra
-        uptimestatus;
+        uptimestatus
+        xmppc;
     });
 
     inherit lib self;

flake/modules.nix

@@ -1,7 +1,9 @@
 { self
 , fernglas
 , fieldpoc
+, lix-module
 , nixos-exporter
+, scan-to-gpg
 , solid-xmpp-alarm
 , sops-nix
 , ...
@@ -12,7 +14,9 @@
   imports = [
     fernglas.nixosModules.default
     fieldpoc.nixosModules.default
+    lix-module.nixosModules.default
     nixos-exporter.nixosModules.default
+    scan-to-gpg.nixosModules.scan-to-gpg
     solid-xmpp-alarm.nixosModules.solid-xmpp-alarm
     sops-nix.nixosModules.sops
   ];

flake/overlay.nix

@@ -3,6 +3,9 @@
 , bij
 , chaosevents
 , harmonia
+, hydra
+, nurausstieg
+, scan-to-gpg
 , ssh-to-age
 , ...
 }@inputs:
@@ -14,8 +17,14 @@ final: prev: {
   inherit (chaosevents.packages.${final.system})
     chaosevents;
   harmonia = harmonia.packages.${final.system}.harmonia.override {
-    nixForHarmonia = final.nixVersions.nix_2_21;
+    nixForHarmonia = final.nixVersions.nix_2_23;
   };
+  inherit (hydra.packages.${final.system})
+    hydra;
+  inherit (nurausstieg.packages.${final.system})
+    nurausstieg;
+  inherit (scan-to-gpg.packages.${final.system})
+    scan-to-gpg;
   inherit (ssh-to-age.packages.${final.system})
     ssh-to-age;
 }

hosts/carbon/configuration.nix

@@ -7,12 +7,19 @@
       ../../configuration/router
 
       ./dns.nix
+      ./mdns.nix
       ./net-dsl.nix
       ./net-gastnetz.nix
       ./net-heimnetz.nix
+      ./net-iot.nix
       ./net-lte.nix
+      ./net-mgmt.nix
+      ./net-printer.nix
       ./net-voip.nix
+      ./ntp.nix
       ./ppp.nix
+      ./scan-to-gpg.nix
+      ./wg-clerie.nix
     ];
 
   boot.kernelParams = [ "console=ttyS0,115200n8" ];
@@ -52,6 +59,15 @@
     };
   };
 
+  systemd.services.kea-dhcp4-server = {
+    after = [
+      "network-setup.service"
+    ];
+    requires = [
+      "network-setup.service"
+    ];
+  };
+
   clerie.firewall.enable = true;
 
   clerie.monitoring = {

hosts/carbon/mdns.nix

@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+
+{
+
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+
+    allowInterfaces = [
+      "net-heimnetz"
+      "net-iot"
+    ];
+
+    reflector = true;
+  };
+
+}

hosts/carbon/net-gastnetz.nix

@@ -7,18 +7,24 @@
     id = 202;
     interface = "enp1s0";
   };
-  networking.interfaces."enp1s0.202".ipv6.addresses = [
-    { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
-    { address = "2001:4cd8:100:1313::1"; prefixLength = 64; } # public IPs for local network
+  networking.bridges."net-gastnetz".interfaces = [
+    "enp1s0.202"
   ];
-  networking.interfaces."enp1s0.202".ipv4.addresses = [
+  networking.interfaces."net-gastnetz".ipv6.addresses = [
+    { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-gastnetz".ipv4.addresses = [
     { address = "192.168.32.1"; prefixLength = 24; }
   ];
 
   services.radvd.config = ''
-    interface enp1s0.202 {
+    interface net-gastnetz {
       AdvSendAdvert on;
-      prefix 2001:4cd8:100:1313::/64 {};
+      MaxRtrAdvInterval 30;
+      prefix ::/64 {
+        AdvValidLifetime 300;
+        AdvPreferredLifetime 120;
+      };
       RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
     };
   '';
@@ -26,7 +32,7 @@
   services.kea.dhcp4 = {
     settings = {
       interfaces-config = {
-        interfaces = [ "enp1s0.202" ];
+        interfaces = [ "net-gastnetz" ];
       };
       subnet4 = [
         # Gastnetz
@@ -55,9 +61,9 @@
 
   # net-gastnetz can only access internet
   clerie.firewall.extraForwardFilterCommands = ''
-    ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT
-    ip46tables -A forward-filter -i enp1s0.202 -j DROP
-    ip46tables -A forward-filter -o enp1s0.202 -j DROP
+    ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT
+    ip46tables -A forward-filter -i net-gastnetz -j DROP
+    ip46tables -A forward-filter -o net-gastnetz -j DROP
   '';
 
 }

hosts/carbon/net-heimnetz.nix

@@ -14,7 +14,6 @@
   networking.interfaces."net-heimnetz".ipv6.addresses = [
     { address = "fe80::1"; prefixLength = 64; }
     { address = "fd00:152:152:4::1"; prefixLength = 64; }
-    { address = "2001:4cd8:100:1337::1"; prefixLength = 64; } # public IPs for local network
   ];
   networking.interfaces."net-heimnetz".ipv4.addresses = [
     { address = "10.152.4.1"; prefixLength = 24; }
@@ -23,7 +22,11 @@
   services.radvd.config = ''
     interface net-heimnetz {
       AdvSendAdvert on;
-      prefix 2001:4cd8:100:1337::/64 {};
+      MaxRtrAdvInterval 30;
+      prefix ::/64 {
+        AdvValidLifetime 300;
+        AdvPreferredLifetime 120;
+      };
       RDNSS fd00:152:152::1 {};
       DNSSL net.clerie.de {};
     };

hosts/carbon/net-iot.nix

@@ -0,0 +1,80 @@
+{ ... }:
+
+{
+
+  networking.vlans."enp1s0.205" = {
+    id = 205;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-iot".interfaces = [
+    "enp1s0.205"
+  ];
+  networking.interfaces."net-iot".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:205::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-iot".ipv4.addresses = [
+    { address = "10.152.205.1"; prefixLength = 24; }
+  ];
+
+  # Enable NTP
+  networking.firewall.interfaces."net-iot".allowedUDPPorts = [ 123 ];
+
+  services.radvd.config = ''
+    interface net-iot {
+      AdvSendAdvert on;
+      MaxRtrAdvInterval 30;
+      prefix ::/64 {
+        AdvValidLifetime 300;
+        AdvPreferredLifetime 120;
+      };
+      RDNSS fd00:152:152::1 {};
+      DNSSL iot.clerie.de {};
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-iot" ];
+      };
+      subnet4 = [
+        {
+          id = 205;
+          subnet = "10.152.205.0/24";
+          pools = [
+            {
+              pool = "10.152.205.100 - 10.152.205.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.205.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "10.152.0.1";
+            }
+            {
+              name = "domain-name";
+              data = "iot.clerie.de";
+            }
+            {
+              name = "time-servers";
+              data = "10.152.0.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to IOT devices
+    ip46tables -A forward-filter -i net-heimnetz -o net-iot -j ACCEPT
+    ip46tables -A forward-filter -i net-iot -j DROP
+    ip46tables -A forward-filter -o net-iot -j DROP
+  '';
+
+}

hosts/carbon/net-mgmt.nix

@@ -0,0 +1,63 @@
+{ ... }:
+
+{
+
+  networking.vlans."enp1s0.203" = {
+    id = 203;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-mgmt".interfaces = [
+    "enp1s0.203"
+  ];
+  networking.interfaces."net-mgmt".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:203::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-mgmt".ipv4.addresses = [
+    { address = "10.152.203.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface net-mgmt {
+      AdvSendAdvert on;
+      MaxRtrAdvInterval 30;
+      prefix ::/64 {
+        AdvValidLifetime 300;
+        AdvPreferredLifetime 120;
+      };
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-mgmt" ];
+      };
+      subnet4 = [
+        {
+          id = 203;
+          subnet = "10.152.203.0/24";
+          pools = [
+            {
+              pool = "10.152.203.100 - 10.152.203.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.203.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to MGMT network
+    ip46tables -A forward-filter -i net-heimnetz -o net-mgmt -j ACCEPT
+    ip46tables -A forward-filter -i net-mgmt -j DROP
+    ip46tables -A forward-filter -o net-mgmt -j DROP
+  '';
+
+}

hosts/carbon/net-printer.nix

@@ -0,0 +1,51 @@
+{ ... }:
+
+{
+  networking.vlans."enp1s0.206" = {
+    id = 206;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-printer".interfaces = [
+    "enp1s0.206"
+  ];
+  networking.interfaces."net-printer".ipv4.addresses = [
+    { address = "10.152.206.1"; prefixLength = 24; }
+  ];
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-printer" ];
+      };
+      subnet4 = [
+        {
+          id = 206;
+          subnet = "10.152.206.0/24";
+          pools = [
+            {
+              pool = "10.152.206.100 - 10.152.206.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.206.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  # Enable scan-to-gpg
+  networking.firewall.interfaces."net-printer".allowedTCPPorts = [ 2121 ];
+  networking.firewall.interfaces."net-printer".allowedTCPPortRanges = [ { from = 2130; to = 2134; } ];
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to printer
+    ip46tables -A forward-filter -i net-heimnetz -o net-printer -j ACCEPT
+    ip46tables -A forward-filter -i net-printer -j DROP
+    ip46tables -A forward-filter -o net-printer -j DROP
+  '';
+
+}

hosts/carbon/ntp.nix

@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+
+  services.chrony = {
+    enable = true;
+    extraConfig = ''
+      # Enable NTP server mode
+      allow
+      bindaddress fd00:152:152::1
+      bindaddress 10.152.0.1
+    '';
+  };
+
+}

hosts/carbon/ppp.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, utils, ... }:
+{ config, pkgs, lib, ... }:
 
 {
 
@@ -15,7 +15,7 @@
         noipdefault
         lcp-echo-interval 20
         lcp-echo-failure 3
-        mtu 14592
+        mtu 1492
         hide-password
         defaultroute
         +ipv6
@@ -44,17 +44,20 @@
       cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
     '';
 
-    preStartFile = utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" preStart;
+    preStartFile = pkgs.writeShellApplication {
+      name = "pppd-dtagdsl-pre-start";
+      text = preStart;
+    };
   in {
     EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
     ExecStartPre = [
       # "+" marks script to be executed without priviledge restrictions
-      "+${preStartFile}"
+      "+${lib.getExe preStartFile}"
     ];
   };
 
   clerie.firewall.extraForwardMangleCommands = ''
-    ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
+    ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
   '';
 
 }

hosts/carbon/scan-to-gpg.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+
+  services.scan-to-gpg = {
+    enable = true;
+    gpgkey = "${pkgs.clerie-keys}/gpg/clerie@clerie.de.asc";
+  };
+
+  users.users."clerie".extraGroups = [ "scan-to-gpg" ];
+}

hosts/carbon/secrets.json

@@ -2,6 +2,7 @@
 	"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
 	"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
 	"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
+	"wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -13,8 +14,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-07-13T21:56:57Z",
-		"mac": "ENC[AES256_GCM,data:/jZ/aIQUxYrF0deBTJOyc009yPKfshiYnAB2GR5SRTi00Ls5efKzhjDJaEWvAkgBTFz5/a8fy2k+vXEDsDlrgcgWqMS8/Az5LRf9RWUBWkerDyoBJ2UZRdt7UVPfkN8ObKQpfFqxhzkm4zio+MwSbqSMZil6fGaxz6lyUkwaphg=,iv:KStinEtV1DTaEl0ebMEw8lSMvrE5rtxqfTbzssC9oGY=,tag:YOr8T3wqqxyv0mpO1wMDEg==,type:str]",
+		"lastmodified": "2024-08-13T14:06:43Z",
+		"mac": "ENC[AES256_GCM,data:yGKY0fi3KQWGHBeyNtQ8EJ6561dKRZ5aAjO9zq3odDtX75i2RSjORIlNjBsVvegBzeo8AkwwnzxNPt2sHl6MKDZfEsysWAi8Wolh4UvHk087AnR/uKvtG6t4uUaNIWej2DEzxUtTQ8QP1afsdqGCf0vZVruNcJ4u2xiQbN2vJPc=,iv:CDXJ5/P+h0Enq/0EL1su1Mw55FVYLy4XPSoUCkRkt+U=,tag:AvRfEDYMBunyIQIVCPbXag==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:05:56Z",

hosts/carbon/wg-clerie.nix

@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  services.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ];
+    ipv4s = [ "10.20.30.111/32" ];
+    defaultViaVPN = false;
+  };
+}

hosts/gatekeeper/configuration.nix

@@ -109,6 +109,11 @@
           allowedIPs = [ "2a01:4f8:c0c:15f1::8110/128" "10.20.30.110/32" ];
           publicKey = "kn6ZtViagKGSyfQJQW6csQE/5r7uKlbC1rbInlQ33xs=";
         }
+        {
+          # carbon
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8111/128" "10.20.30.111/32" ];
+          publicKey = "o6qxGKIoW2ZSFhXeNRXd4G9BRFeYyjZsrUPulB3KhTI=";
+        }
       ];
       listenPort = 51820;
       allowedIPsAsRoutes = false;

hosts/hydra-1/nix-cache.nix

@@ -5,18 +5,10 @@
   services.harmonia = {
     enable = true;
     settings.bind = "[::1]:5005";
-  };
-
-  systemd.services.harmonia = {
-    environment = {
-      SIGN_KEY_PATHS = "%d/key1 %d/key2";
-    };
-    serviceConfig = {
-      LoadCredential = [
-        "key1:${config.sops.secrets."sign-key-nix-cache.clerie.de".path}"
-        "key2:${config.sops.secrets."sign-key-cache.nix.clerie.de".path}"
-      ];
-    };
+    signKeyPaths = [
+      config.sops.secrets."sign-key-nix-cache.clerie.de".path
+      config.sops.secrets."sign-key-cache.nix.clerie.de".path
+    ];
   };
 
   services.nginx.virtualHosts = {

hosts/krypton/android.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+
+  services.udev.packages = [
+    pkgs.android-udev-rules
+  ];
+
+}

hosts/krypton/configuration.nix

@@ -7,6 +7,7 @@
 
       ../../configuration/desktop
 
+      ./android.nix
       ./backup.nix
       #./initrd.nix
       ./network.nix

hosts/krypton/programs.nix

@@ -19,6 +19,7 @@
     onlyoffice-bin
 
     krita
+    inkscape
 
     wireshark
     tcpdump
@@ -28,6 +29,8 @@
     chromium-incognito
 
     print-afra
+
+    factorio-launcher
   ];
 
   # Wireshark

hosts/monitoring-3/grafana.nix

@@ -7,7 +7,7 @@
         domain = "grafana.monitoring.clerie.de";
         root_url = "https://grafana.monitoring.clerie.de";
         http_port = 3001;
-        http_addr = "[::1]";
+        http_addr = "::1";
       };
       "auth.anonymous" = {
         enabled = true;

hosts/monitoring-3/prometheus.nix

@@ -190,6 +190,7 @@ in {
               "www.fem.tu-ilmenau.de"
               "www.heise.de"
               "dyon.net.entr0py.de"
+              "matrix.fachschaften.org"
             ];
           }
         ];
@@ -229,18 +230,10 @@ in {
               "achtbaan.nikhef.nl"
               "www.fem.tu-ilmenau.de"
               "www.heise.de"
-              "pe10-fd2.nodes.nethinks.com"
-              "pe20-fd2.nodes.nethinks.com"
-              "pe10-pet1.nodes.nethinks.com"
-              "pe20-pet1.nodes.nethinks.com"
-              "pe10-ffm1.nodes.nethinks.com"
-              "ie10-ffm2.nodes.nethinks.com"
-              "pe10-ffm2.nodes.nethinks.com"
-              "ie10-due1.nodes.nethinks.com"
-              "pe10-due1.nodes.nethinks.com"
               "matrix.bau-ha.us"
               "dyon.net.entr0py.de"
               "matrix.entr0py.de"
+              "matrix.fachschaften.org"
             ];
           }
         ];
@@ -275,6 +268,7 @@ in {
           {
             targets = [
               "matrix.entr0py.de"
+              "matrix.fachschaften.org"
             ];
           }
         ];
@@ -355,46 +349,6 @@ in {
           relabelAddressToInstance
         ];
       }
-      {
-        job_name = "zimmer-temp";
-        scrape_interval = "20s";
-        scheme = "https";
-        metrics_path = "/data/zimmer-temp/";
-        static_configs = [
-          {
-            targets = [
-              "iot-data.clerie.de"
-            ];
-          }
-        ];
-      }
-      {
-        job_name = "outdoor-temp";
-        scrape_interval = "20s";
-        scheme = "https";
-        metrics_path = "/data/outdoor-temp/";
-        static_configs = [
-          {
-            targets = [
-              "iot-data.clerie.de"
-            ];
-          }
-        ];
-      }
-      {
-        job_name = "xmpp-alerts";
-        scrape_interval = "20s";
-        static_configs = [
-          {
-            targets = [
-              "monitoring-3.mon.clerie.de:9199"
-            ];
-          }
-        ];
-        relabel_configs = [
-          relabelAddressToInstance
-        ];
-      }
       {
         job_name = "hydra";
         scrape_interval = "20s";

hosts/web-2/bubblesort.nix

@@ -1,14 +0,0 @@
-{ pkgs, ... }:
-{
-  services.nginx.virtualHosts = {
-    "bubblesort.clerie.de" = {
-      enableACME = true;
-      forceSSL = true;
-      root = pkgs.fetchgit {
-        url = "https://git.clerie.de/clerie/bubblesort_js.git";
-        rev = "39d54701a11f4fb48d7e023e384a848e6bde5640";
-        sha256 = "sha256-au/sbTVLDER0BbXD6cKJIpq0GcS/saiRQw46mZQWsO0=";
-      };
-    };
-  };
-}

hosts/web-2/clerie.nix

@@ -15,8 +15,8 @@
       forceSSL = true;
       root = pkgs.fetchgit {
         url = "https://git.clerie.de/clerie/clerie.de.git";
-        rev = "785693e6826c6377c3f3200274c281d2ef3317b3";
-        hash = "sha256-cyTHOOm7hpPUD8paKB7Wci3RYAo6Jr/MI/Xqx4iwXwY=";
+        rev = "ec744cbeaf99ae4fd4832d7e594bc72bfabc8706";
+        hash = "sha256-EG8UO/9ycyWjtqLUX7ydctLdIbq/j8zylEK7YYvEwmI=";
       };
       locations."/ssh" = {
         extraConfig = ''

hosts/web-2/configuration.nix

@@ -5,26 +5,23 @@
     [
       ./hardware-configuration.nix
       ./blog.nix
-      ./bubblesort.nix
       ./bula22.nix
       ./chaosevents.nix
       ./clerie.nix
       ./drop.nix
       ./fieldpoc.nix
       ./gitea.nix
-      ./iot-data.nix
       ./ip.nix
       ./legal.nix
       ./meow.nix
       ./milchinsel.nix
       ./mitel-ommclient2.nix
       ./nix-install.nix
-      ./nogo2024.nix
+      ./nurausstieg.nix
       ./ping.nix
       ./public.nix
       ./radicale.nix
       ./reichartstrasse.nix
-      ./tap.nix
       ./uptimestatus.nix
       ./wetter.nix
     ];
@@ -53,7 +50,7 @@
 
   services.postgresql = {
     enable = true;
-    package = pkgs.postgresql_12;
+    package = pkgs.postgresql_16;
   };
 
   clerie.backup = {

hosts/web-2/gitea.nix

@@ -15,7 +15,7 @@
     lfs.enable = true;
     settings = {
       log = {
-        LEVEL = "Info";
+        LEVEL = "Warn";
       };
       database = {
         CHARSET = "utf8";
@@ -28,7 +28,7 @@
       server = {
         ROOT_URL = "https://git.clerie.de/";
         DOMAIN = "git.clerie.de";
-        HTTP_ADDRESS = "127.0.0.1";
+        HTTP_ADDRESS = "::1";
         HTTP_PORT = 3000;
         OFFLINE_MODE = true;
         LANDING_PAGE = "explore";
@@ -80,7 +80,7 @@
       forceSSL = true;
       locations = {
         "/" = {
-          proxyPass = "http://localhost:3000";
+          proxyPass = "http://[::1]:3000";
         };
       };
       extraConfig = ''

hosts/web-2/iot-data.nix

@@ -1,40 +0,0 @@
-{pkgs, ...}:
-
-{
-  users.users.iot-data = {
-    description = "IOT Data Service";
-    group = "iot-data";
-    home = "/var/lib/iot-data/";
-    useDefaultShell = true;
-    isSystemUser = true;
-  };
-  users.groups.iot-data = {};
-
-  systemd.services.iot-data = {
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      RuntimeDirectory = "iot-data";
-      StateDirectory = "iot-data";
-      User = "iot-data";
-      Group = "iot-data";
-    };
-    environment = {
-      IOT_DATA_CONFIG = "/var/src/iot-data-config.json";
-    };
-    script = "gunicorn -w 1 -b [::1]:8235 iot_data:app";
-    path = with pkgs; [ (python3.withPackages (ps: [ ps.gunicorn iot-data ])) ];
-  };
-
-  services.nginx.virtualHosts = {
-    "iot-data.clerie.de" = {
-      enableACME = true;
-      addSSL = true;
-      locations."/" = {
-        proxyPass = "http://[::1]:8235";
-      };
-      extraConfig = ''
-        access_log off;
-      '';
-    };
-  };
-}

hosts/web-2/nogo2024.nix

@@ -1,20 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.nginx.virtualHosts = {
-    "nogo2024.clerie.de" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        return = "404";
-      };
-      locations."= /nogo2024.ics" = {
-        root = pkgs.fetchgit {
-          url = "https://git.clerie.de/clerie/nogo2024.git";
-          rev = "fdc07667e6cfa09e91eaaee488528fb842a6115d";
-          sha256 = "sha256-qRviw0sQnMmrkwBO0+AWnmeqZK8wXeFxZJgmLMUtzn4=";
-        };
-      };
-    };
-  };
-}

hosts/web-2/nurausstieg.nix

@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+
+{
+
+  systemd.tmpfiles.rules = [
+    "d /var/cache/nginx/nurausstieg - nginx nginx - -"
+  ];
+
+  services.nginx = {
+    commonHttpConfig = ''
+      proxy_cache_path /var/cache/nginx/nurausstieg levels=1:2 use_temp_path=off keys_zone=nurausstieg:1m max_size=10m;
+    '';
+
+    virtualHosts."nurausstieg.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://[::1]:44384";
+        extraConfig = ''
+          proxy_cache nurausstieg;
+          # Ignore upstream cache hints
+          proxy_ignore_headers Cache-Control;
+          # Force cache 200 and 500 responses for one minute
+          proxy_cache_valid 200 500 1m;
+          # Only do a single fetch for missing entries and let other sessions wait
+          proxy_cache_lock on;
+        '';
+      };
+    };
+  };
+
+  systemd.services.nurausstieg = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      DynamicUser = true;
+    };
+    path = with pkgs; [ nurausstieg ];
+    script = "nurausstieg --listen [::1]:44384";
+  };
+
+}

hosts/web-2/tap.nix

@@ -1,15 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.nginx.virtualHosts = {
-    "tap.clerie.de" = {
-      enableACME = true;
-      forceSSL = true;
-      root = pkgs.fetchgit {
-        url = "https://git.clerie.de/clerie/tap.clerie.de.git";
-        rev = "a90df6f6cb6dc58ab807b230527aae76c48cdcc8";
-        sha256 = "sha256-GTUy98NHXvR7pG8lUWZm6wa0XjULnDTSu17C/DQuXBI=";
-      };
-    };
-  };
-}

hosts/zinc/programs.nix

@@ -6,7 +6,11 @@
     firefox
 
     blender
-    cura
+    #cura # libarcus library is currently broken, required for curaengine
+
+    mumble
+
+    factorio-launcher
   ];
 
 }

modules/default.nix

@@ -8,6 +8,7 @@
     ./clerie-firewall
     ./clerie-gc-dir
     ./clerie-system-upgrade
+    ./dhcpcd-prefixdelegation
     ./minecraft-server
     ./monitoring
     ./nginx-port-forward

modules/dhcpcd-prefixdelegation/default.nix

@@ -0,0 +1,144 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.networking.dhcpcd-prefixdelegation;
+
+  downstreamInterfaceConfig = name: opts: "${name}${
+    optionalString (opts.sla_id != null) "/${builtins.toString opts.sla_id}${
+      optionalString (opts.prefix_len != null) "/${builtins.toString opts.prefix_len}${
+        optionalString (opts.suffix != null) "/${opts.suffix}"
+      }"
+    }"
+  }";
+
+  interfaceConfig = name: opts: ''
+    interface ${name}
+      ipv6rs
+      ia_pd ${builtins.toString opts.iaid}${
+        optionalString (opts.prefix != null) "/${opts.prefix}${
+          optionalString (opts.prefix_len != null) "/${builtins.toString opts.prefix_len}"
+        }"
+      } ${concatMapStringsSep " " ({name, value}: downstreamInterfaceConfig name value) (attrsToList opts.interfaces)}
+  '';
+
+
+  dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
+    duid
+    noipv6rs
+    waitip 6
+    ipv6only
+
+    allowinterfaces ${concatStringsSep " " (builtins.attrNames cfg.interfaces)} ${concatMapStringsSep " " ({name, value}: concatStringsSep "" (builtins.attrNames value.interfaces)) (attrsToList cfg.interfaces)}
+
+    ${concatMapStringsSep "\n" ({name, value}: interfaceConfig name value) (attrsToList cfg.interfaces)}
+  '';
+
+  downstreamInterfaceOpts = { ... }: {
+    options = {
+      sla_id = mkOption {
+        type = with types; nullOr ints.unsigned;
+        default = null;
+      };
+
+      prefix_len = mkOption {
+        type = with types; nullOr ints.unsigned;
+        default = null;
+      };
+
+      suffix = mkOption {
+        type = with types; nullOr str;
+        default = null;
+      };
+    };
+  };
+
+  interfaceOpts = { ... }: {
+    options = {
+      iaid = mkOption {
+        type = with types; ints.unsigned;
+        description = ''
+          Request a delegated prefix with this IAID on this interface
+        '';
+      };
+
+      prefix = mkOption {
+        type = with types; nullOr str;
+        default = null;
+      };
+
+      prefix_len = mkOption {
+        type = with types; nullOr ints.unsigned;
+        default = null;
+      };
+
+      interfaces = mkOption {
+        type = with types; attrsOf (submodule downstreamInterfaceOpts);
+        default = {};
+        description =''
+          Interfaces to assign IPv6 prefixes to
+        '';
+      };
+    };
+  };
+
+in
+
+{
+
+  options = {
+
+    networking.dhcpcd-prefixdelegation = {
+      enable = mkEnableOption "dhcpcd for prefixdelegation";
+
+      interfaces = mkOption {
+        type = with types; attrsOf (submodule interfaceOpts);
+        default = {};
+        description = ''
+          Interfaces to request IPv6 prefixes from
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    environment.etc."dhcpcd.conf".source = dhcpcdConf;
+
+    systemd.services.dhcpcd-prefixdelegation = {
+        description = "DHCP Client for IPv6 Prefix Delegation";
+
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "network.target" ];
+        before = [ "network-online.target" ];
+
+        # Stopping dhcpcd during a reconfiguration is undesirable
+        # because it brings down the network interfaces configured by
+        # dhcpcd.  So do a "systemctl restart" instead.
+        stopIfChanged = false;
+
+        path = [ pkgs.dhcpcd ];
+
+        unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
+        serviceConfig =
+          { Type = "forking";
+            PIDFile = "/run/dhcpcd/pid";
+            RuntimeDirectory = "dhcpcd";
+            ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd --quiet --config ${dhcpcdConf}";
+            ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind";
+            Restart = "always";
+          };
+      };
+
+    users.users.dhcpcd = {
+      isSystemUser = true;
+      group = "dhcpcd";
+    };
+    users.groups.dhcpcd = {};
+
+  };
+
+}

modules/wg-clerie/default.nix

@@ -25,6 +25,11 @@ in
         default = [];
         description = "IPv4 interface addresses";
       };
+      defaultViaVPN = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Use VPN default route for a protocol, if that protocol is unavailable in the underlay";
+      };
     };
   };
 
@@ -45,7 +50,9 @@ in
         { rule = "to 2a01:4f8:c0c:15f1::1/128 ipproto udp dport 51820 unreachable"; prio = 20001; }
         # Try direct routing first, fallback to VPN
         { rule = "lookup main"; prio = 21000; }
+      ] ++ (if cfg.defaultViaVPN then [
         { rule = "lookup wg-clerie"; prio = 21001; }
+      ] else []) ++ [
         { rule = "unreachable"; prio = 22000; }
       ];
       rules4 = (concatMap (ip: [
@@ -57,7 +64,9 @@ in
         { rule = "to 78.47.183.82/32 ipproto udp dport 51820 unreachable"; prio = 20001; }
         # Try direct routing first, fallback to VPN
         { rule = "lookup main"; prio = 21000; }
+      ] ++ (if cfg.defaultViaVPN then [
         { rule = "lookup wg-clerie"; prio = 21001; }
+      ] else []) ++ [
         { rule = "unreachable"; prio = 22000; }
       ];
     };

pkgs/clerie-sops/clerie-sops-config.nix

@@ -1,37 +1,19 @@
 { pkgs, lib, ... }:
 
-with lib;
+pkgs.python313Packages.buildPythonPackage rec {
+  pname = "clerie-sops-config";
+  version = "0.0.1";
 
-let
-  hosts = builtins.attrNames (builtins.readDir ../../hosts);
+  src = ./.;
 
-  mkAgeKey = hostname: ssh_pub_file:
-    pkgs.runCommand "${hostname}.age" {
-      buildInputs = [ pkgs.ssh-to-age ];
-    } ''
-      ssh-to-age -i ${ssh_pub_file} -o $out
-    '';
+  format = "other";
 
-  ageKeysForHost = hostname: let
-    ssh_pub_file = ../../hosts + "/${hostname}/ssh.pub";
-  in
-    if builtins.pathExists ssh_pub_file then [
-      (fileContents (mkAgeKey hostname ssh_pub_file))
-    ] else [];
+  propagatedBuildInputs = with pkgs; [
+    ssh-to-age
+  ];
 
-  mkCreationRules = hosts:
-    map (hostname: {
-      path_regex = escapeRegex "hosts/${hostname}/secrets.json";
-      key_groups = [{
-        pgp = [
-          (fileContents (pkgs.clerie-keys + "/gpg/clerie@clerie.de.fingerprint.txt"))
-        ];
-        age = ageKeysForHost hostname;
-      }];
-    }) hosts;
-
-  sops_config = {
-    creation_rules = mkCreationRules hosts;
-  };
-in
-  pkgs.writeText "sops.json" (builtins.toJSON sops_config)
+  installPhase = ''
+    mkdir -p $out/bin
+    cp clerie-sops-config.py $out/bin/clerie-sops-config
+  '';
+}

pkgs/clerie-sops/clerie-sops-config.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+import sys
+import json
+from pathlib import Path
+import re
+import subprocess
+
+def generate_sops_config(repo_root):
+    admin_keys = []
+
+    # hardcode fingerprints because we can't really generate them automatically currently
+    admin_keys.append("0C982F87B7AFBA0F504F90A2629E741947C87928") # clerie@clerie.de
+
+    list_of_host_directories = sorted(list(filter(lambda path_object: path_object.is_dir(), (repo_root / "hosts").iterdir())))
+
+    creation_rules = []
+
+    for host_directory in list_of_host_directories:
+        host_secrets_file = host_directory / "secrets.json"
+        host_keys = []
+
+        ssh_host_key_file = host_directory / "ssh.pub"
+
+        if ssh_host_key_file.is_file():
+
+            ssh_to_age_command = subprocess.run(["ssh-to-age", "-i", str(ssh_host_key_file)], capture_output=True, text=True)
+            if ssh_to_age_command.returncode == 0:
+                host_keys.append(ssh_to_age_command.stdout.strip())
+
+        creation_rules.append({
+            "key_groups": [{
+                "age": host_keys,
+                "pgp": admin_keys,
+            }],
+            "path_regex": re.escape(str(host_secrets_file)),
+        })
+
+    return {
+        "creation_rules": creation_rules,
+    }
+
+
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("No repo root specified")
+        exit(1)
+
+    repo_root = Path(sys.argv[1])
+
+    sops_config = generate_sops_config(repo_root)
+
+    print(json.dumps(sops_config))

pkgs/clerie-sops/clerie-sops.nix

@@ -4,8 +4,13 @@ pkgs.writeShellApplication {
   name = "clerie-sops";
   runtimeInputs = with pkgs; [
     sops
+    clerie-sops-config
   ];
   text = ''
-    exec sops --config ${pkgs.clerie-sops-config} "$@"
+    REPO_ROOT="."
+    if GIT_ROOT=$(git rev-parse --show-toplevel); then
+      REPO_ROOT="$GIT_ROOT"
+    fi
+    exec sops --config <(clerie-sops-config "$REPO_ROOT") "$@"
   '';
 }

pkgs/factorio-launcher/default.nix

@@ -0,0 +1,25 @@
+{ pkgs, lib, ... }:
+
+pkgs.buildFHSEnv {
+  name = "factorio-launcher";
+  targetPkgs = pkgs: (with pkgs; [
+        alsa-lib
+        libGL
+        libpulseaudio
+        libxkbcommon
+        wayland
+  ]) ++ (with pkgs.xorg; [
+        libICE
+        libSM
+        libX11
+        libXcursor
+        libXext
+        libXi
+        libXinerama
+        libXrandr
+  ]);
+  runScript = lib.getExe (pkgs.writeShellApplication {
+    name = "launch-factorio";
+    text = builtins.readFile ./launch-factorio.sh;
+  });
+}

pkgs/factorio-launcher/launch-factorio.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ $# -eq 0 ]]; then
+	echo "Pass path to factorio install directory as first argument"
+	exit 1
+fi
+
+FACTORIO_BINARY_PATH=""
+
+for suffix in "" "/factorio" "/x64/factorio" "/bin/x64/factorio" "/factorio/bin/x64/factorio"; do
+	if [[ -f "$1${suffix}" && -x "$1${suffix}" ]]; then
+		FACTORIO_BINARY_PATH="$1${suffix}"
+		break
+	fi
+done
+
+if [[ -z $FACTORIO_BINARY_PATH ]]; then
+	echo "No factorio executable found below $1"
+	exit 1
+fi
+
+shift
+
+set -- "${FACTORIO_BINARY_PATH}" "$@"
+
+exec "$@"

pkgs/git-diff-word/default.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "git-diff-word";
+  text = builtins.readFile ./git-diff-word.sh;
+  runtimeInputs = with pkgs; [
+    git
+  ];
+}

pkgs/git-diff-word/git-diff-word.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+git diff --word-diff=color --word-diff-regex="." "$@"

pkgs/git-pp/default.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "git-pp";
+  text = builtins.readFile ./git-pp.sh;
+  runtimeInputs = with pkgs; [
+    git
+  ];
+}

pkgs/git-pp/git-pp.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+git pull --rebase && git push

pkgs/overlay.nix

@@ -7,7 +7,10 @@ final: prev: {
   clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
   clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
   chromium-incognito = final.callPackage ./chromium-incognito {};
+  factorio-launcher = final.callPackage ./factorio-launcher {};
   git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
+  git-diff-word = final.callPackage ./git-diff-word {};
+  git-pp = final.callPackage ./git-pp {};
   iot-data = final.python3.pkgs.callPackage ./iot-data {};
   nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
   nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
@@ -15,7 +18,10 @@ final: prev: {
   nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
   nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
   print-afra = final.callPackage ./print-afra {};
+  run-with-docker-group = final.callPackage ./run-with-docker-group {};
   ssh-gpg = final.callPackage ./ssh-gpg {};
   update-from-hydra = final.callPackage ./update-from-hydra {};
   uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {};
+
+  xmppc = import ./overrides/xmppc.nix final prev;
 }

pkgs/overrides/xmppc.nix

@@ -0,0 +1,11 @@
+final: prev:
+prev.xmppc.overrideAttrs (finalAttrs: prevAttrs: {
+  version = "0.1.2-clerie-custom";
+  patches = [
+    (final.fetchpatch {
+      # read password from file
+      url = "https://codeberg.org/Anoxinon_e.V./xmppc/pulls/38.patch";
+      hash = "sha256-gAD0mfuvqqC7AFtMdtbW+tJiD1F9tOP6/E0eJayDXqc=";
+    })
+  ];
+})

pkgs/run-with-docker-group/default.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "run-with-docker-group";
+  text = builtins.readFile ./run-with-docker-group.sh;
+}

pkgs/run-with-docker-group/run-with-docker-group.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ $# -eq 0 ]]; then
+	set -- "${SHELL}"
+fi
+
+exec systemd-run \
+	"--property=User=$(id -un)" \
+	"--property=SupplementaryGroups=docker" \
+	"--pty" "--same-dir" "--wait" "--collect" "--service-type=exec" \
+	"--quiet" \
+	"--setenv=PATH" \
+	"--setenv=EDITOR" \
+	"--setenv=PAGER" \
+	"$@"