Update nixpkgs 2025-08-15-01-03

pkgs/generate-blocked-prefixes: Deduplicate prefixes before generating firewall rules
hosts/krypton: don't use onlyoffice anymore
2025-08-15 03:03:18 +02:00 · 2025-08-14 20:20:33 +02:00 · 2025-08-09 14:59:03 +02:00 · 2025-08-09 11:42:04 +02:00 · 2025-08-09 11:41:34 +02:00 · 2025-07-29 23:03:58 +02:00
324 changed files with 14400 additions and 5101 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-result
+result*
 .Trash-1000
--- a/README.md
+++ b/README.md
@@ -0,0 +1,5 @@
+# clerie's nixfiles
+
+This repository contains all the configuration for clerie's infrastructure.
+
+[Build Status](https://hydra.clerie.de/jobset/nixfiles/nixfiles#tabs-jobs) | [Installer ISO](https://hydra.clerie.de/job/nixfiles/nixfiles/iso/latest)
--- a/configuration/common/backup.nix
+++ b/configuration/common/backup.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+
+  clerie.backup = {
+    targets = {
+      cyan.serverUrl = "https://cyan.backup.clerie.de";
+      magenta.serverUrl = "https://magenta.backup.clerie.de";
+    };
+  };
+
+}
--- a/configuration/common/certificates.nix
+++ b/configuration/common/certificates.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  environment.sessionVariables = {
+    REQUESTS_CA_BUNDLE = mkDefault config.security.pki.caBundle;
+  };
+
+}
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -2,56 +2,16 @@

 {
  imports = [
-    ../../modules
+    ./backup.nix
+    ./certificates.nix
+    ./initrd.nix
+    ./locale.nix
+    ./networking.nix
+    ./programs.nix
+    ./ssh.nix
+    ./systemd.nix
+    ./user.nix
  ];

-  networking.domain = "net.clerie.de";
-
-  time.timeZone = "Europe/Berlin";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    keyMap = "de-latin1";
-  };
-
-  security.sudo.wheelNeedsPassword = false;
-
-  nix.trustedUsers = [ "@wheel" ];
-
-  users.users.clerie = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUBblmmVoMMBftn4EnwnzqR12m9zill51LpO124hHb10K2rqxNoq8tYSc2pMkV/3briZovffpe5SzB+m2MnXbtOBstIEXkrPZQ78vaZ/nLh7+eWg30lCmMPwjf2wIjlTXkcbxbsi7FbPW7FsolGkU/0mqGhqK1Xft/g7SnCXIoGPSSrHMXEv5dPPofCa1Z0Un+98wQTVfOSKek6TnIsfLbG01UFQVkN7afE4dqSmMiWwEm2PK9l+OiBA2/QzDpbtu9wsfTol4c192vFEWR9crB2YZ1JlMbjVWHjYmB7NFsS0A6lUOikss0Y+LUWS2/QuM/kqybSo4rasZMAIazM6D clerie"
-    ];
-  };
-
-  environment.systemPackages = with pkgs; [
-    htop
-    tmux
-  ];
-
-  programs.mtr.enable = true;
-
-  services.openssh.enable = true;
-  services.openssh.passwordAuthentication = false;
-  services.openssh.challengeResponseAuthentication = false;
-  services.openssh.permitRootLogin = lib.mkDefault "no";
-
-  services.nginx = {
-    enableReload = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
-
-  security.acme = {
-    email = "letsencrypt@clerie.de";
-    acceptTerms = true;
-  };
-
-  nixpkgs.overlays = [
-    (import ../../pkgs/overlay.nix)
-  ];
+  services.fstrim.enable = true;
 }
--- a/configuration/common/initrd.nix
+++ b/configuration/common/initrd.nix
@@ -0,0 +1,7 @@
+{ lib, ... }:
+
+{
+
+  boot.initrd.systemd.enable = lib.mkDefault true;
+
+}
--- a/configuration/common/locale.nix
+++ b/configuration/common/locale.nix
@@ -0,0 +1,26 @@
+{ ... }:
+
+{
+
+  time.timeZone = "Europe/Berlin";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "de_DE.UTF-8";
+    # LC_COLLATE # How to sort stuff
+    # LC_CTYPE # Character recognition of bytes
+    # LC_IDENTIFICATION # What to show as system locale
+    LC_MONETARY = "de_DE.UTF-8"; # Currency formats
+    # LC_MEASSAGES # General message lang
+    LC_MEASUREMENT = "de_DE.UTF-8"; # Units used for numbers
+    LC_NAME = "de_DE.UTF-8"; # Names of persons
+    # LC_NUMERIC # Punctiation of numbers
+    LC_PAPER = "de_DE.UTF-8"; # Paper size
+    LC_TELEPHONE = "de_DE.UTF-8"; # Phone number formats
+    LC_TIME = "de_DE.UTF-8"; # Time format
+  };
+  console = {
+    keyMap = "de-latin1";
+  };
+
+}
--- a/configuration/common/networking.nix
+++ b/configuration/common/networking.nix
@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+
+  networking.domain = "net.clerie.de";
+
+  networking.firewall.logRefusedConnections = lib.mkDefault false;
+
+}
--- a/configuration/common/programs.nix
+++ b/configuration/common/programs.nix
@@ -0,0 +1,40 @@
+{ pkgs, ... }:
+
+{
+
+  environment.systemPackages = with pkgs; [
+    # My system is fucked
+    gptfdisk
+    parted
+
+    # Normal usage
+    htop
+    tmux
+
+    # Deployment
+    bij
+    clerie-sops
+    clerie-sops-edit
+    sops
+
+    # Debugging
+    jq
+    curl
+  ];
+
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
+
+  programs.mtr.enable = true;
+
+  programs.git.enable = true;
+  programs.git.config = {
+    user = {
+      name = "clerie";
+      email = "git@clerie.de";
+    };
+  };
+
+}
--- a/configuration/common/ssh.nix
+++ b/configuration/common/ssh.nix
@@ -0,0 +1,16 @@
+{ lib, ... }:
+
+{
+
+  services.openssh.enable = true;
+  services.openssh.settings = {
+    PasswordAuthentication = false;
+    KbdInteractiveAuthentication = false;
+    PermitRootLogin = lib.mkDefault "no";
+  };
+  services.openssh.hostKeys = lib.mkForce [
+    # Only create ed25519 host keys
+    { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+  ];
+
+}
--- a/configuration/common/systemd.nix
+++ b/configuration/common/systemd.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+
+  services.journald.extraConfig = ''
+    MaxRetentionSec=7days
+  '';
+
+}
--- a/configuration/common/user.nix
+++ b/configuration/common/user.nix
@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+
+  security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+  users.groups.guests = {};
+
+}
--- a/configuration/dn42/default.nix
+++ b/configuration/dn42/default.nix
@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    wireguard-tools
-  ];
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = true;
-    "net.ipv6.conf.all.forwarding" = true;
-  };
-
-  networking.firewall.checkReversePath = false;
-
-  # Open Firewall for BGP
-  networking.firewall.allowedTCPPorts = [ 179 ];
-  # Open Fireall for OSPF
-  networking.firewall.extraCommands = ''
-  ip6tables -A INPUT -p ospfigp -j ACCEPT
-  iptables -A INPUT -p ospfigp -j ACCEPT
-  '';
-}
--- a/configuration/proxmox-vm/default.nix
+++ b/configuration/proxmox-vm/default.nix
@@ -1,5 +0,0 @@
-{ ... }:
-
-{
-  services.qemuGuest.enable = true;
-}
--- a/configuration/router/default.nix
+++ b/configuration/router/default.nix
@@ -1,28 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    wireguard-tools
-  ];
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = true;
-    "net.ipv6.conf.all.forwarding" = true;
-  };
-
-  networking.firewall.checkReversePath = false;
-
-  networking.firewall.allowedTCPPorts = [
-    # Open Firewall for BGP
-    179
-  ];
-
-  networking.firewall.extraCommands = ''
-    # Open fireall for OSPF
-    ip6tables -A INPUT -p ospfigp -j ACCEPT
-    iptables -A INPUT -p ospfigp -j ACCEPT
-    # Open firewall for GRE
-    ip6tables -A INPUT -p gre -j ACCEPT
-    iptables -A INPUT -p gre -j ACCEPT
-  '';
-}
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-
-DEPLOY_HOST=$1
-DEPLOY_ADDRESS=$2
-DEPLOY_PORT=$3
-
-if [ -z $DEPLOY_HOST ]; then
-  exit 1
-fi
-
-cmd=" \
-nixos-rebuild switch \
-  -I nixos-config=hosts/${DEPLOY_HOST}/configuration.nix \
-"
-
-if [ -z $DEPLOY_ADDRESS ] || [ $DEPLOY_ADDRESS = "-" ]; then
-  DEPLOY_ADDRESS="clerie@${DEPLOY_HOST}.net.clerie.de"
-fi
-
-if [ $DEPLOY_ADDRESS != "localhost" ]; then
-  cmd="${cmd} \
-  --target-host ${DEPLOY_ADDRESS} \
-  --build-host localhost \
-  --use-remote-sudo \
-  "
-fi
-
-if [ -n "$DEPLOY_PORT" ]; then
-  cmd="NIX_SSHOPTS=\"-p $DEPLOY_PORT\" ${cmd}"
-fi
-
-eval ${cmd}
--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,916 @@
+{
+  "nodes": {
+    "berlinerbaeder-exporter": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1721567085,
+        "narHash": "sha256-CxWzsNy2dy4zvn2Wi91C/PF+Wyxi3JLOPudc5FoZrhg=",
+        "ref": "refs/heads/main",
+        "rev": "0c3142cc8f6396fce7cb4c5fe14137d831315986",
+        "revCount": 11,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/berlinerbaeder-exporter.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/berlinerbaeder-exporter.git"
+      }
+    },
+    "bij": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748808701,
+        "narHash": "sha256-IEer4ypv/tL2zzo7nkgyg7xdK6P+Mc/22oPctEgwhiw=",
+        "ref": "refs/heads/main",
+        "rev": "5f3748df43e6b6e49cc0a23557a378ef37952483",
+        "revCount": 5,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/bij.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/bij.git"
+      }
+    },
+    "chaosevents": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1708189846,
+        "narHash": "sha256-7vVQOvB8cD3AqEGmDsBSnnk1vsGfQ8aObTWGvjturDo=",
+        "ref": "refs/heads/main",
+        "rev": "ae351c9685ee8491d471e9ad3bc907ac6d999ae5",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/chaosevents.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/chaosevents.git"
+      }
+    },
+    "communities": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1739635166,
+        "narHash": "sha256-0ZONcN3ctsZgMVM//UMp+9iQfhODJNFHOhyWwx0EoTg=",
+        "owner": "NLNOG",
+        "repo": "lg.ring.nlnog.net",
+        "rev": "686adbfd5222b830ba4fee998188cc8d96c09169",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NLNOG",
+        "repo": "lg.ring.nlnog.net",
+        "type": "github"
+      }
+    },
+    "fernglas": {
+      "inputs": {
+        "communities": "communities",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1741172718,
+        "narHash": "sha256-YDEJVlmPzOuKfG26iYuJVOlxFvKBVeb8DbAI9WOtnBU=",
+        "owner": "wobcom",
+        "repo": "fernglas",
+        "rev": "64e2f9af8aefeeaa63431477066dcc0236d111e0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "wobcom",
+        "repo": "fernglas",
+        "type": "github"
+      }
+    },
+    "fieldpoc": {
+      "inputs": {
+        "mitel-ommclient2": "mitel-ommclient2",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1711287766,
+        "narHash": "sha256-2roymGPfsQZC1Lg/i3iffBQ8c86DLEXmuoKQIlbOg5o=",
+        "ref": "refs/heads/main",
+        "rev": "f707f212378f9d8de103ac96abcd9d377a2605a8",
+        "revCount": 56,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/fieldpoc.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/fieldpoc.git"
+      }
+    },
+    "flake-compat": {
+      "locked": {
+        "lastModified": 1746162366,
+        "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
+        "owner": "nix-community",
+        "repo": "flake-compat",
+        "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "harmonia",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "ssh-to-age",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709336216,
+        "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flakey-profile": {
+      "locked": {
+        "lastModified": 1712898590,
+        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "type": "github"
+      }
+    },
+    "harmonia": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1733771848,
+        "narHash": "sha256-tqkTzUdwnTfVuCrcFag7YKgGkiR9srR45e4v0XMXVCY=",
+        "owner": "nix-community",
+        "repo": "harmonia",
+        "rev": "c26731351ca38f4953a23ef5490358ffba955ab6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "harmonia-v2.0.1",
+        "repo": "harmonia",
+        "type": "github"
+      }
+    },
+    "hydra": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "lix": "lix",
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1751801455,
+        "narHash": "sha256-hUJqtS88SbNQQSEJAPFyY2vLMh8yA8rQ6jbul50p64M=",
+        "ref": "lix-2.93",
+        "rev": "b940aca430a7ca41f70bdb320659dd62026fe0e9",
+        "revCount": 4261,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/hydra.git"
+      },
+      "original": {
+        "ref": "lix-2.93",
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/hydra.git"
+      }
+    },
+    "lix": {
+      "inputs": {
+        "flake-compat": [
+          "hydra",
+          "flake-compat"
+        ],
+        "nix2container": "nix2container",
+        "nix_2_18": [
+          "hydra"
+        ],
+        "nixpkgs": [
+          "hydra",
+          "nixpkgs"
+        ],
+        "nixpkgs-regression": "nixpkgs-regression",
+        "pre-commit-hooks": "pre-commit-hooks"
+      },
+      "locked": {
+        "lastModified": 1751235704,
+        "narHash": "sha256-Jzm3KPZ2gL+0Nl3Mw/2E0B3vqDDi1Xt5+9VCXghUDZ8=",
+        "ref": "release-2.93",
+        "rev": "f3a7bbe5f8d1a8504ddb6362d50106904523e440",
+        "revCount": 17874,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/lix"
+      },
+      "original": {
+        "ref": "release-2.93",
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/lix"
+      }
+    },
+    "lix-module": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "flakey-profile": "flakey-profile",
+        "lix": [
+          "lix"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1753282722,
+        "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
+        "ref": "release-2.93",
+        "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
+        "revCount": 149,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      },
+      "original": {
+        "ref": "release-2.93",
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      }
+    },
+    "lix_2": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "nix2container": "nix2container_2",
+        "nix_2_18": "nix_2_18",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-regression": "nixpkgs-regression_2",
+        "pre-commit-hooks": "pre-commit-hooks_2"
+      },
+      "locked": {
+        "lastModified": 1753306924,
+        "narHash": "sha256-jLCEW0FvjFhC+c4RHzH+xbkSOxrnpFHnhjOw6sudhx0=",
+        "ref": "release-2.93",
+        "rev": "1a4393d0aac31aba21f5737ede1b171e11336d77",
+        "revCount": 17884,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/lix.git"
+      },
+      "original": {
+        "ref": "release-2.93",
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/lix.git"
+      }
+    },
+    "lowdown-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1633514407,
+        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "type": "github"
+      }
+    },
+    "mitel-ommclient2": {
+      "inputs": {
+        "nixpkgs": [
+          "fieldpoc",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1687019250,
+        "narHash": "sha256-cN9ZuQ/1irnoYg013v1ZDn15MHcFXhxILGhRNDGd794=",
+        "ref": "refs/heads/main",
+        "rev": "a11629f543a8b43451cecc46600a78cbb6af015a",
+        "revCount": 70,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
+      }
+    },
+    "nix2container": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1724996935,
+        "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
+        "owner": "nlewo",
+        "repo": "nix2container",
+        "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nlewo",
+        "repo": "nix2container",
+        "type": "github"
+      }
+    },
+    "nix2container_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1724996935,
+        "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
+        "owner": "nlewo",
+        "repo": "nix2container",
+        "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nlewo",
+        "repo": "nix2container",
+        "type": "github"
+      }
+    },
+    "nix_2_18": {
+      "inputs": {
+        "flake-compat": [
+          "lix",
+          "flake-compat"
+        ],
+        "lowdown-src": "lowdown-src",
+        "nixpkgs": "nixpkgs_4",
+        "nixpkgs-regression": [
+          "lix",
+          "nixpkgs-regression"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730375271,
+        "narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
+        "owner": "NixOS",
+        "repo": "nix",
+        "rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "2.18.9",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
+    "nixos-exporter": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746733297,
+        "narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=",
+        "ref": "refs/heads/main",
+        "rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31",
+        "revCount": 22,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nixos-exporter.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nixos-exporter.git"
+      }
+    },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1721413321,
+        "narHash": "sha256-0GdiQScDceUrVGbxYpV819LHesK3szHOhJ09e6sgES4=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "ab165a8a6cd12781d76fe9cbccb9e975d0fb634f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1686501370,
+        "narHash": "sha256-G0WuM9fqTPRc2URKP9Lgi5nhZMqsfHGrdEbrLvAPJcg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "75a5ebf473cd60148ba9aec0d219f72e5cf52519",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-0dc1c7": {
+      "locked": {
+        "lastModified": 1725718979,
+        "narHash": "sha256-TNj62uDY5ilnYu0Jne8/IIunfh1kf6kDPY9KdS+Eotw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
+        "type": "github"
+      }
+    },
+    "nixpkgs-carbon": {
+      "locked": {
+        "lastModified": 1751206202,
+        "narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
+        "owner": "clerie",
+        "repo": "nixpkgs",
+        "rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
+        "type": "github"
+      },
+      "original": {
+        "owner": "clerie",
+        "ref": "clerie/always-setup-netdevs",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
+    "nixpkgs-regression_2": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1713434076,
+        "narHash": "sha256-+/p5edwlkqKZc6GDAQl+92Hoe1f3NNbUF9uj+X9H3pU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8494ae076b7878d61a7d2d25e89a847fe8f8364c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1665732960,
+        "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1751582995,
+        "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1705033721,
+        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.05-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1755027561,
+        "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nurausstieg": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722174167,
+        "narHash": "sha256-u9ef1BNaXHEnuQEFgqqBLEVZqd5T/sqRBysN71gFOKg=",
+        "ref": "refs/heads/main",
+        "rev": "7f2e0febf3a430e4ba4f6cf1cf1c5ca10c5dd04d",
+        "revCount": 20,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nurausstieg.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nurausstieg.git"
+      }
+    },
+    "pre-commit-hooks": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733318908,
+        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733318908,
+        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "rainbowrss": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745667868,
+        "narHash": "sha256-T67ZRk+cuFI2P6qJeu8RwbpJD00OORulHGuXebpg9Nw=",
+        "ref": "refs/heads/main",
+        "rev": "e43037aa525e36d7a3da187a8fc6baeb71db7fd6",
+        "revCount": 15,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/rainbowrss.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/rainbowrss.git"
+      }
+    },
+    "root": {
+      "inputs": {
+        "berlinerbaeder-exporter": "berlinerbaeder-exporter",
+        "bij": "bij",
+        "chaosevents": "chaosevents",
+        "fernglas": "fernglas",
+        "fieldpoc": "fieldpoc",
+        "harmonia": "harmonia",
+        "hydra": "hydra",
+        "lix": "lix_2",
+        "lix-module": "lix-module",
+        "nixos-exporter": "nixos-exporter",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs_5",
+        "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
+        "nixpkgs-carbon": "nixpkgs-carbon",
+        "nurausstieg": "nurausstieg",
+        "rainbowrss": "rainbowrss",
+        "scan-to-gpg": "scan-to-gpg",
+        "solid-xmpp-alarm": "solid-xmpp-alarm",
+        "sops-nix": "sops-nix",
+        "ssh-to-age": "ssh-to-age",
+        "traveldrafter": "traveldrafter"
+      }
+    },
+    "scan-to-gpg": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736606141,
+        "narHash": "sha256-cIGSrY3tNwOamqt41IPRRw5SPlBtljWZvcXDfCkreUc=",
+        "ref": "refs/heads/main",
+        "rev": "9f1aa15509c9b0284774be95ef020f612c385353",
+        "revCount": 18,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/scan-to-gpg.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/scan-to-gpg.git"
+      }
+    },
+    "solid-xmpp-alarm": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734450899,
+        "narHash": "sha256-SyUOl5YUl/nlZNNM2/vSuFWFdxOCKmTO4BxjIxwVcjQ=",
+        "ref": "refs/heads/main",
+        "rev": "4bfa8ec27b99e774906c82e6d51d13b32a3ff161",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/solid-xmpp-alarm.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/solid-xmpp-alarm.git"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1713532771,
+        "narHash": "sha256-vfKxhYVMzG2tg48/1rewBoSLCrKIjQsG1j7Nm/Y2gf4=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "a929a011a09db735abc45a8a45d1ff7fdee62755",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "ssh-to-age": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712553767,
+        "narHash": "sha256-hg6lBgxmTJ2hc1EFUoiA6BLA2QZGIfoBIxub9FK3x6M=",
+        "owner": "Mic92",
+        "repo": "ssh-to-age",
+        "rev": "5842a0023432eca39537060f38cbff7c9c2123c7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "ssh-to-age",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "traveldrafter": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751817360,
+        "narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
+        "ref": "refs/heads/main",
+        "rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
+        "revCount": 22,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/traveldrafter.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/traveldrafter.git"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "harmonia",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733662930,
+        "narHash": "sha256-9qOp6jNdezzLMxwwXaXZWPXosHbNqno+f7Ii/xftqZ8=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "357cda84af1d74626afb7fb3bc12d6957167cda9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,173 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
+    # for etesync-dav
+    nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    berlinerbaeder-exporter = {
+      url = "git+https://git.clerie.de/clerie/berlinerbaeder-exporter.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    bij = {
+      url = "git+https://git.clerie.de/clerie/bij.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    chaosevents = {
+      url = "git+https://git.clerie.de/clerie/chaosevents.git";
+      #inputs.nixpkgs.follows = "nixpkgs";
+    };
+    fernglas = {
+      url = "github:wobcom/fernglas";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    harmonia = {
+      url = "github:nix-community/harmonia/harmonia-v2.0.1";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    hydra = {
+      url = "git+https://git.lix.systems/lix-project/hydra.git?ref=lix-2.93";
+      #inputs.lix.follows = "lix";
+      #inputs.nixpkgs.follows = "nixpkgs";
+    };
+    lix = {
+      url = "git+https://git.lix.systems/lix-project/lix.git?ref=release-2.93";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    lix-module = {
+      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.93";
+      inputs.lix.follows = "lix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
+    nixos-exporter = {
+      url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nurausstieg = {
+      url = "git+https://git.clerie.de/clerie/nurausstieg.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    rainbowrss = {
+      url = "git+https://git.clerie.de/clerie/rainbowrss.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    scan-to-gpg = {
+      url = "git+https://git.clerie.de/clerie/scan-to-gpg.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    solid-xmpp-alarm = {
+      url = "git+https://git.clerie.de/clerie/solid-xmpp-alarm.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    ssh-to-age = {
+      url = "github:Mic92/ssh-to-age";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    traveldrafter = {
+      url = "git+https://git.clerie.de/clerie/traveldrafter.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+  outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
+    lib = import ./lib inputs;
+  in {
+    clerie.hosts = {
+      aluminium = {
+        group = "event";
+      };
+      astatine = {
+        group = "event";
+        modules = [
+          ./users/criese-nethinks
+          ./users/isa
+        ];
+      };
+      backup-4 = {};
+      beryllium = {
+        group = "event";
+      };
+      carbon = {};
+      clerie-backup = {};
+      dn42-il-gw1 = {};
+      dn42-il-gw5 = {};
+      dn42-il-gw6 = {};
+      dn42-ildix-clerie = {};
+      dn42-ildix-service = {};
+      gatekeeper = {};
+      hydra-1 = {};
+      hydra-2 = {};
+      krypton = {
+        modules = [
+          nixos-hardware.nixosModules.lenovo-thinkpad-x270
+        ];
+      };
+      mail-2 = {};
+      monitoring-3 = {};
+      nonat = {};
+      osmium = {};
+      palladium = {};
+      porter = {};
+      storage-2 = {
+        modules = [
+          ./users/frank
+        ];
+      };
+      tungsten = {};
+      web-2 = {};
+      zinc = {
+        modules = [
+          nixos-hardware.nixosModules.common-cpu-intel
+        ];
+      };
+      # nixfiles-auto-install: add new host above
+      _iso = {};
+    };
+
+    nixosConfigurations = import ./flake/nixosConfigurations.nix inputs;
+
+    nixosModules = {
+      nixfilesInputs = import ./flake/modules.nix inputs;
+      clerie = import ./modules;
+      profiles = import ./profiles;
+      default = self.nixosModules.clerie;
+    };
+
+    overlays = {
+      clerie-inputs = import ./flake/inputs-overlay.nix inputs;
+      clerie-pkgs = import ./pkgs/overlay.nix;
+      clerie-build-support = import ./pkgs/build-support/overlay.nix;
+      clerie-overrides = import ./pkgs/overrides/overlay.nix;
+    };
+
+    nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
+      lib.mkNixpkgs {
+        inherit system;
+      }
+    );
+
+    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
+      nixpkgs.lib.genAttrs (
+        (builtins.attrNames (self.overlays.clerie-pkgs null null))
+        ++ (builtins.attrNames (self.overlays.clerie-overrides null null))
+      ) (name: self.nixpkgs."${system}"."${name}")
+    );
+
+    inherit lib self;
+
+    hydraJobs = import ./flake/hydraJobs.nix inputs;
+
+    nixConfig = {
+      extra-substituters = [
+        "https://nix-cache.clerie.de"
+      ];
+      extra-trusted-public-keys = [
+        "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+      ];
+    };
+  };
+}
--- a/flake/hydraJobs.nix
+++ b/flake/hydraJobs.nix
@@ -0,0 +1,21 @@
+{ self
+, nixpkgs
+, ...
+}@inputs:
+
+let
+
+  buildHosts = hosts: builtins.mapAttrs (name: host: host.config.system.build.toplevel) (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") hosts);
+
+in {
+  inherit (self)
+    packages;
+  extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
+    nixpkgs.lib.genAttrs [
+      "hydra"
+      "lix"
+    ] (name: self.nixpkgs."${system}"."${name}")
+  );
+  nixosConfigurations = buildHosts self.nixosConfigurations;
+  iso = self.nixosConfigurations._iso.config.system.build.isoImage;
+}
--- a/flake/inputs-overlay.nix
+++ b/flake/inputs-overlay.nix
@@ -0,0 +1,38 @@
+{ self
+, nixpkgs-0dc1c7
+, berlinerbaeder-exporter
+, bij
+, chaosevents
+, harmonia
+, hydra
+, nurausstieg
+, rainbowrss
+, scan-to-gpg
+, ssh-to-age
+, traveldrafter
+, ...
+}@inputs:
+final: prev: {
+  inherit (nixpkgs-0dc1c7.legacyPackages.${final.system})
+    etesync-dav;
+  inherit (berlinerbaeder-exporter.packages.${final.system})
+    berlinerbaeder-exporter;
+  inherit (bij.packages.${final.system})
+    bij;
+  inherit (chaosevents.packages.${final.system})
+    chaosevents;
+  inherit (harmonia.packages.${final.system})
+    harmonia;
+  inherit (hydra.packages.${final.system})
+    hydra;
+  inherit (nurausstieg.packages.${final.system})
+    nurausstieg;
+  inherit (rainbowrss.packages.${final.system})
+    rainbowrss;
+  inherit (scan-to-gpg.packages.${final.system})
+    scan-to-gpg;
+  inherit (ssh-to-age.packages.${final.system})
+    ssh-to-age;
+  inherit (traveldrafter.packages.${final.system})
+    traveldrafter;
+}
--- a/flake/modules.nix
+++ b/flake/modules.nix
@@ -0,0 +1,23 @@
+{ self
+, fernglas
+, fieldpoc
+, lix-module
+, nixos-exporter
+, scan-to-gpg
+, solid-xmpp-alarm
+, sops-nix
+, ...
+}@inputs:
+{ ... }:
+
+{
+  imports = [
+    fernglas.nixosModules.default
+    fieldpoc.nixosModules.default
+    lix-module.nixosModules.default
+    nixos-exporter.nixosModules.default
+    scan-to-gpg.nixosModules.scan-to-gpg
+    solid-xmpp-alarm.nixosModules.solid-xmpp-alarm
+    sops-nix.nixosModules.sops
+  ];
+}
--- a/flake/nixosConfigurations.nix
+++ b/flake/nixosConfigurations.nix
@@ -0,0 +1,53 @@
+{ self
+, nixpkgs
+, ...
+}@inputs:
+
+let
+  generateNixosSystem = {
+    name,
+    system ? "x86_64-linux",
+    group ? null,
+    modules ? [],
+  }: let
+    localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
+  in self.lib.nixosSystem {
+    system = system;
+    nixpkgs = localNixpkgs;
+    modules = modules ++ [
+      ({ config, lib, ... }: {
+        # Set hostname
+        networking.hostName = lib.mkDefault name;
+
+        # Expose host group to monitoring
+        clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };
+
+        # Automatically load secrets from sops file for host
+        sops.defaultSopsFile = ../hosts + "/${name}/secrets.json";
+        sops.secrets = let
+          secretFile = config.sops.defaultSopsFile;
+          secretNames = builtins.filter (name: name != "sops") (builtins.attrNames (builtins.fromJSON (builtins.readFile secretFile)));
+          secrets = if builtins.pathExists secretFile then
+            lib.listToAttrs (builtins.map (name: lib.nameValuePair name {}) secretNames)
+          else
+            {};
+        in
+          secrets;
+
+        # Enable clerie common config
+        profiles.clerie.common.enable = true;
+      })
+
+      # Config to be applied to every host
+      ../configuration/common
+      ../users/clerie
+
+      # Host specific config
+      (../hosts + "/${name}/configuration.nix")
+    ];
+  };
+
+  mapToNixosConfigurations = hosts: builtins.mapAttrs (name: host: generateNixosSystem ({ inherit name; } //  host)) hosts;
+
+in
+  mapToNixosConfigurations self.clerie.hosts
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -0,0 +1,30 @@
+{ pkgs, lib, modulesPath, config, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
+  ];
+
+  profiles.clerie.gpg-ssh.enable = true;
+  profiles.clerie.network-fallback-dhcp.enable = true;
+
+  # systemd in initrd is broken with ISOs
+  # Failed to mount /sysroot/iso
+  # https://github.com/NixOS/nixpkgs/issues/327187
+  boot.initrd.systemd.enable = false;
+
+  networking.hostName = "isowo";
+  isoImage.isoBaseName = lib.mkForce "nixos-isowo";
+
+  environment.systemPackages = with pkgs; [
+    nixfiles-auto-install
+  ];
+
+  # Allow user clerie to log in as root directly with ssh keys
+  users.users.root.openssh.authorizedKeys.keys = config.users.users.clerie.openssh.authorizedKeys.keys;
+
+  services.openssh.settings = {
+    PermitRootLogin = lib.mkForce "yes";
+  };
+
+}
--- a/hosts/aluminium/configuration.nix
+++ b/hosts/aluminium/configuration.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+
+      ./fieldpoc.nix
+    ];
+
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input serial
+    terminal_output serial
+  ";
+
+  profiles.clerie.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ];
+    ipv4s = [ "10.20.30.106/32" ];
+    privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "212";
+    pubkey = "P1ONelxezvkcLJFyvuCVeIUd3uewPIlONfKk9y6h9QE=";
+    serviceLevel = "event";
+    privateKeyFile = "/var/src/secrets/wireguard/wg-monitoring";
+  };
+
+  system.stateVersion = "22.11";
+}
--- a/hosts/aluminium/fieldpoc.nix
+++ b/hosts/aluminium/fieldpoc.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+
+  networking.interfaces.enp3s0.ipv4.addresses = [ { address = "10.42.132.1"; prefixLength = 24; } ];
+  networking.firewall.trustedInterfaces = [ "enp3s0" ];
+
+  services.fieldpoc = {
+    enable = true;
+    ommIp = "10.42.132.2";
+    ommUser = "omm";
+    ommPasswordPath = config.sops.secrets.fieldpoc-ommpassword.path;
+    sipsecretPath = config.sops.secrets.fieldpoc-sipsecret.path;
+    dhcp = {
+      enable = true;
+      interface = "enp3s0";
+      subnet = "10.42.132.0/24";
+      pool = "10.42.132.200 - 10.42.132.250";
+      router = "10.42.132.1";
+      dnsServers = "10.42.10.8";
+      omm = "10.42.132.2";
+      reservations = [
+        {
+          name = "omm";
+          macAddress = "00:30:42:1b:8c:7c";
+          ipAddress = "10.42.132.2";
+        }
+      ];
+    };
+  };
+
+}
--- a/hosts/aluminium/hardware-configuration.nix
+++ b/hosts/aluminium/hardware-configuration.nix
@@ -0,0 +1,35 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/33e8b880-8074-4f12-8aaf-24d7ab190e0a";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/aluminium/secrets.json
+++ b/hosts/aluminium/secrets.json
@@ -0,0 +1,27 @@
+{
+	"fieldpoc-ommpassword": "ENC[AES256_GCM,data:F856G4jZjbj7RQ==,iv:svnlwqEPMDHHlSSv5Anv7w7TlDjHUBmKqiBL+IBV+1w=,tag:fnySgzaHzf2paWEBwD4DYg==,type:str]",
+	"fieldpoc-sipsecret": "ENC[AES256_GCM,data:ysnHLFHPbOcgTfoAmZy+3Q==,iv:6G66WDGzuyfTzezVK0uwY5Ihv22dR7x7g/A1fvxUhjk=,tag:WUVNU6Bw5u0kyHpyFsKmaw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age12nr9jt7u04ef0uf3h3pmh5wsw0t5ax7flwtk0t57zhsqj7s0lvnqxdgtu4",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SVJHaWVpVFRtZ0tiTElr\ndk5jem4xbm1rTDdkNFdEanR3eGljak4ySUFrCkVSKzhOMzB6elR6WlFtaW5vTXZK\nVE1TZ0pLcmo5alJnL2thVWVvRmV5YjgKLS0tIFJUY3pVKzhoSDNpQ0Z4TC9vdmNL\nc0RlZ1pVUmhIMjRPd1ltZFBlMXZhZncKgtH6HYaK9GLPmwHpIRXwwyhWLqHVvhDV\nRCusRPXi7vpl9Codn/gKa1yhtS+Nbrftpfibcf4Zpp6tbICBJw6Chw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-10T12:55:36Z",
+		"mac": "ENC[AES256_GCM,data:rYVMHm97fym9o88cF6IjPsOl1ZgIafIlvw3BhS3y1tFKuiIAmsqL+DvD+yy8oLz2atvyxIdcKihDRNoriC6V80WZg2jqedSbkK0QQHng8z+9KE0SAfoacuJqb/SMULOPVvW81Zhox3Y0fbSVdO3WScx7Z0czNBZ0JGWVObRFbHY=,iv:97/B4g0JTHLlyR9yV8xqhhDnkDDfS9VhsXFb8v3pMVs=,tag:No47WYn/Uk6R2mq2j2gpzw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-05-10T12:54:53Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAqgQosLYib0E8DjzA2YFhXqSvsDhRQblHDMNgTuO2/LkB\nVFj674m60/04eFHkUzAo1Ix9W8ji3Q/vVLJ/bLcfx4mGS7atBNzCFHlRrXPcSS5v\nMyihaRqfusweNTwYF64aQ2iE/EWjEDRo4Ssl5aOoilnPHpIqaTyeIbejzHoZWqqi\n7GZttP33NiQP0iWVO4SXlwkF5yuZT6qaHjUIOQEGImz5q87eMUtTNm+Xf3Qx/jAw\nqSkxwN5ySMuMcMqGpShhztoXpe123YlvNr22fZzkBHU5AwakscC5nf8skaMc2Lrh\nJ/+qFL2tWdgEf/fPd7aYFEIuC2YdJRo+yGMZ9s2VjD9ZlBQUFd8KZhytxmzoO3rW\nNKPM7/4tMyhdomt+uKqQNrVDOFMdyR+xLowyGgVqn9MDDDcnQhEdGyqk+WEeQCWN\nXlrQEVshHvC0YTIIXoyFljmMo/z251FoVY8+PHZOQzAJB2RyUIzjEDTX3a7xDNff\n5j9THrSloPLXuW9lXQO8qX8h/50GbJ2Hjpapslx3jhYx7viOHp2h3ojXbNditrIE\nWHEw679IjgTuantfnTzy1NPtIVvH5twrncPRdRsOqVVL4UHI66O5SCATAuVFXM7O\n+ZlLZS3TnuHE9JDlmV1Ts065VB3iYxXA/3p78gCcVp9otQVeDSVq3PTmKzUCLbSF\nAgwDvZ9WSAhwutIBD/9xwPiMUY60fKMS5/BoFYxKB4Ml41MalHdSURmU5IMp5oax\ngykVOoWmOTw3pm90lsZg809SwO3rbJjejMzzUZZpN+vN2pJbZeqRaY7Av/y1K6Sq\nlWXY7Jzbw2bI3JDPVq0tetM4EixGyN+P5p4tVB07BxKzbaN7dCFWk8EkFZBS5Fg9\nQiqLBwk1EofEsZHEbw6BYPivYHi0Cy63ghQ8t66SfhMyh+s2t9jPFB7s24UACaOe\nQ2aC1CP+kDvEMIlS3StNcHGUvZ73/CAkbTmbb0gynFw3odNN7+8tWHmWL3J+0RaO\n0TfXABH8/A3zka97IoZvMt9SqO0FT9VrxE2xBp318rsTfQrkYN8UiiBfvGjI6Gc2\nlZ7qXgFa1tlzYmTjYYs6TCxyT0a8mCt7wOS5yFkph4pXEumJIhh7nmJlr3/gdapt\nwA/LhAq63+UNCGvAKum2XdfwycLDvxciyz40c0ZN25SDQ+2WQp51/GESvVQNDyIc\ngI+BTFSxVjW2Qs7WdN2dJeQ7bLmN0EpGNGszHYiz/T0zowvuUiOrfjVdoNigSPwR\nSeNDI7KQ+miLiqLCSSNTF6D3MlstHBXeEfGLbJ1qFvT4hX5ErI0xmn3lVeAeQIAu\nW9wMvtmMtt7XAef9hzyUUKvnkf3pQw+GBtvY4/pCJrFWKw8vADmLZ56t8UlNFIUC\nDAM1GWv08EiACgEP/icY5+u/9/LLXcnQ0gUsOwL1ChTAOnJxl2Dfu6Wdl/Xohe20\n6VsznYeAyOQ7pq0yweTRYejx96S5M1H+M6uZJPt4lMUaX4/WwM0zJeRH0nsaqbQT\nr6YUZX+jWKhVtuHZinmSLLo5Kj/DH2DPkDPH+ZZbPHjbsltPnYggx8x5NfseN1wO\nLe/dUCz3uH0LhgMpIxeQRWJSkstV64F907SyuU8fqaQJbq28YuEYZS99yE4VTUH/\nYion7EfHpAU54f9SfAahe4VL4hvDIKQ5qbC8JiiQnPYXElNwvQnDwOpysOAq9LQL\n0VXanXeQf/mXfjRc+NiiF+7sfavSRNmIkKOm8xEgdEASQ8lh4UDhoA8mcSnB1dFJ\nAt8YOmkPEC7kplF2wQNFI0RpI+xsJ4hxsCZ3QFoXNwHK1HbeEZ7/FxtSvzxFdXsx\nNyB7EagsIMq/G6R4J9rWCHAf9LKlnFNyVzMin2LoOUtp17yvODXOszKVEj38TMfr\nz9K31QTellrFzJCNTY1VwZyb1JJfiVsbGCqJTbILB3SYV36Lwb3neAvK1P4KsVFY\nDIqMHeY3oLoxLyHRajtjKxhYTwjB3c0ov2IAqOszAvwnO9YBClxeewMt2/Vv2Eok\nzgkEV3cTSZCtPPhF7+C/0bZ35A1MDNXaG1AyQS+4idN0a3LuIgROF3Ow8gB81GgB\nCQIQBdPtKSJqTekbsvXlb4HEHZmjdwjoinMUiuDjAsccGSAvuEqC85NLKjn3+KpK\n7nYnI6NAI6SJ4IUy6YJ4/nKPw6hKTEn442rhUDMmQ3dmCMQFBTLx+VSUpsHE2SSL\nyZ8fqDq6Dw==\n=LtRd\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/aluminium/ssh.pub
+++ b/hosts/aluminium/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICm4kHCK4ACXtZt9ziBXnykiR1onPQtbmfAKU/fcqr8G
--- a/hosts/astatine/configuration.nix
+++ b/hosts/astatine/configuration.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  profiles.clerie.network-fallback-dhcp.enable = true;
+
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input serial
+    terminal_output serial
+  ";
+
+  profiles.clerie.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
+    ipv4s = [ "10.20.30.108/32" ];
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "214";
+    pubkey = "I4xh3t6vIcNyntZkewXX56eWrEd3J0hhaYV45xj6uVU=";
+    serviceLevel = "event";
+  };
+
+  system.stateVersion = "23.05";
+}
+
--- a/hosts/astatine/hardware-configuration.nix
+++ b/hosts/astatine/hardware-configuration.nix
@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/ff68d582-80b9-4c3b-8b9a-bbe7089e882d";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/astatine/secrets.json
+++ b/hosts/astatine/secrets.json
@@ -0,0 +1,27 @@
+{
+	"wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T16:03:13Z",
+		"mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T16:02:41Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/8DFDlQ8NflA+CIVi5xaPC77pZeoO0LIKUhmFUhTnqLBBp\nNidFQ+24VmsfhmyPqbF7V3RpO6jvEjTfolnHjWoFV1X3BXmN9bkZbLw6pElMLIVw\n7vCjIyqe06OEzwV5uyn/ye0K/Mxa94MjnpF3wnUid61qSp2C8EJgNV13iTXr/rRy\nQaKZKTigfZF6Kprchr8PgpuL6G50yL7LBaNhdbIxDr1zZ6BO7J60FlDYQf0yUU7H\nmhwiCXKLJ3srSWgTKLJLHCfvQzy3bY0khoNeaLeb97cMuO05d42kc0/qa06R0dEX\nRgOoAnVGTd5VHJL72hMRcZFl0nx7o18rsFUK2Y/xSTOf36QqLjf3RIOt0r/CpGh8\nbVCOc9DXZORvnPqPYCj99sr/2Td2Zw4ZigebnRH3g/Nsrah9LHEBJHRd1MvgklHq\nUlCccoCGGo2T8xCLOjNqNkQbu8TFAAv541PyVI60STR6VxuSZgrKMD9dyUxZJTXj\nYaj1Emue4VbexWkoZlJbn0kFzn6GQLYOz/g5X43VSL2X+o5FKLZOi+IyffVFdpz9\nzb9OTbRaGkIE0xub/MUwkchcUHoqbNVnflV0vcx50kf+jhl+RPo8DSLLWKH+HqSI\n3GUvCtknGsX9XznAijQn2hkXgcQI6tBswweeG13xLnok+2whmo5G9jRE/E7ErZeF\nAgwDvZ9WSAhwutIBD/9fvllnh2ycsUil0QIeQOo30pp7tMPwSxyMy3+uBMSScqHb\nHHK58P7nL7cdj8u+7h/EWMSDrLI0JI6JGGmEth5uMS0EmzjdwnNPLf7eTfAZ+XDe\nf8OMbh+7s7YgM/mM8CeQLoReBGJWpDDcXlVO8vA/5hVIlQ7OfkTcFIKap5h93k9N\nPkKfFXdEfCGhxzSI0hSjCy2kP/d5kaIFcVAHrRgQAMIQYZU6bpRNLKlGcDuDXPy3\n4l3N5orpBHRoVWXH3tKFjnyh4sI1Aw0tYrKQCfA/kRmcDF0+sKaZ+fxqHHWkF+2b\nv8L7LAlFtkEO69LUAHBIhG3fP8pTbUn0AVOI63OQ8Hi6a3vzzFFITLmkTGADtVZv\nepqtz1LuSKArr8MHz8w7v/kJ9E5H6Qd2zvQ8wo0BYu+RjhYbOkianu6DHINj4tGp\nC2RJX/M2j0R8pey4m5ffrEb/lhTNn2XlYcQvb0+EsX+7vZ4WyY8boqwn7DFsfWIh\neOtFlOmQvvWJzv+02F7bGIFwrWgk3iUJSUPordNUSi+jVZOKMFAyJKSdfBKMrXfo\nXqN1hnQdTvE+hamoSsIPoSfI2L/Pk+fkRsom/tlUR8EEkQZQuijKuCDOC8FuXXqV\nB8mYkqXHSomws/M838LSo9QvWDb57aZaihofElzWHsEzA5QZ428hKjMFILRU/IUC\nDAM1GWv08EiACgEQAKU2HTKNS1H8XKzsAfb+1/VkVXA6PGVBYkxP/6K92uydY7Ym\nl87Pc4ixYAnyzf3HelkZxmjtIYH4GqA9TwQJvjT/gLPTYgV4WZ2S7KHsdMdHIoTv\nONp13ohP/nhKsk94XC7DfapEGKcMJIC3z+e/QW98f9cEHoTRfPB5ND3JKcA7oLRG\nxjEtZdre6FXxjVLizyUaMQPtLyDGVXbtS5xpwG/UkZiUeIC9Cm5N1n8lWLjyQ7j3\nW9+aA+PFmh5I5cx4SY/Hw6Hke56tFADCLd3Gp3ZRfstuQRPhNrX4gOM3qT2NBVCR\nXFPGSOBE3Bu1Lm/UbePGpvQdlyHDg63vghUsl1o8c280M3dfMH3Q9e0OobiNVksu\nMEDvR5GPHLEvabj/zvoM7+SpMSaNGqJP4X8e/90WTg4JQbAPB7K/XZqKtwVTqqfs\nWFfU798M2xQZpy5aHgsI77rPdgDWw1NvlIcTSClZyXs42Iqo1ORVoY9mNzJfsop9\nLbbKsF39leLTqSJZi1ZsfdPsjetKxGhRCv3eDdU0vco2tH2xVexPqT4ZcCbqUWfx\nfJrux7CmOUmbyNLjvq0gDEG8Xe2J+InvmML7dXvZK6wd8wh6ODfdrQ+A3ga4XIGm\n0FkiEuVGohUhENHZzPkNBSUykdEYxoRfQQeUAFmywjXnEDBcSj8j1z2Y2IJZ1GgB\nCQIQrLziglrWl7GDjSFhstu83UXngV4M38PiHZSJBo2Ect0nr6o42ZCxhDC22A8V\nQOh286DVqEELdiCHvs18U5aOgFpE+t4MHObkQhE1nX5xDFtOwySaaXkga8XFGnt9\nVAPIsf93xA==\n=nhxm\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/astatine/ssh.pub
+++ b/hosts/astatine/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQegq2ZQx0fNVHlITNHdZoSAh5jsaDyv3Sej3a8Y4j3
--- a/hosts/backup-4/backup.nix
+++ b/hosts/backup-4/backup.nix
@@ -0,0 +1,13 @@
+{ ... }:
+
+{
+  services.borgbackup.repos = {
+    krypton = {
+      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDV3GpgaDqgTlWX0//DQ7AedYo0sD4e37OHl4/OqU7C+YfIuzaC8+KRfugTQS4R8UBKuxFHJC867aHq2rxIfKzKFtmyVPT7ywbpgNW3FDugQZ5MdPo8eHV19jnaZ9jkhUpJmMzayW+hU0GxT1fEXzSaewJknY3afdTKAi3dM+7LAcxVa82qwwArNuH06wrthU9eyva2QWMeZ6aEzzZgSxxrLQZFIXRtA81JcFmjL1IwxepDyUsbTj31Wmvf4n6YI6wxY9QhKyS4bahlnQmW0CpKwX6lKtGRRMVilTZLKa0aR0z15ltPE5h1USUnxiyo5YVB+1QA8luCnQAzIeZODEc3um8AfH4Z83MqU802K8yRmjJUhkoezJwRjewJito3Pfc4TOC2pdo7Na9bb5omTz7jiTRDvQkysWSZGyd22Vsl48tVuRTve/VkhBZuqOwH9yqBz5rl2hG7GHOiHD40kjxq+fJW8vge1hdu1TEQK8ubn1Cod/GuvuWFMTAwagYrJs0= clerie@krypton" ];
+      path = "/mnt/backup-4/krypton";
+    };
+  };
+
+  # fix borgbackup primary grouping
+  users.users.borg.group = "borg";
+}
--- a/hosts/backup-4/configuration.nix
+++ b/hosts/backup-4/configuration.nix
@@ -4,38 +4,37 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
-      ../../configuration/proxmox-vm
+
+      ./backup.nix
+      ./replication.nix
+      ./restic-server.nix
+      ./wg-b-palladium.nix
    ];

+  profiles.clerie.mercury-vm.enable = true;
+
  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  networking.hostName = "backup-4";
-
  networking.useDHCP = false;
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::c"; prefixLength = 64; } ];
-  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.enable = true;

-  services.rsnapshot = {
-    enable = true;
-    extraConfig = ''
-      snapshot_root	/mnt/backup-4/
-      rsync_short_args	-rltD
-      retain	alpha	14
-      ssh_args	-o BatchMode=yes -o IdentityFile=/var/src/secrets/rsnapshot/id_rsa
-      backup	backup-replication@clerie-backup.net.clerie.de:/clerie-backup-replication/	clerie-backup/
-    '';
-    # rsync_short_args
-    # -a -> -rlptgoD
-    # -rltD ist wie -a nur das alle Dateiberechtigungen und Besitzangabe ignoriert werden
-    cronIntervals = {
-      alpha = "15 6 * * * ";
-    };
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffcb::c/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffcb::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };

+  services.nginx.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
  clerie.monitoring = {
    enable = true;
    id = "205";
--- a/hosts/backup-4/replication.nix
+++ b/hosts/backup-4/replication.nix
@@ -0,0 +1,20 @@
+{ lib, ... }:
+
+with lib;
+
+{
+  clerie.backup = {
+    enable = true;
+    targets = mkForce {
+      palladium.serverUrl = "http://[fd90:37fd:ddec:d921::2]:43242";
+    };
+    jobs.replication = {
+      paths = [
+        "/mnt/backup-4/magenta"
+      ];
+      exclude = [
+        "/mnt/backup-4/magenta/.htpasswd"
+      ];
+    };
+  };
+}
--- a/hosts/backup-4/restic-server.nix
+++ b/hosts/backup-4/restic-server.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  services.restic.server = {
+    enable = true;
+    privateRepos = true;
+    dataDir = "/mnt/backup-4/magenta";
+    listenAddress = "[::1]:43242";
+  };
+
+  # restic rest server does not support --htpasswd-file in the current version of nixpkgs
+  # until then we copy the secrets to the common location
+  sops.secrets.restic-server-magenta-htpasswd = {
+    path = "/mnt/backup-4/magenta/.htpasswd";
+    owner = "restic";
+    group = "restic";
+  };
+
+  services.nginx.virtualHosts."magenta.backup.clerie.de" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://[::1]:43242/";
+      extraConfig = ''
+        client_max_body_size 10G;
+      '';
+    };
+  };
+}
--- a/hosts/backup-4/secrets.json
+++ b/hosts/backup-4/secrets.json
@@ -0,0 +1,30 @@
+{
+	"clerie-backup-job-replication": "ENC[AES256_GCM,data:BxOj/jT/GFBNSLc=,iv:zKDmEqUpOUWbU3fEeKDLniZ8D1yzs4kdGjoFLeNZOpo=,tag:iKAxHnIUpvtZwVO+eJW3Xw==,type:str]",
+	"clerie-backup-target-palladium": "ENC[AES256_GCM,data:OaszucYAp4n/ds59nF8D4Qn3U9a6L+ONcbPa+BmSz/EprW7E3kCoJ6+EceahPemTnR53mkP6zAndWaXaBTFfdg==,iv:pqi4+LuLPhtmKucm7JqN6d2hwXzNVx8IPimTL6FgHHg=,tag:+91GgLQNKD/lI7uWojCwjA==,type:str]",
+	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
+	"wg-b-palladium": "ENC[AES256_GCM,data:XTenrGQFLDndt/XPaDGRLQthVq1UFKJ2mWK3Z+YfT54YpnWO81cslrMMtPc=,iv:tW8NHOcNj3Q26BJBIz7UPR3bmw3nrb0UkkD+gqngw/w=,tag:XDYkIqj6z2Jvhaoiqeyn0g==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1yx7pqg8hz68487k92kgwhdzuc4cuym7l567a5adel9gtvp8l7qeqlg9zr4",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-18T08:37:08Z",
+		"mac": "ENC[AES256_GCM,data:50NF4BI0QUhe622J6nwIF89pLlTdgxVB/MWbO5nWKgQI5xuNrnFghs5yVgZIV7FeONcu2pYykp28fSrFKhvbPt+B90i4HvaaIHdZGDepbEV9ZwK4AU66zZW4KCCPxv4NTYh+AuSi7HTHusXUrNIvRhYvAXjESi7nK7JPm3BTfUk=,iv:fvtTaSXNx6IL6D9DdEa5ovymNYeWJObCBiRiIsG7KeE=,tag:LdfXiAuMHLCb0biThHh1GQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-05-04T12:30:52Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAoI+lgyV1TA9VwFGdsDIhwCvynN8v9VYWjujnUr9G/7vV\n2t4MKxlMatvYJSU/AyrO/iXaDokZ6AMBcWHrvUnVimkljUKqgK1gIdHTaQks7GrZ\nR2zx+dVH6EeQOhNLVzzFm1yM692YI4XDXtmeXCrJCKA9DmSB4uzdV4jWlWAYSS1S\nL0/ZNBz0c7PabTHfzhqvBj/+IBnH/Mch80WZyQNtuZFUCQyXdhluKYhaeU7+eUgX\nmHXIy6mZqTYJahUWz0r6D+Iko8HhGPwMFTVnsYCERvfLWZ4Kfr0Zf2tgqt4x0l5x\nza6hnx6gGzrbGqnBLgqP5lH10q1lmZluLi45ChIsI5sScyhcZgjq7+0gdRfjyOC6\nXhjYMzfQ+epcO6RavTnXsEXG0YMtocFIxVZhidv6FCSoRALqOl3z6tksJFfyploR\nDIjYh7iPjUkrgbV1lyH91jIBcRWZP2UvwiXP9qB6/GgAR14TqmF2u9uIywYwqKnf\nX+ptzHSI7i1DxizbF/Tu4Dw1Bz9ZlYpm8ojL3uEw0qSuclxjTd2/T5qogkZ3a+UF\nBuopoUoCIOXLik9VLiKzCJHAcWuSehWbL0+p+1cIlRESH8VdzQ3r8rrSErUoWA+7\nk06Fzl6iBeFMnP1rWWtFetfJeC/Z0PDe1GdFa/xdTpt/sMeNw5qhHzCSiUHavYOF\nAgwDvZ9WSAhwutIBEAC2V4Cqj5ffXmJ64R1y58F0fT4QNJ5lHg3xmvbuQrJoINMY\nC94ysRGpOX8IFVHIL/WypB2HixFEE3ZnEdcbviKJRZ7ukxvy6/Vs9a5SiX8QDFfi\n0UtWg9jEh86mGqPoxjMnyAcv+e+xcbz3izw7cEAYpjlTGTLOmQhHUgv58hs1L6ND\nre+MAUs53iyzoprMezEoU+7rDavy2a68BUMHaZrivCA2l2jH1ApEWz/dxv/3S1Qb\n6sRxumWfLj68UNKcn2nNwfs8xpHLAIWnnZB9BBmwPb989wpg8WLlacpWUtL1QzUT\nmCI8EKyWKMuIZXOnXVNqEmA2jDVDpbXOfMPHw0l0kKNx7tAXtjkWR7IE8T5iTspq\nL1F6d/caDroOnwHYCkJ+QzNstikTevOntIgMRYXkx1+QL+C+rS3K+My7281If1/G\n9XXcIAsi4f5BLmC1xT8my45UaziFlw99KoEFga208uHl9k0j/cZhSIKDgr08sR6e\nQa1p2WAFLhK1AjCcomSkEnLfWSStcUBAhBkFexWYcxlhUerczE0dhV+yH8daug7A\ntcKTKC3ooGkQAPHKcWZHUFnm0dd6TME73xpMLMgo5N4Qli+yvgX3RnvfCzWGN+pN\nkV5hF4kTBmf0/YLYhAft0+TQSKyGymF5MSMW06X5syHE/s/mznV4G1A6FGwbnIUC\nDAM1GWv08EiACgEP/0XA6/lfkb3iUnjR/JH9BOp9nAldAIouTWB3zcuJddfP4kfT\np/+AsK7DMOp/RYWnngKVNSihkAuVfGUfhZpDvF0aS2Cjk3gmgMa2n3K/1g2ypZXR\na5HsXTqAH9EzMxhaHWRkvrb0Kf5jYt20MVIPvI3PuNQNS+gV66zxo7rdZLfINs8r\nigniDPn9vBteXEg9do50fmk70RuqBS2+0RYMgGO6xgz7+qFXBuGbtq/fAVwVsqMu\nG6cPuLNRrZ0aX+2fm1Ay/c25SV15VR5M/zo0qAFoHIGdapjxeOeoncW2KMWRo69w\nDuNMidDFcFOvYqJJ6Ih9ZkZAgtR+uOOjiC9SeKQuFQ7nONfPqpBDuNwHogha2EIU\n3LQpksg2QM7jziZsenNrsbx1nz8QpYC4newsdqjNjqNl/8ZZpv1AEGavrnfQ1ud+\nCxgvUUXhvedk2T+vnNSNmRFsAzIUp6Vy6zGtg/tuagMootexbs6nI9P1iVBh7ojD\ni6/YmOantNhVo9B0XgVXF6JgtlQ8eFZ0gHrAt1YeQejPoiHNQe9S1fOiOv2cTbZI\njWRLGgzNyj9rLRlyGP98Tf3YLjZ9bR1gRylnbdl4l0DFDRNd/tF4CO/20ai8QkZm\ncKZnP7t2hMvILf1LYCty8CDNKM0MQ3k/AawaUKMjNGj6DUdN8JUKS+8sDpW/1GYB\nCQIQv2lQ6ZD+9GTC8hbMrxkM7nm8GfDOgA8fhoyRNSCkUnrXkIvnk5dG4u2hgHOD\naC/VyW8ahSuMqINO7epMhSJD8971MG+qpeLSSPEL4W9uibosY8jT1Mkeg8fkSFHE\nu0LyQcg=\n=EO+v\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.4"
+	}
+}
--- a/hosts/backup-4/ssh.pub
+++ b/hosts/backup-4/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUaAo7yYjuVpWadxPqrUGrZWwLNltvc+PfOT8z36Eip
--- a/hosts/backup-4/wg-b-palladium.nix
+++ b/hosts/backup-4/wg-b-palladium.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+
+{
+
+  sops = {
+    secrets.wg-b-palladium = {
+      owner = "systemd-network";
+      group = "systemd-network";
+    };
+  };
+
+  systemd.network.netdevs."10-wg-b-palladium" = {
+    netdevConfig = {
+      Kind = "wireguard";
+      Name = "wg-b-palladium";
+    };
+    wireguardConfig = {
+      PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
+      ListenPort = 51844;
+    };
+    wireguardPeers = [
+      {
+        PublicKey = "YMTOhRAKWfFX1UVBoROPvgcQxTSN4tny35brAocdnwo=";
+        AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
+        PersistentKeepalive = 25;
+      }
+    ];
+  };
+
+  systemd.network.networks."10-wg-b-palladium" = {
+    matchConfig.Name = "wg-b-palladium";
+    address = [
+      "fd90:37fd:ddec:d921::1/64"
+    ];
+    linkConfig.RequiredForOnline = "no";
+  };
+
+  networking.firewall.allowedUDPPorts = [ 51844 ];
+
+}
--- a/hosts/beryllium/configuration.nix
+++ b/hosts/beryllium/configuration.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  profiles.clerie.network-fallback-dhcp.enable = true;
+
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input serial
+    terminal_output serial
+  ";
+
+  networking.hostName = "beryllium";
+
+  networking.firewall.enable = false;
+
+  profiles.clerie.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8107/128" ];
+    ipv4s = [ "10.20.30.107/32" ];
+    privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "213";
+    pubkey = "hMIr7fgfZwSjNufRaMtq+7MDxfwN3XLJ4ZlmSOoFrz4=";
+    serviceLevel ="event";
+    privateKeyFile = "/var/src/secrets/wireguard/wg-monitoring";
+  };
+
+  system.stateVersion = "22.11";
+}
--- a/hosts/beryllium/hardware-configuration.nix
+++ b/hosts/beryllium/hardware-configuration.nix
@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/b6ea0f34-629b-42b4-a01b-28e37abf1248";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -4,14 +4,29 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
-      ../../configuration/router
+
+      ./dns.nix
+      ./mdns.nix
+      ./net-dsl.nix
+      ./net-gastnetz.nix
+      ./net-heimnetz.nix
+      ./net-iot.nix
+      ./net-lte.nix
+      ./net-mgmt.nix
+      ./net-printer.nix
+      ./net-voip.nix
+      ./ntp.nix
+      ./ppp.nix
+      ./scan-to-gpg.nix
+      ./wg-clerie.nix
    ];

+  profiles.clerie.common-networking.enable = false;
+  profiles.clerie.router.enable = true;
+
  boot.kernelParams = [ "console=ttyS0,115200n8" ];

  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.extraConfig = "
    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
@@ -19,238 +34,50 @@
    terminal_output serial
  ";

-  networking.hostName = "carbon";
-
  networking.useDHCP = false;
-  # Local Router IPs
-  networking.interfaces.lo.ipv6.addresses = [
-    { address = "fd00:152:152:104::1"; prefixLength = 64; }
-    { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
-  ];
-  networking.interfaces.lo.ipv4.addresses = [
-    { address = "10.152.104.1"; prefixLength = 24; }
-    { address = "10.152.0.1"; prefixLength = 32; } # Anycast
-  ];
-  # Network
-  ## Uplink
-  networking.interfaces.enp1s0.useDHCP = true;
-  ## Local Network
-  networking.interfaces.enp2s0.ipv6.addresses = [
-    { address = "fd00:152:152:4::1"; prefixLength = 64; }
-    { address = "2a01:4f8:1c0c:8221::1"; prefixLength = 64; } # public IPs for local network
-  ];
-  networking.interfaces.enp2s0.ipv4.addresses = [
-    { address = "10.152.4.1"; prefixLength = 24; }
-  ];

  networking.nat = {
    enableIPv6 = true;
    enable = true;
-    externalInterface = "enp1s0";
-    internalIPv6s = [ "fd00:152:152::/48" ];
-    internalIPs = [ "10.152.0.0/16" ];
+    externalInterface = "ppp-dtagdsl";
+    internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"];
+    internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ];
  };

-  networking.wireguard.enable = true;
-  networking.wireguard.interfaces = {
-    wg-gatekeeper4 = {
-      ips = [ "fe80::127:2/64" "169.254.127.2/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          endpoint = "78.47.183.82:50127";
-          publicKey = "y+Bk5eIHgmnq9xuBDD+fk/OIkKRZU6AE4ISx4RdDDyg=";
-          persistentKeepalive = 25;
-      } ];
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-gatekeeper4";
-    };
-    wg-porter4 = {
-      ips = [ "fe80::138:2/64" "169.254.138.2/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          endpoint = "5.45.100.191:50138";
-          publicKey = "aP6optNE7nVk6coo+USkSDtB62rAc/isfofRML9V2HM=";
-          persistentKeepalive = 25;
-      } ];
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-porter4";
-    };
-  };
+  services.radvd.enable = true;

-  clerie.gre-tunnel = {
+  services.kea.dhcp4 = {
    enable = true;
-    ipv6= {
-      gre-gatekeeper6 = {
-        remote = "fd00:152:152:101::1";
-        local = (lib.head config.networking.interfaces.lo.ipv6.addresses).address;
-        address = "fd00:153:153:201::2/64";
+    settings = {
+      interfaces-config = {
+        service-sockets-max-retries = 15;
+        service-sockets-retry-wait-time = 2000;
      };
-    };
-    ipv4 = {
-      gre-gatekeeper4 = {
-        remote = "10.152.101.1";
-        local = (lib.head config.networking.interfaces.lo.ipv4.addresses).address;
-        address = "10.153.201.2/24";
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
      };
    };
  };

-  # Routing tables
-  # Table: 10000
-  # - primary routes
-  # Table: 11000
-  # - ospf routes
-  # Table: 20101
-  # - default route to gatekeeper
-  #
-  # We will never use main table anymore
-  petabyte.policyrouting = {
-    enable = true;
-    rules6 = [
-      # main routes first except default route
-      { rule = "lookup main suppress_prefixlength 0"; prio = 10000; }
-      # Prefixes defaulting to gatekeeper
-      { rule = "from 2a01:4f8:1c0c:8221::/64 lookup 20101"; prio = 20000; }
-      { rule = "from 2a01:4f8:1c0c:8221::/64 unreachable"; prio = 20001; }
-      # Everything else defaulting to main table after this
+  systemd.services.kea-dhcp4-server = {
+    after = [
+      "network.target"
    ];
-    rules4 = [
-      # main routes first except default route
-      { rule = "lookup main suppress_prefixlength 0"; prio = 10000; }
-      # Prefixes defaulting to gatekeeper
-      #{ rule = "from xxx lookup 20101"; prio = 20000; }
-      # Everything else defaulting to main table after this
+    wants = [
+      "network.target"
    ];
  };

-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
+  clerie.firewall.enable = true;

-  ipv6 table gatekeeper6;
-  ipv4 table gatekeeper4;
-
-  protocol static static_gatekeeper_6 {
-          ipv6 {
-                  table gatekeeper6;
-          };
-          route ::/0 via fd00:153:153:201::1;
-  }
-  protocol static static_gatekeeper_4 {
-          ipv4 {
-                  table gatekeeper4;
-          };
-          route 0.0.0.0/0 via 10.153.201.1;
-  }
-
-  protocol kernel kernel_gatekeeper_6 {
-    ipv6 {
-      table gatekeeper6;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv6.addresses).address };
-        accept;
-      };
-      import none;
-    };
-    kernel table 20101;
-  }
-  protocol kernel kernel_gatekeeper_4 {
-    ipv4 {
-      table gatekeeper4;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
-        accept;
-      };
-      import none;
-    };
-    kernel table 20101;
-  }
-
-  ipv6 table ospf6;
-  ipv4 table ospf4;
-
-  protocol direct direct_lo {
-    interface "lo";
-    ipv6 {
-      table ospf6;
-    };
-    ipv4 {
-      table ospf4;
-    };
-  }
-
-  protocol direct direct_enp2s0 {
-    interface "enp2s0";
-    ipv6 {
-      table ospf6;
-    };
-    ipv4 {
-      table ospf4;
-    };
-  }
-
-  protocol kernel kernel_ospf6 {
-    ipv6 {
-      table ospf6;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv6.addresses).address };
-        accept;
-      };
-      import none;
-    };
-  }
-
-  protocol kernel kernel_ospf4 {
-    ipv4 {
-      table ospf4;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
-        accept;
-      };
-      import none;
-    };
-  }
-
-  protocol ospf v3 ospf_6 {
-    ipv6 {
-      table ospf6;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "wg-gatekeeper4" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-porter4" {
-        cost 80;
-        type pointopoint;
-      };
-    };
-  }
-
-  protocol ospf v3 ospf_4 {
-    ipv4 {
-      table ospf4;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "wg-gatekeeper4" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-porter4" {
-        cost 80;
-        type pointopoint;
-      };
-    };
-  }
-
-  protocol device {
-    scan time 10;
-  }
-  '';
+  clerie.monitoring = {
+    enable = true;
+    id = "104";
+    pubkey = "sro9DUSMtVr5xV2o3GTgg+0vmLj+bRc8fN+3pIr6+HY=";
+    blackbox = true;
+  };

  system.stateVersion = "21.03";
 }
--- a/hosts/carbon/dns.nix
+++ b/hosts/carbon/dns.nix
@@ -0,0 +1,34 @@
+{ ... }:
+
+{
+
+  # Loopbacks for DNS resolver IPs
+  networking.interfaces.lo.ipv6.addresses = [
+    { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
+  ];
+  networking.interfaces.lo.ipv4.addresses = [
+    { address = "10.152.0.1"; prefixLength = 32; } # Anycast
+  ];
+
+  networking.firewall.allowedUDPPorts = [ 53 ];
+  networking.firewall.allowedTCPPorts = [ 53 ];
+
+  services.unbound = {
+    enable = true;
+    resolveLocalQueries = false;
+    settings = {
+      server = {
+        interface = [ "fd00:152:152::1" "10.152.0.1" ];
+        access-control = [ "::/0 allow" "0.0.0.0/0 allow" ];
+        prefer-ip6 = true;
+        prefetch = true;
+        serve-expired = true;
+        serve-expired-ttl-reset = true;
+      };
+    };
+  };
+
+  # Use Anycast Nameservers
+  networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ];
+
+}
--- a/hosts/carbon/mdns.nix
+++ b/hosts/carbon/mdns.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+
+{
+
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+
+    allowInterfaces = [
+      "net-heimnetz"
+      "net-iot"
+    ];
+
+    reflector = true;
+  };
+
+}
--- a/hosts/carbon/net-dsl.nix
+++ b/hosts/carbon/net-dsl.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+
+  ## DSL-Uplink
+  networking.vlans."enp1s0.7" = {
+    id = 7;
+    interface = "enp1s0";
+  };
+  networking.vlans."enp3s0.7" = {
+    id = 7;
+    interface = "enp3s0";
+  };
+  networking.bridges."net-dsl".interfaces = [
+    "enp1s0.7"
+    "enp3s0.7"
+  ];
+
+}
--- a/hosts/carbon/net-gastnetz.nix
+++ b/hosts/carbon/net-gastnetz.nix
@@ -0,0 +1,69 @@
+{ ... }:
+
+{
+
+  ## Gastnetz
+  networking.vlans."enp1s0.202" = {
+    id = 202;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-gastnetz".interfaces = [
+    "enp1s0.202"
+  ];
+  networking.interfaces."net-gastnetz".ipv6.addresses = [
+    { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-gastnetz".ipv4.addresses = [
+    { address = "192.168.32.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface net-gastnetz {
+      AdvSendAdvert on;
+      MaxRtrAdvInterval 30;
+      prefix ::/64 {
+        AdvValidLifetime 300;
+        AdvPreferredLifetime 120;
+      };
+      RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-gastnetz" ];
+      };
+      subnet4 = [
+        # Gastnetz
+        {
+          id = 202;
+          subnet = "192.168.32.0/24";
+          pools = [
+            {
+              pool = "192.168.32.100 - 192.168.32.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "192.168.32.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "9.9.9.9,149.112.112.112"; # Quad 9
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  # net-gastnetz can only access internet
+  clerie.firewall.extraForwardFilterCommands = ''
+    ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT
+    ip46tables -A forward-filter -i net-gastnetz -j DROP
+    ip46tables -A forward-filter -o net-gastnetz -j DROP
+  '';
+
+}
--- a/hosts/carbon/net-heimnetz.nix
+++ b/hosts/carbon/net-heimnetz.nix
@@ -0,0 +1,69 @@
+{ ... }:
+
+{
+
+  ## Heimnetz
+  networking.vlans."enp1s0.201" = {
+    id = 201;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-heimnetz".interfaces = [
+    "enp1s0.201"
+    "enp2s0"
+  ];
+  networking.interfaces."net-heimnetz".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:4::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-heimnetz".ipv4.addresses = [
+    { address = "10.152.4.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface net-heimnetz {
+      AdvSendAdvert on;
+      MaxRtrAdvInterval 30;
+      prefix ::/64 {
+        AdvValidLifetime 300;
+        AdvPreferredLifetime 120;
+      };
+      RDNSS fd00:152:152::1 {};
+      DNSSL net.clerie.de {};
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-heimnetz" ];
+      };
+      subnet4 = [
+        # Heimnetz
+        {
+          id = 201;
+          subnet = "10.152.4.0/24";
+          pools = [
+            {
+              pool = "10.152.4.100 - 10.152.4.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.4.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "10.152.0.1";
+            }
+            {
+              name = "domain-name";
+              data = "net.clerie.de";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+}
--- a/hosts/carbon/net-iot.nix
+++ b/hosts/carbon/net-iot.nix
@@ -0,0 +1,80 @@
+{ ... }:
+
+{
+
+  networking.vlans."enp1s0.205" = {
+    id = 205;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-iot".interfaces = [
+    "enp1s0.205"
+  ];
+  networking.interfaces."net-iot".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:205::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-iot".ipv4.addresses = [
+    { address = "10.152.205.1"; prefixLength = 24; }
+  ];
+
+  # Enable NTP
+  networking.firewall.interfaces."net-iot".allowedUDPPorts = [ 123 ];
+
+  services.radvd.config = ''
+    interface net-iot {
+      AdvSendAdvert on;
+      MaxRtrAdvInterval 30;
+      prefix ::/64 {
+        AdvValidLifetime 300;
+        AdvPreferredLifetime 120;
+      };
+      RDNSS fd00:152:152::1 {};
+      DNSSL iot.clerie.de {};
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-iot" ];
+      };
+      subnet4 = [
+        {
+          id = 205;
+          subnet = "10.152.205.0/24";
+          pools = [
+            {
+              pool = "10.152.205.100 - 10.152.205.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.205.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "10.152.0.1";
+            }
+            {
+              name = "domain-name";
+              data = "iot.clerie.de";
+            }
+            {
+              name = "time-servers";
+              data = "10.152.0.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to IOT devices
+    ip46tables -A forward-filter -i net-heimnetz -o net-iot -j ACCEPT
+    ip46tables -A forward-filter -i net-iot -j DROP
+    ip46tables -A forward-filter -o net-iot -j DROP
+  '';
+
+}
--- a/hosts/carbon/net-lte.nix
+++ b/hosts/carbon/net-lte.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+
+  ## LTE-Uplink
+  networking.vlans."enp1s0.102" = {
+    id = 102;
+    interface = "enp1s0";
+  };
+
+}
--- a/hosts/carbon/net-mgmt.nix
+++ b/hosts/carbon/net-mgmt.nix
@@ -0,0 +1,63 @@
+{ ... }:
+
+{
+
+  networking.vlans."enp1s0.203" = {
+    id = 203;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-mgmt".interfaces = [
+    "enp1s0.203"
+  ];
+  networking.interfaces."net-mgmt".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:203::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-mgmt".ipv4.addresses = [
+    { address = "10.152.203.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface net-mgmt {
+      AdvSendAdvert on;
+      MaxRtrAdvInterval 30;
+      prefix ::/64 {
+        AdvValidLifetime 300;
+        AdvPreferredLifetime 120;
+      };
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-mgmt" ];
+      };
+      subnet4 = [
+        {
+          id = 203;
+          subnet = "10.152.203.0/24";
+          pools = [
+            {
+              pool = "10.152.203.100 - 10.152.203.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.203.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to MGMT network
+    ip46tables -A forward-filter -i net-heimnetz -o net-mgmt -j ACCEPT
+    ip46tables -A forward-filter -i net-mgmt -j DROP
+    ip46tables -A forward-filter -o net-mgmt -j DROP
+  '';
+
+}
--- a/hosts/carbon/net-printer.nix
+++ b/hosts/carbon/net-printer.nix
@@ -0,0 +1,51 @@
+{ ... }:
+
+{
+  networking.vlans."enp1s0.206" = {
+    id = 206;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-printer".interfaces = [
+    "enp1s0.206"
+  ];
+  networking.interfaces."net-printer".ipv4.addresses = [
+    { address = "10.152.206.1"; prefixLength = 24; }
+  ];
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-printer" ];
+      };
+      subnet4 = [
+        {
+          id = 206;
+          subnet = "10.152.206.0/24";
+          pools = [
+            {
+              pool = "10.152.206.100 - 10.152.206.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.206.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  # Enable scan-to-gpg
+  networking.firewall.interfaces."net-printer".allowedTCPPorts = [ 2121 ];
+  networking.firewall.interfaces."net-printer".allowedTCPPortRanges = [ { from = 2130; to = 2134; } ];
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to printer
+    ip46tables -A forward-filter -i net-heimnetz -o net-printer -j ACCEPT
+    ip46tables -A forward-filter -i net-printer -j DROP
+    ip46tables -A forward-filter -o net-printer -j DROP
+  '';
+
+}
--- a/hosts/carbon/net-voip.nix
+++ b/hosts/carbon/net-voip.nix
@@ -0,0 +1,105 @@
+{ ... }:
+
+{
+
+  ## VoIP
+  networking.vlans."enp1s0.204" = {
+    id = 204;
+    interface = "enp1s0";
+  };
+  networking.interfaces."enp1s0.204".ipv4.addresses = [
+    { address = "10.152.33.1"; prefixLength = 24; }
+  ];
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "enp1s0.204" ];
+      };
+      option-def = [
+        {
+          space = "dhcp4";
+          name = "vendor-encapsulated-options";
+          code = 43;
+          type = "empty";
+          encapsulate = "sipdect";
+        }
+        {
+          space = "sipdect";
+          name = "ommip1";
+          code = 10;
+          type = "ipv4-address";
+        }
+        {
+          space = "sipdect";
+          name = "ommip2";
+          code = 19;
+          type = "ipv4-address";
+        }
+        {
+          space = "sipdect";
+          name = "syslogip";
+          code = 14;
+          type = "ipv4-address";
+        }
+        {
+          space = "sipdect";
+          name = "syslogport";
+          code = 15;
+          type = "int16";
+        }
+        {
+          space = "dhcp4";
+          name = "magic_str";
+          code = 224;
+          type = "string";
+        }
+      ];
+      subnet4 = [
+        # VoIP
+        {
+          id = 204;
+          subnet = "10.152.33.0/24";
+          pools = [
+            {
+              pool = "10.152.33.10 - 10.152.33.200";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.33.1";
+            }
+          ];
+
+          reservations = [
+            {
+              hostname = "iridium";
+              hw-address = "00:30:42:1B:8C:7C";
+              ip-address = "10.152.33.11";
+              option-data = [
+                {
+                  name = "host-name";
+                  data = "iridium";
+                }
+                {
+                  name = "vendor-encapsulated-options";
+                }
+                {
+                  space = "sipdect";
+                  name = "ommip1";
+                  data = "10.152.33.11";
+                }
+                {
+                  name = "magic_str";
+                  data = "OpenMobilitySIP-DECT";
+                }
+              ];
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+}
--- a/hosts/carbon/ntp.nix
+++ b/hosts/carbon/ntp.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+
+  services.chrony = {
+    enable = true;
+    extraConfig = ''
+      # Enable NTP server mode
+      allow
+      bindaddress fd00:152:152::1
+      bindaddress 10.152.0.1
+    '';
+  };
+
+}
--- a/hosts/carbon/ppp.nix
+++ b/hosts/carbon/ppp.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  services.pppd = {
+    enable = true;
+    peers.dtagdsl = {
+      config = ''
+        plugin pppoe.so net-dsl
+        user "''${PPPD_DTAGDSL_USERNAME}"
+        ifname ppp-dtagdsl
+        persist
+        maxfail 0
+        holdoff 5
+        noipdefault
+        lcp-echo-interval 20
+        lcp-echo-failure 3
+        mtu 1492
+        hide-password
+        defaultroute
+        +ipv6
+        debug
+      '';
+    };
+  };
+
+  environment.etc."ppp/peers/dtagdsl".enable = false;
+
+  systemd.services."pppd-dtagdsl".serviceConfig = let
+    preStart = ''
+      mkdir -p /etc/ppp/peers
+
+      # Created files only readable by root
+      umask u=rw,g=,o=
+
+      # Copy config and substitute username
+      rm -f /etc/ppp/peers/dtagdsl
+      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+
+      # Copy login secrets
+      rm -f /etc/ppp/pap-secrets
+      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+      rm -f /etc/ppp/chap-secrets
+      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+    '';
+
+    preStartFile = pkgs.writeShellApplication {
+      name = "pppd-dtagdsl-pre-start";
+      text = preStart;
+    };
+  in {
+    EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
+    ExecStartPre = [
+      # "+" marks script to be executed without priviledge restrictions
+      "+${lib.getExe preStartFile}"
+    ];
+  };
+
+  clerie.firewall.extraForwardMangleCommands = ''
+    ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+  '';
+
+}
--- a/hosts/carbon/scan-to-gpg.nix
+++ b/hosts/carbon/scan-to-gpg.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+
+  services.scan-to-gpg = {
+    enable = true;
+    gpgkey = "${pkgs.clerie-keys}/gpg/clerie@clerie.de.asc";
+  };
+
+  users.users."clerie".extraGroups = [ "scan-to-gpg" ];
+}
--- a/hosts/carbon/secrets.json
+++ b/hosts/carbon/secrets.json
@@ -0,0 +1,29 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
+	"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
+	"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
+	"wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age16mln27e2p58gu6dpxfclttmuzfnq39mv62kthjpps33g3nl3scfq449857",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-08-13T14:06:43Z",
+		"mac": "ENC[AES256_GCM,data:yGKY0fi3KQWGHBeyNtQ8EJ6561dKRZ5aAjO9zq3odDtX75i2RSjORIlNjBsVvegBzeo8AkwwnzxNPt2sHl6MKDZfEsysWAi8Wolh4UvHk087AnR/uKvtG6t4uUaNIWej2DEzxUtTQ8QP1afsdqGCf0vZVruNcJ4u2xiQbN2vJPc=,iv:CDXJ5/P+h0Enq/0EL1su1Mw55FVYLy4XPSoUCkRkt+U=,tag:AvRfEDYMBunyIQIVCPbXag==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-05-10T13:05:56Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//ZkYls0F1NMJDUkJw7tOO+pgRm6R8u29qNLAbGMtMGGqB\nwc69WpYfO7hy2IQKGcGBp/Qrp5+gpmNBGjyq6AKEaox1TKCu2drKVRClH/Htzjhe\niAllegoS1Z0W8RGze3C9i5SiUHvVaK3c2iUJ8bCTitTgUZNvteCCgXECL42Jjb49\neGZSsTDkSUr89wECHs5thx8SV2hcYk+mZk7J/yZO54BVHxZXPfYdgyINwWnmU1vf\nqOnePaIBiRTz3+ICvb9pnndlO3KEXClnBq3N6q9IcNgfH/eCenQPc6Z2TRS/2aGl\nBvK+zygO9QJVJcprNx2WdTahf6fXGU8ZmvWj9R3wv62KmQNTWmLQzCEzpTxkfpnw\nMY2WTSFZ4EHm8xSzQMJK7QyXLyH8tOemqb/sRJpaFdvLIw66nmQtAHnY9xcKSOrC\nGdN0pyX7yEtFajgRfPU2kQb9wzyoj3hRU2lNlsvJC58R+rMLsNw5FT4+LFC2RBO4\n+E7th4fFEj6dyFfISRZfi/Rj4FWBtHLxLBm15xEYRoblciQDb0o3Qh0SIgbxnaCG\nM3Dp8zJ1EiWLPtxUo/G/8P0MkfbzuO9h07ypM/Y8r40Yrbxb4QFadXEeYcNMaRGz\n2UW84LNipLeirwQVajQv5FsCRiBCcU6hoJ9MCgDWKWDU45yFy5UBCZ88KH5PdUyF\nAgwDvZ9WSAhwutIBD/4iGSjtc9LI4OR6UXOWwm78lR685QvVy4zwdwaFzwXECWGn\niPKj8H8ku9DxxxSr316/8eC0IEs2mcyU62yVbrGP5fp9zsNnQKp1LQVPx+9tyzi3\nKrIL1nFQreMtqSKn7w/HDWG2HubbgazZAs97tN9hTVtMHCE5bu6nmRcBnnzNX248\nH+kFACSdP7Oya2TiJNqSs8JrB/BSZu2nk/yVwDd6y+mgkXKDjzIUK8B6NMP7cwf/\n4ukNkhgCaO4vGboKl6DIIMtkEkGlPcxqid3XRSai+KyB1hucDei+ZwCKWgR1W6PW\nYNTZdL6gwz/t5AMxoT1y8lnoNrtmvv6HzmlytKeuK64h1oOwwUdruJFnGGGVVfuC\nLoJPKF7CX4JGPW3hvofrXMfaJTBj5cyuUga02yiLfYbT4bUqb78dOt9AeKx4Hkej\nZvmFoaivMwWg5rkKjt9frI4b8ST/J0tmqwdLzYsrUUdBItviBEulv46jYlHw/qME\nP2hLgr2IeSEutaxyYxQl07rg8b43T8RvsRsQ/ySKn+Z8qC7sDxzXsRLeHuOoZnDD\nyf1UTSt9dfKY6oJ8SKd8Q0wSPMcVd5KgW/WIV8Wp3he63ONOdmiQgLhF++xFtK//\n0OXLvXVsT0qQBBCY7sPdfVQsSpjENl0ef2o4+5MirIzoFTQdRk3jINnoGzmQu4UC\nDAM1GWv08EiACgEP/0Q/h8MGGVjAvJGxloY/Ed4gvn2rVn7Uw6XPUktSoUQnwq9A\npmMsVDnrw2NWjWktjjgFC6HbMtkAlNH7UukxCzvTimwl5KOib8Yk+CKME6KGlFmh\nvEfx6YRmvDrE8qYVM4MYXccXUW4vbbzGJl9ReRH3ouvlxSIeZ8zH28EUE8ntVok9\njNcUHt05SFrM8O5LdjsCOEV1ltG8IWIPL4kVVDWDgy6WHzm7+lcWmGn0B9Astrpp\nxKnk/mjJoivoUpJoZcFpr5U8O4kcCrwmQJppn6/8xiJuoFWbSjbWw7M4BPWK3LOF\nRmgfv8OVgZ/DvR6uCkTXg+yc60s3DvbJ9KSLSjPguxcmUPNTZwZrH1fcsbgpSgfS\njGb0GouQDNY62DsfyGS1JEGiuG2SZPZajIbOVPkuxYvUbscPWjdJhwvRdhdF3/6t\n4tAM9b1Uf+xmFhbHBcqAeQIRxCSERYVeGuHxg5JOVmQkjFOJptFZgJEVCqP/0bPA\n+AoSF/Wq9IpuKH+dirU9RVATc35F4GP4gc0mKjR03i84+DDYvB3l8oeDDlYUygga\nueK2+HX7BDeQmdh4nWxV/7An1owt3DATj2dve437cqUtXhgWprea9VOzzl0shZyw\niIRukJq7A0IJA70gPXNOhLhls4fv9VdecNlbuF8NROA7t9Fwx0G36uysfARe1GgB\nCQIQnwDSpF57ZfhaQjNGmGCGXW51ARrlC9gHevQ2M8gIt9TowIJvkUJRP+1rsDXq\nGekIV6a+rNpbr9Lbgh7EbEG+OoHRSLD1sk5aK5nNQRUqlQprNqfxJ+wr6qkqYdGQ\nYLcwaMzwBw==\n=CejJ\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/carbon/ssh.pub
+++ b/hosts/carbon/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdyTanEqCieqt81Ri8xHnw1dyK3i8srDi1F+xIb3Js3
--- a/hosts/carbon/wg-clerie.nix
+++ b/hosts/carbon/wg-clerie.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  services.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ];
+    ipv4s = [ "10.20.30.111/32" ];
+    defaultViaVPN = false;
+  };
+}
--- a/hosts/clerie-backup/configuration.nix
+++ b/hosts/clerie-backup/configuration.nix
@@ -4,96 +4,55 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
-      ../../configuration/proxmox-vm
+
+      ./restic-server.nix
    ];

+  profiles.clerie.ruby-vm.enable = true;
+
  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2a00:fe0:1:21f::a/64"
+    ];
+    routes = [
+      { Gateway ="2a00:fe0:1:21f::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };

-  networking.hostName = "clerie-backup";
+  services.nginx.enable = true;

-  networking.useDHCP = false;
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::6"; prefixLength = 64; } ];
-  networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.borgbackup.repos = {
-    #clerie = {
-    #  authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUBblmmVoMMBftn4EnwnzqR12m9zill51LpO124hHb10K2rqxNoq8tYSc2pMkV/3briZovffpe5SzB+m2MnXbtOBstIEXkrPZQ78vaZ/nLh7+eWg30lCmMPwjf2wIjlTXkcbxbsi7FbPW7FsolGkU/0mqGhqK1Xft/g7SnCXIoGPSSrHMXEv5dPPofCa1Z0Un+98wQTVfOSKek6TnIsfLbG01UFQVkN7afE4dqSmMiWwEm2PK9l+OiBA2/QzDpbtu9wsfTol4c192vFEWR9crB2YZ1JlMbjVWHjYmB7NFsS0A6lUOikss0Y+LUWS2/QuM/kqybSo4rasZMAIazM6D clerie" ];
-    #  path = "/mnt/clerie-backup/clerie";
-    #};
-    cosima = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2x5h7F3rRy8G8r6twd549TRyIB/WsKOxJWIcUbAc3FFOIvbtXyT/zR91K58usZzcVdZjobyLa9aNfJNvA3ez2dO0PaqoRLg9Bgq44/bd6492N4ALROAgbmMwuTwA3gq2TYrWUCICGlYvBv7eVoSKrGECw4IZkAgoXu/pucz9yi10ccsu+cfZxuBRZtn5QmRIo8uhyGcjhtk9obB0JkUrGrubJRhxUazEH5j+bn/DHmYpmIyRV/82YvA+GR3B/PODF0fi7sFoeBQefCPTCHftYROB1P7G70wvO9rC9xTWSGPVeM7PmtArRKxOX89yqhVuHr2hWrPLLFMbY3wMNVKD5 cosima" ];
-      path = "/mnt/clerie-backup/cosima";
-    };
-    krypton = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDV3GpgaDqgTlWX0//DQ7AedYo0sD4e37OHl4/OqU7C+YfIuzaC8+KRfugTQS4R8UBKuxFHJC867aHq2rxIfKzKFtmyVPT7ywbpgNW3FDugQZ5MdPo8eHV19jnaZ9jkhUpJmMzayW+hU0GxT1fEXzSaewJknY3afdTKAi3dM+7LAcxVa82qwwArNuH06wrthU9eyva2QWMeZ6aEzzZgSxxrLQZFIXRtA81JcFmjL1IwxepDyUsbTj31Wmvf4n6YI6wxY9QhKyS4bahlnQmW0CpKwX6lKtGRRMVilTZLKa0aR0z15ltPE5h1USUnxiyo5YVB+1QA8luCnQAzIeZODEc3um8AfH4Z83MqU802K8yRmjJUhkoezJwRjewJito3Pfc4TOC2pdo7Na9bb5omTz7jiTRDvQkysWSZGyd22Vsl48tVuRTve/VkhBZuqOwH9yqBz5rl2hG7GHOiHD40kjxq+fJW8vge1hdu1TEQK8ubn1Cod/GuvuWFMTAwagYrJs0= clerie@krypton" ];
-      path = "/mnt/clerie-backup/krypton";
-    };
-    mail-1 = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqsAeI+iZ89MpkjNpLViJjC0FxHPVokpVVeU1IqD3KqhF70dqf3IuJSnhCfW4i2RPkwVwLkT1WsUmnI3Pp3izreBL+Y/RA2jG/x0380It/6RBwFtZA+6E7OgQtwca6APYIPSjlQnEfRrQV0Kz16qBZZRjo/VG20rDxUSiS+bPk5ar3JFjCSf4DnikeWR5u5brL6nFnHaiw7PbRTytdeb3y/g1TdBceLE0ISLtA/LJqlaRo5dKeDv69Loet65TA66PpCR3wp3yROaLVx7IF+Pr+x4WO6XMKjlaOjWygdW9zJ3fKa3pEhtzlcYHczDVLXyGszsKvUoRioP3m1GQY3gg7 root@mail-1" ];
-      path = "/mnt/clerie-backup/mail-1";
-    };
-    terra = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHoEImO4ARWCJAMZSx5kgbO/PUjEdckQl0O99sK5ZCCv/bVy16UXOsh4+c0W0z7zJbhuuxavi/xccJGZWp8ZKE0N5oboMEK47QFlr4oQvG3BGjUu3WzCM5Z6T+S15yEVbRPlfW7hpg+UEDyg2g37oWqO1JUoBOzq1TnXUgNeeP3tvFwqZ6FVec3T30IRCPogF47PndTiQtCYO+lTjUJubwxHaj77JZu11uGKAdH3XOH+IFZCkvzbxpVSSc+FprGAgPyWEYqoS+iq/MWbxkxAVLL7mBEbjS8hfS+QdPWvHy/st8MPB/cEKGyCMoDg1nIOLbwy84L4/XXGnpaw4CdGYn/QzQ5+Crq7ehSpk6UGNDDScCQ5rsvg/sbqvoAqpRZBbTXxcLhLshGqu8q+a7BaPhIrFfkZ4N1jNaTq1P5V1rr9CHQtrtLCihhD3krgRxfDmi530jLA1RSVWO3PEt3LpTfYNeznzVLaD1/rA5RDUi+EC0QhHv5A+fksnU6cbiY6E= user@Arch-PC" ];
-      path = "/mnt/clerie-backup/terra";
-    };
    uberspace-ceea = {
      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiUWufpvAj/Rdxt/frAjs5Q4+/lzaN2jmf5+W3Gazjzw+CH+Agplux6op+LlzF7kAA32yP+lwQto8Rz92NzReDssXd+0JhgAAHrSMrPOPnQbZrierKOfVvDOteklEM4k5JXqZ+xHIMtNomuMV3wCFc18nvwc8t95pDBOI/HwzAwn2mGhVBod0CNXZs8EyMeQJNKLCRwpUrddOX6fz5x/fbPYO4KB3iPkC0X+e/d5SuBvrmwFdnpr2RkCboMPdd6i/0AsY4MLdMV54arS9Ed2jaFKqYCQR5wRdLxndn+aByyVQHQxVU0gVfO9+53NOgiVzhOFzXm6K2KcC/HZR5uj1r ceea@olbers.uberspace.de" ];
      path = "/mnt/clerie-backup/uberspace-ceea";
    };
-    uberspace-cleriebl = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA+E9Hguv/KPvBMAQ8L+Gn9YqbZwhUpGfHEIYSl2+NvvLWWQy9ayQJ1bgqshK/DUsMVH54jMTiGpI18I+MUT4J4+Ww9O2pT7ZnQbPyk6EuHSMZM+9iHoLR7szaxXDKaD9CD1qguB5/wsGQGyB5OvZoCwQsCZgkMGgU+egOnHKipacsgYhI8RSzRxKkNnUK4L4Xea+7RqSIBM4gtZcc2uqkwrIPIZwi4Xs7aH4ibO6B0exEY1SYEkJGD/u9hA9zDv2jkykodBKmSZlf8L/e5JWjDj+PHjlsbn9tfH6GdWf/rNynt4E9QStqetnMvWKZIBCNXs9O/URJU4+lWFbamIwJ cleriebl@johnson.uberspace.de" ];
-      path = "/mnt/clerie-backup/uberspace-cleriebl";
-    };
-    uberspace-clerieda = {
-      authorizedKeys = [ "" ];
-      path = "/mnt/clerie-backup/uberspace-cleriemx";
-    };
-    uberspace-cleriewi = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAeU+YezmGNNnntAkOL143NlkADi6ekEcaW9yf9yegdkDxwyIyxaWC89B110kRkNe+6KP+LDwrp9vnFJZjst8Gv+dMs0h9U0IdUafhO7TcbbkqynqmtzIwiSGsLby2K9XOYTMlAa2JOfeNScPWccZ8KgXsIBqRGjo3yQfCHXZu9U/8CGXvYPsTGY5QYNeAw5Uaikuf565GHy4ROx2BN7LGug9lK42Hfv8i1lhCLi7wkhQ0EPGBRPkscjz/0Kb2iABMzyUf6uMrDJX/usKrChxkLfidIM9C5YR1E+wXlmy9lijuNP85NpXUEyVTAp9/XLCp1vskfCjsBLO0l+40XNIt cleriewi@biela.uberspace.de" ];
-      path = "/mnt/clerie-backup/uberspace-cleriewi";
-    };
-    web-1 = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN7oldAaDoRJbY0/QdNSb9wCM0ART3UrW+ay7WhsrZoOl3GN+YLE5sPkCxbQRxbb7q/lacXdnlSlCoCZ2k/y1EbITX3BT5e5XAAsF1QElPokvI/tKFH5XakosaXP/di7hhVfzEC2ELiuUBuz8dycaskSGblYhSSea9Y3+o2JeNgLokBL7RcJkcSr5JkMeW3M1dd8obmL6NHY1802ehT6cIgZ7+fY+5UsU3YeAIQUPBRrVnwuroN6K3oPMhKKMPP9bCvI/ZAX/+/VrxECuVMz2MF8inq37J9E8xJ9kyIq5gYA9SWEGImm2O9vlA6XIRT/2W05aRyZSwbw6WBSm6Q2pb web-1" ];
-      path = "/mnt/clerie-backup/web-1";
-    };
-    web-2 = {
-      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC1pw7u/LcriXMt9mRhjjw7IvKh3Hfj2R6sZbybk5x6 web-2"];
-      path = "/mnt/clerie-backup/web-2";
-    };
  };

  # fix borgbackup primary grouping
  users.users.borg.group = "borg";

-  users.users.backup-replication = {
-    isNormalUser = true;
-    group = "backup-replication";
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8kCLiDfVFKgoNvEoMb34jp2n1lQG+k7wigzc4qGmrROlWkJ46/Ym4UrSeQJAd6hwHTcKTZkeOrqDAjZZ+jlidpncJHT5VMW5Ah965pxbBq6Qh1Yz5tKj7nLAQ/+bwEH4qqBFNd796876n3pY/FqhwAHWONqWhLKzMXpFursMSITUPmRXcaPwJrgS9DIYspZ9bBhhRSdQ5N1SiGtaszOQwdevLnNYqdtFOBG4rt9SO6IBIHtaiTIHrrMGS2Lt3NMwkq+O+N+TGaKLjbwqtfUPfPOCmY0XH12OawjxHP9hZ+WH3dPtcu5p+VORciSybPvyh9qzXUrDeO4HDuii2GEFU8JFELYXdT/qBwdIMp82tkgww0zKbTJuc0y/9eR7LCXop4OALhR8+8xWDI9c1ccxu3T7S7zUI1OmTlR9i8rx85D4sz2dtp1jirDoW2KVuIdwe6G3NLfTL95FZRmveEQM3MO8MPpfzZ4EvaMbiQQd/c4VAmGovtSLQhySTpT6qSv0= root@backup-4"
-    ];
-  };
-
-  users.groups.backup-replication = {};
-
-  environment.systemPackages = with pkgs; [
-    bindfs
-  ];
-
-  fileSystems."/clerie-backup-replication" = {
-    device = "/mnt/clerie-backup";
-    fsType = "fuse.bindfs";
-    options = [
-      "ro"
-      "force-user=backup-replication"
-      "force-group=backup-replication"
-      "perms=0000:ug=rD"
-    ];
+  services.borgbackup.jobs = {
+    backup-replication-hetzner = {
+      paths = [
+        "/mnt/clerie-backup"
+      ];
+      doInit = true;
+      repo =  "u275370-sub2@u275370.your-storagebox.de:./clerie-backup/" ;
+      encryption = {
+        mode = "none";
+      };
+      environment = { BORG_RSH = "ssh -p 23 -i /var/src/secrets/ssh/borg-backup-replication-hetzner"; };
+      compression = "auto,lzma";
+      startAt = "*-*-* 04:07:00";
+    };
  };

  clerie.monitoring = {
--- a/hosts/clerie-backup/hardware-configuration.nix
+++ b/hosts/clerie-backup/hardware-configuration.nix
@@ -8,9 +8,9 @@
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];

-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
@@ -19,10 +19,21 @@
    };

  fileSystems."/mnt/clerie-backup" =
-    { device = "/dev/disk/by-uuid/69de70f0-9b46-47f3-9ac7-348f57934d55";
+    { device = "/dev/disk/by-uuid/15a42e2e-57dc-43ff-a50d-8b73952d4558";
      fsType = "ext4";
    };

  swapDevices = [ ];

+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  boot.swraid.enable = true;
+
+
 }
--- a/hosts/clerie-backup/restic-server.nix
+++ b/hosts/clerie-backup/restic-server.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  services.restic.server = {
+    enable = true;
+    privateRepos = true;
+    dataDir = "/mnt/clerie-backup/cyan";
+    listenAddress = "[::1]:43242";
+  };
+
+  # restic rest server does not support --htpasswd-file in the current version of nixpkgs
+  # until then we copy the secrets to the common location
+  sops.secrets.restic-server-cyan-htpasswd = {
+    path = "/mnt/clerie-backup/cyan/.htpasswd";
+    owner = "restic";
+    group = "restic";
+  };
+
+  services.nginx.virtualHosts."cyan.backup.clerie.de" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://[::1]:43242/";
+      extraConfig = ''
+        client_max_body_size 10G;
+      '';
+    };
+  };
+}
--- a/hosts/clerie-backup/secrets.json
+++ b/hosts/clerie-backup/secrets.json
@@ -0,0 +1,27 @@
+{
+	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1px682xeu0xfkr49qdqe95er040p2vv3ugekk04e36jj2wqs7tyfs8mhclh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-16T18:13:34Z",
+		"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-05-05T12:12:27Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//UhUFxM0YiI1MJgzlBj6Re5rfRYIgQlU033+RK+IBMdJl\njK13jjXYD7bRGlkYWNQbUYk6SWIvU+mvrXdKzXvYsNwK8j99JMRz9pOuScj8o+qs\nZ8pv5ILFXiRBxHbGsxPJQG84tNmSdVQDe3E+ief+t7Gdzui4D6TNGKnciHX4jhN6\nFNng09P4c/DmKLc6r1gRc6UvY5UGkgzVQpvSOkHHI68xGsSzQbZCEeCQGLGmZYyU\nC2ocGWK/9SjPBGMu4LeVlrGACJGMcAuVQKDHRqIlLsla1kbbzzLKOk/6JTenDRak\nC+rzU7fm4jnr2nvAqc6aiG3cqwIdJlaxzy7J9O9lXiAaj0sDBlrf7JEmpbQHKwmP\n9uFhZCMOOcHhVnksLUbEYLrZetK50KOLEjIIc9WIJ0X34QGRkwgbiKE3FGKxHRpC\nmgOSzZWy2VdEnWifu65x2mlFc6iFsHCpdpCl4Hs+DUH2tHi3f2o4rmHUBI8ys6zt\nm/UqSs2w6mftyCIGO+bvpMkJ2EVL1lrQBvL6Oh3u80S5ra4aKVOKui2TiFeQitBA\ntXZPW1EtkmLUsYZD7kUpFn+uInJqNhdoXJPb1D+jqlafT0+xLFXOAgJJ7RerFiCR\n4bi+6h0Z5ybUXp3klboMEWLROpcJ0Z0tgTBL8SlwmzYr6/mDiXgwWTCRa3fv2HqF\nAgwDvZ9WSAhwutIBEAC5+q2rg7IJ+90/TMshrybw+390znLedu8t4ubEIuklzEnK\niUW181+/pbY9gC5H2OQt2A693PLE6/gbdhkned6f3fmLUfbBQeoGRup54f7LWtQU\nwV7CbskhuglKxBgi3WKv0mDYGEOK88h566M/UkC3GBMzNYJjRji6+G9/xVJ4V27d\n7dWBo1mv73QvnmAzOFApJkXi7TGZQzgoUa4kt/bglrkkHZIDYVt5o4JNnXDTI4Fw\nj046WYrQAgqEOujg5nzhtHk+4MVYv6YCA8LPVojVoU4wHuIJZOOZGCk9yLZKagW1\nyQpJTq7XT/cOfb4+nV8cTt3W36ak6yR8/2zcW4Ys40p8pRAgisQv9k1dFuYKGhAg\nJiTBYbw0znp+g89YCljlVC8sx61Dl4fd2WzzYIlq8YzE3RXlBTPE4Vc2obu40pVY\nrwOyYgOzzR2wwjuuPhekvrmwSAURXyxNcGBxKb7OWEP7m+O17UQMC9icICloPaUh\nW9hVmGWmLJfV9bjAtcJuKrMGOJkrg2jsqi4YZW9L+f19TrfFuobbK96zR0mT6hJl\n5zJQn0oo0s3gL2764qT6EeS7iSYaiWB/Dx0JCHr/ecp2+8LzWhmZk7kogAH78J16\nnwUUI1IDDo10JX5/zblfJrsPE8Yk11ToNOhMD484HZ/a1Sydr6IUPI5g0A2yP4UC\nDAM1GWv08EiACgEP+wdQpiVH14ZpfC06VMpDM9BwshMgbHLKP8rJqm6TS1VEx72K\nqMjpSYpw8W5J7M6NGEoXaC59VXuxOQWFX7m2Sgi6Yzo8YhdEiOutGxmD2snuhc7I\nSoYKehsTlm9tjIcLZy1B9TM8JCS9V6yJVkpoNCbaSFfdw4idz02hevOGyzxEA2T1\nlNNij9H+nkw6KCN9Ckt1inhwDfo4B2vZT4fkb46+hqNDJx+1Xh4LIzToN2YvLJZl\nR/eptlV3Xr3EMOba0r3RL/dz4vf0djEXdSyfw/pBKa9i4aGUuwMfx5o9qAieikTv\nUYrejwfXLCAwDDd1b/ieECZ6iE5gnfZtO5aLxRHgl2nD3Wr5lWBrmuATRusvbDpC\nsz2OuiaHm8ivx51n1MweyikBBilDMXIbgXc9pGIGxGdICKypZkJVR1tFBy4Ovjm3\nfpuO+hXeeRa1PFgyh4s8eaZL42v3OAu3lWLbKeXRtui6PC5w8hw0m/8YVooufLm2\nkh8qMKwB/oev52NJZTfi28fZXdSMsdFJ5nWXUoMAelcgOJ3Mu5Rwc3/ro/PqAN/i\nHel9MZVfGBAgRU3x36i2/fVDM1olCqCTYEz3Z4916TKJq2PWRQ+Y8z5eTxl0h3Nu\nGJBTOMDyemEVVcY8HLTG15iudhX2pilTgM5aXQQukKHFoZBHDUu1FQEraMa81GgB\nCQIQj/dOVj3MymQYdSl6n1LCN2UjBEm9AX1Js8v6nY7tLHJo9etTKt57M3xuUCTi\n1VJIXwLWQskI+LPRlyJj63j2cSWs3KrAeigLe8SFb1v7JUYj7aYm9LTawcevSsPr\n69m9Y2zRBg==\n=lDcq\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/clerie-backup/ssh.pub
+++ b/hosts/clerie-backup/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ
--- a/hosts/dn42-il-gw1/configuration.nix
+++ b/hosts/dn42-il-gw1/configuration.nix
@@ -4,73 +4,63 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
-      ../../configuration/proxmox-vm
-      ../../configuration/dn42
    ];

+  profiles.clerie.mercury-vm.enable = true;
+
  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  networking.hostName = "dn42-il-gw1";
-
-  networking.useDHCP = false;
-  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:1::1"; prefixLength = 64; } ];
-  # VM Nat Netz mercury
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.23"; prefixLength = 24; } ];
-  # OSPF Netz
-  networking.interfaces.ens19 = {};
-  # IPv6 Uplink
-  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::7"; prefixLength = 64; } ];
-
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens20";
+    address = [
+      "2001:638:904:ffc9::7/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffc9::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "192.168.10.23/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-dn42-ospf-netz" = {
+    matchConfig.Name = "ens19";
+    linkConfig.RequiredForOnline = "no";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };

  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
-    # n0emis
-    wg0197 = {
-      ips = [
-        "fe80::42:1/128"
-        # peer fe80::42:42:1/128
-      ];
-      postSetup = ''
-      ip -6 route flush dev wg0197
-      ip addr del dev wg0197 fe80::42:1/128 && ip addr add dev wg0197 fe80::42:1/128 peer fe80::42:42:1/128
-      '';
-      listenPort = 50197;
-      allowedIPsAsRoutes = false;
-      peers = [
-        {
-          allowedIPs = [ "fe80::/10" "fd00::/8" ];
-          endpoint = "himalia.dn42.n0emis.eu:52574";
-          publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
-        }
-      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg0197";
-    };
    # e1mo
    wg0565 = {
      ips = [
-        "fe80::43:43:1/128"
-        # peer fe80::43:1/128
+        "fe80::2574/128"
+        # peer fe80::565/128
      ];
      postSetup = ''
      ip -6 route flush dev wg0565
-      ip addr del dev wg0565 fe80::43:43:1/128 && ip addr add dev wg0565 fe80::43:43:1/128 peer fe80::43:1/128
+      ip addr del dev wg0565 fe80::2574/128 && ip addr add dev wg0565 fe80::2574/128 peer fe80::565/128
      '';
      listenPort = 50565;
      allowedIPsAsRoutes = false;
      peers = [
        {
          allowedIPs = [ "fe80::/10" "fd00::/8" ];
-          endpoint = "de-fra1.dn42.net.dont-break.it:22574";
-          publicKey = "shGS36iaWgcJL1FVLhZHPxLHkPETIy2FFdgmNyx1DSk=";
+          endpoint = "dn42-nbg1.net.dont-break.it:22574";
+          publicKey = "qYaDuYYVpuFqy7KyC5PmJavqs0a7GtyuES8VwugdPSQ=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg0565";
+      privateKeyFile = config.sops.secrets.wg0565.path;
    };
    # fooker
    wg1271 = {
@@ -91,7 +81,7 @@
          publicKey = "xxPjHWVzePinOOMnuhwGAI3PKY9pvpifIvIbPu3IwQw=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg1271";
+      privateKeyFile = config.sops.secrets.wg1271.path;
    };
    wg1272 = {
      ips = [
@@ -111,7 +101,7 @@
          publicKey = "Iae2R4B7VVsloKWK8T1j1vLMuxpP4dVDUdzEg/YpAjE=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg1272";
+      privateKeyFile = config.sops.secrets.wg1272.path;
    };
    # margau
    wg1280 = {
@@ -128,188 +118,134 @@
          publicKey = "CEge9jdHQArzdniUiWyB3IUZOjGiew3gPmz/MOf4ahU=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg1280";
+      privateKeyFile = config.sops.secrets.wg1280.path;
    };
-    # perflyst
-    wg1302 = {
+    # lutoma
+    wg4719 = {
      ips = [
-        "fe80::a14e/128"
-        # peer fe80::a14d/128
+        #"fe80::1/128"
+        # peer fe80::acab/128
      ];
      postSetup = ''
-      ip -6 route flush dev wg1302
-      ip addr del dev wg1302 fe80::a14e/128 && ip addr add dev wg1302 fe80::a14e/128 peer fe80::a14d/128
+      ip addr add dev wg4719 fe80::1/128 peer fe80::acab/128
      '';
-      listenPort = 51302;
+      listenPort = 54719;
      allowedIPsAsRoutes = false;
      peers = [
        {
          allowedIPs = [ "fe80::/10" "fd00::/8" ];
-          endpoint = "[2a03:4000:6:f6ed::1]:22574";
-          publicKey = "TSPvvpMY8dCFk6gd58aYtkibtqUn8EzIF6dXP52b3y8=";
+          endpoint = "[2603:c020:8001:ed42::42]:42546";
+          publicKey = "MkVyCgIq0BOStFIu2/Wl91ofFuRvnG3ZqTWFfVs/VlQ=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg1302";
+      privateKeyFile = config.sops.secrets.wg4719.path;
+    };
+    # zaphyra
+    wg1718 = {
+      ips = [
+        "fe80::2574/128"
+        # peer fe80::6b61/64
+      ];
+      postSetup = ''
+      ip addr replace dev wg1718 fe80::2574/128 peer fe80::6b61/128
+      '';
+      listenPort = 51718;
+      allowedIPsAsRoutes = false;
+      peers = [
+        {
+          allowedIPs = [ "fe80::/10" "fd00::/8" ];
+          endpoint = "router-a.dn42.zaphyra.eu:51831";
+          publicKey = "Knm6uEpMsTfZAK68Pl98mHORtb8TtswBfYFGznpHUCI=";
+        }
+      ];
+      privateKeyFile = config.sops.secrets.wg1718.path;
    };
  };

-  petabyte.policyrouting = {
+  networking.firewall.allowedUDPPorts = [
+    50565 # wg0565
+    51271 # wg1271
+    51272 # wg1272
+    51280 # wg1280
+    54719 # wg4719
+    51718 # wg1718
+  ];
+
+  profiles.clerie.dn42-router = {
    enable = true;
-    rules6 = [
-      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
-      { rule = "from all to all lookup 2342"; prio = 10000; }
-      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
-      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+    loopbackIp = "fd56:4902:eca0:1::1";
+    routerId = "192.168.10.23";
+
+    ospfInterfaces = [
+      "ens19"
+    ];
+
+    ibgpPeers = [
+      {
+        peerName = "gw5";
+        remoteAddress = "fd56:4902:eca0:5::1";
+      }
+      {
+        peerName = "gw6";
+        remoteAddress = "fd56:4902:eca0:6::1";
+      }
+    ];
+
+    wireguardPeers = [
+      {
+        peerName = "peer_0565";
+        remoteAddress = "fe80::565";
+        interfaceName = "wg0565";
+        remoteAsn = "4242420565";
+        localAddress = "fe80::2574";
+      }
+      {
+        peerName = "peer_1271_north";
+        remoteAddress = "fe80::2";
+        interfaceName = "wg1271";
+        remoteAsn = "4242421271";
+        localAddress = "fe80::1";
+      }
+      {
+        peerName = "peer_1271_south";
+        remoteAddress = "fe80::1:2";
+        interfaceName = "wg1272";
+        remoteAsn = "4242421271";
+        localAddress = "fe80::1:1";
+      }
+      {
+        peerName = "peer_1280_wg1";
+        remoteAddress = "fde3:4c0d:2836:ff00::20";
+        interfaceName = "wg1280";
+        remoteAsn = "4242421280";
+        localAddress = "fde3:4c0d:2836:ff00::21";
+      }
+      {
+        peerName = "peer_4719";
+        remoteAddress = "fe80::acab";
+        interfaceName = "wg4719";
+        remoteAsn = "64719";
+        localAddress = "fe80::1";
+      }
+      {
+        peerName = "peer_1718";
+        remoteAddress = "fe80::6b61";
+        interfaceName = "wg1718";
+        remoteAsn = "4242421718";
+        localAddress = "fe80::2574";
+      }
    ];
  };

-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
-
-  ipv6 table ospf6;
-  ipv6 table bgp6;
-
-  protocol direct {
-          interface "lo";
-          ipv6 {
-                  table ospf6;
-          };
-  }
-
-  protocol static {
-          ipv6 {
-                  table bgp6;
-          };
-          route fd56:4902:eca0::/48 via "lo";
-          route fd56:4902:eca0::/52 via "lo";
-  }
-
-  protocol kernel {
-          ipv6 {
-                  table ospf6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:1::1;
-                          accept;
-                  };
-                  import none;
-          };
-          kernel table 1337;
-  }
-
-  protocol kernel {
-          ipv6 {
-                  table bgp6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:1::1;
-                          accept;
-                  };
-                  import none;
-          };
-          kernel table 2342;
-  }
-
-  protocol ospf v3 {
-          ipv6 {
-                  table ospf6;
-                  import all;
-                  export all;
-          };
-          area 0 {
-                  interface "ens19" {
-                          cost 80;
-                          type broadcast;
-                  };
-          };
-  }
-
-  protocol bgp gw5 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:5::1 as 4242422574;
-          source address fd56:4902:eca0:1::1;
-          ipv6 {
-                  table bgp6;
-                  igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  protocol bgp gw6 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:6::1 as 4242422574;
-          source address fd56:4902:eca0:1::1;
-          ipv6 {
-                  table bgp6;
-                  igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  template bgp bgp_peer {
-  	local as 4242422574;
-  	graceful restart on;
-  	ipv6 {
-  		table bgp6;
-  		next hop self;
-  		import keep filtered;
-  		import filter {
-  			if net ~ [fd00::/8{48,64}] then accept;
-  			reject;
-  		};
-  		export filter {
-  			if net ~ [fd00::/8{48,64}] then accept;
-  			reject;
-  		};
-  	};
-  }
-
-  protocol bgp peer_0197_himalia from bgp_peer {
-          neighbor fe80::42:42:1%wg0197 as 4242420197;
-          source address fe80::42:1;
-  }
-
-  protocol bgp peer_0565 from bgp_peer {
-  	neighbor fe80::43:1%wg0565 as 4242420565;
-  	source address fd80::43:43:1;
-  }
-
-  protocol bgp peer_1271_north from bgp_peer {
-  	neighbor fe80::2%wg1271 as 4242421271;
-  	source address fe80::1;
-  }
-
-  protocol bgp peer_1271_south from bgp_peer {
-  	neighbor fe80::1:2%wg1272 as 4242421271;
-  	source address fe80::1:1;
-  }
-
-  protocol bgp peer_1280_wg1 from bgp_peer {
-  	neighbor fde3:4c0d:2836:ff00::20%wg1280 as 4242421280;
-  	source address fde3:4c0d:2836:ff00::21;
-  }
-
-  protocol bgp peer_1302 from bgp_peer {
-  	neighbor fe80::a14d%wg1302 as 4242421302;
-  	source address fe80::a14e;
-  }
-
-  protocol device {
-          scan time 10;
-  }
-  '';
+  clerie.system-auto-upgrade = {
+    autoUpgrade = true;
+  };

  clerie.monitoring = {
    enable = true;
    id = "301";
    pubkey = "kTuC3/rLr4Qb3C4oEn1ecB/vS78poxmu6/Id3Rc1VGY=";
+    bird = true;
  };

  system.stateVersion = "21.03";
--- a/hosts/dn42-il-gw1/secrets.json
+++ b/hosts/dn42-il-gw1/secrets.json
@@ -0,0 +1,30 @@
+{
+	"wg0197": "ENC[AES256_GCM,data:1QJ5GXLMLIOj6xNC4sMnShjyB1wqfTkhkPTlLJz6AJxMjA0BsBZvZ1Pdln4=,iv:nVRIQB8/Ged616ELhkGnDyAz6A+3HQ55+yG0vf0f7aQ=,tag:GtI8ICMCih1tN4Xoc+8RdQ==,type:str]",
+	"wg0565": "ENC[AES256_GCM,data:kLgKOGDA+kPDB0SZ/yU7Ax7NYn28LiVT2W6zSsc0APfyoZWW6nF0fUQFv4s=,iv:6zjLGAOROifubQUMxRLvoFzN6GRYob841rzNiVyrt84=,tag:Gh15/ROPYiqqobcJcTzmGQ==,type:str]",
+	"wg1271": "ENC[AES256_GCM,data:NPcFMxVNpwoPkLsb6NvZVxGxw+Og3RzlYx7TAL9nT95x6I8aDRpOnR5tY5w=,iv:gYuem6vX+jRQvirrt3lZQb5gKnN/z32W/MgmGuzQ/Ks=,tag:I9qZJSNKFEM3Vx4Yugxy1w==,type:str]",
+	"wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]",
+	"wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]",
+	"wg1302": "ENC[AES256_GCM,data:+MzuBPg3ql0/MEnpVvhQTsPIkKB9xnHN9Fk4VlZwK4ijKl+26d6oTSM7/R0=,iv:bPPmhenQLaKTGaDo4rBlKkrXrS1YysRuntbKq6zi2aQ=,tag:lztaTfDGT4kAq+HZMLl0Dw==,type:str]",
+	"wg1718": "ENC[AES256_GCM,data:lB+j2O15O7ogdB+QdutD3V/h8IREMMlpCsnMJWNPXlz196KM6WNNYCV2v5M=,iv:AwrRPQIFu8A14Vs5A9slkCPMkgU3VZxL1YupJnriEHc=,tag:Vpt0C6SFzUXGotdfc1ocmg==,type:str]",
+	"wg4719": "ENC[AES256_GCM,data:hoOOCUGdYFaAQZ6wkgmQl65M1qArvXa826IeJl+BUGf7UX0vxx9J0C2epTE=,iv:+1JcOgzClehkE0Ihd2mmoenPk51OBZMF0bMqapWah/c=,tag:xI5FU+GJU6BER9/n04ccLA==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:aw11Ygfll6llabXkuxtbTcCn1eb4NZX1IwArcXoRJCJSgwDrQZ3HLatov3w=,iv:J2VD5XS+BrIKeFb0NW1UYZUuGPkbjFmooZ93PVK31gw=,tag:2XLSa/2s6LRq3L7UdrTs/g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1f0hscql4f4w7vyukzeu693xfedsl596dpjekc23q77ylp92zsvcqf9u75t",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-10T20:51:10Z",
+		"mac": "ENC[AES256_GCM,data:9lF4HV0oJyGHXdtYdMxR7+ev7JLAQVr6kE55nLoZcrbC92MHJzQpgM9XAhIynvwdAmC7ARd3orCn6eYkQJDdNX0JjMtebsBE+H4B7mEUCz8wtTN0iHS+oHmQxrqjnoSw2uHh9udgqAJa+sd6VGU3t2XUuuKtVHPwzROqVgvas9M=,iv:KT+BlFeXGZQc5pbBX+XOsmKEydUtir1LuPvseDkFeqw=,tag:hlRskY6b5EAZkUYs7ph/JA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-28T09:25:37Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAlFtkAfaMk8tnLsnJwAJXqrwUMxojYbMcxTDokKUqaQFE\ndlirkl0o0Kgk78BINxV0hjBpu54DvpBMl/Iv8TVpnZqCgNli4WOrOVg3OwVWqbmw\nZ4Hu3ToeogVlFx5U9tB/u/Z3tvsf3TpznansXmP1GaTt0P2Ur3Xn4Gvsgc5ikSXs\nZSwPpmDJiJwa49empWjUtYnMVo48l6midUny4JR1CC6Gr8QobBtImMXFNTQc4q37\nmDV5mkDCsdyDhEFMX8VXDHPMdLKl8zg1B46AqMQE88Rr8mROuZVuC6sjC4NY8YLn\nqwuUGr8AnNvU/e0/HTdnYwrqDZxBaqg9RylEJjU00aVj5Sea4/AiK+e4QpLukhFN\naul3XWB+aQ3VcspsDv/n/TK9d0Db0fniTdQEGDfaXRJi2bDRZUkneELQ+Z4BCgHw\nu9XlJJt+Ts6Gx22c24BpaR5H4IpY2wqkhLHm/kdzu082pKPfHQojtJopX1N5sHjJ\nrwF+y1xuWnucOyzbKCIHYv5BIxlTeftLyzwzZWWUjaidj2xWmHWnPo+27/+jb1IQ\ntXs3rD8dI4Sc5gxgHtC/jRGyFKOoiva+xzKF4qLZI2MYnhXa+ITF9LabdXj083T/\nVR1gdsgQjgPSgrIl/8oqw4oF95y0gQctTmvuV4XLI9ZbZDoEHsRxq43OxkpnVR2F\nAgwDvZ9WSAhwutIBD/0f45DOEuN2gGUfFgxlpUeJ/ToRqFbgRJxGGS8PY23YStsE\n4H9ZVcV5NmBiu9bZOzDYy25Lp1Sox1ciAkId7gZL+3QIRbvL554MT6DTC2E+zdqk\n+QstJ67jmzauDwPZBtjjxv8VbndoUtVsUKQzVFNoyDbtoKfiUUsowDdJerqF9eO9\npvylIkU7X4UOApOgFM9y7iXB0RDsuiszSKUP81Sexn97NvhLig9FMGAUpCsWjNZ1\nOAJzTOOuw99vLRZQIZj8F10B2dHxi3iAMsfJPltLfNt3JzSTvT219ObcqRfMZdtQ\nGy9wAkoC+pfRVCwb7sYbe+evTtTwPP4OHarUJxCPbCiwieD+GW9szyeLIGjn3NE2\nZDxFOnkzrVV4VKL9J6KXLI5g3wpPaTg9enJ+7izNRmU497SL2oBOfoz6hjb15E0N\n9Ebq0Kpb7dinCB/UU2RHvHn2gixCaYWwPBDIJqv3AL1hfz+dmu0HTUL5uUxkCRUy\nT1V6aTyHe4fb/tL1CFiGBuL+IQg76JmmSjWrpYsNyMkOgCAfmkFeSd0YTnd04pnf\nFqcstU42OnJxtjylaSLQDjnBZ8HDSuWrOGdNppw2ZmD/mCeqfZoSb1XDdFXJbKdO\nwFbs7znx5ZObN+06nD04mqT28/YaY6juNBlhZZz27+vZhzWA1b+97V4stxxRbYUC\nDAM1GWv08EiACgEQAIovtpP23VT3HKWrqDSjAdssTBUncJNWxNhZvp5VS6axsfnU\njDeMAJSOS6c/+RolvKZ2Y4T8XovSSqMC1U598AkPMIbb0eQ8IvuA5UIDZgvIBEKl\nwzyo9myppeN/l910WJs+Vo6DFKLQfBTpRjOzqC/YvzLZUUVFhr+6l4lOWx/lkEFP\n+mt86GALAJT1HT047hebLeQZPnIj/BhPagbD4qR4sJUc5wQxc25T1Oxb5/ToFR0t\nBSqEUdUIG0rvMsDRzpQ4mdg7i6D6PXb4eweTTOCWzpyiFSLfWE9qWXpqCFgpd4xI\nzAEofhbSQH5HqAvTplDhIRKtwK6Ze1aticuRdWjrorHVa602PR3RzFMWMtQa9j12\nK4igA3FD6cHdoRUMoLq8YAyxEwUOgHPmOub+9MOOMmI7Q5bj+oByK2Q2Thq1T6Px\nIVQzq6J5nWFXtRpx9/UFPLnjEqc3ehOItQrnH8980Ocy4nghaKqJGpAQtoP2t5nV\n6aGJ7tqTsv5MDZ+b4pRE/7GjG4v2t4I/BQd/0GU0vndfZx5KmwmTsCrVmrmwhFr8\nBNNNngqsHUZxK0RVI0sA90N23om0ATLWl8gt1mvMWZ8p9NPWQdDa1AVkLBgq6hZN\n9JtRacIS2zuiib5AohijVwp3uTDPL/32au2rAg2vWEFy1jSMnEUDCqTKGJIu1GYB\nCQIQANxUiUXBtAhd1pBA9VOhhD1T57AkDvHfk8gEyNKPC3+RI1GL2ImA+dEQY0Ie\nl4P0mcQTf8tlRgnHZhvf1ktXp46oAV1StGfKEil8WU3N/5gFeCNvRRuGMx05av+t\nfgAAnS4=\n=Ew+/\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
--- a/hosts/dn42-il-gw1/ssh.pub
+++ b/hosts/dn42-il-gw1/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINbpzEFngWD8gZpGKvOdo5CVMPlaDCylNKorf/ZN93rT
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@@ -4,170 +4,123 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
-      ../../configuration/proxmox-vm
-      ../../configuration/dn42
    ];

+  profiles.clerie.mercury-vm.enable = true;
+
  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  networking.hostName = "dn42-il-gw5";
-
-  networking.useDHCP = false;
-  # VM Nat Netz mercury
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.25"; prefixLength = 24; } ];
-  # OSPF Netz
-  networking.interfaces.ens19 = {};
-  # Lokales Netz
-  networking.interfaces.ens20.ipv6.addresses = [ { address = "fd56:4902:eca0:5::1"; prefixLength = 64; } ];
-  # IPv6 Uplink
-  networking.interfaces.ens21.ipv6.addresses = [ { address = "2001:638:904:ffc9::a"; prefixLength = 64; } ];
-  # Ildix
-  networking.interfaces.ens22.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::5"; prefixLength = 64; } ];
-
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
-
-  petabyte.policyrouting = {
-    enable = true;
-    rules6 = [
-      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
-      { rule = "from all to all lookup 2342"; prio = 10000; }
-      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
-      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens21";
+    address = [
+      "2001:638:904:ffc9::a/64"
    ];
+    routes = [
+      { Gateway = "2001:638:904:ffc9::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "192.168.10.25/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-dn42-ospf-netz" = {
+    matchConfig.Name = "ens19";
+    linkConfig.RequiredForOnline = "no";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-dn42-lokales-netz" = {
+    # Aktuell nicht verwendet, da in lo-dn42 umgezogen
+    matchConfig.Name = "ens20";
+    linkConfig.RequiredForOnline = "no";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-dn42-ildix" = {
+    matchConfig.Name = "ens22";
+    address = [
+      "fd81:edb3:71d8:ffff:2574::5/64"
+    ];
+    linkConfig.RequiredForOnline = "no";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };

-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
+  profiles.clerie.dn42-router = {
+    enable = true;
+    loopbackIp = "fd56:4902:eca0:5::1";
+    routerId = "192.168.10.25";

-  ipv6 table ospf6;
-  ipv6 table bgp6;
+    ospfInterfaces = [
+      "ens19"
+    ];

-  protocol direct {
-    interface "ens20";
-    ipv6 {
-      table ospf6;
-    };
-  }
+    ibgpPeers = [
+      {
+        peerName = "gw1";
+        remoteAddress = "fd56:4902:eca0:1::1";
+      }
+      {
+        peerName = "gw6";
+        remoteAddress = "fd56:4902:eca0:6::1";
+      }
+    ];

-  protocol static {
-          ipv6 {
-                  table bgp6;
+    bgpPeers = [
+      {
+        peerName = "peer_ildix_clerie";
+        localAddress = "fd81:edb3:71d8:ffff:2574::5";
+        remoteAddress = "fd81:edb3:71d8:ffff::13";
+        remoteAsn = "4242422953";
+      }
+      {
+        peerName = "peer_ildix_nex";
+        localAddress = "fd81:edb3:71d8:ffff:2574::5";
+        remoteAddress = "fd81:edb3:71d8:ffff::14";
+        remoteAsn = "4242422953";
+      }
+    ];
+
+    birdExtraConfig = ''
+      # Internal
+      protocol bgp peer_2953_dn42_ildix_service {
+        local as 4242422574;
+        neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+        source address fd81:edb3:71d8:ffff:2574::5;
+        multihop 64;
+        ipv6 {
+          table bgp6;
+          igp table ospf6;
+          next hop keep;
+          add paths tx;
+          import filter {
+            reject;
          };
-          route fd56:4902:eca0::/48 via "lo";
-          route fd56:4902:eca0::/52 via "lo";
-  }
-
-  protocol kernel {
-    ipv6 {
-      table ospf6;
-      export filter {
-        krt_prefsrc=fd56:4902:eca0:5::1;
-        accept;
-      };
-      import none;
-    };
-    kernel table 1337;
-  }
-
-  protocol kernel {
-          ipv6 {
-                  table bgp6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:5::1;
-        accept;
-                  };
-                  import none;
+          export filter {
+            accept;
          };
-    kernel table 2342;
-  }
+        };
+      }
+    '';
+  };

-  protocol ospf v3 {
-    ipv6 {
-      table ospf6;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "ens19" {
-        cost 80;
-        type broadcast;
-      };
-    };
-  }
-
-  protocol bgp gw1 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:1::1 as 4242422574;
-          source address fd56:4902:eca0:5::1;
-          ipv6 {
-                  table bgp6;
-                  igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  protocol bgp gw6 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:6::1 as 4242422574;
-          source address fd56:4902:eca0:5::1;
-          ipv6 {
-      table bgp6;
-      igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  template bgp ildix {
-    local as 4242422574;
-    graceful restart on;
-    source address fd81:edb3:71d8:ffff:2574::5;
-    ipv6 {
-      table bgp6;
-      igp table ospf6;
-      next hop self;
-      import keep filtered;
-      import filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
-      };
-      export filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
-      };
-    };
-  }
-
-  protocol bgp peer_ildix_clerie from ildix {
-    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
-  }
-
-  protocol bgp peer_ildix_nex from ildix {
-    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
-  }
-
-  protocol device {
-    scan time 10;
-  }
-  '';
+  clerie.system-auto-upgrade = {
+    autoUpgrade = true;
+    startAt = "*-*-* 06:22:00";
+  };

  clerie.monitoring = {
    enable = true;
    id = "305";
    pubkey = "DRJ4FFqNCRgxzmD+k4WKVKJiKKTxTm5Uupcz04j1Ag8=";
+    bird = true;
  };

  system.stateVersion = "21.03";
--- a/hosts/dn42-il-gw5/secrets.json
+++ b/hosts/dn42-il-gw5/secrets.json
@@ -0,0 +1,26 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:1tXtGSt4efVLWDJBv+YTW7G9e9FWWNk7eP92uAwXQs/wBiiD8rg8HGWxD44=,iv:nQfYtyIJRm+K/slCIQljVt6FBkyyXgmHt8Jf41wGJaU=,tag:vyAa5DqOttQ6I/3qr8gJaQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17a24csx3mdehmlcpmmqg209j57jkxkznjy0603ltxaws2fvwzapqm2r002",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWGszcUF2dUJQMmpQdHZ4\ncXhQSGRzZlhPcVVhRUlpejNleHMrOVVGVnpJClpmb0RIM3dpTzFzYVNJSjkraU4v\naFZVUnBGRFQ3VjNwSTRsNUhQT1dYOUEKLS0tIGYrVkRWV1JwTnFZYkJVYmhSWkJO\nOGhJSktyVWdTQTE1ZFhqL2NRZmpScjAKM/BBc28TgTVOuaToHDyLMuuKsxeAlYHU\nsvmVQfOH8G54DGS9iAh8R9yVlMWvGZ6TzG8Pjxba3GNZcnwHrnmpyg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T17:22:54Z",
+		"mac": "ENC[AES256_GCM,data:7CBfWGDo4hfji5h5/d7vq1MVx8RLtgN1JJKLGayFaUQG3TRk3paBcQ6/w1JlzpTMhKVYiCZHmMJW4M8a+/sNIEw1hVqfvMqfCyS8E4u7Ap/NQkV8rLq7X5W6WxWhBVUh/vjnEUBxAJf3WgWbaUxwCNxbffmVVtf4cCCGum/WL4k=,iv:PHDJfXXovDTfkJ9lyrMtxu5+try1zKOjdSKljTDNi2o=,tag:VdJ51XBhvP4MmlHrOlIwTw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T17:22:43Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//VLuWsS3MWpM8+RblzWZ0Drkz5X+rZ/ik3DtX80zeBqxw\nhYwgnzzUC/0uyH4JrjiC2d4vGrDtdoO+YhXMZxmmXEijc+USijZbrNmPRaj9yMe7\n4yF0US1grvoPR2Vynaa7fKSCHN42K8EwtREEeaLJ7fiqWf8iEEN34W2wF2UxeXFY\nBNpTrLnxHletEX6Scp2mCrN0ueDtp8jdpInEZ35nkMbDJC49w+vgeC7sJg5//EB3\nO+AqmrNIXh12cXQzHjkvenJqU5t0AONoIYUnGK4364pdgVUgAppxIp/R4Xsyi4CG\ntg9hdxAcMUzM6DciHKmzZly1F7LJp9HhzY7cA0y3YCkUFAzUfNYpgdJ8BckeZafZ\n4/6yKw/Xr6yWk8tg3bpwl1FWC+NPPTgLvabb6b/6EKZroT0SQphdVOuSoGqqHStu\nPuHP3LocYRWX8/TW8Rlf58BVpMKnWZis1+Xy0g+56BDggSzHtlt4K8F2iiEcapXU\nAetvp/OYshy1VOl+lq+ld85kz9/6ro80kwqDMB657tnXNTxghqKOonTTlwEJxkI1\n44Mgj7uo38Dmq20Y1oYav0THcJuI9sYMf+ig1GZT56j3iI73eMbDjJGcKO+a6C9Q\ntI4iPP6nFiAGCQZTpMmaqWN7ym9lRrffkvlwcfD3Sbk6X6f0RjGlbFUmX0ksydGF\nAgwDvZ9WSAhwutIBEACOhsdLTk9WMmksXzzjMZJlvlmmJdh2dX1i63RaZT/ZLTOS\nEkQ5qvkkKy92OUV3QWMA+TZ8GREqO/chAZC0agUK/sQq6sbbCaz0L+D7hVD/NYBO\nH5JlUs31Z9S5JOEx1lTFkqUTqYGypiHXoH5SIZiXCINFxTH9oEBKFpRYyBy8BBrT\nwgChoDQNOrAM1jIy/HBhQSykSSOAgO191qIDf05DJO6Io/tdrwj+KvhVfrX3OV0N\nTRIdb69NMnmD/jrWJui4IkiEU5KreuHBhlez2uzj9Qq8wzGRXG84gCajciIitZ8r\nurYBqOPoxHPsP3TAbR7ih4CmTopEctMw50+LBq1/oD4ftE/HetTtis96BuK/fWqG\nVgTFNvadSXcMVNp2gIutbzi1IgxyMt8wPXji4gcIbT8OWTY3Nsk6/Nbp5sjc5T6A\nqNogCLG9Rf1q1WERWLEIcCV5wqbS/dYegyvR2NirjC60iL04RzSQaClRAbgkXD/N\nAUh7ayVYtpcb4H0CsId8ylxG1Qs+bIUoQTYPEFop8qO2bV+7Q9g1LCEMLmUMmOYO\n1hUyIVRiTnSkTQYF2vZrxWGjJrdnkRFuWLG1qYyc1G5URiv5R29zQnY2Ww6zaKOM\nL5SKrVz+zPbiKHyT3wQsRhArre/ZBJqy24IB0w43WBTK9P1q19t6G74+0x4mFoUC\nDAM1GWv08EiACgEP/iKYEacSCEq/lKf6rKDwxdtxxJ5/lLUtgiFjSL6gfV3PxJRG\nnc1SMBO2RDR8lMOyzFGPnNWsTFmTa1A1TkQ9yPb8MgVEZhf+1wXGQDPy8Ng97+Ra\nn6cT5IaJZb5Tkfww53jDwWGnbPZwrSorIYd+/p7Xu703XZ2Lz5kQZiehbKiNcxO3\n2vJciT0lVAQWpmOtbyuvAPtRsc/qXbfOmmzzFBKa0caZPY2rquYnYU17ZuYkFVMk\nky7cDrJiWEuDfGr/AmcdWuRnZmD7QEYq7tHBxeyiwC6xdygfcJHg/RDMmKeCRibP\n9KdSv8yK2qR6xZwYbe7MF4XxoH+VHse4Byp9HWmy+SilAcmiAIkGB63VYibfJNq7\nrundhRyhKHBD+p2HNySPemVynIlTvErIxRMTs0t+davsLrsprUaErfNVgoDAk/oJ\nvuVbSkH4dUhRw+AE2uzaLR63N4mAKFDi+i60rLzeIjKRaWLYbtX3exfVtzJ2/AFL\nvxZEEPha0ddu+l9/6nyFxxwEbD3LSTAnBgn9xhz5uVOuJqwU9jpTKgwjWkGvfTIz\nHm/pM+fhx1PqMReQSI3+g3RtdaUeW88SnOcNN7QxS6VcjBPX4/RH+w9p9wZSLJIc\nmrLjVhHvj0D+2haicseIdeL5o/Zg0Sdi86TOLrGpGw+q/WljWxrpChJl/iyw1GgB\nCQIQjbJKHURAPuktpmkNv66l7q4AhthHWxRe8wNAsLLv9gTBlsM7RcT8J+spVg7j\nd+3eULppGCFfr6aMGgUHicE8WdYUnGThBastUFMg/nAhSY3YPBQp21ba2OgpHe+z\nasrxAXRCag==\n=RSoI\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/dn42-il-gw5/ssh.pub
+++ b/hosts/dn42-il-gw5/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCgFELN24kkb40/Pv2aOwhfqoqbCEdQPBTND7nTw1hd
--- a/hosts/dn42-il-gw6/configuration.nix
+++ b/hosts/dn42-il-gw6/configuration.nix
@@ -4,170 +4,117 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
-      ../../configuration/proxmox-vm
-      ../../configuration/dn42
    ];

+  profiles.clerie.cybercluster-vm.enable = true;
+
  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  networking.hostName = "dn42-il-gw6";
-
-  networking.useDHCP = false;
-  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:6::1"; prefixLength = 64; } ];
-  # IPv6 Uplink
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc9::9"; prefixLength = 64; } ];
-  # Ildix
-  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::6"; prefixLength = 64; } ];
-  # VM Nat Netz mercury
-  networking.interfaces.ens20.ipv4.addresses = [ { address = "192.168.10.26"; prefixLength = 24; } ];
-  # OSPF Netz
-  networking.interfaces.ens21 = {};
-
-
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens20"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
-
-  petabyte.policyrouting = {
-    enable = true;
-    rules6 = [
-      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
-      { rule = "from all to all lookup 2342"; prio = 10000; }
-      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
-      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffc9::9/64"
    ];
+    routes = [
+      { Gateway = "2001:638:904:ffc9::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens20";
+    address = [
+      "192.168.10.26/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-dn42-ospf-netz" = {
+    matchConfig.Name = "ens21";
+    linkConfig.RequiredForOnline = "no";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-dn42-ildix" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "fd81:edb3:71d8:ffff:2574::6/64"
+    ];
+    linkConfig.RequiredForOnline = "no";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };

-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.ens20.ipv4.addresses).address };
+  profiles.clerie.dn42-router = {
+    enable = true;
+    loopbackIp = "fd56:4902:eca0:6::1";
+    routerId = "192.168.10.26";

-  ipv6 table ospf6;
-  ipv6 table bgp6;
+    ospfInterfaces = [
+      "ens21"
+    ];

-  protocol direct {
-    interface "lo";
-    ipv6 {
-      table ospf6;
-    };
-  }
+    ibgpPeers = [
+      {
+        peerName = "gw1";
+        remoteAddress = "fd56:4902:eca0:1::1";
+      }
+      {
+        peerName = "gw5";
+        remoteAddress = "fd56:4902:eca0:5::1";
+      }
+    ];

-  protocol static {
-          ipv6 {
-                  table bgp6;
+    bgpPeers = [
+      {
+        peerName = "peer_ildix_clerie";
+        localAddress = "fd81:edb3:71d8:ffff:2574::6";
+        remoteAddress = "fd81:edb3:71d8:ffff::13";
+        remoteAsn = "4242422953";
+      }
+      {
+        peerName = "peer_ildix_nex";
+        localAddress = "fd81:edb3:71d8:ffff:2574::6";
+        remoteAddress = "fd81:edb3:71d8:ffff::14";
+        remoteAsn = "4242422953";
+      }
+    ];
+
+    birdExtraConfig = ''
+      # Internal
+      protocol bgp peer_2953_dn42_ildix_service {
+        local as 4242422574;
+        neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+        source address fd81:edb3:71d8:ffff:2574::6;
+        multihop 64;
+        ipv6 {
+          table bgp6;
+          igp table ospf6;
+          next hop keep;
+          add paths tx;
+          import filter {
+            reject;
          };
-          #route fd56:4902:eca0::/48 via "lo";
-          #route fd56:4902:eca0::/52 via "lo";
-  }
-
-  protocol kernel {
-          ipv6 {
-                  table ospf6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:6::1;
-  			accept;
-                  };
-                  import none;
+          export filter {
+            accept;
          };
-  	kernel table 1337;
-  }
+        };
+      }
+    '';
+  };

-  protocol kernel {
-          ipv6 {
-                  table bgp6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:6::1;
-  			accept;
-                  };
-                  import none;
-          };
-          kernel table 2342;
-  }
-
-  protocol ospf v3 {
-          ipv6 {
-                  table ospf6;
-                  import all;
-                  export all;
-          };
-          area 0 {
-                  interface "ens21" {
-                          cost 80;
-                          type broadcast;
-                  };
-          };
-  }
-
-  protocol bgp gw1 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:1::1 as 4242422574;
-          source address fd56:4902:eca0:6::1;
-          ipv6 {
-                  table bgp6;
-                  igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  protocol bgp gw5 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:5::1 as 4242422574;
-          source address fd56:4902:eca0:6::1;
-          ipv6 {
-                  table bgp6;
-  		igp table ospf6;
-  		next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  template bgp ildix {
-    local as 4242422574;
-    graceful restart on;
-    source address fd81:edb3:71d8:ffff:2574::6;
-    ipv6 {
-      table bgp6;
-      igp table ospf6;
-      next hop self;
-      import keep filtered;
-      import filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
-      };
-      export filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
-      };
-    };
-  }
-
-  protocol bgp peer_ildix_clerie from ildix {
-    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
-  }
-
-  protocol bgp peer_ildix_nex from ildix {
-    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
-  }
-
-  protocol device {
-          scan time 10;
-  }
-  '';
+  clerie.system-auto-upgrade = {
+    autoUpgrade = true;
+    startAt = "*-*-* 07:22:00";
+  };

  clerie.monitoring = {
    enable = true;
    id = "306";
    pubkey = "5+/S3Fj0HknkKgUTgtmDhS7MoHZ2Ygsi/+eij+Gnf34=";
+    bird = true;
  };

  system.stateVersion = "21.03";
--- a/hosts/dn42-il-gw6/secrets.json
+++ b/hosts/dn42-il-gw6/secrets.json
@@ -0,0 +1,26 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:qqia7se7/bjSXQUxR7O0Xr5oJmnWp9vu/gwJqYdmsJlgG2IctIT1miUZheE=,iv:QzMBjOfwh7zMysJHMf18StonFGIvDZ/zQZ3QbJpeoss=,tag:VjaNTlcyPh9NgqjBTHY2eQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1syldhpzgdu099cke2lexq6g9mtx7pa6k7jtt33jrxyhgpysf2d7qw5mzjf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZUxqV3BNbFU0SjRhWHpB\nbXc4bnhHUHdYckxyWlZ0K1pjbkh5cVRvT0ZzClVOVGhxSkhwMG5yMjREWnduQlY4\nbmRjaXlqKzduanNjRzI4TGpUQmd6dHMKLS0tIE5sYnlodmZrZWxxRnF5QlhUL2Vs\nVlJqSnNHVVZFdlhLaldva0FiYjcyRnMKp2YCzfnio2zZNnMD5viaxVRjfJapia41\n7UrJmMTrD40Bnw3DA66JWPzxHLIASF0Vb7x1blTozcRgST72JL6NIw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T17:27:03Z",
+		"mac": "ENC[AES256_GCM,data:r3Gi8RQ5IUS0/qGDpiK+Xyc1K8y/hYg6rPEfLr1bLQgJvn+PkZj/KH8mJnGGUVydWPZnVwMUcwUkhOndPhJEhD1xtRG8cN7BerpGmlS/Hj8MBfC+MPcT4Dr87NIhWlLV/bVn14t6S3a7YWmT8Oq5Ka5UhNeHp98cbrDpv7ROuqw=,iv:QEUbLIcBDdt9I7/Lv+loCFJIh63cEjhta3kyFnXG9Yk=,tag:5974Ps9Ez8n+J7SkjZ2mUg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T17:26:54Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//T0O4/GpIDgW7oB56Chmr3jNQME2DzPp2v+HrWiO8UI9s\nqiTPui5PvwE6MZBKWCWDdju+jPVA5T1uygwyMXPD7bmW13+Ic23eYgq0JlKILpjE\nM5ktX246WK7D+JZAqooqNt+Qtk/PC30gmqz/stv69YXkqHUO0hOJ4C7tl1zNEGpQ\nYNCCfnoMunESKSSroqzxdm37H3L6/paFlxoGV43KFZM3KwEvXH15/hhrna0i805J\nqkjvZxKEyKfL17/f4ZpksfFlErPaDVBjtjl+dldKxDP7aTrXSwb/dlFmTzsP0YcL\ncJgLQibJb1BivV8hPeR0WI7gISxflfh/9KF0P4/B5wwCbCbymeN8oncqFFpJ98Qc\n2796cj9/LOLBT8fJLLp3U42Fdbm6Gp67FSsiMAuG8ihTfxDsAt2qVL4p0FlOGoot\nEiryOyMnBgrTryc72GHJEtggrsxKxvc+1weAfCRVpy7IcggxBTm2ER+kouiQQbfb\nZv3f/7K1w00FVbk5SEH7MASLswW+kmACUQKV8vF3XIstgJT0qHo71sY9FExLdULx\nt6TbGJLV+ilTZSETwGFnLKQ7Qxyy5tFXDA5VURON/dtGoiIG7uJTHEjtgdXulodx\ngLuR9zJR7UgIQNbaefopFCRWYXAR/W0sTqgXyTizsN75CIVZBewakDxUVCrDWUeF\nAgwDvZ9WSAhwutIBEADS4b6DTDrdgOuGvBIJtBs11gxoog4DCOjYWLI4kcCD68R0\n4RjDylxzzvA4W3CgoqvHaNBmksNscVxXEsjdnpMWSUZtFGtN1xttAd95QXQSbb1d\nYN0Jz+o0X97PFPvlJSZ/P7Qa31Ce2cO2kUP917zW/Sk/irinBHUuxjRpzw5nKc93\nD/9i+IgXfLILA9rCH1q7xGFd4tCHtW3ELXi4qtv53Bo9tc9agG+wlDhiPbz3MITp\n0Ya+XYAsvNTq/ukHq1IHGVdbnsb2gh18xPNYB8X0s4gNL6+uaLyLUfA+9548MMeT\nBgoVvHMzVRSUslJvrxFiV7DEmSzrDp+WCPmNbCAIIPMk2H4IDSOgEyjBHD+0d372\nOtHaVn6koJ4Cx4ipF/XZL/iL165lFWkznpcPoyVXk9tSp6axWuv7tX3rFUw4emT4\nXURWTBopPKmeTk8lP2U6MrKdEnPhXPbLoYcMbpSqZvICj/BYdhhO1ntlU2GZHVFj\nl3PstfkZgbXQdh8yCZ3SElY4r7rQKeKpYHKL9mRbGdp/8DbGR1Q974+LluzLbuyM\nxNzDAJGxCKxbPSSp95H/Pv0UP3Se6LJDd/dnmMVW3EdKkHmDp7iwN4dLmoAVheRq\n6CpeYI7jqASGZ02LhNu1tOXdb5LRDKCb+9pO9QE0cDEMzqn3ApgcGb1yYq8Ak4UC\nDAM1GWv08EiACgEQAI0X93L6kH3YAuzJYyx+rYUoV0HIXJ2x2mssUiP7jiujKu6k\n44+GkjbG7XSv0zhGIGxILCFDG+FxFDmDdOtxUKKB2Ed967PXKsbyevYdYiZJw6Un\nLUE1hQ4YpJbYs+dPkTkm+/A71TSS/lUiyNJQJ9Mc9OTuP0DHEZWU22uhbFRMJcD4\n8VTrFNewtCQ+/Y5TA7x1aahPdvTuz7D372bg8XddkE36r2gK201rvm9KhDIYZN0P\np2UadFeLEbGzgkoBN/kKj+U+CEFn2WUF326ZoroNrvAuVSCfp4WPyhadAZ0hv4An\nBlK1gnokJho2RYvUI/PDfvPpqoG9JwvoI1x/tU2IW/V2P19PzkKCUyo0q/FcXwi9\ndD5y29BCGamn9VS2q2dPtxoomCD/n6gCqWf39BoZq08JSR5iYggikcYEcOzLdgF3\nQ7/gLOigtbQWnv42Cglf5NmfZT6BQAR8RSWd3GSRCp8qQN8QW3lJZSkqCYlQmShu\niEye2ajPeq3Ft0Xe+hjBD9XInMxZI6KFrBROB3/qQKnEu48jXwU6jCcP1vvm4YbL\nNRE0sTTw6P0Kg3sF7edqNvlF4XwJo4QwzEPB901kCyJKgMQZAkMTzCeS+TZjfOtr\nt/0iouUANl6CI+gns1RfUm0oLmJqBBfkvGF4RLtiRO5Qy1oUCLdOakM3gyZZ1GYB\nCQIQnCKilN/LbAYWW/kJLEkZVmK9zUP71phFOBQNvW5bOwmJ/y3QnEt3XbVuVyst\nksctGDMabxaRACR5Ua5DyI4Re+eTX0kX75M8U2QO0eFjKVrHdE9qVtmgWoOncHFn\nYlzveIE=\n=i377\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/dn42-il-gw6/ssh.pub
+++ b/hosts/dn42-il-gw6/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGI7h8xpVDM0BsY+XGwp8kX1XKn82Cg0lhd1M4Eldsp5
--- a/hosts/dn42-ildix-clerie/configuration.nix
+++ b/hosts/dn42-ildix-clerie/configuration.nix
@@ -4,26 +4,47 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
-      ../../configuration/proxmox-vm
    ];

+  profiles.clerie.mercury-vm.enable = true;
+
  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  networking.hostName = "dn42-ildix-clerie";
-
-  networking.useDHCP = false;
-  # VM Nat Netz mercury
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.27"; prefixLength = 24; } ];
-  # Ildix
-  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff::13"; prefixLength = 64; } ];
-  # Route to dn42-ildix-service
-  networking.interfaces.ens19.ipv6.routes = [ { address = "fd81:edb3:71d8::"; prefixLength = 48; via = "fd81:edb3:71d8:ffff:2953::1"; } ];
-
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens20";
+    address = [
+      "2001:638:904:ffcb::4/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffcb::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "192.168.10.27/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-dn42-ildix" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "fd81:edb3:71d8:ffff::13/64"
+    ];
+    routes = [
+      # Route to dn42-ildix-service
+      { Destination = "fd81:edb3:71d8::/48"; Gateway = "fd81:edb3:71d8:ffff:2953::1"; }
+    ];
+    linkConfig.RequiredForOnline = "no";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };

  # Open Firewall for BGP
  networking.firewall.allowedTCPPorts = [ 179 ];
@@ -33,9 +54,10 @@
  iptables -A INPUT -p ospfigp -j ACCEPT
  '';

-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
+  services.bird.enable = true;
+  services.bird.package = pkgs.bird2;
+  services.bird.config = ''
+  router id 192.168.10.27;

  protocol direct {
    interface "ens19";
@@ -117,21 +139,19 @@
  # Internal
  protocol bgp peer_2953_dn42_ildix_service {
    local as 4242422953;
-    graceful restart on;
-    neighbor fd81:edb3:71d8:ffff:2953::1 as 4242422953;
+    neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
    source address fd81:edb3:71d8:ffff::13;
+    multihop 64;
+    rr client;
    ipv6 {
      table master6;
      next hop keep;
-      import keep filtered;
+      add paths tx;
      import filter {
-        if net ~ [fd81:edb3:71d8::/48{48,128}] then bgp_path.prepend(4242422953);
-        if net ~ [fd81:edb3:71d8::/48{48,64}] then accept;
        reject;
      };
      export filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
+        accept;
      };
    };
  }
@@ -141,5 +161,16 @@
  }
  '';

+  clerie.system-auto-upgrade = {
+    autoUpgrade = true;
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "399";
+    pubkey = "K7NkCFKSnMIgC0D5wejSpty56AYacfxE+feMsfWtHSo=";
+    bird = true;
+  };
+
  system.stateVersion = "21.03";
 }
--- a/hosts/dn42-ildix-clerie/secrets.json
+++ b/hosts/dn42-ildix-clerie/secrets.json
@@ -0,0 +1,26 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:LGm+hg215dTJBPfwr6KXUl6jhKBOgNV+eglyBZVa//M6A44iGmk8AAITUgI=,iv:zcQQAY/cG/DGG5nGPLAcfPZXy7IiWAREVVIZiMf5zz0=,tag:M9P6UlpB2xurMfRn7TEl4Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1r44rs8ujkc3xmz07d9m7as8rg054fqmpmdt0fr4xd3tltk2zwcps98jm74",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyYk14c3RPQzZXTkhlb0hS\ndWE4YlNIM0Ira0JTT0tRd3N0bUNRT1hGczFFCkRLa0twUmxaYyswaUR3R003Syta\nNXpTMkxLWFhLWnVKaDlXMnM1ZlBWck0KLS0tIGpoNWgrRnJmOG5XT1YyL0x6Zk9T\nOVZ0eDdYa3BzQ1pBR1JaSnR3Q1h5eUEKQXrtxKZRwTbfiqVYFM6u8F7rIsk/fCQb\nsZ1fPSIhVI8colyzHDhZOEc95RC5FgbfZdOP5EPKPgEGgo/HtWetOg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T17:19:22Z",
+		"mac": "ENC[AES256_GCM,data:urrl88PONhdSQfnRxp79tJ0cShuD6I7BiwQj+7nVNT1YDZ0PlIRWCZWlrw0CIYp7pkWzE5UHLnVSPNDX8Pf99bWJqdo3kfnkxhcSAlOn0kTQVGVtRzxmFNYdu3Mvtni+ebHJzB92u6376j1YPhyjPPC7D1yV/8FG/MaHo/HMZ2Y=,iv:Ajrf94TeZ7W49PvOM4GiNip1YazqIoIb1KfTgahgdZA=,tag:HIoDNm9/b+6K/WOaH9eCaQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T17:19:13Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//Y4StFde6UAotA0bKAswDHVMFHXNDwi2u0DFQB87NMJTd\nyOaP19TZzVUZKl20QAhPoa87JdmdwWySiUW6HjQgFwDUm4HYsibufI0lml81KsM6\nYUNw8VZbD1rFs2H3Q6U8Qdp7pwfTppPIpe9l0z2JzC6uic87nhjtkaGGGvMqyeFg\nky4R7A9QDAugcM91+7gzId+0sPdbNV/QQL+PgEyiB0jhIt2bKIck/NUSxmIefEmV\nLpXWo6iV5Z15QSBGuN2cbZWInY9UbXZ/KH6bP0knQYX1w2sXmEg+KlnW9b7iW8Kz\nW9/FK6znPSjJ3+hs6Sf/CT6ZQ86rYJ5854dikuoBTKaeRgEQD6lX5o0T7T4p/n6B\nn5nQSBlg0fxCujpooq3n2hdghmSzKyQyonRhc5oDWKw/QWdkX/h6XLdiZvRgexdP\n8WpiModrxfzplZhtpcRdBs/XNFH7tnT1ZKeJODqVY4e0F3/6stnbkuJfeY+ZmTJd\nCC8HVrxaWlUtGu/67IiVz4s9mMgAsl8MGLp0mPyIEK3zVbnlmvVB+tQNe5Rb5cbk\nvpgivgPkmmgmTHRzhsCfnEXj0kN5SxQAXAmp8WkGChz/V0cft873RN3k2GYk7Iwe\nKJHpV/DctOpoqIq44dponJdqKWwXMSBHcFOt4pIJx85ma349yt80U3yhGr5oB76F\nAgwDvZ9WSAhwutIBEACNjvJZSGAfCdOdm5Q91Y3kFW7gwuTyQPMjdLGGd7qP0E4E\n0d9/aks6FpT1ycIP62wUIpkclGHv3YZuA5Tj3CGC4I3aqE2HspBxFdT8XF43w5Cz\nqqnNfhbQZxBOWJHDTsT96E3K+lZ8IIIgMPX8SHOzdrg7YlX3LmptHy49C5XpC9F4\nHczDLb6GhQzY3O0q+VFm6j/mWeWHJ2ygDZiL8w3lpJjMG7RPxRTVszAiJ3n7ltXm\nMcsLLVrRmvGRQtPD/5umFBpZ9XsLPupHCQv8YTIxmI9cY4RO9Yx44Uw7N4tQDVlz\ng+iK+5OsywDPYny5FWxNTuzcPokzEovzytyj9rs2PHyYSQ8Qr59TAzRNqKNUYuJu\n12I/vfE0xxaRow6f8BRePV2Yrb9kaoXEcINNTqCg9Q7XEPaaCp6dMHiJsHEtcDp8\n1XNss+tv1jOMP3OhOG3VZGNy8gRssbPa5BJvYpszr38BW9Li+6rC+afqTkVOu37O\nubFuGg8uL5QPH7NWcW1ohJaT3PVemA7MscmngLH4l9Qz8UXqkbWgJKYedVrUol+P\nG7K5A3lOzTKWlQu8CSFbbYGx+NnucJiAIy6eWIQB6bawfkQVET/00dy/7VuKcO/t\nxHj/6L5/GqVjPiGU3zyP+VlGzlsIkU7JsOMweKDaS7ZqUOGopStxaXPJyQ94voUC\nDAM1GWv08EiACgEP/iaNz29e9ZqInPXtrk+lCntzCteF5e+K2QrcdLT34+6bmlsn\nyNgOLNbrNP9u/1W1EFutAxZfeOLfk7rOtSSK2Zhh5C6u4OdViqVYgajPI7aAUfrh\n3cPgdlWFFcAbgKwwuDJI/qin0IuU2jSpVsY8Z6xfCNFPOZuvXC9UWJIUTjqVmfuw\ne1hQVn3K2XAGOcfJRopuakTRc/XrSIlZ+yce07nPpnc5vNUoE4e3NqEPk/pmgjm6\ngcEWKlveVpdRlTsbC4cr2c/zE8I9ges1ctduk9qram2laTJSa/tvSmIMnAmDuIII\nzY0kNOaJAn0mhSsDP1f+34/5a8rW8OivypAf+i0VxFvKGy955sHN6mmB4HONwURC\nrgAqZwBiT0mhLUsInJKk3BfSlo7th9T2/BXdBjgEIR15kjwij6Vkbdzz0X7Qw7Q2\nwySKZsiUVVDDPD7pp8FLtf2CEayCZeVef9ZlJIZ3Q7YqIp0Rv9LiLXHB5wbeFEIt\nepG8QBKnPgzgfUrO/Inbfr0AB/fDX5f3N2Bhh5UHU8S3uAJwZjGsjPUklT+ysQ05\nXFwIIgHXGCWXsg++PWw5GTlOpvaGTlzqBu6B0D/6diPRKnf1COOZtApwjhm49Io5\nV5ZOeZuABF54WvBrPH/rv6JUvYYPF0iAN3opv/0JJVGPw3ZRUt7Ix864VBYp1GgB\nCQIQKuDZY2reZmJzjudMdNwlw538VonNWfqOt7pv69UntLTXp3hKBZJODrDi2jJ/\nesCR3AZkC+L3A1qJwGOAJL60lQ575AZKAWhYCceEZd1p+4SBZh81GM46Izxr5fsx\n+57tfsT79Q==\n=rtgK\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/dn42-ildix-clerie/ssh.pub
+++ b/hosts/dn42-ildix-clerie/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANa33GhY8tK+rGFKjrEbaw289bMqh1Aazyo04B//27t
--- a/hosts/dn42-ildix-service/bird.nix
+++ b/hosts/dn42-ildix-service/bird.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 179 ];
+
+  # something doesn't work right
+  services.bird.enable = false;
+  services.bird.package = pkgs.bird2;
+  services.bird.config = ''
+  router id 192.168.10.28;
+
+  ipv6 table bgp6;
+
+  protocol static {
+    ipv6 {
+      table bgp6;
+    };
+    route fd81:edb3:71d8::/48 via "lo";
+  }
+
+  protocol kernel {
+    ipv6 {
+      table bgp6;
+      export filter {
+        krt_prefsrc=fd81:edb3:71d8::1;
+        accept;
+      };
+      import none;
+    };
+  }
+
+  template bgp ildix {
+    local as 4242422953;
+    graceful restart on;
+    source address fd81:edb3:71d8:ffff:2953::1;
+    ipv6 {
+      table bgp6;
+      next hop self;
+      import keep filtered;
+      import filter {
+        if net ~ [fd00::/8{8,64}] then accept;
+        reject;
+      };
+      export filter {
+        if net ~ [fd81:edb3:71d8::/48{48,64}] then accept;
+        reject;
+      };
+    };
+  }
+
+  protocol bgp peer_ildix_clerie from ildix {
+    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
+  }
+
+  protocol bgp peer_ildix_nex from ildix {
+    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
+  }
+
+  protocol device {
+    scan time 10;
+  }
+  '';
+}
--- a/hosts/dn42-ildix-service/configuration.nix
+++ b/hosts/dn42-ildix-service/configuration.nix
@@ -0,0 +1,85 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+
+      ./bird.nix
+      ./fernglas.nix
+    ];
+
+  profiles.clerie.mercury-vm.enable = true;
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
+
+  systemd.network.netdevs."10-lo-dn42" = {
+    netdevConfig = {
+      Kind = "dummy";
+      Name = "lo-dn42";
+    };
+  };
+
+  systemd.network.networks."10-lo-dn42" = {
+    matchConfig.Name = "lo-dn42";
+    address = [
+      "fd81:edb3:71d8::1/128"
+      "fd81:edb3:71d8::53/128"
+    ];
+    linkConfig.RequiredForOnline = "no";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens20";
+    address = [
+      "2001:638:904:ffc9::c/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffc9::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "192.168.10.28/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-dn42-ildix" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "fd81:edb3:71d8:ffff:2953::1/64"
+    ];
+    linkConfig.RequiredForOnline = "no";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+
+  services.nginx.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  clerie.system-auto-upgrade = {
+    autoUpgrade = true;
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "391";
+    pubkey = "Rfu2JLxAk0seAZgt43sOEAF69Z9uQaOjeNgM4jJF0h4=";
+  };
+
+  system.stateVersion = "23.05";
+}
+
--- a/hosts/dn42-ildix-service/fernglas.nix
+++ b/hosts/dn42-ildix-service/fernglas.nix
@@ -0,0 +1,38 @@
+{ config, lib, inputs, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 3000 1179 ];
+
+  services.fernglas = {
+    enable = true;
+    useMimalloc = false;
+    settings = {
+      api.bind = "[::1]:3000";
+      collectors = {
+        bgp_any = {
+          collector_type = "Bgp";
+          bind = "[::]:1179";
+          default_peer_config = {
+            asn = 4242422953;
+            router_id = "192.168.10.28";
+            route_state = "Accepted";
+            add_path = true;
+          };
+        };
+      };
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "lg.ildix.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        root = inputs.fernglas.packages."x86_64-linux"."fernglas-frontend";
+      };
+      locations."/api/" = {
+        proxyPass = "http://${config.services.fernglas.settings.api.bind}";
+      };
+    };
+  };
+}
--- a/hosts/dn42-ildix-service/hardware-configuration.nix
+++ b/hosts/dn42-ildix-service/hardware-configuration.nix
@@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5f2174f2-981a-468b-967e-1c1b6a32b8a3";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens19.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens20.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/dn42-ildix-service/secrets.json
+++ b/hosts/dn42-ildix-service/secrets.json
@@ -0,0 +1,26 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:kG/PCFQv4pRaup3sKOZNkwoJQ5Fdo/k5UUTh8/fedq87gA8yF7esZySUYc4=,iv:JYlaGotwiIiXVnfz98pjL1j2YwNtgoTmmk//9bABqz4=,tag:v7Csuvn1EjOxWnD2YHQ7kA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1d3scmrwmhl5wzfq632sjg679kae3vsn8q5lmx05xrltnh5jt0yls6xnm00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvM1hpMUJ4d2xvUWgxcFRs\nTGwyYW5vQWdwL1JObm1BR3J4OFB2Z09HQkIwCnh1TVlvUFNmOXVvdFZLL1AwNC9p\nNUxMV3ZsMW53RElXcU0veGQ2NCtyQmsKLS0tIG01Q3lIbDR0ZEQ2dDlONlhlSGho\nbU1LdzZlOGtmVmJKQjNiTE5RWVlyakkK2dm5BQ2P1cZVpFKLtARm1E9aoGM9j351\nbYmmdtTnXrgVM0rZuexiM+G+3MjZEFvGI+RkrFcGcY3WSKy0OQSlfg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-20T21:14:46Z",
+		"mac": "ENC[AES256_GCM,data:WdiOdmBc6EabnWM5Wkxj3W7a+qDJr4wQQEMR39bZabTMuW+8Y/p/eX5YxUL7U6XisI5c6JPIGcGYU7gaLWSvQ9uh6eFn/NZm+3WmyVXzAUjYDC2I8pm9DKAbPUU95zMmgSQDGJYr8ZFzfTDFepCn1poaxJ7TDpfD7tUfaDwDq34=,iv:vm6BHsXkb9pjKDeI/oXU7lYg4uHuFhE9g5s/JXDu5/o=,tag:hGGz8JKjBZ84Nx/3xT+p4Q==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-20T21:14:21Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAgc9leAf7bGiTcp9NJIjjQvoOCOllkpm6p/2nMoQZtdGY\nmA0L68jRwBhPZ6XSu1OfRCArWDDoUPTWIU0Oc/ev5yxJY9gyhQWQ9ddfJqKKHN2d\nUapLgcyS0vJNbUC5M1Se9M24s7MpLekMeohM/ohbm+/rr6Dro3qlBaf5jaYRZv2l\n1ciKK+A8WxfFKNPdZiKwSB2nrj5pS9v/bdkenUJSZq+cvg7btropXOslniMGGKvG\nPt5BauBYgCVSmjN+ZPdHHDA4C50mLTrQs+EB9R9XLv1ro6r1VcRmaQS332KTN9h1\nXFSp4fn7p/xOw8gcTcg1DuhLTxP5UWYTK/N/CqtozgiKf8jpEb50CFzp6JjKdd3S\nCyzSGnyWfWu1OU8UzsN+1uQDdiqhtflFI73UZuRNmffdnNwCUHP/0ViDIvyT+Kr/\n9XDjIEGZi0biOlFeXg6mb08D/vYbPp7gMShhLyTIWvlXVfiaEWMNlrz2a0iXBZDF\nKM2UVAX1J/3kq7eS6KgteedwTJgeF/la+shXQKVicJPhQSSnJtf7GibV+IybjS6j\nGuzvbTPLY1VRwhcr01Y2MsGTS1kuKvuYkmfbK2V9/ot0ioNVppiS7ivb5DrNglCR\noL7mdWITTkfKnHOVczquU0CvMdHoOOjE2xEIrGB+kLZG96h0bsppc6Dg3cDSZXKF\nAgwDvZ9WSAhwutIBD/94d2rtBuXPAIyGHc1EYUBE1NpPdK7FoFJf3an1PuxO4nb8\nQrFc/6sFtUQCAwT/Sau9d7JRj8vO6819ygyRQt6e5zzvbd9xd/mAyFgkKCvWlWZG\nXQttvkiINVQEMrYvyxCJwyTBLvwpv9gZhhouMZ/6NUrmZYOVZ78Jo4oILfS1W/OK\nmUruUbUdE9hVuA/VKbJ0W9vkg5Tm/sOp0lW1iITUQ8SDrDaXkyG9ceALxnTd5xCN\nZxPWY8GNEMOQZgnUeeN8nOoCOih1LSHrFhwKGyrZQo+anGHHSuUxPNkiKIeDHUdc\nNzxcnTyPnKfTSDOf88gqyC4UC4fcrQUVHdF2qJlWkfpSle0FGT6s2stvuiVLV8Yl\nN/O3/aVe5oT+XwsK4m+PAk2QBGBN3ivqfE9M4U/3AY8PRUI60qyLi7DOg+cnIfyQ\nfu8gWc69di2PhJi4Xy4Q9+kMUi5pAufpZdDME6HYT5EPBaO3oTWeMIi8kMHrc9e1\nXCHjmYKD6h9zv9XBSpBLZf2DguHUlMlBmx4JSX4R4q/eO/SQE1NjTkygD8RwnzA/\nBs5ZZ3lR1E4qpHTaLEp1j2LTORXdk5AoMhXyMzbTEjceCCVQM5TVMG5CrnPBpF6T\nv3G3SNIytz5jaRkh9QQZje2dFtGk1f1lrR7/uvDzvKDY5fZMuXw5yfB18dIw8IUC\nDAM1GWv08EiACgEP/iNb902syK7YGSXlz8lzlQY/uuUgoNN+12+CAOMP94tmnOhA\ndIo02zsnQ7JdOsguqm/hzl0aXOHNYbk78uq/fljnl7Vgackc8KNKZ4tI0kvDwO1W\nj+bISGeRcEkgOw8w2XbQkBBOWtT0Tea6lo3RwsOUR9O4uWifI083TSUFLKIe+2L7\nvciXuWt9iGYISUnt7nOOLWT1otCrZj0CnCyGNN0QPuN0PnUdq3rTF7OAEQXPXbp7\nzGpszkhwOv1rZ//wNX3kxw3CBuu10Z6RK/zX1jQpvRxo+nU3ACNhxH92q5dhinvj\nbm3uZd6N9GN/bjdd2ZnWuwSeovZqb4i8Abfk5te6KKpIUEm8166Wux8oHvVBpJgZ\nrXvP0WcyQJtFbAuJDw9GW1KIvz3disFvfGK4A0oFFk5YXVJqmIeUEz7fgVAIH9Um\nFFtc8c+qW6lMEJYTqZlrt9EkoochwLeI6zSONkDpCcXif7C/s8F7vvzrS0BNyQ5G\nMQqNdf/b6I5Ue2X0K6suIx6c54ThmsgtkM+Zcg77C9xF97kRZffFnB+PIsxYUUhq\noZ/QspiiqWkFRDA+1+3fwRN4bv3biCWRlIUm4YPV7Kxzo/Ycem3XZUd86vQZvq18\nsD+XT4tueGTcoyFDXg5a/IVEJ10B5v2ipr4j76wFZ29QOeMr+QnOQinj+eAm1GgB\nCQIQHL1VhjubcxdoWwKW5JvAEAsKTGUeAamWcPPA0n4/msnaR6kcTDLF1QjN/8E3\nz7WdHVikJDk/Bdmzx7HdmoRSckeZf2bk6DKtfUYNB7CbUWppwLIdRCNKGYgTf8vi\nRZi1vIZRrA==\n=EbyO\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/dn42-ildix-service/ssh.pub
+++ b/hosts/dn42-ildix-service/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbqGg6BF4MLSgDIe0Q0EsaogXPlYKHCNKWvfIXkNq7L
--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
@@ -4,32 +4,20 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
-      ../../configuration/router
    ];

+  profiles.clerie.hetzner-cloud.enable = true;
+  profiles.clerie.router.enable = true;
+
  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda";

-  networking.hostName = "gatekeeper";
-
-  networking.useDHCP = false;
-  # Local Router IPs
-  networking.interfaces.lo.ipv6.addresses = [
-    { address = "fd00:152:152:101::1"; prefixLength = 64; }
-    { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
-  ];
-  networking.interfaces.lo.ipv4.addresses = [
-    { address = "10.152.101.1"; prefixLength = 24; }
-    { address = "10.152.0.1"; prefixLength = 32; } # Anycast
-  ];
-  # Network
-  networking.interfaces.ens3.ipv4.addresses = [ { address = "78.47.183.82"; prefixLength = 32; } ];
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:15f1::1"; prefixLength = 64; } ];
-  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
-  networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
+  systemd.network.networks."10-wan" = {
+    address = [
+      "2a01:4f8:c0c:15f1::1/64"
+      "78.47.183.82/32"
+    ];
+  };

  networking.nat = {
    enable = true;
@@ -40,38 +28,6 @@

  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
-    wg-carbon4 = {
-      ips = [ "fe80::127:1/64" "169.254.127.1/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          publicKey = "5EVyQC0y704asO4SwsGbAoFGKusuO4a6IJ2bS/5bcTI=";
-      } ];
-      listenPort = 50127;
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-carbon4";
-    };
-    wg-porter6 = {
-      ips = [ "fe80::101:1/64" "169.254.101.1/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          endpoint = "[2a03:4000:6:48d::1]:50101";
-          publicKey = "Jr1GBeNWrYjz7QyiI8XSOSRo/kGsCCtGGAzxmM5Hkn0=";
-      } ];
-      listenPort = 50101;
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-porter6";
-    };
-    wg-nonat6 = {
-      ips = [ "fe80::128:1/64" "169.254.128.1/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          endpoint = "[2001:638:904:ffca::6]:50128";
-          publicKey = "0GGDyPj/0uMaba9pmOyj+Sx+3jMivpRdpTJhadl6bS8=";
-      } ];
-      listenPort = 50128;
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-nonat6";
-    };
    wg-vpn = {
      ips = [ "2a01:4f8:c0c:15f1::8001/113" "10.20.30.1/24" ];
      peers = [
@@ -86,9 +42,9 @@
          publicKey = "QGQHWwDE1XIeiReFcacLxin4Dqlz1pBXvttFnzBMJSY=";
        }
        {
-          # nexus
+          # ceasium
          allowedIPs = [ "2a01:4f8:c0c:15f1::8012/128" "10.20.30.12/32" ];
-          publicKey = "tEJzPPEJkoTPkhzTWyFDZ+5U146ovHA/4Mv3JButSAQ=";
+          publicKey = "tvWpYlaS3ItTWH9CZv4SHzXToIblJP2j+Mt1V+3cegM=";
        }
        {
          # terra
@@ -96,25 +52,86 @@
          publicKey = "peZ94x44sMRNqNxcaN+DI2UMwVFzugZjnnbqbxWcBEs=";
        }
        {
-          # palladium
-          allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ];
-          publicKey = "kxn69ynVyPJeShsAlVz5Xnd7U74GmCAw181b0+/qj3k=";
+          # e1mo
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8015/128" "10.20.30.15/32" ];
+          publicKey = "j+ao/TTTE2hThdqBtLQuC67QSaKXMhhWTky6MzkhrxY=";
        }
        {
-          allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
-          publicKey = "k1eQINwZPRdIEhND5sKAcHMxEpz/Z+B/2ZCdLhHCG3w=";
+          # jannik
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8016/128" "10.20.30.16/32" ];
+          publicKey = "V6Kc++QmJ4RkLSWvcLj/KgbIafvi7URV6dOgFnKSAwM=";
+        }
+        {
+          # evey
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8017/128" "10.20.30.17/32" ];
+          publicKey = "DD18B0plaYuhHK+yJ1nlEv6EmM+Krw/alXmz+X3SI18=";
+        }
+        {
+          # amy
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8018/128" "10.20.30.18/32" ];
+          publicKey = "tXO6qzYGTcuiMZhfTF2Af1qoIdpv3EqqepldrjVm9hI=";
+        }
+        {
+          # palladium
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ];
+          publicKey = "AetxArlP6uiPEPnrk9Yx+ofhBOgOY4NLTqcKM/EA9mk=";
+        }
+        #{
+        #  allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
+        #  publicKey = "k1eQINwZPRdIEhND5sKAcHMxEpz/Z+B/2ZCdLhHCG3w=";
+        #}
+        {
+          # vcp-bula-mon
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8105/128" "10.20.30.105/32" ];
+          publicKey = "6gi04ExLQnpwxmTzQwQz3AsPS+ujKmANh6+o0nAzJwM=";
+        }
+        {
+          # aluminium
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8106/128" "10.20.30.106/32" ];
+          publicKey = "kuUeStBuU6d8PGFHFhP5pEvy0nuZ0TmScI8w7MOt0is=";
+        }
+        {
+          # beryllium
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
+          publicKey = "SReFUcvw/4fLSkFGjkhDRyY9wyMCcjJ4Yiczt9X64Eo=";
+        }
+        {
+          # astatine
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8108/128" "10.20.30.108/32" ];
+          publicKey = "4b4M+we+476AV/fQ3lOmDbHFA0vvb3LwOEPVvNpuGm0=";
+        }
+        {
+          # zinc
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8109/128" "10.20.30.109/32" ];
+          publicKey = "syHX6PO1N3Annv5t2W8bdAo/kMoYenzrcPrUHxkIBEE=";
+        }
+        {
+          # zinc-initrd
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8110/128" "10.20.30.110/32" ];
+          publicKey = "kn6ZtViagKGSyfQJQW6csQE/5r7uKlbC1rbInlQ33xs=";
+        }
+        {
+          # carbon
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8111/128" "10.20.30.111/32" ];
+          publicKey = "o6qxGKIoW2ZSFhXeNRXd4G9BRFeYyjZsrUPulB3KhTI=";
+        }
+        {
+          # tungsten
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8112/128" "10.20.30.112/32" ];
+          publicKey = "OI5/psr3ShrwRqKTTr3Kv92OVRietTcMFNVXtsYybRo=";
        }
      ];
      listenPort = 51820;
      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-vpn";
+      privateKeyFile = config.sops.secrets.wg-vpn.path;
    };
  };

-  networking.firewall.allowedUDPPorts = [ 50101 50127 50128 51820 ];
+  networking.firewall.allowedUDPPorts = [ 51820 ];

  clerie.nginx-port-forward = {
    enable = true;
+    resolver = "127.0.0.53";
    tcpPorts."443" = {
      host = "localhost";
      port = 22;
@@ -123,133 +140,13 @@
      host = "nonat.net.clerie.de";
      port = 22;
    };
-    # riese
-    tcpPorts."25566" = {
-      host = "minecraft-2.net.clerie.de";
-      port = 25566;
-    };
-    # chaos
-    tcpPorts."25568" = {
-      host = "minecraft-2.net.clerie.de";
-      port = 25568;
-    };
-    # aerilon
-    tcpPorts."25569" = {
-      host = "minecraft-2.net.clerie.de";
-      port = 25565;
-    };
  };

-  clerie.gre-tunnel = {
-    enable = true;
-    ipv6= {
-      gre-carbon6 = {
-        remote = "fd00:152:152:104::1";
-        local = (lib.head config.networking.interfaces.lo.ipv6.addresses).address;
-        address = "fd00:153:153:201::1/64";
-      };
-    };
-    ipv4 = {
-      gre-carbon4 = {
-        remote = "10.152.104.1";
-        local = (lib.head config.networking.interfaces.lo.ipv4.addresses).address;
-        address = "10.153.201.1/24";
-      };
-    };
-  };
-
-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
-
-  ipv6 table ospf6;
-  ipv4 table ospf4;
-
-  protocol direct {
-    interface "lo";
-    ipv6 {
-      table ospf6;
-    };
-    ipv4 {
-      table ospf4;
-    };
-  }
-
-  protocol kernel kernel_ospf6 {
-    ipv6 {
-      table ospf6;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv6.addresses).address };
-        accept;
-      };
-      import none;
-    };
-  }
-
-  protocol kernel kernel_ospf4 {
-    ipv4 {
-      table ospf4;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
-        accept;
-      };
-      import none;
-    };
-  }
-
-  protocol ospf v3 ospf_6 {
-    ipv6 {
-      table ospf6;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "wg-carbon4" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-porter6" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-nonat6" {
-        cost 80;
-        type pointopoint;
-      };
-    };
-  }
-
-  protocol ospf v3 ospf_4 {
-    ipv4 {
-      table ospf4;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "wg-carbon4" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-porter6" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-nonat6" {
-        cost 80;
-        type pointopoint;
-      };
-    };
-  }
-
-  protocol device {
-    scan time 10;
-  }
-  '';
-
  clerie.monitoring = {
    enable = true;
    id = "101";
    pubkey = "H9Pvx/BzwEMM7acT9mioT8zBD2Yn13L82EKKqdAfeGM=";
+    blackbox = true;
  };

  system.stateVersion = "21.03";
--- a/hosts/gatekeeper/secrets.json
+++ b/hosts/gatekeeper/secrets.json
@@ -0,0 +1,27 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:90tdQSEYHcJy95AhDX0AT4HrXJK2BNqaeZMSZ7t43NlW/CJjOsfgcgO6EIY=,iv:B/RFe6bBBo5lielWMMCOnVlXrf7eooJFcerG30vxsFk=,tag:FOuPPWE5eP8BgWXni/3BlA==,type:str]",
+	"wg-vpn": "ENC[AES256_GCM,data:aFGd3R6hfiilCScRtmgS8jMLPQv++yisf1YNYnyARdL+KfW7RvvtGq4egpI=,iv:63WCUk52GdZYv2J8HX+dV8sCP7zKrjolIxGGosxJqg4=,tag:bJwvHiRQHD2FexwRF1hugw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age10npthg6ycgv6s40vynhj5ryaug2delh96fqcvjnc8nw2ccmjga7suxm7xe",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOcDJvYU4vdFJ4T0duWXR4\nVG15SFFZVDRSQXBDaFgxOGM5NTltK0ozblVZCmJXc3JOV1RQMFV4cGpvUnRIbGZv\nMmJiOGFIYTFqc0FVaEFHZnJjU1dUUDgKLS0tIFV6Ulp4ellVQzBsVkRjL0dIdGJ4\nRE02ZFpxNU9IMit0UHdIK2dHOVdXekkKTIGrO7fngsJMTMiKb5KSMh1BCtwTVQCG\nofSx9j9Bd2gz6MPz7Rrft4B67eliHQ78yHJbVvxO9m3cwHM3fv0AdQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T17:40:19Z",
+		"mac": "ENC[AES256_GCM,data:xt8AFwN+Y8x2kWQVH5MPEPzzWm5m4kgkt+mYKoFbRpfdA6FVnlhl+W+jmZlDz6Hbh6Dkk3cDvD3A3PpvYqsctll6mkjWQLBKphhnZIsGHzAHgdn+cpJ7VAPvWO4iEPjv5ChrPo2JAOKvQcJDooG7yWGB3ltzBqBWCH6TlZ2qxD4=,iv:4HxXa0tWiweHoYG2c7VrLoKgphRX3WRaAFQC98iAVJ4=,tag:y3VBdl2QpEOn1Z5IPS2aVA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T17:38:49Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//QonQ5TyKJqsl5ma5UvVOONrc2YXXRbLW7cUxU5FEtkU6\nfvMzmQPBHRX64BMOgpmL32/gCJKB+Q/gpl1RciQBr67DwAQczaZ6E4sUEPeFqiTf\nEUXCRYF54ctaW0Tn8kmTAmpyRxx5Y1jiFK08z4w0KXFKuLHBzrjxbPwu4EYeHp6V\n2XyVKPXEhV7UXxhDgrL+nt48zT+8RixWxm0B3oUGfk5lwH4vAfCAosFxP/IUYza7\nmAB3vM0Iywo9voX9/BPn5cOHvdFs5GEhNHs7X0eJPf3rV6oPpbf117TS+4qpWuhk\n97AyHPoWj8JNIxiIB0YvojBzXsxk404XfRh09dyRKL2dEsV2kve/0Sr1roHvhGwQ\nzhKaEknbC9N7DrL57dnryJhcebgV7xEWyQNIADbDCPxS0IkCoQAFxw0xdxpyQfrg\nVSVBnl5wQr6EgN+AbarXqO74U9dtXfT+eaKYW+Nz5+6aI4TLmp29Gin+m6Tisn+/\n/RLDJdmpX8n6m0s4PiPVm2B7VAo9S8xYWN2lyEjSxFQ3+1+pYB0P7VQHAoFGsQy4\nLVaCzES9dMqvCMJOMTFhDvCfJ9FNa1x8HXPN3YjFgESfmCr9nyr3DJp3wqtKM5tE\nLyfGBBRpEChnuVJdXyUpJFag1l6DtyBCBHSdz3KTAmdD4ltGxqdFFl69DhdBsguF\nAgwDvZ9WSAhwutIBD/0eOOFN9OC2m0r/ZFPHuOE3MNhn0ygS3BdfURcCHcNN9EC0\nrzJ7ZBfIUiUifgdjqQZWjgndGNWZ3iLzePpS4bXfcxl6LvRGnMOOSE2d4EBFSb7o\n4YbtuFhhkO+FsHYOyb76EyrEQoJ64GiozZOTKgDBJ7zWF5KLddjkqU610uyPlLpW\n2JeD+bo627ulRS7eW1q2BTQIsOID/+1tt1xT7szQ1LotM4fm8uHsUZhZ0ILh5QIj\nHUCBGJOeLTJuyMHrzbD9dRphtFOzoT12WOG1mpqdEe4ujtXJaSIjqrAu95iKJ1zQ\nti+ISotBI2v8k78xETiFoHSpcrecjpamy8cYPX7B/f19zIpdA59G7HQkeqE6hcMy\nTBr90WgTkuBMKZ3XFuii/4J6BmMwy05q3BNAjO7LbLKrMwdaqhTuyWhUpQNIW8kd\n7sdWimZSxBM9bjEMYmF2XdDCHQcQP0hx8yE6p0LHMYsLS7uBO+KFg72Mg8EnJGfS\nSGxNqCwf7YSExOMGkxrga1J/AbGA5M7AI+b4Hj2zV4pV+2VyL1+dox7ovB0gZRP3\nhCoUCx/fKZdDwXlqwun36f5995L6LAzDfM/d9MGV45jz3zWoTpXjX3KUNC314tsX\n6/95J83uJr/KoQUotXXzosJqBDr1rCzE24AZ9ZO7JA1chZeiYz+UenlHGq7DuIUC\nDAM1GWv08EiACgEP+wfsWD0gbf/A8Ph3VFpy+K2kix7QJGvumRcdzxO0/XpKs49I\npAh4RmeDr3rVNOsWrBEIbKb184XabR33g6xgXRNx1H5LyUMRZWJ2N3UeOe3g0rH4\nKyC1ycm1Utp//4Ckrh3F8DADXZH4F4c3cp9YwEz0ZWgkTzqi7LiDk8YnMMBqdqdD\n7MB+g3COqcP0A4rOn4ZfBcyt8HPakxARLgL1cSckCJeQpnrexYQCRXeqNMadjbuS\nEM41/vlOukOw+JRsVO8aDTM99r4GBlBgoxEDy4P0IEutWU90RANkEwLkuil5hwMC\n+sPTi1GP1GZOlunAYs8tixeaYNuw+TLy0L8+ZnnCdh38IgjLCuZQrSoi32l5bFrO\nyj4mbN0oLdwVQd+zxLno0fLo1OMHe7LDCirhK7j1r8v3/cSBb1yaesD2SGsnotXD\n87uaPhZ3zj9AET5SPC+lkqB9uJ3A9o1WAmcQIEQe8REOThE8zarh+yUYXsMndwRH\n5IPGBpkoq/zO3n9AJA3IxSrSYhKRgol4jz21XYkpmy+tuwcPoaWI/dZqD2APtMXd\nvuGLr7dACXm6kp5QCPlCFYGVvHOqJBCaYOK4fZt85totWQD+JvHyiPPA2ArblIcA\nwQLf8bEQ8cAXHwWA9OVc6r03bGDTAHKinNyrbw8G+M/nUrF6PwYrVLym87Q51GgB\nCQIQkm+IOyGpl/9gckDZBLG9oFFm/b4Tvi/IFvTy0JzQhgJJ0Nma8ZYC23mInMPl\nwv10rPn8INb6N621Qg6hORzhsn3enCqYXz2a6QRG0Bz8AU+6LiSNqdUjUxxhjzaZ\n99G317yXDA==\n=3IUP\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/gatekeeper/ssh.pub
+++ b/hosts/gatekeeper/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhHoM0m6PZnCCzWOugKnN/BqhadwYzEE8xbABQxEhgo
--- a/hosts/hydra-1/build-machines.nix
+++ b/hosts/hydra-1/build-machines.nix
@@ -0,0 +1,36 @@
+{ ... }:
+
+{
+
+  nix = {
+    distributedBuilds = true;
+    buildMachines = [
+#      {
+#        hostName = "hydra-1.net.clerie.de";
+#        sshUser = "root";
+#        systems = [
+#          "x86_64-linux"
+#          "armv6l-linux"
+#          "armv7l-linux"
+#          "aarch64-linux"
+#        ];
+#        sshKey = "/var/lib/hydra/id_ed25519";
+#      }
+      {
+        hostName = "hydra-2.net.clerie.de";
+        sshUser = "root";
+        systems = [
+          "x86_64-linux"
+          "armv6l-linux"
+          "armv7l-linux"
+          "aarch64-linux"
+        ];
+        sshKey = "/var/lib/hydra/id_ed25519";
+      }
+    ];
+  };
+
+  programs.ssh.knownHosts."hydra-1.net.clerie.de".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE2xQBCsFBCwL9n4OP/bPngtNO1fy9kPw13Z/NDoba16 root@hydra-1";
+  programs.ssh.knownHosts."hydra-2.net.clerie.de".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZED9QM+qe7sB6R6atvP6WNaI2sC2nh7TTsD6kgRpnr root@hydra-2";
+
+}
--- a/hosts/hydra-1/cache.nix.clerie.de/index.txt
+++ b/hosts/hydra-1/cache.nix.clerie.de/index.txt
@@ -0,0 +1,24 @@
+Nix Cache by clerie
+
+Public key:
+
+  cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=
+
+NixOS Configuration:
+
+  nix.settings = {
+    substituters = [
+      "https://cache.nix.clerie.de"
+    ];
+    trusted-public-keys = [
+      "cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+    ];
+  }
+
+Try:
+
+  nix build --substituters "https://cache.nix.clerie.de" \
+  --trusted-public-keys "cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \
+  "git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc"
+
+.-*..*-.
--- a/hosts/hydra-1/configuration.nix
+++ b/hosts/hydra-1/configuration.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+
+      ./build-machines.nix
+      ./hydra.nix
+      ./nix-cache.nix
+    ];
+
+  profiles.clerie.mercury-vm.enable = true;
+  profiles.clerie.hydra-build-machine.enable = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+  
+  boot.binfmt.emulatedSystems = [
+    "armv6l-linux"
+    "armv7l-linux"
+    "aarch64-linux"
+  ];
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffcb::a/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffcb::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "192.168.10.36/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+
+  services.nginx.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  clerie.monitoring = {
+    enable = true;
+    id = "210";
+    pubkey = "bA7b+vRlfvbGma74+Tz+FHGcRKPe+oAOfXmuqDR4+Sc=";
+  };
+
+  system.stateVersion = "22.11";
+}
--- a/hosts/hydra-1/hardware-configuration.nix
+++ b/hosts/hydra-1/hardware-configuration.nix
@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/05ec1a84-7889-4551-bbb9-388b90039839";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens19.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/hydra-1/hydra.nix
+++ b/hosts/hydra-1/hydra.nix
@@ -0,0 +1,28 @@
+{ ... }:
+
+{
+  services.hydra = {
+    enable = true;
+    port = 3001;
+    hydraURL = "https://hydra.clerie.de";
+    listenHost = "localhost";
+    notificationSender = "noreply@hydra.clerie.de";
+    useSubstitutes = true;
+    extraConfig = ''
+      binary_cache_public_uri = https://nix-cache.clerie.de
+    '';
+  };
+
+  services.nginx.virtualHosts = {
+    "hydra.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://localhost:3001";
+        };
+      };
+    };
+  };
+
+}
--- a/hosts/hydra-1/nix-cache-key.pub
+++ b/hosts/hydra-1/nix-cache-key.pub
@@ -0,0 +1 @@
+nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=
--- a/hosts/hydra-1/nix-cache.nix
+++ b/hosts/hydra-1/nix-cache.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, ... }:
+
+{
+
+  services.harmonia = {
+    enable = true;
+    settings.bind = "[::1]:5005";
+    signKeyPaths = [
+      config.sops.secrets."sign-key-nix-cache.clerie.de".path
+      config.sops.secrets."sign-key-cache.nix.clerie.de".path
+    ];
+  };
+
+  services.nginx.virtualHosts = {
+    "nix-cache.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."= /" = {
+        index = "/index.txt";
+      };
+      locations."= /index.txt" = {
+        root = ./cache.nix.clerie.de;
+      };
+      locations."/" = {
+        proxyPass = "http://[::1]:5005";
+        extraConfig = ''
+          proxy_redirect http:// https://;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $connection_upgrade;
+        '';
+      };
+    };
+    "cache.nix.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."= /" = {
+        index = "/index.txt";
+      };
+      locations."= /index.txt" = {
+        root = ./cache.nix.clerie.de;
+      };
+      locations."= /nix/store/" = {
+        extraConfig = ''
+          return 404;
+        '';
+      };
+      locations."/nix/store/" = {
+        root = "/";
+        extraConfig = ''
+          autoindex on;
+          autoindex_exact_size off;
+        '';
+      };
+      locations."/" = {
+        proxyPass = "http://[::1]:5005";
+        extraConfig = ''
+          proxy_redirect http:// https://;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $connection_upgrade;
+        '';
+      };
+    };
+  };
+
+}
--- a/hosts/hydra-1/secrets.json
+++ b/hosts/hydra-1/secrets.json
@@ -0,0 +1,28 @@
+{
+	"sign-key-nix-cache.clerie.de": "ENC[AES256_GCM,data:V6PHF1p8I43uErwNdixWeU5dw6liI/8LtFL61bZ7vldvv/7RbqJ/e5gvLYhrsK5hzLYbBqKEpt2v7007Jh/A16fX0VZ+M1d5OqTClAzRdW6FC/A/JAaJfcDphYK2MXeXdNtN9WlRS6hBK9T6,iv:Y0eiMTFu34/Oy6hRHHPJ+wWOJsJ9S7mUFKwfJiRwjus=,tag:sYsjS3LVGDPUy2ZrDlXw8g==,type:str]",
+	"sign-key-cache.nix.clerie.de": "ENC[AES256_GCM,data:vuc21vilquxcasVXv7dsMSDxq1i0pUENmuoehFZHQd2vJqpkT8IFjwRBdVScxBgcz2/qv1iA3Ou4yBVPAfUKmOM6S1hzJGPxOfQySUTrQE6LgJZFAe/nKxNdiE0cBksMF7UtfJt4AmRv93BN,iv:s1N0U1X6sY/0HM7OMAGjrqFRRpiwHpedQn11/U3C944=,tag:nDrmDhB4D2OCu1ZLfoflag==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:C5C1s8GgEhu0QrIYiToJu/6Be7njwwNzdj5oMDGihT0m4lCtkwDI9NPxdBQ=,iv:icgVuwsJjl9+6pank/0MenY3Sm9eZiJ4KqQHASz+GXE=,tag:ANKZxndDHXAakUFr0euvkQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1v7etelmpeksue9q4fdz826e4zd8d45vjfm057m33jmjeuhr6dcssyw4f60",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiS01SZzVxOGVjeDNuMEY2\nMjd3VjJHRTgyckZxbitFYTg5cUNZNHk5TTM0CkM3QnZyaFFmTUp2T2phZ3FuR3lR\nd1E3TlpsRnBQVXM4WlNIKzdTelJIbkUKLS0tIG5xR1VlK25LR3JucDIwakMzNVp6\nYkI1ZmorajhDUHdHZHQ0QlkxMkE5dHMKTaffSqKMM7Z6pDmMLvRr6MEsNPvJ9ycF\ny5Wilaie7qdFPEWJDNXOmmKwJgF/wPIsYYouL+YlKaOalL4X0i4xgA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-22T15:14:09Z",
+		"mac": "ENC[AES256_GCM,data:kOC/GOhtq00jcHQoLSaCeI9ACUDv4aoMH8+Zn3tCEpK2k71/mdzV0ces5Aojxu7CIsZh+0GpStCPVgA68Ke96PKt5yYv4G0PaN0dlFs8luvl29OcvEWIvM3Hzb3KVmp5/rYsch4l1YrxCO9PqNVN6aIwe0mdJlLLpwTshZ2bgu8=,iv:0YkBoKBqi7S3ioXbo8p1yr5jVRjjBAI/y8cy9VJhIDU=,tag:3VQKXWhoK+nFZ4WKz3Y3AA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T16:29:22Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAjrV8h3h9H5LiACawYTxnw0Zf31/4NSR5Wnl04IWN+qNg\nbeZmxj4KWuN2DxEjeERm3yNmyzDlhj7LNvmEMpdhE8DGgXVnXOeVvM+GPuKh4ej7\nLy0leHsXvyje12rzSw0Fidqs+PbXpsbeo4NmnNi7VIgjs3zuAzlNuH7AnLkPmUA+\nUAThUl+mswjARYr7UhP6YipQ2mFlrC2oL8guPwpWKvIq1rW8t+Ug9O8IMCA/x/iY\nJZ/04Tygc/EnDuCdvzMOf0n5xWe6CxRbgt81cfeoEP1PVJfof5pP4Rnfob22izst\nxBDnjnxd08xXOkPRHPN/KliMgRxmIVtlWz2tvL11OEmE2N4HJs+K6tpMbHMSm1UG\neA1mseDHw/f5z6tmH/sLFNtyXoznfiLoiQ83T+dUIeq9V9FEO7RqaeI8Qdy1enSQ\nCUXHdc4T3w525px/kYEm8QqUtyWcJHls609WG4togL4zll4MHsGP2gxx+FU4ezWI\nakD3j2KBzSzVP/UGu/oy9bDD30aA29+AJ2gNbvm2kLlY7K6As5u7Ug/u55x/tKQW\nbSbvcRzSXaAWmJtEld4EL+CdEphyMGQSdRSCceS9AqfTtvl88vlNp7EZK7mL4oBC\n8Rox3xzyRkqGpNEeryl6GIi0Y5QUe+AmyGPGNkqfzK1xkafElkqhhKhyOPVu27qF\nAgwDvZ9WSAhwutIBEAC6+vzKfG/E6ZT0RXE+rqrLx8lzrES4mhhOWbktyA1Y1CPo\n3YUkGSZHLUgg3zR4RlT1bhdfG3gpsYizFe3pVsMMkNrIhrPv4fDAqFNSBfVKYJdR\nKb59Qpxpwq+bBdu4Rame2ogTXwzTpZtW+y9jaWoxlgjCTMdlaNzsC/I2SN2gfDFe\n6XqPJaN4VrHX3jXlqrEDjrgFSn1t8ozxe+saaiX8eHygJJyAOWp0qhkDbhJwv9eD\nRveVAhGbQA9z+f6tKXvQiCJbW8GSpu3Udze34f315XRig6tVvAOsUw7zELjlXGHj\nfZVzrBWuC2GtE/uCC4iqIoPGjpk9RZ2fBgSCUVqhQMR4ZxDfB2uNSU4YcsrcOsjn\npUCzGDUWbO8ZleUTWQUehsrWYiZnF4n8M6d6zT8ihgr978iB/NdWlq1nByG2v1DX\nLKgpigiz60kN+EXJyAM1wd0m/DXnFCMnmKLLvto0ACwKe2l5gRXCLpIij7EqWWk1\nU5aQ/3M9YwVMGLGpPDFb5RJ7GXAXsotUEe0MRPeEIhvFdZbGOF9Xtv1E9WJ2PTaF\nwsDpPlufvd1qa/7fXM1ra7nxoksN5I0XYu3NjtMM+2WAtVSBZ6vASWxu5Che5pSt\nXsv9is4H+ORcfd1KDKfGwZtGoGwzeVN4Us6xirjeLzIOdE6QPfw3VYa5eC7YoYUC\nDAM1GWv08EiACgEP/2Bql2AOtUUcrzQIupSut1Bw4jt/Be93I110pjeB4typASRv\nolZgKcWUyv8P0jD3RRwoxJigJjLEolpLSy6F88w5M07fNdtgROuzs3M7nd7tMPS9\nR4RZcLJh87AFVcOt62mM+8FbvA2KTcDmFuA/h+z5T0SKZwjA6xkC92wS7qpYRbOo\nqqnqOgOpv7O3KUl8CQUgeA7UcpWA1Tqu4kEUN4rhaLnJzB/KUx+UzfgumBgrsAss\n2/XcT2l5vZSwmvVbpj1Op8SJhqfB0A3/h6sfq1pxzyDBA7OvsJekdTDwLl2QZtHS\nbKteh4iog5CRSAlbrwt65krh84RJyEU238kzeg1C7JMj799/6paXyWqOZPZaktew\namzFksVdZLSosMFKRmraBPJkTYqyjzy3U3OsXSz63NnHAbIyWJg7MzTLDHHoMSus\nXFXQXXrEnHZYg+1oynTTa0KOD9gEaz0ResHxMokZL0D6Y5FFtM3F4Y5Usvm/ZkM3\no7R8Mh7yKODBPwAO4RXAQQOqWsT+MqAhNHtjZCzIE+mtcY9v3VcUENs7ZDmC6/Cw\n7zl4NxiHOw0874q3DoZtyCVVN7iMnhg3ZXRYOBzaLeUZQP8y5Ex2gjE3nJ3sAy/H\nYdTmJYg7G9Gz4Ffced32hNRD+44XrKXlZBkCKpFGwWHJrjQJS5imrIGdFGvC1GgB\nCQIQfn/f746as53METJMSWUlxADRft5dqrMqqaaqDNAVR5W/Qmsa0fwAUQf76Qxa\nz1++MconWYhB9No/cWM1GspEDOShz3scZ/wth7MmOcBPnscIcsMTt1A0AM+h2hF8\nPOECHUyMzw==\n=SmBP\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/hydra-1/ssh.pub
+++ b/hosts/hydra-1/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE2xQBCsFBCwL9n4OP/bPngtNO1fy9kPw13Z/NDoba16
--- a/hosts/hydra-2/configuration.nix
+++ b/hosts/hydra-2/configuration.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  profiles.clerie.cybercluster-vm.enable = true;
+  profiles.clerie.hydra-build-machine.enable = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+
+  boot.binfmt.emulatedSystems = [
+    "armv6l-linux"
+    "armv7l-linux"
+    "aarch64-linux"
+  ];
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffc1::100/64"
+      "141.24.50.112/24"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffc1::1"; }
+      { Gateway = "141.24.50.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "211";
+    pubkey = "aWtxaM6GKhPwIJWRIQSqJwUa6nhfnD89JkkN9bt2NwE=";
+  };
+
+  system.stateVersion = "22.11";
+}
--- a/hosts/hydra-2/hardware-configuration.nix
+++ b/hosts/hydra-2/hardware-configuration.nix
@@ -0,0 +1,32 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8ca81275-100c-4c09-82b5-665b1542444f";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens19.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/hydra-2/secrets.json
+++ b/hosts/hydra-2/secrets.json
@@ -0,0 +1,26 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:qc1VehsElpUpX6xzEn5qtge44farh48fZ9GqC//UbWK1LDrlEktGrU1SCGc=,iv:IC+WInx+Lb9DvExID9/Spk5rjkeDoMZOWTPP9S28PvQ=,tag:/2IjntZ7WV5MCheYr6xSIg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1eye7ssyazf9rndzkerj2dul3ryyuwha4v9r8gq554nu4l8k4cf9q8lgsdt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUkF4ZUZxZTVUbFNFRDMy\nS2RUZUhjUTFZclBYYzZyaG04anpPcDVLNXhRCmtkUlB5YWo1d1hsdDRCWGdVRkk5\nWnRXbmg3d0V5Z3VKeUZ1b0hGQWZIdEEKLS0tIFZ6V1RZTDlCMXNZdUNVRUVJaGta\nRy9MbnB2dkd6RGlOaVhJTVk2eGdvVWMKZSzRhhjAxjLRcQa4Nbvyi7Zls3mJZCE/\nrUqcHuyduael4qrTbfk/gt2A/9xPkUzd6HkdhlohJbCWQlTDU3wXGA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T16:46:44Z",
+		"mac": "ENC[AES256_GCM,data:h77zaEMheujRolb6G4Z9BpFdNFrolxy2+qswaSFgsgbM9ZwqD8jB9wqPmg+bjnAd+LgElpTMe1qTOwxGr0dGimxaeG8eXWNhCjZTBjr2vj2cg73ZceO1xtqKWK3hXP+WN7N4Mx4SnwRdW55YgJ9YuUpQm/usZJRwhf0pRBtFVSU=,iv:oP2AFlAogCMLyt735UHDFnNlJHmfkKMTQt+EXB8kHrM=,tag:c0UaF2QnVsgv/6rGGxfVHg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T16:46:31Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//V4COlA/fpSiHUfBinB+ZjThFHu3Ddk/cLtYzTXzm3LoS\n1JGiyC0mjh02meuLBI0m4vkX3o79/kmEcpNgDihNR9dbdKZ9sA1VvV142DR3jneC\nCoo/q8Jl/8Fpb8DEoVSZbJzG/QdFgmOo/cbdZmGB7iqdwwK6A0tp1EtTLZyq0pfX\nBMcMMkcKn+EOh3Ul/7PpEu5/qUyaR97pXLnsxjBZGOphmNgcXM2tZErkjf+czgH6\nm576Bt7z4hnCtFClPs3nJIA4nfaUFwYgsWkdVLfgv/jKXyV+Weci7WONdVWo5P6W\nuIA23zY32GTv6EOsk4kb/Jrn77r1G7mOOA+6mxVhzA0E3EHxmwLpEW7g0TtDTDiT\nyiIoR3QwBq2hZa+HOloEJ+pOnmhhiVEAWw/HLbH0zfEfPCA39feAiaWZ5gS6naeU\nrlUQIKV3bFrOyc3O1ghlBa77M5geRbdeJ64n9/r0gLi5Qc14yAYaO8mz4XUhZmDf\nXQW2a90sZ8A2KkrMGE5D3xp2L+61fjJ5TxAQi9aeEJwQHgb7I153k8J77vKw5CVo\ncQkwBJDGGtPftyysyHpGTQ6CCaLhC8f/MB8Mvru5r756zW8NbYcXt0lamxVCB6gt\n1+AUwoUzRmAAej5M4n0Zhv0tTJymyrVsQKjHyKlGDEB3frUlHXuDUUrg8dxZ5ByF\nAgwDvZ9WSAhwutIBEADF/hOya2CKNcixVdlOrjhbc/Fgr48R34PPkTyCeBvP+OkR\ndmu3VcXrTIPcFboMJQIp/m8cyUOL81n8EM/ilFpTJV2N6Pof94ztZDCRAOfy9UZ7\naMQJIA9t4V4oHTH1mFdN0t26WfqqNTzaELIzIHzfuXp7AGZY2So+O2U8RKwwGVla\nnAaXyHBlWUiLsHMWzRc8OwYRR3M5d8Wbz7E+K5+4kLZZNKE9AIu4vxnddQnGy8Bh\nkkykgnz3/my6Z6aoRJOHeqiy77ICO8sJGHqd+9xtUgJHdi3/ZVlZSmp/tMTx/MMK\nG4Qk5/R9KG5PTLZlHLz0v0UHZrmJbQaqQMcKoxFJFae4ygxUEcwVGweCRXd9u5jb\nn3kxdp6dYvMDTe9MPRr0NWNyO8ioNVWmBw7W4OdAJxhnyx4C5//yIpBB7I0npwDU\nOMM8WcHkI/N7+v7gf1rSIcArKwKQO7Be8d8MGstRTrEaqs7WgslSveO41/qQfFvu\nRw29MHIvF8d/Mj7YwMHUTLFYiKwOl4ccDw5lpnTKu4Oj55l7xHMSTYLFBz1EYlU5\noSp3RipvblXCkesgYjZxwZiWpYPnBWUXi49Q2pH6fJ4nEClB802cCFNbmZxwL8QQ\nzpOU5zDPLMiN8GaqDMQEgFTVPdfGkdaK1yQVLQkb9vmeZtGCOj8D7edd6e8QYoUC\nDAM1GWv08EiACgEQAMLQwhngxPMiOdzhtNEv4uyHA7hS1E9NIKMNXaXnGNa1WBib\n+cZ06MCGsCO4E0+h9oGLdhIBx/qQadu2FU4nMY/H/IuyRLAJAeGC3VxTo7of6Wez\nHnMepaeP4vdct+odlhK5l+i16CYcDk0LeC/6MbEQmAcTsf6EWZ3Nt0xR6mwV8mKS\n5CMhPdL57t26kJdkKCr782a7j2fsqU9x5rahskuGC4QtYx/J0QabDLaY80zswBUz\nDXiFhAsDIx1vXaBtSuUsJBtA++eYZ6ysJksZLksTuoiR1Z/RLdFHXNavw/CAjd5C\nHQ7n13v4G4p/7UE2cCqK+5yNctxLeuQ/9QzPvg/0zoAnBF7cm9sLp+8qFl1nnri0\nXa9CPgIjWFwX34D24KwykE12OLTWZahMae5Ke4okR6e8OGIJyurrTfIwRa2iZRTp\nrk58jhyCr44xeaZMB9/CFDTJ2wTBbQW6SzZrMjrvCypNAH0B/Z0SUMUEVaLdbO4P\nLSu/MvlGDoBxnulgFLPuLc8OQ+NQr8KD6xqmuC64FGh5lq4mhltWXNC/AW3gyvf6\nI61oEpHviaRk66IAt6N4Wt9ZWxbsuibfc1e4yvrwKxPjtI/eIU0/MD2ZqbGM/7ZO\nNeGI8DbTwsW6Jzco7LE9qsi3+D2OoffIj1tgYmuV+LvsyPbCFmDGGJC72jyW1GYB\nCQIQ9s2T8Cbu+waeABEc/4XidJdejOXgEHD3+Ztwx3+6C4grA3f8lV28wxcH1bJ8\n10YOf+aEHYDrC99mthP8f7Nk3VxNDCqbN0HkSC5pW35zD7ririit0ClZ0/8njtYo\niD6Vdjw=\n=blcz\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/hydra-2/ssh.pub
+++ b/hosts/hydra-2/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZED9QM+qe7sB6R6atvP6WNaI2sC2nh7TTsD6kgRpnr
--- a/hosts/krypton/android.nix
+++ b/hosts/krypton/android.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+
+  services.udev.packages = [
+    pkgs.android-udev-rules
+  ];
+
+}
--- a/hosts/krypton/backup.nix
+++ b/hosts/krypton/backup.nix
@@ -0,0 +1,26 @@
+{ ... }:
+
+{
+  clerie.backup = {
+    enable = true;
+    jobs.main = {
+      paths = [
+        "/home"
+        "/var/lib"
+      ];
+      exclude = [
+        "/home/*/.local/share/Trash/*"
+        "/home/*/.config/*.log"
+        "/home/*/.local/*.log"
+        "/home/*/.cache/*"
+        "/home/*/.config/*[Cc]ache*/*"
+        "/home/*/.mozilla/*/cache/*"
+        "/home/*/.thumbnails/*"
+        "/home/*/.config/Element/Cache/*"
+
+        "/home/clerie/tmp/*"
+        "/home/clere/Downloads/*"
+      ];
+    };
+  };
+}
--- a/hosts/krypton/configuration.nix
+++ b/hosts/krypton/configuration.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+
+      ./android.nix
+      ./backup.nix
+      ./etesync-dav.nix
+      #./initrd.nix
+      ./network.nix
+      ./programs.nix
+    ];
+
+  profiles.clerie.desktop.enable = true;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.timeout = 0;
+
+  boot.initrd.luks = {
+    devices.lvm = {
+      device = "/dev/disk/by-uuid/f7059f75-764d-4cd1-9da7-7c64b05bff38";
+      bypassWorkqueues = true;
+    };
+  };
+
+  # https://wiki.clerie.de/notiz/pm-hibernation-image-allocation-is-97054-pages-short
+  boot.kernel.sysctl."vm.swappiness" = 1;
+
+  boot.binfmt.emulatedSystems = [
+    "aarch64-linux"
+  ];
+
+  system.stateVersion = "23.05";
+}
+
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICm4kHCK4ACXtZt9ziBXnykiR1onPQtbmfAKU/fcqr8G`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQegq2ZQx0fNVHlITNHdZoSAh5jsaDyv3Sej3a8Y4j3`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUaAo7yYjuVpWadxPqrUGrZWwLNltvc+PfOT8z36Eip`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdyTanEqCieqt81Ri8xHnw1dyK3i8srDi1F+xIb3Js3`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINbpzEFngWD8gZpGKvOdo5CVMPlaDCylNKorf/ZN93rT`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCgFELN24kkb40/Pv2aOwhfqoqbCEdQPBTND7nTw1hd`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGI7h8xpVDM0BsY+XGwp8kX1XKn82Cg0lhd1M4Eldsp5`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANa33GhY8tK+rGFKjrEbaw289bMqh1Aazyo04B//27t`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbqGg6BF4MLSgDIe0Q0EsaogXPlYKHCNKWvfIXkNq7L`