Update nixpkgs 2024-09-12-01-03

modules/dhcpcd-prefixdelegation: Add dhcpcd module specifically for prefixdelegation
configuration/desktop: Fix renamed gnome packages
2024-09-12 09:30:04 +02:00 · 2024-09-05 12:46:09 +02:00 · 2024-09-05 05:53:54 +02:00 · 2024-09-05 05:20:43 +02:00 · 2024-09-02 03:03:57 +02:00 · 2024-08-28 08:46:57 +02:00
262 changed files with 10934 additions and 4317 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-result
+result*
 .Trash-1000
--- a/README.md
+++ b/README.md
@@ -0,0 +1,5 @@
+# clerie's nixfiles
+
+This repository contains all the configuration for clerie's infrastructure.
+
+[Build Status](https://hydra.clerie.de/jobset/nixfiles/nixfiles#tabs-jobs) | [Installer ISO](https://hydra.clerie.de/job/nixfiles/nixfiles/iso/latest)
--- a/configuration/common/backup.nix
+++ b/configuration/common/backup.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+
+  clerie.backup = {
+    targets = {
+      cyan.serverName = "cyan.backup.clerie.de";
+      magenta.serverName = "magenta.backup.clerie.de";
+    };
+  };
+
+}
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -2,56 +2,17 @@

 {
  imports = [
-    ../../modules
+    ./backup.nix
+    ./initrd.nix
+    ./locale.nix
+    ./networking.nix
+    ./nix.nix
+    ./programs.nix
+    ./ssh.nix
+    ./systemd.nix
+    ./user.nix
+    ./web.nix
  ];

-  networking.domain = "net.clerie.de";
-
-  time.timeZone = "Europe/Berlin";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    keyMap = "de-latin1";
-  };
-
-  security.sudo.wheelNeedsPassword = false;
-
-  nix.trustedUsers = [ "@wheel" ];
-
-  users.users.clerie = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUBblmmVoMMBftn4EnwnzqR12m9zill51LpO124hHb10K2rqxNoq8tYSc2pMkV/3briZovffpe5SzB+m2MnXbtOBstIEXkrPZQ78vaZ/nLh7+eWg30lCmMPwjf2wIjlTXkcbxbsi7FbPW7FsolGkU/0mqGhqK1Xft/g7SnCXIoGPSSrHMXEv5dPPofCa1Z0Un+98wQTVfOSKek6TnIsfLbG01UFQVkN7afE4dqSmMiWwEm2PK9l+OiBA2/QzDpbtu9wsfTol4c192vFEWR9crB2YZ1JlMbjVWHjYmB7NFsS0A6lUOikss0Y+LUWS2/QuM/kqybSo4rasZMAIazM6D clerie"
-    ];
-  };
-
-  environment.systemPackages = with pkgs; [
-    htop
-    tmux
-  ];
-
-  programs.mtr.enable = true;
-
-  services.openssh.enable = true;
-  services.openssh.passwordAuthentication = false;
-  services.openssh.challengeResponseAuthentication = false;
-  services.openssh.permitRootLogin = lib.mkDefault "no";
-
-  services.nginx = {
-    enableReload = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
-
-  security.acme = {
-    email = "letsencrypt@clerie.de";
-    acceptTerms = true;
-  };
-
-  nixpkgs.overlays = [
-    (import ../../pkgs/overlay.nix)
-  ];
+  services.fstrim.enable = true;
 }
--- a/configuration/common/initrd.nix
+++ b/configuration/common/initrd.nix
@@ -0,0 +1,7 @@
+{ lib, ... }:
+
+{
+
+  boot.initrd.systemd.enable = lib.mkDefault true;
+
+}
--- a/configuration/common/locale.nix
+++ b/configuration/common/locale.nix
@@ -0,0 +1,26 @@
+{ ... }:
+
+{
+
+  time.timeZone = "Europe/Berlin";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "de_DE.UTF-8";
+    # LC_COLLATE # How to sort stuff
+    # LC_CTYPE # Character recognition of bytes
+    # LC_IDENTIFICATION # What to show as system locale
+    LC_MONETARY = "de_DE.UTF-8"; # Currency formats
+    # LC_MEASSAGES # General message lang
+    LC_MEASUREMENT = "de_DE.UTF-8"; # Units used for numbers
+    LC_NAME = "de_DE.UTF-8"; # Names of persons
+    # LC_NUMERIC # Punctiation of numbers
+    LC_PAPER = "de_DE.UTF-8"; # Paper size
+    LC_TELEPHONE = "de_DE.UTF-8"; # Phone number formats
+    LC_TIME = "de_DE.UTF-8"; # Time format
+  };
+  console = {
+    keyMap = "de-latin1";
+  };
+
+}
--- a/configuration/common/networking.nix
+++ b/configuration/common/networking.nix
@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+
+  networking.domain = "net.clerie.de";
+
+  networking.firewall.logRefusedConnections = lib.mkDefault false;
+
+}
--- a/configuration/common/nix.nix
+++ b/configuration/common/nix.nix
@@ -0,0 +1,71 @@
+{ lib, pkgs, ... }:
+
+{
+
+  clerie.nixfiles.enable = true;
+
+  clerie.system-auto-upgrade.enable = true;
+
+  nix.settings = {
+    trusted-users = [ "@wheel" "@guests" ];
+    auto-optimise-store = true;
+    # Keep buildtime dependencies
+    keep-outputs = true;
+    # Build local, when caches are broken
+    fallback = true;
+  };
+
+  nix.gc = lib.mkDefault {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+
+  nix.settings = {
+    experimental-features = [
+      "flakes"
+      "nix-command"
+      "repl-flake"
+    ];
+    substituters = [
+      "https://nix-cache.clerie.de"
+    ];
+    trusted-public-keys = [
+      "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+    ];
+  };
+
+  # Pin current nixpkgs channel and flake registry to the nixpkgs version
+  # the host got build with
+  nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
+  nix.registry = {
+    "nixpkgs" = lib.mkForce {
+       from = {
+         type = "indirect";
+         id = "nixpkgs";
+       };
+       to = {
+         type = "path";
+         path = lib.cleanSource pkgs.path;
+       };
+       exact = true;
+    };
+    "templates" = {
+       from = {
+         type = "indirect";
+         id = "templates";
+       };
+       to = {
+         type = "git";
+         url = "https://git.clerie.de/clerie/flake-templates.git";
+       };
+    };
+  };
+
+  documentation.doc.enable = false;
+
+  environment.systemPackages = with pkgs; [
+    nix-remove-result-links
+  ];
+}
--- a/configuration/common/programs.nix
+++ b/configuration/common/programs.nix
@@ -0,0 +1,40 @@
+{ pkgs, ... }:
+
+{
+
+  environment.systemPackages = with pkgs; [
+    # My system is fucked
+    gptfdisk
+    parted
+
+    # Normal usage
+    htop
+    tmux
+
+    # Deployment
+    bij
+    clerie-sops
+    clerie-sops-edit
+    sops
+
+    # Debugging
+    jq
+    curl
+  ];
+
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
+
+  programs.mtr.enable = true;
+
+  programs.git.enable = true;
+  programs.git.config = {
+    user = {
+      name = "clerie";
+      email = "git@clerie.de";
+    };
+  };
+
+}
--- a/configuration/common/ssh.nix
+++ b/configuration/common/ssh.nix
@@ -0,0 +1,16 @@
+{ lib, ... }:
+
+{
+
+  services.openssh.enable = true;
+  services.openssh.settings = {
+    PasswordAuthentication = false;
+    KbdInteractiveAuthentication = false;
+    PermitRootLogin = lib.mkDefault "no";
+  };
+  services.openssh.hostKeys = lib.mkForce [
+    # Only create ed25519 host keys
+    { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+  ];
+
+}
--- a/configuration/common/systemd.nix
+++ b/configuration/common/systemd.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+
+  services.journald.extraConfig = ''
+    MaxRetentionSec=7days
+  '';
+
+}
--- a/configuration/common/user.nix
+++ b/configuration/common/user.nix
@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+
+  security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+  users.groups.guests = {};
+
+}
--- a/configuration/common/web.nix
+++ b/configuration/common/web.nix
@@ -0,0 +1,50 @@
+{ ... }:
+
+{
+  services.nginx = {
+    enableReload = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    commonHttpConfig = ''
+      server_names_hash_bucket_size 64;
+      map $remote_addr $remote_addr_anon {
+        ~(?P<ip>\d+\.\d+\.\d+)\.          $ip.0;
+        ~(?P<ip>[^:]*:[^:]*(:[^:]*)?):    $ip::;
+        default                           ::;
+      }
+      log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
+                               '"$request" $status $body_bytes_sent '
+                               '"$http_referer" "$http_user_agent"';
+      log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
+                                '"$request" $status $body_bytes_sent '
+                                '"$http_referer" "$http_user_agent"';
+      access_log /var/log/nginx/access.log vcombined_anon;
+    '';
+
+    virtualHosts = {
+      "default" = {
+        default = true;
+        rejectSSL = true;
+        locations."/" = {
+          return = ''200 "Some piece of infrastructure\n"'';
+          extraConfig = ''
+            types { } default_type "text/plain; charset=utf-8";
+          '';
+        };
+      };
+    };
+  };
+
+  services.logrotate.settings.nginx = {
+    frequency = "daily";
+    maxage = 14;
+  };
+
+  security.acme = {
+    defaults.email = "letsencrypt@clerie.de";
+    acceptTerms = true;
+  };
+}
--- a/configuration/desktop/audio.nix
+++ b/configuration/desktop/audio.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+
+  hardware.pulseaudio.enable = false;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa = {
+      enable = true;
+      support32Bit = true;
+    };
+    pulse = {
+      enable = true;
+    };
+  };
+
+}
--- a/configuration/desktop/default.nix
+++ b/configuration/desktop/default.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+  imports = [
+    ./audio.nix
+    ./firmware.nix
+    ./fonts.nix
+    ./gnome.nix
+    ./inputs.nix
+    ./networking.nix
+    ./polkit.nix
+    ./power.nix
+    ./printing.nix
+    ./ssh.nix
+    ./xserver.nix
+  ];
+
+  security.sudo.wheelNeedsPassword = true;
+}
--- a/configuration/desktop/firmware.nix
+++ b/configuration/desktop/firmware.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+
+  services.fwupd.enable = true;
+
+}
--- a/configuration/desktop/fonts.nix
+++ b/configuration/desktop/fonts.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+{
+
+  fonts.enableDefaultPackages = true;
+  fonts.packages = with pkgs; [
+    roboto
+    roboto-mono
+    noto-fonts
+    noto-fonts-cjk
+    noto-fonts-emoji
+    comfortaa
+  ];
+}
--- a/configuration/desktop/gnome.nix
+++ b/configuration/desktop/gnome.nix
@@ -0,0 +1,61 @@
+{ pkgs, ... }:
+
+{
+  services.gnome = {
+    tracker-miners.enable = false;
+    tracker.enable = false;
+  };
+
+  environment.gnome.excludePackages = with pkgs; [
+    baobab
+    epiphany
+    gnome-calendar
+    gnome-clocks
+    gnome-console
+    gnome-contacts
+    gnome-logs
+    gnome-maps
+    gnome-music
+    gnome-tour
+    gnome-photos
+    gnome-weather
+    gnome-connections
+    simple-scan
+    yelp
+    geary
+  ];
+
+  environment.systemPackages = with pkgs; [
+    evolution
+    gnome-terminal
+    gnome-tweaks
+  ];
+
+  services.gnome.evolution-data-server.enable = true;
+
+  programs.dconf.profiles = {
+    user.databases = [
+      {
+        settings = {
+          "org/gnome/desktop/calendar" = {
+            show-weekdate = true;
+          };
+          "org/gnome/desktop/interface" = {
+            enable-hot-corners = false;
+            show-battery-percentage = true;
+          };
+          "org/gnome/desktop/notifications" = {
+            show-in-lock-screen = false;
+          };
+          "org/gnome/desktop/sound" = {
+            event-sounds = false;
+          };
+          "org/gnome/gnome-system-monitor" = {
+            network-in-bits = true;
+            network-total-in-bits = true;
+          };
+        };
+      }
+    ];
+  };
+}
--- a/configuration/desktop/inputs.nix
+++ b/configuration/desktop/inputs.nix
@@ -0,0 +1,42 @@
+{ ... }:
+
+{
+  programs.dconf.profiles = {
+    user.databases = [
+      {
+        settings = {
+          "org/gnome/desktop/peripherals/touchpad" = {
+            disable-while-typing = false;
+            edge-scrolling-enabled = false;
+            natural-scroll = true;
+            tap-to-click = true;
+            two-finger-scrolling-enabled = true;
+          };
+          "org/gnome/settings-daemon/plugins/media-keys" = {
+            custom-keybindings = [
+              "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
+            ];
+          };
+          "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
+            name = "Terminal";
+            binding = "<Primary><Alt>t";
+            command = "gnome-terminal";
+          };
+        };
+      }
+    ];
+    gdm.databases = [
+      {
+        settings = {
+          "org/gnome/desktop/peripherals/touchpad" = {
+            disable-while-typing = false;
+            edge-scrolling-enabled = false;
+            natural-scroll = true;
+            tap-to-click = true;
+            two-finger-scrolling-enabled = true;
+          };
+        };
+      }
+    ];
+  };
+}
--- a/configuration/desktop/networking.nix
+++ b/configuration/desktop/networking.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+
+  networking.networkmanager.settings = {
+    connectivity = {
+      uri = "http://ping.clerie.de/nm-check.txt";
+    };
+    global-dns = {
+      searches = "net.clerie.de";
+    };
+  };
+
+}
--- a/configuration/desktop/polkit.nix
+++ b/configuration/desktop/polkit.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+
+  security.polkit.enable = true;
+
+}
--- a/configuration/desktop/power.nix
+++ b/configuration/desktop/power.nix
@@ -0,0 +1,36 @@
+{ lib, config, ... }:
+
+{
+  boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
+  services.logind = {
+    lidSwitch = "suspend-then-hibernate";
+  };
+  systemd.sleep.extraConfig = ''
+    HibernateDelaySec=30m
+  '';
+
+  programs.dconf.profiles = {
+    user.databases = [
+      {
+        settings = {
+          "org/gnome/settings-daemon/plugins/power" = {
+            power-button-action = "hibernate";
+            power-saver-profile-on-low-battery = false;
+            sleep-inactive-ac-type = "nothing";
+          };
+        };
+      }
+    ];
+    gdm.databases = [
+      {
+        settings = {
+          "org/gnome/settings-daemon/plugins/power" = {
+            power-button-action = "hibernate";
+            power-saver-profile-on-low-battery = false;
+            sleep-inactive-ac-type = "nothing";
+          };
+        };
+      }
+    ];
+  };
+}
--- a/configuration/desktop/printing.nix
+++ b/configuration/desktop/printing.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  services.printing.enable = true;
+  services.avahi.enable = true;
+  services.avahi.nssmdns4 = true;
+}
--- a/configuration/desktop/ssh.nix
+++ b/configuration/desktop/ssh.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+{
+
+  imports = [
+    ../../configuration/gpg-ssh
+  ];
+  programs.gnupg.agent = {
+    pinentryPackage = pkgs.pinentry-gtk2;
+  };
+
+  # Do not disable ssh-agent of gnome-keyring, because
+  # gnupg ssh-agent can't handle normal SSH keys properly
+  /*
+  # Disable ssh-agent of gnome-keyring
+  nixpkgs.overlays = [
+    (final: prev: {
+      gnome = prev.gnome // {
+        gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
+          mkdir -p $out
+
+          # Symlink all gnome-keyring binaries
+          ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
+
+          # Disable autostart for ssh
+          rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+          cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+          echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+        '';
+      };
+    })
+  ];
+  */
+}
--- a/configuration/desktop/xserver.nix
+++ b/configuration/desktop/xserver.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+  services.xserver.enable = true;
+  services.xserver.displayManager.gdm.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+
+  services.xserver.excludePackages = with pkgs; [
+    xterm
+  ];
+}
--- a/configuration/gpg-ssh/default.nix
+++ b/configuration/gpg-ssh/default.nix
@@ -0,0 +1,41 @@
+{ pkgs, lib, ... }:
+
+{
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+    pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
+  };
+
+  environment.systemPackages = with pkgs; [
+    gnupg
+    yubikey-personalization
+    openpgp-card-tools
+
+    # Add wrapper around ssh that takes the gnupg ssh-agent
+    # instead of gnome-keyring
+    ssh-gpg
+  ];
+
+  services.pcscd.enable = true;
+
+  # pcscd sometimes breaks and seem to need a manual restart
+  # so we allow users to restart that service themself
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+        if (
+            action.id == "org.freedesktop.systemd1.manage-units"
+            && action.lookup("unit") == "pcscd.service"
+            && action.lookup("verb") == "restart"
+            && subject.isInGroup("users")
+        ) {
+            return polkit.Result.YES;
+        }
+    });
+  '';
+
+  services.udev.packages = with pkgs; [
+    yubikey-personalization
+  ];
+}
--- a/configuration/hetzner-cloud/default.nix
+++ b/configuration/hetzner-cloud/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  networking.useDHCP = false;
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
+  networking.nameservers = [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.2" "185.12.64.1" ];
+}
--- a/configuration/hydra-build-machine/default.nix
+++ b/configuration/hydra-build-machine/default.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+
+  # Allow Hydra to fetch remote URLs in restricted mode
+  nix.settings.allowed-uris = "http: https: git+https: github:";
+
+  services.openssh.settings= {
+   PermitRootLogin = "yes";
+  };
+
+  users.extraUsers.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
+  ];
+
+}
--- a/configuration/router/default.nix
+++ b/configuration/router/default.nix
@@ -3,6 +3,7 @@
 {
  environment.systemPackages = with pkgs; [
    wireguard-tools
+    tcpdump
  ];

  boot.kernel.sysctl = {
@@ -19,10 +20,8 @@

  networking.firewall.extraCommands = ''
    # Open fireall for OSPF
-    ip6tables -A INPUT -p ospfigp -j ACCEPT
-    iptables -A INPUT -p ospfigp -j ACCEPT
+    ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept
    # Open firewall for GRE
-    ip6tables -A INPUT -p gre -j ACCEPT
-    iptables -A INPUT -p gre -j ACCEPT
+    ip46tables -A nixos-fw -p gre -j nixos-fw-accept
  '';
 }
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-
-DEPLOY_HOST=$1
-DEPLOY_ADDRESS=$2
-DEPLOY_PORT=$3
-
-if [ -z $DEPLOY_HOST ]; then
-  exit 1
-fi
-
-cmd=" \
-nixos-rebuild switch \
-  -I nixos-config=hosts/${DEPLOY_HOST}/configuration.nix \
-"
-
-if [ -z $DEPLOY_ADDRESS ] || [ $DEPLOY_ADDRESS = "-" ]; then
-  DEPLOY_ADDRESS="clerie@${DEPLOY_HOST}.net.clerie.de"
-fi
-
-if [ $DEPLOY_ADDRESS != "localhost" ]; then
-  cmd="${cmd} \
-  --target-host ${DEPLOY_ADDRESS} \
-  --build-host localhost \
-  --use-remote-sudo \
-  "
-fi
-
-if [ -n "$DEPLOY_PORT" ]; then
-  cmd="NIX_SSHOPTS=\"-p $DEPLOY_PORT\" ${cmd}"
-fi
-
-eval ${cmd}
--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,443 @@
+{
+  "nodes": {
+    "berlinerbaeder-exporter": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1721567085,
+        "narHash": "sha256-CxWzsNy2dy4zvn2Wi91C/PF+Wyxi3JLOPudc5FoZrhg=",
+        "ref": "refs/heads/main",
+        "rev": "0c3142cc8f6396fce7cb4c5fe14137d831315986",
+        "revCount": 11,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/berlinerbaeder-exporter.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/berlinerbaeder-exporter.git"
+      }
+    },
+    "bij": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1724513039,
+        "narHash": "sha256-YdBuRgXEU9CcxPd2EjuvDKcfgxL1kk9Gv8nFVVjIros=",
+        "ref": "refs/heads/main",
+        "rev": "202f4a1a5791c74a9b7d69a4e63e631bdbe36ba6",
+        "revCount": 4,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/bij.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/bij.git"
+      }
+    },
+    "chaosevents": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1708189846,
+        "narHash": "sha256-7vVQOvB8cD3AqEGmDsBSnnk1vsGfQ8aObTWGvjturDo=",
+        "ref": "refs/heads/main",
+        "rev": "ae351c9685ee8491d471e9ad3bc907ac6d999ae5",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/chaosevents.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/chaosevents.git"
+      }
+    },
+    "fernglas": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700408128,
+        "narHash": "sha256-PLb/q8kIq0wOinkgADHNY6uOB3b3lXQEbLu6ToIFPsU=",
+        "owner": "wobcom",
+        "repo": "fernglas",
+        "rev": "407325681e3ad344f6fd05334984a40074aa6347",
+        "type": "github"
+      },
+      "original": {
+        "owner": "wobcom",
+        "repo": "fernglas",
+        "type": "github"
+      }
+    },
+    "fieldpoc": {
+      "inputs": {
+        "mitel-ommclient2": "mitel-ommclient2",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1711287766,
+        "narHash": "sha256-2roymGPfsQZC1Lg/i3iffBQ8c86DLEXmuoKQIlbOg5o=",
+        "ref": "refs/heads/main",
+        "rev": "f707f212378f9d8de103ac96abcd9d377a2605a8",
+        "revCount": 56,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/fieldpoc.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/fieldpoc.git"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "harmonia",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712014858,
+        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "ssh-to-age",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709336216,
+        "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "harmonia": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1716301230,
+        "narHash": "sha256-olEXRstmP0lf0H11ht6j3co7mNwcDEXTm+eGfwdEJzM=",
+        "owner": "clerie",
+        "repo": "harmonia",
+        "rev": "e99509779ce6d6ed46062ac556b71f6ca1eb59ad",
+        "type": "github"
+      },
+      "original": {
+        "owner": "clerie",
+        "ref": "clerie/multiple-signing-keys",
+        "repo": "harmonia",
+        "type": "github"
+      }
+    },
+    "mitel-ommclient2": {
+      "inputs": {
+        "nixpkgs": [
+          "fieldpoc",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1687019250,
+        "narHash": "sha256-cN9ZuQ/1irnoYg013v1ZDn15MHcFXhxILGhRNDGd794=",
+        "ref": "refs/heads/main",
+        "rev": "a11629f543a8b43451cecc46600a78cbb6af015a",
+        "revCount": 70,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
+      }
+    },
+    "nixos-exporter": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1683625533,
+        "narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=",
+        "ref": "refs/heads/main",
+        "rev": "5e86139ee4af27f84228708fd32903bb0c4230f0",
+        "revCount": 19,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nixos-exporter.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nixos-exporter.git"
+      }
+    },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1721413321,
+        "narHash": "sha256-0GdiQScDceUrVGbxYpV819LHesK3szHOhJ09e6sgES4=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "ab165a8a6cd12781d76fe9cbccb9e975d0fb634f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1686501370,
+        "narHash": "sha256-G0WuM9fqTPRc2URKP9Lgi5nhZMqsfHGrdEbrLvAPJcg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "75a5ebf473cd60148ba9aec0d219f72e5cf52519",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1713434076,
+        "narHash": "sha256-+/p5edwlkqKZc6GDAQl+92Hoe1f3NNbUF9uj+X9H3pU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8494ae076b7878d61a7d2d25e89a847fe8f8364c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1665732960,
+        "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1725983898,
+        "narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nurausstieg": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722174167,
+        "narHash": "sha256-u9ef1BNaXHEnuQEFgqqBLEVZqd5T/sqRBysN71gFOKg=",
+        "ref": "refs/heads/main",
+        "rev": "7f2e0febf3a430e4ba4f6cf1cf1c5ca10c5dd04d",
+        "revCount": 20,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nurausstieg.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/nurausstieg.git"
+      }
+    },
+    "root": {
+      "inputs": {
+        "berlinerbaeder-exporter": "berlinerbaeder-exporter",
+        "bij": "bij",
+        "chaosevents": "chaosevents",
+        "fernglas": "fernglas",
+        "fieldpoc": "fieldpoc",
+        "harmonia": "harmonia",
+        "nixos-exporter": "nixos-exporter",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs_3",
+        "nurausstieg": "nurausstieg",
+        "solid-xmpp-alarm": "solid-xmpp-alarm",
+        "sops-nix": "sops-nix",
+        "ssh-to-age": "ssh-to-age"
+      }
+    },
+    "solid-xmpp-alarm": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1675686574,
+        "narHash": "sha256-+Xww9mfKbUP4VRPtAJKZ6+YdBYL/0vgGoBXVC9AvmQw=",
+        "ref": "refs/heads/main",
+        "rev": "79730bd7df798d80c526c42bbd526506f0235ea3",
+        "revCount": 4,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/solid-xmpp-alarm.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/solid-xmpp-alarm.git"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1713532771,
+        "narHash": "sha256-vfKxhYVMzG2tg48/1rewBoSLCrKIjQsG1j7Nm/Y2gf4=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "a929a011a09db735abc45a8a45d1ff7fdee62755",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "ssh-to-age": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712553767,
+        "narHash": "sha256-hg6lBgxmTJ2hc1EFUoiA6BLA2QZGIfoBIxub9FK3x6M=",
+        "owner": "Mic92",
+        "repo": "ssh-to-age",
+        "rev": "5842a0023432eca39537060f38cbff7c9c2123c7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "ssh-to-age",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "harmonia",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1711963903,
+        "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,153 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    berlinerbaeder-exporter = {
+      url = "git+https://git.clerie.de/clerie/berlinerbaeder-exporter.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    bij = {
+      url = "git+https://git.clerie.de/clerie/bij.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    chaosevents = {
+      url = "git+https://git.clerie.de/clerie/chaosevents.git";
+      #inputs.nixpkgs.follows = "nixpkgs";
+    };
+    fernglas = {
+      url = "github:wobcom/fernglas";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    harmonia = {
+      url = "github:clerie/harmonia/clerie/multiple-signing-keys";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
+    nixos-exporter = {
+      url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nurausstieg = {
+      url = "git+https://git.clerie.de/clerie/nurausstieg.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    solid-xmpp-alarm = {
+      url = "git+https://git.clerie.de/clerie/solid-xmpp-alarm.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    ssh-to-age = {
+      url = "github:Mic92/ssh-to-age";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+  outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
+    lib = import ./lib inputs;
+    helper = lib.flake-helper;
+    localNixpkgs = import ./flake/nixpkgs.nix inputs;
+  in {
+    clerie.hosts = {
+      aluminium = {
+        group = "event";
+      };
+      astatine = {
+        group = "event";
+        modules = [
+          ./users/criese-nethinks
+          ./users/isa
+        ];
+      };
+      backup-4 = {};
+      beryllium = {
+        group = "event";
+      };
+      carbon = {};
+      clerie-backup = {};
+      dn42-il-gw1 = {};
+      dn42-il-gw5 = {};
+      dn42-il-gw6 = {};
+      dn42-ildix-clerie = {};
+      dn42-ildix-service = {};
+      gatekeeper = {};
+      hydra-1 = {};
+      hydra-2 = {};
+      krypton = {
+        modules = [
+          nixos-hardware.nixosModules.lenovo-thinkpad-x270
+        ];
+      };
+      mail-2 = {};
+      monitoring-3 = {};
+      nonat = {};
+      osmium = {};
+      palladium = {};
+      porter = {};
+      storage-2 = {};
+      web-2 = {};
+      zinc = {
+        modules = [
+          nixos-hardware.nixosModules.common-cpu-intel
+        ];
+      };
+      # nixfiles-auto-install: add new host above
+      _iso = {};
+    };
+
+    nixosConfigurations = import ./flake/nixosConfigurations.nix inputs;
+
+    nixosModules = {
+      nixfilesInputs = import ./flake/modules.nix inputs;
+      clerie = import ./modules;
+      default = self.nixosModules.clerie;
+    };
+
+    overlays = {
+      nixfilesInputs = import ./flake/overlay.nix inputs;
+      clerie = import ./pkgs/overlay.nix;
+      default = self.overlays.clerie;
+    };
+
+    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
+      pkgs = localNixpkgs.${system};
+    in {
+      inherit (pkgs)
+        clerie-keys
+        clerie-system-upgrade
+        clerie-merge-nixfiles-update
+        clerie-update-nixfiles
+        clerie-sops
+        clerie-sops-config
+        clerie-sops-edit
+        chromium-incognito
+        git-checkout-github-pr
+        git-diff-word
+        iot-data
+        nix-remove-result-links
+        nixfiles-auto-install
+        nixfiles-generate-config
+        nixfiles-generate-backup-secrets
+        nixfiles-update-ssh-host-keys
+        print-afra
+        run-with-docker-group
+        ssh-gpg
+        update-from-hydra
+        uptimestatus;
+    });
+
+    inherit lib self;
+
+    hydraJobs = import ./flake/hydraJobs.nix inputs;
+
+    nixConfig = {
+      extra-substituters = [
+        "https://nix-cache.clerie.de"
+      ];
+      extra-trusted-public-keys = [
+        "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+      ];
+    };
+  };
+}
--- a/flake/hydraJobs.nix
+++ b/flake/hydraJobs.nix
@@ -0,0 +1,15 @@
+{ self
+, nixpkgs
+, ...
+}@inputs:
+
+let
+
+  buildHosts = hosts: builtins.mapAttrs (name: host: host.config.system.build.toplevel) (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") hosts);
+
+in {
+  inherit (self)
+    packages;
+  nixosConfigurations = buildHosts self.nixosConfigurations;
+  iso = self.nixosConfigurations._iso.config.system.build.isoImage;
+}
--- a/flake/modules.nix
+++ b/flake/modules.nix
@@ -0,0 +1,19 @@
+{ self
+, fernglas
+, fieldpoc
+, nixos-exporter
+, solid-xmpp-alarm
+, sops-nix
+, ...
+}@inputs:
+{ ... }:
+
+{
+  imports = [
+    fernglas.nixosModules.default
+    fieldpoc.nixosModules.default
+    nixos-exporter.nixosModules.default
+    solid-xmpp-alarm.nixosModules.solid-xmpp-alarm
+    sops-nix.nixosModules.sops
+  ];
+}
--- a/flake/nixosConfigurations.nix
+++ b/flake/nixosConfigurations.nix
@@ -0,0 +1,68 @@
+{ self
+, nixpkgs
+, ...
+}@inputs:
+
+let
+  generateNixosSystem = {
+    name,
+    system ? "x86_64-linux",
+    group ? null,
+    modules ? [],
+  }: let
+    localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
+  in localNixpkgs.lib.nixosSystem {
+    system = system;
+    modules = modules ++ [
+      self.nixosModules.nixfilesInputs
+      self.nixosModules.clerie
+
+      ({ config, lib, ... }: {
+        # Set hostname
+        networking.hostName = lib.mkDefault name;
+
+        # Apply overlays
+        nixpkgs.overlays = [
+          self.overlays.nixfilesInputs
+          self.overlays.clerie
+        ];
+
+        /*
+          Make the contents of the flake availiable to modules.
+          Useful for having the monitoring server scraping the
+          target config from all other servers automatically.
+        */
+        _module.args = {
+          inputs = inputs;
+          _nixfiles = self;
+        };
+
+        # Expose host group to monitoring
+        clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };
+
+        # Automatically load secrets from sops file for host
+        sops.defaultSopsFile = ../hosts + "/${name}/secrets.json";
+        sops.secrets = let
+          secretFile = config.sops.defaultSopsFile;
+          secretNames = builtins.filter (name: name != "sops") (builtins.attrNames (builtins.fromJSON (builtins.readFile secretFile)));
+          secrets = if builtins.pathExists secretFile then
+            lib.listToAttrs (builtins.map (name: lib.nameValuePair name {}) secretNames)
+          else
+            {};
+        in
+          secrets;
+      })
+
+      # Config to be applied to every host
+      ../configuration/common
+      ../users/clerie
+
+      # Host specific config
+      (../hosts + "/${name}/configuration.nix")
+    ];
+  };
+
+  mapToNixosConfigurations = hosts: builtins.mapAttrs (name: host: generateNixosSystem ({ inherit name; } //  host)) hosts;
+
+in
+  mapToNixosConfigurations self.clerie.hosts
--- a/flake/nixpkgs.nix
+++ b/flake/nixpkgs.nix
@@ -0,0 +1,17 @@
+{ self
+, nixpkgs
+, ...
+}@inputs:
+
+let
+  mkNixpkgs = { system, ... }@args: 
+    import nixpkgs {
+      inherit system;
+      overlays = [
+        self.overlays.nixfilesInputs
+        self.overlays.clerie
+      ];
+    };
+
+in
+  nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })
--- a/flake/overlay.nix
+++ b/flake/overlay.nix
@@ -0,0 +1,24 @@
+{ self
+, berlinerbaeder-exporter
+, bij
+, chaosevents
+, harmonia
+, nurausstieg
+, ssh-to-age
+, ...
+}@inputs:
+final: prev: {
+  inherit (berlinerbaeder-exporter.packages.${final.system})
+    berlinerbaeder-exporter;
+  inherit (bij.packages.${final.system})
+    bij;
+  inherit (chaosevents.packages.${final.system})
+    chaosevents;
+  harmonia = harmonia.packages.${final.system}.harmonia.override {
+    nixForHarmonia = final.nixVersions.nix_2_21;
+  };
+  inherit (nurausstieg.packages.${final.system})
+    nurausstieg;
+  inherit (ssh-to-age.packages.${final.system})
+    ssh-to-age;
+}
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -0,0 +1,15 @@
+{ pkgs, lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
+    ../../configuration/gpg-ssh
+  ];
+
+  networking.hostName = "isowo";
+  isoImage.isoBaseName = "nixos-isowo";
+
+  environment.systemPackages = with pkgs; [
+    nixfiles-auto-install
+  ];
+}
--- a/hosts/aluminium/configuration.nix
+++ b/hosts/aluminium/configuration.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+
+      ./fieldpoc.nix
+    ];
+
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input serial
+    terminal_output serial
+  ";
+
+  services.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ];
+    ipv4s = [ "10.20.30.106/32" ];
+    privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "212";
+    pubkey = "P1ONelxezvkcLJFyvuCVeIUd3uewPIlONfKk9y6h9QE=";
+    serviceLevel = "event";
+    privateKeyFile = "/var/src/secrets/wireguard/wg-monitoring";
+  };
+
+  system.stateVersion = "22.11";
+}
--- a/hosts/aluminium/fieldpoc.nix
+++ b/hosts/aluminium/fieldpoc.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+
+  networking.interfaces.enp3s0.ipv4.addresses = [ { address = "10.42.132.1"; prefixLength = 24; } ];
+  networking.firewall.trustedInterfaces = [ "enp3s0" ];
+
+  services.fieldpoc = {
+    enable = true;
+    ommIp = "10.42.132.2";
+    ommUser = "omm";
+    ommPasswordPath = config.sops.secrets.fieldpoc-ommpassword.path;
+    sipsecretPath = config.sops.secrets.fieldpoc-sipsecret.path;
+    dhcp = {
+      enable = true;
+      interface = "enp3s0";
+      subnet = "10.42.132.0/24";
+      pool = "10.42.132.200 - 10.42.132.250";
+      router = "10.42.132.1";
+      dnsServers = "10.42.10.8";
+      omm = "10.42.132.2";
+      reservations = [
+        {
+          name = "omm";
+          macAddress = "00:30:42:1b:8c:7c";
+          ipAddress = "10.42.132.2";
+        }
+      ];
+    };
+  };
+
+}
--- a/hosts/aluminium/hardware-configuration.nix
+++ b/hosts/aluminium/hardware-configuration.nix
@@ -0,0 +1,35 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/33e8b880-8074-4f12-8aaf-24d7ab190e0a";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/aluminium/secrets.json
+++ b/hosts/aluminium/secrets.json
@@ -0,0 +1,27 @@
+{
+	"fieldpoc-ommpassword": "ENC[AES256_GCM,data:F856G4jZjbj7RQ==,iv:svnlwqEPMDHHlSSv5Anv7w7TlDjHUBmKqiBL+IBV+1w=,tag:fnySgzaHzf2paWEBwD4DYg==,type:str]",
+	"fieldpoc-sipsecret": "ENC[AES256_GCM,data:ysnHLFHPbOcgTfoAmZy+3Q==,iv:6G66WDGzuyfTzezVK0uwY5Ihv22dR7x7g/A1fvxUhjk=,tag:WUVNU6Bw5u0kyHpyFsKmaw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age12nr9jt7u04ef0uf3h3pmh5wsw0t5ax7flwtk0t57zhsqj7s0lvnqxdgtu4",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SVJHaWVpVFRtZ0tiTElr\ndk5jem4xbm1rTDdkNFdEanR3eGljak4ySUFrCkVSKzhOMzB6elR6WlFtaW5vTXZK\nVE1TZ0pLcmo5alJnL2thVWVvRmV5YjgKLS0tIFJUY3pVKzhoSDNpQ0Z4TC9vdmNL\nc0RlZ1pVUmhIMjRPd1ltZFBlMXZhZncKgtH6HYaK9GLPmwHpIRXwwyhWLqHVvhDV\nRCusRPXi7vpl9Codn/gKa1yhtS+Nbrftpfibcf4Zpp6tbICBJw6Chw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-10T12:55:36Z",
+		"mac": "ENC[AES256_GCM,data:rYVMHm97fym9o88cF6IjPsOl1ZgIafIlvw3BhS3y1tFKuiIAmsqL+DvD+yy8oLz2atvyxIdcKihDRNoriC6V80WZg2jqedSbkK0QQHng8z+9KE0SAfoacuJqb/SMULOPVvW81Zhox3Y0fbSVdO3WScx7Z0czNBZ0JGWVObRFbHY=,iv:97/B4g0JTHLlyR9yV8xqhhDnkDDfS9VhsXFb8v3pMVs=,tag:No47WYn/Uk6R2mq2j2gpzw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-05-10T12:54:53Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAqgQosLYib0E8DjzA2YFhXqSvsDhRQblHDMNgTuO2/LkB\nVFj674m60/04eFHkUzAo1Ix9W8ji3Q/vVLJ/bLcfx4mGS7atBNzCFHlRrXPcSS5v\nMyihaRqfusweNTwYF64aQ2iE/EWjEDRo4Ssl5aOoilnPHpIqaTyeIbejzHoZWqqi\n7GZttP33NiQP0iWVO4SXlwkF5yuZT6qaHjUIOQEGImz5q87eMUtTNm+Xf3Qx/jAw\nqSkxwN5ySMuMcMqGpShhztoXpe123YlvNr22fZzkBHU5AwakscC5nf8skaMc2Lrh\nJ/+qFL2tWdgEf/fPd7aYFEIuC2YdJRo+yGMZ9s2VjD9ZlBQUFd8KZhytxmzoO3rW\nNKPM7/4tMyhdomt+uKqQNrVDOFMdyR+xLowyGgVqn9MDDDcnQhEdGyqk+WEeQCWN\nXlrQEVshHvC0YTIIXoyFljmMo/z251FoVY8+PHZOQzAJB2RyUIzjEDTX3a7xDNff\n5j9THrSloPLXuW9lXQO8qX8h/50GbJ2Hjpapslx3jhYx7viOHp2h3ojXbNditrIE\nWHEw679IjgTuantfnTzy1NPtIVvH5twrncPRdRsOqVVL4UHI66O5SCATAuVFXM7O\n+ZlLZS3TnuHE9JDlmV1Ts065VB3iYxXA/3p78gCcVp9otQVeDSVq3PTmKzUCLbSF\nAgwDvZ9WSAhwutIBD/9xwPiMUY60fKMS5/BoFYxKB4Ml41MalHdSURmU5IMp5oax\ngykVOoWmOTw3pm90lsZg809SwO3rbJjejMzzUZZpN+vN2pJbZeqRaY7Av/y1K6Sq\nlWXY7Jzbw2bI3JDPVq0tetM4EixGyN+P5p4tVB07BxKzbaN7dCFWk8EkFZBS5Fg9\nQiqLBwk1EofEsZHEbw6BYPivYHi0Cy63ghQ8t66SfhMyh+s2t9jPFB7s24UACaOe\nQ2aC1CP+kDvEMIlS3StNcHGUvZ73/CAkbTmbb0gynFw3odNN7+8tWHmWL3J+0RaO\n0TfXABH8/A3zka97IoZvMt9SqO0FT9VrxE2xBp318rsTfQrkYN8UiiBfvGjI6Gc2\nlZ7qXgFa1tlzYmTjYYs6TCxyT0a8mCt7wOS5yFkph4pXEumJIhh7nmJlr3/gdapt\nwA/LhAq63+UNCGvAKum2XdfwycLDvxciyz40c0ZN25SDQ+2WQp51/GESvVQNDyIc\ngI+BTFSxVjW2Qs7WdN2dJeQ7bLmN0EpGNGszHYiz/T0zowvuUiOrfjVdoNigSPwR\nSeNDI7KQ+miLiqLCSSNTF6D3MlstHBXeEfGLbJ1qFvT4hX5ErI0xmn3lVeAeQIAu\nW9wMvtmMtt7XAef9hzyUUKvnkf3pQw+GBtvY4/pCJrFWKw8vADmLZ56t8UlNFIUC\nDAM1GWv08EiACgEP/icY5+u/9/LLXcnQ0gUsOwL1ChTAOnJxl2Dfu6Wdl/Xohe20\n6VsznYeAyOQ7pq0yweTRYejx96S5M1H+M6uZJPt4lMUaX4/WwM0zJeRH0nsaqbQT\nr6YUZX+jWKhVtuHZinmSLLo5Kj/DH2DPkDPH+ZZbPHjbsltPnYggx8x5NfseN1wO\nLe/dUCz3uH0LhgMpIxeQRWJSkstV64F907SyuU8fqaQJbq28YuEYZS99yE4VTUH/\nYion7EfHpAU54f9SfAahe4VL4hvDIKQ5qbC8JiiQnPYXElNwvQnDwOpysOAq9LQL\n0VXanXeQf/mXfjRc+NiiF+7sfavSRNmIkKOm8xEgdEASQ8lh4UDhoA8mcSnB1dFJ\nAt8YOmkPEC7kplF2wQNFI0RpI+xsJ4hxsCZ3QFoXNwHK1HbeEZ7/FxtSvzxFdXsx\nNyB7EagsIMq/G6R4J9rWCHAf9LKlnFNyVzMin2LoOUtp17yvODXOszKVEj38TMfr\nz9K31QTellrFzJCNTY1VwZyb1JJfiVsbGCqJTbILB3SYV36Lwb3neAvK1P4KsVFY\nDIqMHeY3oLoxLyHRajtjKxhYTwjB3c0ov2IAqOszAvwnO9YBClxeewMt2/Vv2Eok\nzgkEV3cTSZCtPPhF7+C/0bZ35A1MDNXaG1AyQS+4idN0a3LuIgROF3Ow8gB81GgB\nCQIQBdPtKSJqTekbsvXlb4HEHZmjdwjoinMUiuDjAsccGSAvuEqC85NLKjn3+KpK\n7nYnI6NAI6SJ4IUy6YJ4/nKPw6hKTEn442rhUDMmQ3dmCMQFBTLx+VSUpsHE2SSL\nyZ8fqDq6Dw==\n=LtRd\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/aluminium/ssh.pub
+++ b/hosts/aluminium/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICm4kHCK4ACXtZt9ziBXnykiR1onPQtbmfAKU/fcqr8G
--- a/hosts/astatine/configuration.nix
+++ b/hosts/astatine/configuration.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+
+      ./ppp.nix
+      ./programs.nix
+      ./users.nix
+    ];
+
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input serial
+    terminal_output serial
+  ";
+
+  #networking.firewall.enable = false;
+
+  services.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
+    ipv4s = [ "10.20.30.108/32" ];
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "214";
+    pubkey = "I4xh3t6vIcNyntZkewXX56eWrEd3J0hhaYV45xj6uVU=";
+    serviceLevel = "event";
+  };
+
+  system.stateVersion = "23.05";
+}
+
--- a/hosts/astatine/hardware-configuration.nix
+++ b/hosts/astatine/hardware-configuration.nix
@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/ff68d582-80b9-4c3b-8b9a-bbe7089e882d";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/astatine/ppp.nix
+++ b/hosts/astatine/ppp.nix
@@ -0,0 +1,90 @@
+{ pkgs, ... }:
+
+{
+  # Make space for VLAN header in containing ethernet segment
+  networking.interfaces."enp1s0".mtu = 1518;
+
+  ## DSL-Uplink
+  networking.vlans."enp1s0.7" = {
+    id = 7;
+    interface = "enp1s0";
+  };
+
+  services.pppd = {
+    enable = true;
+    peers.lns-test = {
+      config = ''
+        plugin pppoe.so enp1s0.7
+        user "criese#regiotest@bsa-vdsl"
+        ifname ppp-lns-test
+        persist
+        maxfail 0
+        holdoff 5
+        noipdefault
+        lcp-echo-interval 20
+        lcp-echo-failure 3
+        hide-password
+        nodefaultroute
+        +ipv6
+        debug
+      '';
+    };
+  };
+
+  /*
+  networking.interfaces.lo.useDHCP = true;
+  networking.interfaces.ppp-lns-test.useDHCP = true;
+
+  networking.dhcpcd = {
+    enable = true;
+    extraConfig = ''
+      interface ppp-lns-test
+        ipv6rs
+        ia_pd 0 lo/0
+    '';
+  };*/
+
+  environment.etc."ppp/ip-up" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      ${pkgs.iproute2}/bin/ip route flush table 20001 || true
+      ${pkgs.iproute2}/bin/ip route add default dev ppp-lns-test table 20001
+    '';
+    mode = "555";
+  };
+  environment.etc."ppp/ip-down" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      ${pkgs.iproute2}/bin/ip route flush table 20001 || true
+    '';
+    mode = "555";
+  };
+  environment.etc."ppp/ipv6-up" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
+      ${pkgs.iproute2}/bin/ip -6 route add default dev ppp-lns-test table 20001
+    '';
+    mode = "555";
+  };
+  environment.etc."ppp/ipv6-down" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
+    '';
+    mode = "555";
+  };
+
+  petabyte.policyrouting = {
+    enable = true;
+    rules4 = [
+      { rule = "from 212.218.16.237/32 lookup 20001"; prio = 19000; }
+      { rule = "from 212.218.16.237/32  unreachable"; prio = 19001; }
+    ];
+  };
+
+}
--- a/hosts/astatine/programs.nix
+++ b/hosts/astatine/programs.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+
+  environment.systemPackages = with pkgs; [
+    tcpdump # for remote wireshark
+  ];
+
+}
--- a/hosts/astatine/secrets.json
+++ b/hosts/astatine/secrets.json
@@ -0,0 +1,27 @@
+{
+	"wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T16:03:13Z",
+		"mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T16:02:41Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/8DFDlQ8NflA+CIVi5xaPC77pZeoO0LIKUhmFUhTnqLBBp\nNidFQ+24VmsfhmyPqbF7V3RpO6jvEjTfolnHjWoFV1X3BXmN9bkZbLw6pElMLIVw\n7vCjIyqe06OEzwV5uyn/ye0K/Mxa94MjnpF3wnUid61qSp2C8EJgNV13iTXr/rRy\nQaKZKTigfZF6Kprchr8PgpuL6G50yL7LBaNhdbIxDr1zZ6BO7J60FlDYQf0yUU7H\nmhwiCXKLJ3srSWgTKLJLHCfvQzy3bY0khoNeaLeb97cMuO05d42kc0/qa06R0dEX\nRgOoAnVGTd5VHJL72hMRcZFl0nx7o18rsFUK2Y/xSTOf36QqLjf3RIOt0r/CpGh8\nbVCOc9DXZORvnPqPYCj99sr/2Td2Zw4ZigebnRH3g/Nsrah9LHEBJHRd1MvgklHq\nUlCccoCGGo2T8xCLOjNqNkQbu8TFAAv541PyVI60STR6VxuSZgrKMD9dyUxZJTXj\nYaj1Emue4VbexWkoZlJbn0kFzn6GQLYOz/g5X43VSL2X+o5FKLZOi+IyffVFdpz9\nzb9OTbRaGkIE0xub/MUwkchcUHoqbNVnflV0vcx50kf+jhl+RPo8DSLLWKH+HqSI\n3GUvCtknGsX9XznAijQn2hkXgcQI6tBswweeG13xLnok+2whmo5G9jRE/E7ErZeF\nAgwDvZ9WSAhwutIBD/9fvllnh2ycsUil0QIeQOo30pp7tMPwSxyMy3+uBMSScqHb\nHHK58P7nL7cdj8u+7h/EWMSDrLI0JI6JGGmEth5uMS0EmzjdwnNPLf7eTfAZ+XDe\nf8OMbh+7s7YgM/mM8CeQLoReBGJWpDDcXlVO8vA/5hVIlQ7OfkTcFIKap5h93k9N\nPkKfFXdEfCGhxzSI0hSjCy2kP/d5kaIFcVAHrRgQAMIQYZU6bpRNLKlGcDuDXPy3\n4l3N5orpBHRoVWXH3tKFjnyh4sI1Aw0tYrKQCfA/kRmcDF0+sKaZ+fxqHHWkF+2b\nv8L7LAlFtkEO69LUAHBIhG3fP8pTbUn0AVOI63OQ8Hi6a3vzzFFITLmkTGADtVZv\nepqtz1LuSKArr8MHz8w7v/kJ9E5H6Qd2zvQ8wo0BYu+RjhYbOkianu6DHINj4tGp\nC2RJX/M2j0R8pey4m5ffrEb/lhTNn2XlYcQvb0+EsX+7vZ4WyY8boqwn7DFsfWIh\neOtFlOmQvvWJzv+02F7bGIFwrWgk3iUJSUPordNUSi+jVZOKMFAyJKSdfBKMrXfo\nXqN1hnQdTvE+hamoSsIPoSfI2L/Pk+fkRsom/tlUR8EEkQZQuijKuCDOC8FuXXqV\nB8mYkqXHSomws/M838LSo9QvWDb57aZaihofElzWHsEzA5QZ428hKjMFILRU/IUC\nDAM1GWv08EiACgEQAKU2HTKNS1H8XKzsAfb+1/VkVXA6PGVBYkxP/6K92uydY7Ym\nl87Pc4ixYAnyzf3HelkZxmjtIYH4GqA9TwQJvjT/gLPTYgV4WZ2S7KHsdMdHIoTv\nONp13ohP/nhKsk94XC7DfapEGKcMJIC3z+e/QW98f9cEHoTRfPB5ND3JKcA7oLRG\nxjEtZdre6FXxjVLizyUaMQPtLyDGVXbtS5xpwG/UkZiUeIC9Cm5N1n8lWLjyQ7j3\nW9+aA+PFmh5I5cx4SY/Hw6Hke56tFADCLd3Gp3ZRfstuQRPhNrX4gOM3qT2NBVCR\nXFPGSOBE3Bu1Lm/UbePGpvQdlyHDg63vghUsl1o8c280M3dfMH3Q9e0OobiNVksu\nMEDvR5GPHLEvabj/zvoM7+SpMSaNGqJP4X8e/90WTg4JQbAPB7K/XZqKtwVTqqfs\nWFfU798M2xQZpy5aHgsI77rPdgDWw1NvlIcTSClZyXs42Iqo1ORVoY9mNzJfsop9\nLbbKsF39leLTqSJZi1ZsfdPsjetKxGhRCv3eDdU0vco2tH2xVexPqT4ZcCbqUWfx\nfJrux7CmOUmbyNLjvq0gDEG8Xe2J+InvmML7dXvZK6wd8wh6ODfdrQ+A3ga4XIGm\n0FkiEuVGohUhENHZzPkNBSUykdEYxoRfQQeUAFmywjXnEDBcSj8j1z2Y2IJZ1GgB\nCQIQrLziglrWl7GDjSFhstu83UXngV4M38PiHZSJBo2Ect0nr6o42ZCxhDC22A8V\nQOh286DVqEELdiCHvs18U5aOgFpE+t4MHObkQhE1nX5xDFtOwySaaXkga8XFGnt9\nVAPIsf93xA==\n=nhxm\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/astatine/ssh.pub
+++ b/hosts/astatine/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQegq2ZQx0fNVHlITNHdZoSAh5jsaDyv3Sej3a8Y4j3
--- a/hosts/astatine/users.nix
+++ b/hosts/astatine/users.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  users.users.criese-nethinks = {
+    extraGroups = [
+      "wheel"
+    ];
+  };
+
+}
--- a/hosts/backup-4/backup.nix
+++ b/hosts/backup-4/backup.nix
@@ -0,0 +1,13 @@
+{ ... }:
+
+{
+  services.borgbackup.repos = {
+    krypton = {
+      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDV3GpgaDqgTlWX0//DQ7AedYo0sD4e37OHl4/OqU7C+YfIuzaC8+KRfugTQS4R8UBKuxFHJC867aHq2rxIfKzKFtmyVPT7ywbpgNW3FDugQZ5MdPo8eHV19jnaZ9jkhUpJmMzayW+hU0GxT1fEXzSaewJknY3afdTKAi3dM+7LAcxVa82qwwArNuH06wrthU9eyva2QWMeZ6aEzzZgSxxrLQZFIXRtA81JcFmjL1IwxepDyUsbTj31Wmvf4n6YI6wxY9QhKyS4bahlnQmW0CpKwX6lKtGRRMVilTZLKa0aR0z15ltPE5h1USUnxiyo5YVB+1QA8luCnQAzIeZODEc3um8AfH4Z83MqU802K8yRmjJUhkoezJwRjewJito3Pfc4TOC2pdo7Na9bb5omTz7jiTRDvQkysWSZGyd22Vsl48tVuRTve/VkhBZuqOwH9yqBz5rl2hG7GHOiHD40kjxq+fJW8vge1hdu1TEQK8ubn1Cod/GuvuWFMTAwagYrJs0= clerie@krypton" ];
+      path = "/mnt/backup-4/krypton";
+    };
+  };
+
+  # fix borgbackup primary grouping
+  users.users.borg.group = "borg";
+}
--- a/hosts/backup-4/configuration.nix
+++ b/hosts/backup-4/configuration.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
+
+      ./backup.nix
+      ./restic-server.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+
+  networking.useDHCP = false;
+  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::c"; prefixLength = 64; } ];
+  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+
+  services.nginx.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  clerie.monitoring = {
+    enable = true;
+    id = "205";
+    pubkey = "CLEF5hLdjwPqfU1oaM16fusJ705iNzUBxYsb4/YuGw4=";
+  };
+
+  system.stateVersion = "21.03";
+}
--- a/hosts/minecraft-2/hardware-configuration.nix
+++ b/hosts/minecraft-2/hardware-configuration.nix
@@ -8,13 +8,18 @@
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];

-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/472ace36-d152-4139-9ea8-76f104e619d3";
+    { device = "/dev/disk/by-uuid/eb9bcb35-4f34-4cd6-b1b3-3a86de40571b";
+      fsType = "ext4";
+    };
+
+  fileSystems."/mnt/backup-4" =
+    { device = "/dev/disk/by-uuid/f4d2a27d-664b-45f7-abc2-adf6691ad363";
      fsType = "ext4";
    };

--- a/hosts/backup-4/restic-server.nix
+++ b/hosts/backup-4/restic-server.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  services.restic.server = {
+    enable = true;
+    privateRepos = true;
+    dataDir = "/mnt/backup-4/magenta";
+    listenAddress = "[::1]:43242";
+  };
+
+  # restic rest server does not support --htpasswd-file in the current version of nixpkgs
+  # until then we copy the secrets to the common location
+  sops.secrets.restic-server-magenta-htpasswd = {
+    path = "/mnt/backup-4/magenta/.htpasswd";
+    owner = "restic";
+    group = "restic";
+  };
+
+  services.nginx.virtualHosts."magenta.backup.clerie.de" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://[::1]:43242/";
+      extraConfig = ''
+        client_max_body_size 10G;
+      '';
+    };
+  };
+}
--- a/hosts/backup-4/secrets.json
+++ b/hosts/backup-4/secrets.json
@@ -0,0 +1,27 @@
+{
+	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:QxdmemBB/iuU+fvc2QRRkbOHO5Ef8ZJqfTdFCnlOqKog5krZ2oIpURuttH9YeggJXV2Cr+kJDGI0b9Ca6BtCkOhahfWicTeFhuODJsSyZJqzw36Ba8pX3nIpqoa7StTydK1Dx5chOi2g8oB4895SvWqDa/qP10yDtBQAYURHYfodb9/tiKzfjJAGDlqsR2h+qmdbAkvR3/oAquBO8Nb493G2sixs20XIG85moYv6l0MPnZtWEXhDT8lM5tw0PCgpSfYaUeMWnmFuzFBj3MQSo3zAjGPeOSYVFlbwbLqFWL507z0dlRgzsxMYB1F4OL38nOpO2CP2/VvbidgbQZjKCfiHMJtWLQfzZIfNEhcF8kq2uhhOwRSKN3G7u1/ezzu+9UlUVMV6PY2jjbZHJ79Knu5SJ3KqphygjjIhdHufqI03BP/aJa0QkE/mGg9is3H0myW5rG9ElA1C4stF,iv:1Ue/H48af3ECUZ5GC0hrMMBfOuCZSuX9wOSAd5XG7Fk=,tag:HchM/ZJEDG4pWQdDanC9cA==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1yx7pqg8hz68487k92kgwhdzuc4cuym7l567a5adel9gtvp8l7qeqlg9zr4",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-06-03T18:16:25Z",
+		"mac": "ENC[AES256_GCM,data:hWCI1hWTbbasov9Si0JDI39rUuBOEqrz+qxTKrNN4S/r9Ktofrk46b3rxSQF3+bC03HrbCMLk9/7XkvIFJXQj5pa9I1aG8MuMbgF0Z8Ft/uNdHPUUyLJwo/4aav4zXVpdg7zNtPdwjk66pw7iRO5XBmYgnQlnXotHM6S9s7RzuA=,iv:VJmLD1SImGtreceQP+DofnzOGp3sm12iCzbPsqzw6SI=,tag:aUryi0xUG7sd/EOmqrMQCg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-05-04T12:30:52Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAoI+lgyV1TA9VwFGdsDIhwCvynN8v9VYWjujnUr9G/7vV\n2t4MKxlMatvYJSU/AyrO/iXaDokZ6AMBcWHrvUnVimkljUKqgK1gIdHTaQks7GrZ\nR2zx+dVH6EeQOhNLVzzFm1yM692YI4XDXtmeXCrJCKA9DmSB4uzdV4jWlWAYSS1S\nL0/ZNBz0c7PabTHfzhqvBj/+IBnH/Mch80WZyQNtuZFUCQyXdhluKYhaeU7+eUgX\nmHXIy6mZqTYJahUWz0r6D+Iko8HhGPwMFTVnsYCERvfLWZ4Kfr0Zf2tgqt4x0l5x\nza6hnx6gGzrbGqnBLgqP5lH10q1lmZluLi45ChIsI5sScyhcZgjq7+0gdRfjyOC6\nXhjYMzfQ+epcO6RavTnXsEXG0YMtocFIxVZhidv6FCSoRALqOl3z6tksJFfyploR\nDIjYh7iPjUkrgbV1lyH91jIBcRWZP2UvwiXP9qB6/GgAR14TqmF2u9uIywYwqKnf\nX+ptzHSI7i1DxizbF/Tu4Dw1Bz9ZlYpm8ojL3uEw0qSuclxjTd2/T5qogkZ3a+UF\nBuopoUoCIOXLik9VLiKzCJHAcWuSehWbL0+p+1cIlRESH8VdzQ3r8rrSErUoWA+7\nk06Fzl6iBeFMnP1rWWtFetfJeC/Z0PDe1GdFa/xdTpt/sMeNw5qhHzCSiUHavYOF\nAgwDvZ9WSAhwutIBEAC2V4Cqj5ffXmJ64R1y58F0fT4QNJ5lHg3xmvbuQrJoINMY\nC94ysRGpOX8IFVHIL/WypB2HixFEE3ZnEdcbviKJRZ7ukxvy6/Vs9a5SiX8QDFfi\n0UtWg9jEh86mGqPoxjMnyAcv+e+xcbz3izw7cEAYpjlTGTLOmQhHUgv58hs1L6ND\nre+MAUs53iyzoprMezEoU+7rDavy2a68BUMHaZrivCA2l2jH1ApEWz/dxv/3S1Qb\n6sRxumWfLj68UNKcn2nNwfs8xpHLAIWnnZB9BBmwPb989wpg8WLlacpWUtL1QzUT\nmCI8EKyWKMuIZXOnXVNqEmA2jDVDpbXOfMPHw0l0kKNx7tAXtjkWR7IE8T5iTspq\nL1F6d/caDroOnwHYCkJ+QzNstikTevOntIgMRYXkx1+QL+C+rS3K+My7281If1/G\n9XXcIAsi4f5BLmC1xT8my45UaziFlw99KoEFga208uHl9k0j/cZhSIKDgr08sR6e\nQa1p2WAFLhK1AjCcomSkEnLfWSStcUBAhBkFexWYcxlhUerczE0dhV+yH8daug7A\ntcKTKC3ooGkQAPHKcWZHUFnm0dd6TME73xpMLMgo5N4Qli+yvgX3RnvfCzWGN+pN\nkV5hF4kTBmf0/YLYhAft0+TQSKyGymF5MSMW06X5syHE/s/mznV4G1A6FGwbnIUC\nDAM1GWv08EiACgEP/0XA6/lfkb3iUnjR/JH9BOp9nAldAIouTWB3zcuJddfP4kfT\np/+AsK7DMOp/RYWnngKVNSihkAuVfGUfhZpDvF0aS2Cjk3gmgMa2n3K/1g2ypZXR\na5HsXTqAH9EzMxhaHWRkvrb0Kf5jYt20MVIPvI3PuNQNS+gV66zxo7rdZLfINs8r\nigniDPn9vBteXEg9do50fmk70RuqBS2+0RYMgGO6xgz7+qFXBuGbtq/fAVwVsqMu\nG6cPuLNRrZ0aX+2fm1Ay/c25SV15VR5M/zo0qAFoHIGdapjxeOeoncW2KMWRo69w\nDuNMidDFcFOvYqJJ6Ih9ZkZAgtR+uOOjiC9SeKQuFQ7nONfPqpBDuNwHogha2EIU\n3LQpksg2QM7jziZsenNrsbx1nz8QpYC4newsdqjNjqNl/8ZZpv1AEGavrnfQ1ud+\nCxgvUUXhvedk2T+vnNSNmRFsAzIUp6Vy6zGtg/tuagMootexbs6nI9P1iVBh7ojD\ni6/YmOantNhVo9B0XgVXF6JgtlQ8eFZ0gHrAt1YeQejPoiHNQe9S1fOiOv2cTbZI\njWRLGgzNyj9rLRlyGP98Tf3YLjZ9bR1gRylnbdl4l0DFDRNd/tF4CO/20ai8QkZm\ncKZnP7t2hMvILf1LYCty8CDNKM0MQ3k/AawaUKMjNGj6DUdN8JUKS+8sDpW/1GYB\nCQIQv2lQ6ZD+9GTC8hbMrxkM7nm8GfDOgA8fhoyRNSCkUnrXkIvnk5dG4u2hgHOD\naC/VyW8ahSuMqINO7epMhSJD8971MG+qpeLSSPEL4W9uibosY8jT1Mkeg8fkSFHE\nu0LyQcg=\n=EO+v\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/backup-4/ssh.pub
+++ b/hosts/backup-4/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUaAo7yYjuVpWadxPqrUGrZWwLNltvc+PfOT8z36Eip
--- a/hosts/beryllium/configuration.nix
+++ b/hosts/beryllium/configuration.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input serial
+    terminal_output serial
+  ";
+
+  networking.hostName = "beryllium";
+
+  networking.firewall.enable = false;
+
+  networking.iproute2.enable = true;
+  networking.iproute2.rttablesExtraConfig = ''
+    200 wg-clerie
+  '';
+
+  petabyte.policyrouting = {
+    enable = true;
+    rules6 = [
+      { rule = "from 2a01:4f8:c0c:15f1::8107/128 lookup wg-clerie"; prio = 20000; }
+      { rule = "from 2a01:4f8:c0c:15f1::8107/128 unreachable"; prio = 20001; }
+    ];
+    rules4 = [
+      { rule = "from 10.20.30.107/32 lookup wg-clerie"; prio = 20000; }
+      { rule = "from 10.20.30.107/32 unreachable"; prio = 20001; }
+    ];
+  };
+
+
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces = {
+    wg-clerie = {
+      ips = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
+      table = "wg-clerie";
+      peers = [
+        {
+          endpoint = "vpn.clerie.de:51820";
+          persistentKeepalive = 25;
+          allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
+          publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
+        }
+      ];
+      privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
+    };
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "213";
+    pubkey = "hMIr7fgfZwSjNufRaMtq+7MDxfwN3XLJ4ZlmSOoFrz4=";
+    serviceLevel ="event";
+    privateKeyFile = "/var/src/secrets/wireguard/wg-monitoring";
+  };
+
+  system.stateVersion = "22.11";
+}
--- a/hosts/beryllium/hardware-configuration.nix
+++ b/hosts/beryllium/hardware-configuration.nix
@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/b6ea0f34-629b-42b4-a01b-28e37abf1248";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -4,14 +4,24 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
      ../../configuration/router
+
+      ./dns.nix
+      ./net-dsl.nix
+      ./net-gastnetz.nix
+      ./net-heimnetz.nix
+      ./net-iot.nix
+      ./net-lte.nix
+      ./net-mgmt.nix
+      ./net-voip.nix
+      ./ntp.nix
+      ./ppp.nix
+      ./wg-clerie.nix
    ];

  boot.kernelParams = [ "console=ttyS0,115200n8" ];

  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.extraConfig = "
    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
@@ -19,238 +29,57 @@
    terminal_output serial
  ";

-  networking.hostName = "carbon";
-
  networking.useDHCP = false;
-  # Local Router IPs
-  networking.interfaces.lo.ipv6.addresses = [
-    { address = "fd00:152:152:104::1"; prefixLength = 64; }
-    { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
-  ];
-  networking.interfaces.lo.ipv4.addresses = [
-    { address = "10.152.104.1"; prefixLength = 24; }
-    { address = "10.152.0.1"; prefixLength = 32; } # Anycast
-  ];
-  # Network
-  ## Uplink
-  networking.interfaces.enp1s0.useDHCP = true;
-  ## Local Network
-  networking.interfaces.enp2s0.ipv6.addresses = [
-    { address = "fd00:152:152:4::1"; prefixLength = 64; }
-    { address = "2a01:4f8:1c0c:8221::1"; prefixLength = 64; } # public IPs for local network
-  ];
-  networking.interfaces.enp2s0.ipv4.addresses = [
-    { address = "10.152.4.1"; prefixLength = 24; }
-  ];

  networking.nat = {
    enableIPv6 = true;
    enable = true;
-    externalInterface = "enp1s0";
-    internalIPv6s = [ "fd00:152:152::/48" ];
-    internalIPs = [ "10.152.0.0/16" ];
+    externalInterface = "ppp-dtagdsl";
+    internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"];
+    internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ];
  };

-  networking.wireguard.enable = true;
-  networking.wireguard.interfaces = {
-    wg-gatekeeper4 = {
-      ips = [ "fe80::127:2/64" "169.254.127.2/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          endpoint = "78.47.183.82:50127";
-          publicKey = "y+Bk5eIHgmnq9xuBDD+fk/OIkKRZU6AE4ISx4RdDDyg=";
-          persistentKeepalive = 25;
-      } ];
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-gatekeeper4";
-    };
-    wg-porter4 = {
-      ips = [ "fe80::138:2/64" "169.254.138.2/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          endpoint = "5.45.100.191:50138";
-          publicKey = "aP6optNE7nVk6coo+USkSDtB62rAc/isfofRML9V2HM=";
-          persistentKeepalive = 25;
-      } ];
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-porter4";
-    };
-  };
+  services.radvd.enable = true;

-  clerie.gre-tunnel = {
+  services.kea.dhcp4 = {
    enable = true;
-    ipv6= {
-      gre-gatekeeper6 = {
-        remote = "fd00:152:152:101::1";
-        local = (lib.head config.networking.interfaces.lo.ipv6.addresses).address;
-        address = "fd00:153:153:201::2/64";
+    settings = {
+      interfaces-config = {
+        service-sockets-max-retries = 15;
+        service-sockets-retry-wait-time = 2000;
      };
-    };
-    ipv4 = {
-      gre-gatekeeper4 = {
-        remote = "10.152.101.1";
-        local = (lib.head config.networking.interfaces.lo.ipv4.addresses).address;
-        address = "10.153.201.2/24";
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
      };
    };
  };

-  # Routing tables
-  # Table: 10000
-  # - primary routes
-  # Table: 11000
-  # - ospf routes
-  # Table: 20101
-  # - default route to gatekeeper
-  #
-  # We will never use main table anymore
-  petabyte.policyrouting = {
-    enable = true;
-    rules6 = [
-      # main routes first except default route
-      { rule = "lookup main suppress_prefixlength 0"; prio = 10000; }
-      # Prefixes defaulting to gatekeeper
-      { rule = "from 2a01:4f8:1c0c:8221::/64 lookup 20101"; prio = 20000; }
-      { rule = "from 2a01:4f8:1c0c:8221::/64 unreachable"; prio = 20001; }
-      # Everything else defaulting to main table after this
+  systemd.services.kea-dhcp4-server = {
+    after = [
+      "network-setup.service"
    ];
-    rules4 = [
-      # main routes first except default route
-      { rule = "lookup main suppress_prefixlength 0"; prio = 10000; }
-      # Prefixes defaulting to gatekeeper
-      #{ rule = "from xxx lookup 20101"; prio = 20000; }
-      # Everything else defaulting to main table after this
+    requires = [
+      "network-setup.service"
    ];
  };

-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
+  systemd.services."system-reboot" = {
+    script = ''
+      ${pkgs.systemd}/bin/reboot
+    '';
+    startAt = "*-*-* 1/3:13:14";
+  };

-  ipv6 table gatekeeper6;
-  ipv4 table gatekeeper4;
+  clerie.firewall.enable = true;

-  protocol static static_gatekeeper_6 {
-          ipv6 {
-                  table gatekeeper6;
-          };
-          route ::/0 via fd00:153:153:201::1;
-  }
-  protocol static static_gatekeeper_4 {
-          ipv4 {
-                  table gatekeeper4;
-          };
-          route 0.0.0.0/0 via 10.153.201.1;
-  }
-
-  protocol kernel kernel_gatekeeper_6 {
-    ipv6 {
-      table gatekeeper6;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv6.addresses).address };
-        accept;
-      };
-      import none;
-    };
-    kernel table 20101;
-  }
-  protocol kernel kernel_gatekeeper_4 {
-    ipv4 {
-      table gatekeeper4;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
-        accept;
-      };
-      import none;
-    };
-    kernel table 20101;
-  }
-
-  ipv6 table ospf6;
-  ipv4 table ospf4;
-
-  protocol direct direct_lo {
-    interface "lo";
-    ipv6 {
-      table ospf6;
-    };
-    ipv4 {
-      table ospf4;
-    };
-  }
-
-  protocol direct direct_enp2s0 {
-    interface "enp2s0";
-    ipv6 {
-      table ospf6;
-    };
-    ipv4 {
-      table ospf4;
-    };
-  }
-
-  protocol kernel kernel_ospf6 {
-    ipv6 {
-      table ospf6;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv6.addresses).address };
-        accept;
-      };
-      import none;
-    };
-  }
-
-  protocol kernel kernel_ospf4 {
-    ipv4 {
-      table ospf4;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
-        accept;
-      };
-      import none;
-    };
-  }
-
-  protocol ospf v3 ospf_6 {
-    ipv6 {
-      table ospf6;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "wg-gatekeeper4" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-porter4" {
-        cost 80;
-        type pointopoint;
-      };
-    };
-  }
-
-  protocol ospf v3 ospf_4 {
-    ipv4 {
-      table ospf4;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "wg-gatekeeper4" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-porter4" {
-        cost 80;
-        type pointopoint;
-      };
-    };
-  }
-
-  protocol device {
-    scan time 10;
-  }
-  '';
+  clerie.monitoring = {
+    enable = true;
+    id = "104";
+    pubkey = "sro9DUSMtVr5xV2o3GTgg+0vmLj+bRc8fN+3pIr6+HY=";
+    blackbox = true;
+  };

  system.stateVersion = "21.03";
 }
--- a/hosts/carbon/dns.nix
+++ b/hosts/carbon/dns.nix
@@ -0,0 +1,34 @@
+{ ... }:
+
+{
+
+  # Loopbacks for DNS resolver IPs
+  networking.interfaces.lo.ipv6.addresses = [
+    { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
+  ];
+  networking.interfaces.lo.ipv4.addresses = [
+    { address = "10.152.0.1"; prefixLength = 32; } # Anycast
+  ];
+
+  networking.firewall.allowedUDPPorts = [ 53 ];
+  networking.firewall.allowedTCPPorts = [ 53 ];
+
+  services.unbound = {
+    enable = true;
+    resolveLocalQueries = false;
+    settings = {
+      server = {
+        interface = [ "fd00:152:152::1" "10.152.0.1" ];
+        access-control = [ "::/0 allow" "0.0.0.0/0 allow" ];
+        prefer-ip6 = true;
+        prefetch = true;
+        serve-expired = true;
+        serve-expired-ttl-reset = true;
+      };
+    };
+  };
+
+  # Use Anycast Nameservers
+  networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ];
+
+}
--- a/hosts/carbon/net-dsl.nix
+++ b/hosts/carbon/net-dsl.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+
+  ## DSL-Uplink
+  networking.vlans."enp1s0.7" = {
+    id = 7;
+    interface = "enp1s0";
+  };
+  networking.vlans."enp3s0.7" = {
+    id = 7;
+    interface = "enp3s0";
+  };
+  networking.bridges."net-dsl".interfaces = [
+    "enp1s0.7"
+    "enp3s0.7"
+  ];
+
+}
--- a/hosts/carbon/net-gastnetz.nix
+++ b/hosts/carbon/net-gastnetz.nix
@@ -0,0 +1,68 @@
+{ ... }:
+
+{
+
+  ## Gastnetz
+  networking.vlans."enp1s0.202" = {
+    id = 202;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-gastnetz".interfaces = [
+    "enp1s0.202"
+  ];
+  networking.interfaces."net-gastnetz".ipv6.addresses = [
+    { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-gastnetz".ipv4.addresses = [
+    { address = "192.168.32.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface net-gastnetz {
+      AdvSendAdvert on;
+      prefix ::/64 {
+        AdvValidLifetime 60;
+        AdvPreferredLifetime 30;
+      };
+      RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-gastnetz" ];
+      };
+      subnet4 = [
+        # Gastnetz
+        {
+          id = 202;
+          subnet = "192.168.32.0/24";
+          pools = [
+            {
+              pool = "192.168.32.100 - 192.168.32.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "192.168.32.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "9.9.9.9,149.112.112.112"; # Quad 9
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  # net-gastnetz can only access internet
+  clerie.firewall.extraForwardFilterCommands = ''
+    ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT
+    ip46tables -A forward-filter -i net-gastnetz -j DROP
+    ip46tables -A forward-filter -o net-gastnetz -j DROP
+  '';
+
+}
--- a/hosts/carbon/net-heimnetz.nix
+++ b/hosts/carbon/net-heimnetz.nix
@@ -0,0 +1,68 @@
+{ ... }:
+
+{
+
+  ## Heimnetz
+  networking.vlans."enp1s0.201" = {
+    id = 201;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-heimnetz".interfaces = [
+    "enp1s0.201"
+    "enp2s0"
+  ];
+  networking.interfaces."net-heimnetz".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:4::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-heimnetz".ipv4.addresses = [
+    { address = "10.152.4.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface net-heimnetz {
+      AdvSendAdvert on;
+      prefix ::/64 {
+        AdvValidLifetime 60;
+        AdvPreferredLifetime 30;
+      };
+      RDNSS fd00:152:152::1 {};
+      DNSSL net.clerie.de {};
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-heimnetz" ];
+      };
+      subnet4 = [
+        # Heimnetz
+        {
+          id = 201;
+          subnet = "10.152.4.0/24";
+          pools = [
+            {
+              pool = "10.152.4.100 - 10.152.4.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.4.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "10.152.0.1";
+            }
+            {
+              name = "domain-name";
+              data = "net.clerie.de";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+}
--- a/hosts/carbon/net-iot.nix
+++ b/hosts/carbon/net-iot.nix
@@ -0,0 +1,79 @@
+{ ... }:
+
+{
+
+  networking.vlans."enp1s0.205" = {
+    id = 205;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-iot".interfaces = [
+    "enp1s0.205"
+  ];
+  networking.interfaces."net-iot".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:205::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-iot".ipv4.addresses = [
+    { address = "10.152.205.1"; prefixLength = 24; }
+  ];
+
+  # Enable NTP
+  networking.firewall.interfaces."net-iot".allowedUDPPorts = [ 123 ];
+
+  services.radvd.config = ''
+    interface net-iot {
+      AdvSendAdvert on;
+      prefix ::/64 {
+        AdvValidLifetime 60;
+        AdvPreferredLifetime 30;
+      };
+      RDNSS fd00:152:152::1 {};
+      DNSSL iot.clerie.de {};
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-iot" ];
+      };
+      subnet4 = [
+        {
+          id = 205;
+          subnet = "10.152.205.0/24";
+          pools = [
+            {
+              pool = "10.152.205.100 - 10.152.205.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.205.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "10.152.0.1";
+            }
+            {
+              name = "domain-name";
+              data = "iot.clerie.de";
+            }
+            {
+              name = "time-servers";
+              data = "10.152.0.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to IOT devices
+    ip46tables -A forward-filter -i net-heimnetz -o net-iot -j ACCEPT
+    ip46tables -A forward-filter -i net-iot -j DROP
+    ip46tables -A forward-filter -o net-iot -j DROP
+  '';
+
+}
--- a/hosts/carbon/net-lte.nix
+++ b/hosts/carbon/net-lte.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+
+  ## LTE-Uplink
+  networking.vlans."enp1s0.102" = {
+    id = 102;
+    interface = "enp1s0";
+  };
+
+}
--- a/hosts/carbon/net-mgmt.nix
+++ b/hosts/carbon/net-mgmt.nix
@@ -0,0 +1,62 @@
+{ ... }:
+
+{
+
+  networking.vlans."enp1s0.203" = {
+    id = 203;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-mgmt".interfaces = [
+    "enp1s0.203"
+  ];
+  networking.interfaces."net-mgmt".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:203::1"; prefixLength = 64; }
+  ];
+  networking.interfaces."net-mgmt".ipv4.addresses = [
+    { address = "10.152.203.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface net-mgmt {
+      AdvSendAdvert on;
+      prefix ::/64 {
+        AdvValidLifetime 60;
+        AdvPreferredLifetime 30;
+      };
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-mgmt" ];
+      };
+      subnet4 = [
+        {
+          id = 203;
+          subnet = "10.152.203.0/24";
+          pools = [
+            {
+              pool = "10.152.203.100 - 10.152.203.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.203.1";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  clerie.firewall.extraForwardFilterCommands = ''
+    # Allow access from Heimnetz to MGMT network
+    ip46tables -A forward-filter -i net-heimnetz -o net-mgmt -j ACCEPT
+    ip46tables -A forward-filter -i net-mgmt -j DROP
+    ip46tables -A forward-filter -o net-mgmt -j DROP
+  '';
+
+}
--- a/hosts/carbon/net-voip.nix
+++ b/hosts/carbon/net-voip.nix
@@ -0,0 +1,105 @@
+{ ... }:
+
+{
+
+  ## VoIP
+  networking.vlans."enp1s0.204" = {
+    id = 204;
+    interface = "enp1s0";
+  };
+  networking.interfaces."enp1s0.204".ipv4.addresses = [
+    { address = "10.152.33.1"; prefixLength = 24; }
+  ];
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "enp1s0.204" ];
+      };
+      option-def = [
+        {
+          space = "dhcp4";
+          name = "vendor-encapsulated-options";
+          code = 43;
+          type = "empty";
+          encapsulate = "sipdect";
+        }
+        {
+          space = "sipdect";
+          name = "ommip1";
+          code = 10;
+          type = "ipv4-address";
+        }
+        {
+          space = "sipdect";
+          name = "ommip2";
+          code = 19;
+          type = "ipv4-address";
+        }
+        {
+          space = "sipdect";
+          name = "syslogip";
+          code = 14;
+          type = "ipv4-address";
+        }
+        {
+          space = "sipdect";
+          name = "syslogport";
+          code = 15;
+          type = "int16";
+        }
+        {
+          space = "dhcp4";
+          name = "magic_str";
+          code = 224;
+          type = "string";
+        }
+      ];
+      subnet4 = [
+        # VoIP
+        {
+          id = 204;
+          subnet = "10.152.33.0/24";
+          pools = [
+            {
+              pool = "10.152.33.10 - 10.152.33.200";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.33.1";
+            }
+          ];
+
+          reservations = [
+            {
+              hostname = "iridium";
+              hw-address = "00:30:42:1B:8C:7C";
+              ip-address = "10.152.33.11";
+              option-data = [
+                {
+                  name = "host-name";
+                  data = "iridium";
+                }
+                {
+                  name = "vendor-encapsulated-options";
+                }
+                {
+                  space = "sipdect";
+                  name = "ommip1";
+                  data = "10.152.33.11";
+                }
+                {
+                  name = "magic_str";
+                  data = "OpenMobilitySIP-DECT";
+                }
+              ];
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+}
--- a/hosts/carbon/ntp.nix
+++ b/hosts/carbon/ntp.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+
+  services.chrony = {
+    enable = true;
+    extraConfig = ''
+      # Enable NTP server mode
+      allow
+      bindaddress fd00:152:152::1
+      bindaddress 10.152.0.1
+    '';
+  };
+
+}
--- a/hosts/carbon/ppp.nix
+++ b/hosts/carbon/ppp.nix
@@ -0,0 +1,84 @@
+{ config, pkgs, utils, ... }:
+
+{
+
+  services.pppd = {
+    enable = true;
+    peers.dtagdsl = {
+      config = ''
+        plugin pppoe.so net-dsl
+        user "''${PPPD_DTAGDSL_USERNAME}"
+        ifname ppp-dtagdsl
+        persist
+        maxfail 0
+        holdoff 5
+        noipdefault
+        lcp-echo-interval 20
+        lcp-echo-failure 3
+        mtu 1492
+        hide-password
+        defaultroute
+        +ipv6
+        debug
+      '';
+    };
+  };
+
+  environment.etc."ppp/peers/dtagdsl".enable = false;
+
+  systemd.services."pppd-dtagdsl".serviceConfig = let
+    preStart = ''
+      mkdir -p /etc/ppp/peers
+
+      # Created files only readable by root
+      umask u=rw,g=,o=
+
+      # Copy config and substitute username
+      rm -f /etc/ppp/peers/dtagdsl
+      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+
+      # Copy login secrets
+      rm -f /etc/ppp/pap-secrets
+      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+      rm -f /etc/ppp/chap-secrets
+      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+    '';
+
+    preStartFile = utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" preStart;
+  in {
+    EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
+    ExecStartPre = [
+      # "+" marks script to be executed without priviledge restrictions
+      "+${preStartFile}"
+    ];
+  };
+
+  clerie.firewall.extraForwardMangleCommands = ''
+    ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
+  '';
+
+  networking.dhcpcd-prefixdelegation = {
+    enable = true;
+    interfaces = {
+      "ppp-dtagdsl" = {
+        iaid = 1;
+        interfaces = {
+          "net-heimnetz" = {
+            sla_id = 201;
+            prefix_len = 64;
+          };
+        };
+      };
+    };
+  };
+
+  environment.etc."ppp/ipv6-up" = {
+    text = ''
+      #!${pkgs.runtimeShell}
+
+      set -euo pipefail
+
+      ${pkgs.dhcpcd}/bin/dhcpcd --renew $1
+    '';
+  };
+}
--- a/hosts/carbon/secrets.json
+++ b/hosts/carbon/secrets.json
@@ -0,0 +1,29 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
+	"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
+	"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
+	"wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age16mln27e2p58gu6dpxfclttmuzfnq39mv62kthjpps33g3nl3scfq449857",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-08-13T14:06:43Z",
+		"mac": "ENC[AES256_GCM,data:yGKY0fi3KQWGHBeyNtQ8EJ6561dKRZ5aAjO9zq3odDtX75i2RSjORIlNjBsVvegBzeo8AkwwnzxNPt2sHl6MKDZfEsysWAi8Wolh4UvHk087AnR/uKvtG6t4uUaNIWej2DEzxUtTQ8QP1afsdqGCf0vZVruNcJ4u2xiQbN2vJPc=,iv:CDXJ5/P+h0Enq/0EL1su1Mw55FVYLy4XPSoUCkRkt+U=,tag:AvRfEDYMBunyIQIVCPbXag==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-05-10T13:05:56Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//ZkYls0F1NMJDUkJw7tOO+pgRm6R8u29qNLAbGMtMGGqB\nwc69WpYfO7hy2IQKGcGBp/Qrp5+gpmNBGjyq6AKEaox1TKCu2drKVRClH/Htzjhe\niAllegoS1Z0W8RGze3C9i5SiUHvVaK3c2iUJ8bCTitTgUZNvteCCgXECL42Jjb49\neGZSsTDkSUr89wECHs5thx8SV2hcYk+mZk7J/yZO54BVHxZXPfYdgyINwWnmU1vf\nqOnePaIBiRTz3+ICvb9pnndlO3KEXClnBq3N6q9IcNgfH/eCenQPc6Z2TRS/2aGl\nBvK+zygO9QJVJcprNx2WdTahf6fXGU8ZmvWj9R3wv62KmQNTWmLQzCEzpTxkfpnw\nMY2WTSFZ4EHm8xSzQMJK7QyXLyH8tOemqb/sRJpaFdvLIw66nmQtAHnY9xcKSOrC\nGdN0pyX7yEtFajgRfPU2kQb9wzyoj3hRU2lNlsvJC58R+rMLsNw5FT4+LFC2RBO4\n+E7th4fFEj6dyFfISRZfi/Rj4FWBtHLxLBm15xEYRoblciQDb0o3Qh0SIgbxnaCG\nM3Dp8zJ1EiWLPtxUo/G/8P0MkfbzuO9h07ypM/Y8r40Yrbxb4QFadXEeYcNMaRGz\n2UW84LNipLeirwQVajQv5FsCRiBCcU6hoJ9MCgDWKWDU45yFy5UBCZ88KH5PdUyF\nAgwDvZ9WSAhwutIBD/4iGSjtc9LI4OR6UXOWwm78lR685QvVy4zwdwaFzwXECWGn\niPKj8H8ku9DxxxSr316/8eC0IEs2mcyU62yVbrGP5fp9zsNnQKp1LQVPx+9tyzi3\nKrIL1nFQreMtqSKn7w/HDWG2HubbgazZAs97tN9hTVtMHCE5bu6nmRcBnnzNX248\nH+kFACSdP7Oya2TiJNqSs8JrB/BSZu2nk/yVwDd6y+mgkXKDjzIUK8B6NMP7cwf/\n4ukNkhgCaO4vGboKl6DIIMtkEkGlPcxqid3XRSai+KyB1hucDei+ZwCKWgR1W6PW\nYNTZdL6gwz/t5AMxoT1y8lnoNrtmvv6HzmlytKeuK64h1oOwwUdruJFnGGGVVfuC\nLoJPKF7CX4JGPW3hvofrXMfaJTBj5cyuUga02yiLfYbT4bUqb78dOt9AeKx4Hkej\nZvmFoaivMwWg5rkKjt9frI4b8ST/J0tmqwdLzYsrUUdBItviBEulv46jYlHw/qME\nP2hLgr2IeSEutaxyYxQl07rg8b43T8RvsRsQ/ySKn+Z8qC7sDxzXsRLeHuOoZnDD\nyf1UTSt9dfKY6oJ8SKd8Q0wSPMcVd5KgW/WIV8Wp3he63ONOdmiQgLhF++xFtK//\n0OXLvXVsT0qQBBCY7sPdfVQsSpjENl0ef2o4+5MirIzoFTQdRk3jINnoGzmQu4UC\nDAM1GWv08EiACgEP/0Q/h8MGGVjAvJGxloY/Ed4gvn2rVn7Uw6XPUktSoUQnwq9A\npmMsVDnrw2NWjWktjjgFC6HbMtkAlNH7UukxCzvTimwl5KOib8Yk+CKME6KGlFmh\nvEfx6YRmvDrE8qYVM4MYXccXUW4vbbzGJl9ReRH3ouvlxSIeZ8zH28EUE8ntVok9\njNcUHt05SFrM8O5LdjsCOEV1ltG8IWIPL4kVVDWDgy6WHzm7+lcWmGn0B9Astrpp\nxKnk/mjJoivoUpJoZcFpr5U8O4kcCrwmQJppn6/8xiJuoFWbSjbWw7M4BPWK3LOF\nRmgfv8OVgZ/DvR6uCkTXg+yc60s3DvbJ9KSLSjPguxcmUPNTZwZrH1fcsbgpSgfS\njGb0GouQDNY62DsfyGS1JEGiuG2SZPZajIbOVPkuxYvUbscPWjdJhwvRdhdF3/6t\n4tAM9b1Uf+xmFhbHBcqAeQIRxCSERYVeGuHxg5JOVmQkjFOJptFZgJEVCqP/0bPA\n+AoSF/Wq9IpuKH+dirU9RVATc35F4GP4gc0mKjR03i84+DDYvB3l8oeDDlYUygga\nueK2+HX7BDeQmdh4nWxV/7An1owt3DATj2dve437cqUtXhgWprea9VOzzl0shZyw\niIRukJq7A0IJA70gPXNOhLhls4fv9VdecNlbuF8NROA7t9Fwx0G36uysfARe1GgB\nCQIQnwDSpF57ZfhaQjNGmGCGXW51ARrlC9gHevQ2M8gIt9TowIJvkUJRP+1rsDXq\nGekIV6a+rNpbr9Lbgh7EbEG+OoHRSLD1sk5aK5nNQRUqlQprNqfxJ+wr6qkqYdGQ\nYLcwaMzwBw==\n=CejJ\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/carbon/ssh.pub
+++ b/hosts/carbon/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdyTanEqCieqt81Ri8xHnw1dyK3i8srDi1F+xIb3Js3
--- a/hosts/carbon/wg-clerie.nix
+++ b/hosts/carbon/wg-clerie.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  services.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ];
+    ipv4s = [ "10.20.30.111/32" ];
+  };
+}
--- a/hosts/clerie-backup/configuration.nix
+++ b/hosts/clerie-backup/configuration.nix
@@ -4,64 +4,109 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
      ../../configuration/proxmox-vm
+
+      ./restic-server.nix
    ];

  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

-  networking.hostName = "clerie-backup";
-
  networking.useDHCP = false;
  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::6"; prefixLength = 64; } ];
  networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

+  services.nginx.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
  services.borgbackup.repos = {
-    clerie = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUBblmmVoMMBftn4EnwnzqR12m9zill51LpO124hHb10K2rqxNoq8tYSc2pMkV/3briZovffpe5SzB+m2MnXbtOBstIEXkrPZQ78vaZ/nLh7+eWg30lCmMPwjf2wIjlTXkcbxbsi7FbPW7FsolGkU/0mqGhqK1Xft/g7SnCXIoGPSSrHMXEv5dPPofCa1Z0Un+98wQTVfOSKek6TnIsfLbG01UFQVkN7afE4dqSmMiWwEm2PK9l+OiBA2/QzDpbtu9wsfTol4c192vFEWR9crB2YZ1JlMbjVWHjYmB7NFsS0A6lUOikss0Y+LUWS2/QuM/kqybSo4rasZMAIazM6D clerie" ];
-      path = "/mnt/clerie-backup/clerie";
-    };
-    cosima = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2x5h7F3rRy8G8r6twd549TRyIB/WsKOxJWIcUbAc3FFOIvbtXyT/zR91K58usZzcVdZjobyLa9aNfJNvA3ez2dO0PaqoRLg9Bgq44/bd6492N4ALROAgbmMwuTwA3gq2TYrWUCICGlYvBv7eVoSKrGECw4IZkAgoXu/pucz9yi10ccsu+cfZxuBRZtn5QmRIo8uhyGcjhtk9obB0JkUrGrubJRhxUazEH5j+bn/DHmYpmIyRV/82YvA+GR3B/PODF0fi7sFoeBQefCPTCHftYROB1P7G70wvO9rC9xTWSGPVeM7PmtArRKxOX89yqhVuHr2hWrPLLFMbY3wMNVKD5 cosima" ];
-      path = "/mnt/clerie-backup/cosima";
-    };
-    krypton = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDV3GpgaDqgTlWX0//DQ7AedYo0sD4e37OHl4/OqU7C+YfIuzaC8+KRfugTQS4R8UBKuxFHJC867aHq2rxIfKzKFtmyVPT7ywbpgNW3FDugQZ5MdPo8eHV19jnaZ9jkhUpJmMzayW+hU0GxT1fEXzSaewJknY3afdTKAi3dM+7LAcxVa82qwwArNuH06wrthU9eyva2QWMeZ6aEzzZgSxxrLQZFIXRtA81JcFmjL1IwxepDyUsbTj31Wmvf4n6YI6wxY9QhKyS4bahlnQmW0CpKwX6lKtGRRMVilTZLKa0aR0z15ltPE5h1USUnxiyo5YVB+1QA8luCnQAzIeZODEc3um8AfH4Z83MqU802K8yRmjJUhkoezJwRjewJito3Pfc4TOC2pdo7Na9bb5omTz7jiTRDvQkysWSZGyd22Vsl48tVuRTve/VkhBZuqOwH9yqBz5rl2hG7GHOiHD40kjxq+fJW8vge1hdu1TEQK8ubn1Cod/GuvuWFMTAwagYrJs0= clerie@krypton" ];
-      path = "/mnt/clerie-backup/krypton";
-    };
-    mail-1 = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqsAeI+iZ89MpkjNpLViJjC0FxHPVokpVVeU1IqD3KqhF70dqf3IuJSnhCfW4i2RPkwVwLkT1WsUmnI3Pp3izreBL+Y/RA2jG/x0380It/6RBwFtZA+6E7OgQtwca6APYIPSjlQnEfRrQV0Kz16qBZZRjo/VG20rDxUSiS+bPk5ar3JFjCSf4DnikeWR5u5brL6nFnHaiw7PbRTytdeb3y/g1TdBceLE0ISLtA/LJqlaRo5dKeDv69Loet65TA66PpCR3wp3yROaLVx7IF+Pr+x4WO6XMKjlaOjWygdW9zJ3fKa3pEhtzlcYHczDVLXyGszsKvUoRioP3m1GQY3gg7 root@mail-1" ];
-      path = "/mnt/clerie-backup/mail-1";
-    };
    uberspace-ceea = {
      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiUWufpvAj/Rdxt/frAjs5Q4+/lzaN2jmf5+W3Gazjzw+CH+Agplux6op+LlzF7kAA32yP+lwQto8Rz92NzReDssXd+0JhgAAHrSMrPOPnQbZrierKOfVvDOteklEM4k5JXqZ+xHIMtNomuMV3wCFc18nvwc8t95pDBOI/HwzAwn2mGhVBod0CNXZs8EyMeQJNKLCRwpUrddOX6fz5x/fbPYO4KB3iPkC0X+e/d5SuBvrmwFdnpr2RkCboMPdd6i/0AsY4MLdMV54arS9Ed2jaFKqYCQR5wRdLxndn+aByyVQHQxVU0gVfO9+53NOgiVzhOFzXm6K2KcC/HZR5uj1r ceea@olbers.uberspace.de" ];
      path = "/mnt/clerie-backup/uberspace-ceea";
    };
-    uberspace-cleriebl = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA+E9Hguv/KPvBMAQ8L+Gn9YqbZwhUpGfHEIYSl2+NvvLWWQy9ayQJ1bgqshK/DUsMVH54jMTiGpI18I+MUT4J4+Ww9O2pT7ZnQbPyk6EuHSMZM+9iHoLR7szaxXDKaD9CD1qguB5/wsGQGyB5OvZoCwQsCZgkMGgU+egOnHKipacsgYhI8RSzRxKkNnUK4L4Xea+7RqSIBM4gtZcc2uqkwrIPIZwi4Xs7aH4ibO6B0exEY1SYEkJGD/u9hA9zDv2jkykodBKmSZlf8L/e5JWjDj+PHjlsbn9tfH6GdWf/rNynt4E9QStqetnMvWKZIBCNXs9O/URJU4+lWFbamIwJ cleriebl@johnson.uberspace.de" ];
-      path = "/mnt/clerie-backup/uberspace-cleriebl";
-    };
-    uberspace-clerieda = {
-      authorizedKeys = [ "" ];
-      path = "/mnt/clerie-backup/uberspace-cleriemx";
-    };
    uberspace-cleriewi = {
      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAeU+YezmGNNnntAkOL143NlkADi6ekEcaW9yf9yegdkDxwyIyxaWC89B110kRkNe+6KP+LDwrp9vnFJZjst8Gv+dMs0h9U0IdUafhO7TcbbkqynqmtzIwiSGsLby2K9XOYTMlAa2JOfeNScPWccZ8KgXsIBqRGjo3yQfCHXZu9U/8CGXvYPsTGY5QYNeAw5Uaikuf565GHy4ROx2BN7LGug9lK42Hfv8i1lhCLi7wkhQ0EPGBRPkscjz/0Kb2iABMzyUf6uMrDJX/usKrChxkLfidIM9C5YR1E+wXlmy9lijuNP85NpXUEyVTAp9/XLCp1vskfCjsBLO0l+40XNIt cleriewi@biela.uberspace.de" ];
      path = "/mnt/clerie-backup/uberspace-cleriewi";
    };
-    web-1 = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN7oldAaDoRJbY0/QdNSb9wCM0ART3UrW+ay7WhsrZoOl3GN+YLE5sPkCxbQRxbb7q/lacXdnlSlCoCZ2k/y1EbITX3BT5e5XAAsF1QElPokvI/tKFH5XakosaXP/di7hhVfzEC2ELiuUBuz8dycaskSGblYhSSea9Y3+o2JeNgLokBL7RcJkcSr5JkMeW3M1dd8obmL6NHY1802ehT6cIgZ7+fY+5UsU3YeAIQUPBRrVnwuroN6K3oPMhKKMPP9bCvI/ZAX/+/VrxECuVMz2MF8inq37J9E8xJ9kyIq5gYA9SWEGImm2O9vlA6XIRT/2W05aRyZSwbw6WBSm6Q2pb web-1" ];
-      path = "/mnt/clerie-backup/web-1";
+  };
+
+  # fix borgbackup primary grouping
+  users.users.borg.group = "borg";
+
+  services.borgbackup.jobs = {
+    backup-replication-hetzner = {
+      paths = [
+        "/mnt/clerie-backup"
+      ];
+      doInit = true;
+      repo =  "u275370-sub2@u275370.your-storagebox.de:./clerie-backup/" ;
+      encryption = {
+        mode = "none";
+      };
+      environment = { BORG_RSH = "ssh -p 23 -i /var/src/secrets/ssh/borg-backup-replication-hetzner"; };
+      compression = "auto,lzma";
+      startAt = "*-*-* 04:07:00";
    };
-    web-2 = {
-      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC1pw7u/LcriXMt9mRhjjw7IvKh3Hfj2R6sZbybk5x6 web-2"];
-      path = "/mnt/clerie-backup/web-2";
+    backup-replication-palladium = {
+      paths = [
+        "/mnt/clerie-backup"
+      ];
+      doInit = true;
+      repo =  "borg@palladium.net.clerie.de:." ;
+      encryption = {
+        mode = "none";
+      };
+      environment = { BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-palladium"; };
+      compression = "auto,lzma";
+      startAt = "*-*-* 06:23:00";
    };
+    backup-replication-external-drive = {
+      paths = [
+        "/mnt/clerie-backup"
+      ];
+      doInit = true;
+      repo =  "borg@palladium.net.clerie.de:." ;
+      encryption = {
+        mode = "none";
+      };
+      environment = {
+        BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-external-drive";
+        BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+        BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
+      };
+      compression = "auto,lzma";
+      startAt = "*-*-* 08:37:00";
+    };
+  };
+
+  users.users.backup-replication = {
+    isNormalUser = true;
+    group = "backup-replication";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8kCLiDfVFKgoNvEoMb34jp2n1lQG+k7wigzc4qGmrROlWkJ46/Ym4UrSeQJAd6hwHTcKTZkeOrqDAjZZ+jlidpncJHT5VMW5Ah965pxbBq6Qh1Yz5tKj7nLAQ/+bwEH4qqBFNd796876n3pY/FqhwAHWONqWhLKzMXpFursMSITUPmRXcaPwJrgS9DIYspZ9bBhhRSdQ5N1SiGtaszOQwdevLnNYqdtFOBG4rt9SO6IBIHtaiTIHrrMGS2Lt3NMwkq+O+N+TGaKLjbwqtfUPfPOCmY0XH12OawjxHP9hZ+WH3dPtcu5p+VORciSybPvyh9qzXUrDeO4HDuii2GEFU8JFELYXdT/qBwdIMp82tkgww0zKbTJuc0y/9eR7LCXop4OALhR8+8xWDI9c1ccxu3T7S7zUI1OmTlR9i8rx85D4sz2dtp1jirDoW2KVuIdwe6G3NLfTL95FZRmveEQM3MO8MPpfzZ4EvaMbiQQd/c4VAmGovtSLQhySTpT6qSv0= root@backup-4"
+      #"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRANmJ2LYUr0Mavz/JJ7j+7p1zkqvizf6ZLt5XOJ2fj0enDuK7Dc5fxiESLGYTsLRVWuY4hNXVIL7aeJUj1LPf6LEX87APP4hb95t+TFxcES87tFfnFO48eiBbSd25Av2jmHGb6/wY2viYBxfk/vrLjPR6RgICqFsWFcz20bsWmc48FdzXYJCGJfKjHiW+Ut95VL+M/AlGBQHo33FNDyPXV4zh+MeWVkOFicwfh0k+4NH7Psj5n93m9szAlz306t5YZ32HnhSlvObkMk1Ugy6AzPKXrgKBu11pmatf7sFRx1ikYGUiKiezGjatt/8lYZfE8rQKQjwH+6LPt3ZPv06ncfKpH2vbZfonM0KhSsm1OIhJTse+X7ZMxizO6QqYM+BRJJGMbhH1g+6kFRsdlwakHNPE9YvG4NxZ1NxWTUr6F0gPhUEy61LkTnznt3ct1hgQR02KDQ+9i8PvaYeIIzZzRKufv4tV7OZkDLbN97tvAMkgpLjF+8fCg3qjn2Lckzc= root@palladium"
+    ];
+  };
+
+  users.groups.backup-replication = {};
+
+  environment.systemPackages = with pkgs; [
+    bindfs
+  ];
+
+  fileSystems."/clerie-backup-replication" = {
+    device = "/mnt/clerie-backup";
+    fsType = "fuse.bindfs";
+    options = [
+      "ro"
+      "force-user=backup-replication"
+      "force-group=backup-replication"
+      "perms=0000:ug=rD"
+    ];
  };

  clerie.monitoring = {
--- a/hosts/clerie-backup/hardware-configuration.nix
+++ b/hosts/clerie-backup/hardware-configuration.nix
@@ -9,8 +9,8 @@
    ];

  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
@@ -19,10 +19,18 @@
    };

  fileSystems."/mnt/clerie-backup" =
-    { device = "/dev/disk/by-uuid/69de70f0-9b46-47f3-9ac7-348f57934d55";
+    { device = "/dev/disk/by-uuid/69e75b00-23e1-4775-98a6-061a79d806cf";
      fsType = "ext4";
    };

  swapDevices = [ ];

+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/clerie-backup/restic-server.nix
+++ b/hosts/clerie-backup/restic-server.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  services.restic.server = {
+    enable = true;
+    privateRepos = true;
+    dataDir = "/mnt/clerie-backup/cyan";
+    listenAddress = "[::1]:43242";
+  };
+
+  # restic rest server does not support --htpasswd-file in the current version of nixpkgs
+  # until then we copy the secrets to the common location
+  sops.secrets.restic-server-cyan-htpasswd = {
+    path = "/mnt/clerie-backup/cyan/.htpasswd";
+    owner = "restic";
+    group = "restic";
+  };
+
+  services.nginx.virtualHosts."cyan.backup.clerie.de" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://[::1]:43242/";
+      extraConfig = ''
+        client_max_body_size 10G;
+      '';
+    };
+  };
+}
--- a/hosts/clerie-backup/secrets.json
+++ b/hosts/clerie-backup/secrets.json
@@ -0,0 +1,27 @@
+{
+	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:ZKrEv/bU1X+iO7GLlxsM8HhUy6B2+EXRA8JO2X8E8X5nt8Ydwa+wAqTea3hGyW/QNFrNg/nnAFaVg+VNa6UEqOuF0eg4Nf0LOYTtTpNt4uqDHomfFpvFxDfVCbk4a3fnjnJzk51XnZqeVlvuH2JKg9uD6QzTghTuZfysdGePZdD4WRfY+qHsZg2jREgA26WKsRnD1zU4ZnbRAA1s0Lzf5gG4kFciIzovt0x5MYEiVERFeM+HG1a117EvSlsijPNJVLTaFRLTVOlTOYLKXt4KcRJq9KwoZR/LgEz++rUE4DN5f7iQs+Sb9epH9sV/V06R6AKE5ZFcyi5Y+ipt8B4sWX8PQUeFxNlpljXHro8szGNnLnSxxieg10SEwfIEw+nTGVMHToUpvybzdoI4VPUHZGF+kpqv8ejEzhrKZXyPrd7ZCWGDsTdl8gGSefimpEUR8IwuPqImgu2UU8gT,iv:Y/G/odtZ4enBtNc2Wj7bZjsJ3nur5huYAqlu1PgnWlo=,tag:tg3ut7R2jJd+TVvYHIiTdA==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1px682xeu0xfkr49qdqe95er040p2vv3ugekk04e36jj2wqs7tyfs8mhclh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-06-03T18:16:18Z",
+		"mac": "ENC[AES256_GCM,data:kWeyNv82yc6H+FJjhTh8vkuxjZ4YFEqmZbqzZr+pEXxXeMUEGi9hr7cauGDNxnRMgWJz9KG1M4tzUyEK8rfVQWLc+Wcf/5Pjsxn1Zg0yJiJAxVFV7AcvGdKUeQuBKgOT5L+Z5+cFdvq9+CU/0M+6/e8jB6OdQWcuy0emBaCut4U=,iv:3w5arXHKapwwo7kgLtHcKfO+dhH22opVP+fjagize0c=,tag:+cCaX2FUG+5UYqutE9IsAA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-05-05T12:12:27Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//UhUFxM0YiI1MJgzlBj6Re5rfRYIgQlU033+RK+IBMdJl\njK13jjXYD7bRGlkYWNQbUYk6SWIvU+mvrXdKzXvYsNwK8j99JMRz9pOuScj8o+qs\nZ8pv5ILFXiRBxHbGsxPJQG84tNmSdVQDe3E+ief+t7Gdzui4D6TNGKnciHX4jhN6\nFNng09P4c/DmKLc6r1gRc6UvY5UGkgzVQpvSOkHHI68xGsSzQbZCEeCQGLGmZYyU\nC2ocGWK/9SjPBGMu4LeVlrGACJGMcAuVQKDHRqIlLsla1kbbzzLKOk/6JTenDRak\nC+rzU7fm4jnr2nvAqc6aiG3cqwIdJlaxzy7J9O9lXiAaj0sDBlrf7JEmpbQHKwmP\n9uFhZCMOOcHhVnksLUbEYLrZetK50KOLEjIIc9WIJ0X34QGRkwgbiKE3FGKxHRpC\nmgOSzZWy2VdEnWifu65x2mlFc6iFsHCpdpCl4Hs+DUH2tHi3f2o4rmHUBI8ys6zt\nm/UqSs2w6mftyCIGO+bvpMkJ2EVL1lrQBvL6Oh3u80S5ra4aKVOKui2TiFeQitBA\ntXZPW1EtkmLUsYZD7kUpFn+uInJqNhdoXJPb1D+jqlafT0+xLFXOAgJJ7RerFiCR\n4bi+6h0Z5ybUXp3klboMEWLROpcJ0Z0tgTBL8SlwmzYr6/mDiXgwWTCRa3fv2HqF\nAgwDvZ9WSAhwutIBEAC5+q2rg7IJ+90/TMshrybw+390znLedu8t4ubEIuklzEnK\niUW181+/pbY9gC5H2OQt2A693PLE6/gbdhkned6f3fmLUfbBQeoGRup54f7LWtQU\nwV7CbskhuglKxBgi3WKv0mDYGEOK88h566M/UkC3GBMzNYJjRji6+G9/xVJ4V27d\n7dWBo1mv73QvnmAzOFApJkXi7TGZQzgoUa4kt/bglrkkHZIDYVt5o4JNnXDTI4Fw\nj046WYrQAgqEOujg5nzhtHk+4MVYv6YCA8LPVojVoU4wHuIJZOOZGCk9yLZKagW1\nyQpJTq7XT/cOfb4+nV8cTt3W36ak6yR8/2zcW4Ys40p8pRAgisQv9k1dFuYKGhAg\nJiTBYbw0znp+g89YCljlVC8sx61Dl4fd2WzzYIlq8YzE3RXlBTPE4Vc2obu40pVY\nrwOyYgOzzR2wwjuuPhekvrmwSAURXyxNcGBxKb7OWEP7m+O17UQMC9icICloPaUh\nW9hVmGWmLJfV9bjAtcJuKrMGOJkrg2jsqi4YZW9L+f19TrfFuobbK96zR0mT6hJl\n5zJQn0oo0s3gL2764qT6EeS7iSYaiWB/Dx0JCHr/ecp2+8LzWhmZk7kogAH78J16\nnwUUI1IDDo10JX5/zblfJrsPE8Yk11ToNOhMD484HZ/a1Sydr6IUPI5g0A2yP4UC\nDAM1GWv08EiACgEP+wdQpiVH14ZpfC06VMpDM9BwshMgbHLKP8rJqm6TS1VEx72K\nqMjpSYpw8W5J7M6NGEoXaC59VXuxOQWFX7m2Sgi6Yzo8YhdEiOutGxmD2snuhc7I\nSoYKehsTlm9tjIcLZy1B9TM8JCS9V6yJVkpoNCbaSFfdw4idz02hevOGyzxEA2T1\nlNNij9H+nkw6KCN9Ckt1inhwDfo4B2vZT4fkb46+hqNDJx+1Xh4LIzToN2YvLJZl\nR/eptlV3Xr3EMOba0r3RL/dz4vf0djEXdSyfw/pBKa9i4aGUuwMfx5o9qAieikTv\nUYrejwfXLCAwDDd1b/ieECZ6iE5gnfZtO5aLxRHgl2nD3Wr5lWBrmuATRusvbDpC\nsz2OuiaHm8ivx51n1MweyikBBilDMXIbgXc9pGIGxGdICKypZkJVR1tFBy4Ovjm3\nfpuO+hXeeRa1PFgyh4s8eaZL42v3OAu3lWLbKeXRtui6PC5w8hw0m/8YVooufLm2\nkh8qMKwB/oev52NJZTfi28fZXdSMsdFJ5nWXUoMAelcgOJ3Mu5Rwc3/ro/PqAN/i\nHel9MZVfGBAgRU3x36i2/fVDM1olCqCTYEz3Z4916TKJq2PWRQ+Y8z5eTxl0h3Nu\nGJBTOMDyemEVVcY8HLTG15iudhX2pilTgM5aXQQukKHFoZBHDUu1FQEraMa81GgB\nCQIQj/dOVj3MymQYdSl6n1LCN2UjBEm9AX1Js8v6nY7tLHJo9etTKt57M3xuUCTi\n1VJIXwLWQskI+LPRlyJj63j2cSWs3KrAeigLe8SFb1v7JUYj7aYm9LTawcevSsPr\n69m9Y2zRBg==\n=lDcq\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/clerie-backup/ssh.pub
+++ b/hosts/clerie-backup/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ
--- a/hosts/dn42-il-gw1/configuration.nix
+++ b/hosts/dn42-il-gw1/configuration.nix
@@ -4,17 +4,13 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
      ../../configuration/proxmox-vm
      ../../configuration/dn42
    ];

  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  networking.hostName = "dn42-il-gw1";
-
  networking.useDHCP = false;
  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:1::1"; prefixLength = 64; } ];
  # VM Nat Netz mercury
@@ -49,28 +45,28 @@
          publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg0197";
+      privateKeyFile = config.sops.secrets.wg0197.path;
    };
    # e1mo
    wg0565 = {
      ips = [
-        "fe80::43:43:1/128"
-        # peer fe80::43:1/128
+        "fe80::2574/128"
+        # peer fe80::565/128
      ];
      postSetup = ''
      ip -6 route flush dev wg0565
-      ip addr del dev wg0565 fe80::43:43:1/128 && ip addr add dev wg0565 fe80::43:43:1/128 peer fe80::43:1/128
+      ip addr del dev wg0565 fe80::2574/128 && ip addr add dev wg0565 fe80::2574/128 peer fe80::565/128
      '';
      listenPort = 50565;
      allowedIPsAsRoutes = false;
      peers = [
        {
          allowedIPs = [ "fe80::/10" "fd00::/8" ];
-          endpoint = "de-fra1.dn42.net.dont-break.it:22574";
-          publicKey = "shGS36iaWgcJL1FVLhZHPxLHkPETIy2FFdgmNyx1DSk=";
+          endpoint = "dn42-nbg1.net.dont-break.it:22574";
+          publicKey = "qYaDuYYVpuFqy7KyC5PmJavqs0a7GtyuES8VwugdPSQ=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg0565";
+      privateKeyFile = config.sops.secrets.wg0565.path;
    };
    # fooker
    wg1271 = {
@@ -91,7 +87,7 @@
          publicKey = "xxPjHWVzePinOOMnuhwGAI3PKY9pvpifIvIbPu3IwQw=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg1271";
+      privateKeyFile = config.sops.secrets.wg1271.path;
    };
    wg1272 = {
      ips = [
@@ -111,7 +107,7 @@
          publicKey = "Iae2R4B7VVsloKWK8T1j1vLMuxpP4dVDUdzEg/YpAjE=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg1272";
+      privateKeyFile = config.sops.secrets.wg1272.path;
    };
    # margau
    wg1280 = {
@@ -128,7 +124,7 @@
          publicKey = "CEge9jdHQArzdniUiWyB3IUZOjGiew3gPmz/MOf4ahU=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg1280";
+      privateKeyFile = config.sops.secrets.wg1280.path;
    };
    # perflyst
    wg1302 = {
@@ -149,7 +145,27 @@
          publicKey = "TSPvvpMY8dCFk6gd58aYtkibtqUn8EzIF6dXP52b3y8=";
        }
      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg1302";
+      privateKeyFile = config.sops.secrets.wg1302.path;
+    };
+    # lutoma
+    wg4719 = {
+      ips = [
+        #"fe80::1/128"
+        # peer fe80::acab/128
+      ];
+      postSetup = ''
+      ip addr add dev wg4719 fe80::1/128 peer fe80::acab/128
+      '';
+      listenPort = 54719;
+      allowedIPsAsRoutes = false;
+      peers = [
+        {
+          allowedIPs = [ "fe80::/10" "fd00::/8" ];
+          endpoint = "[2603:c020:8001:ed42::42]:42546";
+          publicKey = "MkVyCgIq0BOStFIu2/Wl91ofFuRvnG3ZqTWFfVs/VlQ=";
+        }
+      ];
+      privateKeyFile = config.sops.secrets.wg4719.path;
    };
  };

@@ -277,8 +293,8 @@
  }

  protocol bgp peer_0565 from bgp_peer {
-  	neighbor fe80::43:1%wg0565 as 4242420565;
-  	source address fd80::43:43:1;
+	neighbor fe80::565%wg0565 as 4242420565;
+	source address fe80::2574;
  }

  protocol bgp peer_1271_north from bgp_peer {
@@ -301,10 +317,26 @@
  	source address fe80::a14e;
  }

+  protocol bgp peer_4719 from bgp_peer {
+    neighbor fe80::acab%wg4719 as 64719;
+  }
+
  protocol device {
          scan time 10;
  }
  '';

+  clerie.system-auto-upgrade = {
+    allowReboot = true;
+    autoUpgrade = true;
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "301";
+    pubkey = "kTuC3/rLr4Qb3C4oEn1ecB/vS78poxmu6/Id3Rc1VGY=";
+    bird = true;
+  };
+
  system.stateVersion = "21.03";
 }
--- a/hosts/dn42-il-gw1/secrets.json
+++ b/hosts/dn42-il-gw1/secrets.json
@@ -0,0 +1,33 @@
+{
+	"wg0197": "ENC[AES256_GCM,data:1QJ5GXLMLIOj6xNC4sMnShjyB1wqfTkhkPTlLJz6AJxMjA0BsBZvZ1Pdln4=,iv:nVRIQB8/Ged616ELhkGnDyAz6A+3HQ55+yG0vf0f7aQ=,tag:GtI8ICMCih1tN4Xoc+8RdQ==,type:str]",
+	"wg0565": "ENC[AES256_GCM,data:kLgKOGDA+kPDB0SZ/yU7Ax7NYn28LiVT2W6zSsc0APfyoZWW6nF0fUQFv4s=,iv:6zjLGAOROifubQUMxRLvoFzN6GRYob841rzNiVyrt84=,tag:Gh15/ROPYiqqobcJcTzmGQ==,type:str]",
+	"wg1271": "ENC[AES256_GCM,data:NPcFMxVNpwoPkLsb6NvZVxGxw+Og3RzlYx7TAL9nT95x6I8aDRpOnR5tY5w=,iv:gYuem6vX+jRQvirrt3lZQb5gKnN/z32W/MgmGuzQ/Ks=,tag:I9qZJSNKFEM3Vx4Yugxy1w==,type:str]",
+	"wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]",
+	"wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]",
+	"wg1302": "ENC[AES256_GCM,data:+MzuBPg3ql0/MEnpVvhQTsPIkKB9xnHN9Fk4VlZwK4ijKl+26d6oTSM7/R0=,iv:bPPmhenQLaKTGaDo4rBlKkrXrS1YysRuntbKq6zi2aQ=,tag:lztaTfDGT4kAq+HZMLl0Dw==,type:str]",
+	"wg4719": "ENC[AES256_GCM,data:hoOOCUGdYFaAQZ6wkgmQl65M1qArvXa826IeJl+BUGf7UX0vxx9J0C2epTE=,iv:+1JcOgzClehkE0Ihd2mmoenPk51OBZMF0bMqapWah/c=,tag:xI5FU+GJU6BER9/n04ccLA==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:aw11Ygfll6llabXkuxtbTcCn1eb4NZX1IwArcXoRJCJSgwDrQZ3HLatov3w=,iv:J2VD5XS+BrIKeFb0NW1UYZUuGPkbjFmooZ93PVK31gw=,tag:2XLSa/2s6LRq3L7UdrTs/g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1f0hscql4f4w7vyukzeu693xfedsl596dpjekc23q77ylp92zsvcqf9u75t",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-28T09:28:04Z",
+		"mac": "ENC[AES256_GCM,data:PHdhyie0Ya/nN9Kqj4z+zPyyKZFvGkznkv8Uf3LNSdPKWVtXARZc8Xodm4MjI2HvooryyyMFHkW75Aln02Rlvk3R8oI7rfFZC7s2P+LotumsYgRFf0JOUMxsxOtKW0ehuLy83Bw0rMJQo1gzTgBykcvdc2pkMmALF/vU/1VqgJ4=,iv:0JwcY0Q+8VAiVHYjynhcpsobQXOkK8EBe3QUJ8YUwFE=,tag:9xAcoxAPGxTvHVBydf3u9Q==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-28T09:25:37Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAlFtkAfaMk8tnLsnJwAJXqrwUMxojYbMcxTDokKUqaQFE\ndlirkl0o0Kgk78BINxV0hjBpu54DvpBMl/Iv8TVpnZqCgNli4WOrOVg3OwVWqbmw\nZ4Hu3ToeogVlFx5U9tB/u/Z3tvsf3TpznansXmP1GaTt0P2Ur3Xn4Gvsgc5ikSXs\nZSwPpmDJiJwa49empWjUtYnMVo48l6midUny4JR1CC6Gr8QobBtImMXFNTQc4q37\nmDV5mkDCsdyDhEFMX8VXDHPMdLKl8zg1B46AqMQE88Rr8mROuZVuC6sjC4NY8YLn\nqwuUGr8AnNvU/e0/HTdnYwrqDZxBaqg9RylEJjU00aVj5Sea4/AiK+e4QpLukhFN\naul3XWB+aQ3VcspsDv/n/TK9d0Db0fniTdQEGDfaXRJi2bDRZUkneELQ+Z4BCgHw\nu9XlJJt+Ts6Gx22c24BpaR5H4IpY2wqkhLHm/kdzu082pKPfHQojtJopX1N5sHjJ\nrwF+y1xuWnucOyzbKCIHYv5BIxlTeftLyzwzZWWUjaidj2xWmHWnPo+27/+jb1IQ\ntXs3rD8dI4Sc5gxgHtC/jRGyFKOoiva+xzKF4qLZI2MYnhXa+ITF9LabdXj083T/\nVR1gdsgQjgPSgrIl/8oqw4oF95y0gQctTmvuV4XLI9ZbZDoEHsRxq43OxkpnVR2F\nAgwDvZ9WSAhwutIBD/0f45DOEuN2gGUfFgxlpUeJ/ToRqFbgRJxGGS8PY23YStsE\n4H9ZVcV5NmBiu9bZOzDYy25Lp1Sox1ciAkId7gZL+3QIRbvL554MT6DTC2E+zdqk\n+QstJ67jmzauDwPZBtjjxv8VbndoUtVsUKQzVFNoyDbtoKfiUUsowDdJerqF9eO9\npvylIkU7X4UOApOgFM9y7iXB0RDsuiszSKUP81Sexn97NvhLig9FMGAUpCsWjNZ1\nOAJzTOOuw99vLRZQIZj8F10B2dHxi3iAMsfJPltLfNt3JzSTvT219ObcqRfMZdtQ\nGy9wAkoC+pfRVCwb7sYbe+evTtTwPP4OHarUJxCPbCiwieD+GW9szyeLIGjn3NE2\nZDxFOnkzrVV4VKL9J6KXLI5g3wpPaTg9enJ+7izNRmU497SL2oBOfoz6hjb15E0N\n9Ebq0Kpb7dinCB/UU2RHvHn2gixCaYWwPBDIJqv3AL1hfz+dmu0HTUL5uUxkCRUy\nT1V6aTyHe4fb/tL1CFiGBuL+IQg76JmmSjWrpYsNyMkOgCAfmkFeSd0YTnd04pnf\nFqcstU42OnJxtjylaSLQDjnBZ8HDSuWrOGdNppw2ZmD/mCeqfZoSb1XDdFXJbKdO\nwFbs7znx5ZObN+06nD04mqT28/YaY6juNBlhZZz27+vZhzWA1b+97V4stxxRbYUC\nDAM1GWv08EiACgEQAIovtpP23VT3HKWrqDSjAdssTBUncJNWxNhZvp5VS6axsfnU\njDeMAJSOS6c/+RolvKZ2Y4T8XovSSqMC1U598AkPMIbb0eQ8IvuA5UIDZgvIBEKl\nwzyo9myppeN/l910WJs+Vo6DFKLQfBTpRjOzqC/YvzLZUUVFhr+6l4lOWx/lkEFP\n+mt86GALAJT1HT047hebLeQZPnIj/BhPagbD4qR4sJUc5wQxc25T1Oxb5/ToFR0t\nBSqEUdUIG0rvMsDRzpQ4mdg7i6D6PXb4eweTTOCWzpyiFSLfWE9qWXpqCFgpd4xI\nzAEofhbSQH5HqAvTplDhIRKtwK6Ze1aticuRdWjrorHVa602PR3RzFMWMtQa9j12\nK4igA3FD6cHdoRUMoLq8YAyxEwUOgHPmOub+9MOOMmI7Q5bj+oByK2Q2Thq1T6Px\nIVQzq6J5nWFXtRpx9/UFPLnjEqc3ehOItQrnH8980Ocy4nghaKqJGpAQtoP2t5nV\n6aGJ7tqTsv5MDZ+b4pRE/7GjG4v2t4I/BQd/0GU0vndfZx5KmwmTsCrVmrmwhFr8\nBNNNngqsHUZxK0RVI0sA90N23om0ATLWl8gt1mvMWZ8p9NPWQdDa1AVkLBgq6hZN\n9JtRacIS2zuiib5AohijVwp3uTDPL/32au2rAg2vWEFy1jSMnEUDCqTKGJIu1GYB\nCQIQANxUiUXBtAhd1pBA9VOhhD1T57AkDvHfk8gEyNKPC3+RI1GL2ImA+dEQY0Ie\nl4P0mcQTf8tlRgnHZhvf1ktXp46oAV1StGfKEil8WU3N/5gFeCNvRRuGMx05av+t\nfgAAnS4=\n=Ew+/\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/dn42-il-gw1/ssh.pub
+++ b/hosts/dn42-il-gw1/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINbpzEFngWD8gZpGKvOdo5CVMPlaDCylNKorf/ZN93rT
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@@ -4,17 +4,13 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
      ../../configuration/proxmox-vm
      ../../configuration/dn42
    ];

  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  networking.hostName = "dn42-il-gw5";
-
  networking.useDHCP = false;
  # VM Nat Netz mercury
  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.25"; prefixLength = 24; } ];
@@ -159,10 +155,43 @@
    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
  }

+  # Internal
+  protocol bgp peer_2953_dn42_ildix_service {
+    local as 4242422574;
+    neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+    source address fd81:edb3:71d8:ffff:2574::5;
+    multihop 64;
+    ipv6 {
+      table bgp6;
+      igp table ospf6;
+      next hop keep;
+      add paths tx;
+      import filter {
+        reject;
+      };
+      export filter {
+        accept;
+      };
+    };
+  }
+
  protocol device {
    scan time 10;
  }
  '';

+  clerie.system-auto-upgrade = {
+    allowReboot = true;
+    autoUpgrade = true;
+    startAt = "*-*-* 06:22:00";
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "305";
+    pubkey = "DRJ4FFqNCRgxzmD+k4WKVKJiKKTxTm5Uupcz04j1Ag8=";
+    bird = true;
+  };
+
  system.stateVersion = "21.03";
 }
--- a/hosts/dn42-il-gw5/secrets.json
+++ b/hosts/dn42-il-gw5/secrets.json
@@ -0,0 +1,26 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:1tXtGSt4efVLWDJBv+YTW7G9e9FWWNk7eP92uAwXQs/wBiiD8rg8HGWxD44=,iv:nQfYtyIJRm+K/slCIQljVt6FBkyyXgmHt8Jf41wGJaU=,tag:vyAa5DqOttQ6I/3qr8gJaQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17a24csx3mdehmlcpmmqg209j57jkxkznjy0603ltxaws2fvwzapqm2r002",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWGszcUF2dUJQMmpQdHZ4\ncXhQSGRzZlhPcVVhRUlpejNleHMrOVVGVnpJClpmb0RIM3dpTzFzYVNJSjkraU4v\naFZVUnBGRFQ3VjNwSTRsNUhQT1dYOUEKLS0tIGYrVkRWV1JwTnFZYkJVYmhSWkJO\nOGhJSktyVWdTQTE1ZFhqL2NRZmpScjAKM/BBc28TgTVOuaToHDyLMuuKsxeAlYHU\nsvmVQfOH8G54DGS9iAh8R9yVlMWvGZ6TzG8Pjxba3GNZcnwHrnmpyg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T17:22:54Z",
+		"mac": "ENC[AES256_GCM,data:7CBfWGDo4hfji5h5/d7vq1MVx8RLtgN1JJKLGayFaUQG3TRk3paBcQ6/w1JlzpTMhKVYiCZHmMJW4M8a+/sNIEw1hVqfvMqfCyS8E4u7Ap/NQkV8rLq7X5W6WxWhBVUh/vjnEUBxAJf3WgWbaUxwCNxbffmVVtf4cCCGum/WL4k=,iv:PHDJfXXovDTfkJ9lyrMtxu5+try1zKOjdSKljTDNi2o=,tag:VdJ51XBhvP4MmlHrOlIwTw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T17:22:43Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//VLuWsS3MWpM8+RblzWZ0Drkz5X+rZ/ik3DtX80zeBqxw\nhYwgnzzUC/0uyH4JrjiC2d4vGrDtdoO+YhXMZxmmXEijc+USijZbrNmPRaj9yMe7\n4yF0US1grvoPR2Vynaa7fKSCHN42K8EwtREEeaLJ7fiqWf8iEEN34W2wF2UxeXFY\nBNpTrLnxHletEX6Scp2mCrN0ueDtp8jdpInEZ35nkMbDJC49w+vgeC7sJg5//EB3\nO+AqmrNIXh12cXQzHjkvenJqU5t0AONoIYUnGK4364pdgVUgAppxIp/R4Xsyi4CG\ntg9hdxAcMUzM6DciHKmzZly1F7LJp9HhzY7cA0y3YCkUFAzUfNYpgdJ8BckeZafZ\n4/6yKw/Xr6yWk8tg3bpwl1FWC+NPPTgLvabb6b/6EKZroT0SQphdVOuSoGqqHStu\nPuHP3LocYRWX8/TW8Rlf58BVpMKnWZis1+Xy0g+56BDggSzHtlt4K8F2iiEcapXU\nAetvp/OYshy1VOl+lq+ld85kz9/6ro80kwqDMB657tnXNTxghqKOonTTlwEJxkI1\n44Mgj7uo38Dmq20Y1oYav0THcJuI9sYMf+ig1GZT56j3iI73eMbDjJGcKO+a6C9Q\ntI4iPP6nFiAGCQZTpMmaqWN7ym9lRrffkvlwcfD3Sbk6X6f0RjGlbFUmX0ksydGF\nAgwDvZ9WSAhwutIBEACOhsdLTk9WMmksXzzjMZJlvlmmJdh2dX1i63RaZT/ZLTOS\nEkQ5qvkkKy92OUV3QWMA+TZ8GREqO/chAZC0agUK/sQq6sbbCaz0L+D7hVD/NYBO\nH5JlUs31Z9S5JOEx1lTFkqUTqYGypiHXoH5SIZiXCINFxTH9oEBKFpRYyBy8BBrT\nwgChoDQNOrAM1jIy/HBhQSykSSOAgO191qIDf05DJO6Io/tdrwj+KvhVfrX3OV0N\nTRIdb69NMnmD/jrWJui4IkiEU5KreuHBhlez2uzj9Qq8wzGRXG84gCajciIitZ8r\nurYBqOPoxHPsP3TAbR7ih4CmTopEctMw50+LBq1/oD4ftE/HetTtis96BuK/fWqG\nVgTFNvadSXcMVNp2gIutbzi1IgxyMt8wPXji4gcIbT8OWTY3Nsk6/Nbp5sjc5T6A\nqNogCLG9Rf1q1WERWLEIcCV5wqbS/dYegyvR2NirjC60iL04RzSQaClRAbgkXD/N\nAUh7ayVYtpcb4H0CsId8ylxG1Qs+bIUoQTYPEFop8qO2bV+7Q9g1LCEMLmUMmOYO\n1hUyIVRiTnSkTQYF2vZrxWGjJrdnkRFuWLG1qYyc1G5URiv5R29zQnY2Ww6zaKOM\nL5SKrVz+zPbiKHyT3wQsRhArre/ZBJqy24IB0w43WBTK9P1q19t6G74+0x4mFoUC\nDAM1GWv08EiACgEP/iKYEacSCEq/lKf6rKDwxdtxxJ5/lLUtgiFjSL6gfV3PxJRG\nnc1SMBO2RDR8lMOyzFGPnNWsTFmTa1A1TkQ9yPb8MgVEZhf+1wXGQDPy8Ng97+Ra\nn6cT5IaJZb5Tkfww53jDwWGnbPZwrSorIYd+/p7Xu703XZ2Lz5kQZiehbKiNcxO3\n2vJciT0lVAQWpmOtbyuvAPtRsc/qXbfOmmzzFBKa0caZPY2rquYnYU17ZuYkFVMk\nky7cDrJiWEuDfGr/AmcdWuRnZmD7QEYq7tHBxeyiwC6xdygfcJHg/RDMmKeCRibP\n9KdSv8yK2qR6xZwYbe7MF4XxoH+VHse4Byp9HWmy+SilAcmiAIkGB63VYibfJNq7\nrundhRyhKHBD+p2HNySPemVynIlTvErIxRMTs0t+davsLrsprUaErfNVgoDAk/oJ\nvuVbSkH4dUhRw+AE2uzaLR63N4mAKFDi+i60rLzeIjKRaWLYbtX3exfVtzJ2/AFL\nvxZEEPha0ddu+l9/6nyFxxwEbD3LSTAnBgn9xhz5uVOuJqwU9jpTKgwjWkGvfTIz\nHm/pM+fhx1PqMReQSI3+g3RtdaUeW88SnOcNN7QxS6VcjBPX4/RH+w9p9wZSLJIc\nmrLjVhHvj0D+2haicseIdeL5o/Zg0Sdi86TOLrGpGw+q/WljWxrpChJl/iyw1GgB\nCQIQjbJKHURAPuktpmkNv66l7q4AhthHWxRe8wNAsLLv9gTBlsM7RcT8J+spVg7j\nd+3eULppGCFfr6aMGgUHicE8WdYUnGThBastUFMg/nAhSY3YPBQp21ba2OgpHe+z\nasrxAXRCag==\n=RSoI\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/dn42-il-gw5/ssh.pub
+++ b/hosts/dn42-il-gw5/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCgFELN24kkb40/Pv2aOwhfqoqbCEdQPBTND7nTw1hd
--- a/hosts/dn42-il-gw6/configuration.nix
+++ b/hosts/dn42-il-gw6/configuration.nix
@@ -4,17 +4,13 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
      ../../configuration/proxmox-vm
      ../../configuration/dn42
    ];

  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  networking.hostName = "dn42-il-gw6";
-
  networking.useDHCP = false;
  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:6::1"; prefixLength = 64; } ];
  # IPv6 Uplink
@@ -159,10 +155,43 @@
    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
  }

+  # Internal
+  protocol bgp peer_2953_dn42_ildix_service {
+    local as 4242422574;
+    neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+    source address fd81:edb3:71d8:ffff:2574::6;
+    multihop 64;
+    ipv6 {
+      table bgp6;
+      igp table ospf6;
+      next hop keep;
+      add paths tx;
+      import filter {
+        reject;
+      };
+      export filter {
+        accept;
+      };
+    };
+  }
+
  protocol device {
          scan time 10;
  }
  '';

+  clerie.system-auto-upgrade = {
+    allowReboot = true;
+    autoUpgrade = true;
+    startAt = "*-*-* 07:22:00";
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "306";
+    pubkey = "5+/S3Fj0HknkKgUTgtmDhS7MoHZ2Ygsi/+eij+Gnf34=";
+    bird = true;
+  };
+
  system.stateVersion = "21.03";
 }
--- a/hosts/dn42-il-gw6/secrets.json
+++ b/hosts/dn42-il-gw6/secrets.json
@@ -0,0 +1,26 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:qqia7se7/bjSXQUxR7O0Xr5oJmnWp9vu/gwJqYdmsJlgG2IctIT1miUZheE=,iv:QzMBjOfwh7zMysJHMf18StonFGIvDZ/zQZ3QbJpeoss=,tag:VjaNTlcyPh9NgqjBTHY2eQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1syldhpzgdu099cke2lexq6g9mtx7pa6k7jtt33jrxyhgpysf2d7qw5mzjf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZUxqV3BNbFU0SjRhWHpB\nbXc4bnhHUHdYckxyWlZ0K1pjbkh5cVRvT0ZzClVOVGhxSkhwMG5yMjREWnduQlY4\nbmRjaXlqKzduanNjRzI4TGpUQmd6dHMKLS0tIE5sYnlodmZrZWxxRnF5QlhUL2Vs\nVlJqSnNHVVZFdlhLaldva0FiYjcyRnMKp2YCzfnio2zZNnMD5viaxVRjfJapia41\n7UrJmMTrD40Bnw3DA66JWPzxHLIASF0Vb7x1blTozcRgST72JL6NIw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T17:27:03Z",
+		"mac": "ENC[AES256_GCM,data:r3Gi8RQ5IUS0/qGDpiK+Xyc1K8y/hYg6rPEfLr1bLQgJvn+PkZj/KH8mJnGGUVydWPZnVwMUcwUkhOndPhJEhD1xtRG8cN7BerpGmlS/Hj8MBfC+MPcT4Dr87NIhWlLV/bVn14t6S3a7YWmT8Oq5Ka5UhNeHp98cbrDpv7ROuqw=,iv:QEUbLIcBDdt9I7/Lv+loCFJIh63cEjhta3kyFnXG9Yk=,tag:5974Ps9Ez8n+J7SkjZ2mUg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T17:26:54Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//T0O4/GpIDgW7oB56Chmr3jNQME2DzPp2v+HrWiO8UI9s\nqiTPui5PvwE6MZBKWCWDdju+jPVA5T1uygwyMXPD7bmW13+Ic23eYgq0JlKILpjE\nM5ktX246WK7D+JZAqooqNt+Qtk/PC30gmqz/stv69YXkqHUO0hOJ4C7tl1zNEGpQ\nYNCCfnoMunESKSSroqzxdm37H3L6/paFlxoGV43KFZM3KwEvXH15/hhrna0i805J\nqkjvZxKEyKfL17/f4ZpksfFlErPaDVBjtjl+dldKxDP7aTrXSwb/dlFmTzsP0YcL\ncJgLQibJb1BivV8hPeR0WI7gISxflfh/9KF0P4/B5wwCbCbymeN8oncqFFpJ98Qc\n2796cj9/LOLBT8fJLLp3U42Fdbm6Gp67FSsiMAuG8ihTfxDsAt2qVL4p0FlOGoot\nEiryOyMnBgrTryc72GHJEtggrsxKxvc+1weAfCRVpy7IcggxBTm2ER+kouiQQbfb\nZv3f/7K1w00FVbk5SEH7MASLswW+kmACUQKV8vF3XIstgJT0qHo71sY9FExLdULx\nt6TbGJLV+ilTZSETwGFnLKQ7Qxyy5tFXDA5VURON/dtGoiIG7uJTHEjtgdXulodx\ngLuR9zJR7UgIQNbaefopFCRWYXAR/W0sTqgXyTizsN75CIVZBewakDxUVCrDWUeF\nAgwDvZ9WSAhwutIBEADS4b6DTDrdgOuGvBIJtBs11gxoog4DCOjYWLI4kcCD68R0\n4RjDylxzzvA4W3CgoqvHaNBmksNscVxXEsjdnpMWSUZtFGtN1xttAd95QXQSbb1d\nYN0Jz+o0X97PFPvlJSZ/P7Qa31Ce2cO2kUP917zW/Sk/irinBHUuxjRpzw5nKc93\nD/9i+IgXfLILA9rCH1q7xGFd4tCHtW3ELXi4qtv53Bo9tc9agG+wlDhiPbz3MITp\n0Ya+XYAsvNTq/ukHq1IHGVdbnsb2gh18xPNYB8X0s4gNL6+uaLyLUfA+9548MMeT\nBgoVvHMzVRSUslJvrxFiV7DEmSzrDp+WCPmNbCAIIPMk2H4IDSOgEyjBHD+0d372\nOtHaVn6koJ4Cx4ipF/XZL/iL165lFWkznpcPoyVXk9tSp6axWuv7tX3rFUw4emT4\nXURWTBopPKmeTk8lP2U6MrKdEnPhXPbLoYcMbpSqZvICj/BYdhhO1ntlU2GZHVFj\nl3PstfkZgbXQdh8yCZ3SElY4r7rQKeKpYHKL9mRbGdp/8DbGR1Q974+LluzLbuyM\nxNzDAJGxCKxbPSSp95H/Pv0UP3Se6LJDd/dnmMVW3EdKkHmDp7iwN4dLmoAVheRq\n6CpeYI7jqASGZ02LhNu1tOXdb5LRDKCb+9pO9QE0cDEMzqn3ApgcGb1yYq8Ak4UC\nDAM1GWv08EiACgEQAI0X93L6kH3YAuzJYyx+rYUoV0HIXJ2x2mssUiP7jiujKu6k\n44+GkjbG7XSv0zhGIGxILCFDG+FxFDmDdOtxUKKB2Ed967PXKsbyevYdYiZJw6Un\nLUE1hQ4YpJbYs+dPkTkm+/A71TSS/lUiyNJQJ9Mc9OTuP0DHEZWU22uhbFRMJcD4\n8VTrFNewtCQ+/Y5TA7x1aahPdvTuz7D372bg8XddkE36r2gK201rvm9KhDIYZN0P\np2UadFeLEbGzgkoBN/kKj+U+CEFn2WUF326ZoroNrvAuVSCfp4WPyhadAZ0hv4An\nBlK1gnokJho2RYvUI/PDfvPpqoG9JwvoI1x/tU2IW/V2P19PzkKCUyo0q/FcXwi9\ndD5y29BCGamn9VS2q2dPtxoomCD/n6gCqWf39BoZq08JSR5iYggikcYEcOzLdgF3\nQ7/gLOigtbQWnv42Cglf5NmfZT6BQAR8RSWd3GSRCp8qQN8QW3lJZSkqCYlQmShu\niEye2ajPeq3Ft0Xe+hjBD9XInMxZI6KFrBROB3/qQKnEu48jXwU6jCcP1vvm4YbL\nNRE0sTTw6P0Kg3sF7edqNvlF4XwJo4QwzEPB901kCyJKgMQZAkMTzCeS+TZjfOtr\nt/0iouUANl6CI+gns1RfUm0oLmJqBBfkvGF4RLtiRO5Qy1oUCLdOakM3gyZZ1GYB\nCQIQnCKilN/LbAYWW/kJLEkZVmK9zUP71phFOBQNvW5bOwmJ/y3QnEt3XbVuVyst\nksctGDMabxaRACR5Ua5DyI4Re+eTX0kX75M8U2QO0eFjKVrHdE9qVtmgWoOncHFn\nYlzveIE=\n=i377\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/dn42-il-gw6/ssh.pub
+++ b/hosts/dn42-il-gw6/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGI7h8xpVDM0BsY+XGwp8kX1XKn82Cg0lhd1M4Eldsp5
--- a/hosts/dn42-ildix-clerie/configuration.nix
+++ b/hosts/dn42-ildix-clerie/configuration.nix
@@ -4,16 +4,12 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
      ../../configuration/proxmox-vm
    ];

  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

-  networking.hostName = "dn42-ildix-clerie";
-
  networking.useDHCP = false;
  # VM Nat Netz mercury
  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.27"; prefixLength = 24; } ];
@@ -22,6 +18,10 @@
  # Route to dn42-ildix-service
  networking.interfaces.ens19.ipv6.routes = [ { address = "fd81:edb3:71d8::"; prefixLength = 48; via = "fd81:edb3:71d8:ffff:2953::1"; } ];

+  # public address
+  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffcb::4"; prefixLength = 64; } ];
+
+  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens20"; };
  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

@@ -110,24 +110,26 @@
    neighbor fd81:edb3:71d8:ffff:3929::1 as 4242423929;
  }

+  protocol bgp peer_2619_frainz_dn42 from bgp_peer {
+    neighbor fd81:edb3:71d8:ffff:2619::1 as 4242422619;
+  }
+
  # Internal
  protocol bgp peer_2953_dn42_ildix_service {
    local as 4242422953;
-    graceful restart on;
-    neighbor fd81:edb3:71d8:ffff:2953::1 as 4242422953;
+    neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
    source address fd81:edb3:71d8:ffff::13;
+    multihop 64;
+    rr client;
    ipv6 {
      table master6;
      next hop keep;
-      import keep filtered;
+      add paths tx;
      import filter {
-        if net ~ [fd81:edb3:71d8::/48{48,128}] then bgp_path.prepend(4242422953);
-        if net ~ [fd81:edb3:71d8::/48{48,64}] then accept;
        reject;
      };
      export filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
+        accept;
      };
    };
  }
@@ -137,5 +139,17 @@
  }
  '';

+  clerie.system-auto-upgrade = {
+    allowReboot = true;
+    autoUpgrade = true;
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "399";
+    pubkey = "K7NkCFKSnMIgC0D5wejSpty56AYacfxE+feMsfWtHSo=";
+    bird = true;
+  };
+
  system.stateVersion = "21.03";
 }
--- a/hosts/dn42-ildix-clerie/secrets.json
+++ b/hosts/dn42-ildix-clerie/secrets.json
@@ -0,0 +1,26 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:LGm+hg215dTJBPfwr6KXUl6jhKBOgNV+eglyBZVa//M6A44iGmk8AAITUgI=,iv:zcQQAY/cG/DGG5nGPLAcfPZXy7IiWAREVVIZiMf5zz0=,tag:M9P6UlpB2xurMfRn7TEl4Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1r44rs8ujkc3xmz07d9m7as8rg054fqmpmdt0fr4xd3tltk2zwcps98jm74",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyYk14c3RPQzZXTkhlb0hS\ndWE4YlNIM0Ira0JTT0tRd3N0bUNRT1hGczFFCkRLa0twUmxaYyswaUR3R003Syta\nNXpTMkxLWFhLWnVKaDlXMnM1ZlBWck0KLS0tIGpoNWgrRnJmOG5XT1YyL0x6Zk9T\nOVZ0eDdYa3BzQ1pBR1JaSnR3Q1h5eUEKQXrtxKZRwTbfiqVYFM6u8F7rIsk/fCQb\nsZ1fPSIhVI8colyzHDhZOEc95RC5FgbfZdOP5EPKPgEGgo/HtWetOg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T17:19:22Z",
+		"mac": "ENC[AES256_GCM,data:urrl88PONhdSQfnRxp79tJ0cShuD6I7BiwQj+7nVNT1YDZ0PlIRWCZWlrw0CIYp7pkWzE5UHLnVSPNDX8Pf99bWJqdo3kfnkxhcSAlOn0kTQVGVtRzxmFNYdu3Mvtni+ebHJzB92u6376j1YPhyjPPC7D1yV/8FG/MaHo/HMZ2Y=,iv:Ajrf94TeZ7W49PvOM4GiNip1YazqIoIb1KfTgahgdZA=,tag:HIoDNm9/b+6K/WOaH9eCaQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T17:19:13Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//Y4StFde6UAotA0bKAswDHVMFHXNDwi2u0DFQB87NMJTd\nyOaP19TZzVUZKl20QAhPoa87JdmdwWySiUW6HjQgFwDUm4HYsibufI0lml81KsM6\nYUNw8VZbD1rFs2H3Q6U8Qdp7pwfTppPIpe9l0z2JzC6uic87nhjtkaGGGvMqyeFg\nky4R7A9QDAugcM91+7gzId+0sPdbNV/QQL+PgEyiB0jhIt2bKIck/NUSxmIefEmV\nLpXWo6iV5Z15QSBGuN2cbZWInY9UbXZ/KH6bP0knQYX1w2sXmEg+KlnW9b7iW8Kz\nW9/FK6znPSjJ3+hs6Sf/CT6ZQ86rYJ5854dikuoBTKaeRgEQD6lX5o0T7T4p/n6B\nn5nQSBlg0fxCujpooq3n2hdghmSzKyQyonRhc5oDWKw/QWdkX/h6XLdiZvRgexdP\n8WpiModrxfzplZhtpcRdBs/XNFH7tnT1ZKeJODqVY4e0F3/6stnbkuJfeY+ZmTJd\nCC8HVrxaWlUtGu/67IiVz4s9mMgAsl8MGLp0mPyIEK3zVbnlmvVB+tQNe5Rb5cbk\nvpgivgPkmmgmTHRzhsCfnEXj0kN5SxQAXAmp8WkGChz/V0cft873RN3k2GYk7Iwe\nKJHpV/DctOpoqIq44dponJdqKWwXMSBHcFOt4pIJx85ma349yt80U3yhGr5oB76F\nAgwDvZ9WSAhwutIBEACNjvJZSGAfCdOdm5Q91Y3kFW7gwuTyQPMjdLGGd7qP0E4E\n0d9/aks6FpT1ycIP62wUIpkclGHv3YZuA5Tj3CGC4I3aqE2HspBxFdT8XF43w5Cz\nqqnNfhbQZxBOWJHDTsT96E3K+lZ8IIIgMPX8SHOzdrg7YlX3LmptHy49C5XpC9F4\nHczDLb6GhQzY3O0q+VFm6j/mWeWHJ2ygDZiL8w3lpJjMG7RPxRTVszAiJ3n7ltXm\nMcsLLVrRmvGRQtPD/5umFBpZ9XsLPupHCQv8YTIxmI9cY4RO9Yx44Uw7N4tQDVlz\ng+iK+5OsywDPYny5FWxNTuzcPokzEovzytyj9rs2PHyYSQ8Qr59TAzRNqKNUYuJu\n12I/vfE0xxaRow6f8BRePV2Yrb9kaoXEcINNTqCg9Q7XEPaaCp6dMHiJsHEtcDp8\n1XNss+tv1jOMP3OhOG3VZGNy8gRssbPa5BJvYpszr38BW9Li+6rC+afqTkVOu37O\nubFuGg8uL5QPH7NWcW1ohJaT3PVemA7MscmngLH4l9Qz8UXqkbWgJKYedVrUol+P\nG7K5A3lOzTKWlQu8CSFbbYGx+NnucJiAIy6eWIQB6bawfkQVET/00dy/7VuKcO/t\nxHj/6L5/GqVjPiGU3zyP+VlGzlsIkU7JsOMweKDaS7ZqUOGopStxaXPJyQ94voUC\nDAM1GWv08EiACgEP/iaNz29e9ZqInPXtrk+lCntzCteF5e+K2QrcdLT34+6bmlsn\nyNgOLNbrNP9u/1W1EFutAxZfeOLfk7rOtSSK2Zhh5C6u4OdViqVYgajPI7aAUfrh\n3cPgdlWFFcAbgKwwuDJI/qin0IuU2jSpVsY8Z6xfCNFPOZuvXC9UWJIUTjqVmfuw\ne1hQVn3K2XAGOcfJRopuakTRc/XrSIlZ+yce07nPpnc5vNUoE4e3NqEPk/pmgjm6\ngcEWKlveVpdRlTsbC4cr2c/zE8I9ges1ctduk9qram2laTJSa/tvSmIMnAmDuIII\nzY0kNOaJAn0mhSsDP1f+34/5a8rW8OivypAf+i0VxFvKGy955sHN6mmB4HONwURC\nrgAqZwBiT0mhLUsInJKk3BfSlo7th9T2/BXdBjgEIR15kjwij6Vkbdzz0X7Qw7Q2\nwySKZsiUVVDDPD7pp8FLtf2CEayCZeVef9ZlJIZ3Q7YqIp0Rv9LiLXHB5wbeFEIt\nepG8QBKnPgzgfUrO/Inbfr0AB/fDX5f3N2Bhh5UHU8S3uAJwZjGsjPUklT+ysQ05\nXFwIIgHXGCWXsg++PWw5GTlOpvaGTlzqBu6B0D/6diPRKnf1COOZtApwjhm49Io5\nV5ZOeZuABF54WvBrPH/rv6JUvYYPF0iAN3opv/0JJVGPw3ZRUt7Ix864VBYp1GgB\nCQIQKuDZY2reZmJzjudMdNwlw538VonNWfqOt7pv69UntLTXp3hKBZJODrDi2jJ/\nesCR3AZkC+L3A1qJwGOAJL60lQ575AZKAWhYCceEZd1p+4SBZh81GM46Izxr5fsx\n+57tfsT79Q==\n=rtgK\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/dn42-ildix-clerie/ssh.pub
+++ b/hosts/dn42-ildix-clerie/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANa33GhY8tK+rGFKjrEbaw289bMqh1Aazyo04B//27t
--- a/hosts/dn42-ildix-service/bird.nix
+++ b/hosts/dn42-ildix-service/bird.nix
@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 179 ];
+
+  # something doesn't work right
+  services.bird2.enable = false;
+  services.bird2.config = ''
+  router id ${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address};
+
+  ipv6 table bgp6;
+
+  protocol static {
+    ipv6 {
+      table bgp6;
+    };
+    route fd81:edb3:71d8::/48 via "lo";
+  }
+
+  protocol kernel {
+    ipv6 {
+      table bgp6;
+      export filter {
+        krt_prefsrc=${(lib.head config.networking.interfaces.lo.ipv6.addresses).address};
+        accept;
+      };
+      import none;
+    };
+  }
+
+  template bgp ildix {
+    local as 4242422953;
+    graceful restart on;
+    source address fd81:edb3:71d8:ffff:2953::1;
+    ipv6 {
+      table bgp6;
+      next hop self;
+      import keep filtered;
+      import filter {
+        if net ~ [fd00::/8{8,64}] then accept;
+        reject;
+      };
+      export filter {
+        if net ~ [fd81:edb3:71d8::/48{48,64}] then accept;
+        reject;
+      };
+    };
+  }
+
+  protocol bgp peer_ildix_clerie from ildix {
+    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
+  }
+
+  protocol bgp peer_ildix_nex from ildix {
+    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
+  }
+
+  protocol device {
+    scan time 10;
+  }
+  '';
+}
--- a/hosts/dn42-ildix-service/configuration.nix
+++ b/hosts/dn42-ildix-service/configuration.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
+      ./bird.nix
+      ./fernglas.nix
+    ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
+
+  networking.useDHCP = false;
+  networking.interfaces.lo.ipv6.addresses = [
+    { address = "fd81:edb3:71d8::1"; prefixLength = 128; }
+    { address = "fd81:edb3:71d8::53"; prefixLength = 128; }
+  ];
+  # VM Nat Netz mercury
+  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.28"; prefixLength = 24; } ];
+  # ildix peering lan
+  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2953::1"; prefixLength = 64; } ];
+  # IPv6 Uplink
+  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::c"; prefixLength = 64; } ];
+
+  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+
+  services.nginx.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
+    autoUpgrade = true;
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "391";
+    pubkey = "Rfu2JLxAk0seAZgt43sOEAF69Z9uQaOjeNgM4jJF0h4=";
+  };
+
+  system.stateVersion = "23.05";
+}
+
--- a/hosts/dn42-ildix-service/fernglas.nix
+++ b/hosts/dn42-ildix-service/fernglas.nix
@@ -0,0 +1,37 @@
+{ config, lib, inputs, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 3000 1179 ];
+
+  services.fernglas = {
+    enable = true;
+    settings = {
+      api.bind = "[::1]:3000";
+      collectors = [
+        {
+          collector_type = "Bgp";
+          bind = "[::]:1179";
+          default_peer_config = {
+            asn = 4242422953;
+            router_id = "${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address}";
+            route_state = "Accepted";
+            add_path = true;
+          };
+        }
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "lg.ildix.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        root = inputs.fernglas.packages."x86_64-linux"."fernglas-frontend";
+      };
+      locations."/api/" = {
+        proxyPass = "http://${config.services.fernglas.settings.api.bind}";
+      };
+    };
+  };
+}
--- a/hosts/dn42-ildix-service/hardware-configuration.nix
+++ b/hosts/dn42-ildix-service/hardware-configuration.nix
@@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5f2174f2-981a-468b-967e-1c1b6a32b8a3";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens19.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens20.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/dn42-ildix-service/secrets.json
+++ b/hosts/dn42-ildix-service/secrets.json
@@ -0,0 +1,26 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:kG/PCFQv4pRaup3sKOZNkwoJQ5Fdo/k5UUTh8/fedq87gA8yF7esZySUYc4=,iv:JYlaGotwiIiXVnfz98pjL1j2YwNtgoTmmk//9bABqz4=,tag:v7Csuvn1EjOxWnD2YHQ7kA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1d3scmrwmhl5wzfq632sjg679kae3vsn8q5lmx05xrltnh5jt0yls6xnm00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvM1hpMUJ4d2xvUWgxcFRs\nTGwyYW5vQWdwL1JObm1BR3J4OFB2Z09HQkIwCnh1TVlvUFNmOXVvdFZLL1AwNC9p\nNUxMV3ZsMW53RElXcU0veGQ2NCtyQmsKLS0tIG01Q3lIbDR0ZEQ2dDlONlhlSGho\nbU1LdzZlOGtmVmJKQjNiTE5RWVlyakkK2dm5BQ2P1cZVpFKLtARm1E9aoGM9j351\nbYmmdtTnXrgVM0rZuexiM+G+3MjZEFvGI+RkrFcGcY3WSKy0OQSlfg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-20T21:14:46Z",
+		"mac": "ENC[AES256_GCM,data:WdiOdmBc6EabnWM5Wkxj3W7a+qDJr4wQQEMR39bZabTMuW+8Y/p/eX5YxUL7U6XisI5c6JPIGcGYU7gaLWSvQ9uh6eFn/NZm+3WmyVXzAUjYDC2I8pm9DKAbPUU95zMmgSQDGJYr8ZFzfTDFepCn1poaxJ7TDpfD7tUfaDwDq34=,iv:vm6BHsXkb9pjKDeI/oXU7lYg4uHuFhE9g5s/JXDu5/o=,tag:hGGz8JKjBZ84Nx/3xT+p4Q==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-20T21:14:21Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAgc9leAf7bGiTcp9NJIjjQvoOCOllkpm6p/2nMoQZtdGY\nmA0L68jRwBhPZ6XSu1OfRCArWDDoUPTWIU0Oc/ev5yxJY9gyhQWQ9ddfJqKKHN2d\nUapLgcyS0vJNbUC5M1Se9M24s7MpLekMeohM/ohbm+/rr6Dro3qlBaf5jaYRZv2l\n1ciKK+A8WxfFKNPdZiKwSB2nrj5pS9v/bdkenUJSZq+cvg7btropXOslniMGGKvG\nPt5BauBYgCVSmjN+ZPdHHDA4C50mLTrQs+EB9R9XLv1ro6r1VcRmaQS332KTN9h1\nXFSp4fn7p/xOw8gcTcg1DuhLTxP5UWYTK/N/CqtozgiKf8jpEb50CFzp6JjKdd3S\nCyzSGnyWfWu1OU8UzsN+1uQDdiqhtflFI73UZuRNmffdnNwCUHP/0ViDIvyT+Kr/\n9XDjIEGZi0biOlFeXg6mb08D/vYbPp7gMShhLyTIWvlXVfiaEWMNlrz2a0iXBZDF\nKM2UVAX1J/3kq7eS6KgteedwTJgeF/la+shXQKVicJPhQSSnJtf7GibV+IybjS6j\nGuzvbTPLY1VRwhcr01Y2MsGTS1kuKvuYkmfbK2V9/ot0ioNVppiS7ivb5DrNglCR\noL7mdWITTkfKnHOVczquU0CvMdHoOOjE2xEIrGB+kLZG96h0bsppc6Dg3cDSZXKF\nAgwDvZ9WSAhwutIBD/94d2rtBuXPAIyGHc1EYUBE1NpPdK7FoFJf3an1PuxO4nb8\nQrFc/6sFtUQCAwT/Sau9d7JRj8vO6819ygyRQt6e5zzvbd9xd/mAyFgkKCvWlWZG\nXQttvkiINVQEMrYvyxCJwyTBLvwpv9gZhhouMZ/6NUrmZYOVZ78Jo4oILfS1W/OK\nmUruUbUdE9hVuA/VKbJ0W9vkg5Tm/sOp0lW1iITUQ8SDrDaXkyG9ceALxnTd5xCN\nZxPWY8GNEMOQZgnUeeN8nOoCOih1LSHrFhwKGyrZQo+anGHHSuUxPNkiKIeDHUdc\nNzxcnTyPnKfTSDOf88gqyC4UC4fcrQUVHdF2qJlWkfpSle0FGT6s2stvuiVLV8Yl\nN/O3/aVe5oT+XwsK4m+PAk2QBGBN3ivqfE9M4U/3AY8PRUI60qyLi7DOg+cnIfyQ\nfu8gWc69di2PhJi4Xy4Q9+kMUi5pAufpZdDME6HYT5EPBaO3oTWeMIi8kMHrc9e1\nXCHjmYKD6h9zv9XBSpBLZf2DguHUlMlBmx4JSX4R4q/eO/SQE1NjTkygD8RwnzA/\nBs5ZZ3lR1E4qpHTaLEp1j2LTORXdk5AoMhXyMzbTEjceCCVQM5TVMG5CrnPBpF6T\nv3G3SNIytz5jaRkh9QQZje2dFtGk1f1lrR7/uvDzvKDY5fZMuXw5yfB18dIw8IUC\nDAM1GWv08EiACgEP/iNb902syK7YGSXlz8lzlQY/uuUgoNN+12+CAOMP94tmnOhA\ndIo02zsnQ7JdOsguqm/hzl0aXOHNYbk78uq/fljnl7Vgackc8KNKZ4tI0kvDwO1W\nj+bISGeRcEkgOw8w2XbQkBBOWtT0Tea6lo3RwsOUR9O4uWifI083TSUFLKIe+2L7\nvciXuWt9iGYISUnt7nOOLWT1otCrZj0CnCyGNN0QPuN0PnUdq3rTF7OAEQXPXbp7\nzGpszkhwOv1rZ//wNX3kxw3CBuu10Z6RK/zX1jQpvRxo+nU3ACNhxH92q5dhinvj\nbm3uZd6N9GN/bjdd2ZnWuwSeovZqb4i8Abfk5te6KKpIUEm8166Wux8oHvVBpJgZ\nrXvP0WcyQJtFbAuJDw9GW1KIvz3disFvfGK4A0oFFk5YXVJqmIeUEz7fgVAIH9Um\nFFtc8c+qW6lMEJYTqZlrt9EkoochwLeI6zSONkDpCcXif7C/s8F7vvzrS0BNyQ5G\nMQqNdf/b6I5Ue2X0K6suIx6c54ThmsgtkM+Zcg77C9xF97kRZffFnB+PIsxYUUhq\noZ/QspiiqWkFRDA+1+3fwRN4bv3biCWRlIUm4YPV7Kxzo/Ycem3XZUd86vQZvq18\nsD+XT4tueGTcoyFDXg5a/IVEJ10B5v2ipr4j76wFZ29QOeMr+QnOQinj+eAm1GgB\nCQIQHL1VhjubcxdoWwKW5JvAEAsKTGUeAamWcPPA0n4/msnaR6kcTDLF1QjN/8E3\nz7WdHVikJDk/Bdmzx7HdmoRSckeZf2bk6DKtfUYNB7CbUWppwLIdRCNKGYgTf8vi\nRZi1vIZRrA==\n=EbyO\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/dn42-ildix-service/ssh.pub
+++ b/hosts/dn42-ildix-service/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbqGg6BF4MLSgDIe0Q0EsaogXPlYKHCNKWvfIXkNq7L
--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
@@ -4,26 +4,13 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/common
      ../../configuration/router
    ];

  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda";

-  networking.hostName = "gatekeeper";
-
  networking.useDHCP = false;
-  # Local Router IPs
-  networking.interfaces.lo.ipv6.addresses = [
-    { address = "fd00:152:152:101::1"; prefixLength = 64; }
-    { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
-  ];
-  networking.interfaces.lo.ipv4.addresses = [
-    { address = "10.152.101.1"; prefixLength = 24; }
-    { address = "10.152.0.1"; prefixLength = 32; } # Anycast
-  ];
  # Network
  networking.interfaces.ens3.ipv4.addresses = [ { address = "78.47.183.82"; prefixLength = 32; } ];
  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:15f1::1"; prefixLength = 64; } ];
@@ -40,38 +27,6 @@

  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
-    wg-carbon4 = {
-      ips = [ "fe80::127:1/64" "169.254.127.1/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          publicKey = "5EVyQC0y704asO4SwsGbAoFGKusuO4a6IJ2bS/5bcTI=";
-      } ];
-      listenPort = 50127;
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-carbon4";
-    };
-    wg-porter6 = {
-      ips = [ "fe80::101:1/64" "169.254.101.1/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          endpoint = "[2a03:4000:6:48d::1]:50101";
-          publicKey = "Jr1GBeNWrYjz7QyiI8XSOSRo/kGsCCtGGAzxmM5Hkn0=";
-      } ];
-      listenPort = 50101;
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-porter6";
-    };
-    wg-nonat6 = {
-      ips = [ "fe80::128:1/64" "169.254.128.1/24" ];
-      peers = [ {
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
-          endpoint = "[2001:638:904:ffca::6]:50128";
-          publicKey = "0GGDyPj/0uMaba9pmOyj+Sx+3jMivpRdpTJhadl6bS8=";
-      } ];
-      listenPort = 50128;
-      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-nonat6";
-    };
    wg-vpn = {
      ips = [ "2a01:4f8:c0c:15f1::8001/113" "10.20.30.1/24" ];
      peers = [
@@ -86,32 +41,87 @@
          publicKey = "QGQHWwDE1XIeiReFcacLxin4Dqlz1pBXvttFnzBMJSY=";
        }
        {
-          # nexus
+          # ceasium
          allowedIPs = [ "2a01:4f8:c0c:15f1::8012/128" "10.20.30.12/32" ];
-          publicKey = "tEJzPPEJkoTPkhzTWyFDZ+5U146ovHA/4Mv3JButSAQ=";
+          publicKey = "tvWpYlaS3ItTWH9CZv4SHzXToIblJP2j+Mt1V+3cegM=";
        }
        {
          # terra
          allowedIPs = [ "2a01:4f8:c0c:15f1::8014/128" "10.20.30.14/32" ];
          publicKey = "peZ94x44sMRNqNxcaN+DI2UMwVFzugZjnnbqbxWcBEs=";
        }
+        {
+          # e1mo
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8015/128" "10.20.30.15/32" ];
+          publicKey = "j+ao/TTTE2hThdqBtLQuC67QSaKXMhhWTky6MzkhrxY=";
+        }
+        {
+          # jannik
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8016/128" "10.20.30.16/32" ];
+          publicKey = "V6Kc++QmJ4RkLSWvcLj/KgbIafvi7URV6dOgFnKSAwM=";
+        }
+        {
+          # evey
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8017/128" "10.20.30.17/32" ];
+          publicKey = "DD18B0plaYuhHK+yJ1nlEv6EmM+Krw/alXmz+X3SI18=";
+        }
+        {
+          # amy
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8018/128" "10.20.30.18/32" ];
+          publicKey = "tXO6qzYGTcuiMZhfTF2Af1qoIdpv3EqqepldrjVm9hI=";
+        }
        {
          # palladium
          allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ];
          publicKey = "kxn69ynVyPJeShsAlVz5Xnd7U74GmCAw181b0+/qj3k=";
        }
+        #{
+        #  allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
+        #  publicKey = "k1eQINwZPRdIEhND5sKAcHMxEpz/Z+B/2ZCdLhHCG3w=";
+        #}
        {
-          allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
-          publicKey = "k1eQINwZPRdIEhND5sKAcHMxEpz/Z+B/2ZCdLhHCG3w=";
+          # vcp-bula-mon
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8105/128" "10.20.30.105/32" ];
+          publicKey = "6gi04ExLQnpwxmTzQwQz3AsPS+ujKmANh6+o0nAzJwM=";
+        }
+        {
+          # aluminium
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8106/128" "10.20.30.106/32" ];
+          publicKey = "kuUeStBuU6d8PGFHFhP5pEvy0nuZ0TmScI8w7MOt0is=";
+        }
+        {
+          # beryllium
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
+          publicKey = "SReFUcvw/4fLSkFGjkhDRyY9wyMCcjJ4Yiczt9X64Eo=";
+        }
+        {
+          # astatine
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8108/128" "10.20.30.108/32" ];
+          publicKey = "4b4M+we+476AV/fQ3lOmDbHFA0vvb3LwOEPVvNpuGm0=";
+        }
+        {
+          # zinc
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8109/128" "10.20.30.109/32" ];
+          publicKey = "syHX6PO1N3Annv5t2W8bdAo/kMoYenzrcPrUHxkIBEE=";
+        }
+        {
+          # zinc-initrd
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8110/128" "10.20.30.110/32" ];
+          publicKey = "kn6ZtViagKGSyfQJQW6csQE/5r7uKlbC1rbInlQ33xs=";
+        }
+        {
+          # carbon
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8111/128" "10.20.30.111/32" ];
+          publicKey = "o6qxGKIoW2ZSFhXeNRXd4G9BRFeYyjZsrUPulB3KhTI=";
        }
      ];
      listenPort = 51820;
      allowedIPsAsRoutes = false;
-      privateKeyFile = "/var/src/secrets/wireguard/wg-vpn";
+      privateKeyFile = config.sops.secrets.wg-vpn.path;
    };
  };

-  networking.firewall.allowedUDPPorts = [ 50101 50127 50128 51820 ];
+  networking.firewall.allowedUDPPorts = [ 51820 ];

  clerie.nginx-port-forward = {
    enable = true;
@@ -123,133 +133,13 @@
      host = "nonat.net.clerie.de";
      port = 22;
    };
-    # riese
-    tcpPorts."25566" = {
-      host = "minecraft-2.net.clerie.de";
-      port = 25566;
-    };
-    # chaos
-    tcpPorts."25568" = {
-      host = "minecraft-2.net.clerie.de";
-      port = 25568;
-    };
-    # aerilon
-    tcpPorts."25569" = {
-      host = "minecraft-2.net.clerie.de";
-      port = 25565;
-    };
  };

-  clerie.gre-tunnel = {
-    enable = true;
-    ipv6= {
-      gre-carbon6 = {
-        remote = "fd00:152:152:104::1";
-        local = (lib.head config.networking.interfaces.lo.ipv6.addresses).address;
-        address = "fd00:153:153:201::1/64";
-      };
-    };
-    ipv4 = {
-      gre-carbon4 = {
-        remote = "10.152.104.1";
-        local = (lib.head config.networking.interfaces.lo.ipv4.addresses).address;
-        address = "10.153.201.1/24";
-      };
-    };
-  };
-
-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
-
-  ipv6 table ospf6;
-  ipv4 table ospf4;
-
-  protocol direct {
-    interface "lo";
-    ipv6 {
-      table ospf6;
-    };
-    ipv4 {
-      table ospf4;
-    };
-  }
-
-  protocol kernel kernel_ospf6 {
-    ipv6 {
-      table ospf6;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv6.addresses).address };
-        accept;
-      };
-      import none;
-    };
-  }
-
-  protocol kernel kernel_ospf4 {
-    ipv4 {
-      table ospf4;
-      export filter {
-        krt_prefsrc=${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };
-        accept;
-      };
-      import none;
-    };
-  }
-
-  protocol ospf v3 ospf_6 {
-    ipv6 {
-      table ospf6;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "wg-carbon4" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-porter6" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-nonat6" {
-        cost 80;
-        type pointopoint;
-      };
-    };
-  }
-
-  protocol ospf v3 ospf_4 {
-    ipv4 {
-      table ospf4;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "wg-carbon4" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-porter6" {
-        cost 80;
-        type pointopoint;
-      };
-      interface "wg-nonat6" {
-        cost 80;
-        type pointopoint;
-      };
-    };
-  }
-
-  protocol device {
-    scan time 10;
-  }
-  '';
-
  clerie.monitoring = {
    enable = true;
    id = "101";
    pubkey = "H9Pvx/BzwEMM7acT9mioT8zBD2Yn13L82EKKqdAfeGM=";
+    blackbox = true;
  };

  system.stateVersion = "21.03";
--- a/hosts/gatekeeper/secrets.json
+++ b/hosts/gatekeeper/secrets.json
@@ -0,0 +1,27 @@
+{
+	"wg-monitoring": "ENC[AES256_GCM,data:90tdQSEYHcJy95AhDX0AT4HrXJK2BNqaeZMSZ7t43NlW/CJjOsfgcgO6EIY=,iv:B/RFe6bBBo5lielWMMCOnVlXrf7eooJFcerG30vxsFk=,tag:FOuPPWE5eP8BgWXni/3BlA==,type:str]",
+	"wg-vpn": "ENC[AES256_GCM,data:aFGd3R6hfiilCScRtmgS8jMLPQv++yisf1YNYnyARdL+KfW7RvvtGq4egpI=,iv:63WCUk52GdZYv2J8HX+dV8sCP7zKrjolIxGGosxJqg4=,tag:bJwvHiRQHD2FexwRF1hugw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age10npthg6ycgv6s40vynhj5ryaug2delh96fqcvjnc8nw2ccmjga7suxm7xe",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOcDJvYU4vdFJ4T0duWXR4\nVG15SFFZVDRSQXBDaFgxOGM5NTltK0ozblVZCmJXc3JOV1RQMFV4cGpvUnRIbGZv\nMmJiOGFIYTFqc0FVaEFHZnJjU1dUUDgKLS0tIFV6Ulp4ellVQzBsVkRjL0dIdGJ4\nRE02ZFpxNU9IMit0UHdIK2dHOVdXekkKTIGrO7fngsJMTMiKb5KSMh1BCtwTVQCG\nofSx9j9Bd2gz6MPz7Rrft4B67eliHQ78yHJbVvxO9m3cwHM3fv0AdQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-21T17:40:19Z",
+		"mac": "ENC[AES256_GCM,data:xt8AFwN+Y8x2kWQVH5MPEPzzWm5m4kgkt+mYKoFbRpfdA6FVnlhl+W+jmZlDz6Hbh6Dkk3cDvD3A3PpvYqsctll6mkjWQLBKphhnZIsGHzAHgdn+cpJ7VAPvWO4iEPjv5ChrPo2JAOKvQcJDooG7yWGB3ltzBqBWCH6TlZ2qxD4=,iv:4HxXa0tWiweHoYG2c7VrLoKgphRX3WRaAFQC98iAVJ4=,tag:y3VBdl2QpEOn1Z5IPS2aVA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-04-21T17:38:49Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//QonQ5TyKJqsl5ma5UvVOONrc2YXXRbLW7cUxU5FEtkU6\nfvMzmQPBHRX64BMOgpmL32/gCJKB+Q/gpl1RciQBr67DwAQczaZ6E4sUEPeFqiTf\nEUXCRYF54ctaW0Tn8kmTAmpyRxx5Y1jiFK08z4w0KXFKuLHBzrjxbPwu4EYeHp6V\n2XyVKPXEhV7UXxhDgrL+nt48zT+8RixWxm0B3oUGfk5lwH4vAfCAosFxP/IUYza7\nmAB3vM0Iywo9voX9/BPn5cOHvdFs5GEhNHs7X0eJPf3rV6oPpbf117TS+4qpWuhk\n97AyHPoWj8JNIxiIB0YvojBzXsxk404XfRh09dyRKL2dEsV2kve/0Sr1roHvhGwQ\nzhKaEknbC9N7DrL57dnryJhcebgV7xEWyQNIADbDCPxS0IkCoQAFxw0xdxpyQfrg\nVSVBnl5wQr6EgN+AbarXqO74U9dtXfT+eaKYW+Nz5+6aI4TLmp29Gin+m6Tisn+/\n/RLDJdmpX8n6m0s4PiPVm2B7VAo9S8xYWN2lyEjSxFQ3+1+pYB0P7VQHAoFGsQy4\nLVaCzES9dMqvCMJOMTFhDvCfJ9FNa1x8HXPN3YjFgESfmCr9nyr3DJp3wqtKM5tE\nLyfGBBRpEChnuVJdXyUpJFag1l6DtyBCBHSdz3KTAmdD4ltGxqdFFl69DhdBsguF\nAgwDvZ9WSAhwutIBD/0eOOFN9OC2m0r/ZFPHuOE3MNhn0ygS3BdfURcCHcNN9EC0\nrzJ7ZBfIUiUifgdjqQZWjgndGNWZ3iLzePpS4bXfcxl6LvRGnMOOSE2d4EBFSb7o\n4YbtuFhhkO+FsHYOyb76EyrEQoJ64GiozZOTKgDBJ7zWF5KLddjkqU610uyPlLpW\n2JeD+bo627ulRS7eW1q2BTQIsOID/+1tt1xT7szQ1LotM4fm8uHsUZhZ0ILh5QIj\nHUCBGJOeLTJuyMHrzbD9dRphtFOzoT12WOG1mpqdEe4ujtXJaSIjqrAu95iKJ1zQ\nti+ISotBI2v8k78xETiFoHSpcrecjpamy8cYPX7B/f19zIpdA59G7HQkeqE6hcMy\nTBr90WgTkuBMKZ3XFuii/4J6BmMwy05q3BNAjO7LbLKrMwdaqhTuyWhUpQNIW8kd\n7sdWimZSxBM9bjEMYmF2XdDCHQcQP0hx8yE6p0LHMYsLS7uBO+KFg72Mg8EnJGfS\nSGxNqCwf7YSExOMGkxrga1J/AbGA5M7AI+b4Hj2zV4pV+2VyL1+dox7ovB0gZRP3\nhCoUCx/fKZdDwXlqwun36f5995L6LAzDfM/d9MGV45jz3zWoTpXjX3KUNC314tsX\n6/95J83uJr/KoQUotXXzosJqBDr1rCzE24AZ9ZO7JA1chZeiYz+UenlHGq7DuIUC\nDAM1GWv08EiACgEP+wfsWD0gbf/A8Ph3VFpy+K2kix7QJGvumRcdzxO0/XpKs49I\npAh4RmeDr3rVNOsWrBEIbKb184XabR33g6xgXRNx1H5LyUMRZWJ2N3UeOe3g0rH4\nKyC1ycm1Utp//4Ckrh3F8DADXZH4F4c3cp9YwEz0ZWgkTzqi7LiDk8YnMMBqdqdD\n7MB+g3COqcP0A4rOn4ZfBcyt8HPakxARLgL1cSckCJeQpnrexYQCRXeqNMadjbuS\nEM41/vlOukOw+JRsVO8aDTM99r4GBlBgoxEDy4P0IEutWU90RANkEwLkuil5hwMC\n+sPTi1GP1GZOlunAYs8tixeaYNuw+TLy0L8+ZnnCdh38IgjLCuZQrSoi32l5bFrO\nyj4mbN0oLdwVQd+zxLno0fLo1OMHe7LDCirhK7j1r8v3/cSBb1yaesD2SGsnotXD\n87uaPhZ3zj9AET5SPC+lkqB9uJ3A9o1WAmcQIEQe8REOThE8zarh+yUYXsMndwRH\n5IPGBpkoq/zO3n9AJA3IxSrSYhKRgol4jz21XYkpmy+tuwcPoaWI/dZqD2APtMXd\nvuGLr7dACXm6kp5QCPlCFYGVvHOqJBCaYOK4fZt85totWQD+JvHyiPPA2ArblIcA\nwQLf8bEQ8cAXHwWA9OVc6r03bGDTAHKinNyrbw8G+M/nUrF6PwYrVLym87Q51GgB\nCQIQkm+IOyGpl/9gckDZBLG9oFFm/b4Tvi/IFvTy0JzQhgJJ0Nma8ZYC23mInMPl\nwv10rPn8INb6N621Qg6hORzhsn3enCqYXz2a6QRG0Bz8AU+6LiSNqdUjUxxhjzaZ\n99G317yXDA==\n=3IUP\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/gatekeeper/ssh.pub
+++ b/hosts/gatekeeper/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhHoM0m6PZnCCzWOugKnN/BqhadwYzEE8xbABQxEhgo
--- a/hosts/hydra-1/build-machines.nix
+++ b/hosts/hydra-1/build-machines.nix
@@ -0,0 +1,36 @@
+{ ... }:
+
+{
+
+  nix = {
+    distributedBuilds = true;
+    buildMachines = [
+#      {
+#        hostName = "hydra-1.net.clerie.de";
+#        sshUser = "root";
+#        systems = [
+#          "x86_64-linux"
+#          "armv6l-linux"
+#          "armv7l-linux"
+#          "aarch64-linux"
+#        ];
+#        sshKey = "/var/lib/hydra/id_ed25519";
+#      }
+      {
+        hostName = "hydra-2.net.clerie.de";
+        sshUser = "root";
+        systems = [
+          "x86_64-linux"
+          "armv6l-linux"
+          "armv7l-linux"
+          "aarch64-linux"
+        ];
+        sshKey = "/var/lib/hydra/id_ed25519";
+      }
+    ];
+  };
+
+  programs.ssh.knownHosts."hydra-1.net.clerie.de".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE2xQBCsFBCwL9n4OP/bPngtNO1fy9kPw13Z/NDoba16 root@hydra-1";
+  programs.ssh.knownHosts."hydra-2.net.clerie.de".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZED9QM+qe7sB6R6atvP6WNaI2sC2nh7TTsD6kgRpnr root@hydra-2";
+
+}
--- a/hosts/hydra-1/cache.nix.clerie.de/index.txt
+++ b/hosts/hydra-1/cache.nix.clerie.de/index.txt
@@ -0,0 +1,24 @@
+Nix Cache by clerie
+
+Public key:
+
+  cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=
+
+NixOS Configuration:
+
+  nix.settings = {
+    substituters = [
+      "https://cache.nix.clerie.de"
+    ];
+    trusted-public-keys = [
+      "cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+    ];
+  }
+
+Try:
+
+  nix build --substituters "https://cache.nix.clerie.de" \
+  --trusted-public-keys "cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \
+  "git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc"
+
+.-*..*-.
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICm4kHCK4ACXtZt9ziBXnykiR1onPQtbmfAKU/fcqr8G`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQegq2ZQx0fNVHlITNHdZoSAh5jsaDyv3Sej3a8Y4j3`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUaAo7yYjuVpWadxPqrUGrZWwLNltvc+PfOT8z36Eip`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdyTanEqCieqt81Ri8xHnw1dyK3i8srDi1F+xIb3Js3`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINbpzEFngWD8gZpGKvOdo5CVMPlaDCylNKorf/ZN93rT`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCgFELN24kkb40/Pv2aOwhfqoqbCEdQPBTND7nTw1hd`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGI7h8xpVDM0BsY+XGwp8kX1XKn82Cg0lhd1M4Eldsp5`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANa33GhY8tK+rGFKjrEbaw289bMqh1Aazyo04B//27t`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbqGg6BF4MLSgDIe0Q0EsaogXPlYKHCNKWvfIXkNq7L`