Update from updated-inputs-2025-03-14-02-03

Update nixpkgs 2025-03-14-02-03
Update from updated-inputs-2025-03-13-02-03
2025-03-14 03:04:24 +01:00 · 2025-03-14 03:04:22 +01:00 · 2025-03-13 03:03:08 +01:00 · 2025-03-13 03:03:06 +01:00 · 2025-03-11 03:04:16 +01:00 · 2025-03-11 03:04:13 +01:00
160 changed files with 1960 additions and 4719 deletions
--- a/configuration/common/backup.nix
+++ b/configuration/common/backup.nix
@@ -4,8 +4,8 @@

  clerie.backup = {
    targets = {
-      cyan.serverUrl = "https://cyan.backup.clerie.de";
-      magenta.serverUrl = "https://magenta.backup.clerie.de";
+      cyan.serverName = "cyan.backup.clerie.de";
+      magenta.serverName = "magenta.backup.clerie.de";
    };
  };

--- a/configuration/common/certificates.nix
+++ b/configuration/common/certificates.nix
@@ -1,11 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-{
-
-  environment.sessionVariables = {
-    REQUESTS_CA_BUNDLE = mkDefault config.security.pki.caBundle;
-  };
-
-}
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -3,14 +3,15 @@
 {
  imports = [
    ./backup.nix
-    ./certificates.nix
    ./initrd.nix
    ./locale.nix
    ./networking.nix
+    ./nix.nix
    ./programs.nix
    ./ssh.nix
    ./systemd.nix
    ./user.nix
+    ./web.nix
  ];

  services.fstrim.enable = true;
--- a/configuration/common/nix.nix
+++ b/configuration/common/nix.nix
@@ -0,0 +1,70 @@
+{ lib, pkgs, ... }:
+
+{
+
+  clerie.nixfiles.enable = true;
+
+  clerie.system-auto-upgrade.enable = true;
+
+  nix.settings = {
+    trusted-users = [ "@wheel" "@guests" ];
+    auto-optimise-store = true;
+    # Keep buildtime dependencies
+    keep-outputs = true;
+    # Build local, when caches are broken
+    fallback = true;
+  };
+
+  nix.gc = lib.mkDefault {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+
+  nix.settings = {
+    experimental-features = [
+      "flakes"
+      "nix-command"
+    ];
+    substituters = [
+      "https://nix-cache.clerie.de"
+    ];
+    trusted-public-keys = [
+      "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+    ];
+  };
+
+  # Pin current nixpkgs channel and flake registry to the nixpkgs version
+  # the host got build with
+  nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
+  nix.registry = {
+    "nixpkgs" = lib.mkForce {
+       from = {
+         type = "indirect";
+         id = "nixpkgs";
+       };
+       to = {
+         type = "path";
+         path = lib.cleanSource pkgs.path;
+       };
+       exact = true;
+    };
+    "templates" = {
+       from = {
+         type = "indirect";
+         id = "templates";
+       };
+       to = {
+         type = "git";
+         url = "https://git.clerie.de/clerie/flake-templates.git";
+       };
+    };
+  };
+
+  documentation.doc.enable = false;
+
+  environment.systemPackages = with pkgs; [
+    nix-remove-result-links
+  ];
+}
--- a/configuration/common/programs.nix
+++ b/configuration/common/programs.nix
@@ -6,7 +6,6 @@
    # My system is fucked
    gptfdisk
    parted
-    grow-last-partition-and-filesystem

    # Normal usage
    htop
--- a/configuration/common/web.nix
+++ b/configuration/common/web.nix
@@ -0,0 +1,54 @@
+{ ... }:
+
+{
+  services.nginx = {
+    enableReload = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    commonHttpConfig = ''
+      server_names_hash_bucket_size 64;
+      charset utf-8;
+      types {
+        text/plain nix;
+      }
+      map $remote_addr $remote_addr_anon {
+        ~(?P<ip>\d+\.\d+\.\d+)\.          $ip.0;
+        ~(?P<ip>[^:]*:[^:]*(:[^:]*)?):    $ip::;
+        default                           ::;
+      }
+      log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
+                               '"$request" $status $body_bytes_sent '
+                               '"$http_referer" "$http_user_agent"';
+      log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
+                                '"$request" $status $body_bytes_sent '
+                                '"$http_referer" "$http_user_agent"';
+      access_log /var/log/nginx/access.log vcombined_anon;
+    '';
+
+    virtualHosts = {
+      "default" = {
+        default = true;
+        rejectSSL = true;
+        locations."/" = {
+          return = ''200 "Some piece of infrastructure\n"'';
+          extraConfig = ''
+            types { } default_type "text/plain; charset=utf-8";
+          '';
+        };
+      };
+    };
+  };
+
+  services.logrotate.settings.nginx = {
+    frequency = "daily";
+    maxage = 14;
+  };
+
+  security.acme = {
+    defaults.email = "letsencrypt@clerie.de";
+    acceptTerms = true;
+  };
+}
--- a/configuration/desktop/audio.nix
+++ b/configuration/desktop/audio.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+
+  services.pulseaudio.enable = false;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa = {
+      enable = true;
+      support32Bit = true;
+    };
+    pulse = {
+      enable = true;
+    };
+  };
+
+}
--- a/configuration/desktop/default.nix
+++ b/configuration/desktop/default.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+  imports = [
+    ./audio.nix
+    ./firmware.nix
+    ./fonts.nix
+    ./gnome.nix
+    ./inputs.nix
+    ./networking.nix
+    ./polkit.nix
+    ./power.nix
+    ./printing.nix
+    ./ssh.nix
+    ./xserver.nix
+  ];
+
+  security.sudo.wheelNeedsPassword = true;
+}
--- a/configuration/desktop/firmware.nix
+++ b/configuration/desktop/firmware.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+
+  services.fwupd.enable = true;
+
+}
--- a/configuration/desktop/fonts.nix
+++ b/configuration/desktop/fonts.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+
+  fonts.enableDefaultPackages = true;
+  fonts.packages = with pkgs; [
+    roboto
+    roboto-mono
+    noto-fonts
+    noto-fonts-emoji
+    comfortaa
+  ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
+}
--- a/configuration/desktop/gnome.nix
+++ b/configuration/desktop/gnome.nix
@@ -0,0 +1,61 @@
+{ pkgs, ... }:
+
+{
+  services.gnome = {
+    localsearch.enable = false;
+    tinysparql.enable = false;
+  };
+
+  environment.gnome.excludePackages = with pkgs; [
+    baobab
+    epiphany
+    gnome-calendar
+    gnome-clocks
+    gnome-console
+    gnome-contacts
+    gnome-logs
+    gnome-maps
+    gnome-music
+    gnome-tour
+    gnome-photos
+    gnome-weather
+    gnome-connections
+    simple-scan
+    yelp
+    geary
+  ];
+
+  environment.systemPackages = with pkgs; [
+    evolution
+    gnome-terminal
+    gnome-tweaks
+  ];
+
+  services.gnome.evolution-data-server.enable = true;
+
+  programs.dconf.profiles = {
+    user.databases = [
+      {
+        settings = {
+          "org/gnome/desktop/calendar" = {
+            show-weekdate = true;
+          };
+          "org/gnome/desktop/interface" = {
+            enable-hot-corners = false;
+            show-battery-percentage = true;
+          };
+          "org/gnome/desktop/notifications" = {
+            show-in-lock-screen = false;
+          };
+          "org/gnome/desktop/sound" = {
+            event-sounds = false;
+          };
+          "org/gnome/gnome-system-monitor" = {
+            network-in-bits = true;
+            network-total-in-bits = true;
+          };
+        };
+      }
+    ];
+  };
+}
--- a/configuration/desktop/inputs.nix
+++ b/configuration/desktop/inputs.nix
@@ -0,0 +1,43 @@
+{ ... }:
+
+{
+  programs.dconf.profiles = {
+    user.databases = [
+      {
+        settings = {
+          "org/gnome/desktop/peripherals/touchpad" = {
+            disable-while-typing = false;
+            edge-scrolling-enabled = false;
+            natural-scroll = true;
+            tap-to-click = true;
+            two-finger-scrolling-enabled = true;
+          };
+          "org/gnome/settings-daemon/plugins/media-keys" = {
+            custom-keybindings = [
+              "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
+            ];
+            mic-mute = [ "<Control>Print" ];
+          };
+          "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
+            name = "Terminal";
+            binding = "<Primary><Alt>t";
+            command = "gnome-terminal";
+          };
+        };
+      }
+    ];
+    gdm.databases = [
+      {
+        settings = {
+          "org/gnome/desktop/peripherals/touchpad" = {
+            disable-while-typing = false;
+            edge-scrolling-enabled = false;
+            natural-scroll = true;
+            tap-to-click = true;
+            two-finger-scrolling-enabled = true;
+          };
+        };
+      }
+    ];
+  };
+}
--- a/configuration/desktop/networking.nix
+++ b/configuration/desktop/networking.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+
+  networking.networkmanager.settings = {
+    connectivity = {
+      uri = "http://ping.clerie.de/nm-check.txt";
+    };
+    global-dns = {
+      searches = "net.clerie.de";
+    };
+  };
+
+}
--- a/configuration/desktop/polkit.nix
+++ b/configuration/desktop/polkit.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+
+  security.polkit.enable = true;
+
+}
--- a/configuration/desktop/power.nix
+++ b/configuration/desktop/power.nix
@@ -0,0 +1,42 @@
+{ lib, config, ... }:
+
+{
+  boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
+  services.logind = {
+    lidSwitch = "suspend-then-hibernate";
+  };
+  systemd.sleep.extraConfig = ''
+    HibernateDelaySec=30m
+  '';
+
+  services.upower = {
+    percentageLow = 20;
+    percentageCritical = 10;
+    percentageAction = 8;
+  };
+
+  programs.dconf.profiles = {
+    user.databases = [
+      {
+        settings = {
+          "org/gnome/settings-daemon/plugins/power" = {
+            power-button-action = "hibernate";
+            power-saver-profile-on-low-battery = false;
+            sleep-inactive-ac-type = "nothing";
+          };
+        };
+      }
+    ];
+    gdm.databases = [
+      {
+        settings = {
+          "org/gnome/settings-daemon/plugins/power" = {
+            power-button-action = "hibernate";
+            power-saver-profile-on-low-battery = false;
+            sleep-inactive-ac-type = "nothing";
+          };
+        };
+      }
+    ];
+  };
+}
--- a/configuration/desktop/printing.nix
+++ b/configuration/desktop/printing.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  services.printing.enable = true;
+  services.avahi.enable = true;
+  services.avahi.nssmdns4 = true;
+}
--- a/configuration/desktop/ssh.nix
+++ b/configuration/desktop/ssh.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+{
+
+  imports = [
+    ../../configuration/gpg-ssh
+  ];
+  programs.gnupg.agent = {
+    pinentryPackage = pkgs.pinentry-gtk2;
+  };
+
+  # Do not disable ssh-agent of gnome-keyring, because
+  # gnupg ssh-agent can't handle normal SSH keys properly
+  /*
+  # Disable ssh-agent of gnome-keyring
+  nixpkgs.overlays = [
+    (final: prev: {
+      gnome = prev.gnome // {
+        gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
+          mkdir -p $out
+
+          # Symlink all gnome-keyring binaries
+          ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
+
+          # Disable autostart for ssh
+          rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+          cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+          echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+        '';
+      };
+    })
+  ];
+  */
+}
--- a/configuration/desktop/xserver.nix
+++ b/configuration/desktop/xserver.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+  services.xserver.enable = true;
+  services.xserver.displayManager.gdm.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+
+  services.xserver.excludePackages = with pkgs; [
+    xterm
+  ];
+}
--- a/configuration/dn42/default.nix
+++ b/configuration/dn42/default.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = true;
+    "net.ipv6.conf.all.forwarding" = true;
+  };
+
+  networking.firewall.checkReversePath = false;
+
+  # Open Firewall for BGP
+  networking.firewall.allowedTCPPorts = [ 179 ];
+  # Open Fireall for OSPF
+  networking.firewall.extraCommands = ''
+  ip6tables -A INPUT -p ospfigp -j ACCEPT
+  iptables -A INPUT -p ospfigp -j ACCEPT
+  '';
+}
--- a/configuration/gpg-ssh/default.nix
+++ b/configuration/gpg-ssh/default.nix
@@ -0,0 +1,51 @@
+{ pkgs, lib, ... }:
+
+let
+
+  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
+    configureFlags = prev.configureFlags ++ [
+      # Make sure scdaemon never ever again tries to use its own ccid driver
+      "--disable-ccid-driver"
+    ];
+  });
+
+in {
+
+  programs.gnupg.package = custom_gnupg;
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+    pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
+  };
+
+  environment.systemPackages = with pkgs; [
+    custom_gnupg
+    yubikey-personalization
+    openpgp-card-tools
+
+    # Add wrapper around ssh that takes the gnupg ssh-agent
+    # instead of gnome-keyring
+    ssh-gpg
+  ];
+
+  services.pcscd.enable = true;
+
+  # pcscd sometimes breaks and seem to need a manual restart
+  # so we allow users to restart that service themself
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+        if (
+            action.id == "org.freedesktop.systemd1.manage-units"
+            && action.lookup("unit") == "pcscd.service"
+            && action.lookup("verb") == "restart"
+            && subject.isInGroup("users")
+        ) {
+            return polkit.Result.YES;
+        }
+    });
+  '';
+
+  services.udev.packages = with pkgs; [
+    yubikey-personalization
+  ];
+}
--- a/configuration/hydra-build-machine/default.nix
+++ b/configuration/hydra-build-machine/default.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+
+  # Allow Hydra to fetch remote URLs in restricted mode
+  nix.settings.allowed-uris = "http: https: git+https: github:";
+
+  services.openssh.settings= {
+   PermitRootLogin = "yes";
+  };
+
+  users.extraUsers.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
+  ];
+
+}
--- a/configuration/proxmox-vm/default.nix
+++ b/configuration/proxmox-vm/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  services.qemuGuest.enable = true;
+}
--- a/configuration/router/default.nix
+++ b/configuration/router/default.nix
@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+    tcpdump
+  ];
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = true;
+    "net.ipv6.conf.all.forwarding" = true;
+  };
+
+  networking.firewall.checkReversePath = false;
+
+  networking.firewall.allowedTCPPorts = [
+    # Open Firewall for BGP
+    179
+  ];
+
+  networking.firewall.extraCommands = ''
+    # Open fireall for OSPF
+    ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept
+    # Open firewall for GRE
+    ip46tables -A nixos-fw -p gre -j nixos-fw-accept
+  '';
+}
--- a/flake.lock
+++ b/flake.lock
@@ -27,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748808701,
-        "narHash": "sha256-IEer4ypv/tL2zzo7nkgyg7xdK6P+Mc/22oPctEgwhiw=",
+        "lastModified": 1724513039,
+        "narHash": "sha256-YdBuRgXEU9CcxPd2EjuvDKcfgxL1kk9Gv8nFVVjIros=",
        "ref": "refs/heads/main",
-        "rev": "5f3748df43e6b6e49cc0a23557a378ef37952483",
-        "revCount": 5,
+        "rev": "202f4a1a5791c74a9b7d69a4e63e631bdbe36ba6",
+        "revCount": 4,
        "type": "git",
        "url": "https://git.clerie.de/clerie/bij.git"
      },
@@ -58,36 +58,19 @@
        "url": "https://git.clerie.de/clerie/chaosevents.git"
      }
    },
-    "communities": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1739635166,
-        "narHash": "sha256-0ZONcN3ctsZgMVM//UMp+9iQfhODJNFHOhyWwx0EoTg=",
-        "owner": "NLNOG",
-        "repo": "lg.ring.nlnog.net",
-        "rev": "686adbfd5222b830ba4fee998188cc8d96c09169",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NLNOG",
-        "repo": "lg.ring.nlnog.net",
-        "type": "github"
-      }
-    },
    "fernglas": {
      "inputs": {
-        "communities": "communities",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1741172718,
-        "narHash": "sha256-YDEJVlmPzOuKfG26iYuJVOlxFvKBVeb8DbAI9WOtnBU=",
+        "lastModified": 1700408128,
+        "narHash": "sha256-PLb/q8kIq0wOinkgADHNY6uOB3b3lXQEbLu6ToIFPsU=",
        "owner": "wobcom",
        "repo": "fernglas",
-        "rev": "64e2f9af8aefeeaa63431477066dcc0236d111e0",
+        "rev": "407325681e3ad344f6fd05334984a40074aa6347",
        "type": "github"
      },
      "original": {
@@ -116,21 +99,6 @@
      }
    },
    "flake-compat": {
-      "locked": {
-        "lastModified": 1746162366,
-        "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@@ -168,6 +136,28 @@
      }
    },
    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "hydra",
+          "nix-eval-jobs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": [
          "ssh-to-age",
@@ -193,11 +183,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {
@@ -211,11 +201,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
@@ -264,35 +254,30 @@
    },
    "hydra": {
      "inputs": {
-        "flake-compat": "flake-compat",
        "lix": "lix",
-        "nixpkgs": "nixpkgs_3"
+        "nix-eval-jobs": "nix-eval-jobs",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
      },
      "locked": {
-        "lastModified": 1751801455,
-        "narHash": "sha256-hUJqtS88SbNQQSEJAPFyY2vLMh8yA8rQ6jbul50p64M=",
-        "ref": "lix-2.93",
-        "rev": "b940aca430a7ca41f70bdb320659dd62026fe0e9",
-        "revCount": 4261,
+        "lastModified": 1733503045,
+        "narHash": "sha256-VoMam8Zzbk+X6dIYwH2f9NqItL6g9YDhQvGybzSl8xQ=",
+        "ref": "refs/heads/main",
+        "rev": "eccf01d4fef67f87b6383f96c73781bd08b686ac",
+        "revCount": 4230,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/hydra.git"
      },
      "original": {
-        "ref": "lix-2.93",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/hydra.git"
      }
    },
    "lix": {
      "inputs": {
-        "flake-compat": [
-          "hydra",
-          "flake-compat"
-        ],
+        "flake-compat": "flake-compat",
        "nix2container": "nix2container",
-        "nix_2_18": [
-          "hydra"
-        ],
        "nixpkgs": [
          "hydra",
          "nixpkgs"
@@ -301,16 +286,15 @@
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1751235704,
-        "narHash": "sha256-Jzm3KPZ2gL+0Nl3Mw/2E0B3vqDDi1Xt5+9VCXghUDZ8=",
-        "ref": "release-2.93",
-        "rev": "f3a7bbe5f8d1a8504ddb6362d50106904523e440",
-        "revCount": 17874,
+        "lastModified": 1732112222,
+        "narHash": "sha256-H7GN4++a4vE49SUNojZx+FSk4mmpb2ifJUtJMJHProI=",
+        "ref": "refs/heads/main",
+        "rev": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
+        "revCount": 16513,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix"
      },
      "original": {
-        "ref": "release-2.93",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix"
      }
@@ -319,68 +303,38 @@
      "inputs": {
        "flake-utils": "flake-utils_2",
        "flakey-profile": "flakey-profile",
-        "lix": [
-          "lix"
-        ],
+        "lix": "lix_2",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1753282722,
-        "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
-        "ref": "release-2.93",
-        "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
-        "revCount": 149,
+        "lastModified": 1732605668,
+        "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
+        "ref": "stable",
+        "rev": "96824d606a6656650bbe436366bc89d5ee3a6573",
+        "revCount": 113,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      },
      "original": {
-        "ref": "release-2.93",
+        "ref": "stable",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      }
    },
    "lix_2": {
-      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "nix2container": "nix2container_2",
-        "nix_2_18": "nix_2_18",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgs-regression": "nixpkgs-regression_2",
-        "pre-commit-hooks": "pre-commit-hooks_2"
-      },
-      "locked": {
-        "lastModified": 1753306924,
-        "narHash": "sha256-jLCEW0FvjFhC+c4RHzH+xbkSOxrnpFHnhjOw6sudhx0=",
-        "ref": "release-2.93",
-        "rev": "1a4393d0aac31aba21f5737ede1b171e11336d77",
-        "revCount": 17884,
-        "type": "git",
-        "url": "https://git.lix.systems/lix-project/lix.git"
-      },
-      "original": {
-        "ref": "release-2.93",
-        "type": "git",
-        "url": "https://git.lix.systems/lix-project/lix.git"
-      }
-    },
-    "lowdown-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1633514407,
-        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
-        "owner": "kristapsdz",
-        "repo": "lowdown",
-        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
-        "type": "github"
+        "lastModified": 1729298361,
+        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
+        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
      },
      "original": {
-        "owner": "kristapsdz",
-        "repo": "lowdown",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
      }
    },
    "mitel-ommclient2": {
@@ -404,6 +358,56 @@
        "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
      }
    },
+    "nix-eval-jobs": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "lix": [
+          "hydra",
+          "lix"
+        ],
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "hydra",
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix_2"
+      },
+      "locked": {
+        "lastModified": 1732351635,
+        "narHash": "sha256-H94CcQ3yamG5+RMxtxXllR02YIlxQ5WD/8PcolO9yEA=",
+        "ref": "refs/heads/main",
+        "rev": "dfc286ca3dc49118c30d8d6205d6d6af76c62b7a",
+        "revCount": 617,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nix-eval-jobs"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nix-eval-jobs"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "hydra",
+          "nix-eval-jobs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731952509,
+        "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
    "nix2container": {
      "flake": false,
      "locked": {
@@ -420,50 +424,6 @@
        "type": "github"
      }
    },
-    "nix2container_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1724996935,
-        "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
-        "owner": "nlewo",
-        "repo": "nix2container",
-        "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nlewo",
-        "repo": "nix2container",
-        "type": "github"
-      }
-    },
-    "nix_2_18": {
-      "inputs": {
-        "flake-compat": [
-          "lix",
-          "flake-compat"
-        ],
-        "lowdown-src": "lowdown-src",
-        "nixpkgs": "nixpkgs_4",
-        "nixpkgs-regression": [
-          "lix",
-          "nixpkgs-regression"
-        ]
-      },
-      "locked": {
-        "lastModified": 1730375271,
-        "narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
-        "owner": "NixOS",
-        "repo": "nix",
-        "rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "2.18.9",
-        "repo": "nix",
-        "type": "github"
-      }
-    },
    "nixos-exporter": {
      "inputs": {
        "nixpkgs": [
@@ -471,11 +431,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1746733297,
-        "narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=",
+        "lastModified": 1683625533,
+        "narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=",
        "ref": "refs/heads/main",
-        "rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31",
-        "revCount": 22,
+        "rev": "5e86139ee4af27f84228708fd32903bb0c4230f0",
+        "revCount": 19,
        "type": "git",
        "url": "https://git.clerie.de/clerie/nixos-exporter.git"
      },
@@ -532,22 +492,6 @@
        "type": "github"
      }
    },
-    "nixpkgs-carbon": {
-      "locked": {
-        "lastModified": 1751206202,
-        "narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
-        "owner": "clerie",
-        "repo": "nixpkgs",
-        "rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
-        "type": "github"
-      },
-      "original": {
-        "owner": "clerie",
-        "ref": "clerie/always-setup-netdevs",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "nixpkgs-regression": {
      "locked": {
        "lastModified": 1643052045,
@@ -564,22 +508,6 @@
        "type": "github"
      }
    },
-    "nixpkgs-regression_2": {
-      "locked": {
-        "lastModified": 1643052045,
-        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
-        "type": "github"
-      }
-    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1713434076,
@@ -614,43 +542,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1751582995,
-        "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
+        "lastModified": 1741851582,
+        "narHash": "sha256-cPfs8qMccim2RBgtKGF+x9IBCduRvd/N5F4nYpU0TVE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-25.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_4": {
-      "locked": {
-        "lastModified": 1705033721,
-        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.05-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_5": {
-      "locked": {
-        "lastModified": 1756542300,
-        "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa",
+        "rev": "6607cf789e541e7873d40d3a8f7815ea92204f32",
        "type": "github"
      },
      "original": {
@@ -683,27 +579,11 @@
    "pre-commit-hooks": {
      "flake": false,
      "locked": {
-        "lastModified": 1733318908,
-        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
+        "lastModified": 1726745158,
+        "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
-    "pre-commit-hooks_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1733318908,
-        "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
+        "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
        "type": "github"
      },
      "original": {
@@ -719,11 +599,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1745667868,
-        "narHash": "sha256-T67ZRk+cuFI2P6qJeu8RwbpJD00OORulHGuXebpg9Nw=",
+        "lastModified": 1736087671,
+        "narHash": "sha256-zWeiCs+8SAS1wN5M3w3vSNNpILoKXqX9aj/ZZcgfMms=",
        "ref": "refs/heads/main",
-        "rev": "e43037aa525e36d7a3da187a8fc6baeb71db7fd6",
-        "revCount": 15,
+        "rev": "ceab6a148233ffb23de19411a3e5579e3394a35b",
+        "revCount": 9,
        "type": "git",
        "url": "https://git.clerie.de/clerie/rainbowrss.git"
      },
@@ -741,20 +621,17 @@
        "fieldpoc": "fieldpoc",
        "harmonia": "harmonia",
        "hydra": "hydra",
-        "lix": "lix_2",
        "lix-module": "lix-module",
        "nixos-exporter": "nixos-exporter",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_3",
        "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
-        "nixpkgs-carbon": "nixpkgs-carbon",
        "nurausstieg": "nurausstieg",
        "rainbowrss": "rainbowrss",
        "scan-to-gpg": "scan-to-gpg",
        "solid-xmpp-alarm": "solid-xmpp-alarm",
        "sops-nix": "sops-nix",
-        "ssh-to-age": "ssh-to-age",
-        "traveldrafter": "traveldrafter"
+        "ssh-to-age": "ssh-to-age"
      }
    },
    "scan-to-gpg": {
@@ -820,7 +697,7 @@
    },
    "ssh-to-age": {
      "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts_3",
        "nixpkgs": [
          "nixpkgs"
        ]
@@ -869,26 +746,6 @@
        "type": "github"
      }
    },
-    "traveldrafter": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1751817360,
-        "narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
-        "ref": "refs/heads/main",
-        "rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
-        "revCount": 22,
-        "type": "git",
-        "url": "https://git.clerie.de/clerie/traveldrafter.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.clerie.de/clerie/traveldrafter.git"
-      }
-    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
@@ -909,6 +766,28 @@
        "repo": "treefmt-nix",
        "type": "github"
      }
+    },
+    "treefmt-nix_2": {
+      "inputs": {
+        "nixpkgs": [
+          "hydra",
+          "nix-eval-jobs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1732292307,
+        "narHash": "sha256-5WSng844vXt8uytT5djmqBCkopyle6ciFgteuA9bJpw=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "705df92694af7093dfbb27109ce16d828a79155f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,6 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
    # for etesync-dav
    nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -26,17 +25,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    hydra = {
-      url = "git+https://git.lix.systems/lix-project/hydra.git?ref=lix-2.93";
-      #inputs.lix.follows = "lix";
-      #inputs.nixpkgs.follows = "nixpkgs";
-    };
-    lix = {
-      url = "git+https://git.lix.systems/lix-project/lix.git?ref=release-2.93";
+      url = "git+https://git.lix.systems/lix-project/hydra.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lix-module = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.93";
-      inputs.lix.follows = "lix";
+      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
@@ -68,13 +61,11 @@
      url = "github:Mic92/ssh-to-age";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    traveldrafter = {
-      url = "git+https://git.clerie.de/clerie/traveldrafter.git";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
  };
  outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
    lib = import ./lib inputs;
+    helper = lib.flake-helper;
+    localNixpkgs = import ./flake/nixpkgs.nix inputs;
  in {
    clerie.hosts = {
      aluminium = {
@@ -112,11 +103,7 @@
      osmium = {};
      palladium = {};
      porter = {};
-      storage-2 = {
-        modules = [
-          ./users/frank
-        ];
-      };
+      storage-2 = {};
      tungsten = {};
      web-2 = {};
      zinc = {
@@ -138,24 +125,14 @@
    };

    overlays = {
-      clerie-inputs = import ./flake/inputs-overlay.nix inputs;
-      clerie-pkgs = import ./pkgs/overlay.nix;
-      clerie-build-support = import ./pkgs/build-support/overlay.nix;
-      clerie-overrides = import ./pkgs/overrides/overlay.nix;
+      nixfilesInputs = import ./flake/overlay.nix inputs;
+      clerie = import ./pkgs/overlay.nix;
+      default = self.overlays.clerie;
    };

-    nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
-      lib.mkNixpkgs {
-        inherit system;
-      }
-    );
-
-    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
-      nixpkgs.lib.genAttrs (
-        (builtins.attrNames (self.overlays.clerie-pkgs null null))
-        ++ (builtins.attrNames (self.overlays.clerie-overrides null null))
-      ) (name: self.nixpkgs."${system}"."${name}")
-    );
+    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
+      pkgs = localNixpkgs.${system};
+    in builtins.mapAttrs (name: value: pkgs."${name}") (import ./pkgs/pkgs.nix));

    inherit lib self;

--- a/flake/hydraJobs.nix
+++ b/flake/hydraJobs.nix
@@ -10,12 +10,6 @@ let
 in {
  inherit (self)
    packages;
-  extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
-    nixpkgs.lib.genAttrs [
-      "hydra"
-      "lix"
-    ] (name: self.nixpkgs."${system}"."${name}")
-  );
  nixosConfigurations = buildHosts self.nixosConfigurations;
  iso = self.nixosConfigurations._iso.config.system.build.isoImage;
 }
--- a/flake/nixosConfigurations.nix
+++ b/flake/nixosConfigurations.nix
@@ -11,14 +11,33 @@ let
    modules ? [],
  }: let
    localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
-  in self.lib.nixosSystem {
+  in localNixpkgs.lib.nixosSystem {
    system = system;
-    nixpkgs = localNixpkgs;
    modules = modules ++ [
+      self.nixosModules.nixfilesInputs
+      self.nixosModules.clerie
+      self.nixosModules.profiles
+
      ({ config, lib, ... }: {
        # Set hostname
        networking.hostName = lib.mkDefault name;

+        # Apply overlays
+        nixpkgs.overlays = [
+          self.overlays.nixfilesInputs
+          self.overlays.clerie
+        ];
+
+        /*
+          Make the contents of the flake availiable to modules.
+          Useful for having the monitoring server scraping the
+          target config from all other servers automatically.
+        */
+        _module.args = {
+          inputs = inputs;
+          _nixfiles = self;
+        };
+
        # Expose host group to monitoring
        clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };

@@ -33,9 +52,6 @@ let
            {};
        in
          secrets;
-
-        # Enable clerie common config
-        profiles.clerie.common.enable = true;
      })

      # Config to be applied to every host
--- a/flake/nixpkgs.nix
+++ b/flake/nixpkgs.nix
@@ -0,0 +1,17 @@
+{ self
+, nixpkgs
+, ...
+}@inputs:
+
+let
+  mkNixpkgs = { system, ... }@args: 
+    import nixpkgs {
+      inherit system;
+      overlays = [
+        self.overlays.nixfilesInputs
+        self.overlays.clerie
+      ];
+    };
+
+in
+  nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })
--- a/flake/inputs-overlay.nix
+++ b/flake/inputs-overlay.nix
@@ -9,7 +9,6 @@
 , rainbowrss
 , scan-to-gpg
 , ssh-to-age
-, traveldrafter
 , ...
 }@inputs:
 final: prev: {
@@ -33,6 +32,4 @@ final: prev: {
    scan-to-gpg;
  inherit (ssh-to-age.packages.${final.system})
    ssh-to-age;
-  inherit (traveldrafter.packages.${final.system})
-    traveldrafter;
 }
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -3,11 +3,9 @@
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
+    ../../configuration/gpg-ssh
  ];

-  profiles.clerie.gpg-ssh.enable = true;
-  profiles.clerie.network-fallback-dhcp.enable = true;
-
  # systemd in initrd is broken with ISOs
  # Failed to mount /sysroot/iso
  # https://github.com/NixOS/nixpkgs/issues/327187
--- a/hosts/aluminium/configuration.nix
+++ b/hosts/aluminium/configuration.nix
@@ -18,7 +18,7 @@
    terminal_output serial
  ";

-  profiles.clerie.wg-clerie = {
+  services.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ];
    ipv4s = [ "10.20.30.106/32" ];
--- a/hosts/astatine/configuration.nix
+++ b/hosts/astatine/configuration.nix
@@ -4,21 +4,30 @@
  imports =
    [
      ./hardware-configuration.nix
-    ];

-  profiles.clerie.network-fallback-dhcp.enable = true;
+      ./ppp.nix
+      ./programs.nix
+      ./users.nix
+    ];

  boot.kernelParams = [ "console=ttyS0,115200n8" ];

+  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
  boot.loader.grub.extraConfig = "
    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
    terminal_input serial
    terminal_output serial
  ";

-  profiles.clerie.wg-clerie = {
+  #networking.firewall.enable = false;
+
+  services.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
    ipv4s = [ "10.20.30.108/32" ];
--- a/hosts/astatine/ppp.nix
+++ b/hosts/astatine/ppp.nix
@@ -0,0 +1,90 @@
+{ pkgs, ... }:
+
+{
+  # Make space for VLAN header in containing ethernet segment
+  networking.interfaces."enp1s0".mtu = 1518;
+
+  ## DSL-Uplink
+  networking.vlans."enp1s0.7" = {
+    id = 7;
+    interface = "enp1s0";
+  };
+
+  services.pppd = {
+    enable = true;
+    peers.lns-test = {
+      config = ''
+        plugin pppoe.so enp1s0.7
+        user "criese#regiotest@bsa-vdsl"
+        ifname ppp-lns-test
+        persist
+        maxfail 0
+        holdoff 5
+        noipdefault
+        lcp-echo-interval 20
+        lcp-echo-failure 3
+        hide-password
+        nodefaultroute
+        +ipv6
+        debug
+      '';
+    };
+  };
+
+  /*
+  networking.interfaces.lo.useDHCP = true;
+  networking.interfaces.ppp-lns-test.useDHCP = true;
+
+  networking.dhcpcd = {
+    enable = true;
+    extraConfig = ''
+      interface ppp-lns-test
+        ipv6rs
+        ia_pd 0 lo/0
+    '';
+  };*/
+
+  environment.etc."ppp/ip-up" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      ${pkgs.iproute2}/bin/ip route flush table 20001 || true
+      ${pkgs.iproute2}/bin/ip route add default dev ppp-lns-test table 20001
+    '';
+    mode = "555";
+  };
+  environment.etc."ppp/ip-down" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      ${pkgs.iproute2}/bin/ip route flush table 20001 || true
+    '';
+    mode = "555";
+  };
+  environment.etc."ppp/ipv6-up" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
+      ${pkgs.iproute2}/bin/ip -6 route add default dev ppp-lns-test table 20001
+    '';
+    mode = "555";
+  };
+  environment.etc."ppp/ipv6-down" = {
+    text = ''
+      #! ${pkgs.runtimeShell} -e
+
+      ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
+    '';
+    mode = "555";
+  };
+
+  petabyte.policyrouting = {
+    enable = true;
+    rules4 = [
+      { rule = "from 212.218.16.237/32 lookup 20001"; prio = 19000; }
+      { rule = "from 212.218.16.237/32  unreachable"; prio = 19001; }
+    ];
+  };
+
+}
--- a/hosts/astatine/programs.nix
+++ b/hosts/astatine/programs.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+
+  environment.systemPackages = with pkgs; [
+    tcpdump # for remote wireshark
+  ];
+
+}
--- a/hosts/astatine/users.nix
+++ b/hosts/astatine/users.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  users.users.criese-nethinks = {
+    extraGroups = [
+      "wheel"
+    ];
+  };
+
+}
--- a/hosts/backup-4/configuration.nix
+++ b/hosts/backup-4/configuration.nix
@@ -4,32 +4,19 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm

      ./backup.nix
-      ./replication.nix
      ./restic-server.nix
-      ./wg-b-palladium.nix
    ];

-  profiles.clerie.mercury-vm.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  networking.useDHCP = false;
-  systemd.network.enable = true;
-
-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "2001:638:904:ffcb::c/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffcb::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::c"; prefixLength = 64; } ];
+  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  services.nginx.enable = true;

--- a/hosts/backup-4/replication.nix
+++ b/hosts/backup-4/replication.nix
@@ -1,20 +0,0 @@
-{ lib, ... }:
-
-with lib;
-
-{
-  clerie.backup = {
-    enable = true;
-    targets = mkForce {
-      palladium.serverUrl = "http://[fd90:37fd:ddec:d921::2]:43242";
-    };
-    jobs.replication = {
-      paths = [
-        "/mnt/backup-4/magenta"
-      ];
-      exclude = [
-        "/mnt/backup-4/magenta/.htpasswd"
-      ];
-    };
-  };
-}
--- a/hosts/backup-4/secrets.json
+++ b/hosts/backup-4/secrets.json
@@ -1,8 +1,5 @@
 {
-	"clerie-backup-job-replication": "ENC[AES256_GCM,data:BxOj/jT/GFBNSLc=,iv:zKDmEqUpOUWbU3fEeKDLniZ8D1yzs4kdGjoFLeNZOpo=,tag:iKAxHnIUpvtZwVO+eJW3Xw==,type:str]",
-	"clerie-backup-target-palladium": "ENC[AES256_GCM,data:OaszucYAp4n/ds59nF8D4Qn3U9a6L+ONcbPa+BmSz/EprW7E3kCoJ6+EceahPemTnR53mkP6zAndWaXaBTFfdg==,iv:pqi4+LuLPhtmKucm7JqN6d2hwXzNVx8IPimTL6FgHHg=,tag:+91GgLQNKD/lI7uWojCwjA==,type:str]",
 	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
-	"wg-b-palladium": "ENC[AES256_GCM,data:XTenrGQFLDndt/XPaDGRLQthVq1UFKJ2mWK3Z+YfT54YpnWO81cslrMMtPc=,iv:tW8NHOcNj3Q26BJBIz7UPR3bmw3nrb0UkkD+gqngw/w=,tag:XDYkIqj6z2Jvhaoiqeyn0g==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
 	"sops": {
 		"kms": null,
@@ -15,8 +12,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-04-18T08:37:08Z",
-		"mac": "ENC[AES256_GCM,data:50NF4BI0QUhe622J6nwIF89pLlTdgxVB/MWbO5nWKgQI5xuNrnFghs5yVgZIV7FeONcu2pYykp28fSrFKhvbPt+B90i4HvaaIHdZGDepbEV9ZwK4AU66zZW4KCCPxv4NTYh+AuSi7HTHusXUrNIvRhYvAXjESi7nK7JPm3BTfUk=,iv:fvtTaSXNx6IL6D9DdEa5ovymNYeWJObCBiRiIsG7KeE=,tag:LdfXiAuMHLCb0biThHh1GQ==,type:str]",
+		"lastmodified": "2025-02-16T18:13:41Z",
+		"mac": "ENC[AES256_GCM,data:O+E3UbWbmlbpUPeSS/BFcJpWr2WEXbu0aaj9u3XUwstp4ba6e0xuVdzfbntQwbN378sDNpDMkAuxp1+R/0THBSs+nqXC9q9IgK+hfSBd7q2v4lvdhxRdM1x4wysTDJGtjFNdfz8EzqMz42Y2IWjxSozgPNpjZSIGhwMBA2TS/gU=,iv:1waH/yUGt5jGJbQlYmp5b97NGVyRykgzI2g1xX+Jo/U=,tag:4bxFxkClt3LbqCH552XePw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-04T12:30:52Z",
@@ -25,6 +22,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
+		"version": "3.8.1"
 	}
 }
--- a/hosts/backup-4/wg-b-palladium.nix
+++ b/hosts/backup-4/wg-b-palladium.nix
@@ -1,40 +0,0 @@
-{ config, ... }:
-
-{
-
-  sops = {
-    secrets.wg-b-palladium = {
-      owner = "systemd-network";
-      group = "systemd-network";
-    };
-  };
-
-  systemd.network.netdevs."10-wg-b-palladium" = {
-    netdevConfig = {
-      Kind = "wireguard";
-      Name = "wg-b-palladium";
-    };
-    wireguardConfig = {
-      PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
-      ListenPort = 51844;
-    };
-    wireguardPeers = [
-      {
-        PublicKey = "YMTOhRAKWfFX1UVBoROPvgcQxTSN4tny35brAocdnwo=";
-        AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
-        PersistentKeepalive = 25;
-      }
-    ];
-  };
-
-  systemd.network.networks."10-wg-b-palladium" = {
-    matchConfig.Name = "wg-b-palladium";
-    address = [
-      "fd90:37fd:ddec:d921::1/64"
-    ];
-    linkConfig.RequiredForOnline = "no";
-  };
-
-  networking.firewall.allowedUDPPorts = [ 51844 ];
-
-}
--- a/hosts/beryllium/configuration.nix
+++ b/hosts/beryllium/configuration.nix
@@ -6,8 +6,6 @@
      ./hardware-configuration.nix
    ];

-  profiles.clerie.network-fallback-dhcp.enable = true;
-
  boot.kernelParams = [ "console=ttyS0,115200n8" ];

  boot.loader.grub.enable = true;
@@ -22,11 +20,39 @@

  networking.firewall.enable = false;

-  profiles.clerie.wg-clerie = {
+  networking.iproute2.enable = true;
+  networking.iproute2.rttablesExtraConfig = ''
+    200 wg-clerie
+  '';
+
+  petabyte.policyrouting = {
    enable = true;
-    ipv6s = [ "2a01:4f8:c0c:15f1::8107/128" ];
-    ipv4s = [ "10.20.30.107/32" ];
-    privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
+    rules6 = [
+      { rule = "from 2a01:4f8:c0c:15f1::8107/128 lookup wg-clerie"; prio = 20000; }
+      { rule = "from 2a01:4f8:c0c:15f1::8107/128 unreachable"; prio = 20001; }
+    ];
+    rules4 = [
+      { rule = "from 10.20.30.107/32 lookup wg-clerie"; prio = 20000; }
+      { rule = "from 10.20.30.107/32 unreachable"; prio = 20001; }
+    ];
+  };
+
+
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces = {
+    wg-clerie = {
+      ips = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
+      table = "wg-clerie";
+      peers = [
+        {
+          endpoint = "vpn.clerie.de:51820";
+          persistentKeepalive = 25;
+          allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
+          publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
+        }
+      ];
+      privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
+    };
  };

  clerie.monitoring = {
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -4,6 +4,7 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/router

      ./dns.nix
      ./mdns.nix
@@ -21,9 +22,6 @@
      ./wg-clerie.nix
    ];

-  profiles.clerie.common-networking.enable = false;
-  profiles.clerie.router.enable = true;
-
  boot.kernelParams = [ "console=ttyS0,115200n8" ];

  boot.loader.grub.enable = true;
@@ -63,10 +61,10 @@

  systemd.services.kea-dhcp4-server = {
    after = [
-      "network.target"
+      "network-setup.service"
    ];
-    wants = [
-      "network.target"
+    requires = [
+      "network-setup.service"
    ];
  };

--- a/hosts/clerie-backup/configuration.nix
+++ b/hosts/clerie-backup/configuration.nix
@@ -4,26 +4,20 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm

      ./restic-server.nix
    ];

-  profiles.clerie.ruby-vm.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "2a00:fe0:1:21f::a/64"
-    ];
-    routes = [
-      { Gateway ="2a00:fe0:1:21f::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  networking.useDHCP = false;
+  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::6"; prefixLength = 64; } ];
+  networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  services.nginx.enable = true;

@@ -34,6 +28,10 @@
      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiUWufpvAj/Rdxt/frAjs5Q4+/lzaN2jmf5+W3Gazjzw+CH+Agplux6op+LlzF7kAA32yP+lwQto8Rz92NzReDssXd+0JhgAAHrSMrPOPnQbZrierKOfVvDOteklEM4k5JXqZ+xHIMtNomuMV3wCFc18nvwc8t95pDBOI/HwzAwn2mGhVBod0CNXZs8EyMeQJNKLCRwpUrddOX6fz5x/fbPYO4KB3iPkC0X+e/d5SuBvrmwFdnpr2RkCboMPdd6i/0AsY4MLdMV54arS9Ed2jaFKqYCQR5wRdLxndn+aByyVQHQxVU0gVfO9+53NOgiVzhOFzXm6K2KcC/HZR5uj1r ceea@olbers.uberspace.de" ];
      path = "/mnt/clerie-backup/uberspace-ceea";
    };
+    uberspace-cleriewi = {
+      authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAeU+YezmGNNnntAkOL143NlkADi6ekEcaW9yf9yegdkDxwyIyxaWC89B110kRkNe+6KP+LDwrp9vnFJZjst8Gv+dMs0h9U0IdUafhO7TcbbkqynqmtzIwiSGsLby2K9XOYTMlAa2JOfeNScPWccZ8KgXsIBqRGjo3yQfCHXZu9U/8CGXvYPsTGY5QYNeAw5Uaikuf565GHy4ROx2BN7LGug9lK42Hfv8i1lhCLi7wkhQ0EPGBRPkscjz/0Kb2iABMzyUf6uMrDJX/usKrChxkLfidIM9C5YR1E+wXlmy9lijuNP85NpXUEyVTAp9/XLCp1vskfCjsBLO0l+40XNIt cleriewi@biela.uberspace.de" ];
+      path = "/mnt/clerie-backup/uberspace-cleriewi";
+    };
  };

  # fix borgbackup primary grouping
@@ -53,6 +51,62 @@
      compression = "auto,lzma";
      startAt = "*-*-* 04:07:00";
    };
+    backup-replication-palladium = {
+      paths = [
+        "/mnt/clerie-backup"
+      ];
+      doInit = true;
+      repo =  "borg@palladium.net.clerie.de:." ;
+      encryption = {
+        mode = "none";
+      };
+      environment = { BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-palladium"; };
+      compression = "auto,lzma";
+      startAt = "*-*-* 06:23:00";
+    };
+    backup-replication-external-drive = {
+      paths = [
+        "/mnt/clerie-backup"
+      ];
+      doInit = true;
+      repo =  "borg@palladium.net.clerie.de:." ;
+      encryption = {
+        mode = "none";
+      };
+      environment = {
+        BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-external-drive";
+        BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+        BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
+      };
+      compression = "auto,lzma";
+      startAt = "*-*-* 08:37:00";
+    };
+  };
+
+  users.users.backup-replication = {
+    isNormalUser = true;
+    group = "backup-replication";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8kCLiDfVFKgoNvEoMb34jp2n1lQG+k7wigzc4qGmrROlWkJ46/Ym4UrSeQJAd6hwHTcKTZkeOrqDAjZZ+jlidpncJHT5VMW5Ah965pxbBq6Qh1Yz5tKj7nLAQ/+bwEH4qqBFNd796876n3pY/FqhwAHWONqWhLKzMXpFursMSITUPmRXcaPwJrgS9DIYspZ9bBhhRSdQ5N1SiGtaszOQwdevLnNYqdtFOBG4rt9SO6IBIHtaiTIHrrMGS2Lt3NMwkq+O+N+TGaKLjbwqtfUPfPOCmY0XH12OawjxHP9hZ+WH3dPtcu5p+VORciSybPvyh9qzXUrDeO4HDuii2GEFU8JFELYXdT/qBwdIMp82tkgww0zKbTJuc0y/9eR7LCXop4OALhR8+8xWDI9c1ccxu3T7S7zUI1OmTlR9i8rx85D4sz2dtp1jirDoW2KVuIdwe6G3NLfTL95FZRmveEQM3MO8MPpfzZ4EvaMbiQQd/c4VAmGovtSLQhySTpT6qSv0= root@backup-4"
+      #"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRANmJ2LYUr0Mavz/JJ7j+7p1zkqvizf6ZLt5XOJ2fj0enDuK7Dc5fxiESLGYTsLRVWuY4hNXVIL7aeJUj1LPf6LEX87APP4hb95t+TFxcES87tFfnFO48eiBbSd25Av2jmHGb6/wY2viYBxfk/vrLjPR6RgICqFsWFcz20bsWmc48FdzXYJCGJfKjHiW+Ut95VL+M/AlGBQHo33FNDyPXV4zh+MeWVkOFicwfh0k+4NH7Psj5n93m9szAlz306t5YZ32HnhSlvObkMk1Ugy6AzPKXrgKBu11pmatf7sFRx1ikYGUiKiezGjatt/8lYZfE8rQKQjwH+6LPt3ZPv06ncfKpH2vbZfonM0KhSsm1OIhJTse+X7ZMxizO6QqYM+BRJJGMbhH1g+6kFRsdlwakHNPE9YvG4NxZ1NxWTUr6F0gPhUEy61LkTnznt3ct1hgQR02KDQ+9i8PvaYeIIzZzRKufv4tV7OZkDLbN97tvAMkgpLjF+8fCg3qjn2Lckzc= root@palladium"
+    ];
+  };
+
+  users.groups.backup-replication = {};
+
+  environment.systemPackages = with pkgs; [
+    bindfs
+  ];
+
+  fileSystems."/clerie-backup-replication" = {
+    device = "/mnt/clerie-backup";
+    fsType = "fuse.bindfs";
+    options = [
+      "ro"
+      "force-user=backup-replication"
+      "force-group=backup-replication"
+      "perms=0000:ug=rD"
+    ];
  };

  clerie.monitoring = {
--- a/hosts/clerie-backup/hardware-configuration.nix
+++ b/hosts/clerie-backup/hardware-configuration.nix
@@ -8,7 +8,7 @@
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];

-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
@@ -19,7 +19,7 @@
    };

  fileSystems."/mnt/clerie-backup" =
-    { device = "/dev/disk/by-uuid/15a42e2e-57dc-43ff-a50d-8b73952d4558";
+    { device = "/dev/disk/by-uuid/69e75b00-23e1-4775-98a6-061a79d806cf";
      fsType = "ext4";
    };

@@ -33,7 +33,4 @@
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  boot.swraid.enable = true;
-
-
 }
--- a/hosts/dn42-il-gw1/configuration.nix
+++ b/hosts/dn42-il-gw1/configuration.nix
@@ -4,43 +4,49 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
+      ../../configuration/dn42
    ];

-  profiles.clerie.mercury-vm.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens20";
-    address = [
-      "2001:638:904:ffc9::7/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffc9::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "192.168.10.23/24"
-    ];
-    routes = [
-      { Gateway = "192.168.10.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-dn42-ospf-netz" = {
-    matchConfig.Name = "ens19";
-    linkConfig.RequiredForOnline = "no";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:1::1"; prefixLength = 64; } ];
+  # VM Nat Netz mercury
+  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.23"; prefixLength = 24; } ];
+  # OSPF Netz
+  networking.interfaces.ens19 = {};
+  # IPv6 Uplink
+  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::7"; prefixLength = 64; } ];
+
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
+    # n0emis
+    wg0197 = {
+      ips = [
+        "fe80::42:1/128"
+        # peer fe80::42:42:1/128
+      ];
+      postSetup = ''
+      ip -6 route flush dev wg0197
+      ip addr del dev wg0197 fe80::42:1/128 && ip addr add dev wg0197 fe80::42:1/128 peer fe80::42:42:1/128
+      '';
+      listenPort = 50197;
+      allowedIPsAsRoutes = false;
+      peers = [
+        {
+          allowedIPs = [ "fe80::/10" "fd00::/8" ];
+          endpoint = "himalia.dn42.n0emis.eu:52574";
+          publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
+        }
+      ];
+      privateKeyFile = config.sops.secrets.wg0197.path;
+    };
    # e1mo
    wg0565 = {
      ips = [
@@ -120,6 +126,27 @@
      ];
      privateKeyFile = config.sops.secrets.wg1280.path;
    };
+    # perflyst
+    wg1302 = {
+      ips = [
+        "fe80::a14e/128"
+        # peer fe80::a14d/128
+      ];
+      postSetup = ''
+      ip -6 route flush dev wg1302
+      ip addr del dev wg1302 fe80::a14e/128 && ip addr add dev wg1302 fe80::a14e/128 peer fe80::a14d/128
+      '';
+      listenPort = 51302;
+      allowedIPsAsRoutes = false;
+      peers = [
+        {
+          allowedIPs = [ "fe80::/10" "fd00::/8" ];
+          endpoint = "[2a03:4000:6:f6ed::1]:22574";
+          publicKey = "TSPvvpMY8dCFk6gd58aYtkibtqUn8EzIF6dXP52b3y8=";
+        }
+      ];
+      privateKeyFile = config.sops.secrets.wg1302.path;
+    };
    # lutoma
    wg4719 = {
      ips = [
@@ -140,104 +167,168 @@
      ];
      privateKeyFile = config.sops.secrets.wg4719.path;
    };
-    # zaphyra
-    wg1718 = {
-      ips = [
-        "fe80::2574/128"
-        # peer fe80::6b61/64
-      ];
-      postSetup = ''
-      ip addr replace dev wg1718 fe80::2574/128 peer fe80::6b61/128
-      '';
-      listenPort = 51718;
-      allowedIPsAsRoutes = false;
-      peers = [
-        {
-          allowedIPs = [ "fe80::/10" "fd00::/8" ];
-          endpoint = "router-a.dn42.zaphyra.eu:51831";
-          publicKey = "Knm6uEpMsTfZAK68Pl98mHORtb8TtswBfYFGznpHUCI=";
-        }
-      ];
-      privateKeyFile = config.sops.secrets.wg1718.path;
-    };
  };

-  networking.firewall.allowedUDPPorts = [
-    50565 # wg0565
-    51271 # wg1271
-    51272 # wg1272
-    51280 # wg1280
-    54719 # wg4719
-    51718 # wg1718
-  ];
-
-  profiles.clerie.dn42-router = {
+  petabyte.policyrouting = {
    enable = true;
-    loopbackIp = "fd56:4902:eca0:1::1";
-    routerId = "192.168.10.23";
-
-    ospfInterfaces = [
-      "ens19"
-    ];
-
-    ibgpPeers = [
-      {
-        peerName = "gw5";
-        remoteAddress = "fd56:4902:eca0:5::1";
-      }
-      {
-        peerName = "gw6";
-        remoteAddress = "fd56:4902:eca0:6::1";
-      }
-    ];
-
-    wireguardPeers = [
-      {
-        peerName = "peer_0565";
-        remoteAddress = "fe80::565";
-        interfaceName = "wg0565";
-        remoteAsn = "4242420565";
-        localAddress = "fe80::2574";
-      }
-      {
-        peerName = "peer_1271_north";
-        remoteAddress = "fe80::2";
-        interfaceName = "wg1271";
-        remoteAsn = "4242421271";
-        localAddress = "fe80::1";
-      }
-      {
-        peerName = "peer_1271_south";
-        remoteAddress = "fe80::1:2";
-        interfaceName = "wg1272";
-        remoteAsn = "4242421271";
-        localAddress = "fe80::1:1";
-      }
-      {
-        peerName = "peer_1280_wg1";
-        remoteAddress = "fde3:4c0d:2836:ff00::20";
-        interfaceName = "wg1280";
-        remoteAsn = "4242421280";
-        localAddress = "fde3:4c0d:2836:ff00::21";
-      }
-      {
-        peerName = "peer_4719";
-        remoteAddress = "fe80::acab";
-        interfaceName = "wg4719";
-        remoteAsn = "64719";
-        localAddress = "fe80::1";
-      }
-      {
-        peerName = "peer_1718";
-        remoteAddress = "fe80::6b61";
-        interfaceName = "wg1718";
-        remoteAsn = "4242421718";
-        localAddress = "fe80::2574";
-      }
+    rules6 = [
+      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
+      { rule = "from all to all lookup 2342"; prio = 10000; }
+      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
+      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
    ];
  };

-  services.bijwerken = {
+  services.bird.enable = true;
+  services.bird.package = pkgs.bird2;
+  services.bird.config = ''
+  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
+
+  ipv6 table ospf6;
+  ipv6 table bgp6;
+
+  protocol direct {
+          interface "lo";
+          ipv6 {
+                  table ospf6;
+          };
+  }
+
+  protocol static {
+          ipv6 {
+                  table bgp6;
+          };
+          route fd56:4902:eca0::/48 via "lo";
+          route fd56:4902:eca0::/52 via "lo";
+  }
+
+  protocol kernel {
+          ipv6 {
+                  table ospf6;
+                  export filter {
+                          krt_prefsrc=fd56:4902:eca0:1::1;
+                          accept;
+                  };
+                  import none;
+          };
+          kernel table 1337;
+  }
+
+  protocol kernel {
+          ipv6 {
+                  table bgp6;
+                  export filter {
+                          krt_prefsrc=fd56:4902:eca0:1::1;
+                          accept;
+                  };
+                  import none;
+          };
+          kernel table 2342;
+  }
+
+  protocol ospf v3 {
+          ipv6 {
+                  table ospf6;
+                  import all;
+                  export all;
+          };
+          area 0 {
+                  interface "ens19" {
+                          cost 80;
+                          type broadcast;
+                  };
+          };
+  }
+
+  protocol bgp gw5 {
+          local as 4242422574;
+          graceful restart on;
+          neighbor fd56:4902:eca0:5::1 as 4242422574;
+          source address fd56:4902:eca0:1::1;
+          ipv6 {
+                  table bgp6;
+                  igp table ospf6;
+                  next hop self;
+                  import keep filtered;
+                  import all;
+                  export all;
+          };
+  }
+
+  protocol bgp gw6 {
+          local as 4242422574;
+          graceful restart on;
+          neighbor fd56:4902:eca0:6::1 as 4242422574;
+          source address fd56:4902:eca0:1::1;
+          ipv6 {
+                  table bgp6;
+                  igp table ospf6;
+                  next hop self;
+                  import keep filtered;
+                  import all;
+                  export all;
+          };
+  }
+
+  template bgp bgp_peer {
+  	local as 4242422574;
+  	graceful restart on;
+  	ipv6 {
+  		table bgp6;
+  		next hop self;
+  		import keep filtered;
+  		import filter {
+  			if net ~ [fd00::/8{48,64}] then accept;
+  			reject;
+  		};
+  		export filter {
+  			if net ~ [fd00::/8{48,64}] then accept;
+  			reject;
+  		};
+  	};
+  }
+
+  protocol bgp peer_0197_himalia from bgp_peer {
+          neighbor fe80::42:42:1%wg0197 as 4242420197;
+          source address fe80::42:1;
+  }
+
+  protocol bgp peer_0565 from bgp_peer {
+	neighbor fe80::565%wg0565 as 4242420565;
+	source address fe80::2574;
+  }
+
+  protocol bgp peer_1271_north from bgp_peer {
+  	neighbor fe80::2%wg1271 as 4242421271;
+  	source address fe80::1;
+  }
+
+  protocol bgp peer_1271_south from bgp_peer {
+  	neighbor fe80::1:2%wg1272 as 4242421271;
+  	source address fe80::1:1;
+  }
+
+  protocol bgp peer_1280_wg1 from bgp_peer {
+  	neighbor fde3:4c0d:2836:ff00::20%wg1280 as 4242421280;
+  	source address fde3:4c0d:2836:ff00::21;
+  }
+
+  protocol bgp peer_1302 from bgp_peer {
+  	neighbor fe80::a14d%wg1302 as 4242421302;
+  	source address fe80::a14e;
+  }
+
+  protocol bgp peer_4719 from bgp_peer {
+    neighbor fe80::acab%wg4719 as 64719;
+  }
+
+  protocol device {
+          scan time 10;
+  }
+  '';
+
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
    autoUpgrade = true;
  };

--- a/hosts/dn42-il-gw1/secrets.json
+++ b/hosts/dn42-il-gw1/secrets.json
@@ -5,18 +5,21 @@
 	"wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]",
 	"wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]",
 	"wg1302": "ENC[AES256_GCM,data:+MzuBPg3ql0/MEnpVvhQTsPIkKB9xnHN9Fk4VlZwK4ijKl+26d6oTSM7/R0=,iv:bPPmhenQLaKTGaDo4rBlKkrXrS1YysRuntbKq6zi2aQ=,tag:lztaTfDGT4kAq+HZMLl0Dw==,type:str]",
-	"wg1718": "ENC[AES256_GCM,data:lB+j2O15O7ogdB+QdutD3V/h8IREMMlpCsnMJWNPXlz196KM6WNNYCV2v5M=,iv:AwrRPQIFu8A14Vs5A9slkCPMkgU3VZxL1YupJnriEHc=,tag:Vpt0C6SFzUXGotdfc1ocmg==,type:str]",
 	"wg4719": "ENC[AES256_GCM,data:hoOOCUGdYFaAQZ6wkgmQl65M1qArvXa826IeJl+BUGf7UX0vxx9J0C2epTE=,iv:+1JcOgzClehkE0Ihd2mmoenPk51OBZMF0bMqapWah/c=,tag:xI5FU+GJU6BER9/n04ccLA==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:aw11Ygfll6llabXkuxtbTcCn1eb4NZX1IwArcXoRJCJSgwDrQZ3HLatov3w=,iv:J2VD5XS+BrIKeFb0NW1UYZUuGPkbjFmooZ93PVK31gw=,tag:2XLSa/2s6LRq3L7UdrTs/g==,type:str]",
 	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1f0hscql4f4w7vyukzeu693xfedsl596dpjekc23q77ylp92zsvcqf9u75t",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-06-10T20:51:10Z",
-		"mac": "ENC[AES256_GCM,data:9lF4HV0oJyGHXdtYdMxR7+ev7JLAQVr6kE55nLoZcrbC92MHJzQpgM9XAhIynvwdAmC7ARd3orCn6eYkQJDdNX0JjMtebsBE+H4B7mEUCz8wtTN0iHS+oHmQxrqjnoSw2uHh9udgqAJa+sd6VGU3t2XUuuKtVHPwzROqVgvas9M=,iv:KT+BlFeXGZQc5pbBX+XOsmKEydUtir1LuPvseDkFeqw=,tag:hlRskY6b5EAZkUYs7ph/JA==,type:str]",
+		"lastmodified": "2024-04-28T09:28:04Z",
+		"mac": "ENC[AES256_GCM,data:PHdhyie0Ya/nN9Kqj4z+zPyyKZFvGkznkv8Uf3LNSdPKWVtXARZc8Xodm4MjI2HvooryyyMFHkW75Aln02Rlvk3R8oI7rfFZC7s2P+LotumsYgRFf0JOUMxsxOtKW0ehuLy83Bw0rMJQo1gzTgBykcvdc2pkMmALF/vU/1VqgJ4=,iv:0JwcY0Q+8VAiVHYjynhcpsobQXOkK8EBe3QUJ8YUwFE=,tag:9xAcoxAPGxTvHVBydf3u9Q==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-04-28T09:25:37Z",
@@ -25,6 +28,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
+		"version": "3.8.1"
 	}
-}
+}
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@@ -4,114 +4,185 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
+      ../../configuration/dn42
    ];

-  profiles.clerie.mercury-vm.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens21";
-    address = [
-      "2001:638:904:ffc9::a/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffc9::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "192.168.10.25/24"
-    ];
-    routes = [
-      { Gateway = "192.168.10.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-dn42-ospf-netz" = {
-    matchConfig.Name = "ens19";
-    linkConfig.RequiredForOnline = "no";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-dn42-lokales-netz" = {
-    # Aktuell nicht verwendet, da in lo-dn42 umgezogen
-    matchConfig.Name = "ens20";
-    linkConfig.RequiredForOnline = "no";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-dn42-ildix" = {
-    matchConfig.Name = "ens22";
-    address = [
-      "fd81:edb3:71d8:ffff:2574::5/64"
-    ];
-    linkConfig.RequiredForOnline = "no";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  # VM Nat Netz mercury
+  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.25"; prefixLength = 24; } ];
+  # OSPF Netz
+  networking.interfaces.ens19 = {};
+  # Lokales Netz
+  networking.interfaces.ens20.ipv6.addresses = [ { address = "fd56:4902:eca0:5::1"; prefixLength = 64; } ];
+  # IPv6 Uplink
+  networking.interfaces.ens21.ipv6.addresses = [ { address = "2001:638:904:ffc9::a"; prefixLength = 64; } ];
+  # Ildix
+  networking.interfaces.ens22.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::5"; prefixLength = 64; } ];

-  profiles.clerie.dn42-router = {
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+
+  petabyte.policyrouting = {
    enable = true;
-    loopbackIp = "fd56:4902:eca0:5::1";
-    routerId = "192.168.10.25";
-
-    ospfInterfaces = [
-      "ens19"
+    rules6 = [
+      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
+      { rule = "from all to all lookup 2342"; prio = 10000; }
+      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
+      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
    ];
-
-    ibgpPeers = [
-      {
-        peerName = "gw1";
-        remoteAddress = "fd56:4902:eca0:1::1";
-      }
-      {
-        peerName = "gw6";
-        remoteAddress = "fd56:4902:eca0:6::1";
-      }
-    ];
-
-    bgpPeers = [
-      {
-        peerName = "peer_ildix_clerie";
-        localAddress = "fd81:edb3:71d8:ffff:2574::5";
-        remoteAddress = "fd81:edb3:71d8:ffff::13";
-        remoteAsn = "4242422953";
-      }
-      {
-        peerName = "peer_ildix_nex";
-        localAddress = "fd81:edb3:71d8:ffff:2574::5";
-        remoteAddress = "fd81:edb3:71d8:ffff::14";
-        remoteAsn = "4242422953";
-      }
-    ];
-
-    birdExtraConfig = ''
-      # Internal
-      protocol bgp peer_2953_dn42_ildix_service {
-        local as 4242422574;
-        neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
-        source address fd81:edb3:71d8:ffff:2574::5;
-        multihop 64;
-        ipv6 {
-          table bgp6;
-          igp table ospf6;
-          next hop keep;
-          add paths tx;
-          import filter {
-            reject;
-          };
-          export filter {
-            accept;
-          };
-        };
-      }
-    '';
  };

-  services.bijwerken = {
+  services.bird.enable = true;
+  services.bird.package = pkgs.bird2;
+  services.bird.config = ''
+  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
+
+  ipv6 table ospf6;
+  ipv6 table bgp6;
+
+  protocol direct {
+    interface "ens20";
+    ipv6 {
+      table ospf6;
+    };
+  }
+
+  protocol static {
+          ipv6 {
+                  table bgp6;
+          };
+          route fd56:4902:eca0::/48 via "lo";
+          route fd56:4902:eca0::/52 via "lo";
+  }
+
+  protocol kernel {
+    ipv6 {
+      table ospf6;
+      export filter {
+        krt_prefsrc=fd56:4902:eca0:5::1;
+        accept;
+      };
+      import none;
+    };
+    kernel table 1337;
+  }
+
+  protocol kernel {
+          ipv6 {
+                  table bgp6;
+                  export filter {
+                          krt_prefsrc=fd56:4902:eca0:5::1;
+        accept;
+                  };
+                  import none;
+          };
+    kernel table 2342;
+  }
+
+  protocol ospf v3 {
+    ipv6 {
+      table ospf6;
+      import all;
+      export all;
+    };
+    area 0 {
+      interface "ens19" {
+        cost 80;
+        type broadcast;
+      };
+    };
+  }
+
+  protocol bgp gw1 {
+          local as 4242422574;
+          graceful restart on;
+          neighbor fd56:4902:eca0:1::1 as 4242422574;
+          source address fd56:4902:eca0:5::1;
+          ipv6 {
+                  table bgp6;
+                  igp table ospf6;
+                  next hop self;
+                  import keep filtered;
+                  import all;
+                  export all;
+          };
+  }
+
+  protocol bgp gw6 {
+          local as 4242422574;
+          graceful restart on;
+          neighbor fd56:4902:eca0:6::1 as 4242422574;
+          source address fd56:4902:eca0:5::1;
+          ipv6 {
+      table bgp6;
+      igp table ospf6;
+                  next hop self;
+                  import keep filtered;
+                  import all;
+                  export all;
+          };
+  }
+
+  template bgp ildix {
+    local as 4242422574;
+    graceful restart on;
+    source address fd81:edb3:71d8:ffff:2574::5;
+    ipv6 {
+      table bgp6;
+      igp table ospf6;
+      next hop self;
+      import keep filtered;
+      import filter {
+        if net ~ [fd00::/8{8,64}] then accept;
+        reject;
+      };
+      export filter {
+        if net ~ [fd00::/8{8,64}] then accept;
+        reject;
+      };
+    };
+  }
+
+  protocol bgp peer_ildix_clerie from ildix {
+    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
+  }
+
+  protocol bgp peer_ildix_nex from ildix {
+    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
+  }
+
+  # Internal
+  protocol bgp peer_2953_dn42_ildix_service {
+    local as 4242422574;
+    neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+    source address fd81:edb3:71d8:ffff:2574::5;
+    multihop 64;
+    ipv6 {
+      table bgp6;
+      igp table ospf6;
+      next hop keep;
+      add paths tx;
+      import filter {
+        reject;
+      };
+      export filter {
+        accept;
+      };
+    };
+  }
+
+  protocol device {
+    scan time 10;
+  }
+  '';
+
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
    autoUpgrade = true;
    startAt = "*-*-* 06:22:00";
  };
--- a/hosts/dn42-il-gw6/configuration.nix
+++ b/hosts/dn42-il-gw6/configuration.nix
@@ -4,108 +4,185 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
+      ../../configuration/dn42
    ];

-  profiles.clerie.cybercluster-vm.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "2001:638:904:ffc9::9/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffc9::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens20";
-    address = [
-      "192.168.10.26/24"
-    ];
-    routes = [
-      { Gateway = "192.168.10.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-dn42-ospf-netz" = {
-    matchConfig.Name = "ens21";
-    linkConfig.RequiredForOnline = "no";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-dn42-ildix" = {
-    matchConfig.Name = "ens19";
-    address = [
-      "fd81:edb3:71d8:ffff:2574::6/64"
-    ];
-    linkConfig.RequiredForOnline = "no";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:6::1"; prefixLength = 64; } ];
+  # IPv6 Uplink
+  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc9::9"; prefixLength = 64; } ];
+  # Ildix
+  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::6"; prefixLength = 64; } ];
+  # VM Nat Netz mercury
+  networking.interfaces.ens20.ipv4.addresses = [ { address = "192.168.10.26"; prefixLength = 24; } ];
+  # OSPF Netz
+  networking.interfaces.ens21 = {};

-  profiles.clerie.dn42-router = {
+
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens20"; };
+  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+
+  petabyte.policyrouting = {
    enable = true;
-    loopbackIp = "fd56:4902:eca0:6::1";
-    routerId = "192.168.10.26";
-
-    ospfInterfaces = [
-      "ens21"
+    rules6 = [
+      { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
+      { rule = "from all to all lookup 2342"; prio = 10000; }
+      { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
+      { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
    ];
-
-    ibgpPeers = [
-      {
-        peerName = "gw1";
-        remoteAddress = "fd56:4902:eca0:1::1";
-      }
-      {
-        peerName = "gw5";
-        remoteAddress = "fd56:4902:eca0:5::1";
-      }
-    ];
-
-    bgpPeers = [
-      {
-        peerName = "peer_ildix_clerie";
-        localAddress = "fd81:edb3:71d8:ffff:2574::6";
-        remoteAddress = "fd81:edb3:71d8:ffff::13";
-        remoteAsn = "4242422953";
-      }
-      {
-        peerName = "peer_ildix_nex";
-        localAddress = "fd81:edb3:71d8:ffff:2574::6";
-        remoteAddress = "fd81:edb3:71d8:ffff::14";
-        remoteAsn = "4242422953";
-      }
-    ];
-
-    birdExtraConfig = ''
-      # Internal
-      protocol bgp peer_2953_dn42_ildix_service {
-        local as 4242422574;
-        neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
-        source address fd81:edb3:71d8:ffff:2574::6;
-        multihop 64;
-        ipv6 {
-          table bgp6;
-          igp table ospf6;
-          next hop keep;
-          add paths tx;
-          import filter {
-            reject;
-          };
-          export filter {
-            accept;
-          };
-        };
-      }
-    '';
  };

-  services.bijwerken = {
+  services.bird.enable = true;
+  services.bird.package = pkgs.bird2;
+  services.bird.config = ''
+  router id ${ (lib.head config.networking.interfaces.ens20.ipv4.addresses).address };
+
+  ipv6 table ospf6;
+  ipv6 table bgp6;
+
+  protocol direct {
+    interface "lo";
+    ipv6 {
+      table ospf6;
+    };
+  }
+
+  protocol static {
+          ipv6 {
+                  table bgp6;
+          };
+          #route fd56:4902:eca0::/48 via "lo";
+          #route fd56:4902:eca0::/52 via "lo";
+  }
+
+  protocol kernel {
+          ipv6 {
+                  table ospf6;
+                  export filter {
+                          krt_prefsrc=fd56:4902:eca0:6::1;
+  			accept;
+                  };
+                  import none;
+          };
+  	kernel table 1337;
+  }
+
+  protocol kernel {
+          ipv6 {
+                  table bgp6;
+                  export filter {
+                          krt_prefsrc=fd56:4902:eca0:6::1;
+  			accept;
+                  };
+                  import none;
+          };
+          kernel table 2342;
+  }
+
+  protocol ospf v3 {
+          ipv6 {
+                  table ospf6;
+                  import all;
+                  export all;
+          };
+          area 0 {
+                  interface "ens21" {
+                          cost 80;
+                          type broadcast;
+                  };
+          };
+  }
+
+  protocol bgp gw1 {
+          local as 4242422574;
+          graceful restart on;
+          neighbor fd56:4902:eca0:1::1 as 4242422574;
+          source address fd56:4902:eca0:6::1;
+          ipv6 {
+                  table bgp6;
+                  igp table ospf6;
+                  next hop self;
+                  import keep filtered;
+                  import all;
+                  export all;
+          };
+  }
+
+  protocol bgp gw5 {
+          local as 4242422574;
+          graceful restart on;
+          neighbor fd56:4902:eca0:5::1 as 4242422574;
+          source address fd56:4902:eca0:6::1;
+          ipv6 {
+                  table bgp6;
+  		igp table ospf6;
+  		next hop self;
+                  import keep filtered;
+                  import all;
+                  export all;
+          };
+  }
+
+  template bgp ildix {
+    local as 4242422574;
+    graceful restart on;
+    source address fd81:edb3:71d8:ffff:2574::6;
+    ipv6 {
+      table bgp6;
+      igp table ospf6;
+      next hop self;
+      import keep filtered;
+      import filter {
+        if net ~ [fd00::/8{8,64}] then accept;
+        reject;
+      };
+      export filter {
+        if net ~ [fd00::/8{8,64}] then accept;
+        reject;
+      };
+    };
+  }
+
+  protocol bgp peer_ildix_clerie from ildix {
+    neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
+  }
+
+  protocol bgp peer_ildix_nex from ildix {
+    neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
+  }
+
+  # Internal
+  protocol bgp peer_2953_dn42_ildix_service {
+    local as 4242422574;
+    neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
+    source address fd81:edb3:71d8:ffff:2574::6;
+    multihop 64;
+    ipv6 {
+      table bgp6;
+      igp table ospf6;
+      next hop keep;
+      add paths tx;
+      import filter {
+        reject;
+      };
+      export filter {
+        accept;
+      };
+    };
+  }
+
+  protocol device {
+          scan time 10;
+  }
+  '';
+
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
    autoUpgrade = true;
    startAt = "*-*-* 07:22:00";
  };
--- a/hosts/dn42-ildix-clerie/configuration.nix
+++ b/hosts/dn42-ildix-clerie/configuration.nix
@@ -4,47 +4,26 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
    ];

-  profiles.clerie.mercury-vm.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens20";
-    address = [
-      "2001:638:904:ffcb::4/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffcb::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "192.168.10.27/24"
-    ];
-    routes = [
-      { Gateway = "192.168.10.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-dn42-ildix" = {
-    matchConfig.Name = "ens19";
-    address = [
-      "fd81:edb3:71d8:ffff::13/64"
-    ];
-    routes = [
-      # Route to dn42-ildix-service
-      { Destination = "fd81:edb3:71d8::/48"; Gateway = "fd81:edb3:71d8:ffff:2953::1"; }
-    ];
-    linkConfig.RequiredForOnline = "no";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  # VM Nat Netz mercury
+  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.27"; prefixLength = 24; } ];
+  # Ildix
+  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff::13"; prefixLength = 64; } ];
+  # Route to dn42-ildix-service
+  networking.interfaces.ens19.ipv6.routes = [ { address = "fd81:edb3:71d8::"; prefixLength = 48; via = "fd81:edb3:71d8:ffff:2953::1"; } ];
+
+  # public address
+  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffcb::4"; prefixLength = 64; } ];
+
+  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens20"; };
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  # Open Firewall for BGP
  networking.firewall.allowedTCPPorts = [ 179 ];
@@ -57,7 +36,7 @@
  services.bird.enable = true;
  services.bird.package = pkgs.bird2;
  services.bird.config = ''
-  router id 192.168.10.27;
+  router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };

  protocol direct {
    interface "ens19";
@@ -161,7 +140,8 @@
  }
  '';

-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
    autoUpgrade = true;
  };

--- a/hosts/dn42-ildix-service/bird.nix
+++ b/hosts/dn42-ildix-service/bird.nix
@@ -7,7 +7,7 @@
  services.bird.enable = false;
  services.bird.package = pkgs.bird2;
  services.bird.config = ''
-  router id 192.168.10.28;
+  router id ${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address};

  ipv6 table bgp6;

@@ -22,7 +22,7 @@
    ipv6 {
      table bgp6;
      export filter {
-        krt_prefsrc=fd81:edb3:71d8::1;
+        krt_prefsrc=${(lib.head config.networking.interfaces.lo.ipv6.addresses).address};
        accept;
      };
      import none;
--- a/hosts/dn42-ildix-service/configuration.nix
+++ b/hosts/dn42-ildix-service/configuration.nix
@@ -4,13 +4,11 @@
  imports =
    [
      ./hardware-configuration.nix
-
+      ../../configuration/proxmox-vm
      ./bird.nix
      ./fernglas.nix
    ];

-  profiles.clerie.mercury-vm.enable = true;
-
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  # boot.loader.grub.efiSupport = true;
@@ -19,58 +17,28 @@
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only

-  systemd.network.netdevs."10-lo-dn42" = {
-    netdevConfig = {
-      Kind = "dummy";
-      Name = "lo-dn42";
-    };
-  };
+  networking.useDHCP = false;
+  networking.interfaces.lo.ipv6.addresses = [
+    { address = "fd81:edb3:71d8::1"; prefixLength = 128; }
+    { address = "fd81:edb3:71d8::53"; prefixLength = 128; }
+  ];
+  # VM Nat Netz mercury
+  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.28"; prefixLength = 24; } ];
+  # ildix peering lan
+  networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2953::1"; prefixLength = 64; } ];
+  # IPv6 Uplink
+  networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::c"; prefixLength = 64; } ];

-  systemd.network.networks."10-lo-dn42" = {
-    matchConfig.Name = "lo-dn42";
-    address = [
-      "fd81:edb3:71d8::1/128"
-      "fd81:edb3:71d8::53/128"
-    ];
-    linkConfig.RequiredForOnline = "no";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens20";
-    address = [
-      "2001:638:904:ffc9::c/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffc9::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "192.168.10.28/24"
-    ];
-    routes = [
-      { Gateway = "192.168.10.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-dn42-ildix" = {
-    matchConfig.Name = "ens19";
-    address = [
-      "fd81:edb3:71d8:ffff:2953::1/64"
-    ];
-    linkConfig.RequiredForOnline = "no";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  services.nginx.enable = true;

  networking.firewall.allowedTCPPorts = [ 80 443 ];

-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
    autoUpgrade = true;
  };

--- a/hosts/dn42-ildix-service/fernglas.nix
+++ b/hosts/dn42-ildix-service/fernglas.nix
@@ -5,21 +5,20 @@

  services.fernglas = {
    enable = true;
-    useMimalloc = false;
    settings = {
      api.bind = "[::1]:3000";
-      collectors = {
-        bgp_any = {
+      collectors = [
+        {
          collector_type = "Bgp";
          bind = "[::]:1179";
          default_peer_config = {
            asn = 4242422953;
-            router_id = "192.168.10.28";
+            router_id = "${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address}";
            route_state = "Accepted";
            add_path = true;
          };
-        };
-      };
+        }
+      ];
    };
  };

--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
@@ -4,14 +4,17 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/router
    ];

  profiles.clerie.hetzner-cloud.enable = true;
-  profiles.clerie.router.enable = true;

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";

+  networking.useDHCP = false;
+  systemd.network.enable = true;
+
  systemd.network.networks."10-wan" = {
    address = [
      "2a01:4f8:c0c:15f1::1/64"
@@ -74,7 +77,7 @@
        {
          # palladium
          allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ];
-          publicKey = "AetxArlP6uiPEPnrk9Yx+ofhBOgOY4NLTqcKM/EA9mk=";
+          publicKey = "kxn69ynVyPJeShsAlVz5Xnd7U74GmCAw181b0+/qj3k=";
        }
        #{
        #  allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
@@ -131,7 +134,6 @@

  clerie.nginx-port-forward = {
    enable = true;
-    resolver = "127.0.0.53";
    tcpPorts."443" = {
      host = "localhost";
      port = 22;
--- a/hosts/hydra-1/configuration.nix
+++ b/hosts/hydra-1/configuration.nix
@@ -4,15 +4,14 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
+      ../../configuration/hydra-build-machine

      ./build-machines.nix
      ./hydra.nix
      ./nix-cache.nix
    ];

-  profiles.clerie.mercury-vm.enable = true;
-  profiles.clerie.hydra-build-machine.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
  
@@ -22,28 +21,12 @@
    "aarch64-linux"
  ];

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "2001:638:904:ffcb::a/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffcb::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens19";
-    address = [
-      "192.168.10.36/24"
-    ];
-    routes = [
-      { Gateway = "192.168.10.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::a"; prefixLength = 64; } ];
+  networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.36"; prefixLength = 24; } ];
+  networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  services.nginx.enable = true;

--- a/hosts/hydra-2/configuration.nix
+++ b/hosts/hydra-2/configuration.nix
@@ -4,11 +4,10 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
+      ../../configuration/hydra-build-machine
    ];

-  profiles.clerie.cybercluster-vm.enable = true;
-  profiles.clerie.hydra-build-machine.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

@@ -18,19 +17,12 @@
    "aarch64-linux"
  ];

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "2001:638:904:ffc1::100/64"
-      "141.24.50.112/24"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffc1::1"; }
-      { Gateway = "141.24.50.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::100"; prefixLength = 64; } ];
+  networking.interfaces.ens18.ipv4.addresses = [ { address = "141.24.50.112"; prefixLength = 24; } ];
+  networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
+  networking.defaultGateway = { address = "141.24.50.1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  clerie.monitoring = {
    enable = true;
--- a/hosts/krypton/configuration.nix
+++ b/hosts/krypton/configuration.nix
@@ -5,6 +5,8 @@
    [
      ./hardware-configuration.nix

+      ../../configuration/desktop
+
      ./android.nix
      ./backup.nix
      ./etesync-dav.nix
@@ -13,8 +15,6 @@
      ./programs.nix
    ];

-  profiles.clerie.desktop.enable = true;
-
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/hosts/krypton/network.nix
+++ b/hosts/krypton/network.nix
@@ -1,7 +1,7 @@
 { ... }:

 {
-  profiles.clerie.wg-clerie = {
+  services.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8011/128" ];
    ipv4s = [ "10.20.30.11/32" ];
--- a/hosts/krypton/programs.nix
+++ b/hosts/krypton/programs.nix
@@ -1,7 +1,9 @@
 { pkgs, ... }:

 {
-  profiles.clerie.firefox.enable = true;
+  environment.systemPackages = with pkgs; [
+    firefox-wayland
+  ];

  users.users.clerie.packages = with pkgs; [
    keepassxc
@@ -14,17 +16,16 @@

    tio
    xournalpp
-    libreoffice
+    onlyoffice-bin

    krita
    inkscape
-    dune3d

    wireshark
    tcpdump
    nmap

-    kdePackages.okular
+    okular
    chromium-incognito

    print-afra
--- a/hosts/mail-2/configuration.nix
+++ b/hosts/mail-2/configuration.nix
@@ -13,6 +13,9 @@
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";

+  networking.useDHCP = false;
+  systemd.network.enable = true;
+
  systemd.network.networks."10-wan" = {
    address = [
      "2a01:4f8:1c1c:9577::1/64"
--- a/hosts/monitoring-3/blackbox.nix
+++ b/hosts/monitoring-3/blackbox.nix
@@ -25,48 +25,6 @@
            fail_if_not_ssl: true
            fail_if_body_not_matches_regexp:
              - "Synapse is running"
-            headers:
-              User-Agent: "monitoring.clerie.de, blackbox exporter"
-        http4:
-          prober: http
-          http:
-            preferred_ip_protocol: ip4
-            ip_protocol_fallback: false
-            fail_if_ssl: true
-            follow_redirects: false
-            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
-            headers:
-              User-Agent: "monitoring.clerie.de, blackbox exporter"
-        http6:
-          prober: http
-          http:
-            preferred_ip_protocol: ip6
-            ip_protocol_fallback: false
-            fail_if_ssl: true
-            follow_redirects: false
-            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
-            headers:
-              User-Agent: "monitoring.clerie.de, blackbox exporter"
-        https4:
-          prober: http
-          http:
-            preferred_ip_protocol: ip4
-            ip_protocol_fallback: false
-            fail_if_not_ssl: true
-            follow_redirects: false
-            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
-            headers:
-              User-Agent: "monitoring.clerie.de, blackbox exporter"
-        https6:
-          prober: http
-          http:
-            preferred_ip_protocol: ip6
-            ip_protocol_fallback: false
-            fail_if_not_ssl: true
-            follow_redirects: false
-            valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
-            headers:
-              User-Agent: "monitoring.clerie.de, blackbox exporter"
    '';
  };
 }
--- a/hosts/monitoring-3/configuration.nix
+++ b/hosts/monitoring-3/configuration.nix
@@ -4,43 +4,25 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
      ./alertmanager.nix
      ./berlinerbaeder-exporter.nix
      ./blackbox.nix
      ./grafana.nix
      ./nixos-validator.nix
      ./prometheus.nix
-      ./targets.nix
      ./uptimestatus.nix
    ];

-  profiles.clerie.mercury-vm.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens19";
-    address = [
-      "2001:638:904:ffca::7/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffca::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "192.168.10.32/24"
-    ];
-    routes = [
-      { Gateway = "192.168.10.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.32"; prefixLength = 24; } ];
+  networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffca::7"; prefixLength = 64; } ];
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+  networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens19"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  services.prometheus.exporters.node.enable = true;

--- a/hosts/monitoring-3/dashboards/home.json
+++ b/hosts/monitoring-3/dashboards/home.json
@@ -1,77 +0,0 @@
-{
-  "annotations": {
-    "list": [
-      {
-        "builtIn": 1,
-        "datasource": {
-          "type": "datasource",
-          "uid": "grafana"
-        },
-        "enable": true,
-        "hide": true,
-        "iconColor": "rgba(0, 211, 255, 1)",
-        "name": "Annotations & Alerts",
-        "target": {
-          "limit": 100,
-          "matchAny": false,
-          "tags": [],
-          "type": "dashboard"
-        },
-        "type": "dashboard"
-      }
-    ]
-  },
-  "editable": true,
-  "fiscalYearStartMonth": 0,
-  "graphTooltip": 0,
-  "id": 10,
-  "links": [],
-  "panels": [
-    {
-      "fieldConfig": {
-        "defaults": {},
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 11,
-        "w": 24,
-        "x": 0,
-        "y": 0
-      },
-      "id": 2,
-      "options": {
-        "includeVars": false,
-        "keepTime": false,
-        "maxItems": 10,
-        "query": "",
-        "showFolderNames": true,
-        "showHeadings": false,
-        "showRecentlyViewed": false,
-        "showSearch": true,
-        "showStarred": false,
-        "tags": []
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "title": "Dashboards",
-      "type": "dashlist"
-    }
-  ],
-  "preload": false,
-  "refresh": "",
-  "schemaVersion": 41,
-  "tags": [],
-  "templating": {
-    "list": []
-  },
-  "time": {
-    "from": "now-6h",
-    "to": "now"
-  },
-  "timepicker": {
-    "hidden": true
-  },
-  "timezone": "browser",
-  "title": "Home",
-  "uid": "OqTN9p2nz",
-  "version": 1
-}
--- a/hosts/monitoring-3/dashboards/nginx-exporter.json
+++ b/hosts/monitoring-3/dashboards/nginx-exporter.json
@@ -1,355 +0,0 @@
-{
-  "annotations": {
-    "list": [
-      {
-        "builtIn": 1,
-        "datasource": {
-          "type": "grafana",
-          "uid": "-- Grafana --"
-        },
-        "enable": true,
-        "hide": true,
-        "iconColor": "rgba(0, 211, 255, 1)",
-        "name": "Annotations & Alerts",
-        "type": "dashboard"
-      }
-    ]
-  },
-  "editable": true,
-  "fiscalYearStartMonth": 0,
-  "graphTooltip": 0,
-  "id": 16,
-  "links": [],
-  "panels": [
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisBorderShow": false,
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "barWidthFactor": 0.6,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green"
-              }
-            ]
-          },
-          "unit": "reqps"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 10,
-        "w": 12,
-        "x": 0,
-        "y": 0
-      },
-      "id": 1,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "disableTextWrap": false,
-          "editorMode": "builder",
-          "expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
-          "fullMetaSearch": false,
-          "includeNullMetadata": true,
-          "legendFormat": "__auto",
-          "range": true,
-          "refId": "A",
-          "useBackend": false
-        }
-      ],
-      "title": "Total requests",
-      "type": "timeseries"
-    },
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisBorderShow": false,
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "barWidthFactor": 0.6,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green"
-              }
-            ]
-          },
-          "unit": "reqps"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 10,
-        "w": 12,
-        "x": 12,
-        "y": 0
-      },
-      "id": 2,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "disableTextWrap": false,
-          "editorMode": "builder",
-          "expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
-          "fullMetaSearch": false,
-          "includeNullMetadata": true,
-          "legendFormat": "{{server_name}}: {{method}}",
-          "range": true,
-          "refId": "A",
-          "useBackend": false
-        }
-      ],
-      "title": "Status codes",
-      "type": "timeseries"
-    },
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisBorderShow": false,
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "barWidthFactor": 0.6,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green"
-              }
-            ]
-          },
-          "unit": "reqps"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 10,
-        "w": 12,
-        "x": 0,
-        "y": 10
-      },
-      "id": 3,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "disableTextWrap": false,
-          "editorMode": "builder",
-          "expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
-          "fullMetaSearch": false,
-          "includeNullMetadata": true,
-          "legendFormat": "{{server_name}}: HTTP {{status}}",
-          "range": true,
-          "refId": "A",
-          "useBackend": false
-        }
-      ],
-      "title": "Response codes",
-      "type": "timeseries"
-    }
-  ],
-  "preload": false,
-  "refresh": "30s",
-  "schemaVersion": 41,
-  "tags": [],
-  "templating": {
-    "list": [
-      {
-        "current": {
-          "text": "All",
-          "value": [
-            "$__all"
-          ]
-        },
-        "definition": "label_values(nginxlog_http_response_count_total,server_name)",
-        "includeAll": true,
-        "label": "vHost",
-        "multi": true,
-        "name": "server_name",
-        "options": [],
-        "query": {
-          "qryType": 1,
-          "query": "label_values(nginxlog_http_response_count_total,server_name)",
-          "refId": "PrometheusVariableQueryEditor-VariableQuery"
-        },
-        "refresh": 1,
-        "regex": "",
-        "type": "query"
-      }
-    ]
-  },
-  "time": {
-    "from": "now-3h",
-    "to": "now"
-  },
-  "timepicker": {},
-  "timezone": "browser",
-  "title": "Nginx Exporter",
-  "uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
-  "version": 7
-}
--- a/hosts/monitoring-3/dashboards/nixos-status.json
+++ b/hosts/monitoring-3/dashboards/nixos-status.json
@@ -1,135 +0,0 @@
-{
-  "annotations": {
-    "list": [
-      {
-        "builtIn": 1,
-        "datasource": {
-          "type": "grafana",
-          "uid": "-- Grafana --"
-        },
-        "enable": true,
-        "hide": true,
-        "iconColor": "rgba(0, 211, 255, 1)",
-        "name": "Annotations & Alerts",
-        "target": {
-          "limit": 100,
-          "matchAny": false,
-          "tags": [],
-          "type": "dashboard"
-        },
-        "type": "dashboard"
-      }
-    ]
-  },
-  "editable": true,
-  "fiscalYearStartMonth": 0,
-  "graphTooltip": 0,
-  "id": 15,
-  "links": [],
-  "panels": [
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "continuous-RdYlGr"
-          },
-          "custom": {
-            "axisPlacement": "auto",
-            "fillOpacity": 70,
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineWidth": 0,
-            "spanNulls": false
-          },
-          "mappings": [
-            {
-              "options": {
-                "0": {
-                  "index": 1,
-                  "text": "mismatch"
-                },
-                "1": {
-                  "index": 0,
-                  "text": "sync"
-                }
-              },
-              "type": "value"
-            }
-          ],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "red"
-              }
-            ]
-          }
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 23,
-        "w": 24,
-        "x": 0,
-        "y": 0
-      },
-      "id": 2,
-      "options": {
-        "alignValue": "left",
-        "legend": {
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "mergeValues": true,
-        "rowHeight": 0.9,
-        "showValue": "auto",
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "PBFA97CFB590B2093"
-          },
-          "editorMode": "builder",
-          "expr": "nixos_current_system_is_sync",
-          "legendFormat": "{{instance}}",
-          "range": true,
-          "refId": "A"
-        }
-      ],
-      "title": "Config is Sync",
-      "type": "state-timeline"
-    }
-  ],
-  "preload": false,
-  "refresh": "5m",
-  "schemaVersion": 41,
-  "tags": [],
-  "templating": {
-    "list": []
-  },
-  "time": {
-    "from": "now-7d",
-    "to": "now"
-  },
-  "timepicker": {},
-  "timezone": "",
-  "title": "NixOS Status",
-  "uid": "W4j3nz1Vz",
-  "version": 3
-}
--- a/hosts/monitoring-3/dashboards/smokeping.json
+++ b/hosts/monitoring-3/dashboards/smokeping.json
@@ -1,211 +0,0 @@
-{
-  "annotations": {
-    "list": [
-      {
-        "builtIn": 1,
-        "datasource": {
-          "type": "datasource",
-          "uid": "grafana"
-        },
-        "enable": true,
-        "hide": true,
-        "iconColor": "rgba(0, 211, 255, 1)",
-        "name": "Annotations & Alerts",
-        "target": {
-          "limit": 100,
-          "matchAny": false,
-          "tags": [],
-          "type": "dashboard"
-        },
-        "type": "dashboard"
-      }
-    ]
-  },
-  "editable": true,
-  "fiscalYearStartMonth": 0,
-  "graphTooltip": 0,
-  "id": 11,
-  "links": [],
-  "panels": [
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisBorderShow": false,
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "barWidthFactor": 0.6,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green"
-              },
-              {
-                "color": "red",
-                "value": 80
-              }
-            ]
-          },
-          "unit": "s"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 22,
-        "w": 24,
-        "x": 0,
-        "y": 0
-      },
-      "id": 2,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "PBFA97CFB590B2093"
-          },
-          "editorMode": "code",
-          "exemplar": true,
-          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
-          "interval": "",
-          "legendFormat": "IPv6 {{target}} ({{instance}})",
-          "range": true,
-          "refId": "A"
-        },
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "PBFA97CFB590B2093"
-          },
-          "editorMode": "code",
-          "exemplar": true,
-          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
-          "hide": false,
-          "interval": "",
-          "legendFormat": "IPv4 {{target}} ({{instance}})",
-          "range": true,
-          "refId": "B"
-        }
-      ],
-      "title": "Smokeping",
-      "type": "timeseries"
-    }
-  ],
-  "preload": false,
-  "refresh": "",
-  "schemaVersion": 41,
-  "tags": [],
-  "templating": {
-    "list": [
-      {
-        "current": {
-          "text": "All",
-          "value": "$__all"
-        },
-        "datasource": {
-          "type": "prometheus",
-          "uid": "PBFA97CFB590B2093"
-        },
-        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
-        "includeAll": true,
-        "label": "Target:",
-        "multi": true,
-        "name": "target",
-        "options": [],
-        "query": {
-          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
-          "refId": "StandardVariableQuery"
-        },
-        "refresh": 1,
-        "regex": "",
-        "type": "query"
-      },
-      {
-        "current": {
-          "text": [
-            "All"
-          ],
-          "value": [
-            "$__all"
-          ]
-        },
-        "datasource": {
-          "type": "prometheus",
-          "uid": "PBFA97CFB590B2093"
-        },
-        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
-        "includeAll": true,
-        "label": "Instance:",
-        "multi": true,
-        "name": "instance",
-        "options": [],
-        "query": {
-          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
-          "refId": "StandardVariableQuery"
-        },
-        "refresh": 1,
-        "regex": "",
-        "type": "query"
-      }
-    ]
-  },
-  "time": {
-    "from": "now-30m",
-    "to": "now"
-  },
-  "timepicker": {},
-  "timezone": "",
-  "title": "Smokeping",
-  "uid": "IytTVZL7z",
-  "version": 9
-}
--- a/hosts/monitoring-3/prometheus.nix
+++ b/hosts/monitoring-3/prometheus.nix
@@ -52,12 +52,6 @@ let
    attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
    monitoringHosts);

-  nginxlogMonitoringTargets = mapAttrsToList (name: host:
-    "${host.config.networking.hostName}.mon.clerie.de:9117")
-    (filterAttrs (name: host:
-    attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
-    monitoringHosts);
-
  eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));

 in {
@@ -110,21 +104,6 @@ in {
          relabelAddressToInstance
        ];
      }
-      {
-        job_name = "alertmanager";
-        scrape_interval = "20s";
-        scheme = "http";
-        static_configs = [
-          {
-            targets = [
-              "monitoring-3.mon.clerie.de:9093"
-            ];
-          }
-        ];
-        relabel_configs = [
-          relabelAddressToInstance
-        ];
-      }
      {
        job_name = "node-exporter";
        scrape_interval = "20s";
@@ -162,7 +141,10 @@ in {
        };
        static_configs = [
          {
-            targets = map (target: "${target};infra") config.profiles.clerie.monitoring-server.probeTargets.node-exporter-uberspace;
+            targets = [
+              "clerie.uber.space;infra"
+              "cleriewi.uber.space;infra"
+            ];
          }
        ];
        relabel_configs = [
@@ -218,7 +200,7 @@ in {
          relabelAddressToInstance
          {
            target_label = "__address__";
-            replacement = "monitoring-3.mon.clerie.de:9153";
+            replacement = "[::1]:9153";
          }
        ];
      }
@@ -243,7 +225,17 @@ in {
        };
        static_configs = [
          {
-            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp6;
+            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [
+              "clerie.de"
+              "tagesschau.de"
+              "google.com"
+              "achtbaan.nikhef.nl"
+              "fluorine.net.clerie.de"
+              "www.fem.tu-ilmenau.de"
+              "www.heise.de"
+              "dyon.net.entr0py.de"
+              "matrix.fachschaften.org"
+            ];
          }
        ];
        relabel_configs = [
@@ -275,7 +267,18 @@ in {
        };
        static_configs = [
          {
-            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp4;
+            targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [
+              "clerie.de"
+              "tagesschau.de"
+              "google.com"
+              "achtbaan.nikhef.nl"
+              "www.fem.tu-ilmenau.de"
+              "www.heise.de"
+              "matrix.bau-ha.us"
+              "dyon.net.entr0py.de"
+              "matrix.entr0py.de"
+              "matrix.fachschaften.org"
+            ];
          }
        ];
        relabel_configs = [
@@ -307,7 +310,10 @@ in {
        };
        static_configs = [
          {
-            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-synapse;
+            targets = [
+              "matrix.entr0py.de"
+              "matrix.fachschaften.org"
+            ];
          }
        ];
        relabel_configs = [
@@ -387,122 +393,6 @@ in {
          relabelAddressToInstance
        ];
      }
-      {
-        job_name = "blackbox_local_http6";
-        scrape_interval = "100s";
-        metrics_path = "/probe";
-        params = {
-          module = [ "http6" ];
-        };
-        static_configs = [
-          {
-            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
-          }
-        ];
-        relabel_configs = [
-          {
-            source_labels = [ "__address__" ];
-            target_label = "__param_target";
-            replacement = "http://\${1}";
-          }
-          {
-            source_labels = [ "__address__" ];
-            target_label = "target";
-          }
-          {
-            target_label = "__address__";
-            replacement = "monitoring-3.mon.clerie.de:9115";
-          }
-          relabelAddressToInstance
-        ];
-      }
-      {
-        job_name = "blackbox_local_http4";
-        scrape_interval = "100s";
-        metrics_path = "/probe";
-        params = {
-          module = [ "http4" ];
-        };
-        static_configs = [
-          {
-            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
-          }
-        ];
-        relabel_configs = [
-          {
-            source_labels = [ "__address__" ];
-            target_label = "__param_target";
-            replacement = "http://\${1}";
-          }
-          {
-            source_labels = [ "__address__" ];
-            target_label = "target";
-          }
-          {
-            target_label = "__address__";
-            replacement = "monitoring-3.mon.clerie.de:9115";
-          }
-          relabelAddressToInstance
-        ];
-      }
-      {
-        job_name = "blackbox_local_https6";
-        scrape_interval = "100s";
-        metrics_path = "/probe";
-        params = {
-          module = [ "https6" ];
-        };
-        static_configs = [
-          {
-            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
-          }
-        ];
-        relabel_configs = [
-          {
-            source_labels = [ "__address__" ];
-            target_label = "__param_target";
-            replacement = "https://\${1}";
-          }
-          {
-            source_labels = [ "__address__" ];
-            target_label = "target";
-          }
-          {
-            target_label = "__address__";
-            replacement = "monitoring-3.mon.clerie.de:9115";
-          }
-          relabelAddressToInstance
-        ];
-      }
-      {
-        job_name = "blackbox_local_https4";
-        scrape_interval = "100s";
-        metrics_path = "/probe";
-        params = {
-          module = [ "https4" ];
-        };
-        static_configs = [
-          {
-            targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
-          }
-        ];
-        relabel_configs = [
-          {
-            source_labels = [ "__address__" ];
-            target_label = "__param_target";
-            replacement = "https://\${1}";
-          }
-          {
-            source_labels = [ "__address__" ];
-            target_label = "target";
-          }
-          {
-            target_label = "__address__";
-            replacement = "monitoring-3.mon.clerie.de:9115";
-          }
-          relabelAddressToInstance
-        ];
-      }
      {
        job_name = "hydra";
        scrape_interval = "20s";
@@ -529,37 +419,12 @@ in {
          relabelAddressToInstance
        ];
      }
-      {
-        job_name = "clerie_keys";
-        scrape_interval = "5m";
-        scheme = "https";
-        metrics_path = "/gpg/clerie@clerie.de.metrics.txt";
-        static_configs = [
-          {
-            targets = [
-              "clerie.de"
-            ];
-          }
-        ];
-      }
-      {
-        job_name = "nginxlog-exporter";
-        scrape_interval = "20s";
-        static_configs = [
-          {
-            targets = nginxlogMonitoringTargets;
-          }
-        ];
-        relabel_configs = [
-          relabelAddressToInstance
-        ];
-      }
    ];
    alertmanagers = [
      {
        static_configs = [ {
          targets = [
-            "monitoring-3.mon.clerie.de:9093"
+            "[::1]:9093"
          ];
        } ];
      }
--- a/hosts/monitoring-3/rules.yml
+++ b/hosts/monitoring-3/rules.yml
@@ -18,7 +18,7 @@ groups:
      summary: "Current system of {{ $labels.instance }} not in sync with config"
      description: "The current system hash of {{ $labels.instance }} does not match the one generated by hydra based on the current config"
  - alert: StorageFull
-    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 5
+    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 5
    for: 30m
    labels:
      severity: critical
@@ -26,7 +26,7 @@ groups:
      summary: "Storage of {{ $labels.instance }} is full"
      description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is full"
  - alert: StorageAlmostFull
-    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 10
+    expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 10
    for: 30m
    labels:
      severity: warning
@@ -73,40 +73,3 @@ groups:
    annotations:
      summary: "Synapse of {{ $labels.target }} unavailable"
      description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage"
-  - alert: ClerieKeysExpire
-    expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 1209600
-    labels:
-      severity: critical
-    annotations:
-      summary: "GPG {{ $labels.fingerprint }} is expiring"
-      description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then two weeks"
-  - alert: ClerieKeysAlmostExpire
-    expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 3628800
-    labels:
-      severity: warning
-    annotations:
-      summary: "GPG {{ $labels.fingerprint }} is expiring soon"
-      description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
-  - alert: NadjaTopIPv4ProxyBroken
-    expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
-    for: 15m
-    labels:
-      severity: critical
-    annotations:
-      summary: "blog.nadja.top unreachable via IPv4"
-      description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
-  - alert: AlertmanagerNotificationRequestsFailed
-    expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
-    labels:
-      severity: critical
-    annotations:
-      summary: "Too many notification requests failed"
-      description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
-  - alert: FemSocialDown
-    expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
-    for: 5m
-    labels:
-      severity: critical
-    annotations:
-      summary: "fem.social unavailable via HTTP"
-      description: "fem.social is not fully reachable via HTTP"
--- a/hosts/monitoring-3/targets.nix
+++ b/hosts/monitoring-3/targets.nix
@@ -1,7 +0,0 @@
-{ ... }:
-
-{
-
-  profiles.clerie.monitoring-server.targets = builtins.fromJSON (builtins.readFile ../../monitoring/targets.json);
-
-}
--- a/hosts/nonat/configuration.nix
+++ b/hosts/nonat/configuration.nix
@@ -4,33 +4,28 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm
+      ../../configuration/router
    ];

-  profiles.clerie.mercury-vm.enable = true;
-  profiles.clerie.router.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "2001:638:904:ffca::6/64"
-      "141.24.46.169/24"
-    ];
-    routes = [
-      { Gateway = "141.24.46.1"; }
-      { Gateway = "2001:638:904:ffca::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens19";
-    address = [
-      "192.168.10.1/24"
-    ];
-    linkConfig.RequiredForOnline = "no";
-  };
+  networking.useDHCP = false;
+  # Network
+  networking.interfaces.ens18.ipv4.addresses = [
+    { address = "141.24.46.169"; prefixLength = 24; }
+  ];
+  networking.interfaces.ens18.ipv6.addresses = [
+    { address = "2001:638:904:ffca::6"; prefixLength = 64; }
+  ];
+  networking.defaultGateway = { address = "141.24.46.1"; interface = "ens18"; };
+  networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
+
+  networking.interfaces.ens19.ipv4.addresses = [
+    { address = "192.168.10.1"; prefixLength = 24; }
+  ];

  networking.nat = {
    enableIPv6 = true;
@@ -41,7 +36,8 @@

  networking.firewall.allowedUDPPorts = [];

-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
    autoUpgrade = true;
  };

--- a/hosts/osmium/configuration.nix
+++ b/hosts/osmium/configuration.nix
@@ -4,13 +4,12 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/proxmox-vm

      ./nixfiles-updated-inputs.nix
      ./polkit-test.nix
    ];

-  profiles.clerie.mercury-vm.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

@@ -20,28 +19,12 @@
    "aarch64-linux"
  ];

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens19";
-    address = [
-      "2001:638:904:ffc7::6/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffc7::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "192.168.10.29/24"
-    ];
-    routes = [
-      { Gateway = "192.168.10.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.29"; prefixLength = 24; } ];
+  networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffc7::6"; prefixLength = 64; } ];
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
+  networking.defaultGateway6 = { address = "2001:638:904:ffc7::1"; interface = "ens19"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  environment.systemPackages = with pkgs; [
    git
--- a/hosts/palladium/configuration.nix
+++ b/hosts/palladium/configuration.nix
@@ -4,9 +4,6 @@
  imports =
    [
      ./hardware-configuration.nix
-
-      ./restic-server.nix
-      ./wg-b-palladium.nix
    ];

  boot.kernelParams = [ "console=ttyS0,115200n8" ];
@@ -33,33 +30,19 @@

  boot.swraid.enable = true;

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "enp3s0";
-    address = [
-      "fd00:152:152:4::11/64"
-    ];
-    networkConfig.DHCP = true;
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  networking.interfaces.enp3s0.ipv6.addresses = [
+    { address = "fd00:152:152:4::11"; prefixLength = 64; }
+    { address = "2001:4cd8:100:1337::11"; prefixLength = 64; }
+  ];
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp3s0"; };
+  networking.nameservers = [ "fd00:152:152::1" ];

  # Keeping the harddrives quiet
  services.udev.extraRules = ''
    KERNEL=="sd?[0-9]", ENV{ID_MODEL}=="ST1000DM003-1SB102", ACTION=="add", RUN+="${pkgs.hdparm}/sbin/hdparm -S 24 /dev/%k"
  '';

-  profiles.clerie.wg-clerie = {
-    enable = true;
-    ipv6s = [ "2a01:4f8:c0c:15f1::8103/128" ];
-    ipv4s = [ "10.20.30.103/32" ];
-  };
-
-  clerie.monitoring = {
-    enable = true;
-    id = "206";
-    pubkey = "2Q8mO4Y09Oi9CCfUUvWpZ8yIQezwtE94tz6ZbA0EDwE=";
-  };
-
  system.stateVersion = "25.05";

 }
--- a/hosts/palladium/restic-server.nix
+++ b/hosts/palladium/restic-server.nix
@@ -1,20 +0,0 @@
-{ ... }:
-
-{
-  services.restic.server = {
-    enable = true;
-    privateRepos = true;
-    dataDir = "/data/backup";
-    listenAddress = "[::]:43242";
-  };
-
-  # restic rest server does not support --htpasswd-file in the current version of nixpkgs
-  # until then we copy the secrets to the common location
-  sops.secrets.restic-server-backup-htpasswd = {
-    path = "/data/backup/.htpasswd";
-    owner = "restic";
-    group = "restic";
-  };
-
-  networking.firewall.interfaces.wg-b-palladium.allowedTCPPorts = [ 43242 ];
-}
--- a/hosts/palladium/secrets.json
+++ b/hosts/palladium/secrets.json
@@ -1,29 +0,0 @@
-{
-	"restic-server-backup-htpasswd": "ENC[AES256_GCM,data:ouHDwNJ3UQID54qq+6tEc9Zmpa/i5jDMvzIw5baBV4oGy27JI+f40A6tqmQlbRRsX68XhMhfRcpczfTDmf2tFV7TcWB4yA==,iv:PkjCOHFQxbBvYdmOhARJUNUUsAbJiEDnLDM1UWZhHXA=,tag:3cGdkx0xNdtse9hHPa9mUQ==,type:str]",
-	"wg-b-palladium": "ENC[AES256_GCM,data:VBDyrDYwICbiND8jfkiIr/3oDtP1X9817WhonFYXNSTPZHziEY7U886/DFc=,iv:syqo77FROChv4WKgiGWCUa2ziH2Ds14CT5vVRxGmEvQ=,tag:X2G3JUrabXYmsKPBltOafw==,type:str]",
-	"wg-clerie": "ENC[AES256_GCM,data:fLGZCRbnDrSWQ+9Q/7l3DUKOgw7blcHpd8svHMZFEKMoTfGeZCc37oKAOKU=,iv:GlPXkeVnzSzAnpdSGIydZP+hhEshJ3X/N1fhwJk5Ol4=,tag:0E9RhBPha0Gun6KUNtvYUg==,type:str]",
-	"wg-monitoring": "ENC[AES256_GCM,data:3RHk/VI8t9ba/qiWqLkwIxaOt+e0yXw7+f1qpIVdr3JE2NzkVvX6aeP3o2Q=,iv:f4VIK1oyaUilCia1EfEiL18a3zk4+7Ol4ihyhzPounw=,tag:XeTI3iL4qIPS+Z+PDJRGrA==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1s3f9hxcd89dk3st2r5funjw7cjcq85nuz4gq8w0aplky9v2wqy7qwukagx",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY3p1Mi85WTNxK2U5bFVP\ncmlFRXNlK2dWMUt1eW1abzIrb0liR043VHpnClIvaHZ1VWxRSFR3ajc0MmJyMFAw\nSWdVclB2OGJqUjNXTmI4MktXVTVQbncKLS0tIFpJTTZJRmJGeE1xNFFScE81R29J\nR3MzOGY1cVhmalNEaHdyWjkyaHVRTDAKXyz/+WdHsC2AppYNf3/W1xx2Zcfg4p50\nCAamBntNMUK8zYLdhoSBT54qVYJJuYZ6eD6WOIZrdCK4HKGy0d13uw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-18T08:56:54Z",
-		"mac": "ENC[AES256_GCM,data:QEEcjNqO+tXpl/4TWx+r8WT+ZsdoBw/CBiz6XpG8rsIl0prBWtQ8YW/DeYAxLPMOlb55HuDsneLEpR2DsBB1x6b0lSyjES/hgMRkweKczFLRxrhHh3qXff/wK9sDaEPLvEzvH99x63+1dAZh7z8CVESDTt8QLKK1qCxOf36QNdc=,iv:NbYc0qz0AUGKWpwKg/1QCuTnZ1+m+e6tQxWAuDogVrw=,tag:JEPtLP7V3N+Lx/quMGq/AQ==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2025-04-15T17:32:56Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//aQe91iy/RiR2PJqXhrZVyovraUmm4ivCjPSoookMCHhY\n5HGNdyzttnBjzHNqT8OFo43nu1VPlOYllgQXNbwEj7rSQN5CZQTx35Fhkc2q9q1N\ns3uI+o/RfCLiZMvr5S80lFvmw25hpopGoF0i3sHrORbh5ennzGV2Dsn2RfcQx5Ji\n11kO4QBDNs37cqZEBP4N4R5xEWFMrWPqxVrRuGZkzxR0MPLy+zCSjic0OIXWxi5G\nSTO3rPGn06s3gbMmFgAPVBMR/nyT2kPDwQFbvv7SWNqnyZ1z5S5C7eSpcEa+49IZ\ngHo3hRa0O30bvgc+yhQ9TxhyFmlgk+HWRsc7p1c7B+HK+mwxxnoixfHQLpWEwiQz\nfT32rTG/v4MqNokiyMCvUqffGwBy57YQ0Koggm8kv3GYPbCSXFuGgdxBCUufaIkj\n5n6WmMfjESOEq0+wRw1FZPp6hl1vtCpldlYqm7raOWyzncULvPKbD8AHj7g0QgP/\ndmcVV2ca1V3vklb+FsuiUOJDkGnvue+uUjQ2f/t4JqLYy1dHlfPSX3X+WEJ4U/Nw\nZtpPb7XdgbWLbcDUTpEUGMhlnrLhdjt9w8iDKjZ+kN95fFfR9J4jTyUANIHd0sW1\nuLGphdWX62nmldEIJeselBaVhwiv5qQduNCdDssgZaMlmmdvZUHiABYh8rqKByOF\nAgwDvZ9WSAhwutIBD/4kxHpGFsX6wsP5dfJHGbh6dakqXjidwgkfbgq9eWd3nM9B\nYbmUZNz4vjdWGFIg/zitxpV6SRHItPPLkF0HEqecKrwBC41iczkMTXJsCN19zCEG\nGyMFtiTgYrkLZiN3yMViKbv5sOwm+38dQCE3tL6TZl8Rqi2Wm390DQ/dFSJSdJFb\nLZmOEvUkyChFvS+C6aCIsChoPSRnoqpxzrpJLoozS3EKGb5hKa7SN7zuSyNbUJgR\n4DaruQGNbbSKmInsigqJWtlUbJsYxbOxRGojw2waMRHEvWJfIN6NdsFuCBCMqHA7\nsil+siC7BXqef7nD9UcsjVBPyl7UAtvBAvWpfA83vYwtvSCR8tBPZ7EifyOWplfS\ntdJQFDd14ZGs/kO6j9Ck5d49Y6NuPEfa+wjs8vZGBevWGiErf+RlN7yYRLmX9pr1\nR72U0jC5rhA7+X1JZHEx1DdpNfGDj8MUokXf82aTzQPpOJPPUXOnJP9a6oHFW3Uv\nWmfTSjVbw//B9i/KM5XmVNgp3TyNZmszU36d79W23tnNQhSFpLNz4E/yr+vhvoO1\neowV8gi0BYxNGnUeM+QOFxdvoW4pNyTwVGFbqrJ7xY0m2gYiRpjxf1qpAP5pzm4Z\nrc4c+en8/71oI3Pt2D1IOHMA1VoJbemCxQKjXMb45RJxtSMZTX6kUMeWgXFLvIUC\nDAM1GWv08EiACgEP/RRLSlzAyA297eWSKzDehvMeuf3XL6EgwGo3W4VUjFQLy/k7\nzgJyzmClLaWxoUnhJY26ciaUVX5xzlyamzsuOk+S/Ke/UxHctFhT4jiSfpCj7SJU\n5E+fl4Q1vaH9CwolP/TppYRHw2PrBFHw62+/5o5PzOuSnOQ9M1Yen0sEv3aK1FYb\nCH5lDD12eZ8Qn+aTQUc4DfHGYUZckKp/yWSOYA3/O80bIimSYWjq73CclNQMXeXU\nE520z43xKArHcmbSVcJhxH+tkG+BNJ16l5XQaiKK9p9LlkPyouVvSmedXLsKdt4U\njYGywDAWh39UiepzTNc8I26eM4XcbDZjfF2D9EoNttTXWaHQpIyP/DyzJwShpVGF\nj5l1FmiCXvBxUXUJHP+4ONRtnEjMTQB/6IMWQJ5etVku+8eFRAqrn5J9B5w5/qqj\nf+99lXlORQXo9RDSANinCn6l/zORCUmNqgqfjnuVgsFPJFnUycbyzFsPgZXyF83H\nc/bqAYkjqSlMWzNuhOTgHuDJzt/SPhmbJXJmBH/ZKR52lQRlYonon9+hNE6Ti1aP\nBUdxIpMl89Cj8IPyg24cWlRIRGssIR/7e2iim76lH8VY5QT0M3qUye7KOtKOiJv/\n38kIftzORJ4PQwJnSl2TFqjs/mYSHEx0xc3WednF5ZCDicMYTjkePKJRMHuT0l4B\nYc0BSK8isG7x9SUNSxXUrb26d67ABWRmik+K+B9o7HeQRbPQuPV65m+qBxVEueVu\nYTi+79/6X2pmj/54NbN6Lqaj9SPthnhyDUrduulMRQBvxC2n9gVQ/+UnxEMy\n=Sp14\n-----END PGP MESSAGE-----",
-				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
-			}
-		],
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}
--- a/hosts/palladium/wg-b-palladium.nix
+++ b/hosts/palladium/wg-b-palladium.nix
@@ -1,38 +0,0 @@
-{ config, ... }:
-
-{
-
-  sops = {
-    secrets.wg-b-palladium = {
-      owner = "systemd-network";
-      group = "systemd-network";
-    };
-  };
-
-  systemd.network.netdevs."10-wg-b-palladium" = {
-    netdevConfig = {
-      Kind = "wireguard";
-      Name = "wg-b-palladium";
-    };
-    wireguardConfig = {
-      PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
-    };
-    wireguardPeers = [
-      {
-        PublicKey = "VstE42L1SmZCIShH5sOqcpVQOV0Xb9cFgljD0lhvKFQ=";
-        AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
-        PersistentKeepalive = 25;
-        Endpoint = "backup-4.net.clerie.de:51844";
-      }
-    ];
-  };
-
-  systemd.network.networks."10-wg-b-palladium" = {
-    matchConfig.Name = "wg-b-palladium";
-    address = [
-      "fd90:37fd:ddec:d921::2/64"
-    ];
-    linkConfig.RequiredForOnline = "no";
-  };
-
-}
--- a/hosts/porter/configuration.nix
+++ b/hosts/porter/configuration.nix
@@ -4,14 +4,16 @@
  imports =
    [
      ./hardware-configuration.nix
+      ../../configuration/router
    ];

  profiles.clerie.netcup.enable = true;
-  profiles.clerie.router.enable = true;

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";

+  networking.useDHCP = false;
+  systemd.network.enable = true;
  systemd.network.networks."10-wan" = {
    matchConfig.Name = "ens3";
    address = [
@@ -23,32 +25,10 @@
      { Gateway = "5.45.100.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-
-  profiles.clerie.common-webserver.httpDefaultVirtualHost = false;
-
-  services.unbound = {
-    enable = true;
-    resolveLocalQueries = false;
-    settings = {
-      server = {
-        interface = [ "127.0.0.1" ];
-      };
-    };
  };

  clerie.nginx-port-forward = {
    enable = true;
-    resolver = "127.0.0.1";
-    tcpPorts."80" = {
-      host = "baikonur.dyn.weimarnetz.de";
-      port = 80;
-    };
-    tcpPorts."443" = {
-      host = "baikonur.dyn.weimarnetz.de";
-      port = 443;
-    };
    tcpPorts."2022" = {
      host = "nonat.net.clerie.de";
      port = 22;
@@ -58,10 +38,6 @@
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [];

-  services.bijwerken = {
-    autoUpgrade = true;
-  };
-
  clerie.monitoring = {
    enable = true;
    id = "102";
--- a/hosts/storage-2/configuration.nix
+++ b/hosts/storage-2/configuration.nix
@@ -4,40 +4,22 @@
  imports =
    [
      ./hardware-configuration.nix
-      ./em.nix
+      ../../configuration/proxmox-vm
      ./firmware.nix
      ./mixcloud.nix
      ./syncthing.nix
      ./users.nix
    ];

-  profiles.clerie.mercury-vm.enable = true;
-
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "ens18";
-    address = [
-      "2001:638:904:ffc0::4/64"
-    ];
-    routes = [
-      { Gateway = "2001:638:904:ffc0::1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
-  systemd.network.networks."10-nat-netz-mercury" = {
-    matchConfig.Name = "ens19";
-    address = [
-      "192.168.10.35/24"
-    ];
-    routes = [
-      { Gateway = "192.168.10.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-    ipv6AcceptRAConfig.DHCPv6Client = "no";
-  };
+  networking.useDHCP = false;
+  networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.35"; prefixLength = 24; } ];
+  networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc0::4"; prefixLength = 64; } ];
+  networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
+  networking.defaultGateway6 = { address = "2001:638:904:ffc0::1"; interface = "ens18"; };
+  networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];

  services.nginx.enable = true;

@@ -52,7 +34,8 @@
    };
  };

-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
    autoUpgrade = true;
  };

--- a/hosts/storage-2/em.nix
+++ b/hosts/storage-2/em.nix
@@ -1,17 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-  users.users.data-em = {
-    group = "data-em";
-    home = "/data/em";
-    useDefaultShell = true;
-    isSystemUser = true;
-  };
-  users.groups.data-em = {};
-
-  systemd.tmpfiles.rules = [
-    "d /data/em - data-em data-em - -"
-  ];
-}
--- a/hosts/storage-2/users.nix
+++ b/hosts/storage-2/users.nix
@@ -2,5 +2,4 @@

 {
  users.users.clerie.extraGroups = [ "data-firmware" ];
-  users.users.frank.extraGroups = [ "data-em" ];
 }
--- a/hosts/tungsten/configuration.nix
+++ b/hosts/tungsten/configuration.nix
@@ -6,8 +6,6 @@
      ./hardware-configuration.nix
    ];

-  profiles.clerie.network-fallback-dhcp.enable = true;
-
  boot.kernelParams = [ "console=ttyS0,115200n8" ];

  boot.loader.grub.enable = true;
@@ -18,9 +16,10 @@
    terminal_output serial
  ";

+
  networking.hostName = "tungsten";

-  profiles.clerie.wg-clerie = {
+  services.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8112/128" ];
    ipv4s = [ "10.20.30.112/32" ];
--- a/hosts/web-2/blocked-prefixes.txt
+++ b/hosts/web-2/blocked-prefixes.txt
@@ -1,195 +0,0 @@
-ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
-iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse
--- a/hosts/web-2/clerie.nix
+++ b/hosts/web-2/clerie.nix
@@ -27,13 +27,18 @@
        root = pkgs.clerie-keys;
      };
      locations."= /ssh/known_hosts" = {
-        alias = pkgs.clerie-ssh-known-hosts + "/known_hosts";
+        alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
        extraConfig = ''
          types { }
          default_type "text/plain; charset=utf-8";
        '';
      };
      locations."/gpg" = {
+        extraConfig = ''
+          types {
+            text/plain asc;
+          }
+        '';
        root = pkgs.clerie-keys;
      };
      locations."~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = {
@@ -53,6 +58,9 @@
        '';
        return = "200 ''";
      };
+      extraConfig = ''
+        access_log /var/log/nginx/clerie.de.log combined_anon;
+      '';
    };
  };
 }
--- a/hosts/web-2/configuration.nix
+++ b/hosts/web-2/configuration.nix
@@ -24,7 +24,6 @@
      ./public.nix
      ./radicale.nix
      ./reichartstrasse.nix
-      ./traveldrafter.nix
      ./uptimestatus.nix
      ./wetter.nix
    ];
@@ -34,6 +33,9 @@
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";

+  networking.useDHCP = false;
+  systemd.network.enable = true;
+
  systemd.network.networks."10-wan" = {
    address = [
      "2a01:4f8:c0c:c580::1/64"
@@ -52,8 +54,6 @@

  networking.firewall.allowedTCPPorts = [ 80 443 ];

-  networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;
-
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
--- a/hosts/web-2/gitea.nix
+++ b/hosts/web-2/gitea.nix
@@ -83,6 +83,9 @@
          proxyPass = "http://[::1]:3000";
        };
      };
+      extraConfig = ''
+        access_log /var/log/nginx/git.clerie.de.log combined_anon;
+      '';
    };
  };
 }
--- a/hosts/web-2/ip.nix
+++ b/hosts/web-2/ip.nix
@@ -53,6 +53,9 @@
          types { } default_type "text/html; charset=utf-8";
        '';
      };
+      extraConfig = ''
+        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
+      '';
    };
    "ip4.clerie.de" = {
      enableACME = true;
@@ -64,6 +67,9 @@
          add_header Access-Control-Allow-Origin *;
        '';
      };
+      extraConfig = ''
+        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
+      '';
    };
    "ip6.clerie.de" = {
      enableACME = true;
@@ -75,6 +81,9 @@
          add_header Access-Control-Allow-Origin *;
        '';
      };
+      extraConfig = ''
+        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
+      '';
    };
  };
 }
--- a/hosts/web-2/legal.nix
+++ b/hosts/web-2/legal.nix
@@ -7,8 +7,8 @@
      forceSSL = true;
      root = pkgs.fetchgit {
        url = "https://git.clerie.de/clerie/legal.clerie.de.git";
-        rev = "b271b9729f4545c340ce9d16ecbca136031da409";
-        sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
+        rev = "c6900226e3107a2e370a32759d83db472ab5450d";
+        sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU=";
      };
      locations."/impressum" = {
        return = ''301 https://legal.clerie.de/#impressum'';
--- a/hosts/web-2/secrets.json
+++ b/hosts/web-2/secrets.json
@@ -4,16 +4,19 @@
 	"clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]",
 	"radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]",
-	"traveldrafter-htpasswd": "ENC[AES256_GCM,data:f29vVDofv2mJEyn/pMKWW8ZbVTKSofe1EEtcfuCaokdqAyxemcq/2hrXFw8cAGTV2hwVqlM2hzJcT32KBjO/wgUNfv4=,iv:5PdQ+bn/bXmfQstP5A/dLeDk7O0qTjoRTyr4D+AgiG0=,tag:gCBrSJ4cEnZHqePiUpPglA==,type:str]",
 	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-07-06T16:08:39Z",
-		"mac": "ENC[AES256_GCM,data:6EbMSJAKOMgXtlwaVtsmPgrZVgraReAfVJWjZvhe965eLhhP5aeyZqPlA6a93h2FsShVFYWFPI57tdHy9Ymo53oXolSt8Docr2w2FL4BTWHHhkXal9+6aJZAZ+XOPEOUYurFxPOX44l+LDkecSz0NMCgrScWtpphjlkj3yP5GTo=,iv:5w8RC9IAuyEuO0QSZ0FBwW2/qqV56HNG7hZIkEeGEYU=,tag:Zosv1OSMtznnKkSYStu+oA==,type:str]",
+		"lastmodified": "2024-05-10T13:32:34Z",
+		"mac": "ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:29:58Z",
@@ -24,4 +27,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}
--- a/hosts/web-2/traveldrafter.nix
+++ b/hosts/web-2/traveldrafter.nix
@@ -1,40 +0,0 @@
-{ pkgs, lib, config, ... }: {
-  services.update-from-hydra.paths.traveldrafter = {
-    enable = true;
-    hydraUrl = "https://hydra.clerie.de";
-    hydraProject = "clerie";
-    hydraJobset = "traveldrafter";
-    hydraJob = "packages.x86_64-linux.traveldrafter";
-    nixStoreUri = "https://nix-cache.clerie.de";
-    resultPath = "/srv/traveldrafter";
-  };
-
-  sops.secrets.traveldrafter-htpasswd = {
-    owner = "nginx";
-    group = "nginx";
-  };
-
-  services.nginx.virtualHosts = {
-    "traveldrafter.clerie.de" = {
-      enableACME = true;
-      forceSSL = true;
-      root = "/srv/traveldrafter/lib/node_modules/traveldrafter/web/";
-      basicAuthFile = config.sops.secrets.traveldrafter-htpasswd.path;
-      locations."/api" = {
-        proxyPass = "http://[::1]:3001";
-      };
-    };
-  };
-
-  systemd.services."traveldrafter" = {
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      RuntimeDirectory = "traveldrafter";
-      DynamicUser = true;
-    };
-    environment = {
-      HTTP_PORT = "3001";
-    };
-    script = lib.getExe pkgs.traveldrafter;
-  };
-}
--- a/hosts/zinc/configuration.nix
+++ b/hosts/zinc/configuration.nix
@@ -5,12 +5,12 @@
    [
      ./hardware-configuration.nix

+      ../../configuration/desktop
+
      ./initrd.nix
      ./programs.nix
    ];

-  profiles.clerie.desktop.enable = true;
-
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
@@ -25,7 +25,7 @@

  boot.initrd.systemd.enable = false;

-  profiles.clerie.wg-clerie = {
+  services.wg-clerie = {
    enable = true;
    ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];
    ipv4s = [ "10.20.30.109/32" ];
--- a/hosts/zinc/programs.nix
+++ b/hosts/zinc/programs.nix
@@ -2,9 +2,9 @@

 {

-  profiles.clerie.firefox.enable = true;
-
  users.users.clerie.packages = with pkgs; [
+    firefox
+
    blender
    #cura # libarcus library is currently broken, required for curaengine

--- a/lib/default.nix
+++ b/lib/default.nix
@@ -8,8 +8,6 @@ let

  lib = {
    clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix;
-    mkNixpkgs = callLibs ./mkNixpkgs.nix;
-    nixosSystem = callLibs ./nixosSystem.nix;
  };

 in
--- a/lib/link-local-wireguard.nix
+++ b/lib/link-local-wireguard.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+rec {
+  llIPv6 = localIP: peerIP: interface: {
+    ips = [
+      "${localIP}/128"
+    ];
+    postSetup = ''
+    ip -6 route flush dev ${interface}
+    ip addr del dev ${interface} ${localIP}/128 && ip addr add dev ${interface} ${localIP}/128 peer ${peerIP}/128
+    '';
+  };
+  llIPv4 = localIP: peerIP: interface: {
+    ips = [
+      "${localIP}/32"
+    ];
+    postSetup = ''
+    ip -4 route flush dev ${interface}
+    ip addr del dev ${interface} ${localIP}/32 && ip addr add dev ${interface} ${localIP}/32 peer ${peerIP}/32
+    '';
+  };
+}
--- a/lib/mkNixpkgs.nix
+++ b/lib/mkNixpkgs.nix
@@ -1,27 +0,0 @@
-{
-  inputs,
-  self,
-  ...
-}:
-
-/*
-
-  Loads a version of nixpkgs with nixfiles overlays loaded
-
-*/
-{
-  system,
-  nixpkgs ? inputs.nixpkgs,
-  overlays ? [],
-  ...
-}@args:
-
-import nixpkgs {
-  inherit system;
-  overlays = [
-    self.overlays.clerie-inputs
-    self.overlays.clerie-pkgs
-    self.overlays.clerie-build-support
-    self.overlays.clerie-overrides
-  ] ++ overlays;
-}
--- a/lib/nixosSystem.nix
+++ b/lib/nixosSystem.nix
@@ -1,42 +0,0 @@
-{
-  inputs,
-  self,
-  ...
-}:
-
-/*
-
-  nixfiles.lib.nixosSystem, like nixpkgs.lib.nixosSystem but
-  with nixfiles overlays and modules already populated
-
-*/
-{
-  system ? null,
-  nixpkgs ? inputs.nixpkgs,
-  pkgs ? null,
-  modules ? [],
-  ...
-}@args:
-
-nixpkgs.lib.nixosSystem ({
-  system = system;
-  pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs {
-    inherit system nixpkgs;
-  });
-  modules = [
-    self.nixosModules.nixfilesInputs
-    self.nixosModules.clerie
-    self.nixosModules.profiles
-    ({ config, lib, ... }: {
-      /*
-        Make the contents of the flake availiable to modules.
-        Useful for having the monitoring server scraping the
-        target config from all other servers automatically.
-      */
-      _module.args = {
-        inputs = inputs;
-        _nixfiles = self;
-      };
-    })
-  ] ++ modules;
-} // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )
--- a/pkgs/clerie-ssh-known-hosts/default.nix
+++ b/pkgs/clerie-ssh-known-hosts/default.nix
@@ -1,22 +1,13 @@
-{
-  writeTextFile,
-}:
-
 let
  stripR = str: if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str;
-  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../../hosts));
+  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../hosts));
  sshkeyList = map (hostname: {
    name = hostname;
-    sshPubkey = stripR (builtins.readFile (../../hosts + "/${hostname}/ssh.pub"));
+    sshPubkey = stripR (builtins.readFile (../hosts + "/${hostname}/ssh.pub"));
  }) hostsWithSshPubkey;
  knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: ''
    ${name} ${sshPubkey}
    ${name}.net.clerie.de ${sshPubkey}
  '') sshkeyList);
-in writeTextFile {
-  name = "clerie-ssh-known-hosts";
-  destination = "/known_hosts";
-  allowSubstitutes = true;
-  preferLocalBuild = false;
-  text = knownHosts;
-}
+in
+  knownHosts
--- a/modules/backup/default.nix
+++ b/modules/backup/default.nix
@@ -64,7 +64,7 @@ let
      targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
    in {
      "clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile;
-      "clerie-backup/${jobName}-${targetName}/repo_url".text = "${targetOptions.serverUrl}${repoPath}";
+      "clerie-backup/${jobName}-${targetName}/repo_url".text = "https://${targetOptions.serverName}${repoPath}";
      "clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername;
      "clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
      "clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths;
@@ -82,7 +82,7 @@ let
        type = with types; nullOr str;
        default = null;
      };
-      serverUrl = mkOption {
+      serverName = mkOption {
        type = types.str;
      };
    };
--- a/modules/clerie-system-upgrade/default.nix
+++ b/modules/clerie-system-upgrade/default.nix
@@ -3,13 +3,18 @@
 with lib;

 let
-  cfg = config.services.bijwerken;
+  cfg = config.clerie.system-auto-upgrade;
 in

 {
  options = {
-    services.bijwerken = {
-      enable = mkEnableOption "Automatic system upgrades";
+    clerie.system-auto-upgrade = {
+      enable = mkEnableOption "clerie system upgrade";
+      allowReboot = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Monitor NixOS";
+      };
      autoUpgrade = mkOption {
        type = types.bool;
        default = false;
@@ -20,15 +25,10 @@ in
        default = null;
        description = "Systemd time string for starting the unit";
      };
-      nodeExporterTextfilePath = mkOption {
-        type = with types; nullOr str;
-        default = null;
-        description = "Path to node exporter textfile for putting metrics";
-      };
    };
  };
  config = mkIf cfg.enable {
-    systemd.services.bijwerken-system-upgrade = {
+    systemd.services.clerie-system-auto-upgrade = {
      requires = [ "network-online.target" ];
      after = [ "network-online.target" ];

@@ -38,10 +38,10 @@ in

      serviceConfig = {
        Type = "oneshot";
-        ExecStart = (getExe pkgs.bijwerken-system-upgrade) + " --no-confirm${optionalString (cfg.nodeExporterTextfilePath != null) " --node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}"}";
+        ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
      };
    };
-    systemd.timers.bijwerken-system-upgrade = mkIf cfg.autoUpgrade {
+    systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt;
@@ -51,7 +51,7 @@ in
      after = [ "network-online.target" ];
    };
    environment.systemPackages = with pkgs; [
-      bijwerken-system-upgrade
+      clerie-system-upgrade
    ];
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,9 +5,9 @@
    ./policyrouting
    ./akne
    ./backup
-    ./bijwerken
    ./clerie-firewall
    ./clerie-gc-dir
+    ./clerie-system-upgrade
    ./dhcpcd-prefixdelegation
    ./minecraft-server
    ./monitoring
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -61,6 +61,9 @@ in

    services.prometheus.exporters.node = {
      enable = true;
+      #listenAddress = "${monitoring-network-base}${cfg.id}";
+      openFirewall = true;
+      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
      enabledCollectors = [
       "systemd"
      ];
@@ -75,14 +78,16 @@ in

    systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];

-    services.bijwerken.nodeExporterTextfilePath = "/var/lib/prometheus-node-exporter/textfiles/bijwerken-system-upgrade.prom";
-
    services.prometheus.exporters.bird = mkIf cfg.bird {
      enable = true;
+      openFirewall = true;
+      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
    };

    services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
      enable = true;
+      openFirewall = true;
+      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
      configFile = pkgs.writeText "blackbox.yml" ''
        modules:
          icmp6:
@@ -104,42 +109,8 @@ in
      listen = "[::]:9152";
    };

-    services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
-      enable = true;
-      settings = {
-        namespaces = [
-          {
-            name = "nginxlog";
-            format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
-            source = {
-              files = [
-                "/var/log/nginx/access.log"
-              ];
-            };
-            relabel_configs = [
-              {
-                target_label = "server_name";
-                from = "server_name";
-              }
-            ];
-          }
-        ];
-      };
-    };
-
-    systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
-      SupplementaryGroups = "nginx";
-    };
-
-    networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
-      9100 # node-exporter
-      9152 # nixos-exporter
-    ] ++ (if cfg.bird then [
-      9324 # bird-exporter
-    ] else []) ++ (if cfg.blackbox then [
-      9115 # blackbox-exporter
-    ] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
-      config.services.prometheus.exporters.nginxlog.port
-    ] else []);
+    networking.firewall.extraCommands = ''
+      ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept
+    '';
  };
 }
--- a/modules/nginx-port-forward/default.nix
+++ b/modules/nginx-port-forward/default.nix
@@ -9,8 +9,6 @@ let

  mkServerBlock = isUDP: port: forward: ''
    server {
-      resolver ${cfg.resolver} ipv4=off valid=30s;
-
      listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
      listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};

@@ -20,9 +18,7 @@ let
        ${ optionalString (sslDhparam != null) "ssl_dhparam ${sslDhparam};" }
      '' }

-      set $upstream_server ${forward.host}:${toString forward.port};
-
-      proxy_pass $upstream_server;
+      proxy_pass ${forward.host}:${toString forward.port};
    }
  '';

@@ -54,10 +50,6 @@ in
  options = {
    clerie.nginx-port-forward = {
      enable = mkEnableOption "Nginx Port Forward";
-      resolver = mkOption {
-        type = types.str;
-        description = "IP address of the resolver to use for upstream hostnames";
-      };
      tcpPorts = mkOption {
        type = with types; attrsOf (submodule portOpts);
        default = {};
--- a/monitoring/targets.json
+++ b/monitoring/targets.json
@@ -1,52 +0,0 @@
-{
-  "clerie.de": {
-    "icmp": { "enable": true },
-    "http": { "enable": true }
-  },
-  "wiki.clerie.de": {
-    "http": { "enable": true }
-  },
-  "blog.nadja.top": {
-    "http": { "enable": true }
-  },
-  "fem.social": {
-    "http": { "enable": true }
-  },
-
-  "tagesschau.de": {
-    "icmp": { "enable": true }
-  },
-  "google.com": {
-    "icmp": { "enable": true }
-  },
-  "achtbaan.nikhef.nl": {
-    "icmp": { "enable": true }
-  },
-  "www.fem.tu-ilmenau.de": {
-    "icmp": { "enable": true }
-  },
-  "www.heise.de": {
-    "icmp": { "enable": true }
-  },
-
-  "dyon.net.entr0py.de": {
-    "_comment": "Backend server of matrix.entr0py.de",
-    "icmp": { "enable": true }
-  },
-  "matrix.bau-ha.us": {
-    "synapse": { "enable": true }
-  },
-  "matrix.entr0py.de": {
-    "synapse": { "enable": true }
-  },
-  "matrix.fachschaften.org": {
-    "synapse": { "enable": true }
-  },
-
-  "clerie.uber.space": {
-    "clerie-uberspace": { "enable": true }
-  },
-  "cleriewi.uber.space": {
-    "clerie-uberspace": { "enable": true }
-  }
-}
--- a/pkgs/bijwerken-poke/bijwerken-poke.sh
+++ b/pkgs/bijwerken-poke/bijwerken-poke.sh
@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-
-TARGETS="$(nix --extra-experimental-features "nix-command flakes" eval --raw ".#nixosConfigurations" --apply "nixosConfigurations: builtins.concatStringsSep \"\\n\" (builtins.attrValues (builtins.mapAttrs (name: host: host.config.networking.fqdn) nixosConfigurations))")"
-
-pssh -h <(echo "${TARGETS}") -i -- sudo systemctl start bijwerken-system-upgrade.service --no-block
--- a/Show More
+++ b/Show More