Update from updated-inputs-2025-03-23-02-03

systemd-networkd

Policy routing clashed with the fallback dhcp on any interface module
for some unknown reason, therefore wg-clerie is disabled on all of these
devices

configuration/common/web.nix

@@ -10,6 +10,10 @@
 
     commonHttpConfig = ''
       server_names_hash_bucket_size 64;
+      charset utf-8;
+      types {
+        text/plain nix;
+      }
       map $remote_addr $remote_addr_anon {
         ~(?P<ip>\d+\.\d+\.\d+)\.          $ip.0;
         ~(?P<ip>[^:]*:[^:]*(:[^:]*)?):    $ip::;

configuration/desktop/audio.nix

@@ -2,7 +2,7 @@
 
 {
 
-  hardware.pulseaudio.enable = false;
+  services.pulseaudio.enable = false;
 
   security.rtkit.enable = true;
   services.pipewire = {

configuration/desktop/gnome.nix

@@ -2,8 +2,8 @@
 
 {
   services.gnome = {
-    tracker-miners.enable = false;
-    tracker.enable = false;
+    localsearch.enable = false;
+    tinysparql.enable = false;
   };
 
   environment.gnome.excludePackages = with pkgs; [

configuration/hetzner-cloud/default.nix

@@ -1,8 +0,0 @@
-{ ... }:
-
-{
-  networking.useDHCP = false;
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
-  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
-  networking.nameservers = [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.2" "185.12.64.1" ];
-}

configuration/proxmox-vm/default.nix

@@ -1,5 +0,0 @@
-{ ... }:
-
-{
-  services.qemuGuest.enable = true;
-}

flake.lock

@@ -122,11 +122,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712014858,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -201,11 +201,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -238,38 +238,41 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1727121740,
-        "narHash": "sha256-72nDVSvUfZsLa2HbyricOpA0Eb8gxs/VST25b6DNBpM=",
+        "lastModified": 1733771848,
+        "narHash": "sha256-tqkTzUdwnTfVuCrcFag7YKgGkiR9srR45e4v0XMXVCY=",
         "owner": "nix-community",
         "repo": "harmonia",
-        "rev": "ff44006a30f93ac40d76c786e15149d901946c2b",
+        "rev": "c26731351ca38f4953a23ef5490358ffba955ab6",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "harmonia-v1.0.2",
+        "ref": "harmonia-v2.0.1",
         "repo": "harmonia",
         "type": "github"
       }
     },
     "hydra": {
       "inputs": {
-        "lix": "lix",
+        "lix": [
+          "lix"
+        ],
         "nix-eval-jobs": "nix-eval-jobs",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1733503045,
-        "narHash": "sha256-VoMam8Zzbk+X6dIYwH2f9NqItL6g9YDhQvGybzSl8xQ=",
-        "ref": "refs/heads/main",
-        "rev": "eccf01d4fef67f87b6383f96c73781bd08b686ac",
-        "revCount": 4230,
+        "lastModified": 1737885770,
+        "narHash": "sha256-neRDOoeJj4svdSAxXW8ZJOYWQzzOCRYppkaLaHPfs3A=",
+        "ref": "lix-2.92",
+        "rev": "7b3d065a13b21ec8109a250ac6148553bda52d5e",
+        "revCount": 4233,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/hydra.git"
       },
       "original": {
+        "ref": "lix-2.92",
         "type": "git",
         "url": "https://git.lix.systems/lix-project/hydra.git"
       }
@@ -279,64 +282,52 @@
         "flake-compat": "flake-compat",
         "nix2container": "nix2container",
         "nixpkgs": [
-          "hydra",
           "nixpkgs"
         ],
         "nixpkgs-regression": "nixpkgs-regression",
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1732112222,
-        "narHash": "sha256-H7GN4++a4vE49SUNojZx+FSk4mmpb2ifJUtJMJHProI=",
-        "ref": "refs/heads/main",
-        "rev": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
-        "revCount": 16513,
+        "lastModified": 1741509550,
+        "narHash": "sha256-O7+c7MYOvKnGhE5qwRqV+q0NePEtiz6spM1Mfu/Heck=",
+        "ref": "release-2.92",
+        "rev": "0d1f794178d42bfa1ef40ecb80be514139779184",
+        "revCount": 16641,
         "type": "git",
-        "url": "https://git.lix.systems/lix-project/lix"
+        "url": "https://git.lix.systems/lix-project/lix.git"
       },
       "original": {
+        "ref": "release-2.92",
         "type": "git",
-        "url": "https://git.lix.systems/lix-project/lix"
+        "url": "https://git.lix.systems/lix-project/lix.git"
       }
     },
     "lix-module": {
       "inputs": {
         "flake-utils": "flake-utils_2",
         "flakey-profile": "flakey-profile",
-        "lix": "lix_2",
+        "lix": [
+          "lix"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1732605668,
-        "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
-        "ref": "stable",
-        "rev": "96824d606a6656650bbe436366bc89d5ee3a6573",
-        "revCount": 113,
+        "lastModified": 1741892773,
+        "narHash": "sha256-8oUT6D7VlsuLkms3zBsUaPBUoxucmFq62QdtyVpjq0Y=",
+        "ref": "release-2.92",
+        "rev": "ed7a2fa83145868ecb830d6b3c73ebfd81a9e911",
+        "revCount": 130,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nixos-module.git"
       },
       "original": {
-        "ref": "stable",
+        "ref": "release-2.92",
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nixos-module.git"
       }
     },
-    "lix_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1729298361,
-        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
-        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
-        "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
-      }
-    },
     "mitel-ommclient2": {
       "inputs": {
         "nixpkgs": [
@@ -373,11 +364,11 @@
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1732351635,
-        "narHash": "sha256-H94CcQ3yamG5+RMxtxXllR02YIlxQ5WD/8PcolO9yEA=",
+        "lastModified": 1737237917,
+        "narHash": "sha256-xd3/Wr4aPc2MY61qyQ6qQ8AGoG3H/DDcJWziP4EhhXY=",
         "ref": "refs/heads/main",
-        "rev": "dfc286ca3dc49118c30d8d6205d6d6af76c62b7a",
-        "revCount": 617,
+        "rev": "6482bee40b89ab2c28d2e988848aa9ae0429d78c",
+        "revCount": 621,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nix-eval-jobs"
       },
@@ -476,6 +467,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-0dc1c7": {
+      "locked": {
+        "lastModified": 1725718979,
+        "narHash": "sha256-TNj62uDY5ilnYu0Jne8/IIunfh1kf6kDPY9KdS+Eotw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
+        "type": "github"
+      }
+    },
     "nixpkgs-regression": {
       "locked": {
         "lastModified": 1643052045,
@@ -526,11 +533,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1732521221,
-        "narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
+        "lastModified": 1742422364,
+        "narHash": "sha256-mNqIplmEohk5jRkqYqG19GA8MbQ/D4gQSK0Mu4LvfRQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
+        "rev": "a84ebe20c6bc2ecbcfb000a50776219f48d134cc",
         "type": "github"
       },
       "original": {
@@ -563,11 +570,11 @@
     "pre-commit-hooks": {
       "flake": false,
       "locked": {
-        "lastModified": 1726745158,
-        "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
+        "lastModified": 1733318908,
+        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
+        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
         "type": "github"
       },
       "original": {
@@ -576,6 +583,26 @@
         "type": "github"
       }
     },
+    "rainbowrss": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736087671,
+        "narHash": "sha256-zWeiCs+8SAS1wN5M3w3vSNNpILoKXqX9aj/ZZcgfMms=",
+        "ref": "refs/heads/main",
+        "rev": "ceab6a148233ffb23de19411a3e5579e3394a35b",
+        "revCount": 9,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/rainbowrss.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/rainbowrss.git"
+      }
+    },
     "root": {
       "inputs": {
         "berlinerbaeder-exporter": "berlinerbaeder-exporter",
@@ -585,11 +612,14 @@
         "fieldpoc": "fieldpoc",
         "harmonia": "harmonia",
         "hydra": "hydra",
+        "lix": "lix",
         "lix-module": "lix-module",
         "nixos-exporter": "nixos-exporter",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_3",
+        "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
         "nurausstieg": "nurausstieg",
+        "rainbowrss": "rainbowrss",
         "scan-to-gpg": "scan-to-gpg",
         "solid-xmpp-alarm": "solid-xmpp-alarm",
         "sops-nix": "sops-nix",
@@ -603,11 +633,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733765838,
-        "narHash": "sha256-piKf5W1vUl4y36WuW/192LMXBJyATBF83T9YEz9K3/Y=",
+        "lastModified": 1736606141,
+        "narHash": "sha256-cIGSrY3tNwOamqt41IPRRw5SPlBtljWZvcXDfCkreUc=",
         "ref": "refs/heads/main",
-        "rev": "b0c07f95146d85a7b62a84fb2a62a773a5942733",
-        "revCount": 17,
+        "rev": "9f1aa15509c9b0284774be95ef020f612c385353",
+        "revCount": 18,
         "type": "git",
         "url": "https://git.clerie.de/clerie/scan-to-gpg.git"
       },
@@ -716,11 +746,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1711963903,
-        "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
+        "lastModified": 1733662930,
+        "narHash": "sha256-9qOp6jNdezzLMxwwXaXZWPXosHbNqno+f7Ii/xftqZ8=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
+        "rev": "357cda84af1d74626afb7fb3bc12d6957167cda9",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,6 +1,8 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # for etesync-dav
+    nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
     berlinerbaeder-exporter = {
       url = "git+https://git.clerie.de/clerie/berlinerbaeder-exporter.git";
@@ -19,15 +21,21 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     harmonia = {
-      url = "github:nix-community/harmonia/harmonia-v1.0.2";
+      url = "github:nix-community/harmonia/harmonia-v2.0.1";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     hydra = {
-      url = "git+https://git.lix.systems/lix-project/hydra.git";
+      url = "git+https://git.lix.systems/lix-project/hydra.git?ref=lix-2.92";
+      inputs.lix.follows = "lix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    lix = {
+      url = "git+https://git.lix.systems/lix-project/lix.git?ref=release-2.92";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     lix-module = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable";
+      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.92";
+      inputs.lix.follows = "lix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
@@ -39,6 +47,10 @@
       url = "git+https://git.clerie.de/clerie/nurausstieg.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    rainbowrss = {
+      url = "git+https://git.clerie.de/clerie/rainbowrss.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     scan-to-gpg = {
       url = "git+https://git.clerie.de/clerie/scan-to-gpg.git";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -98,6 +110,7 @@
       palladium = {};
       porter = {};
       storage-2 = {};
+      tungsten = {};
       web-2 = {};
       zinc = {
         modules = [
@@ -113,6 +126,7 @@
     nixosModules = {
       nixfilesInputs = import ./flake/modules.nix inputs;
       clerie = import ./modules;
+      profiles = import ./profiles;
       default = self.nixosModules.clerie;
     };
 
@@ -124,34 +138,7 @@
 
     packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
       pkgs = localNixpkgs.${system};
-    in {
-      inherit (pkgs)
-        clerie-keys
-        clerie-system-upgrade
-        clerie-merge-nixfiles-update
-        clerie-update-nixfiles
-        clerie-sops
-        clerie-sops-config
-        clerie-sops-edit
-        chromium-incognito
-        factorio-launcher
-        git-checkout-github-pr
-        git-diff-word
-        git-pp
-        harmonia
-        iot-data
-        nix-remove-result-links
-        nixfiles-auto-install
-        nixfiles-generate-config
-        nixfiles-generate-backup-secrets
-        nixfiles-update-ssh-host-keys
-        print-afra
-        run-with-docker-group
-        ssh-gpg
-        update-from-hydra
-        uptimestatus
-        xmppc;
-    });
+    in builtins.mapAttrs (name: value: pkgs."${name}") (import ./pkgs/pkgs.nix));
 
     inherit lib self;
 

flake/nixosConfigurations.nix

@@ -16,6 +16,7 @@ let
     modules = modules ++ [
       self.nixosModules.nixfilesInputs
       self.nixosModules.clerie
+      self.nixosModules.profiles
 
       ({ config, lib, ... }: {
         # Set hostname
@@ -51,6 +52,9 @@ let
             {};
         in
           secrets;
+
+        # Enable clerie common config
+        profiles.clerie.common.enable = true;
       })
 
       # Config to be applied to every host

flake/overlay.nix

@@ -1,28 +1,33 @@
 { self
+, nixpkgs-0dc1c7
 , berlinerbaeder-exporter
 , bij
 , chaosevents
 , harmonia
 , hydra
 , nurausstieg
+, rainbowrss
 , scan-to-gpg
 , ssh-to-age
 , ...
 }@inputs:
 final: prev: {
+  inherit (nixpkgs-0dc1c7.legacyPackages.${final.system})
+    etesync-dav;
   inherit (berlinerbaeder-exporter.packages.${final.system})
     berlinerbaeder-exporter;
   inherit (bij.packages.${final.system})
     bij;
   inherit (chaosevents.packages.${final.system})
     chaosevents;
-  harmonia = harmonia.packages.${final.system}.harmonia.override {
-    nixForHarmonia = final.nixVersions.nix_2_23;
-  };
+  inherit (harmonia.packages.${final.system})
+    harmonia;
   inherit (hydra.packages.${final.system})
     hydra;
   inherit (nurausstieg.packages.${final.system})
     nurausstieg;
+  inherit (rainbowrss.packages.${final.system})
+    rainbowrss;
   inherit (scan-to-gpg.packages.${final.system})
     scan-to-gpg;
   inherit (ssh-to-age.packages.${final.system})

hosts/_iso/configuration.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, modulesPath, ... }:
+{ pkgs, lib, modulesPath, config, ... }:
 
 {
   imports = [
@@ -6,10 +6,28 @@
     ../../configuration/gpg-ssh
   ];
 
+  profiles.clerie.network-fallback-dhcp.enable = true;
+
+  # systemd in initrd is broken with ISOs
+  # Failed to mount /sysroot/iso
+  # https://github.com/NixOS/nixpkgs/issues/327187
+  boot.initrd.systemd.enable = false;
+
+  networking.useDHCP = false;
+  systemd.network.enable = true;
+
   networking.hostName = "isowo";
-  isoImage.isoBaseName = "nixos-isowo";
+  isoImage.isoBaseName = lib.mkForce "nixos-isowo";
 
   environment.systemPackages = with pkgs; [
     nixfiles-auto-install
   ];
+
+  # Allow user clerie to log in as root directly with ssh keys
+  users.users.root.openssh.authorizedKeys.keys = config.users.users.clerie.openssh.authorizedKeys.keys;
+
+  services.openssh.settings = {
+    PermitRootLogin = lib.mkForce "yes";
+  };
+
 }

hosts/aluminium/configuration.nix

@@ -18,7 +18,10 @@
     terminal_output serial
   ";
 
-  services.wg-clerie = {
+  networking.useDHCP = false;
+  systemd.network.enable = true;
+
+  profiles.clerie.wg-clerie = {
     enable = true;
     ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ];
     ipv4s = [ "10.20.30.106/32" ];

hosts/astatine/configuration.nix

@@ -4,30 +4,24 @@
   imports =
     [
       ./hardware-configuration.nix
-
-      ./ppp.nix
-      ./programs.nix
-      ./users.nix
     ];
 
+  profiles.clerie.network-fallback-dhcp.enable = true;
+
   boot.kernelParams = [ "console=ttyS0,115200n8" ];
 
-  # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
-  # boot.loader.grub.efiSupport = true;
-  # boot.loader.grub.efiInstallAsRemovable = true;
-  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  # Define on which hard drive you want to install Grub.
-  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+  boot.loader.grub.device = "/dev/sda";
   boot.loader.grub.extraConfig = "
     serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
     terminal_input serial
     terminal_output serial
   ";
 
-  #networking.firewall.enable = false;
+  networking.useDHCP = false;
+  systemd.network.enable = true;
 
-  services.wg-clerie = {
+  profiles.clerie.wg-clerie = {
     enable = true;
     ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
     ipv4s = [ "10.20.30.108/32" ];

hosts/astatine/ppp.nix

@@ -1,90 +0,0 @@
-{ pkgs, ... }:
-
-{
-  # Make space for VLAN header in containing ethernet segment
-  networking.interfaces."enp1s0".mtu = 1518;
-
-  ## DSL-Uplink
-  networking.vlans."enp1s0.7" = {
-    id = 7;
-    interface = "enp1s0";
-  };
-
-  services.pppd = {
-    enable = true;
-    peers.lns-test = {
-      config = ''
-        plugin pppoe.so enp1s0.7
-        user "criese#regiotest@bsa-vdsl"
-        ifname ppp-lns-test
-        persist
-        maxfail 0
-        holdoff 5
-        noipdefault
-        lcp-echo-interval 20
-        lcp-echo-failure 3
-        hide-password
-        nodefaultroute
-        +ipv6
-        debug
-      '';
-    };
-  };
-
-  /*
-  networking.interfaces.lo.useDHCP = true;
-  networking.interfaces.ppp-lns-test.useDHCP = true;
-
-  networking.dhcpcd = {
-    enable = true;
-    extraConfig = ''
-      interface ppp-lns-test
-        ipv6rs
-        ia_pd 0 lo/0
-    '';
-  };*/
-
-  environment.etc."ppp/ip-up" = {
-    text = ''
-      #! ${pkgs.runtimeShell} -e
-
-      ${pkgs.iproute2}/bin/ip route flush table 20001 || true
-      ${pkgs.iproute2}/bin/ip route add default dev ppp-lns-test table 20001
-    '';
-    mode = "555";
-  };
-  environment.etc."ppp/ip-down" = {
-    text = ''
-      #! ${pkgs.runtimeShell} -e
-
-      ${pkgs.iproute2}/bin/ip route flush table 20001 || true
-    '';
-    mode = "555";
-  };
-  environment.etc."ppp/ipv6-up" = {
-    text = ''
-      #! ${pkgs.runtimeShell} -e
-
-      ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
-      ${pkgs.iproute2}/bin/ip -6 route add default dev ppp-lns-test table 20001
-    '';
-    mode = "555";
-  };
-  environment.etc."ppp/ipv6-down" = {
-    text = ''
-      #! ${pkgs.runtimeShell} -e
-
-      ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
-    '';
-    mode = "555";
-  };
-
-  petabyte.policyrouting = {
-    enable = true;
-    rules4 = [
-      { rule = "from 212.218.16.237/32 lookup 20001"; prio = 19000; }
-      { rule = "from 212.218.16.237/32  unreachable"; prio = 19001; }
-    ];
-  };
-
-}

hosts/astatine/programs.nix

@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-
-{
-
-  environment.systemPackages = with pkgs; [
-    tcpdump # for remote wireshark
-  ];
-
-}

hosts/astatine/users.nix

@@ -1,10 +0,0 @@
-{ ... }:
-
-{
-  users.users.criese-nethinks = {
-    extraGroups = [
-      "wheel"
-    ];
-  };
-
-}

hosts/backup-4/configuration.nix

@@ -4,19 +4,29 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
 
       ./backup.nix
       ./restic-server.nix
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
   networking.useDHCP = false;
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::c"; prefixLength = 64; } ];
-  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffcb::c/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffcb::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
 
   services.nginx.enable = true;
 

hosts/backup-4/secrets.json

@@ -1,5 +1,5 @@
 {
-	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:QxdmemBB/iuU+fvc2QRRkbOHO5Ef8ZJqfTdFCnlOqKog5krZ2oIpURuttH9YeggJXV2Cr+kJDGI0b9Ca6BtCkOhahfWicTeFhuODJsSyZJqzw36Ba8pX3nIpqoa7StTydK1Dx5chOi2g8oB4895SvWqDa/qP10yDtBQAYURHYfodb9/tiKzfjJAGDlqsR2h+qmdbAkvR3/oAquBO8Nb493G2sixs20XIG85moYv6l0MPnZtWEXhDT8lM5tw0PCgpSfYaUeMWnmFuzFBj3MQSo3zAjGPeOSYVFlbwbLqFWL507z0dlRgzsxMYB1F4OL38nOpO2CP2/VvbidgbQZjKCfiHMJtWLQfzZIfNEhcF8kq2uhhOwRSKN3G7u1/ezzu+9UlUVMV6PY2jjbZHJ79Knu5SJ3KqphygjjIhdHufqI03BP/aJa0QkE/mGg9is3H0myW5rG9ElA1C4stF,iv:1Ue/H48af3ECUZ5GC0hrMMBfOuCZSuX9wOSAd5XG7Fk=,tag:HchM/ZJEDG4pWQdDanC9cA==,type:str]",
+	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
 	"sops": {
 		"kms": null,
@@ -12,8 +12,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-06-03T18:16:25Z",
-		"mac": "ENC[AES256_GCM,data:hWCI1hWTbbasov9Si0JDI39rUuBOEqrz+qxTKrNN4S/r9Ktofrk46b3rxSQF3+bC03HrbCMLk9/7XkvIFJXQj5pa9I1aG8MuMbgF0Z8Ft/uNdHPUUyLJwo/4aav4zXVpdg7zNtPdwjk66pw7iRO5XBmYgnQlnXotHM6S9s7RzuA=,iv:VJmLD1SImGtreceQP+DofnzOGp3sm12iCzbPsqzw6SI=,tag:aUryi0xUG7sd/EOmqrMQCg==,type:str]",
+		"lastmodified": "2025-02-16T18:13:41Z",
+		"mac": "ENC[AES256_GCM,data:O+E3UbWbmlbpUPeSS/BFcJpWr2WEXbu0aaj9u3XUwstp4ba6e0xuVdzfbntQwbN378sDNpDMkAuxp1+R/0THBSs+nqXC9q9IgK+hfSBd7q2v4lvdhxRdM1x4wysTDJGtjFNdfz8EzqMz42Y2IWjxSozgPNpjZSIGhwMBA2TS/gU=,iv:1waH/yUGt5jGJbQlYmp5b97NGVyRykgzI2g1xX+Jo/U=,tag:4bxFxkClt3LbqCH552XePw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-04T12:30:52Z",

hosts/beryllium/configuration.nix

@@ -6,6 +6,8 @@
       ./hardware-configuration.nix
     ];
 
+  profiles.clerie.network-fallback-dhcp.enable = true;
+
   boot.kernelParams = [ "console=ttyS0,115200n8" ];
 
   boot.loader.grub.enable = true;
@@ -18,41 +20,16 @@
 
   networking.hostName = "beryllium";
 
+  networking.useDHCP = false;
+  systemd.network.enable = true;
+
   networking.firewall.enable = false;
 
-  networking.iproute2.enable = true;
-  networking.iproute2.rttablesExtraConfig = ''
-    200 wg-clerie
-  '';
-
-  petabyte.policyrouting = {
+  profiles.clerie.wg-clerie = {
     enable = true;
-    rules6 = [
-      { rule = "from 2a01:4f8:c0c:15f1::8107/128 lookup wg-clerie"; prio = 20000; }
-      { rule = "from 2a01:4f8:c0c:15f1::8107/128 unreachable"; prio = 20001; }
-    ];
-    rules4 = [
-      { rule = "from 10.20.30.107/32 lookup wg-clerie"; prio = 20000; }
-      { rule = "from 10.20.30.107/32 unreachable"; prio = 20001; }
-    ];
-  };
-
-
-  networking.wireguard.enable = true;
-  networking.wireguard.interfaces = {
-    wg-clerie = {
-      ips = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
-      table = "wg-clerie";
-      peers = [
-        {
-          endpoint = "vpn.clerie.de:51820";
-          persistentKeepalive = 25;
-          allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
-          publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
-        }
-      ];
-      privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
-    };
+    ipv6s = [ "2a01:4f8:c0c:15f1::8107/128" ];
+    ipv4s = [ "10.20.30.107/32" ];
+    privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
   };
 
   clerie.monitoring = {

hosts/clerie-backup/configuration.nix

@@ -4,20 +4,28 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
 
       ./restic-server.nix
     ];
 
+  profiles.clerie.cybercluster-vm.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-
   networking.useDHCP = false;
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::6"; prefixLength = 64; } ];
-  networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffc1::6/64"
+    ];
+    routes = [
+      { Gateway ="2001:638:904:ffc1::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
 
   services.nginx.enable = true;
 
@@ -28,10 +36,6 @@
       authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiUWufpvAj/Rdxt/frAjs5Q4+/lzaN2jmf5+W3Gazjzw+CH+Agplux6op+LlzF7kAA32yP+lwQto8Rz92NzReDssXd+0JhgAAHrSMrPOPnQbZrierKOfVvDOteklEM4k5JXqZ+xHIMtNomuMV3wCFc18nvwc8t95pDBOI/HwzAwn2mGhVBod0CNXZs8EyMeQJNKLCRwpUrddOX6fz5x/fbPYO4KB3iPkC0X+e/d5SuBvrmwFdnpr2RkCboMPdd6i/0AsY4MLdMV54arS9Ed2jaFKqYCQR5wRdLxndn+aByyVQHQxVU0gVfO9+53NOgiVzhOFzXm6K2KcC/HZR5uj1r ceea@olbers.uberspace.de" ];
       path = "/mnt/clerie-backup/uberspace-ceea";
     };
-    uberspace-cleriewi = {
-      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAeU+YezmGNNnntAkOL143NlkADi6ekEcaW9yf9yegdkDxwyIyxaWC89B110kRkNe+6KP+LDwrp9vnFJZjst8Gv+dMs0h9U0IdUafhO7TcbbkqynqmtzIwiSGsLby2K9XOYTMlAa2JOfeNScPWccZ8KgXsIBqRGjo3yQfCHXZu9U/8CGXvYPsTGY5QYNeAw5Uaikuf565GHy4ROx2BN7LGug9lK42Hfv8i1lhCLi7wkhQ0EPGBRPkscjz/0Kb2iABMzyUf6uMrDJX/usKrChxkLfidIM9C5YR1E+wXlmy9lijuNP85NpXUEyVTAp9/XLCp1vskfCjsBLO0l+40XNIt cleriewi@biela.uberspace.de" ];
-      path = "/mnt/clerie-backup/uberspace-cleriewi";
-    };
   };
 
   # fix borgbackup primary grouping
@@ -51,62 +55,6 @@
       compression = "auto,lzma";
       startAt = "*-*-* 04:07:00";
     };
-    backup-replication-palladium = {
-      paths = [
-        "/mnt/clerie-backup"
-      ];
-      doInit = true;
-      repo =  "borg@palladium.net.clerie.de:." ;
-      encryption = {
-        mode = "none";
-      };
-      environment = { BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-palladium"; };
-      compression = "auto,lzma";
-      startAt = "*-*-* 06:23:00";
-    };
-    backup-replication-external-drive = {
-      paths = [
-        "/mnt/clerie-backup"
-      ];
-      doInit = true;
-      repo =  "borg@palladium.net.clerie.de:." ;
-      encryption = {
-        mode = "none";
-      };
-      environment = {
-        BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-external-drive";
-        BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
-        BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
-      };
-      compression = "auto,lzma";
-      startAt = "*-*-* 08:37:00";
-    };
-  };
-
-  users.users.backup-replication = {
-    isNormalUser = true;
-    group = "backup-replication";
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8kCLiDfVFKgoNvEoMb34jp2n1lQG+k7wigzc4qGmrROlWkJ46/Ym4UrSeQJAd6hwHTcKTZkeOrqDAjZZ+jlidpncJHT5VMW5Ah965pxbBq6Qh1Yz5tKj7nLAQ/+bwEH4qqBFNd796876n3pY/FqhwAHWONqWhLKzMXpFursMSITUPmRXcaPwJrgS9DIYspZ9bBhhRSdQ5N1SiGtaszOQwdevLnNYqdtFOBG4rt9SO6IBIHtaiTIHrrMGS2Lt3NMwkq+O+N+TGaKLjbwqtfUPfPOCmY0XH12OawjxHP9hZ+WH3dPtcu5p+VORciSybPvyh9qzXUrDeO4HDuii2GEFU8JFELYXdT/qBwdIMp82tkgww0zKbTJuc0y/9eR7LCXop4OALhR8+8xWDI9c1ccxu3T7S7zUI1OmTlR9i8rx85D4sz2dtp1jirDoW2KVuIdwe6G3NLfTL95FZRmveEQM3MO8MPpfzZ4EvaMbiQQd/c4VAmGovtSLQhySTpT6qSv0= root@backup-4"
-      #"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRANmJ2LYUr0Mavz/JJ7j+7p1zkqvizf6ZLt5XOJ2fj0enDuK7Dc5fxiESLGYTsLRVWuY4hNXVIL7aeJUj1LPf6LEX87APP4hb95t+TFxcES87tFfnFO48eiBbSd25Av2jmHGb6/wY2viYBxfk/vrLjPR6RgICqFsWFcz20bsWmc48FdzXYJCGJfKjHiW+Ut95VL+M/AlGBQHo33FNDyPXV4zh+MeWVkOFicwfh0k+4NH7Psj5n93m9szAlz306t5YZ32HnhSlvObkMk1Ugy6AzPKXrgKBu11pmatf7sFRx1ikYGUiKiezGjatt/8lYZfE8rQKQjwH+6LPt3ZPv06ncfKpH2vbZfonM0KhSsm1OIhJTse+X7ZMxizO6QqYM+BRJJGMbhH1g+6kFRsdlwakHNPE9YvG4NxZ1NxWTUr6F0gPhUEy61LkTnznt3ct1hgQR02KDQ+9i8PvaYeIIzZzRKufv4tV7OZkDLbN97tvAMkgpLjF+8fCg3qjn2Lckzc= root@palladium"
-    ];
-  };
-
-  users.groups.backup-replication = {};
-
-  environment.systemPackages = with pkgs; [
-    bindfs
-  ];
-
-  fileSystems."/clerie-backup-replication" = {
-    device = "/mnt/clerie-backup";
-    fsType = "fuse.bindfs";
-    options = [
-      "ro"
-      "force-user=backup-replication"
-      "force-group=backup-replication"
-      "perms=0000:ug=rD"
-    ];
   };
 
   clerie.monitoring = {

hosts/clerie-backup/secrets.json

@@ -1,5 +1,5 @@
 {
-	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:ZKrEv/bU1X+iO7GLlxsM8HhUy6B2+EXRA8JO2X8E8X5nt8Ydwa+wAqTea3hGyW/QNFrNg/nnAFaVg+VNa6UEqOuF0eg4Nf0LOYTtTpNt4uqDHomfFpvFxDfVCbk4a3fnjnJzk51XnZqeVlvuH2JKg9uD6QzTghTuZfysdGePZdD4WRfY+qHsZg2jREgA26WKsRnD1zU4ZnbRAA1s0Lzf5gG4kFciIzovt0x5MYEiVERFeM+HG1a117EvSlsijPNJVLTaFRLTVOlTOYLKXt4KcRJq9KwoZR/LgEz++rUE4DN5f7iQs+Sb9epH9sV/V06R6AKE5ZFcyi5Y+ipt8B4sWX8PQUeFxNlpljXHro8szGNnLnSxxieg10SEwfIEw+nTGVMHToUpvybzdoI4VPUHZGF+kpqv8ejEzhrKZXyPrd7ZCWGDsTdl8gGSefimpEUR8IwuPqImgu2UU8gT,iv:Y/G/odtZ4enBtNc2Wj7bZjsJ3nur5huYAqlu1PgnWlo=,tag:tg3ut7R2jJd+TVvYHIiTdA==,type:str]",
+	"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
 	"sops": {
 		"kms": null,
@@ -12,8 +12,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-06-03T18:16:18Z",
-		"mac": "ENC[AES256_GCM,data:kWeyNv82yc6H+FJjhTh8vkuxjZ4YFEqmZbqzZr+pEXxXeMUEGi9hr7cauGDNxnRMgWJz9KG1M4tzUyEK8rfVQWLc+Wcf/5Pjsxn1Zg0yJiJAxVFV7AcvGdKUeQuBKgOT5L+Z5+cFdvq9+CU/0M+6/e8jB6OdQWcuy0emBaCut4U=,iv:3w5arXHKapwwo7kgLtHcKfO+dhH22opVP+fjagize0c=,tag:+cCaX2FUG+5UYqutE9IsAA==,type:str]",
+		"lastmodified": "2025-02-16T18:13:34Z",
+		"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-05T12:12:27Z",

hosts/dn42-il-gw1/configuration.nix

@@ -4,49 +4,41 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
-      ../../configuration/dn42
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+  profiles.clerie.common-networking.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
-  networking.useDHCP = false;
-  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:1::1"; prefixLength = 64; } ];
-  # VM Nat Netz mercury
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.23"; prefixLength = 24; } ];
-  # OSPF Netz
-  networking.interfaces.ens19 = {};
-  # IPv6 Uplink
-  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::7"; prefixLength = 64; } ];
-
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens20";
+    address = [
+      "2001:638:904:ffc9::7/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffc9::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "192.168.10.23/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-dn42-ospf-netz" = {
+    matchConfig.Name = "ens19";
+    linkConfig.RequiredForOnline = "no";
+  };
 
   networking.wireguard.enable = true;
   networking.wireguard.interfaces = {
-    # n0emis
-    wg0197 = {
-      ips = [
-        "fe80::42:1/128"
-        # peer fe80::42:42:1/128
-      ];
-      postSetup = ''
-      ip -6 route flush dev wg0197
-      ip addr del dev wg0197 fe80::42:1/128 && ip addr add dev wg0197 fe80::42:1/128 peer fe80::42:42:1/128
-      '';
-      listenPort = 50197;
-      allowedIPsAsRoutes = false;
-      peers = [
-        {
-          allowedIPs = [ "fe80::/10" "fd00::/8" ];
-          endpoint = "himalia.dn42.n0emis.eu:52574";
-          publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
-        }
-      ];
-      privateKeyFile = config.sops.secrets.wg0197.path;
-    };
     # e1mo
     wg0565 = {
       ips = [
@@ -126,27 +118,6 @@
       ];
       privateKeyFile = config.sops.secrets.wg1280.path;
     };
-    # perflyst
-    wg1302 = {
-      ips = [
-        "fe80::a14e/128"
-        # peer fe80::a14d/128
-      ];
-      postSetup = ''
-      ip -6 route flush dev wg1302
-      ip addr del dev wg1302 fe80::a14e/128 && ip addr add dev wg1302 fe80::a14e/128 peer fe80::a14d/128
-      '';
-      listenPort = 51302;
-      allowedIPsAsRoutes = false;
-      peers = [
-        {
-          allowedIPs = [ "fe80::/10" "fd00::/8" ];
-          endpoint = "[2a03:4000:6:f6ed::1]:22574";
-          publicKey = "TSPvvpMY8dCFk6gd58aYtkibtqUn8EzIF6dXP52b3y8=";
-        }
-      ];
-      privateKeyFile = config.sops.secrets.wg1302.path;
-    };
     # lutoma
     wg4719 = {
       ips = [
@@ -169,163 +140,65 @@
     };
   };
 
-  petabyte.policyrouting = {
+  profiles.clerie.dn42-router = {
     enable = true;
-    rules6 = [
-      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
-      { rule = "from all to all lookup 2342"; prio = 10000; }
-      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
-      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+    loopbackIp = "fd56:4902:eca0:1::1";
+    routerId = "192.168.10.23";
+
+    ospfInterfaces = [
+      "ens19"
+    ];
+
+    ibgpPeers = [
+      {
+        peerName = "gw5";
+        remoteAddress = "fd56:4902:eca0:5::1";
+      }
+      {
+        peerName = "gw6";
+        remoteAddress = "fd56:4902:eca0:6::1";
+      }
+    ];
+
+    wireguardPeers = [
+      {
+        peerName = "peer_0565";
+        remoteAddress = "fe80::565";
+        interfaceName = "wg0565";
+        remoteAsn = "4242420565";
+        localAddress = "fe80::2574";
+      }
+      {
+        peerName = "peer_1271_north";
+        remoteAddress = "fe80::2";
+        interfaceName = "wg1271";
+        remoteAsn = "4242421271";
+        localAddress = "fe80::1";
+      }
+      {
+        peerName = "peer_1271_south";
+        remoteAddress = "fe80::1:2";
+        interfaceName = "wg1272";
+        remoteAsn = "4242421271";
+        localAddress = "fe80::1:1";
+      }
+      {
+        peerName = "peer_1280_wg1";
+        remoteAddress = "fde3:4c0d:2836:ff00::20";
+        interfaceName = "wg1280";
+        remoteAsn = "4242421280";
+        localAddress = "fde3:4c0d:2836:ff00::21";
+      }
+      {
+        peerName = "peer_4719";
+        remoteAddress = "fe80::acab";
+        interfaceName = "wg4719";
+        remoteAsn = "64719";
+        localAddress = "fe80::1";
+      }
     ];
   };
 
-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
-
-  ipv6 table ospf6;
-  ipv6 table bgp6;
-
-  protocol direct {
-          interface "lo";
-          ipv6 {
-                  table ospf6;
-          };
-  }
-
-  protocol static {
-          ipv6 {
-                  table bgp6;
-          };
-          route fd56:4902:eca0::/48 via "lo";
-          route fd56:4902:eca0::/52 via "lo";
-  }
-
-  protocol kernel {
-          ipv6 {
-                  table ospf6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:1::1;
-                          accept;
-                  };
-                  import none;
-          };
-          kernel table 1337;
-  }
-
-  protocol kernel {
-          ipv6 {
-                  table bgp6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:1::1;
-                          accept;
-                  };
-                  import none;
-          };
-          kernel table 2342;
-  }
-
-  protocol ospf v3 {
-          ipv6 {
-                  table ospf6;
-                  import all;
-                  export all;
-          };
-          area 0 {
-                  interface "ens19" {
-                          cost 80;
-                          type broadcast;
-                  };
-          };
-  }
-
-  protocol bgp gw5 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:5::1 as 4242422574;
-          source address fd56:4902:eca0:1::1;
-          ipv6 {
-                  table bgp6;
-                  igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  protocol bgp gw6 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:6::1 as 4242422574;
-          source address fd56:4902:eca0:1::1;
-          ipv6 {
-                  table bgp6;
-                  igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  template bgp bgp_peer {
-  	local as 4242422574;
-  	graceful restart on;
-  	ipv6 {
-  		table bgp6;
-  		next hop self;
-  		import keep filtered;
-  		import filter {
-  			if net ~ [fd00::/8{48,64}] then accept;
-  			reject;
-  		};
-  		export filter {
-  			if net ~ [fd00::/8{48,64}] then accept;
-  			reject;
-  		};
-  	};
-  }
-
-  protocol bgp peer_0197_himalia from bgp_peer {
-          neighbor fe80::42:42:1%wg0197 as 4242420197;
-          source address fe80::42:1;
-  }
-
-  protocol bgp peer_0565 from bgp_peer {
-	neighbor fe80::565%wg0565 as 4242420565;
-	source address fe80::2574;
-  }
-
-  protocol bgp peer_1271_north from bgp_peer {
-  	neighbor fe80::2%wg1271 as 4242421271;
-  	source address fe80::1;
-  }
-
-  protocol bgp peer_1271_south from bgp_peer {
-  	neighbor fe80::1:2%wg1272 as 4242421271;
-  	source address fe80::1:1;
-  }
-
-  protocol bgp peer_1280_wg1 from bgp_peer {
-  	neighbor fde3:4c0d:2836:ff00::20%wg1280 as 4242421280;
-  	source address fde3:4c0d:2836:ff00::21;
-  }
-
-  protocol bgp peer_1302 from bgp_peer {
-  	neighbor fe80::a14d%wg1302 as 4242421302;
-  	source address fe80::a14e;
-  }
-
-  protocol bgp peer_4719 from bgp_peer {
-    neighbor fe80::acab%wg4719 as 64719;
-  }
-
-  protocol device {
-          scan time 10;
-  }
-  '';
-
   clerie.system-auto-upgrade = {
     allowReboot = true;
     autoUpgrade = true;

hosts/dn42-il-gw5/configuration.nix

@@ -4,181 +4,108 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
-      ../../configuration/dn42
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+  profiles.clerie.common-networking.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
-  networking.useDHCP = false;
-  # VM Nat Netz mercury
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.25"; prefixLength = 24; } ];
-  # OSPF Netz
-  networking.interfaces.ens19 = {};
-  # Lokales Netz
-  networking.interfaces.ens20.ipv6.addresses = [ { address = "fd56:4902:eca0:5::1"; prefixLength = 64; } ];
-  # IPv6 Uplink
-  networking.interfaces.ens21.ipv6.addresses = [ { address = "2001:638:904:ffc9::a"; prefixLength = 64; } ];
-  # Ildix
-  networking.interfaces.ens22.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::5"; prefixLength = 64; } ];
-
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
-
-  petabyte.policyrouting = {
-    enable = true;
-    rules6 = [
-      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
-      { rule = "from all to all lookup 2342"; prio = 10000; }
-      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
-      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens21";
+    address = [
+      "2001:638:904:ffc9::a/64"
     ];
+    routes = [
+      { Gateway = "2001:638:904:ffc9::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "192.168.10.25/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-dn42-ospf-netz" = {
+    matchConfig.Name = "ens19";
+    linkConfig.RequiredForOnline = "no";
+  };
+  systemd.network.networks."10-dn42-lokales-netz" = {
+    # Aktuell nicht verwendet, da in lo-dn42 umgezogen
+    matchConfig.Name = "ens20";
+    linkConfig.RequiredForOnline = "no";
+  };
+  systemd.network.networks."10-dn42-ildix" = {
+    matchConfig.Name = "ens22";
+    address = [
+      "fd81:edb3:71d8:ffff:2574::5/64"
+    ];
+    linkConfig.RequiredForOnline = "no";
   };
 
-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
+  profiles.clerie.dn42-router = {
+    enable = true;
+    loopbackIp = "fd56:4902:eca0:5::1";
+    routerId = "192.168.10.25";
 
-  ipv6 table ospf6;
-  ipv6 table bgp6;
+    ospfInterfaces = [
+      "ens19"
+    ];
 
-  protocol direct {
-    interface "ens20";
-    ipv6 {
-      table ospf6;
-    };
-  }
+    ibgpPeers = [
+      {
+        peerName = "gw1";
+        remoteAddress = "fd56:4902:eca0:1::1";
+      }
+      {
+        peerName = "gw6";
+        remoteAddress = "fd56:4902:eca0:6::1";
+      }
+    ];
 
-  protocol static {
-          ipv6 {
-                  table bgp6;
+    bgpPeers = [
+      {
+        peerName = "peer_ildix_clerie";
+        localAddress = "fd81:edb3:71d8:ffff:2574::5";
+        remoteAddress = "fd81:edb3:71d8:ffff::13";
+        remoteAsn = "4242422953";
+      }
+      {
+        peerName = "peer_ildix_nex";
+        localAddress = "fd81:edb3:71d8:ffff:2574::5";
+        remoteAddress = "fd81:edb3:71d8:ffff::14";
+        remoteAsn = "4242422953";
+      }
+    ];
+
+    birdExtraConfig = ''
+      # Internal
+      protocol bgp peer_2953_dn42_ildix_service {
+        local as 4242422574;
+        neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+        source address fd81:edb3:71d8:ffff:2574::5;
+        multihop 64;
+        ipv6 {
+          table bgp6;
+          igp table ospf6;
+          next hop keep;
+          add paths tx;
+          import filter {
+            reject;
           };
-          route fd56:4902:eca0::/48 via "lo";
-          route fd56:4902:eca0::/52 via "lo";
-  }
-
-  protocol kernel {
-    ipv6 {
-      table ospf6;
-      export filter {
-        krt_prefsrc=fd56:4902:eca0:5::1;
-        accept;
-      };
-      import none;
-    };
-    kernel table 1337;
-  }
-
-  protocol kernel {
-          ipv6 {
-                  table bgp6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:5::1;
-        accept;
-                  };
-                  import none;
+          export filter {
+            accept;
           };
-    kernel table 2342;
-  }
-
-  protocol ospf v3 {
-    ipv6 {
-      table ospf6;
-      import all;
-      export all;
-    };
-    area 0 {
-      interface "ens19" {
-        cost 80;
-        type broadcast;
-      };
-    };
-  }
-
-  protocol bgp gw1 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:1::1 as 4242422574;
-          source address fd56:4902:eca0:5::1;
-          ipv6 {
-                  table bgp6;
-                  igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  protocol bgp gw6 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:6::1 as 4242422574;
-          source address fd56:4902:eca0:5::1;
-          ipv6 {
-      table bgp6;
-      igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  template bgp ildix {
-    local as 4242422574;
-    graceful restart on;
-    source address fd81:edb3:71d8:ffff:2574::5;
-    ipv6 {
-      table bgp6;
-      igp table ospf6;
-      next hop self;
-      import keep filtered;
-      import filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
-      };
-      export filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
-      };
-    };
-  }
-
-  protocol bgp peer_ildix_clerie from ildix {
-    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
-  }
-
-  protocol bgp peer_ildix_nex from ildix {
-    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
-  }
-
-  # Internal
-  protocol bgp peer_2953_dn42_ildix_service {
-    local as 4242422574;
-    neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
-    source address fd81:edb3:71d8:ffff:2574::5;
-    multihop 64;
-    ipv6 {
-      table bgp6;
-      igp table ospf6;
-      next hop keep;
-      add paths tx;
-      import filter {
-        reject;
-      };
-      export filter {
-        accept;
-      };
-    };
-  }
-
-  protocol device {
-    scan time 10;
-  }
-  '';
+        };
+      }
+    '';
+  };
 
   clerie.system-auto-upgrade = {
     allowReboot = true;

hosts/dn42-il-gw6/configuration.nix

@@ -4,181 +4,103 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
-      ../../configuration/dn42
     ];
 
+  profiles.clerie.cybercluster-vm.enable = true;
+  profiles.clerie.common-networking.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
-  networking.useDHCP = false;
-  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:6::1"; prefixLength = 64; } ];
-  # IPv6 Uplink
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc9::9"; prefixLength = 64; } ];
-  # Ildix
-  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::6"; prefixLength = 64; } ];
-  # VM Nat Netz mercury
-  networking.interfaces.ens20.ipv4.addresses = [ { address = "192.168.10.26"; prefixLength = 24; } ];
-  # OSPF Netz
-  networking.interfaces.ens21 = {};
-
-
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens20"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
-
-  petabyte.policyrouting = {
-    enable = true;
-    rules6 = [
-      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
-      { rule = "from all to all lookup 2342"; prio = 10000; }
-      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
-      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffc9::9/64"
     ];
+    routes = [
+      { Gateway = "2001:638:904:ffc9::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens20";
+    address = [
+      "192.168.10.26/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-dn42-ospf-netz" = {
+    matchConfig.Name = "ens21";
+    linkConfig.RequiredForOnline = "no";
+  };
+  systemd.network.networks."10-dn42-ildix" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "fd81:edb3:71d8:ffff:2574::6/64"
+    ];
+    linkConfig.RequiredForOnline = "no";
   };
 
-  services.bird2.enable = true;
-  services.bird2.config = ''
-  router id ${ (lib.head config.networking.interfaces.ens20.ipv4.addresses).address };
+  profiles.clerie.dn42-router = {
+    enable = true;
+    loopbackIp = "fd56:4902:eca0:6::1";
+    routerId = "192.168.10.26";
 
-  ipv6 table ospf6;
-  ipv6 table bgp6;
+    ospfInterfaces = [
+      "ens21"
+    ];
 
-  protocol direct {
-    interface "lo";
-    ipv6 {
-      table ospf6;
-    };
-  }
+    ibgpPeers = [
+      {
+        peerName = "gw1";
+        remoteAddress = "fd56:4902:eca0:1::1";
+      }
+      {
+        peerName = "gw5";
+        remoteAddress = "fd56:4902:eca0:5::1";
+      }
+    ];
 
-  protocol static {
-          ipv6 {
-                  table bgp6;
+    bgpPeers = [
+      {
+        peerName = "peer_ildix_clerie";
+        localAddress = "fd81:edb3:71d8:ffff:2574::6";
+        remoteAddress = "fd81:edb3:71d8:ffff::13";
+        remoteAsn = "4242422953";
+      }
+      {
+        peerName = "peer_ildix_nex";
+        localAddress = "fd81:edb3:71d8:ffff:2574::6";
+        remoteAddress = "fd81:edb3:71d8:ffff::14";
+        remoteAsn = "4242422953";
+      }
+    ];
+
+    birdExtraConfig = ''
+      # Internal
+      protocol bgp peer_2953_dn42_ildix_service {
+        local as 4242422574;
+        neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+        source address fd81:edb3:71d8:ffff:2574::6;
+        multihop 64;
+        ipv6 {
+          table bgp6;
+          igp table ospf6;
+          next hop keep;
+          add paths tx;
+          import filter {
+            reject;
           };
-          #route fd56:4902:eca0::/48 via "lo";
-          #route fd56:4902:eca0::/52 via "lo";
-  }
-
-  protocol kernel {
-          ipv6 {
-                  table ospf6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:6::1;
-  			accept;
-                  };
-                  import none;
+          export filter {
+            accept;
           };
-  	kernel table 1337;
-  }
-
-  protocol kernel {
-          ipv6 {
-                  table bgp6;
-                  export filter {
-                          krt_prefsrc=fd56:4902:eca0:6::1;
-  			accept;
-                  };
-                  import none;
-          };
-          kernel table 2342;
-  }
-
-  protocol ospf v3 {
-          ipv6 {
-                  table ospf6;
-                  import all;
-                  export all;
-          };
-          area 0 {
-                  interface "ens21" {
-                          cost 80;
-                          type broadcast;
-                  };
-          };
-  }
-
-  protocol bgp gw1 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:1::1 as 4242422574;
-          source address fd56:4902:eca0:6::1;
-          ipv6 {
-                  table bgp6;
-                  igp table ospf6;
-                  next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  protocol bgp gw5 {
-          local as 4242422574;
-          graceful restart on;
-          neighbor fd56:4902:eca0:5::1 as 4242422574;
-          source address fd56:4902:eca0:6::1;
-          ipv6 {
-                  table bgp6;
-  		igp table ospf6;
-  		next hop self;
-                  import keep filtered;
-                  import all;
-                  export all;
-          };
-  }
-
-  template bgp ildix {
-    local as 4242422574;
-    graceful restart on;
-    source address fd81:edb3:71d8:ffff:2574::6;
-    ipv6 {
-      table bgp6;
-      igp table ospf6;
-      next hop self;
-      import keep filtered;
-      import filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
-      };
-      export filter {
-        if net ~ [fd00::/8{8,64}] then accept;
-        reject;
-      };
-    };
-  }
-
-  protocol bgp peer_ildix_clerie from ildix {
-    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
-  }
-
-  protocol bgp peer_ildix_nex from ildix {
-    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
-  }
-
-  # Internal
-  protocol bgp peer_2953_dn42_ildix_service {
-    local as 4242422574;
-    neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
-    source address fd81:edb3:71d8:ffff:2574::6;
-    multihop 64;
-    ipv6 {
-      table bgp6;
-      igp table ospf6;
-      next hop keep;
-      add paths tx;
-      import filter {
-        reject;
-      };
-      export filter {
-        accept;
-      };
-    };
-  }
-
-  protocol device {
-          scan time 10;
-  }
-  '';
+        };
+      }
+    '';
+  };
 
   clerie.system-auto-upgrade = {
     allowReboot = true;

hosts/dn42-ildix-clerie/configuration.nix

@@ -4,9 +4,10 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
@@ -23,7 +24,6 @@
 
   networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens20"; };
   networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
 
   # Open Firewall for BGP
   networking.firewall.allowedTCPPorts = [ 179 ];
@@ -33,8 +33,9 @@
   iptables -A INPUT -p ospfigp -j ACCEPT
   '';
 
-  services.bird2.enable = true;
-  services.bird2.config = ''
+  services.bird.enable = true;
+  services.bird.package = pkgs.bird2;
+  services.bird.config = ''
   router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
 
   protocol direct {

hosts/dn42-ildix-service/bird.nix

@@ -1,11 +1,12 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 {
   networking.firewall.allowedTCPPorts = [ 179 ];
 
   # something doesn't work right
-  services.bird2.enable = false;
-  services.bird2.config = ''
+  services.bird.enable = false;
+  services.bird.package = pkgs.bird2;
+  services.bird.config = ''
   router id ${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address};
 
   ipv6 table bgp6;

hosts/dn42-ildix-service/configuration.nix

@@ -4,11 +4,13 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
+
       ./bird.nix
       ./fernglas.nix
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
   # boot.loader.grub.efiSupport = true;
@@ -31,7 +33,6 @@
 
   networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
   networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
 
   services.nginx.enable = true;
 

hosts/gatekeeper/configuration.nix

@@ -7,16 +7,20 @@
       ../../configuration/router
     ];
 
+  profiles.clerie.hetzner-cloud.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
 
   networking.useDHCP = false;
-  # Network
-  networking.interfaces.ens3.ipv4.addresses = [ { address = "78.47.183.82"; prefixLength = 32; } ];
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:15f1::1"; prefixLength = 64; } ];
-  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
-  networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    address = [
+      "2a01:4f8:c0c:15f1::1/64"
+      "78.47.183.82/32"
+    ];
+  };
 
   networking.nat = {
     enable = true;
@@ -114,6 +118,11 @@
           allowedIPs = [ "2a01:4f8:c0c:15f1::8111/128" "10.20.30.111/32" ];
           publicKey = "o6qxGKIoW2ZSFhXeNRXd4G9BRFeYyjZsrUPulB3KhTI=";
         }
+        {
+          # tungsten
+          allowedIPs = [ "2a01:4f8:c0c:15f1::8112/128" "10.20.30.112/32" ];
+          publicKey = "OI5/psr3ShrwRqKTTr3Kv92OVRietTcMFNVXtsYybRo=";
+        }
       ];
       listenPort = 51820;
       allowedIPsAsRoutes = false;

hosts/hydra-1/configuration.nix

@@ -4,7 +4,6 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
       ../../configuration/hydra-build-machine
 
       ./build-machines.nix
@@ -12,6 +11,8 @@
       ./nix-cache.nix
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
   
@@ -22,11 +23,28 @@
   ];
 
   networking.useDHCP = false;
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::a"; prefixLength = 64; } ];
-  networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.36"; prefixLength = 24; } ];
-  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffcb::a/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffcb::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "192.168.10.36/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
 
   services.nginx.enable = true;
 

hosts/hydra-2/configuration.nix

@@ -4,10 +4,11 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
       ../../configuration/hydra-build-machine
     ];
 
+  profiles.clerie.cybercluster-vm.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
@@ -18,11 +19,20 @@
   ];
 
   networking.useDHCP = false;
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::100"; prefixLength = 64; } ];
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "141.24.50.112"; prefixLength = 24; } ];
-  networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
-  networking.defaultGateway = { address = "141.24.50.1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffc1::100/64"
+      "141.24.50.112/24"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffc1::1"; }
+      { Gateway = "141.24.50.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
 
   clerie.monitoring = {
     enable = true;

hosts/krypton/configuration.nix

@@ -9,6 +9,7 @@
 
       ./android.nix
       ./backup.nix
+      ./etesync-dav.nix
       #./initrd.nix
       ./network.nix
       ./programs.nix

hosts/krypton/etesync-dav.nix

@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+
+  services.etesync-dav = {
+    enable = true;
+    apiUrl = "https://etebase.clerie.de";
+  };
+
+}

hosts/krypton/network.nix

@@ -1,7 +1,9 @@
 { ... }:
 
 {
-  services.wg-clerie = {
+  profiles.clerie.common-networking.enable = true;
+
+  profiles.clerie.wg-clerie = {
     enable = true;
     ipv6s = [ "2a01:4f8:c0c:15f1::8011/128" ];
     ipv4s = [ "10.20.30.11/32" ];

hosts/krypton/programs.nix

@@ -25,10 +25,11 @@
     tcpdump
     nmap
 
-    okular
+    kdePackages.okular
     chromium-incognito
 
     print-afra
+    git-show-link
 
     factorio-launcher
   ];

hosts/mail-2/configuration.nix

@@ -4,16 +4,24 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/hetzner-cloud
 
       ./mailcow.nix
     ];
 
+  profiles.clerie.hetzner-cloud.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
 
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:1c1c:9577::1"; prefixLength = 64; } ];
-  networking.interfaces.ens3.ipv4.addresses = [ { address = "5.75.187.112"; prefixLength = 32; } ];
+  networking.useDHCP = false;
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    address = [
+      "2a01:4f8:1c1c:9577::1/64"
+      "5.75.187.112/32"
+    ];
+  };
 
   clerie.backup = {
     enable = true;

hosts/monitoring-3/alertmanager.nix

@@ -63,6 +63,18 @@
             "instance"
           ];
         }
+        {
+          target_matchers = [
+            ''alertname = "StorageAlmostFull"''
+          ];
+          source_matchers = [
+            ''alertname = "StorageFull"''
+          ];
+          equal = [
+            "instance"
+            "mountpoint"
+          ];
+        }
       ];
     };
   };

hosts/monitoring-3/configuration.nix

@@ -4,7 +4,6 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
       ./alertmanager.nix
       ./berlinerbaeder-exporter.nix
       ./blackbox.nix
@@ -14,15 +13,34 @@
       ./uptimestatus.nix
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
 
   networking.useDHCP = false;
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.32"; prefixLength = 24; } ];
-  networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffca::7"; prefixLength = 64; } ];
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens19"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "2001:638:904:ffca::7/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffca::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "192.168.10.32/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
 
   services.prometheus.exporters.node.enable = true;
 

hosts/monitoring-3/grafana.nix

@@ -38,6 +38,10 @@
         enableACME = true;
         forceSSL   = true;
         locations."/".proxyPass = "http://[::1]:3001/";
+        locations."= /api/live/ws" = {
+          proxyPass = "http://[::1]:3001";
+          proxyWebsockets = true;
+        };
       };
     };
   };

hosts/monitoring-3/prometheus.nix

@@ -55,6 +55,11 @@ let
   eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
 
 in {
+  sops.secrets.uberspace-monitor-password = {
+    owner = "prometheus";
+    group = "prometheus";
+  };
+
   networking.hosts = {
     "::1" = [ "monitoring-3.mon.clerie.de" ]; # fd00:327:327:327::1
   }
@@ -126,6 +131,45 @@ in {
           relabelAddressToInstance
         ];
       }
+      {
+        job_name = "node-exporter-uberspace";
+        scrape_interval = "20s";
+        metrics_path = "/.node-exporter/metrics";
+        basic_auth = {
+          username = "monitor";
+          password_file = config.sops.secrets.uberspace-monitor-password.path;
+        };
+        static_configs = [
+          {
+            targets = [
+              "clerie.uber.space;infra"
+              "cleriewi.uber.space;infra"
+            ];
+          }
+        ];
+        relabel_configs = [
+          {
+            source_labels = [ "__address__" ];
+            regex = "(.+);(.+)";
+            target_label = "service_level";
+            replacement = "\${2}";
+          }
+          {
+            source_labels = [ "__address__" ];
+            regex = "(.+);(.+)";
+            target_label = "__address__";
+            replacement = "\${1}";
+          }
+          {
+            source_labels = [ "__address__" ];
+            target_label = "instance";
+          }
+          {
+            target_label = "job";
+            replacement = "node-exporter";
+          }
+        ];
+      }
       {
         job_name = "nixos-exporter";
         scrape_interval = "1m";

hosts/monitoring-3/rules.yml

@@ -17,7 +17,7 @@ groups:
     annotations:
       summary: "Current system of {{ $labels.instance }} not in sync with config"
       description: "The current system hash of {{ $labels.instance }} does not match the one generated by hydra based on the current config"
-  - alert: BackupStorageFull
+  - alert: StorageFull
     expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 5
     for: 30m
     labels:
@@ -25,6 +25,14 @@ groups:
     annotations:
       summary: "Storage of {{ $labels.instance }} is full"
       description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is full"
+  - alert: StorageAlmostFull
+    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 10
+    for: 30m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Storage of {{ $labels.instance }} is almost full"
+      description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is almost full"
   - alert: ClerieBackupJobLastSuccessfulRunBehind
     expr: time() - last_over_time(clerie_backup_last_successful_run_time{}[5m]) >= 9000
     for: 5m

hosts/monitoring-3/secrets.json

@@ -1,4 +1,5 @@
 {
+	"uberspace-monitor-password": "ENC[AES256_GCM,data:NfM9jxZAMkSGFlPYxreP7LJkr9gA2llyVw96okIKNUQ=,iv:z/LW643T36HpKo/xhHcVnF0EqhEXdoiEkDMH6NQzN9A=,tag:KXR2+kizv3To0EvZ66ak9w==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:kYFhMbqL7b0rwE2XIaR4QVT8ahoODmpXKzK5gvkODFJVklubwCmq2bLJk94=,iv:eR+VjxdtS4et9I4okzHyA+if1Rxj2/MuiC0CrWXd0Bg=,tag:rMaYMTvO6gWw6WegehDBFQ==,type:str]",
 	"xmpp-password": "ENC[AES256_GCM,data:eBZsBYqo+juLrYZjBqTcKFirHViRsul+wt6kkOmMhCp4xU7Ou8eJAPCOuhvHcUGxRE44L0yIyUObhRgAj0T5QA==,iv:DsLJ3qCZyrdolJBZFT9FJUNQ75pc8Vz32K2a8RJHuLc=,tag:wOxs2Ulw1aSMadWfjGSKsw==,type:str]",
 	"sops": {
@@ -12,8 +13,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxOGNMcm9vRWxMZjBwcmVS\nVGVoS2kwSmZjOHdGMXQwUmlzV3hhbGhhOVhzCkljQi94aUtORldKOFdqeVNXYnJQ\ndS9Vc0hRRisyL1dESk1NOTQ1dVJyMDgKLS0tIE54VlU1cVRXWXRlVGU5RzR5dXkv\nSEZJeElpWDdJYW9WNWxGLzdjdGR1YUUKGZwFPOc4MD97FBRtj1Py4A9Tz/HlzHcK\nX6nYgkYSUycM4g4d3+N+1NKutfWJ7KheuTlhNRDftyLYmmo5wyEtrw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-04-21T17:08:58Z",
-		"mac": "ENC[AES256_GCM,data:UucT7OiO9S3FcO9b1UKPQYXi7v3Ak7/J/VkDN4P9fssS4nky6PyX4oV5UvGcuR3p0pxLAHGJ4rOXj5QbnOqwDqmHfCnoqdItAlXRT1YPdSrelQ/gHyOfexsuV1XLOUS/OXJoYEi3ymKtza4rMIZow+du0YkRxrJQjwM0y8XSa3I=,iv:mDBaVhbHCLdxx5DC7urPPDdVPsCPYqKgLRwfqjLFdnU=,tag:Wpq6ihxIr/eceG12gpOJwQ==,type:str]",
+		"lastmodified": "2025-03-07T20:23:25Z",
+		"mac": "ENC[AES256_GCM,data:6GY06rVSKtQqaV5kLgTU4Wlu+e+dkNhxaPkJqKE8hrfJzO85WU6/iLvuv4ai0u+cUeWcOZatskzUeaVL/NjrRZnsNnxUqWbljLs8//0uUln71D/DWE4Vpb6Uz9I2iHG2Gftv3iyYF3nucrHiSTvyLzb9fDL+eGv0CHa/KmYk97g=,iv:f6xqDtHoBy7h7KRr2J0kYcaf6indqnRrJsYdcv9EHJs=,tag:uliCg2x92qY9SN9hg08Iuw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-04-21T17:08:30Z",
@@ -22,6 +23,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.9.4"
 	}
 }

hosts/nonat/configuration.nix

@@ -4,28 +4,36 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
       ../../configuration/router
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
   networking.useDHCP = false;
-  # Network
-  networking.interfaces.ens18.ipv4.addresses = [
-    { address = "141.24.46.169"; prefixLength = 24; }
-  ];
-  networking.interfaces.ens18.ipv6.addresses = [
-    { address = "2001:638:904:ffca::6"; prefixLength = 64; }
-  ];
-  networking.defaultGateway = { address = "141.24.46.1"; interface = "ens18"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.enable = true;
 
-  networking.interfaces.ens19.ipv4.addresses = [
-    { address = "192.168.10.1"; prefixLength = 24; }
-  ];
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffca::6/64"
+      "141.24.46.169/24"
+    ];
+    routes = [
+      { Gateway = "141.24.46.1"; }
+      { Gateway = "2001:638:904:ffca::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "192.168.10.1/24"
+    ];
+    linkConfig.RequiredForOnline = "no";
+  };
 
   networking.nat = {
     enableIPv6 = true;

hosts/osmium/configuration.nix

@@ -4,12 +4,13 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
 
       ./nixfiles-updated-inputs.nix
       ./polkit-test.nix
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
@@ -20,11 +21,28 @@
   ];
 
   networking.useDHCP = false;
-  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.29"; prefixLength = 24; } ];
-  networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffc7::6"; prefixLength = 64; } ];
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffc7::1"; interface = "ens19"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "2001:638:904:ffc7::6/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffc7::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "192.168.10.29/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
 
   environment.systemPackages = with pkgs; [
     git

hosts/palladium/backup-scripts.nix

@@ -1,44 +0,0 @@
-{ pkgs, ... }:
-
-let
-  cb-mount = pkgs.writeScriptBin "cb-mount" ''
-  #!${pkgs.bash}/bin/bash
-
-  DEVICE=/dev/disk/by-path/pci-0000:00:12.0-ata-2-part1
-
-  ${pkgs.cryptsetup}/bin/cryptsetup luksOpen ''${DEVICE} external-drive
-  mkdir -p /mnt/external-drive
-  mount /dev/mapper/external-drive /mnt/external-drive
-
-  mkdir -p /mnt/external-drive/clerie-backup
-  chown borg:borg -R /mnt/external-drive/clerie-backup
-  '';
-
-  cb-unmount = pkgs.writeScriptBin "cb-unmount" ''
-  #!${pkgs.bash}/bin/bash
-
-  umount /mnt/external-drive
-  ${pkgs.cryptsetup}/bin/cryptsetup luksClose external-drive
-  '';
-
-  cb-prepare = pkgs.writeScriptBin "cb-prepare" ''
-  echo "Formatting disk"
-  sgdisk -Z /dev/disk/by-path/pci-0000:00:12.0-ata-2
-  sgdisk -N 1 /dev/disk/by-path/pci-0000:00:12.0-ata-2
-  partprobe /dev/disk/by-path/pci-0000:00:12.0-ata-2
-
-  echo "Creating encrypted partition"
-  ${pkgs.cryptsetup}/bin/cryptsetup luksFormat -c aes-xts-plain64 --hash=sha256 -s 256 /dev/disk/by-path/pci-0000:00:12.0-ata-2-part1
-
-  echo "Opening encrypted partition"
-  ${pkgs.cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-path/pci-0000:00:12.0-ata-2-part1 external-drive
-
-  echo "Creating file system"
-  mkfs.ext4 /dev/mapper/external-drive
-
-  echo "Closing encrypted partition"
-  ${pkgs.cryptsetup}/bin/cryptsetup luksClose external-drive
-  '';
-in {
-  environment.systemPackages = [ cb-mount cb-unmount cb-prepare ];
-}

hosts/palladium/configuration.nix

@@ -4,53 +4,49 @@
   imports =
     [
       ./hardware-configuration.nix
-
-      ./backup-scripts.nix
     ];
 
-  boot.loader.systemd-boot.enable = true;
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.grub.efiSupport = true;
   boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input console serial
+    terminal_output gfxterm serial
+  ";
+
+  boot.initrd.luks = {
+    devices.lvm = {
+      device = "/dev/disk/by-uuid/f5597381-b59b-4f19-94b7-fd69aac43d6f";
+      bypassWorkqueues = true;
+    };
+    devices.crypt-storage-palladium = {
+      device = "/dev/disk/by-uuid/c54396c0-b5d3-4e61-9ef7-483fa2b4a56d";
+    };
+  };
+
+  boot.swraid.enable = true;
 
   networking.useDHCP = false;
-  networking.interfaces.enp3s0.ipv6.addresses = [
-    { address = "fd00:152:152:4::11"; prefixLength = 64; }
-    { address = "2001:4cd8:100:1337::11"; prefixLength = 64; }
-  ];
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp3s0"; };
-  networking.nameservers = [ "fd00:152:152::1" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "enp3s0";
+    address = [
+      "fd00:152:152:4::11/64"
+    ];
+    networkConfig.DHCP = true;
+    linkConfig.RequiredForOnline = "routable";
+  };
 
   # Keeping the harddrives quiet
   services.udev.extraRules = ''
     KERNEL=="sd?[0-9]", ENV{ID_MODEL}=="ST1000DM003-1SB102", ACTION=="add", RUN+="${pkgs.hdparm}/sbin/hdparm -S 24 /dev/%k"
   '';
 
-  services.borgbackup.repos = {
-    clerie-backup = {
-      path = "/mnt/palladium/clerie-backup";
-      authorizedKeysAppendOnly = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyk716RnbenPMkhLolyIkU8ywUSg8x7hjsXFFQoJx4I root@clerie-backup"
-      ];
-    };
-    external-drive = {
-      path = "/mnt/external-drive/clerie-backup";
-      authorizedKeysAppendOnly = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPuh74Esdp8JPgIZzM372DaCwtAl2QNtRratnIFG0NRB root@clerie-backup"
-      ];
-    };
-  };
-
-  # Disable automatic directory creation for external-drive repo
-  # The directory gets created by the disk formatting script
-  # Correct permissons will be set right after mounting
-  # This prevents borg from filling up the root drive when no drive is mounted
-  systemd.services.borgbackup-repo-external-drive.enable = false;
-
-  clerie.monitoring = {
-    enable = true;
-    id = "206";
-    pubkey = "fHOYNZ5I3E2JPrd9dUrNBmu75weX4KbDih5q+GCk8Xk=";
-  };
-
-  system.stateVersion = "21.03";
+  system.stateVersion = "25.05";
 
 }

hosts/palladium/hardware-configuration.nix

@@ -9,26 +9,37 @@
     ];
 
   boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/b217f1e1-1337-4ef0-bad5-15829ba32c7a";
+    { device = "/dev/disk/by-uuid/fbd14cd4-e402-4ad6-b801-8826d6cfc0fb";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/7A6B-3444";
+    { device = "/dev/disk/by-uuid/8B45-EBB4";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
-  fileSystems."/mnt/palladium" =
-    { device = "/dev/disk/by-uuid/f20d20ca-6be5-4b16-81fe-e66f31ffd108";
+  fileSystems."/data" =
+    { device = "/dev/disk/by-uuid/e7c41c4d-89d8-4083-ac6e-abbccbebf551";
       fsType = "ext4";
     };
 
-  swapDevices = [ ];
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/6ca5e48f-9b99-4722-b21b-c6f298610157"; }
+    ];
 
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/palladium/secrets.json

@@ -1,26 +0,0 @@
-{
-	"wg-monitoring": "ENC[AES256_GCM,data:ip6L61RXAVxaPqizhNTr6zVvKgd40CAsgeNFoAXMARM1nl146ayHK2q7mhc=,iv:G4WLmcPpJOxTcW0bHuEwWmth6u8fYoH7GmpkMo8Z3TQ=,tag:xJ+wCVEUMdqfXPcwgr9WSw==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1tl2cd730ctn6jcgg0vf8c5gg9722umk30zwvcwxhejh26p3gt3ds92msyx",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNHllOHpoYkNyQXMwL002\nRDR4eFVRemc4bW8vYS9GWHFkcmpRbWFFc2tzCmFjV1ZNTzhOYjM4VWltRGhaQ0RP\naC9vN2hrM3NSTDlSd1ZJTldXamJ4NUUKLS0tIDFuUzRKWWQrUFU1SXNqdEV2R1lM\nWXU1by9rYTBINTVralo0TTJmSEZHMm8KYEggCHnOyMcQSdJ9+Ujf61OANuja0ZIf\n+wa9ugc2OZrOYepkjN5X/bETdKfU33pIAL208N9HcOttfhcZq70yUQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-05-10T13:25:28Z",
-		"mac": "ENC[AES256_GCM,data:fLw0q9h+rlAAiXjtCJeGPi0COEt/UvApRiOpE+ydSrD/jXy+vh2OVW57UZPRBCP1mWtqfUJLiT1BZyOWor7dsPfTvaxCQmYhGcKBLucFEaiUovGgVjxJloD8hDJvSG9SJnlIiDobMsG87MsEWpi70oAbQu3/d4JT1BPSaRpvsjI=,iv:iS7tFqZMa0OzA5ASKPS6CSNTJYYJ0zhjLmBcipjLapg=,tag:Lspazw8Pi5Dxqcrk35A6tA==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2024-05-10T13:25:16Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+KsEUiNCgfajBMEEFsqHqNG3utLNQSLOd6VX/Rk56CjT9\nUtfiCdZCSzrtyT3Anu72auTJ+PHNAVhhHPcDiUcwY9JYXEXNETzEn0U/byS+kvOD\nNTpcpR1gSxJCj1aDqDDpfQQ02hSpKO4iw0B71gKcekUXcD2AQeeW0Djq60CusWVk\nRgC3odnyTr1CN1+JRtKVZKIa78rfOkyhmFP2G2gvsSHhUBd5RtMhJdfYVUTMIKXO\nQFB2IGCoIzE0zDitCcAZ8q6Dc8lBuAvNSiVkFanJn7e7etU3JwDhYsZKRO7jvNX3\nmjHnQ9vf0idCWAi0oabZQ1OGdwPbtjssxmQkzzR8R/paw+iRB50i1UG3/5ehXTV4\nTp/2rEwrsF8jO1bahTcrJirR7RPLEy2BvJ4ALzmEYrIoEwWuCIexrY+e2C2rXpy5\nK2+9Ch0YCaz8sc700bgO5ZkyvnmnbVJxGCaMGQtT9LXiEWvc36sUXhbEGJ0K782Z\n7uVFRs4xWsrUQHo8lFTfW/vLZDq7FvkGnDf5xnoEJp4BNYvYmMmsFiaygkbbqEdH\n2aHRCam9q5zcuBq+aA40KI1P4adIFgij+fijwQ+019JrfaMEXcmwgtOfkb2OZNOF\nXQ3tRgYLaxSae7BYJA4uTaFq60kpp1c8qgxw3WKPEiHywtl/SaPcx1XD9VJoVTGF\nAgwDvZ9WSAhwutIBD/9O0inQ/HmpwtD1AnE89SuZNuGQty71LVhX2PQQWsUdQOuz\ndKZN1wy6UxIImFGisBodUH+48k1DjbkDjL5cLSAUOt9OhAxW2Ubp6HA6wDJPqWj1\nYQMHKmHlf2zh5G1qTUXV3NNw6hSaWejVDS73WNODv1WfUFXrPN9DVLaPsS/RJo2Q\nAoDG/iedeQhIIBwrLIcQ8ttjv9MTI1GzsNRC/CjxQpDnHabqQzFzenjnVRLDXcmr\nwfw0HeTPeNh+pLYb+sBqzGUP0j1GWui99/6NUeo/TloBWJbIung4wq23gYZbHn+K\nbWJSxSy980mvjCXiRukzXlNJMwLZDVoBlPQSbe/pOApHM9HTScZ+3VcLlYOPjgZk\nhnCvFNm+4/00ZgF+tcvLOugIfqwxvOuqW4gGGhNAycHinJZuSfDHYe6zCfEiqc7t\nnHlbhNvlhC8zDu+fOurC2ju5eGv8LqFiobfsBFVdKpl9Gj7yg00S+QmjBcz0lkE9\n1BftwEQaj+r4EDa4cJHSgP+K76utv4Xzt9hHZZJo7hvii+lGxFI7rBm0xbV5bSuY\ntOhN6d98HH2++AoXufIW5vmnydGk2NXu7O8vi6sQWzoqed84ZHbJDWLQawQ8YQlR\nkbht2PzH4+rq1oOVHbLslxWkYF9WMsQRUef6ALNpys/Dj8N54gEN4RTV+SxIVoUC\nDAM1GWv08EiACgEP/1eiG0aASQogSByxl8ZbRjRg768YVR1fwTa8GG5tE7wfcGiI\njZF2TI+yQWt7gRS4AKNm1gfWEEjCH1tBOj53/Wfwn9ZuGoNqboA2jgsh2rnVVSXR\nOdXK3is/FMh9JREr669be83nnQ8fNP8nIz3snEvKVYVGcdsdkDXBz4GKmJx52NNb\nauL+4w14/0PydCVH/njsFY8FyWqP9lUFgpJU8jHjX28oTB3khwWrDs0THwqilTFn\nhFjgeCy555zeh5rDpBDPdPbLUNd094RB15zaKzn2dC15F8DMCLoA9ASNET7S/+u3\n1SjvI4XnOpxK9hyETcwjzbWJc2gV7U38VqxhQW9Vch3AvXOufMMTm6cobLjiwxjF\nl3XTMJ5GvHDZXCwrGEapy9GbHQjbd9yi0iFgfSGV4nkNmCj1jtAMUngdCqELDVU2\nZe3a8IeJswlTteGlXAM5mwnDaegMsiD/vwsq5Rtl0gs3iI3uIN4RFXuvxP+UeJ/c\ndJWqpF8vcQI4qGN3kxgB30I7mUiz1aggv5uw6nDWRJHTQKLeOkV8ssTq4FLs4XYL\n4z4qmMT5i+8bGu575py/LRDjvXBldeitnQj1jAN2y/uPNVWsZqU3S+OkEosYIgSQ\njAe3N0EyH5k3j7j43x91toYOCAkulAuPkox6GyUKKq4dCPWxg9fqQ8u4PaSN1GYB\nCQIQ3+GP0DNWupTIkTS4Bk1LwbT99lyr2DyExqb2pgXmzn05Qs6CE4+jcIxXnmUQ\nzCl6PLiw+DJ1nq5gKtTrkO96HtHGyfPiUunDZXty1/zNltYjedk7ebkWF3LNXBhE\nK38c6yE=\n=w0Nn\n-----END PGP MESSAGE-----",
-				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
-			}
-		],
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
-	}
-}

hosts/palladium/ssh.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBc/YTf80MjyVeApOecOlxORIlwCaWtJNWtfggc0B374
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0ZrGvZqxqsGEl2+YNnL5JNpeRc3y0DgqZAkuayfeso

hosts/porter/configuration.nix

@@ -7,16 +7,25 @@
       ../../configuration/router
     ];
 
+  profiles.clerie.netcup.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
 
   networking.useDHCP = false;
-  # Network
-  networking.interfaces.ens3.ipv4.addresses = [ { address = "5.45.100.191"; prefixLength = 22; } ];
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a03:4000:6:48d::1"; prefixLength = 64; } ];
-  networking.defaultGateway = { address = "5.45.100.1"; interface = "ens3"; };
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
-  networking.nameservers = [ "46.38.255.230" "46.38.252.230" ];
+  systemd.network.enable = true;
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens3";
+    address = [
+      "2a03:4000:6:48d::1/64"
+      "5.45.100.191/22"
+    ];
+    routes = [
+      { Gateway = "fe80::1"; }
+      { Gateway = "5.45.100.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
 
   clerie.nginx-port-forward = {
     enable = true;

hosts/storage-2/configuration.nix

@@ -4,22 +4,40 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/proxmox-vm
       ./firmware.nix
       ./mixcloud.nix
       ./syncthing.nix
       ./users.nix
     ];
 
+  profiles.clerie.mercury-vm.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";
 
   networking.useDHCP = false;
-  networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.35"; prefixLength = 24; } ];
-  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc0::4"; prefixLength = 64; } ];
-  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
-  networking.defaultGateway6 = { address = "2001:638:904:ffc0::1"; interface = "ens18"; };
-  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "2001:638:904:ffc0::4/64"
+    ];
+    routes = [
+      { Gateway = "2001:638:904:ffc0::1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  systemd.network.networks."10-nat-netz-mercury" = {
+    matchConfig.Name = "ens19";
+    address = [
+      "192.168.10.35/24"
+    ];
+    routes = [
+      { Gateway = "192.168.10.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
 
   services.nginx.enable = true;
 

hosts/tungsten/configuration.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  profiles.clerie.network-fallback-dhcp.enable = true;
+
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/disk/by-id/ata-InnoDisk_Corp._DRPS-08GJ30AC1QS-A88_20120705AAB200000505";
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input serial
+    terminal_output serial
+  ";
+
+  networking.useDHCP = false;
+  systemd.network.enable = true;
+
+  networking.hostName = "tungsten";
+
+  profiles.clerie.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8112/128" ];
+    ipv4s = [ "10.20.30.112/32" ];
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "216";
+    pubkey = "bDmf4xndBNwzcvIGCMq6dhyzjdEZOV2ckhv/37V/PWg=";
+    serviceLevel = "event";
+  };
+
+  system.stateVersion = "25.05";
+}
+

hosts/tungsten/hardware-configuration.nix

@@ -0,0 +1,46 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/7ed9e29c-d771-49a1-ae8a-8894f347c648";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/95122f15-5621-457c-972c-c057ca416212";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/02a2afe4-ee00-4d3d-884a-e195b9814bfd";
+      fsType = "ext4";
+    };
+
+  fileSystems."/mnt/storage-tungsten" =
+    { device = "/dev/disk/by-uuid/3d386e15-9d64-42a6-8d6d-571272d5e78e";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."crypt-storage-tungsten".device = "/dev/disk/by-uuid/e4142245-4c69-42e6-9b1f-fa4dc7fef7d8";
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/tungsten/secrets.json

@@ -0,0 +1,27 @@
+{
+	"wg-clerie": "ENC[AES256_GCM,data:OtSzmacWH9leDuykr7Tp5lR2FDoNGQ61V/9z6xBD1eCDSLOvt8UdILMETJU=,iv:NNGqR7UG3bZWETpZRwEdS4O1nRO4cBT72fljpqSbtyc=,tag:mea+5E8B655ljRzk63IDOw==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:+k7ATUbPnEfb4O4lUs8d4ZlvMPlsxC5mrCi1bXOje47XDcpioDwzRTQNPrU=,iv:p4JdSMbBcb/8Uh/9RuUSs64VBRQJHu6k5FB50UsxXVU=,tag:NRyBs1CO77AV4CbD6a6gig==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1dvl2pylf9vs4vt27g8z8nzpuwt88zl5fj7a68papsmenze7gd3mstyalks",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOGRQMDhycnViTVR5M1Aw\nbjFGbXBINTJsTEdKU1ZoMDVIMUQrU1R2M2hFCk9XY0NxMlZoZXJhMVIvZ1hLUXJt\nSVdzWEpraGc3aUFBUWU2Uk9WK2J1cncKLS0tIEZPUVY1V2Z0RDhJR2VweVFsZnY5\nREp1cERaVzcrTTRhL0tpVWpMc1pCdWcKB3ZbqB8tGdXgXra3fRL/gw4IEpNHBqp+\nKnw9XYYV2MDiL02+HF+bABVHbjngG85EGDRTDZMWnJtlxV4l+vzTVw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-25T17:46:27Z",
+		"mac": "ENC[AES256_GCM,data:EvbkM81pIqbYkvcBSWtyov5GN8D0PauWAiMmRYgWl2fijlH7zEpsCh0XU544prqpb7vh8ShAuCecVpWsdWUIAIT62ToB28NdefDhX2HDl4B1XeIy2X9i+jhnaXLjbwc+r8IhTHOJ/uWeVrNQyb4g9nOaijzDGVJbwKnJ6M+O7fU=,iv:WAIwdemTsTHLnGtFtg/KgyjId3+RpivNDc1LFZjG3jY=,tag:YmaYFT9smKChwd5vVisfLQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-02-25T17:27:17Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+In2YZByknfnhl2zYmOUTQCrjpiyXbf8/ai0Ko8TZZCRy\nhrpxyvKP+/u7CMS+giouoxKJ4XLDbHacoz06qF1I9i9iSVelXxQ5epSHk4BLLocw\nP5S6ZnE3jQO4G5goC/LU7nARN2IMwYq2rRZe8o8SLDMTZqGnlk9vBihcE4rN4lpd\nLbSb+cT6wDba32xKNZuP9IRPU2gqjOAg99gbh7Se2zB4Q7AxpgUl6EZZ7OMqVl/C\nbgSQFgwJxFPoH8KBS4wICbHTyWGvg2iEQyh1zNElUwbW112kyfBxGHKFukfEapIj\n2Cv0+Jme3VA750rZmJ4xcOZeoz0n7THBHdFjE122dkXhUdkQmohKzjngIZySUqDI\nuaDf43ebi6tPgCdC6gKLbYUUml+WEOmIRcgmIEswG9iRF/vjOYLK9OxclAKLDDar\nN9zgRFW1qR0HZhAbC61L1CqhKZzjQpNpjYn2pwmR+NnU/DDrlSdJLnHnrMdPeG6l\nBVp7oLhct2DwrypEYOvccrEwRakJSjCyC6cPWbUv7upjovTvcSAh21XNLnHJaMsY\n+sbJf5vshnALIkEXRyMBa5to7RZQvWx9qdklykjbXUEheM9RQATjGdnFQHuM05LI\npWKX038xlEaPe4nJa4PBGub23GZ1zuP3zE+N0W4XTR3r3ZGsMncqntiPJaaBgzWF\nAgwDvZ9WSAhwutIBEADMfdHvINLP6Gu7/DeLUboRnTHpP8x+rfTy9lcIW2RmQHbz\nLeAwBbeqyvLUi9ObjwclVWvPHqbPyGwibt96mTgGnkAEwXCgcXfWz/vCRZ0UHcvT\nimFM4H+ecOKws7t+sf31PAMPE0eSSJIYXVU9pej0qaKzR3zMBvQi6CsB0F1e2Fkz\n0HbilJMELaKFbJJsTXtDyl9Afi8OtVcBoG8P/1ImM/gcJLU548WTwPtzYUufHt5q\nkb45PjEId3m/g6CF6nh4GCQtRwOWjah49Zsk5cuI1aO/Q0gPyndgzFL5fYOfPlGN\nPTQ2KFMUh1dkvVVzyNFFC1vqXx2KH5l2gdTRkzaFQ3Qjjx1kluM5AlEl2Ynx4sbQ\nVaFZHFjQnoFtDn08BzNS7Cu/5SOdXejihen4sg0bGjEz6aVGwHXQJcp0BigH2y3f\n/OtnCK5KjFSQsdgTV5trstQgFQMqbMiVEqd3u+3lTxGJ/dQ7NXerFroITUC4J3Uu\n3VRdWTlgPED8hiA1NQaOiy2bbMzAgaR86qHK6JhxnP/6ETaByPPb27Oisblhhq9p\nCDw4eNGws1WsAyjZkyatzLZwUs2zOt4ZKjDlim8EikdGJpDcHnameRtI97QgPDO/\nzA5zHMrDuMN1iMw92WIAQyEQtJgyy4m3YvUsnlpHqKOgSNpwG/8j1zXHLH2p1IUC\nDAM1GWv08EiACgEQALEoa50qGjadZkaHI2tXFVv8RF1d8nR+L946DyMImjuMObei\n6Sx/Nc3bHzHSMsf27T120EUU0yUERdncoOQTRWBemMoB6tWYGTIAG0uDhrHl6rzW\nOUC5G7023H3cHStXbFFBp+JargnE1XgcapHM0p29GgUCE21UDBXzm7MB6x+9AKdd\nsc6qXD1xNPWc7RSqLL6anvcT/eLZW5Y1Ep2T7r5gQ81Fbxh4RicCphmApDC91Dii\nfZ/Va3JUeFm/82edeE4FqJUO9Akk2sPmVnXBYWPRq55/Uyk61J8u2b8tY7OcLSmr\nw/eaJq2bgDda3MBVzF3G9nr3BGhl8g7lCSCPS3gCFfs7C3Djp/YP0L8rMsH2ym1Q\nEj7rWC3K1xwtqowDx+EcYDMwmUtJqkia6o3WVM1qJM25QuCg2mnv9anMTgWuLpQo\nk1Av4FR+zV6aK3A7mxxjG0BsSUGjrrzoJC5DV1DSZ335lqlZxmthJoF0mda02nbh\nUlzpHEpG3/eWXjfDSbEYU8iVK2HWX9/i2gnXbpREuEnt5xpuSQ/sBT6tmit1FwK2\ntYZ+wtCMjWKkeZtvbP9Fx0nLYhVyMXvLhR1VLosCymKqWCIBj8VINagmPLiToEMd\nfpVs8m35neD4258CZOvBgqFvmxlGb9e27p8PHmlg9UNb/v7sYmSgm4IH0zi11GgB\nCQIQbpoXf1EJlriSHiqcUZCIvY/H37TWSJ6+tCcUSUipA+dLgt4pnKBjeM6RFSPG\n81eTm0AZIpmRDx/i31knPNh5JL6RYm5t66ncM46VkO1FIatkdKDfJbYe9J6ezWCs\nMDYTejoBhQ==\n=EuYe\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.2"
+	}
+}

hosts/tungsten/ssh.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJq5WWALjFHvmUdcWdKN5BBRS1F/EWaBet6oftrbxt1F

hosts/web-2/configuration.nix

@@ -9,6 +9,8 @@
       ./chaosevents.nix
       ./clerie.nix
       ./drop.nix
+      ./etebase.nix
+      ./feeds.nix
       ./fieldpoc.nix
       ./gitea.nix
       ./ip.nix
@@ -26,16 +28,20 @@
       ./wetter.nix
     ];
 
+  profiles.clerie.hetzner-cloud.enable = true;
+
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
 
   networking.useDHCP = false;
-  # Network
-  networking.interfaces.ens3.ipv4.addresses = [ { address = "88.99.187.135"; prefixLength = 32; } ];
-  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:c580::1"; prefixLength = 64; } ];
-  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
-  networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    address = [
+      "2a01:4f8:c0c:c580::1/64"
+      "88.99.187.135/32"
+    ];
+  };
 
   services.nginx = {
     enable = true;

hosts/web-2/etebase.nix

@@ -0,0 +1,26 @@
+{ ... }:
+
+{
+  services.etebase-server = {
+    enable = true;
+    port = 8001;
+    settings.allowed_hosts.allowed_host1 = "etebase.clerie.de";
+  };
+
+  services.nginx.virtualHosts = {
+    "etebase.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "= /" = {
+          return = ''302 "/admin/"'';
+        };
+      };
+      locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:8001";
+        };
+      };
+    };
+  };
+}

hosts/web-2/feeds.nix

@@ -0,0 +1,49 @@
+{ pkgs, ... }:
+
+{
+  users.users."feeds" = {
+    isSystemUser = true;
+    group = "feeds";
+  };
+
+  users.groups."feeds" = {};
+
+  systemd.tmpfiles.rules = [
+      "d /data/feeds 0775 root users - -"
+      "d /var/lib/feeds - feeds feeds - -"
+  ];
+
+  services.nginx = {
+    virtualHosts."feeds.clerie.de" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/lib/feeds";
+    };
+  };
+
+  systemd.services."feeds" = {
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "network.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      WorkingDirectory = "/var/lib/feeds";
+      RuntimeDirectory = "feeds";
+      User = "feeds";
+      Group = "feeds";
+      ExecStart = ''
+        ${pkgs.feeds-dir}/bin/feeds-dir /data/feeds
+      '';
+    };
+  };
+
+  systemd.timers."feeds" = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "hourly";
+      RandomizedDelaySec = "1h";
+    };
+    requires = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+  };
+}

hosts/zinc/configuration.nix

@@ -11,6 +11,8 @@
       ./programs.nix
     ];
 
+  profiles.clerie.common-networking.enable = true;
+
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
@@ -25,7 +27,7 @@
 
   boot.initrd.systemd.enable = false;
 
-  services.wg-clerie = {
+  profiles.clerie.wg-clerie = {
     enable = true;
     ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];
     ipv4s = [ "10.20.30.109/32" ];

modules/backup/default.nix

@@ -21,18 +21,11 @@ let
     ) cfg.jobs
   );
 
-  backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}: let
-    jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else
-      config.sops.secrets."clerie-backup-job-${jobName}".path;
-    repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
-    targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
-      config.sops.secrets."clerie-backup-target-${targetName}".path;
-    targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
-  in
+  backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}:
     nameValuePair "clerie-backup-${jobName}-${targetName}" {
       requires = [ "network.target" "local-fs.target" ];
       after = [ "network.target" "local-fs.target" ];
-      path = [ pkgs.restic ];
+      path = [ pkgs.clerie-backup ];
 
       serviceConfig = {
         Type = "oneshot";
@@ -41,14 +34,7 @@ let
       script = ''
         set -euo pipefail
 
-        export RESTIC_PASSWORD_FILE=${jobPasswordFile}
-        export RESTIC_REPOSITORY="rest:https://${targetUsername}:$(cat ${targetPasswordFile})@${targetOptions.serverName}${repoPath}"
-        export RESTIC_PROGRESS_FPS=0.1
-        export RESTIC_CACHE_DIR=/var/cache/restic
-
-        restic snapshots --latest 1 || restic init
-
-        restic backup ${optionalString (jobOptions.exclude != []) "--exclude-file ${pkgs.writeText "clerie-backup-${jobName}-${targetName}-excludes" (concatStringsSep "\n" jobOptions.exclude)}"} ${escapeShellArgs jobOptions.paths}
+        clerie-backup "${jobName}-${targetName}" backup
 
         ${optionalString (config.clerie.monitoring.enable) ''
           echo "clerie_backup_last_successful_run_time{backup_job=\"${jobName}\", backup_target=\"${targetName}\"} $(date +%s)" > /var/lib/prometheus-node-exporter/textfiles/clerie-backup-${jobName}-${targetName}.prom
@@ -69,32 +55,22 @@ let
     }
   ) jobTargetPairs);
 
-  backupCommands = map ({jobName, jobOptions, targetName, targetOptions}: let
+  backupConfigs = mergeAttrsList (map ({jobName, jobOptions, targetName, targetOptions}: let
       jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else
         config.sops.secrets."clerie-backup-job-${jobName}".path;
       repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
       targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
         config.sops.secrets."clerie-backup-target-${targetName}".path;
       targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
-    in pkgs.writeShellApplication {
-      name = "clerie-backup-${jobName}-${targetName}";
-
-      runtimeInputs = [ pkgs.restic ];
-
-      text = ''
-        set -euo pipefail
-
-        export RESTIC_PASSWORD_FILE=${jobPasswordFile}
-        export RESTIC_REPOSITORY="rest:https://${targetUsername}:$(cat ${targetPasswordFile})@${targetOptions.serverName}${repoPath}"
-        export RESTIC_PROGRESS_FPS=0.1
-        export RESTIC_CACHE_DIR=/var/cache/restic
-
-        restic "$@"
-      '';
-
-      checkPhase = "";
+    in {
+      "clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile;
+      "clerie-backup/${jobName}-${targetName}/repo_url".text = "https://${targetOptions.serverName}${repoPath}";
+      "clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername;
+      "clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
+      "clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths;
+      "clerie-backup/${jobName}-${targetName}/excludes".text = concatStringsSep "\n" jobOptions.exclude;
     }
-  ) jobTargetPairs;
+  ) jobTargetPairs);
 
   targetOptions = { ... }: {
     options = {
@@ -158,6 +134,7 @@ in
     systemd.tmpfiles.rules = [
       "d /var/cache/restic - - - - -"
     ];
-    environment.systemPackages = backupCommands;
+    environment.systemPackages = [ pkgs.clerie-backup ];
+    environment.etc = backupConfigs;
   };
 }

pkgs/clerie-backup/clerie-backup.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+REPO=
+ACTION=
+
+if [[ $# -lt 2 ]]; then
+	echo "Command not specified"
+	echo
+	echo "clerie-backup REPO ACTION"
+	echo
+	echo "ACTION: restic,backup"
+	echo
+	echo "Available REPOs (/etc/clerie-backup/):"
+	echo
+	if [[ -d "/etc/clerie-backup" ]]; then
+		find "/etc/clerie-backup/" -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | sort -d
+	fi
+	exit 1
+fi
+
+REPO="$1"
+shift
+
+ACTION="$1"
+shift
+
+CONFIG_DIR="/etc/clerie-backup/${REPO}"
+if [[ ! -d "${CONFIG_DIR}" ]]; then
+	echo "Config dir ${CONFIG_DIR} for ${REPO} does not exist"
+	exit 1
+fi
+
+ISSUE_EXIST=
+if [[ ! -f "${CONFIG_DIR}/repo_password" ]]; then
+	echo "File ${CONFIG_DIR}/repo_password not found"
+	ISSUE_EXIST=1
+fi
+if [[ ! -f "${CONFIG_DIR}/repo_url" ]]; then
+	echo "File ${CONFIG_DIR}/repo_url not found"
+	ISSUE_EXIST=1
+fi
+if [[ ! -f "${CONFIG_DIR}/auth_username" ]]; then
+	echo "File ${CONFIG_DIR}/auth_username not found"
+	ISSUE_EXIST=1
+fi
+if [[ ! -f "${CONFIG_DIR}/auth_password" ]]; then
+	echo "File ${CONFIG_DIR}/auth_password not found"
+	ISSUE_EXIST=1
+fi
+if [[ -n "${ISSUE_EXIST}" ]]; then
+	exit 1
+fi
+
+RESTIC_PASSWORD_FILE="${CONFIG_DIR}/repo_password"
+export RESTIC_PASSWORD_FILE
+RESTIC_REPOSITORY="rest:$(cat "${CONFIG_DIR}/repo_url")"
+export RESTIC_REPOSITORY
+RESTIC_REST_USERNAME="$(cat "${CONFIG_DIR}/auth_username")"
+export RESTIC_REST_USERNAME
+RESTIC_REST_PASSWORD="$(cat "${CONFIG_DIR}/auth_password")"
+export RESTIC_REST_PASSWORD
+RESTIC_PROGRESS_FPS="0.1"
+export RESTIC_PROGRESS_FPS
+RESTIC_CACHE_DIR="/var/cache/restic"
+export RESTIC_CACHE_DIR
+
+case "${ACTION}" in
+restic)
+	restic "$@"
+	;;
+backup)
+	ISSUE_EXIST=
+	if [[ ! -f "${CONFIG_DIR}/excludes" ]]; then
+		echo "File ${CONFIG_DIR}/excludes not found"
+		ISSUE_EXIST=1
+	fi
+	if [[ ! -f "${CONFIG_DIR}/files" ]]; then
+		echo "File ${CONFIG_DIR}/files not found"
+		ISSUE_EXIST=1
+	fi
+	if [[ -n "${ISSUE_EXIST}" ]]; then
+		exit 1
+	fi
+
+        restic snapshots --latest 1 || restic init
+
+        restic backup --exclude-file "${CONFIG_DIR}/excludes" --files-from "${CONFIG_DIR}/files"
+	;;
+*)
+	echo "Unsupported ACTION: ${ACTION}"
+	exit 1
+	;;
+esac

pkgs/clerie-backup/default.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "clerie-backup";
+  text = builtins.readFile ./clerie-backup.sh;
+  runtimeInputs = with pkgs; [
+    restic
+  ];
+}

pkgs/clerie-sops/clerie-sops-edit.sh

@@ -7,17 +7,19 @@ set -euo pipefail
 
 print_help() {
 	cat << EOF
-clerie-sops-edit <secrets_file> <action> <key>
+clerie-sops-edit <secrets_file> <action> <key> [cmd...]
 
   This script allows editing single secrets in a secrets file by key.
 
   <secrets_file> is a sops secrets file
-  <action> is one of "edit", "read", "set" and "append"
+  <action> is one of "edit", "cmd", "read", "set" and "append"
   <key> is the key of the secret in the secrets file to modify
+
+  ACTION "cmd" a command that get passed the decrypted secret in the argument being "{}"
 EOF
 }
 
-if [[ $# != 3 ]]; then
+if [[ $# -lt 3 ]]; then
 	print_help
 	exit 1
 fi
@@ -33,7 +35,7 @@ fi
 
 ACTION="$2"
 
-if ! echo "edit read set append" | grep -wq "${ACTION}"; then
+if ! echo "edit cmd read set append" | grep -wq "${ACTION}"; then
 	echo "Action \"${ACTION}\" not supported"
 	echo
 	print_help
@@ -43,6 +45,15 @@ fi
 KEY="$3"
 KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))"
 
+if [[ $# -gt 3 && "${ACTION}" != "cmd" ]]; then
+	print_help
+	exit 1
+fi
+
+shift
+shift
+shift
+
 if [[ -n $EDITOR ]]; then
 	EDITOR=vim
 fi
@@ -64,6 +75,18 @@ case "${ACTION}" in
 	edit)
 		"${EDITOR}" "${TMP_FILE}"
 		;;
+	cmd)
+		CMD=()
+		while [[ $# -gt 0 ]]; do
+			if [[ "$1" == "{}" ]]; then
+				CMD+=("${TMP_FILE}")
+			else
+				CMD+=("$1")
+			fi
+			shift
+		done
+		"${CMD[@]}"
+		;;
 	read)
 		cat "${TMP_FILE}"
 		;;

pkgs/clerie-system-remote-install/clerie-system-remote-install.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -xeuo pipefail
+
+SYSTEM="$1"
+REMOTE_HOST="$2"
+REMOTE_ROOT="$3"
+
+nix copy "${SYSTEM}" --to "ssh://${REMOTE_HOST}?remote-store=${REMOTE_ROOT}"
+
+ssh "${REMOTE_HOST}" -- nix-env --store "${REMOTE_ROOT}" -p "${REMOTE_ROOT}/nix/var/nix/profiles/system" --set "${SYSTEM}"
+
+ssh "${REMOTE_HOST}" -- mkdir -p "${REMOTE_ROOT}/tmp"
+TMPSH="$(ssh "${REMOTE_HOST}" -- mktemp -p "${REMOTE_ROOT}/tmp")"
+
+# shellcheck disable=SC2087
+ssh "${REMOTE_HOST}" -- tee "${TMPSH}" <<EOF
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+nix-env --store "${REMOTE_ROOT}" -p "${REMOTE_ROOT}/nix/var/nix/profiles/system" --set "${SYSTEM}"
+mkdir -m 0775 -p "${REMOTE_ROOT}/etc"
+touch "${REMOTE_ROOT}/etc/NIXOS"
+
+ln -sfn /proc/mounts "${REMOTE_ROOT}/etc/mtab"
+
+NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "${REMOTE_ROOT}" -c "/run/current-system/bin/switch-to-configuration boot"
+EOF
+
+ssh "${REMOTE_HOST}" -- bash "${TMPSH}"

pkgs/clerie-system-remote-install/default.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "clerie-system-remote-install";
+  text = builtins.readFile ./clerie-system-remote-install.sh;
+}

pkgs/clerie-update-nixfiles/clerie-update-nixfiles.sh

@@ -56,7 +56,7 @@ echo "[!] Create branch ${UPDATE_BRANCH}"
 xgit checkout -b "${UPDATE_BRANCH}"
 
 echo "[!] Update nixpkgs"
-nix flake lock --update-input nixpkgs
+nix flake update nixpkgs
 
 echo "[!] Commit changes"
 xgit add flake.lock

pkgs/feeds-dir/default.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "feeds-dir";
+  text = builtins.readFile ./feeds-dir.sh;
+  runtimeInputs = with pkgs; [
+    rainbowrss
+  ];
+}

pkgs/feeds-dir/feeds-dir.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+IN_DIR="${1:-.}"
+
+for file in "${IN_DIR}"/*.txt; do
+	rainbowrss --feeds "${file}" --out "$(basename "${file}" ".txt").html" || true
+done

pkgs/git-show-link/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+pkgs.writeTextFile {
+  name = "git-show-link";
+  executable = true;
+  destination = "/bin/git-show-link";
+  allowSubstitutes = true;
+  preferLocalBuild = false;
+  text = ''
+    #!${pkgs.python3.withPackages (ps: with ps; [])}/bin/python3
+    ${builtins.readFile ./git-show-link.py}
+  '';
+}

pkgs/git-show-link/git-show-link.py

@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+
+import argparse
+import re
+import subprocess
+
+REMOTE_TYPES = [
+    {
+        # github
+        "match": re.compile(r'git@github.com:(?P<username>[\w\.-]+)/(?P<project>[\w\.-]+).git'),
+        "format-branch": lambda g, b: f"https://github.com/{g['username']}/{g['project']}/tree/{b}/",
+        "format-commit": lambda g, c: f"https://github.com/{g['username']}/{g['project']}/commit/{c}/",
+    },
+    {
+        # gitea
+        "match": re.compile(r'(?P<gituser>[\w\.-]+)@(?P<host>[\w\.-]+):(?P<username>[\w\.-]+)/(?P<project>[\w\.-]+).git'),
+        "format-branch": lambda g, b: f"https://{g['host']}/{g['username']}/{g['project']}/src/branch/{b}/",
+        "format-commit": lambda g, c: f"https://{g['host']}/{g['username']}/{g['project']}/commit/{c}/",
+    },
+]
+
+def get_remote_branch():
+    s = subprocess.run(["git", "status", "--porcelain", "-uno", "-b", "--no-ahead-behind"], capture_output=True, text=True)
+
+    git_status_branch_info = s.stdout.splitlines()[0][3:].split()[0]
+
+    branches = git_status_branch_info.split("...")
+
+    if len(branches) != 2:
+        raise Exception("no branch name found")
+
+    local_branch, remote_branch = branches
+
+    remote, branch = remote_branch.split("/")
+
+    return {
+        "remote": remote,
+        "branch": branch,
+    }
+
+def get_remote_url(remote):
+    s = subprocess.run(["git", "remote", "get-url", remote], capture_output=True, text=True)
+
+    remote_url = s.stdout.strip()
+
+    return remote_url
+
+def get_last_commit():
+    s = subprocess.run(["git", "rev-parse", "HEAD"], capture_output=True, text=True)
+
+    commit = s.stdout.strip()
+
+    return commit
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog='git-show-link',
+    )
+
+    parser.add_argument("--branch", dest="display_branch", action='store_true', help="Display link to branch, instead to commit")
+
+    args = parser.parse_args()
+
+    r = get_remote_branch()
+
+    remote_url = get_remote_url(r["remote"])
+
+    for remote_type in REMOTE_TYPES:
+        m = remote_type["match"].match(remote_url)
+
+        if m is None:
+            continue
+
+        g = m.groupdict()
+
+        if args.display_branch:
+            print(remote_type["format-branch"](g, r["branch"]))
+        else:
+            commit = get_last_commit()
+            print(remote_type["format-commit"](g, commit))
+        break
+
+
+if __name__ == "__main__":
+    main()

pkgs/nixfiles/nixfiles-generate-backup-secrets.sh

@@ -4,17 +4,50 @@ set -euo pipefail
 
 cd "$(git rev-parse --show-toplevel)"
 
+if [[ $# -eq 0 || $# -gt 2 ]]; then
+	echo "Usage: nixfiles-generate-backup-secrets HOST [--configure-host]"
+	echo
+	echo "  --configure-host"
+	echo "      Directly sets the secrets in the hosts secret store"
+	exit 1
+fi
+
 host="$1"
 
+CONFIGURE_HOST=
+
+if [[ $# -eq 2 ]]; then
+	if [[ "$2" == "--configure-host" ]]; then
+		if [[ ! -f "hosts/${host}/secrets.json" ]]; then
+			echo "Host ${host} does not have a secrets file, can't configure"
+			exit 1
+		fi
+		CONFIGURE_HOST=1
+	else
+		echo "Unknown option $2"
+		exit 1
+	fi
+fi
+
 job_main="$(pwgen -1 64 1)"
 target_cyan="$(pwgen -1 64 1)"
-target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
 target_magenta="$(pwgen -1 64 1)"
-target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
 
-echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
-echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
-echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
+echo "${target_cyan}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" cmd "restic-server-cyan-htpasswd" htpasswd -iB "{}" "${host}"
+echo "${target_magenta}" | clerie-sops-edit "hosts/backup-4/secrets.json" cmd "restic-server-magenta-htpasswd" htpasswd -iB "{}" "${host}"
 
-echo "${target_cyan_htpasswd}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" append "restic-server-cyan-htpasswd"
-echo "$target_magenta_htpasswd" | clerie-sops-edit "hosts/backup-4/secrets.json" append "restic-server-magenta-htpasswd"
+echo "Repo password main: ${job_main}"
+echo
+echo "URL cyan: https://cyan.backup.clerie.de/${host}/main"
+echo "Auth username cyan: ${host}"
+echo "Auth password cyan: ${target_cyan}"
+echo
+echo "URL magenta: https://magenta.backup.clerie.de/${host}/main"
+echo "Auth username magenta: ${host}"
+echo "Auth password magenta: ${target_magenta}"
+
+if [[ -n "${CONFIGURE_HOST}" ]]; then
+	echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
+	echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
+	echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
+fi

pkgs/overlay.nix

@@ -1,27 +1 @@
-final: prev: {
-  clerie-keys = final.callPackage ./clerie-keys {};
-  clerie-system-upgrade = final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
-  clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
-  clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
-  clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
-  clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
-  clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
-  chromium-incognito = final.callPackage ./chromium-incognito {};
-  factorio-launcher = final.callPackage ./factorio-launcher {};
-  git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
-  git-diff-word = final.callPackage ./git-diff-word {};
-  git-pp = final.callPackage ./git-pp {};
-  iot-data = final.python3.pkgs.callPackage ./iot-data {};
-  nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
-  nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
-  nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
-  nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
-  nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
-  print-afra = final.callPackage ./print-afra {};
-  run-with-docker-group = final.callPackage ./run-with-docker-group {};
-  ssh-gpg = final.callPackage ./ssh-gpg {};
-  update-from-hydra = final.callPackage ./update-from-hydra {};
-  uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {};
-
-  xmppc = import ./overrides/xmppc.nix final prev;
-}
+final: prev: builtins.mapAttrs (name: value: value final prev) (import ./pkgs.nix)

pkgs/pkgs.nix

@@ -0,0 +1,31 @@
+{
+  clerie-backup = final: prev: final.callPackage ./clerie-backup {};
+  clerie-keys = final: prev: final.callPackage ./clerie-keys {};
+  clerie-system-remote-install = final: prev: final.callPackage ./clerie-system-remote-install {};
+  clerie-system-upgrade = final: prev: final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
+  clerie-merge-nixfiles-update = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
+  clerie-sops = final: prev: final.callPackage ./clerie-sops/clerie-sops.nix {};
+  clerie-sops-config = final: prev: final.callPackage ./clerie-sops/clerie-sops-config.nix {};
+  clerie-sops-edit = final: prev: final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
+  clerie-update-nixfiles = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
+  chromium-incognito = final: prev: final.callPackage ./chromium-incognito {};
+  factorio-launcher = final: prev: final.callPackage ./factorio-launcher {};
+  feeds-dir = final: prev: final.callPackage ./feeds-dir {};
+  git-checkout-github-pr = final: prev: final.callPackage ./git-checkout-github-pr {};
+  git-diff-word = final: prev: final.callPackage ./git-diff-word {};
+  git-pp = final: prev: final.callPackage ./git-pp {};
+  git-show-link = final: prev: final.callPackage ./git-show-link {};
+  iot-data = final: prev: final.python3.pkgs.callPackage ./iot-data {};
+  nix-remove-result-links = final: prev: final.callPackage ./nix-remove-result-links {};
+  nixfiles-auto-install = final: prev: final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
+  nixfiles-generate-config = final: prev: final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
+  nixfiles-generate-backup-secrets = final: prev: final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
+  nixfiles-update-ssh-host-keys = final: prev: final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
+  print-afra = final: prev: final.callPackage ./print-afra {};
+  run-with-docker-group = final: prev: final.callPackage ./run-with-docker-group {};
+  ssh-gpg = final: prev: final.callPackage ./ssh-gpg {};
+  update-from-hydra = final: prev: final.callPackage ./update-from-hydra {};
+  uptimestatus = final: prev: final.python3.pkgs.callPackage ./uptimestatus {};
+
+  xmppc = final: prev: import ./overrides/xmppc.nix final prev;
+}

profiles/common-dns/default.nix

@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.common-dns = {
+    enable = mkEnableOption "Common dns config";
+  };
+
+  config = mkIf config.profiles.clerie.common-dns.enable {
+
+    # Use systemd-resolved everywhere
+    services.resolved.enable = true;
+
+    # Do not use any DNS servers as fallback
+    services.resolved.fallbackDns = [];
+
+    networking.networkmanager.dns = "systemd-networkd";
+
+  };
+}

profiles/common-networking/default.nix

@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.common-networking = {
+    enable = mkEnableOption "Common networking config";
+  };
+
+  config = mkIf config.profiles.clerie.common-networking.enable {
+
+    # Disable scripted network
+    networking.useDHCP = false;
+    # Enable systemd-networkd
+    systemd.network.enable = true;
+
+    # Don't wait for online, if NetworkManger is running too
+    systemd.network.wait-online = mkIf (config.networking.networkmanager.enable == true) {
+      enable = false;
+    };
+
+  };
+}

profiles/common/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.common = {
+    enable = mkEnableOption "Cleries common config";
+  };
+
+  config = mkIf config.profiles.clerie.common.enable {
+
+    profiles.clerie.common-dns.enable = true;
+
+    # Disabled while we are still in transition
+    #profiles.clerie.common-network.enable = true;
+
+  };
+}

profiles/cybercluster-vm/default.nix

@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.cybercluster-vm = {
+    enable = mkEnableOption "Profile for cybercluster VMs";
+  };
+
+  config = mkIf config.profiles.clerie.cybercluster-vm.enable {
+
+    profiles.clerie.fem-net.enable = true;
+
+    services.qemuGuest.enable = true;
+
+  };
+}

profiles/default.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+
+  imports = [
+    ./common
+    ./common-dns
+    ./common-networking
+    ./cybercluster-vm
+    ./dn42-router
+    ./fem-net
+    ./hetzner-cloud
+    ./mercury-vm
+    ./netcup
+    ./network-fallback-dhcp
+    ./wg-clerie
+  ];
+
+}

profiles/dn42-router/default.nix

@@ -0,0 +1,291 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+
+  cfg = config.profiles.clerie.dn42-router;
+
+  myAsn = 4242422574;
+  ospf6Table = 1337;
+  bgp6Table = 2342;
+
+in {
+
+  options.profiles.clerie.dn42-router = {
+    enable = mkEnableOption "DN42 router base config";
+    loopbackIp = mkOption {
+      type = types.str;
+      description = "IPv6 lookback IP";
+    };
+    routerId = mkOption {
+      type = types.str;
+      description = "IPv6 lookback IP";
+    };
+    ospfInterfaces = mkOption {
+      type = with types; listOf str;
+      default = [];
+    };
+    ibgpPeers = mkOption {
+      type = with types; listOf (submodule ({ ... }: {
+        options = {
+          remoteAddress = mkOption {
+            type = types.str;
+          };
+          peerName = mkOption {
+            type = types.str;
+          };
+        };
+      }));
+      default = [];
+      description = "External bgp peers";
+    };
+    bgpPeers = mkOption {
+      type = with types; listOf (submodule ({ ... }: {
+        options = {
+          localAddress = mkOption {
+            type = types.str;
+          };
+          remoteAddress = mkOption {
+            type = types.str;
+          };
+          peerName = mkOption {
+            type = types.str;
+          };
+          remoteAsn = mkOption {
+            type = types.str;
+          };
+        };
+      }));
+      default = [];
+      description = "External bgp peers";
+    };
+    wireguardPeers = mkOption {
+      type = with types; listOf (submodule ({ ... }: {
+        options = {
+          interfaceName = mkOption {
+            type = types.str;
+          };
+          localAddress = mkOption {
+            type = types.str;
+          };
+          #localAddressPrefixlen = ;
+          remoteAddress = mkOption {
+            type = types.str;
+          };
+          #remoteAddressPrefixlen = ;
+          #localPrivateKey = ;
+          #remotePublicKey = ;
+          #localListenPort = ;
+          #remoteEnpoint = ;
+          peerName = mkOption {
+            type = types.str;
+          };
+          remoteAsn = mkOption {
+            type = types.str;
+          };
+        };
+      }));
+      default = [];
+      description = "External bgp peers connected via wireguard";
+    };
+    birdExtraConfig = mkOption {
+      type = types.str;
+      default = "";
+    };
+  };
+
+  config = mkIf config.profiles.clerie.dn42-router.enable {
+
+    systemd.network.config.routeTables = {
+      bgp6 = bgp6Table;
+      ospf6 = ospf6Table;
+    };
+    systemd.network.config.addRouteTablesToIPRoute2 = true;
+
+    environment.systemPackages = with pkgs; [
+      wireguard-tools
+    ];
+
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = true;
+      "net.ipv6.conf.all.forwarding" = true;
+    };
+
+    networking.firewall.checkReversePath = false;
+
+    # Open Firewall for BGP
+    networking.firewall.allowedTCPPorts = [ 179 ];
+    # Open Fireall for OSPF
+    networking.firewall.extraCommands = ''
+      ip6tables -A INPUT -p ospfigp -j ACCEPT
+      iptables -A INPUT -p ospfigp -j ACCEPT
+    '';
+
+    systemd.network.netdevs."10-lo-dn42" = {
+      netdevConfig = {
+        Kind = "dummy";
+        Name = "lo-dn42";
+      };
+    };
+
+    systemd.network.networks."10-lo-dn42" = {
+      matchConfig.Name = "lo-dn42";
+      address = [ "${ cfg.loopbackIp }/128" ];
+      linkConfig.RequiredForOnline = "no";
+      routingPolicyRules = [
+        {
+          Priority = 10000;
+          Family = "ipv6";
+          To = "fd56:4902:eca0::/48";
+          Table = "ospf6";
+        }
+        {
+          Priority = 11000;
+          Family = "ipv6";
+          Table = "bgp6";
+        }
+        {
+          Priority = 15000;
+          Family = "ipv6";
+          From = "fd56:4902:eca0::/48";
+          Type = "unreachable";
+        }
+        {
+          Priority = 16000;
+          Family = "ipv6";
+          To = "fd56:4902:eca0::/48";
+          Type = "unreachable";
+        }
+        {
+          Priority = 20000;
+          Family = "both";
+          Table = "main";
+        }
+      ];
+    };
+
+    services.bird.enable = true;
+    services.bird.package = pkgs.bird2;
+    services.bird.config = ''
+      router id ${ cfg.routerId };
+  
+      ipv6 table ospf6;
+      ipv6 table bgp6;
+  
+      protocol direct {
+        interface "lo-dn42";
+        ipv6 {
+          table ospf6;
+        };
+      }
+  
+      protocol static {
+        ipv6 {
+          table bgp6;
+        };
+        route fd56:4902:eca0::/48 via "lo-dn42";
+      }
+  
+      protocol kernel {
+        ipv6 {
+          table ospf6;
+          export filter {
+            krt_prefsrc=${ cfg.loopbackIp };
+            accept;
+          };
+          import none;
+        };
+        kernel table ${ toString ospf6Table };
+      }
+  
+      protocol kernel {
+        ipv6 {
+          table bgp6;
+          export filter {
+            krt_prefsrc=${ cfg.loopbackIp };
+            accept;
+          };
+          import none;
+        };
+        kernel table ${ toString bgp6Table };
+      }
+
+      protocol device {
+        scan time 10;
+      }
+
+      protocol ospf v3 {
+        ipv6 {
+          table ospf6;
+          import all;
+          export all;
+        };
+        area 0 {
+          ${ concatMapStringsSep "\n" (interfaceName: ''
+          interface "${interfaceName}" {
+            cost 80;
+            type broadcast;
+          };
+          '') cfg.ospfInterfaces}
+        };
+      }
+    
+      template bgp ibgp_peer {
+        local as ${ toString myAsn };
+        graceful restart on;
+        source address ${ cfg.loopbackIp};
+        ipv6 {
+          table bgp6;
+          igp table ospf6;
+          next hop self;
+          import keep filtered;
+          import all;
+          export all;
+        };
+      }
+    
+      ${concatMapStringsSep "\n" ( peerConfig: ''
+      protocol bgp ${peerConfig.peerName} from ibgp_peer {
+        neighbor ${peerConfig.remoteAddress} as ${ toString myAsn };
+      }
+      '') cfg.ibgpPeers}
+
+      template bgp bgp_peer {
+        local as ${ toString myAsn };
+        graceful restart on;
+        ipv6 {
+          table bgp6;
+          next hop self;
+          import keep filtered;
+          import filter {
+            if net ~ [fd00::/8{48,64}] then accept;
+            reject;
+          };
+          export filter {
+            if net ~ [fd00::/8{48,64}] then accept;
+            reject;
+          };
+        };
+      }
+
+      ${concatMapStringsSep "\n" ( peerConfig: ''
+      protocol bgp ${peerConfig.peerName} from bgp_peer {
+        neighbor ${peerConfig.remoteAddress} as ${peerConfig.remoteAsn};
+        source address ${peerConfig.localAddress};
+      }
+      '') cfg.bgpPeers}
+
+      ${concatMapStringsSep "\n" ( peerConfig: ''
+      protocol bgp ${peerConfig.peerName} from bgp_peer {
+        neighbor ${peerConfig.remoteAddress}%${peerConfig.interfaceName} as ${peerConfig.remoteAsn};
+        source address ${peerConfig.localAddress};
+      }
+      '') cfg.wireguardPeers}
+
+      ${ cfg.birdExtraConfig }
+
+    '';
+  
+  };
+}

profiles/fem-net/default.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.fem-net = {
+    enable = mkEnableOption "Profile for FeM-Net";
+  };
+
+  config = mkIf config.profiles.clerie.fem-net.enable {
+
+    networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+
+  };
+}

profiles/hetzner-cloud/default.nix

@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.hetzner-cloud = {
+    enable = mkEnableOption "Profile for Hetzner Cloud VMs";
+  };
+
+  config = mkIf config.profiles.clerie.hetzner-cloud.enable {
+
+    services.qemuGuest.enable = true;
+
+    systemd.network.networks."10-wan" = {
+      matchConfig.Name = "ens3";
+      routes = [
+        { Gateway = "fe80::1"; }
+        { Gateway = "172.31.1.1"; GatewayOnLink = true; }
+      ];
+      linkConfig.RequiredForOnline = "routable";
+    };
+
+    networking.nameservers = [
+      # There are two different batches of DNS servers
+      # This one
+      "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1"
+      "185.12.64.2" "185.12.64.1"
+      # And that one
+      "213.133.98.98" "213.133.99.99" "213.133.100.100"
+      # Couldn't find out which to use
+    ];
+
+ };
+
+}

profiles/mercury-vm/default.nix

@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.mercury-vm = {
+    enable = mkEnableOption "Profile for mercury VMs";
+  };
+
+  config = mkIf config.profiles.clerie.mercury-vm.enable {
+
+    profiles.clerie.fem-net.enable = true;
+
+    services.qemuGuest.enable = true;
+
+  };
+}

profiles/netcup/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.netcup = {
+    enable = mkEnableOption "Profile for Netcup VM";
+  };
+
+  config = mkIf config.profiles.clerie.netcup.enable {
+
+    services.qemuGuest.enable = true;
+
+    # https://helpcenter.netcup.com/de/wiki/server/nameserver/
+    networking.nameservers = [ "2a03:4000:0:1::e1e6" "2a03:4000:8000::fce6" "46.38.255.230" "46.38.252.230" ];
+
+  };
+
+}

profiles/network-fallback-dhcp/default.nix

@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.network-fallback-dhcp = {
+    enable = mkEnableOption "Profile for systemd-network falling back to DHCP on all interfaces";
+  };
+
+  config = mkIf config.profiles.clerie.network-fallback-dhcp.enable {
+
+    systemd.network.wait-online.anyInterface = true;
+
+    systemd.network.networks."90-lan-dhcp" = {
+      matchConfig.Type = "ether";
+      networkConfig.DHCP = true;
+      linkConfig.RequiredForOnline = "routable";
+    };
+
+  };
+}

profiles/wg-clerie/default.nix

@@ -0,0 +1,213 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.profiles.clerie.wg-clerie;
+in
+
+{
+  options = {
+    profiles.clerie.wg-clerie = {
+      enable = mkEnableOption "VPN for public static IP";
+      privateKeyFile = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "Path to file containing private key for wireguard interface";
+      };
+      ipv6s = mkOption {
+        type = with types; listOf str;
+        default = [];
+        description = "IPv6 interface addresses";
+      };
+      ipv4s = mkOption {
+        type = with types; listOf str;
+        default = [];
+        description = "IPv4 interface addresses";
+      };
+      defaultViaVPN = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Use VPN default route for a protocol, if that protocol is unavailable in the underlay";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.network.config.routeTables = {
+      wg-clerie = 200;
+    };
+    systemd.network.config.addRouteTablesToIPRoute2 = true;
+
+    sops = (mkIf (cfg.privateKeyFile == null) {
+      secrets.wg-clerie = {
+        owner = "systemd-network";
+        group = "systemd-network";
+      };
+    });
+
+    networking.networkmanager.unmanaged = [
+      "interface-name:wg-clerie"
+    ];
+
+    systemd.network.netdevs."10-wg-clerie" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg-clerie";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else
+          config.sops.secrets.wg-clerie.path;
+        RouteTable = "wg-clerie";
+      };
+      wireguardPeers = [
+        {
+          PublicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
+          AllowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
+          PersistentKeepalive = 25;
+        }
+      ];
+    };
+
+    systemd.network.networks."10-wg-clerie" = {
+      matchConfig.Name = "wg-clerie";
+      address = cfg.ipv6s ++ cfg.ipv4s;
+      linkConfig.RequiredForOnline = "no";
+      routingPolicyRules = (builtins.map
+        (ip: {
+          Priority = 19000;
+          Family = "ipv6";
+          From = ip;
+          #Type = "table";
+          Table = "wg-clerie";
+        })
+        cfg.ipv6s
+      ) ++ (builtins.map
+        (ip: {
+          Priority = 19001;
+          Family = "ipv6";
+          From = ip;
+          Type = "unreachable";
+        })
+        cfg.ipv6s
+      ) ++ (builtins.map
+        (ip: {
+          Priority = 19000;
+          Family = "ipv4";
+          From = ip;
+          #Type = "table";
+          Table = "wg-clerie";
+        })
+        cfg.ipv4s
+      ) ++ (builtins.map
+        (ip: {
+          Priority = 19001;
+          Family = "ipv4";
+          From = ip;
+          Type = "unreachable";
+        })
+        cfg.ipv4s
+      ) ++ [
+        {
+          Priority = 20000;
+          Family = "ipv6";
+          To = "2a01:4f8:c0c:15f1::1/128";
+          IPProtocol = "udp";
+          DestinationPort = 51820;
+          #Type = "table";
+          Table = "main";
+        }
+        {
+          Priority = 20001;
+          Family = "ipv6";
+          To = "2a01:4f8:c0c:15f1::1/128";
+          IPProtocol = "udp";
+          DestinationPort = 51820;
+          Type = "unreachable";
+        }
+        {
+          Priority = 20000;
+          Family = "ipv4";
+          To = "78.47.183.82/32";
+          IPProtocol = "udp";
+          DestinationPort = 51820;
+          #Type = "table";
+          Table = "main";
+        }
+        {
+          Priority = 20001;
+          Family = "ipv4";
+          To = "78.47.183.82/32";
+          IPProtocol = "udp";
+          DestinationPort = 51820;
+          Type = "unreachable";
+        }
+        {
+          Priority = 21000;
+          Family = "both";
+          #Type = "table";
+          Table = "main";
+        }
+      ] ++ (if cfg.defaultViaVPN then [
+        {
+          Priority = 21001;
+          Family = "both";
+          #Type = "table";
+          Table = "wg-clerie";
+        }
+      ] else []) ++ [
+        {
+          Priority = 22000;
+          Family = "both";
+          Type = "unreachable";
+        }
+      ];
+    };
+
+    systemd.services."wg-clerie-endpoint-refresh" = {
+      serviceConfig = {
+        Type = "oneshot";
+      };
+
+      path = [ pkgs.wireguard-tools pkgs.iproute2 ];
+
+      script = ''
+        set -euo pipefail
+
+        # Don't do anything as long as interface is not configured
+        if ! wg show wg-clerie endpoints > /dev/null; then
+          exit 0
+        fi
+
+        endpoint=""
+
+        if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null; then
+          endpoint="[2a01:4f8:c0c:15f1::1]:51820"
+        else
+          endpoint="78.47.183.82:51820"
+        fi
+
+        wg set wg-clerie peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" endpoint "''${endpoint}"
+      '';
+
+      requires = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+    };
+
+    systemd.timers."wg-clerie-endpoint-refresh" = {
+      wantedBy = [ "timers.target" ];
+
+      timerConfig = {
+        OnCalendar = "*-*-* *:*:0/5";
+        RandomizedDelaySec = "5s";
+      };
+
+      requires = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+    };
+
+    environment.systemPackages = [ pkgs.wireguard-tools ];
+
+  };
+}