pkgs/clerie-ssh-known-hosts: Expose function as package

flake/nixosConfigurations.nix: Pull localNixpkgs directly instead of creating nixpkgs with local overlays again
pkgs/build-support: Move clerie-build-support attribute name to overlay
2025-06-28 16:25:38 +02:00 · 2025-06-28 16:10:46 +02:00 · 2025-06-28 15:32:58 +02:00 · 2025-06-28 15:31:38 +02:00 · 2025-06-28 15:22:16 +02:00 · 2025-06-28 15:14:36 +02:00
130 changed files with 3541 additions and 1570 deletions
--- a/configuration/common/backup.nix
+++ b/configuration/common/backup.nix
@@ -4,8 +4,8 @@
  clerie.backup = {
    targets = {
-      cyan.serverName = "cyan.backup.clerie.de";
+      cyan.serverUrl = "https://cyan.backup.clerie.de";
-      magenta.serverName = "magenta.backup.clerie.de";
+      magenta.serverUrl = "https://magenta.backup.clerie.de";
    };
  };
--- a/configuration/common/certificates.nix
+++ b/configuration/common/certificates.nix
@@ -0,0 +1,11 @@
 { config, lib, ... }:
 with lib;
 {
  environment.sessionVariables = {
    REQUESTS_CA_BUNDLE = mkDefault config.security.pki.caBundle;
  };
 }
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -3,6 +3,7 @@
 {
  imports = [
    ./backup.nix
    ./certificates.nix
    ./initrd.nix
    ./locale.nix
    ./networking.nix
@@ -11,7 +12,6 @@
    ./ssh.nix
    ./systemd.nix
    ./user.nix
    ./web.nix
  ];
  services.fstrim.enable = true;
--- a/configuration/common/web.nix
+++ b/configuration/common/web.nix
@@ -1,50 +0,0 @@
 { ... }:
 {
  services.nginx = {
    enableReload = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    commonHttpConfig = ''
      server_names_hash_bucket_size 64;
      map $remote_addr $remote_addr_anon {
        ~(?P<ip>\d+\.\d+\.\d+)\.          $ip.0;
        ~(?P<ip>[^:]*:[^:]*(:[^:]*)?):    $ip::;
        default                           ::;
      }
      log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
                               '"$request" $status $body_bytes_sent '
                               '"$http_referer" "$http_user_agent"';
      log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
                                '"$request" $status $body_bytes_sent '
                                '"$http_referer" "$http_user_agent"';
      access_log /var/log/nginx/access.log vcombined_anon;
    '';
    virtualHosts = {
      "default" = {
        default = true;
        rejectSSL = true;
        locations."/" = {
          return = ''200 "Some piece of infrastructure\n"'';
          extraConfig = ''
            types { } default_type "text/plain; charset=utf-8";
          '';
        };
      };
    };
  };
  services.logrotate.settings.nginx = {
    frequency = "daily";
    maxage = 14;
  };
  security.acme = {
    defaults.email = "letsencrypt@clerie.de";
    acceptTerms = true;
  };
 }
--- a/configuration/desktop/audio.nix
+++ b/configuration/desktop/audio.nix
@@ -2,7 +2,7 @@
 {
-  hardware.pulseaudio.enable = false;
+  services.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
--- a/configuration/desktop/gnome.nix
+++ b/configuration/desktop/gnome.nix
@@ -2,8 +2,8 @@
 {
  services.gnome = {
-    tracker-miners.enable = false;
+    localsearch.enable = false;
-    tracker.enable = false;
+    tinysparql.enable = false;
  };
  environment.gnome.excludePackages = with pkgs; [
--- a/configuration/desktop/xserver.nix
+++ b/configuration/desktop/xserver.nix
@@ -2,8 +2,8 @@
 {
  services.xserver.enable = true;
-  services.xserver.displayManager.gdm.enable = true;
+  services.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome.enable = true;
+  services.desktopManager.gnome.enable = true;
  services.xserver.excludePackages = with pkgs; [
    xterm
--- a/configuration/dn42/default.nix
+++ b/configuration/dn42/default.nix
@@ -1,22 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    wireguard-tools
  ];
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = true;
    "net.ipv6.conf.all.forwarding" = true;
  };
  networking.firewall.checkReversePath = false;
  # Open Firewall for BGP
  networking.firewall.allowedTCPPorts = [ 179 ];
  # Open Fireall for OSPF
  networking.firewall.extraCommands = ''
  ip6tables -A INPUT -p ospfigp -j ACCEPT
  iptables -A INPUT -p ospfigp -j ACCEPT
  '';
 }
--- a/configuration/hetzner-cloud/default.nix
+++ b/configuration/hetzner-cloud/default.nix
@@ -1,8 +0,0 @@
 { ... }:
 {
  networking.useDHCP = false;
  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
  networking.nameservers = [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.2" "185.12.64.1" ];
 }
--- a/configuration/hydra-build-machine/default.nix
+++ b/configuration/hydra-build-machine/default.nix
@@ -1,16 +0,0 @@
 { ... }:
 {
  # Allow Hydra to fetch remote URLs in restricted mode
  nix.settings.allowed-uris = "http: https: git+https: github:";
  services.openssh.settings= {
   PermitRootLogin = "yes";
  };
  users.extraUsers.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
  ];
 }
--- a/configuration/proxmox-vm/default.nix
+++ b/configuration/proxmox-vm/default.nix
@@ -1,5 +0,0 @@
 { ... }:
 {
  services.qemuGuest.enable = true;
 }
--- a/configuration/router/default.nix
+++ b/configuration/router/default.nix
@@ -1,27 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    wireguard-tools
    tcpdump
  ];
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = true;
    "net.ipv6.conf.all.forwarding" = true;
  };
  networking.firewall.checkReversePath = false;
  networking.firewall.allowedTCPPorts = [
    # Open Firewall for BGP
    179
  ];
  networking.firewall.extraCommands = ''
    # Open fireall for OSPF
    ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept
    # Open firewall for GRE
    ip46tables -A nixos-fw -p gre -j nixos-fw-accept
  '';
 }
--- a/flake.lock
+++ b/flake.lock
@@ -27,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724513039,
+        "lastModified": 1748808701,
-        "narHash": "sha256-YdBuRgXEU9CcxPd2EjuvDKcfgxL1kk9Gv8nFVVjIros=",
+        "narHash": "sha256-IEer4ypv/tL2zzo7nkgyg7xdK6P+Mc/22oPctEgwhiw=",
        "ref": "refs/heads/main",
-        "rev": "202f4a1a5791c74a9b7d69a4e63e631bdbe36ba6",
+        "rev": "5f3748df43e6b6e49cc0a23557a378ef37952483",
-        "revCount": 4,
+        "revCount": 5,
        "type": "git",
        "url": "https://git.clerie.de/clerie/bij.git"
      },
@@ -58,19 +58,36 @@
        "url": "https://git.clerie.de/clerie/chaosevents.git"
      }
    },
    "communities": {
      "flake": false,
      "locked": {
        "lastModified": 1739635166,
        "narHash": "sha256-0ZONcN3ctsZgMVM//UMp+9iQfhODJNFHOhyWwx0EoTg=",
        "owner": "NLNOG",
        "repo": "lg.ring.nlnog.net",
        "rev": "686adbfd5222b830ba4fee998188cc8d96c09169",
        "type": "github"
      },
      "original": {
        "owner": "NLNOG",
        "repo": "lg.ring.nlnog.net",
        "type": "github"
      }
    },
    "fernglas": {
      "inputs": {
        "communities": "communities",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1700408128,
+        "lastModified": 1741172718,
-        "narHash": "sha256-PLb/q8kIq0wOinkgADHNY6uOB3b3lXQEbLu6ToIFPsU=",
+        "narHash": "sha256-YDEJVlmPzOuKfG26iYuJVOlxFvKBVeb8DbAI9WOtnBU=",
        "owner": "wobcom",
        "repo": "fernglas",
-        "rev": "407325681e3ad344f6fd05334984a40074aa6347",
+        "rev": "64e2f9af8aefeeaa63431477066dcc0236d111e0",
        "type": "github"
      },
      "original": {
@@ -99,6 +116,21 @@
      }
    },
    "flake-compat": {
      "locked": {
        "lastModified": 1746162366,
        "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
        "owner": "nix-community",
        "repo": "flake-compat",
        "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@@ -122,11 +154,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1712014858,
+        "lastModified": 1733312601,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
        "type": "github"
      },
      "original": {
@@ -136,28 +168,6 @@
      }
    },
    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "hydra",
          "nix-eval-jobs",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730504689,
        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": [
          "ssh-to-age",
@@ -183,11 +193,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1694529238,
+        "lastModified": 1731533236,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -201,11 +211,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1731533236,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -238,46 +248,51 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1727121740,
+        "lastModified": 1733771848,
-        "narHash": "sha256-72nDVSvUfZsLa2HbyricOpA0Eb8gxs/VST25b6DNBpM=",
+        "narHash": "sha256-tqkTzUdwnTfVuCrcFag7YKgGkiR9srR45e4v0XMXVCY=",
        "owner": "nix-community",
        "repo": "harmonia",
-        "rev": "ff44006a30f93ac40d76c786e15149d901946c2b",
+        "rev": "c26731351ca38f4953a23ef5490358ffba955ab6",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "harmonia-v1.0.2",
+        "ref": "harmonia-v2.0.1",
        "repo": "harmonia",
        "type": "github"
      }
    },
    "hydra": {
      "inputs": {
        "flake-compat": "flake-compat",
        "lix": "lix",
-        "nix-eval-jobs": "nix-eval-jobs",
+        "nixpkgs": "nixpkgs_3"
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1733503045,
+        "lastModified": 1750779764,
-        "narHash": "sha256-VoMam8Zzbk+X6dIYwH2f9NqItL6g9YDhQvGybzSl8xQ=",
+        "narHash": "sha256-JTvJf12NfmiJg+k8zPAvvJIHWA8lzL5SBssQxkwZTwE=",
-        "ref": "refs/heads/main",
+        "ref": "lix-2.93",
-        "rev": "eccf01d4fef67f87b6383f96c73781bd08b686ac",
+        "rev": "175d4c80943403f352ad3ce9ee9a93475a154b91",
-        "revCount": 4230,
+        "revCount": 4259,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/hydra.git"
      },
      "original": {
        "ref": "lix-2.93",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/hydra.git"
      }
    },
    "lix": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": [
          "hydra",
          "flake-compat"
        ],
        "nix2container": "nix2container",
        "nix_2_18": [
          "hydra"
        ],
        "nixpkgs": [
          "hydra",
          "nixpkgs"
@@ -286,15 +301,16 @@
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1732112222,
+        "lastModified": 1750762203,
-        "narHash": "sha256-H7GN4++a4vE49SUNojZx+FSk4mmpb2ifJUtJMJHProI=",
+        "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=",
-        "ref": "refs/heads/main",
+        "ref": "release-2.93",
-        "rev": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
+        "rev": "38b358ce27203f972faa2973cf44ba80c758f46e",
-        "revCount": 16513,
+        "revCount": 17866,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix"
      },
      "original": {
        "ref": "release-2.93",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix"
      }
@@ -303,38 +319,68 @@
      "inputs": {
        "flake-utils": "flake-utils_2",
        "flakey-profile": "flakey-profile",
-        "lix": "lix_2",
+        "lix": [
          "lix"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1732605668,
+        "lastModified": 1750776670,
-        "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
+        "narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=",
-        "ref": "stable",
+        "ref": "release-2.93",
-        "rev": "96824d606a6656650bbe436366bc89d5ee3a6573",
+        "rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3",
-        "revCount": 113,
+        "revCount": 146,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      },
      "original": {
-        "ref": "stable",
+        "ref": "release-2.93",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      }
    },
    "lix_2": {
-      "flake": false,
+      "inputs": {
        "flake-compat": "flake-compat_2",
        "nix2container": "nix2container_2",
        "nix_2_18": "nix_2_18",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-regression": "nixpkgs-regression_2",
        "pre-commit-hooks": "pre-commit-hooks_2"
      },
      "locked": {
-        "lastModified": 1729298361,
+        "lastModified": 1750762203,
-        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
+        "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=",
-        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
+        "ref": "release-2.93",
-        "type": "tarball",
+        "rev": "38b358ce27203f972faa2973cf44ba80c758f46e",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
+        "revCount": 17866,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix.git"
      },
      "original": {
-        "type": "tarball",
+        "ref": "release-2.93",
-        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
+        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix.git"
      }
    },
    "lowdown-src": {
      "flake": false,
      "locked": {
        "lastModified": 1633514407,
        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
        "owner": "kristapsdz",
        "repo": "lowdown",
        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
        "type": "github"
      },
      "original": {
        "owner": "kristapsdz",
        "repo": "lowdown",
        "type": "github"
      }
    },
    "mitel-ommclient2": {
@@ -358,56 +404,6 @@
        "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
      }
    },
    "nix-eval-jobs": {
      "inputs": {
        "flake-parts": "flake-parts_2",
        "lix": [
          "hydra",
          "lix"
        ],
        "nix-github-actions": "nix-github-actions",
        "nixpkgs": [
          "hydra",
          "nixpkgs"
        ],
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
        "lastModified": 1732351635,
        "narHash": "sha256-H94CcQ3yamG5+RMxtxXllR02YIlxQ5WD/8PcolO9yEA=",
        "ref": "refs/heads/main",
        "rev": "dfc286ca3dc49118c30d8d6205d6d6af76c62b7a",
        "revCount": 617,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nix-eval-jobs"
      },
      "original": {
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nix-eval-jobs"
      }
    },
    "nix-github-actions": {
      "inputs": {
        "nixpkgs": [
          "hydra",
          "nix-eval-jobs",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1731952509,
        "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nix-github-actions",
        "type": "github"
      }
    },
    "nix2container": {
      "flake": false,
      "locked": {
@@ -424,6 +420,50 @@
        "type": "github"
      }
    },
    "nix2container_2": {
      "flake": false,
      "locked": {
        "lastModified": 1724996935,
        "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
        "owner": "nlewo",
        "repo": "nix2container",
        "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
        "type": "github"
      },
      "original": {
        "owner": "nlewo",
        "repo": "nix2container",
        "type": "github"
      }
    },
    "nix_2_18": {
      "inputs": {
        "flake-compat": [
          "lix",
          "flake-compat"
        ],
        "lowdown-src": "lowdown-src",
        "nixpkgs": "nixpkgs_4",
        "nixpkgs-regression": [
          "lix",
          "nixpkgs-regression"
        ]
      },
      "locked": {
        "lastModified": 1730375271,
        "narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
        "owner": "NixOS",
        "repo": "nix",
        "rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "2.18.9",
        "repo": "nix",
        "type": "github"
      }
    },
    "nixos-exporter": {
      "inputs": {
        "nixpkgs": [
@@ -431,11 +471,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1683625533,
+        "lastModified": 1746733297,
-        "narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=",
+        "narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=",
        "ref": "refs/heads/main",
-        "rev": "5e86139ee4af27f84228708fd32903bb0c4230f0",
+        "rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31",
-        "revCount": 19,
+        "revCount": 22,
        "type": "git",
        "url": "https://git.clerie.de/clerie/nixos-exporter.git"
      },
@@ -476,6 +516,22 @@
        "type": "github"
      }
    },
    "nixpkgs-0dc1c7": {
      "locked": {
        "lastModified": 1725718979,
        "narHash": "sha256-TNj62uDY5ilnYu0Jne8/IIunfh1kf6kDPY9KdS+Eotw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
        "type": "github"
      }
    },
    "nixpkgs-regression": {
      "locked": {
        "lastModified": 1643052045,
@@ -492,6 +548,22 @@
        "type": "github"
      }
    },
    "nixpkgs-regression_2": {
      "locked": {
        "lastModified": 1643052045,
        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1713434076,
@@ -526,11 +598,43 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1732521221,
+        "lastModified": 1750622754,
-        "narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
+        "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
+        "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1705033721,
        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-23.05-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_5": {
      "locked": {
        "lastModified": 1750776420,
        "narHash": "sha256-/CG+w0o0oJ5itVklOoLbdn2dGB0wbZVOoDm4np6w09A=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf",
        "type": "github"
      },
      "original": {
@@ -563,11 +667,11 @@
    "pre-commit-hooks": {
      "flake": false,
      "locked": {
-        "lastModified": 1726745158,
+        "lastModified": 1733318908,
-        "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
+        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
+        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
        "type": "github"
      },
      "original": {
@@ -576,6 +680,42 @@
        "type": "github"
      }
    },
    "pre-commit-hooks_2": {
      "flake": false,
      "locked": {
        "lastModified": 1733318908,
        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "rainbowrss": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1745667868,
        "narHash": "sha256-T67ZRk+cuFI2P6qJeu8RwbpJD00OORulHGuXebpg9Nw=",
        "ref": "refs/heads/main",
        "rev": "e43037aa525e36d7a3da187a8fc6baeb71db7fd6",
        "revCount": 15,
        "type": "git",
        "url": "https://git.clerie.de/clerie/rainbowrss.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.clerie.de/clerie/rainbowrss.git"
      }
    },
    "root": {
      "inputs": {
        "berlinerbaeder-exporter": "berlinerbaeder-exporter",
@@ -585,11 +725,14 @@
        "fieldpoc": "fieldpoc",
        "harmonia": "harmonia",
        "hydra": "hydra",
        "lix": "lix_2",
        "lix-module": "lix-module",
        "nixos-exporter": "nixos-exporter",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_5",
        "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
        "nurausstieg": "nurausstieg",
        "rainbowrss": "rainbowrss",
        "scan-to-gpg": "scan-to-gpg",
        "solid-xmpp-alarm": "solid-xmpp-alarm",
        "sops-nix": "sops-nix",
@@ -603,11 +746,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733765838,
+        "lastModified": 1736606141,
-        "narHash": "sha256-piKf5W1vUl4y36WuW/192LMXBJyATBF83T9YEz9K3/Y=",
+        "narHash": "sha256-cIGSrY3tNwOamqt41IPRRw5SPlBtljWZvcXDfCkreUc=",
        "ref": "refs/heads/main",
-        "rev": "b0c07f95146d85a7b62a84fb2a62a773a5942733",
+        "rev": "9f1aa15509c9b0284774be95ef020f612c385353",
-        "revCount": 17,
+        "revCount": 18,
        "type": "git",
        "url": "https://git.clerie.de/clerie/scan-to-gpg.git"
      },
@@ -659,7 +802,7 @@
    },
    "ssh-to-age": {
      "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
        "nixpkgs": [
          "nixpkgs"
        ]
@@ -716,33 +859,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1711963903,
+        "lastModified": 1733662930,
-        "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
+        "narHash": "sha256-9qOp6jNdezzLMxwwXaXZWPXosHbNqno+f7Ii/xftqZ8=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
+        "rev": "357cda84af1d74626afb7fb3bc12d6957167cda9",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": [
          "hydra",
          "nix-eval-jobs",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1732292307,
        "narHash": "sha256-5WSng844vXt8uytT5djmqBCkopyle6ciFgteuA9bJpw=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "705df92694af7093dfbb27109ce16d828a79155f",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,8 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    # for etesync-dav
    nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    berlinerbaeder-exporter = {
      url = "git+https://git.clerie.de/clerie/berlinerbaeder-exporter.git";
@@ -19,15 +21,21 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    harmonia = {
-      url = "github:nix-community/harmonia/harmonia-v1.0.2";
+      url = "github:nix-community/harmonia/harmonia-v2.0.1";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    hydra = {
-      url = "git+https://git.lix.systems/lix-project/hydra.git";
+      url = "git+https://git.lix.systems/lix-project/hydra.git?ref=lix-2.93";
      #inputs.lix.follows = "lix";
      #inputs.nixpkgs.follows = "nixpkgs";
    };
    lix = {
      url = "git+https://git.lix.systems/lix-project/lix.git?ref=release-2.93";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lix-module = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable";
+      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.93";
      inputs.lix.follows = "lix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
@@ -39,6 +47,10 @@
      url = "git+https://git.clerie.de/clerie/nurausstieg.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    rainbowrss = {
      url = "git+https://git.clerie.de/clerie/rainbowrss.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    scan-to-gpg = {
      url = "git+https://git.clerie.de/clerie/scan-to-gpg.git";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -58,7 +70,6 @@
  };
  outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
    lib = import ./lib inputs;
    helper = lib.flake-helper;
    localNixpkgs = import ./flake/nixpkgs.nix inputs;
  in {
    clerie.hosts = {
@@ -97,7 +108,12 @@
      osmium = {};
      palladium = {};
      porter = {};
-      storage-2 = {};
+      storage-2 = {
        modules = [
          ./users/frank
        ];
      };
      tungsten = {};
      web-2 = {};
      zinc = {
        modules = [
@@ -113,45 +129,26 @@
    nixosModules = {
      nixfilesInputs = import ./flake/modules.nix inputs;
      clerie = import ./modules;
      profiles = import ./profiles;
      default = self.nixosModules.clerie;
    };
    overlays = {
-      nixfilesInputs = import ./flake/overlay.nix inputs;
+      clerie-inputs = import ./flake/inputs-overlay.nix inputs;
-      clerie = import ./pkgs/overlay.nix;
+      clerie-pkgs = import ./pkgs/overlay.nix;
-      default = self.overlays.clerie;
+      clerie-build-support = import ./pkgs/build-support/overlay.nix;
      clerie-overrides = import ./pkgs/overrides/overlay.nix;
    };
-    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
+    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
      let
       pkgs = localNixpkgs.${system};
-    in {
+      in
-      inherit (pkgs)
+      nixpkgs.lib.genAttrs (
-        clerie-keys
+        (builtins.attrNames (self.overlays.clerie-pkgs null null))
-        clerie-system-upgrade
+        ++ (builtins.attrNames (self.overlays.clerie-overrides null null))
-        clerie-merge-nixfiles-update
+      ) (name: pkgs."${name}")
-        clerie-update-nixfiles
+    );
        clerie-sops
        clerie-sops-config
        clerie-sops-edit
        chromium-incognito
        factorio-launcher
        git-checkout-github-pr
        git-diff-word
        git-pp
        harmonia
        iot-data
        nix-remove-result-links
        nixfiles-auto-install
        nixfiles-generate-config
        nixfiles-generate-backup-secrets
        nixfiles-update-ssh-host-keys
        print-afra
        run-with-docker-group
        ssh-gpg
        update-from-hydra
        uptimestatus
        xmppc;
    });
    inherit lib self;
--- a/flake/inputs-overlay.nix
+++ b/flake/inputs-overlay.nix
@@ -1,28 +1,33 @@
 { self
 , nixpkgs-0dc1c7
 , berlinerbaeder-exporter
 , bij
 , chaosevents
 , harmonia
 , hydra
 , nurausstieg
 , rainbowrss
 , scan-to-gpg
 , ssh-to-age
 , ...
 }@inputs:
 final: prev: {
  inherit (nixpkgs-0dc1c7.legacyPackages.${final.system})
    etesync-dav;
  inherit (berlinerbaeder-exporter.packages.${final.system})
    berlinerbaeder-exporter;
  inherit (bij.packages.${final.system})
    bij;
  inherit (chaosevents.packages.${final.system})
    chaosevents;
-  harmonia = harmonia.packages.${final.system}.harmonia.override {
+  inherit (harmonia.packages.${final.system})
-    nixForHarmonia = final.nixVersions.nix_2_23;
+    harmonia;
  };
  inherit (hydra.packages.${final.system})
    hydra;
  inherit (nurausstieg.packages.${final.system})
    nurausstieg;
  inherit (rainbowrss.packages.${final.system})
    rainbowrss;
  inherit (scan-to-gpg.packages.${final.system})
    scan-to-gpg;
  inherit (ssh-to-age.packages.${final.system})
--- a/flake/nixosConfigurations.nix
+++ b/flake/nixosConfigurations.nix
@@ -10,23 +10,19 @@ let
    group ? null,
    modules ? [],
  }: let
-    localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
+    localNixpkgs = import ./nixpkgs.nix inputs;
-  in localNixpkgs.lib.nixosSystem {
+  in nixpkgs.lib.nixosSystem {
    system = system;
    pkgs = localNixpkgs.${system};
    modules = modules ++ [
      self.nixosModules.nixfilesInputs
      self.nixosModules.clerie
      self.nixosModules.profiles
      ({ config, lib, ... }: {
        # Set hostname
        networking.hostName = lib.mkDefault name;
        # Apply overlays
        nixpkgs.overlays = [
          self.overlays.nixfilesInputs
          self.overlays.clerie
        ];
        /*
          Make the contents of the flake availiable to modules.
          Useful for having the monitoring server scraping the
@@ -51,6 +47,9 @@ let
            {};
        in
          secrets;
        # Enable clerie common config
        profiles.clerie.common.enable = true;
      })
      # Config to be applied to every host
--- a/flake/nixpkgs.nix
+++ b/flake/nixpkgs.nix
@@ -8,8 +8,10 @@ let
    import nixpkgs {
      inherit system;
      overlays = [
-        self.overlays.nixfilesInputs
+        self.overlays.clerie-inputs
-        self.overlays.clerie
+        self.overlays.clerie-pkgs
        self.overlays.clerie-build-support
        self.overlays.clerie-overrides
      ];
    };
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, modulesPath, ... }:
+{ pkgs, lib, modulesPath, config, ... }:
 {
  imports = [
@@ -6,10 +6,25 @@
    ../../configuration/gpg-ssh
  ];
  profiles.clerie.network-fallback-dhcp.enable = true;
  # systemd in initrd is broken with ISOs
  # Failed to mount /sysroot/iso
  # https://github.com/NixOS/nixpkgs/issues/327187
  boot.initrd.systemd.enable = false;
  networking.hostName = "isowo";
-  isoImage.isoBaseName = "nixos-isowo";
+  isoImage.isoBaseName = lib.mkForce "nixos-isowo";
  environment.systemPackages = with pkgs; [
    nixfiles-auto-install
  ];
  # Allow user clerie to log in as root directly with ssh keys
  users.users.root.openssh.authorizedKeys.keys = config.users.users.clerie.openssh.authorizedKeys.keys;
  services.openssh.settings = {
    PermitRootLogin = lib.mkForce "yes";
  };
 }
--- a/hosts/aluminium/configuration.nix
+++ b/hosts/aluminium/configuration.nix
@@ -18,7 +18,7 @@
    terminal_output serial
  ";
-  services.wg-clerie = {
+  profiles.clerie.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ];
    ipv4s = [ "10.20.30.106/32" ];
--- a/hosts/astatine/configuration.nix
+++ b/hosts/astatine/configuration.nix
@@ -4,30 +4,21 @@
  imports =
    [
      ./hardware-configuration.nix
      ./ppp.nix
      ./programs.nix
      ./users.nix
    ];
  profiles.clerie.network-fallback-dhcp.enable = true;
  boot.kernelParams = [ "console=ttyS0,115200n8" ];
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
-  # boot.loader.grub.efiSupport = true;
+  boot.loader.grub.device = "/dev/sda";
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
  boot.loader.grub.extraConfig = "
    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
    terminal_input serial
    terminal_output serial
  ";
-  #networking.firewall.enable = false;
+  profiles.clerie.wg-clerie = {
  services.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
    ipv4s = [ "10.20.30.108/32" ];
--- a/hosts/astatine/ppp.nix
+++ b/hosts/astatine/ppp.nix
@@ -1,90 +0,0 @@
 { pkgs, ... }:
 {
  # Make space for VLAN header in containing ethernet segment
  networking.interfaces."enp1s0".mtu = 1518;
  ## DSL-Uplink
  networking.vlans."enp1s0.7" = {
    id = 7;
    interface = "enp1s0";
  };
  services.pppd = {
    enable = true;
    peers.lns-test = {
      config = ''
        plugin pppoe.so enp1s0.7
        user "criese#regiotest@bsa-vdsl"
        ifname ppp-lns-test
        persist
        maxfail 0
        holdoff 5
        noipdefault
        lcp-echo-interval 20
        lcp-echo-failure 3
        hide-password
        nodefaultroute
        +ipv6
        debug
      '';
    };
  };
  /*
  networking.interfaces.lo.useDHCP = true;
  networking.interfaces.ppp-lns-test.useDHCP = true;
  networking.dhcpcd = {
    enable = true;
    extraConfig = ''
      interface ppp-lns-test
        ipv6rs
        ia_pd 0 lo/0
    '';
  };*/
  environment.etc."ppp/ip-up" = {
    text = ''
      #! ${pkgs.runtimeShell} -e
      ${pkgs.iproute2}/bin/ip route flush table 20001 || true
      ${pkgs.iproute2}/bin/ip route add default dev ppp-lns-test table 20001
    '';
    mode = "555";
  };
  environment.etc."ppp/ip-down" = {
    text = ''
      #! ${pkgs.runtimeShell} -e
      ${pkgs.iproute2}/bin/ip route flush table 20001 || true
    '';
    mode = "555";
  };
  environment.etc."ppp/ipv6-up" = {
    text = ''
      #! ${pkgs.runtimeShell} -e
      ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
      ${pkgs.iproute2}/bin/ip -6 route add default dev ppp-lns-test table 20001
    '';
    mode = "555";
  };
  environment.etc."ppp/ipv6-down" = {
    text = ''
      #! ${pkgs.runtimeShell} -e
      ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
    '';
    mode = "555";
  };
  petabyte.policyrouting = {
    enable = true;
    rules4 = [
      { rule = "from 212.218.16.237/32 lookup 20001"; prio = 19000; }
      { rule = "from 212.218.16.237/32  unreachable"; prio = 19001; }
    ];
  };
 }
--- a/hosts/astatine/programs.nix
+++ b/hosts/astatine/programs.nix
@@ -1,9 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    tcpdump # for remote wireshark
  ];
 }
--- a/hosts/astatine/users.nix
+++ b/hosts/astatine/users.nix
@@ -1,10 +0,0 @@
 { ... }:
 {
  users.users.criese-nethinks = {
    extraGroups = [
      "wheel"
    ];
  };
 }
--- a/hosts/backup-4/configuration.nix
+++ b/hosts/backup-4/configuration.nix
@@ -4,19 +4,32 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ./backup.nix
      ./replication.nix
      ./restic-server.nix
      ./wg-b-palladium.nix
    ];
  profiles.clerie.mercury-vm.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
  networking.useDHCP = false;
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::c"; prefixLength = 64; } ];
+  systemd.network.enable = true;
-  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
+
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.networks."10-wan" = {
    matchConfig.Name = "ens18";
    address = [
      "2001:638:904:ffcb::c/64"
    ];
    routes = [
      { Gateway = "2001:638:904:ffcb::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  services.nginx.enable = true;
--- a/hosts/backup-4/replication.nix
+++ b/hosts/backup-4/replication.nix
@@ -0,0 +1,20 @@
 { lib, ... }:
 with lib;
 {
  clerie.backup = {
    enable = true;
    targets = mkForce {
      palladium.serverUrl = "http://[fd90:37fd:ddec:d921::2]:43242";
    };
    jobs.replication = {
      paths = [
        "/mnt/backup-4/magenta"
      ];
      exclude = [
        "/mnt/backup-4/magenta/.htpasswd"
      ];
    };
  };
 }
--- a/hosts/backup-4/secrets.json
+++ b/hosts/backup-4/secrets.json
@@ -1,5 +1,8 @@
 {
-	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:QxdmemBB/iuU+fvc2QRRkbOHO5Ef8ZJqfTdFCnlOqKog5krZ2oIpURuttH9YeggJXV2Cr+kJDGI0b9Ca6BtCkOhahfWicTeFhuODJsSyZJqzw36Ba8pX3nIpqoa7StTydK1Dx5chOi2g8oB4895SvWqDa/qP10yDtBQAYURHYfodb9/tiKzfjJAGDlqsR2h+qmdbAkvR3/oAquBO8Nb493G2sixs20XIG85moYv6l0MPnZtWEXhDT8lM5tw0PCgpSfYaUeMWnmFuzFBj3MQSo3zAjGPeOSYVFlbwbLqFWL507z0dlRgzsxMYB1F4OL38nOpO2CP2/VvbidgbQZjKCfiHMJtWLQfzZIfNEhcF8kq2uhhOwRSKN3G7u1/ezzu+9UlUVMV6PY2jjbZHJ79Knu5SJ3KqphygjjIhdHufqI03BP/aJa0QkE/mGg9is3H0myW5rG9ElA1C4stF,iv:1Ue/H48af3ECUZ5GC0hrMMBfOuCZSuX9wOSAd5XG7Fk=,tag:HchM/ZJEDG4pWQdDanC9cA==,type:str]",
+	"clerie-backup-job-replication": "ENC[AES256_GCM,data:BxOj/jT/GFBNSLc=,iv:zKDmEqUpOUWbU3fEeKDLniZ8D1yzs4kdGjoFLeNZOpo=,tag:iKAxHnIUpvtZwVO+eJW3Xw==,type:str]",
 	"clerie-backup-target-palladium": "ENC[AES256_GCM,data:OaszucYAp4n/ds59nF8D4Qn3U9a6L+ONcbPa+BmSz/EprW7E3kCoJ6+EceahPemTnR53mkP6zAndWaXaBTFfdg==,iv:pqi4+LuLPhtmKucm7JqN6d2hwXzNVx8IPimTL6FgHHg=,tag:+91GgLQNKD/lI7uWojCwjA==,type:str]",
 	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
 	"wg-b-palladium": "ENC[AES256_GCM,data:XTenrGQFLDndt/XPaDGRLQthVq1UFKJ2mWK3Z+YfT54YpnWO81cslrMMtPc=,iv:tW8NHOcNj3Q26BJBIz7UPR3bmw3nrb0UkkD+gqngw/w=,tag:XDYkIqj6z2Jvhaoiqeyn0g==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
 	"sops": {
 		"kms": null,
@@ -12,8 +15,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-06-03T18:16:25Z",
+		"lastmodified": "2025-04-18T08:37:08Z",
-		"mac": "ENC[AES256_GCM,data:hWCI1hWTbbasov9Si0JDI39rUuBOEqrz+qxTKrNN4S/r9Ktofrk46b3rxSQF3+bC03HrbCMLk9/7XkvIFJXQj5pa9I1aG8MuMbgF0Z8Ft/uNdHPUUyLJwo/4aav4zXVpdg7zNtPdwjk66pw7iRO5XBmYgnQlnXotHM6S9s7RzuA=,iv:VJmLD1SImGtreceQP+DofnzOGp3sm12iCzbPsqzw6SI=,tag:aUryi0xUG7sd/EOmqrMQCg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:50NF4BI0QUhe622J6nwIF89pLlTdgxVB/MWbO5nWKgQI5xuNrnFghs5yVgZIV7FeONcu2pYykp28fSrFKhvbPt+B90i4HvaaIHdZGDepbEV9ZwK4AU66zZW4KCCPxv4NTYh+AuSi7HTHusXUrNIvRhYvAXjESi7nK7JPm3BTfUk=,iv:fvtTaSXNx6IL6D9DdEa5ovymNYeWJObCBiRiIsG7KeE=,tag:LdfXiAuMHLCb0biThHh1GQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-04T12:30:52Z",
@@ -22,6 +25,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.9.4"
 	}
 }
--- a/hosts/backup-4/wg-b-palladium.nix
+++ b/hosts/backup-4/wg-b-palladium.nix
@@ -0,0 +1,40 @@
 { config, ... }:
 {
  sops = {
    secrets.wg-b-palladium = {
      owner = "systemd-network";
      group = "systemd-network";
    };
  };
  systemd.network.netdevs."10-wg-b-palladium" = {
    netdevConfig = {
      Kind = "wireguard";
      Name = "wg-b-palladium";
    };
    wireguardConfig = {
      PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
      ListenPort = 51844;
    };
    wireguardPeers = [
      {
        PublicKey = "YMTOhRAKWfFX1UVBoROPvgcQxTSN4tny35brAocdnwo=";
        AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
        PersistentKeepalive = 25;
      }
    ];
  };
  systemd.network.networks."10-wg-b-palladium" = {
    matchConfig.Name = "wg-b-palladium";
    address = [
      "fd90:37fd:ddec:d921::1/64"
    ];
    linkConfig.RequiredForOnline = "no";
  };
  networking.firewall.allowedUDPPorts = [ 51844 ];
 }
--- a/hosts/beryllium/configuration.nix
+++ b/hosts/beryllium/configuration.nix
@@ -6,6 +6,8 @@
      ./hardware-configuration.nix
    ];
  profiles.clerie.network-fallback-dhcp.enable = true;
  boot.kernelParams = [ "console=ttyS0,115200n8" ];
  boot.loader.grub.enable = true;
@@ -20,40 +22,12 @@
  networking.firewall.enable = false;
-  networking.iproute2.enable = true;
+  profiles.clerie.wg-clerie = {
  networking.iproute2.rttablesExtraConfig = ''
    200 wg-clerie
  '';
  petabyte.policyrouting = {
    enable = true;
-    rules6 = [
+    ipv6s = [ "2a01:4f8:c0c:15f1::8107/128" ];
-      { rule = "from 2a01:4f8:c0c:15f1::8107/128 lookup wg-clerie"; prio = 20000; }
+    ipv4s = [ "10.20.30.107/32" ];
      { rule = "from 2a01:4f8:c0c:15f1::8107/128 unreachable"; prio = 20001; }
    ];
    rules4 = [
      { rule = "from 10.20.30.107/32 lookup wg-clerie"; prio = 20000; }
      { rule = "from 10.20.30.107/32 unreachable"; prio = 20001; }
    ];
  };
  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
    wg-clerie = {
      ips = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
      table = "wg-clerie";
      peers = [
        {
          endpoint = "vpn.clerie.de:51820";
          persistentKeepalive = 25;
          allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
          publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
        }
      ];
    privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
  };
  };
  clerie.monitoring = {
    enable = true;
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -4,7 +4,6 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/router
      ./dns.nix
      ./mdns.nix
@@ -22,6 +21,9 @@
      ./wg-clerie.nix
    ];
  profiles.clerie.common-networking.enable = false;
  profiles.clerie.router.enable = true;
  boot.kernelParams = [ "console=ttyS0,115200n8" ];
  boot.loader.grub.enable = true;
--- a/hosts/clerie-backup/configuration.nix
+++ b/hosts/clerie-backup/configuration.nix
@@ -4,20 +4,26 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ./restic-server.nix
    ];
  profiles.clerie.ruby-vm.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  systemd.network.networks."10-wan" = {
-
+    matchConfig.Name = "ens18";
-  networking.useDHCP = false;
+    address = [
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::6"; prefixLength = 64; } ];
+      "2a00:fe0:1:21f::a/64"
-  networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
+    ];
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+    routes = [
      { Gateway ="2a00:fe0:1:21f::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  services.nginx.enable = true;
@@ -28,10 +34,6 @@
      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiUWufpvAj/Rdxt/frAjs5Q4+/lzaN2jmf5+W3Gazjzw+CH+Agplux6op+LlzF7kAA32yP+lwQto8Rz92NzReDssXd+0JhgAAHrSMrPOPnQbZrierKOfVvDOteklEM4k5JXqZ+xHIMtNomuMV3wCFc18nvwc8t95pDBOI/HwzAwn2mGhVBod0CNXZs8EyMeQJNKLCRwpUrddOX6fz5x/fbPYO4KB3iPkC0X+e/d5SuBvrmwFdnpr2RkCboMPdd6i/0AsY4MLdMV54arS9Ed2jaFKqYCQR5wRdLxndn+aByyVQHQxVU0gVfO9+53NOgiVzhOFzXm6K2KcC/HZR5uj1r ceea@olbers.uberspace.de" ];
      path = "/mnt/clerie-backup/uberspace-ceea";
    };
    uberspace-cleriewi = {
      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAeU+YezmGNNnntAkOL143NlkADi6ekEcaW9yf9yegdkDxwyIyxaWC89B110kRkNe+6KP+LDwrp9vnFJZjst8Gv+dMs0h9U0IdUafhO7TcbbkqynqmtzIwiSGsLby2K9XOYTMlAa2JOfeNScPWccZ8KgXsIBqRGjo3yQfCHXZu9U/8CGXvYPsTGY5QYNeAw5Uaikuf565GHy4ROx2BN7LGug9lK42Hfv8i1lhCLi7wkhQ0EPGBRPkscjz/0Kb2iABMzyUf6uMrDJX/usKrChxkLfidIM9C5YR1E+wXlmy9lijuNP85NpXUEyVTAp9/XLCp1vskfCjsBLO0l+40XNIt cleriewi@biela.uberspace.de" ];
      path = "/mnt/clerie-backup/uberspace-cleriewi";
    };
  };
  # fix borgbackup primary grouping
@@ -51,62 +53,6 @@
      compression = "auto,lzma";
      startAt = "*-*-* 04:07:00";
    };
    backup-replication-palladium = {
      paths = [
        "/mnt/clerie-backup"
      ];
      doInit = true;
      repo =  "borg@palladium.net.clerie.de:." ;
      encryption = {
        mode = "none";
      };
      environment = { BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-palladium"; };
      compression = "auto,lzma";
      startAt = "*-*-* 06:23:00";
    };
    backup-replication-external-drive = {
      paths = [
        "/mnt/clerie-backup"
      ];
      doInit = true;
      repo =  "borg@palladium.net.clerie.de:." ;
      encryption = {
        mode = "none";
      };
      environment = {
        BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-external-drive";
        BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
        BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
      };
      compression = "auto,lzma";
      startAt = "*-*-* 08:37:00";
    };
  };
  users.users.backup-replication = {
    isNormalUser = true;
    group = "backup-replication";
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8kCLiDfVFKgoNvEoMb34jp2n1lQG+k7wigzc4qGmrROlWkJ46/Ym4UrSeQJAd6hwHTcKTZkeOrqDAjZZ+jlidpncJHT5VMW5Ah965pxbBq6Qh1Yz5tKj7nLAQ/+bwEH4qqBFNd796876n3pY/FqhwAHWONqWhLKzMXpFursMSITUPmRXcaPwJrgS9DIYspZ9bBhhRSdQ5N1SiGtaszOQwdevLnNYqdtFOBG4rt9SO6IBIHtaiTIHrrMGS2Lt3NMwkq+O+N+TGaKLjbwqtfUPfPOCmY0XH12OawjxHP9hZ+WH3dPtcu5p+VORciSybPvyh9qzXUrDeO4HDuii2GEFU8JFELYXdT/qBwdIMp82tkgww0zKbTJuc0y/9eR7LCXop4OALhR8+8xWDI9c1ccxu3T7S7zUI1OmTlR9i8rx85D4sz2dtp1jirDoW2KVuIdwe6G3NLfTL95FZRmveEQM3MO8MPpfzZ4EvaMbiQQd/c4VAmGovtSLQhySTpT6qSv0= root@backup-4"
      #"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRANmJ2LYUr0Mavz/JJ7j+7p1zkqvizf6ZLt5XOJ2fj0enDuK7Dc5fxiESLGYTsLRVWuY4hNXVIL7aeJUj1LPf6LEX87APP4hb95t+TFxcES87tFfnFO48eiBbSd25Av2jmHGb6/wY2viYBxfk/vrLjPR6RgICqFsWFcz20bsWmc48FdzXYJCGJfKjHiW+Ut95VL+M/AlGBQHo33FNDyPXV4zh+MeWVkOFicwfh0k+4NH7Psj5n93m9szAlz306t5YZ32HnhSlvObkMk1Ugy6AzPKXrgKBu11pmatf7sFRx1ikYGUiKiezGjatt/8lYZfE8rQKQjwH+6LPt3ZPv06ncfKpH2vbZfonM0KhSsm1OIhJTse+X7ZMxizO6QqYM+BRJJGMbhH1g+6kFRsdlwakHNPE9YvG4NxZ1NxWTUr6F0gPhUEy61LkTnznt3ct1hgQR02KDQ+9i8PvaYeIIzZzRKufv4tV7OZkDLbN97tvAMkgpLjF+8fCg3qjn2Lckzc= root@palladium"
    ];
  };
  users.groups.backup-replication = {};
  environment.systemPackages = with pkgs; [
    bindfs
  ];
  fileSystems."/clerie-backup-replication" = {
    device = "/mnt/clerie-backup";
    fsType = "fuse.bindfs";
    options = [
      "ro"
      "force-user=backup-replication"
      "force-group=backup-replication"
      "perms=0000:ug=rD"
    ];
  };
  clerie.monitoring = {
--- a/hosts/clerie-backup/hardware-configuration.nix
+++ b/hosts/clerie-backup/hardware-configuration.nix
@@ -8,7 +8,7 @@
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
@@ -19,7 +19,7 @@
    };
  fileSystems."/mnt/clerie-backup" =
-    { device = "/dev/disk/by-uuid/69e75b00-23e1-4775-98a6-061a79d806cf";
+    { device = "/dev/disk/by-uuid/15a42e2e-57dc-43ff-a50d-8b73952d4558";
      fsType = "ext4";
    };
@@ -33,4 +33,7 @@
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  boot.swraid.enable = true;
 }
--- a/hosts/clerie-backup/secrets.json
+++ b/hosts/clerie-backup/secrets.json
@@ -1,5 +1,5 @@
 {
-	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:ZKrEv/bU1X+iO7GLlxsM8HhUy6B2+EXRA8JO2X8E8X5nt8Ydwa+wAqTea3hGyW/QNFrNg/nnAFaVg+VNa6UEqOuF0eg4Nf0LOYTtTpNt4uqDHomfFpvFxDfVCbk4a3fnjnJzk51XnZqeVlvuH2JKg9uD6QzTghTuZfysdGePZdD4WRfY+qHsZg2jREgA26WKsRnD1zU4ZnbRAA1s0Lzf5gG4kFciIzovt0x5MYEiVERFeM+HG1a117EvSlsijPNJVLTaFRLTVOlTOYLKXt4KcRJq9KwoZR/LgEz++rUE4DN5f7iQs+Sb9epH9sV/V06R6AKE5ZFcyi5Y+ipt8B4sWX8PQUeFxNlpljXHro8szGNnLnSxxieg10SEwfIEw+nTGVMHToUpvybzdoI4VPUHZGF+kpqv8ejEzhrKZXyPrd7ZCWGDsTdl8gGSefimpEUR8IwuPqImgu2UU8gT,iv:Y/G/odtZ4enBtNc2Wj7bZjsJ3nur5huYAqlu1PgnWlo=,tag:tg3ut7R2jJd+TVvYHIiTdA==,type:str]",
+	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
 	"sops": {
 		"kms": null,
@@ -12,8 +12,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-06-03T18:16:18Z",
+		"lastmodified": "2025-02-16T18:13:34Z",
-		"mac": "ENC[AES256_GCM,data:kWeyNv82yc6H+FJjhTh8vkuxjZ4YFEqmZbqzZr+pEXxXeMUEGi9hr7cauGDNxnRMgWJz9KG1M4tzUyEK8rfVQWLc+Wcf/5Pjsxn1Zg0yJiJAxVFV7AcvGdKUeQuBKgOT5L+Z5+cFdvq9+CU/0M+6/e8jB6OdQWcuy0emBaCut4U=,iv:3w5arXHKapwwo7kgLtHcKfO+dhH22opVP+fjagize0c=,tag:+cCaX2FUG+5UYqutE9IsAA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-05T12:12:27Z",
--- a/hosts/dn42-il-gw1/configuration.nix
+++ b/hosts/dn42-il-gw1/configuration.nix
@@ -4,49 +4,43 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ../../configuration/dn42
    ];
  profiles.clerie.mercury-vm.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:1::1"; prefixLength = 64; } ];
+    matchConfig.Name = "ens20";
-  # VM Nat Netz mercury
+    address = [
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.23"; prefixLength = 24; } ];
+      "2001:638:904:ffc9::7/64"
-  # OSPF Netz
+    ];
-  networking.interfaces.ens19 = {};
+    routes = [
-  # IPv6 Uplink
+      { Gateway = "2001:638:904:ffc9::1"; }
-  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::7"; prefixLength = 64; } ];
+    ];
-
+    linkConfig.RequiredForOnline = "routable";
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
+  };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.networks."10-nat-netz-mercury" = {
    matchConfig.Name = "ens18";
    address = [
      "192.168.10.23/24"
    ];
    routes = [
      { Gateway = "192.168.10.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-dn42-ospf-netz" = {
    matchConfig.Name = "ens19";
    linkConfig.RequiredForOnline = "no";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
    # n0emis
    wg0197 = {
      ips = [
        "fe80::42:1/128"
        # peer fe80::42:42:1/128
      ];
      postSetup = ''
      ip -6 route flush dev wg0197
      ip addr del dev wg0197 fe80::42:1/128 && ip addr add dev wg0197 fe80::42:1/128 peer fe80::42:42:1/128
      '';
      listenPort = 50197;
      allowedIPsAsRoutes = false;
      peers = [
        {
          allowedIPs = [ "fe80::/10" "fd00::/8" ];
          endpoint = "himalia.dn42.n0emis.eu:52574";
          publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
        }
      ];
      privateKeyFile = config.sops.secrets.wg0197.path;
    };
    # e1mo
    wg0565 = {
      ips = [
@@ -126,27 +120,6 @@
      ];
      privateKeyFile = config.sops.secrets.wg1280.path;
    };
    # perflyst
    wg1302 = {
      ips = [
        "fe80::a14e/128"
        # peer fe80::a14d/128
      ];
      postSetup = ''
      ip -6 route flush dev wg1302
      ip addr del dev wg1302 fe80::a14e/128 && ip addr add dev wg1302 fe80::a14e/128 peer fe80::a14d/128
      '';
      listenPort = 51302;
      allowedIPsAsRoutes = false;
      peers = [
        {
          allowedIPs = [ "fe80::/10" "fd00::/8" ];
          endpoint = "[2a03:4000:6:f6ed::1]:22574";
          publicKey = "TSPvvpMY8dCFk6gd58aYtkibtqUn8EzIF6dXP52b3y8=";
        }
      ];
      privateKeyFile = config.sops.secrets.wg1302.path;
    };
    # lutoma
    wg4719 = {
      ips = [
@@ -167,165 +140,103 @@
      ];
      privateKeyFile = config.sops.secrets.wg4719.path;
    };
    # zaphyra
    wg1718 = {
      ips = [
        "fe80::2574/128"
        # peer fe80::6b61/64
      ];
      postSetup = ''
      ip addr replace dev wg1718 fe80::2574/128 peer fe80::6b61/128
      '';
      listenPort = 51718;
      allowedIPsAsRoutes = false;
      peers = [
        {
          allowedIPs = [ "fe80::/10" "fd00::/8" ];
          endpoint = "router-a.dn42.zaphyra.eu:51831";
          publicKey = "Knm6uEpMsTfZAK68Pl98mHORtb8TtswBfYFGznpHUCI=";
        }
      ];
      privateKeyFile = config.sops.secrets.wg1718.path;
    };
  };
-  petabyte.policyrouting = {
+  networking.firewall.allowedUDPPorts = [
    50565 # wg0565
    51271 # wg1271
    51272 # wg1272
    51280 # wg1280
    54719 # wg4719
    51718 # wg1718
  ];
  profiles.clerie.dn42-router = {
    enable = true;
-    rules6 = [
+    loopbackIp = "fd56:4902:eca0:1::1";
-      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
+    routerId = "192.168.10.23";
-      { rule = "from all to all lookup 2342"; prio = 10000; }
+
-      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
+    ospfInterfaces = [
-      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+      "ens19"
    ];
    ibgpPeers = [
      {
        peerName = "gw5";
        remoteAddress = "fd56:4902:eca0:5::1";
      }
      {
        peerName = "gw6";
        remoteAddress = "fd56:4902:eca0:6::1";
      }
    ];
    wireguardPeers = [
      {
        peerName = "peer_0565";
        remoteAddress = "fe80::565";
        interfaceName = "wg0565";
        remoteAsn = "4242420565";
        localAddress = "fe80::2574";
      }
      {
        peerName = "peer_1271_north";
        remoteAddress = "fe80::2";
        interfaceName = "wg1271";
        remoteAsn = "4242421271";
        localAddress = "fe80::1";
      }
      {
        peerName = "peer_1271_south";
        remoteAddress = "fe80::1:2";
        interfaceName = "wg1272";
        remoteAsn = "4242421271";
        localAddress = "fe80::1:1";
      }
      {
        peerName = "peer_1280_wg1";
        remoteAddress = "fde3:4c0d:2836:ff00::20";
        interfaceName = "wg1280";
        remoteAsn = "4242421280";
        localAddress = "fde3:4c0d:2836:ff00::21";
      }
      {
        peerName = "peer_4719";
        remoteAddress = "fe80::acab";
        interfaceName = "wg4719";
        remoteAsn = "64719";
        localAddress = "fe80::1";
      }
      {
        peerName = "peer_1718";
        remoteAddress = "fe80::6b61";
        interfaceName = "wg1718";
        remoteAsn = "4242421718";
        localAddress = "fe80::2574";
      }
    ];
  };
  services.bird2.enable = true;
  services.bird2.config = ''
  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
  ipv6 table ospf6;
  ipv6 table bgp6;
  protocol direct {
          interface "lo";
          ipv6 {
                  table ospf6;
          };
  }
  protocol static {
          ipv6 {
                  table bgp6;
          };
          route fd56:4902:eca0::/48 via "lo";
          route fd56:4902:eca0::/52 via "lo";
  }
  protocol kernel {
          ipv6 {
                  table ospf6;
                  export filter {
                          krt_prefsrc=fd56:4902:eca0:1::1;
                          accept;
                  };
                  import none;
          };
          kernel table 1337;
  }
  protocol kernel {
          ipv6 {
                  table bgp6;
                  export filter {
                          krt_prefsrc=fd56:4902:eca0:1::1;
                          accept;
                  };
                  import none;
          };
          kernel table 2342;
  }
  protocol ospf v3 {
          ipv6 {
                  table ospf6;
                  import all;
                  export all;
          };
          area 0 {
                  interface "ens19" {
                          cost 80;
                          type broadcast;
                  };
          };
  }
  protocol bgp gw5 {
          local as 4242422574;
          graceful restart on;
          neighbor fd56:4902:eca0:5::1 as 4242422574;
          source address fd56:4902:eca0:1::1;
          ipv6 {
                  table bgp6;
                  igp table ospf6;
                  next hop self;
                  import keep filtered;
                  import all;
                  export all;
          };
  }
  protocol bgp gw6 {
          local as 4242422574;
          graceful restart on;
          neighbor fd56:4902:eca0:6::1 as 4242422574;
          source address fd56:4902:eca0:1::1;
          ipv6 {
                  table bgp6;
                  igp table ospf6;
                  next hop self;
                  import keep filtered;
                  import all;
                  export all;
          };
  }
  template bgp bgp_peer {
  	local as 4242422574;
  	graceful restart on;
  	ipv6 {
  		table bgp6;
  		next hop self;
  		import keep filtered;
  		import filter {
  			if net ~ [fd00::/8{48,64}] then accept;
  			reject;
  		};
  		export filter {
  			if net ~ [fd00::/8{48,64}] then accept;
  			reject;
  		};
  	};
  }
  protocol bgp peer_0197_himalia from bgp_peer {
          neighbor fe80::42:42:1%wg0197 as 4242420197;
          source address fe80::42:1;
  }
  protocol bgp peer_0565 from bgp_peer {
 	neighbor fe80::565%wg0565 as 4242420565;
 	source address fe80::2574;
  }
  protocol bgp peer_1271_north from bgp_peer {
  	neighbor fe80::2%wg1271 as 4242421271;
  	source address fe80::1;
  }
  protocol bgp peer_1271_south from bgp_peer {
  	neighbor fe80::1:2%wg1272 as 4242421271;
  	source address fe80::1:1;
  }
  protocol bgp peer_1280_wg1 from bgp_peer {
  	neighbor fde3:4c0d:2836:ff00::20%wg1280 as 4242421280;
  	source address fde3:4c0d:2836:ff00::21;
  }
  protocol bgp peer_1302 from bgp_peer {
  	neighbor fe80::a14d%wg1302 as 4242421302;
  	source address fe80::a14e;
  }
  protocol bgp peer_4719 from bgp_peer {
    neighbor fe80::acab%wg4719 as 64719;
  }
  protocol device {
          scan time 10;
  }
  '';
  clerie.system-auto-upgrade = {
    allowReboot = true;
    autoUpgrade = true;
--- a/hosts/dn42-il-gw1/secrets.json
+++ b/hosts/dn42-il-gw1/secrets.json
@@ -5,21 +5,18 @@
 	"wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]",
 	"wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]",
 	"wg1302": "ENC[AES256_GCM,data:+MzuBPg3ql0/MEnpVvhQTsPIkKB9xnHN9Fk4VlZwK4ijKl+26d6oTSM7/R0=,iv:bPPmhenQLaKTGaDo4rBlKkrXrS1YysRuntbKq6zi2aQ=,tag:lztaTfDGT4kAq+HZMLl0Dw==,type:str]",
 	"wg1718": "ENC[AES256_GCM,data:lB+j2O15O7ogdB+QdutD3V/h8IREMMlpCsnMJWNPXlz196KM6WNNYCV2v5M=,iv:AwrRPQIFu8A14Vs5A9slkCPMkgU3VZxL1YupJnriEHc=,tag:Vpt0C6SFzUXGotdfc1ocmg==,type:str]",
 	"wg4719": "ENC[AES256_GCM,data:hoOOCUGdYFaAQZ6wkgmQl65M1qArvXa826IeJl+BUGf7UX0vxx9J0C2epTE=,iv:+1JcOgzClehkE0Ihd2mmoenPk51OBZMF0bMqapWah/c=,tag:xI5FU+GJU6BER9/n04ccLA==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:aw11Ygfll6llabXkuxtbTcCn1eb4NZX1IwArcXoRJCJSgwDrQZ3HLatov3w=,iv:J2VD5XS+BrIKeFb0NW1UYZUuGPkbjFmooZ93PVK31gw=,tag:2XLSa/2s6LRq3L7UdrTs/g==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1f0hscql4f4w7vyukzeu693xfedsl596dpjekc23q77ylp92zsvcqf9u75t",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-04-28T09:28:04Z",
+		"lastmodified": "2025-06-10T20:51:10Z",
-		"mac": "ENC[AES256_GCM,data:PHdhyie0Ya/nN9Kqj4z+zPyyKZFvGkznkv8Uf3LNSdPKWVtXARZc8Xodm4MjI2HvooryyyMFHkW75Aln02Rlvk3R8oI7rfFZC7s2P+LotumsYgRFf0JOUMxsxOtKW0ehuLy83Bw0rMJQo1gzTgBykcvdc2pkMmALF/vU/1VqgJ4=,iv:0JwcY0Q+8VAiVHYjynhcpsobQXOkK8EBe3QUJ8YUwFE=,tag:9xAcoxAPGxTvHVBydf3u9Q==,type:str]",
+		"mac": "ENC[AES256_GCM,data:9lF4HV0oJyGHXdtYdMxR7+ev7JLAQVr6kE55nLoZcrbC92MHJzQpgM9XAhIynvwdAmC7ARd3orCn6eYkQJDdNX0JjMtebsBE+H4B7mEUCz8wtTN0iHS+oHmQxrqjnoSw2uHh9udgqAJa+sd6VGU3t2XUuuKtVHPwzROqVgvas9M=,iv:KT+BlFeXGZQc5pbBX+XOsmKEydUtir1LuPvseDkFeqw=,tag:hlRskY6b5EAZkUYs7ph/JA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-04-28T09:25:37Z",
@@ -28,6 +25,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.10.2"
 	}
 }
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@@ -4,157 +4,91 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ../../configuration/dn42
    ];
  profiles.clerie.mercury-vm.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  # VM Nat Netz mercury
+    matchConfig.Name = "ens21";
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.25"; prefixLength = 24; } ];
+    address = [
-  # OSPF Netz
+      "2001:638:904:ffc9::a/64"
  networking.interfaces.ens19 = {};
  # Lokales Netz
  networking.interfaces.ens20.ipv6.addresses = [ { address = "fd56:4902:eca0:5::1"; prefixLength = 64; } ];
  # IPv6 Uplink
  networking.interfaces.ens21.ipv6.addresses = [ { address = "2001:638:904:ffc9::a"; prefixLength = 64; } ];
  # Ildix
  networking.interfaces.ens22.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::5"; prefixLength = 64; } ];
  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; };
  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
  petabyte.policyrouting = {
    enable = true;
    rules6 = [
      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
      { rule = "from all to all lookup 2342"; prio = 10000; }
      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
    ];
    routes = [
      { Gateway = "2001:638:904:ffc9::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-nat-netz-mercury" = {
    matchConfig.Name = "ens18";
    address = [
      "192.168.10.25/24"
    ];
    routes = [
      { Gateway = "192.168.10.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-dn42-ospf-netz" = {
    matchConfig.Name = "ens19";
    linkConfig.RequiredForOnline = "no";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-dn42-lokales-netz" = {
    # Aktuell nicht verwendet, da in lo-dn42 umgezogen
    matchConfig.Name = "ens20";
    linkConfig.RequiredForOnline = "no";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-dn42-ildix" = {
    matchConfig.Name = "ens22";
    address = [
      "fd81:edb3:71d8:ffff:2574::5/64"
    ];
    linkConfig.RequiredForOnline = "no";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
-  services.bird2.enable = true;
+  profiles.clerie.dn42-router = {
-  services.bird2.config = ''
+    enable = true;
-  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
+    loopbackIp = "fd56:4902:eca0:5::1";
    routerId = "192.168.10.25";
-  ipv6 table ospf6;
+    ospfInterfaces = [
-  ipv6 table bgp6;
+      "ens19"
    ];
-  protocol direct {
+    ibgpPeers = [
-    interface "ens20";
+      {
-    ipv6 {
+        peerName = "gw1";
-      table ospf6;
+        remoteAddress = "fd56:4902:eca0:1::1";
    };
      }
-
+      {
-  protocol static {
+        peerName = "gw6";
-          ipv6 {
+        remoteAddress = "fd56:4902:eca0:6::1";
                  table bgp6;
          };
          route fd56:4902:eca0::/48 via "lo";
          route fd56:4902:eca0::/52 via "lo";
      }
    ];
-  protocol kernel {
+    bgpPeers = [
-    ipv6 {
+      {
-      table ospf6;
+        peerName = "peer_ildix_clerie";
-      export filter {
+        localAddress = "fd81:edb3:71d8:ffff:2574::5";
-        krt_prefsrc=fd56:4902:eca0:5::1;
+        remoteAddress = "fd81:edb3:71d8:ffff::13";
-        accept;
+        remoteAsn = "4242422953";
      };
      import none;
    };
    kernel table 1337;
      }
-
+      {
-  protocol kernel {
+        peerName = "peer_ildix_nex";
-          ipv6 {
+        localAddress = "fd81:edb3:71d8:ffff:2574::5";
-                  table bgp6;
+        remoteAddress = "fd81:edb3:71d8:ffff::14";
-                  export filter {
+        remoteAsn = "4242422953";
                          krt_prefsrc=fd56:4902:eca0:5::1;
        accept;
                  };
                  import none;
          };
    kernel table 2342;
  }
  protocol ospf v3 {
    ipv6 {
      table ospf6;
      import all;
      export all;
    };
    area 0 {
      interface "ens19" {
        cost 80;
        type broadcast;
      };
    };
  }
  protocol bgp gw1 {
          local as 4242422574;
          graceful restart on;
          neighbor fd56:4902:eca0:1::1 as 4242422574;
          source address fd56:4902:eca0:5::1;
          ipv6 {
                  table bgp6;
                  igp table ospf6;
                  next hop self;
                  import keep filtered;
                  import all;
                  export all;
          };
  }
  protocol bgp gw6 {
          local as 4242422574;
          graceful restart on;
          neighbor fd56:4902:eca0:6::1 as 4242422574;
          source address fd56:4902:eca0:5::1;
          ipv6 {
      table bgp6;
      igp table ospf6;
                  next hop self;
                  import keep filtered;
                  import all;
                  export all;
          };
  }
  template bgp ildix {
    local as 4242422574;
    graceful restart on;
    source address fd81:edb3:71d8:ffff:2574::5;
    ipv6 {
      table bgp6;
      igp table ospf6;
      next hop self;
      import keep filtered;
      import filter {
        if net ~ [fd00::/8{8,64}] then accept;
        reject;
      };
      export filter {
        if net ~ [fd00::/8{8,64}] then accept;
        reject;
      };
    };
  }
  protocol bgp peer_ildix_clerie from ildix {
    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
  }
  protocol bgp peer_ildix_nex from ildix {
    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
      }
    ];
    birdExtraConfig = ''
      # Internal
      protocol bgp peer_2953_dn42_ildix_service {
        local as 4242422574;
@@ -174,11 +108,8 @@
          };
        };
      }
  protocol device {
    scan time 10;
  }
    '';
  };
  clerie.system-auto-upgrade = {
    allowReboot = true;
--- a/hosts/dn42-il-gw6/configuration.nix
+++ b/hosts/dn42-il-gw6/configuration.nix
@@ -4,157 +4,85 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ../../configuration/dn42
    ];
  profiles.clerie.cybercluster-vm.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:6::1"; prefixLength = 64; } ];
+    matchConfig.Name = "ens18";
-  # IPv6 Uplink
+    address = [
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc9::9"; prefixLength = 64; } ];
+      "2001:638:904:ffc9::9/64"
  # Ildix
  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::6"; prefixLength = 64; } ];
  # VM Nat Netz mercury
  networking.interfaces.ens20.ipv4.addresses = [ { address = "192.168.10.26"; prefixLength = 24; } ];
  # OSPF Netz
  networking.interfaces.ens21 = {};
  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens20"; };
  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens18"; };
  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
  petabyte.policyrouting = {
    enable = true;
    rules6 = [
      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
      { rule = "from all to all lookup 2342"; prio = 10000; }
      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
    ];
    routes = [
      { Gateway = "2001:638:904:ffc9::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-nat-netz-mercury" = {
    matchConfig.Name = "ens20";
    address = [
      "192.168.10.26/24"
    ];
    routes = [
      { Gateway = "192.168.10.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-dn42-ospf-netz" = {
    matchConfig.Name = "ens21";
    linkConfig.RequiredForOnline = "no";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-dn42-ildix" = {
    matchConfig.Name = "ens19";
    address = [
      "fd81:edb3:71d8:ffff:2574::6/64"
    ];
    linkConfig.RequiredForOnline = "no";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
-  services.bird2.enable = true;
+  profiles.clerie.dn42-router = {
-  services.bird2.config = ''
+    enable = true;
-  router id ${ (lib.head config.networking.interfaces.ens20.ipv4.addresses).address };
+    loopbackIp = "fd56:4902:eca0:6::1";
    routerId = "192.168.10.26";
-  ipv6 table ospf6;
+    ospfInterfaces = [
-  ipv6 table bgp6;
+      "ens21"
    ];
-  protocol direct {
+    ibgpPeers = [
-    interface "lo";
+      {
-    ipv6 {
+        peerName = "gw1";
-      table ospf6;
+        remoteAddress = "fd56:4902:eca0:1::1";
    };
      }
-
+      {
-  protocol static {
+        peerName = "gw5";
-          ipv6 {
+        remoteAddress = "fd56:4902:eca0:5::1";
                  table bgp6;
          };
          #route fd56:4902:eca0::/48 via "lo";
          #route fd56:4902:eca0::/52 via "lo";
      }
    ];
-  protocol kernel {
+    bgpPeers = [
-          ipv6 {
+      {
-                  table ospf6;
+        peerName = "peer_ildix_clerie";
-                  export filter {
+        localAddress = "fd81:edb3:71d8:ffff:2574::6";
-                          krt_prefsrc=fd56:4902:eca0:6::1;
+        remoteAddress = "fd81:edb3:71d8:ffff::13";
-  			accept;
+        remoteAsn = "4242422953";
                  };
                  import none;
          };
  	kernel table 1337;
      }
-
+      {
-  protocol kernel {
+        peerName = "peer_ildix_nex";
-          ipv6 {
+        localAddress = "fd81:edb3:71d8:ffff:2574::6";
-                  table bgp6;
+        remoteAddress = "fd81:edb3:71d8:ffff::14";
-                  export filter {
+        remoteAsn = "4242422953";
                          krt_prefsrc=fd56:4902:eca0:6::1;
  			accept;
                  };
                  import none;
          };
          kernel table 2342;
  }
  protocol ospf v3 {
          ipv6 {
                  table ospf6;
                  import all;
                  export all;
          };
          area 0 {
                  interface "ens21" {
                          cost 80;
                          type broadcast;
                  };
          };
  }
  protocol bgp gw1 {
          local as 4242422574;
          graceful restart on;
          neighbor fd56:4902:eca0:1::1 as 4242422574;
          source address fd56:4902:eca0:6::1;
          ipv6 {
                  table bgp6;
                  igp table ospf6;
                  next hop self;
                  import keep filtered;
                  import all;
                  export all;
          };
  }
  protocol bgp gw5 {
          local as 4242422574;
          graceful restart on;
          neighbor fd56:4902:eca0:5::1 as 4242422574;
          source address fd56:4902:eca0:6::1;
          ipv6 {
                  table bgp6;
  		igp table ospf6;
  		next hop self;
                  import keep filtered;
                  import all;
                  export all;
          };
  }
  template bgp ildix {
    local as 4242422574;
    graceful restart on;
    source address fd81:edb3:71d8:ffff:2574::6;
    ipv6 {
      table bgp6;
      igp table ospf6;
      next hop self;
      import keep filtered;
      import filter {
        if net ~ [fd00::/8{8,64}] then accept;
        reject;
      };
      export filter {
        if net ~ [fd00::/8{8,64}] then accept;
        reject;
      };
    };
  }
  protocol bgp peer_ildix_clerie from ildix {
    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
  }
  protocol bgp peer_ildix_nex from ildix {
    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
      }
    ];
    birdExtraConfig = ''
      # Internal
      protocol bgp peer_2953_dn42_ildix_service {
        local as 4242422574;
@@ -174,11 +102,8 @@
          };
        };
      }
  protocol device {
          scan time 10;
  }
    '';
  };
  clerie.system-auto-upgrade = {
    allowReboot = true;
--- a/hosts/dn42-ildix-clerie/configuration.nix
+++ b/hosts/dn42-ildix-clerie/configuration.nix
@@ -4,26 +4,47 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
    ];
  profiles.clerie.mercury-vm.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  # VM Nat Netz mercury
+    matchConfig.Name = "ens20";
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.27"; prefixLength = 24; } ];
+    address = [
-  # Ildix
+      "2001:638:904:ffcb::4/64"
-  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff::13"; prefixLength = 64; } ];
+    ];
    routes = [
      { Gateway = "2001:638:904:ffcb::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-nat-netz-mercury" = {
    matchConfig.Name = "ens18";
    address = [
      "192.168.10.27/24"
    ];
    routes = [
      { Gateway = "192.168.10.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-dn42-ildix" = {
    matchConfig.Name = "ens19";
    address = [
      "fd81:edb3:71d8:ffff::13/64"
    ];
    routes = [
      # Route to dn42-ildix-service
-  networking.interfaces.ens19.ipv6.routes = [ { address = "fd81:edb3:71d8::"; prefixLength = 48; via = "fd81:edb3:71d8:ffff:2953::1"; } ];
+      { Destination = "fd81:edb3:71d8::/48"; Gateway = "fd81:edb3:71d8:ffff:2953::1"; }
-
+    ];
-  # public address
+    linkConfig.RequiredForOnline = "no";
-  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffcb::4"; prefixLength = 64; } ];
+    ipv6AcceptRAConfig.DHCPv6Client = "no";
-
+  };
  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens20"; };
  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
  # Open Firewall for BGP
  networking.firewall.allowedTCPPorts = [ 179 ];
@@ -33,9 +54,10 @@
  iptables -A INPUT -p ospfigp -j ACCEPT
  '';
-  services.bird2.enable = true;
+  services.bird.enable = true;
-  services.bird2.config = ''
+  services.bird.package = pkgs.bird2;
-  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
+  services.bird.config = ''
  router id 192.168.10.27;
  protocol direct {
    interface "ens19";
--- a/hosts/dn42-ildix-service/bird.nix
+++ b/hosts/dn42-ildix-service/bird.nix
@@ -1,12 +1,13 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
  networking.firewall.allowedTCPPorts = [ 179 ];
  # something doesn't work right
-  services.bird2.enable = false;
+  services.bird.enable = false;
-  services.bird2.config = ''
+  services.bird.package = pkgs.bird2;
-  router id ${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address};
+  services.bird.config = ''
  router id 192.168.10.28;
  ipv6 table bgp6;
@@ -21,7 +22,7 @@
    ipv6 {
      table bgp6;
      export filter {
-        krt_prefsrc=${(lib.head config.networking.interfaces.lo.ipv6.addresses).address};
+        krt_prefsrc=fd81:edb3:71d8::1;
        accept;
      };
      import none;
--- a/hosts/dn42-ildix-service/configuration.nix
+++ b/hosts/dn42-ildix-service/configuration.nix
@@ -4,11 +4,13 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
+
      ./bird.nix
      ./fernglas.nix
    ];
  profiles.clerie.mercury-vm.enable = true;
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  # boot.loader.grub.efiSupport = true;
@@ -17,21 +19,52 @@
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
-  networking.useDHCP = false;
+  systemd.network.netdevs."10-lo-dn42" = {
-  networking.interfaces.lo.ipv6.addresses = [
+    netdevConfig = {
-    { address = "fd81:edb3:71d8::1"; prefixLength = 128; }
+      Kind = "dummy";
-    { address = "fd81:edb3:71d8::53"; prefixLength = 128; }
+      Name = "lo-dn42";
-  ];
+    };
-  # VM Nat Netz mercury
+  };
  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.28"; prefixLength = 24; } ];
  # ildix peering lan
  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2953::1"; prefixLength = 64; } ];
  # IPv6 Uplink
  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::c"; prefixLength = 64; } ];
-  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
+  systemd.network.networks."10-lo-dn42" = {
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+    matchConfig.Name = "lo-dn42";
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+    address = [
      "fd81:edb3:71d8::1/128"
      "fd81:edb3:71d8::53/128"
    ];
    linkConfig.RequiredForOnline = "no";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-wan" = {
    matchConfig.Name = "ens20";
    address = [
      "2001:638:904:ffc9::c/64"
    ];
    routes = [
      { Gateway = "2001:638:904:ffc9::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-nat-netz-mercury" = {
    matchConfig.Name = "ens18";
    address = [
      "192.168.10.28/24"
    ];
    routes = [
      { Gateway = "192.168.10.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-dn42-ildix" = {
    matchConfig.Name = "ens19";
    address = [
      "fd81:edb3:71d8:ffff:2953::1/64"
    ];
    linkConfig.RequiredForOnline = "no";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  services.nginx.enable = true;
--- a/hosts/dn42-ildix-service/fernglas.nix
+++ b/hosts/dn42-ildix-service/fernglas.nix
@@ -5,20 +5,21 @@
  services.fernglas = {
    enable = true;
    useMimalloc = false;
    settings = {
      api.bind = "[::1]:3000";
-      collectors = [
+      collectors = {
-        {
+        bgp_any = {
          collector_type = "Bgp";
          bind = "[::]:1179";
          default_peer_config = {
            asn = 4242422953;
-            router_id = "${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address}";
+            router_id = "192.168.10.28";
            route_state = "Accepted";
            add_path = true;
          };
-        }
+        };
-      ];
+      };
    };
  };
--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
@@ -4,19 +4,20 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/router
    ];
  profiles.clerie.hetzner-cloud.enable = true;
  profiles.clerie.router.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  # Network
+    address = [
-  networking.interfaces.ens3.ipv4.addresses = [ { address = "78.47.183.82"; prefixLength = 32; } ];
+      "2a01:4f8:c0c:15f1::1/64"
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:15f1::1"; prefixLength = 64; } ];
+      "78.47.183.82/32"
-  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
+    ];
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+  };
  networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
  networking.nat = {
    enable = true;
@@ -73,7 +74,7 @@
        {
          # palladium
          allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ];
-          publicKey = "kxn69ynVyPJeShsAlVz5Xnd7U74GmCAw181b0+/qj3k=";
+          publicKey = "AetxArlP6uiPEPnrk9Yx+ofhBOgOY4NLTqcKM/EA9mk=";
        }
        #{
        #  allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
@@ -114,6 +115,11 @@
          allowedIPs = [ "2a01:4f8:c0c:15f1::8111/128" "10.20.30.111/32" ];
          publicKey = "o6qxGKIoW2ZSFhXeNRXd4G9BRFeYyjZsrUPulB3KhTI=";
        }
        {
          # tungsten
          allowedIPs = [ "2a01:4f8:c0c:15f1::8112/128" "10.20.30.112/32" ];
          publicKey = "OI5/psr3ShrwRqKTTr3Kv92OVRietTcMFNVXtsYybRo=";
        }
      ];
      listenPort = 51820;
      allowedIPsAsRoutes = false;
@@ -125,6 +131,7 @@
  clerie.nginx-port-forward = {
    enable = true;
    resolver = "127.0.0.53";
    tcpPorts."443" = {
      host = "localhost";
      port = 22;
--- a/hosts/hydra-1/configuration.nix
+++ b/hosts/hydra-1/configuration.nix
@@ -4,14 +4,15 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ../../configuration/hydra-build-machine
      ./build-machines.nix
      ./hydra.nix
      ./nix-cache.nix
    ];
  profiles.clerie.mercury-vm.enable = true;
  profiles.clerie.hydra-build-machine.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
@@ -21,12 +22,28 @@
    "aarch64-linux"
  ];
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::a"; prefixLength = 64; } ];
+    matchConfig.Name = "ens18";
-  networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.36"; prefixLength = 24; } ];
+    address = [
-  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
+      "2001:638:904:ffcb::a/64"
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
+    ];
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+    routes = [
      { Gateway = "2001:638:904:ffcb::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-nat-netz-mercury" = {
    matchConfig.Name = "ens19";
    address = [
      "192.168.10.36/24"
    ];
    routes = [
      { Gateway = "192.168.10.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  services.nginx.enable = true;
--- a/hosts/hydra-2/configuration.nix
+++ b/hosts/hydra-2/configuration.nix
@@ -4,10 +4,11 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ../../configuration/hydra-build-machine
    ];
  profiles.clerie.cybercluster-vm.enable = true;
  profiles.clerie.hydra-build-machine.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
@@ -17,12 +18,19 @@
    "aarch64-linux"
  ];
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::100"; prefixLength = 64; } ];
+    matchConfig.Name = "ens18";
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "141.24.50.112"; prefixLength = 24; } ];
+    address = [
-  networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
+      "2001:638:904:ffc1::100/64"
-  networking.defaultGateway = { address = "141.24.50.1"; interface = "ens18"; };
+      "141.24.50.112/24"
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+    ];
    routes = [
      { Gateway = "2001:638:904:ffc1::1"; }
      { Gateway = "141.24.50.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  clerie.monitoring = {
    enable = true;
--- a/hosts/krypton/configuration.nix
+++ b/hosts/krypton/configuration.nix
@@ -9,6 +9,7 @@
      ./android.nix
      ./backup.nix
      ./etesync-dav.nix
      #./initrd.nix
      ./network.nix
      ./programs.nix
--- a/hosts/krypton/etesync-dav.nix
+++ b/hosts/krypton/etesync-dav.nix
@@ -0,0 +1,10 @@
 { ... }:
 {
  services.etesync-dav = {
    enable = true;
    apiUrl = "https://etebase.clerie.de";
  };
 }
--- a/hosts/krypton/network.nix
+++ b/hosts/krypton/network.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
-  services.wg-clerie = {
+  profiles.clerie.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8011/128" ];
    ipv4s = [ "10.20.30.11/32" ];
--- a/hosts/krypton/programs.nix
+++ b/hosts/krypton/programs.nix
@@ -1,9 +1,7 @@
 { pkgs, ... }:
 {
-  environment.systemPackages = with pkgs; [
+  profiles.clerie.firefox.enable = true;
    firefox-wayland
  ];
  users.users.clerie.packages = with pkgs; [
    keepassxc
@@ -25,10 +23,11 @@
    tcpdump
    nmap
-    okular
+    kdePackages.okular
    chromium-incognito
    print-afra
    git-show-link
    factorio-launcher
  ];
--- a/hosts/mail-2/configuration.nix
+++ b/hosts/mail-2/configuration.nix
@@ -4,16 +4,21 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/hetzner-cloud
      ./mailcow.nix
    ];
  profiles.clerie.hetzner-cloud.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:1c1c:9577::1"; prefixLength = 64; } ];
+  systemd.network.networks."10-wan" = {
-  networking.interfaces.ens3.ipv4.addresses = [ { address = "5.75.187.112"; prefixLength = 32; } ];
+    address = [
      "2a01:4f8:1c1c:9577::1/64"
      "5.75.187.112/32"
    ];
  };
  clerie.backup = {
    enable = true;
--- a/hosts/monitoring-3/alertmanager.nix
+++ b/hosts/monitoring-3/alertmanager.nix
@@ -63,6 +63,18 @@
            "instance"
          ];
        }
        {
          target_matchers = [
            ''alertname = "StorageAlmostFull"''
          ];
          source_matchers = [
            ''alertname = "StorageFull"''
          ];
          equal = [
            "instance"
            "mountpoint"
          ];
        }
      ];
    };
  };
--- a/hosts/monitoring-3/blackbox.nix
+++ b/hosts/monitoring-3/blackbox.nix
@@ -25,6 +25,48 @@
            fail_if_not_ssl: true
            fail_if_body_not_matches_regexp:
              - "Synapse is running"
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
        http4:
          prober: http
          http:
            preferred_ip_protocol: ip4
            ip_protocol_fallback: false
            fail_if_ssl: true
            follow_redirects: false
            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
        http6:
          prober: http
          http:
            preferred_ip_protocol: ip6
            ip_protocol_fallback: false
            fail_if_ssl: true
            follow_redirects: false
            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
        https4:
          prober: http
          http:
            preferred_ip_protocol: ip4
            ip_protocol_fallback: false
            fail_if_not_ssl: true
            follow_redirects: false
            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
        https6:
          prober: http
          http:
            preferred_ip_protocol: ip6
            ip_protocol_fallback: false
            fail_if_not_ssl: true
            follow_redirects: false
            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
            headers:
              User-Agent: "monitoring.clerie.de, blackbox exporter"
    '';
  };
 }
--- a/hosts/monitoring-3/configuration.nix
+++ b/hosts/monitoring-3/configuration.nix
@@ -4,25 +4,43 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ./alertmanager.nix
      ./berlinerbaeder-exporter.nix
      ./blackbox.nix
      ./grafana.nix
      ./nixos-validator.nix
      ./prometheus.nix
      ./targets.nix
      ./uptimestatus.nix
    ];
  profiles.clerie.mercury-vm.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.32"; prefixLength = 24; } ];
+    matchConfig.Name = "ens19";
-  networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffca::7"; prefixLength = 64; } ];
+    address = [
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+      "2001:638:904:ffca::7/64"
-  networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens19"; };
+    ];
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+    routes = [
      { Gateway = "2001:638:904:ffca::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-nat-netz-mercury" = {
    matchConfig.Name = "ens18";
    address = [
      "192.168.10.32/24"
    ];
    routes = [
      { Gateway = "192.168.10.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  services.prometheus.exporters.node.enable = true;
--- a/hosts/monitoring-3/grafana.nix
+++ b/hosts/monitoring-3/grafana.nix
@@ -38,6 +38,10 @@
        enableACME = true;
        forceSSL   = true;
        locations."/".proxyPass = "http://[::1]:3001/";
        locations."= /api/live/ws" = {
          proxyPass = "http://[::1]:3001";
          proxyWebsockets = true;
        };
      };
    };
  };
--- a/hosts/monitoring-3/prometheus.nix
+++ b/hosts/monitoring-3/prometheus.nix
@@ -55,6 +55,11 @@ let
  eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
 in {
  sops.secrets.uberspace-monitor-password = {
    owner = "prometheus";
    group = "prometheus";
  };
  networking.hosts = {
    "::1" = [ "monitoring-3.mon.clerie.de" ]; # fd00:327:327:327::1
  }
@@ -126,6 +131,42 @@ in {
          relabelAddressToInstance
        ];
      }
      {
        job_name = "node-exporter-uberspace";
        scrape_interval = "20s";
        metrics_path = "/.node-exporter/metrics";
        basic_auth = {
          username = "monitor";
          password_file = config.sops.secrets.uberspace-monitor-password.path;
        };
        static_configs = [
          {
            targets = map (target: "${target};infra") config.profiles.clerie.monitoring-server.probeTargets.node-exporter-uberspace;
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            regex = "(.+);(.+)";
            target_label = "service_level";
            replacement = "\${2}";
          }
          {
            source_labels = [ "__address__" ];
            regex = "(.+);(.+)";
            target_label = "__address__";
            replacement = "\${1}";
          }
          {
            source_labels = [ "__address__" ];
            target_label = "instance";
          }
          {
            target_label = "job";
            replacement = "node-exporter";
          }
        ];
      }
      {
        job_name = "nixos-exporter";
        scrape_interval = "1m";
@@ -156,7 +197,7 @@ in {
          relabelAddressToInstance
          {
            target_label = "__address__";
-            replacement = "[::1]:9153";
+            replacement = "monitoring-3.mon.clerie.de:9153";
          }
        ];
      }
@@ -181,17 +222,7 @@ in {
        };
        static_configs = [
          {
-            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [
+            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp6;
              "clerie.de"
              "tagesschau.de"
              "google.com"
              "achtbaan.nikhef.nl"
              "fluorine.net.clerie.de"
              "www.fem.tu-ilmenau.de"
              "www.heise.de"
              "dyon.net.entr0py.de"
              "matrix.fachschaften.org"
            ];
          }
        ];
        relabel_configs = [
@@ -223,18 +254,7 @@ in {
        };
        static_configs = [
          {
-            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [
+            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp4;
              "clerie.de"
              "tagesschau.de"
              "google.com"
              "achtbaan.nikhef.nl"
              "www.fem.tu-ilmenau.de"
              "www.heise.de"
              "matrix.bau-ha.us"
              "dyon.net.entr0py.de"
              "matrix.entr0py.de"
              "matrix.fachschaften.org"
            ];
          }
        ];
        relabel_configs = [
@@ -266,10 +286,7 @@ in {
        };
        static_configs = [
          {
-            targets = [
+            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-synapse;
              "matrix.entr0py.de"
              "matrix.fachschaften.org"
            ];
          }
        ];
        relabel_configs = [
@@ -349,6 +366,122 @@ in {
          relabelAddressToInstance
        ];
      }
      {
        job_name = "blackbox_local_http6";
        scrape_interval = "100s";
        metrics_path = "/probe";
        params = {
          module = [ "http6" ];
        };
        static_configs = [
          {
            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            target_label = "__param_target";
            replacement = "http://\${1}";
          }
          {
            source_labels = [ "__address__" ];
            target_label = "target";
          }
          {
            target_label = "__address__";
            replacement = "monitoring-3.mon.clerie.de:9115";
          }
          relabelAddressToInstance
        ];
      }
      {
        job_name = "blackbox_local_http4";
        scrape_interval = "100s";
        metrics_path = "/probe";
        params = {
          module = [ "http4" ];
        };
        static_configs = [
          {
            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            target_label = "__param_target";
            replacement = "http://\${1}";
          }
          {
            source_labels = [ "__address__" ];
            target_label = "target";
          }
          {
            target_label = "__address__";
            replacement = "monitoring-3.mon.clerie.de:9115";
          }
          relabelAddressToInstance
        ];
      }
      {
        job_name = "blackbox_local_https6";
        scrape_interval = "100s";
        metrics_path = "/probe";
        params = {
          module = [ "https6" ];
        };
        static_configs = [
          {
            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            target_label = "__param_target";
            replacement = "https://\${1}";
          }
          {
            source_labels = [ "__address__" ];
            target_label = "target";
          }
          {
            target_label = "__address__";
            replacement = "monitoring-3.mon.clerie.de:9115";
          }
          relabelAddressToInstance
        ];
      }
      {
        job_name = "blackbox_local_https4";
        scrape_interval = "100s";
        metrics_path = "/probe";
        params = {
          module = [ "https4" ];
        };
        static_configs = [
          {
            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
          }
        ];
        relabel_configs = [
          {
            source_labels = [ "__address__" ];
            target_label = "__param_target";
            replacement = "https://\${1}";
          }
          {
            source_labels = [ "__address__" ];
            target_label = "target";
          }
          {
            target_label = "__address__";
            replacement = "monitoring-3.mon.clerie.de:9115";
          }
          relabelAddressToInstance
        ];
      }
      {
        job_name = "hydra";
        scrape_interval = "20s";
@@ -375,6 +508,19 @@ in {
          relabelAddressToInstance
        ];
      }
      {
        job_name = "clerie_keys";
        scrape_interval = "5m";
        scheme = "https";
        metrics_path = "/gpg/clerie@clerie.de.metrics.txt";
        static_configs = [
          {
            targets = [
              "clerie.de"
            ];
          }
        ];
      }
    ];
    alertmanagers = [
      {
--- a/hosts/monitoring-3/rules.yml
+++ b/hosts/monitoring-3/rules.yml
@@ -17,14 +17,22 @@ groups:
    annotations:
      summary: "Current system of {{ $labels.instance }} not in sync with config"
      description: "The current system hash of {{ $labels.instance }} does not match the one generated by hydra based on the current config"
-  - alert: BackupStorageFull
+  - alert: StorageFull
-    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 5
+    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 5
    for: 30m
    labels:
      severity: critical
    annotations:
      summary: "Storage of {{ $labels.instance }} is full"
      description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is full"
  - alert: StorageAlmostFull
    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 10
    for: 30m
    labels:
      severity: warning
    annotations:
      summary: "Storage of {{ $labels.instance }} is almost full"
      description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is almost full"
  - alert: ClerieBackupJobLastSuccessfulRunBehind
    expr: time() - last_over_time(clerie_backup_last_successful_run_time{}[5m]) >= 9000
    for: 5m
@@ -65,3 +73,25 @@ groups:
    annotations:
      summary: "Synapse of {{ $labels.target }} unavailable"
      description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage"
  - alert: ClerieKeysExpire
    expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 1209600
    labels:
      severity: critical
    annotations:
      summary: "GPG {{ $labels.fingerprint }} is expiring"
      description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then two weeks"
  - alert: ClerieKeysAlmostExpire
    expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 3628800
    labels:
      severity: warning
    annotations:
      summary: "GPG {{ $labels.fingerprint }} is expiring soon"
      description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
  - alert: NadjaTopIPv4ProxyBroken
    expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
    for: 5m
    labels:
      severity: critical
    annotations:
      summary: "blog.nadja.top unreachable via IPv4"
      description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
--- a/hosts/monitoring-3/secrets.json
+++ b/hosts/monitoring-3/secrets.json
@@ -1,4 +1,5 @@
 {
 	"uberspace-monitor-password": "ENC[AES256_GCM,data:NfM9jxZAMkSGFlPYxreP7LJkr9gA2llyVw96okIKNUQ=,iv:z/LW643T36HpKo/xhHcVnF0EqhEXdoiEkDMH6NQzN9A=,tag:KXR2+kizv3To0EvZ66ak9w==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:kYFhMbqL7b0rwE2XIaR4QVT8ahoODmpXKzK5gvkODFJVklubwCmq2bLJk94=,iv:eR+VjxdtS4et9I4okzHyA+if1Rxj2/MuiC0CrWXd0Bg=,tag:rMaYMTvO6gWw6WegehDBFQ==,type:str]",
 	"xmpp-password": "ENC[AES256_GCM,data:eBZsBYqo+juLrYZjBqTcKFirHViRsul+wt6kkOmMhCp4xU7Ou8eJAPCOuhvHcUGxRE44L0yIyUObhRgAj0T5QA==,iv:DsLJ3qCZyrdolJBZFT9FJUNQ75pc8Vz32K2a8RJHuLc=,tag:wOxs2Ulw1aSMadWfjGSKsw==,type:str]",
 	"sops": {
@@ -12,8 +13,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxOGNMcm9vRWxMZjBwcmVS\nVGVoS2kwSmZjOHdGMXQwUmlzV3hhbGhhOVhzCkljQi94aUtORldKOFdqeVNXYnJQ\ndS9Vc0hRRisyL1dESk1NOTQ1dVJyMDgKLS0tIE54VlU1cVRXWXRlVGU5RzR5dXkv\nSEZJeElpWDdJYW9WNWxGLzdjdGR1YUUKGZwFPOc4MD97FBRtj1Py4A9Tz/HlzHcK\nX6nYgkYSUycM4g4d3+N+1NKutfWJ7KheuTlhNRDftyLYmmo5wyEtrw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-04-21T17:08:58Z",
+		"lastmodified": "2025-03-07T20:23:25Z",
-		"mac": "ENC[AES256_GCM,data:UucT7OiO9S3FcO9b1UKPQYXi7v3Ak7/J/VkDN4P9fssS4nky6PyX4oV5UvGcuR3p0pxLAHGJ4rOXj5QbnOqwDqmHfCnoqdItAlXRT1YPdSrelQ/gHyOfexsuV1XLOUS/OXJoYEi3ymKtza4rMIZow+du0YkRxrJQjwM0y8XSa3I=,iv:mDBaVhbHCLdxx5DC7urPPDdVPsCPYqKgLRwfqjLFdnU=,tag:Wpq6ihxIr/eceG12gpOJwQ==,type:str]",
+		"mac": "ENC[AES256_GCM,data:6GY06rVSKtQqaV5kLgTU4Wlu+e+dkNhxaPkJqKE8hrfJzO85WU6/iLvuv4ai0u+cUeWcOZatskzUeaVL/NjrRZnsNnxUqWbljLs8//0uUln71D/DWE4Vpb6Uz9I2iHG2Gftv3iyYF3nucrHiSTvyLzb9fDL+eGv0CHa/KmYk97g=,iv:f6xqDtHoBy7h7KRr2J0kYcaf6indqnRrJsYdcv9EHJs=,tag:uliCg2x92qY9SN9hg08Iuw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-04-21T17:08:30Z",
@@ -22,6 +23,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.9.4"
 	}
 }
--- a/hosts/monitoring-3/targets.nix
+++ b/hosts/monitoring-3/targets.nix
@@ -0,0 +1,7 @@
 { ... }:
 {
  profiles.clerie.monitoring-server.targets = builtins.fromJSON (builtins.readFile ../../monitoring/targets.json);
 }
--- a/hosts/nonat/configuration.nix
+++ b/hosts/nonat/configuration.nix
@@ -4,28 +4,33 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ../../configuration/router
    ];
  profiles.clerie.mercury-vm.enable = true;
  profiles.clerie.router.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  # Network
+    matchConfig.Name = "ens18";
-  networking.interfaces.ens18.ipv4.addresses = [
+    address = [
-    { address = "141.24.46.169"; prefixLength = 24; }
+      "2001:638:904:ffca::6/64"
      "141.24.46.169/24"
    ];
-  networking.interfaces.ens18.ipv6.addresses = [
+    routes = [
-    { address = "2001:638:904:ffca::6"; prefixLength = 64; }
+      { Gateway = "141.24.46.1"; }
      { Gateway = "2001:638:904:ffca::1"; }
    ];
-  networking.defaultGateway = { address = "141.24.46.1"; interface = "ens18"; };
+    linkConfig.RequiredForOnline = "routable";
-  networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens18"; };
+  };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.networks."10-nat-netz-mercury" = {
-
+    matchConfig.Name = "ens19";
-  networking.interfaces.ens19.ipv4.addresses = [
+    address = [
-    { address = "192.168.10.1"; prefixLength = 24; }
+      "192.168.10.1/24"
    ];
    linkConfig.RequiredForOnline = "no";
  };
  networking.nat = {
    enableIPv6 = true;
--- a/hosts/osmium/configuration.nix
+++ b/hosts/osmium/configuration.nix
@@ -4,12 +4,13 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
      ./nixfiles-updated-inputs.nix
      ./polkit-test.nix
    ];
  profiles.clerie.mercury-vm.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
@@ -19,12 +20,28 @@
    "aarch64-linux"
  ];
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.29"; prefixLength = 24; } ];
+    matchConfig.Name = "ens19";
-  networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffc7::6"; prefixLength = 64; } ];
+    address = [
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+      "2001:638:904:ffc7::6/64"
-  networking.defaultGateway6 = { address = "2001:638:904:ffc7::1"; interface = "ens19"; };
+    ];
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+    routes = [
      { Gateway = "2001:638:904:ffc7::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-nat-netz-mercury" = {
    matchConfig.Name = "ens18";
    address = [
      "192.168.10.29/24"
    ];
    routes = [
      { Gateway = "192.168.10.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  environment.systemPackages = with pkgs; [
    git
--- a/hosts/palladium/backup-scripts.nix
+++ b/hosts/palladium/backup-scripts.nix
@@ -1,44 +0,0 @@
 { pkgs, ... }:
 let
  cb-mount = pkgs.writeScriptBin "cb-mount" ''
  #!${pkgs.bash}/bin/bash
  DEVICE=/dev/disk/by-path/pci-0000:00:12.0-ata-2-part1
  ${pkgs.cryptsetup}/bin/cryptsetup luksOpen ''${DEVICE} external-drive
  mkdir -p /mnt/external-drive
  mount /dev/mapper/external-drive /mnt/external-drive
  mkdir -p /mnt/external-drive/clerie-backup
  chown borg:borg -R /mnt/external-drive/clerie-backup
  '';
  cb-unmount = pkgs.writeScriptBin "cb-unmount" ''
  #!${pkgs.bash}/bin/bash
  umount /mnt/external-drive
  ${pkgs.cryptsetup}/bin/cryptsetup luksClose external-drive
  '';
  cb-prepare = pkgs.writeScriptBin "cb-prepare" ''
  echo "Formatting disk"
  sgdisk -Z /dev/disk/by-path/pci-0000:00:12.0-ata-2
  sgdisk -N 1 /dev/disk/by-path/pci-0000:00:12.0-ata-2
  partprobe /dev/disk/by-path/pci-0000:00:12.0-ata-2
  echo "Creating encrypted partition"
  ${pkgs.cryptsetup}/bin/cryptsetup luksFormat -c aes-xts-plain64 --hash=sha256 -s 256 /dev/disk/by-path/pci-0000:00:12.0-ata-2-part1
  echo "Opening encrypted partition"
  ${pkgs.cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-path/pci-0000:00:12.0-ata-2-part1 external-drive
  echo "Creating file system"
  mkfs.ext4 /dev/mapper/external-drive
  echo "Closing encrypted partition"
  ${pkgs.cryptsetup}/bin/cryptsetup luksClose external-drive
  '';
 in {
  environment.systemPackages = [ cb-mount cb-unmount cb-prepare ];
 }
--- a/hosts/palladium/configuration.nix
+++ b/hosts/palladium/configuration.nix
@@ -5,52 +5,61 @@
    [
      ./hardware-configuration.nix
-      ./backup-scripts.nix
+      ./restic-server.nix
      ./wg-b-palladium.nix
    ];
-  boot.loader.systemd-boot.enable = true;
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "nodev";
  boot.loader.grub.efiSupport = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub.extraConfig = "
    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
    terminal_input console serial
    terminal_output gfxterm serial
  ";
-  networking.useDHCP = false;
+  boot.initrd.luks = {
-  networking.interfaces.enp3s0.ipv6.addresses = [
+    devices.lvm = {
-    { address = "fd00:152:152:4::11"; prefixLength = 64; }
+      device = "/dev/disk/by-uuid/f5597381-b59b-4f19-94b7-fd69aac43d6f";
-    { address = "2001:4cd8:100:1337::11"; prefixLength = 64; }
+      bypassWorkqueues = true;
    };
    devices.crypt-storage-palladium = {
      device = "/dev/disk/by-uuid/c54396c0-b5d3-4e61-9ef7-483fa2b4a56d";
    };
  };
  boot.swraid.enable = true;
  systemd.network.networks."10-wan" = {
    matchConfig.Name = "enp3s0";
    address = [
      "fd00:152:152:4::11/64"
    ];
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp3s0"; };
+    networkConfig.DHCP = true;
-  networking.nameservers = [ "fd00:152:152::1" ];
+    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  # Keeping the harddrives quiet
  services.udev.extraRules = ''
    KERNEL=="sd?[0-9]", ENV{ID_MODEL}=="ST1000DM003-1SB102", ACTION=="add", RUN+="${pkgs.hdparm}/sbin/hdparm -S 24 /dev/%k"
  '';
-  services.borgbackup.repos = {
+  profiles.clerie.wg-clerie = {
-    clerie-backup = {
+    enable = true;
-      path = "/mnt/palladium/clerie-backup";
+    ipv6s = [ "2a01:4f8:c0c:15f1::8103/128" ];
-      authorizedKeysAppendOnly = [
+    ipv4s = [ "10.20.30.103/32" ];
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyk716RnbenPMkhLolyIkU8ywUSg8x7hjsXFFQoJx4I root@clerie-backup"
      ];
  };
    external-drive = {
      path = "/mnt/external-drive/clerie-backup";
      authorizedKeysAppendOnly = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPuh74Esdp8JPgIZzM372DaCwtAl2QNtRratnIFG0NRB root@clerie-backup"
      ];
    };
  };
  # Disable automatic directory creation for external-drive repo
  # The directory gets created by the disk formatting script
  # Correct permissons will be set right after mounting
  # This prevents borg from filling up the root drive when no drive is mounted
  systemd.services.borgbackup-repo-external-drive.enable = false;
  clerie.monitoring = {
    enable = true;
    id = "206";
-    pubkey = "fHOYNZ5I3E2JPrd9dUrNBmu75weX4KbDih5q+GCk8Xk=";
+    pubkey = "2Q8mO4Y09Oi9CCfUUvWpZ8yIQezwtE94tz6ZbA0EDwE=";
  };
-  system.stateVersion = "21.03";
+  system.stateVersion = "25.05";
 }
--- a/hosts/palladium/hardware-configuration.nix
+++ b/hosts/palladium/hardware-configuration.nix
@@ -9,26 +9,37 @@
    ];
  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/b217f1e1-1337-4ef0-bad5-15829ba32c7a";
+    { device = "/dev/disk/by-uuid/fbd14cd4-e402-4ad6-b801-8826d6cfc0fb";
      fsType = "ext4";
    };
  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/7A6B-3444";
+    { device = "/dev/disk/by-uuid/8B45-EBB4";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
-  fileSystems."/mnt/palladium" =
+  fileSystems."/data" =
-    { device = "/dev/disk/by-uuid/f20d20ca-6be5-4b16-81fe-e66f31ffd108";
+    { device = "/dev/disk/by-uuid/e7c41c4d-89d8-4083-ac6e-abbccbebf551";
      fsType = "ext4";
    };
-  swapDevices = [ ];
+  swapDevices =
    [ { device = "/dev/disk/by-uuid/6ca5e48f-9b99-4722-b21b-c6f298610157"; }
    ];
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/palladium/restic-server.nix
+++ b/hosts/palladium/restic-server.nix
@@ -0,0 +1,20 @@
 { ... }:
 {
  services.restic.server = {
    enable = true;
    privateRepos = true;
    dataDir = "/data/backup";
    listenAddress = "[::]:43242";
  };
  # restic rest server does not support --htpasswd-file in the current version of nixpkgs
  # until then we copy the secrets to the common location
  sops.secrets.restic-server-backup-htpasswd = {
    path = "/data/backup/.htpasswd";
    owner = "restic";
    group = "restic";
  };
  networking.firewall.interfaces.wg-b-palladium.allowedTCPPorts = [ 43242 ];
 }
--- a/hosts/palladium/secrets.json
+++ b/hosts/palladium/secrets.json
@@ -1,5 +1,8 @@
 {
-	"wg-monitoring": "ENC[AES256_GCM,data:ip6L61RXAVxaPqizhNTr6zVvKgd40CAsgeNFoAXMARM1nl146ayHK2q7mhc=,iv:G4WLmcPpJOxTcW0bHuEwWmth6u8fYoH7GmpkMo8Z3TQ=,tag:xJ+wCVEUMdqfXPcwgr9WSw==,type:str]",
+	"restic-server-backup-htpasswd": "ENC[AES256_GCM,data:ouHDwNJ3UQID54qq+6tEc9Zmpa/i5jDMvzIw5baBV4oGy27JI+f40A6tqmQlbRRsX68XhMhfRcpczfTDmf2tFV7TcWB4yA==,iv:PkjCOHFQxbBvYdmOhARJUNUUsAbJiEDnLDM1UWZhHXA=,tag:3cGdkx0xNdtse9hHPa9mUQ==,type:str]",
 	"wg-b-palladium": "ENC[AES256_GCM,data:VBDyrDYwICbiND8jfkiIr/3oDtP1X9817WhonFYXNSTPZHziEY7U886/DFc=,iv:syqo77FROChv4WKgiGWCUa2ziH2Ds14CT5vVRxGmEvQ=,tag:X2G3JUrabXYmsKPBltOafw==,type:str]",
 	"wg-clerie": "ENC[AES256_GCM,data:fLGZCRbnDrSWQ+9Q/7l3DUKOgw7blcHpd8svHMZFEKMoTfGeZCc37oKAOKU=,iv:GlPXkeVnzSzAnpdSGIydZP+hhEshJ3X/N1fhwJk5Ol4=,tag:0E9RhBPha0Gun6KUNtvYUg==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:3RHk/VI8t9ba/qiWqLkwIxaOt+e0yXw7+f1qpIVdr3JE2NzkVvX6aeP3o2Q=,iv:f4VIK1oyaUilCia1EfEiL18a3zk4+7Ol4ihyhzPounw=,tag:XeTI3iL4qIPS+Z+PDJRGrA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -7,20 +10,20 @@
 		"hc_vault": null,
 		"age": [
 			{
-				"recipient": "age1tl2cd730ctn6jcgg0vf8c5gg9722umk30zwvcwxhejh26p3gt3ds92msyx",
+				"recipient": "age1s3f9hxcd89dk3st2r5funjw7cjcq85nuz4gq8w0aplky9v2wqy7qwukagx",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNHllOHpoYkNyQXMwL002\nRDR4eFVRemc4bW8vYS9GWHFkcmpRbWFFc2tzCmFjV1ZNTzhOYjM4VWltRGhaQ0RP\naC9vN2hrM3NSTDlSd1ZJTldXamJ4NUUKLS0tIDFuUzRKWWQrUFU1SXNqdEV2R1lM\nWXU1by9rYTBINTVralo0TTJmSEZHMm8KYEggCHnOyMcQSdJ9+Ujf61OANuja0ZIf\n+wa9ugc2OZrOYepkjN5X/bETdKfU33pIAL208N9HcOttfhcZq70yUQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY3p1Mi85WTNxK2U5bFVP\ncmlFRXNlK2dWMUt1eW1abzIrb0liR043VHpnClIvaHZ1VWxRSFR3ajc0MmJyMFAw\nSWdVclB2OGJqUjNXTmI4MktXVTVQbncKLS0tIFpJTTZJRmJGeE1xNFFScE81R29J\nR3MzOGY1cVhmalNEaHdyWjkyaHVRTDAKXyz/+WdHsC2AppYNf3/W1xx2Zcfg4p50\nCAamBntNMUK8zYLdhoSBT54qVYJJuYZ6eD6WOIZrdCK4HKGy0d13uw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-05-10T13:25:28Z",
+		"lastmodified": "2025-04-18T08:56:54Z",
-		"mac": "ENC[AES256_GCM,data:fLw0q9h+rlAAiXjtCJeGPi0COEt/UvApRiOpE+ydSrD/jXy+vh2OVW57UZPRBCP1mWtqfUJLiT1BZyOWor7dsPfTvaxCQmYhGcKBLucFEaiUovGgVjxJloD8hDJvSG9SJnlIiDobMsG87MsEWpi70oAbQu3/d4JT1BPSaRpvsjI=,iv:iS7tFqZMa0OzA5ASKPS6CSNTJYYJ0zhjLmBcipjLapg=,tag:Lspazw8Pi5Dxqcrk35A6tA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:QEEcjNqO+tXpl/4TWx+r8WT+ZsdoBw/CBiz6XpG8rsIl0prBWtQ8YW/DeYAxLPMOlb55HuDsneLEpR2DsBB1x6b0lSyjES/hgMRkweKczFLRxrhHh3qXff/wK9sDaEPLvEzvH99x63+1dAZh7z8CVESDTt8QLKK1qCxOf36QNdc=,iv:NbYc0qz0AUGKWpwKg/1QCuTnZ1+m+e6tQxWAuDogVrw=,tag:JEPtLP7V3N+Lx/quMGq/AQ==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2024-05-10T13:25:16Z",
+				"created_at": "2025-04-15T17:32:56Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+KsEUiNCgfajBMEEFsqHqNG3utLNQSLOd6VX/Rk56CjT9\nUtfiCdZCSzrtyT3Anu72auTJ+PHNAVhhHPcDiUcwY9JYXEXNETzEn0U/byS+kvOD\nNTpcpR1gSxJCj1aDqDDpfQQ02hSpKO4iw0B71gKcekUXcD2AQeeW0Djq60CusWVk\nRgC3odnyTr1CN1+JRtKVZKIa78rfOkyhmFP2G2gvsSHhUBd5RtMhJdfYVUTMIKXO\nQFB2IGCoIzE0zDitCcAZ8q6Dc8lBuAvNSiVkFanJn7e7etU3JwDhYsZKRO7jvNX3\nmjHnQ9vf0idCWAi0oabZQ1OGdwPbtjssxmQkzzR8R/paw+iRB50i1UG3/5ehXTV4\nTp/2rEwrsF8jO1bahTcrJirR7RPLEy2BvJ4ALzmEYrIoEwWuCIexrY+e2C2rXpy5\nK2+9Ch0YCaz8sc700bgO5ZkyvnmnbVJxGCaMGQtT9LXiEWvc36sUXhbEGJ0K782Z\n7uVFRs4xWsrUQHo8lFTfW/vLZDq7FvkGnDf5xnoEJp4BNYvYmMmsFiaygkbbqEdH\n2aHRCam9q5zcuBq+aA40KI1P4adIFgij+fijwQ+019JrfaMEXcmwgtOfkb2OZNOF\nXQ3tRgYLaxSae7BYJA4uTaFq60kpp1c8qgxw3WKPEiHywtl/SaPcx1XD9VJoVTGF\nAgwDvZ9WSAhwutIBD/9O0inQ/HmpwtD1AnE89SuZNuGQty71LVhX2PQQWsUdQOuz\ndKZN1wy6UxIImFGisBodUH+48k1DjbkDjL5cLSAUOt9OhAxW2Ubp6HA6wDJPqWj1\nYQMHKmHlf2zh5G1qTUXV3NNw6hSaWejVDS73WNODv1WfUFXrPN9DVLaPsS/RJo2Q\nAoDG/iedeQhIIBwrLIcQ8ttjv9MTI1GzsNRC/CjxQpDnHabqQzFzenjnVRLDXcmr\nwfw0HeTPeNh+pLYb+sBqzGUP0j1GWui99/6NUeo/TloBWJbIung4wq23gYZbHn+K\nbWJSxSy980mvjCXiRukzXlNJMwLZDVoBlPQSbe/pOApHM9HTScZ+3VcLlYOPjgZk\nhnCvFNm+4/00ZgF+tcvLOugIfqwxvOuqW4gGGhNAycHinJZuSfDHYe6zCfEiqc7t\nnHlbhNvlhC8zDu+fOurC2ju5eGv8LqFiobfsBFVdKpl9Gj7yg00S+QmjBcz0lkE9\n1BftwEQaj+r4EDa4cJHSgP+K76utv4Xzt9hHZZJo7hvii+lGxFI7rBm0xbV5bSuY\ntOhN6d98HH2++AoXufIW5vmnydGk2NXu7O8vi6sQWzoqed84ZHbJDWLQawQ8YQlR\nkbht2PzH4+rq1oOVHbLslxWkYF9WMsQRUef6ALNpys/Dj8N54gEN4RTV+SxIVoUC\nDAM1GWv08EiACgEP/1eiG0aASQogSByxl8ZbRjRg768YVR1fwTa8GG5tE7wfcGiI\njZF2TI+yQWt7gRS4AKNm1gfWEEjCH1tBOj53/Wfwn9ZuGoNqboA2jgsh2rnVVSXR\nOdXK3is/FMh9JREr669be83nnQ8fNP8nIz3snEvKVYVGcdsdkDXBz4GKmJx52NNb\nauL+4w14/0PydCVH/njsFY8FyWqP9lUFgpJU8jHjX28oTB3khwWrDs0THwqilTFn\nhFjgeCy555zeh5rDpBDPdPbLUNd094RB15zaKzn2dC15F8DMCLoA9ASNET7S/+u3\n1SjvI4XnOpxK9hyETcwjzbWJc2gV7U38VqxhQW9Vch3AvXOufMMTm6cobLjiwxjF\nl3XTMJ5GvHDZXCwrGEapy9GbHQjbd9yi0iFgfSGV4nkNmCj1jtAMUngdCqELDVU2\nZe3a8IeJswlTteGlXAM5mwnDaegMsiD/vwsq5Rtl0gs3iI3uIN4RFXuvxP+UeJ/c\ndJWqpF8vcQI4qGN3kxgB30I7mUiz1aggv5uw6nDWRJHTQKLeOkV8ssTq4FLs4XYL\n4z4qmMT5i+8bGu575py/LRDjvXBldeitnQj1jAN2y/uPNVWsZqU3S+OkEosYIgSQ\njAe3N0EyH5k3j7j43x91toYOCAkulAuPkox6GyUKKq4dCPWxg9fqQ8u4PaSN1GYB\nCQIQ3+GP0DNWupTIkTS4Bk1LwbT99lyr2DyExqb2pgXmzn05Qs6CE4+jcIxXnmUQ\nzCl6PLiw+DJ1nq5gKtTrkO96HtHGyfPiUunDZXty1/zNltYjedk7ebkWF3LNXBhE\nK38c6yE=\n=w0Nn\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//aQe91iy/RiR2PJqXhrZVyovraUmm4ivCjPSoookMCHhY\n5HGNdyzttnBjzHNqT8OFo43nu1VPlOYllgQXNbwEj7rSQN5CZQTx35Fhkc2q9q1N\ns3uI+o/RfCLiZMvr5S80lFvmw25hpopGoF0i3sHrORbh5ennzGV2Dsn2RfcQx5Ji\n11kO4QBDNs37cqZEBP4N4R5xEWFMrWPqxVrRuGZkzxR0MPLy+zCSjic0OIXWxi5G\nSTO3rPGn06s3gbMmFgAPVBMR/nyT2kPDwQFbvv7SWNqnyZ1z5S5C7eSpcEa+49IZ\ngHo3hRa0O30bvgc+yhQ9TxhyFmlgk+HWRsc7p1c7B+HK+mwxxnoixfHQLpWEwiQz\nfT32rTG/v4MqNokiyMCvUqffGwBy57YQ0Koggm8kv3GYPbCSXFuGgdxBCUufaIkj\n5n6WmMfjESOEq0+wRw1FZPp6hl1vtCpldlYqm7raOWyzncULvPKbD8AHj7g0QgP/\ndmcVV2ca1V3vklb+FsuiUOJDkGnvue+uUjQ2f/t4JqLYy1dHlfPSX3X+WEJ4U/Nw\nZtpPb7XdgbWLbcDUTpEUGMhlnrLhdjt9w8iDKjZ+kN95fFfR9J4jTyUANIHd0sW1\nuLGphdWX62nmldEIJeselBaVhwiv5qQduNCdDssgZaMlmmdvZUHiABYh8rqKByOF\nAgwDvZ9WSAhwutIBD/4kxHpGFsX6wsP5dfJHGbh6dakqXjidwgkfbgq9eWd3nM9B\nYbmUZNz4vjdWGFIg/zitxpV6SRHItPPLkF0HEqecKrwBC41iczkMTXJsCN19zCEG\nGyMFtiTgYrkLZiN3yMViKbv5sOwm+38dQCE3tL6TZl8Rqi2Wm390DQ/dFSJSdJFb\nLZmOEvUkyChFvS+C6aCIsChoPSRnoqpxzrpJLoozS3EKGb5hKa7SN7zuSyNbUJgR\n4DaruQGNbbSKmInsigqJWtlUbJsYxbOxRGojw2waMRHEvWJfIN6NdsFuCBCMqHA7\nsil+siC7BXqef7nD9UcsjVBPyl7UAtvBAvWpfA83vYwtvSCR8tBPZ7EifyOWplfS\ntdJQFDd14ZGs/kO6j9Ck5d49Y6NuPEfa+wjs8vZGBevWGiErf+RlN7yYRLmX9pr1\nR72U0jC5rhA7+X1JZHEx1DdpNfGDj8MUokXf82aTzQPpOJPPUXOnJP9a6oHFW3Uv\nWmfTSjVbw//B9i/KM5XmVNgp3TyNZmszU36d79W23tnNQhSFpLNz4E/yr+vhvoO1\neowV8gi0BYxNGnUeM+QOFxdvoW4pNyTwVGFbqrJ7xY0m2gYiRpjxf1qpAP5pzm4Z\nrc4c+en8/71oI3Pt2D1IOHMA1VoJbemCxQKjXMb45RJxtSMZTX6kUMeWgXFLvIUC\nDAM1GWv08EiACgEP/RRLSlzAyA297eWSKzDehvMeuf3XL6EgwGo3W4VUjFQLy/k7\nzgJyzmClLaWxoUnhJY26ciaUVX5xzlyamzsuOk+S/Ke/UxHctFhT4jiSfpCj7SJU\n5E+fl4Q1vaH9CwolP/TppYRHw2PrBFHw62+/5o5PzOuSnOQ9M1Yen0sEv3aK1FYb\nCH5lDD12eZ8Qn+aTQUc4DfHGYUZckKp/yWSOYA3/O80bIimSYWjq73CclNQMXeXU\nE520z43xKArHcmbSVcJhxH+tkG+BNJ16l5XQaiKK9p9LlkPyouVvSmedXLsKdt4U\njYGywDAWh39UiepzTNc8I26eM4XcbDZjfF2D9EoNttTXWaHQpIyP/DyzJwShpVGF\nj5l1FmiCXvBxUXUJHP+4ONRtnEjMTQB/6IMWQJ5etVku+8eFRAqrn5J9B5w5/qqj\nf+99lXlORQXo9RDSANinCn6l/zORCUmNqgqfjnuVgsFPJFnUycbyzFsPgZXyF83H\nc/bqAYkjqSlMWzNuhOTgHuDJzt/SPhmbJXJmBH/ZKR52lQRlYonon9+hNE6Ti1aP\nBUdxIpMl89Cj8IPyg24cWlRIRGssIR/7e2iim76lH8VY5QT0M3qUye7KOtKOiJv/\n38kIftzORJ4PQwJnSl2TFqjs/mYSHEx0xc3WednF5ZCDicMYTjkePKJRMHuT0l4B\nYc0BSK8isG7x9SUNSxXUrb26d67ABWRmik+K+B9o7HeQRbPQuPV65m+qBxVEueVu\nYTi+79/6X2pmj/54NbN6Lqaj9SPthnhyDUrduulMRQBvxC2n9gVQ/+UnxEMy\n=Sp14\n-----END PGP MESSAGE-----",
 				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.9.4"
 	}
 }
--- a/hosts/palladium/ssh.pub
+++ b/hosts/palladium/ssh.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBc/YTf80MjyVeApOecOlxORIlwCaWtJNWtfggc0B374
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0ZrGvZqxqsGEl2+YNnL5JNpeRc3y0DgqZAkuayfeso
--- a/hosts/palladium/wg-b-palladium.nix
+++ b/hosts/palladium/wg-b-palladium.nix
@@ -0,0 +1,38 @@
 { config, ... }:
 {
  sops = {
    secrets.wg-b-palladium = {
      owner = "systemd-network";
      group = "systemd-network";
    };
  };
  systemd.network.netdevs."10-wg-b-palladium" = {
    netdevConfig = {
      Kind = "wireguard";
      Name = "wg-b-palladium";
    };
    wireguardConfig = {
      PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
    };
    wireguardPeers = [
      {
        PublicKey = "VstE42L1SmZCIShH5sOqcpVQOV0Xb9cFgljD0lhvKFQ=";
        AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
        PersistentKeepalive = 25;
        Endpoint = "backup-4.net.clerie.de:51844";
      }
    ];
  };
  systemd.network.networks."10-wg-b-palladium" = {
    matchConfig.Name = "wg-b-palladium";
    address = [
      "fd90:37fd:ddec:d921::2/64"
    ];
    linkConfig.RequiredForOnline = "no";
  };
 }
--- a/hosts/porter/configuration.nix
+++ b/hosts/porter/configuration.nix
@@ -4,22 +4,51 @@
  imports =
    [
      ./hardware-configuration.nix
      ../../configuration/router
    ];
  profiles.clerie.netcup.enable = true;
  profiles.clerie.router.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  # Network
+    matchConfig.Name = "ens3";
-  networking.interfaces.ens3.ipv4.addresses = [ { address = "5.45.100.191"; prefixLength = 22; } ];
+    address = [
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a03:4000:6:48d::1"; prefixLength = 64; } ];
+      "2a03:4000:6:48d::1/64"
-  networking.defaultGateway = { address = "5.45.100.1"; interface = "ens3"; };
+      "5.45.100.191/22"
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+    ];
-  networking.nameservers = [ "46.38.255.230" "46.38.252.230" ];
+    routes = [
      { Gateway = "fe80::1"; }
      { Gateway = "5.45.100.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  profiles.clerie.common-webserver.httpDefaultVirtualHost = false;
  services.unbound = {
    enable = true;
    resolveLocalQueries = false;
    settings = {
      server = {
        interface = [ "127.0.0.1" ];
      };
    };
  };
  clerie.nginx-port-forward = {
    enable = true;
    resolver = "127.0.0.1";
    tcpPorts."80" = {
      host = "baikonur.dyn.weimarnetz.de";
      port = 80;
    };
    tcpPorts."443" = {
      host = "baikonur.dyn.weimarnetz.de";
      port = 443;
    };
    tcpPorts."2022" = {
      host = "nonat.net.clerie.de";
      port = 22;
--- a/hosts/storage-2/configuration.nix
+++ b/hosts/storage-2/configuration.nix
@@ -4,22 +4,40 @@
  imports =
    [
      ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
+      ./em.nix
      ./firmware.nix
      ./mixcloud.nix
      ./syncthing.nix
      ./users.nix
    ];
  profiles.clerie.mercury-vm.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.35"; prefixLength = 24; } ];
+    matchConfig.Name = "ens18";
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc0::4"; prefixLength = 64; } ];
+    address = [
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
+      "2001:638:904:ffc0::4/64"
-  networking.defaultGateway6 = { address = "2001:638:904:ffc0::1"; interface = "ens18"; };
+    ];
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+    routes = [
      { Gateway = "2001:638:904:ffc0::1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  systemd.network.networks."10-nat-netz-mercury" = {
    matchConfig.Name = "ens19";
    address = [
      "192.168.10.35/24"
    ];
    routes = [
      { Gateway = "192.168.10.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
    ipv6AcceptRAConfig.DHCPv6Client = "no";
  };
  services.nginx.enable = true;
--- a/hosts/storage-2/em.nix
+++ b/hosts/storage-2/em.nix
@@ -0,0 +1,17 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  users.users.data-em = {
    group = "data-em";
    home = "/data/em";
    useDefaultShell = true;
    isSystemUser = true;
  };
  users.groups.data-em = {};
  systemd.tmpfiles.rules = [
    "d /data/em - data-em data-em - -"
  ];
 }
--- a/hosts/storage-2/users.nix
+++ b/hosts/storage-2/users.nix
@@ -2,4 +2,5 @@
 {
  users.users.clerie.extraGroups = [ "data-firmware" ];
  users.users.frank.extraGroups = [ "data-em" ];
 }
--- a/hosts/tungsten/configuration.nix
+++ b/hosts/tungsten/configuration.nix
@@ -0,0 +1,38 @@
 { config, pkgs, lib, ... }:
 {
  imports =
    [
      ./hardware-configuration.nix
    ];
  profiles.clerie.network-fallback-dhcp.enable = true;
  boot.kernelParams = [ "console=ttyS0,115200n8" ];
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/disk/by-id/ata-InnoDisk_Corp._DRPS-08GJ30AC1QS-A88_20120705AAB200000505";
  boot.loader.grub.extraConfig = "
    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
    terminal_input serial
    terminal_output serial
  ";
  networking.hostName = "tungsten";
  profiles.clerie.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8112/128" ];
    ipv4s = [ "10.20.30.112/32" ];
  };
  clerie.monitoring = {
    enable = true;
    id = "216";
    pubkey = "bDmf4xndBNwzcvIGCMq6dhyzjdEZOV2ckhv/37V/PWg=";
    serviceLevel = "event";
  };
  system.stateVersion = "25.05";
 }
--- a/hosts/tungsten/hardware-configuration.nix
+++ b/hosts/tungsten/hardware-configuration.nix
@@ -0,0 +1,46 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/7ed9e29c-d771-49a1-ae8a-8894f347c648";
      fsType = "ext4";
    };
  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/95122f15-5621-457c-972c-c057ca416212";
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/02a2afe4-ee00-4d3d-884a-e195b9814bfd";
      fsType = "ext4";
    };
  fileSystems."/mnt/storage-tungsten" =
    { device = "/dev/disk/by-uuid/3d386e15-9d64-42a6-8d6d-571272d5e78e";
      fsType = "ext4";
    };
  boot.initrd.luks.devices."crypt-storage-tungsten".device = "/dev/disk/by-uuid/e4142245-4c69-42e6-9b1f-fa4dc7fef7d8";
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/tungsten/secrets.json
+++ b/hosts/tungsten/secrets.json
@@ -0,0 +1,27 @@
 {
 	"wg-clerie": "ENC[AES256_GCM,data:OtSzmacWH9leDuykr7Tp5lR2FDoNGQ61V/9z6xBD1eCDSLOvt8UdILMETJU=,iv:NNGqR7UG3bZWETpZRwEdS4O1nRO4cBT72fljpqSbtyc=,tag:mea+5E8B655ljRzk63IDOw==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:+k7ATUbPnEfb4O4lUs8d4ZlvMPlsxC5mrCi1bXOje47XDcpioDwzRTQNPrU=,iv:p4JdSMbBcb/8Uh/9RuUSs64VBRQJHu6k5FB50UsxXVU=,tag:NRyBs1CO77AV4CbD6a6gig==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1dvl2pylf9vs4vt27g8z8nzpuwt88zl5fj7a68papsmenze7gd3mstyalks",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOGRQMDhycnViTVR5M1Aw\nbjFGbXBINTJsTEdKU1ZoMDVIMUQrU1R2M2hFCk9XY0NxMlZoZXJhMVIvZ1hLUXJt\nSVdzWEpraGc3aUFBUWU2Uk9WK2J1cncKLS0tIEZPUVY1V2Z0RDhJR2VweVFsZnY5\nREp1cERaVzcrTTRhL0tpVWpMc1pCdWcKB3ZbqB8tGdXgXra3fRL/gw4IEpNHBqp+\nKnw9XYYV2MDiL02+HF+bABVHbjngG85EGDRTDZMWnJtlxV4l+vzTVw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-02-25T17:46:27Z",
 		"mac": "ENC[AES256_GCM,data:EvbkM81pIqbYkvcBSWtyov5GN8D0PauWAiMmRYgWl2fijlH7zEpsCh0XU544prqpb7vh8ShAuCecVpWsdWUIAIT62ToB28NdefDhX2HDl4B1XeIy2X9i+jhnaXLjbwc+r8IhTHOJ/uWeVrNQyb4g9nOaijzDGVJbwKnJ6M+O7fU=,iv:WAIwdemTsTHLnGtFtg/KgyjId3+RpivNDc1LFZjG3jY=,tag:YmaYFT9smKChwd5vVisfLQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-02-25T17:27:17Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+In2YZByknfnhl2zYmOUTQCrjpiyXbf8/ai0Ko8TZZCRy\nhrpxyvKP+/u7CMS+giouoxKJ4XLDbHacoz06qF1I9i9iSVelXxQ5epSHk4BLLocw\nP5S6ZnE3jQO4G5goC/LU7nARN2IMwYq2rRZe8o8SLDMTZqGnlk9vBihcE4rN4lpd\nLbSb+cT6wDba32xKNZuP9IRPU2gqjOAg99gbh7Se2zB4Q7AxpgUl6EZZ7OMqVl/C\nbgSQFgwJxFPoH8KBS4wICbHTyWGvg2iEQyh1zNElUwbW112kyfBxGHKFukfEapIj\n2Cv0+Jme3VA750rZmJ4xcOZeoz0n7THBHdFjE122dkXhUdkQmohKzjngIZySUqDI\nuaDf43ebi6tPgCdC6gKLbYUUml+WEOmIRcgmIEswG9iRF/vjOYLK9OxclAKLDDar\nN9zgRFW1qR0HZhAbC61L1CqhKZzjQpNpjYn2pwmR+NnU/DDrlSdJLnHnrMdPeG6l\nBVp7oLhct2DwrypEYOvccrEwRakJSjCyC6cPWbUv7upjovTvcSAh21XNLnHJaMsY\n+sbJf5vshnALIkEXRyMBa5to7RZQvWx9qdklykjbXUEheM9RQATjGdnFQHuM05LI\npWKX038xlEaPe4nJa4PBGub23GZ1zuP3zE+N0W4XTR3r3ZGsMncqntiPJaaBgzWF\nAgwDvZ9WSAhwutIBEADMfdHvINLP6Gu7/DeLUboRnTHpP8x+rfTy9lcIW2RmQHbz\nLeAwBbeqyvLUi9ObjwclVWvPHqbPyGwibt96mTgGnkAEwXCgcXfWz/vCRZ0UHcvT\nimFM4H+ecOKws7t+sf31PAMPE0eSSJIYXVU9pej0qaKzR3zMBvQi6CsB0F1e2Fkz\n0HbilJMELaKFbJJsTXtDyl9Afi8OtVcBoG8P/1ImM/gcJLU548WTwPtzYUufHt5q\nkb45PjEId3m/g6CF6nh4GCQtRwOWjah49Zsk5cuI1aO/Q0gPyndgzFL5fYOfPlGN\nPTQ2KFMUh1dkvVVzyNFFC1vqXx2KH5l2gdTRkzaFQ3Qjjx1kluM5AlEl2Ynx4sbQ\nVaFZHFjQnoFtDn08BzNS7Cu/5SOdXejihen4sg0bGjEz6aVGwHXQJcp0BigH2y3f\n/OtnCK5KjFSQsdgTV5trstQgFQMqbMiVEqd3u+3lTxGJ/dQ7NXerFroITUC4J3Uu\n3VRdWTlgPED8hiA1NQaOiy2bbMzAgaR86qHK6JhxnP/6ETaByPPb27Oisblhhq9p\nCDw4eNGws1WsAyjZkyatzLZwUs2zOt4ZKjDlim8EikdGJpDcHnameRtI97QgPDO/\nzA5zHMrDuMN1iMw92WIAQyEQtJgyy4m3YvUsnlpHqKOgSNpwG/8j1zXHLH2p1IUC\nDAM1GWv08EiACgEQALEoa50qGjadZkaHI2tXFVv8RF1d8nR+L946DyMImjuMObei\n6Sx/Nc3bHzHSMsf27T120EUU0yUERdncoOQTRWBemMoB6tWYGTIAG0uDhrHl6rzW\nOUC5G7023H3cHStXbFFBp+JargnE1XgcapHM0p29GgUCE21UDBXzm7MB6x+9AKdd\nsc6qXD1xNPWc7RSqLL6anvcT/eLZW5Y1Ep2T7r5gQ81Fbxh4RicCphmApDC91Dii\nfZ/Va3JUeFm/82edeE4FqJUO9Akk2sPmVnXBYWPRq55/Uyk61J8u2b8tY7OcLSmr\nw/eaJq2bgDda3MBVzF3G9nr3BGhl8g7lCSCPS3gCFfs7C3Djp/YP0L8rMsH2ym1Q\nEj7rWC3K1xwtqowDx+EcYDMwmUtJqkia6o3WVM1qJM25QuCg2mnv9anMTgWuLpQo\nk1Av4FR+zV6aK3A7mxxjG0BsSUGjrrzoJC5DV1DSZ335lqlZxmthJoF0mda02nbh\nUlzpHEpG3/eWXjfDSbEYU8iVK2HWX9/i2gnXbpREuEnt5xpuSQ/sBT6tmit1FwK2\ntYZ+wtCMjWKkeZtvbP9Fx0nLYhVyMXvLhR1VLosCymKqWCIBj8VINagmPLiToEMd\nfpVs8m35neD4258CZOvBgqFvmxlGb9e27p8PHmlg9UNb/v7sYmSgm4IH0zi11GgB\nCQIQbpoXf1EJlriSHiqcUZCIvY/H37TWSJ6+tCcUSUipA+dLgt4pnKBjeM6RFSPG\n81eTm0AZIpmRDx/i31knPNh5JL6RYm5t66ncM46VkO1FIatkdKDfJbYe9J6ezWCs\nMDYTejoBhQ==\n=EuYe\n-----END PGP MESSAGE-----",
 				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.2"
 	}
 }
--- a/hosts/tungsten/ssh.pub
+++ b/hosts/tungsten/ssh.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJq5WWALjFHvmUdcWdKN5BBRS1F/EWaBet6oftrbxt1F
--- a/hosts/web-2/clerie.nix
+++ b/hosts/web-2/clerie.nix
@@ -27,18 +27,13 @@
        root = pkgs.clerie-keys;
      };
      locations."= /ssh/known_hosts" = {
-        alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
+        alias = pkgs.clerie-ssh-known-hosts + "/known_hosts";
        extraConfig = ''
          types { }
          default_type "text/plain; charset=utf-8";
        '';
      };
      locations."/gpg" = {
        extraConfig = ''
          types {
            text/plain asc;
          }
        '';
        root = pkgs.clerie-keys;
      };
      locations."~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = {
--- a/hosts/web-2/configuration.nix
+++ b/hosts/web-2/configuration.nix
@@ -9,6 +9,8 @@
      ./chaosevents.nix
      ./clerie.nix
      ./drop.nix
      ./etebase.nix
      ./feeds.nix
      ./fieldpoc.nix
      ./gitea.nix
      ./ip.nix
@@ -26,16 +28,17 @@
      ./wetter.nix
    ];
  profiles.clerie.hetzner-cloud.enable = true;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
-  networking.useDHCP = false;
+  systemd.network.networks."10-wan" = {
-  # Network
+    address = [
-  networking.interfaces.ens3.ipv4.addresses = [ { address = "88.99.187.135"; prefixLength = 32; } ];
+      "2a01:4f8:c0c:c580::1/64"
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:c580::1"; prefixLength = 64; } ];
+      "88.99.187.135/32"
-  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
+    ];
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+  };
  networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
  services.nginx = {
    enable = true;
--- a/hosts/web-2/etebase.nix
+++ b/hosts/web-2/etebase.nix
@@ -0,0 +1,26 @@
 { ... }:
 {
  services.etebase-server = {
    enable = true;
    port = 8001;
    settings.allowed_hosts.allowed_host1 = "etebase.clerie.de";
  };
  services.nginx.virtualHosts = {
    "etebase.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      locations = {
        "= /" = {
          return = ''302 "/admin/"'';
        };
      };
      locations = {
        "/" = {
          proxyPass = "http://127.0.0.1:8001";
        };
      };
    };
  };
 }
--- a/hosts/web-2/feeds.nix
+++ b/hosts/web-2/feeds.nix
@@ -0,0 +1,49 @@
 { pkgs, ... }:
 {
  users.users."feeds" = {
    isSystemUser = true;
    group = "feeds";
  };
  users.groups."feeds" = {};
  systemd.tmpfiles.rules = [
      "d /data/feeds 0775 root users - -"
      "d /var/lib/feeds - feeds feeds - -"
  ];
  services.nginx = {
    virtualHosts."feeds.clerie.de" = {
      enableACME = true;
      forceSSL = true;
      root = "/var/lib/feeds";
    };
  };
  systemd.services."feeds" = {
    wantedBy = [ "multi-user.target" ];
    requires = [ "network.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      Type = "oneshot";
      WorkingDirectory = "/var/lib/feeds";
      RuntimeDirectory = "feeds";
      User = "feeds";
      Group = "feeds";
      ExecStart = ''
        ${pkgs.feeds-dir}/bin/feeds-dir /data/feeds
      '';
    };
  };
  systemd.timers."feeds" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "hourly";
      RandomizedDelaySec = "1h";
    };
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];
  };
 }
--- a/hosts/zinc/configuration.nix
+++ b/hosts/zinc/configuration.nix
@@ -25,7 +25,7 @@
  boot.initrd.systemd.enable = false;
-  services.wg-clerie = {
+  profiles.clerie.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];
    ipv4s = [ "10.20.30.109/32" ];
--- a/hosts/zinc/programs.nix
+++ b/hosts/zinc/programs.nix
@@ -2,9 +2,9 @@
 {
-  users.users.clerie.packages = with pkgs; [
+  profiles.clerie.firefox.enable = true;
    firefox
  users.users.clerie.packages = with pkgs; [
    blender
    #cura # libarcus library is currently broken, required for curaengine
--- a/modules/backup/default.nix
+++ b/modules/backup/default.nix
@@ -21,18 +21,11 @@ let
    ) cfg.jobs
  );
-  backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}: let
+  backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}:
    jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else
      config.sops.secrets."clerie-backup-job-${jobName}".path;
    repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
    targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
      config.sops.secrets."clerie-backup-target-${targetName}".path;
    targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
  in
    nameValuePair "clerie-backup-${jobName}-${targetName}" {
      requires = [ "network.target" "local-fs.target" ];
      after = [ "network.target" "local-fs.target" ];
-      path = [ pkgs.restic ];
+      path = [ pkgs.clerie-backup ];
      serviceConfig = {
        Type = "oneshot";
@@ -41,14 +34,7 @@ let
      script = ''
        set -euo pipefail
-        export RESTIC_PASSWORD_FILE=${jobPasswordFile}
+        clerie-backup "${jobName}-${targetName}" backup
        export RESTIC_REPOSITORY="rest:https://${targetUsername}:$(cat ${targetPasswordFile})@${targetOptions.serverName}${repoPath}"
        export RESTIC_PROGRESS_FPS=0.1
        export RESTIC_CACHE_DIR=/var/cache/restic
        restic snapshots --latest 1 || restic init
        restic backup ${optionalString (jobOptions.exclude != []) "--exclude-file ${pkgs.writeText "clerie-backup-${jobName}-${targetName}-excludes" (concatStringsSep "\n" jobOptions.exclude)}"} ${escapeShellArgs jobOptions.paths}
        ${optionalString (config.clerie.monitoring.enable) ''
          echo "clerie_backup_last_successful_run_time{backup_job=\"${jobName}\", backup_target=\"${targetName}\"} $(date +%s)" > /var/lib/prometheus-node-exporter/textfiles/clerie-backup-${jobName}-${targetName}.prom
@@ -69,32 +55,22 @@ let
    }
  ) jobTargetPairs);
-  backupCommands = map ({jobName, jobOptions, targetName, targetOptions}: let
+  backupConfigs = mergeAttrsList (map ({jobName, jobOptions, targetName, targetOptions}: let
      jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else
        config.sops.secrets."clerie-backup-job-${jobName}".path;
      repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
      targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
        config.sops.secrets."clerie-backup-target-${targetName}".path;
      targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
-    in pkgs.writeShellApplication {
+    in {
-      name = "clerie-backup-${jobName}-${targetName}";
+      "clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile;
-
+      "clerie-backup/${jobName}-${targetName}/repo_url".text = "${targetOptions.serverUrl}${repoPath}";
-      runtimeInputs = [ pkgs.restic ];
+      "clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername;
-
+      "clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
-      text = ''
+      "clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths;
-        set -euo pipefail
+      "clerie-backup/${jobName}-${targetName}/excludes".text = concatStringsSep "\n" jobOptions.exclude;
        export RESTIC_PASSWORD_FILE=${jobPasswordFile}
        export RESTIC_REPOSITORY="rest:https://${targetUsername}:$(cat ${targetPasswordFile})@${targetOptions.serverName}${repoPath}"
        export RESTIC_PROGRESS_FPS=0.1
        export RESTIC_CACHE_DIR=/var/cache/restic
        restic "$@"
      '';
      checkPhase = "";
    }
-  ) jobTargetPairs;
+  ) jobTargetPairs);
  targetOptions = { ... }: {
    options = {
@@ -106,7 +82,7 @@ let
        type = with types; nullOr str;
        default = null;
      };
-      serverName = mkOption {
+      serverUrl = mkOption {
        type = types.str;
      };
    };
@@ -158,6 +134,7 @@ in
    systemd.tmpfiles.rules = [
      "d /var/cache/restic - - - - -"
    ];
-    environment.systemPackages = backupCommands;
+    environment.systemPackages = [ pkgs.clerie-backup ];
    environment.etc = backupConfigs;
  };
 }
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -61,9 +61,6 @@ in
    services.prometheus.exporters.node = {
      enable = true;
      #listenAddress = "${monitoring-network-base}${cfg.id}";
      openFirewall = true;
      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
      enabledCollectors = [
       "systemd"
      ];
@@ -80,14 +77,10 @@ in
    services.prometheus.exporters.bird = mkIf cfg.bird {
      enable = true;
      openFirewall = true;
      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
    };
    services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
      enable = true;
      openFirewall = true;
      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
      configFile = pkgs.writeText "blackbox.yml" ''
        modules:
          icmp6:
@@ -109,8 +102,13 @@ in
      listen = "[::]:9152";
    };
-    networking.firewall.extraCommands = ''
+    networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
-      ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept
+      9100 # node-exporter
-    '';
+      9152 # nixos-exporter
    ] ++ (if cfg.bird then [
      9324 # bird-exporter
    ] else []) ++ (if cfg.blackbox then [
      9115 # blackbox-exporter
    ] else []);
  };
 }
--- a/modules/nginx-port-forward/default.nix
+++ b/modules/nginx-port-forward/default.nix
@@ -9,6 +9,8 @@ let
  mkServerBlock = isUDP: port: forward: ''
    server {
      resolver ${cfg.resolver} ipv4=off valid=30s;
      listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
      listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
@@ -18,7 +20,9 @@ let
        ${ optionalString (sslDhparam != null) "ssl_dhparam ${sslDhparam};" }
      '' }
-      proxy_pass ${forward.host}:${toString forward.port};
+      set $upstream_server ${forward.host}:${toString forward.port};
      proxy_pass $upstream_server;
    }
  '';
@@ -50,6 +54,10 @@ in
  options = {
    clerie.nginx-port-forward = {
      enable = mkEnableOption "Nginx Port Forward";
      resolver = mkOption {
        type = types.str;
        description = "IP address of the resolver to use for upstream hostnames";
      };
      tcpPorts = mkOption {
        type = with types; attrsOf (submodule portOpts);
        default = {};
--- a/monitoring/targets.json
+++ b/monitoring/targets.json
@@ -0,0 +1,52 @@
 {
  "clerie.de": {
    "icmp": { "enable": true },
    "http": { "enable": true }
  },
  "wiki.clerie.de": {
    "http": { "enable": true }
  },
  "blog.nadja.top": {
    "http": { "enable": true }
  },
  "fem.social": {
    "http": { "enable": true }
  },
  "tagesschau.de": {
    "icmp": { "enable": true }
  },
  "google.com": {
    "icmp": { "enable": true }
  },
  "achtbaan.nikhef.nl": {
    "icmp": { "enable": true }
  },
  "www.fem.tu-ilmenau.de": {
    "icmp": { "enable": true }
  },
  "www.heise.de": {
    "icmp": { "enable": true }
  },
  "dyon.net.entr0py.de": {
    "_comment": "Backend server of matrix.entr0py.de",
    "icmp": { "enable": true }
  },
  "matrix.bau-ha.us": {
    "synapse": { "enable": true }
  },
  "matrix.entr0py.de": {
    "synapse": { "enable": true }
  },
  "matrix.fachschaften.org": {
    "synapse": { "enable": true }
  },
  "clerie.uber.space": {
    "clerie-uberspace": { "enable": true }
  },
  "cleriewi.uber.space": {
    "clerie-uberspace": { "enable": true }
  }
 }
--- a/pkgs/build-support/overlay.nix
+++ b/pkgs/build-support/overlay.nix
@@ -0,0 +1,7 @@
 final: prev:
 {
  clerie-build-support = {
    writePythonScript = final.callPackage ./writePythonScript.nix {};
  };
 }
--- a/pkgs/build-support/writePythonScript.nix
+++ b/pkgs/build-support/writePythonScript.nix
@@ -0,0 +1,37 @@
 {
  python3,
  writeTextFile,
  lib,
 }:
 {
  name,
  text,
  runtimePackages ? ps: [],
  pythonPackage ? python3,
  meta ? {},
  passthru ? {},
  derivationArgs ? {},
 }:
 let
  pythonWithPackages = pythonPackage.withPackages runtimePackages;
 in writeTextFile {
  inherit
    name
    meta
    passthru
    derivationArgs
    ;
  executable = true;
  destination = "/bin/${name}";
  allowSubstitutes = true;
  preferLocalBuild = false;
  text = ''
    #!${lib.getExe pythonWithPackages}
    ${text}
  '';
 }
--- a/pkgs/clerie-backup/clerie-backup.sh
+++ b/pkgs/clerie-backup/clerie-backup.sh
@@ -0,0 +1,95 @@
 #!/usr/bin/env bash
 set -euo pipefail
 REPO=
 ACTION=
 if [[ $# -lt 2 ]]; then
 	echo "Command not specified"
 	echo
 	echo "clerie-backup REPO ACTION"
 	echo
 	echo "ACTION: restic,backup"
 	echo
 	echo "Available REPOs (/etc/clerie-backup/):"
 	echo
 	if [[ -d "/etc/clerie-backup" ]]; then
 		find "/etc/clerie-backup/" -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | sort -d
 	fi
 	exit 1
 fi
 REPO="$1"
 shift
 ACTION="$1"
 shift
 CONFIG_DIR="/etc/clerie-backup/${REPO}"
 if [[ ! -d "${CONFIG_DIR}" ]]; then
 	echo "Config dir ${CONFIG_DIR} for ${REPO} does not exist"
 	exit 1
 fi
 ISSUE_EXIST=
 if [[ ! -f "${CONFIG_DIR}/repo_password" ]]; then
 	echo "File ${CONFIG_DIR}/repo_password not found"
 	ISSUE_EXIST=1
 fi
 if [[ ! -f "${CONFIG_DIR}/repo_url" ]]; then
 	echo "File ${CONFIG_DIR}/repo_url not found"
 	ISSUE_EXIST=1
 fi
 if [[ ! -f "${CONFIG_DIR}/auth_username" ]]; then
 	echo "File ${CONFIG_DIR}/auth_username not found"
 	ISSUE_EXIST=1
 fi
 if [[ ! -f "${CONFIG_DIR}/auth_password" ]]; then
 	echo "File ${CONFIG_DIR}/auth_password not found"
 	ISSUE_EXIST=1
 fi
 if [[ -n "${ISSUE_EXIST}" ]]; then
 	exit 1
 fi
 RESTIC_PASSWORD_FILE="${CONFIG_DIR}/repo_password"
 export RESTIC_PASSWORD_FILE
 RESTIC_REPOSITORY="rest:$(cat "${CONFIG_DIR}/repo_url")"
 export RESTIC_REPOSITORY
 RESTIC_REST_USERNAME="$(cat "${CONFIG_DIR}/auth_username")"
 export RESTIC_REST_USERNAME
 RESTIC_REST_PASSWORD="$(cat "${CONFIG_DIR}/auth_password")"
 export RESTIC_REST_PASSWORD
 RESTIC_PROGRESS_FPS="0.1"
 export RESTIC_PROGRESS_FPS
 RESTIC_CACHE_DIR="/var/cache/restic"
 export RESTIC_CACHE_DIR
 case "${ACTION}" in
 restic)
 	restic "$@"
 	;;
 backup)
 	ISSUE_EXIST=
 	if [[ ! -f "${CONFIG_DIR}/excludes" ]]; then
 		echo "File ${CONFIG_DIR}/excludes not found"
 		ISSUE_EXIST=1
 	fi
 	if [[ ! -f "${CONFIG_DIR}/files" ]]; then
 		echo "File ${CONFIG_DIR}/files not found"
 		ISSUE_EXIST=1
 	fi
 	if [[ -n "${ISSUE_EXIST}" ]]; then
 		exit 1
 	fi
        restic snapshots --latest 1 || restic init
        restic backup --exclude-file "${CONFIG_DIR}/excludes" --files-from "${CONFIG_DIR}/files"
 	;;
 *)
 	echo "Unsupported ACTION: ${ACTION}"
 	exit 1
 	;;
 esac
--- a/pkgs/clerie-backup/default.nix
+++ b/pkgs/clerie-backup/default.nix
@@ -0,0 +1,9 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
  name = "clerie-backup";
  text = builtins.readFile ./clerie-backup.sh;
  runtimeInputs = with pkgs; [
    restic
  ];
 }
--- a/pkgs/clerie-keys/default.nix
+++ b/pkgs/clerie-keys/default.nix
@@ -10,5 +10,8 @@ runCommand "clerie-keys" {
  gpg --import-options import-export --armor -o $out/gpg/clerie@clerie.de.asc --import ${../../users/clerie/gpg.asc}
  gpg --import-options import-export -o $out/gpg/clerie@clerie.de --import ${../../users/clerie/gpg.asc}
-  gpg --import-options show-only --with-colons --fingerprint --import ${../../users/clerie/gpg.asc} | awk -F: '$1 == "fpr" {print $10;}' | head -1 > $out/gpg/clerie@clerie.de.fingerprint.txt
+  gpg --import-options show-only --with-colons --fingerprint --import ${../../users/clerie/gpg.asc} > colons.txt
  cat colons.txt | awk -F: '$1 == "fpr" {print $10;}' | head -1 > $out/gpg/clerie@clerie.de.fingerprint.txt
  cat colons.txt | awk -F: '$1 == "pub" {print "@", $7;}' | date -f - -Iseconds > $out/gpg/clerie@clerie.de.expires.txt
  cat colons.txt | awk '{printf "%s:%s", $0, ($0 ~ /^(pub|sub)/) ? ":" : "\n" }' | awk '$0 ~ /^(pub|sub)/ { print $0}' | awk -F: '{if ($1 == "pub") { fingerprint=$32; keyid=$5 }}  {printf "clerie_keys_gpg_key_expire_time{fingerprint=\"%s\", keyid=\"%s\", subkeyfingerprint=\"%s\", subkeykeyid=\"%s\", type=\"%s\"} %s\n", fingerprint, keyid, ($1 == "sub") ? $30 : "", ($1 == "sub") ? $5 : "", $1, $7}' > $out/gpg/clerie@clerie.de.metrics.txt
 ''
--- a/pkgs/clerie-sops/clerie-sops-edit.sh
+++ b/pkgs/clerie-sops/clerie-sops-edit.sh
@@ -7,17 +7,19 @@ set -euo pipefail
 print_help() {
 	cat << EOF
-clerie-sops-edit <secrets_file> <action> <key>
+clerie-sops-edit <secrets_file> <action> <key> [cmd...]
  This script allows editing single secrets in a secrets file by key.
  <secrets_file> is a sops secrets file
-  <action> is one of "edit", "read", "set" and "append"
+  <action> is one of "edit", "cmd", "read", "set" and "append"
  <key> is the key of the secret in the secrets file to modify
  ACTION "cmd" a command that get passed the decrypted secret in the argument being "{}"
 EOF
 }
-if [[ $# != 3 ]]; then
+if [[ $# -lt 3 ]]; then
 	print_help
 	exit 1
 fi
@@ -33,7 +35,7 @@ fi
 ACTION="$2"
-if ! echo "edit read set append" | grep -wq "${ACTION}"; then
+if ! echo "edit cmd read set append" | grep -wq "${ACTION}"; then
 	echo "Action \"${ACTION}\" not supported"
 	echo
 	print_help
@@ -43,6 +45,15 @@ fi
 KEY="$3"
 KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))"
 if [[ $# -gt 3 && "${ACTION}" != "cmd" ]]; then
 	print_help
 	exit 1
 fi
 shift
 shift
 shift
 if [[ -n $EDITOR ]]; then
 	EDITOR=vim
 fi
@@ -64,6 +75,18 @@ case "${ACTION}" in
 	edit)
 		"${EDITOR}" "${TMP_FILE}"
 		;;
 	cmd)
 		CMD=()
 		while [[ $# -gt 0 ]]; do
 			if [[ "$1" == "{}" ]]; then
 				CMD+=("${TMP_FILE}")
 			else
 				CMD+=("$1")
 			fi
 			shift
 		done
 		"${CMD[@]}"
 		;;
 	read)
 		cat "${TMP_FILE}"
 		;;
--- a/pkgs/clerie-sops/clerie-sops.nix
+++ b/pkgs/clerie-sops/clerie-sops.nix
@@ -11,6 +11,8 @@ pkgs.writeShellApplication {
    if GIT_ROOT=$(git rev-parse --show-toplevel); then
      REPO_ROOT="$GIT_ROOT"
    fi
-    exec sops --config <(clerie-sops-config "$REPO_ROOT") "$@"
+    CONFIG_FILE="$(mktemp)"
    clerie-sops-config "$REPO_ROOT" > "$CONFIG_FILE"
    exec sops --config "$CONFIG_FILE" "$@"
  '';
 }
--- a/pkgs/clerie-ssh-known-hosts/default.nix
+++ b/pkgs/clerie-ssh-known-hosts/default.nix
@@ -1,13 +1,22 @@
 {
  writeTextFile,
 }:
 let
  stripR = str: if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str;
-  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../hosts));
+  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../../hosts));
  sshkeyList = map (hostname: {
    name = hostname;
-    sshPubkey = stripR (builtins.readFile (../hosts + "/${hostname}/ssh.pub"));
+    sshPubkey = stripR (builtins.readFile (../../hosts + "/${hostname}/ssh.pub"));
  }) hostsWithSshPubkey;
  knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: ''
    ${name} ${sshPubkey}
    ${name}.net.clerie.de ${sshPubkey}
  '') sshkeyList);
-in
+in writeTextFile {
-  knownHosts
+  name = "clerie-ssh-known-hosts";
  destination = "/known_hosts";
  allowSubstitutes = true;
  preferLocalBuild = false;
  text = knownHosts;
 }
--- a/pkgs/clerie-system-remote-install/clerie-system-remote-install.sh
+++ b/pkgs/clerie-system-remote-install/clerie-system-remote-install.sh
@@ -0,0 +1,31 @@
 #!/usr/bin/env bash
 set -xeuo pipefail
 SYSTEM="$1"
 REMOTE_HOST="$2"
 REMOTE_ROOT="$3"
 nix copy "${SYSTEM}" --to "ssh://${REMOTE_HOST}?remote-store=${REMOTE_ROOT}"
 ssh "${REMOTE_HOST}" -- nix-env --store "${REMOTE_ROOT}" -p "${REMOTE_ROOT}/nix/var/nix/profiles/system" --set "${SYSTEM}"
 ssh "${REMOTE_HOST}" -- mkdir -p "${REMOTE_ROOT}/tmp"
 TMPSH="$(ssh "${REMOTE_HOST}" -- mktemp -p "${REMOTE_ROOT}/tmp")"
 # shellcheck disable=SC2087
 ssh "${REMOTE_HOST}" -- tee "${TMPSH}" <<EOF
 #!/usr/bin/env bash
 set -euo pipefail
 nix-env --store "${REMOTE_ROOT}" -p "${REMOTE_ROOT}/nix/var/nix/profiles/system" --set "${SYSTEM}"
 mkdir -m 0775 -p "${REMOTE_ROOT}/etc"
 touch "${REMOTE_ROOT}/etc/NIXOS"
 ln -sfn /proc/mounts "${REMOTE_ROOT}/etc/mtab"
 NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "${REMOTE_ROOT}" -c "/run/current-system/bin/switch-to-configuration boot"
 EOF
 ssh "${REMOTE_HOST}" -- bash "${TMPSH}"
--- a/pkgs/clerie-system-remote-install/default.nix
+++ b/pkgs/clerie-system-remote-install/default.nix
@@ -0,0 +1,6 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
  name = "clerie-system-remote-install";
  text = builtins.readFile ./clerie-system-remote-install.sh;
 }
--- a/pkgs/clerie-update-nixfiles/clerie-cleanup-branches.nix
+++ b/pkgs/clerie-update-nixfiles/clerie-cleanup-branches.nix
@@ -0,0 +1,10 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
  name = "clerie-cleanup-branches";
  text = builtins.readFile ./clerie-cleanup-branches.sh;
  runtimeInputs = with pkgs; [
    git
  ];
 }
--- a/pkgs/clerie-update-nixfiles/clerie-cleanup-branches.sh
+++ b/pkgs/clerie-update-nixfiles/clerie-cleanup-branches.sh
@@ -0,0 +1,7 @@
 #!/usr/bin/env bash
 # Removes all branches from origin starting with updated-inputs-* except the 8 newest ones
 git fetch origin --prune
 git branch -r | sed "s/^ *//g" | grep "^origin/updated-inputs-" | sort | head -n -8 | sed "s/^origin\///g" | xargs git push origin --delete
--- a/pkgs/clerie-update-nixfiles/clerie-update-nixfiles.sh
+++ b/pkgs/clerie-update-nixfiles/clerie-update-nixfiles.sh
@@ -56,7 +56,7 @@ echo "[!] Create branch ${UPDATE_BRANCH}"
 xgit checkout -b "${UPDATE_BRANCH}"
 echo "[!] Update nixpkgs"
-nix flake lock --update-input nixpkgs
+nix flake update nixpkgs
 echo "[!] Commit changes"
 xgit add flake.lock
--- a/pkgs/feeds-dir/default.nix
+++ b/pkgs/feeds-dir/default.nix
@@ -0,0 +1,9 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
  name = "feeds-dir";
  text = builtins.readFile ./feeds-dir.sh;
  runtimeInputs = with pkgs; [
    rainbowrss
  ];
 }
--- a/pkgs/feeds-dir/feeds-dir.sh
+++ b/pkgs/feeds-dir/feeds-dir.sh
@@ -0,0 +1,9 @@
 #!/usr/bin/env bash
 set -euo pipefail
 IN_DIR="${1:-.}"
 for file in "${IN_DIR}"/*.txt; do
 	rainbowrss --feeds "${file}" --out "$(basename "${file}" ".txt").html" || true
 done
--- a/pkgs/git-show-link/default.nix
+++ b/pkgs/git-show-link/default.nix
@@ -0,0 +1,6 @@
 { pkgs, ... }:
 pkgs.clerie-build-support.writePythonScript {
  name = "git-show-link";
  text = builtins.readFile ./git-show-link.py;
 }
--- a/pkgs/git-show-link/git-show-link.py
+++ b/pkgs/git-show-link/git-show-link.py
@@ -0,0 +1,177 @@
 #!/usr/bin/env python3
 import argparse
 from dataclasses import dataclass
 import re
 import subprocess
 from pathlib import Path
 REMOTE_TYPES = {
    "github": {
        "match": re.compile(r'git@github.com:(?P<username>[\w\.-]+)/(?P<project>[\w\.-]+).git'),
        "format-branch": lambda g: f"https://github.com/{g.username}/{g.project}/tree/{g.branch}/",
        "format-branch-file": lambda g: f"https://github.com/{g.username}/{g.project}/blob/{g.branch}/{g.file}",
        "format-branch-dir": lambda g: f"https://github.com/{g.username}/{g.project}/tree/{g.branch}/{g.dir}",
        "format-commit": lambda g: f"https://github.com/{g.username}/{g.project}/commit/{g.commit}/",
        "format-commit-file": lambda g: f"https://github.com/{g.username}/{g.project}/blob/{g.commit}/{g.file}",
        "format-commit-dir": lambda g: f"https://github.com/{g.username}/{g.project}/tree/{g.commit}/{g.dir}",
    },
    "gitea": {
        "match": re.compile(r'(?P<gituser>[\w\.-]+)@(?P<host>[\w\.-]+):(?P<username>[\w\.-]+)/(?P<project>[\w\.-]+).git'),
        "format-branch": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/branch/{g.branch}/",
        "format-branch-file": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/branch/{g.branch}/{g.file}",
        "format-branch-dir": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/branch/{g.branch}/{g.dir}",
        "format-commit": lambda g: f"https://{g.host}/{g.username}/{g.project}/commit/{g.commit}/",
        "format-commit-file": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/commit/{g.commit}/{g.file}",
        "format-commit-dir": lambda g: f"https://{g.host}/{g.username}/{g.project}/src/commit/{g.commit}/{g.dir}",
    },
 }
@dataclass
 class FormatArgs:
    gituser: str = None
    host: str = None
    username: str = None
    project: str = None
    commit: str = None
    branch: str = None
    file: str = None
    dir: str = None
 def is_git_repo():
    s = subprocess.run(["git", "rev-parse"], capture_output=True, text=True)
    return s.returncode == 0
 def get_git_dir():
    s = subprocess.run(["git", "rev-parse", "--show-toplevel"], capture_output=True, text=True)
    return Path(s.stdout.strip())
 def get_remote_branch():
    s = subprocess.run(["git", "status", "--porcelain", "-uno", "-b", "--no-ahead-behind"], capture_output=True, text=True)
    if s.stdout.startswith("## HEAD (no branch)"):
        print("Detached head, can't link")
        exit(1)
    git_status_branch_info = s.stdout.splitlines()[0][3:].split()[0]
    branches = git_status_branch_info.split("...")
    if len(branches) != 2:
        raise Exception("no branch name found")
    local_branch, remote_branch = branches
    remote, branch = remote_branch.split("/", maxsplit=1)
    return {
        "remote": remote,
        "branch": branch,
    }
 def get_remote_url(remote):
    s = subprocess.run(["git", "remote", "get-url", remote], capture_output=True, text=True)
    remote_url = s.stdout.strip()
    return remote_url
 def get_last_commit():
    s = subprocess.run(["git", "rev-parse", "HEAD"], capture_output=True, text=True)
    commit = s.stdout.strip()
    return commit
 def main():
    parser = argparse.ArgumentParser(
        prog='git-show-link',
    )
    parser.add_argument("path", nargs="?", default=None, help="Path to link to specific file or directory")
    parser.add_argument("--branch", dest="display_branch", action='store_true', help="Display link to branch, instead to commit")
    parser.add_argument("--remote-type", dest="remote_type", choices=REMOTE_TYPES.keys(), help="Specify remote type")
    args = parser.parse_args()
    if not is_git_repo():
        print("Not a git repo")
        exit(1)
    git_dir_path = get_git_dir()
    r = get_remote_branch()
    remote_url = get_remote_url(r["remote"])
    selected_remote_types = REMOTE_TYPES
    if args.remote_type is not None:
        selected_remote_types = {
            args.remote_type: REMOTE_TYPES[args.remote_type],
        }
    remote_type_found = False
    for remote_type_name, remote_type in selected_remote_types.items():
        m = remote_type["match"].match(remote_url)
        if m is None:
            continue
        remote_type_found = True
        g = FormatArgs(**m.groupdict())
        if args.path is not None:
            path = Path(args.path).absolute()
            path = path.relative_to(git_dir_path)
            if path.is_dir():
                path = str(path)
                if path == ".":
                    path = ""
                else:
                    path += "/"
                g.dir = path
            else:
                g.file = str(path)
        if g.file is not None:
            if args.display_branch:
                g.branch = r["branch"]
                print(remote_type["format-branch-file"](g))
            else:
                commit = get_last_commit()
                g.commit = commit
                print(remote_type["format-commit-file"](g))
        elif g.dir is not None:
            if args.display_branch:
                g.branch = r["branch"]
                print(remote_type["format-branch-dir"](g))
            else:
                commit = get_last_commit()
                g.commit = commit
                print(remote_type["format-commit-dir"](g))
        else:
            if args.display_branch:
                g.branch = r["branch"]
                print(remote_type["format-branch"](g))
            else:
                commit = get_last_commit()
                g.commit = commit
                print(remote_type["format-commit"](g))
        break
    if not remote_type_found:
        print("No remote type matched")
        exit(1)
 if __name__ == "__main__":
    main()
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
clerie	691d671420	pkgs/clerie-ssh-known-hosts: Expose function as package	2025-06-28 16:25:38 +02:00
clerie	fef845117e	flake/nixosConfigurations.nix: Pull localNixpkgs directly instead of creating nixpkgs with local overlays again	2025-06-28 16:10:46 +02:00
clerie	11970e287c	pkgs/build-support: Move clerie-build-support attribute name to overlay	2025-06-28 15:32:58 +02:00
clerie	cdc1a1e6de	flake.nix: Add unused helper variable	2025-06-28 15:31:38 +02:00
clerie	e9b5dce77f	flake.nix: Common naming scheme for overlays and no default overlays anymore	2025-06-28 15:22:16 +02:00
clerie	23190f0777	pkgs/overlay.nix: Get rid of pkgs/pkgs.nix and move overrides to separate overlay	2025-06-28 15:14:36 +02:00
clerie	1d927638c5	flake.nix: Exclude build support from flake exported packages and make pkgs/pkgs.nix obsolete again	2025-06-28 15:03:46 +02:00
clerie	a754af1ee9	configuration/desktop: Update renamed option name	2025-06-28 14:14:11 +02:00
clerie	617a27d4fe	flake.lock: Update lix	2025-06-28 14:05:39 +02:00
clerie	eace2fabb2	pkgs/build-support: Add writePytonScript helper function	2025-06-28 14:03:57 +02:00
Flake Update Bot	721f6681e1	Update nixpkgs 2025-06-27-01-03	2025-06-27 03:04:09 +02:00
clerie	86bfe85982	hosts/porter: Resolve nginx proxy upstreams via unbound	2025-06-24 16:42:03 +02:00
clerie	e24190ae08	hosts/dn42-il-gw1: Open firewall for wireguard tunnel ports	2025-06-11 08:07:13 +02:00
clerie	9755550435	hosts/dn42-il-gw1: AS4242421718 fix link local peer address	2025-06-11 08:06:42 +02:00
clerie	0dfc013122	hosts/dn42-il-gw1: Add peer AS4242421718	2025-06-10 23:08:38 +02:00
clerie	3c85462f46	monitoring/targets.json: Check fem.social http	2025-06-03 15:43:05 +02:00
clerie	cc1790bf30	modules/nginx-port-forward: Proxy upstream DNS is only reresolved when referenced as a variable	2025-06-03 15:41:56 +02:00
clerie	c97799b97c	hosts/monitoring-3: Alert on broken IPv4 to IPv6 proxy	2025-06-02 18:46:43 +02:00
clerie	3b0986cc57	modules/nginx-port-forward: Hardcode dns response caching time to 30s	2025-06-02 18:30:35 +02:00
clerie	89a96632a2	pkgs/overrides: Disable openpgp support in dino	2025-06-02 18:16:33 +02:00
clerie	a7950d2466	pkgs/overrides: Deactivate notification sounds in dino	2025-06-02 18:04:25 +02:00
clerie	c31b68d96a	flake.lock: Update bij	2025-06-01 22:20:33 +02:00
clerie	c49e26d828	modules/nginx-port-forward: Resolve upstream hostnames as IPv6 only	2025-06-01 20:32:50 +02:00
clerie	5add1baa8d	flake.nix: Update lix	2025-06-01 14:50:29 +02:00
clerie	ff4b3579b3	monitoring/targets.json: Monitor some more websites	2025-06-01 14:25:38 +02:00
clerie	16f709b7aa	monitoring/targets.json: Don't ping matrix hosts	2025-06-01 14:19:22 +02:00
clerie	096fe1dc03	profiles/monitoring-server: Monitor http	2025-06-01 14:08:57 +02:00
clerie	e475e46e3c	profiles/monitoring-server: Fetch monitoring targets from json file	2025-06-01 13:31:43 +02:00
clerie	92f8495111	modules/nginx-port-forward: Automatically reresolve hostnames	2025-05-31 13:03:00 +02:00
clerie	50ca6f03ee	hosts/porter: Proxy port 80 and 443 to baikonur	2025-05-31 13:02:18 +02:00
clerie	1a9475ad7f	profiles/common-webserver: Migrate webserver config to profile	2025-05-31 13:00:43 +02:00
clerie	fae30a0fc5	hosts/monitoring-3: Don't alert for /nix/store disk full	2025-05-29 12:16:26 +02:00
clerie	f70421d8f9	Revert "pkgs/overrides: Dino uses OMEMO by default for new conversations" Fixed upstream This reverts commit `1c087b0c9f`.	2025-05-27 16:35:34 +02:00
Flake Update Bot	3f2c0fc244	Update nixpkgs 2025-05-27-01-03	2025-05-27 03:04:02 +02:00
clerie	cddd9b1a1e	pkgs/git-show-link: Improve linking to directory	2025-05-25 20:48:07 +02:00
clerie	efad5a6cbb	pkgs/git-show-link: Normalize paths	2025-05-25 20:21:51 +02:00
clerie	d334a1a73c	pkgs/git-show-link: Link to files directly	2025-05-25 19:59:59 +02:00
clerie	4fa4c8d669	configuration/common: Don't force requests ca bundle environment var	2025-05-25 14:15:54 +02:00
clerie	46d23fb98a	pkgs/git-show-link: Specify URL format using --remote-type	2025-05-23 14:51:20 +02:00
clerie	4e56adef58	pkgs/git-show-link: Display error message when not executed in a git repo	2025-05-23 14:28:03 +02:00
clerie	b93dc9f16b	configuration/common: Make Python requests always use system CA	2025-05-19 18:43:38 +02:00
clerie	44d1a444ba	pkgs/git-show-link: Handle branch names with slashes properly	2025-05-19 10:49:32 +02:00
clerie	d0c6ecff4c	flake.lock: Update nixos-exporter	2025-05-08 21:50:31 +02:00
clerie	1042cf279f	profiles/hydra-build-machine: Migrate configuration to profile	2025-05-08 17:17:01 +02:00
clerie	fe23b7745f	configuration/dn42: Remove obsolete configuration	2025-05-08 16:31:33 +02:00
clerie	ced991b911	profiles/router: Migrate configuration to profile	2025-05-08 16:17:26 +02:00
clerie	fa1220dcf8	configuration/router: All hosts using this config don't do BGP and OSPF	2025-05-08 15:55:59 +02:00
clerie	802a731a57	Merge remote-tracking branch 'origin/updated-inputs-2025-05-06-01-03'	2025-05-08 12:19:02 +02:00
clerie	8b9acbb9b1	hosts/monitoring-3: Display pretty scraping address for nixos-validator	2025-05-08 12:13:54 +02:00
clerie	0b6d9623bc	modules/monitoring: Migrate firewall from iptables to NixOS declarative	2025-05-08 12:03:35 +02:00
clerie	69ccc0c692	profiles/wg-clerie: Convert systemd timer into a service with sleep	2025-05-08 11:34:05 +02:00
clerie	1c087b0c9f	pkgs/overrides: Dino uses OMEMO by default for new conversations	2025-05-07 18:33:59 +02:00
clerie	8d3057758f	pkgs/pull-scans: Add script	2025-05-06 21:43:41 +02:00
Flake Update Bot	87b0c38260	Update nixpkgs 2025-05-06-01-03	2025-05-06 03:03:05 +02:00
clerie	70cde0e367	hosts/storage-2: Allow frank access to em	2025-05-05 12:24:26 +02:00
clerie	593739120a	hosts/storage-2: Add location em	2025-05-05 12:24:00 +02:00
clerie	1e810adc51	users/frank: Add user	2025-05-05 12:23:15 +02:00
clerie	891b8ae718	hosts/clerie-backup: Update hardware configuration	2025-04-29 17:26:29 +02:00
clerie	f33b8c0cdf	hosts/clerie-backup: Move VM to different region	2025-04-28 15:54:28 +02:00
clerie	dffebb92e8	profiles/firefox: Use webcam through pipewire	2025-04-27 14:12:44 +02:00
clerie	ecdb362f60	profiles/firefox: Provide default configuration	2025-04-27 13:55:33 +02:00
clerie	074ab4befc	flake.lock: Update rainbowrss	2025-04-26 13:58:55 +02:00
clerie	35d572e414	hosts/dn42-ildix-service: Disable mimalloc in fernglas so it builds with current nixpkgs	2025-04-26 13:45:49 +02:00
Flake Update Bot	0e0bb82ebd	Update nixpkgs 2025-04-24-01-03	2025-04-24 03:03:06 +02:00
clerie	4777fb2eae	flake.lock: Update fernglas	2025-04-23 20:02:47 +02:00
clerie	c285e4db89	flake.lock: Update lix	2025-04-22 00:03:40 +02:00
clerie	6e2b11e696	pkgs/uptimestatus: Use python instead of python3	2025-04-21 23:30:51 +02:00
clerie	04f8df6c08	pkgs/iot-data: Remove package	2025-04-21 22:32:53 +02:00
clerie	ae8f8961ea	flake.lock: Update rainbowrss	2025-04-21 22:29:43 +02:00
clerie	414402561b	hosts/backup-4: Replicate backup to palladium	2025-04-18 11:24:06 +02:00
clerie	fed00bd41b	modules/backup: Specify backup server as full URL	2025-04-16 22:03:38 +02:00
clerie	c0a8f8116e	hosts/nonat: Enable DHCPv6 to try out NTP	2025-04-16 21:05:01 +02:00
clerie	e9210d4ada	hosts/backup-4,hosts/palladium: Setup direct VPN tunnel for backups	2025-04-15 20:55:56 +02:00
clerie	47921ea988	hosts/palladium: Enable monitoring	2025-04-15 20:02:38 +02:00
clerie	3fdf10641b	hosts/palladium: Enable wg-clerie	2025-04-15 19:52:24 +02:00
clerie	e9695286b6	pkgs/clerie-sops: Write config to temp file as sops can't read config from pipe	2025-04-15 19:32:21 +02:00
clerie	e125d5d3bf	hosts/monitoring-3: Alert when GPG key is about to expire	2025-04-14 21:45:09 +02:00
clerie	cc00e92b51	hosts/web-2: asc file type is already in default mime types	2025-04-14 21:28:08 +02:00
clerie	aaf7bb8871	users/clerie: Extend GPG expiry date	2025-04-14 20:07:53 +02:00
clerie	84dffed418	profiles/wg-clerie: Send host originating traffic to targets reachable via wg-clerie via wg-clerie	2025-04-14 19:11:42 +02:00
clerie	83a094bbd0	hosts/*: Disable DHCPv6Client on every host	2025-04-13 17:05:37 +02:00
clerie	32ec59e303	pkgs/clerie-update-nixfiles: Add script to delete old update-nixfiles branches	2025-04-07 21:37:47 +02:00
clerie	8af0eb2386	profiles/common: Make common-networking the default	2025-04-07 21:27:03 +02:00
clerie	323018daaa	profiles/common-dns: Fix typo	2025-04-07 21:11:53 +02:00
clerie	98b4cde2e4	pkgs/git-show-link: Pass format args as dataclass	2025-04-07 17:16:00 +02:00
clerie	f9359f4d50	hosts/dn42-ildix-service: Migrate to systemd-networkd	2025-03-24 21:39:04 +01:00
clerie	a44dfd1e65	hosts/dn42-ildix-clerie: Migrate to systemd-networkd	2025-03-24 20:48:17 +01:00
clerie	1d7eb45286	profiles/serial-console: Add profile for serial console and enable on mercury VMs be default	2025-03-23 14:30:17 +01:00
clerie	c100f6e95b	hosts/dn42-il-gw1: Migrate to systemd-networkd and dn42-router profile	2025-03-22 17:51:03 +01:00
clerie	d304a47f89	profiles/dn42-router: Fix defaults and decryption of module options	2025-03-22 17:49:52 +01:00
clerie	58f7ba4518	hosts/dn42-il-gw6: Migrate to systemd-networkd and dn42-router profile	2025-03-22 17:27:39 +01:00
clerie	cfbeab8706	profiles/dn42-router: Take over config from configuration/dn42	2025-03-22 17:11:59 +01:00
clerie	032987bce5	hosts/dn42-il-gw5: Migrate to systemd-networkd and dn42-router profile	2025-03-22 17:05:02 +01:00
clerie	89ec7e8394	profiles/dn42-router: Add module for dn42 router	2025-03-22 17:04:16 +01:00
clerie	2e35c7955e	hosts/dn42-il-gw1: Remove disconnected AS4242420197 n0emis	2025-03-22 14:40:42 +01:00
clerie	6d774cc8ba	hosts/dn42-il-gw1: Remove disconnected AS4242421302 perflyst	2025-03-22 14:38:54 +01:00
clerie	75777aa68c	profiles/common-dns,profiles/common: Enable systemd-resolved everywhere	2025-03-22 14:34:40 +01:00
clerie	552d2a964c	profiles/wg-clerie: Refresh endpoint selection with systemd timer	2025-03-21 18:19:44 +01:00
clerie	9e7deadfb5	hosts/krypton,hosts/zinc: Migrate to systemd-network	2025-03-20 20:07:06 +01:00
clerie	de3bc903ef	profiles/common-networking: Centralize new network config	2025-03-20 20:03:39 +01:00
clerie	fed25f02d8	profiles/wg-clerie: Don't let NetworkManager touch the VPN interface	2025-03-20 19:55:17 +01:00
clerie	7a210b13be	hosts/_iso: Migrate to systemd-network	2025-03-20 19:46:54 +01:00
clerie	a29978c95a	hosts/astatine: Migrate to systemd-network	2025-03-20 19:44:35 +01:00
clerie	2d6afc2093	profiles/wg-clerie: wg-clerie not required for online	2025-03-20 19:43:57 +01:00
clerie	5a719c2f01	hosts/astatine,hosts/beryllium,hosts/tungsten: Migrate to profiles.clerie.wg-clerie	2025-03-20 19:30:47 +01:00
clerie	effb386e51	profiles/wg-clerie: Only configure sops secret if we want to use that	2025-03-20 19:30:10 +01:00
clerie	3ec00be4d0	profiles/wg-clerie: Migrate wg-clerie to systemd-networkd	2025-03-20 19:06:51 +01:00
clerie	006877c4ae	hosts/astatine,hosts/beryllium,hosts/tungsten: Migrate to systemd-networkd Policy routing clashed with the fallback dhcp on any interface module for some unknown reason, therefore wg-clerie is disabled on all of these devices	2025-03-19 20:07:37 +01:00
clerie	3efc575902	hosts/astatine: Remove unused services	2025-03-19 16:48:11 +01:00
clerie	6beb19b93d	hosts/krypton: Use okular from kdePackages	2025-03-18 16:33:38 +01:00
Flake Update Bot	f75393544d	Update nixpkgs 2025-03-17-02-03	2025-03-17 03:03:59 +01:00
clerie	2f84edcd99	hosts/palladium: Migrate to systemd-network	2025-03-16 19:09:27 +01:00
clerie	3deb7383e1	hosts/storage-2: Migrate to systemd-network	2025-03-16 18:44:55 +01:00
clerie	f79d99be54	hosts/osmium: Migrate to systemd-network	2025-03-16 18:37:08 +01:00
clerie	ca2f13f765	hosts/nonat: Migrate to systemd-network	2025-03-16 18:29:21 +01:00
clerie	604c30edea	hosts/monitoring-3: Migrate to systemd-network	2025-03-16 18:21:35 +01:00
clerie	7141a7fadd	hosts/hydra-2: Migrate to systemd-network	2025-03-16 18:12:39 +01:00
clerie	f96326de36	hosts/hydra-1: Migrate to systemd-network	2025-03-16 18:00:16 +01:00
clerie	0cb1c4105a	hosts/clerie-backup: Enable systemd-networkd	2025-03-16 17:50:59 +01:00
clerie	e6be0bd7a6	hosts/clerie-backup: Remove a lot of deprecated backup automation	2025-03-16 17:46:20 +01:00
clerie	dd164c1284	hosts/backup-4: Migrate to systemd-networkd	2025-03-16 17:07:07 +01:00
clerie	21fa57545b	flake.nix: Update lix	2025-03-16 12:20:25 +01:00
clerie	a0a298689e	profiles/mercury-vm,profiles/cybercluster-vm: Add profiles for Proxmox VMs	2025-03-16 12:19:08 +01:00
clerie	97d826ef89	hosts/gatekeeper,hosts/mail-2,hosts/web-2: Migrate Hetzner VMs to systemd-networkd	2025-03-13 19:07:31 +01:00
clerie	8eaf11fb57	profiles/hetzner-cloud: Migrate Hetzner VMs to Hetzner Cloud profile	2025-03-13 18:46:11 +01:00
clerie	ec6390be3f	profiles/netcup: Add profile for Netcup VM	2025-03-13 18:04:19 +01:00
clerie	e4dc3bdc1f	hosts/porter: Migrate to systemd-networkd	2025-03-13 17:42:16 +01:00
clerie	87466f0ac9	hosts/palladium: Fresh system install	2025-03-12 22:18:10 +01:00
clerie	29da5a77c8	pkgs/overlay.nix: Generate overlay from attrset we can use to automatically get the package names for our own packets from	2025-03-12 20:50:49 +01:00
clerie	9bb1d93db7	hosts/palladium: Remove services	2025-03-10 19:18:56 +01:00
clerie	a8b084628f	hosts/monitoring-3: Monitor uberspace hosts	2025-03-07 22:03:34 +01:00
clerie	7254525c8e	pkgs/git-show-link: Match names with special chars too	2025-03-06 20:14:27 +01:00
clerie	dbd16ed438	pkgs/git-show-link: Add helper to display links to local git objects	2025-03-06 20:05:08 +01:00
clerie	26d1ddfaee	hosts/monitoring-3: Enable websockets with Grafana	2025-03-06 18:40:43 +01:00
clerie	3f07e7dbd7	hosts/dn42-il*: Migrate bird config to new module name	2025-03-02 17:36:49 +01:00
clerie	d257df7939	Merge remote-tracking branch 'origin/updated-inputs-2025-02-22-02-03'	2025-03-02 15:06:54 +01:00
clerie	360dbe0a07	hosts/tungsten: Add to monitoring and to wg-clerie	2025-02-25 19:01:57 +01:00
clerie	c4f6bd926e	hosts/tungsten: Add storage	2025-02-25 18:14:35 +01:00
Flake Update Bot	07b0f70747	Update nixpkgs 2025-02-22-02-03	2025-02-22 03:03:06 +01:00
clerie	99c82a2898	pkgs/clerie-system-remote-install: Install NixOS system remotely without evaluating anything on remote	2025-02-21 20:33:01 +01:00
clerie	427820aa37	hosts/tungsten: Init host	2025-02-21 20:26:02 +01:00
clerie	822763abe4	hosts/_iso: Allow clerie to log in to root directly with SSH keys	2025-02-21 20:25:39 +01:00
clerie	9ae31d6786	hosts/_iso: Make iso bootable again by disabling systemd in initrd	2025-02-20 20:20:12 +01:00
clerie	12a5d4b816	hosts/clerie-backup,hosts/backup-4: Add backup repo for cleriewi.uber.space	2025-02-16 19:20:35 +01:00
clerie	638721cceb	pkgs/nixfiles,pkgs/clerie-sops: Allow htpasswd edit the htpasswd file directly and therefor update existing entries	2025-02-16 18:59:47 +01:00
clerie	5345828a56	pkgs/nixfiles: Display generated backup secrets and make configureing hosts optional	2025-02-16 18:34:15 +01:00
clerie	5b03dd5ef9	hosts/backup-4,hosts/clerie-backup: Add backup targets for clerie.uber.space	2025-02-16 12:11:32 +01:00
clerie	141f956e9a	pkgs/clerie-backup: Fix typos	2025-02-15 01:33:12 +01:00
clerie	61a7d64452	modules/backup: Migrate automatic backups to clerie-backup backend	2025-02-14 13:17:26 +01:00
clerie	d17c2855ac	pkgs/clerie-backup: Add script to unify backup configs	2025-02-14 13:09:59 +01:00
clerie	f353d7b494	configuration/common: Content-Type utf-8 everywhere	2025-02-05 19:11:48 +01:00
clerie	420e9a65f2	configuration/common: Serve nix files with mime type text/plain over nginx	2025-01-31 21:54:31 +01:00
clerie	df96b9070d	configuration/desktop: Update renamed options	2025-01-31 21:53:10 +01:00
clerie	3b7f59a66e	hosts/monitoring-3: Warn if storages are almost full	2025-01-21 17:18:41 +01:00
clerie	fd2987c9fe	flake.lock: Update harmonia	2025-01-16 22:06:50 +01:00
clerie	9f7517c75c	hosts/_iso: Overwrite nixos defaults	2025-01-16 19:15:06 +01:00
Flake Update Bot	a2d4f6a803	Update nixpkgs 2025-01-14-02-03	2025-01-14 03:04:10 +01:00
clerie	b0e19708c0	flake.lock: Update scan-to-gpg	2025-01-11 15:39:50 +01:00
clerie	13dd689240	hosts/web-2: Read feeds from different directory	2025-01-06 18:38:16 +01:00
clerie	e70ff56b28	hosts/web-2: Add feeds.clerie.de	2025-01-05 16:26:46 +01:00
clerie	1b86f094c8	hosts/web-2: Redirect to admin interface of etebase	2025-01-03 22:50:42 +01:00
clerie	aad53d5072	hosts/krypton: Add etesync-dav	2025-01-03 16:15:57 +01:00
clerie	df7fba921f	hosts/web-2: Add etebase.clerie.de	2025-01-03 15:49:22 +01:00
clerie	c091d4a952	pkgs/clerie-update-nixfiles: Fix changed nix command	2025-01-03 15:01:09 +01:00
`@@ -1 +1 @@`
	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBc/YTf80MjyVeApOecOlxORIlwCaWtJNWtfggc0B374`	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0ZrGvZqxqsGEl2+YNnL5JNpeRc3y0DgqZAkuayfeso`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJq5WWALjFHvmUdcWdKN5BBRS1F/EWaBet6oftrbxt1F`