Update from updated-inputs-2025-11-15-02-03

Update nixpkgs 2025-11-15-02-03
Update from updated-inputs-2025-11-13-02-03
2025-11-15 03:04:23 +01:00 · 2025-11-15 03:04:21 +01:00 · 2025-11-13 03:04:14 +01:00 · 2025-11-13 03:04:12 +01:00 · 2025-11-10 03:04:12 +01:00 · 2025-11-10 03:04:09 +01:00
125 changed files with 3572 additions and 877 deletions
--- a/configuration/common/certificates.nix
+++ b/configuration/common/certificates.nix
@@ -0,0 +1,11 @@
 { config, lib, ... }:
 with lib;
 {
  environment.sessionVariables = {
    REQUESTS_CA_BUNDLE = mkDefault config.security.pki.caBundle;
  };
 }
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -3,15 +3,14 @@
 {
  imports = [
    ./backup.nix
    ./certificates.nix
    ./initrd.nix
    ./locale.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
    ./ssh.nix
    ./systemd.nix
    ./user.nix
    ./web.nix
  ];
  services.fstrim.enable = true;
--- a/configuration/common/nix.nix
+++ b/configuration/common/nix.nix
@@ -1,70 +0,0 @@
 { lib, pkgs, ... }:
 {
  clerie.nixfiles.enable = true;
  clerie.system-auto-upgrade.enable = true;
  nix.settings = {
    trusted-users = [ "@wheel" "@guests" ];
    auto-optimise-store = true;
    # Keep buildtime dependencies
    keep-outputs = true;
    # Build local, when caches are broken
    fallback = true;
  };
  nix.gc = lib.mkDefault {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };
  nix.settings = {
    experimental-features = [
      "flakes"
      "nix-command"
    ];
    substituters = [
      "https://nix-cache.clerie.de"
    ];
    trusted-public-keys = [
      "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
    ];
  };
  # Pin current nixpkgs channel and flake registry to the nixpkgs version
  # the host got build with
  nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
  nix.registry = {
    "nixpkgs" = lib.mkForce {
       from = {
         type = "indirect";
         id = "nixpkgs";
       };
       to = {
         type = "path";
         path = lib.cleanSource pkgs.path;
       };
       exact = true;
    };
    "templates" = {
       from = {
         type = "indirect";
         id = "templates";
       };
       to = {
         type = "git";
         url = "https://git.clerie.de/clerie/flake-templates.git";
       };
    };
  };
  documentation.doc.enable = false;
  environment.systemPackages = with pkgs; [
    nix-remove-result-links
  ];
 }
--- a/configuration/common/programs.nix
+++ b/configuration/common/programs.nix
@@ -6,6 +6,7 @@
    # My system is fucked
    gptfdisk
    parted
    grow-last-partition-and-filesystem
    # Normal usage
    htop
--- a/configuration/common/web.nix
+++ b/configuration/common/web.nix
@@ -1,54 +0,0 @@
 { ... }:
 {
  services.nginx = {
    enableReload = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    commonHttpConfig = ''
      server_names_hash_bucket_size 64;
      charset utf-8;
      types {
        text/plain nix;
      }
      map $remote_addr $remote_addr_anon {
        ~(?P<ip>\d+\.\d+\.\d+)\.          $ip.0;
        ~(?P<ip>[^:]*:[^:]*(:[^:]*)?):    $ip::;
        default                           ::;
      }
      log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
                               '"$request" $status $body_bytes_sent '
                               '"$http_referer" "$http_user_agent"';
      log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
                                '"$request" $status $body_bytes_sent '
                                '"$http_referer" "$http_user_agent"';
      access_log /var/log/nginx/access.log vcombined_anon;
    '';
    virtualHosts = {
      "default" = {
        default = true;
        rejectSSL = true;
        locations."/" = {
          return = ''200 "Some piece of infrastructure\n"'';
          extraConfig = ''
            types { } default_type "text/plain; charset=utf-8";
          '';
        };
      };
    };
  };
  services.logrotate.settings.nginx = {
    frequency = "daily";
    maxage = 14;
  };
  security.acme = {
    defaults.email = "letsencrypt@clerie.de";
    acceptTerms = true;
  };
 }
--- a/configuration/desktop/audio.nix
+++ b/configuration/desktop/audio.nix
@@ -1,19 +0,0 @@
 { ... }:
 {
  services.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa = {
      enable = true;
      support32Bit = true;
    };
    pulse = {
      enable = true;
    };
  };
 }
--- a/configuration/desktop/default.nix
+++ b/configuration/desktop/default.nix
@@ -1,19 +0,0 @@
 { ... }:
 {
  imports = [
    ./audio.nix
    ./firmware.nix
    ./fonts.nix
    ./gnome.nix
    ./inputs.nix
    ./networking.nix
    ./polkit.nix
    ./power.nix
    ./printing.nix
    ./ssh.nix
    ./xserver.nix
  ];
  security.sudo.wheelNeedsPassword = true;
 }
--- a/configuration/desktop/firmware.nix
+++ b/configuration/desktop/firmware.nix
@@ -1,7 +0,0 @@
 { ... }:
 {
  services.fwupd.enable = true;
 }
--- a/configuration/desktop/fonts.nix
+++ b/configuration/desktop/fonts.nix
@@ -1,13 +0,0 @@
 { pkgs, ... }:
 {
  fonts.enableDefaultPackages = true;
  fonts.packages = with pkgs; [
    roboto
    roboto-mono
    noto-fonts
    noto-fonts-emoji
    comfortaa
  ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
 }
--- a/configuration/desktop/gnome.nix
+++ b/configuration/desktop/gnome.nix
@@ -1,61 +0,0 @@
 { pkgs, ... }:
 {
  services.gnome = {
    localsearch.enable = false;
    tinysparql.enable = false;
  };
  environment.gnome.excludePackages = with pkgs; [
    baobab
    epiphany
    gnome-calendar
    gnome-clocks
    gnome-console
    gnome-contacts
    gnome-logs
    gnome-maps
    gnome-music
    gnome-tour
    gnome-photos
    gnome-weather
    gnome-connections
    simple-scan
    yelp
    geary
  ];
  environment.systemPackages = with pkgs; [
    evolution
    gnome-terminal
    gnome-tweaks
  ];
  services.gnome.evolution-data-server.enable = true;
  programs.dconf.profiles = {
    user.databases = [
      {
        settings = {
          "org/gnome/desktop/calendar" = {
            show-weekdate = true;
          };
          "org/gnome/desktop/interface" = {
            enable-hot-corners = false;
            show-battery-percentage = true;
          };
          "org/gnome/desktop/notifications" = {
            show-in-lock-screen = false;
          };
          "org/gnome/desktop/sound" = {
            event-sounds = false;
          };
          "org/gnome/gnome-system-monitor" = {
            network-in-bits = true;
            network-total-in-bits = true;
          };
        };
      }
    ];
  };
 }
--- a/configuration/desktop/inputs.nix
+++ b/configuration/desktop/inputs.nix
@@ -1,43 +0,0 @@
 { ... }:
 {
  programs.dconf.profiles = {
    user.databases = [
      {
        settings = {
          "org/gnome/desktop/peripherals/touchpad" = {
            disable-while-typing = false;
            edge-scrolling-enabled = false;
            natural-scroll = true;
            tap-to-click = true;
            two-finger-scrolling-enabled = true;
          };
          "org/gnome/settings-daemon/plugins/media-keys" = {
            custom-keybindings = [
              "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
            ];
            mic-mute = [ "<Control>Print" ];
          };
          "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
            name = "Terminal";
            binding = "<Primary><Alt>t";
            command = "gnome-terminal";
          };
        };
      }
    ];
    gdm.databases = [
      {
        settings = {
          "org/gnome/desktop/peripherals/touchpad" = {
            disable-while-typing = false;
            edge-scrolling-enabled = false;
            natural-scroll = true;
            tap-to-click = true;
            two-finger-scrolling-enabled = true;
          };
        };
      }
    ];
  };
 }
--- a/configuration/desktop/networking.nix
+++ b/configuration/desktop/networking.nix
@@ -1,14 +0,0 @@
 { ... }:
 {
  networking.networkmanager.settings = {
    connectivity = {
      uri = "http://ping.clerie.de/nm-check.txt";
    };
    global-dns = {
      searches = "net.clerie.de";
    };
  };
 }
--- a/configuration/desktop/polkit.nix
+++ b/configuration/desktop/polkit.nix
@@ -1,7 +0,0 @@
 { ... }:
 {
  security.polkit.enable = true;
 }
--- a/configuration/desktop/power.nix
+++ b/configuration/desktop/power.nix
@@ -1,42 +0,0 @@
 { lib, config, ... }:
 {
  boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
  services.logind = {
    lidSwitch = "suspend-then-hibernate";
  };
  systemd.sleep.extraConfig = ''
    HibernateDelaySec=30m
  '';
  services.upower = {
    percentageLow = 20;
    percentageCritical = 10;
    percentageAction = 8;
  };
  programs.dconf.profiles = {
    user.databases = [
      {
        settings = {
          "org/gnome/settings-daemon/plugins/power" = {
            power-button-action = "hibernate";
            power-saver-profile-on-low-battery = false;
            sleep-inactive-ac-type = "nothing";
          };
        };
      }
    ];
    gdm.databases = [
      {
        settings = {
          "org/gnome/settings-daemon/plugins/power" = {
            power-button-action = "hibernate";
            power-saver-profile-on-low-battery = false;
            sleep-inactive-ac-type = "nothing";
          };
        };
      }
    ];
  };
 }
--- a/configuration/desktop/printing.nix
+++ b/configuration/desktop/printing.nix
@@ -1,7 +0,0 @@
 { ... }:
 {
  services.printing.enable = true;
  services.avahi.enable = true;
  services.avahi.nssmdns4 = true;
 }
--- a/configuration/desktop/ssh.nix
+++ b/configuration/desktop/ssh.nix
@@ -1,34 +0,0 @@
 { pkgs, ... }:
 {
  imports = [
    ../../configuration/gpg-ssh
  ];
  programs.gnupg.agent = {
    pinentryPackage = pkgs.pinentry-gtk2;
  };
  # Do not disable ssh-agent of gnome-keyring, because
  # gnupg ssh-agent can't handle normal SSH keys properly
  /*
  # Disable ssh-agent of gnome-keyring
  nixpkgs.overlays = [
    (final: prev: {
      gnome = prev.gnome // {
        gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
          mkdir -p $out
          # Symlink all gnome-keyring binaries
          ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
          # Disable autostart for ssh
          rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
          cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
          echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
        '';
      };
    })
  ];
  */
 }
--- a/configuration/desktop/xserver.nix
+++ b/configuration/desktop/xserver.nix
@@ -1,11 +0,0 @@
 { pkgs, ... }:
 {
  services.xserver.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.excludePackages = with pkgs; [
    xterm
  ];
 }
--- a/configuration/gpg-ssh/default.nix
+++ b/configuration/gpg-ssh/default.nix
@@ -1,51 +0,0 @@
 { pkgs, lib, ... }:
 let
  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
    configureFlags = prev.configureFlags ++ [
      # Make sure scdaemon never ever again tries to use its own ccid driver
      "--disable-ccid-driver"
    ];
  });
 in {
  programs.gnupg.package = custom_gnupg;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
  };
  environment.systemPackages = with pkgs; [
    custom_gnupg
    yubikey-personalization
    openpgp-card-tools
    # Add wrapper around ssh that takes the gnupg ssh-agent
    # instead of gnome-keyring
    ssh-gpg
  ];
  services.pcscd.enable = true;
  # pcscd sometimes breaks and seem to need a manual restart
  # so we allow users to restart that service themself
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
        if (
            action.id == "org.freedesktop.systemd1.manage-units"
            && action.lookup("unit") == "pcscd.service"
            && action.lookup("verb") == "restart"
            && subject.isInGroup("users")
        ) {
            return polkit.Result.YES;
        }
    });
  '';
  services.udev.packages = with pkgs; [
    yubikey-personalization
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@@ -27,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724513039,
+        "lastModified": 1748808701,
-        "narHash": "sha256-YdBuRgXEU9CcxPd2EjuvDKcfgxL1kk9Gv8nFVVjIros=",
+        "narHash": "sha256-IEer4ypv/tL2zzo7nkgyg7xdK6P+Mc/22oPctEgwhiw=",
        "ref": "refs/heads/main",
-        "rev": "202f4a1a5791c74a9b7d69a4e63e631bdbe36ba6",
+        "rev": "5f3748df43e6b6e49cc0a23557a378ef37952483",
-        "revCount": 4,
+        "revCount": 5,
        "type": "git",
        "url": "https://git.clerie.de/clerie/bij.git"
      },
@@ -116,6 +116,21 @@
      }
    },
    "flake-compat": {
      "locked": {
        "lastModified": 1746162366,
        "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
        "owner": "nix-community",
        "repo": "flake-compat",
        "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@@ -153,28 +168,6 @@
      }
    },
    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "hydra",
          "nix-eval-jobs",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730504689,
        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": [
          "ssh-to-age",
@@ -271,52 +264,55 @@
    },
    "hydra": {
      "inputs": {
-        "lix": [
+        "flake-compat": "flake-compat",
-          "lix"
+        "lix": "lix",
-        ],
+        "nixpkgs": "nixpkgs_3"
        "nix-eval-jobs": "nix-eval-jobs",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1744102671,
+        "lastModified": 1759516991,
-        "narHash": "sha256-/y92PMLAG1ueMInNKaar27H6voo5m1jDnJhxcIYOp5M=",
+        "narHash": "sha256-esoe/uYPyy4a6hAwZq1QgkSe7dnZ5c0zHHXDq/JG9Yk=",
-        "ref": "lix-2.92",
+        "ref": "lix-2.93",
-        "rev": "dd8114c53075524d06ba1de3346e39610923427b",
+        "rev": "b1328322a49e8e153635ea8b3b602db363de727f",
-        "revCount": 4235,
+        "revCount": 4284,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/hydra.git"
      },
      "original": {
-        "ref": "lix-2.92",
+        "ref": "lix-2.93",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/hydra.git"
      }
    },
    "lix": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": [
          "hydra",
          "flake-compat"
        ],
        "nix2container": "nix2container",
        "nix_2_18": [
          "hydra"
        ],
        "nixpkgs": [
          "hydra",
          "nixpkgs"
        ],
        "nixpkgs-regression": "nixpkgs-regression",
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1742250400,
+        "lastModified": 1757791921,
-        "narHash": "sha256-be2mY7VFiWcPw7GcaJBbUvpnpoLd39wxqTXagBNTR5w=",
+        "narHash": "sha256-83qbJckLOLrAsKO88UI9N4QRatNEc3gUFtLMiAPwK0g=",
-        "ref": "release-2.92",
+        "ref": "release-2.93",
-        "rev": "d8db15010d2059a23a17f70ef542b4d1e7d2c640",
+        "rev": "b7c2f17e9133e8b85d41c58b52f9d4e3254f41da",
-        "revCount": 16651,
+        "revCount": 17892,
        "type": "git",
-        "url": "https://git.lix.systems/lix-project/lix.git"
+        "url": "https://git.lix.systems/lix-project/lix"
      },
      "original": {
-        "ref": "release-2.92",
+        "ref": "release-2.93",
        "type": "git",
-        "url": "https://git.lix.systems/lix-project/lix.git"
+        "url": "https://git.lix.systems/lix-project/lix"
      }
    },
    "lix-module": {
@@ -331,20 +327,62 @@
        ]
      },
      "locked": {
-        "lastModified": 1742943028,
+        "lastModified": 1756125859,
-        "narHash": "sha256-fprwZKE1uMzO9tiWWOrmLWBW3GPkMayQfb0xOvVFIno=",
+        "narHash": "sha256-6a+PWILmqHCs9B5eIBLg6HSZ8jYweZpgOWO8FlyVwYI=",
-        "ref": "release-2.92",
+        "ref": "release-2.93",
-        "rev": "3fae818597ca2f1474de62022f850c23be50528d",
+        "rev": "d3292125035b04df00d01549a26e948631fabe1e",
-        "revCount": 134,
+        "revCount": 156,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      },
      "original": {
-        "ref": "release-2.92",
+        "ref": "release-2.93",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      }
    },
    "lix_2": {
      "inputs": {
        "flake-compat": "flake-compat_2",
        "nix2container": "nix2container_2",
        "nix_2_18": "nix_2_18",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-regression": "nixpkgs-regression_2",
        "pre-commit-hooks": "pre-commit-hooks_2"
      },
      "locked": {
        "lastModified": 1759940703,
        "narHash": "sha256-/dXDCzYnQbkqCsvUDIxgIH4BS/fyxIu73m2v4ftJLXQ=",
        "ref": "release-2.93",
        "rev": "75c03142049242a5687309e59e4f356fbc92789a",
        "revCount": 17894,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix.git"
      },
      "original": {
        "ref": "release-2.93",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix.git"
      }
    },
    "lowdown-src": {
      "flake": false,
      "locked": {
        "lastModified": 1633514407,
        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
        "owner": "kristapsdz",
        "repo": "lowdown",
        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
        "type": "github"
      },
      "original": {
        "owner": "kristapsdz",
        "repo": "lowdown",
        "type": "github"
      }
    },
    "mitel-ommclient2": {
      "inputs": {
        "nixpkgs": [
@@ -366,55 +404,24 @@
        "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
      }
    },
-    "nix-eval-jobs": {
+    "mu5001tool": {
      "inputs": {
        "flake-parts": "flake-parts_2",
        "lix": [
          "hydra",
          "lix"
        ],
        "nix-github-actions": "nix-github-actions",
        "nixpkgs": [
          "hydra",
          "nixpkgs"
        ],
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
        "lastModified": 1737237842,
        "narHash": "sha256-tPr61X9v/OMVt7VXOs1RRStciwN8gDGxEKx+h0/Fg48=",
        "ref": "release-2.92",
        "rev": "fdaeb722d05a3ac58daaa24d4b5fa8db4457d82e",
        "revCount": 621,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nix-eval-jobs"
      },
      "original": {
        "ref": "release-2.92",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nix-eval-jobs"
      }
    },
    "nix-github-actions": {
      "inputs": {
        "nixpkgs": [
          "hydra",
          "nix-eval-jobs",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1731952509,
+        "lastModified": 1757627777,
-        "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
+        "narHash": "sha256-NGUqHQ+/BaUhjgSYQauTihTtNyhhnQRMJ8t7ZSPNpmk=",
-        "owner": "nix-community",
+        "ref": "refs/heads/main",
-        "repo": "nix-github-actions",
+        "rev": "b7b0f0d5191433bca1377f7d818b800627a83fda",
-        "rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
+        "revCount": 9,
-        "type": "github"
+        "type": "git",
        "url": "https://git.clerie.de/clerie/mu5001tool.git"
      },
      "original": {
-        "owner": "nix-community",
+        "type": "git",
-        "repo": "nix-github-actions",
+        "url": "https://git.clerie.de/clerie/mu5001tool.git"
        "type": "github"
      }
    },
    "nix2container": {
@@ -433,6 +440,50 @@
        "type": "github"
      }
    },
    "nix2container_2": {
      "flake": false,
      "locked": {
        "lastModified": 1724996935,
        "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
        "owner": "nlewo",
        "repo": "nix2container",
        "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
        "type": "github"
      },
      "original": {
        "owner": "nlewo",
        "repo": "nix2container",
        "type": "github"
      }
    },
    "nix_2_18": {
      "inputs": {
        "flake-compat": [
          "lix",
          "flake-compat"
        ],
        "lowdown-src": "lowdown-src",
        "nixpkgs": "nixpkgs_4",
        "nixpkgs-regression": [
          "lix",
          "nixpkgs-regression"
        ]
      },
      "locked": {
        "lastModified": 1730375271,
        "narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
        "owner": "NixOS",
        "repo": "nix",
        "rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "2.18.9",
        "repo": "nix",
        "type": "github"
      }
    },
    "nixos-exporter": {
      "inputs": {
        "nixpkgs": [
@@ -501,6 +552,22 @@
        "type": "github"
      }
    },
    "nixpkgs-carbon": {
      "locked": {
        "lastModified": 1751206202,
        "narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
        "owner": "clerie",
        "repo": "nixpkgs",
        "rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
        "type": "github"
      },
      "original": {
        "owner": "clerie",
        "ref": "clerie/always-setup-netdevs",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-regression": {
      "locked": {
        "lastModified": 1643052045,
@@ -517,6 +584,22 @@
        "type": "github"
      }
    },
    "nixpkgs-regression_2": {
      "locked": {
        "lastModified": 1643052045,
        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1713434076,
@@ -551,11 +634,43 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1746663147,
+        "lastModified": 1759281824,
-        "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
+        "narHash": "sha256-FIBE1qXv9TKvSNwst6FumyHwCRH3BlWDpfsnqRDCll0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
+        "rev": "5b5be50345d4113d04ba58c444348849f5585b4a",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1705033721,
        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-23.05-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_5": {
      "locked": {
        "lastModified": 1762977756,
        "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
        "type": "github"
      },
      "original": {
@@ -601,6 +716,22 @@
        "type": "github"
      }
    },
    "pre-commit-hooks_2": {
      "flake": false,
      "locked": {
        "lastModified": 1733318908,
        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "rainbowrss": {
      "inputs": {
        "nixpkgs": [
@@ -630,18 +761,21 @@
        "fieldpoc": "fieldpoc",
        "harmonia": "harmonia",
        "hydra": "hydra",
-        "lix": "lix",
+        "lix": "lix_2",
        "lix-module": "lix-module",
        "mu5001tool": "mu5001tool",
        "nixos-exporter": "nixos-exporter",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_5",
        "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
        "nixpkgs-carbon": "nixpkgs-carbon",
        "nurausstieg": "nurausstieg",
        "rainbowrss": "rainbowrss",
        "scan-to-gpg": "scan-to-gpg",
        "solid-xmpp-alarm": "solid-xmpp-alarm",
        "sops-nix": "sops-nix",
-        "ssh-to-age": "ssh-to-age"
+        "ssh-to-age": "ssh-to-age",
        "traveldrafter": "traveldrafter"
      }
    },
    "scan-to-gpg": {
@@ -707,7 +841,7 @@
    },
    "ssh-to-age": {
      "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
        "nixpkgs": [
          "nixpkgs"
        ]
@@ -756,6 +890,26 @@
        "type": "github"
      }
    },
    "traveldrafter": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1751817360,
        "narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
        "ref": "refs/heads/main",
        "rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
        "revCount": 22,
        "type": "git",
        "url": "https://git.clerie.de/clerie/traveldrafter.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.clerie.de/clerie/traveldrafter.git"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
@@ -776,28 +930,6 @@
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": [
          "hydra",
          "nix-eval-jobs",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1732292307,
        "narHash": "sha256-5WSng844vXt8uytT5djmqBCkopyle6ciFgteuA9bJpw=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "705df92694af7093dfbb27109ce16d828a79155f",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,7 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
    # for etesync-dav
    nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -25,20 +26,24 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    hydra = {
-      url = "git+https://git.lix.systems/lix-project/hydra.git?ref=lix-2.92";
+      url = "git+https://git.lix.systems/lix-project/hydra.git?ref=lix-2.93";
-      inputs.lix.follows = "lix";
+      #inputs.lix.follows = "lix";
-      inputs.nixpkgs.follows = "nixpkgs";
+      #inputs.nixpkgs.follows = "nixpkgs";
    };
    lix = {
-      url = "git+https://git.lix.systems/lix-project/lix.git?ref=release-2.92";
+      url = "git+https://git.lix.systems/lix-project/lix.git?ref=release-2.93";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lix-module = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.92";
+      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.93";
      inputs.lix.follows = "lix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
    mu5001tool = {
      url = "git+https://git.clerie.de/clerie/mu5001tool.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-exporter = {
      url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -67,11 +72,13 @@
      url = "github:Mic92/ssh-to-age";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    traveldrafter = {
      url = "git+https://git.clerie.de/clerie/traveldrafter.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
    lib = import ./lib inputs;
    helper = lib.flake-helper;
    localNixpkgs = import ./flake/nixpkgs.nix inputs;
  in {
    clerie.hosts = {
      aluminium = {
@@ -135,14 +142,24 @@
    };
    overlays = {
-      nixfilesInputs = import ./flake/overlay.nix inputs;
+      clerie-inputs = import ./flake/inputs-overlay.nix inputs;
-      clerie = import ./pkgs/overlay.nix;
+      clerie-pkgs = import ./pkgs/overlay.nix;
-      default = self.overlays.clerie;
+      clerie-build-support = import ./pkgs/build-support/overlay.nix;
      clerie-overrides = import ./pkgs/overrides/overlay.nix;
    };
-    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
+    nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
-      pkgs = localNixpkgs.${system};
+      lib.mkNixpkgs {
-    in builtins.mapAttrs (name: value: pkgs."${name}") (import ./pkgs/pkgs.nix));
+        inherit system;
      }
    );
    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
      nixpkgs.lib.genAttrs (
        (builtins.attrNames (self.overlays.clerie-pkgs null null))
        ++ (builtins.attrNames (self.overlays.clerie-overrides null null))
      ) (name: self.nixpkgs."${system}"."${name}")
    );
    inherit lib self;
--- a/flake/hydraJobs.nix
+++ b/flake/hydraJobs.nix
@@ -10,6 +10,12 @@ let
 in {
  inherit (self)
    packages;
  extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
    nixpkgs.lib.genAttrs [
      "hydra"
      "lix"
    ] (name: self.nixpkgs."${system}"."${name}")
  );
  nixosConfigurations = buildHosts self.nixosConfigurations;
  iso = self.nixosConfigurations._iso.config.system.build.isoImage;
 }
--- a/flake/inputs-overlay.nix
+++ b/flake/inputs-overlay.nix
@@ -5,10 +5,12 @@
 , chaosevents
 , harmonia
 , hydra
 , mu5001tool
 , nurausstieg
 , rainbowrss
 , scan-to-gpg
 , ssh-to-age
 , traveldrafter
 , ...
 }@inputs:
 final: prev: {
@@ -24,6 +26,8 @@ final: prev: {
    harmonia;
  inherit (hydra.packages.${final.system})
    hydra;
  inherit (mu5001tool.packages.${final.system})
    mu5001tool;
  inherit (nurausstieg.packages.${final.system})
    nurausstieg;
  inherit (rainbowrss.packages.${final.system})
@@ -32,4 +36,6 @@ final: prev: {
    scan-to-gpg;
  inherit (ssh-to-age.packages.${final.system})
    ssh-to-age;
  inherit (traveldrafter.packages.${final.system})
    traveldrafter;
 }
--- a/flake/nixosConfigurations.nix
+++ b/flake/nixosConfigurations.nix
@@ -11,33 +11,14 @@ let
    modules ? [],
  }: let
    localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
-  in localNixpkgs.lib.nixosSystem {
+  in self.lib.nixosSystem {
    system = system;
    nixpkgs = localNixpkgs;
    modules = modules ++ [
      self.nixosModules.nixfilesInputs
      self.nixosModules.clerie
      self.nixosModules.profiles
      ({ config, lib, ... }: {
        # Set hostname
        networking.hostName = lib.mkDefault name;
        # Apply overlays
        nixpkgs.overlays = [
          self.overlays.nixfilesInputs
          self.overlays.clerie
        ];
        /*
          Make the contents of the flake availiable to modules.
          Useful for having the monitoring server scraping the
          target config from all other servers automatically.
        */
        _module.args = {
          inputs = inputs;
          _nixfiles = self;
        };
        # Expose host group to monitoring
        clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };
--- a/flake/nixpkgs.nix
+++ b/flake/nixpkgs.nix
@@ -1,17 +0,0 @@
 { self
 , nixpkgs
 , ...
 }@inputs:
 let
  mkNixpkgs = { system, ... }@args: 
    import nixpkgs {
      inherit system;
      overlays = [
        self.overlays.nixfilesInputs
        self.overlays.clerie
      ];
    };
 in
  nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -3,9 +3,9 @@
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
    ../../configuration/gpg-ssh
  ];
  profiles.clerie.gpg-ssh.enable = true;
  profiles.clerie.network-fallback-dhcp.enable = true;
  # systemd in initrd is broken with ISOs
--- a/hosts/astatine/configuration.nix
+++ b/hosts/astatine/configuration.nix
@@ -4,6 +4,10 @@
  imports =
    [
      ./hardware-configuration.nix
      ./grafana.nix
      ./mu5001tool.nix
      ./prometheus.nix
    ];
  profiles.clerie.network-fallback-dhcp.enable = true;
@@ -18,6 +22,16 @@
    terminal_output serial
  ";
  sops.secrets.monitoring-htpasswd = {
    owner = "nginx";
    group = "nginx";
  };
  services.nginx = {
    enable = true;
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  profiles.clerie.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
--- a/hosts/astatine/grafana.nix
+++ b/hosts/astatine/grafana.nix
@@ -0,0 +1,45 @@
 { config, ... }:
 {
  services.grafana = {
    enable  = true;
    settings = {
      server = {
        domain = "grafana.astatine.net.clerie.de";
        root_url = "https://grafana.astatine.net.clerie.de";
        http_port = 3001;
        http_addr = "::1";
      };
      "auth.anonymous" = {
        enabled = true;
      };
    };
    provision = {
      enable = true;
      datasources.settings.datasources = [
        {
          type = "prometheus";
          name = "Prometheus";
          url = "http://[::1]:9090";
          isDefault = true;
        }
      ];
    };
  };
  services.nginx = {
    virtualHosts = {
      "grafana.astatine.net.clerie.de" = {
        enableACME = true;
        forceSSL   = true;
        basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
        locations."/".proxyPass = "http://[::1]:3001/";
        locations."= /api/live/ws" = {
          proxyPass = "http://[::1]:3001";
          proxyWebsockets = true;
        };
      };
    };
  };
 }
--- a/hosts/astatine/mu5001tool.nix
+++ b/hosts/astatine/mu5001tool.nix
@@ -0,0 +1,18 @@
 { config, pkgs, lib, ... }:
 {
  systemd.services."mu5001tool" = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
      LoadCredential = "zte-hypermobile-5g-password:${config.sops.secrets."zte-hypermobile-5g-password".path}";
      Restart = "on-failure";
      RestartSec = "15s";
    };
    script = ''
      ${lib.getExe pkgs.mu5001tool} --password-file ''${CREDENTIALS_DIRECTORY}/zte-hypermobile-5g-password prometheus-exporter --listen-port 9242
    '';
  };
 }
--- a/hosts/astatine/prometheus.nix
+++ b/hosts/astatine/prometheus.nix
@@ -0,0 +1,46 @@
 { config, ... }:
 {
  services.prometheus = {
    enable = true;
    enableReload = true;
    listenAddress = "[::1]";
    scrapeConfigs = [
      {
        job_name = "prometheus";
        scrape_interval = "20s";
        scheme = "http";
        static_configs = [
          {
            targets = [
              "[::1]:9090"
            ];
          }
        ];
      }
      {
        job_name = "mu5001tool";
        scrape_interval = "20s";
        static_configs = [
          {
            targets = [
              "[::1]:9242"
            ];
          }
        ];
      }
    ];
  };
  services.nginx = {
    virtualHosts = {
      "prometheus.astatine.net.clerie.de" = {
        enableACME = true;
        forceSSL   = true;
        basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
        locations."/".proxyPass = "http://[::1]:9090/";
      };
    };
  };
 }
--- a/hosts/astatine/secrets.json
+++ b/hosts/astatine/secrets.json
@@ -1,19 +1,17 @@
 {
 	"wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]",
 	"monitoring-htpasswd": "ENC[AES256_GCM,data:0uQ+Gwedi9kTaOzrwVzkNkS9qL0Dwmph1leK2sj/TndfSn3yaq7ur7ZHoPjWUl5Oy1poxU2rIUxWHajYC0n3yHv2AuGT,iv:FyH4MHcgW5iHkAsahNFtshnqqPOMlukg8aYfhcN9onw=,tag:q3BsnyKLrKYi/xDP6GmSkA==,type:str]",
 	"zte-hypermobile-5g-password": "ENC[AES256_GCM,data:lqxQICmWYwMejn8=,iv:TPYOs/cL/ETw7Ee0+YG/+Fhd7ASi0kr4rDLEiste+2Y=,tag:6O6AXIHkIjPm7hJVC4Y/1g==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-04-21T16:03:13Z",
+		"lastmodified": "2025-09-08T21:03:41Z",
-		"mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:ztS/Z6mn8hFAPsks2evJRJFocw/3oz22O2HeSEkY7Mu+bfNvClsJuvuTbnDadB0IwKiLDFWRMGs/UPFmNP6J/euro4cFHDWXopdXg7eDFGDoJDKIg4fBUtofdXIqWvDoQ9LeZNvc5Z4EEQYhs3LwFnAU0x15acwIIxr5TB9l8g8=,iv:WVjavmcrEs2CyYTfoTTP44c9TqFubUdE+PBN2jRPR+s=,tag:fBXzU69Q9MwD3o/Nyu5OZA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-04-21T16:02:41Z",
@@ -24,4 +22,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -6,6 +6,7 @@
      ./hardware-configuration.nix
      ./dns.nix
      ./ds-lite-ncfttb.nix
      ./mdns.nix
      ./net-dsl.nix
      ./net-gastnetz.nix
@@ -16,7 +17,7 @@
      ./net-printer.nix
      ./net-voip.nix
      ./ntp.nix
-      ./ppp.nix
+      ./ppp-ncfttb.nix
      ./scan-to-gpg.nix
      ./wg-clerie.nix
    ];
@@ -39,7 +40,7 @@
  networking.nat = {
    enableIPv6 = true;
    enable = true;
-    externalInterface = "ppp-dtagdsl";
+    externalInterface = "ppp-ncfttb";
    internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"];
    internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ];
  };
@@ -63,10 +64,10 @@
  systemd.services.kea-dhcp4-server = {
    after = [
-      "network-setup.service"
+      "network.target"
    ];
-    requires = [
+    wants = [
-      "network-setup.service"
+      "network.target"
    ];
  };
--- a/hosts/carbon/ds-lite-ncfttb.nix
+++ b/hosts/carbon/ds-lite-ncfttb.nix
@@ -0,0 +1,18 @@
 { ... }:
 {
  profiles.clerie.ds-lite = {
    enable = true;
    wanInterfaceName = "ppp-ncfttb";
    tunnelInterfaceName = "ds-lite-ncfttb";
    lanInterfaces = [
      {
        name = "net-heimnetz";
        sla_id = 201;
        prefix_len = 64;
      }
    ];
  };
 }
--- a/hosts/carbon/net-dsl.nix
+++ b/hosts/carbon/net-dsl.nix
@@ -3,17 +3,17 @@
 {
  ## DSL-Uplink
-  networking.vlans."enp1s0.7" = {
+  networking.vlans."enp1s0.10" = {
-    id = 7;
+    id = 10;
    interface = "enp1s0";
  };
-  networking.vlans."enp3s0.7" = {
+  networking.vlans."enp3s0.10" = {
-    id = 7;
+    id = 10;
    interface = "enp3s0";
  };
  networking.bridges."net-dsl".interfaces = [
-    "enp1s0.7"
+    "enp1s0.10"
-    "enp3s0.7"
+    "enp3s0.10"
  ];
 }
--- a/hosts/carbon/net-gastnetz.nix
+++ b/hosts/carbon/net-gastnetz.nix
@@ -61,7 +61,7 @@
  # net-gastnetz can only access internet
  clerie.firewall.extraForwardFilterCommands = ''
-    ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT
+    ip46tables -A forward-filter -i net-gastnetz -o ppp-ncfttb -j ACCEPT
    ip46tables -A forward-filter -i net-gastnetz -j DROP
    ip46tables -A forward-filter -o net-gastnetz -j DROP
  '';
--- a/hosts/carbon/ppp-ncfttb.nix
+++ b/hosts/carbon/ppp-ncfttb.nix
@@ -4,11 +4,11 @@
  services.pppd = {
    enable = true;
-    peers.dtagdsl = {
+    peers.ncfttb = {
      config = ''
        plugin pppoe.so net-dsl
-        user "''${PPPD_DTAGDSL_USERNAME}"
+        user "''${PPPD_NETCOLOGNE_USERNAME}"
-        ifname ppp-dtagdsl
+        ifname ppp-ncfttb
        persist
        maxfail 0
        holdoff 5
@@ -24,9 +24,9 @@
    };
  };
-  environment.etc."ppp/peers/dtagdsl".enable = false;
+  environment.etc."ppp/peers/ncfttb".enable = false;
-  systemd.services."pppd-dtagdsl".serviceConfig = let
+  systemd.services."pppd-ncfttb".serviceConfig = let
    preStart = ''
      mkdir -p /etc/ppp/peers
@@ -34,22 +34,22 @@
      umask u=rw,g=,o=
      # Copy config and substitute username
-      rm -f /etc/ppp/peers/dtagdsl
+      rm -f /etc/ppp/peers/ncfttb
-      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/ncfttb".source}" > /etc/ppp/peers/ncfttb
      # Copy login secrets
      rm -f /etc/ppp/pap-secrets
-      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+      cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/pap-secrets
      rm -f /etc/ppp/chap-secrets
-      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+      cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/chap-secrets
    '';
    preStartFile = pkgs.writeShellApplication {
-      name = "pppd-dtagdsl-pre-start";
+      name = "pppd-ncfttb-pre-start";
      text = preStart;
    };
  in {
-    EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
+    EnvironmentFile = config.sops.secrets.pppd-ncfttb-username.path;
    ExecStartPre = [
      # "+" marks script to be executed without priviledge restrictions
      "+${lib.getExe preStartFile}"
--- a/hosts/carbon/secrets.json
+++ b/hosts/carbon/secrets.json
@@ -1,21 +1,17 @@
 {
 	"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
-	"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
+	"pppd-ncfttb-username": "ENC[AES256_GCM,data:vyOCNm23xsD3Kj+R7zqnBjH4jEIfYpx/YUUGPcVzqMs9pnFEembahtFTl2sNzOFXLfYCYg==,iv:gMfi/6jldkXCnfdvhu5X1VKj58sVsPR8IX8iEECPfgk=,tag:PJGyIASP6RPAdVULEnn+Gg==,type:str]",
-	"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
+	"pppd-ncfttb-secrets": "ENC[AES256_GCM,data:IEAguET78vdzRo47UvxbDdz+kKgYWVxYakPPu5rNAZ4BCui7DUG3qm2X9bBdHSMA,iv:Q8D58HXkCoVbqwFoYk+dizXNcEP1J63uMaDSNEzfg2g=,tag:R/xG3owmbVDOLM79sfBQjA==,type:str]",
 	"wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age16mln27e2p58gu6dpxfclttmuzfnq39mv62kthjpps33g3nl3scfq449857",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-08-13T14:06:43Z",
+		"lastmodified": "2025-10-24T19:16:49Z",
-		"mac": "ENC[AES256_GCM,data:yGKY0fi3KQWGHBeyNtQ8EJ6561dKRZ5aAjO9zq3odDtX75i2RSjORIlNjBsVvegBzeo8AkwwnzxNPt2sHl6MKDZfEsysWAi8Wolh4UvHk087AnR/uKvtG6t4uUaNIWej2DEzxUtTQ8QP1afsdqGCf0vZVruNcJ4u2xiQbN2vJPc=,iv:CDXJ5/P+h0Enq/0EL1su1Mw55FVYLy4XPSoUCkRkt+U=,tag:AvRfEDYMBunyIQIVCPbXag==,type:str]",
+		"mac": "ENC[AES256_GCM,data:ADhCQ7JxrEq+5ssevuuQVf3uyHcrcNVSzdT8bkFfDFVEE1hKv8q9QsGxhIaKtv4N2gt079fy0YA+WFKH6H8zWb5ONepH4H/mAek2SYgAtmVsxwdWY13zswsJUPi2CfbaCWOqppb9IiDb8+RCbzY2u/8Qqwk8gx/0uw2hr3IJrhM=,iv:c1/TS+W4pQgh2oPT77LX+dUL929YppRYdZCmMl2yN+M=,tag:fTk1sxdeT9xFjDMhqiHZAg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:05:56Z",
@@ -24,6 +20,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.10.2"
 	}
-}
+}
--- a/hosts/clerie-backup/configuration.nix
+++ b/hosts/clerie-backup/configuration.nix
@@ -45,13 +45,18 @@
        "/mnt/clerie-backup"
      ];
      doInit = true;
-      repo =  "u275370-sub2@u275370.your-storagebox.de:./clerie-backup/" ;
+      repo = "u275370-sub2@u275370.your-storagebox.de:./clerie-backup/";
      encryption = {
        mode = "none";
      };
      environment = { BORG_RSH = "ssh -p 23 -i /var/src/secrets/ssh/borg-backup-replication-hetzner"; };
      compression = "auto,lzma";
      startAt = "*-*-* 04:07:00";
      readWritePaths = [ "/var/lib/prometheus-node-exporter/textfiles" ];
      postPrune = ''
        echo "backup_replication_hetzner_last_successful_run_time $(date +%s)" > /var/lib/prometheus-node-exporter/textfiles/backup-replication-hetzner.prom
      '';
    };
  };
--- a/hosts/dn42-il-gw1/configuration.nix
+++ b/hosts/dn42-il-gw1/configuration.nix
@@ -140,8 +140,37 @@
      ];
      privateKeyFile = config.sops.secrets.wg4719.path;
    };
    # zaphyra
    wg1718 = {
      ips = [
        "fe80::2574/128"
        # peer fe80::6b61/64
      ];
      postSetup = ''
      ip addr replace dev wg1718 fe80::2574/128 peer fe80::6b61/128
      '';
      listenPort = 51718;
      allowedIPsAsRoutes = false;
      peers = [
        {
          allowedIPs = [ "fe80::/10" "fd00::/8" ];
          endpoint = "router-a.dn42.zaphyra.eu:51831";
          publicKey = "Knm6uEpMsTfZAK68Pl98mHORtb8TtswBfYFGznpHUCI=";
        }
      ];
      privateKeyFile = config.sops.secrets.wg1718.path;
    };
  };
  networking.firewall.allowedUDPPorts = [
    50565 # wg0565
    51271 # wg1271
    51272 # wg1272
    51280 # wg1280
    54719 # wg4719
    51718 # wg1718
  ];
  profiles.clerie.dn42-router = {
    enable = true;
    loopbackIp = "fd56:4902:eca0:1::1";
@@ -198,11 +227,17 @@
        remoteAsn = "64719";
        localAddress = "fe80::1";
      }
      {
        peerName = "peer_1718";
        remoteAddress = "fe80::6b61";
        interfaceName = "wg1718";
        remoteAsn = "4242421718";
        localAddress = "fe80::2574";
      }
    ];
  };
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/dn42-il-gw1/secrets.json
+++ b/hosts/dn42-il-gw1/secrets.json
@@ -5,21 +5,18 @@
 	"wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]",
 	"wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]",
 	"wg1302": "ENC[AES256_GCM,data:+MzuBPg3ql0/MEnpVvhQTsPIkKB9xnHN9Fk4VlZwK4ijKl+26d6oTSM7/R0=,iv:bPPmhenQLaKTGaDo4rBlKkrXrS1YysRuntbKq6zi2aQ=,tag:lztaTfDGT4kAq+HZMLl0Dw==,type:str]",
 	"wg1718": "ENC[AES256_GCM,data:lB+j2O15O7ogdB+QdutD3V/h8IREMMlpCsnMJWNPXlz196KM6WNNYCV2v5M=,iv:AwrRPQIFu8A14Vs5A9slkCPMkgU3VZxL1YupJnriEHc=,tag:Vpt0C6SFzUXGotdfc1ocmg==,type:str]",
 	"wg4719": "ENC[AES256_GCM,data:hoOOCUGdYFaAQZ6wkgmQl65M1qArvXa826IeJl+BUGf7UX0vxx9J0C2epTE=,iv:+1JcOgzClehkE0Ihd2mmoenPk51OBZMF0bMqapWah/c=,tag:xI5FU+GJU6BER9/n04ccLA==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:aw11Ygfll6llabXkuxtbTcCn1eb4NZX1IwArcXoRJCJSgwDrQZ3HLatov3w=,iv:J2VD5XS+BrIKeFb0NW1UYZUuGPkbjFmooZ93PVK31gw=,tag:2XLSa/2s6LRq3L7UdrTs/g==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1f0hscql4f4w7vyukzeu693xfedsl596dpjekc23q77ylp92zsvcqf9u75t",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-04-28T09:28:04Z",
+		"lastmodified": "2025-06-10T20:51:10Z",
-		"mac": "ENC[AES256_GCM,data:PHdhyie0Ya/nN9Kqj4z+zPyyKZFvGkznkv8Uf3LNSdPKWVtXARZc8Xodm4MjI2HvooryyyMFHkW75Aln02Rlvk3R8oI7rfFZC7s2P+LotumsYgRFf0JOUMxsxOtKW0ehuLy83Bw0rMJQo1gzTgBykcvdc2pkMmALF/vU/1VqgJ4=,iv:0JwcY0Q+8VAiVHYjynhcpsobQXOkK8EBe3QUJ8YUwFE=,tag:9xAcoxAPGxTvHVBydf3u9Q==,type:str]",
+		"mac": "ENC[AES256_GCM,data:9lF4HV0oJyGHXdtYdMxR7+ev7JLAQVr6kE55nLoZcrbC92MHJzQpgM9XAhIynvwdAmC7ARd3orCn6eYkQJDdNX0JjMtebsBE+H4B7mEUCz8wtTN0iHS+oHmQxrqjnoSw2uHh9udgqAJa+sd6VGU3t2XUuuKtVHPwzROqVgvas9M=,iv:KT+BlFeXGZQc5pbBX+XOsmKEydUtir1LuPvseDkFeqw=,tag:hlRskY6b5EAZkUYs7ph/JA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-04-28T09:25:37Z",
@@ -28,6 +25,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.10.2"
 	}
-}
+}
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@@ -111,8 +111,7 @@
    '';
  };
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    allowReboot = true;
    autoUpgrade = true;
    startAt = "*-*-* 06:22:00";
  };
--- a/hosts/dn42-il-gw6/configuration.nix
+++ b/hosts/dn42-il-gw6/configuration.nix
@@ -105,8 +105,7 @@
    '';
  };
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    allowReboot = true;
    autoUpgrade = true;
    startAt = "*-*-* 07:22:00";
  };
--- a/hosts/dn42-ildix-clerie/configuration.nix
+++ b/hosts/dn42-ildix-clerie/configuration.nix
@@ -161,8 +161,7 @@
  }
  '';
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/dn42-ildix-service/configuration.nix
+++ b/hosts/dn42-ildix-service/configuration.nix
@@ -70,8 +70,7 @@
  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
@@ -131,6 +131,7 @@
  clerie.nginx-port-forward = {
    enable = true;
    resolver = "127.0.0.53";
    tcpPorts."443" = {
      host = "localhost";
      port = 22;
--- a/hosts/krypton/configuration.nix
+++ b/hosts/krypton/configuration.nix
@@ -5,8 +5,6 @@
    [
      ./hardware-configuration.nix
      ../../configuration/desktop
      ./android.nix
      ./backup.nix
      ./etesync-dav.nix
@@ -15,6 +13,8 @@
      ./programs.nix
    ];
  profiles.clerie.desktop.enable = true;
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/hosts/krypton/programs.nix
+++ b/hosts/krypton/programs.nix
@@ -11,17 +11,21 @@
    signal-desktop
    dino
    fractal
    tuba
    flare-signal
    tio
    xournalpp
-    onlyoffice-bin
+    libreoffice
    krita
    inkscape
    dune3d
    wireshark
    tcpdump
    nmap
    pkgs."http.server"
    kdePackages.okular
    chromium-incognito
--- a/hosts/monitoring-3/blackbox.nix
+++ b/hosts/monitoring-3/blackbox.nix
@@ -25,6 +25,48 @@
            fail_if_not_ssl: true
            fail_if_body_not_matches_regexp:
              - "Synapse is running"
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
        http4:
          prober: http
          http:
            preferred_ip_protocol: ip4
            ip_protocol_fallback: false
            fail_if_ssl: true
            follow_redirects: false
            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
        http6:
          prober: http
          http:
            preferred_ip_protocol: ip6
            ip_protocol_fallback: false
            fail_if_ssl: true
            follow_redirects: false
            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
        https4:
          prober: http
          http:
            preferred_ip_protocol: ip4
            ip_protocol_fallback: false
            fail_if_not_ssl: true
            follow_redirects: false
            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
        https6:
          prober: http
          http:
            preferred_ip_protocol: ip6
            ip_protocol_fallback: false
            fail_if_not_ssl: true
            follow_redirects: false
            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
    '';
  };
 }
--- a/hosts/monitoring-3/configuration.nix
+++ b/hosts/monitoring-3/configuration.nix
@@ -10,6 +10,7 @@
      ./grafana.nix
      ./nixos-validator.nix
      ./prometheus.nix
      ./targets.nix
      ./uptimestatus.nix
    ];
--- a/hosts/monitoring-3/dashboards/home.json
+++ b/hosts/monitoring-3/dashboards/home.json
@@ -0,0 +1,77 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "datasource",
          "uid": "grafana"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "target": {
          "limit": 100,
          "matchAny": false,
          "tags": [],
          "type": "dashboard"
        },
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "id": 10,
  "links": [],
  "panels": [
    {
      "fieldConfig": {
        "defaults": {},
        "overrides": []
      },
      "gridPos": {
        "h": 11,
        "w": 24,
        "x": 0,
        "y": 0
      },
      "id": 2,
      "options": {
        "includeVars": false,
        "keepTime": false,
        "maxItems": 10,
        "query": "",
        "showFolderNames": true,
        "showHeadings": false,
        "showRecentlyViewed": false,
        "showSearch": true,
        "showStarred": false,
        "tags": []
      },
      "pluginVersion": "12.0.2+security-01",
      "title": "Dashboards",
      "type": "dashlist"
    }
  ],
  "preload": false,
  "refresh": "",
  "schemaVersion": 41,
  "tags": [],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-6h",
    "to": "now"
  },
  "timepicker": {
    "hidden": true
  },
  "timezone": "browser",
  "title": "Home",
  "uid": "OqTN9p2nz",
  "version": 1
 }
--- a/hosts/monitoring-3/dashboards/nginx-exporter.json
+++ b/hosts/monitoring-3/dashboards/nginx-exporter.json
@@ -0,0 +1,355 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "id": 16,
  "links": [],
  "panels": [
    {
      "datasource": {
        "type": "prometheus",
        "uid": "PBFA97CFB590B2093"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisBorderShow": false,
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "barWidthFactor": 0.6,
            "drawStyle": "line",
            "fillOpacity": 0,
            "gradientMode": "none",
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            },
            "insertNulls": false,
            "lineInterpolation": "linear",
            "lineWidth": 1,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "off"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green"
              }
            ]
          },
          "unit": "reqps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 0,
        "y": 0
      },
      "id": 1,
      "options": {
        "legend": {
          "calcs": [],
          "displayMode": "list",
          "placement": "bottom",
          "showLegend": true
        },
        "tooltip": {
          "hideZeros": false,
          "mode": "single",
          "sort": "none"
        }
      },
      "pluginVersion": "12.0.2+security-01",
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "disableTextWrap": false,
          "editorMode": "builder",
          "expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
          "fullMetaSearch": false,
          "includeNullMetadata": true,
          "legendFormat": "__auto",
          "range": true,
          "refId": "A",
          "useBackend": false
        }
      ],
      "title": "Total requests",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "PBFA97CFB590B2093"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisBorderShow": false,
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "barWidthFactor": 0.6,
            "drawStyle": "line",
            "fillOpacity": 0,
            "gradientMode": "none",
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            },
            "insertNulls": false,
            "lineInterpolation": "linear",
            "lineWidth": 1,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "off"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green"
              }
            ]
          },
          "unit": "reqps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 12,
        "y": 0
      },
      "id": 2,
      "options": {
        "legend": {
          "calcs": [],
          "displayMode": "list",
          "placement": "bottom",
          "showLegend": true
        },
        "tooltip": {
          "hideZeros": false,
          "mode": "single",
          "sort": "none"
        }
      },
      "pluginVersion": "12.0.2+security-01",
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "disableTextWrap": false,
          "editorMode": "builder",
          "expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
          "fullMetaSearch": false,
          "includeNullMetadata": true,
          "legendFormat": "{{server_name}}: {{method}}",
          "range": true,
          "refId": "A",
          "useBackend": false
        }
      ],
      "title": "Status codes",
      "type": "timeseries"
    },
    {
      "datasource": {
        "type": "prometheus",
        "uid": "PBFA97CFB590B2093"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisBorderShow": false,
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "barWidthFactor": 0.6,
            "drawStyle": "line",
            "fillOpacity": 0,
            "gradientMode": "none",
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            },
            "insertNulls": false,
            "lineInterpolation": "linear",
            "lineWidth": 1,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "off"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green"
              }
            ]
          },
          "unit": "reqps"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 10,
        "w": 12,
        "x": 0,
        "y": 10
      },
      "id": 3,
      "options": {
        "legend": {
          "calcs": [],
          "displayMode": "list",
          "placement": "bottom",
          "showLegend": true
        },
        "tooltip": {
          "hideZeros": false,
          "mode": "single",
          "sort": "none"
        }
      },
      "pluginVersion": "12.0.2+security-01",
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "${DS_PROMETHEUS}"
          },
          "disableTextWrap": false,
          "editorMode": "builder",
          "expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
          "fullMetaSearch": false,
          "includeNullMetadata": true,
          "legendFormat": "{{server_name}}: HTTP {{status}}",
          "range": true,
          "refId": "A",
          "useBackend": false
        }
      ],
      "title": "Response codes",
      "type": "timeseries"
    }
  ],
  "preload": false,
  "refresh": "30s",
  "schemaVersion": 41,
  "tags": [],
  "templating": {
    "list": [
      {
        "current": {
          "text": "All",
          "value": [
            "$__all"
          ]
        },
        "definition": "label_values(nginxlog_http_response_count_total,server_name)",
        "includeAll": true,
        "label": "vHost",
        "multi": true,
        "name": "server_name",
        "options": [],
        "query": {
          "qryType": 1,
          "query": "label_values(nginxlog_http_response_count_total,server_name)",
          "refId": "PrometheusVariableQueryEditor-VariableQuery"
        },
        "refresh": 1,
        "regex": "",
        "type": "query"
      }
    ]
  },
  "time": {
    "from": "now-3h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "browser",
  "title": "Nginx Exporter",
  "uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
  "version": 7
 }
--- a/hosts/monitoring-3/dashboards/nixos-status.json
+++ b/hosts/monitoring-3/dashboards/nixos-status.json
@@ -0,0 +1,135 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "target": {
          "limit": 100,
          "matchAny": false,
          "tags": [],
          "type": "dashboard"
        },
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "id": 15,
  "links": [],
  "panels": [
    {
      "datasource": {
        "type": "prometheus",
        "uid": "PBFA97CFB590B2093"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "continuous-RdYlGr"
          },
          "custom": {
            "axisPlacement": "auto",
            "fillOpacity": 70,
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            },
            "insertNulls": false,
            "lineWidth": 0,
            "spanNulls": false
          },
          "mappings": [
            {
              "options": {
                "0": {
                  "index": 1,
                  "text": "mismatch"
                },
                "1": {
                  "index": 0,
                  "text": "sync"
                }
              },
              "type": "value"
            }
          ],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "red"
              }
            ]
          }
        },
        "overrides": []
      },
      "gridPos": {
        "h": 23,
        "w": 24,
        "x": 0,
        "y": 0
      },
      "id": 2,
      "options": {
        "alignValue": "left",
        "legend": {
          "displayMode": "list",
          "placement": "bottom",
          "showLegend": true
        },
        "mergeValues": true,
        "rowHeight": 0.9,
        "showValue": "auto",
        "tooltip": {
          "hideZeros": false,
          "mode": "single",
          "sort": "none"
        }
      },
      "pluginVersion": "12.0.2+security-01",
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "PBFA97CFB590B2093"
          },
          "editorMode": "builder",
          "expr": "nixos_current_system_is_sync",
          "legendFormat": "{{instance}}",
          "range": true,
          "refId": "A"
        }
      ],
      "title": "Config is Sync",
      "type": "state-timeline"
    }
  ],
  "preload": false,
  "refresh": "5m",
  "schemaVersion": 41,
  "tags": [],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-7d",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "NixOS Status",
  "uid": "W4j3nz1Vz",
  "version": 3
 }
--- a/hosts/monitoring-3/dashboards/smokeping.json
+++ b/hosts/monitoring-3/dashboards/smokeping.json
@@ -0,0 +1,211 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "datasource",
          "uid": "grafana"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "target": {
          "limit": 100,
          "matchAny": false,
          "tags": [],
          "type": "dashboard"
        },
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "id": 11,
  "links": [],
  "panels": [
    {
      "datasource": {
        "type": "prometheus",
        "uid": "PBFA97CFB590B2093"
      },
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "palette-classic"
          },
          "custom": {
            "axisBorderShow": false,
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisLabel": "",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "barWidthFactor": 0.6,
            "drawStyle": "line",
            "fillOpacity": 0,
            "gradientMode": "none",
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            },
            "insertNulls": false,
            "lineInterpolation": "linear",
            "lineWidth": 1,
            "pointSize": 5,
            "scaleDistribution": {
              "type": "linear"
            },
            "showPoints": "auto",
            "spanNulls": false,
            "stacking": {
              "group": "A",
              "mode": "none"
            },
            "thresholdsStyle": {
              "mode": "off"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green"
              },
              {
                "color": "red",
                "value": 80
              }
            ]
          },
          "unit": "s"
        },
        "overrides": []
      },
      "gridPos": {
        "h": 22,
        "w": 24,
        "x": 0,
        "y": 0
      },
      "id": 2,
      "options": {
        "legend": {
          "calcs": [],
          "displayMode": "list",
          "placement": "bottom",
          "showLegend": true
        },
        "tooltip": {
          "hideZeros": false,
          "mode": "single",
          "sort": "none"
        }
      },
      "pluginVersion": "12.0.2+security-01",
      "targets": [
        {
          "datasource": {
            "type": "prometheus",
            "uid": "PBFA97CFB590B2093"
          },
          "editorMode": "code",
          "exemplar": true,
          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
          "interval": "",
          "legendFormat": "IPv6 {{target}} ({{instance}})",
          "range": true,
          "refId": "A"
        },
        {
          "datasource": {
            "type": "prometheus",
            "uid": "PBFA97CFB590B2093"
          },
          "editorMode": "code",
          "exemplar": true,
          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
          "hide": false,
          "interval": "",
          "legendFormat": "IPv4 {{target}} ({{instance}})",
          "range": true,
          "refId": "B"
        }
      ],
      "title": "Smokeping",
      "type": "timeseries"
    }
  ],
  "preload": false,
  "refresh": "",
  "schemaVersion": 41,
  "tags": [],
  "templating": {
    "list": [
      {
        "current": {
          "text": "All",
          "value": "$__all"
        },
        "datasource": {
          "type": "prometheus",
          "uid": "PBFA97CFB590B2093"
        },
        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
        "includeAll": true,
        "label": "Target:",
        "multi": true,
        "name": "target",
        "options": [],
        "query": {
          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 1,
        "regex": "",
        "type": "query"
      },
      {
        "current": {
          "text": [
            "All"
          ],
          "value": [
            "$__all"
          ]
        },
        "datasource": {
          "type": "prometheus",
          "uid": "PBFA97CFB590B2093"
        },
        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
        "includeAll": true,
        "label": "Instance:",
        "multi": true,
        "name": "instance",
        "options": [],
        "query": {
          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 1,
        "regex": "",
        "type": "query"
      }
    ]
  },
  "time": {
    "from": "now-30m",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "Smokeping",
  "uid": "IytTVZL7z",
  "version": 9
 }
--- a/hosts/monitoring-3/prometheus.nix
+++ b/hosts/monitoring-3/prometheus.nix
@@ -52,6 +52,12 @@ let
    attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
    monitoringHosts);
  nginxlogMonitoringTargets = mapAttrsToList (name: host:
    "${host.config.networking.hostName}.mon.clerie.de:9117")
    (filterAttrs (name: host:
    attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
    monitoringHosts);
  eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
 in {
@@ -104,6 +110,21 @@ in {
          relabelAddressToInstance
        ];
      }
      {
        job_name = "alertmanager";
        scrape_interval = "20s";
        scheme = "http";
        static_configs = [
          {
            targets = [
              "monitoring-3.mon.clerie.de:9093"
            ];
          }
        ];
        relabel_configs = [
          relabelAddressToInstance
        ];
      }
      {
        job_name = "node-exporter";
        scrape_interval = "20s";
@@ -141,10 +162,7 @@ in {
        };
        static_configs = [
          {
-            targets = [
+            targets = map (target: "${target};infra") config.profiles.clerie.monitoring-server.probeTargets.node-exporter-uberspace;
              "clerie.uber.space;infra"
              "cleriewi.uber.space;infra"
            ];
          }
        ];
        relabel_configs = [
@@ -225,17 +243,7 @@ in {
        };
        static_configs = [
          {
-            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [
+            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp6;
              "clerie.de"
              "tagesschau.de"
              "google.com"
              "achtbaan.nikhef.nl"
              "fluorine.net.clerie.de"
              "www.fem.tu-ilmenau.de"
              "www.heise.de"
              "dyon.net.entr0py.de"
              "matrix.fachschaften.org"
            ];
          }
        ];
        relabel_configs = [
@@ -267,18 +275,7 @@ in {
        };
        static_configs = [
          {
-            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [
+            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp4;
              "clerie.de"
              "tagesschau.de"
              "google.com"
              "achtbaan.nikhef.nl"
              "www.fem.tu-ilmenau.de"
              "www.heise.de"
              "matrix.bau-ha.us"
              "dyon.net.entr0py.de"
              "matrix.entr0py.de"
              "matrix.fachschaften.org"
            ];
          }
        ];
        relabel_configs = [
@@ -310,10 +307,7 @@ in {
        };
        static_configs = [
          {
-            targets = [
+            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-synapse;
              "matrix.entr0py.de"
              "matrix.fachschaften.org"
            ];
          }
        ];
        relabel_configs = [
@@ -393,6 +387,122 @@ in {
          relabelAddressToInstance
        ];
      }
      {
        job_name = "blackbox_local_http6";
        scrape_interval = "100s";
        metrics_path = "/probe";
        params = {
          module = [ "http6" ];
        };
        static_configs = [
          {
            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            target_label = "__param_target";
            replacement = "http://\${1}";
          }
          {
            source_labels = [ "__address__" ];
            target_label = "target";
          }
          {
            target_label = "__address__";
            replacement = "monitoring-3.mon.clerie.de:9115";
          }
          relabelAddressToInstance
        ];
      }
      {
        job_name = "blackbox_local_http4";
        scrape_interval = "100s";
        metrics_path = "/probe";
        params = {
          module = [ "http4" ];
        };
        static_configs = [
          {
            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            target_label = "__param_target";
            replacement = "http://\${1}";
          }
          {
            source_labels = [ "__address__" ];
            target_label = "target";
          }
          {
            target_label = "__address__";
            replacement = "monitoring-3.mon.clerie.de:9115";
          }
          relabelAddressToInstance
        ];
      }
      {
        job_name = "blackbox_local_https6";
        scrape_interval = "100s";
        metrics_path = "/probe";
        params = {
          module = [ "https6" ];
        };
        static_configs = [
          {
            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            target_label = "__param_target";
            replacement = "https://\${1}";
          }
          {
            source_labels = [ "__address__" ];
            target_label = "target";
          }
          {
            target_label = "__address__";
            replacement = "monitoring-3.mon.clerie.de:9115";
          }
          relabelAddressToInstance
        ];
      }
      {
        job_name = "blackbox_local_https4";
        scrape_interval = "100s";
        metrics_path = "/probe";
        params = {
          module = [ "https4" ];
        };
        static_configs = [
          {
            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            target_label = "__param_target";
            replacement = "https://\${1}";
          }
          {
            source_labels = [ "__address__" ];
            target_label = "target";
          }
          {
            target_label = "__address__";
            replacement = "monitoring-3.mon.clerie.de:9115";
          }
          relabelAddressToInstance
        ];
      }
      {
        job_name = "hydra";
        scrape_interval = "20s";
@@ -432,12 +542,24 @@ in {
          }
        ];
      }
      {
        job_name = "nginxlog-exporter";
        scrape_interval = "20s";
        static_configs = [
          {
            targets = nginxlogMonitoringTargets;
          }
        ];
        relabel_configs = [
          relabelAddressToInstance
        ];
      }
    ];
    alertmanagers = [
      {
        static_configs = [ {
          targets = [
-            "[::1]:9093"
+            "monitoring-3.mon.clerie.de:9093"
          ];
        } ];
      }
--- a/hosts/monitoring-3/rules.yml
+++ b/hosts/monitoring-3/rules.yml
@@ -18,7 +18,7 @@ groups:
      summary: "Current system of {{ $labels.instance }} not in sync with config"
      description: "The current system hash of {{ $labels.instance }} does not match the one generated by hydra based on the current config"
  - alert: StorageFull
-    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 5
+    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 5
    for: 30m
    labels:
      severity: critical
@@ -26,7 +26,7 @@ groups:
      summary: "Storage of {{ $labels.instance }} is full"
      description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is full"
  - alert: StorageAlmostFull
-    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 10
+    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 10
    for: 30m
    labels:
      severity: warning
@@ -87,3 +87,26 @@ groups:
    annotations:
      summary: "GPG {{ $labels.fingerprint }} is expiring soon"
      description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
  - alert: NadjaTopIPv4ProxyBroken
    expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
    for: 15m
    labels:
      severity: critical
    annotations:
      summary: "blog.nadja.top unreachable via IPv4"
      description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
  - alert: AlertmanagerNotificationRequestsFailed
    expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
    labels:
      severity: critical
    annotations:
      summary: "Too many notification requests failed"
      description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
  - alert: FemSocialDown
    expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
    for: 5m
    labels:
      severity: critical
    annotations:
      summary: "fem.social unavailable via HTTP"
      description: "fem.social is not fully reachable via HTTP"
--- a/hosts/monitoring-3/targets.nix
+++ b/hosts/monitoring-3/targets.nix
@@ -0,0 +1,7 @@
 { ... }:
 {
  profiles.clerie.monitoring-server.targets = builtins.fromJSON (builtins.readFile ../../monitoring/targets.json);
 }
--- a/hosts/nonat/configuration.nix
+++ b/hosts/nonat/configuration.nix
@@ -41,8 +41,7 @@
  networking.firewall.allowedUDPPorts = [];
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/porter/configuration.nix
+++ b/hosts/porter/configuration.nix
@@ -26,8 +26,29 @@
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  profiles.clerie.common-webserver.httpDefaultVirtualHost = false;
  services.unbound = {
    enable = true;
    resolveLocalQueries = false;
    settings = {
      server = {
        interface = [ "127.0.0.1" ];
      };
    };
  };
  clerie.nginx-port-forward = {
    enable = true;
    resolver = "127.0.0.1";
    tcpPorts."80" = {
      host = "baikonur.dyn.weimarnetz.de";
      port = 80;
    };
    tcpPorts."443" = {
      host = "baikonur.dyn.weimarnetz.de";
      port = 443;
    };
    tcpPorts."2022" = {
      host = "nonat.net.clerie.de";
      port = 22;
@@ -37,6 +58,10 @@
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [];
  services.bijwerken = {
    autoUpgrade = true;
  };
  clerie.monitoring = {
    enable = true;
    id = "102";
--- a/hosts/storage-2/configuration.nix
+++ b/hosts/storage-2/configuration.nix
@@ -52,8 +52,7 @@
    };
  };
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
    allowReboot = true;
    autoUpgrade = true;
  };
--- a/hosts/storage-2/em.nix
+++ b/hosts/storage-2/em.nix
@@ -11,7 +11,28 @@ with lib;
  };
  users.groups.data-em = {};
  users.users.data-em-mp3 = {
    group = "data-em-mp3";
    home = "/data/em-mp3";
    useDefaultShell = true;
    isSystemUser = true;
  };
  users.groups.data-em-mp3 = {};
  systemd.tmpfiles.rules = [
    "d /data/em - data-em data-em - -"
    "d /data/em-mp3 - data-em-mp3 data-em-mp3 - -"
  ];
  systemd.services.convert-flac-dir-to-mp3 = {
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${lib.getExe pkgs.convert-flac-dir-to-mp3} /data/em /data/em-mp3";
      StateDirectory = "convert-flac-dir-to-mp3";
      WorkingDirectory = "/var/lib/convert-flac-dir-to-mp3";
      User = "data-em-mp3";
      Group = "data-em-mp3";
    };
    startAt = "*-*-* 03:47:00";
  };
 }
--- a/hosts/storage-2/mixcloud.nix
+++ b/hosts/storage-2/mixcloud.nix
@@ -53,17 +53,23 @@ in {
    "mixcloud.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
      locations."/" = {
        alias = "/data/mixcloud/";
        basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
        extraConfig = ''
          autoindex on;
          autoindex_exact_size off;
        '';
      };
      locations."/api/" = {
        alias = "/data/mixcloud/";
        extraConfig = ''
          autoindex on;
          autoindex_format json;
        '';
      };
      locations."/media/" = {
        alias = "/data/media/";
        basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
        extraConfig = ''
          autoindex on;
          autoindex_exact_size off;
--- a/hosts/web-2/blocked-prefixes.txt
+++ b/hosts/web-2/blocked-prefixes.txt
@@ -0,0 +1,195 @@
 ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
 iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse
--- a/hosts/web-2/clerie.nix
+++ b/hosts/web-2/clerie.nix
@@ -27,7 +27,7 @@
        root = pkgs.clerie-keys;
      };
      locations."= /ssh/known_hosts" = {
-        alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
+        alias = pkgs.clerie-ssh-known-hosts + "/known_hosts";
        extraConfig = ''
          types { }
          default_type "text/plain; charset=utf-8";
@@ -53,9 +53,6 @@
        '';
        return = "200 ''";
      };
      extraConfig = ''
        access_log /var/log/nginx/clerie.de.log combined_anon;
      '';
    };
  };
 }
--- a/hosts/web-2/configuration.nix
+++ b/hosts/web-2/configuration.nix
@@ -24,6 +24,7 @@
      ./public.nix
      ./radicale.nix
      ./reichartstrasse.nix
      ./traveldrafter.nix
      ./uptimestatus.nix
      ./wetter.nix
    ];
@@ -51,6 +52,8 @@
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
--- a/hosts/web-2/gitea.nix
+++ b/hosts/web-2/gitea.nix
@@ -83,9 +83,6 @@
          proxyPass = "http://[::1]:3000";
        };
      };
      extraConfig = ''
        access_log /var/log/nginx/git.clerie.de.log combined_anon;
      '';
    };
  };
 }
--- a/hosts/web-2/ip.nix
+++ b/hosts/web-2/ip.nix
@@ -53,9 +53,6 @@
          types { } default_type "text/html; charset=utf-8";
        '';
      };
      extraConfig = ''
        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
      '';
    };
    "ip4.clerie.de" = {
      enableACME = true;
@@ -67,9 +64,6 @@
          add_header Access-Control-Allow-Origin *;
        '';
      };
      extraConfig = ''
        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
      '';
    };
    "ip6.clerie.de" = {
      enableACME = true;
@@ -81,9 +75,6 @@
          add_header Access-Control-Allow-Origin *;
        '';
      };
      extraConfig = ''
        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
      '';
    };
  };
 }
--- a/hosts/web-2/legal.nix
+++ b/hosts/web-2/legal.nix
@@ -7,8 +7,8 @@
      forceSSL = true;
      root = pkgs.fetchgit {
        url = "https://git.clerie.de/clerie/legal.clerie.de.git";
-        rev = "c6900226e3107a2e370a32759d83db472ab5450d";
+        rev = "b271b9729f4545c340ce9d16ecbca136031da409";
-        sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU=";
+        sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
      };
      locations."/impressum" = {
        return = ''301 https://legal.clerie.de/#impressum'';
--- a/hosts/web-2/secrets.json
+++ b/hosts/web-2/secrets.json
@@ -4,19 +4,16 @@
 	"clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]",
 	"radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]",
 	"traveldrafter-htpasswd": "ENC[AES256_GCM,data:f29vVDofv2mJEyn/pMKWW8ZbVTKSofe1EEtcfuCaokdqAyxemcq/2hrXFw8cAGTV2hwVqlM2hzJcT32KBjO/wgUNfv4=,iv:5PdQ+bn/bXmfQstP5A/dLeDk7O0qTjoRTyr4D+AgiG0=,tag:gCBrSJ4cEnZHqePiUpPglA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-05-10T13:32:34Z",
+		"lastmodified": "2025-07-06T16:08:39Z",
-		"mac": "ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]",
+		"mac": "ENC[AES256_GCM,data:6EbMSJAKOMgXtlwaVtsmPgrZVgraReAfVJWjZvhe965eLhhP5aeyZqPlA6a93h2FsShVFYWFPI57tdHy9Ymo53oXolSt8Docr2w2FL4BTWHHhkXal9+6aJZAZ+XOPEOUYurFxPOX44l+LDkecSz0NMCgrScWtpphjlkj3yP5GTo=,iv:5w8RC9IAuyEuO0QSZ0FBwW2/qqV56HNG7hZIkEeGEYU=,tag:Zosv1OSMtznnKkSYStu+oA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:29:58Z",
@@ -27,4 +24,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}
--- a/hosts/web-2/traveldrafter.nix
+++ b/hosts/web-2/traveldrafter.nix
@@ -0,0 +1,40 @@
 { pkgs, lib, config, ... }: {
  services.update-from-hydra.paths.traveldrafter = {
    enable = true;
    hydraUrl = "https://hydra.clerie.de";
    hydraProject = "clerie";
    hydraJobset = "traveldrafter";
    hydraJob = "packages.x86_64-linux.traveldrafter";
    nixStoreUri = "https://nix-cache.clerie.de";
    resultPath = "/srv/traveldrafter";
  };
  sops.secrets.traveldrafter-htpasswd = {
    owner = "nginx";
    group = "nginx";
  };
  services.nginx.virtualHosts = {
    "traveldrafter.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      root = "/srv/traveldrafter/lib/node_modules/traveldrafter/web/";
      basicAuthFile = config.sops.secrets.traveldrafter-htpasswd.path;
      locations."/api" = {
        proxyPass = "http://[::1]:3001";
      };
    };
  };
  systemd.services."traveldrafter" = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      RuntimeDirectory = "traveldrafter";
      DynamicUser = true;
    };
    environment = {
      HTTP_PORT = "3001";
    };
    script = lib.getExe pkgs.traveldrafter;
  };
 }
--- a/hosts/zinc/configuration.nix
+++ b/hosts/zinc/configuration.nix
@@ -5,12 +5,12 @@
    [
      ./hardware-configuration.nix
      ../../configuration/desktop
      ./initrd.nix
      ./programs.nix
    ];
  profiles.clerie.desktop.enable = true;
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -8,6 +8,8 @@ let
  lib = {
    clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix;
    mkNixpkgs = callLibs ./mkNixpkgs.nix;
    nixosSystem = callLibs ./nixosSystem.nix;
  };
 in
--- a/lib/link-local-wireguard.nix
+++ b/lib/link-local-wireguard.nix
@@ -1,22 +0,0 @@
 { ... }:
 rec {
  llIPv6 = localIP: peerIP: interface: {
    ips = [
      "${localIP}/128"
    ];
    postSetup = ''
    ip -6 route flush dev ${interface}
    ip addr del dev ${interface} ${localIP}/128 && ip addr add dev ${interface} ${localIP}/128 peer ${peerIP}/128
    '';
  };
  llIPv4 = localIP: peerIP: interface: {
    ips = [
      "${localIP}/32"
    ];
    postSetup = ''
    ip -4 route flush dev ${interface}
    ip addr del dev ${interface} ${localIP}/32 && ip addr add dev ${interface} ${localIP}/32 peer ${peerIP}/32
    '';
  };
 }
--- a/lib/mkNixpkgs.nix
+++ b/lib/mkNixpkgs.nix
@@ -0,0 +1,27 @@
 {
  inputs,
  self,
  ...
 }:
 /*
  Loads a version of nixpkgs with nixfiles overlays loaded
 */
 {
  system,
  nixpkgs ? inputs.nixpkgs,
  overlays ? [],
  ...
 }@args:
 import nixpkgs {
  inherit system;
  overlays = [
    self.overlays.clerie-inputs
    self.overlays.clerie-pkgs
    self.overlays.clerie-build-support
    self.overlays.clerie-overrides
  ] ++ overlays;
 }
--- a/lib/nixosSystem.nix
+++ b/lib/nixosSystem.nix
@@ -0,0 +1,42 @@
 {
  inputs,
  self,
  ...
 }:
 /*
  nixfiles.lib.nixosSystem, like nixpkgs.lib.nixosSystem but
  with nixfiles overlays and modules already populated
 */
 {
  system ? null,
  nixpkgs ? inputs.nixpkgs,
  pkgs ? null,
  modules ? [],
  ...
 }@args:
 nixpkgs.lib.nixosSystem ({
  system = system;
  pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs {
    inherit system nixpkgs;
  });
  modules = [
    self.nixosModules.nixfilesInputs
    self.nixosModules.clerie
    self.nixosModules.profiles
    ({ config, lib, ... }: {
      /*
        Make the contents of the flake availiable to modules.
        Useful for having the monitoring server scraping the
        target config from all other servers automatically.
      */
      _module.args = {
        inputs = inputs;
        _nixfiles = self;
      };
    })
  ] ++ modules;
 } // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )
--- a/modules/clerie-system-upgrade/default.nix
+++ b/modules/clerie-system-upgrade/default.nix
@@ -3,18 +3,13 @@
 with lib;
 let
-  cfg = config.clerie.system-auto-upgrade;
+  cfg = config.services.bijwerken;
 in
 {
  options = {
-    clerie.system-auto-upgrade = {
+    services.bijwerken = {
-      enable = mkEnableOption "clerie system upgrade";
+      enable = mkEnableOption "Automatic system upgrades";
      allowReboot = mkOption {
        type = types.bool;
        default = false;
        description = "Monitor NixOS";
      };
      autoUpgrade = mkOption {
        type = types.bool;
        default = false;
@@ -25,10 +20,15 @@ in
        default = null;
        description = "Systemd time string for starting the unit";
      };
      nodeExporterTextfilePath = mkOption {
        type = with types; nullOr str;
        default = null;
        description = "Path to node exporter textfile for putting metrics";
      };
    };
  };
  config = mkIf cfg.enable {
-    systemd.services.clerie-system-auto-upgrade = {
+    systemd.services.bijwerken-system-upgrade = {
      requires = [ "network-online.target" ];
      after = [ "network-online.target" ];
@@ -38,10 +38,10 @@ in
      serviceConfig = {
        Type = "oneshot";
-        ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
+        ExecStart = (getExe pkgs.bijwerken-system-upgrade) + " --no-confirm${optionalString (cfg.nodeExporterTextfilePath != null) " --node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}"}";
      };
    };
-    systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade {
+    systemd.timers.bijwerken-system-upgrade = mkIf cfg.autoUpgrade {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt;
@@ -51,7 +51,7 @@ in
      after = [ "network-online.target" ];
    };
    environment.systemPackages = with pkgs; [
-      clerie-system-upgrade
+      bijwerken-system-upgrade
    ];
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,9 +5,9 @@
    ./policyrouting
    ./akne
    ./backup
    ./bijwerken
    ./clerie-firewall
    ./clerie-gc-dir
    ./clerie-system-upgrade
    ./dhcpcd-prefixdelegation
    ./minecraft-server
    ./monitoring
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -75,6 +75,8 @@ in
    systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
    services.bijwerken.nodeExporterTextfilePath = "/var/lib/prometheus-node-exporter/textfiles/bijwerken-system-upgrade.prom";
    services.prometheus.exporters.bird = mkIf cfg.bird {
      enable = true;
    };
@@ -102,6 +104,33 @@ in
      listen = "[::]:9152";
    };
    services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
      enable = true;
      settings = {
        namespaces = [
          {
            name = "nginxlog";
            format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
            source = {
              files = [
                "/var/log/nginx/access.log"
              ];
            };
            relabel_configs = [
              {
                target_label = "server_name";
                from = "server_name";
              }
            ];
          }
        ];
      };
    };
    systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
      SupplementaryGroups = "nginx";
    };
    networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
      9100 # node-exporter
      9152 # nixos-exporter
@@ -109,6 +138,8 @@ in
      9324 # bird-exporter
    ] else []) ++ (if cfg.blackbox then [
      9115 # blackbox-exporter
    ] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
      config.services.prometheus.exporters.nginxlog.port
    ] else []);
  };
 }
--- a/modules/nginx-port-forward/default.nix
+++ b/modules/nginx-port-forward/default.nix
@@ -9,6 +9,8 @@ let
  mkServerBlock = isUDP: port: forward: ''
    server {
      resolver ${cfg.resolver} ipv4=off valid=30s;
      listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
      listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
@@ -18,7 +20,9 @@ let
        ${ optionalString (sslDhparam != null) "ssl_dhparam ${sslDhparam};" }
      '' }
-      proxy_pass ${forward.host}:${toString forward.port};
+      set $upstream_server ${forward.host}:${toString forward.port};
      proxy_pass $upstream_server;
    }
  '';
@@ -50,6 +54,10 @@ in
  options = {
    clerie.nginx-port-forward = {
      enable = mkEnableOption "Nginx Port Forward";
      resolver = mkOption {
        type = types.str;
        description = "IP address of the resolver to use for upstream hostnames";
      };
      tcpPorts = mkOption {
        type = with types; attrsOf (submodule portOpts);
        default = {};
--- a/monitoring/targets.json
+++ b/monitoring/targets.json
@@ -0,0 +1,55 @@
 {
  "clerie.de": {
    "icmp": { "enable": true },
    "http": { "enable": true }
  },
  "wiki.clerie.de": {
    "http": { "enable": true }
  },
  "blog.nadja.top": {
    "http": { "enable": true }
  },
  "fem.social": {
    "http": { "enable": true }
  },
  "tagesschau.de": {
    "icmp": { "enable": true }
  },
  "google.com": {
    "icmp": { "enable": true }
  },
  "achtbaan.nikhef.nl": {
    "icmp": { "enable": true }
  },
  "www.fem.tu-ilmenau.de": {
    "icmp": { "enable": true }
  },
  "www.heise.de": {
    "icmp": { "enable": true }
  },
  "dyon.net.entr0py.de": {
    "_comment": "Backend server of matrix.entr0py.de",
    "icmp": { "enable": true }
  },
  "matrix.bau-ha.us": {
    "synapse": { "enable": true }
  },
  "matrix.entr0py.de": {
    "synapse": { "enable": true }
  },
  "matrix.fachschaften.org": {
    "synapse": { "enable": true }
  },
  "clerie.uber.space": {
    "clerie-uberspace": { "enable": true }
  },
  "cleriewi.uber.space": {
    "clerie-uberspace": { "enable": true }
  },
  "reichart.uber.space": {
    "clerie-uberspace": { "enable": true }
  }
 }
--- a/pkgs/bijwerken-poke/bijwerken-poke.sh
+++ b/pkgs/bijwerken-poke/bijwerken-poke.sh
@@ -0,0 +1,5 @@
 #!/usr/bin/env bash
 TARGETS="$(nix --extra-experimental-features "nix-command flakes" eval --raw ".#nixosConfigurations" --apply "nixosConfigurations: builtins.concatStringsSep \"\\n\" (builtins.attrValues (builtins.mapAttrs (name: host: host.config.networking.fqdn) nixosConfigurations))")"
 pssh -h <(echo "${TARGETS}") -i -- sudo systemctl start bijwerken-system-upgrade.service --no-block
--- a/pkgs/bijwerken-poke/default.nix
+++ b/pkgs/bijwerken-poke/default.nix
@@ -0,0 +1,10 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
  name = "bijwerken-poke";
  text = builtins.readFile ./bijwerken-poke.sh;
  runtimeInputs = with pkgs; [
    pssh
  ];
 }
--- a/pkgs/bijwerken-system-upgrade/bijwerken-system-upgrade.sh
+++ b/pkgs/bijwerken-system-upgrade/bijwerken-system-upgrade.sh
@@ -2,16 +2,11 @@
 set -euo pipefail
 ALLOW_REBOOT=
 NO_CONFIRM=
 NODE_EXPORTER_METRICS_PATH=
 while [[ $# -gt 0 ]]; do
 	case $1 in
 		--allow-reboot)
 			ALLOW_REBOOT=1
 			shift
 		;;
 		--no-confirm)
 			NO_CONFIRM=1
 			shift
@@ -45,7 +40,7 @@ if [[ -z $NO_CONFIRM ]]; then
 fi
 echo "Download ${STORE_PATH}"
-nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}"
+nix copy --to daemon "${STORE_PATH}"
 echo "Add to system profile"
 nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
@@ -55,7 +50,7 @@ echo "Set as boot target"
 if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
 	echo "Write monitoring check data"
-	echo "clerie_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
+	echo "bijwerken_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
 fi
 BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
@@ -63,13 +58,8 @@ ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel
 if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
 	echo "Reboot is required"
-	if [[ -n "$ALLOW_REBOOT" ]]; then
+	echo "Rebooting system now"
-		echo "Rebooting system now"
+	shutdown -r +1 "System update requires reboot"
 		shutdown -r +1 "System update requires reboot"
 	else
 		echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
 		echo "The system upgrade is staged, please reboot manually soon"
 	fi
 else
 	echo "No reboot is required"
 	echo "Activating system now"
--- a/pkgs/clerie-system-upgrade/clerie-system-upgrade.nix
+++ b/pkgs/clerie-system-upgrade/clerie-system-upgrade.nix
@@ -1,8 +1,8 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
-  name = "clerie-system-upgrade";
+  name = "bijwerken-system-upgrade";
-  text = builtins.readFile ./clerie-system-upgrade.sh;
+  text = builtins.readFile ./bijwerken-system-upgrade.sh;
  runtimeInputs = with pkgs; [
    curl
    jq
--- a/pkgs/build-support/overlay.nix
+++ b/pkgs/build-support/overlay.nix
@@ -0,0 +1,7 @@
 final: prev:
 {
  clerie-build-support = {
    writePythonScript = final.callPackage ./writePythonScript.nix {};
  };
 }
--- a/pkgs/build-support/writePythonScript.nix
+++ b/pkgs/build-support/writePythonScript.nix
@@ -0,0 +1,56 @@
 {
  python3,
  makeWrapper,
  runCommand,
  lib,
 }:
 {
  name,
  text,
  runtimePackages ? ps: [],
  pythonPackage ? python3,
  runtimeInputs ? [],
  meta ? {},
  passthru ? {},
  derivationArgs ? {},
 }:
 let
  pythonWithPackages = pythonPackage.withPackages runtimePackages;
 in runCommand name ({
  passAsFile = [ "text" ] ++ (derivationArgs.passAsFile or []);
  meta = {
    mainProgram = name;
  } // meta // (derivationArgs.meta or {});
  passthru = passthru // (derivationArgs.passthru or {});
  nativeBuildInputs = [ makeWrapper ] ++ (derivationArgs.nativeBuildInputs or []);
  executable = true;
  destination = "/bin/${name}";
  allowSubstitutes = true;
  preferLocalBuild = false;
  text = ''
    #!${lib.getExe pythonWithPackages}
    ${text}
  '';
 } // (
  builtins.removeAttrs derivationArgs [ "passAsFile" "meta" "passthru" "nativeBuildInputs" ]
 ))
 ''
 mkdir -p $out/bin
 target=$out/bin/${lib.escapeShellArg name}
 cp "$textPath" "$target"
 chmod +x "$target"
 wrapProgram "$target" --prefix PATH : "${lib.makeBinPath runtimeInputs}"
 ''
--- a/pkgs/clerie-ssh-known-hosts/default.nix
+++ b/pkgs/clerie-ssh-known-hosts/default.nix
@@ -1,13 +1,22 @@
 {
  writeTextFile,
 }:
 let
  stripR = str: if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str;
-  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../hosts));
+  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../../hosts));
  sshkeyList = map (hostname: {
    name = hostname;
-    sshPubkey = stripR (builtins.readFile (../hosts + "/${hostname}/ssh.pub"));
+    sshPubkey = stripR (builtins.readFile (../../hosts + "/${hostname}/ssh.pub"));
  }) hostsWithSshPubkey;
  knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: ''
    ${name} ${sshPubkey}
    ${name}.net.clerie.de ${sshPubkey}
  '') sshkeyList);
-in
+in writeTextFile {
-  knownHosts
+  name = "clerie-ssh-known-hosts";
  destination = "/known_hosts";
  allowSubstitutes = true;
  preferLocalBuild = false;
  text = knownHosts;
 }
--- a/pkgs/convert-flac-dir-to-mp3/convert-flac-dir-to-mp3.py
+++ b/pkgs/convert-flac-dir-to-mp3/convert-flac-dir-to-mp3.py
@@ -0,0 +1,109 @@
 #!/usr/bin/env python
 import argparse
 from pathlib import Path
 from progress.bar import Bar
 import shutil
 import subprocess
 def files_and_dirs_for_directory(path):
    filepaths = []
    dirpaths = []
    for dirpath, dirnames, filenames in path.walk():
        dirpaths.append(dirpath)
        for filename in filenames:
            filepath = dirpath / filename
            filepaths.append(filepath)
    return set(filepaths), set(dirpaths)
 def make_paths_relative(paths, relative_to_path):
    return set(path.relative_to(relative_to_path) for path in paths)
 def replace_suffix(path, suffix):
    return path.with_name(path.stem + suffix)
 def convert_filepath(path):
    if path.suffix == ".flac":
        return replace_suffix(path, ".mp3")
    return path
 def ffmpeg_flac_to_mp3(in_path, out_path):
    print("")
    subprocess.run(["ffmpeg", "-hide_banner", "-loglevel", "warning", "-stats", "-i", in_path, "-ab", "320k", "-map_metadata", "0", "-id3v2_version", "3", out_path], check=True)
    print("")
 if __name__ == "__main__":
    parser = argparse.ArgumentParser(prog="convert-flac-dir-to-mp3")
    parser.add_argument("from_dir", type=Path)
    parser.add_argument("to_dir", type=Path)
    args = parser.parse_args()
    from_path = args.from_dir.absolute()
    to_path = args.to_dir.absolute()
    if not from_path.exists():
        raise Exception("from_path does not exist")
    if not to_path.exists():
        raise Exception("to_path does not exist")
    if not from_path.is_dir():
        raise Exception("from_path is not a directory")
    if not to_path.is_dir():
        raise Exception("to_path is not a directory")
    print(f"Converting {from_path} to {to_path}…")
    from_filepaths, from_dirpaths = files_and_dirs_for_directory(from_path)
    to_filepaths, to_dirpaths = files_and_dirs_for_directory(to_path)
    relative_from_filepaths = make_paths_relative(from_filepaths, from_path)
    relative_to_filepaths = make_paths_relative(to_filepaths, to_path)
    converted_from_filepaths = set(convert_filepath(filepath) for filepath in relative_from_filepaths)
    filepaths_missing_in_to_path = converted_from_filepaths - relative_to_filepaths
    relative_from_dirpaths = make_paths_relative(from_dirpaths, from_path)
    relative_to_dirpaths = make_paths_relative(to_dirpaths, to_path)
    dirpaths_missing_in_to_path = relative_from_dirpaths - relative_to_dirpaths
    print(f"Missing {len(filepaths_missing_in_to_path)} files and {len(dirpaths_missing_in_to_path)} directories")
    if len(dirpaths_missing_in_to_path) > 0:
        for dirpath in Bar("Creating directories").iter(dirpaths_missing_in_to_path):
            (to_path / dirpath).mkdir(parents=True, exist_ok=True)
    if len(filepaths_missing_in_to_path) > 0:
        for filepath in Bar("Creating files").iter(filepaths_missing_in_to_path):
            if filepath in relative_from_filepaths:
                # Just copy the file
                shutil.copy(from_path / filepath, to_path / filepath)
            elif filepath.suffix == ".mp3" and replace_suffix(filepath, ".flac") in relative_from_filepaths:
                # Convert from flac
                print("")
                print(f"Converting {to_path / filepath}…")
                # Tempfile for ffmpeg
                tmpfilepath = filepath.with_name(".~" + filepath.name)
                (to_path / tmpfilepath).unlink(missing_ok=True)
                print(f"Using tempfile for ffmpeg {to_path / tmpfilepath}…")
                # Convert
                ffmpeg_flac_to_mp3(from_path / replace_suffix(filepath, ".flac"), to_path / tmpfilepath)
                # Rename tempfile
                (to_path / tmpfilepath).rename(to_path / filepath)
            else:
                raise Exception("Unable to figure out how to get {to_path / filepath} from {from_path}")
--- a/pkgs/convert-flac-dir-to-mp3/default.nix
+++ b/pkgs/convert-flac-dir-to-mp3/default.nix
@@ -0,0 +1,8 @@
 { pkgs, ... }:
 pkgs.clerie-build-support.writePythonScript {
  name = "convert-flac-dir-to-mp3";
  runtimePackages = ps: with ps; [ progress ];
  runtimeInputs = [ pkgs.ffmpeg-headless ];
  text = builtins.readFile ./convert-flac-dir-to-mp3.py;
 }
--- a/pkgs/curl-timings/curl-timings.sh
+++ b/pkgs/curl-timings/curl-timings.sh
@@ -0,0 +1,16 @@
 #!/usr/bin/env bash
 curl -w "Request to %{url}
 time_namelookup: %{time_namelookup}s
 time_connect: %{time_connect}s
 time_appconnect: %{time_appconnect}s
 time_pretransfer: %{time_pretransfer}s
 time_starttransfer: %{time_starttransfer}s
 time_posttransfer: %{time_posttransfer}s
 time_queue: %{time_queue}s
 time_redirect: %{time_redirect}s
 time_starttransfer: %{time_starttransfer}s
 time_total: %{time_total}s
 " -o /dev/null -s "$@"
--- a/pkgs/curl-timings/default.nix
+++ b/pkgs/curl-timings/default.nix
@@ -0,0 +1,12 @@
 {
  curl,
  writeShellApplication,
 }:
 writeShellApplication {
  name = "curl-timings";
  text = builtins.readFile ./curl-timings.sh;
  runtimeInputs = [
    curl
  ];
 }
--- a/pkgs/ds-lite-dhcpcd-hook/default.nix
+++ b/pkgs/ds-lite-dhcpcd-hook/default.nix
@@ -0,0 +1,12 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
  name = "ds-lite-dhcpcd-hook";
  text = builtins.readFile ./ds-lite-dhcpcd-hook.sh;
  runtimeInputs = with pkgs; [
    iproute2
    jq
    dig
    gawk
  ];
 }
--- a/pkgs/ds-lite-dhcpcd-hook/ds-lite-dhcpcd-hook.sh
+++ b/pkgs/ds-lite-dhcpcd-hook/ds-lite-dhcpcd-hook.sh
@@ -0,0 +1,102 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Setting up required environment variables
 # shellcheck disable=SC2154
 WAN_INTERFACE_NAME="${DS_LITE_WAN_INTERFACE_NAME}"
 # shellcheck disable=SC2154
 TUNNEL_INTERFACE_NAME="${DS_LITE_TUNNEL_INTERFACE_NAME}"
 log_dhcp () {
 	echo "<ds-lite-dhcpcd-hook> ${WAN_INTERFACE_NAME}: $1"
 }
 log_tunnel () {
 	echo "<ds-lite-dhcpcd-hook> ${WAN_INTERFACE_NAME} (${TUNNEL_INTERFACE_NAME}): $1"
 }
 # Check if the event calling this hook is for the wan interface
 # exit immediately if not
 # shellcheck disable=SC2154
 if [[ "$interface" != "$WAN_INTERFACE_NAME" ]]; then
 	exit
 fi
 # Make sure the event calling this hook carries the environment variable
 # in question. The environment variable is not provided with every call
 # and we just want to exit if it is not provided
 # shellcheck disable=SC2154
 if [[ ! -v new_dhcp6_aftr_name ]]; then
 	# Variable is not set
 	exit
 fi
 # shellcheck disable=SC2154
 if [[ -z "${new_dhcp6_aftr_name}" ]]; then
 	# Variable is empty, can't do anything
 	exit
 fi
 # shellcheck disable=SC2154
 AFTR_NAME="$new_dhcp6_aftr_name"
 log_dhcp "Received new AFTR_NAME ${AFTR_NAME}"
 # Make sure we have a nameserver to resolve aftr name against
 # shellcheck disable=SC2154
 if [[ ! -v new_dhcp6_name_servers ]]; then
 	# Variable is not set
 	exit
 fi
 # shellcheck disable=SC2154
 if [[ -z "${new_dhcp6_name_servers}" ]]; then
 	# Variable is empty, can't do anything
 	exit
 fi
 # shellcheck disable=SC2154
 NAME_SERVERS="$new_dhcp6_name_servers"
 log_dhcp "Received new NAME_SERVERS ${NAME_SERVERS}"
 # Select first nameserver
 NAME_SERVER="$(echo "${NAME_SERVERS}" | awk '{print $1;}')"
 log_dhcp "Selected NAME_SERVER ${NAME_SERVER}"
 # Figure out a usable IPv6 address on the wan interface, to origin our DNS requests and tunnel
 WAN_INTERFACE_ADDRESS="$(ip --json address show "${WAN_INTERFACE_NAME}" | jq -r '.[0].addr_info[] | select(.family == "inet6" and .scope == "global" and .mngtmpaddr == true) | .local')"
 log_dhcp "Using WAN_INTERFACE_ADDRESS ${WAN_INTERFACE_ADDRESS}"
 AFTR_ADDRESS="$(dig "@${NAME_SERVER}" -b "${WAN_INTERFACE_ADDRESS}" AAAA "${AFTR_NAME}" +short | head -1)"
 log_dhcp "Resolved AFTR_NAME ${AFTR_NAME} to ${AFTR_ADDRESS}"
 # Check if there is already a tunnel interface
 if TUNNEL_INTERFACE_CONFIG="$(ip --json link show "${TUNNEL_INTERFACE_NAME}")"; then
 	TUNNEL_INTERFACE_OPERSTATE="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].operstate')"
 	TUNNEL_INTERFACE_ORIGIN_ADDRESS="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].address')"
 	TUNNEL_INTERFACE_REMOTE_ADDRESS="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].broadcast')"
 	# Reconfigure tunnel interface, if not already in state we want
 	if [[ "${TUNNEL_INTERFACE_ORIGIN_ADDRESS}" != "${WAN_INTERFACE_ADDRESS}" || "${TUNNEL_INTERFACE_REMOTE_ADDRESS}" != "${AFTR_ADDRESS}" || "${TUNNEL_INTERFACE_OPERSTATE}" != "UNKNOWN" ]]; then
 		log_tunnel "Bad configuration, fixing tunnel parameter"
 		ip tunnel change "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
 		ip link set "$TUNNEL_INTERFACE_NAME" up
 	else
 		log_tunnel "Tunnel already configured"
 	fi
 else
 	log_tunnel "Setting up DS-Lite tunnel"
 	ip tunnel add "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
 	ip link set "$TUNNEL_INTERFACE_NAME" up
 fi
 log_tunnel "Setting default route"
 ip route replace default dev "${TUNNEL_INTERFACE_NAME}"
 log_tunnel "Tunnel setup finished"
--- a/pkgs/generate-blocked-prefixes/default.nix
+++ b/pkgs/generate-blocked-prefixes/default.nix
@@ -0,0 +1,7 @@
 { pkgs, ... }:
 pkgs.clerie-build-support.writePythonScript {
  name = "generate-blocked-prefixes";
  runtimePackages = ps: with ps; [ requests ];
  text = builtins.readFile ./generate-blocked-prefixes.py;
 }
--- a/pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py
+++ b/pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py
@@ -0,0 +1,39 @@
 #!/usr/bin/env python3
 import ipaddress
 import requests
 blocked_asns = [
    "45102", # Alibaba (US) Technology Co., Ltd.
 ]
 r = requests.get('https://bgp.tools/table.txt', stream=True, headers={
    "User-Agent": "https://git.clerie.de/clerie/nixfiles",
 })
 selected_ipv6_prefixes = []
 selected_ipv4_prefixes = []
 for line in r.iter_lines(decode_unicode=True):
    prefix_string, asn_string = line.split()
    if asn_string in blocked_asns:
        prefix = ipaddress.ip_network(prefix_string)
        if prefix.version == 6:
            selected_ipv6_prefixes.append(prefix)
        else:
            selected_ipv4_prefixes.append(prefix)
 selected_ipv6_prefixes = list(ipaddress.collapse_addresses(selected_ipv6_prefixes))
 selected_ipv4_prefixes = list(ipaddress.collapse_addresses(selected_ipv4_prefixes))
 selected_ipv6_prefixes.sort()
 selected_ipv4_prefixes.sort()
 with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
    for ipv6_prefix in selected_ipv6_prefixes:
            blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ipv6_prefix} -j nixos-fw-refuse\n")
    for ipv4_prefix in selected_ipv4_prefixes:
            blocked_ips_file.write(f"iptables -I nixos-fw -s {ipv4_prefix} -j nixos-fw-refuse\n")
--- a/pkgs/git-show-link/default.nix
+++ b/pkgs/git-show-link/default.nix
@@ -1,13 +1,6 @@
 { pkgs, ... }:
-pkgs.writeTextFile {
+pkgs.clerie-build-support.writePythonScript {
  name = "git-show-link";
-  executable = true;
+  text = builtins.readFile ./git-show-link.py;
  destination = "/bin/git-show-link";
  allowSubstitutes = true;
  preferLocalBuild = false;
  text = ''
    #!${pkgs.python3.withPackages (ps: with ps; [])}/bin/python3
    ${builtins.readFile ./git-show-link.py}
  '';
 }
--- a/pkgs/git-show-link/git-show-link.py
+++ b/pkgs/git-show-link/git-show-link.py
@@ -4,21 +4,28 @@ import argparse
 from dataclasses import dataclass
 import re
 import subprocess
 from pathlib import Path
-REMOTE_TYPES = [
+REMOTE_TYPES = {
-    {
+    "github": {
        # github
        "match": re.compile(r'git@github.com:(?P<username>[\w\.-]+)/(?P<project>[\w\.-]+).git'),
        "format-branch": lambda g: f"https://github.com/{g.username}/{g.project}/tree/{g.branch}/",
        "format-branch-file": lambda g: f"https://github.com/{g.username}/{g.project}/blob/{g.branch}/{g.file}",
        "format-branch-dir": lambda g: f"https://github.com/{g.username}/{g.project}/tree/{g.branch}/{g.dir}",
        "format-commit": lambda g: f"https://github.com/{g.username}/{g.project}/commit/{g.commit}/",
        "format-commit-file": lambda g: f"https://github.com/{g.username}/{g.project}/blob/{g.commit}/{g.file}",
        "format-commit-dir": lambda g: f"https://github.com/{g.username}/{g.project}/tree/{g.commit}/{g.dir}",
    },
-    {
+    "gitea": {
        # gitea
        "match": re.compile(r'(?P<gituser>[\w\.-]+)@(?P<host>[\w\.-]+):(?P<username>[\w\.-]+)/(?P<project>[\w\.-]+).git'),
        "format-branch": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/branch/{g.branch}/",
        "format-branch-file": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/branch/{g.branch}/{g.file}",
        "format-branch-dir": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/branch/{g.branch}/{g.dir}",
        "format-commit": lambda g: f"https://{g.host}/{g.username}/{g.project}/commit/{g.commit}/",
        "format-commit-file": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/commit/{g.commit}/{g.file}",
        "format-commit-dir": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/commit/{g.commit}/{g.dir}",
    },
-]
+}
@dataclass
 class FormatArgs:
@@ -28,10 +35,25 @@ class FormatArgs:
    project: str = None
    commit: str = None
    branch: str = None
    file: str = None
    dir: str = None
 def is_git_repo():
    s = subprocess.run(["git", "rev-parse"], capture_output=True, text=True)
    return s.returncode == 0
 def get_git_dir():
    s = subprocess.run(["git", "rev-parse", "--show-toplevel"], capture_output=True, text=True)
    return Path(s.stdout.strip())
 def get_remote_branch():
    s = subprocess.run(["git", "status", "--porcelain", "-uno", "-b", "--no-ahead-behind"], capture_output=True, text=True)
    if s.stdout.startswith("## HEAD (no branch)"):
        print("Detached head, can't link")
        exit(1)
    git_status_branch_info = s.stdout.splitlines()[0][3:].split()[0]
    branches = git_status_branch_info.split("...")
@@ -41,7 +63,7 @@ def get_remote_branch():
    local_branch, remote_branch = branches
-    remote, branch = remote_branch.split("/")
+    remote, branch = remote_branch.split("/", maxsplit=1)
    return {
        "remote": remote,
@@ -67,31 +89,89 @@ def main():
        prog='git-show-link',
    )
    parser.add_argument("path", nargs="?", default=None, help="Path to link to specific file or directory")
    parser.add_argument("--branch", dest="display_branch", action='store_true', help="Display link to branch, instead to commit")
    parser.add_argument("--remote-type", dest="remote_type", choices=REMOTE_TYPES.keys(), help="Specify remote type")
    args = parser.parse_args()
    if not is_git_repo():
        print("Not a git repo")
        exit(1)
    git_dir_path = get_git_dir()
    r = get_remote_branch()
    remote_url = get_remote_url(r["remote"])
-    for remote_type in REMOTE_TYPES:
+    selected_remote_types = REMOTE_TYPES
    if args.remote_type is not None:
        selected_remote_types = {
            args.remote_type: REMOTE_TYPES[args.remote_type],
        }
    remote_type_found = False
    for remote_type_name, remote_type in selected_remote_types.items():
        m = remote_type["match"].match(remote_url)
        if m is None:
            continue
        remote_type_found = True
        g = FormatArgs(**m.groupdict())
-        if args.display_branch:
+        if args.path is not None:
-            g.branch = r["branch"]
+            path = Path(args.path).absolute()
-            print(remote_type["format-branch"](g))
+            path = path.relative_to(git_dir_path)
            if path.is_dir():
                path = str(path)
                if path == ".":
                    path = ""
                else:
                    path += "/"
                g.dir = path
            else:
                g.file = str(path)
        if g.file is not None:
            if args.display_branch:
                g.branch = r["branch"]
                print(remote_type["format-branch-file"](g))
            else:
                commit = get_last_commit()
                g.commit = commit
                print(remote_type["format-commit-file"](g))
        elif g.dir is not None:
            if args.display_branch:
                g.branch = r["branch"]
                print(remote_type["format-branch-dir"](g))
            else:
                commit = get_last_commit()
                g.commit = commit
                print(remote_type["format-commit-dir"](g))
        else:
-            commit = get_last_commit()
+            if args.display_branch:
-            g.commit = commit
+                g.branch = r["branch"]
-            print(remote_type["format-commit"](g))
+                print(remote_type["format-branch"](g))
            else:
                commit = get_last_commit()
                g.commit = commit
                print(remote_type["format-commit"](g))
        break
    if not remote_type_found:
        print("No remote type matched")
        exit(1)
 if __name__ == "__main__":
    main()
--- a/pkgs/grow-last-partition-and-filesystem/default.nix
+++ b/pkgs/grow-last-partition-and-filesystem/default.nix
@@ -0,0 +1,19 @@
 {
  e2fsprogs,
  gptfdisk,
  jq,
  parted,
  writeShellApplication,
 }:
 writeShellApplication {
  name = "grow-last-partition-and-filesystem";
  text = builtins.readFile ./grow-last-partition-and-filesystem.sh;
  runtimeInputs = [
    e2fsprogs
    gptfdisk
    jq
    parted
  ];
 }
--- a/pkgs/grow-last-partition-and-filesystem/grow-last-partition-and-filesystem.sh
+++ b/pkgs/grow-last-partition-and-filesystem/grow-last-partition-and-filesystem.sh
@@ -0,0 +1,32 @@
 #!/usr/bin/env bash
 set -euo pipefail
 if [[ $# -ne 1 ]]; then
 	echo "Pass device to grow as first argument:"
 	echo "grow-last-partition-and-filesystem DEVICE"
 	exit 1
 fi
 DEVICE="$1"
 echo "Move GTP backup header to end of disk"
 sgdisk "${DEVICE}" --move-second-header
 PARTITIONDATA="$(parted --script --json --fix "${DEVICE}" print)"
 PARTNUMBER="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .number')"
 PARTNAME="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .name')"
 echo "Growing partition ${DEVICE}${PARTNUMBER} (${PARTNAME})"
 echo
 parted "${DEVICE}" resizepart "${PARTNUMBER}" 100%
 echo
 echo "Resizing filesystem"
 echo
 resize2fs "${DEVICE}${PARTNUMBER}"
 echo "Done."
--- a/pkgs/http.server/default.nix
+++ b/pkgs/http.server/default.nix
@@ -0,0 +1,14 @@
 {
  python3,
  writeShellApplication,
 }:
 writeShellApplication {
  name = "http.server";
  text = ''
    python3 -m http.server "$@"
  '';
  runtimeInputs = [
    python3
  ];
 }
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -1 +1,38 @@
-final: prev: builtins.mapAttrs (name: value: value final prev) (import ./pkgs.nix)
+final: prev: {
  bijwerken-poke = final.callPackage ./bijwerken-poke {};
  bijwerken-system-upgrade = final.callPackage ./bijwerken-system-upgrade {};
  clerie-backup = final.callPackage ./clerie-backup {};
  clerie-cleanup-branches = final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
  clerie-keys = final.callPackage ./clerie-keys {};
  clerie-ssh-known-hosts = final.callPackage ./clerie-ssh-known-hosts {};
  clerie-system-remote-install = final.callPackage ./clerie-system-remote-install {};
  clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
  clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
  clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
  clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
  clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
  chromium-incognito = final.callPackage ./chromium-incognito {};
  convert-flac-dir-to-mp3 = final.callPackage ./convert-flac-dir-to-mp3 {};
  curl-timings = final.callPackage ./curl-timings {};
  ds-lite-dhcpcd-hook = final.callPackage ./ds-lite-dhcpcd-hook {};
  factorio-launcher = final.callPackage ./factorio-launcher {};
  feeds-dir = final.callPackage ./feeds-dir {};
  generate-blocked-prefixes = final.callPackage ./generate-blocked-prefixes {};
  git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
  git-diff-word = final.callPackage ./git-diff-word {};
  git-pp = final.callPackage ./git-pp {};
  git-show-link = final.callPackage ./git-show-link {};
  grow-last-partition-and-filesystem = final.callPackage ./grow-last-partition-and-filesystem {};
  "http.server" = final.callPackage ./http.server {};
  nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
  nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
  nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
  nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
  nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
  pipewire-all-bluetooth = final.callPackage ./pipewire-all-bluetooth {};
  print-afra = final.callPackage ./print-afra {};
  run-with-docker-group = final.callPackage ./run-with-docker-group {};
  ssh-gpg = final.callPackage ./ssh-gpg {};
  update-from-hydra = final.callPackage ./update-from-hydra {};
  uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {};
 }
--- a/pkgs/overrides/dino.nix
+++ b/pkgs/overrides/dino.nix
@@ -1,10 +1,8 @@
 final: prev:
 prev.dino.overrideAttrs (finalAttrs: prevAttrs: {
-  patches = [
+  mesonFlags = prevAttrs.mesonFlags ++ [
-    (final.fetchpatch {
+    (final.lib.mesonEnable "plugin-openpgp" false)
-      # in new chats, enable omemo by default
+    (final.lib.mesonEnable "plugin-notification-sound" false)
      url = "https://cyberchaos.dev/-/snippets/25/raw/main/omemo-default.patch";
      hash = "sha256-WXu9R+SKexgSQ93sQfFXG2CIboW3pYe5d1nsiP07wtE=";
    })
  ];
 })
--- a/Show More
+++ b/Show More