flake.lock: Update

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/8cd5ce828d5d1d16feff37340171a98fc3bf6526?narHash=sha256-mCxPABZ6jRjUQx3bPP4vjA68ETbPLNz9V2pk9tO7pRQ%3D' (2025-09-10)
  → 'github:nixos/nixpkgs/9a094440e02a699be5c57453a092a8baf569bdad?narHash=sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs%3D' (2025-09-14)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/ab0f3607a6c7486ea22229b92ed2d355f1482ee0?narHash=sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/%2BG0lKfv4kk/5Izdg%3D' (2025-09-10)
  → 'github:nixos/nixpkgs/c23193b943c6c689d70ee98ce3128239ed9e32d1?narHash=sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820%3D' (2025-09-13)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/0bf793823386187dff101ee2a9d4ed26de8bbf8c?narHash=sha256-S9F6bHUBh%2BCFEUalv/qxNImRapCxvSnOzWBUZgK1zDU%3D' (2025-09-10)
  → 'github:Mic92/sops-nix/ee6f91c1c11acf7957d94a130de77561ec24b8ab?narHash=sha256-TumOaykhZO8SOs/faz6GQhqkOcFLoQvESLSF1cJ4mZc%3D' (2025-09-14)

.gitignore

@@ -1 +1,2 @@
 .direnv/
+result

.sops.yaml

@@ -9,6 +9,12 @@ keys:
   - &server_inc1 age1g5luz2rtel3surgzuh62rkvtey7lythrvfenyq954vmeyfpxjqkqdj3wt8
   - &server_http-proxy age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m
   - &server_ca age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk
+  - &server_monitoring01 age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey
+  - &server_jelly01 age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq
+  - &server_nix-cache01 age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6
+  - &server_pgdb1 age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv
+  - &server_nats1 age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga
+  - &server_auth01 age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)
     key_groups:
@@ -23,6 +29,12 @@ creation_rules:
         - *server_inc1
         - *server_http-proxy
         - *server_ca
+        - *server_monitoring01
+        - *server_jelly01
+        - *server_nix-cache01
+        - *server_pgdb1
+        - *server_nats1
+        - *server_auth01
   - path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini)
     key_groups:
       - age:
@@ -33,8 +45,28 @@ creation_rules:
       - age:
         - *admin_torjus
         - *server_ca
+  - path_regex: secrets/monitoring01/[^/]+\.(yaml|json|env|ini)
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_monitoring01
   - path_regex: secrets/ca/keys/.+
     key_groups:
       - age:
         - *admin_torjus
         - *server_ca
+  - path_regex: secrets/nix-cache01/.+
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_nix-cache01
+  - path_regex: secrets/http-proxy/.+
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_http-proxy
+  - path_regex: secrets/auth01/[^/]+\.(yaml|json|env|ini|)
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_auth01

common/vm/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./qemu-guest.nix
+  ];
+}

common/vm/qemu-guest.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.qemuGuest.enable = true;
+}

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "alerttonotify": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1739310461,
+        "narHash": "sha256-GscftfATX84Aae9FObrQOe+hr5MsEma2Fc5fdzuu3hA=",
+        "ref": "master",
+        "rev": "53915cec6356be1a2d44ac2cbd0a71b32d679e6f",
+        "revCount": 7,
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/alerttonotify"
+      },
+      "original": {
+        "ref": "master",
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/alerttonotify"
+      }
+    },
     "backup-helper": {
       "inputs": {
         "nixpkgs": [
@@ -7,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1727998045,
+        "lastModified": 1738015166,
-        "narHash": "sha256-BOvQHqs50Hk1sevvuJQai83kYuwTN27FTgmTitPsJtw=",
+        "narHash": "sha256-573tR4aXNjILKvYnjZUM5DZZME2H6YTHJkUKs3ZehFU=",
         "ref": "master",
-        "rev": "162c35769cc06b117b6753eb93460af650b64921",
+        "rev": "f9540cc065692c7ca80735e7b08399459e0ea6d6",
-        "revCount": 31,
+        "revCount": 35,
         "type": "git",
         "url": "https://git.t-juice.club/torjus/backup-helper"
       },
@@ -21,29 +42,50 @@
         "url": "https://git.t-juice.club/torjus/backup-helper"
       }
     },
+    "labmon": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748983975,
+        "narHash": "sha256-DA5mOqxwLMj/XLb4hvBU1WtE6cuVej7PjUr8N0EZsCE=",
+        "ref": "master",
+        "rev": "040a73e891a70ff06ec7ab31d7167914129dbf7d",
+        "revCount": 17,
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/labmon"
+      },
+      "original": {
+        "ref": "master",
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/labmon"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1732749044,
+        "lastModified": 1757810152,
-        "narHash": "sha256-T38FQOg0BV5M8FN1712fovzNakSOENEYs+CSkg31C9Y=",
+        "narHash": "sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0c5b4ecbed5b155b705336aa96d878e55acd8685",
+        "rev": "9a094440e02a699be5c57453a092a8baf569bdad",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1732521221,
+        "lastModified": 1757745802,
-        "narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
+        "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
+        "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
         "type": "github"
       },
       "original": {
@@ -55,7 +97,9 @@
     },
     "root": {
       "inputs": {
+        "alerttonotify": "alerttonotify",
         "backup-helper": "backup-helper",
+        "labmon": "labmon",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "sops-nix": "sops-nix"
@@ -68,11 +112,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1732575825,
+        "lastModified": 1757847158,
-        "narHash": "sha256-xtt95+c7OUMoqZf4OvA/7AemiH3aVuWHQbErYQoPwFk=",
+        "narHash": "sha256-TumOaykhZO8SOs/faz6GQhqkOcFLoQvESLSF1cJ4mZc=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "3433ea14fbd9e6671d0ff0dd45ed15ee4c156ffa",
+        "rev": "ee6f91c1c11acf7957d94a130de77561ec24b8ab",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,18 +2,25 @@
   description = "Homelab v5 Nixos Server Configurations";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.05";
     nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
 
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.nixpkgs-stable.follows = "nixpkgs";
     };
     backup-helper = {
       url = "git+https://git.t-juice.club/torjus/backup-helper?ref=master";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+    alerttonotify = {
+      url = "git+https://git.t-juice.club/torjus/alerttonotify?ref=master";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    labmon = {
+      url = "git+https://git.t-juice.club/torjus/labmon?ref=master";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
   };
 
   outputs =
@@ -23,6 +30,8 @@
       nixpkgs-unstable,
       sops-nix,
       backup-helper,
+      alerttonotify,
+      labmon,
       ...
     }@inputs:
     let
@@ -33,6 +42,19 @@
           config.allowUnfree = true;
         };
       };
+      commonOverlays = [
+        overlay-unstable
+        alerttonotify.overlays.default
+        labmon.overlays.default
+      ];
+      allSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
+      forAllSystems =
+        f: nixpkgs.lib.genAttrs allSystems (system: f { pkgs = import nixpkgs { inherit system; }; });
     in
     {
       nixosConfigurations = {
@@ -45,7 +67,7 @@
             (
               { config, pkgs, ... }:
               {
-                nixpkgs.overlays = [ overlay-unstable ];
+                nixpkgs.overlays = commonOverlays;
               }
             )
             ./hosts/ns1
@@ -61,7 +83,7 @@
             (
               { config, pkgs, ... }:
               {
-                nixpkgs.overlays = [ overlay-unstable ];
+                nixpkgs.overlays = commonOverlays;
               }
             )
             ./hosts/ns2
@@ -77,7 +99,7 @@
             (
               { config, pkgs, ... }:
               {
-                nixpkgs.overlays = [ overlay-unstable ];
+                nixpkgs.overlays = commonOverlays;
               }
             )
             ./hosts/ns3
@@ -93,7 +115,7 @@
             (
               { config, pkgs, ... }:
               {
-                nixpkgs.overlays = [ overlay-unstable ];
+                nixpkgs.overlays = commonOverlays;
               }
             )
             ./hosts/ns4
@@ -109,7 +131,7 @@
             (
               { config, pkgs, ... }:
               {
-                nixpkgs.overlays = [ overlay-unstable ];
+                nixpkgs.overlays = commonOverlays;
               }
             )
             ./hosts/nixos-test1
@@ -126,7 +148,7 @@
             (
               { config, pkgs, ... }:
               {
-                nixpkgs.overlays = [ overlay-unstable ];
+                nixpkgs.overlays = commonOverlays;
               }
             )
             ./hosts/ha1
@@ -134,40 +156,6 @@
             backup-helper.nixosModules.backup-helper
           ];
         };
-        inc1 = nixpkgs.lib.nixosSystem {
-          inherit system;
-          specialArgs = {
-            inherit inputs self sops-nix;
-          };
-          modules = [
-            (
-              { config, pkgs, ... }:
-              {
-                nixpkgs.overlays = [ overlay-unstable ];
-              }
-            )
-            ./hosts/inc1
-            sops-nix.nixosModules.sops
-            # backup-helper.nixosModules.backup-helper
-          ];
-        };
-        inc2 = nixpkgs.lib.nixosSystem {
-          inherit system;
-          specialArgs = {
-            inherit inputs self sops-nix;
-          };
-          modules = [
-            (
-              { config, pkgs, ... }:
-              {
-                nixpkgs.overlays = [ overlay-unstable ];
-              }
-            )
-            ./hosts/inc2
-            sops-nix.nixosModules.sops
-            # backup-helper.nixosModules.backup-helper
-          ];
-        };
         template1 = nixpkgs.lib.nixosSystem {
           inherit system;
           specialArgs = {
@@ -177,7 +165,7 @@
             (
               { config, pkgs, ... }:
               {
-                nixpkgs.overlays = [ overlay-unstable ];
+                nixpkgs.overlays = commonOverlays;
               }
             )
             ./hosts/template
@@ -193,7 +181,7 @@
             (
               { config, pkgs, ... }:
               {
-                nixpkgs.overlays = [ overlay-unstable ];
+                nixpkgs.overlays = commonOverlays;
               }
             )
             ./hosts/http-proxy
@@ -209,13 +197,138 @@
             (
               { config, pkgs, ... }:
               {
-                nixpkgs.overlays = [ overlay-unstable ];
+                nixpkgs.overlays = commonOverlays;
               }
             )
             ./hosts/ca
             sops-nix.nixosModules.sops
           ];
         };
+        monitoring01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
           };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/monitoring01
+            sops-nix.nixosModules.sops
+            backup-helper.nixosModules.backup-helper
+            labmon.nixosModules.labmon
+          ];
+        };
+        jelly01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/jelly01
+            sops-nix.nixosModules.sops
+          ];
+        };
+        nix-cache01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/nix-cache01
+            sops-nix.nixosModules.sops
+          ];
+        };
+        media1 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/media1
+            sops-nix.nixosModules.sops
+          ];
+        };
+        pgdb1 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/pgdb1
+            sops-nix.nixosModules.sops
+          ];
+        };
+        nats1 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/nats1
+            sops-nix.nixosModules.sops
+          ];
+        };
+        auth01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/auth01
+            sops-nix.nixosModules.sops
+          ];
+        };
+      };
+      devShells = forAllSystems (
+        { pkgs }:
+        {
+          default = pkgs.mkShell {
+            packages = with pkgs; [
+              ansible
+              python3
+            ];
+          };
+        }
+      );
     };
 }

hosts/auth01/configuration.nix

@@ -0,0 +1,65 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "auth01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.18/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  services.qemuGuest.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/auth01/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/lldap
+    ../../services/authelia
+  ];
+}

hosts/ca/configuration.nix

@@ -8,6 +8,7 @@
     ../template/hardware-configuration.nix
 
     ../../system
+    ../../common/vm
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -35,7 +36,7 @@
       "10.69.13.12/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/ha1/configuration.nix

@@ -1,11 +1,16 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
-  imports =
+  imports = [
-    [
     ../template/hardware-configuration.nix
 
     ../../system
+    ../../common/vm
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -33,13 +38,16 @@
       "10.69.13.9/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };
   time.timeZone = "Europe/Oslo";
 
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
   nix.settings.tarball-ttl = 0;
   environment.systemPackages = with pkgs; [
     vim
@@ -67,4 +75,3 @@
 
   system.stateVersion = "23.11"; # Did you read the comment?
 }
-

hosts/http-proxy/configuration.nix

@@ -8,6 +8,7 @@
     ../template/hardware-configuration.nix
 
     ../../system
+    ../../common/vm
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -35,7 +36,7 @@
       "10.69.13.11/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/http-proxy/default.nix

@@ -3,5 +3,6 @@
   imports = [
     ./configuration.nix
     ../../services/http-proxy
+    ./wireguard.nix
   ];
 }

hosts/http-proxy/wireguard.nix

@@ -0,0 +1,33 @@
+{ config, ... }:
+{
+  sops.secrets.wireguard_private_key = {
+    sopsFile = ../../secrets/http-proxy/wireguard.yaml;
+    key = "wg_private_key";
+  };
+  networking.wireguard = {
+    enable = true;
+    useNetworkd = true;
+
+    interfaces = {
+      wg0 = {
+        ips = [ "10.69.222.3/24" ];
+        mtu = 1384;
+        listenPort = 51820;
+        privateKeyFile = config.sops.secrets.wireguard_private_key.path;
+        peers = [
+          {
+            name = "docker2.t-juice.club";
+            endpoint = "docker2.t-juice.club:51820";
+            publicKey = "32Rb13wExcy8uI92JTnFdiOfkv0mlQ6f181WA741DHs=";
+            allowedIPs = [ "10.69.222.0/24" ];
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+  # monitoring
+  services.prometheus.exporters.wireguard = {
+    enable = true;
+  };
+}

hosts/inc1/configuration.nix

@@ -1,96 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{ config, lib, pkgs, ... }:
-
-{
-  imports =
-    [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../../system
-      ../../services/incus
-    ];
-
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-  };
-
-  networking.hostName = "inc1";
-  networking.domain = "home.2rjus.net";
-  networking.useNetworkd = true;
-  networking.useDHCP = false;
-  networking.nftables.enable = true;
-  networking.firewall.trustedInterfaces = [ "vlan13" ];
-
-  services.resolved.enable = true;
-  networking.nameservers = [
-    "10.69.13.5"
-    "10.69.13.6"
-  ];
-
-  systemd.network.enable = true;
-  # Primary interface
-  systemd.network.networks."enp2s0" = {
-    matchConfig.Name = "enp2s0";
-    address = [
-      "10.69.12.80/24"
-    ];
-    networkConfig = {
-      VLAN = [ "enp2s0.13" ];
-    };
-    routes = [
-      { routeConfig.Gateway = "10.69.12.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-  };
-
-  # VLAN 13 netdev
-  systemd.network.netdevs."enp2s0.13" = {
-    enable = true;
-    netdevConfig = {
-      Kind = "vlan";
-      Name = "enp2s0.13";
-    };
-    vlanConfig = {
-      Id = 13;
-    };
-  };
-
-  # # Bridge netdev
-  # systemd.network.netdevs."br13" = {
-  #   netdevConfig = {
-  #     Name = "br13";
-  #     Kind = "bridge";
-  #   };
-  # };
-
-  # # Bridge network
-  # systemd.network.networks."br13" = {
-  #   matchConfig.Name = "enp2s0.13";
-  #   networkConfig.Bridge = "br13";
-  # };
-
-  time.timeZone = "Europe/Oslo";
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  nix.settings.tarball-ttl = 0;
-  environment.systemPackages = with pkgs; [
-    tcpdump
-    vim
-    wget
-    git
-  ];
-
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-  # services.openssh.settings.PermitRootLogin = "yes";
-
-  system.stateVersion = "24.05"; # Did you read the comment?
-}
-

hosts/inc1/hardware-configuration.nix

@@ -1,41 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/faa60038-b3a4-448a-8909-49857818c955";
-      fsType = "xfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/7A94-A91C";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/f7a4f85e-0b4b-492d-a611-f50d2b915c2c"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/inc2/configuration.nix

@@ -1,96 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{ config, lib, pkgs, ... }:
-
-{
-  imports =
-    [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../../system
-      ../../services/incus
-    ];
-
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-  };
-
-  networking.hostName = "inc2";
-  networking.domain = "home.2rjus.net";
-  networking.useNetworkd = true;
-  networking.useDHCP = false;
-  networking.nftables.enable = true;
-  networking.firewall.trustedInterfaces = [ "vlan13" ];
-
-  services.resolved.enable = true;
-  networking.nameservers = [
-    "10.69.13.5"
-    "10.69.13.6"
-  ];
-
-  systemd.network.enable = true;
-  # Primary interface
-  systemd.network.networks."enp2s0" = {
-    matchConfig.Name = "enp2s0";
-    address = [
-      "10.69.12.81/24"
-    ];
-    networkConfig = {
-      VLAN = [ "enp2s0.13" ];
-    };
-    routes = [
-      { routeConfig.Gateway = "10.69.12.1"; }
-    ];
-    linkConfig.RequiredForOnline = "routable";
-  };
-
-  # VLAN 13 netdev
-  systemd.network.netdevs."enp2s0.13" = {
-    enable = true;
-    netdevConfig = {
-      Kind = "vlan";
-      Name = "enp2s0.13";
-    };
-    vlanConfig = {
-      Id = 13;
-    };
-  };
-
-  # # Bridge netdev
-  # systemd.network.netdevs."br13" = {
-  #   netdevConfig = {
-  #     Name = "br13";
-  #     Kind = "bridge";
-  #   };
-  # };
-
-  # # Bridge network
-  # systemd.network.networks."br13" = {
-  #   matchConfig.Name = "enp2s0.13";
-  #   networkConfig.Bridge = "br13";
-  # };
-
-  time.timeZone = "Europe/Oslo";
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  nix.settings.tarball-ttl = 0;
-  environment.systemPackages = with pkgs; [
-    tcpdump
-    vim
-    wget
-    git
-  ];
-
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-  # services.openssh.settings.PermitRootLogin = "yes";
-
-  system.stateVersion = "24.05"; # Did you read the comment?
-}
-

hosts/jelly01/configuration.nix

@@ -0,0 +1,69 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "jelly01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.14/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  services.qemuGuest.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  zramSwap = {
+    enable = true;
+  };
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/jelly01/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/jellyfin
+  ];
+}

hosts/jump/configuration.nix

@@ -29,7 +29,7 @@
       "10.69.13.10/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/media1/configuration.nix

@@ -0,0 +1,76 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+
+    ../../system
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  # Use the systemd-boot EFI boot loader.
+  boot = {
+    loader.systemd-boot = {
+      enable = true;
+      configurationLimit = 5;
+      memtest86.enable = true;
+    };
+    loader.efi.canTouchEfiVariables = true;
+    supportedFilesystems = [ "nfs" ];
+  };
+
+  networking.hostName = "media1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."enp2s0" = {
+    matchConfig.Name = "enp2s0";
+    address = [
+      "10.69.12.82/24"
+    ];
+    routes = [
+      { Gateway = "10.69.12.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  # Graphics
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      vaapiVdpau
+      libvdpau-va-gl
+    ];
+  };
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/media1/default.nix

@@ -1,5 +1,7 @@
-{ ... }: {
+{ ... }:
+{
   imports = [
     ./configuration.nix
+    ./kodi.nix
   ];
 }

hosts/media1/kodi.nix

@@ -0,0 +1,29 @@
+{ pkgs, ... }:
+let
+  kodipkg = pkgs.kodi-wayland.withPackages (
+    p: with p; [
+      jellyfin
+    ]
+  );
+in
+{
+  users.users.kodi = {
+    isNormalUser = true;
+    description = "Kodi Media Center user";
+  };
+  #services.xserver = {
+  #  enable = true;
+  #};
+  services.cage = {
+    enable = true;
+    user = "kodi";
+    environment = {
+      XKB_DEFAULT_LAYOUT = "no";
+    };
+    program = "${kodipkg}/bin/kodi";
+  };
+
+  environment.systemPackages = with pkgs; [
+    firefox
+  ];
+}

hosts/monitoring01/configuration.nix

@@ -0,0 +1,134 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "monitoring01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.13/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+    sqlite
+  ];
+
+  services.qemuGuest.enable = true;
+
+  sops.secrets."backup_helper_secret" = { };
+  backup-helper = {
+    enable = true;
+    password-file = "/run/secrets/backup_helper_secret";
+    backup-dirs = [
+      "/var/lib/grafana/plugins"
+    ];
+    backup-commands = [
+      # "grafana.db:${pkgs.sqlite}/bin/sqlite /var/lib/grafana/data/grafana.db .dump"
+      "grafana.db:${pkgs.sqlite}/bin/sqlite3 /var/lib/grafana/data/grafana.db .dump"
+    ];
+  };
+
+  labmon = {
+    enable = true;
+
+    settings = {
+      ListenAddr = ":9969";
+      Profiling = true;
+      StepMonitors = [
+        {
+          Enabled = true;
+          BaseURL = "https://ca.home.2rjus.net";
+          RootID = "3381bda8015a86b9a3cd1851439d1091890a79005e0f1f7c4301fe4bccc29d80";
+        }
+      ];
+
+      TLSConnectionMonitors = [
+        {
+          Enabled = true;
+          Address = "ca.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "jelly.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "grafana.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "prometheus.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "alertmanager.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "pyroscope.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+      ];
+    };
+  };
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/monitoring01/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/monitoring
+  ];
+}

hosts/nats1/configuration.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "nats1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.17/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/nats1/default.nix

@@ -1,5 +1,7 @@
-{ ... }: {
+{ ... }:
+{
   imports = [
     ./configuration.nix
+    ../../services/nats
   ];
 }

hosts/nix-cache01/configuration.nix

@@ -0,0 +1,69 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/nixcache";
+    fsType = "xfs";
+  };
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "nix-cache01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.15/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  services.qemuGuest.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/nix-cache01/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/nix-cache
+    ../../services/actions-runner
+    ./zram.nix
+  ];
+}

hosts/nix-cache01/zram.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  zramSwap = {
+    enable = true;
+  };
+}

hosts/nixos-test1/configuration.nix

@@ -30,7 +30,7 @@
       "10.69.13.10/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/ns1/configuration.nix

@@ -1,13 +1,18 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
-  imports =
+  imports = [
-    [
     ../template/hardware-configuration.nix
 
     ../../system
     ../../services/ns/master-authorative.nix
     ../../services/ns/resolver.nix
+    ../../common/vm
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -32,13 +37,16 @@
       "10.69.13.5/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };
   time.timeZone = "Europe/Oslo";
 
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
   nix.settings.tarball-ttl = 0;
   environment.systemPackages = with pkgs; [
     vim
@@ -54,4 +62,3 @@
 
   system.stateVersion = "23.11"; # Did you read the comment?
 }
-

hosts/ns2/configuration.nix

@@ -1,13 +1,18 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
-  imports =
+  imports = [
-    [
     ../template/hardware-configuration.nix
 
     ../../system
     ../../services/ns/secondary-authorative.nix
     ../../services/ns/resolver.nix
+    ../../common/vm
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -32,13 +37,16 @@
       "10.69.13.6/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };
   time.timeZone = "Europe/Oslo";
 
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
   environment.systemPackages = with pkgs; [
     vim
     wget
@@ -53,4 +61,3 @@
 
   system.stateVersion = "23.11"; # Did you read the comment?
 }
-

hosts/ns3/configuration.nix

@@ -32,7 +32,7 @@
       "10.69.13.7/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/ns4/configuration.nix

@@ -32,7 +32,7 @@
       "10.69.13.8/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/pgdb1/configuration.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "pgdb1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.16/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/pgdb1/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/postgres
+  ];
+}

hosts/template/configuration.nix

@@ -28,7 +28,7 @@
       "10.69.8.250/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.8.1"; }
+      { Gateway = "10.69.8.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/template/hardware-configuration.nix

@@ -1,4 +1,10 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
   imports = [
@@ -13,17 +19,17 @@
     "sr_mod"
   ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [
+    "ptp_kvm"
+  ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    {
     device = "/dev/disk/by-label/root";
     fsType = "xfs";
   };
 
-  swapDevices =
+  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
-    [{ device = "/dev/disk/by-label/swap"; }];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -34,4 +40,3 @@
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
-

inventory

@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+import json
+import subprocess
+
+IGNORED_HOSTS = [
+    "inc1",
+    "inc2",
+    "media1",
+    "nixos-test1",
+    "ns3",
+    "ns4",
+    "template1",
+]
+
+result = subprocess.run(["nix", "flake", "show", "--json"], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
+results = json.loads(result.stdout)
+
+configs = results.get("nixosConfigurations")
+hosts = [x for x in configs.keys() if x not in IGNORED_HOSTS]
+
+output = {
+    "all": {
+        "hosts": hosts,
+        "vars": {
+            "ansible_python_interpreter": "/run/current-system/sw/bin/python3"
+        },
+    }
+}
+
+print(json.dumps(output))

playbooks/run-upgrade.yml

@@ -0,0 +1,9 @@
+---
+- name: Trigger nixos-upgrade job on all hosts
+  hosts: all
+  remote_user: root
+
+  tasks:
+    - ansible.builtin.systemd_service:
+        name: nixos-upgrade.service
+        state: started

rebuild-all.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# array of hosts
+HOSTS=(
+    "ns1"
+    "ns2"
+    "ca"
+    "ha1"
+    "http-proxy"
+    "jelly01"
+    "monitoring01"
+    "nix-cache01"
+    "pgdb1"
+)
+
+for host in "${HOSTS[@]}"; do
+    echo "Rebuilding $host"
+    nixos-rebuild boot --flake .#${host} --target-host root@${host}
+done

secrets/auth01/secrets.yaml

@@ -0,0 +1,33 @@
+authelia_ldap_password: ENC[AES256_GCM,data:x2UDMpqQKoRVSlDSmK5XiC9x4/WWzmjk7cwtFA70waAD7xYQfXEOV+AeX1LlFfj0qHYrhyn//TLsa+tJzb7HPEAfl8vYR4MdkVFOm5vjPWWoF5Ul8ZVn8+B1VJLbiXkexv0/hfXL8NMzEcp/pF4H0Yei7xaKezu9OPtGzKufHws=,iv:88RXaOj8Zy9fGeDLAE0ItY7TKCCzxn6F0+kU5+Zy/XU=,tag:yPdCJ9d139iO6J97thVVgA==,type:str]
+authelia_jwt_secret: ENC[AES256_GCM,data:9ZHkT2o5KZLmml95g8HZce8fNBmaWtRn+175Gaz0KhsndNl3zdgGq3hydRuoZuEgLVsherJImVmb5DQAZpv04lUEsDKCYeFNwAyYl4Go2jCp1fI53fdcRCKlNVZA37pMi4AYaCoe8vIl/cwPOOBDEwK5raOBnklCzVERoO0B8a0=,iv:9CTWCw0ImZR0OSrl2znbhpRHlzAxA5Cpcy98JeH9Z+Y=,tag:L+0xKqiwXTi7XiDYWA1Bcw==,type:str]
+authelia_storage_encryption_key_file: ENC[AES256_GCM,data:RfbcQK8+rrW/Krd2rbDfgo7YI2YvQKqpLuDtk5DZJNNhw4giBh5nFp/8LNeo8r39/oiJLYTe6FjTLBu72TZz2wWrJFsBqjwQ/3TfATQGdLUsaXXRDr88ezHLTiYvEHIHJhUS5qsr7VMwBam5e7YGWBe5sGZCE/nX41ijyPUjtOY=,iv:sayYcAC38cApAtL+cDhgGNjWaHn+furKRowKL6AmfdU=,tag:1IZpnlpvDWGLLpZyU9iJUw==,type:str]
+authelia_session_secret: ENC[AES256_GCM,data:4PaLv4RRA7/9Z8QzETXLwo3OctJ0mvzQkYmHsGGF97nq9QeB3eo0xj4FyuCbkJGGZ/huAyRgmFBTyscY3wgxoc4t+8BdlYcSbefEk1/xRFjmG8ooXLKhvGJ5c6t72KJRcqsEGTiC0l9CFJWQ2qYcjM4dPwG8z0tjUZ6j25Zfx4M=,iv:QORJkf0w6iyuRHM/xuql1s7K75Qa49ygq+lwHfrm9rk=,tag:/HZ/qI80fKjmuTRwIwmX8g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlc1dxK3FKU2ZGWTNGUmxZ
+            aWx1NngySjVHclJTd3hXejJRTmVHRExReHcwCk55c0xMbGcyTktySkJZdHRZbzhK
+            bEI3RzBHQkROTU1qWXBoU1RqTXppdVkKLS0tIHkwZ0QyNTMydWRqUlBtTEdhZ05r
+            YVpuT1JadnlyN1hqNnJxYzVPT3pXN1UKDCeIv0xv+5pcoDdtYc+rYjwi8SLrqWth
+            vdWepxmV2edajZRqcwFEC9weOZ1j2lh7Z3hR6RSN/+X3sFpqkpw+Yg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbU0wNmFLelRmNmJTRlho
+            dTEwVXZqUVI5NHZkb1QyNUZ4R0pLVFZWVDM4CkhVc00zY2FKaVdNRXdGVk1ranpG
+            MlRWWGJmd2FWeFE1dXU4WHVFL0FHZ3MKLS0tIGt2ZWlaOW5wNkJnQVkrTDZWTnY0
+            RW5HRjA3cERCUU1CVWZhck12SGhTRUkK6k/zQ87TIETYouRBby7ujtwgpqIPKKv+
+            2aLJW6lSWMVzL/f3ZrIeg12tJjHs3f44EXR6j3tfLfSKog2iL8Y57w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-01T21:37:33Z"
+    mac: ENC[AES256_GCM,data:4stf2UFt1ogH8pIJCUwMvbXG7YzyehbDEi6Qsfi5s3Kmx/AQAC6SpE31HL3qgYNdi10vbZEVH1lrFljPWs4YdnevzM2z9l3mfiR5D10vp2z/Nvw/+IDNheXxQfgO82QdVZ6qfo83zxYPoda+PmdFatmHTB00V9lNm6DF4unRy60=,iv:byyo1297YoxFO6S9TVzlPHR082IugZHSHCiT5sZE2T0=,tag:dtSxGNVxjR77gnegIHw1Sw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

secrets/ca/keys/intermediate_ca_key

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:S/dDpfZyvnGJ3mbDWS5rQZN1EwIQCQuj2WxKnMFirP/tYTsZTROte3KBE/k+7gwzDr6vayawbJr87zWv2ZV7iXiFZ6UK2wPD5Kj1HTY6D+0QtYrJ4Er0MrrFoxEAj+HRVhdXWwTchoC8Hio+8QOKFWW7mgyxh67UDRQJjAYaPoQ2ol19Zg/k5PSZZN9Qn+Bn9Hd5Hq0b2UBPXIWRbQ7u0JeyQXHY6dAzDoruhhrBcZIbX/PRghdAvIPQUo5LbCn5VrmnunktJnTgt9Dtv67ihTa1iBPdUjpkEV/FhDlDPrWAztBurv3IoZZ4hjAYbc/WeFlOkai83th7ggIJ3Njjrvh2JKdg6GDAerOUVtxmt2SECYZcih0ouNecRl/4UYlCi1QsBFJecJDcHh1zWDNiBGIBywkhfY7NUPBoWlfhBRL58JGsnPFthRT7lqF1MIuM2/q1dgCRaVJUsJ0c0WLbpFNUaLIE/TuaI33yVNlmV0yokCa/Q2fKHmkWCN9GkxkIDVxaB2KGusM8op5fDPaTr4kbnGklu+dqha1dZDfVw+GuFzUf5et/oOHZtpCUUwUk6O6IiwDyd6VRjxSYpyrBaNXrStsaUy0uIybCf/whUFiZ/cDuI72i8RGa4Ix/2zDcmdK77bMU3/dTFMh70gWXtHshrCsb043gmZzmkWlXYhPmFnPDX9AATRoEb5/ajfnUskajHN718MW/e5eYwRxBYDwjPCx8aQYr0f5UkNoBbgujsf3n/RsGYMxB7OZlFImnB+SN9hyqN1WsAykL693EqlXtK8+xrcWBnAVuiN3yxGFL1Gz4XlcBJiLjKWVkshuoqr/XdFuDXDs9eEHSpKg4lEOU4vP7hLMl/DhM1ncd/wENnrE0jxgNkX6HqbOQEaiJU6cBs+2M48UzEWDc/+AQpGBpOrd2gzo3o2behW4BQWzhyOZym2DxP+y97mQ8FUxfHW6BFeKTmohQb0wukPw5/ReJNysU+SLmMd8vuGGBHZeY6AMz9zMXE/v1p0+Y1lvCdelAGI1EA72wl7DmtlCCRMnXYdxMfAsH55tuD9+W4dDut67se5Oig3lDYrL/+ubtK8F4iFz7EcJdmIsykeLfK+PbNjPPd24ul0aJPKWgXKNtAtD0QJOuv/b3C/ie3D1hgjajv+X19midWyJGVDvYL/et3ZyypTYH7Q1yqyX6+cH//jZAtmCm5gUNpsFgTZJVzZ94P4iRl6WCgt9D7u8omNA7ov1qbawMxmLlSGq4QcPQXS3giXQItX1CGzJUDoh1v2g+8CWVOfejWerF/qawkNHPaO1Tq5OpDIqha3AGNRGXgqiJfCqD6wo84QKnOjS8Dt1VYaf0gZZmr0XhLfF7bkMxC/M/SmCdJV9Z1XDMMA9aVKVC5GPVJIyx56TZKD4VoliMrVS3u71lMit9XG4v/bqN07hmGJq+An2oBGGqDPJgzysqHvZ1ugmmNwSTAi3Sp5MiOGAx9veagzTnx1W5djb0G+KaSO6UFpgL1NAGHDTztCEPbFcgjHAG0SB+vWfV2go8IM4MLlRsDj1yZMIlvV1b6qAJPfbI070HjIDOfK+J5O7RedsMQlEAHFVSbJ4cX9/OmHs+4pfmu8ToaRkGWQzclyjajqX9p8AT4fHq7upaL3F8Vxry7rCDDlcyIFBL2bv/LAA7N3SgUjljUjf+miIgTy/VyK10HqW2eNlsxWmYXWptpymkqE4kIpCI+g0kPbslbqLFIFeY/7uRBqaoO+brFfXO2CYdfTbbCi16obG0Lov9ucntrfp8opbmZOgefOy9iB+z7Pw48n0PkfDkpXBxdwtFpEz5se/d8EYnZOSUfGqO47KRXeA9SGluCg7e9Z1wiXLjo5JHYqlliscmlVedeRpNevpnWx/z5sV1z7/4WtV7PEjuw5bhE6m/O6LaHtYX7kY8XjvRrr1pfcpTd/knFLK2ClFdGZvnYFdQCKEEqTINO+1x3C8CDF0c0YIPXUiWNubZMNSOJ+uZu7bnhacJMOAowylUwA2nQZn5dkVjw1Zf25pPzvzBA5m+6bTd32+kAd2KeGQqbmXfQN+Iez7tC/DZJ0Yi1lvoUntG7dqA+soIx8I1GjPlCiEtxUao7RR0dwOobmq9gGvu70qmSgnSV9Z+SA5ZnCuBIWjLA0WMuOxwUpv6gKzvNqyPYhAmks7Z4lUAreAvMcuvBmAd4/RhXZkJ6fQWc/eHTkdXLAzfppvl2cNhkfOcOsZaBD70mcISeYK6j2Ug88Bs4eybFUNXs50NpwOab5FsZJfzQEVh5tVzuE2tSGIZphy0DSARWJEzX8DIfFaSqd8gSeoy+Q6MgtzZSKg9VauuEZ92bezMoEYeMSGn7lZbiGgtM3S0oGel9lzCP6L00u+CpEDKm+toGtDGDKKCdMVETyRIA9/gktvszwVDmPmO01tiemyCS67hzN3MmcwzcT2POxxmhFqprA0GPyCK4yzo+xNJxD1riShRbeaVIb80gjyzoaEC02OXTuTbp+LpBeZ+JuLQapF+V9VwTz2qedsyA1ZU9L/qybfNjPmodzSZnARS9UJw6EecdMVjumAKnONqv5IJ7TFdIyNd5oT1X1mD3AP2ujQpYiTdnbpTukQZr6BMnmLPEH3ySg40y/pl04VmdqSKGMUI69qdlkDsD+K/jUYyQ3BqyVev9ZJEsbZSHh0oBpYEcYWlo+ugxhlig1Ou+J5a/J7R1/6yQlnKtjI1WNxI4uSUib/78GXPCA==,iv:VHGFl9flRW4qYxEzqVmRKLDVTeZNEeW6E2OnqB3rB3g=,tag:8PnIUH9vOlbJINDPU+pulw==,type:str]",
+	"data": "ENC[AES256_GCM,data:TgGIuklFPUSCBosD86NFnkAtRvYijQNQP4vvTkKu3dRAOjdDa2li5djZDUS4NEEPEihpOcMXqHBb+ABk3LmoU5nLmsKCeylUp7+DhcGi9f3xw2h1zbHV37mt40OVLTF3cYufRdydIkCGQA3td3q1ue/wCna2ewe73xwGg5j6ZVJCZAtW4VCNZM+rcG+YxPUC0gmBH59+O0VSrZrkvSnifbr+K0dGwg4i17KwAukI4Ac7YMkQoeuAPXq38+ZftlRx4tq9xBUko6wpPY9zOaFzeagWYMF0n1UYqDt+/3XZI/mukPhJc9tzbWneqgkQBOx3OiDwrNglCHvEpnb+bZePIRLOnNHd1ShETgBqhsHGp9OAwwbAt4tO+HFpCQtVz7s2LWQFLbWiN0SCGzYUkFGCgoXae5H58lxFav8=,iv:UzaWlJ+M+VQx3CcPSGbFZh5/rGbKpS2Rq2XVZAIDFiQ=,tag:F3waoAMuEKTvN2xANReSww==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -8,15 +8,15 @@
 		"age": [
 			{
 				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMUhCOUVVTVpTUk1Pdkly\nK0pINEdVaEo1NFF1YnFPT1l5RE5JcTZieTNjClNxL2laTUdMU1M3bjc5OFE3ZVh4\nN1cwUmlpbXhiM2tlak5ZN1ZxV1FjMjQKLS0tIDA4UmlrSStGKzVsVFlZL2g0cnQr\nWWh4Z1lRRWtJR0Rudmhobjh0bWxuaHcKbGpnkqhKtjCjhtjKi5wl+0tFCEt//FkP\nfLBTUimlLTTINh/29fhd/5P+lgwKXCYTG7GZVY5zLVlhy9eR9fkS8w==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRGZSVHRSMGlyazAwQU5j\nd1o1L0Y1ckhQMkh4MVZiRmZlR2ozcmdsUW1vCk4xZ1ZibDBrUWZhYmxVVjBUczRn\nYlJtUWF3Y1lHWG56NkhmK2JOUHVGajQKLS0tIDN2S2doQURpTis2U3lWV0NxdWEz\ncjNZaEl1dEQwOXhsNE9xbHhYUzNTV3cKVmVIe05JwgXKSku7AJmrujYXrbBSbpBJ\nnqCuDIhok1w/fiff+XXn8udbgPVq5bC2SOhHbtVxImgBCFzrj5hQ0A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYityQThnWGF3REpUSjhR\nbGMzaTkxaTVwVFJoZlFyUitYMTZFVnc1ZUQ0Cmh3bzdhcitWMXF3Z2t6SjF2Rzlk\nK0xvMGsxa0RBdzV0TzBUM0FMMlozeW8KLS0tIDdOb0JYNEVuT3hEakpIYmRpQlBO\nbFM5b0RDbEhDYTlFNG4wMnZqM2hIcWMKrpZjbcjJ5PE52/5CoYBsDUngYEOVvrAB\nQ1BI/fgs4U6YHApUbLGJT2GGy+JXvBKc8bqc8YxLFhONqT3RKzCHJg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4V3NaUEdvMmJvakQ0L1F0\nUnkvQ2F5dEVlZ2pMdlBZcjJac0tERnF5ZWljCmFrdU1NZ29jMkJ1a1ZLdURmVWI0\ncm1vNytFVzZjbVY2aVd2N3laMWNRNFEKLS0tIGgzOTFZY0lxc0JyVmd5cFBlNkRr\nVDBWc0t4c3pVV3RhSTB1UUVpNHd6NUkKNn6Sxb5oxP7iWqTF1+X9nOiYum3U+Rzk\nkryxVnf9EvQIVIFKDaTb+yAEO8otjqj+C4mHA9fannnNEJduOiPWOg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-10-21T09:28:49Z",
+		"lastmodified": "2024-11-30T13:18:08Z",
-		"mac": "ENC[AES256_GCM,data:0YA9KHUFsh3zERG8kbr8TbklTib9aOdrzdlk5aPZ8UyFkbmP0HKk+lXPQ3RwRVbhMmK3VhGU0IxA0J/QUw7SQu22zSBkl1DF5PzqoKkNgt9T5hZJI2HqWRE3/38/5AU6L5mX7ul28Y47L3lcgr4PNLxlg5qyvxUKoM9riw474I0=,iv:G40/HLd1ftXclEcX8FMQjoce91o83dA2KWeO6VaIqLQ=,tag:7KU2Rz89AiggOuumKNfSjg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:9R9RJzPMr9Bv8aeCDxhExTfbr+R2hjap6FGSk5QxBdbNpOcNS78ica0CLEmkAYVAfjmx/X2jC5ZnsAueSPUK7nAgNX2gJXbUTpY0F+oKt35GJziLrFLl3u/ahpF9lQ50EL9OqqgS+igDqtodJhKme5DXH5/GXQHhz++O3VZkR78=,iv:XgN3PiowiEosi2DmrjP82HhJMvnwaV530tsBE8GQfjs=,tag:U243BrtH7H/DU9LcjN/MMg==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"

secrets/ca/keys/root_ca_key

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:OTpEO78zXv66cH1oKwqmFzNPnnkTH3I66J3emqzYEFtii7EJ3d9POquapJhSRWGZs3kvQevFbMTsdtIvWrrwGNcbmBlSLeNOKrOWjXix1uemsBsA4tt79L7dms9tFMXm7nBqy71wo0MsYjzXEYBTy7n91IIKwkg4o+n9MCQivDXVN3rAy8o25HjuS8fSJRRTuQ92Nnc7WjIbPQbyqHPBlp7hxO9xC6/JdOWZ3Zo/X6AyZuzcoF6Nd5A08hImPtbNZ1/MiBurdLSqGkYx9m5KsGmFKinRqWwYWnsQidXl+2xQcqCZNvdCNMe1OwybAxAEiQDksCTpYOQISIzCsXoT3Wfr4ZpZAlLCzw+ga7nnvF2CPiUeRWXyB655vg0vXgqUHYIaN3l1A1P8OWHRDz/tPd7pWbwAj4BZvDY=,iv:oI+1jK2+4vCW67PbM9VxoViBqUOh9BYP8xZHCaAJloQ=,tag:QX/nFv4NB4ERCP5zB8Mqdw==,type:str]",
+	"data": "ENC[AES256_GCM,data:5AePh5uXcUseYBGWvlztgmg8mGBGy3ngKRa6+QxOaT0/fzSB1pKkaMtZJo76tV9wwjdL6/b6VVUI7GIaCBD5kgdZuA8RdBTXguHyjjdxAlI9xcrQaWWdATd8JJt+eQp/m2Y+0dioyXKaDV2ukI3GtHYjp/ixMoHHWEocnEEb40wG6c3CZcvsLWJvKTkFc2OvcjcU2RTfuNlYtEETidiD9iC/dtCakNQHmLP1UFYgcn0ebXBKmlqD6+x2o7BVT1SLwVCyGNvH3eKA2AWvddZChnhaNCUIXcRwBFCgS8lPs4iXhAhly+nwuj7ssFpuu3sjm5pq196tRS8WQl2iNUEJ2tzoOpceg1kZZ7KHX3wCbdBlCRqhy9Q4JMvWPDssO+zz2aU21+BDEySDTCnTYX9Hu2/iFvZejt++mKY=,iv:u/Ukye0BAj2ka++AA72W8WfXJAZZ/YJ3RC/aydxdoUc=,tag:ihTP5bCCigWEPcLFaYOhMA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -8,15 +8,15 @@
 		"age": [
 			{
 				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVHE5aUNjS3F5VFYzMW1j\nbGJkK0VPRmJ2Nk1HSnNXUk1rK0tzaHMzcFZBCjRzTkVZT3hsakRsTHJPSXpGNHdw\nODNTWGhNZWhhdHplYUpBVFp4eE0zLzAKLS0tIGJ4RDkyZ1hTYTBnUHlxRWR6bEpZ\najBvNjdsK3NieEhoVkZkL3ZJWWRxK2MKKKmoz+U/TIAeE1nJop0FtxoOfAR2iP/Y\n5cdTsbXUgDSVginxJbnDaEM9v+OYJXO6ugQNBnkAaHbWn4ADnA8UCA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VElDNHArZXlXa2JRQjd0\nQmVIbGpPWk43NDdiTkFtcEd1bDhRdXJWOUY0CndITHdKTFNJQXFOVFdyUGNtQ09k\nN2hnQmFYR0ZORWtxcUN0ZFhsM0U3N2cKLS0tIFh1TTBpMjFIZ2NYM1QxeDRjYlJx\nYkdrUDZmMUpGbjk3REJCVVRpeFk5Z28KJcia0Bk+3ZoifZnRLwqAko526ODPnkSS\nzymtOj/QYTA0++NP3B1aScIyhWITMEZX1iSoWDmgHj8ZQoNMdkM7AQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdW1ZQkxUaFdtekR5eGh5\nYWdTbWVtemtteFIwNlZVVSthZElnZUp4QjN3ClFsOW9rZVhZckZ5MWdiTjNQbFN4\nNHZaSVEvR085b093dlM3SHl6c01yVWcKLS0tIE10L3lZZDVkQ2I5TEduYkU3V21a\nZ0k5cTcvYmdJMU5QUDV3QWtuYkRUWHcKNgfl9S2V7kuobwgc0mMR+O/quq06y+5q\ncipmOM7DIkyFDq5Cl0e//MZywoOfBTsYlCncA6Hb4hW+Y2Tn+/C4tA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNlNHRWNEcUZGNXNBMDFR\nTzE5RnNMQUMvU1k2OS9XMlpvUktMRzQ5RmxvCnlCS3lzRVpGUHJLRGZ6SWZ2ZktR\na3l0TVN2NUlRVEQwRHByYkNEMDQyWUkKLS0tIEh3RjBWT3c5K2RWeDRjWFpsU1lP\ncStqY2xta3RSNkR6Vkt5YXhYUTZmbDgKvVKmZc8S/RwurJGsGiJ5LhM4waLO9B9k\n2cawxHmcYM3KfXDFwp9UZWhIwF7SRkG56ZE4OjGI3sOL+74ixnePxA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-10-21T09:28:49Z",
+		"lastmodified": "2024-11-30T13:18:16Z",
-		"mac": "ENC[AES256_GCM,data:UAJ61bLXP9j7/uyppVMvvRLhO12XQXhCLEtfqdeOi7STUqTaCu1NsbNxf+ErA5eVn2DjGMJuyNvxamD1rxzc+VjELOit1pY9Wg4f15nRyryTt9r+iUrYttcwvUXq2knw8bDtJOqz/nYvg4R1qyXwjdSHLrKn6LmKsO0KwTB1nAQ=,iv:jHSYSYfuow0cM8ECzbQ2jM4J3Q5MQTBQ80u/eglfU9g=,tag:tQxMsKppD8xOcGKcBFXm2Q==,type:str]",
+		"mac": "ENC[AES256_GCM,data:JwjbQ129cYCBNA5Fb8lN9rW7/y4wuVOqLeajIMcYyCzlBcjzCZAV1DKN5n75xMamb/hb1AUkmtp/K82PKM0Vg5X4/lpWTUZXZOzn/TrwHx+yqlJjL9mUdGuHnSY5DwME38Dde3UxdtUa0CVgQOxvMIycW27w8+8NNfO2zxGxkzc=,iv:ZMZASOsqXZOb0NkBqG3GGaqqKgQdjZLiku2yU5QonB8=,tag:/lb/HMxsYOV5XX/5kWnFHA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"

secrets/ca/keys/ssh_host_ca_key

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:1ntjhGcHOtOcYBsEskgm/pBmQh2xVu0owTmPgfIzKimrSGS3XG0YUGztakb1jW3IgjRs1hssQpJKxkabSuPVNg4q1Nw7tX3aEfH2K6f2xnV3a7bp8yS30O9+7gDMB6wcTodMfou3Ypm3l2v6YXtVbh/4Gq/7FNUlHxa2wPux4pqoDyMjV1zjJT1exFl1JkUPzzT+02gGSEFacC47I7t85XfPxmn1hdpvpUlGA9CMHrQqTXf4moxePMyLK1oAgXtGLGXpQXl/RWiqNQMEmmBXfynjby6ojq/+psgGgbt89BI5Gi7tb131WXeg/xQSZeGkfbjWyl6/fy60GGPJ004VY0RKN8pB6/duggwWZPa/oEN1V8/DVNcTaq2YKrD4GBoPqeDegnRgMubeyb+talqegEr9AHAhdLtEKio=,iv:eb1VwHeESCREOv4lftxMIDjSFxCiagm0HRzzCURDgMw=,tag:6YhDt3kR+rs+fE14W5Sk5A==,type:str]",
+	"data": "ENC[AES256_GCM,data:vqQ3HwSmuDlI4UwraLWvwkBSj9zTFeNEWI1xzhVrO/gpx8+WBZOt2F0J7/LSTGAWsWW/9Gov+XXXAOtfnKfjYVzizyT/jE8EQwMuItWiFEVA6hohgwtsk7YKJjXdJIxmiv+WKs73gWb0uFVGh1ArMzsVkGPj1W1AKMFAneDPgsfSCy9aVOMuF8zQwypFC8eaxqOQhLpiN2ncRm8e7khwGurSgYfHDgFghaDr8torgUrZTOPNFk+LEdxB3WcC17+4a8ZyuBapmYdRTrP73czTAuxOF8lMwddJhO99SF7nWuOYVF1FOKLGtK04oKci5/xRIzvWo3I0pGajkxtuF5CyWbd1KblcPfBALIU/J5hU/puGJ7M2sE/qsg/4kaTFxnhq32rPZj291jFb4evDdOhVodfC1axOQUbzAC0=,iv:yOeQ384ikqgDqfthl7GIVSIMNA/n0BYTSIqFN3T9MAY=,tag:Y6nhOCrkWx7MnVpEeKN0Jg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -8,15 +8,15 @@
 		"age": [
 			{
 				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYzB4UGJwZmFmdXEzT0Vy\nV2ZkMzk5UXd4S1RKeUJmNTNGbHhvUnkzY3cwCkNMQS83dTFQaWJ5YzIwYXZNM0FB\ncTBLWVlWMXJNSlRjRUhDSEV1NFRLQ3MKLS0tIGlkRlZYZ0R6dXJORVBpMkpWWE1l\nWlprQ3kwcXkzMUdVWXpidmgxby9wRVEK3ItRAZMfAtOzjN5r7GHU8KT1upW+xvIA\nqXxIXZBdkkxKOJWQXn5i/xC8YoNek4fdqGeWUGOF9FguU5Zj2tO+ZA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTjRMWlNtYVQ2WnJEaGFN\nVFU2TXRTK2FHREpqREhOWHBKemxNc2U4WW44CnV4OWlBdXlFUWhJYi9jTTRuUWJV\nOWFPV2I4UytDRFo3blN3bUtFQ1NGU0kKLS0tIGp2VHlDc1JMMUdDUjlNNDFwUUxj\nVnhHbCtrNVNpZXo0K2dDVU5YTVJJUEkKk9mVTbzQVGZo3RKDLPDwtENknh+in1Q5\njf4DA1cGDDNzcEIWOOYyS+1mzT9WY8gU0hWqihX/bAx7CVsNUallZw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ2JPWmIxSXg4YnNwMnNw\nMUJSTWlHWDFoNU9ZcmdPb0VBUHQ3SU5qcENnCmhRWkhKWUwxeEh2VDZxUFdrMExa\nWTdLVVV5NHJMTE51ZEhPRHdaSTRTRkEKLS0tIHJ1Z0NibWQ5SitUekhKOXVGd3FH\nQ3dKNE16bnJNczhtRHBCcUxNajZRUWcKhnvYPFTkw73QPs7qDA7C3cX8RPF68sTk\n2MQORHyqN1jyBUVtvezeejL89Mdw1wghh0Q+VXW9b1ozXkFsH7IcXg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVFNwUGpkOUhkUXFWWERq\nMVdueC9VSE9KbGZkenBVK3NRMjRNVXVmcVRRCjNLa0QzbWVCQks3ZmV3eFVjcEp0\nRmxDSlZIZU1IbEdnbE83WlkxV3VZV1EKLS0tICtsRXArajQ4Um9mNEV5OWZBdS85\nVGFSU2wwODZ3Zm44M3pWcTdDV1dxejQKM2BK5Axb1cF344ea89gkzCLzEX6j4amK\nzxf+boBK7JUX7F6QaPB0sRU8J4Cei9mALz96C8xNHjX00KcD3O2QOA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-10-21T09:28:49Z",
+		"lastmodified": "2024-11-30T13:18:20Z",
-		"mac": "ENC[AES256_GCM,data:xB5qV2aFpvTJxCbOgTaaErBez+pkSz1KEWw0c+NoglcjPkGNx+0MuoSjeuPJ0KiHcS/gol2vo+mmVEEcDSVa/S/ksI/sIqcWoQeZ+XNBcffF+5UPfsyRFBNRJwWsg88ERVwgYjKauCV5MZBvJYf/uL3uUa8chHZNFF+f3QVq464=,iv:R0Gh5SITWXGphccBfI+DbNdnBeC98qDforE1Ffb805M=,tag:L2jqUwSlv1ngPiMQith9Mw==,type:str]",
+		"mac": "ENC[AES256_GCM,data:AllgcWxHnr3igPi/JbfJCbEa6hKtmILnAjiaMojRZNO4p6zYSoF0s8lo9XX05/vIrFUo+YaCtsuacv+kfz9f6vQafPn7Vulbh6PeH1VlAmzyVfJOTmHP3YX8ic3uM56A4+III1jOERCFOIcc/CKsnRLFhLCRQRMgtgT0hTl5aPw=,iv:60dOYhoUTu1HIHzY36eJeRZ66/v6JmRRpIW99W2D+CI=,tag:F7nLSFm933K5M+JE4IvNYw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"

secrets/ca/keys/ssh_user_ca_key

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:v+ugz+pjgkY2IqW+wNM09Z7OYJoxaPxPwf/THyt+Q3N1SswU6Q3AhzqGoIeMAa+8tIRMdQ++HBsnDtCPZYHV0vNQ7GWE1w1jQ7FHa7hXaWLnqfuKbr5x5bnPzDZYxCt41a8A0fxbrN1ysBE1cMgbHe1tnBWKl1D4tay5RtMoua+vYxS1gwzZSIHY3Tq7GJkyBuJqOZA2oyDgZ9ETTwXwNaDZx35uxi9XbEBHdwIscWGFW50s1NXKavgdmeEEWyOlnIlBm4yhjnLIBW3HjSPWBsCp36+m1VUq/TwK+AH0q3sqovVFXwjduRI59RnJoZ6gMJHYFpXHUfnKZbkC8GVzczUGyLSPD9xhxrSYxGjT1T0pbQsXCls6TugVNOVsRMIN5P05uEo5URBlMkIZisnzqdgBw3gR/roboi4=,iv:NV9jvDY5teQaACPn84G/izLd4CXkZNPGGNRQG3xvw2Q=,tag:qCV+lsrYAgDbi2nMx3HmGg==,type:str]",
+	"data": "ENC[AES256_GCM,data:YRdPrTLQH0xdWiIzOyjfEGpvfmuj6me6GzZZcauh9bUUywyA1ranDnWqbJYgawQQxIXsq9dhXD0uco+7mmXq2598kF1NI9jh6uLf3k0H494zZOalRBv/k8u9oJDLIiVAkg9eNNLbGX0PMZr/Yue/qdkuXx2Hg9E7bQJwpU/NXF+jKKs+3NmKT5NBlegwAzUs530D4DUoaq5AhvVvdC6a1UcE+KJzQ8pRiz1GjFIxAB7qX+GVwa3yNdLgo2tlAbOzjGtaDfJnhZIHSNEq+4TEhjlF9lCmFCGFDUVupvMOWs0kBywJEzIrDmxmvGHlPj3FfyytPb7qhlsOXDDDS67IoiwluKOnw+sALAG0Iv9LMrDZ3z8MXeEGvRWu0VDMuGXN905/9kGx/A40mPjcfnZvI+qSRIKjER5R8aU=,iv:qiP2Ml59AnK24MBbs7N/HqJIylf+fXGqJAo2N8iFNB0=,tag:0Dj5fVs6OB07kvV4qzuvfw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -8,15 +8,15 @@
 		"age": [
 			{
 				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNExxOGViUUMwaGpjYld0\ncUdTVnA0QmlPT2kxNjRjbmw0SFhyS284ajJrCnFGK2ZqR2JpTEYwdHdPZ245SkV1\nSjVzMFMvbWNma0RnbTd3ZEpTd0F2THcKLS0tICtITFJGNmhjbStMc29XaDV0dElm\nRTN2QkJhamw4RHo5bXgzSHd5TDNLUFkKJtO9aMmFE43hxRsSa0lnqGo8FVzKxysJ\nOgJMTIftSU7bEvsEok+HlBgX1kyj8v9rgzXLwTrGk42+kVw4Fm2Xkw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUFlvNmRNYUlJSHZYUkpJ\nMEloQXFSdENIWGJVVDNIOVY5MS9SYWRoL0FrCnRJc05wZUZBSDRvMHNUUEhNRXQ4\nTWhYOUp6YUNGZFNWUFRrSmlJM1c4aWcKLS0tIFc1b3NlSEo2eFJhdDgwejRqcHlT\nZE5wN01uaE04cTlIbVJMVWQvQ1pXajgKQ1n6UmP7LEBsnIBXVc0BceOqvwCqQzBP\ncI8C5Io4ILgMjY4dr6sd0SeJG6mfDdiMA+k7c6jqoyZCW/Pkd3LANQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLenZoS0phekRTSW5aN3Jw\nZFJsNHJRSnR3dXBiMG5aQ2lyS0Y0Sm1nTEJVCjJ5cUJMSDk4NzBCdnNLd05rSnRi\nSEdnaGl1S1hKbFFwZjluUEkzUmR3MTAKLS0tIG9PMng3MFlUOE1wUXJ2S1cxRllx\nTi9nUm5nVWRXdk9hdWFCc1o2bHNObVEKrz7ROqTXaINk5LNpG4ibLqjCoPH0fzO3\nUgZp5PUC1+VPxYymqstK3kV5WorM2GVVfWcjLv2eofKdgpO90iKp/g==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM2lyeXVzdE9nL1k5L3dC\nTkl2MjhMb1FKMFdCeXFPSmNST0pvOTRUaEVvCmdwMnhjSFFHVFhidmIySS9jMEJu\nNTJpRjdFOWpZZ3ZuZFJwZUUrRFU5NnMKLS0tIDJ1UjdVQkpMNm5Pd01JRnZNOEtr\nb1lpMlBkVHpiT2lYdWtZaUQrRW1HUDgKq/JVMf5gdu6lNEmqY6zU2SymbT+jklem\nnUQ9yieJGF+PanutNW6BCJH8jb/fH+Y6AeJ9S+kKCB4Yi75i4d+oHg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-10-21T09:28:49Z",
+		"lastmodified": "2024-11-30T13:18:24Z",
-		"mac": "ENC[AES256_GCM,data:huZ3fDBV8bOtHW2eNxgTc9e5RmAIsvRhMFGwlVGbpDvftJKNy57CqMal/W0E0pqmvltaGMHGh/f8yzakpYphhbs1/Kro4u34QMu/jV6QvKEyDHtyAGYy6DzjCDRu216DV8uHpDaKoz+7zhjwlPSd60RlXUpfhis+DC8lmdktI2A=,iv:hCUwgkm6fCdWrAqszwzRBh5W7Z/0LXvl1dGiteJkkL0=,tag:0uDeZoG5TCc80Kzgl5U2TA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:6FJTKEdIpCm+Dz7Ua8dZOMZQFaGU0oU/HRP6ly5mWbXCv81LRbZXRBd+5RDY3z9g9nb0PXZrOMNps63F6SKxK52VfzLIOap3UGeMNQn5P4/yyFj7JQHQ5Gjcf2l2z2VZ7NhUdNoSCV/6lwjValbKtids48Q5c3sFX997ZiqIUnY=,iv:nUeyJd/v8d9v7QsLLckziD9K5qjOZKK4vOQJw/ymi18=,tag:6n5EE3oklWdVcedvB2J/zA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"

secrets/http-proxy/wireguard.yaml

@@ -0,0 +1,25 @@
+wg_private_key: ENC[AES256_GCM,data:DlC9txcLkTnb7FoEd249oJV/Ehcp50P8uulbE4rY/xU16fkTlnKvPmYZ7u8=,iv:IsiTzdrh+BNSVgx1mfjpMGNV2J0c88q6AoP0kHX2aGY=,tag:OqFsOIyE71SBD1mcNS/PeQ==,type:str]
+sops:
+    age:
+        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdm9HTTN1amwxQ2Z6MUQv
+            dGJ0cEgyaHNOZWtWSWlXNXc5bGhUdSsvVlVzCkJkc3ZQdzlBNDNxb3Avdi96bXFt
+            TExZY29nUDI3RE5vanh6TVBRME1Fa1UKLS0tIG8vSHdCYzkvWmJpd0hNbnRtUmtk
+            aVcwaFJJclZ3YUlUTTNwR2VESmVyZWMKHvKUJBDuNCqacEcRlapetCXHKRb0Js09
+            sqxLfEDwiN2LQQjYHZOmnMfCOt/b2rwXVKEHdTcIsXbdIdKOJwuAIQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeU01UTc2V1UyZXRadE5I
+            VE1aakVZUEZUNnJxbzJ1K3J1R3ZQdFdMbUhBCjZBMDM3ZkYvQWlyNHBtaDZRWkd4
+            VzY0L3l4N2RNZjJRTDJWZTZyZVhHbW8KLS0tIGVNZ0N0emVmaVRCV09jNmVKRlla
+            cWVSNkJqWHh5c21KcWFac2FlZTVaMTAK1UvfPgZAZYtwiONKIAo5HlaDpN+UT/S/
+            JfPUfjxgRQid8P20Eh/jUepxrDY8iXRZdsUMON+OoQ8mpwoAh5eN1A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-15T18:56:55Z"
+    mac: ENC[AES256_GCM,data:J2kHY7pXBJZ0UuNCZOhkU11M8rDqCYNzY71NyuDRmzzRCC9ZiNIbavyQAWj2Dpk1pjGsYjXsVoZvP7ti1wTFqahpaR/YWI5gmphrzAe32b9qFVEWTC3YTnmItnY0YxQZYehYghspBjnJtfUK0BvZxSb17egpoFnvHmAq+u5dyxg=,iv:/aLg02RLuJZ1bRzZfOD74pJuE7gppCBztQvUEt557mU=,tag:toxHHBuv3WRblyc9Sth6Iw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

secrets/monitoring01/pve-exporter.yaml

@@ -0,0 +1,33 @@
+default:
+    user: ENC[AES256_GCM,data:4Zzjm6/e8GCKSPNivnY=,iv:Y3gR+JSH/GLYvkVu3CN4T/chM5mjGjwVPI0iMB4p1t4=,tag:auyG8iWsd/YGjDnnTC21Ew==,type:str]
+    password: ENC[AES256_GCM,data:9cyM9U8VnzXBBA==,iv:YMHNNUoQ9Az5+81Df07tjC+LaEWPHV6frUjd4PZrQOs=,tag:3hKR+BhLJODJp19nn4ppkA==,type:str]
+    verify_ssl: ENC[AES256_GCM,data:Cu5Ucf0=,iv:QFfdV7gDBQ+L2kSZZqlVqCrn9CRg5RNG5DNTFWtVf5Y=,tag:u24ZbpWA65wj3WOwqU1v+g==,type:bool]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUXdMMG5YaHRJbThQZW9u
+            RHVBbXFiSHNiUWdLTDdPajIyQjN3OGR0dGpzCm9ZVkdNWjhBakU3dVdhRU9kbU81
+            aDlCNzJBQ1hvQ3FnTUk2N2RWQkZpUUEKLS0tIEZacTNqa3FWc2p1NXVtRWhwVExj
+            cUJtYXNjb2Z4QkF4MjlidEZxSUFNa3MKAGHGksPc9oJheSlUQ3ARK5MuR5NFbPmD
+            kmSDSgRmzbarxT8eJnK8/K4ii3hX5E9vGOohUkyc03w4ENsh/dw43g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVGhvdGE5Mzl0ckhBM21D
+            RXJwb09OS25PMGViblViM21wTVZiZWhtWmhFCnAzL1NqeUVyOGZFVDFvdXFPbklQ
+            ZkJPWDVIdUdCdjZGUjcrcmtvak5CWG8KLS0tIDhLUHJNN2VqNy9CdVh0K0N0b0k1
+            RUE4U0E0aGxiRkF0NWdwSEIrQTU4MjgKeOU6bIWO6ke9YcG+1E3brnC21sSQxZ9b
+            SiG2QEnFnTeJ5P50XQoYHqUY3B0qx7nDLvyzatYEi6sDkfLXhmHGbw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-03T16:25:12Z"
+    mac: ENC[AES256_GCM,data:gemq8YpMZQC+gY7lmMM3tfZh9XxL40qdGlLiB2CD4SIG49w0V6E/vY7xygt0WW0zHbhMI9yUIqlRc/PaXn+QfyxJEr3IjaT05rrWUqQAeRP9Zss74Y3NtQehh8fM8SgeyU4j2CQ9f9B/lW9IgdOW/TNgQZVXGg1vXZPEzl7AZ4A=,iv:LG5ojv3hAqk+EvFa/xEn43MBqL457uKFDE3dG5lSgZo=,tag:AxzcUzmdhO411Sw7Vg1itA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

secrets/nix-cache01/actions_token_1

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:P84qHFU+xQjwQGK8I1gIdcBsHrskuUg0M1nGMMaA+hFjAdFYUhdhmAN/+y0CO28=,iv:zJtk01zNMTBDQdVtZBTM34CHRaNYDkabolxh7PWGKUI=,tag:8AS80AbZJbh9B3Av3zuI1w==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdHozVnN0YXExTWZBbEVK\nT0FoR3NNREtHZzhseE5jb0JzNCtCSDBtT0RVCkQvVFB5aDlxbzVDVE85Q3d5TEw4\nelpuVnY1bXc4YU4vQ0RxbW15SWpwMVkKLS0tIG1HZ2NhR0plSVlZdVNZZUZydjBv\nSjEyREIrL1Z5bkpOM2ZiRnhmRlk0MVUKRowIdTtV7B+me9cdpC0Kmnz3FIQQvCt2\nxVltjChE4N954aa1j8KpXYELkr0rge2/ka9JdI54VxgrACPSbtVqGg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2RlVRbGJiSjNkNXg3T3FU\nZFVzeTNSdGxSWEVzVTFDR1g5ZzI5RHZkMmhRCkZGbE1ZSTJDZ2NLZG5QU25OU3Z4\nRlYyU0N5ZTlQQmgrZ3dBVTgvYTBHR1kKLS0tIENRTmFWYzY2d2t4VTRISEtxZkNL\nZ2IzdVZWNWowZ2hlcS9xM29UaUgzcFkKMSzJh8tVqLUE8joiynqqHlZD5wMne0Ti\n/RE3d8JEwlQZnaxd8ZYfOA9CHIYhsMgWV8YG+hDR0nFPBah6sjRsrw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-21T19:08:48Z",
+		"mac": "ENC[AES256_GCM,data:5CkO09NIqttb4UZPB9iGym8avhTsMeUkTFTKZJlNGjgB1qWyGQNeKCa50A1+SbBCCWE5EwxoynB1so7bi8vnq7k8CPUHbiWG8rLOJSYHQcZ9Tu7ZGtpeWPcCw1zPWJ/PTBsFVeaT5/ufdx/6ut+sTtRoKHOZZtO9oStHmu/Rlfg=,iv:z9iJJlbvhgxJaART5QoCrqvrqlgoVlGj8jlndCALmKU=,tag:ldjmND4NVVQrHUldLrB4Jg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

secrets/nix-cache01/cache-secret

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:MQkR6FQGHK2AuhOmy2was49RY2XlLO5NwaXnUFzFo5Ata/2ufVoAj4Jvotw/dSrKL7f62A6s+2BPAyWrvACJ+pwYFlfyj3T9bNwhxwZPkEmiHEubJjWSiD6jkSW0gOxbY8ib6g/GbyF8I1cPeYr/hJD5qQ==,iv:eBL2Y3MOt9gYTETUZqsHo1D5hPOHxb4JR6Z/DFlzzqI=,tag:Qqbt39xZvQz/QhsggsArsw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQ0dGckxKMmZsM1JER3Qx\nYkRhb282OFlFSmRrNmU3c0dIYitmbHE1bHlFCnhpK0pCRlhlTlpBTHl6aU53blBP\nNGFuejRjOFhPWnhvUURPMzY1V1A5ZnMKLS0tIGhMSWhxVWtCbXd0Vnh6N1J1STBT\nVDRzWURscjNYT21kMzRYVnZDQlkreVkKMkRqbGfHd2/bRf8on8eqoJpFI8i9vMDK\ni0Lrw7Zpw0D1Arzq6rA8YGyAqboV4ixQVUjlrL8cJv9n3/8geCfOAQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaUt5VHBWY3NiR2U4MXVX\nREpLZXIxaDNSc2FmdEZkclNEeHdkSzBEdDI4CjNiS0xMV1hjMmxVd1QwekFXT29k\nMXIrQ2VIMTR2ejJWaGd2S00zQWVKVHcKLS0tIER1azhRRHVRZzJuQU5xL3hZb1lR\nZlN3NGV2a1c2M1AwSW1JeldOTkhRMjAKGDk5neEcVzSPtauiiqxkOaqaCj/+jzUk\nEE8g9XQuK5xAIxFlvqPilgo59VOL335VjUJZqGgFxfc7TvhZQTSAaQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-24T12:19:16Z",
+		"mac": "ENC[AES256_GCM,data:X8X91LVP1MMJ8ZYeSNPRO6XHN+NuswLZcHpAkbvoY+E9aTteO8UqS+fsStbNDlpF5jz/mhdMsKElnU8Z/CIWImwolI4GGE6blKy6gyqRkn4VeZotUoXcJadYV/5COud3XP2uSTb694JyQEZnBXFNeYeiHpN0y38zLxoX8kXHFbc=,iv:fFCRfv+Y1Nt2zgJNKsxElrYcuKkATJ3A/jvheUY2IK4=,tag:hYojbMGUAQvx7I4qkO7o9w==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.3"
+	}
+}

secrets/secrets.yaml

@@ -1,6 +1,7 @@
 root_password_hash: ENC[AES256_GCM,data:wk/xEuf+qU3ezmondq9y3OIotXPI/L+TOErTjgJz58wEvQkApYkjc3bHaUTzOrmWjQBgDUENObzPmvQ8WKawUSJRVlpfOEr5TQ==,iv:I8Z3xJz3qoXBD7igx087A1fMwf8d29hQ4JEI3imRXdY=,tag:M80osQeWGG9AAA8BrMfhHA==,type:str]
 ns_xfer_key: ENC[AES256_GCM,data:VFpK7GChgFeUgQm31tTvVC888bN0yt6BAnHQa6KUTg4iZGP1WL5Bx6Zp8dY=,iv:9RF1eEc7JBxBebDOKfcDjGS2U7XsHkOW/l52yIP+1LA=,tag:L6DR2QlHOfo02kzfWWCrvg==,type:str]
 backup_helper_secret: ENC[AES256_GCM,data:EvXEJnDilbfALQ==,iv:Q3dkZ8Ee3qbcjcoi5GxfbaVB4uRIvkIB6ioKVV/dL2Y=,tag:T/UgZvQgYGa740Wh7D0b7Q==,type:str]
+nats_nkey: ENC[AES256_GCM,data:N2CVXjdwiE7eSPUtXe+NeKSTzA9eFwK2igxaCdYsXd4Ps0/DjYb/ggnQziQzSy8viESZYjXhJ2VtNw==,iv:Xhcf5wPB01Wu0A+oMw0wzTEHATp+uN+wsaYshxIzy1w=,tag:IauTIOHqfiM75Ufml/JXbg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -10,95 +11,149 @@ sops:
         - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQTVka2k2dGpvekhJeWU5
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT2c0b243bGJOeUZ1MHZn
-            M2VFOWh0S3RsbzBqQ2lhL1VQQVVvKzA5QldzCllVZk56SndDQjMyRzljUVdiQ1Bw
+            QkZsYlA4bGc2VGNTQ0R6YVZKWGQ1SlB4T2xvCmtkZTREM3VXb1BQMnZJRnRhVTI5
-            eWx3bnZ5NWg0RTZ3aGtFbHp5RGQvNHcKLS0tIGxFVFA4R3NQcnNnZzR4a0pQdnFs
+            TFdJL2xYdHc4cVkzRnF4eXF3YzdvclEKLS0tIFB2Uzg4cGlkNVZFZVFGVFFkcjc4
-            dERsUjgzaFQrY0VTZFRDbVhISEwwelEKE4LcpxhwEaPOkO7uHqI6DpYNGTNjoRtw
+            bVYvOFBpeC9zbS9HeVB2SHhORlZrbncKIKdbqV938sr41I6jcNVly5bfXP4YyCXT
-            6IeDTOLlx07CMHQ/9hWbUwKyr51FMJGJ7Q5rgBKaCFgCfKBF1ssGVg==
+            P7ISh90lC54cZi9S7eHwiKw439VUI48hfuNNPAZNdlmOVJXW6GGrUg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcitIbE95dVo2SHBVNEp5
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcjVtNUltTzN0amxrMkhu
-            UlVpL21peTRRZWxTcThxaWZQdmdlRmloUHdnCndFQmFTWHdqa1NmZm1vVVRVSWk0
+            czRBajJydnBuOHVzei8xQlQwdk9aWnVQZURrCllvc3RxdTdNbVNCOENPbEtlSDc4
-            QVJIanlPSUc5WTZqYVN2ditZVFpLL1kKLS0tIERvTmQwYUdSMWlpWkdtSWhtbVJD
+            MkdYd2NkNVVseDFkemp4eElxbEV0N28KLS0tIGhuRmExeHBvb09WTUdPTytjeXhh
-            LzV1VEdObXRHYnVBaGYrUDhPU0FXU2sK5wPshVZNc+KdOfEv449VSOn81u7MNLZT
+            ZTlKQ2VJcTBiUG1CSTZNVmtEKzRheHMKI8P+5CjfMEJNBQQH6K2L+1/FMouAwYGY
-            xKtBEwe2H6FOxyauLrpfrTo5dAWnRhSsIHiIR2e6WjXajTjVPOpWcg==
+            KbnQWt3AYaAhGEcKRBTS53cvwlsVa5KDQ8F2Htw9eFRALj+HssmlyQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxR3FmRnhzZUd0eEoxbmRo
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKb1JvZkpIcCtnMTR6UWJm
-            YzVaakl0eXA1dy9uRlhyc2RyeUlvT2VkYTFVCm9CcEI1a3FQL2piWHo1NWRvK0Yz
+            c05VdVpJV1d3Z01DVnF2bkwxb1Nsam95ckdBCllUelp5QmFWM1VrWG1RUWhubE41
-            NGM4SFRtQnZRNHVrZm1Cemw2SWxJNTQKLS0tIHFKYWMwdVltbzhKVTUvOEdXTE9T
+            SmY2Y0xyNVNUcUdWQXhvTkpwMjVMNDAKLS0tIGtFbEZ1MkYwbGJMYjhYTVorZ2t0
-            aStOZndTL3hITmVZaU5qMlhsLzl4dDgKWm2cGdCeIKjggE/udnuor4xhGVNcb6vk
+            aXQxdjErVFgvZDNZOEF4dEVjZHNubGMKWv7JCP7rABr4efJYgRY3GlqY2Zq4Qons
-            yKNXwD/tWMI+fykp3S+G8Aqt8vWXRbQbx4ITg8iVVZudi2SIf50rGQ==
+            UUppWu7husTFi8SmjLBKm/GwSyld1Ner5R9w3syPcUg91zbkMoXBHQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1snmhmpavqy7xddmw4nuny0u4xusqmnqxqarjmghkm5zaluff84eq5xatrd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMM0dabXVDVUFJZld5RmxT
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bi9JeURVT3BPNEFxbSt5
-            MFJLMm53VW05YVJ5RFk3YkxFUE5aS2UxVndJCmVLMkw4UnBwK205cTJVN3laTmN0
+            bUVCU1RQcG1CRlp2dHZXT3JOS255QTZxT3pvCiswMTNFRTJucHhDUzE4allZM0FB
-            YnRqSlpzL3JaUEFWWnR6SmxKa2lHNHMKLS0tIEtsMGR5Y01PRk5RNGVyMWZUc3dW
+            dG03ZVFDRGt2SzlTSVVFVVdzVG4xTTQKLS0tIGNwV0Fua3RXd0t6bDc1TmQvVGFr
-            ZXVPRFI1eFJLYkJyN0YrU28yenJhNG8KBmM0oIoMMmT9tBmfvaoxumCwwM/X9khd
+            Tmd5RlRsRFlkV1lyUkw5MTRicDU3dFEKHFm87tLsOuLwzmaAXw3GWDq1hYY/lipO
-            XkSdNax6HfovIylzoChJ6srIZ5BmTtA2ioKMna/kif57PD5nDU7Kmg==
+            m6avJCtPI1AzeITpQlSl/t+p9JKm69+VyDE0cCfa6YfkSAuh9s3YFQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SzVlS2pBZWZGUzIvZ0U3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnc21EVUI4eEhwYWE4MXlQ
-            VDkrcmRESHh6MG8yNUZBRlEvam9SeUJseXpFCkVMSTFiTmsyMWEwNVg4TmdaeEdo
+            NnhFTEJXTUVReE1ZZHlyWFJkM0RyVzY4QTJZCjRnTk1LTXA5SWZCZS9KcDJ5N0ov
-            K09GdTdkR1g3bUJ6dFpZaGZKTjY3aW8KLS0tIGcxalhyVGlCM2hGdGhCL2dXTDk2
+            WGdHU0xjTlUyT2diZkVZaWp5MlU4M2MKLS0tIDBxYVVUOURPbXcxdHcyQVZNcEQ3
-            N1gxdGZJSDVGUXFwTStoTFpXQkdUT3MKQ8c3oZfGxloS/eJByG2i25Cg3Gg9I65P
+            akdqNmJvakFyQms1ZlVkcXhKVVpLTkEKKpG7tEUb0OfeqyHLIIN/JOiM94oNDmrQ
-            eqA+Jx5SWaM+DyYIxe7HseoPA0jwK5hUEJfcK+HK4N6ErbnG7n8byg==
+            qk1m87QZnDoxxcqhlWl1K6ZDINq/EBDKbrA/TFr7c7yECqq4HqEfSw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZGt4ci9WcEE5dnN5R3NB
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4emZJY21NQUhtTDJKTXNu
-            UC9pZG5iaE5yR0R3dXN5SlFpaHhwclFBVWc0CmFjUnB3QU9neVV6S3haRml4MTJC
+            WGk5bjl6bnlESVZndnVjMXNiazYvTXJwSEFJCjF5dDJCSW1nbVBSUEJqSVZocHdQ
-            QVpBYWZnQW0rZUcyWStIUk40SXZpZFUKLS0tIDczeEpMRDdDV25OaXV4aDhoTHFH
+            TE9PME1qTitXQTN1ZFdXUjBsS2JFMlkKLS0tIGliSkcxQ05VUTVxazc1ZEQ5S0Ex
-            NVNyVEFqc2kyMjFtcEUrdjNMdjkrS2cKGOkOhsy/RPlzQJz3vVt934rtg9sFiM1S
+            czY3YjRWRytaTDdWQXB0RFU0UUhTZncK2X0LNb0ThAk5AxeLFcEM/cE95+OruE/s
-            3w9YN1VjzNW7RYG7Ro+Jtoli7/2j1So1uHiATS8JBcpTjO1BWEiSMg==
+            qxnS453vp5uFSFz7qYS/7k42RmOKXdLd8zLaCmJwARZu44jVvWOzMw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1gcyfkxh4fq5zdp0dh484aj82ksz66wrly7qhnpv0r0p576sn9ekse8e9ju
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQjNEWVR5UlVZZ1NMcTEv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZTFMeXNOZWJ6bEVCTm5h
-            ZnUvM3ZaeUNsTGxwVjQwL0kvSTRyUnhhMXgwClpTV2ZwLzRVVlhOTTN5V1VTS2pG
+            K3hNR0VzUmdDSXZqalQ2TzE0V1dsMDBsK1dvCkQrRjVhV0FPTVN4bjYweVlKc05v
-            bHpCZlZ2SU1wTTJiZWQ3eHd2SFE5QmMKLS0tIG0wZFBvNXZlTTVwZHNRRXhEV1Ft
+            U09YdkxCY3EraU8wMDhmYlhrN0tBVmcKLS0tIGNaWDFGVXlOZm8zMmRHVXVSbnZQ
-            VXhjM1VESWhzcHVDY09kUUdvWE9QbU0KH2sUKQNQg4w9/Te85YfRMM5Cx83I4tEV
+            azM0NFhxYXZmaDBiRmhTT2w0a1UvY3MKvj4k/ee5KewwmyBdH9TT3c6wcrymChBa
-            Am4FMHpf3b9cVyhI+gNds5ROrhvox7VYW1rtLE43ApAnj9Jtj7qcMA==
+            o1LYK/mv5VvtZVOI5pTC1zxuqR3gB+whmRZrrGG7XE1ggeEKlV6VVw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1g5luz2rtel3surgzuh62rkvtey7lythrvfenyq954vmeyfpxjqkqdj3wt8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTc1RhaHdDa0lreklQNXBv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOXJPN3NxQVFzSGpKZWx3
-            cFk4OUxqcENMOW5nMWxtQ2pNeEpYK2ZWczJrCmJzL0NOL2FXa2RyS21oTzZyVTNK
+            VUdxcjFLekk0THJIcUZzMUZyd1dqTnRxRENVCmtNZDRsTjV0dXBpZVhuRi9BZEk5
-            eExiUktRc3U4YU9hNnFQdko5ZmdMY1kKLS0tIHQwcDFxbjNoSXdWSjdQd281YTJC
+            VFBROTZPTUEzVmFiNGdoZHV2bWplVmsKLS0tIG9zblVGaDBlTTlmSkZtZWExOFlT
-            LzN0UFVYTXdrU0pPZDFXODgyMkl4WjAKE0B30QO2gVITg3C8AG2/nW3jZHnEsL02
+            NzVtWWVoTzJXTzRyYjRzaHlOcit2L2MKq60k8FeYsK/JnDpgdIWkoY3ZW0yZkryE
-            pnlhQSpN4L1awQL6xcKk96d3n57pa+Hz2ah3fNkDGLw9vm8pNwVmiA==
+            F9DgKQL5wuqbtFoKX02ouQ6rb1y7rY1uJgLt6Mi6dsVWlwVw2fbDYQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNUx4UDEwdGRUaVdQc2xp
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaEtKY2pkQWZoSUx3V3Rn
-            cjM4c1ZEcElOdk1uS0ZwRDFCZDBZQ2oyV1djCm1rU3JLcVJHR0VPV0h0OEFML3Mz
+            MXpHa3B1UFRuWUR2azJKaFliUm5OaDFlNEFZCjBsaTlBN0JXUWFTbzdvV2hFRnRR
-            YkFJZUpvcXA0c0owUGlBcFJYNW1abDAKLS0tIHlUQ283anpwWTI1SklGUDAwVGFZ
+            TW1Pb2J4MFZHM2FPeUlLaVlNWWdXdGMKLS0tIDdNTEdhbVltQnFvRURQbkFiRUgy
-            QVdTd0lhZklUVC92QnJmU09sd2xybVEKXJ6fb3zFZntL1/WxtHYvamywN08kUplo
+            TGFSSkpTQndReWhXSGFPcVE4OTI1WFkK3xyxzPFIjOxsBTXrSAfjNZ/ZdZ+a4okg
-            kIiSRv+mJgRu5h35gih47q9vymcs8FEIdgDotztGS7qr+vV7ULP7KA==
+            ES9KXP6CsxGye0cXURAoJwWRxZdp1+XZ69EudXtqbHOJAKJkTZLeLA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdFBScjZNTnNPZWhHblFm
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPQUttWWswdk05cXZDUldV
-            YkdlSW4yOFFsUkZZaE5hdE0zcXJmNkV1L0ZjCkJTVk1VQzByUnBGbTZFQkdCdktV
+            MC9DQmtQM3B0NjExZDJYTGxLMmlabFo3ckVjCnVoNjByNDM5bU56aUFEZnhUdHAz
-            VS92WkZkMy82ZCt0bVV1Mjhjekp0MlUKLS0tIFFyZjFvVVhUTnBVUVcveUNzVUpJ
+            QmM5cnk2YkFNN2ZmT0xzbGFXOTlzUjAKLS0tIGRENER2NGdsVGNMRnhzaGkyVW1K
-            K3J6UDYvajZzeEhFb3M5eFh5OExqOEkK1AjfgMEImokKS7ei9ASMyTNzdhvUznI5
+            K1FkK0NmenVlL2R5UytvVEdMMlVZWDQKG65KOqL2NXN8An8215jgSK8Q+iDXVmsO
-            soMhl7O9P++xyRSzPW+vEMyJ7Nr6YvzjbS3pyQa0eoAibVvUXmFM8w==
+            EIZ1c9XTDm0yGfv2uywBGbo+Tgt/XpzKrXJMh0YM2LN0HdTv8doeFQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-02T22:09:06Z"
+        - recipient: age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey
-    mac: ENC[AES256_GCM,data:cxJq4EMEMVEw0IUXNwtyQj4MaYIJ/Xo4OaY+3VLgIhYw6oBO9CmJxgLuXcSnGnr23oNE5OQF6ALv+vxF46D1pI0V1zhqKL6zMIs0DzPBwo7Arg166w5kGAT274jK7YWymeJ7fafWXYubLlGUthyVJS1BkvlqIhoe2BlTZ3bPyBs=,iv:Z2Uh9Oo4q/ce6DDLShs7JAX3XFNAVOGBmBPvRbGxaaU=,tag:6qZhZ4+tgtXl60b0Lx7Taw==,type:str]
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTTF4YU9qaDlES2tMUWk3
+            TUNLRUQ3cVdBWlFLbkZlZWtHSjRZc3RkN0NjCkphVU00QUpWeE44RjFKZmFSQlRK
+            UUU2ZkJnSVZSVm9FRWMwalBhV29WOVUKLS0tIHBHTUF3YzdvcndjMzFxWTRWMzZt
+            dUZTSFJtNkMrazJTb3VJUjZXT2pEeUUKHWarf9/BG+c2/g3sjHGyZVyBuVRD/mJV
+            JABj0xlDupnyFyyNLkPYQ+RsYJMdVJ4Z8oQLtIQC6G7MmK6lGQqdQg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcTFDYnpiMm5zenlRamhE
+            ZDdGcGR1L3hTRHRWTFJURDhjTGcvNEJsMVJJCkhHdHJKdkZtN0RXYkVpbTJUbUpO
+            NlJCajlEMXlQVWkwYVRqUlYvQy9WYUUKLS0tIFptOTJvUTJndzNob2ErSVYvVGxz
+            TDhSN3VKbkNNZ3RmL2FYUmRpejVHSHMK8vJlbft3C1fJRcQNbMbmviWaZLXSY2Lo
+            HS/tMhvMyRXOGaX0OpL86LpM+W5Af+a99yS314JamB3Gsk9D+nOoWw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZ1JxUzZuRmliWFpHeitW
+            OTBlRlFhd3FmOWlFdmlNdElNUnBVdG9TRVFVCk9UU3FiZVE1S3pSbDZmYlp6N0h6
+            WUlham5IYmtQd0ZrK25KMTFLMnJtQ2sKLS0tIGJleW1LYVM5eDJ6MzBUUXFZUDRN
+            WEJzZzZ2eFQrdFA2VXpLaG1La0wxSlkKJL4hwHlth0eGCMf4B8PUslWvDDZHj4mR
+            fbY5BnItcPOqI/cAs6/w2LvjTMOYNq/bSxc+MCa+GHg5DREy9E4jaQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZUl6WUp2V2trc1FXRzM4
+            d2F2aXlpR0w2VG5DMmprUjU2RFNpZ0tVVFc4ClB4RU1qcE5kYTF6NjIrQUsvaDdi
+            RERNdGdlcnpaY0ljdkh4RjFtMktOcUkKLS0tIDJtdHZqVXl5U2pPNHF2OHYrajJB
+            YzB0MEdKdVF1KzVvSk9UMkN4eUVUMEUKbrH4uU82qZ2DpvnzxRMheh4J5kIZjYje
+            K0KhBxUyfB055TEzb+CSEc4TqI7TcDpqwK0S43yzac/SfWhGGuD+xQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhVytJenZWS2c4dW5ObVU5
+            UEQ4MlBMSkF1cDhncnplYjJ0N21MU0dPeDA0CkdqblhmZGxQb0hEak5EaUE5YzZ1
+            Z1R1SnhEQVIyejl3RVhuOStUVmlkMk0KLS0tIFQwc2pkaUUySWs4bkEwUzFuQWRV
+            V2w0aGZNd01iVTNHb09LeHJRQXBFeGMK+ogXQ06JKQthMjj8YJhdd7eYyV9NtF0f
+            J8vZ3w4rPkrY0EvNUnzfayBeLR3JPR674uWS7zV9wvkFaAciT8CSSQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTFJmN2tpaXlpWDdZOU1h
+            YXdaMUtsN1dCV1dkQXBYb0Qxa0E0WFYwdnhBCi9Md1NNanlZVFovNzRlVUV0UDk0
+            UU9IMlgyTWZPVUlydW5hZzJadzB3K28KLS0tIEZybGVaSUpMcXFSaGYyWEhYMlhC
+            NzlMeHJEM0RsZ0xHTkFielZ5aTdOczAK+3Y9IzTCcd0dYR384P0/s7hS7FctUG8e
+            q3IHht4B/3BRAikk3S4czbNS4EWGOqWbaE6pOy13Juq8D0wDy98Zjg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-11T21:18:22Z"
+    mac: ENC[AES256_GCM,data:5//boMp1awc/2XAkSASSCuobpkxa0E6IKf3GR8xHpMoCD30FJsCwV7PgX3fR8OuLEhOJ7UguqMNQdNqG37RMacreuDmI1J8oCFKp+3M2j4kCbXaEo8bw7WAtyjUez+SAXKzZWYmBibH0KOy6jdt+v0fdgy5hMBT4IFDofYRsyD0=,iv:6pD+SLwncpmal/FR4U8It2njvaQfUzzpALBCxa0NyME=,tag:4QN8ZFjdqck5ZgulF+FtbA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4

services/actions-runner/default.nix

@@ -0,0 +1,55 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets."actions-token-1" = {
+    sopsFile = ../../secrets/nix-cache01/actions_token_1;
+    format = "binary";
+  };
+
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+  };
+
+  services.gitea-actions-runner.instances = {
+    actions1 = {
+      enable = true;
+      tokenFile = config.sops.secrets.actions-token-1.path;
+      name = "actions1.home.2rjus.net";
+      settings = {
+        log = {
+          level = "debug";
+        };
+
+        runner = {
+          file = ".runner";
+          capacity = 4;
+          timeout = "2h";
+          shutdown_timeout = "10m";
+          insecure = false;
+          fetch_timeout = "10s";
+          fetch_interval = "30s";
+        };
+
+        cache = {
+          enabled = true;
+          dir = "/var/cache/gitea-actions1";
+        };
+
+        container = {
+          privileged = false;
+        };
+      };
+      labels =
+        builtins.map (n: "${n}:docker://gitea/runner-images:${n}") [
+          "ubuntu-latest"
+          "ubuntu-latest-slim"
+          "ubuntu-latest-full"
+        ]
+        ++ [
+          "homelab"
+        ];
+
+      url = "https://git.t-juice.club";
+    };
+  };
+}

services/authelia/default.nix

@@ -0,0 +1,87 @@
+{ config, ... }:
+{
+  sops.secrets.authelia_ldap_password = {
+    format = "yaml";
+    sopsFile = ../../secrets/auth01/secrets.yaml;
+    key = "authelia_ldap_password";
+    restartUnits = [ "authelia-auth.service" ];
+    owner = "authelia-auth";
+    group = "authelia-auth";
+  };
+  sops.secrets.authelia_jwt_secret = {
+    format = "yaml";
+    sopsFile = ../../secrets/auth01/secrets.yaml;
+    key = "authelia_jwt_secret";
+    restartUnits = [ "authelia-auth.service" ];
+    owner = "authelia-auth";
+    group = "authelia-auth";
+  };
+  sops.secrets.authelia_storage_encryption_key_file = {
+    format = "yaml";
+    key = "authelia_storage_encryption_key_file";
+    sopsFile = ../../secrets/auth01/secrets.yaml;
+    restartUnits = [ "authelia-auth.service" ];
+    owner = "authelia-auth";
+    group = "authelia-auth";
+  };
+  sops.secrets.authelia_session_secret = {
+    format = "yaml";
+    key = "authelia_session_secret";
+    sopsFile = ../../secrets/auth01/secrets.yaml;
+    restartUnits = [ "authelia-auth.service" ];
+    owner = "authelia-auth";
+    group = "authelia-auth";
+  };
+
+  services.authelia.instances."auth" = {
+    enable = true;
+    environmentVariables = {
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+        config.sops.secrets.authelia_ldap_password.path;
+      AUTHELIA_SESSION_SECRET_FILE = config.sops.secrets.authelia_session_secret.path;
+    };
+    secrets = {
+      jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path;
+      storageEncryptionKeyFile = config.sops.secrets.authelia_storage_encryption_key_file.path;
+    };
+    settings = {
+      access_control = {
+        default_policy = "two_factor";
+      };
+      session = {
+        # secret = "{{- fileContent \"${config.sops.secrets.authelia_session_secret.path}\" }}";
+        cookies = [
+          {
+            domain = "home.2rjus.net";
+            authelia_url = "https://auth.home.2rjus.net";
+            default_redirection_url = "https://dashboard.home.2rjus.net";
+            name = "authelia_session";
+            same_site = "lax";
+            inactivity = "1h";
+            expiration = "24h";
+            remember_me = "30d";
+          }
+        ];
+      };
+      notifier = {
+        filesystem.filename = "/var/lib/authelia-auth/notification.txt";
+      };
+      storage = {
+        local.path = "/var/lib/authelia-auth/db.sqlite3";
+      };
+      authentication_backend = {
+        password_reset = {
+          disable = false;
+        };
+        ldap = {
+          address = "ldap://127.0.0.1:3890";
+          implementation = "lldap";
+          timeout = "5s";
+          base_dn = "dc=home,dc=2rjus,dc=net";
+          user = "uid=authelia_ldap_user,ou=people,dc=home,dc=2rjus,dc=net";
+          # password = "{{- fileContent \"${config.sops.secrets.authelia_ldap_password.path}\" -}}";
+        };
+      };
+    };
+  };
+}

services/ca/ca.json

@@ -1,118 +0,0 @@
-{
-	"root": "/var/lib/step-ca/certs/root_ca.crt",
-	"federatedRoots": null,
-	"crt": "/var/lib/step-ca/certs/intermediate_ca.crt",
-	"key": "/var/lib/step-ca/secrets/intermediate_ca_key",
-	"address": ":443",
-	"insecureAddress": "",
-	"dnsNames": [
-		"10.69.13.12"
-	],
-	"ssh": {
-		"hostKey": "/var/lib/step-ca/secrets/ssh_host_ca_key",
-		"userKey": "/var/lib/step-ca/secrets/ssh_user_ca_key"
-	},
-	"logger": {
-		"format": "text"
-	},
-	"db": {
-		"type": "badgerv2",
-		"dataSource": "/var/lib/step-ca/db",
-		"badgerFileLoadingMode": ""
-	},
-	"authority": {
-		"provisioners": [
-			{
-				"type": "JWK",
-				"name": "ca@home.2rjus.net",
-				"key": {
-					"use": "sig",
-					"kty": "EC",
-					"kid": "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE",
-					"crv": "P-256",
-					"alg": "ES256",
-					"x": "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo",
-					"y": "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0"
-				},
-				"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g",
-				"claims": {
-					"enableSSHCA": true
-				}
-			},
-			{
-				"type": "ACME",
-				"name": "acme"
-			},
-			{
-				"type": "SSHPOP",
-				"name": "sshpop",
-				"claims": {
-					"enableSSHCA": true
-				}
-			}
-		]
-	},
-	"tls": {
-		"cipherSuites": [
-			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
-		],
-		"minVersion": 1.2,
-		"maxVersion": 1.3,
-		"renegotiation": false
-	},
-	"templates": {
-		"ssh": {
-			"user": [
-				{
-					"name": "config.tpl",
-					"type": "snippet",
-					"template": "templates/ssh/config.tpl",
-					"path": "~/.ssh/config",
-					"comment": "#"
-				},
-				{
-					"name": "step_includes.tpl",
-					"type": "prepend-line",
-					"template": "templates/ssh/step_includes.tpl",
-					"path": "${STEPPATH}/ssh/includes",
-					"comment": "#"
-				},
-				{
-					"name": "step_config.tpl",
-					"type": "file",
-					"template": "templates/ssh/step_config.tpl",
-					"path": "ssh/config",
-					"comment": "#"
-				},
-				{
-					"name": "known_hosts.tpl",
-					"type": "file",
-					"template": "templates/ssh/known_hosts.tpl",
-					"path": "ssh/known_hosts",
-					"comment": "#"
-				}
-			],
-			"host": [
-				{
-					"name": "sshd_config.tpl",
-					"type": "snippet",
-					"template": "templates/ssh/sshd_config.tpl",
-					"path": "/etc/ssh/sshd_config",
-					"comment": "#",
-					"requires": [
-						"Certificate",
-						"Key"
-					]
-				},
-				{
-					"name": "ca.tpl",
-					"type": "snippet",
-					"template": "templates/ssh/ca.tpl",
-					"path": "/etc/ssh/ca.pub",
-					"comment": "#"
-				}
-			]
-		}
-	}
-}

services/ca/default.nix

@@ -2,32 +2,164 @@
 {
   sops.secrets."ca_root_pw" = {
     sopsFile = ../../secrets/ca/secrets.yaml;
+    owner = "step-ca";
     path = "/var/lib/step-ca/secrets/ca_root_pw";
   };
   sops.secrets."intermediate_ca_key" = {
     sopsFile = ../../secrets/ca/keys/intermediate_ca_key;
     format = "binary";
+    owner = "step-ca";
     path = "/var/lib/step-ca/secrets/intermediate_ca_key";
   };
   sops.secrets."root_ca_key" = {
     sopsFile = ../../secrets/ca/keys/root_ca_key;
     format = "binary";
+    owner = "step-ca";
     path = "/var/lib/step-ca/secrets/root_ca_key";
   };
   sops.secrets."ssh_host_ca_key" = {
     sopsFile = ../../secrets/ca/keys/ssh_host_ca_key;
     format = "binary";
+    owner = "step-ca";
     path = "/var/lib/step-ca/secrets/ssh_host_ca_key";
   };
   sops.secrets."ssh_user_ca_key" = {
     sopsFile = ../../secrets/ca/keys/ssh_user_ca_key;
     format = "binary";
+    owner = "step-ca";
     path = "/var/lib/step-ca/secrets/ssh_user_ca_key";
   };
 
-  #services.step-ca = {
+  services.step-ca = {
-  #  enable = true;
+    enable = true;
-  #  package = unstable.step-ca;
+    package = pkgs.step-ca;
-  #  settings = builtins.fromJSON ./ca.json;
+    intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw";
-  #};
+    address = "0.0.0.0";
+    port = 443;
+    settings = {
+      metricsAddress = ":9000";
+      authority = {
+        provisioners = [
+          {
+            claims = {
+              enableSSHCA = true;
+              maxTLSCertDuration = "3600h";
+              defaultTLSCertDuration = "48h";
+            };
+            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g";
+            key = {
+              alg = "ES256";
+              crv = "P-256";
+              kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE";
+              kty = "EC";
+              use = "sig";
+              x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo";
+              y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0";
+            };
+            name = "ca@home.2rjus.net";
+            type = "JWK";
+          }
+          {
+            name = "acme";
+            type = "ACME";
+            claims = {
+              maxTLSCertDuration = "3600h";
+              defaultTLSCertDuration = "1800h";
+            };
+          }
+          {
+            claims = {
+              enableSSHCA = true;
+            };
+            name = "sshpop";
+            type = "SSHPOP";
+          }
+        ];
+      };
+      crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
+      db = {
+        badgerFileLoadingMode = "";
+        dataSource = "/var/lib/step-ca/db";
+        type = "badgerv2";
+      };
+      dnsNames = [
+        "ca.home.2rjus.net"
+        "10.69.13.12"
+      ];
+      federatedRoots = null;
+      insecureAddress = "";
+      key = "/var/lib/step-ca/secrets/intermediate_ca_key";
+      logger = {
+        format = "text";
+      };
+      root = "/var/lib/step-ca/certs/root_ca.crt";
+      ssh = {
+        hostKey = "/var/lib/step-ca/secrets/ssh_host_ca_key";
+        userKey = "/var/lib/step-ca/secrets/ssh_user_ca_key";
+      };
+      templates = {
+        ssh = {
+          host = [
+            {
+              comment = "#";
+              name = "sshd_config.tpl";
+              path = "/etc/ssh/sshd_config";
+              requires = [
+                "Certificate"
+                "Key"
+              ];
+              template = ./templates/ssh/sshd_config.tpl;
+              type = "snippet";
+            }
+            {
+              comment = "#";
+              name = "ca.tpl";
+              path = "/etc/ssh/ca.pub";
+              template = ./templates/ssh/ca.tpl;
+              type = "snippet";
+            }
+          ];
+          user = [
+            {
+              comment = "#";
+              name = "config.tpl";
+              path = "~/.ssh/config";
+              template = ./templates/ssh/config.tpl;
+              type = "snippet";
+            }
+            {
+              comment = "#";
+              name = "step_includes.tpl";
+              path = "\${STEPPATH}/ssh/includes";
+              template = ./templates/ssh/step_includes.tpl;
+              type = "prepend-line";
+            }
+            {
+              comment = "#";
+              name = "step_config.tpl";
+              path = "ssh/config";
+              template = ./templates/ssh/step_config.tpl;
+              type = "file";
+            }
+            {
+              comment = "#";
+              name = "known_hosts.tpl";
+              path = "ssh/known_hosts";
+              template = ./templates/ssh/known_hosts.tpl;
+              type = "file";
+            }
+          ];
+        };
+      };
+      tls = {
+        cipherSuites = [
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ];
+        maxVersion = 1.3;
+        minVersion = 1.2;
+        renegotiation = false;
+      };
+    };
+  };
 }

services/ca/templates/ssh/config.tpl

@@ -0,0 +1,14 @@
+Host *
+{{- if or .User.GOOS "none" | eq "windows" }}
+{{- if .User.StepBasePath }}
+	Include "{{ .User.StepBasePath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes"
+{{- else }}
+	Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes"
+{{- end }}
+{{- else }}
+{{- if .User.StepBasePath }}
+	Include "{{.User.StepBasePath}}/ssh/includes"
+{{- else }}
+	Include "{{.User.StepPath}}/ssh/includes"
+{{- end }}
+{{- end }}

services/ca/templates/ssh/known_hosts.tpl

@@ -0,0 +1,4 @@
+@cert-authority * {{.Step.SSH.HostKey.Type}} {{.Step.SSH.HostKey.Marshal | toString | b64enc}}
+{{- range .Step.SSH.HostFederatedKeys}}
+@cert-authority * {{.Type}} {{.Marshal | toString | b64enc}}
+{{- end }}

services/ca/templates/ssh/sshd_config.tpl

@@ -0,0 +1,4 @@
+Match all
+	TrustedUserCAKeys /etc/ssh/ca.pub
+	HostCertificate /etc/ssh/{{.User.Certificate}}
+	HostKey /etc/ssh/{{.User.Key}}

services/ca/templates/ssh/step_config.tpl

@@ -0,0 +1,11 @@
+Match exec "step ssh check-host{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %h"
+{{- if .User.User }}
+	User {{.User.User}}
+{{- end }}
+{{- if or .User.GOOS "none" | eq "windows" }}
+	UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts"
+	ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
+{{- else }}
+	UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts"
+	ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
+{{- end }}

services/ca/templates/ssh/step_includes.tpl

@@ -0,0 +1 @@
+{{- if or .User.GOOS "none" | eq "windows" }}Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/config"{{- else }}Include "{{.User.StepPath}}/ssh/config"{{- end }}

services/home-assistant/default.nix

@@ -7,29 +7,33 @@
     configWritable = true;
     config = null;
     extraPackages =
-      python3Packages: with pkgs.unstable.python312Packages; [
+      python3Packages: with pkgs.unstable.python313Packages; [
         aiopyarr
-        zigpy-cc
+        aioshelly
-        zigpy-znp
-        zigpy-zigate
-        zigpy-xbee
-        zigpy-deconz
-        pykodi
-        gtts
         bellows
-        radios
+        gtts
+        ha-silabs-firmware-client
+        isal
         paho-mqtt
-        zha-quirks
+        prometheus-client
+        pykodi
+        python-roborock
+        radios
         uiprotect
         unifi-discovery
         universal-silabs-flasher
         vacuum-map-parser-base
         vacuum-map-parser-roborock
-        python-roborock
+        zha
+        zha-quirks
+        zigpy-cc
+        zigpy-deconz
+        zigpy-xbee
+        zigpy-zigate
+        zigpy-znp
+        zlib-ng
       ];
-    customComponents =
+    customComponents = with pkgs.home-assistant-custom-components; [
-      with pkgs.home-assistant-custom-components;
-      [
     ];
   };
 

services/http-proxy/proxy.nix

@@ -2,24 +2,130 @@
 {
   services.caddy = {
     enable = true;
+    package = pkgs.unstable.caddy;
     configFile = pkgs.writeText "Caddyfile" ''
-      http://nzbget.home.2rjus.net {
+      {
+        acme_ca https://ca.home.2rjus.net/acme/acme/directory
+
+        metrics {
+          per_host
+        }
+      }
+
+      nzbget.home.2rjus.net {
+        log {
+          output file /var/log/caddy/nzbget.log {
+            mode 644
+          }
+        }
         reverse_proxy http://nzbget-jail.home.2rjus.net:6789
       }
 
-      http://radarr.home.2rjus.net {
+      radarr.home.2rjus.net {
+        log {
+          output file /var/log/caddy/radarr.log {
+            mode 644
+          }
+        }
         reverse_proxy http://radarr-jail.home.2rjus.net:7878
       }
 
-      http://sonarr.home.2rjus.net {
+      sonarr.home.2rjus.net {
+        log {
+          output file /var/log/caddy/sonarr.log {
+            mode 644
+          }
+        }
         reverse_proxy http://sonarr-jail.home.2rjus.net:8989
       }
-      http://ha.home.2rjus.net {
+      ha.home.2rjus.net {
+        log {
+          output file /var/log/caddy/ha.log {
+            mode 644
+          }
+        }
         reverse_proxy http://ha1.home.2rjus.net:8123
       }
-      http://z2m.home.2rjus.net {
+      z2m.home.2rjus.net {
+        log {
+          output file /var/log/caddy/z2m.log {
+            mode 644
+          }
+        }
         reverse_proxy http://ha1.home.2rjus.net:8080
       }
+      prometheus.home.2rjus.net {
+        log {
+          output file /var/log/caddy/prometheus.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:9090
+      }
+      alertmanager.home.2rjus.net {
+        log {
+          output file /var/log/caddy/alertmanager.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:9093
+      }
+      grafana.home.2rjus.net {
+        log {
+          output file /var/log/caddy/grafana.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:3000
+      }
+      jelly.home.2rjus.net {
+        log {
+          output file /var/log/caddy/jelly.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://jelly01.home.2rjus.net:8096
+      }
+      lldap.home.2rjus.net {
+        log {
+          output file /var/log/caddy/auth.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://auth01.home.2rjus.net:17170
+      }
+      auth.home.2rjus.net {
+        log {
+          output file /var/log/caddy/auth.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://auth01.home.2rjus.net:9091
+      }
+      pyroscope.home.2rjus.net {
+        log {
+          output file /var/log/caddy/pyroscope.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:4040
+      }
+      pushgw.home.2rjus.net {
+        log {
+          output file /var/log/caddy/pushgw.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:9091
+      }
+      http://http-proxy.home.2rjus.net/metrics {
+        log {
+          output file /var/log/caddy/caddy-metrics.log {
+            mode 644
+          }
+        }
+        metrics
+      }
     '';
   };
 }

services/incus/default.nix

@@ -1,7 +0,0 @@
-{ pkgs, config, ... }:
-{
-  virtualisation.incus = {
-    enable = true;
-  };
-  networking.firewall.allowedTCPPorts = [ 8443 ];
-}

services/jellyfin/default.nix

@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+{
+  services.jellyfin = {
+    enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    nfs-utils
+  ];
+
+  services.rpcbind.enable = true;
+  systemd.mounts = [
+    {
+      type = "nfs";
+      mountConfig = {
+        Options = "ro,soft,noatime";
+      };
+      what = "nas.home.2rjus.net:/mnt/hdd-pool/media";
+      where = "/mnt/nas/media";
+    }
+  ];
+
+  systemd.automounts = [
+    {
+      wantedBy = [ "multi-user.target" ];
+      automountConfig = {
+        TimeoutIdleSec = "5min";
+      };
+      where = "/mnt/nas/media";
+    }
+  ];
+}

services/lldap/default.nix

@@ -0,0 +1,28 @@
+{ ... }:
+{
+  services.lldap = {
+    enable = true;
+    settings = {
+      ldap_base_dn = "dc=home,dc=2rjus,dc=net";
+      ldap_user_email = "admin@home.2rjus.net";
+      ldap_user_dn = "admin";
+      ldaps_options = {
+        enabled = true;
+        port = 6360;
+        cert_file = "/var/lib/acme/auth01.home.2rjus.net/cert.pem";
+        key_file = "/var/lib/acme/auth01.home.2rjus.net/key.pem";
+      };
+    };
+  };
+  systemd.services.lldap = {
+    serviceConfig = {
+      SupplementaryGroups = [ "acme" ];
+    };
+  };
+  security.acme.certs."auth01.home.2rjus.net" = {
+    listenHTTP = ":80";
+    reloadServices = [ "lldap" ];
+    extraDomainNames = [ "ldap.home.2rjus.net" ];
+    enableDebugLogs = true;
+  };
+}

services/monitoring/alerttonotify.nix

@@ -0,0 +1,43 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets."nats_nkey" = { };
+  systemd.services."alerttonotify" = {
+    enable = true;
+    wants = [ "network-online.target" ];
+    after = [
+      "network-online.target"
+      "sops-nix.service"
+    ];
+    wantedBy = [ "multi-user.target" ];
+    restartIfChanged = true;
+
+    environment = {
+      NATS_URL = "nats://nats1.home.2rjus.net:4222";
+      NATS_NKEY_FILE = "%d/nats_nkey";
+    };
+
+    serviceConfig = {
+      Type = "exec";
+      ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify";
+
+      CapabilityBoundingSet = "";
+      DynamicUser = "yes";
+      LoadCredential = "nats_nkey:/run/secrets/nats_nkey";
+      LockPersonality = "yes";
+      MemoryDenyWriteExecute = "yes";
+      PrivateDevices = "yes";
+      PrivateUsers = "yes";
+      ProtectClock = "yes";
+      ProtectControlGroups = "yes";
+      ProtectHome = "yes";
+      ProtectHostname = "yes";
+      ProtectKernelLogs = "yes";
+      ProtectKernelModules = "yes";
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = "yes";
+      RestrictRealtime = "yes";
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "~@privileged";
+    };
+  };
+}

services/monitoring/alloy.nix

@@ -0,0 +1,41 @@
+{ ... }:
+{
+  services.alloy = {
+    enable = true;
+  };
+
+  environment.etc."alloy/config.alloy" = {
+    enable = true;
+    mode = "0644";
+    text = ''
+      pyroscope.write "local_pyroscope" {
+        endpoint {
+          url = "http://localhost:4040"
+        }
+      }
+
+      pyroscope.scrape "labmon" {
+        targets    = [{"__address__" = "localhost:9969", "service_name" = "labmon"}]
+        forward_to = [pyroscope.write.local_pyroscope.receiver]
+
+        profiling_config {
+          profile.process_cpu {
+            enabled = true
+          }
+          profile.memory {
+            enabled = true
+          }
+          profile.mutex {
+            enabled = true
+          }
+          profile.block {
+            enabled = true
+          }
+          profile.goroutine {
+            enabled = true
+          }
+        }
+      }
+    '';
+  };
+}

services/monitoring/default.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  imports = [
+    ./loki.nix
+    ./grafana.nix
+    ./prometheus.nix
+    ./pve.nix
+    ./alerttonotify.nix
+    ./pyroscope.nix
+    ./alloy.nix
+    ./tempo.nix
+  ];
+}

services/monitoring/grafana.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        http_addr = "";
+      };
+    };
+  };
+}

services/monitoring/loki.nix

@@ -0,0 +1,42 @@
+{ ... }:
+{
+  services.loki = {
+    enable = true;
+    configuration = {
+      auth_enabled = false;
+
+      server = {
+        http_listen_port = 3100;
+      };
+      common = {
+        ring = {
+          instance_addr = "127.0.0.1";
+          kvstore = {
+            store = "inmemory";
+          };
+        };
+        replication_factor = 1;
+        path_prefix = "/var/lib/loki";
+      };
+      schema_config = {
+        configs = [
+          {
+            from = "2024-01-01";
+            store = "tsdb";
+            object_store = "filesystem";
+            schema = "v13";
+            index = {
+              prefix = "loki_index_";
+              period = "24h";
+            };
+          }
+        ];
+      };
+      storage_config = {
+        filesystem = {
+          directory = "/var/lib/loki/chunks";
+        };
+      };
+    };
+  };
+}

services/monitoring/prometheus.nix

@@ -0,0 +1,228 @@
+{ ... }:
+{
+  services.prometheus = {
+    enable = true;
+    alertmanager = {
+      enable = true;
+      configuration = {
+        global = {
+        };
+        route = {
+          receiver = "webhook_natstonotify";
+          group_wait = "30s";
+          group_interval = "5m";
+          repeat_interval = "1h";
+          group_by = [ "alertname" ];
+        };
+        receivers = [
+          {
+            name = "webhook_natstonotify";
+            webhook_configs = [
+              {
+                url = "http://localhost:5001/alert";
+              }
+            ];
+          }
+        ];
+      };
+    };
+    alertmanagers = [
+      {
+        static_configs = [
+          {
+            targets = [ "localhost:9093" ];
+          }
+        ];
+      }
+    ];
+
+    retentionTime = "30d";
+    globalConfig = {
+      scrape_interval = "15s";
+    };
+    rules = [
+      (builtins.readFile ./rules.yml)
+    ];
+
+    scrapeConfigs = [
+      {
+        job_name = "node-exporter";
+        static_configs = [
+          {
+            targets = [
+              "ca.home.2rjus.net:9100"
+              "gunter.home.2rjus.net:9100"
+              "ha1.home.2rjus.net:9100"
+              "http-proxy.home.2rjus.net:9100"
+              "jelly01.home.2rjus.net:9100"
+              "monitoring01.home.2rjus.net:9100"
+              "nix-cache01.home.2rjus.net:9100"
+              "ns1.home.2rjus.net:9100"
+              "ns2.home.2rjus.net:9100"
+              "pgdb1.home.2rjus.net:9100"
+              "nats1.home.2rjus.net:9100"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "prometheus";
+        static_configs = [
+          {
+            targets = [ "localhost:9090" ];
+          }
+        ];
+      }
+      {
+        job_name = "loki";
+        static_configs = [
+          {
+            targets = [ "localhost:3100" ];
+          }
+        ];
+      }
+      {
+        job_name = "grafana";
+        static_configs = [
+          {
+            targets = [ "localhost:3100" ];
+          }
+        ];
+      }
+      {
+        job_name = "alertmanager";
+        static_configs = [
+          {
+            targets = [ "localhost:9093" ];
+          }
+        ];
+      }
+      {
+        job_name = "restic_rest";
+        static_configs = [
+          {
+            targets = [ "10.69.12.52:8000" ];
+          }
+        ];
+      }
+      {
+        job_name = "pve-exporter";
+        static_configs = [
+          {
+            targets = [ "10.69.12.75" ];
+          }
+        ];
+        metrics_path = "/pve";
+        params = {
+          module = [ "default" ];
+          cluster = [ "1" ];
+          node = [ "1" ];
+        };
+        relabel_configs = [
+          {
+            source_labels = [ "__address__" ];
+            target_label = "__param_target";
+          }
+          {
+            source_labels = [ "__param_target" ];
+            target_label = "instance";
+          }
+          {
+            target_label = "__address__";
+            replacement = "127.0.0.1:9221";
+          }
+        ];
+      }
+      {
+        job_name = "caddy";
+        static_configs = [
+          {
+            targets = [ "http-proxy.home.2rjus.net" ];
+          }
+        ];
+      }
+      {
+        job_name = "jellyfin";
+        static_configs = [
+          {
+            targets = [ "jelly01.home.2rjus.net:8096" ];
+          }
+        ];
+      }
+      {
+        job_name = "smartctl";
+        static_configs = [
+          {
+            targets = [ "gunter.home.2rjus.net:9633" ];
+          }
+        ];
+      }
+      {
+        job_name = "wireguard";
+        static_configs = [
+          {
+            targets = [ "http-proxy.home.2rjus.net:9586" ];
+          }
+        ];
+      }
+      {
+        job_name = "home-assistant";
+        scrape_interval = "60s";
+        metrics_path = "/api/prometheus";
+        static_configs = [
+          {
+            targets = [ "ha1.home.2rjus.net:8123" ];
+          }
+        ];
+      }
+      {
+        job_name = "ghettoptt";
+        static_configs = [
+          {
+            targets = [ "gunter.home.2rjus.net:8989" ];
+          }
+        ];
+      }
+      {
+        job_name = "step-ca";
+        static_configs = [
+          {
+            targets = [ "ca.home.2rjus.net:9000" ];
+          }
+        ];
+      }
+      {
+        job_name = "labmon";
+        static_configs = [
+          {
+            targets = [ "monitoring01.home.2rjus.net:9969" ];
+          }
+        ];
+      }
+      {
+        job_name = "pushgateway";
+        honor_labels = true;
+        static_configs = [
+          {
+            targets = [ "localhost:9091" ];
+          }
+        ];
+      }
+      {
+        job_name = "nix-cache_caddy";
+        scheme = "https";
+        static_configs = [
+          {
+            targets = [ "nix-cache.home.2rjus.net" ];
+          }
+        ];
+      }
+    ];
+    pushgateway = {
+      enable = true;
+      web = {
+        external-url = "https://pushgw.home.2rjus.net";
+      };
+    };
+  };
+}

services/monitoring/pve.nix

@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+  sops.secrets.pve_exporter = {
+    format = "yaml";
+    sopsFile = ../../secrets/monitoring01/pve-exporter.yaml;
+    key = "";
+    mode = "0444";
+  };
+  services.prometheus.exporters.pve = {
+    enable = true;
+    configFile = config.sops.secrets.pve_exporter.path;
+    collectors = {
+      cluster = false;
+      replication = false;
+    };
+  };
+}

services/monitoring/pyroscope.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  virtualisation.oci-containers.containers.pyroscope = {
+    pull = "missing";
+    image = "grafana/pyroscope:latest";
+    ports = [ "4040:4040" ];
+  };
+}

services/monitoring/rules.yml

@@ -0,0 +1,250 @@
+groups:
+  - name: common_rules
+    rules:
+      - alert: node_down
+        expr: up == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Instance {{ $labels.instance }} down"
+          description: "{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes."
+      - alert: low_disk_space
+        expr: node_filesystem_free_bytes{mountpoint="/"} / node_filesystem_size_bytes{mountpoint="/"} * 100 < 10
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Disk space low on {{ $labels.instance }}"
+          description: "Disk space is low on {{ $labels.instance }}. Please check."
+      - alert: high_cpu_load
+        expr: max(node_load5{}) by (instance) > (count by (instance)(node_cpu_seconds_total{mode="idle"}) * 0.7)
+        for: 15m
+        labels:
+          severity: warning
+        annotations:
+          summary: "High CPU load on {{ $labels.instance }}"
+          description: "CPU load is high on {{ $labels.instance }}. Please check."
+      - alert: low_memory
+        expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10
+        for: 2m
+        labels:
+          severity: warning
+        annotations:
+          summary: Low available memory on {{ $labels.instance }}
+          description: Node memory is filling up (< 10% left)\n  VALUE = {{ $value }}
+      - alert: oom_kill
+        expr: increase(node_vmstat_oom_kill[1m]) > 0
+        for: 0m
+        labels:
+          severity: warning
+        annotations:
+          summary: Host OOM kill detected on {{ $labels.instance }}
+          description: OOM kill detected
+      - alert: nixos_upgrade_failed
+        expr: node_systemd_unit_state{name="nixos-upgrade.service", state="failed"} == 1
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: "NixOS upgrade failed on {{ $labels.instance }}"
+          description: "NixOS upgrade failed on {{ $labels.instance }}"
+      - alert: promtail_not_running
+        expr: node_systemd_unit_state{name="promtail.service", state="active"} == 0
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Promtail service not running on {{ $labels.instance }}"
+          description: "The promtail service has not been active on {{ $labels.instance }} for 5 minutes."
+  - name: nameserver_rules
+    rules:
+      - alert: unbound_down
+        expr: node_systemd_unit_state {instance =~ "ns.+", name = "unbound.service", state = "active"} == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Unbound not running on {{ $labels.instance }}"
+          description: "Unbound has been down on {{ $labels.instance }} more than 5 minutes."
+      - alert: nsd_down
+        expr: node_systemd_unit_state {instance =~ "ns.+", name = "nsd.service", state = "active"} == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "NSD not running on {{ $labels.instance }}"
+          description: "NSD has been down on {{ $labels.instance }} more than 5 minutes."
+  - name: http-proxy_rules 
+    rules:
+      - alert: caddy_down
+        expr: node_systemd_unit_state {instance="http-proxy.home.2rjus.net:9100", name = "caddy.service", state = "active"} == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Caddy not running on {{ $labels.instance }}"
+          description: "Caddy has been down on {{ $labels.instance }} more than 5 minutes."
+  - name: nats_rules
+    rules:
+      - alert: nats_down
+        expr: node_systemd_unit_state {instance="nats1.home.2rjus.net:9100", name = "nats.service", state = "active"} == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "NATS not running on {{ $labels.instance }}"
+          description: "NATS has been down on {{ $labels.instance }} more than 5 minutes."
+  - name: nix_cache_rules
+    rules:
+      - alert: build-flakes_service_not_active_recently
+        expr: count_over_time(node_systemd_unit_state{instance="nix-cache01.home.2rjus.net:9100", name="build-flakes.service", state="active"}[1h]) < 1
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: "The build-flakes service on {{ $labels.instance }} has not run recently"
+          description: "The build-flakes service on {{ $labels.instance }} has not run recently"
+      - alert: build_flakes_error
+        expr: build_flakes_error == 1
+        labels:
+          severity: warning
+        annotations:
+          summary: "The build-flakes job has failed for host {{ $labels.host }}."
+          description: "The build-flakes job has failed for host {{ $labels.host }}."
+      - alert: harmonia_down
+        expr: node_systemd_unit_state {instance="nix-cache01.home.2rjus.net:9100", name = "harmonia.service", state = "active"} == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Harmonia not running on {{ $labels.instance }}"
+          description: "Harmonia has been down on {{ $labels.instance }} more than 5 minutes."
+      - alert: low_disk_space_nix
+        expr: node_filesystem_free_bytes{instance="nix-cache01.home.2rjus.net:9100", mountpoint="/nix"} / node_filesystem_size_bytes{instance="nix-cache01.home.2rjus.net:9100", mountpoint="/nix"} * 100 < 10
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Disk space low on /nix for {{ $labels.instance }}"
+          description: "Disk space is low on /nix for host {{ $labels.instance }}. Please check."
+  - name: home_assistant_rules
+    rules:
+      - alert: home_assistant_down
+        expr: node_systemd_unit_state {instance="ha1.home.2rjus.net:9100", name="home-assistant.service", state="active"}  == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Home assistant not running on {{ $labels.instance }}"
+          description: "Home assistant has been down on {{ $labels.instance }} more than 5 minutes."
+      - alert: zigbee2qmtt_down 
+        expr: node_systemd_unit_state {instance = "ha1.home.2rjus.net:9100", name = "zigbee2mqtt.service", state = "active"} == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Zigbee2mqtt not running on {{ $labels.instance }}"
+          description: "Zigbee2mqtt has been down on {{ $labels.instance }} more than 5 minutes."
+      - alert: mosquitto_down
+        expr: node_systemd_unit_state {instance = "ha1.home.2rjus.net:9100", name = "mosquitto.service", state = "active"} == 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Mosquitto not running on {{ $labels.instance }}"
+          description: "Mosquitto has been down on {{ $labels.instance }} more than 5 minutes."
+  - name: smartctl_rules
+    rules:
+      - alert: SmartCriticalWarning
+        expr: smartctl_device_critical_warning > 0
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: SMART critical warning (instance {{ $labels.instance }})
+          description: "Disk controller has critical warning on {{ $labels.instance }} drive {{ $labels.device }})\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+      - alert: SmartMediaErrors
+        expr: smartctl_device_media_errors > 0
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: SMART media errors (instance {{ $labels.instance }})
+          description: "Disk controller detected media errors on {{ $labels.instance }} drive {{ $labels.device }})\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+      - alert: SmartWearoutIndicator
+        expr: smartctl_device_available_spare < smartctl_device_available_spare_threshold
+        for: 0m
+        labels:
+          severity: critical
+        annotations:
+          summary: SMART Wearout Indicator (instance {{ $labels.instance }})
+          description: "Device is wearing out on {{ $labels.instance }} drive {{ $labels.device }})\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+  - name: wireguard_rules
+    rules:
+      - alert: WireguardHandshake
+        expr: (time() - wireguard_latest_handshake_seconds{instance="http-proxy.home.2rjus.net:9586",interface="wg0",public_key="32Rb13wExcy8uI92JTnFdiOfkv0mlQ6f181WA741DHs="}) > 300
+        for: 1m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Wireguard handshake timeout on {{ $labels.instance }}"
+          description: "Wireguard handshake timeout on {{ $labels.instance }} for more than 1 minutes."
+  - name: monitoring_rules
+    rules:
+      - alert: prometheus_not_running
+        expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="prometheus.service", state="active"} == 0
+        labels:
+          severity: critical
+        annotations:
+          summary: "Prometheus service not running on {{ $labels.instance }}"
+          description: "Prometheus service not running on {{ $labels.instance }}"
+      - alert: alertmanager_not_running
+        expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="alertmanager.service", state="active"} == 0
+        labels:
+          severity: critical
+        annotations:
+          summary: "Alertmanager service not running on {{ $labels.instance }}"
+          description: "Alertmanager service not running on {{ $labels.instance }}"
+      - alert: pushgateway_not_running
+        expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="pushgateway.service", state="active"} == 0
+        labels:
+          severity: critical
+        annotations:
+          summary: "Pushgateway service not running on {{ $labels.instance }}"
+          description: "Pushgateway service not running on {{ $labels.instance }}"
+      - alert: pushgateway_not_running
+        expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="pushgateway.service", state="active"} == 0
+        labels:
+          severity: critical
+        annotations:
+          summary: "Pushgateway service not running on {{ $labels.instance }}"
+          description: "Pushgateway service not running on {{ $labels.instance }}"
+      - alert: loki_not_running
+        expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="loki.service", state="active"} == 0
+        labels:
+          severity: critical
+        annotations:
+          summary: "Loki service not running on {{ $labels.instance }}"
+          description: "Loki service not running on {{ $labels.instance }}"
+      - alert: grafana_not_running
+        expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="grafana.service", state="active"} == 0
+        labels:
+          severity: warning
+        annotations:
+          summary: "Grafana service not running on {{ $labels.instance }}"
+          description: "Grafana service not running on {{ $labels.instance }}"
+      - alert: tempo_not_running
+        expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="tempo.service", state="active"} == 0
+        labels:
+          severity: warning
+        annotations:
+          summary: "Tempo service not running on {{ $labels.instance }}"
+          description: "Tempo service not running on {{ $labels.instance }}"
+      - alert: pyroscope_not_running
+        expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="podman-pyroscope.service", state="active"} == 0
+        labels:
+          severity: warning
+        annotations:
+          summary: "Pyroscope service not running on {{ $labels.instance }}"
+          description: "Pyroscope service not running on {{ $labels.instance }}"

services/monitoring/tempo.nix

@@ -0,0 +1,37 @@
+{ ... }:
+{
+  services.tempo = {
+    enable = true;
+    settings = {
+      server = {
+        http_listen_port = 3200;
+        grpc_listen_port = 3201;
+      };
+      distributor = {
+        receivers = {
+          otlp = {
+            protocols = {
+              http = {
+                endpoint = ":4318";
+                cors = {
+                  allowed_origins = [ "*.home.2rjus.net" ];
+                };
+              };
+            };
+          };
+        };
+      };
+      storage = {
+        trace = {
+          backend = "local";
+          local = {
+            path = "/var/lib/tempo";
+          };
+          wal = {
+            path = "/var/lib/tempo/wal";
+          };
+        };
+      };
+    };
+  };
+}

services/nats/default.nix

@@ -0,0 +1,33 @@
+{ ... }:
+{
+  services.nats = {
+    enable = true;
+    jetstream = true;
+    serverName = "nats1";
+    settings = {
+      accounts = {
+        ADMIN = {
+          users = [
+            {
+              nkey = "UA44ZINQKUBTV7CX3RE7MVHOEQOQK2VQGCI4GL4M7XBJB4S66URHLW7A";
+            }
+          ];
+        };
+
+        HOMELAB = {
+          jetstream = "enabled";
+          users = [
+            {
+              nkey = "UASLNKLWGICRTZMIXVD3RXLQ57XRIMCKBHP5V3PYFFRNO3E3BIJBCYMZ";
+            }
+          ];
+        };
+      };
+      system_account = "ADMIN";
+      jetstream = {
+        max_mem = "1G";
+        max_file = "1G";
+      };
+    };
+  };
+}

services/nix-cache/build-flakes.nix

@@ -0,0 +1,29 @@
+{ pkgs, ... }:
+let
+  build-flake-script = pkgs.writeShellApplication {
+    name = "build-flake-script";
+    runtimeInputs = with pkgs; [
+      git
+      nix
+      nixos-rebuild
+      jq
+      curl
+    ];
+    text = builtins.readFile ./build-flakes.sh;
+  };
+in
+{
+  systemd.services."build-flakes" = {
+    serviceConfig = {
+      Type = "exec";
+      ExecStart = "${build-flake-script}/bin/build-flake-script";
+    };
+  };
+  systemd.timers."build-flakes" = {
+    enable = true;
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "*-*-* *:30:00";
+    };
+  };
+}

services/nix-cache/build-flakes.sh

@@ -0,0 +1,44 @@
+JOB_NAME="build_flakes"
+
+cd /root/nixos-servers
+git pull
+echo "Starting nixos-servers builds"
+for host in $(nix flake show --json| jq -r '.nixosConfigurations | keys[]'); do
+  echo "Building $host"
+  if ! nixos-rebuild --verbose -L --flake ".#$host" build; then
+    echo "Build failed for $host"
+    cat <<EOF | curl -sS -X PUT --data-binary @- "https://pushgw.home.2rjus.net/metrics/job/$JOB_NAME/host/$host"
+# TYPE build_flakes_error gauge
+# HELP build_flakes_error 0 if the build was successful, 1 if it failed
+build_flakes_error{instance="$HOSTNAME"} 1
+EOF
+  else 
+    echo "Build successful for $host"
+    cat <<EOF | curl -sS -X PUT --data-binary @- "https://pushgw.home.2rjus.net/metrics/job/$JOB_NAME/host/$host"
+# TYPE build_flakes_error gauge
+# HELP build_flakes_error 0 if the build was successful, 1 if it failed
+build_flakes_error{instance="$HOSTNAME"} 0
+EOF
+  fi
+done
+echo "All nixos-servers builds complete"
+
+echo "Building gunter"
+cd /root/nixos
+git pull
+host="gunter"
+if ! nixos-rebuild --verbose -L --flake ".#gunter" build; then
+    echo "Build failed for $host"
+    cat <<EOF | curl -sS -X PUT --data-binary @- "https://pushgw.home.2rjus.net/metrics/job/$JOB_NAME/host/$host"
+# TYPE build_flakes_error gauge
+# HELP build_flakes_error 0 if the build was successful, 1 if it failed
+build_flakes_error{instance="$HOSTNAME"} 1
+EOF
+else 
+    echo "Build successful for $host"
+    cat <<EOF | curl -sS -X PUT --data-binary @- "https://pushgw.home.2rjus.net/metrics/job/$JOB_NAME/host/$host"
+# TYPE build_flakes_error gauge
+# HELP build_flakes_error 0 if the build was successful, 1 if it failed
+build_flakes_error{instance="$HOSTNAME"} 0
+EOF
+fi

services/nix-cache/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./build-flakes.nix
+    ./harmonia.nix
+    ./proxy.nix
+    ./nix.nix
+  ];
+}

services/nix-cache/harmonia.nix

@@ -0,0 +1,16 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets."cache-secret" = {
+    sopsFile = ../../secrets/nix-cache01/cache-secret;
+    format = "binary";
+  };
+
+  services.harmonia = {
+    enable = true;
+    package = pkgs.unstable.harmonia;
+    signKeyPaths = [ config.sops.secrets.cache-secret.path ];
+  };
+  systemd.services.harmonia = {
+    environment.RUST_LOG = "info,actix_web=debug";
+  };
+}

services/nix-cache/nix.nix

@@ -0,0 +1,7 @@
+{ lib, ... }:
+{
+  nix.settings.substituters = lib.mkForce [
+    "https://cache.nixos.org"
+    "https://cuda-maintainers.cachix.org"
+  ];
+}

services/nix-cache/proxy.nix

@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+  services.caddy = {
+    enable = true;
+    package = pkgs.unstable.caddy;
+    configFile = pkgs.writeText "Caddyfile" ''
+      {
+        acme_ca https://ca.home.2rjus.net/acme/acme/directory
+        metrics
+      }
+
+
+      nix-cache.home.2rjus.net {
+        log {
+          output file /var/log/caddy/nix-cache.log {
+            mode 644
+          }
+        }
+        metrics /metrics
+
+        reverse_proxy http://localhost:5000
+      }
+    '';
+  };
+}

services/ns/zones-home-2rjus-net.conf

@@ -1,7 +1,7 @@
 $ORIGIN home.2rjus.net.
 $TTL 1800
 @       IN      SOA     ns1.home.2rjus.net.      admin.test.2rjus.net. (
-                        2041                    ; serial number
+                        2063                    ; serial number
                         3600                    ; refresh
                         900                     ; retry
                         1209600                 ; expire
@@ -16,9 +16,6 @@ $TTL 1800
 kube-blue1          IN      A       10.69.8.150
 kube-blue2          IN      A       10.69.8.151
 kube-blue3          IN      A       10.69.8.152
-grafana             IN      CNAME   kube-blue3
-prometheus          IN      CNAME   kube-blue3
-alertmanager        IN      CNAME   kube-blue3
 
 kube-blue4          IN      A       10.69.8.153
 rook                IN      CNAME   kube-blue4
@@ -47,6 +44,7 @@ mpnzb 	            IN      A       10.69.12.57
 pve1                IN      A       10.69.12.75
 inc1                IN      A       10.69.12.80
 inc2                IN      A       10.69.12.81
+media1              IN      A       10.69.12.82
 
 ; 13_SVC
 ns1                 IN      A       10.69.13.5
@@ -56,20 +54,43 @@ ns4                 IN      A       10.69.13.8
 ha1                 IN      A       10.69.13.9
 nixos-test1         IN      A       10.69.13.10
 http-proxy          IN      A       10.69.13.11
+ca                  IN      A       10.69.13.12
+monitoring01        IN      A       10.69.13.13
+jelly01             IN      A       10.69.13.14
+nix-cache01         IN      A       10.69.13.15
+nix-cache           IN      CNAME   nix-cache01
+actions1            IN      CNAME   nix-cache01
+pgdb1               IN      A       10.69.13.16
+nats1               IN      A       10.69.13.17
+auth01              IN      A       10.69.13.18
+
+; http-proxy cnames
 nzbget              IN      CNAME   http-proxy
 radarr              IN      CNAME   http-proxy
 sonarr              IN      CNAME   http-proxy
 ha                  IN      CNAME   http-proxy
 z2m                 IN      CNAME   http-proxy
-ca                  IN      A       10.69.13.12
+grafana             IN      CNAME   http-proxy
+prometheus          IN      CNAME   http-proxy
+alertmanager        IN      CNAME   http-proxy
+jelly               IN      CNAME   http-proxy
+auth                IN      CNAME   http-proxy
+lldap               IN      CNAME   http-proxy
+pyroscope           IN      CNAME   http-proxy
+pushgw              IN      CNAME   http-proxy
+
+ldap                IN      CNAME   auth01
+
 
 ; 22_WLAN
 unifi-ctrl          IN      A       10.69.22.5
 
 ; 30
-media               IN      A       10.69.31.50
 gunter              IN      A       10.69.30.105
 
+; 31
+media               IN      A       10.69.31.50
+
 ; 99_MGMT
 sw1                 IN      A       10.69.99.2
 testing             IN      A       10.69.33.33

services/postgres/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./postgres.nix
+  ];
+}

services/postgres/postgres.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    enableJIT = true;
+    enableTCPIP = true;
+    extensions = ps: with ps; [ pgvector ];
+    authentication = ''
+      # Allow access to everything from gunter
+      host    all             all             10.69.30.105/32         scram-sha-256
+    '';
+  };
+}

system/acme.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      server = "https://ca.home.2rjus.net/acme/acme/directory";
+      email = "root@home.2rjus.net";
+      dnsPropagationCheck = false;
+    };
+  };
+}

system/autoupgrade.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  system.autoUpgrade = {
+    enable = true;
+    randomizedDelaySec = "1h";
+    allowReboot = true;
+    flake = "git+https://git.t-juice.club/torjus/nixos-servers.git";
+  };
+}

system/default.nix

@@ -1,11 +1,14 @@
 { ... }:
 {
   imports = [
-    ./monitoring.nix
+    ./acme.nix
+    ./autoupgrade.nix
+    ./monitoring
     ./packages.nix
+    ./nix.nix
     ./root-user.nix
+    ./root-ca.nix
     ./sops.nix
     ./sshd.nix
-    ./weekly-rebuild.nix
   ];
 }

system/monitoring.nix

@@ -1,33 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = with pkgs; [
-    prometheus-node-exporter
-    prometheus-systemd-exporter
-  ];
-
-  systemd.services."node-exporter" = {
-    enable = true;
-    unitConfig = {
-      Description = "Prometheus Node Exporter";
-      After = [ "network.target" ];
-    };
-    serviceConfig = {
-      ExecStart = "${pkgs.prometheus-node-exporter}/bin/node_exporter";
-    };
-    wantedBy = [ "multi-user.target" ];
-  };
-
-  systemd.services."systemd-exporter" = {
-    enable = true;
-    unitConfig = {
-      Description = "Prometheus Systemd Exporter";
-      After = [ "network.target" ];
-    };
-    serviceConfig = {
-      ExecStart = "${pkgs.prometheus-systemd-exporter}/bin/systemd_exporter";
-    };
-    wantedBy = [ "multi-user.target" ];
-  };
-
-  networking.firewall.allowedTCPPorts = [ 9100 9558 ];
-}

system/monitoring/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./metrics.nix
+    ./logs.nix
+  ];
+}

system/monitoring/logs.nix

@@ -0,0 +1,64 @@
+{ config, ... }:
+{
+  # Configure journald
+  services.journald = {
+    rateLimitInterval = "10s";
+    extraConfig = ''
+      SystemMaxUse=100M
+      SystemKeepFree=1G
+    '';
+  };
+  # Configure promtail
+  services.promtail = {
+    enable = true;
+    configuration = {
+      server = {
+        http_listen_address = "0.0.0.0";
+        http_listen_port = 9099;
+        grpc_listen_address = "0.0.0.0";
+        grpc_listen_port = 9098;
+      };
+
+      clients = [
+        {
+          url = "http://monitoring01.home.2rjus.net:3100/loki/api/v1/push";
+        }
+      ];
+
+      scrape_configs = [
+        {
+          job_name = "journal";
+          journal = {
+            json = true;
+            labels = {
+              job = "systemd-journal";
+            };
+          };
+          relabel_configs = [
+            {
+              source_labels = [ "__journal__systemd_unit" ];
+              target_label = "systemd_unit";
+            }
+            {
+              source_labels = [ "__journal__hostname" ];
+              target_label = "host";
+            }
+          ];
+        }
+        {
+          job_name = "varlog";
+          static_configs = [
+            {
+              targets = [ "localhost" ];
+              labels = {
+                job = "varlog";
+                __path__ = "/var/log/**/*.log";
+                hostname = "${config.networking.hostName}";
+              };
+            }
+          ];
+        }
+      ];
+    };
+  };
+}

system/monitoring/metrics.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  services.prometheus.exporters.node = {
+    enable = true;
+    enabledCollectors = [
+      "systemd"
+      "logind"
+      "cgroups"
+      "processes"
+    ];
+  };
+}

system/nix.nix

@@ -0,0 +1,30 @@
+{ lib, ... }:
+{
+  nix = {
+    gc = {
+      automatic = true;
+    };
+
+    optimise = {
+      automatic = true;
+    };
+
+    settings = {
+      trusted-substituters = [
+        "https://nix-cache.home.2rjus.net"
+        "https://cache.nixos.org"
+        "https://cuda-maintainers.cachix.org"
+      ];
+      substituters = lib.mkOverride 90 [
+        "https://nix-cache.home.2rjus.net"
+        "https://cache.nixos.org"
+        "https://cuda-maintainers.cachix.org"
+      ];
+      trusted-public-keys = [
+        "nix-cache.home.2rjus.net-1:2kowZOG6pvhoK4AHVO3alBlvcghH20wchzoR0V86UWI="
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
+      ];
+    };
+  };
+}

system/packages.nix

@@ -2,5 +2,10 @@
 {
   environment.systemPackages = [
     pkgs.git
+    pkgs.jq
+    pkgs.kitty.terminfo
+    pkgs.python3
+    pkgs.neovim
+    pkgs.ncdu
   ];
 }

system/root-ca.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxDCCAWmgAwIBAgIQQCSzuOLIKLj1dGbC+NFttjAKBggqhkjOPQQDAjBAMRow
+GAYDVQQKExFob21lLjJyanVzLm5ldCBDQTEiMCAGA1UEAxMZaG9tZS4ycmp1cy5u
+ZXQgQ0EgUm9vdCBDQTAeFw0yNDEwMjEwOTEyNDRaFw0zNDEwMTkwOTEyNDRaMEAx
+GjAYBgNVBAoTEWhvbWUuMnJqdXMubmV0IENBMSIwIAYDVQQDExlob21lLjJyanVz
+Lm5ldCBDQSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGDE4ss9y
+9msphQ/Sa/tAoEaGoDHQcg5oRcxWL5SZYjUPNl+zbRZzqkvCz2S1XrHJPiPWbyJX
+cZAlPxbwZrWDyKNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
+AQEwHQYDVR0OBBYEFPZx6AahX5diBMChZbv5N4dh+vCTMAoGCCqGSM49BAMCA0kA
+MEYCIQC6yqMM9/s1Dct5jlq0NAGsDA68hVTDcO3RP61lxQlfBwIhAL1jlmIwaSJc
+TjdIMjPQ3ombBRqDJBDvDr8o6oOUjret
+-----END CERTIFICATE-----

system/root-ca.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  security.pki = {
+    certificateFiles = [
+      "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      ./root-ca.crt
+    ];
+  };
+}

system/weekly-rebuild.nix

@@ -1,21 +0,0 @@
-{ pkgs, ... }:
-{
-  systemd.services."weekly-rebuild" = {
-    path = [
-      pkgs.git
-      pkgs.nix
-    ];
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "${pkgs.nixos-rebuild}/bin/nixos-rebuild boot --flake git+https://git.t-juice.club/torjus/nixos-servers#";
-      ExecStartPost = "${pkgs.nix}/bin/nix-collect-garbage --delete-older-than 30d";
-    };
-  };
-  systemd.timers."weekly-rebuild" = {
-    enable = true;
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnCalendar = "Sun 06:00:00";
-    };
-  };
-}