Update from updated-inputs-2025-06-25-01-03

configuration/common/default.nix

@@ -7,6 +7,7 @@
     ./initrd.nix
     ./locale.nix
     ./networking.nix
+    ./nix.nix
     ./programs.nix
     ./ssh.nix
     ./systemd.nix

configuration/common/nix.nix

@@ -0,0 +1,70 @@
+{ lib, pkgs, ... }:
+
+{
+
+  clerie.nixfiles.enable = true;
+
+  clerie.system-auto-upgrade.enable = true;
+
+  nix.settings = {
+    trusted-users = [ "@wheel" "@guests" ];
+    auto-optimise-store = true;
+    # Keep buildtime dependencies
+    keep-outputs = true;
+    # Build local, when caches are broken
+    fallback = true;
+  };
+
+  nix.gc = lib.mkDefault {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+
+  nix.settings = {
+    experimental-features = [
+      "flakes"
+      "nix-command"
+    ];
+    substituters = [
+      "https://nix-cache.clerie.de"
+    ];
+    trusted-public-keys = [
+      "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+    ];
+  };
+
+  # Pin current nixpkgs channel and flake registry to the nixpkgs version
+  # the host got build with
+  nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
+  nix.registry = {
+    "nixpkgs" = lib.mkForce {
+       from = {
+         type = "indirect";
+         id = "nixpkgs";
+       };
+       to = {
+         type = "path";
+         path = lib.cleanSource pkgs.path;
+       };
+       exact = true;
+    };
+    "templates" = {
+       from = {
+         type = "indirect";
+         id = "templates";
+       };
+       to = {
+         type = "git";
+         url = "https://git.clerie.de/clerie/flake-templates.git";
+       };
+    };
+  };
+
+  documentation.doc.enable = false;
+
+  environment.systemPackages = with pkgs; [
+    nix-remove-result-links
+  ];
+}

configuration/common/programs.nix

@@ -6,7 +6,6 @@
     # My system is fucked
     gptfdisk
     parted
-    grow-last-partition-and-filesystem
 
     # Normal usage
     htop

configuration/desktop/audio.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+
+  services.pulseaudio.enable = false;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa = {
+      enable = true;
+      support32Bit = true;
+    };
+    pulse = {
+      enable = true;
+    };
+  };
+
+}

configuration/desktop/default.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+  imports = [
+    ./audio.nix
+    ./firmware.nix
+    ./fonts.nix
+    ./gnome.nix
+    ./inputs.nix
+    ./networking.nix
+    ./polkit.nix
+    ./power.nix
+    ./printing.nix
+    ./ssh.nix
+    ./xserver.nix
+  ];
+
+  security.sudo.wheelNeedsPassword = true;
+}

configuration/desktop/firmware.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+
+  services.fwupd.enable = true;
+
+}

configuration/desktop/fonts.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+
+  fonts.enableDefaultPackages = true;
+  fonts.packages = with pkgs; [
+    roboto
+    roboto-mono
+    noto-fonts
+    noto-fonts-emoji
+    comfortaa
+  ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
+}

configuration/desktop/gnome.nix

@@ -0,0 +1,61 @@
+{ pkgs, ... }:
+
+{
+  services.gnome = {
+    localsearch.enable = false;
+    tinysparql.enable = false;
+  };
+
+  environment.gnome.excludePackages = with pkgs; [
+    baobab
+    epiphany
+    gnome-calendar
+    gnome-clocks
+    gnome-console
+    gnome-contacts
+    gnome-logs
+    gnome-maps
+    gnome-music
+    gnome-tour
+    gnome-photos
+    gnome-weather
+    gnome-connections
+    simple-scan
+    yelp
+    geary
+  ];
+
+  environment.systemPackages = with pkgs; [
+    evolution
+    gnome-terminal
+    gnome-tweaks
+  ];
+
+  services.gnome.evolution-data-server.enable = true;
+
+  programs.dconf.profiles = {
+    user.databases = [
+      {
+        settings = {
+          "org/gnome/desktop/calendar" = {
+            show-weekdate = true;
+          };
+          "org/gnome/desktop/interface" = {
+            enable-hot-corners = false;
+            show-battery-percentage = true;
+          };
+          "org/gnome/desktop/notifications" = {
+            show-in-lock-screen = false;
+          };
+          "org/gnome/desktop/sound" = {
+            event-sounds = false;
+          };
+          "org/gnome/gnome-system-monitor" = {
+            network-in-bits = true;
+            network-total-in-bits = true;
+          };
+        };
+      }
+    ];
+  };
+}

configuration/desktop/inputs.nix

@@ -0,0 +1,43 @@
+{ ... }:
+
+{
+  programs.dconf.profiles = {
+    user.databases = [
+      {
+        settings = {
+          "org/gnome/desktop/peripherals/touchpad" = {
+            disable-while-typing = false;
+            edge-scrolling-enabled = false;
+            natural-scroll = true;
+            tap-to-click = true;
+            two-finger-scrolling-enabled = true;
+          };
+          "org/gnome/settings-daemon/plugins/media-keys" = {
+            custom-keybindings = [
+              "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
+            ];
+            mic-mute = [ "<Control>Print" ];
+          };
+          "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
+            name = "Terminal";
+            binding = "<Primary><Alt>t";
+            command = "gnome-terminal";
+          };
+        };
+      }
+    ];
+    gdm.databases = [
+      {
+        settings = {
+          "org/gnome/desktop/peripherals/touchpad" = {
+            disable-while-typing = false;
+            edge-scrolling-enabled = false;
+            natural-scroll = true;
+            tap-to-click = true;
+            two-finger-scrolling-enabled = true;
+          };
+        };
+      }
+    ];
+  };
+}

configuration/desktop/networking.nix

@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+
+  networking.networkmanager.settings = {
+    connectivity = {
+      uri = "http://ping.clerie.de/nm-check.txt";
+    };
+    global-dns = {
+      searches = "net.clerie.de";
+    };
+  };
+
+}

configuration/desktop/polkit.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+
+  security.polkit.enable = true;
+
+}

configuration/desktop/power.nix

@@ -0,0 +1,42 @@
+{ lib, config, ... }:
+
+{
+  boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
+  services.logind = {
+    lidSwitch = "suspend-then-hibernate";
+  };
+  systemd.sleep.extraConfig = ''
+    HibernateDelaySec=30m
+  '';
+
+  services.upower = {
+    percentageLow = 20;
+    percentageCritical = 10;
+    percentageAction = 8;
+  };
+
+  programs.dconf.profiles = {
+    user.databases = [
+      {
+        settings = {
+          "org/gnome/settings-daemon/plugins/power" = {
+            power-button-action = "hibernate";
+            power-saver-profile-on-low-battery = false;
+            sleep-inactive-ac-type = "nothing";
+          };
+        };
+      }
+    ];
+    gdm.databases = [
+      {
+        settings = {
+          "org/gnome/settings-daemon/plugins/power" = {
+            power-button-action = "hibernate";
+            power-saver-profile-on-low-battery = false;
+            sleep-inactive-ac-type = "nothing";
+          };
+        };
+      }
+    ];
+  };
+}

configuration/desktop/printing.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  services.printing.enable = true;
+  services.avahi.enable = true;
+  services.avahi.nssmdns4 = true;
+}

configuration/desktop/ssh.nix

@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+{
+
+  imports = [
+    ../../configuration/gpg-ssh
+  ];
+  programs.gnupg.agent = {
+    pinentryPackage = pkgs.pinentry-gtk2;
+  };
+
+  # Do not disable ssh-agent of gnome-keyring, because
+  # gnupg ssh-agent can't handle normal SSH keys properly
+  /*
+  # Disable ssh-agent of gnome-keyring
+  nixpkgs.overlays = [
+    (final: prev: {
+      gnome = prev.gnome // {
+        gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
+          mkdir -p $out
+
+          # Symlink all gnome-keyring binaries
+          ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
+
+          # Disable autostart for ssh
+          rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+          cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+          echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
+        '';
+      };
+    })
+  ];
+  */
+}

configuration/desktop/xserver.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+  services.xserver.enable = true;
+  services.xserver.displayManager.gdm.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+
+  services.xserver.excludePackages = with pkgs; [
+    xterm
+  ];
+}

configuration/gpg-ssh/default.nix

@@ -0,0 +1,51 @@
+{ pkgs, lib, ... }:
+
+let
+
+  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
+    configureFlags = prev.configureFlags ++ [
+      # Make sure scdaemon never ever again tries to use its own ccid driver
+      "--disable-ccid-driver"
+    ];
+  });
+
+in {
+
+  programs.gnupg.package = custom_gnupg;
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+    pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
+  };
+
+  environment.systemPackages = with pkgs; [
+    custom_gnupg
+    yubikey-personalization
+    openpgp-card-tools
+
+    # Add wrapper around ssh that takes the gnupg ssh-agent
+    # instead of gnome-keyring
+    ssh-gpg
+  ];
+
+  services.pcscd.enable = true;
+
+  # pcscd sometimes breaks and seem to need a manual restart
+  # so we allow users to restart that service themself
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+        if (
+            action.id == "org.freedesktop.systemd1.manage-units"
+            && action.lookup("unit") == "pcscd.service"
+            && action.lookup("verb") == "restart"
+            && subject.isInGroup("users")
+        ) {
+            return polkit.Result.YES;
+        }
+    });
+  '';
+
+  services.udev.packages = with pkgs; [
+    yubikey-personalization
+  ];
+}

flake.lock

@@ -269,11 +269,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1751801455,
-        "narHash": "sha256-hUJqtS88SbNQQSEJAPFyY2vLMh8yA8rQ6jbul50p64M=",
+        "lastModified": 1748520450,
+        "narHash": "sha256-thTwt6c/qdLg65urUWSENbmwf/ofvujpFNNTcF+iZvI=",
         "ref": "lix-2.93",
-        "rev": "b940aca430a7ca41f70bdb320659dd62026fe0e9",
-        "revCount": 4261,
+        "rev": "509c94cdb7e11d48e67a5a68c0d5fadfcda7bad5",
+        "revCount": 4257,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/hydra.git"
       },
@@ -290,9 +290,6 @@
           "flake-compat"
         ],
         "nix2container": "nix2container",
-        "nix_2_18": [
-          "hydra"
-        ],
         "nixpkgs": [
           "hydra",
           "nixpkgs"
@@ -301,11 +298,11 @@
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1751235704,
-        "narHash": "sha256-Jzm3KPZ2gL+0Nl3Mw/2E0B3vqDDi1Xt5+9VCXghUDZ8=",
+        "lastModified": 1747597901,
+        "narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=",
         "ref": "release-2.93",
-        "rev": "f3a7bbe5f8d1a8504ddb6362d50106904523e440",
-        "revCount": 17874,
+        "rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad",
+        "revCount": 17846,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/lix"
       },
@@ -327,11 +324,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753282722,
-        "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
+        "lastModified": 1748254718,
+        "narHash": "sha256-Uf6HNA0JctJH4ZdrZ/xb185mT0/XusLxnric9Xhg7Es=",
         "ref": "release-2.93",
-        "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
-        "revCount": 149,
+        "rev": "3855614ceafe562393472cca5fb2005297889a75",
+        "revCount": 143,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nixos-module.git"
       },
@@ -345,7 +342,6 @@
       "inputs": {
         "flake-compat": "flake-compat_2",
         "nix2container": "nix2container_2",
-        "nix_2_18": "nix_2_18",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -353,11 +349,11 @@
         "pre-commit-hooks": "pre-commit-hooks_2"
       },
       "locked": {
-        "lastModified": 1753306924,
-        "narHash": "sha256-jLCEW0FvjFhC+c4RHzH+xbkSOxrnpFHnhjOw6sudhx0=",
+        "lastModified": 1747597901,
+        "narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=",
         "ref": "release-2.93",
-        "rev": "1a4393d0aac31aba21f5737ede1b171e11336d77",
-        "revCount": 17884,
+        "rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad",
+        "revCount": 17846,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/lix.git"
       },
@@ -367,22 +363,6 @@
         "url": "https://git.lix.systems/lix-project/lix.git"
       }
     },
-    "lowdown-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1633514407,
-        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
-        "owner": "kristapsdz",
-        "repo": "lowdown",
-        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "kristapsdz",
-        "repo": "lowdown",
-        "type": "github"
-      }
-    },
     "mitel-ommclient2": {
       "inputs": {
         "nixpkgs": [
@@ -404,26 +384,6 @@
         "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
       }
     },
-    "mu5001tool": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1757627777,
-        "narHash": "sha256-NGUqHQ+/BaUhjgSYQauTihTtNyhhnQRMJ8t7ZSPNpmk=",
-        "ref": "refs/heads/main",
-        "rev": "b7b0f0d5191433bca1377f7d818b800627a83fda",
-        "revCount": 9,
-        "type": "git",
-        "url": "https://git.clerie.de/clerie/mu5001tool.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.clerie.de/clerie/mu5001tool.git"
-      }
-    },
     "nix2container": {
       "flake": false,
       "locked": {
@@ -456,34 +416,6 @@
         "type": "github"
       }
     },
-    "nix_2_18": {
-      "inputs": {
-        "flake-compat": [
-          "lix",
-          "flake-compat"
-        ],
-        "lowdown-src": "lowdown-src",
-        "nixpkgs": "nixpkgs_4",
-        "nixpkgs-regression": [
-          "lix",
-          "nixpkgs-regression"
-        ]
-      },
-      "locked": {
-        "lastModified": 1730375271,
-        "narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
-        "owner": "NixOS",
-        "repo": "nix",
-        "rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "2.18.9",
-        "repo": "nix",
-        "type": "github"
-      }
-    },
     "nixos-exporter": {
       "inputs": {
         "nixpkgs": [
@@ -552,22 +484,6 @@
         "type": "github"
       }
     },
-    "nixpkgs-carbon": {
-      "locked": {
-        "lastModified": 1751206202,
-        "narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
-        "owner": "clerie",
-        "repo": "nixpkgs",
-        "rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
-        "type": "github"
-      },
-      "original": {
-        "owner": "clerie",
-        "ref": "clerie/always-setup-netdevs",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs-regression": {
       "locked": {
         "lastModified": 1643052045,
@@ -634,11 +550,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1751582995,
-        "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
+        "lastModified": 1748437600,
+        "narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
+        "rev": "7282cb574e0607e65224d33be8241eae7cfe0979",
         "type": "github"
       },
       "original": {
@@ -650,27 +566,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1705033721,
-        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
+        "lastModified": 1750506804,
+        "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.05-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_5": {
-      "locked": {
-        "lastModified": 1758277210,
-        "narHash": "sha256-iCGWf/LTy+aY0zFu8q12lK8KuZp7yvdhStehhyX1v8w=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "8eaee110344796db060382e15d3af0a9fc396e0e",
+        "rev": "4206c4cb56751df534751b058295ea61357bbbaa",
         "type": "github"
       },
       "original": {
@@ -763,19 +663,16 @@
         "hydra": "hydra",
         "lix": "lix_2",
         "lix-module": "lix-module",
-        "mu5001tool": "mu5001tool",
         "nixos-exporter": "nixos-exporter",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_4",
         "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
-        "nixpkgs-carbon": "nixpkgs-carbon",
         "nurausstieg": "nurausstieg",
         "rainbowrss": "rainbowrss",
         "scan-to-gpg": "scan-to-gpg",
         "solid-xmpp-alarm": "solid-xmpp-alarm",
         "sops-nix": "sops-nix",
-        "ssh-to-age": "ssh-to-age",
-        "traveldrafter": "traveldrafter"
+        "ssh-to-age": "ssh-to-age"
       }
     },
     "scan-to-gpg": {
@@ -890,26 +787,6 @@
         "type": "github"
       }
     },
-    "traveldrafter": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1751817360,
-        "narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
-        "ref": "refs/heads/main",
-        "rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
-        "revCount": 22,
-        "type": "git",
-        "url": "https://git.clerie.de/clerie/traveldrafter.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.clerie.de/clerie/traveldrafter.git"
-      }
-    },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [

flake.nix

@@ -1,7 +1,6 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
     # for etesync-dav
     nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -40,10 +39,6 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
-    mu5001tool = {
-      url = "git+https://git.clerie.de/clerie/mu5001tool.git";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     nixos-exporter = {
       url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -72,13 +67,11 @@
       url = "github:Mic92/ssh-to-age";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    traveldrafter = {
-      url = "git+https://git.clerie.de/clerie/traveldrafter.git";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
   outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
     lib = import ./lib inputs;
+    helper = lib.flake-helper;
+    localNixpkgs = import ./flake/nixpkgs.nix inputs;
   in {
     clerie.hosts = {
       aluminium = {
@@ -142,24 +135,14 @@
     };
 
     overlays = {
-      clerie-inputs = import ./flake/inputs-overlay.nix inputs;
-      clerie-pkgs = import ./pkgs/overlay.nix;
-      clerie-build-support = import ./pkgs/build-support/overlay.nix;
-      clerie-overrides = import ./pkgs/overrides/overlay.nix;
+      nixfilesInputs = import ./flake/overlay.nix inputs;
+      clerie = import ./pkgs/overlay.nix;
+      default = self.overlays.clerie;
     };
 
-    nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
-      lib.mkNixpkgs {
-        inherit system;
-      }
-    );
-
-    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
-      nixpkgs.lib.genAttrs (
-        (builtins.attrNames (self.overlays.clerie-pkgs null null))
-        ++ (builtins.attrNames (self.overlays.clerie-overrides null null))
-      ) (name: self.nixpkgs."${system}"."${name}")
-    );
+    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
+      pkgs = localNixpkgs.${system};
+    in builtins.mapAttrs (name: value: pkgs."${name}") (import ./pkgs/pkgs.nix));
 
     inherit lib self;
 

flake/hydraJobs.nix

@@ -10,12 +10,6 @@ let
 in {
   inherit (self)
     packages;
-  extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
-    nixpkgs.lib.genAttrs [
-      "hydra"
-      "lix"
-    ] (name: self.nixpkgs."${system}"."${name}")
-  );
   nixosConfigurations = buildHosts self.nixosConfigurations;
   iso = self.nixosConfigurations._iso.config.system.build.isoImage;
 }

flake/nixosConfigurations.nix

@@ -11,14 +11,33 @@ let
     modules ? [],
   }: let
     localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
-  in self.lib.nixosSystem {
+  in localNixpkgs.lib.nixosSystem {
     system = system;
-    nixpkgs = localNixpkgs;
     modules = modules ++ [
+      self.nixosModules.nixfilesInputs
+      self.nixosModules.clerie
+      self.nixosModules.profiles
+
       ({ config, lib, ... }: {
         # Set hostname
         networking.hostName = lib.mkDefault name;
 
+        # Apply overlays
+        nixpkgs.overlays = [
+          self.overlays.nixfilesInputs
+          self.overlays.clerie
+        ];
+
+        /*
+          Make the contents of the flake availiable to modules.
+          Useful for having the monitoring server scraping the
+          target config from all other servers automatically.
+        */
+        _module.args = {
+          inputs = inputs;
+          _nixfiles = self;
+        };
+
         # Expose host group to monitoring
         clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };
 

flake/nixpkgs.nix

@@ -0,0 +1,17 @@
+{ self
+, nixpkgs
+, ...
+}@inputs:
+
+let
+  mkNixpkgs = { system, ... }@args: 
+    import nixpkgs {
+      inherit system;
+      overlays = [
+        self.overlays.nixfilesInputs
+        self.overlays.clerie
+      ];
+    };
+
+in
+  nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })

flake/overlay.nix

@@ -5,12 +5,10 @@
 , chaosevents
 , harmonia
 , hydra
-, mu5001tool
 , nurausstieg
 , rainbowrss
 , scan-to-gpg
 , ssh-to-age
-, traveldrafter
 , ...
 }@inputs:
 final: prev: {
@@ -26,8 +24,6 @@ final: prev: {
     harmonia;
   inherit (hydra.packages.${final.system})
     hydra;
-  inherit (mu5001tool.packages.${final.system})
-    mu5001tool;
   inherit (nurausstieg.packages.${final.system})
     nurausstieg;
   inherit (rainbowrss.packages.${final.system})
@@ -36,6 +32,4 @@ final: prev: {
     scan-to-gpg;
   inherit (ssh-to-age.packages.${final.system})
     ssh-to-age;
-  inherit (traveldrafter.packages.${final.system})
-    traveldrafter;
 }

hosts/_iso/configuration.nix

@@ -3,9 +3,9 @@
 {
   imports = [
     (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
+    ../../configuration/gpg-ssh
   ];
 
-  profiles.clerie.gpg-ssh.enable = true;
   profiles.clerie.network-fallback-dhcp.enable = true;
 
   # systemd in initrd is broken with ISOs

hosts/astatine/configuration.nix

@@ -4,10 +4,6 @@
   imports =
     [
       ./hardware-configuration.nix
-
-      ./grafana.nix
-      ./mu5001tool.nix
-      ./prometheus.nix
     ];
 
   profiles.clerie.network-fallback-dhcp.enable = true;
@@ -22,16 +18,6 @@
     terminal_output serial
   ";
 
-  sops.secrets.monitoring-htpasswd = {
-    owner = "nginx";
-    group = "nginx";
-  };
-  services.nginx = {
-    enable = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
   profiles.clerie.wg-clerie = {
     enable = true;
     ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];

hosts/astatine/grafana.nix

@@ -1,45 +0,0 @@
-{ config, ... }:
-{
-  services.grafana = {
-    enable  = true;
-    settings = {
-      server = {
-        domain = "grafana.astatine.net.clerie.de";
-        root_url = "https://grafana.astatine.net.clerie.de";
-        http_port = 3001;
-        http_addr = "::1";
-      };
-      "auth.anonymous" = {
-        enabled = true;
-      };
-    };
-
-    provision = {
-      enable = true;
-      datasources.settings.datasources = [
-        {
-          type = "prometheus";
-          name = "Prometheus";
-          url = "http://[::1]:9090";
-          isDefault = true;
-        }
-      ];
-    };
-  };
-
-  services.nginx = {
-    virtualHosts = {
-      "grafana.astatine.net.clerie.de" = {
-        enableACME = true;
-        forceSSL   = true;
-        basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
-        locations."/".proxyPass = "http://[::1]:3001/";
-        locations."= /api/live/ws" = {
-          proxyPass = "http://[::1]:3001";
-          proxyWebsockets = true;
-        };
-      };
-    };
-  };
-
-}

hosts/astatine/mu5001tool.nix

@@ -1,18 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-
-  systemd.services."mu5001tool" = {
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      DynamicUser = true;
-      LoadCredential = "zte-hypermobile-5g-password:${config.sops.secrets."zte-hypermobile-5g-password".path}";
-      Restart = "on-failure";
-      RestartSec = "15s";
-    };
-    script = ''
-      ${lib.getExe pkgs.mu5001tool} --password-file ''${CREDENTIALS_DIRECTORY}/zte-hypermobile-5g-password prometheus-exporter --listen-port 9242
-    '';
-  };
-
-}

hosts/astatine/prometheus.nix

@@ -1,46 +0,0 @@
-{ config, ... }:
-
-{
-  services.prometheus = {
-    enable = true;
-    enableReload = true;
-    listenAddress = "[::1]";
-    scrapeConfigs = [
-      {
-        job_name = "prometheus";
-        scrape_interval = "20s";
-        scheme = "http";
-        static_configs = [
-          {
-            targets = [
-              "[::1]:9090"
-            ];
-          }
-        ];
-      }
-      {
-        job_name = "mu5001tool";
-        scrape_interval = "20s";
-        static_configs = [
-          {
-            targets = [
-              "[::1]:9242"
-            ];
-          }
-        ];
-      }
-    ];
-  };
-
-  services.nginx = {
-    virtualHosts = {
-      "prometheus.astatine.net.clerie.de" = {
-        enableACME = true;
-        forceSSL   = true;
-        basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
-        locations."/".proxyPass = "http://[::1]:9090/";
-      };
-    };
-  };
-
-}

hosts/astatine/secrets.json

@@ -1,17 +1,19 @@
 {
 	"wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]",
-	"monitoring-htpasswd": "ENC[AES256_GCM,data:0uQ+Gwedi9kTaOzrwVzkNkS9qL0Dwmph1leK2sj/TndfSn3yaq7ur7ZHoPjWUl5Oy1poxU2rIUxWHajYC0n3yHv2AuGT,iv:FyH4MHcgW5iHkAsahNFtshnqqPOMlukg8aYfhcN9onw=,tag:q3BsnyKLrKYi/xDP6GmSkA==,type:str]",
-	"zte-hypermobile-5g-password": "ENC[AES256_GCM,data:lqxQICmWYwMejn8=,iv:TPYOs/cL/ETw7Ee0+YG/+Fhd7ASi0kr4rDLEiste+2Y=,tag:6O6AXIHkIjPm7hJVC4Y/1g==,type:str]",
 	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-09-08T21:03:41Z",
-		"mac": "ENC[AES256_GCM,data:ztS/Z6mn8hFAPsks2evJRJFocw/3oz22O2HeSEkY7Mu+bfNvClsJuvuTbnDadB0IwKiLDFWRMGs/UPFmNP6J/euro4cFHDWXopdXg7eDFGDoJDKIg4fBUtofdXIqWvDoQ9LeZNvc5Z4EEQYhs3LwFnAU0x15acwIIxr5TB9l8g8=,iv:WVjavmcrEs2CyYTfoTTP44c9TqFubUdE+PBN2jRPR+s=,tag:fBXzU69Q9MwD3o/Nyu5OZA==,type:str]",
+		"lastmodified": "2024-04-21T16:03:13Z",
+		"mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-04-21T16:02:41Z",
@@ -22,4 +24,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}

hosts/carbon/configuration.nix

@@ -63,10 +63,10 @@
 
   systemd.services.kea-dhcp4-server = {
     after = [
-      "network.target"
+      "network-setup.service"
     ];
-    wants = [
-      "network.target"
+    requires = [
+      "network-setup.service"
     ];
   };
 

hosts/dn42-il-gw1/configuration.nix

@@ -237,7 +237,8 @@
     ];
   };
 
-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/dn42-il-gw5/configuration.nix

@@ -111,7 +111,8 @@
     '';
   };
 
-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
     autoUpgrade = true;
     startAt = "*-*-* 06:22:00";
   };

hosts/dn42-il-gw6/configuration.nix

@@ -105,7 +105,8 @@
     '';
   };
 
-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
     autoUpgrade = true;
     startAt = "*-*-* 07:22:00";
   };

hosts/dn42-ildix-clerie/configuration.nix

@@ -161,7 +161,8 @@
   }
   '';
 
-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/dn42-ildix-service/configuration.nix

@@ -70,7 +70,8 @@
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/krypton/configuration.nix

@@ -5,6 +5,8 @@
     [
       ./hardware-configuration.nix
 
+      ../../configuration/desktop
+
       ./android.nix
       ./backup.nix
       ./etesync-dav.nix
@@ -13,8 +15,6 @@
       ./programs.nix
     ];
 
-  profiles.clerie.desktop.enable = true;
-
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;

hosts/krypton/programs.nix

@@ -14,11 +14,10 @@
 
     tio
     xournalpp
-    libreoffice
+    onlyoffice-bin
 
     krita
     inkscape
-    dune3d
 
     wireshark
     tcpdump

hosts/monitoring-3/dashboards/home.json

@@ -1,77 +0,0 @@
-{
-  "annotations": {
-    "list": [
-      {
-        "builtIn": 1,
-        "datasource": {
-          "type": "datasource",
-          "uid": "grafana"
-        },
-        "enable": true,
-        "hide": true,
-        "iconColor": "rgba(0, 211, 255, 1)",
-        "name": "Annotations & Alerts",
-        "target": {
-          "limit": 100,
-          "matchAny": false,
-          "tags": [],
-          "type": "dashboard"
-        },
-        "type": "dashboard"
-      }
-    ]
-  },
-  "editable": true,
-  "fiscalYearStartMonth": 0,
-  "graphTooltip": 0,
-  "id": 10,
-  "links": [],
-  "panels": [
-    {
-      "fieldConfig": {
-        "defaults": {},
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 11,
-        "w": 24,
-        "x": 0,
-        "y": 0
-      },
-      "id": 2,
-      "options": {
-        "includeVars": false,
-        "keepTime": false,
-        "maxItems": 10,
-        "query": "",
-        "showFolderNames": true,
-        "showHeadings": false,
-        "showRecentlyViewed": false,
-        "showSearch": true,
-        "showStarred": false,
-        "tags": []
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "title": "Dashboards",
-      "type": "dashlist"
-    }
-  ],
-  "preload": false,
-  "refresh": "",
-  "schemaVersion": 41,
-  "tags": [],
-  "templating": {
-    "list": []
-  },
-  "time": {
-    "from": "now-6h",
-    "to": "now"
-  },
-  "timepicker": {
-    "hidden": true
-  },
-  "timezone": "browser",
-  "title": "Home",
-  "uid": "OqTN9p2nz",
-  "version": 1
-}

hosts/monitoring-3/dashboards/nginx-exporter.json

@@ -1,355 +0,0 @@
-{
-  "annotations": {
-    "list": [
-      {
-        "builtIn": 1,
-        "datasource": {
-          "type": "grafana",
-          "uid": "-- Grafana --"
-        },
-        "enable": true,
-        "hide": true,
-        "iconColor": "rgba(0, 211, 255, 1)",
-        "name": "Annotations & Alerts",
-        "type": "dashboard"
-      }
-    ]
-  },
-  "editable": true,
-  "fiscalYearStartMonth": 0,
-  "graphTooltip": 0,
-  "id": 16,
-  "links": [],
-  "panels": [
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisBorderShow": false,
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "barWidthFactor": 0.6,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green"
-              }
-            ]
-          },
-          "unit": "reqps"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 10,
-        "w": 12,
-        "x": 0,
-        "y": 0
-      },
-      "id": 1,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "disableTextWrap": false,
-          "editorMode": "builder",
-          "expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
-          "fullMetaSearch": false,
-          "includeNullMetadata": true,
-          "legendFormat": "__auto",
-          "range": true,
-          "refId": "A",
-          "useBackend": false
-        }
-      ],
-      "title": "Total requests",
-      "type": "timeseries"
-    },
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisBorderShow": false,
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "barWidthFactor": 0.6,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green"
-              }
-            ]
-          },
-          "unit": "reqps"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 10,
-        "w": 12,
-        "x": 12,
-        "y": 0
-      },
-      "id": 2,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "disableTextWrap": false,
-          "editorMode": "builder",
-          "expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
-          "fullMetaSearch": false,
-          "includeNullMetadata": true,
-          "legendFormat": "{{server_name}}: {{method}}",
-          "range": true,
-          "refId": "A",
-          "useBackend": false
-        }
-      ],
-      "title": "Status codes",
-      "type": "timeseries"
-    },
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisBorderShow": false,
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "barWidthFactor": 0.6,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green"
-              }
-            ]
-          },
-          "unit": "reqps"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 10,
-        "w": 12,
-        "x": 0,
-        "y": 10
-      },
-      "id": 3,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "disableTextWrap": false,
-          "editorMode": "builder",
-          "expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
-          "fullMetaSearch": false,
-          "includeNullMetadata": true,
-          "legendFormat": "{{server_name}}: HTTP {{status}}",
-          "range": true,
-          "refId": "A",
-          "useBackend": false
-        }
-      ],
-      "title": "Response codes",
-      "type": "timeseries"
-    }
-  ],
-  "preload": false,
-  "refresh": "30s",
-  "schemaVersion": 41,
-  "tags": [],
-  "templating": {
-    "list": [
-      {
-        "current": {
-          "text": "All",
-          "value": [
-            "$__all"
-          ]
-        },
-        "definition": "label_values(nginxlog_http_response_count_total,server_name)",
-        "includeAll": true,
-        "label": "vHost",
-        "multi": true,
-        "name": "server_name",
-        "options": [],
-        "query": {
-          "qryType": 1,
-          "query": "label_values(nginxlog_http_response_count_total,server_name)",
-          "refId": "PrometheusVariableQueryEditor-VariableQuery"
-        },
-        "refresh": 1,
-        "regex": "",
-        "type": "query"
-      }
-    ]
-  },
-  "time": {
-    "from": "now-3h",
-    "to": "now"
-  },
-  "timepicker": {},
-  "timezone": "browser",
-  "title": "Nginx Exporter",
-  "uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
-  "version": 7
-}

hosts/monitoring-3/dashboards/nixos-status.json

@@ -1,135 +0,0 @@
-{
-  "annotations": {
-    "list": [
-      {
-        "builtIn": 1,
-        "datasource": {
-          "type": "grafana",
-          "uid": "-- Grafana --"
-        },
-        "enable": true,
-        "hide": true,
-        "iconColor": "rgba(0, 211, 255, 1)",
-        "name": "Annotations & Alerts",
-        "target": {
-          "limit": 100,
-          "matchAny": false,
-          "tags": [],
-          "type": "dashboard"
-        },
-        "type": "dashboard"
-      }
-    ]
-  },
-  "editable": true,
-  "fiscalYearStartMonth": 0,
-  "graphTooltip": 0,
-  "id": 15,
-  "links": [],
-  "panels": [
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "continuous-RdYlGr"
-          },
-          "custom": {
-            "axisPlacement": "auto",
-            "fillOpacity": 70,
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineWidth": 0,
-            "spanNulls": false
-          },
-          "mappings": [
-            {
-              "options": {
-                "0": {
-                  "index": 1,
-                  "text": "mismatch"
-                },
-                "1": {
-                  "index": 0,
-                  "text": "sync"
-                }
-              },
-              "type": "value"
-            }
-          ],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "red"
-              }
-            ]
-          }
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 23,
-        "w": 24,
-        "x": 0,
-        "y": 0
-      },
-      "id": 2,
-      "options": {
-        "alignValue": "left",
-        "legend": {
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "mergeValues": true,
-        "rowHeight": 0.9,
-        "showValue": "auto",
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "PBFA97CFB590B2093"
-          },
-          "editorMode": "builder",
-          "expr": "nixos_current_system_is_sync",
-          "legendFormat": "{{instance}}",
-          "range": true,
-          "refId": "A"
-        }
-      ],
-      "title": "Config is Sync",
-      "type": "state-timeline"
-    }
-  ],
-  "preload": false,
-  "refresh": "5m",
-  "schemaVersion": 41,
-  "tags": [],
-  "templating": {
-    "list": []
-  },
-  "time": {
-    "from": "now-7d",
-    "to": "now"
-  },
-  "timepicker": {},
-  "timezone": "",
-  "title": "NixOS Status",
-  "uid": "W4j3nz1Vz",
-  "version": 3
-}

hosts/monitoring-3/dashboards/smokeping.json

@@ -1,211 +0,0 @@
-{
-  "annotations": {
-    "list": [
-      {
-        "builtIn": 1,
-        "datasource": {
-          "type": "datasource",
-          "uid": "grafana"
-        },
-        "enable": true,
-        "hide": true,
-        "iconColor": "rgba(0, 211, 255, 1)",
-        "name": "Annotations & Alerts",
-        "target": {
-          "limit": 100,
-          "matchAny": false,
-          "tags": [],
-          "type": "dashboard"
-        },
-        "type": "dashboard"
-      }
-    ]
-  },
-  "editable": true,
-  "fiscalYearStartMonth": 0,
-  "graphTooltip": 0,
-  "id": 11,
-  "links": [],
-  "panels": [
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "PBFA97CFB590B2093"
-      },
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisBorderShow": false,
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "barWidthFactor": 0.6,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "insertNulls": false,
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green"
-              },
-              {
-                "color": "red",
-                "value": 80
-              }
-            ]
-          },
-          "unit": "s"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 22,
-        "w": 24,
-        "x": 0,
-        "y": 0
-      },
-      "id": 2,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "list",
-          "placement": "bottom",
-          "showLegend": true
-        },
-        "tooltip": {
-          "hideZeros": false,
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "pluginVersion": "12.0.2+security-01",
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "PBFA97CFB590B2093"
-          },
-          "editorMode": "code",
-          "exemplar": true,
-          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
-          "interval": "",
-          "legendFormat": "IPv6 {{target}} ({{instance}})",
-          "range": true,
-          "refId": "A"
-        },
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "PBFA97CFB590B2093"
-          },
-          "editorMode": "code",
-          "exemplar": true,
-          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
-          "hide": false,
-          "interval": "",
-          "legendFormat": "IPv4 {{target}} ({{instance}})",
-          "range": true,
-          "refId": "B"
-        }
-      ],
-      "title": "Smokeping",
-      "type": "timeseries"
-    }
-  ],
-  "preload": false,
-  "refresh": "",
-  "schemaVersion": 41,
-  "tags": [],
-  "templating": {
-    "list": [
-      {
-        "current": {
-          "text": "All",
-          "value": "$__all"
-        },
-        "datasource": {
-          "type": "prometheus",
-          "uid": "PBFA97CFB590B2093"
-        },
-        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
-        "includeAll": true,
-        "label": "Target:",
-        "multi": true,
-        "name": "target",
-        "options": [],
-        "query": {
-          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
-          "refId": "StandardVariableQuery"
-        },
-        "refresh": 1,
-        "regex": "",
-        "type": "query"
-      },
-      {
-        "current": {
-          "text": [
-            "All"
-          ],
-          "value": [
-            "$__all"
-          ]
-        },
-        "datasource": {
-          "type": "prometheus",
-          "uid": "PBFA97CFB590B2093"
-        },
-        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
-        "includeAll": true,
-        "label": "Instance:",
-        "multi": true,
-        "name": "instance",
-        "options": [],
-        "query": {
-          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
-          "refId": "StandardVariableQuery"
-        },
-        "refresh": 1,
-        "regex": "",
-        "type": "query"
-      }
-    ]
-  },
-  "time": {
-    "from": "now-30m",
-    "to": "now"
-  },
-  "timepicker": {},
-  "timezone": "",
-  "title": "Smokeping",
-  "uid": "IytTVZL7z",
-  "version": 9
-}

hosts/monitoring-3/prometheus.nix

@@ -52,12 +52,6 @@ let
     attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
     monitoringHosts);
 
-  nginxlogMonitoringTargets = mapAttrsToList (name: host:
-    "${host.config.networking.hostName}.mon.clerie.de:9117")
-    (filterAttrs (name: host:
-    attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
-    monitoringHosts);
-
   eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
 
 in {
@@ -110,21 +104,6 @@ in {
           relabelAddressToInstance
         ];
       }
-      {
-        job_name = "alertmanager";
-        scrape_interval = "20s";
-        scheme = "http";
-        static_configs = [
-          {
-            targets = [
-              "monitoring-3.mon.clerie.de:9093"
-            ];
-          }
-        ];
-        relabel_configs = [
-          relabelAddressToInstance
-        ];
-      }
       {
         job_name = "node-exporter";
         scrape_interval = "20s";
@@ -542,24 +521,12 @@ in {
           }
         ];
       }
-      {
-        job_name = "nginxlog-exporter";
-        scrape_interval = "20s";
-        static_configs = [
-          {
-            targets = nginxlogMonitoringTargets;
-          }
-        ];
-        relabel_configs = [
-          relabelAddressToInstance
-        ];
-      }
     ];
     alertmanagers = [
       {
         static_configs = [ {
           targets = [
-            "monitoring-3.mon.clerie.de:9093"
+            "[::1]:9093"
           ];
         } ];
       }

hosts/monitoring-3/rules.yml

@@ -89,24 +89,9 @@ groups:
       description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
   - alert: NadjaTopIPv4ProxyBroken
     expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
-    for: 15m
+    for: 5m
     labels:
       severity: critical
     annotations:
       summary: "blog.nadja.top unreachable via IPv4"
       description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
-  - alert: AlertmanagerNotificationRequestsFailed
-    expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
-    labels:
-      severity: critical
-    annotations:
-      summary: "Too many notification requests failed"
-      description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
-  - alert: FemSocialDown
-    expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
-    for: 5m
-    labels:
-      severity: critical
-    annotations:
-      summary: "fem.social unavailable via HTTP"
-      description: "fem.social is not fully reachable via HTTP"

hosts/nonat/configuration.nix

@@ -41,7 +41,8 @@
 
   networking.firewall.allowedUDPPorts = [];
 
-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/porter/configuration.nix

@@ -58,10 +58,6 @@
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   networking.firewall.allowedUDPPorts = [];
 
-  services.bijwerken = {
-    autoUpgrade = true;
-  };
-
   clerie.monitoring = {
     enable = true;
     id = "102";

hosts/storage-2/configuration.nix

@@ -52,7 +52,8 @@
     };
   };
 
-  services.bijwerken = {
+  clerie.system-auto-upgrade = {
+    allowReboot = true;
     autoUpgrade = true;
   };
 

hosts/storage-2/em.nix

@@ -11,28 +11,7 @@ with lib;
   };
   users.groups.data-em = {};
 
-  users.users.data-em-mp3 = {
-    group = "data-em-mp3";
-    home = "/data/em-mp3";
-    useDefaultShell = true;
-    isSystemUser = true;
-  };
-  users.groups.data-em-mp3 = {};
-
   systemd.tmpfiles.rules = [
     "d /data/em - data-em data-em - -"
-    "d /data/em-mp3 - data-em-mp3 data-em-mp3 - -"
   ];
-
-  systemd.services.convert-flac-dir-to-mp3 = {
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "${lib.getExe pkgs.convert-flac-dir-to-mp3} /data/em /data/em-mp3";
-      StateDirectory = "convert-flac-dir-to-mp3";
-      WorkingDirectory = "/var/lib/convert-flac-dir-to-mp3";
-      User = "data-em-mp3";
-      Group = "data-em-mp3";
-    };
-    startAt = "*-*-* 03:47:00";
-  };
 }

hosts/web-2/blocked-prefixes.txt

@@ -1,195 +0,0 @@
-ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
-iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse

hosts/web-2/clerie.nix

@@ -27,7 +27,7 @@
         root = pkgs.clerie-keys;
       };
       locations."= /ssh/known_hosts" = {
-        alias = pkgs.clerie-ssh-known-hosts + "/known_hosts";
+        alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
         extraConfig = ''
           types { }
           default_type "text/plain; charset=utf-8";
@@ -53,6 +53,9 @@
         '';
         return = "200 ''";
       };
+      extraConfig = ''
+        access_log /var/log/nginx/clerie.de.log combined_anon;
+      '';
     };
   };
 }

hosts/web-2/configuration.nix

@@ -24,7 +24,6 @@
       ./public.nix
       ./radicale.nix
       ./reichartstrasse.nix
-      ./traveldrafter.nix
       ./uptimestatus.nix
       ./wetter.nix
     ];
@@ -52,8 +51,6 @@
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-  networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;
-
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_16;

hosts/web-2/gitea.nix

@@ -83,6 +83,9 @@
           proxyPass = "http://[::1]:3000";
         };
       };
+      extraConfig = ''
+        access_log /var/log/nginx/git.clerie.de.log combined_anon;
+      '';
     };
   };
 }

hosts/web-2/ip.nix

@@ -53,6 +53,9 @@
           types { } default_type "text/html; charset=utf-8";
         '';
       };
+      extraConfig = ''
+        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
+      '';
     };
     "ip4.clerie.de" = {
       enableACME = true;
@@ -64,6 +67,9 @@
           add_header Access-Control-Allow-Origin *;
         '';
       };
+      extraConfig = ''
+        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
+      '';
     };
     "ip6.clerie.de" = {
       enableACME = true;
@@ -75,6 +81,9 @@
           add_header Access-Control-Allow-Origin *;
         '';
       };
+      extraConfig = ''
+        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
+      '';
     };
   };
 }

hosts/web-2/legal.nix

@@ -7,8 +7,8 @@
       forceSSL = true;
       root = pkgs.fetchgit {
         url = "https://git.clerie.de/clerie/legal.clerie.de.git";
-        rev = "b271b9729f4545c340ce9d16ecbca136031da409";
-        sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
+        rev = "c6900226e3107a2e370a32759d83db472ab5450d";
+        sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU=";
       };
       locations."/impressum" = {
         return = ''301 https://legal.clerie.de/#impressum'';

hosts/web-2/secrets.json

@@ -4,16 +4,19 @@
 	"clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]",
 	"radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]",
-	"traveldrafter-htpasswd": "ENC[AES256_GCM,data:f29vVDofv2mJEyn/pMKWW8ZbVTKSofe1EEtcfuCaokdqAyxemcq/2hrXFw8cAGTV2hwVqlM2hzJcT32KBjO/wgUNfv4=,iv:5PdQ+bn/bXmfQstP5A/dLeDk7O0qTjoRTyr4D+AgiG0=,tag:gCBrSJ4cEnZHqePiUpPglA==,type:str]",
 	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-07-06T16:08:39Z",
-		"mac": "ENC[AES256_GCM,data:6EbMSJAKOMgXtlwaVtsmPgrZVgraReAfVJWjZvhe965eLhhP5aeyZqPlA6a93h2FsShVFYWFPI57tdHy9Ymo53oXolSt8Docr2w2FL4BTWHHhkXal9+6aJZAZ+XOPEOUYurFxPOX44l+LDkecSz0NMCgrScWtpphjlkj3yP5GTo=,iv:5w8RC9IAuyEuO0QSZ0FBwW2/qqV56HNG7hZIkEeGEYU=,tag:Zosv1OSMtznnKkSYStu+oA==,type:str]",
+		"lastmodified": "2024-05-10T13:32:34Z",
+		"mac": "ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:29:58Z",
@@ -24,4 +27,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}

hosts/web-2/traveldrafter.nix

@@ -1,40 +0,0 @@
-{ pkgs, lib, config, ... }: {
-  services.update-from-hydra.paths.traveldrafter = {
-    enable = true;
-    hydraUrl = "https://hydra.clerie.de";
-    hydraProject = "clerie";
-    hydraJobset = "traveldrafter";
-    hydraJob = "packages.x86_64-linux.traveldrafter";
-    nixStoreUri = "https://nix-cache.clerie.de";
-    resultPath = "/srv/traveldrafter";
-  };
-
-  sops.secrets.traveldrafter-htpasswd = {
-    owner = "nginx";
-    group = "nginx";
-  };
-
-  services.nginx.virtualHosts = {
-    "traveldrafter.clerie.de" = {
-      enableACME = true;
-      forceSSL = true;
-      root = "/srv/traveldrafter/lib/node_modules/traveldrafter/web/";
-      basicAuthFile = config.sops.secrets.traveldrafter-htpasswd.path;
-      locations."/api" = {
-        proxyPass = "http://[::1]:3001";
-      };
-    };
-  };
-
-  systemd.services."traveldrafter" = {
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      RuntimeDirectory = "traveldrafter";
-      DynamicUser = true;
-    };
-    environment = {
-      HTTP_PORT = "3001";
-    };
-    script = lib.getExe pkgs.traveldrafter;
-  };
-}

hosts/zinc/configuration.nix

@@ -5,12 +5,12 @@
     [
       ./hardware-configuration.nix
 
+      ../../configuration/desktop
+
       ./initrd.nix
       ./programs.nix
     ];
 
-  profiles.clerie.desktop.enable = true;
-
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;

lib/default.nix

@@ -8,8 +8,6 @@ let
 
   lib = {
     clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix;
-    mkNixpkgs = callLibs ./mkNixpkgs.nix;
-    nixosSystem = callLibs ./nixosSystem.nix;
   };
 
 in

lib/link-local-wireguard.nix

@@ -0,0 +1,22 @@
+{ ... }:
+
+rec {
+  llIPv6 = localIP: peerIP: interface: {
+    ips = [
+      "${localIP}/128"
+    ];
+    postSetup = ''
+    ip -6 route flush dev ${interface}
+    ip addr del dev ${interface} ${localIP}/128 && ip addr add dev ${interface} ${localIP}/128 peer ${peerIP}/128
+    '';
+  };
+  llIPv4 = localIP: peerIP: interface: {
+    ips = [
+      "${localIP}/32"
+    ];
+    postSetup = ''
+    ip -4 route flush dev ${interface}
+    ip addr del dev ${interface} ${localIP}/32 && ip addr add dev ${interface} ${localIP}/32 peer ${peerIP}/32
+    '';
+  };
+}

lib/mkNixpkgs.nix

@@ -1,27 +0,0 @@
-{
-  inputs,
-  self,
-  ...
-}:
-
-/*
-
-  Loads a version of nixpkgs with nixfiles overlays loaded
-
-*/
-{
-  system,
-  nixpkgs ? inputs.nixpkgs,
-  overlays ? [],
-  ...
-}@args:
-
-import nixpkgs {
-  inherit system;
-  overlays = [
-    self.overlays.clerie-inputs
-    self.overlays.clerie-pkgs
-    self.overlays.clerie-build-support
-    self.overlays.clerie-overrides
-  ] ++ overlays;
-}

lib/nixosSystem.nix

@@ -1,42 +0,0 @@
-{
-  inputs,
-  self,
-  ...
-}:
-
-/*
-
-  nixfiles.lib.nixosSystem, like nixpkgs.lib.nixosSystem but
-  with nixfiles overlays and modules already populated
-
-*/
-{
-  system ? null,
-  nixpkgs ? inputs.nixpkgs,
-  pkgs ? null,
-  modules ? [],
-  ...
-}@args:
-
-nixpkgs.lib.nixosSystem ({
-  system = system;
-  pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs {
-    inherit system nixpkgs;
-  });
-  modules = [
-    self.nixosModules.nixfilesInputs
-    self.nixosModules.clerie
-    self.nixosModules.profiles
-    ({ config, lib, ... }: {
-      /*
-        Make the contents of the flake availiable to modules.
-        Useful for having the monitoring server scraping the
-        target config from all other servers automatically.
-      */
-      _module.args = {
-        inputs = inputs;
-        _nixfiles = self;
-      };
-    })
-  ] ++ modules;
-} // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )

lib/ssh-known-hosts.nix

@@ -1,22 +1,13 @@
-{
-  writeTextFile,
-}:
-
 let
   stripR = str: if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str;
-  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../../hosts));
+  hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../hosts));
   sshkeyList = map (hostname: {
     name = hostname;
-    sshPubkey = stripR (builtins.readFile (../../hosts + "/${hostname}/ssh.pub"));
+    sshPubkey = stripR (builtins.readFile (../hosts + "/${hostname}/ssh.pub"));
   }) hostsWithSshPubkey;
   knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: ''
     ${name} ${sshPubkey}
     ${name}.net.clerie.de ${sshPubkey}
   '') sshkeyList);
-in writeTextFile {
-  name = "clerie-ssh-known-hosts";
-  destination = "/known_hosts";
-  allowSubstitutes = true;
-  preferLocalBuild = false;
-  text = knownHosts;
-}
+in
+  knownHosts

modules/clerie-system-upgrade/default.nix

@@ -3,13 +3,18 @@
 with lib;
 
 let
-  cfg = config.services.bijwerken;
+  cfg = config.clerie.system-auto-upgrade;
 in
 
 {
   options = {
-    services.bijwerken = {
-      enable = mkEnableOption "Automatic system upgrades";
+    clerie.system-auto-upgrade = {
+      enable = mkEnableOption "clerie system upgrade";
+      allowReboot = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Monitor NixOS";
+      };
       autoUpgrade = mkOption {
         type = types.bool;
         default = false;
@@ -20,15 +25,10 @@ in
         default = null;
         description = "Systemd time string for starting the unit";
       };
-      nodeExporterTextfilePath = mkOption {
-        type = with types; nullOr str;
-        default = null;
-        description = "Path to node exporter textfile for putting metrics";
-      };
     };
   };
   config = mkIf cfg.enable {
-    systemd.services.bijwerken-system-upgrade = {
+    systemd.services.clerie-system-auto-upgrade = {
       requires = [ "network-online.target" ];
       after = [ "network-online.target" ];
 
@@ -38,10 +38,10 @@ in
 
       serviceConfig = {
         Type = "oneshot";
-        ExecStart = (getExe pkgs.bijwerken-system-upgrade) + " --no-confirm${optionalString (cfg.nodeExporterTextfilePath != null) " --node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}"}";
+        ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
       };
     };
-    systemd.timers.bijwerken-system-upgrade = mkIf cfg.autoUpgrade {
+    systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade {
       wantedBy = [ "timers.target" ];
       timerConfig = {
         OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt;
@@ -51,7 +51,7 @@ in
       after = [ "network-online.target" ];
     };
     environment.systemPackages = with pkgs; [
-      bijwerken-system-upgrade
+      clerie-system-upgrade
     ];
   };
 }

modules/default.nix

@@ -5,9 +5,9 @@
     ./policyrouting
     ./akne
     ./backup
-    ./bijwerken
     ./clerie-firewall
     ./clerie-gc-dir
+    ./clerie-system-upgrade
     ./dhcpcd-prefixdelegation
     ./minecraft-server
     ./monitoring

modules/monitoring/default.nix

@@ -75,8 +75,6 @@ in
 
     systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
 
-    services.bijwerken.nodeExporterTextfilePath = "/var/lib/prometheus-node-exporter/textfiles/bijwerken-system-upgrade.prom";
-
     services.prometheus.exporters.bird = mkIf cfg.bird {
       enable = true;
     };
@@ -104,33 +102,6 @@ in
       listen = "[::]:9152";
     };
 
-    services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
-      enable = true;
-      settings = {
-        namespaces = [
-          {
-            name = "nginxlog";
-            format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
-            source = {
-              files = [
-                "/var/log/nginx/access.log"
-              ];
-            };
-            relabel_configs = [
-              {
-                target_label = "server_name";
-                from = "server_name";
-              }
-            ];
-          }
-        ];
-      };
-    };
-
-    systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
-      SupplementaryGroups = "nginx";
-    };
-
     networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
       9100 # node-exporter
       9152 # nixos-exporter
@@ -138,8 +109,6 @@ in
       9324 # bird-exporter
     ] else []) ++ (if cfg.blackbox then [
       9115 # blackbox-exporter
-    ] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
-      config.services.prometheus.exporters.nginxlog.port
     ] else []);
   };
 }

pkgs/bijwerken-poke/bijwerken-poke.sh

@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-
-TARGETS="$(nix --extra-experimental-features "nix-command flakes" eval --raw ".#nixosConfigurations" --apply "nixosConfigurations: builtins.concatStringsSep \"\\n\" (builtins.attrValues (builtins.mapAttrs (name: host: host.config.networking.fqdn) nixosConfigurations))")"
-
-pssh -h <(echo "${TARGETS}") -i -- sudo systemctl start bijwerken-system-upgrade.service --no-block

pkgs/bijwerken-poke/default.nix

@@ -1,10 +0,0 @@
-{ pkgs, ... }:
-
-pkgs.writeShellApplication {
-  name = "bijwerken-poke";
-  text = builtins.readFile ./bijwerken-poke.sh;
-  runtimeInputs = with pkgs; [
-    pssh
-  ];
-}
-

pkgs/build-support/overlay.nix

@@ -1,7 +0,0 @@
-final: prev:
-
-{
-  clerie-build-support = {
-    writePythonScript = final.callPackage ./writePythonScript.nix {};
-  };
-}

pkgs/build-support/writePythonScript.nix

@@ -1,56 +0,0 @@
-{
-  python3,
-  makeWrapper,
-  runCommand,
-  lib,
-}:
-
-{
-  name,
-  text,
-  runtimePackages ? ps: [],
-  pythonPackage ? python3,
-  runtimeInputs ? [],
-  meta ? {},
-  passthru ? {},
-  derivationArgs ? {},
-}:
-
-let
-
-  pythonWithPackages = pythonPackage.withPackages runtimePackages;
-
-in runCommand name ({
-  passAsFile = [ "text" ] ++ (derivationArgs.passAsFile or []);
-
-  meta = {
-    mainProgram = name;
-  } // meta // (derivationArgs.meta or {});
-
-  passthru = passthru // (derivationArgs.passthru or {});
-
-  nativeBuildInputs = [ makeWrapper ] ++ (derivationArgs.nativeBuildInputs or []);
-
-  executable = true;
-  destination = "/bin/${name}";
-  allowSubstitutes = true;
-  preferLocalBuild = false;
-  text = ''
-    #!${lib.getExe pythonWithPackages}
-
-    ${text}
-  '';
-} // (
-  builtins.removeAttrs derivationArgs [ "passAsFile" "meta" "passthru" "nativeBuildInputs" ]
-))
-''
-mkdir -p $out/bin
-
-target=$out/bin/${lib.escapeShellArg name}
-
-cp "$textPath" "$target"
-
-chmod +x "$target"
-
-wrapProgram "$target" --prefix PATH : "${lib.makeBinPath runtimeInputs}"
-''

pkgs/clerie-system-upgrade/clerie-system-upgrade.nix

@@ -1,8 +1,8 @@
 { pkgs, ... }:
 
 pkgs.writeShellApplication {
-  name = "bijwerken-system-upgrade";
-  text = builtins.readFile ./bijwerken-system-upgrade.sh;
+  name = "clerie-system-upgrade";
+  text = builtins.readFile ./clerie-system-upgrade.sh;
   runtimeInputs = with pkgs; [
     curl
     jq

pkgs/clerie-system-upgrade/clerie-system-upgrade.sh

@@ -2,11 +2,16 @@
 
 set -euo pipefail
 
+ALLOW_REBOOT=
 NO_CONFIRM=
 NODE_EXPORTER_METRICS_PATH=
 
 while [[ $# -gt 0 ]]; do
 	case $1 in
+		--allow-reboot)
+			ALLOW_REBOOT=1
+			shift
+		;;
 		--no-confirm)
 			NO_CONFIRM=1
 			shift
@@ -40,7 +45,7 @@ if [[ -z $NO_CONFIRM ]]; then
 fi
 
 echo "Download ${STORE_PATH}"
-nix copy --to daemon "${STORE_PATH}"
+nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}"
 
 echo "Add to system profile"
 nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
@@ -50,7 +55,7 @@ echo "Set as boot target"
 
 if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
 	echo "Write monitoring check data"
-	echo "bijwerken_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
+	echo "clerie_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
 fi
 
 BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
@@ -58,8 +63,13 @@ ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel
 
 if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
 	echo "Reboot is required"
-	echo "Rebooting system now"
-	shutdown -r +1 "System update requires reboot"
+	if [[ -n "$ALLOW_REBOOT" ]]; then
+		echo "Rebooting system now"
+		shutdown -r +1 "System update requires reboot"
+	else
+		echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
+		echo "The system upgrade is staged, please reboot manually soon"
+	fi
 else
 	echo "No reboot is required"
 	echo "Activating system now"

pkgs/convert-flac-dir-to-mp3/convert-flac-dir-to-mp3.py

@@ -1,109 +0,0 @@
-#!/usr/bin/env python
-
-import argparse
-from pathlib import Path
-from progress.bar import Bar
-import shutil
-import subprocess
-
-def files_and_dirs_for_directory(path):
-    filepaths = []
-    dirpaths = []
-
-    for dirpath, dirnames, filenames in path.walk():
-        dirpaths.append(dirpath)
-
-        for filename in filenames:
-            filepath = dirpath / filename
-            filepaths.append(filepath)
-
-    return set(filepaths), set(dirpaths)
-
-def make_paths_relative(paths, relative_to_path):
-    return set(path.relative_to(relative_to_path) for path in paths)
-
-def replace_suffix(path, suffix):
-    return path.with_name(path.stem + suffix)
-
-def convert_filepath(path):
-    if path.suffix == ".flac":
-        return replace_suffix(path, ".mp3")
-
-    return path
-
-def ffmpeg_flac_to_mp3(in_path, out_path):
-    print("")
-    subprocess.run(["ffmpeg", "-hide_banner", "-loglevel", "warning", "-stats", "-i", in_path, "-ab", "320k", "-map_metadata", "0", "-id3v2_version", "3", out_path], check=True)
-    print("")
-
-if __name__ == "__main__":
-
-    parser = argparse.ArgumentParser(prog="convert-flac-dir-to-mp3")
-    parser.add_argument("from_dir", type=Path)
-    parser.add_argument("to_dir", type=Path)
-
-    args = parser.parse_args()
-
-    from_path = args.from_dir.absolute()
-    to_path = args.to_dir.absolute()
-
-    if not from_path.exists():
-        raise Exception("from_path does not exist")
-
-    if not to_path.exists():
-        raise Exception("to_path does not exist")
-
-    if not from_path.is_dir():
-        raise Exception("from_path is not a directory")
-
-    if not to_path.is_dir():
-        raise Exception("to_path is not a directory")
-
-    print(f"Converting {from_path} to {to_path}…")
-
-    from_filepaths, from_dirpaths = files_and_dirs_for_directory(from_path)
-    to_filepaths, to_dirpaths = files_and_dirs_for_directory(to_path)
-
-
-    relative_from_filepaths = make_paths_relative(from_filepaths, from_path)
-    relative_to_filepaths = make_paths_relative(to_filepaths, to_path)
-
-    converted_from_filepaths = set(convert_filepath(filepath) for filepath in relative_from_filepaths)
-
-    filepaths_missing_in_to_path = converted_from_filepaths - relative_to_filepaths
-
-
-    relative_from_dirpaths = make_paths_relative(from_dirpaths, from_path)
-    relative_to_dirpaths = make_paths_relative(to_dirpaths, to_path)
-
-    dirpaths_missing_in_to_path = relative_from_dirpaths - relative_to_dirpaths
-
-    print(f"Missing {len(filepaths_missing_in_to_path)} files and {len(dirpaths_missing_in_to_path)} directories")
-
-    if len(dirpaths_missing_in_to_path) > 0:
-        for dirpath in Bar("Creating directories").iter(dirpaths_missing_in_to_path):
-            (to_path / dirpath).mkdir(parents=True, exist_ok=True)
-
-    if len(filepaths_missing_in_to_path) > 0:
-        for filepath in Bar("Creating files").iter(filepaths_missing_in_to_path):
-            if filepath in relative_from_filepaths:
-                # Just copy the file
-                shutil.copy(from_path / filepath, to_path / filepath)
-            elif filepath.suffix == ".mp3" and replace_suffix(filepath, ".flac") in relative_from_filepaths:
-                # Convert from flac
-                print("")
-                print(f"Converting {to_path / filepath}…")
-
-                # Tempfile for ffmpeg
-                tmpfilepath = filepath.with_name(".~" + filepath.name)
-                (to_path / tmpfilepath).unlink(missing_ok=True)
-
-                print(f"Using tempfile for ffmpeg {to_path / tmpfilepath}…")
-
-                # Convert
-                ffmpeg_flac_to_mp3(from_path / replace_suffix(filepath, ".flac"), to_path / tmpfilepath)
-
-                # Rename tempfile
-                (to_path / tmpfilepath).rename(to_path / filepath)
-            else:
-                raise Exception("Unable to figure out how to get {to_path / filepath} from {from_path}")

pkgs/convert-flac-dir-to-mp3/default.nix

@@ -1,8 +0,0 @@
-{ pkgs, ... }:
-
-pkgs.clerie-build-support.writePythonScript {
-  name = "convert-flac-dir-to-mp3";
-  runtimePackages = ps: with ps; [ progress ];
-  runtimeInputs = [ pkgs.ffmpeg-headless ];
-  text = builtins.readFile ./convert-flac-dir-to-mp3.py;
-}

pkgs/curl-timings/curl-timings.sh

@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-curl -w "Request to %{url}
-
-time_namelookup: %{time_namelookup}s
-time_connect: %{time_connect}s
-time_appconnect: %{time_appconnect}s
-time_pretransfer: %{time_pretransfer}s
-time_starttransfer: %{time_starttransfer}s
-time_posttransfer: %{time_posttransfer}s
-time_queue: %{time_queue}s
-time_redirect: %{time_redirect}s
-time_starttransfer: %{time_starttransfer}s
-
-time_total: %{time_total}s
-" -o /dev/null -s "$@"

pkgs/curl-timings/default.nix

@@ -1,12 +0,0 @@
-{
-  curl,
-  writeShellApplication,
-}:
-
-writeShellApplication {
-  name = "curl-timings";
-  text = builtins.readFile ./curl-timings.sh;
-  runtimeInputs = [
-    curl
-  ];
-}

pkgs/generate-blocked-prefixes/default.nix

@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-
-pkgs.clerie-build-support.writePythonScript {
-  name = "generate-blocked-prefixes";
-  runtimePackages = ps: with ps; [ requests ];
-  text = builtins.readFile ./generate-blocked-prefixes.py;
-}

pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py

@@ -1,39 +0,0 @@
-#!/usr/bin/env python3
-
-import ipaddress
-import requests
-
-blocked_asns = [
-    "45102", # Alibaba (US) Technology Co., Ltd.
-]
-
-r = requests.get('https://bgp.tools/table.txt', stream=True, headers={
-    "User-Agent": "https://git.clerie.de/clerie/nixfiles",
-})
-
-selected_ipv6_prefixes = []
-selected_ipv4_prefixes = []
-
-for line in r.iter_lines(decode_unicode=True):
-    prefix_string, asn_string = line.split()
-
-    if asn_string in blocked_asns:
-        prefix = ipaddress.ip_network(prefix_string)
-
-        if prefix.version == 6:
-            selected_ipv6_prefixes.append(prefix)
-        else:
-            selected_ipv4_prefixes.append(prefix)
-
-selected_ipv6_prefixes = list(ipaddress.collapse_addresses(selected_ipv6_prefixes))
-selected_ipv4_prefixes = list(ipaddress.collapse_addresses(selected_ipv4_prefixes))
-
-selected_ipv6_prefixes.sort()
-selected_ipv4_prefixes.sort()
-
-with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
-    for ipv6_prefix in selected_ipv6_prefixes:
-            blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ipv6_prefix} -j nixos-fw-refuse\n")
-
-    for ipv4_prefix in selected_ipv4_prefixes:
-            blocked_ips_file.write(f"iptables -I nixos-fw -s {ipv4_prefix} -j nixos-fw-refuse\n")

pkgs/git-show-link/default.nix

@@ -1,6 +1,13 @@
 { pkgs, ... }:
 
-pkgs.clerie-build-support.writePythonScript {
+pkgs.writeTextFile {
   name = "git-show-link";
-  text = builtins.readFile ./git-show-link.py;
+  executable = true;
+  destination = "/bin/git-show-link";
+  allowSubstitutes = true;
+  preferLocalBuild = false;
+  text = ''
+    #!${pkgs.python3.withPackages (ps: with ps; [])}/bin/python3
+    ${builtins.readFile ./git-show-link.py}
+  '';
 }

pkgs/grow-last-partition-and-filesystem/default.nix

@@ -1,19 +0,0 @@
-{
-  e2fsprogs,
-  gptfdisk,
-  jq,
-  parted,
-  writeShellApplication,
-}:
-
-writeShellApplication {
-  name = "grow-last-partition-and-filesystem";
-  text = builtins.readFile ./grow-last-partition-and-filesystem.sh;
-  runtimeInputs = [
-    e2fsprogs
-    gptfdisk
-    jq
-    parted
-  ];
-}
-

pkgs/grow-last-partition-and-filesystem/grow-last-partition-and-filesystem.sh

@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-if [[ $# -ne 1 ]]; then
-	echo "Pass device to grow as first argument:"
-	echo "grow-last-partition-and-filesystem DEVICE"
-
-	exit 1
-fi
-
-DEVICE="$1"
-
-echo "Move GTP backup header to end of disk"
-sgdisk "${DEVICE}" --move-second-header
-
-PARTITIONDATA="$(parted --script --json --fix "${DEVICE}" print)"
-PARTNUMBER="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .number')"
-PARTNAME="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .name')"
-
-echo "Growing partition ${DEVICE}${PARTNUMBER} (${PARTNAME})"
-echo
-
-parted "${DEVICE}" resizepart "${PARTNUMBER}" 100%
-
-echo
-echo "Resizing filesystem"
-echo
-
-resize2fs "${DEVICE}${PARTNUMBER}"
-
-echo "Done."

pkgs/overlay.nix

@@ -1,36 +1 @@
-final: prev: {
-  bijwerken-poke = final.callPackage ./bijwerken-poke {};
-  bijwerken-system-upgrade = final.callPackage ./bijwerken-system-upgrade {};
-  clerie-backup = final.callPackage ./clerie-backup {};
-  clerie-cleanup-branches = final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
-  clerie-keys = final.callPackage ./clerie-keys {};
-  clerie-ssh-known-hosts = final.callPackage ./clerie-ssh-known-hosts {};
-  clerie-system-remote-install = final.callPackage ./clerie-system-remote-install {};
-  clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
-  clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
-  clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
-  clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
-  clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
-  chromium-incognito = final.callPackage ./chromium-incognito {};
-  convert-flac-dir-to-mp3 = final.callPackage ./convert-flac-dir-to-mp3 {};
-  curl-timings = final.callPackage ./curl-timings {};
-  factorio-launcher = final.callPackage ./factorio-launcher {};
-  feeds-dir = final.callPackage ./feeds-dir {};
-  generate-blocked-prefixes = final.callPackage ./generate-blocked-prefixes {};
-  git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
-  git-diff-word = final.callPackage ./git-diff-word {};
-  git-pp = final.callPackage ./git-pp {};
-  git-show-link = final.callPackage ./git-show-link {};
-  grow-last-partition-and-filesystem = final.callPackage ./grow-last-partition-and-filesystem {};
-  nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
-  nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
-  nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
-  nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
-  nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
-  pipewire-all-bluetooth = final.callPackage ./pipewire-all-bluetooth {};
-  print-afra = final.callPackage ./print-afra {};
-  run-with-docker-group = final.callPackage ./run-with-docker-group {};
-  ssh-gpg = final.callPackage ./ssh-gpg {};
-  update-from-hydra = final.callPackage ./update-from-hydra {};
-  uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {};
-}
+final: prev: builtins.mapAttrs (name: value: value final prev) (import ./pkgs.nix)

pkgs/overrides/overlay.nix

@@ -1,4 +0,0 @@
-final: prev: {
-  dino = import ./dino.nix final prev;
-  xmppc = import ./xmppc.nix final prev;
-}

pkgs/pipewire-all-bluetooth/all-bluetooth.conf

@@ -1,29 +0,0 @@
-context.modules = [
-{   name = libpipewire-module-combine-stream
-    args = {
-        combine.mode = sink
-        node.name = "all-bluetooth"
-        node.description = "All Bluetooth devices"
-        combine.latency-compensate = false
-        combine.props = {
-            audio.position = [ FL FR ]
-        }
-        stream.props = {
-        }
-        stream.rules = [
-            {
-                matches = [
-                    {
-                        node.name = "~bluez_output.*"
-                        media.class = "Audio/Sink"
-                    }
-                ]
-                actions = {
-                    create-stream = {
-                    }
-                }
-            }
-        ]
-    }
-}
-]

pkgs/pipewire-all-bluetooth/default.nix

@@ -1,9 +0,0 @@
-{
-runCommand,
-... }:
-
-runCommand "pipewire-all-bluetooth" {} ''
-  mkdir -p $out/share/pipewire/pipewire.conf.d
-
-  cp ${./all-bluetooth.conf} $out/share/pipewire/pipewire.conf.d/all-bluetooth.conf
-''

pkgs/pkgs.nix

@@ -0,0 +1,32 @@
+{
+  clerie-backup = final: prev: final.callPackage ./clerie-backup {};
+  clerie-cleanup-branches = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
+  clerie-keys = final: prev: final.callPackage ./clerie-keys {};
+  clerie-system-remote-install = final: prev: final.callPackage ./clerie-system-remote-install {};
+  clerie-system-upgrade = final: prev: final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
+  clerie-merge-nixfiles-update = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
+  clerie-sops = final: prev: final.callPackage ./clerie-sops/clerie-sops.nix {};
+  clerie-sops-config = final: prev: final.callPackage ./clerie-sops/clerie-sops-config.nix {};
+  clerie-sops-edit = final: prev: final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
+  clerie-update-nixfiles = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
+  chromium-incognito = final: prev: final.callPackage ./chromium-incognito {};
+  factorio-launcher = final: prev: final.callPackage ./factorio-launcher {};
+  feeds-dir = final: prev: final.callPackage ./feeds-dir {};
+  git-checkout-github-pr = final: prev: final.callPackage ./git-checkout-github-pr {};
+  git-diff-word = final: prev: final.callPackage ./git-diff-word {};
+  git-pp = final: prev: final.callPackage ./git-pp {};
+  git-show-link = final: prev: final.callPackage ./git-show-link {};
+  nix-remove-result-links = final: prev: final.callPackage ./nix-remove-result-links {};
+  nixfiles-auto-install = final: prev: final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
+  nixfiles-generate-config = final: prev: final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
+  nixfiles-generate-backup-secrets = final: prev: final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
+  nixfiles-update-ssh-host-keys = final: prev: final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
+  print-afra = final: prev: final.callPackage ./print-afra {};
+  run-with-docker-group = final: prev: final.callPackage ./run-with-docker-group {};
+  ssh-gpg = final: prev: final.callPackage ./ssh-gpg {};
+  update-from-hydra = final: prev: final.callPackage ./update-from-hydra {};
+  uptimestatus = final: prev: final.python3.pkgs.callPackage ./uptimestatus {};
+
+  dino = final: prev: import ./overrides/dino.nix final prev;
+  xmppc = final: prev: import ./overrides/xmppc.nix final prev;
+}

pkgs/uptimestatus/default.nix

@@ -4,7 +4,6 @@
   flask,
   requests,
   python,
-  setuptools,
 }:
 
 let
@@ -20,10 +19,6 @@ let
 in buildPythonPackage rec {
   inherit src pname version;
 
-  pyproject = true;
-
-  build-system = [ setuptools ];
-
   propagatedBuildInputs = [
     flask
     requests

profiles/common-nix/default.nix

@@ -1,88 +0,0 @@
-{ lib, pkgs, config, ... }:
-
-with lib;
-
-let
-
-  cfg = config.profiles.clerie.common-nix;
-
-in {
-
-  options.profiles.clerie.common-nix = {
-    enable = mkEnableOption "Common nix config";
-    useClerieNixCache = (mkEnableOption "Use nix cache from clerie") // {
-      default = true;
-    };
-  };
-
-  config = mkIf config.profiles.clerie.common-nix.enable {
-
-    clerie.nixfiles.enable = true;
-
-    services.bijwerken.enable = true;
-
-    nix.settings = {
-      trusted-users = [ "@wheel" ];
-      auto-optimise-store = true;
-      # Keep buildtime dependencies
-      keep-outputs = true;
-      # Build local, when caches are broken
-      fallback = true;
-    };
-
-    nix.gc = lib.mkDefault {
-      automatic = true;
-      dates = "weekly";
-      options = "--delete-older-than 30d";
-    };
-
-
-    nix.settings = {
-      experimental-features = [
-        "flakes"
-        "nix-command"
-      ];
-      substituters = if cfg.useClerieNixCache then [
-        "https://nix-cache.clerie.de"
-      ] else [];
-      trusted-public-keys = if cfg.useClerieNixCache then [
-        "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
-      ] else [];
-    };
-
-    # Pin current nixpkgs channel and flake registry to the nixpkgs version
-    # the host got build with
-    nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
-    nix.registry = {
-      "nixpkgs" = lib.mkForce {
-         from = {
-           type = "indirect";
-           id = "nixpkgs";
-         };
-         to = {
-           type = "path";
-           path = lib.cleanSource pkgs.path;
-         };
-         exact = true;
-      };
-      "templates" = {
-         from = {
-           type = "indirect";
-           id = "templates";
-         };
-         to = {
-           type = "git";
-           url = "https://git.clerie.de/clerie/flake-templates.git";
-         };
-      };
-    };
-
-    documentation.doc.enable = false;
-
-    environment.systemPackages = with pkgs; [
-      nix-remove-result-links
-    ];
-
-  };
-
-}

profiles/common-webserver/default.nix

@@ -40,12 +40,7 @@ in {
         log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
                                   '"$request" $status $body_bytes_sent '
                                   '"$http_referer" "$http_user_agent"';
-        log_format vcombined_anon_monitoring '$host: $remote_addr_anon - $remote_user [$time_local] '
-                                  '"$request" $status $body_bytes_sent '
-                                  '"$http_referer" "$http_user_agent" '
-                                  '"$server_name" '
-                                  'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
-        access_log /var/log/nginx/access.log vcombined_anon_monitoring;
+        access_log /var/log/nginx/access.log vcombined_anon;
       '';
 
       virtualHosts = mkIf cfg.httpDefaultVirtualHost {

profiles/common/default.nix

@@ -13,7 +13,6 @@ with lib;
     profiles.clerie.common-dns.enable = mkDefault true;
 
     profiles.clerie.common-networking.enable = mkDefault true;
-    profiles.clerie.common-nix.enable = mkDefault true;
 
     profiles.clerie.common-webserver.enable = mkDefault true;
 

profiles/default.nix

@@ -6,14 +6,11 @@
     ./common
     ./common-dns
     ./common-networking
-    ./common-nix
     ./common-webserver
     ./cybercluster-vm
-    ./desktop
     ./dn42-router
     ./fem-net
     ./firefox
-    ./gpg-ssh
     ./hetzner-cloud
     ./hydra-build-machine
     ./mercury-vm

profiles/desktop/audio.nix

@@ -1,31 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    services.pulseaudio.enable = false;
-
-    security.rtkit.enable = true;
-    services.pipewire = {
-      enable = true;
-      alsa = {
-        enable = true;
-        support32Bit = true;
-      };
-      pulse = {
-        enable = true;
-      };
-      configPackages = [
-        pkgs.pipewire-all-bluetooth
-      ];
-    };
-
-    environment.systemPackages = with pkgs; [
-      helvum # pipewire routing gui
-    ];
-
-  };
-}

profiles/desktop/default.nix

@@ -1,30 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-{
-
-  options.profiles.clerie.desktop = {
-    enable = mkEnableOption "clerie Desktop Config";
-  };
-
-  imports = [
-    ./audio.nix
-    ./firmware.nix
-    ./fonts.nix
-    ./gnome.nix
-    ./inputs.nix
-    ./networking.nix
-    ./polkit.nix
-    ./power.nix
-    ./printing.nix
-    ./ssh.nix
-    ./xserver.nix
-  ];
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    security.sudo.wheelNeedsPassword = true;
-
-  };
-}

profiles/desktop/firmware.nix

@@ -1,13 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    services.fwupd.enable = true;
-
-  };
-
-}

profiles/desktop/fonts.nix

@@ -1,20 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    fonts.enableDefaultPackages = true;
-    fonts.packages = with pkgs; [
-      roboto
-      roboto-mono
-      noto-fonts
-      noto-fonts-emoji
-      comfortaa
-    ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
-
-  };
-
-}

profiles/desktop/gnome.nix

@@ -1,69 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    services.gnome = {
-      localsearch.enable = false;
-      tinysparql.enable = false;
-    };
-
-    environment.gnome.excludePackages = with pkgs; [
-      baobab
-      epiphany
-      gnome-calendar
-      gnome-clocks
-      gnome-console
-      gnome-contacts
-      gnome-logs
-      gnome-maps
-      gnome-music
-      gnome-tour
-      gnome-photos
-      gnome-weather
-      gnome-connections
-      simple-scan
-      yelp
-      geary
-    ];
-
-    environment.systemPackages = with pkgs; [
-      evolution
-      gnome-terminal
-      gnome-tweaks
-    ];
-
-    services.gnome.evolution-data-server.enable = true;
-
-    programs.dconf.profiles = {
-      user.databases = [
-        {
-          settings = {
-            "org/gnome/desktop/calendar" = {
-              show-weekdate = true;
-            };
-            "org/gnome/desktop/interface" = {
-              enable-hot-corners = false;
-              show-battery-percentage = true;
-            };
-            "org/gnome/desktop/notifications" = {
-              show-in-lock-screen = false;
-            };
-            "org/gnome/desktop/sound" = {
-              event-sounds = false;
-            };
-            "org/gnome/gnome-system-monitor" = {
-              network-in-bits = true;
-              network-total-in-bits = true;
-            };
-          };
-        }
-      ];
-    };
-
-  };
-
-}

profiles/desktop/inputs.nix

@@ -1,51 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    programs.dconf.profiles = {
-      user.databases = [
-        {
-          settings = {
-            "org/gnome/desktop/peripherals/touchpad" = {
-              disable-while-typing = false;
-              edge-scrolling-enabled = false;
-              natural-scroll = true;
-              tap-to-click = true;
-              two-finger-scrolling-enabled = true;
-            };
-            "org/gnome/settings-daemon/plugins/media-keys" = {
-              custom-keybindings = [
-                "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
-              ];
-              mic-mute = [ "<Control>Print" ];
-            };
-            "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
-              name = "Terminal";
-              binding = "<Primary><Alt>t";
-              command = "gnome-terminal";
-            };
-          };
-        }
-      ];
-      gdm.databases = [
-        {
-          settings = {
-            "org/gnome/desktop/peripherals/touchpad" = {
-              disable-while-typing = false;
-              edge-scrolling-enabled = false;
-              natural-scroll = true;
-              tap-to-click = true;
-              two-finger-scrolling-enabled = true;
-            };
-          };
-        }
-      ];
-    };
-
-  };
-
-}

profiles/desktop/networking.nix

@@ -1,20 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    networking.networkmanager.settings = {
-      connectivity = {
-        uri = "http://ping.clerie.de/nm-check.txt";
-      };
-      global-dns = {
-        searches = "net.clerie.de";
-      };
-    };
-
-  };
-
-}

profiles/desktop/polkit.nix

@@ -1,13 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    security.polkit.enable = true;
-
-  };
-
-}

profiles/desktop/power.nix

@@ -1,50 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
-    services.logind = {
-      lidSwitch = "suspend-then-hibernate";
-    };
-    systemd.sleep.extraConfig = ''
-      HibernateDelaySec=30m
-    '';
-
-    services.upower = {
-      percentageLow = 20;
-      percentageCritical = 10;
-      percentageAction = 8;
-    };
-
-    programs.dconf.profiles = {
-      user.databases = [
-        {
-          settings = {
-            "org/gnome/settings-daemon/plugins/power" = {
-              power-button-action = "hibernate";
-              power-saver-profile-on-low-battery = false;
-              sleep-inactive-ac-type = "nothing";
-            };
-          };
-        }
-      ];
-      gdm.databases = [
-        {
-          settings = {
-            "org/gnome/settings-daemon/plugins/power" = {
-              power-button-action = "hibernate";
-              power-saver-profile-on-low-battery = false;
-              sleep-inactive-ac-type = "nothing";
-            };
-          };
-        }
-      ];
-    };
-
-  };
-
-}

profiles/desktop/printing.nix

@@ -1,14 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    services.printing.enable = true;
-    services.avahi.enable = true;
-    services.avahi.nssmdns4 = true;
-
-  };
-}

profiles/desktop/ssh.nix

@@ -1,39 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    profiles.clerie.gpg-ssh.enable = true;
-
-    programs.gnupg.agent = {
-      pinentryPackage = pkgs.pinentry-gtk2;
-    };
-
-    # Do not disable ssh-agent of gnome-keyring, because
-    # gnupg ssh-agent can't handle normal SSH keys properly
-    /*
-    # Disable ssh-agent of gnome-keyring
-    nixpkgs.overlays = [
-      (final: prev: {
-        gnome = prev.gnome // {
-          gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
-            mkdir -p $out
-
-            # Symlink all gnome-keyring binaries
-            ${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
-
-            # Disable autostart for ssh
-            rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-            cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-            echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-          '';
-        };
-      })
-    ];
-    */
-
-  };
-}

profiles/desktop/xserver.nix

@@ -1,18 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  config = mkIf config.profiles.clerie.desktop.enable {
-
-    services.xserver.enable = true;
-    services.displayManager.gdm.enable = true;
-    services.desktopManager.gnome.enable = true;
-
-    services.xserver.excludePackages = with pkgs; [
-      xterm
-    ];
-
-  };
-}