hosts/_iso: Make iso bootable again by disabling systemd in initrd

configuration/common/web.nix

@@ -10,6 +10,10 @@
 
     commonHttpConfig = ''
       server_names_hash_bucket_size 64;
+      charset utf-8;
+      types {
+        text/plain nix;
+      }
       map $remote_addr $remote_addr_anon {
         ~(?P<ip>\d+\.\d+\.\d+)\.          $ip.0;
         ~(?P<ip>[^:]*:[^:]*(:[^:]*)?):    $ip::;

configuration/desktop/audio.nix

@@ -2,7 +2,7 @@
 
 {
 
-  hardware.pulseaudio.enable = false;
+  services.pulseaudio.enable = false;
 
   security.rtkit.enable = true;
   services.pipewire = {

configuration/desktop/gnome.nix

@@ -2,8 +2,8 @@
 
 {
   services.gnome = {
-    tracker-miners.enable = false;
+    localsearch.enable = false;
-    tracker.enable = false;
+    tinysparql.enable = false;
   };
 
   environment.gnome.excludePackages = with pkgs; [

flake.lock

@@ -122,11 +122,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712014858,
+        "lastModified": 1733312601,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -238,16 +238,16 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1727121740,
+        "lastModified": 1733771848,
-        "narHash": "sha256-72nDVSvUfZsLa2HbyricOpA0Eb8gxs/VST25b6DNBpM=",
+        "narHash": "sha256-tqkTzUdwnTfVuCrcFag7YKgGkiR9srR45e4v0XMXVCY=",
         "owner": "nix-community",
         "repo": "harmonia",
-        "rev": "ff44006a30f93ac40d76c786e15149d901946c2b",
+        "rev": "c26731351ca38f4953a23ef5490358ffba955ab6",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "harmonia-v1.0.2",
+        "ref": "harmonia-v2.0.1",
         "repo": "harmonia",
         "type": "github"
       }
@@ -476,6 +476,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-0dc1c7": {
+      "locked": {
+        "lastModified": 1725718979,
+        "narHash": "sha256-TNj62uDY5ilnYu0Jne8/IIunfh1kf6kDPY9KdS+Eotw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
+        "type": "github"
+      }
+    },
     "nixpkgs-regression": {
       "locked": {
         "lastModified": 1643052045,
@@ -526,11 +542,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1732521221,
+        "lastModified": 1736701207,
-        "narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
+        "narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
+        "rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6",
         "type": "github"
       },
       "original": {
@@ -576,6 +592,26 @@
         "type": "github"
       }
     },
+    "rainbowrss": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736087671,
+        "narHash": "sha256-zWeiCs+8SAS1wN5M3w3vSNNpILoKXqX9aj/ZZcgfMms=",
+        "ref": "refs/heads/main",
+        "rev": "ceab6a148233ffb23de19411a3e5579e3394a35b",
+        "revCount": 9,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/rainbowrss.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/rainbowrss.git"
+      }
+    },
     "root": {
       "inputs": {
         "berlinerbaeder-exporter": "berlinerbaeder-exporter",
@@ -589,7 +625,9 @@
         "nixos-exporter": "nixos-exporter",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_3",
+        "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
         "nurausstieg": "nurausstieg",
+        "rainbowrss": "rainbowrss",
         "scan-to-gpg": "scan-to-gpg",
         "solid-xmpp-alarm": "solid-xmpp-alarm",
         "sops-nix": "sops-nix",
@@ -603,11 +641,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733765838,
+        "lastModified": 1736606141,
-        "narHash": "sha256-piKf5W1vUl4y36WuW/192LMXBJyATBF83T9YEz9K3/Y=",
+        "narHash": "sha256-cIGSrY3tNwOamqt41IPRRw5SPlBtljWZvcXDfCkreUc=",
         "ref": "refs/heads/main",
-        "rev": "b0c07f95146d85a7b62a84fb2a62a773a5942733",
+        "rev": "9f1aa15509c9b0284774be95ef020f612c385353",
-        "revCount": 17,
+        "revCount": 18,
         "type": "git",
         "url": "https://git.clerie.de/clerie/scan-to-gpg.git"
       },
@@ -716,11 +754,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1711963903,
+        "lastModified": 1733662930,
-        "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
+        "narHash": "sha256-9qOp6jNdezzLMxwwXaXZWPXosHbNqno+f7Ii/xftqZ8=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
+        "rev": "357cda84af1d74626afb7fb3bc12d6957167cda9",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,6 +1,8 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # for etesync-dav
+    nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
     berlinerbaeder-exporter = {
       url = "git+https://git.clerie.de/clerie/berlinerbaeder-exporter.git";
@@ -19,7 +21,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     harmonia = {
-      url = "github:nix-community/harmonia/harmonia-v1.0.2";
+      url = "github:nix-community/harmonia/harmonia-v2.0.1";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     hydra = {
@@ -39,6 +41,10 @@
       url = "git+https://git.clerie.de/clerie/nurausstieg.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    rainbowrss = {
+      url = "git+https://git.clerie.de/clerie/rainbowrss.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     scan-to-gpg = {
       url = "git+https://git.clerie.de/clerie/scan-to-gpg.git";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -126,6 +132,7 @@
       pkgs = localNixpkgs.${system};
     in {
       inherit (pkgs)
+        clerie-backup
         clerie-keys
         clerie-system-upgrade
         clerie-merge-nixfiles-update

flake/overlay.nix

@@ -1,28 +1,33 @@
 { self
+, nixpkgs-0dc1c7
 , berlinerbaeder-exporter
 , bij
 , chaosevents
 , harmonia
 , hydra
 , nurausstieg
+, rainbowrss
 , scan-to-gpg
 , ssh-to-age
 , ...
 }@inputs:
 final: prev: {
+  inherit (nixpkgs-0dc1c7.legacyPackages.${final.system})
+    etesync-dav;
   inherit (berlinerbaeder-exporter.packages.${final.system})
     berlinerbaeder-exporter;
   inherit (bij.packages.${final.system})
     bij;
   inherit (chaosevents.packages.${final.system})
     chaosevents;
-  harmonia = harmonia.packages.${final.system}.harmonia.override {
+  inherit (harmonia.packages.${final.system})
-    nixForHarmonia = final.nixVersions.nix_2_23;
+    harmonia;
-  };
   inherit (hydra.packages.${final.system})
     hydra;
   inherit (nurausstieg.packages.${final.system})
     nurausstieg;
+  inherit (rainbowrss.packages.${final.system})
+    rainbowrss;
   inherit (scan-to-gpg.packages.${final.system})
     scan-to-gpg;
   inherit (ssh-to-age.packages.${final.system})

hosts/_iso/configuration.nix

@@ -6,10 +6,20 @@
     ../../configuration/gpg-ssh
   ];
 
+  # systemd in initrd is broken with ISOs
+  # Failed to mount /sysroot/iso
+  # https://github.com/NixOS/nixpkgs/issues/327187
+  boot.initrd.systemd.enable = false;
+
   networking.hostName = "isowo";
-  isoImage.isoBaseName = "nixos-isowo";
+  isoImage.isoBaseName = lib.mkForce "nixos-isowo";
 
   environment.systemPackages = with pkgs; [
     nixfiles-auto-install
   ];
+
+  services.openssh.settings = {
+    PermitRootLogin = lib.mkForce "yes";
+  };
+
 }

hosts/backup-4/secrets.json

@@ -1,5 +1,5 @@
 {
-	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:QxdmemBB/iuU+fvc2QRRkbOHO5Ef8ZJqfTdFCnlOqKog5krZ2oIpURuttH9YeggJXV2Cr+kJDGI0b9Ca6BtCkOhahfWicTeFhuODJsSyZJqzw36Ba8pX3nIpqoa7StTydK1Dx5chOi2g8oB4895SvWqDa/qP10yDtBQAYURHYfodb9/tiKzfjJAGDlqsR2h+qmdbAkvR3/oAquBO8Nb493G2sixs20XIG85moYv6l0MPnZtWEXhDT8lM5tw0PCgpSfYaUeMWnmFuzFBj3MQSo3zAjGPeOSYVFlbwbLqFWL507z0dlRgzsxMYB1F4OL38nOpO2CP2/VvbidgbQZjKCfiHMJtWLQfzZIfNEhcF8kq2uhhOwRSKN3G7u1/ezzu+9UlUVMV6PY2jjbZHJ79Knu5SJ3KqphygjjIhdHufqI03BP/aJa0QkE/mGg9is3H0myW5rG9ElA1C4stF,iv:1Ue/H48af3ECUZ5GC0hrMMBfOuCZSuX9wOSAd5XG7Fk=,tag:HchM/ZJEDG4pWQdDanC9cA==,type:str]",
+	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
 	"sops": {
 		"kms": null,
@@ -12,8 +12,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-06-03T18:16:25Z",
+		"lastmodified": "2025-02-16T18:13:41Z",
-		"mac": "ENC[AES256_GCM,data:hWCI1hWTbbasov9Si0JDI39rUuBOEqrz+qxTKrNN4S/r9Ktofrk46b3rxSQF3+bC03HrbCMLk9/7XkvIFJXQj5pa9I1aG8MuMbgF0Z8Ft/uNdHPUUyLJwo/4aav4zXVpdg7zNtPdwjk66pw7iRO5XBmYgnQlnXotHM6S9s7RzuA=,iv:VJmLD1SImGtreceQP+DofnzOGp3sm12iCzbPsqzw6SI=,tag:aUryi0xUG7sd/EOmqrMQCg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:O+E3UbWbmlbpUPeSS/BFcJpWr2WEXbu0aaj9u3XUwstp4ba6e0xuVdzfbntQwbN378sDNpDMkAuxp1+R/0THBSs+nqXC9q9IgK+hfSBd7q2v4lvdhxRdM1x4wysTDJGtjFNdfz8EzqMz42Y2IWjxSozgPNpjZSIGhwMBA2TS/gU=,iv:1waH/yUGt5jGJbQlYmp5b97NGVyRykgzI2g1xX+Jo/U=,tag:4bxFxkClt3LbqCH552XePw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-04T12:30:52Z",

hosts/clerie-backup/secrets.json

@@ -1,5 +1,5 @@
 {
-	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:ZKrEv/bU1X+iO7GLlxsM8HhUy6B2+EXRA8JO2X8E8X5nt8Ydwa+wAqTea3hGyW/QNFrNg/nnAFaVg+VNa6UEqOuF0eg4Nf0LOYTtTpNt4uqDHomfFpvFxDfVCbk4a3fnjnJzk51XnZqeVlvuH2JKg9uD6QzTghTuZfysdGePZdD4WRfY+qHsZg2jREgA26WKsRnD1zU4ZnbRAA1s0Lzf5gG4kFciIzovt0x5MYEiVERFeM+HG1a117EvSlsijPNJVLTaFRLTVOlTOYLKXt4KcRJq9KwoZR/LgEz++rUE4DN5f7iQs+Sb9epH9sV/V06R6AKE5ZFcyi5Y+ipt8B4sWX8PQUeFxNlpljXHro8szGNnLnSxxieg10SEwfIEw+nTGVMHToUpvybzdoI4VPUHZGF+kpqv8ejEzhrKZXyPrd7ZCWGDsTdl8gGSefimpEUR8IwuPqImgu2UU8gT,iv:Y/G/odtZ4enBtNc2Wj7bZjsJ3nur5huYAqlu1PgnWlo=,tag:tg3ut7R2jJd+TVvYHIiTdA==,type:str]",
+	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
 	"sops": {
 		"kms": null,
@@ -12,8 +12,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-06-03T18:16:18Z",
+		"lastmodified": "2025-02-16T18:13:34Z",
-		"mac": "ENC[AES256_GCM,data:kWeyNv82yc6H+FJjhTh8vkuxjZ4YFEqmZbqzZr+pEXxXeMUEGi9hr7cauGDNxnRMgWJz9KG1M4tzUyEK8rfVQWLc+Wcf/5Pjsxn1Zg0yJiJAxVFV7AcvGdKUeQuBKgOT5L+Z5+cFdvq9+CU/0M+6/e8jB6OdQWcuy0emBaCut4U=,iv:3w5arXHKapwwo7kgLtHcKfO+dhH22opVP+fjagize0c=,tag:+cCaX2FUG+5UYqutE9IsAA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-05T12:12:27Z",

hosts/krypton/configuration.nix

@@ -9,6 +9,7 @@
 
       ./android.nix
       ./backup.nix
+      ./etesync-dav.nix
       #./initrd.nix
       ./network.nix
       ./programs.nix

hosts/krypton/etesync-dav.nix

@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+
+  services.etesync-dav = {
+    enable = true;
+    apiUrl = "https://etebase.clerie.de";
+  };
+
+}

hosts/monitoring-3/alertmanager.nix

@@ -63,6 +63,18 @@
             "instance"
           ];
         }
+        {
+          target_matchers = [
+            ''alertname = "StorageAlmostFull"''
+          ];
+          source_matchers = [
+            ''alertname = "StorageFull"''
+          ];
+          equal = [
+            "instance"
+            "mountpoint"
+          ];
+        }
       ];
     };
   };

hosts/monitoring-3/rules.yml

@@ -17,7 +17,7 @@ groups:
     annotations:
       summary: "Current system of {{ $labels.instance }} not in sync with config"
       description: "The current system hash of {{ $labels.instance }} does not match the one generated by hydra based on the current config"
-  - alert: BackupStorageFull
+  - alert: StorageFull
     expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 5
     for: 30m
     labels:
@@ -25,6 +25,14 @@ groups:
     annotations:
       summary: "Storage of {{ $labels.instance }} is full"
       description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is full"
+  - alert: StorageAlmostFull
+    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 10
+    for: 30m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Storage of {{ $labels.instance }} is almost full"
+      description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is almost full"
   - alert: ClerieBackupJobLastSuccessfulRunBehind
     expr: time() - last_over_time(clerie_backup_last_successful_run_time{}[5m]) >= 9000
     for: 5m

hosts/web-2/configuration.nix

@@ -9,6 +9,8 @@
       ./chaosevents.nix
       ./clerie.nix
       ./drop.nix
+      ./etebase.nix
+      ./feeds.nix
       ./fieldpoc.nix
       ./gitea.nix
       ./ip.nix

hosts/web-2/etebase.nix

@@ -0,0 +1,26 @@
+{ ... }:
+
+{
+  services.etebase-server = {
+    enable = true;
+    port = 8001;
+    settings.allowed_hosts.allowed_host1 = "etebase.clerie.de";
+  };
+
+  services.nginx.virtualHosts = {
+    "etebase.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "= /" = {
+          return = ''302 "/admin/"'';
+        };
+      };
+      locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:8001";
+        };
+      };
+    };
+  };
+}

hosts/web-2/feeds.nix

@@ -0,0 +1,49 @@
+{ pkgs, ... }:
+
+{
+  users.users."feeds" = {
+    isSystemUser = true;
+    group = "feeds";
+  };
+
+  users.groups."feeds" = {};
+
+  systemd.tmpfiles.rules = [
+      "d /data/feeds 0775 root users - -"
+      "d /var/lib/feeds - feeds feeds - -"
+  ];
+
+  services.nginx = {
+    virtualHosts."feeds.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/lib/feeds";
+    };
+  };
+
+  systemd.services."feeds" = {
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "network.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      WorkingDirectory = "/var/lib/feeds";
+      RuntimeDirectory = "feeds";
+      User = "feeds";
+      Group = "feeds";
+      ExecStart = ''
+        ${pkgs.feeds-dir}/bin/feeds-dir /data/feeds
+      '';
+    };
+  };
+
+  systemd.timers."feeds" = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "hourly";
+      RandomizedDelaySec = "1h";
+    };
+    requires = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+  };
+}

modules/backup/default.nix

@@ -21,18 +21,11 @@ let
     ) cfg.jobs
   );
 
-  backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}: let
+  backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}:
-    jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else
-      config.sops.secrets."clerie-backup-job-${jobName}".path;
-    repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
-    targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
-      config.sops.secrets."clerie-backup-target-${targetName}".path;
-    targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
-  in
     nameValuePair "clerie-backup-${jobName}-${targetName}" {
       requires = [ "network.target" "local-fs.target" ];
       after = [ "network.target" "local-fs.target" ];
-      path = [ pkgs.restic ];
+      path = [ pkgs.clerie-backup ];
 
       serviceConfig = {
         Type = "oneshot";
@@ -41,14 +34,7 @@ let
       script = ''
         set -euo pipefail
 
-        export RESTIC_PASSWORD_FILE=${jobPasswordFile}
+        clerie-backup "${jobName}-${targetName}" backup
-        export RESTIC_REPOSITORY="rest:https://${targetUsername}:$(cat ${targetPasswordFile})@${targetOptions.serverName}${repoPath}"
-        export RESTIC_PROGRESS_FPS=0.1
-        export RESTIC_CACHE_DIR=/var/cache/restic
-
-        restic snapshots --latest 1 || restic init
-
-        restic backup ${optionalString (jobOptions.exclude != []) "--exclude-file ${pkgs.writeText "clerie-backup-${jobName}-${targetName}-excludes" (concatStringsSep "\n" jobOptions.exclude)}"} ${escapeShellArgs jobOptions.paths}
 
         ${optionalString (config.clerie.monitoring.enable) ''
           echo "clerie_backup_last_successful_run_time{backup_job=\"${jobName}\", backup_target=\"${targetName}\"} $(date +%s)" > /var/lib/prometheus-node-exporter/textfiles/clerie-backup-${jobName}-${targetName}.prom
@@ -69,32 +55,22 @@ let
     }
   ) jobTargetPairs);
 
-  backupCommands = map ({jobName, jobOptions, targetName, targetOptions}: let
+  backupConfigs = mergeAttrsList (map ({jobName, jobOptions, targetName, targetOptions}: let
       jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else
         config.sops.secrets."clerie-backup-job-${jobName}".path;
       repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
       targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
         config.sops.secrets."clerie-backup-target-${targetName}".path;
       targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
-    in pkgs.writeShellApplication {
+    in {
-      name = "clerie-backup-${jobName}-${targetName}";
+      "clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile;
-
+      "clerie-backup/${jobName}-${targetName}/repo_url".text = "https://${targetOptions.serverName}${repoPath}";
-      runtimeInputs = [ pkgs.restic ];
+      "clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername;
-
+      "clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
-      text = ''
+      "clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths;
-        set -euo pipefail
+      "clerie-backup/${jobName}-${targetName}/excludes".text = concatStringsSep "\n" jobOptions.exclude;
-
-        export RESTIC_PASSWORD_FILE=${jobPasswordFile}
-        export RESTIC_REPOSITORY="rest:https://${targetUsername}:$(cat ${targetPasswordFile})@${targetOptions.serverName}${repoPath}"
-        export RESTIC_PROGRESS_FPS=0.1
-        export RESTIC_CACHE_DIR=/var/cache/restic
-
-        restic "$@"
-      '';
-
-      checkPhase = "";
     }
-  ) jobTargetPairs;
+  ) jobTargetPairs);
 
   targetOptions = { ... }: {
     options = {
@@ -158,6 +134,7 @@ in
     systemd.tmpfiles.rules = [
       "d /var/cache/restic - - - - -"
     ];
-    environment.systemPackages = backupCommands;
+    environment.systemPackages = [ pkgs.clerie-backup ];
+    environment.etc = backupConfigs;
   };
 }

pkgs/clerie-backup/clerie-backup.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+REPO=
+ACTION=
+
+if [[ $# -lt 2 ]]; then
+	echo "Command not specified"
+	echo
+	echo "clerie-backup REPO ACTION"
+	echo
+	echo "ACTION: restic,backup"
+	echo
+	echo "Available REPOs (/etc/clerie-backup/):"
+	echo
+	if [[ -d "/etc/clerie-backup" ]]; then
+		find "/etc/clerie-backup/" -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | sort -d
+	fi
+	exit 1
+fi
+
+REPO="$1"
+shift
+
+ACTION="$1"
+shift
+
+CONFIG_DIR="/etc/clerie-backup/${REPO}"
+if [[ ! -d "${CONFIG_DIR}" ]]; then
+	echo "Config dir ${CONFIG_DIR} for ${REPO} does not exist"
+	exit 1
+fi
+
+ISSUE_EXIST=
+if [[ ! -f "${CONFIG_DIR}/repo_password" ]]; then
+	echo "File ${CONFIG_DIR}/repo_password not found"
+	ISSUE_EXIST=1
+fi
+if [[ ! -f "${CONFIG_DIR}/repo_url" ]]; then
+	echo "File ${CONFIG_DIR}/repo_url not found"
+	ISSUE_EXIST=1
+fi
+if [[ ! -f "${CONFIG_DIR}/auth_username" ]]; then
+	echo "File ${CONFIG_DIR}/auth_username not found"
+	ISSUE_EXIST=1
+fi
+if [[ ! -f "${CONFIG_DIR}/auth_password" ]]; then
+	echo "File ${CONFIG_DIR}/auth_password not found"
+	ISSUE_EXIST=1
+fi
+if [[ -n "${ISSUE_EXIST}" ]]; then
+	exit 1
+fi
+
+RESTIC_PASSWORD_FILE="${CONFIG_DIR}/repo_password"
+export RESTIC_PASSWORD_FILE
+RESTIC_REPOSITORY="rest:$(cat "${CONFIG_DIR}/repo_url")"
+export RESTIC_REPOSITORY
+RESTIC_REST_USERNAME="$(cat "${CONFIG_DIR}/auth_username")"
+export RESTIC_REST_USERNAME
+RESTIC_REST_PASSWORD="$(cat "${CONFIG_DIR}/auth_password")"
+export RESTIC_REST_PASSWORD
+RESTIC_PROGRESS_FPS="0.1"
+export RESTIC_PROGRESS_FPS
+RESTIC_CACHE_DIR="/var/cache/restic"
+export RESTIC_CACHE_DIR
+
+case "${ACTION}" in
+restic)
+	restic "$@"
+	;;
+backup)
+	ISSUE_EXIST=
+	if [[ ! -f "${CONFIG_DIR}/excludes" ]]; then
+		echo "File ${CONFIG_DIR}/excludes not found"
+		ISSUE_EXIST=1
+	fi
+	if [[ ! -f "${CONFIG_DIR}/files" ]]; then
+		echo "File ${CONFIG_DIR}/files not found"
+		ISSUE_EXIST=1
+	fi
+	if [[ -n "${ISSUE_EXIST}" ]]; then
+		exit 1
+	fi
+
+        restic snapshots --latest 1 || restic init
+
+        restic backup --exclude-file "${CONFIG_DIR}/excludes" --files-from "${CONFIG_DIR}/files"
+	;;
+*)
+	echo "Unsupported ACTION: ${ACTION}"
+	exit 1
+	;;
+esac

pkgs/clerie-backup/default.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "clerie-backup";
+  text = builtins.readFile ./clerie-backup.sh;
+  runtimeInputs = with pkgs; [
+    restic
+  ];
+}

pkgs/clerie-sops/clerie-sops-edit.sh

@@ -7,17 +7,19 @@ set -euo pipefail
 
 print_help() {
 	cat << EOF
-clerie-sops-edit <secrets_file> <action> <key>
+clerie-sops-edit <secrets_file> <action> <key> [cmd...]
 
   This script allows editing single secrets in a secrets file by key.
 
   <secrets_file> is a sops secrets file
-  <action> is one of "edit", "read", "set" and "append"
+  <action> is one of "edit", "cmd", "read", "set" and "append"
   <key> is the key of the secret in the secrets file to modify
+
+  ACTION "cmd" a command that get passed the decrypted secret in the argument being "{}"
 EOF
 }
 
-if [[ $# != 3 ]]; then
+if [[ $# -lt 3 ]]; then
 	print_help
 	exit 1
 fi
@@ -33,7 +35,7 @@ fi
 
 ACTION="$2"
 
-if ! echo "edit read set append" | grep -wq "${ACTION}"; then
+if ! echo "edit cmd read set append" | grep -wq "${ACTION}"; then
 	echo "Action \"${ACTION}\" not supported"
 	echo
 	print_help
@@ -43,6 +45,15 @@ fi
 KEY="$3"
 KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))"
 
+if [[ $# -gt 3 && "${ACTION}" != "cmd" ]]; then
+	print_help
+	exit 1
+fi
+
+shift
+shift
+shift
+
 if [[ -n $EDITOR ]]; then
 	EDITOR=vim
 fi
@@ -64,6 +75,18 @@ case "${ACTION}" in
 	edit)
 		"${EDITOR}" "${TMP_FILE}"
 		;;
+	cmd)
+		CMD=()
+		while [[ $# -gt 0 ]]; do
+			if [[ "$1" == "{}" ]]; then
+				CMD+=("${TMP_FILE}")
+			else
+				CMD+=("$1")
+			fi
+			shift
+		done
+		"${CMD[@]}"
+		;;
 	read)
 		cat "${TMP_FILE}"
 		;;

pkgs/clerie-update-nixfiles/clerie-update-nixfiles.sh

@@ -56,7 +56,7 @@ echo "[!] Create branch ${UPDATE_BRANCH}"
 xgit checkout -b "${UPDATE_BRANCH}"
 
 echo "[!] Update nixpkgs"
-nix flake lock --update-input nixpkgs
+nix flake update nixpkgs
 
 echo "[!] Commit changes"
 xgit add flake.lock

pkgs/feeds-dir/default.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "feeds-dir";
+  text = builtins.readFile ./feeds-dir.sh;
+  runtimeInputs = with pkgs; [
+    rainbowrss
+  ];
+}

pkgs/feeds-dir/feeds-dir.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+IN_DIR="${1:-.}"
+
+for file in "${IN_DIR}"/*.txt; do
+	rainbowrss --feeds "${file}" --out "$(basename "${file}" ".txt").html" || true
+done

pkgs/nixfiles/nixfiles-generate-backup-secrets.sh

@@ -4,17 +4,50 @@ set -euo pipefail
 
 cd "$(git rev-parse --show-toplevel)"
 
+if [[ $# -eq 0 || $# -gt 2 ]]; then
+	echo "Usage: nixfiles-generate-backup-secrets HOST [--configure-host]"
+	echo
+	echo "  --configure-host"
+	echo "      Directly sets the secrets in the hosts secret store"
+	exit 1
+fi
+
 host="$1"
 
+CONFIGURE_HOST=
+
+if [[ $# -eq 2 ]]; then
+	if [[ "$2" == "--configure-host" ]]; then
+		if [[ ! -f "hosts/${host}/secrets.json" ]]; then
+			echo "Host ${host} does not have a secrets file, can't configure"
+			exit 1
+		fi
+		CONFIGURE_HOST=1
+	else
+		echo "Unknown option $2"
+		exit 1
+	fi
+fi
+
 job_main="$(pwgen -1 64 1)"
 target_cyan="$(pwgen -1 64 1)"
-target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
 target_magenta="$(pwgen -1 64 1)"
-target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
 
+echo "${target_cyan}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" cmd "restic-server-cyan-htpasswd" htpasswd -iB "{}" "${host}"
+echo "${target_magenta}" | clerie-sops-edit "hosts/backup-4/secrets.json" cmd "restic-server-magenta-htpasswd" htpasswd -iB "{}" "${host}"
+
+echo "Repo password main: ${job_main}"
+echo
+echo "URL cyan: https://cyan.backup.clerie.de/${host}/main"
+echo "Auth username cyan: ${host}"
+echo "Auth password cyan: ${target_cyan}"
+echo
+echo "URL magenta: https://magenta.backup.clerie.de/${host}/main"
+echo "Auth username magenta: ${host}"
+echo "Auth password magenta: ${target_magenta}"
+
+if [[ -n "${CONFIGURE_HOST}" ]]; then
 	echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
 	echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
 	echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
-
+fi
-echo "${target_cyan_htpasswd}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" append "restic-server-cyan-htpasswd"
-echo "$target_magenta_htpasswd" | clerie-sops-edit "hosts/backup-4/secrets.json" append "restic-server-magenta-htpasswd"

pkgs/overlay.nix

@@ -1,4 +1,5 @@
 final: prev: {
+  clerie-backup = final.callPackage ./clerie-backup {};
   clerie-keys = final.callPackage ./clerie-keys {};
   clerie-system-upgrade = final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
   clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
@@ -8,6 +9,7 @@ final: prev: {
   clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
   chromium-incognito = final.callPackage ./chromium-incognito {};
   factorio-launcher = final.callPackage ./factorio-launcher {};
+  feeds-dir = final.callPackage ./feeds-dir {};
   git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
   git-diff-word = final.callPackage ./git-diff-word {};
   git-pp = final.callPackage ./git-pp {};