265 Commits

Author SHA1 Message Date
4afb37d730 create-host: enable resolved in configuration.nix.j2
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m15s
2026-02-01 20:37:36 +01:00
a2c798bc30 vault: add minimal vault config
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2026-02-01 20:27:02 +01:00
6d64e53586 hosts: add vault01 host
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m20s
2026-02-01 20:08:48 +01:00
e0ad445341 planning: update TODO.md
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2026-02-01 20:05:56 +01:00
d194c147d6 Merge pull request 'pipeline-testing-improvements' (#9) from pipeline-testing-improvements into master
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m13s
Reviewed-on: #9
2026-02-01 16:45:04 +00:00
9908286062 scripts: fix create-host flake.nix insertion point
Some checks failed
Run nix flake check / flake-check (pull_request) Successful in 2m12s
Run nix flake check / flake-check (push) Failing after 8m24s
Fix bug where new hosts were added outside of nixosConfigurations block
instead of inside it.

Issues fixed:
1. Pattern was looking for "packages =" but actual text is "packages = forAllSystems"
2. Replacement was putting new entry AFTER closing brace instead of BEFORE
3. testvm01 was at top-level flake output instead of in nixosConfigurations

Changes:
- Update pattern to match "packages = forAllSystems"
- Put new entry BEFORE the closing brace of nixosConfigurations
- Move testvm01 to correct location inside nixosConfigurations block

Result: nix flake show now correctly shows testvm01 as NixOS configuration

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 17:41:04 +01:00
cec496dda7 terraform: use local storage for cloud-init disks
Fix error "500 can't upload to storage type 'zfspool'" by using "local"
storage pool for cloud-init disks instead of the VM's storage pool.

Cloud-init disks require storage that supports ISO/snippet content types,
which zfspool does not. The "local" storage pool (directory-based) supports
this content type.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 17:41:04 +01:00
fca50562c3 terraform: fix cloud-init conditional type inconsistency
Fix OpenTofu error where static IP and DHCP branches had different object
structures in the subnets array. Move conditional to network_config level
so both branches return complete, consistent yamlencode() results.

Error was: "The true and false result expressions must have consistent types"

Solution: Make network_config itself conditional rather than the subnets
array, ensuring both branches return the same type (string from yamlencode).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 17:41:04 +01:00
1f1829dc2f docs: update terraform README for cloud-init refactoring
Remove mention of .generated/ directory and clarify that cloud-init.tf
manages all cloud-init disks, not just branch-specific ones.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 17:41:04 +01:00
21a32e0521 terraform: refactor cloud-init to use proxmox_cloud_init_disk resource
Replace SSH upload approach with native proxmox_cloud_init_disk resource
for cleaner, more maintainable cloud-init management.

Changes:
- Use proxmox_cloud_init_disk for all VMs (not just branch-specific ones)
- Include SSH keys, network config, and metadata in cloud-init disk
- Conditionally include NIXOS_FLAKE_BRANCH for VMs with flake_branch set
- Replace ide2 cloudinit disk with cdrom reference to cloud-init disk
- Remove built-in cloud-init parameters (ciuser, sshkeys, etc.)
- Remove cicustom parameter (no longer needed)
- Remove proxmox_host variable (no SSH uploads required)
- Remove .gitignore entry for .generated/ directory

Benefits:
- No SSH access to Proxmox required
- All cloud-init config managed in Terraform
- Consistent approach for all VMs
- Cleaner state management

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 17:41:04 +01:00
7fe0aa0f54 test: add testvm01 for pipeline testing
2026-02-01 17:41:04 +01:00
83de9a3ffb pipeline: add testing improvements for branch-based workflows
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Implement dual improvements to enable efficient testing of pipeline changes
without polluting master branch:

1. Add --force flag to create-host script
   - Skip hostname/IP uniqueness validation
   - Overwrite existing host configurations
   - Update entries in flake.nix and terraform/vms.tf (no duplicates)
   - Useful for iterating on configurations during testing

2. Add branch support to bootstrap mechanism
   - Bootstrap service reads NIXOS_FLAKE_BRANCH environment variable
   - Defaults to master if not set
   - Uses branch in git URL via ?ref= parameter
   - Service loads environment from /etc/environment

3. Add cloud-init disk support for branch configuration
   - VMs can specify flake_branch field in terraform/vms.tf
   - Automatically generates cloud-init snippet setting NIXOS_FLAKE_BRANCH
   - Uploads snippet to Proxmox via SSH
   - Production VMs omit flake_branch and use master

4. Update documentation
   - Document --force flag usage in create-host README
   - Add branch testing examples in terraform README
   - Update TODO.md with testing workflow
   - Add .generated/ to gitignore

Testing workflow: Create feature branch, set flake_branch in VM definition,
deploy with terraform, iterate with --force flag, clean up before merging.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 16:34:28 +01:00
30addc5116 Merge pull request 'template2: add filesystem definitions to support normal builds' (#8) from template2-fix-normal-build into master
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m24s
Reviewed-on: #8
2026-02-01 10:19:30 +00:00
2aeed8f231 template2: add filesystem definitions to support normal builds
Some checks failed
Run nix flake check / flake-check (pull_request) Successful in 2m17s
Run nix flake check / flake-check (push) Failing after 16m59s
Add filesystem configuration matching Proxmox image builder output
to allow template2 to build with both `nixos-rebuild build` and
`nixos-rebuild build-image --image-variant proxmox`.

Filesystem specs discovered from running VM:
- ext4 filesystem with label "nixos"
- x-systemd.growfs option for automatic partition growth
- No swap partition

Using lib.mkDefault ensures these definitions work for normal builds
while allowing the Proxmox image builder to override when needed.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 11:17:48 +01:00
c3180c1b2c Merge pull request 'bootstrap: implement automated VM bootstrap mechanism for Phase 3' (#7) from phase3-bootstrap-mechanism into master
Some checks failed
Run nix flake check / flake-check (push) Failing after 1m21s
Reviewed-on: #7
2026-02-01 09:40:09 +00:00
6f7aee3444 bootstrap: implement automated VM bootstrap mechanism for Phase 3
Some checks failed
Run nix flake check / flake-check (pull_request) Failing after 1m20s
Run nix flake check / flake-check (push) Failing after 1m54s
Add systemd service that automatically bootstraps freshly deployed VMs
with their host-specific NixOS configuration from the flake repository.

Changes:
- hosts/template2/bootstrap.nix: New systemd oneshot service that:
  - Runs after cloud-init completes (ensures hostname is set)
  - Reads hostname from hostnamectl (set by cloud-init from Terraform)
  - Checks network connectivity via HTTPS (curl)
  - Runs nixos-rebuild boot with flake URL
  - Reboots on success, fails gracefully with clear errors on failure

- hosts/template2/configuration.nix: Configure cloud-init datasource
  - Changed from NoCloud to ConfigDrive (used by Proxmox)
  - Allows cloud-init to receive config from Proxmox

- hosts/template2/default.nix: Import bootstrap.nix module

- terraform/vms.tf: Add cloud-init disk to VMs
  - Configure disks.ide.ide2.cloudinit block
  - Removed invalid cloudinit_cdrom_storage parameter
  - Enables Proxmox to inject cloud-init configuration

- TODO.md: Mark Phase 3 as completed

This eliminates the manual nixos-rebuild step from the deployment workflow.
VMs now automatically pull and apply their configuration on first boot.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 10:38:35 +01:00
af17387c7d Merge pull request 'scripts: add create-host tool for automated host configuration generation' (#6) from phase2-host-config-generator into master
Some checks failed
Run nix flake check / flake-check (push) Failing after 1m50s
Reviewed-on: #6
2026-02-01 01:48:19 +00:00
408554b477 scripts: add create-host tool for automated host configuration generation
Some checks failed
Run nix flake check / flake-check (push) Failing after 1m50s
Run nix flake check / flake-check (pull_request) Failing after 1m49s
Implements Phase 2 of the automated deployment pipeline.

This commit adds a Python CLI tool that automates the creation of NixOS host
configurations, eliminating manual boilerplate and reducing errors.

Features:
- Python CLI using typer framework with rich terminal UI
- Comprehensive validation (hostname format/uniqueness, IP subnet/uniqueness)
- Jinja2 templates for NixOS configurations
- Automatic updates to flake.nix and terraform/vms.tf
- Support for both static IP and DHCP configurations
- Dry-run mode for safe previews
- Packaged as Nix derivation and added to devShell

Usage:
  create-host --hostname myhost --ip 10.69.13.50/24

The tool generates:
- hosts/<hostname>/default.nix
- hosts/<hostname>/configuration.nix
- Updates flake.nix with new nixosConfigurations entry
- Updates terraform/vms.tf with new VM definition

All generated configurations include full system imports (monitoring, SOPS,
autoupgrade, etc.) and are validated with nix flake check and tofu validate.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 02:27:57 +01:00
b20ad9c275 docs: mark Phase 1 of automated deployment pipeline as completed
Some checks failed
Run nix flake check / flake-check (push) Failing after 1m50s
Periodic flake update / flake-update (push) Successful in 1m6s
Phase 1 is now fully implemented with parameterized multi-VM deployments
via OpenTofu. Updated status, tasks, and added implementation details.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-31 23:33:14 +01:00
076e22c338 Merge pull request 'terraform: add parameterized multi-VM deployment system' (#5) from terraform-parameterized-deployments into master
Some checks failed
Run nix flake check / flake-check (push) Failing after 1m22s
Reviewed-on: #5
2026-01-31 22:31:14 +00:00
7aa5137039 terraform: add parameterized multi-VM deployment system
Some checks failed
Run nix flake check / flake-check (push) Failing after 1m52s
Run nix flake check / flake-check (pull_request) Failing after 1m24s
Implements Phase 1 of the OpenTofu deployment plan:
- Replace single-VM configuration with locals-based for_each pattern
- Support multiple VMs in single deployment
- Automatic DHCP vs static IP detection
- Configurable defaults with per-VM overrides
- Dynamic outputs for VM IPs and specifications

New files:
- outputs.tf: Dynamic outputs for deployed VMs
- vms.tf: VM definitions using locals.vms map

Updated files:
- variables.tf: Added default variables for VM configuration
- README.md: Comprehensive documentation and examples

Removed files:
- vm.tf: Replaced by new vms.tf (archived as vm.tf.old, then removed)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-31 23:30:00 +01:00
b3132fbe70 Merge pull request 'opentofu-experiments' (#4) from opentofu-experiments into master
Some checks failed
Run nix flake check / flake-check (push) Failing after 1m56s
Reviewed-on: #4
2026-01-31 22:07:23 +00:00
ce6d2b1d33 docs: add TODO.md for automated deployment pipeline
Some checks failed
Run nix flake check / flake-check (push) Failing after 1m56s
Run nix flake check / flake-check (pull_request) Failing after 1m30s
Document multi-phase plan for automating NixOS host creation, deployment, and configuration on Proxmox including OpenTofu parameterization, config generation, bootstrap mechanism, secrets management, and Nix-based DNS automation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-31 22:22:19 +01:00
3a464bc323 proxmox: add VM automation with OpenTofu and Ansible
Add automated workflow for building and deploying NixOS VMs on Proxmox including template2 host configuration, Ansible playbook for image building/deployment, and OpenTofu configuration for VM provisioning with cloud-init.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-31 21:54:08 +01:00
7f72a72043 flake: add opentofu to devshell
Some checks failed
Run nix flake check / flake-check (push) Failing after 17m5s
2026-01-31 16:12:49 +01:00
f779f49c20 vibecoding: add CLAUDE.md
Some checks failed
Run nix flake check / flake-check (push) Failing after 12m40s
2026-01-31 10:56:21 +01:00
7964d5a171 flake.lock: Update
Flake lock file updates:

2026-01-29 00:01:06 +00:00
04422a26b8 flake.lock: Update
Flake lock file updates:

2026-01-27 00:01:11 +00:00
676fe5b3de flake.lock: Update
Flake lock file updates:

2026-01-26 00:01:13 +00:00
b4eab5b534 flake.lock: Update
Flake lock file updates:

2026-01-24 00:01:11 +00:00
e9ab19d06b flake.lock: Update
Flake lock file updates:

2026-01-23 00:01:12 +00:00
df100c9849 flake.lock: Update
Flake lock file updates:

2026-01-22 00:01:10 +00:00
1e89c1b1d7 flake.lock: Update
Flake lock file updates:

2026-01-21 00:01:25 +00:00
5c5286c3a9 flake.lock: Update
Flake lock file updates:

2026-01-20 00:01:26 +00:00
d0f1688fc1 flake.lock: Update
Flake lock file updates:

2026-01-19 00:01:28 +00:00
0bd37cdf48 nix-cache01: update secrets again
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m49s
Periodic flake update / flake-update (push) Successful in 2m19s
2026-01-18 03:58:55 +01:00
57d208e08b nix-cache01: update secrets
Some checks failed
Run nix flake check / flake-check (push) Failing after 13m43s
2026-01-18 03:41:23 +01:00
5fa3277641 flake.lock: Update
Flake lock file updates:

2026-01-18 00:01:27 +00:00
8dee351278 flake.lock: Update
Flake lock file updates:

2026-01-17 00:01:13 +00:00
cb69a249b9 flake.lock: Update
Flake lock file updates:

2026-01-16 00:01:11 +00:00
9272f64f4e flake.lock: Update
Flake lock file updates:

2026-01-15 00:01:11 +00:00
0200727e26 flake.lock: Update
Flake lock file updates:

2026-01-14 00:01:32 +00:00
0a472c9f2e flake.lock: Update
Flake lock file updates:

2026-01-12 00:01:32 +00:00
9be728bf60 flake.lock: Update
Flake lock file updates:

2026-01-11 00:01:26 +00:00
98b0344909 flake.lock: Update
Flake lock file updates:

2026-01-10 00:01:27 +00:00
375fd75402 flake.lock: Update
Flake lock file updates:

2026-01-09 00:01:26 +00:00
3b02e9c8b5 flake.lock: Update
Flake lock file updates:

2026-01-08 00:01:25 +00:00
0ba8c7300e flake.lock: Update
Flake lock file updates:

2026-01-07 00:01:22 +00:00
8655a3efa3 flake.lock: Update
Flake lock file updates:

2026-01-05 00:01:24 +00:00
b7f5acdd6e flake.lock: Update
Flake lock file updates:

2026-01-04 00:01:29 +00:00
e59eab155b flake.lock: Update
Flake lock file updates:

2026-01-03 00:01:25 +00:00
7451bd5fc4 flake.lock: Update
Flake lock file updates:

2026-01-02 00:01:23 +00:00
3d14020600 flake.lock: Update
Flake lock file updates:

2026-01-01 00:01:23 +00:00
3c96d33ede flake.lock: Update
Flake lock file updates:

2025-12-30 00:01:24 +00:00
e01436e7a5 flake.lock: Update
Flake lock file updates:

2025-12-29 00:01:23 +00:00
29cfa21ab4 flake.lock: Update
Flake lock file updates:

2025-12-26 16:33:49 +00:00
4a8f448e3b flake.lock: Update
Flake lock file updates:

2025-12-18 00:01:56 +00:00
16e7eeda17 flake.lock: Update
Flake lock file updates:

2025-12-16 00:01:56 +00:00
b7185f52a1 flake.lock: Update
Flake lock file updates:

2025-12-15 00:02:06 +00:00
a28e604f12 flake.lock: Update
Flake lock file updates:

2025-12-14 00:02:08 +00:00
c080c2620a flake.lock: Update
Flake lock file updates:

2025-12-13 00:02:05 +00:00
7c55bb9a48 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454?narHash=sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o%3D' (2025-12-06)
  → 'github:nixos/nixpkgs/09eb77e94fa25202af8f3e81ddc7353d9970ac1b?narHash=sha256-mSD5Ob7a%2BT2RNjvPvOA1dkJHGVrNVl8ZOrAwBjKBDQo%3D' (2025-12-09)
2025-12-11 00:01:52 +00:00
d4d73e76cd flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/f61125a668a320878494449750330ca58b78c557?narHash=sha256-BmPWzogsG2GsXZtlT%2BMTcAWeDK5hkbGRZTeZNW42fwA%3D' (2025-12-05)
  → 'github:nixos/nixpkgs/addf7cf5f383a3101ecfba091b98d0a1263dc9b8?narHash=sha256-hM20uyap1a0M9d344I692r%2Bik4gTMyj60cQWO%2BhAYP8%3D' (2025-12-08)
2025-12-10 00:01:53 +00:00
dac989f418 flake.lock: Update
Flake lock file updates:

• Updated input 'sops-nix':
    'github:Mic92/sops-nix/aeb517262102f13683d7a191c7e496b34df8d24c?narHash=sha256-i9GMbBLkeZ7MVvy7%2BaAuErXkBkdRylHofrAjtpUPKt8%3D' (2025-12-07)
  → 'github:Mic92/sops-nix/7fd1416aba1865eddcdec5bb11339b7222c2363e?narHash=sha256-qdBzo6puTgG4G2RHG0PkADg22ZnQo1JmSVFRxrD4QM4%3D' (2025-12-08)
2025-12-09 00:01:53 +00:00
d0eab72e40 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c97c47f2bac4fa59e2cbdeba289686ae615f8ed4?narHash=sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA%3D' (2025-12-04)
  → 'github:nixos/nixpkgs/d9bc5c7dceb30d8d6fafa10aeb6aa8a48c218454?narHash=sha256-y7RPKl/jJ/KAP/VKLMghMgXTlvNIJMHKskl8/Uuar7o%3D' (2025-12-06)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/5aca6ff67264321d47856a2ed183729271107c9c?narHash=sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4%3D' (2025-11-30)
  → 'github:Mic92/sops-nix/aeb517262102f13683d7a191c7e496b34df8d24c?narHash=sha256-i9GMbBLkeZ7MVvy7%2BaAuErXkBkdRylHofrAjtpUPKt8%3D' (2025-12-07)
2025-12-08 00:01:54 +00:00
04f89fbda2 media1: renamed vaapi driver
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m1s
Periodic flake update / flake-update (push) Successful in 1m10s
2025-12-06 15:24:14 +01:00
bb9de5b4ca auth01: fix secret mode
Some checks failed
Run nix flake check / flake-check (push) Failing after 2m4s
2025-12-06 11:37:11 +01:00
8eefe38d5e auth01: fix secret group
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-12-06 11:34:34 +01:00
78efc4f592 auth01: fix secret path
Some checks failed
Run nix flake check / flake-check (push) Failing after 1m54s
2025-12-06 11:07:53 +01:00
48df2bf199 auth01: fix secret
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-12-06 11:04:11 +01:00
25b786915c auth01: add lldap password to secrets
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-12-06 11:02:43 +01:00
f2963a150b flake: stable to 25.11
Some checks failed
Run nix flake check / flake-check (push) Failing after 3m44s
2025-12-06 10:45:14 +01:00
a50f3d0ddd flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/6c8f0cca84510cc79e09ea99a299c9bc17d03cb6?narHash=sha256-M5aFEFPppI4UhdOxwdmceJ9bDJC4T6C6CzCK1E2FZyo%3D' (2025-12-01)
  → 'github:nixos/nixpkgs/ff06bd3398fb1bea6c937039ece7e7c8aa396ebf?narHash=sha256-8jemYbbW9EBttQKHep7Rj8kzXaxsrk/lACdXA2DN5Xk%3D' (2025-12-04)
2025-12-06 00:01:56 +00:00
60bf5b52a7 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/2d293cbfa5a793b4c50d17c05ef9e385b90edf6c?narHash=sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4%3D' (2025-11-30)
  → 'github:nixos/nixpkgs/418468ac9527e799809c900eda37cbff999199b6?narHash=sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y%3D' (2025-12-02)
2025-12-04 00:01:56 +00:00
95e32646c2 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/9a7b80b6f82a71ea04270d7ba11b48855681c4b0?narHash=sha256-82L%2BEJU%2B40%2BFIdeG4gmUlOF1jeSwlf2AwMarrpdHF6o%3D' (2025-11-28)
  → 'github:nixos/nixpkgs/6c8f0cca84510cc79e09ea99a299c9bc17d03cb6?narHash=sha256-M5aFEFPppI4UhdOxwdmceJ9bDJC4T6C6CzCK1E2FZyo%3D' (2025-12-01)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/2fad6eac6077f03fe109c4d4eb171cf96791faa4?narHash=sha256-sKoIWfnijJ0%2B9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI%3D' (2025-11-27)
  → 'github:nixos/nixpkgs/2d293cbfa5a793b4c50d17c05ef9e385b90edf6c?narHash=sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4%3D' (2025-11-30)
2025-12-02 00:01:53 +00:00
658e871fc0 flake.lock: Update
Flake lock file updates:

• Updated input 'sops-nix':
    'github:Mic92/sops-nix/c482a1c1bbe030be6688ed7dc84f7213f304f1ec?narHash=sha256-1m84V2ROwNEbqeS9t37/mkry23GBhfMt8qb6aHHmjuc%3D' (2025-11-24)
  → 'github:Mic92/sops-nix/5aca6ff67264321d47856a2ed183729271107c9c?narHash=sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4%3D' (2025-11-30)
2025-12-01 00:01:55 +00:00
98949d5ddb flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/1c8ba8d3f7634acac4a2094eef7c32ad9106532c?narHash=sha256-dY9qLD0H0zOUgU3vWacPY6Qc421BeQAfm8kBuBtPVE0%3D' (2025-11-24)
  → 'github:nixos/nixpkgs/9a7b80b6f82a71ea04270d7ba11b48855681c4b0?narHash=sha256-82L%2BEJU%2B40%2BFIdeG4gmUlOF1jeSwlf2AwMarrpdHF6o%3D' (2025-11-28)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5ae3b07d8d6527c42f17c876e404993199144b6a?narHash=sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0%3D' (2025-11-24)
  → 'github:nixos/nixpkgs/2fad6eac6077f03fe109c4d4eb171cf96791faa4?narHash=sha256-sKoIWfnijJ0%2B9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI%3D' (2025-11-27)
2025-11-29 00:02:02 +00:00
a86eae9ad6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/050e09e091117c3d7328c7b2b7b577492c43c134?narHash=sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu%2BMmzoVBJxulM%3D' (2025-11-22)
  → 'github:nixos/nixpkgs/5ae3b07d8d6527c42f17c876e404993199144b6a?narHash=sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0%3D' (2025-11-24)
2025-11-26 00:01:59 +00:00
814d45955b flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c58bc7f5459328e4afac201c5c4feb7c818d604b?narHash=sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB%2B19M%3D' (2025-11-20)
  → 'github:nixos/nixpkgs/1c8ba8d3f7634acac4a2094eef7c32ad9106532c?narHash=sha256-dY9qLD0H0zOUgU3vWacPY6Qc421BeQAfm8kBuBtPVE0%3D' (2025-11-24)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/117cc7f94e8072499b0a7aa4c52084fa4e11cc9b?narHash=sha256-%2BhBiJ%2BkG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s%3D' (2025-11-20)
  → 'github:nixos/nixpkgs/050e09e091117c3d7328c7b2b7b577492c43c134?narHash=sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu%2BMmzoVBJxulM%3D' (2025-11-22)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/4e7d74d92398b933cc0e0e25af5b0836efcfdde3?narHash=sha256-AHxFfIu73SpNLAOZbu/AvpLhZ/Szhx6gRPj9ufZtaZA%3D' (2025-11-23)
  → 'github:Mic92/sops-nix/c482a1c1bbe030be6688ed7dc84f7213f304f1ec?narHash=sha256-1m84V2ROwNEbqeS9t37/mkry23GBhfMt8qb6aHHmjuc%3D' (2025-11-24)
2025-11-25 00:01:58 +00:00
c723084467 flake.lock: Update
Flake lock file updates:

• Updated input 'sops-nix':
    'github:Mic92/sops-nix/877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b?narHash=sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE%3D' (2025-11-20)
  → 'github:Mic92/sops-nix/4e7d74d92398b933cc0e0e25af5b0836efcfdde3?narHash=sha256-AHxFfIu73SpNLAOZbu/AvpLhZ/Szhx6gRPj9ufZtaZA%3D' (2025-11-23)
2025-11-24 00:01:56 +00:00
ba36c82bf5 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/89c2b2330e733d6cdb5eae7b899326930c2c0648?narHash=sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw%3D' (2025-11-17)
  → 'github:nixos/nixpkgs/117cc7f94e8072499b0a7aa4c52084fa4e11cc9b?narHash=sha256-%2BhBiJ%2BkG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s%3D' (2025-11-20)
2025-11-23 00:01:57 +00:00
c86d9d5774 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/4c8cdd5b1a630e8f72c9dd9bf582b1afb3127d2c?narHash=sha256-LBVOyaH6NFzQ3X/c6vfMZ9k4SV2ofhpxeL9YnhHNJQQ%3D' (2025-11-16)
  → 'github:nixos/nixpkgs/c58bc7f5459328e4afac201c5c4feb7c818d604b?narHash=sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB%2B19M%3D' (2025-11-20)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/3ee33c0ed7c5aa61b4e10484d2ebdbdc98afb03e?narHash=sha256-s2WzTAD3vJtPACBCZXezNUMTG/wC6SFsU9DxazB9wDI%3D' (2025-11-18)
  → 'github:Mic92/sops-nix/877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b?narHash=sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE%3D' (2025-11-20)
2025-11-21 00:01:57 +00:00
3f5fef1a6d flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3acb677ea67d4c6218f33de0db0955f116b7588c?narHash=sha256-A5LS0AJZ1yDPTa2fHxufZN%2B%2Bn8MCmtgrJDtxFxrH4S8%3D' (2025-11-13)
  → 'github:nixos/nixpkgs/4c8cdd5b1a630e8f72c9dd9bf582b1afb3127d2c?narHash=sha256-LBVOyaH6NFzQ3X/c6vfMZ9k4SV2ofhpxeL9YnhHNJQQ%3D' (2025-11-16)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/50a96edd8d0db6cc8db57dab6bb6d6ee1f3dc49a?narHash=sha256-Y7TDFPK4GlqrKrivOcsHG8xSGqQx3A6c%2Bi7novT85Uk%3D' (2025-11-16)
  → 'github:nixos/nixpkgs/89c2b2330e733d6cdb5eae7b899326930c2c0648?narHash=sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw%3D' (2025-11-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/3f66a7fb9626a9a9c077612ef10a0ce396286c7d?narHash=sha256-n5xDOeNN%2BsmocQp3EMIc11IzBlR9wvvTIJZeL0g33Fs%3D' (2025-11-17)
  → 'github:Mic92/sops-nix/3ee33c0ed7c5aa61b4e10484d2ebdbdc98afb03e?narHash=sha256-s2WzTAD3vJtPACBCZXezNUMTG/wC6SFsU9DxazB9wDI%3D' (2025-11-18)
2025-11-19 00:02:01 +00:00
58c9307f00 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c5ae371f1a6a7fd27823bc500d9390b38c05fa55?narHash=sha256-4PqRErxfe%2B2toFJFgcRKZ0UI9NSIOJa%2B7RXVtBhy4KE%3D' (2025-11-12)
  → 'github:nixos/nixpkgs/50a96edd8d0db6cc8db57dab6bb6d6ee1f3dc49a?narHash=sha256-Y7TDFPK4GlqrKrivOcsHG8xSGqQx3A6c%2Bi7novT85Uk%3D' (2025-11-16)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/882e56c8293e44d57d882b800a82f8b2ee7a858f?narHash=sha256-N0BEoJIlJ%2BM6sWZJ8nnfAjGY9VLvM6MXMitRenmhBkY%3D' (2025-11-16)
  → 'github:Mic92/sops-nix/3f66a7fb9626a9a9c077612ef10a0ce396286c7d?narHash=sha256-n5xDOeNN%2BsmocQp3EMIc11IzBlR9wvvTIJZeL0g33Fs%3D' (2025-11-17)
2025-11-18 00:02:01 +00:00
78e7f5064c flake.lock: Update
Flake lock file updates:

• Updated input 'sops-nix':
    'github:Mic92/sops-nix/a2bcd1c25c1d29e22756ccae094032ab4ada2268?narHash=sha256-A91a%2BK0Q9wfdPLwL06e/kbHeAWSzPYy2EGdTDsyfb%2Bs%3D' (2025-11-13)
  → 'github:Mic92/sops-nix/882e56c8293e44d57d882b800a82f8b2ee7a858f?narHash=sha256-N0BEoJIlJ%2BM6sWZJ8nnfAjGY9VLvM6MXMitRenmhBkY%3D' (2025-11-16)
2025-11-17 00:02:01 +00:00
9c53cfdfa1 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c2448301fb856e351aab33e64c33a3fc8bcf637d?narHash=sha256-HiRDeUOD1VLklHeOmaKDzf%2B8Hb7vSWPVFcWwaTrpm%2BU%3D' (2025-11-10)
  → 'github:nixos/nixpkgs/3acb677ea67d4c6218f33de0db0955f116b7588c?narHash=sha256-A5LS0AJZ1yDPTa2fHxufZN%2B%2Bn8MCmtgrJDtxFxrH4S8%3D' (2025-11-13)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4?narHash=sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI%3D' (2025-11-11)
  → 'github:nixos/nixpkgs/c5ae371f1a6a7fd27823bc500d9390b38c05fa55?narHash=sha256-4PqRErxfe%2B2toFJFgcRKZ0UI9NSIOJa%2B7RXVtBhy4KE%3D' (2025-11-12)
2025-11-15 00:01:59 +00:00
8120e38e23 flake.lock: Update
Flake lock file updates:

• Updated input 'sops-nix':
    'github:Mic92/sops-nix/d75e4f89e58fdda39e4809f8c52013caa22483b7?narHash=sha256-A91a%2BK0Q9wfdPLwL06e/kbHeAWSzPYy2EGdTDsyfb%2Bs%3D' (2025-11-10)
  → 'github:Mic92/sops-nix/a2bcd1c25c1d29e22756ccae094032ab4ada2268?narHash=sha256-A91a%2BK0Q9wfdPLwL06e/kbHeAWSzPYy2EGdTDsyfb%2Bs%3D' (2025-11-13)
2025-11-14 00:01:59 +00:00
69b5588e7a flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/b6a8526db03f735b89dd5ff348f53f752e7ddc8e?narHash=sha256-rXXuz51Bq7DHBlfIjN7jO8Bu3du5TV%2B3DSADBX7/9YQ%3D' (2025-11-08)
  → 'github:nixos/nixpkgs/9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4?narHash=sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI%3D' (2025-11-11)
2025-11-13 00:02:00 +00:00
2e2d7f9b5c flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/6faeb062ee4cf4f105989d490831713cc5a43ee1?narHash=sha256-Zg/SCgCaAioc0/SVZQJxuECGPJy%2BOAeBcGeA5okdYDc%3D' (2025-11-07)
  → 'github:nixos/nixpkgs/c2448301fb856e351aab33e64c33a3fc8bcf637d?narHash=sha256-HiRDeUOD1VLklHeOmaKDzf%2B8Hb7vSWPVFcWwaTrpm%2BU%3D' (2025-11-10)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/524312bc62e3f34bd9231a2f66622663d3355133?narHash=sha256-2Kv2mANf%2BFRisqhpfeZ8j9firBxb23ZvEXwdcunbpGI%3D' (2025-11-09)
  → 'github:Mic92/sops-nix/d75e4f89e58fdda39e4809f8c52013caa22483b7?narHash=sha256-A91a%2BK0Q9wfdPLwL06e/kbHeAWSzPYy2EGdTDsyfb%2Bs%3D' (2025-11-10)
2025-11-11 00:02:11 +00:00
ddcb107382 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/ae814fd3904b621d8ab97418f1d0f2eb0d3716f4?narHash=sha256-YRqMDEtSMbitIMj%2BJLpheSz0pwEr0Rmy5mC7myl17xs%3D' (2025-11-05)
  → 'github:nixos/nixpkgs/b6a8526db03f735b89dd5ff348f53f752e7ddc8e?narHash=sha256-rXXuz51Bq7DHBlfIjN7jO8Bu3du5TV%2B3DSADBX7/9YQ%3D' (2025-11-08)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/5a7d18b5c55642df5c432aadb757140edfeb70b3?narHash=sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY%3D' (2025-10-20)
  → 'github:Mic92/sops-nix/524312bc62e3f34bd9231a2f66622663d3355133?narHash=sha256-2Kv2mANf%2BFRisqhpfeZ8j9firBxb23ZvEXwdcunbpGI%3D' (2025-11-09)
2025-11-10 00:02:12 +00:00
e3ad470ece flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/ca534a76c4afb2bdc07b681dbc11b453bab21af8?narHash=sha256-cGS3lLTYusbEP/IJIWGgnkzIl%2BFA5xDvtiHyjalGr4k%3D' (2025-11-04)
  → 'github:nixos/nixpkgs/6faeb062ee4cf4f105989d490831713cc5a43ee1?narHash=sha256-Zg/SCgCaAioc0/SVZQJxuECGPJy%2BOAeBcGeA5okdYDc%3D' (2025-11-07)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/b3d51a0365f6695e7dd5cdf3e180604530ed33b4?narHash=sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw%3D' (2025-11-02)
  → 'github:nixos/nixpkgs/ae814fd3904b621d8ab97418f1d0f2eb0d3716f4?narHash=sha256-YRqMDEtSMbitIMj%2BJLpheSz0pwEr0Rmy5mC7myl17xs%3D' (2025-11-05)
2025-11-08 00:02:07 +00:00
e63aab7746 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3de8f8d73e35724bf9abef41f1bdbedda1e14a31?narHash=sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo%3D' (2025-11-01)
  → 'github:nixos/nixpkgs/ca534a76c4afb2bdc07b681dbc11b453bab21af8?narHash=sha256-cGS3lLTYusbEP/IJIWGgnkzIl%2BFA5xDvtiHyjalGr4k%3D' (2025-11-04)
2025-11-06 00:02:08 +00:00
bea083f03c flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15?narHash=sha256-kJ8lIZsiPOmbkJypG%2BB5sReDXSD1KGu2VEPNqhRa/ew%3D' (2025-10-31)
  → 'github:nixos/nixpkgs/b3d51a0365f6695e7dd5cdf3e180604530ed33b4?narHash=sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw%3D' (2025-11-02)
2025-11-04 00:02:07 +00:00
72099a3682 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/daf6dc47aa4b44791372d6139ab7b25269184d55?narHash=sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8%2BON/0Yy8%2Ba5vsDU%3D' (2025-10-27)
  → 'github:nixos/nixpkgs/3de8f8d73e35724bf9abef41f1bdbedda1e14a31?narHash=sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo%3D' (2025-11-01)
2025-11-03 00:02:08 +00:00
9799d44584 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/08dacfca559e1d7da38f3cf05f1f45ee9bfd213c?narHash=sha256-o9KF3DJL7g7iYMZq9SWgfS1BFlNbsm6xplRjVlOCkXI%3D' (2025-10-28)
  → 'github:nixos/nixpkgs/2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15?narHash=sha256-kJ8lIZsiPOmbkJypG%2BB5sReDXSD1KGu2VEPNqhRa/ew%3D' (2025-10-31)
2025-11-02 00:02:10 +00:00
3e7c648bf7 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/78e34d1667d32d8a0ffc3eba4591ff256e80576e?narHash=sha256-vY2OLVg5ZTobdroQKQQSipSIkHlxOTrIF1fsMzPh8w8%3D' (2025-10-26)
  → 'github:nixos/nixpkgs/daf6dc47aa4b44791372d6139ab7b25269184d55?narHash=sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8%2BON/0Yy8%2Ba5vsDU%3D' (2025-10-27)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/6a08e6bb4e46ff7fcbb53d409b253f6bad8a28ce?narHash=sha256-Q/uhWNvd7V7k1H1ZPMy/vkx3F8C13ZcdrKjO7Jv7v0c%3D' (2025-10-25)
  → 'github:nixos/nixpkgs/08dacfca559e1d7da38f3cf05f1f45ee9bfd213c?narHash=sha256-o9KF3DJL7g7iYMZq9SWgfS1BFlNbsm6xplRjVlOCkXI%3D' (2025-10-28)
2025-10-31 00:02:06 +00:00
bfcb1cbc6d flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c8aa8cc00a5cb57fada0851a038d35c08a36a2bb?narHash=sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE%3D' (2025-10-22)
  → 'github:nixos/nixpkgs/78e34d1667d32d8a0ffc3eba4591ff256e80576e?narHash=sha256-vY2OLVg5ZTobdroQKQQSipSIkHlxOTrIF1fsMzPh8w8%3D' (2025-10-26)
2025-10-28 00:02:06 +00:00
c0c963ef0f flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/01f116e4df6a15f4ccdffb1bcd41096869fb385c?narHash=sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d%2BdAiC3H%2BCDle4%3D' (2025-10-22)
  → 'github:nixos/nixpkgs/6a08e6bb4e46ff7fcbb53d409b253f6bad8a28ce?narHash=sha256-Q/uhWNvd7V7k1H1ZPMy/vkx3F8C13ZcdrKjO7Jv7v0c%3D' (2025-10-25)
2025-10-27 00:02:07 +00:00
e8a9227cbc flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/481cf557888e05d3128a76f14c76397b7d7cc869?narHash=sha256-G/iC4t/9j/52i/nm%2B0/4ybBmAF4hzR8CNHC75qEhjHo%3D' (2025-10-21)
  → 'github:nixos/nixpkgs/c8aa8cc00a5cb57fada0851a038d35c08a36a2bb?narHash=sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE%3D' (2025-10-22)
2025-10-25 00:02:04 +00:00
18624cfc44 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5e2a59a5b1a82f89f2c7e598302a9cacebb72a67?narHash=sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs%3D' (2025-10-19)
  → 'github:nixos/nixpkgs/01f116e4df6a15f4ccdffb1bcd41096869fb385c?narHash=sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d%2BdAiC3H%2BCDle4%3D' (2025-10-22)
2025-10-24 00:02:08 +00:00
9eb6492c70 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/33c6dca0c0cb31d6addcd34e90a63ad61826b28c?narHash=sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0%3D' (2025-10-19)
  → 'github:nixos/nixpkgs/481cf557888e05d3128a76f14c76397b7d7cc869?narHash=sha256-G/iC4t/9j/52i/nm%2B0/4ybBmAF4hzR8CNHC75qEhjHo%3D' (2025-10-21)
2025-10-23 00:01:50 +00:00
1f91092ba6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/81b927b14b7b3988334d5282ef9cba802e193fe1?narHash=sha256-tdoIhL/NlER290HfSjOkgi4jfmjeqmqrzgnmiMtGepE%3D' (2025-10-17)
  → 'github:nixos/nixpkgs/33c6dca0c0cb31d6addcd34e90a63ad61826b28c?narHash=sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0%3D' (2025-10-19)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/544961dfcce86422ba200ed9a0b00dd4b1486ec5?narHash=sha256-EVAqOteLBFmd7pKkb0%2BFIUyzTF61VKi7YmvP1tw4nEw%3D' (2025-10-15)
  → 'github:nixos/nixpkgs/5e2a59a5b1a82f89f2c7e598302a9cacebb72a67?narHash=sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs%3D' (2025-10-19)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/9c9a9798be331ed3f4b2902933d7677d0659ee61?narHash=sha256-PwGzU3EOU65Ef1VvuNnVLie%2Bl%2BP0g/fzf/PGUG82KbM%3D' (2025-10-19)
  → 'github:Mic92/sops-nix/5a7d18b5c55642df5c432aadb757140edfeb70b3?narHash=sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY%3D' (2025-10-20)
2025-10-21 00:02:03 +00:00
917a3d7c70 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/98ff3f9af2684f6136c24beef08f5e2033fc5389?narHash=sha256-/YdfibIrnqXAL8p5kqCU345mzpHoOtuVIkMiI2pF4Dc%3D' (2025-10-16)
  → 'github:nixos/nixpkgs/81b927b14b7b3988334d5282ef9cba802e193fe1?narHash=sha256-tdoIhL/NlER290HfSjOkgi4jfmjeqmqrzgnmiMtGepE%3D' (2025-10-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/ab8d56e85b8be14cff9d93735951e30c3e86a437?narHash=sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E%3D' (2025-10-13)
  → 'github:Mic92/sops-nix/9c9a9798be331ed3f4b2902933d7677d0659ee61?narHash=sha256-PwGzU3EOU65Ef1VvuNnVLie%2Bl%2BP0g/fzf/PGUG82KbM%3D' (2025-10-19)
2025-10-20 00:02:03 +00:00
0f45e6d37b flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a493e93b4a259cd9fea8073f89a7ed9b1c5a1da2?narHash=sha256-Tb%2BNYuJhWZieDZUxN6PgglB16yuqBYQeMJyYBGCXlt8%3D' (2025-10-14)
  → 'github:nixos/nixpkgs/98ff3f9af2684f6136c24beef08f5e2033fc5389?narHash=sha256-/YdfibIrnqXAL8p5kqCU345mzpHoOtuVIkMiI2pF4Dc%3D' (2025-10-16)
2025-10-18 00:02:13 +00:00
361f7c2319 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/cf3f5c4def3c7b5f1fc012b3d839575dbe552d43?narHash=sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c%3D' (2025-10-12)
  → 'github:nixos/nixpkgs/544961dfcce86422ba200ed9a0b00dd4b1486ec5?narHash=sha256-EVAqOteLBFmd7pKkb0%2BFIUyzTF61VKi7YmvP1tw4nEw%3D' (2025-10-15)
2025-10-17 00:02:13 +00:00
0eb6e9664f flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7e297ddff44a3cc93673bb38d0374df8d0ad73e4?narHash=sha256-4xggC56Rub3WInz5eD7EZWXuLXpNvJiUPahGtMkwtuc%3D' (2025-10-10)
  → 'github:nixos/nixpkgs/a493e93b4a259cd9fea8073f89a7ed9b1c5a1da2?narHash=sha256-Tb%2BNYuJhWZieDZUxN6PgglB16yuqBYQeMJyYBGCXlt8%3D' (2025-10-14)
2025-10-15 00:01:54 +00:00
83221f1f58 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/5da4a26309e796daa7ffca72df93dbe53b8164c7?narHash=sha256-wSK%2B3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1%2BG77Ow%3D' (2025-10-09)
  → 'github:nixos/nixpkgs/7e297ddff44a3cc93673bb38d0374df8d0ad73e4?narHash=sha256-4xggC56Rub3WInz5eD7EZWXuLXpNvJiUPahGtMkwtuc%3D' (2025-10-10)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/0b4defa2584313f3b781240b29d61f6f9f7e0df3?narHash=sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw%3D' (2025-10-09)
  → 'github:nixos/nixpkgs/cf3f5c4def3c7b5f1fc012b3d839575dbe552d43?narHash=sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c%3D' (2025-10-12)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/41fd1f7570c89f645ee0ada0be4e2d3c4b169549?narHash=sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U%3D' (2025-10-12)
  → 'github:Mic92/sops-nix/ab8d56e85b8be14cff9d93735951e30c3e86a437?narHash=sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E%3D' (2025-10-13)
2025-10-14 00:01:54 +00:00
4b528e751c flake.lock: Update
Flake lock file updates:

• Updated input 'sops-nix':
    'github:Mic92/sops-nix/6e5a38e08a2c31ae687504196a230ae00ea95133?narHash=sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk%3D' (2025-10-05)
  → 'github:Mic92/sops-nix/41fd1f7570c89f645ee0ada0be4e2d3c4b169549?narHash=sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U%3D' (2025-10-12)
2025-10-13 00:01:50 +00:00
3e0ad4d1c0 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/20c4598c84a671783f741e02bf05cbfaf4907cff?narHash=sha256-a0%2Bh02lyP2KwSNrZz4wLJTu9ikujNsTWIC874Bv7IJ0%3D' (2025-10-06)
  → 'github:nixos/nixpkgs/5da4a26309e796daa7ffca72df93dbe53b8164c7?narHash=sha256-wSK%2B3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1%2BG77Ow%3D' (2025-10-09)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c9b6fb798541223bbb396d287d16f43520250518?narHash=sha256-vgPm2xjOmKdZ0xKA6yLXPJpjOtQPHfaZDRtH%2B47XEBo%3D' (2025-10-07)
  → 'github:nixos/nixpkgs/0b4defa2584313f3b781240b29d61f6f9f7e0df3?narHash=sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw%3D' (2025-10-09)
2025-10-11 00:02:07 +00:00
fe680b258f flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/8913c168d1c56dc49a7718685968f38752171c3b?narHash=sha256-TXnlsVb5Z8HXZ6mZoeOAIwxmvGHp1g4Dw89eLvIwKVI%3D' (2025-10-06)
  → 'github:nixos/nixpkgs/c9b6fb798541223bbb396d287d16f43520250518?narHash=sha256-vgPm2xjOmKdZ0xKA6yLXPJpjOtQPHfaZDRtH%2B47XEBo%3D' (2025-10-07)
2025-10-09 00:02:11 +00:00
85b701f0ae flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3bcc93c5f7a4b30335d31f21e2f1281cba68c318?narHash=sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI%3D' (2025-10-04)
  → 'github:nixos/nixpkgs/20c4598c84a671783f741e02bf05cbfaf4907cff?narHash=sha256-a0%2Bh02lyP2KwSNrZz4wLJTu9ikujNsTWIC874Bv7IJ0%3D' (2025-10-06)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/7df7ff7d8e00218376575f0acdcc5d66741351ee?narHash=sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs%3D' (2025-10-02)
  → 'github:nixos/nixpkgs/8913c168d1c56dc49a7718685968f38752171c3b?narHash=sha256-TXnlsVb5Z8HXZ6mZoeOAIwxmvGHp1g4Dw89eLvIwKVI%3D' (2025-10-06)
2025-10-08 00:02:09 +00:00
f85be0d691 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/879bd460b3d3e8571354ce172128fbcbac1ed633?narHash=sha256-oiAyQaRilPk525Z5aTtTNWNzSrcdJ7IXM0/PL3CGlbI%3D' (2025-10-02)
  → 'github:nixos/nixpkgs/3bcc93c5f7a4b30335d31f21e2f1281cba68c318?narHash=sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI%3D' (2025-10-04)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/9fcfabe085281dd793589bdc770a2e577a3caa5d?narHash=sha256-f9QC2KKiNReZDG2yyKAtDZh0rSK2Xp1wkPzKbHeQVRU%3D' (2025-09-29)
  → 'github:Mic92/sops-nix/6e5a38e08a2c31ae687504196a230ae00ea95133?narHash=sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk%3D' (2025-10-05)
2025-10-06 00:02:06 +00:00
8b5c7d4919 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/5b5be50345d4113d04ba58c444348849f5585b4a?narHash=sha256-FIBE1qXv9TKvSNwst6FumyHwCRH3BlWDpfsnqRDCll0%3D' (2025-10-01)
  → 'github:nixos/nixpkgs/879bd460b3d3e8571354ce172128fbcbac1ed633?narHash=sha256-oiAyQaRilPk525Z5aTtTNWNzSrcdJ7IXM0/PL3CGlbI%3D' (2025-10-02)
2025-10-05 00:02:02 +00:00
1f602ca2e2 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/e9f00bd893984bc8ce46c895c3bf7cac95331127?narHash=sha256-0m27AKv6ka%2Bq270dw48KflE0LwQYrO7Fm4/2//KCVWg%3D' (2025-09-28)
  → 'github:nixos/nixpkgs/7df7ff7d8e00218376575f0acdcc5d66741351ee?narHash=sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs%3D' (2025-10-02)
2025-10-03 00:02:51 +00:00
1af8e69e4b flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/5ed4e25ab58fd4c028b59d5611e14ea64de51d23?narHash=sha256-TvODmeR2W7yX/JmOCmP%2BlAFNkTT7hAxYcF3Kz8SZV3w%3D' (2025-09-29)
  → 'github:nixos/nixpkgs/5b5be50345d4113d04ba58c444348849f5585b4a?narHash=sha256-FIBE1qXv9TKvSNwst6FumyHwCRH3BlWDpfsnqRDCll0%3D' (2025-10-01)
2025-10-02 00:02:07 +00:00
3b017ccd2d flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/25e53aa156d47bad5082ff7618f5feb1f5e02d01?narHash=sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e%2BHYf0%3D' (2025-09-25)
  → 'github:nixos/nixpkgs/5ed4e25ab58fd4c028b59d5611e14ea64de51d23?narHash=sha256-TvODmeR2W7yX/JmOCmP%2BlAFNkTT7hAxYcF3Kz8SZV3w%3D' (2025-09-29)
2025-10-01 00:02:12 +00:00
acba89b864 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/e643668fd71b949c53f8626614b21ff71a07379d?narHash=sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o%3D' (2025-09-24)
  → 'github:nixos/nixpkgs/e9f00bd893984bc8ce46c895c3bf7cac95331127?narHash=sha256-0m27AKv6ka%2Bq270dw48KflE0LwQYrO7Fm4/2//KCVWg%3D' (2025-09-28)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/9ac51832c70f2ff34fcc97b05fa74b4a78317f9e?narHash=sha256-53VP3BqMXJqD1He1WADTFyUnpta3mie56H7nC59tSic%3D' (2025-09-28)
  → 'github:Mic92/sops-nix/9fcfabe085281dd793589bdc770a2e577a3caa5d?narHash=sha256-f9QC2KKiNReZDG2yyKAtDZh0rSK2Xp1wkPzKbHeQVRU%3D' (2025-09-29)
2025-09-30 00:02:12 +00:00
3a6ee2894b flake.lock: Update
Flake lock file updates:

• Updated input 'sops-nix':
    'github:Mic92/sops-nix/e0fdaea3c31646e252a60b42d0ed8eafdb289762?narHash=sha256-L3N8zV6wsViXiD8i3WFyrvjDdz76g3tXKEdZ4FkgQ%2BY%3D' (2025-09-21)
  → 'github:Mic92/sops-nix/9ac51832c70f2ff34fcc97b05fa74b4a78317f9e?narHash=sha256-53VP3BqMXJqD1He1WADTFyUnpta3mie56H7nC59tSic%3D' (2025-09-28)
2025-09-29 00:02:12 +00:00
16e4b9c908 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d1d883129b193f0b495d75c148c2c3a7d95789a0?narHash=sha256-zMTCFGe8aVGTEr2RqUi/QzC1nOIQ0N1HRsbqB4f646k%3D' (2025-09-23)
  → 'github:nixos/nixpkgs/25e53aa156d47bad5082ff7618f5feb1f5e02d01?narHash=sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e%2BHYf0%3D' (2025-09-25)
2025-09-27 00:02:13 +00:00
0f820eb0f6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/554be6495561ff07b6c724047bdd7e0716aa7b46?narHash=sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc%3D' (2025-09-21)
  → 'github:nixos/nixpkgs/e643668fd71b949c53f8626614b21ff71a07379d?narHash=sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o%3D' (2025-09-24)
2025-09-26 00:02:11 +00:00
186ce8525e flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/b2a3852bd078e68dd2b3dfa8c00c67af1f0a7d20?narHash=sha256-afXE7AJ7MY6wY1pg/Y6UPHNYPy5GtUKeBkrZZ/gC71E%3D' (2025-09-20)
  → 'github:nixos/nixpkgs/d1d883129b193f0b495d75c148c2c3a7d95789a0?narHash=sha256-zMTCFGe8aVGTEr2RqUi/QzC1nOIQ0N1HRsbqB4f646k%3D' (2025-09-23)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/8eaee110344796db060382e15d3af0a9fc396e0e?narHash=sha256-iCGWf/LTy%2BaY0zFu8q12lK8KuZp7yvdhStehhyX1v8w%3D' (2025-09-19)
  → 'github:nixos/nixpkgs/554be6495561ff07b6c724047bdd7e0716aa7b46?narHash=sha256-pHpxZ/IyCwoTQPtFIAG2QaxuSm8jWzrzBGjwQZIttJc%3D' (2025-09-21)
2025-09-24 00:02:10 +00:00
ff9281fcbf flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d2ed99647a4b195f0bcc440f76edfa10aeb3b743?narHash=sha256-h1BW2y7CY4LI9w61R02wPaOYfmYo82FyRqHIwukQ6SY%3D' (2025-09-18)
  → 'github:nixos/nixpkgs/b2a3852bd078e68dd2b3dfa8c00c67af1f0a7d20?narHash=sha256-afXE7AJ7MY6wY1pg/Y6UPHNYPy5GtUKeBkrZZ/gC71E%3D' (2025-09-20)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/f77d4cfa075c3de66fc9976b80e0c4fc69e2c139?narHash=sha256-HYnwlbY6RE5xVd5rh0bYw77pnD8lOgbT4mlrfjgNZ0c%3D' (2025-09-16)
  → 'github:Mic92/sops-nix/e0fdaea3c31646e252a60b42d0ed8eafdb289762?narHash=sha256-L3N8zV6wsViXiD8i3WFyrvjDdz76g3tXKEdZ4FkgQ%2BY%3D' (2025-09-21)
2025-09-22 00:01:52 +00:00
a0b9a3d900 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/0147c2f1d54b30b5dd6d4a8c8542e8d7edf93b5d?narHash=sha256-7To75JlpekfUmdkUZewnT6MoBANS0XVypW6kjUOXQwc%3D' (2025-09-18)
  → 'github:nixos/nixpkgs/8eaee110344796db060382e15d3af0a9fc396e0e?narHash=sha256-iCGWf/LTy%2BaY0zFu8q12lK8KuZp7yvdhStehhyX1v8w%3D' (2025-09-19)
2025-09-21 00:01:51 +00:00
aca303c367 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/e9b7f2ff62b35f711568b1f0866243c7c302028d?narHash=sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9%2BM56%2BOkf%2BWY%3D' (2025-09-17)
  → 'github:nixos/nixpkgs/d2ed99647a4b195f0bcc440f76edfa10aeb3b743?narHash=sha256-h1BW2y7CY4LI9w61R02wPaOYfmYo82FyRqHIwukQ6SY%3D' (2025-09-18)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/8d4ddb19d03c65a36ad8d189d001dc32ffb0306b?narHash=sha256-qqIJ3yxPiB0ZQTT9//nFGQYn8X/PBoJbofA7hRKZnmE%3D' (2025-09-16)
  → 'github:nixos/nixpkgs/0147c2f1d54b30b5dd6d4a8c8542e8d7edf93b5d?narHash=sha256-7To75JlpekfUmdkUZewnT6MoBANS0XVypW6kjUOXQwc%3D' (2025-09-18)
2025-09-20 00:01:50 +00:00
033f103374 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c23193b943c6c689d70ee98ce3128239ed9e32d1?narHash=sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820%3D' (2025-09-13)
  → 'github:nixos/nixpkgs/8d4ddb19d03c65a36ad8d189d001dc32ffb0306b?narHash=sha256-qqIJ3yxPiB0ZQTT9//nFGQYn8X/PBoJbofA7hRKZnmE%3D' (2025-09-16)
2025-09-19 00:01:50 +00:00
7317e98a39 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/9a094440e02a699be5c57453a092a8baf569bdad?narHash=sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs%3D' (2025-09-14)
  → 'github:nixos/nixpkgs/e9b7f2ff62b35f711568b1f0866243c7c302028d?narHash=sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9%2BM56%2BOkf%2BWY%3D' (2025-09-17)
2025-09-18 00:01:50 +00:00
8bc0546b70 flake.lock: Update
Flake lock file updates:

• Updated input 'sops-nix':
    'github:Mic92/sops-nix/ee6f91c1c11acf7957d94a130de77561ec24b8ab?narHash=sha256-TumOaykhZO8SOs/faz6GQhqkOcFLoQvESLSF1cJ4mZc%3D' (2025-09-14)
  → 'github:Mic92/sops-nix/f77d4cfa075c3de66fc9976b80e0c4fc69e2c139?narHash=sha256-HYnwlbY6RE5xVd5rh0bYw77pnD8lOgbT4mlrfjgNZ0c%3D' (2025-09-16)
2025-09-17 00:01:51 +00:00
98099d0a2e flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/8cd5ce828d5d1d16feff37340171a98fc3bf6526?narHash=sha256-mCxPABZ6jRjUQx3bPP4vjA68ETbPLNz9V2pk9tO7pRQ%3D' (2025-09-10)
  → 'github:nixos/nixpkgs/9a094440e02a699be5c57453a092a8baf569bdad?narHash=sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs%3D' (2025-09-14)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/ab0f3607a6c7486ea22229b92ed2d355f1482ee0?narHash=sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/%2BG0lKfv4kk/5Izdg%3D' (2025-09-10)
  → 'github:nixos/nixpkgs/c23193b943c6c689d70ee98ce3128239ed9e32d1?narHash=sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820%3D' (2025-09-13)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/0bf793823386187dff101ee2a9d4ed26de8bbf8c?narHash=sha256-S9F6bHUBh%2BCFEUalv/qxNImRapCxvSnOzWBUZgK1zDU%3D' (2025-09-10)
  → 'github:Mic92/sops-nix/ee6f91c1c11acf7957d94a130de77561ec24b8ab?narHash=sha256-TumOaykhZO8SOs/faz6GQhqkOcFLoQvESLSF1cJ4mZc%3D' (2025-09-14)
2025-09-15 00:01:57 +00:00
7556a93700 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d179d77c139e0a3f5c416477f7747e9d6b7ec315?narHash=sha256-aSgK4BLNFFGvDTNKPeB28lVXYqVn8RdyXDNAvgGq%2Bk0%3D' (2025-09-09)
  → 'github:nixos/nixpkgs/8cd5ce828d5d1d16feff37340171a98fc3bf6526?narHash=sha256-mCxPABZ6jRjUQx3bPP4vjA68ETbPLNz9V2pk9tO7pRQ%3D' (2025-09-10)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/b599843bad24621dcaa5ab60dac98f9b0eb1cabe?narHash=sha256-tLdkkC6XnsY9EOZW9TlpesTclELy8W7lL2ClL%2Bnma8o%3D' (2025-09-08)
  → 'github:nixos/nixpkgs/ab0f3607a6c7486ea22229b92ed2d355f1482ee0?narHash=sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/%2BG0lKfv4kk/5Izdg%3D' (2025-09-10)
2025-09-12 00:02:04 +00:00
78c2cff25b flake.lock: Update
Flake lock file updates:

• Updated input 'sops-nix':
    'github:Mic92/sops-nix/3b4a369df9dd6ee171a7ea4448b50e2528faf850?narHash=sha256-qwN8nYdSRnmmyyi%2BuR6m4gXnVktmy5smG1MOrSFD8PI%3D' (2025-09-09)
  → 'github:Mic92/sops-nix/0bf793823386187dff101ee2a9d4ed26de8bbf8c?narHash=sha256-S9F6bHUBh%2BCFEUalv/qxNImRapCxvSnOzWBUZgK1zDU%3D' (2025-09-10)
2025-09-11 00:02:07 +00:00
afb1ba5427 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/9d1fa9fa266631335618373f8faad570df6f9ede?narHash=sha256-fRnT%2BbwP1sB6ne7BLw4aXkVYjr%2BQCZZ%2Be4MhbokHyd4%3D' (2025-09-08)
  → 'github:nixos/nixpkgs/d179d77c139e0a3f5c416477f7747e9d6b7ec315?narHash=sha256-aSgK4BLNFFGvDTNKPeB28lVXYqVn8RdyXDNAvgGq%2Bk0%3D' (2025-09-09)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/8eb28adfa3dc4de28e792e3bf49fcf9007ca8ac9?narHash=sha256-NOrUtIhTkIIumj1E/Rsv1J37Yi3xGStISEo8tZm3KW4%3D' (2025-09-05)
  → 'github:nixos/nixpkgs/b599843bad24621dcaa5ab60dac98f9b0eb1cabe?narHash=sha256-tLdkkC6XnsY9EOZW9TlpesTclELy8W7lL2ClL%2Bnma8o%3D' (2025-09-08)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/3223c7a92724b5d804e9988c6b447a0d09017d48?narHash=sha256-t%2Bvoe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U%3D' (2025-08-12)
  → 'github:Mic92/sops-nix/3b4a369df9dd6ee171a7ea4448b50e2528faf850?narHash=sha256-qwN8nYdSRnmmyyi%2BuR6m4gXnVktmy5smG1MOrSFD8PI%3D' (2025-09-09)
2025-09-10 00:02:07 +00:00
d18f1bb0c4 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/fe83bbdde2ccdc2cb9573aa846abe8363f79a97a?narHash=sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0%3D' (2025-09-04)
  → 'github:nixos/nixpkgs/9d1fa9fa266631335618373f8faad570df6f9ede?narHash=sha256-fRnT%2BbwP1sB6ne7BLw4aXkVYjr%2BQCZZ%2Be4MhbokHyd4%3D' (2025-09-08)
2025-09-09 00:02:06 +00:00
05a5fb9d52 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/d0fc30899600b9b3466ddb260fd83deb486c32f1?narHash=sha256-rw/PHa1cqiePdBxhF66V7R%2BWAP8WekQ0mCDG4CFqT8Y%3D' (2025-09-02)
  → 'github:nixos/nixpkgs/8eb28adfa3dc4de28e792e3bf49fcf9007ca8ac9?narHash=sha256-NOrUtIhTkIIumj1E/Rsv1J37Yi3xGStISEo8tZm3KW4%3D' (2025-09-05)
2025-09-08 00:02:07 +00:00
0b039e5ffe flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/0e6684e6c5755325f801bda1751a8a4038145d7d?narHash=sha256-6tooT142NLcFjt24Gi4B0G1pgWLvfw7y93sYEfSHlLI%3D' (2025-09-03)
  → 'github:nixos/nixpkgs/fe83bbdde2ccdc2cb9573aa846abe8363f79a97a?narHash=sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0%3D' (2025-09-04)
2025-09-06 00:02:07 +00:00
36b8df91fc flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7c815e513adbf03c9098b2bd230c1e0525c8a7f9?narHash=sha256-9Rsn9XEWINExosFkKEqdp8EI6Mujr1gmQiyrEcts2ls%3D' (2025-09-01)
  → 'github:nixos/nixpkgs/0e6684e6c5755325f801bda1751a8a4038145d7d?narHash=sha256-6tooT142NLcFjt24Gi4B0G1pgWLvfw7y93sYEfSHlLI%3D' (2025-09-03)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/d7600c775f877cd87b4f5a831c28aa94137377aa?narHash=sha256-tlOn88coG5fzdyqz6R93SQL5Gpq%2Bm/DsWpekNFhqPQk%3D' (2025-08-30)
  → 'github:nixos/nixpkgs/d0fc30899600b9b3466ddb260fd83deb486c32f1?narHash=sha256-rw/PHa1cqiePdBxhF66V7R%2BWAP8WekQ0mCDG4CFqT8Y%3D' (2025-09-02)
2025-09-04 00:02:07 +00:00
3be5f21a07 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/b4c2c57c31e68544982226d07e4719a2d86302a8?narHash=sha256-aGnd4AHIYCWQKChAkHPpX%2BYYCt7pA6y2LFFA/s8q0wQ%3D' (2025-08-31)
  → 'github:nixos/nixpkgs/7c815e513adbf03c9098b2bd230c1e0525c8a7f9?narHash=sha256-9Rsn9XEWINExosFkKEqdp8EI6Mujr1gmQiyrEcts2ls%3D' (2025-09-01)
2025-09-03 00:02:07 +00:00
1b44b9291a flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/41d292bfc37309790f70f4c120b79280ce40af16?narHash=sha256-YvtD2E7MYsQ3r7K9K2G7nCslCKMPShoSEAtbjHLtH0k%3D' (2025-08-29)
  → 'github:nixos/nixpkgs/b4c2c57c31e68544982226d07e4719a2d86302a8?narHash=sha256-aGnd4AHIYCWQKChAkHPpX%2BYYCt7pA6y2LFFA/s8q0wQ%3D' (2025-08-31)
2025-09-01 00:02:04 +00:00
7c5c4c172d flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/84c26d62ce9e15489c63b83fc44e6eb62705d2c9?narHash=sha256-al0UcN5mXrO/p5lcH0MuQaj%2Bt97s3brzCii8GfCBMuA%3D' (2025-08-28)
  → 'github:nixos/nixpkgs/41d292bfc37309790f70f4c120b79280ce40af16?narHash=sha256-YvtD2E7MYsQ3r7K9K2G7nCslCKMPShoSEAtbjHLtH0k%3D' (2025-08-29)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/dfb2f12e899db4876308eba6d93455ab7da304cd?narHash=sha256-1wxxznpW2CKvI9VdniaUnTT2Os6rdRJcRUf65ZK9OtE%3D' (2025-08-28)
  → 'github:nixos/nixpkgs/d7600c775f877cd87b4f5a831c28aa94137377aa?narHash=sha256-tlOn88coG5fzdyqz6R93SQL5Gpq%2Bm/DsWpekNFhqPQk%3D' (2025-08-30)
2025-08-31 00:02:00 +00:00
b11267647b flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/4e7667a90c167f7a81d906e5a75cba4ad8bee620?narHash=sha256-TH1SfSP523QI7kcPiNtMAEuwZR3Jdz0MCDXPs7TS8uo%3D' (2025-08-26)
  → 'github:nixos/nixpkgs/84c26d62ce9e15489c63b83fc44e6eb62705d2c9?narHash=sha256-al0UcN5mXrO/p5lcH0MuQaj%2Bt97s3brzCii8GfCBMuA%3D' (2025-08-28)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/8a6d5427d99ec71c64f0b93d45778c889005d9c2?narHash=sha256-cr748nSmpfvnhqSXPiCfUPxRz2FJnvf/RjJGvFfaCsM%3D' (2025-08-27)
  → 'github:nixos/nixpkgs/dfb2f12e899db4876308eba6d93455ab7da304cd?narHash=sha256-1wxxznpW2CKvI9VdniaUnTT2Os6rdRJcRUf65ZK9OtE%3D' (2025-08-28)
2025-08-30 00:01:59 +00:00
beefa4a122 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/b1b3291469652d5a2edb0becc4ef0246fff97a7c?narHash=sha256-wY1%2B2JPH0ZZC4BQefoZw/k%2B3%2BDowFyfOxv17CN/idKs%3D' (2025-08-23)
  → 'github:nixos/nixpkgs/4e7667a90c167f7a81d906e5a75cba4ad8bee620?narHash=sha256-TH1SfSP523QI7kcPiNtMAEuwZR3Jdz0MCDXPs7TS8uo%3D' (2025-08-26)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25)
  → 'github:nixos/nixpkgs/8a6d5427d99ec71c64f0b93d45778c889005d9c2?narHash=sha256-cr748nSmpfvnhqSXPiCfUPxRz2FJnvf/RjJGvFfaCsM%3D' (2025-08-27)
2025-08-28 00:02:23 +00:00
3219b8da4b nix-cache01: re-add homelab label
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m15s
Periodic flake update / flake-update (push) Successful in 2m32s
2025-08-27 23:00:47 +02:00
e5d799ef68 nix-cache01: redo actions config
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-08-27 22:57:26 +02:00
2fc4623e8d nix-cache01: make more changes to runner
Some checks failed
Run nix flake check / flake-check (push) Failing after 23s
2025-08-27 22:47:27 +02:00
bd162f3743 nix-cache01: make some changes to runner
Some checks failed
Run nix flake check / flake-check (push) Failing after 12s
2025-08-27 22:42:42 +02:00
b86de01de8 nix-cache01: change runner log-level to debug
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-08-27 22:29:28 +02:00
ca69c434bd flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/20075955deac2583bb12f07151c2df830ef346b4?narHash=sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs%2BStOp19xNsbqdOg%3D' (2025-08-19)
  → 'github:nixos/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25)
2025-08-27 00:02:08 +00:00
37cbc0f0a6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/9cb344e96d5b6918e94e1bca2d9f3ea1e9615545?narHash=sha256-gKlP0LbyJ3qX0KObfIWcp5nbuHSb5EHwIvU6UcNBg2A%3D' (2025-08-20)
  → 'github:nixos/nixpkgs/b1b3291469652d5a2edb0becc4ef0246fff97a7c?narHash=sha256-wY1%2B2JPH0ZZC4BQefoZw/k%2B3%2BDowFyfOxv17CN/idKs%3D' (2025-08-23)
2025-08-25 00:02:04 +00:00
5239772ecb flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a58390ab6f1aa810eb8e0f0fc74230e7cc06de03?narHash=sha256-BA9MuPjBDx/WnpTJ0EGhStyfE7hug8g85Y3Ju9oTsM4%3D' (2025-08-19)
  → 'github:nixos/nixpkgs/9cb344e96d5b6918e94e1bca2d9f3ea1e9615545?narHash=sha256-gKlP0LbyJ3qX0KObfIWcp5nbuHSb5EHwIvU6UcNBg2A%3D' (2025-08-20)
2025-08-22 00:02:53 +00:00
09bd63169d nix-cache01: add podman to host
Some checks failed
Run nix flake check / flake-check (push) Failing after 3m41s
Periodic flake update / flake-update (push) Successful in 2m0s
2025-08-21 21:36:49 +02:00
ef3d34d27f nix-cache01: change runner labels
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m50s
2025-08-21 21:28:14 +02:00
ecd1dd83ab nix-cache01: set new actions secret
Some checks failed
Run nix flake check / flake-check (push) Failing after 5m6s
2025-08-21 21:08:59 +02:00
2cdc2fc896 nix-cache01: edit actions secret
Some checks failed
Run nix flake check / flake-check (push) Failing after 0s
2025-08-21 21:06:52 +02:00
7b2c3d1efa nix-cache01: edit actions secret
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-08-21 21:03:13 +02:00
ad3f4e8094 nix-cache01: fix actions config secret name
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-08-21 21:00:20 +02:00
fa4e47a873 nix-cache01: fix instance name in runner
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-08-21 20:59:18 +02:00
f49711b1b3 nix-cache01: fix typo in actions config
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-08-21 20:57:02 +02:00
a0e94430b4 nix-cache01: add actions runner
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-08-21 20:56:04 +02:00
cdf2f17e0b flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/fbcf476f790d8a217c3eab4e12033dc4a0f6d23c?narHash=sha256-wNO3%2BKs2jZJ4nTHMuks%2BcxAiVBGNuEBXsT29Bz6HASo%3D' (2025-08-14)
  → 'github:nixos/nixpkgs/20075955deac2583bb12f07151c2df830ef346b4?narHash=sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs%2BStOp19xNsbqdOg%3D' (2025-08-19)
2025-08-21 00:06:06 +00:00
e4b004e2a5 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/48f4c982de68d966421d2b6f1ddbeb6227cc5ceb?narHash=sha256-axUoWcm4cNQ36jOlnkD9D40LTfSQgk8ExfHSRm3rTtg%3D' (2025-08-17)
  → 'github:nixos/nixpkgs/a58390ab6f1aa810eb8e0f0fc74230e7cc06de03?narHash=sha256-BA9MuPjBDx/WnpTJ0EGhStyfE7hug8g85Y3Ju9oTsM4%3D' (2025-08-19)
2025-08-20 00:05:11 +00:00
20b345a693 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/ad7196ae55c295f53a7d1ec39e4a06d922f3b899?narHash=sha256-rTInmnp/xYrfcMZyFMH3kc8oko5zYfxsowaLv1LVobY%3D' (2025-08-15)
  → 'github:nixos/nixpkgs/48f4c982de68d966421d2b6f1ddbeb6227cc5ceb?narHash=sha256-axUoWcm4cNQ36jOlnkD9D40LTfSQgk8ExfHSRm3rTtg%3D' (2025-08-17)
2025-08-19 00:05:12 +00:00
bb3cda7c48 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3385ca0cd7e14c1a1eb80401fe011705ff012323?narHash=sha256-Hu/gTDoi4uy6TAKISPHQusSMy8U6xUbLSDjKBYdhDIY%3D' (2025-08-13)
  → 'github:nixos/nixpkgs/ad7196ae55c295f53a7d1ec39e4a06d922f3b899?narHash=sha256-rTInmnp/xYrfcMZyFMH3kc8oko5zYfxsowaLv1LVobY%3D' (2025-08-15)
2025-08-17 00:06:10 +00:00
29eb7fb4b2 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/005433b926e16227259a1843015b5b2b7f7d1fc3?narHash=sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV%2B3/aO28gXpGtMXI%3D' (2025-08-12)
  → 'github:nixos/nixpkgs/fbcf476f790d8a217c3eab4e12033dc4a0f6d23c?narHash=sha256-wNO3%2BKs2jZJ4nTHMuks%2BcxAiVBGNuEBXsT29Bz6HASo%3D' (2025-08-14)
2025-08-16 00:05:15 +00:00
2a9ceacaf2 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/ddae11e58c0c345bf66efbddbf2192ed0e58f896?narHash=sha256-3sWA5WJybUE16kIMZ3%2BuxcxKZY/JRR4DFBqLdSLBo7w%3D' (2025-08-11)
  → 'github:nixos/nixpkgs/3385ca0cd7e14c1a1eb80401fe011705ff012323?narHash=sha256-Hu/gTDoi4uy6TAKISPHQusSMy8U6xUbLSDjKBYdhDIY%3D' (2025-08-13)
2025-08-15 00:05:18 +00:00
92071795a6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054?narHash=sha256-iAcj9T/Y%2B3DBy2J0N%2ByF9XQQQ8IEb5swLFzs23CdP88%3D' (2025-08-09)
  → 'github:nixos/nixpkgs/005433b926e16227259a1843015b5b2b7f7d1fc3?narHash=sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV%2B3/aO28gXpGtMXI%3D' (2025-08-12)
2025-08-14 00:05:35 +00:00
0a97f4e709 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c5f08b62ed75415439d48152c2a784e36909b1bc?narHash=sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g%3D' (2025-08-09)
  → 'github:nixos/nixpkgs/ddae11e58c0c345bf66efbddbf2192ed0e58f896?narHash=sha256-3sWA5WJybUE16kIMZ3%2BuxcxKZY/JRR4DFBqLdSLBo7w%3D' (2025-08-11)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/49021900e69812ba7ddb9e40f9170218a7eca9f4?narHash=sha256-glPK8DF329/dXtosV7YSzRlF4n35WDjaVwdOMEoEXHA%3D' (2025-08-04)
  → 'github:Mic92/sops-nix/3223c7a92724b5d804e9988c6b447a0d09017d48?narHash=sha256-t%2Bvoe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U%3D' (2025-08-12)
2025-08-13 00:05:12 +00:00
76f319291a flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/fc756aa6f5d3e2e5666efcf865d190701fef150a?narHash=sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc%3D' (2025-08-08)
  → 'github:nixos/nixpkgs/c5f08b62ed75415439d48152c2a784e36909b1bc?narHash=sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g%3D' (2025-08-09)
2025-08-12 00:05:13 +00:00
00ac943f9a flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c2ae88e026f9525daf89587f3cbee584b92b6134?narHash=sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs%3D' (2025-08-06)
  → 'github:nixos/nixpkgs/85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054?narHash=sha256-iAcj9T/Y%2B3DBy2J0N%2ByF9XQQQ8IEb5swLFzs23CdP88%3D' (2025-08-09)
2025-08-11 00:05:22 +00:00
d29fa1f5b0 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/e728d7ae4bb6394bbd19eec52b7358526a44c414?narHash=sha256-YzNTExe3kMY9lYs23mZR7jsVHe5TWnpwNrsPOpFs/b8%3D' (2025-08-07)
  → 'github:nixos/nixpkgs/fc756aa6f5d3e2e5666efcf865d190701fef150a?narHash=sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc%3D' (2025-08-08)
2025-08-10 00:05:16 +00:00
5e7b4b3fa6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/ce01daebf8489ba97bd1609d185ea276efdeb121?narHash=sha256-1ziydHSiDuSnaiPzCQh1mRFBsM2d2yRX9I%2B5OPGEmIE%3D' (2025-08-04)
  → 'github:nixos/nixpkgs/e728d7ae4bb6394bbd19eec52b7358526a44c414?narHash=sha256-YzNTExe3kMY9lYs23mZR7jsVHe5TWnpwNrsPOpFs/b8%3D' (2025-08-07)
2025-08-09 00:05:13 +00:00
a4961847fa flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5b09dc45f24cf32316283e62aec81ffee3c3e376?narHash=sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY%3D' (2025-08-03)
  → 'github:nixos/nixpkgs/c2ae88e026f9525daf89587f3cbee584b92b6134?narHash=sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs%3D' (2025-08-06)
2025-08-08 00:05:13 +00:00
bcf01a0c11 ha1: add missing python package
Some checks failed
Run nix flake check / flake-check (push) Failing after 13m50s
Periodic flake update / flake-update (push) Successful in 3m53s
2025-08-05 17:36:11 +02:00
44766feb95 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/59e69648d345d6e8fef86158c555730fa12af9de?narHash=sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk%3D' (2025-08-01)
  → 'github:nixos/nixpkgs/ce01daebf8489ba97bd1609d185ea276efdeb121?narHash=sha256-1ziydHSiDuSnaiPzCQh1mRFBsM2d2yRX9I%2B5OPGEmIE%3D' (2025-08-04)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/94def634a20494ee057c76998843c015909d6311?narHash=sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1%2BA4GQej/lBk5y7I%3D' (2025-07-31)
  → 'github:nixos/nixpkgs/5b09dc45f24cf32316283e62aec81ffee3c3e376?narHash=sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY%3D' (2025-08-03)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/2c8def626f54708a9c38a5861866660395bb3461?narHash=sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U%3D' (2025-07-15)
  → 'github:Mic92/sops-nix/49021900e69812ba7ddb9e40f9170218a7eca9f4?narHash=sha256-glPK8DF329/dXtosV7YSzRlF4n35WDjaVwdOMEoEXHA%3D' (2025-08-04)
2025-08-05 00:05:17 +00:00
7ea44648a2 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a?narHash=sha256-%2BjkEZxs7bfOKfBIk430K%2BtK9IvXlwzqQQnppC2ZKFj4%3D' (2025-07-29)
  → 'github:nixos/nixpkgs/59e69648d345d6e8fef86158c555730fa12af9de?narHash=sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk%3D' (2025-08-01)
2025-08-03 00:05:56 +00:00
a4659182c9 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/dc9637876d0dcc8c9e5e22986b857632effeb727?narHash=sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM%3D' (2025-07-28)
  → 'github:nixos/nixpkgs/94def634a20494ee057c76998843c015909d6311?narHash=sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1%2BA4GQej/lBk5y7I%3D' (2025-07-31)
2025-08-02 00:05:14 +00:00
a389044060 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/13e8d35b7d6028b7198f8186bc0347c6abaa2701?narHash=sha256-uDCFHeXdRIgJpYmtcUxGEsZ%2BhYlLPBhR83fdU%2BvbC1s%3D' (2025-07-26)
  → 'github:nixos/nixpkgs/1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a?narHash=sha256-%2BjkEZxs7bfOKfBIk430K%2BtK9IvXlwzqQQnppC2ZKFj4%3D' (2025-07-29)
2025-07-31 00:05:18 +00:00
e95f031237 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3ff0e34b1383648053bba8ed03f201d3466f90c9?narHash=sha256-CdX2Rtvp5I8HGu9swBmYuq%2BILwRxpXdJwlpg8jvN4tU%3D' (2025-07-24)
  → 'github:nixos/nixpkgs/13e8d35b7d6028b7198f8186bc0347c6abaa2701?narHash=sha256-uDCFHeXdRIgJpYmtcUxGEsZ%2BhYlLPBhR83fdU%2BvbC1s%3D' (2025-07-26)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/7fd36ee82c0275fb545775cc5e4d30542899511d?narHash=sha256-9h7%2B4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ%2BSJjk%3D' (2025-07-25)
  → 'github:nixos/nixpkgs/dc9637876d0dcc8c9e5e22986b857632effeb727?narHash=sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM%3D' (2025-07-28)
2025-07-30 00:05:09 +00:00
1a0a15cbb9 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/fc02ee70efb805d3b2865908a13ddd4474557ecf?narHash=sha256-i%2BCQV2rPmP8wHxj0aq4siYyohHwVlsh40kV89f3nw1s%3D' (2025-07-23)
  → 'github:nixos/nixpkgs/7fd36ee82c0275fb545775cc5e4d30542899511d?narHash=sha256-9h7%2B4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ%2BSJjk%3D' (2025-07-25)
2025-07-27 00:05:41 +00:00
01e35b0bbc flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/92c2e04a475523e723c67ef872d8037379073681?narHash=sha256-yLuz5cz5Z%2Bsn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c%3D' (2025-07-21)
  → 'github:nixos/nixpkgs/3ff0e34b1383648053bba8ed03f201d3466f90c9?narHash=sha256-CdX2Rtvp5I8HGu9swBmYuq%2BILwRxpXdJwlpg8jvN4tU%3D' (2025-07-24)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c87b95e25065c028d31a94f06a62927d18763fdf?narHash=sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc%3D' (2025-07-19)
  → 'github:nixos/nixpkgs/fc02ee70efb805d3b2865908a13ddd4474557ecf?narHash=sha256-i%2BCQV2rPmP8wHxj0aq4siYyohHwVlsh40kV89f3nw1s%3D' (2025-07-23)
2025-07-25 00:05:08 +00:00
ad821eabe1 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/f01fe91b0108a7aff99c99f2e9abbc45db0adc2a?narHash=sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M%3D' (2025-07-18)
  → 'github:nixos/nixpkgs/92c2e04a475523e723c67ef872d8037379073681?narHash=sha256-yLuz5cz5Z%2Bsn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c%3D' (2025-07-21)
2025-07-23 00:05:02 +00:00
d482a49bf0 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e?narHash=sha256-f3pO%2B9lg66mV7IMmmIqG4PL3223TYMlnlw%2Bpnpelbss%3D' (2025-07-15)
  → 'github:nixos/nixpkgs/f01fe91b0108a7aff99c99f2e9abbc45db0adc2a?narHash=sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M%3D' (2025-07-18)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/6e987485eb2c77e5dcc5af4e3c70843711ef9251?narHash=sha256-RKwfXA4OZROjBTQAl9WOZQFm7L8Bo93FQwSJpAiSRvo%3D' (2025-07-16)
  → 'github:nixos/nixpkgs/c87b95e25065c028d31a94f06a62927d18763fdf?narHash=sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc%3D' (2025-07-19)
2025-07-21 00:04:58 +00:00
0f2da6933e flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/62e0f05ede1da0d54515d4ea8ce9c733f12d9f08?narHash=sha256-JHQbm%2BOcGp32wAsXTE/FLYGNpb%2B4GLi5oTvCxwSoBOA%3D' (2025-07-14)
  → 'github:nixos/nixpkgs/6e987485eb2c77e5dcc5af4e3c70843711ef9251?narHash=sha256-RKwfXA4OZROjBTQAl9WOZQFm7L8Bo93FQwSJpAiSRvo%3D' (2025-07-16)
2025-07-19 00:05:03 +00:00
ae8c318ecb flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/dfcd5b901dbab46c9c6e80b265648481aafb01f8?narHash=sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw%3D' (2025-07-13)
  → 'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e?narHash=sha256-f3pO%2B9lg66mV7IMmmIqG4PL3223TYMlnlw%2Bpnpelbss%3D' (2025-07-15)
2025-07-17 00:05:02 +00:00
b79e95c194 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/650e572363c091045cdbc5b36b0f4c1f614d3058?narHash=sha256-pzrVLKRQNPrii06Rm09Q0i0dq3wt2t2pciT/GNq5EZQ%3D' (2025-07-12)
  → 'github:nixos/nixpkgs/dfcd5b901dbab46c9c6e80b265648481aafb01f8?narHash=sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw%3D' (2025-07-13)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/9807714d6944a957c2e036f84b0ff8caf9930bc0?narHash=sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X%2BxgOL0%3D' (2025-07-08)
  → 'github:nixos/nixpkgs/62e0f05ede1da0d54515d4ea8ce9c733f12d9f08?narHash=sha256-JHQbm%2BOcGp32wAsXTE/FLYGNpb%2B4GLi5oTvCxwSoBOA%3D' (2025-07-14)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/3633fc4acf03f43b260244d94c71e9e14a2f6e0d?narHash=sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA%3D' (2025-07-04)
  → 'github:Mic92/sops-nix/2c8def626f54708a9c38a5861866660395bb3461?narHash=sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U%3D' (2025-07-15)
2025-07-16 00:05:11 +00:00
102e370e57 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/10e687235226880ed5e9f33f1ffa71fe60f2638a?narHash=sha256-3MxxkU8ZXMHXcbFz7UE4M6qnIPTYGcE/7EMqlZNnVDE%3D' (2025-07-10)
  → 'github:nixos/nixpkgs/650e572363c091045cdbc5b36b0f4c1f614d3058?narHash=sha256-pzrVLKRQNPrii06Rm09Q0i0dq3wt2t2pciT/GNq5EZQ%3D' (2025-07-12)
2025-07-14 00:05:01 +00:00
c3f8fef2c8 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/88983d4b665fb491861005137ce2b11a9f89f203?narHash=sha256-7orTnNqkGGru8Je6Un6mq1T8YVVU/O5kyW4%2Bf9C1mZQ%3D' (2025-07-08)
  → 'github:nixos/nixpkgs/10e687235226880ed5e9f33f1ffa71fe60f2638a?narHash=sha256-3MxxkU8ZXMHXcbFz7UE4M6qnIPTYGcE/7EMqlZNnVDE%3D' (2025-07-10)
2025-07-13 00:04:56 +00:00
a727d128a1 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/29e290002bfff26af1db6f64d070698019460302?narHash=sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg%3D' (2025-07-05)
  → 'github:nixos/nixpkgs/88983d4b665fb491861005137ce2b11a9f89f203?narHash=sha256-7orTnNqkGGru8Je6Un6mq1T8YVVU/O5kyW4%2Bf9C1mZQ%3D' (2025-07-08)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/1fd8bada0b6117e6c7eb54aad5813023eed37ccb?narHash=sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo%3D' (2025-07-06)
  → 'github:nixos/nixpkgs/9807714d6944a957c2e036f84b0ff8caf9930bc0?narHash=sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X%2BxgOL0%3D' (2025-07-08)
2025-07-10 00:05:03 +00:00
17e6fb567c flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5c724ed1388e53cc231ed98330a60eb2f7be4be3?narHash=sha256-xVNy/XopSfIG9c46nRmPaKfH1Gn/56vQ8%2B%2BxWA8itO4%3D' (2025-07-04)
  → 'github:nixos/nixpkgs/1fd8bada0b6117e6c7eb54aad5813023eed37ccb?narHash=sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo%3D' (2025-07-06)
2025-07-08 00:04:54 +00:00
ccd9bbf4da Remove incus hosts
Some checks failed
Run nix flake check / flake-check (push) Failing after 14m57s
Periodic flake update / flake-update (push) Successful in 3m35s
2025-07-07 21:30:04 +02:00
84c65ebd82 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7a732ed41ca0dd64b4b71b563ab9805a80a7d693?narHash=sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA%3D' (2025-07-03)
  → 'github:nixos/nixpkgs/29e290002bfff26af1db6f64d070698019460302?narHash=sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg%3D' (2025-07-05)
2025-07-07 00:05:02 +00:00
a1d61f65e8 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/3016b4b15d13f3089db8a41ef937b13a9e33a8df?narHash=sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU%2Btt4YY%3D' (2025-06-30)
  → 'github:nixos/nixpkgs/5c724ed1388e53cc231ed98330a60eb2f7be4be3?narHash=sha256-xVNy/XopSfIG9c46nRmPaKfH1Gn/56vQ8%2B%2BxWA8itO4%3D' (2025-07-04)
2025-07-06 00:04:58 +00:00
4d4ce21e4f flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/b43c397f6c213918d6cfe6e3550abfe79b5d1c51?narHash=sha256-1Cu92i1KSPbhPCKxoiVG5qnoRiKTgR5CcGSRyLpOd7Y%3D' (2025-06-29)
  → 'github:nixos/nixpkgs/7a732ed41ca0dd64b4b71b563ab9805a80a7d693?narHash=sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA%3D' (2025-07-03)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2?narHash=sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M%3D' (2025-06-17)
  → 'github:Mic92/sops-nix/3633fc4acf03f43b260244d94c71e9e14a2f6e0d?narHash=sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA%3D' (2025-07-04)
2025-07-05 00:04:58 +00:00
a69342bde1 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/30e2e2857ba47844aa71991daa6ed1fc678bcbb7?narHash=sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM%3D' (2025-06-27)
  → 'github:nixos/nixpkgs/3016b4b15d13f3089db8a41ef937b13a9e33a8df?narHash=sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU%2Btt4YY%3D' (2025-06-30)
2025-07-02 00:05:06 +00:00
063d0acc71 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a676066377a2fe7457369dd37c31fd2263b662f4?narHash=sha256-zW/OFnotiz/ndPFdebpo3X0CrbVNf22n4DjN2vxlb58%3D' (2025-06-26)
  → 'github:nixos/nixpkgs/b43c397f6c213918d6cfe6e3550abfe79b5d1c51?narHash=sha256-1Cu92i1KSPbhPCKxoiVG5qnoRiKTgR5CcGSRyLpOd7Y%3D' (2025-06-29)
2025-07-01 00:04:57 +00:00
feae389078 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf?narHash=sha256-/CG%2Bw0o0oJ5itVklOoLbdn2dGB0wbZVOoDm4np6w09A%3D' (2025-06-24)
  → 'github:nixos/nixpkgs/30e2e2857ba47844aa71991daa6ed1fc678bcbb7?narHash=sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM%3D' (2025-06-27)
2025-06-29 00:04:49 +00:00
bd2b6ee3ed flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7284e2decc982b81a296ab35aa46e804baaa1cfe?narHash=sha256-aVkL3/yu50oQzi2YuKo0ceiCypVZpZXYd2P2p1FMJM4%3D' (2025-06-25)
  → 'github:nixos/nixpkgs/a676066377a2fe7457369dd37c31fd2263b662f4?narHash=sha256-zW/OFnotiz/ndPFdebpo3X0CrbVNf22n4DjN2vxlb58%3D' (2025-06-26)
2025-06-28 00:01:13 +00:00
78f03614d5 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1?narHash=sha256-kMhs%2BYzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8%3D' (2025-06-22)
  → 'github:nixos/nixpkgs/7284e2decc982b81a296ab35aa46e804baaa1cfe?narHash=sha256-aVkL3/yu50oQzi2YuKo0ceiCypVZpZXYd2P2p1FMJM4%3D' (2025-06-25)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/4b1164c3215f018c4442463a27689d973cffd750?narHash=sha256-Z0djmTa1YmnGMfE9jEe05oO4zggjDmxOGKwt844bUhE%3D' (2025-06-24)
  → 'github:nixos/nixpkgs/30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf?narHash=sha256-/CG%2Bw0o0oJ5itVklOoLbdn2dGB0wbZVOoDm4np6w09A%3D' (2025-06-24)
2025-06-27 00:04:52 +00:00
5fb773b517 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/4206c4cb56751df534751b058295ea61357bbbaa?narHash=sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc%3D' (2025-06-21)
  → 'github:nixos/nixpkgs/4b1164c3215f018c4442463a27689d973cffd750?narHash=sha256-Z0djmTa1YmnGMfE9jEe05oO4zggjDmxOGKwt844bUhE%3D' (2025-06-24)
2025-06-26 00:05:05 +00:00
b90304ee0e flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/b2485d56967598da068b5a6946dadda8bfcbcd37?narHash=sha256-3vkjFnxCOP6vm5Pm13wC/Zy6/VYgei/I/2DWgW4RFeA%3D' (2025-06-20)
  → 'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1?narHash=sha256-kMhs%2BYzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8%3D' (2025-06-22)
2025-06-25 00:04:57 +00:00
51f5ad3575 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/08f22084e6085d19bcfb4be30d1ca76ecb96fe54?narHash=sha256-XE/lFNhz5lsriMm/yjXkvSZz5DfvKJLUjsS6pP8EC50%3D' (2025-06-19)
  → 'github:nixos/nixpkgs/4206c4cb56751df534751b058295ea61357bbbaa?narHash=sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc%3D' (2025-06-21)
2025-06-23 00:04:58 +00:00
650f841cbf flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/36ab78dab7da2e4e27911007033713bab534187b?narHash=sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw%3D' (2025-06-17)
  → 'github:nixos/nixpkgs/b2485d56967598da068b5a6946dadda8bfcbcd37?narHash=sha256-3vkjFnxCOP6vm5Pm13wC/Zy6/VYgei/I/2DWgW4RFeA%3D' (2025-06-20)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/9e83b64f727c88a7711a2c463a7b16eedb69a84c?narHash=sha256-v263g4GbxXv87hMXMCpjkIxd/viIF7p3JpJrwgKdNiI%3D' (2025-06-17)
  → 'github:nixos/nixpkgs/08f22084e6085d19bcfb4be30d1ca76ecb96fe54?narHash=sha256-XE/lFNhz5lsriMm/yjXkvSZz5DfvKJLUjsS6pP8EC50%3D' (2025-06-19)
2025-06-21 00:04:50 +00:00
64913ca1a1 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/6c64dabd3aa85e0c02ef1cdcb6e1213de64baee3?narHash=sha256-h/aac1dGLhS3qpaD2aZt25NdKY7b%2BJT0ZIP2WuGsJMU%3D' (2025-06-15)
  → 'github:nixos/nixpkgs/36ab78dab7da2e4e27911007033713bab534187b?narHash=sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw%3D' (2025-06-17)
2025-06-19 00:05:17 +00:00
eaeb477fbf flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/ee930f9755f58096ac6e8ca94a1887e0534e2d81?narHash=sha256-Kh9K4taXbVuaLC0IL%2B9HcfvxsSUx8dPB5s5weJcc9pc%3D' (2025-06-13)
  → 'github:nixos/nixpkgs/9e83b64f727c88a7711a2c463a7b16eedb69a84c?narHash=sha256-v263g4GbxXv87hMXMCpjkIxd/viIF7p3JpJrwgKdNiI%3D' (2025-06-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/50754dfaa0e24e313c626900d44ef431f3210138?narHash=sha256-VunQzfZFA%2BY6x3wYi2UE4DEQ8qKoAZZCnZPUlSoqC%2BA%3D' (2025-06-10)
  → 'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2?narHash=sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M%3D' (2025-06-17)
2025-06-18 00:04:44 +00:00
8930e1f15c flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/5f4f306bea96741f1588ea4f450b2a2e29f42b98?narHash=sha256-tG5xUn3hFaPpAHYIvr2F88b%2BovcIO5k1HqajFy7ZFPM%3D' (2025-06-13)
  → 'github:nixos/nixpkgs/6c64dabd3aa85e0c02ef1cdcb6e1213de64baee3?narHash=sha256-h/aac1dGLhS3qpaD2aZt25NdKY7b%2BJT0ZIP2WuGsJMU%3D' (2025-06-15)
2025-06-17 00:04:46 +00:00
5b13cf7e20 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/fd487183437963a59ba763c0cc4f27e3447dd6dd?narHash=sha256-mHv/yeUbmL91/TvV95p%2BmBVahm9mdQMJoqaTVTALaFw%3D' (2025-06-12)
  → 'github:nixos/nixpkgs/5f4f306bea96741f1588ea4f450b2a2e29f42b98?narHash=sha256-tG5xUn3hFaPpAHYIvr2F88b%2BovcIO5k1HqajFy7ZFPM%3D' (2025-06-13)
2025-06-16 00:04:48 +00:00
79a9822f79 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/3e3afe5174c561dee0df6f2c2b2236990146329f?narHash=sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU%3D' (2025-06-07)
  → 'github:nixos/nixpkgs/ee930f9755f58096ac6e8ca94a1887e0534e2d81?narHash=sha256-Kh9K4taXbVuaLC0IL%2B9HcfvxsSUx8dPB5s5weJcc9pc%3D' (2025-06-13)
2025-06-15 00:05:17 +00:00
0217c5455b flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/88331c17ba434359491e8d5889cce872464052c2?narHash=sha256-FG4DEYBpROupu758beabUk9lhrblSf5hnv84v1TLqMc%3D' (2025-06-09)
  → 'github:nixos/nixpkgs/fd487183437963a59ba763c0cc4f27e3447dd6dd?narHash=sha256-mHv/yeUbmL91/TvV95p%2BmBVahm9mdQMJoqaTVTALaFw%3D' (2025-06-12)
2025-06-13 00:04:46 +00:00
1714d4c5fa flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/70c74b02eac46f4e4aa071e45a6189ce0f6d9265?narHash=sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw%3D' (2025-06-06)
  → 'github:nixos/nixpkgs/88331c17ba434359491e8d5889cce872464052c2?narHash=sha256-FG4DEYBpROupu758beabUk9lhrblSf5hnv84v1TLqMc%3D' (2025-06-09)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd?narHash=sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD%2B9H%2BWc8o%3D' (2025-05-18)
  → 'github:Mic92/sops-nix/50754dfaa0e24e313c626900d44ef431f3210138?narHash=sha256-VunQzfZFA%2BY6x3wYi2UE4DEQ8qKoAZZCnZPUlSoqC%2BA%3D' (2025-06-10)
2025-06-11 00:04:37 +00:00
81c3e0c0b6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/4792576cb003c994bd7cc1edada3129def20b27d?narHash=sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU%3D' (2025-06-05)
  → 'github:nixos/nixpkgs/70c74b02eac46f4e4aa071e45a6189ce0f6d9265?narHash=sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw%3D' (2025-06-06)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/d3d2d80a2191a73d1e86456a751b83aa13085d7d?narHash=sha256-QuUtALJpVrPnPeozlUG/y%2BoIMSLdptHxb3GK6cpSVhA%3D' (2025-06-05)
  → 'github:nixos/nixpkgs/3e3afe5174c561dee0df6f2c2b2236990146329f?narHash=sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU%3D' (2025-06-07)
2025-06-09 00:04:43 +00:00
1ed2fd6245 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c2a03962b8e24e669fb37b7df10e7c79531ff1a4?narHash=sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj%2BQ%3D' (2025-06-03)
  → 'github:nixos/nixpkgs/d3d2d80a2191a73d1e86456a751b83aa13085d7d?narHash=sha256-QuUtALJpVrPnPeozlUG/y%2BoIMSLdptHxb3GK6cpSVhA%3D' (2025-06-05)
2025-06-07 00:04:32 +00:00
a767aadca6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef?narHash=sha256-OGcDEz60TXQC%2BgVz5sdtgGJdKVYr6rwdzQKuZAJQpCA%3D' (2025-06-04)
  → 'github:nixos/nixpkgs/4792576cb003c994bd7cc1edada3129def20b27d?narHash=sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU%3D' (2025-06-05)
2025-06-06 00:04:29 +00:00
1845a56394 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922?narHash=sha256-Hb4iMhIbjX45GcrgOp3b8xnyli%2BysRPqAgZ/LZgyT5k%3D' (2025-06-02)
  → 'github:nixos/nixpkgs/8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef?narHash=sha256-OGcDEz60TXQC%2BgVz5sdtgGJdKVYr6rwdzQKuZAJQpCA%3D' (2025-06-04)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/910796cabe436259a29a72e8d3f5e180fc6dfacc?narHash=sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8%3D' (2025-05-31)
  → 'github:nixos/nixpkgs/c2a03962b8e24e669fb37b7df10e7c79531ff1a4?narHash=sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj%2BQ%3D' (2025-06-03)
2025-06-05 00:05:07 +00:00
5187d033cb flake.lock: Update
Some checks failed
Run nix flake check / flake-check (push) Failing after 13m46s
Periodic flake update / flake-update (push) Successful in 3m18s
Flake lock file updates:

• Updated input 'labmon':
    'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=4b7ab8cd0fb5129380fddca7f262defbb05f5758' (2025-06-03)
  → 'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=040a73e891a70ff06ec7ab31d7167914129dbf7d' (2025-06-03)
2025-06-03 22:53:34 +02:00
87a05c73a7 flake.lock: Update
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m24s
Flake lock file updates:

• Updated input 'labmon':
    'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=0b3c06cab9ad1aa082fa3562733d6e061ead347f' (2025-05-25)
  → 'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=4b7ab8cd0fb5129380fddca7f262defbb05f5758' (2025-06-03)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346?narHash=sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY%3D' (2025-05-31)
  → 'github:nixos/nixpkgs/10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922?narHash=sha256-Hb4iMhIbjX45GcrgOp3b8xnyli%2BysRPqAgZ/LZgyT5k%3D' (2025-06-02)
2025-06-03 22:41:41 +02:00
3be54bfee5 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7282cb574e0607e65224d33be8241eae7cfe0979?narHash=sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04%3D' (2025-05-28)
  → 'github:nixos/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346?narHash=sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY%3D' (2025-05-31)
2025-06-03 00:04:27 +00:00
337eb6b0ab flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/96ec055edbe5ee227f28cdbc3f1ddf1df5965102?narHash=sha256-7doLyJBzCllvqX4gszYtmZUToxKvMUrg45EUWaUYmBg%3D' (2025-05-28)
  → 'github:nixos/nixpkgs/910796cabe436259a29a72e8d3f5e180fc6dfacc?narHash=sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8%3D' (2025-05-31)
2025-06-02 00:04:36 +00:00
adf70999b9 Fix scrape config
Some checks failed
Run nix flake check / flake-check (push) Failing after 6m7s
Periodic flake update / flake-update (push) Successful in 3m13s
2025-06-01 02:41:54 +02:00
acb9e59775 Scrape nix-cache caddy
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-06-01 02:40:41 +02:00
fa4782e43f Attempt to fix caddyfile again
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m5s
2025-06-01 02:35:31 +02:00
9236d6aef7 Fix caddyfile for nix-cache
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-06-01 02:34:31 +02:00
7f84780956 Enable metrics endpoint for caddy on nix-cache
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-06-01 02:32:22 +02:00
41aac24d52 Change caddy config on nix-cache
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-06-01 02:30:33 +02:00
3e943862ef Fix error in caddyfile
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m21s
2025-06-01 02:25:50 +02:00
4754fea0c2 Configure more metrics for caddy
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-06-01 02:24:34 +02:00
2747556674 Add --show-error to curl in build-flakes
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m0s
2025-06-01 02:08:50 +02:00
de8bcda3c1 Modify curl flags for build-flakes
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-06-01 02:07:20 +02:00
a78a32f080 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7848cd8c982f7740edf76ddb3b43d234cb80fc4d?narHash=sha256-ixMT0a8mM091vSswlTORZj93WQAJsRNmEvqLL%2BqwTFM%3D' (2025-05-26)
  → 'github:nixos/nixpkgs/7282cb574e0607e65224d33be8241eae7cfe0979?narHash=sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04%3D' (2025-05-28)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/4faa5f5321320e49a78ae7848582f684d64783e9?narHash=sha256-QlL8slIgc16W5UaI3w7xHQEP%2BQmv/6vSNTpoZrrSlbk%3D' (2025-05-27)
  → 'github:nixos/nixpkgs/96ec055edbe5ee227f28cdbc3f1ddf1df5965102?narHash=sha256-7doLyJBzCllvqX4gszYtmZUToxKvMUrg45EUWaUYmBg%3D' (2025-05-28)
2025-05-31 00:04:24 +00:00
14aa3a9340 Remove non-working timer rule
Some checks failed
Run nix flake check / flake-check (push) Failing after 14m3s
Periodic flake update / flake-update (push) Successful in 3m9s
2025-05-29 10:15:40 +02:00
797f915939 Add monitoring rules for monitoring services
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-29 10:09:27 +02:00
1f6689aeb6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7c43f080a7f28b2774f3b3f43234ca11661bf334?narHash=sha256-rqc2RKYTxP3tbjA%2BPB3VMRQNnjesrT0pEofXQTrMsS8%3D' (2025-05-25)
  → 'github:nixos/nixpkgs/7848cd8c982f7740edf76ddb3b43d234cb80fc4d?narHash=sha256-ixMT0a8mM091vSswlTORZj93WQAJsRNmEvqLL%2BqwTFM%3D' (2025-05-26)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/62b852f6c6742134ade1abdd2a21685fd617a291?narHash=sha256-R5HJFflOfsP5FBtk%2BzE8FpL8uqE7n62jqOsADvVshhE%3D' (2025-05-25)
  → 'github:nixos/nixpkgs/4faa5f5321320e49a78ae7848582f684d64783e9?narHash=sha256-QlL8slIgc16W5UaI3w7xHQEP%2BQmv/6vSNTpoZrrSlbk%3D' (2025-05-27)
2025-05-29 00:04:46 +00:00
3785b8047a Fix alert name for build-flakes alert
Some checks failed
Run nix flake check / flake-check (push) Failing after 10m34s
Periodic flake update / flake-update (push) Successful in 3m3s
2025-05-28 21:28:04 +02:00
fb1a36a846 Rework build-flakes alert rules
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-28 21:26:04 +02:00
87c98581c2 Move label to url in build-flakes
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m4s
2025-05-28 21:18:03 +02:00
2538f57312 Add curl requirement to build-flakes
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-28 21:08:12 +02:00
a790331d0f Remove extra shebang in build-flakes
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-28 21:06:37 +02:00
3588fa670e Fix shellcheck warnings in build-flakes
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-28 21:05:28 +02:00
dd255955ca Rework build-flakes script
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-28 21:03:25 +02:00
77d1782f36 Set honor_labels for pushgw scrape
Some checks failed
Run nix flake check / flake-check (push) Failing after 8m37s
2025-05-28 20:34:17 +02:00
5b06a95222 Add prometheus pushgateway
Some checks failed
Run nix flake check / flake-check (push) Failing after 12m59s
2025-05-28 17:10:50 +02:00
b9102b5a44 Add zram for nix-cache
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m22s
Periodic flake update / flake-update (push) Successful in 2m4s
2025-05-27 21:28:09 +02:00
2f9205d2c6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D' (2025-05-23)
  → 'github:nixos/nixpkgs/62b852f6c6742134ade1abdd2a21685fd617a291?narHash=sha256-R5HJFflOfsP5FBtk%2BzE8FpL8uqE7n62jqOsADvVshhE%3D' (2025-05-25)
2025-05-27 00:05:27 +00:00
495cf2a294 flake.lock: Update
Flake lock file updates:

• Updated input 'labmon':
    'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=ec6eb3c8144db9b710b0b6be4ba86fd2ec615f81' (2025-05-24)
  → 'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=0b3c06cab9ad1aa082fa3562733d6e061ead347f' (2025-05-25)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/55d1f923c480dadce40f5231feb472e81b0bab48?narHash=sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ%3D' (2025-05-22)
  → 'github:nixos/nixpkgs/7c43f080a7f28b2774f3b3f43234ca11661bf334?narHash=sha256-rqc2RKYTxP3tbjA%2BPB3VMRQNnjesrT0pEofXQTrMsS8%3D' (2025-05-25)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/2795c506fe8fb7b03c36ccb51f75b6df0ab2553f?narHash=sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q%3D' (2025-05-20)
  → 'github:nixos/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D' (2025-05-23)
2025-05-26 00:05:29 +00:00
5ce8f46394 Configure tempo otlp receiver endpoint
Some checks failed
Run nix flake check / flake-check (push) Failing after 11m42s
Periodic flake update / flake-update (push) Successful in 4m6s
2025-05-24 22:10:01 +02:00
feff1d06eb Configure tempo otlp receiver
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 22:08:36 +02:00
b75df7578f Configure tempo wal storage
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 22:03:56 +02:00
4d88644417 Configure tempo storage
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 21:55:08 +02:00
d4137f79aa Change tempo settings
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 21:32:19 +02:00
486320b0ec Add tempo to monitoring
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 21:29:05 +02:00
30b6f86eee flake.lock: Update
Some checks failed
Run nix flake check / flake-check (push) Failing after 14m47s
Flake lock file updates:

• Updated input 'labmon':
    'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=c620e4a005a03fdcf39b4efe7731ca36c48d4f55' (2025-05-24)
  → 'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=ec6eb3c8144db9b710b0b6be4ba86fd2ec615f81' (2025-05-24)
2025-05-24 12:53:25 +02:00
6fc4d42d16 Fix alloy config
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 12:42:40 +02:00
2e6679b134 flake.lock: Update
Flake lock file updates:

• Updated input 'labmon':
    'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=586440fe8d55db3e94ee623180bb65472ca04a29' (2025-05-24)
  → 'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=c620e4a005a03fdcf39b4efe7731ca36c48d4f55' (2025-05-24)
2025-05-24 12:42:13 +02:00
ebcdefd0ca Add alloy
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 12:40:39 +02:00
c32e288273 Add pyroscope to labmon cert monitoring
Some checks failed
Run nix flake check / flake-check (push) Failing after 10m30s
2025-05-24 12:05:14 +02:00
2380c13465 Add pyroscope to caddy 2025-05-24 12:04:41 +02:00
4432f4c1d0 Add cname for pyroscope 2025-05-24 12:03:16 +02:00
2dae23560d Fix pyroscope ports attribute
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 12:01:30 +02:00
1988b36f03 Add pyroscope container to monitoring
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 12:00:02 +02:00
2a46da3761 Add labmon to scrape config
Some checks failed
Run nix flake check / flake-check (push) Failing after 14m32s
2025-05-24 03:37:52 +02:00
4927e37c90 flake.lock: Update
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Flake lock file updates:

• Updated input 'labmon':
    'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=c8448885145b4e6c4822844cb63f46167c5d7efd' (2025-05-24)
  → 'git+https://git.t-juice.club/torjus/labmon?ref=master&rev=586440fe8d55db3e94ee623180bb65472ca04a29' (2025-05-24)
2025-05-24 03:33:53 +02:00
6fda081dc8 Add labmon to monitoring01
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-24 03:27:59 +02:00
8a0ec5b3f0 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/cd2812de55cf87df88a9e09bf3be1ce63d50c1a6?narHash=sha256-BWpMQymVI73QoKZdcVCxUCCK3GNvr/xa2Dc4DM1o2BE%3D' (2025-05-21)
  → 'github:nixos/nixpkgs/55d1f923c480dadce40f5231feb472e81b0bab48?narHash=sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ%3D' (2025-05-22)
2025-05-24 00:01:48 +00:00
4e870cda44 Scrape step-ca metrics
Some checks failed
Run nix flake check / flake-check (push) Failing after 3m52s
Periodic flake update / flake-update (push) Successful in 2m42s
2025-05-23 09:28:52 +02:00
78621fa006 Expose metrics for step-ca
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
2025-05-23 09:26:57 +02:00
38c2fbca2c Add useNetworkd to wireguard
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m43s
Periodic flake update / flake-update (push) Successful in 2m7s
2025-05-23 01:35:31 +02:00
3f07119ca1 Merge branch '25.05-upgrade'
Some checks failed
Run nix flake check / flake-check (push) Failing after 4m6s
2025-05-23 00:55:37 +02:00
5e9aff0590 Update stable to 25.05 2025-05-23 00:54:13 +02:00
67 changed files with 3480 additions and 448 deletions

10
.gitignore vendored

@@ -1,2 +1,12 @@
.direnv/ .direnv/
result result
# Terraform/OpenTofu
terraform/.terraform/
terraform/.terraform.lock.hcl
terraform/*.tfstate
terraform/*.tfstate.*
terraform/terraform.tfvars
terraform/*.auto.tfvars
terraform/crash.log
terraform/crash.*.log
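Review bot: `terraform/.terraform.lock.hcl` should not be in this ignore list. That file records the provider versions and checksums selected by `tofu init`, and committing it is what lets a later init on another machine or in CI verify that it fetches the same provider builds; ignoring it leaves the Proxmox provider unpinned. Drop that one line and commit the lock file. The `*.tfstate`, `terraform.tfvars` and `*.auto.tfvars` entries are right to keep, since state and variable files can hold the API credentials.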


@@ -11,7 +11,7 @@ keys:
- &server_ca age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk - &server_ca age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk
- &server_monitoring01 age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey - &server_monitoring01 age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey
- &server_jelly01 age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq - &server_jelly01 age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq
- &server_nix-cache01 age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6 - &server_nix-cache01 age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq
- &server_pgdb1 age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv - &server_pgdb1 age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv
- &server_nats1 age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga - &server_nats1 age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga
- &server_auth01 age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk - &server_auth01 age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk
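Review bot: the `&server_nix-cache01` recipient changes here, but editing the anchor in `.sops.yaml` only affects files encrypted or re-keyed afterwards. Confirm that every existing secret whose creation rule includes this host was run through `sops updatekeys` (or re-encrypted) as part of this change; otherwise nix-cache01 cannot decrypt with its new key and the old key stays a valid recipient on those files. If the old key was retired because it may have been exposed, the secret values it could read should be rotated as well, since the earlier ciphertext remains in git history.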

246
CLAUDE.md Normal file

@@ -0,0 +1,246 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Repository Overview
This is a Nix Flake-based NixOS configuration repository for managing a homelab infrastructure consisting of 16 server configurations. The repository uses a modular architecture with shared system configurations, reusable service modules, and per-host customization.
## Common Commands
### Building Configurations
```bash
# List all available configurations
nix flake show
# Build a specific host configuration locally (without deploying)
nixos-rebuild build --flake .#<hostname>
# Build and check a configuration
nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
```
### Deployment
Do not automatically deploy changes. Deployments are usually done by updating the master branch, and then triggering the auto update on the specific host.
### Flake Management
```bash
# Check flake for errors
nix flake check
```
Do not run `nix flake update`. Should only be done manually by user.
### Development Environment
```bash
# Enter development shell (provides ansible, python3)
nix develop
```
### Secrets Management
Secrets are handled by sops. Do not edit any `.sops.yaml` or any file within `secrets/`. Ask the user to modify if necessary.
### Git Commit Messages
Commit messages should follow the format: `topic: short description`
Examples:
- `flake: add opentofu to devshell`
- `template2: add proxmox image configuration`
- `terraform: add VM deployment configuration`
## Architecture
### Directory Structure
- `/flake.nix` - Central flake defining all 16 NixOS configurations
- `/hosts/<hostname>/` - Per-host configurations
- `default.nix` - Entry point, imports configuration.nix and services
- `configuration.nix` - Host-specific settings (networking, hardware, users)
- `/system/` - Shared system-level configurations applied to ALL hosts
- Core modules: nix.nix, sshd.nix, sops.nix, acme.nix, autoupgrade.nix
- Monitoring: node-exporter and promtail on every host
- `/services/` - Reusable service modules, selectively imported by hosts
- `home-assistant/` - Home automation stack
- `monitoring/` - Observability stack (Prometheus, Grafana, Loki, Tempo)
- `ns/` - DNS services (authoritative, resolver)
- `http-proxy/`, `ca/`, `postgres/`, `nats/`, `jellyfin/`, etc.
- `/secrets/` - SOPS-encrypted secrets with age encryption
- `/common/` - Shared configurations (e.g., VM guest agent)
- `/playbooks/` - Ansible playbooks for fleet management
- `/.sops.yaml` - SOPS configuration with age keys for all servers
### Configuration Inheritance
Each host follows this import pattern:
```
hosts/<hostname>/default.nix
└─> configuration.nix (host-specific)
├─> ../../system (ALL shared system configs - applied to every host)
├─> ../../services/<service> (selective service imports)
└─> ../../common/vm (if VM)
```
All hosts automatically get:
- Nix binary cache (nix-cache.home.2rjus.net)
- SSH with root login enabled
- SOPS secrets management with auto-generated age keys
- Internal ACME CA integration (ca.home.2rjus.net)
- Daily auto-upgrades with auto-reboot
- Prometheus node-exporter + Promtail (logs to monitoring01)
- Custom root CA trust
### Active Hosts
Production servers managed by `rebuild-all.sh`:
- `ns1`, `ns2` - Primary/secondary DNS servers (10.69.13.5/6)
- `ca` - Internal Certificate Authority
- `ha1` - Home Assistant + Zigbee2MQTT + Mosquitto
- `http-proxy` - Reverse proxy
- `monitoring01` - Full observability stack (Prometheus, Grafana, Loki, Tempo, Pyroscope)
- `jelly01` - Jellyfin media server
- `nix-cache01` - Binary cache server
- `pgdb1` - PostgreSQL database
- `nats1` - NATS messaging server
- `auth01` - Authentication service
Template/test hosts:
- `template1` - Base template for cloning new hosts
- `nixos-test1` - Test environment
### Flake Inputs
- `nixpkgs` - NixOS 25.11 stable (primary)
- `nixpkgs-unstable` - Unstable channel (available via overlay as `pkgs.unstable.<package>`)
- `sops-nix` - Secrets management
- Custom packages from git.t-juice.club:
- `backup-helper` - Backup automation module
- `alerttonotify` - Alert routing
- `labmon` - Lab monitoring
### Network Architecture
- Domain: `home.2rjus.net`
- Infrastructure subnet: `10.69.13.x`
- DNS: ns1/ns2 provide authoritative DNS with primary-secondary setup
- Internal CA for ACME certificates (no Let's Encrypt)
- Centralized monitoring at monitoring01
- Static networking via systemd-networkd
### Secrets Management
- Uses SOPS with age encryption
- Each server has unique age key in `.sops.yaml`
- Keys auto-generated at `/var/lib/sops-nix/key.txt` on first boot
- Shared secrets: `/secrets/secrets.yaml`
- Per-host secrets: `/secrets/<hostname>/`
- All production servers can decrypt shared secrets; host-specific secrets require specific host keys
### Auto-Upgrade System
All hosts pull updates daily from:
```
git+https://git.t-juice.club/torjus/nixos-servers.git
```
Configured in `/system/autoupgrade.nix`:
- Random delay to avoid simultaneous upgrades
- Auto-reboot after successful upgrade
- Systemd service: `nixos-upgrade.service`
### Proxmox VM Provisioning with OpenTofu
The repository includes automated workflows for building Proxmox VM templates and deploying VMs using OpenTofu (Terraform).
#### Building and Deploying Templates
Template VMs are built from `hosts/template2` and deployed to Proxmox using Ansible:
```bash
# Build NixOS image and deploy to Proxmox as template
nix develop -c ansible-playbook -i playbooks/inventory.ini playbooks/build-and-deploy-template.yml
```
This playbook:
1. Builds the Proxmox image using `nixos-rebuild build-image --image-variant proxmox`
2. Uploads the `.vma.zst` image to Proxmox at `/var/lib/vz/dump`
3. Restores it as VM ID 9000
4. Converts it to a template
Template configuration (`hosts/template2`):
- Minimal base system with essential packages (age, vim, wget, git)
- Cloud-init configured for NoCloud datasource (no EC2 metadata timeout)
- DHCP networking on ens18
- SSH key-based root login
- `prepare-host.sh` script for cleaning machine-id, SSH keys, and regenerating age keys
#### Deploying VMs with OpenTofu
VMs are deployed from templates using OpenTofu in the `/terraform` directory:
```bash
cd terraform
tofu init # First time only
tofu apply # Deploy VMs
```
Configuration files:
- `main.tf` - Proxmox provider configuration
- `variables.tf` - Provider variables (API credentials)
- `vm.tf` - VM resource definitions
- `terraform.tfvars` - Actual credentials (gitignored)
Example VM deployment includes:
- Clone from template VM
- Cloud-init configuration (SSH keys, network, DNS)
- Custom CPU/memory/disk sizing
- VLAN tagging
- QEMU guest agent
OpenTofu outputs the VM's IP address after deployment for easy SSH access.
### Adding a New Host
1. Create `/hosts/<hostname>/` directory
2. Copy structure from `template1` or similar host
3. Add host entry to `flake.nix` nixosConfigurations
4. Add hostname to dns zone files. Merge to master. Run auto-upgrade on dns servers.
5. User clones template host
6. User runs `prepare-host.sh` on new host, this deletes files which should be regenerated, like ssh host keys, machine-id etc. It also creates a new age key, and prints the public key
7. This key is then added to `.sops.yaml`
8. Create `/secrets/<hostname>/` if needed
9. Configure networking (static IP, DNS servers)
10. Commit changes, and merge to master.
11. Deploy by running `nixos-rebuild boot --flake URL#<hostname>` on the host.
### Important Patterns
**Overlay usage**: Access unstable packages via `pkgs.unstable.<package>` (defined in flake.nix overlay-unstable)
**Service composition**: Services in `/services/` are designed to be imported by multiple hosts. Keep them modular and reusable.
**Hardware configuration reuse**: Multiple hosts share `/hosts/template/hardware-configuration.nix` for VM instances.
**State version**: All hosts use stateVersion `"23.11"` - do not change this on existing hosts.
**Firewall**: Disabled on most hosts (trusted network). Enable selectively in host configuration if needed.
### Monitoring Stack
All hosts ship metrics and logs to `monitoring01`:
- **Metrics**: Prometheus scrapes node-exporter from all hosts
- **Logs**: Promtail ships logs to Loki on monitoring01
- **Access**: Grafana at monitoring01 for visualization
- **Tracing**: Tempo for distributed tracing
- **Profiling**: Pyroscope for continuous profiling
### DNS Architecture
- `ns1` (10.69.13.5) - Primary authoritative DNS + resolver
- `ns2` (10.69.13.6) - Secondary authoritative DNS (AXFR from ns1)
- Zone files managed in `/services/ns/`
- All hosts point to ns1/ns2 for DNS resolution
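Review bot: the "All hosts automatically get" list says "SSH with root login enabled" without stating the authentication mode, while the template2 section says "SSH key-based root login". Because the same file documents the firewall as disabled on most hosts, state explicitly whether password authentication for root is off (for example `PermitRootLogin prohibit-password`) so the line cannot be read as permission to enable it. The Auto-Upgrade section also needs one sentence on its trust boundary: every host pulls the repository daily and reboots into the result, so push access to master is effectively root on the whole fleet, and the file should say who holds that access. Minor: the templates are referred to as `template1`, `template2` and `/hosts/template/`; reconcile the names.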

549
TODO.md Normal file

@@ -0,0 +1,549 @@
# TODO: Automated Host Deployment Pipeline
## Vision
Automate the entire process of creating, configuring, and deploying new NixOS hosts on Proxmox from a single command or script.
**Desired workflow:**
```bash
./scripts/create-host.sh --hostname myhost --ip 10.69.13.50
# Script creates config, deploys VM, bootstraps NixOS, and you're ready to go
```
**Current manual workflow (from CLAUDE.md):**
1. Create `/hosts/<hostname>/` directory structure
2. Add host to `flake.nix`
3. Add DNS entries
4. Clone template VM manually
5. Run `prepare-host.sh` on new VM
6. Add generated age key to `.sops.yaml`
7. Configure networking
8. Commit and push
9. Run `nixos-rebuild boot --flake URL#<hostname>` on host
## The Plan
### Phase 1: Parameterized OpenTofu Deployments ✅ COMPLETED
**Status:** Fully implemented and tested
**Implementation:**
- Locals-based structure using `for_each` pattern for multiple VM deployments
- All VM parameters configurable with smart defaults (CPU, memory, disk, IP, storage, etc.)
- Automatic DHCP vs static IP detection based on `ip` field presence
- Dynamic outputs showing deployed VM IPs and specifications
- Successfully tested deploying multiple VMs simultaneously
**Tasks:**
- [x] Create module/template structure in terraform for repeatable VM deployments
- [x] Parameterize VM configuration (hostname, CPU, memory, disk, IP)
- [x] Support both DHCP and static IP configuration via cloud-init
- [x] Test deploying multiple VMs from same template
**Deliverable:** ✅ Can deploy multiple VMs with custom parameters via OpenTofu in a single `tofu apply`
**Files:**
- `terraform/vms.tf` - VM definitions using locals map
- `terraform/outputs.tf` - Dynamic outputs for all VMs
- `terraform/variables.tf` - Configurable defaults
- `terraform/README.md` - Complete documentation
---
### Phase 2: Host Configuration Generator ✅ COMPLETED
**Status:** ✅ Fully implemented and tested
**Completed:** 2025-02-01
**Enhanced:** 2025-02-01 (added --force flag)
**Goal:** Automate creation of host configuration files
**Implementation:**
- Python CLI tool packaged as Nix derivation
- Available as `create-host` command in devShell
- Rich terminal UI with configuration previews
- Comprehensive validation (hostname format/uniqueness, IP subnet/uniqueness)
- Jinja2 templates for NixOS configurations
- Automatic updates to flake.nix and terraform/vms.tf
- `--force` flag for regenerating existing configurations (useful for testing)
**Tasks:**
- [x] Create Python CLI with typer framework
- [x] Takes parameters: hostname, IP, CPU cores, memory, disk size
- [x] Generates `/hosts/<hostname>/` directory structure
- [x] Creates `configuration.nix` with proper hostname and networking
- [x] Generates `default.nix` with standard imports
- [x] References shared `hardware-configuration.nix` from template
- [x] Add host entry to `flake.nix` programmatically
- [x] Text-based manipulation (regex insertion)
- [x] Inserts new nixosConfiguration entry
- [x] Maintains proper formatting
- [x] Generate corresponding OpenTofu configuration
- [x] Adds VM definition to `terraform/vms.tf`
- [x] Uses parameters from CLI input
- [x] Supports both static IP and DHCP modes
- [x] Package as Nix derivation with templates
- [x] Add to flake packages and devShell
- [x] Implement dry-run mode
- [x] Write comprehensive README
**Usage:**
```bash
# In nix develop shell
create-host \
--hostname test01 \
--ip 10.69.13.50/24 \ # optional, omit for DHCP
--cpu 4 \ # optional, default 2
--memory 4096 \ # optional, default 2048
--disk 50G \ # optional, default 20G
--dry-run # optional preview mode
```
**Files:**
- `scripts/create-host/` - Complete Python package with Nix derivation
- `scripts/create-host/README.md` - Full documentation and examples
**Deliverable:** ✅ Tool generates all config files for a new host, validated with Nix and Terraform
---
### Phase 3: Bootstrap Mechanism ✅ COMPLETED
**Status:** ✅ Fully implemented and tested
**Completed:** 2025-02-01
**Enhanced:** 2025-02-01 (added branch support for testing)
**Goal:** Get freshly deployed VM to apply its specific host configuration
**Implementation:** Systemd oneshot service that runs on first boot after cloud-init
**Approach taken:** Systemd service (variant of Option A)
- Systemd service `nixos-bootstrap.service` runs on first boot
- Depends on `cloud-config.service` to ensure hostname is set
- Reads hostname from `hostnamectl` (set by cloud-init via Terraform)
- Supports custom git branch via `NIXOS_FLAKE_BRANCH` environment variable
- Runs `nixos-rebuild boot --flake git+https://git.t-juice.club/torjus/nixos-servers.git?ref=$BRANCH#${hostname}`
- Reboots into new configuration on success
- Fails gracefully without reboot on errors (network issues, missing config)
- Service self-destructs after successful bootstrap (not in new config)
**Tasks:**
- [x] Create bootstrap service module in template2
- [x] systemd oneshot service with proper dependencies
- [x] Reads hostname from hostnamectl (cloud-init sets it)
- [x] Checks network connectivity via HTTPS (curl)
- [x] Runs nixos-rebuild boot with flake URL
- [x] Reboots on success, fails gracefully on error
- [x] Configure cloud-init datasource
- [x] Use ConfigDrive datasource (Proxmox provider)
- [x] Add cloud-init disk to Terraform VMs (disks.ide.ide2.cloudinit)
- [x] Hostname passed via cloud-init user-data from Terraform
- [x] Test bootstrap service execution on fresh VM
- [x] Handle failure cases (flake doesn't exist, network issues)
- [x] Clear error messages in journald
- [x] No reboot on failure
- [x] System remains accessible for debugging
**Files:**
- `hosts/template2/bootstrap.nix` - Bootstrap service definition
- `hosts/template2/configuration.nix` - Cloud-init ConfigDrive datasource
- `terraform/vms.tf` - Cloud-init disk configuration
**Deliverable:** ✅ VMs automatically bootstrap and reboot into host-specific configuration on first boot
---
### Phase 4: Secrets Management with HashiCorp Vault
**Challenge:** Current sops-nix approach has chicken-and-egg problem with age keys
**Current workflow:**
1. VM boots, generates age key at `/var/lib/sops-nix/key.txt`
2. User runs `prepare-host.sh` which prints public key
3. User manually adds public key to `.sops.yaml`
4. User commits, pushes
5. VM can now decrypt secrets
**Selected approach:** Migrate to HashiCorp Vault for centralized secrets management
**Benefits:**
- Industry-standard secrets management (Vault experience transferable to work)
- Eliminates manual age key distribution step
- Secrets-as-code via OpenTofu (infrastructure-as-code aligned)
- Centralized PKI management (replaces step-ca, consolidates TLS + SSH CA)
- Automatic secret rotation capabilities
- Audit logging for all secret access
- AppRole authentication enables automated bootstrap
**Architecture:**
```
vault.home.2rjus.net
├─ KV Secrets Engine (replaces sops-nix)
├─ PKI Engine (replaces step-ca for TLS)
├─ SSH CA Engine (replaces step-ca SSH CA)
└─ AppRole Auth (per-host authentication)
New hosts authenticate on first boot
Fetch secrets via Vault API
No manual key distribution needed
```
---
#### Phase 4a: Vault Server Setup
**Goal:** Deploy and configure Vault server with auto-unseal
**Tasks:**
- [ ] Create `hosts/vault01/` configuration
- [ ] Basic NixOS configuration (hostname, networking, etc.)
- [ ] Vault service configuration
- [ ] Firewall rules (8200 for API, 8201 for cluster)
- [ ] Add to flake.nix and terraform
- [ ] Implement auto-unseal mechanism
- [ ] **Preferred:** TPM-based auto-unseal if hardware supports it
- [ ] Use tpm2-tools to seal/unseal Vault keys
- [ ] Systemd service to unseal on boot
- [ ] **Fallback:** Shamir secret sharing with systemd automation
- [ ] Generate 3 keys, threshold 2
- [ ] Store 2 keys on disk (encrypted), keep 1 offline
- [ ] Systemd service auto-unseals using 2 keys
- [ ] Initial Vault setup
- [ ] Initialize Vault
- [ ] Configure storage backend (integrated raft or file)
- [ ] Set up root token management
- [ ] Enable audit logging
- [ ] Deploy to infrastructure
- [ ] Add DNS entry for vault.home.2rjus.net
- [ ] Deploy VM via terraform
- [ ] Bootstrap and verify Vault is running
**Deliverable:** Running Vault server that auto-unseals on boot
---
#### Phase 4b: Vault-as-Code with OpenTofu
**Goal:** Manage all Vault configuration (secrets structure, policies, roles) as code
**Tasks:**
- [ ] Set up Vault Terraform provider
- [ ] Create `terraform/vault/` directory
- [ ] Configure Vault provider (address, auth)
- [ ] Store Vault token securely (terraform.tfvars, gitignored)
- [ ] Enable and configure secrets engines
- [ ] Enable KV v2 secrets engine at `secret/`
- [ ] Define secret path structure (per-service, per-host)
- [ ] Example: `secret/monitoring/grafana`, `secret/postgres/ha1`
- [ ] Define policies as code
- [ ] Create policies for different service tiers
- [ ] Principle of least privilege (hosts only read their secrets)
- [ ] Example: monitoring-policy allows read on `secret/monitoring/*`
- [ ] Set up AppRole authentication
- [ ] Enable AppRole auth backend
- [ ] Create role per host type (monitoring, dns, database, etc.)
- [ ] Bind policies to roles
- [ ] Configure TTL and token policies
- [ ] Migrate existing secrets from sops-nix
- [ ] Create migration script/playbook
- [ ] Decrypt sops secrets and load into Vault KV
- [ ] Verify all secrets migrated successfully
- [ ] Keep sops as backup during transition
- [ ] Implement secrets-as-code patterns
- [ ] Secret values in gitignored terraform.tfvars
- [ ] Or use random_password for auto-generated secrets
- [ ] Secret structure/paths in version-controlled .tf files
**Example OpenTofu:**
```hcl
resource "vault_kv_secret_v2" "monitoring_grafana" {
mount = "secret"
name = "monitoring/grafana"
data_json = jsonencode({
admin_password = var.grafana_admin_password
smtp_password = var.smtp_password
})
}
resource "vault_policy" "monitoring" {
name = "monitoring-policy"
policy = <<EOT
path "secret/data/monitoring/*" {
capabilities = ["read"]
}
EOT
}
resource "vault_approle_auth_backend_role" "monitoring01" {
backend = "approle"
role_name = "monitoring01"
token_policies = ["monitoring-policy"]
}
```
**Deliverable:** All secrets and policies managed as OpenTofu code in `terraform/vault/`
---
#### Phase 4c: PKI Migration (Replace step-ca)
**Goal:** Consolidate PKI infrastructure into Vault
**Tasks:**
- [ ] Set up Vault PKI engines
- [ ] Create root CA in Vault (`pki/` mount, 10 year TTL)
- [ ] Create intermediate CA (`pki_int/` mount, 5 year TTL)
- [ ] Sign intermediate with root CA
- [ ] Configure CRL and OCSP
- [ ] Enable ACME support
- [ ] Enable ACME on intermediate CA (Vault 1.14+)
- [ ] Create PKI role for homelab domain
- [ ] Set certificate TTLs and allowed domains
- [ ] Configure SSH CA in Vault
- [ ] Enable SSH secrets engine (`ssh/` mount)
- [ ] Generate SSH signing keys
- [ ] Create roles for host and user certificates
- [ ] Configure TTLs and allowed principals
- [ ] Migrate hosts from step-ca to Vault
- [ ] Update system/acme.nix to use Vault ACME endpoint
- [ ] Change server to `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory`
- [ ] Test certificate issuance on one host
- [ ] Roll out to all hosts via auto-upgrade
- [ ] Migrate SSH CA trust
- [ ] Distribute Vault SSH CA public key to all hosts
- [ ] Update sshd_config to trust Vault CA
- [ ] Test SSH certificate authentication
- [ ] Decommission step-ca
- [ ] Verify all services migrated
- [ ] Stop step-ca service on ca host
- [ ] Archive step-ca configuration for backup
**Deliverable:** All TLS and SSH certificates issued by Vault, step-ca retired
---
#### Phase 4d: Bootstrap Integration
**Goal:** New hosts automatically authenticate to Vault on first boot, no manual steps
**Tasks:**
- [ ] Update create-host tool
- [ ] Generate AppRole role_id + secret_id for new host
- [ ] Or create wrapped token for one-time bootstrap
- [ ] Add host-specific policy to Vault (via terraform)
- [ ] Store bootstrap credentials for cloud-init injection
- [ ] Update template2 for Vault authentication
- [ ] Create Vault authentication module
- [ ] Reads bootstrap credentials from cloud-init
- [ ] Authenticates to Vault, retrieves permanent AppRole credentials
- [ ] Stores role_id + secret_id locally for services to use
- [ ] Create NixOS Vault secrets module
- [ ] Replacement for sops.secrets
- [ ] Fetches secrets from Vault at nixos-rebuild/activation time
- [ ] Or runtime secret fetching for services
- [ ] Handle Vault token renewal
- [ ] Update bootstrap service
- [ ] After authenticating to Vault, fetch any bootstrap secrets
- [ ] Run nixos-rebuild with host configuration
- [ ] Services automatically fetch their secrets from Vault
- [ ] Update terraform cloud-init
- [ ] Inject Vault address and bootstrap credentials
- [ ] Pass via cloud-init user-data or write_files
- [ ] Credentials scoped to single use or short TTL
- [ ] Test complete flow
- [ ] Run create-host to generate new host config
- [ ] Deploy with terraform
- [ ] Verify host bootstraps and authenticates to Vault
- [ ] Verify services can fetch secrets
- [ ] Confirm no manual steps required
**Bootstrap flow:**
```
1. terraform apply (deploys VM with cloud-init)
2. Cloud-init sets hostname + Vault bootstrap credentials
3. nixos-bootstrap.service runs:
- Authenticates to Vault with bootstrap credentials
- Retrieves permanent AppRole credentials
- Stores locally for service use
- Runs nixos-rebuild
4. Host services fetch secrets from Vault as needed
5. Done - no manual intervention
```
**Deliverable:** Fully automated secrets access from first boot, zero manual steps
---
### Phase 5: DNS Automation
**Goal:** Automatically generate DNS entries from host configurations
**Approach:** Leverage Nix to generate zone file entries from flake host configurations
Since most hosts use static IPs defined in their NixOS configurations, we can extract this information and automatically generate A records. This keeps DNS in sync with the actual host configs.
**Tasks:**
- [ ] Add optional CNAME field to host configurations
- [ ] Add `networking.cnames = [ "alias1" "alias2" ]` or similar option
- [ ] Document in host configuration template
- [ ] Create Nix function to extract DNS records from all hosts
- [ ] Parse each host's `networking.hostName` and IP configuration
- [ ] Collect any defined CNAMEs
- [ ] Generate zone file fragment with A and CNAME records
- [ ] Integrate auto-generated records into zone files
- [ ] Keep manual entries separate (for non-flake hosts/services)
- [ ] Include generated fragment in main zone file
- [ ] Add comments showing which records are auto-generated
- [ ] Update zone file serial number automatically
- [ ] Test zone file validity after generation
- [ ] Either:
- [ ] Automatically trigger DNS server reload (Ansible)
- [ ] Or document manual step: merge to master, run upgrade on ns1/ns2
**Deliverable:** DNS A records and CNAMEs automatically generated from host configs
---
### Phase 6: Integration Script
**Goal:** Single command to create and deploy a new host
**Tasks:**
- [ ] Create `scripts/create-host.sh` master script that orchestrates:
1. Prompts for: hostname, IP (or DHCP), CPU, memory, disk
2. Validates inputs (IP not in use, hostname unique, etc.)
3. Calls host config generator (Phase 2)
4. Generates OpenTofu config (Phase 2)
5. Handles secrets (Phase 4)
6. Updates DNS (Phase 5)
7. Commits all changes to git
8. Runs `tofu apply` to deploy VM
9. Waits for bootstrap to complete (Phase 3)
10. Prints success message with IP and SSH command
- [ ] Add `--dry-run` flag to preview changes
- [ ] Add `--interactive` mode vs `--batch` mode
- [ ] Error handling and rollback on failures
**Deliverable:** `./scripts/create-host.sh --hostname myhost --ip 10.69.13.50` creates a fully working host
---
### Phase 7: Testing & Documentation
**Status:** 🚧 In Progress (testing improvements completed)
**Testing Improvements Implemented (2025-02-01):**
The pipeline now supports efficient testing without polluting master branch:
**1. --force Flag for create-host**
- Re-run `create-host` to regenerate existing configurations
- Updates existing entries in flake.nix and terraform/vms.tf (no duplicates)
- Skip uniqueness validation checks
- Useful for iterating on configuration templates during testing
**2. Branch Support for Bootstrap**
- Bootstrap service reads `NIXOS_FLAKE_BRANCH` environment variable
- Defaults to `master` if not set
- Allows testing pipeline changes on feature branches
- Cloud-init passes branch via `/etc/environment`
**3. Cloud-init Disk for Branch Configuration**
- Terraform generates custom cloud-init snippets for test VMs
- Set `flake_branch` field in VM definition to use non-master branch
- Production VMs omit this field and use master (default)
- Files automatically uploaded to Proxmox via SSH
**Testing Workflow:**
```bash
# 1. Create test branch
git checkout -b test-pipeline
# 2. Generate or update host config
create-host --hostname testvm01 --ip 10.69.13.100/24
# 3. Edit terraform/vms.tf to add test VM with branch
# vms = {
# "testvm01" = {
# ip = "10.69.13.100/24"
# flake_branch = "test-pipeline" # Bootstrap from this branch
# }
# }
# 4. Commit and push test branch
git add -A && git commit -m "test: add testvm01"
git push origin test-pipeline
# 5. Deploy VM
cd terraform && tofu apply
# 6. Watch bootstrap (VM fetches from test-pipeline branch)
ssh root@10.69.13.100
journalctl -fu nixos-bootstrap.service
# 7. Iterate: modify templates and regenerate with --force
cd .. && create-host --hostname testvm01 --ip 10.69.13.100/24 --force
git commit -am "test: update config" && git push
# Redeploy to test fresh bootstrap
cd terraform
tofu destroy -target=proxmox_vm_qemu.vm[\"testvm01\"] && tofu apply
# 8. Clean up when done: squash commits, merge to master, remove test VM
```
**Files:**
- `scripts/create-host/create_host.py` - Added --force parameter
- `scripts/create-host/manipulators.py` - Update vs insert logic
- `hosts/template2/bootstrap.nix` - Branch support via environment variable
- `terraform/vms.tf` - flake_branch field support
- `terraform/cloud-init.tf` - Custom cloud-init disk generation
- `terraform/variables.tf` - proxmox_host variable for SSH uploads
**Remaining Tasks:**
- [ ] Test full pipeline end-to-end on feature branch
- [ ] Update CLAUDE.md with testing workflow
- [ ] Add troubleshooting section
- [ ] Create examples for common scenarios (DHCP host, static IP host, etc.)
---
## Open Questions
1. **Bootstrap method:** Cloud-init runcmd vs Terraform provisioner vs Ansible?
2. **Secrets handling:** Pre-generate keys vs post-deployment injection?
3. **DNS automation:** Auto-commit or manual merge?
4. **Git workflow:** Auto-push changes or leave for user review?
5. **Template selection:** Single template2 or multiple templates for different host types?
6. **Networking:** Always DHCP initially, or support static IP from start?
7. **Error recovery:** What happens if bootstrap fails? Manual intervention or retry?
## Implementation Order
Recommended sequence:
1. Phase 1: Parameterize OpenTofu (foundation for testing)
2. Phase 3: Bootstrap mechanism (core automation)
3. Phase 2: Config generator (automate the boilerplate)
4. Phase 4: Secrets (solves biggest chicken-and-egg)
5. Phase 5: DNS (nice-to-have automation)
6. Phase 6: Integration script (ties it all together)
7. Phase 7: Testing & docs
## Success Criteria
When complete, creating a new host should:
- Take < 5 minutes of human time
- Require minimal user input (hostname, IP, basic specs)
- Result in a fully configured, secret-enabled, DNS-registered host
- Be reproducible and documented
- Handle common errors gracefully
---
## Notes
- Keep incremental commits at each phase
- Test each phase independently before moving to next
- Maintain backward compatibility with manual workflow
- Document any manual steps that can't be automated
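
Review bot: In Phase 4a the Shamir fallback ("Generate 3 keys, threshold 2" followed by "Store 2 keys on disk (encrypted), keep 1 offline") places a full threshold of unseal shares on the Vault host itself, so the split adds nothing over a single key: whoever can read that disk and whatever decrypts the two files can unseal. If TPM sealing is not available, the plan should say where the decryption key for the on-disk shares lives and make sure it is not on the same VM disk or in the same backup. Two smaller points in the same file. The Phase 2 usage block puts comments after the line-continuation backslashes (`--ip 10.69.13.50/24 \ # optional, omit for DHCP`), which ends the command at that line when pasted, so the comments should move above the command. Phase 4b keeps secret values in a gitignored `terraform.tfvars`, but the example `vault_kv_secret_v2` resource also writes them in plaintext to the OpenTofu state, so the plan should state where that state is stored and who can read it.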

42
flake.lock generated

@@ -42,29 +42,50 @@
"url": "https://git.t-juice.club/torjus/backup-helper" "url": "https://git.t-juice.club/torjus/backup-helper"
} }
}, },
"labmon": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1748983975,
"narHash": "sha256-DA5mOqxwLMj/XLb4hvBU1WtE6cuVej7PjUr8N0EZsCE=",
"ref": "master",
"rev": "040a73e891a70ff06ec7ab31d7167914129dbf7d",
"revCount": 17,
"type": "git",
"url": "https://git.t-juice.club/torjus/labmon"
},
"original": {
"ref": "master",
"type": "git",
"url": "https://git.t-juice.club/torjus/labmon"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1747676747, "lastModified": 1769598131,
"narHash": "sha256-LXkWBVqilgx7Pohwqu/ABxDVw+Cmi5/Mj2S2mpUH0Fw=", "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "72841a4a8761d1aed92ef6169a636872c986c76d", "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.11", "ref": "nixos-25.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1747744144, "lastModified": 1769461804,
"narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=", "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f", "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -78,6 +99,7 @@
"inputs": { "inputs": {
"alerttonotify": "alerttonotify", "alerttonotify": "alerttonotify",
"backup-helper": "backup-helper", "backup-helper": "backup-helper",
"labmon": "labmon",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
@@ -90,11 +112,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747603214, "lastModified": 1769469829,
"narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
"type": "github" "type": "github"
}, },
"original": { "original": {

100
flake.nix

@@ -2,7 +2,7 @@
description = "Homelab v5 Nixos Server Configurations"; description = "Homelab v5 Nixos Server Configurations";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-24.11"; nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
sops-nix = { sops-nix = {
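
Review bot: The `nixpkgs.url` line moves from `nixos-24.11` straight to `nixos-25.11`, skipping a release, in the same diff that adds hosts and a new flake input. Landing the channel bump as its own commit would let a failed `nixos-rebuild` on an existing host be traced to it, and the release notes for both skipped and target releases should be checked against the services these hosts run before auto-upgrade picks the change up.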
@@ -17,6 +17,10 @@
url = "git+https://git.t-juice.club/torjus/alerttonotify?ref=master"; url = "git+https://git.t-juice.club/torjus/alerttonotify?ref=master";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
labmon = {
url = "git+https://git.t-juice.club/torjus/labmon?ref=master";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
}; };
outputs = outputs =
@@ -27,6 +31,7 @@
sops-nix, sops-nix,
backup-helper, backup-helper,
alerttonotify, alerttonotify,
labmon,
... ...
}@inputs: }@inputs:
let let
@@ -40,6 +45,7 @@
commonOverlays = [ commonOverlays = [
overlay-unstable overlay-unstable
alerttonotify.overlays.default alerttonotify.overlays.default
labmon.overlays.default
]; ];
allSystems = [ allSystems = [
"x86_64-linux" "x86_64-linux"
@@ -150,40 +156,6 @@
backup-helper.nixosModules.backup-helper backup-helper.nixosModules.backup-helper
]; ];
}; };
inc1 = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs self sops-nix;
};
modules = [
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = commonOverlays;
}
)
./hosts/inc1
sops-nix.nixosModules.sops
# backup-helper.nixosModules.backup-helper
];
};
inc2 = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs self sops-nix;
};
modules = [
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = commonOverlays;
}
)
./hosts/inc2
sops-nix.nixosModules.sops
# backup-helper.nixosModules.backup-helper
];
};
template1 = nixpkgs.lib.nixosSystem { template1 = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { specialArgs = {
@@ -200,6 +172,22 @@
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
]; ];
}; };
template2 = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs self sops-nix;
};
modules = [
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = commonOverlays;
}
)
./hosts/template2
sops-nix.nixosModules.sops
];
};
http-proxy = nixpkgs.lib.nixosSystem { http-proxy = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { specialArgs = {
@@ -247,6 +235,7 @@
./hosts/monitoring01 ./hosts/monitoring01
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
backup-helper.nixosModules.backup-helper backup-helper.nixosModules.backup-helper
labmon.nixosModules.labmon
]; ];
}; };
jelly01 = nixpkgs.lib.nixosSystem { jelly01 = nixpkgs.lib.nixosSystem {
@@ -345,14 +334,53 @@
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
]; ];
}; };
testvm01 = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs self sops-nix;
}; };
modules = [
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = commonOverlays;
}
)
./hosts/testvm01
sops-nix.nixosModules.sops
];
};
vault01 = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs self sops-nix;
};
modules = [
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = commonOverlays;
}
)
./hosts/vault01
sops-nix.nixosModules.sops
];
};
};
packages = forAllSystems (
{ pkgs }:
{
create-host = pkgs.callPackage ./scripts/create-host { };
}
);
devShells = forAllSystems ( devShells = forAllSystems (
{ pkgs }: { pkgs }:
{ {
default = pkgs.mkShell { default = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
ansible ansible
python3 opentofu
(pkgs.callPackage ./scripts/create-host { })
]; ];
}; };
} }
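
Review bot: The `testvm01` and `vault01` entries repeat the same `nixosSystem` block as `template2`, differing only in the `./hosts/<name>` path, and the TODO in this diff says `create-host` inserts these blocks by regex. A small helper in the `let` block that takes the host name and any extra modules would shrink each entry to one line and make the generated insertion much harder to misplace. `./scripts/create-host` is also passed to `callPackage` twice, once under `packages` and once in the devShell; build it once and reference it from both. Last, `testvm01` lands in `nixosConfigurations` although the TODO treats it as a test VM to be removed after testing, so confirm it is meant to stay.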


@@ -6,7 +6,7 @@
}; };
networking.wireguard = { networking.wireguard = {
enable = true; enable = true;
# TODO: add useNetworkd once 25.05 released useNetworkd = true;
interfaces = { interfaces = {
wg0 = { wg0 = {


@@ -1,96 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
../../system
../../services/incus
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
};
networking.hostName = "inc1";
networking.domain = "home.2rjus.net";
networking.useNetworkd = true;
networking.useDHCP = false;
networking.nftables.enable = true;
networking.firewall.trustedInterfaces = [ "vlan13" ];
services.resolved.enable = true;
networking.nameservers = [
"10.69.13.5"
"10.69.13.6"
];
systemd.network.enable = true;
# Primary interface
systemd.network.networks."enp2s0" = {
matchConfig.Name = "enp2s0";
address = [
"10.69.12.80/24"
];
networkConfig = {
VLAN = [ "enp2s0.13" ];
};
routes = [
{ Gateway = "10.69.12.1"; }
];
linkConfig.RequiredForOnline = "routable";
};
# VLAN 13 netdev
systemd.network.netdevs."enp2s0.13" = {
enable = true;
netdevConfig = {
Kind = "vlan";
Name = "enp2s0.13";
};
vlanConfig = {
Id = 13;
};
};
# # Bridge netdev
# systemd.network.netdevs."br13" = {
# netdevConfig = {
# Name = "br13";
# Kind = "bridge";
# };
# };
# # Bridge network
# systemd.network.networks."br13" = {
# matchConfig.Name = "enp2s0.13";
# networkConfig.Bridge = "br13";
# };
time.timeZone = "Europe/Oslo";
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [
tcpdump
vim
wget
git
];
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# services.openssh.settings.PermitRootLogin = "yes";
system.stateVersion = "24.05"; # Did you read the comment?
}
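
Review bot: Deleting the `inc1` host configuration should come with removing that host's age public key from `.sops.yaml` and re-encrypting the secrets it was a recipient of, otherwise a key from a decommissioned machine can still decrypt them; check that this diff includes that change. The same applies to `inc2`, and to any DNS records that still point at 10.69.12.80 and 10.69.12.81.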


@@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/faa60038-b3a4-448a-8909-49857818c955";
fsType = "xfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/7A94-A91C";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/f7a4f85e-0b4b-492d-a611-f50d2b915c2c"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,96 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
../../system
../../services/incus
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
};
networking.hostName = "inc2";
networking.domain = "home.2rjus.net";
networking.useNetworkd = true;
networking.useDHCP = false;
networking.nftables.enable = true;
networking.firewall.trustedInterfaces = [ "vlan13" ];
services.resolved.enable = true;
networking.nameservers = [
"10.69.13.5"
"10.69.13.6"
];
systemd.network.enable = true;
# Primary interface
systemd.network.networks."enp2s0" = {
matchConfig.Name = "enp2s0";
address = [
"10.69.12.81/24"
];
networkConfig = {
VLAN = [ "enp2s0.13" ];
};
routes = [
{ Gateway = "10.69.12.1"; }
];
linkConfig.RequiredForOnline = "routable";
};
# VLAN 13 netdev
systemd.network.netdevs."enp2s0.13" = {
enable = true;
netdevConfig = {
Kind = "vlan";
Name = "enp2s0.13";
};
vlanConfig = {
Id = 13;
};
};
# # Bridge netdev
# systemd.network.netdevs."br13" = {
# netdevConfig = {
# Name = "br13";
# Kind = "bridge";
# };
# };
# # Bridge network
# systemd.network.networks."br13" = {
# matchConfig.Name = "enp2s0.13";
# networkConfig.Bridge = "br13";
# };
time.timeZone = "Europe/Oslo";
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [
tcpdump
vim
wget
git
];
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# services.openssh.settings.PermitRootLogin = "yes";
system.stateVersion = "24.05"; # Did you read the comment?
}


@@ -1,33 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/3e7c311c-b1a3-4be7-b8bf-e497cba64302";
fsType = "btrfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/F0D7-E5C1";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[{ device = "/dev/disk/by-uuid/1a06a36f-da61-4d36-b94e-b852836c328a"; }];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -50,8 +50,8 @@
hardware.graphics = { hardware.graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
vaapiVdpau
libvdpau-va-gl libvdpau-va-gl
libva-vdpau-driver
]; ];
}; };


@@ -69,6 +69,61 @@
]; ];
}; };
labmon = {
enable = true;
settings = {
ListenAddr = ":9969";
Profiling = true;
StepMonitors = [
{
Enabled = true;
BaseURL = "https://ca.home.2rjus.net";
RootID = "3381bda8015a86b9a3cd1851439d1091890a79005e0f1f7c4301fe4bccc29d80";
}
];
TLSConnectionMonitors = [
{
Enabled = true;
Address = "ca.home.2rjus.net:443";
Verify = true;
Duration = "12h";
}
{
Enabled = true;
Address = "jelly.home.2rjus.net:443";
Verify = true;
Duration = "12h";
}
{
Enabled = true;
Address = "grafana.home.2rjus.net:443";
Verify = true;
Duration = "12h";
}
{
Enabled = true;
Address = "prometheus.home.2rjus.net:443";
Verify = true;
Duration = "12h";
}
{
Enabled = true;
Address = "alertmanager.home.2rjus.net:443";
Verify = true;
Duration = "12h";
}
{
Enabled = true;
Address = "pyroscope.home.2rjus.net:443";
Verify = true;
Duration = "12h";
}
];
};
};
# Open ports in the firewall. # Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];
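
Review bot: `ListenAddr = ":9969"` has no host part, so labmon listens on every interface while `Profiling = true` is set; if the profiling handlers are served from that same listener they become reachable from the whole network. Bind to a specific address or turn `Profiling` off outside debugging sessions. The six `TLSConnectionMonitors` entries differ only in `Address`, so generating them with `map` over a list of hosts would remove the repetition and keep `Verify` and `Duration` consistent.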

@@ -3,5 +3,7 @@
imports = [ imports = [
./configuration.nix ./configuration.nix
../../services/nix-cache ../../services/nix-cache
../../services/actions-runner
./zram.nix
]; ];
} }
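
Review bot: importing `../../services/actions-runner` next to `../../services/nix-cache` puts CI job execution on the host that serves the binary cache, so a job that escapes the runner could alter what every other host substitutes. Document why the two are co-located or move the runner to its own host, and confirm the runner user cannot read any cache signing material.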

@@ -0,0 +1,6 @@
{ ... }:
{
zramSwap = {
enable = true;
};
}

@@ -0,0 +1,73 @@
{ pkgs, config, lib, ... }:
let
bootstrap-script = pkgs.writeShellApplication {
name = "nixos-bootstrap";
runtimeInputs = with pkgs; [ systemd curl nixos-rebuild jq git ];
text = ''
set -euo pipefail
# Read hostname set by cloud-init (from Terraform VM name via user-data)
# Cloud-init sets the system hostname from user-data.txt, so we read it from hostnamectl
HOSTNAME=$(hostnamectl hostname)
echo "DEBUG: Hostname from hostnamectl: '$HOSTNAME'"
echo "Starting NixOS bootstrap for host: $HOSTNAME"
echo "Waiting for network connectivity..."
# Verify we can reach the git server via HTTPS (doesn't respond to ping)
if ! curl -s --connect-timeout 5 --max-time 10 https://git.t-juice.club >/dev/null 2>&1; then
echo "ERROR: Cannot reach git.t-juice.club via HTTPS"
echo "Check network configuration and DNS settings"
exit 1
fi
echo "Network connectivity confirmed"
echo "Fetching and building NixOS configuration from flake..."
# Read git branch from environment, default to master
BRANCH="''${NIXOS_FLAKE_BRANCH:-master}"
echo "Using git branch: $BRANCH"
# Build and activate the host-specific configuration
FLAKE_URL="git+https://git.t-juice.club/torjus/nixos-servers.git?ref=$BRANCH#''${HOSTNAME}"
if nixos-rebuild boot --flake "$FLAKE_URL"; then
echo "Successfully built configuration for $HOSTNAME"
echo "Rebooting into new configuration..."
sleep 2
systemctl reboot
else
echo "ERROR: nixos-rebuild failed for $HOSTNAME"
echo "Check that flake has configuration for this hostname"
echo "Manual intervention required - system will not reboot"
exit 1
fi
'';
};
in
{
systemd.services."nixos-bootstrap" = {
description = "Bootstrap NixOS configuration from flake on first boot";
# Wait for cloud-init to finish setting hostname and network to be online
after = [ "cloud-config.service" "network-online.target" ];
wants = [ "network-online.target" ];
requires = [ "cloud-config.service" ];
# Run on boot
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${bootstrap-script}/bin/nixos-bootstrap";
# Read environment variables from /etc/environment (set by cloud-init)
EnvironmentFile = "-/etc/environment";
# Logging to journald
StandardOutput = "journal+console";
StandardError = "journal+console";
};
};
}
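
Review bot: `NIXOS_FLAKE_BRANCH` comes from `/etc/environment` and is pasted into `FLAKE_URL` without validation, and the result is built and booted as root, so whoever controls the cloud-init user-data chooses the code the host runs; a value containing `&` or `#` also changes the meaning of the URL. Check `$BRANCH` (and `$HOSTNAME`) against a strict pattern such as `^[A-Za-z0-9._/-]+$` before building the URL, and consider pinning a `rev`. Separately, the unit is described as first-boot only but is `wantedBy = [ "multi-user.target" ]` with no `ConditionPathExists` or marker file, so it runs again on every boot of any system that still includes it.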

@@ -0,0 +1,70 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
../../system/sshd.nix
];
# Root user with no password but SSH key access for bootstrapping
users.users.root = {
hashedPassword = "";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
];
};
# Proxmox image-specific configuration
# Configure storage to use local-zfs instead of local-lvm
image.modules.proxmox = {
proxmox.qemuConf.virtio0 = lib.mkForce "local-zfs:vm-9999-disk-0";
proxmox.qemuConf.boot = lib.mkForce "order=virtio0";
proxmox.cloudInit.defaultStorage = lib.mkForce "local-zfs";
};
# Configure cloud-init to use ConfigDrive datasource (used by Proxmox)
services.cloud-init.settings = {
datasource_list = [ "ConfigDrive" "NoCloud" ];
};
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.hostName = "nixos-template2";
networking.domain = "home.2rjus.net";
networking.useNetworkd = true;
networking.useDHCP = false;
services.resolved.enable = true;
systemd.network.enable = true;
systemd.network.networks."ens18" = {
matchConfig.Name = "ens18";
networkConfig.DHCP = "ipv4";
linkConfig.RequiredForOnline = "routable";
};
time.timeZone = "Europe/Oslo";
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [
age
vim
wget
git
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
system.stateVersion = "25.11";
}
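
Review bot: `hashedPassword = "";` gives root an empty password rather than a locked one, so any login path that accepts passwords (the console, for instance) lets root in without credentials, and every VM cloned from this template inherits that together with `networking.firewall.enable = false`. Since access is meant to go through the authorized key, lock the password with `hashedPassword = "!";` and leave the firewall enabled with only SSH open.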

@@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./hardware-configuration.nix
./configuration.nix
./scripts.nix
./bootstrap.nix
../../system/packages.nix
];
}

@@ -0,0 +1,45 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [
"ptp_kvm"
"virtio_rng" # Provides entropy from host for fast SSH key generation
];
boot.extraModulePackages = [ ];
# Filesystem configuration matching Proxmox image builder output
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
options = [ "x-systemd.growfs" ];
};
swapDevices = lib.mkDefault [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

@@ -0,0 +1,33 @@
{ pkgs, ... }:
let
prepare-host-script = pkgs.writeShellScriptBin "prepare-host.sh"
''
echo "Removing machine-id"
rm -f /etc/machine-id || true
echo "Removing SSH host keys"
rm -f /etc/ssh/ssh_host_* || true
echo "Restarting SSH"
systemctl restart sshd
echo "Removing temporary files"
rm -rf /tmp/* || true
echo "Removing logs"
journalctl --rotate || true
journalctl --vacuum-time=1s || true
echo "Removing cache"
rm -rf /var/cache/* || true
echo "Generate age key"
rm -rf /var/lib/sops-nix || true
mkdir -p /var/lib/sops-nix
${pkgs.age}/bin/age-keygen -o /var/lib/sops-nix/key.txt
'';
in
{
environment.systemPackages = [ prepare-host-script ];
users.motd = "Prepare host by running 'prepare-host.sh'.";
}
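
Review bot: every cleanup step ends in `|| true` and the script never sets `set -euo pipefail`, so a failed removal of `/etc/machine-id` or `/etc/ssh/ssh_host_*` goes unnoticed and the operator still believes the host was prepared. Drop the `|| true` on the identity-related steps and fail loudly. Also create the key directory with explicit permissions, for example `install -d -m 0700 /var/lib/sops-nix`, instead of relying on the umask with `mkdir -p`.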

@@ -0,0 +1,61 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
../template2/hardware-configuration.nix
../../system
../../common/vm
];
nixpkgs.config.allowUnfree = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.hostName = "testvm01";
networking.domain = "home.2rjus.net";
networking.useNetworkd = true;
networking.useDHCP = false;
services.resolved.enable = false;
networking.nameservers = [
"10.69.13.5"
"10.69.13.6"
];
systemd.network.enable = true;
systemd.network.networks."ens18" = {
matchConfig.Name = "ens18";
address = [
"10.69.13.101/24"
];
routes = [
{ Gateway = "10.69.13.1"; }
];
linkConfig.RequiredForOnline = "routable";
};
time.timeZone = "Europe/Oslo";
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [
vim
wget
git
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
system.stateVersion = "25.11"; # Did you read the comment?
}

@@ -0,0 +1,63 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
../template2/hardware-configuration.nix
../../system
../../common/vm
../../services/vault
];
nixpkgs.config.allowUnfree = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.hostName = "vault01";
networking.domain = "home.2rjus.net";
networking.useNetworkd = true;
networking.useDHCP = false;
services.resolved.enable = true;
networking.nameservers = [
"10.69.13.5"
"10.69.13.6"
];
systemd.network.enable = true;
systemd.network.networks."ens18" = {
matchConfig.Name = "ens18";
address = [
"10.69.13.19/24"
];
routes = [
{ Gateway = "10.69.13.1"; }
];
linkConfig.RequiredForOnline = "routable";
};
time.timeZone = "Europe/Oslo";
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [
vim
wget
git
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
system.stateVersion = "25.11"; # Did you read the comment?
}
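
Review bot: `networking.firewall.enable = false` on the host that imports `../../services/vault` leaves every listening port on the secrets server reachable from the 10.69.13.0/24 network. Enable the firewall here and open only SSH and the Vault listener through `networking.firewall.allowedTCPPorts`. `nixpkgs.config.allowUnfree = true` also deserves a comment naming the package that needs it.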

@@ -0,0 +1,5 @@
{ ... }: {
imports = [
./configuration.nix
];
}

@@ -0,0 +1,101 @@
---
- name: Build and deploy NixOS Proxmox template
hosts: localhost
gather_facts: false
vars:
template_name: "template2"
nixos_config: "template2"
proxmox_node: "pve1.home.2rjus.net" # Change to your Proxmox node name
proxmox_host: "pve1.home.2rjus.net" # Change to your Proxmox host
template_vmid: 9000 # Template VM ID
storage: "local-zfs"
tasks:
- name: Build NixOS image
ansible.builtin.command:
cmd: "nixos-rebuild build-image --image-variant proxmox --flake .#template2"
chdir: "{{ playbook_dir }}/.."
register: build_result
changed_when: true
- name: Find built image file
ansible.builtin.find:
paths: "{{ playbook_dir}}/../result"
patterns: "*.vma.zst"
recurse: true
register: image_files
- name: Fail if no image found
ansible.builtin.fail:
msg: "No QCOW2 image found in build output"
when: image_files.matched == 0
- name: Set image path
ansible.builtin.set_fact:
image_path: "{{ image_files.files[0].path }}"
- name: Extract image filename
ansible.builtin.set_fact:
image_filename: "{{ image_path | basename }}"
- name: Display image info
ansible.builtin.debug:
msg: "Built image: {{ image_path }} ({{ image_filename }})"
- name: Deploy template to Proxmox
hosts: proxmox
gather_facts: false
vars:
template_name: "template2"
template_vmid: 9000
storage: "local-zfs"
tasks:
- name: Get image path and filename from localhost
ansible.builtin.set_fact:
image_path: "{{ hostvars['localhost']['image_path'] }}"
image_filename: "{{ hostvars['localhost']['image_filename'] }}"
- name: Set destination path
ansible.builtin.set_fact:
image_dest: "/var/lib/vz/dump/{{ image_filename }}"
- name: Copy image to Proxmox
ansible.builtin.copy:
src: "{{ image_path }}"
dest: "{{ image_dest }}"
mode: '0644'
- name: Check if template VM already exists
ansible.builtin.command:
cmd: "qm status {{ template_vmid }}"
register: vm_status
failed_when: false
changed_when: false
- name: Destroy existing template VM if it exists
ansible.builtin.command:
cmd: "qm destroy {{ template_vmid }} --purge"
when: vm_status.rc == 0
changed_when: true
- name: Import image
ansible.builtin.command:
cmd: "qmrestore {{ image_dest }} {{ template_vmid }}"
changed_when: true
- name: Convert VM to template
ansible.builtin.command:
cmd: "qm template {{ template_vmid }}"
changed_when: true
- name: Clean up uploaded image
ansible.builtin.file:
path: "{{ image_dest }}"
state: absent
- name: Display success message
ansible.builtin.debug:
msg: "Template VM {{ template_vmid }} created successfully on {{ storage }}"
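
Review bot: the "Destroy existing template VM if it exists" task runs `qm destroy {{ template_vmid }} --purge` against whatever guest holds ID 9000, without checking that it is the previous template; read `qm config` first and proceed only when the name or the template flag matches. Smaller points: the failure message says "No QCOW2 image found" while the pattern is `*.vma.zst`, `image_files.files[0]` picks an arbitrary match if `result` holds more than one archive, the build command hard-codes `.#template2` although `nixos_config` is defined, and `proxmox_node` and `proxmox_host` are never used.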

playbooks/inventory.ini Normal file
@@ -0,0 +1,5 @@
[proxmox]
pve1.home.2rjus.net
[proxmox:vars]
ansible_user=root

@@ -0,0 +1 @@
recursive-include templates *.j2

@@ -0,0 +1,268 @@
# NixOS Host Configuration Generator
Automated tool for generating NixOS host configurations, flake.nix entries, and Terraform VM definitions for homelab infrastructure.
## Installation
The tool is available in the Nix development shell:
```bash
nix develop
```
## Usage
### Basic Usage
Create a new host with DHCP networking:
```bash
python -m scripts.create_host.create_host create --hostname test01
```
Create a new host with static IP:
```bash
python -m scripts.create_host.create_host create \
--hostname test01 \
--ip 10.69.13.50/24
```
Create a host with custom resources:
```bash
python -m scripts.create_host.create_host create \
--hostname bighost01 \
--ip 10.69.13.51/24 \
--cpu 8 \
--memory 8192 \
--disk 100G
```
### Dry Run Mode
Preview what would be created without making changes:
```bash
python -m scripts.create_host.create_host create \
--hostname test01 \
--ip 10.69.13.50/24 \
--dry-run
```
### Force Mode (Regenerate Existing Configuration)
Overwrite an existing host configuration (useful for testing):
```bash
python -m scripts.create_host.create_host create \
--hostname test01 \
--ip 10.69.13.50/24 \
--force
```
This mode:
- Skips hostname and IP uniqueness validation
- Overwrites files in `hosts/<hostname>/`
- Updates existing entries in `flake.nix` and `terraform/vms.tf` (doesn't duplicate)
- Useful for iterating on configuration templates during testing
### Options
- `--hostname` (required): Hostname for the new host
- Must be lowercase alphanumeric with hyphens
- Must be unique (not already exist in repository)
- `--ip` (optional): Static IP address with CIDR notation
- Format: `10.69.13.X/24`
- Must be in `10.69.13.0/24` subnet
- Last octet must be 1-254
- Omit this option for DHCP configuration
- `--cpu` (optional, default: 2): Number of CPU cores
- Must be at least 1
- `--memory` (optional, default: 2048): Memory in MB
- Must be at least 512
- `--disk` (optional, default: "20G"): Disk size
- Examples: "20G", "50G", "100G"
- `--dry-run` (flag): Preview changes without creating files
- `--force` (flag): Overwrite existing host configuration
- Skips uniqueness validation
- Updates existing entries instead of creating duplicates
## What It Does
The tool performs the following actions:
1. **Validates** the configuration:
- Hostname format (RFC 1123 compliance)
- Hostname uniqueness
- IP address format and subnet (if provided)
- IP address uniqueness (if provided)
2. **Generates** host configuration files:
- `hosts/<hostname>/default.nix` - Import wrapper
- `hosts/<hostname>/configuration.nix` - Full host configuration
3. **Updates** repository files:
- `flake.nix` - Adds new nixosConfigurations entry
- `terraform/vms.tf` - Adds new VM definition
4. **Displays** next steps for:
- Reviewing changes with git diff
- Verifying NixOS configuration
- Verifying Terraform configuration
- Committing changes
- Deploying the VM
## Generated Configuration
### Host Features
All generated hosts include:
- Full system imports from `../../system`:
- Nix binary cache integration
- SSH with root login
- SOPS secrets management
- Internal ACME CA integration
- Daily auto-upgrades with auto-reboot
- Prometheus node-exporter
- Promtail logging to monitoring01
- VM guest agent from `../../common/vm`
- Hardware configuration from `../template/hardware-configuration.nix`
### Networking
**Static IP mode** (when `--ip` is provided):
```nix
systemd.network.networks."ens18" = {
matchConfig.Name = "ens18";
address = [ "10.69.13.50/24" ];
routes = [ { Gateway = "10.69.13.1"; } ];
linkConfig.RequiredForOnline = "routable";
};
```
**DHCP mode** (when `--ip` is omitted):
```nix
systemd.network.networks."ens18" = {
matchConfig.Name = "ens18";
networkConfig.DHCP = "ipv4";
linkConfig.RequiredForOnline = "routable";
};
```
### DNS Configuration
All hosts are configured with:
- DNS servers: `10.69.13.5`, `10.69.13.6` (ns1, ns2)
- Domain: `home.2rjus.net`
## Examples
### Create a test VM with defaults
```bash
python -m scripts.create_host.create_host create --hostname test99
```
This creates a DHCP VM with 2 CPU cores, 2048 MB memory, and 20G disk.
### Create a database server with static IP
```bash
python -m scripts.create_host.create_host create \
--hostname pgdb2 \
--ip 10.69.13.52/24 \
--cpu 4 \
--memory 4096 \
--disk 50G
```
### Preview changes before creating
```bash
python -m scripts.create_host.create_host create \
--hostname test99 \
--ip 10.69.13.99/24 \
--dry-run
```
## Error Handling
The tool validates input and provides clear error messages for:
- Invalid hostname format (must be lowercase alphanumeric with hyphens)
- Duplicate hostname (already exists in repository)
- Invalid IP format (must be X.X.X.X/24)
- Wrong subnet (must be 10.69.13.0/24)
- Invalid last octet (must be 1-254)
- Duplicate IP address (already in use)
- Resource constraints (CPU < 1, memory < 512 MB)
## Integration with Deployment Pipeline
This tool implements **Phase 2** of the automated deployment pipeline:
1. **Phase 1**: Template building ✓ (build-and-deploy-template.yml)
2. **Phase 2**: Host configuration generation ✓ (this tool)
3. **Phase 3**: Bootstrap automation (planned)
4. **Phase 4**: Secrets management (planned)
5. **Phase 5**: DNS automation (planned)
6. **Phase 6**: Full integration (planned)
## Development
### Project Structure
```
scripts/create-host/
├── create_host.py # Main CLI entry point (typer app)
├── __init__.py # Package initialization
├── validators.py # Validation logic
├── generators.py # File generation using Jinja2
├── manipulators.py # Text manipulation for flake.nix and vms.tf
├── models.py # Data models (HostConfig)
├── templates/
│ ├── default.nix.j2 # Template for default.nix
│ └── configuration.nix.j2 # Template for configuration.nix
└── README.md # This file
```
### Testing
Run the test cases from the implementation plan:
```bash
# Test 1: DHCP host with defaults
python -m scripts.create_host.create_host create --hostname testdhcp --dry-run
# Test 2: Static IP host
python -m scripts.create_host.create_host create \
--hostname test50 --ip 10.69.13.50/24 --dry-run
# Test 3: Custom resources
python -m scripts.create_host.create_host create \
--hostname test51 --ip 10.69.13.51/24 \
--cpu 8 --memory 8192 --disk 100G --dry-run
# Test 4: Duplicate hostname (should error)
python -m scripts.create_host.create_host create --hostname ns1 --dry-run
# Test 5: Invalid subnet (should error)
python -m scripts.create_host.create_host create \
--hostname testbad --ip 192.168.1.50/24 --dry-run
# Test 6: Invalid hostname (should error)
python -m scripts.create_host.create_host create --hostname Test_Host --dry-run
```
## License
Part of the nixos-servers homelab infrastructure repository.
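
Review bot: several statements in this README do not match the code in the same diff: it lists hardware configuration from `../template/hardware-configuration.nix` while the generated hosts import `../template2/hardware-configuration.nix`, it shows the tree as `scripts/create-host/` but invokes `python -m scripts.create_host.create_host create`, and `create_host.py` registers its options on the Typer callback with no `create` command. Phase 3 is marked "(planned)" although a bootstrap service is added alongside. Since "SSH with root login" and "Daily auto-upgrades with auto-reboot" are listed as defaults for every generated host, a sentence on how to opt out would help.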

@@ -0,0 +1,3 @@
"""NixOS host configuration generator for homelab infrastructure."""
__version__ = "0.1.0"

@@ -0,0 +1,6 @@
"""Entry point for running the create-host module."""
from .create_host import app
if __name__ == "__main__":
app()

@@ -0,0 +1,197 @@
"""CLI tool for generating NixOS host configurations."""
import sys
from pathlib import Path
from typing import Optional
import typer
from rich.console import Console
from rich.panel import Panel
from rich.table import Table
from generators import generate_host_files
from manipulators import update_flake_nix, update_terraform_vms
from models import HostConfig
from validators import (
validate_hostname_format,
validate_hostname_unique,
validate_ip_subnet,
validate_ip_unique,
)
app = typer.Typer(
name="create-host",
help="Generate NixOS host configurations for homelab infrastructure",
add_completion=False,
)
console = Console()
def get_repo_root() -> Path:
"""Get the repository root directory."""
# Use current working directory as repo root
# The tool should be run from the repository root
return Path.cwd()
@app.callback(invoke_without_command=True)
def main(
ctx: typer.Context,
hostname: Optional[str] = typer.Option(None, "--hostname", help="Hostname for the new host"),
ip: Optional[str] = typer.Option(
None, "--ip", help="Static IP address with CIDR (e.g., 10.69.13.50/24). Omit for DHCP."
),
cpu: int = typer.Option(2, "--cpu", help="Number of CPU cores"),
memory: int = typer.Option(2048, "--memory", help="Memory in MB"),
disk: str = typer.Option("20G", "--disk", help="Disk size (e.g., 20G, 50G, 100G)"),
dry_run: bool = typer.Option(False, "--dry-run", help="Preview changes without creating files"),
force: bool = typer.Option(False, "--force", help="Overwrite existing host configuration"),
) -> None:
"""
Create a new NixOS host configuration.
Generates host configuration files, updates flake.nix, and adds Terraform VM definition.
"""
# Show help if no hostname provided
if hostname is None:
console.print("[bold red]Error:[/bold red] --hostname is required\n")
ctx.get_help()
sys.exit(1)
try:
# Build configuration
config = HostConfig(
hostname=hostname,
ip=ip,
cpu=cpu,
memory=memory,
disk=disk,
)
# Get repository root
repo_root = get_repo_root()
# Validate configuration
console.print("\n[bold blue]Validating configuration...[/bold blue]")
config.validate()
validate_hostname_format(hostname)
# Skip uniqueness checks in force mode
if not force:
validate_hostname_unique(hostname, repo_root)
if ip:
validate_ip_unique(ip, repo_root)
else:
# Check if we're actually overwriting something
host_dir = repo_root / "hosts" / hostname
if host_dir.exists():
console.print(f"[yellow]⚠[/yellow] Updating existing host configuration for {hostname}")
if ip:
validate_ip_subnet(ip)
console.print("[green]✓[/green] All validations passed\n")
# Display configuration summary
display_config_summary(config)
# Dry run mode - exit before making changes
if dry_run:
console.print("\n[yellow]DRY RUN MODE - No files will be created[/yellow]\n")
display_dry_run_summary(config, repo_root)
return
# Generate files
console.print("\n[bold blue]Generating host configuration...[/bold blue]")
generate_host_files(config, repo_root)
action = "Updated" if force else "Created"
console.print(f"[green]✓[/green] {action} hosts/{hostname}/default.nix")
console.print(f"[green]✓[/green] {action} hosts/{hostname}/configuration.nix")
update_flake_nix(config, repo_root, force=force)
console.print("[green]✓[/green] Updated flake.nix")
update_terraform_vms(config, repo_root, force=force)
console.print("[green]✓[/green] Updated terraform/vms.tf")
# Success message
console.print("\n[bold green]✓ Host configuration generated successfully![/bold green]\n")
# Display next steps
display_next_steps(hostname)
except ValueError as e:
console.print(f"\n[bold red]Error:[/bold red] {e}\n", style="red")
sys.exit(1)
except Exception as e:
console.print(f"\n[bold red]Unexpected error:[/bold red] {e}\n", style="red")
sys.exit(1)
def display_config_summary(config: HostConfig) -> None:
"""Display configuration summary table."""
table = Table(title="Host Configuration", show_header=False)
table.add_column("Property", style="cyan")
table.add_column("Value", style="white")
table.add_row("Hostname", config.hostname)
table.add_row("Domain", config.domain)
table.add_row("Network Mode", "Static IP" if config.is_static_ip else "DHCP")
if config.is_static_ip:
table.add_row("IP Address", config.ip)
table.add_row("Gateway", config.gateway)
table.add_row("DNS Servers", ", ".join(config.nameservers))
table.add_row("CPU Cores", str(config.cpu))
table.add_row("Memory", f"{config.memory} MB")
table.add_row("Disk Size", config.disk)
table.add_row("State Version", config.state_version)
console.print(table)
def display_dry_run_summary(config: HostConfig, repo_root: Path) -> None:
"""Display what would be created in dry run mode."""
console.print("[bold]Files that would be created:[/bold]")
console.print(f"{repo_root}/hosts/{config.hostname}/default.nix")
console.print(f"{repo_root}/hosts/{config.hostname}/configuration.nix")
console.print("\n[bold]Files that would be modified:[/bold]")
console.print(f"{repo_root}/flake.nix (add nixosConfigurations.{config.hostname})")
console.print(f"{repo_root}/terraform/vms.tf (add VM definition)")
def display_next_steps(hostname: str) -> None:
"""Display next steps after successful generation."""
next_steps = f"""[bold cyan]Next Steps:[/bold cyan]
1. Review changes:
[white]git diff[/white]
2. Verify NixOS configuration:
[white]nix flake check
nix build .#nixosConfigurations.{hostname}.config.system.build.toplevel[/white]
3. Verify Terraform configuration:
[white]cd terraform
tofu validate
tofu plan[/white]
4. Commit changes:
[white]git add hosts/{hostname} flake.nix terraform/vms.tf
git commit -m "hosts: add {hostname} configuration"[/white]
5. Deploy VM (after merging to master):
[white]cd terraform
tofu apply[/white]
6. Bootstrap the host (see Phase 3 of deployment pipeline)
"""
console.print(Panel(next_steps, border_style="cyan"))
if __name__ == "__main__":
app()
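
Review bot: the three write steps (`generate_host_files`, `update_flake_nix`, `update_terraform_vms`) run one after another with no rollback, so if the flake.nix insertion point is not found the `hosts/<hostname>/` directory has already been written and a rerun without `--force` can trip the uniqueness check. Compute all new contents first and write only once every step has succeeded. `get_repo_root()` also trusts the current directory; check that `flake.nix` and `terraform/vms.tf` exist before validating, and have the `except Exception` branch print the traceback rather than only the message.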

@@ -0,0 +1,38 @@
{ lib
, python3
, python3Packages
}:
python3Packages.buildPythonApplication {
pname = "create-host";
version = "0.1.0";
src = ./.;
pyproject = true;
build-system = with python3Packages; [
setuptools
];
propagatedBuildInputs = with python3Packages; [
typer
jinja2
rich
];
# Install templates to share directory
postInstall = ''
mkdir -p $out/share/create-host
cp -r templates $out/share/create-host/
'';
# No tests yet
doCheck = false;
meta = with lib; {
description = "NixOS host configuration generator for homelab infrastructure";
license = licenses.mit;
maintainers = [ ];
};
}

@@ -0,0 +1,88 @@
"""File generation using Jinja2 templates."""
import sys
from pathlib import Path
from jinja2 import Environment, BaseLoader, TemplateNotFound
from models import HostConfig
class PackageTemplateLoader(BaseLoader):
"""Custom Jinja2 loader that works with both dev and installed packages."""
def __init__(self):
# Try to find templates in multiple locations
self.template_dirs = []
# Location 1: Development (scripts/create-host/templates)
dev_dir = Path(__file__).parent / "templates"
if dev_dir.exists():
self.template_dirs.append(dev_dir)
# Location 2: Installed via Nix (../share/create-host/templates from bin dir)
# When installed via Nix, __file__ is in lib/python3.X/site-packages/
# and templates are in ../../../share/create-host/templates
for site_path in sys.path:
site_dir = Path(site_path)
# Try to find the Nix store path
if "site-packages" in str(site_dir):
# Go up to the package root (e.g., /nix/store/xxx-create-host-0.1.0)
pkg_root = site_dir.parent.parent.parent
share_templates = pkg_root / "share" / "create-host" / "templates"
if share_templates.exists():
self.template_dirs.append(share_templates)
# Location 3: Fallback - sys.path templates
for site_path in sys.path:
site_templates = Path(site_path) / "templates"
if site_templates.exists():
self.template_dirs.append(site_templates)
def get_source(self, environment, template):
for template_dir in self.template_dirs:
template_path = template_dir / template
if template_path.exists():
mtime = template_path.stat().st_mtime
source = template_path.read_text()
return source, str(template_path), lambda: mtime == template_path.stat().st_mtime
raise TemplateNotFound(template)
def generate_host_files(config: HostConfig, repo_root: Path) -> None:
"""
Generate host configuration files from templates.
Args:
config: Host configuration
repo_root: Path to repository root
"""
# Setup Jinja2 environment with custom loader
env = Environment(
loader=PackageTemplateLoader(),
trim_blocks=True,
lstrip_blocks=True,
)
# Create host directory
host_dir = repo_root / "hosts" / config.hostname
host_dir.mkdir(parents=True, exist_ok=True)
# Generate default.nix
default_template = env.get_template("default.nix.j2")
default_content = default_template.render(hostname=config.hostname)
(host_dir / "default.nix").write_text(default_content)
# Generate configuration.nix
config_template = env.get_template("configuration.nix.j2")
config_content = config_template.render(
hostname=config.hostname,
domain=config.domain,
nameservers=config.nameservers,
is_static_ip=config.is_static_ip,
ip=config.ip,
gateway=config.gateway,
state_version=config.state_version,
)
(host_dir / "configuration.nix").write_text(config_content)
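
Review bot: `PackageTemplateLoader` appends any `templates` directory found under a `sys.path` entry (Location 3), so when the earlier locations are missing a templates folder from an unrelated package can supply `configuration.nix.j2`, and the rendered file ends up in a NixOS host configuration. Resolve templates from one known location, for instance with `importlib.resources` or the `share/create-host/templates` path that `postInstall` populates, and fail if it is absent. The `Environment` renders `hostname`, `ip` and the other values straight into Nix string literals, so correctness relies entirely on the validators rejecting quotes and `${`; a comment saying so would help the next reader.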

@@ -0,0 +1,124 @@
"""Text manipulation for flake.nix and Terraform files."""
import re
from pathlib import Path
from models import HostConfig
def update_flake_nix(config: HostConfig, repo_root: Path, force: bool = False) -> None:
"""
Add or update host entry in flake.nix nixosConfigurations.
Args:
config: Host configuration
repo_root: Path to repository root
force: If True, replace existing entry; if False, insert new entry
"""
flake_path = repo_root / "flake.nix"
content = flake_path.read_text()
# Create new entry
new_entry = f""" {config.hostname} = nixpkgs.lib.nixosSystem {{
inherit system;
specialArgs = {{
inherit inputs self sops-nix;
}};
modules = [
(
{{ config, pkgs, ... }}:
{{
nixpkgs.overlays = commonOverlays;
}}
)
./hosts/{config.hostname}
sops-nix.nixosModules.sops
];
}};
"""
# Check if hostname already exists
hostname_pattern = rf"^ {re.escape(config.hostname)} = nixpkgs\.lib\.nixosSystem"
existing_match = re.search(hostname_pattern, content, re.MULTILINE)
if existing_match and force:
# Replace existing entry
# Match the entire block from "hostname = " to "};"
replace_pattern = rf"^ {re.escape(config.hostname)} = nixpkgs\.lib\.nixosSystem \{{.*?^ \}};\n"
new_content, count = re.subn(replace_pattern, new_entry, content, flags=re.MULTILINE | re.DOTALL)
if count == 0:
raise ValueError(f"Could not find existing entry for {config.hostname} in flake.nix")
else:
# Insert new entry before closing brace of nixosConfigurations
# Pattern: " };\n packages = forAllSystems"
pattern = r"( \};)\n( packages = forAllSystems)"
replacement = rf"{new_entry}\g<1>\n\g<2>"
new_content, count = re.subn(pattern, replacement, content)
if count == 0:
raise ValueError(
"Could not find insertion point in flake.nix. "
"Looking for pattern: ' };\\n packages = forAllSystems'"
)
flake_path.write_text(new_content)
def update_terraform_vms(config: HostConfig, repo_root: Path, force: bool = False) -> None:
"""
Add or update VM entry in terraform/vms.tf locals.vms map.
Args:
config: Host configuration
repo_root: Path to repository root
force: If True, replace existing entry; if False, insert new entry
"""
terraform_path = repo_root / "terraform" / "vms.tf"
content = terraform_path.read_text()
# Create new entry based on whether we have static IP or DHCP
if config.is_static_ip:
new_entry = f''' "{config.hostname}" = {{
ip = "{config.ip}"
cpu_cores = {config.cpu}
memory = {config.memory}
disk_size = "{config.disk}"
}}
'''
else:
new_entry = f''' "{config.hostname}" = {{
cpu_cores = {config.cpu}
memory = {config.memory}
disk_size = "{config.disk}"
}}
'''
# Check if hostname already exists
hostname_pattern = rf'^\s+"{re.escape(config.hostname)}" = \{{'
existing_match = re.search(hostname_pattern, content, re.MULTILINE)
if existing_match and force:
# Replace existing entry
# Match the entire block from "hostname" = { to }
replace_pattern = rf'^\s+"{re.escape(config.hostname)}" = \{{.*?^\s+\}}\n'
new_content, count = re.subn(replace_pattern, new_entry, content, flags=re.MULTILINE | re.DOTALL)
if count == 0:
raise ValueError(f"Could not find existing entry for {config.hostname} in terraform/vms.tf")
else:
# Insert new entry before closing brace
# Pattern: " }\n\n # Compute VM configurations"
pattern = r"( \})\n\n( # Compute VM configurations)"
replacement = rf"{new_entry}\g<1>\n\n\g<2>"
new_content, count = re.subn(pattern, replacement, content)
if count == 0:
raise ValueError(
"Could not find insertion point in terraform/vms.tf. "
"Looking for pattern: ' }\\n\\n # Compute VM configurations'"
)
terraform_path.write_text(new_content)
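
Review bot: in both functions `new_entry` is embedded in the `re.subn` replacement string (`rf"{new_entry}\g<1>..."`), so any backslash in `config.disk` or `config.ip` is interpreted as a replacement escape; pass a function as the replacement or splice the text at `match.start()` instead. When an entry already exists and `force` is false the code falls through to the insert branch and adds a duplicate, so raise there rather than relying on the caller's uniqueness check. The insert patterns are also applied to every match; check that each pattern occurs exactly once before substituting.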

@@ -0,0 +1,54 @@
"""Data models for host configuration."""
from dataclasses import dataclass
from typing import Optional
@dataclass
class HostConfig:
"""Configuration for a new NixOS host."""
hostname: str
ip: Optional[str] = None
cpu: int = 2
memory: int = 2048
disk: str = "20G"
@property
def is_static_ip(self) -> bool:
"""Check if host uses static IP configuration."""
return self.ip is not None
@property
def gateway(self) -> str:
"""Default gateway for the network."""
return "10.69.13.1"
@property
def nameservers(self) -> list[str]:
"""DNS nameservers for the network."""
return ["10.69.13.5", "10.69.13.6"]
@property
def domain(self) -> str:
"""Domain name for the network."""
return "home.2rjus.net"
@property
def state_version(self) -> str:
"""NixOS state version for new hosts."""
return "25.11"
def validate(self) -> None:
"""Validate configuration constraints."""
if not self.hostname:
raise ValueError("Hostname cannot be empty")
if self.cpu < 1:
raise ValueError("CPU cores must be at least 1")
if self.memory < 512:
raise ValueError("Memory must be at least 512 MB")
if not self.disk:
raise ValueError("Disk size cannot be empty")
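
Review bot: `validate()` only checks that `disk` is non-empty, yet the value is written verbatim into the Terraform entry as `disk_size = "{config.disk}"`, so a value containing a quote or a newline changes the structure of vms.tf. Constrain it to a size pattern (digits followed by a unit such as `G`) and add upper bounds for `cpu` and `memory`. The gateway, nameservers and domain are hard-coded as properties; one docstring line saying they describe the single 10.69.13.0/24 network would explain why they are not fields.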

@@ -0,0 +1,33 @@
from setuptools import setup
from pathlib import Path
# Read templates
templates = [str(p.relative_to(".")) for p in Path("templates").glob("*.j2")]
setup(
name="create-host",
version="0.1.0",
description="NixOS host configuration generator for homelab infrastructure",
py_modules=[
"create_host",
"models",
"validators",
"generators",
"manipulators",
],
include_package_data=True,
data_files=[
("templates", templates),
],
install_requires=[
"typer",
"jinja2",
"rich",
],
entry_points={
"console_scripts": [
"create-host=create_host:app",
],
},
python_requires=">=3.9",
)
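
Review bot: `Path("templates").glob("*.j2")` at the top is resolved against the current working directory, so a build started from anywhere other than the script directory produces an empty `templates` list and the package installs without its Jinja templates, with no error. Anchor the path on `Path(__file__).parent` and fail when the list is empty. `install_requires` names `typer`, `jinja2` and `rich` with no version bounds; if the build is not pinned elsewhere, add at least minimum versions.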

@@ -0,0 +1,66 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
../template2/hardware-configuration.nix
../../system
../../common/vm
];
nixpkgs.config.allowUnfree = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.hostName = "{{ hostname }}";
networking.domain = "{{ domain }}";
networking.useNetworkd = true;
networking.useDHCP = false;
services.resolved.enable = true;
networking.nameservers = [
{% for ns in nameservers %}
"{{ ns }}"
{% endfor %}
];
systemd.network.enable = true;
systemd.network.networks."ens18" = {
matchConfig.Name = "ens18";
{% if is_static_ip %}
address = [
"{{ ip }}"
];
routes = [
{ Gateway = "{{ gateway }}"; }
];
{% else %}
networkConfig.DHCP = "ipv4";
{% endif %}
linkConfig.RequiredForOnline = "routable";
};
time.timeZone = "Europe/Oslo";
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.tarball-ttl = 0;
environment.systemPackages = with pkgs; [
vim
wget
git
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
system.stateVersion = "{{ state_version }}"; # Did you read the comment?
}
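
Review bot: `networking.firewall.enable = false;` near the end means every host generated from this template starts with no packet filter, even though the commented `allowedTCPPorts` and `allowedUDPPorts` lines directly above it show the per-port option. Leave the firewall enabled in the template and let each host open what it serves. The `{{ hostname }}`, `{{ ip }}`, `{{ gateway }}` and `{{ ns }}` values are placed inside Nix string literals without escaping, so the template is only as safe as the validators that run before rendering; a comment at the top of the file should say so.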

@@ -0,0 +1,159 @@
"""Validation functions for host configuration."""
import re
from pathlib import Path
from typing import Optional
def validate_hostname_format(hostname: str) -> None:
"""
Validate hostname format according to RFC 1123.
Args:
hostname: Hostname to validate
Raises:
ValueError: If hostname format is invalid
"""
# RFC 1123: lowercase, alphanumeric, hyphens, max 63 chars
pattern = r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$"
if not re.match(pattern, hostname):
raise ValueError(
f"Invalid hostname '{hostname}'. "
"Must be lowercase alphanumeric with hyphens, "
"start and end with alphanumeric, max 63 characters."
)
def validate_hostname_unique(hostname: str, repo_root: Path) -> None:
"""
Validate that hostname is unique in the repository.
Args:
hostname: Hostname to check
repo_root: Path to repository root
Raises:
ValueError: If hostname already exists
"""
# Check if host directory exists
host_dir = repo_root / "hosts" / hostname
if host_dir.exists():
raise ValueError(f"Host directory already exists: {host_dir}")
# Check if hostname exists in flake.nix
flake_path = repo_root / "flake.nix"
if flake_path.exists():
flake_content = flake_path.read_text()
# Look for pattern like " hostname = "
hostname_pattern = rf'^\s+{re.escape(hostname)}\s*='
if re.search(hostname_pattern, flake_content, re.MULTILINE):
raise ValueError(f"Hostname '{hostname}' already exists in flake.nix")
def validate_ip_format(ip: str) -> None:
"""
Validate IP address format with CIDR notation.
Args:
ip: IP address with CIDR (e.g., "10.69.13.50/24")
Raises:
ValueError: If IP format is invalid
"""
if not ip:
return
# Check CIDR notation
if "/" not in ip:
raise ValueError(f"IP address must include CIDR notation (e.g., {ip}/24)")
ip_part, cidr_part = ip.rsplit("/", 1)
# Validate CIDR is /24
if cidr_part != "24":
raise ValueError(f"CIDR notation must be /24, got /{cidr_part}")
# Validate IP format
octets = ip_part.split(".")
if len(octets) != 4:
raise ValueError(f"Invalid IP address format: {ip_part}")
try:
octet_values = [int(octet) for octet in octets]
except ValueError:
raise ValueError(f"Invalid IP address format: {ip_part}")
# Check each octet is 0-255
for i, value in enumerate(octet_values):
if not 0 <= value <= 255:
raise ValueError(f"Invalid octet value {value} in IP address")
# Check last octet is 1-254
if not 1 <= octet_values[3] <= 254:
raise ValueError(
f"Last octet must be 1-254, got {octet_values[3]}"
)
def validate_ip_subnet(ip: str) -> None:
"""
Validate that IP address is in the correct subnet (10.69.13.0/24).
Args:
ip: IP address with CIDR (e.g., "10.69.13.50/24")
Raises:
ValueError: If IP is not in correct subnet
"""
if not ip:
return
validate_ip_format(ip)
ip_part = ip.split("/")[0]
octets = ip_part.split(".")
# Check subnet is 10.69.13.x
if octets[:3] != ["10", "69", "13"]:
raise ValueError(
f"IP address must be in 10.69.13.0/24 subnet, got {ip_part}"
)
def validate_ip_unique(ip: Optional[str], repo_root: Path) -> None:
"""
Validate that IP address is not already in use.
Args:
ip: IP address with CIDR to check (None for DHCP)
repo_root: Path to repository root
Raises:
ValueError: If IP is already in use
"""
if not ip:
return # DHCP mode, no uniqueness check needed
# Extract just the IP part without CIDR for searching
ip_part = ip.split("/")[0]
# Check all hosts/*/configuration.nix files
hosts_dir = repo_root / "hosts"
if hosts_dir.exists():
for config_file in hosts_dir.glob("*/configuration.nix"):
content = config_file.read_text()
if ip_part in content:
raise ValueError(
f"IP address {ip_part} already in use in {config_file}"
)
# Check terraform/vms.tf
terraform_file = repo_root / "terraform" / "vms.tf"
if terraform_file.exists():
content = terraform_file.read_text()
if ip_part in content:
raise ValueError(
f"IP address {ip_part} already in use in {terraform_file}"
)
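
Review bot: in `validate_hostname_format`, `re.match` with a pattern ending in `$` accepts a hostname that carries a trailing newline, because `$` also matches just before a final `\n`; use `re.fullmatch` (or end the pattern with `\Z`), since the hostname is later written into flake.nix, vms.tf and the generated host configuration. `validate_ip_format` has a similar gap: `int(octet)` accepts forms such as ` 50`, `+50` and `5_0`, so an octet can pass the range check without being a plain decimal; `ipaddress.ip_interface` from the standard library would replace the manual parsing. In `validate_ip_unique`, `ip_part in content` is a substring test, so `10.69.13.5` is reported as in use whenever `10.69.13.50` appears in a file; compare parsed addresses or match on delimiters. The `except ValueError:` re-raise should chain with `from None` or `from err`.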

@@ -2,11 +2,8 @@ authelia_ldap_password: ENC[AES256_GCM,data:x2UDMpqQKoRVSlDSmK5XiC9x4/WWzmjk7cwt
authelia_jwt_secret: ENC[AES256_GCM,data:9ZHkT2o5KZLmml95g8HZce8fNBmaWtRn+175Gaz0KhsndNl3zdgGq3hydRuoZuEgLVsherJImVmb5DQAZpv04lUEsDKCYeFNwAyYl4Go2jCp1fI53fdcRCKlNVZA37pMi4AYaCoe8vIl/cwPOOBDEwK5raOBnklCzVERoO0B8a0=,iv:9CTWCw0ImZR0OSrl2znbhpRHlzAxA5Cpcy98JeH9Z+Y=,tag:L+0xKqiwXTi7XiDYWA1Bcw==,type:str] authelia_jwt_secret: ENC[AES256_GCM,data:9ZHkT2o5KZLmml95g8HZce8fNBmaWtRn+175Gaz0KhsndNl3zdgGq3hydRuoZuEgLVsherJImVmb5DQAZpv04lUEsDKCYeFNwAyYl4Go2jCp1fI53fdcRCKlNVZA37pMi4AYaCoe8vIl/cwPOOBDEwK5raOBnklCzVERoO0B8a0=,iv:9CTWCw0ImZR0OSrl2znbhpRHlzAxA5Cpcy98JeH9Z+Y=,tag:L+0xKqiwXTi7XiDYWA1Bcw==,type:str]
authelia_storage_encryption_key_file: ENC[AES256_GCM,data:RfbcQK8+rrW/Krd2rbDfgo7YI2YvQKqpLuDtk5DZJNNhw4giBh5nFp/8LNeo8r39/oiJLYTe6FjTLBu72TZz2wWrJFsBqjwQ/3TfATQGdLUsaXXRDr88ezHLTiYvEHIHJhUS5qsr7VMwBam5e7YGWBe5sGZCE/nX41ijyPUjtOY=,iv:sayYcAC38cApAtL+cDhgGNjWaHn+furKRowKL6AmfdU=,tag:1IZpnlpvDWGLLpZyU9iJUw==,type:str] authelia_storage_encryption_key_file: ENC[AES256_GCM,data:RfbcQK8+rrW/Krd2rbDfgo7YI2YvQKqpLuDtk5DZJNNhw4giBh5nFp/8LNeo8r39/oiJLYTe6FjTLBu72TZz2wWrJFsBqjwQ/3TfATQGdLUsaXXRDr88ezHLTiYvEHIHJhUS5qsr7VMwBam5e7YGWBe5sGZCE/nX41ijyPUjtOY=,iv:sayYcAC38cApAtL+cDhgGNjWaHn+furKRowKL6AmfdU=,tag:1IZpnlpvDWGLLpZyU9iJUw==,type:str]
authelia_session_secret: ENC[AES256_GCM,data:4PaLv4RRA7/9Z8QzETXLwo3OctJ0mvzQkYmHsGGF97nq9QeB3eo0xj4FyuCbkJGGZ/huAyRgmFBTyscY3wgxoc4t+8BdlYcSbefEk1/xRFjmG8ooXLKhvGJ5c6t72KJRcqsEGTiC0l9CFJWQ2qYcjM4dPwG8z0tjUZ6j25Zfx4M=,iv:QORJkf0w6iyuRHM/xuql1s7K75Qa49ygq+lwHfrm9rk=,tag:/HZ/qI80fKjmuTRwIwmX8g==,type:str] authelia_session_secret: ENC[AES256_GCM,data:4PaLv4RRA7/9Z8QzETXLwo3OctJ0mvzQkYmHsGGF97nq9QeB3eo0xj4FyuCbkJGGZ/huAyRgmFBTyscY3wgxoc4t+8BdlYcSbefEk1/xRFjmG8ooXLKhvGJ5c6t72KJRcqsEGTiC0l9CFJWQ2qYcjM4dPwG8z0tjUZ6j25Zfx4M=,iv:QORJkf0w6iyuRHM/xuql1s7K75Qa49ygq+lwHfrm9rk=,tag:/HZ/qI80fKjmuTRwIwmX8g==,type:str]
lldap_user_pass: ENC[AES256_GCM,data:56gF7uqVQ+/J5/lY/N904Q==,iv:qtY1XhHs4WWA4kPY56NigPvX4OslO0koZepgdv947zg=,tag:UDmJs8FPXskp7rUS2Sxinw==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
enc: | enc: |
@@ -26,8 +23,7 @@ sops:
RW5HRjA3cERCUU1CVWZhck12SGhTRUkK6k/zQ87TIETYouRBby7ujtwgpqIPKKv+ RW5HRjA3cERCUU1CVWZhck12SGhTRUkK6k/zQ87TIETYouRBby7ujtwgpqIPKKv+
2aLJW6lSWMVzL/f3ZrIeg12tJjHs3f44EXR6j3tfLfSKog2iL8Y57w== 2aLJW6lSWMVzL/f3ZrIeg12tJjHs3f44EXR6j3tfLfSKog2iL8Y57w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-01T21:37:33Z" lastmodified: "2025-12-06T10:03:56Z"
mac: ENC[AES256_GCM,data:4stf2UFt1ogH8pIJCUwMvbXG7YzyehbDEi6Qsfi5s3Kmx/AQAC6SpE31HL3qgYNdi10vbZEVH1lrFljPWs4YdnevzM2z9l3mfiR5D10vp2z/Nvw/+IDNheXxQfgO82QdVZ6qfo83zxYPoda+PmdFatmHTB00V9lNm6DF4unRy60=,iv:byyo1297YoxFO6S9TVzlPHR082IugZHSHCiT5sZE2T0=,tag:dtSxGNVxjR77gnegIHw1Sw==,type:str] mac: ENC[AES256_GCM,data:SRNqx5n+xg/cNGiyze3CGKufox3IuXmOKLqNRDeJhBNMBHC1iYYCjRdHEVXsl7XSiYe51dSwjV0KrJa/SG1pRVkuyT+xyPrTjT2/DyXN7A/CESSAkBIwI7lkZmIf8DkxB3CELF1PgjIr1o2isxlBnkAnhEBTxQ7t8AzpcH7I5yU=,iv:P3FGQurZrL0ed5UuBPRFk11T0VRFtL6xI4iQ4LmYTec=,tag:8gQL08ojjIMyCl5E0Qs/Ww==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.11.0

@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:P84qHFU+xQjwQGK8I1gIdcBsHrskuUg0M1nGMMaA+hFjAdFYUhdhmAN/+y0CO28=,iv:zJtk01zNMTBDQdVtZBTM34CHRaNYDkabolxh7PWGKUI=,tag:8AS80AbZJbh9B3Av3zuI1w==,type:str]",
"sops": {
"age": [
{
"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRFB6QTIyWWdwVkV4ZXNB\nWkdSdEhMc0s4cnByWVZXTGhnSWZ0MTdEUWhJCnFlOFQ5TU1hcE91azVyZXVXRCtu\nZjIxalRLYlEreGZ6ZDNoeXNPaFN4b28KLS0tIHY5WVFXN1k4NFVmUjh6VURkcEpv\ncklGcWVhdTdBRnlOdm1qM2h5SS9UUkEKq2RyxSVymDqcsZ+yiNRujDCwk1WOWYRW\nDa4TRKg3FCe7TcCEPkIaev1aBqjLg9J9c/70SYpUm6Zgeps7v5yl3A==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTGVuckp2NlhMZXRNMVhO\naUV3K0h3cmZ5ZGx4Q3dJWHNqZXFJeE1kM0dFCmF4TUFUMm9mTHJlYzlYWVhNa1RH\nR29VNDIrL1IvYUpQYm5SZEYzbWhhbkkKLS0tIEJsK1dwZVdaaHpWQkpOOS90dkhx\nbGhvRXhqdFdqQmhZZmhCdmw4NUtSVG8K3z2do+/cIjAqg6EMJnubOWid1sMeTxvo\nrq6eGJ7YzdgZr2JBVtJdDRtk/KeHXu9In4efbBXwLAPIfn1pU0gm1w==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-08-21T19:08:48Z",
"mac": "ENC[AES256_GCM,data:5CkO09NIqttb4UZPB9iGym8avhTsMeUkTFTKZJlNGjgB1qWyGQNeKCa50A1+SbBCCWE5EwxoynB1so7bi8vnq7k8CPUHbiWG8rLOJSYHQcZ9Tu7ZGtpeWPcCw1zPWJ/PTBsFVeaT5/ufdx/6ut+sTtRoKHOZZtO9oStHmu/Rlfg=,iv:z9iJJlbvhgxJaART5QoCrqvrqlgoVlGj8jlndCALmKU=,tag:ldjmND4NVVQrHUldLrB4Jg==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

@@ -1,23 +1,18 @@
{ {
"data": "ENC[AES256_GCM,data:MQkR6FQGHK2AuhOmy2was49RY2XlLO5NwaXnUFzFo5Ata/2ufVoAj4Jvotw/dSrKL7f62A6s+2BPAyWrvACJ+pwYFlfyj3T9bNwhxwZPkEmiHEubJjWSiD6jkSW0gOxbY8ib6g/GbyF8I1cPeYr/hJD5qQ==,iv:eBL2Y3MOt9gYTETUZqsHo1D5hPOHxb4JR6Z/DFlzzqI=,tag:Qqbt39xZvQz/QhsggsArsw==,type:str]", "data": "ENC[AES256_GCM,data:MQkR6FQGHK2AuhOmy2was49RY2XlLO5NwaXnUFzFo5Ata/2ufVoAj4Jvotw/dSrKL7f62A6s+2BPAyWrvACJ+pwYFlfyj3T9bNwhxwZPkEmiHEubJjWSiD6jkSW0gOxbY8ib6g/GbyF8I1cPeYr/hJD5qQ==,iv:eBL2Y3MOt9gYTETUZqsHo1D5hPOHxb4JR6Z/DFlzzqI=,tag:Qqbt39xZvQz/QhsggsArsw==,type:str]",
"sops": { "sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [ "age": [
{ {
"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQ0dGckxKMmZsM1JER3Qx\nYkRhb282OFlFSmRrNmU3c0dIYitmbHE1bHlFCnhpK0pCRlhlTlpBTHl6aU53blBP\nNGFuejRjOFhPWnhvUURPMzY1V1A5ZnMKLS0tIGhMSWhxVWtCbXd0Vnh6N1J1STBT\nVDRzWURscjNYT21kMzRYVnZDQlkreVkKMkRqbGfHd2/bRf8on8eqoJpFI8i9vMDK\ni0Lrw7Zpw0D1Arzq6rA8YGyAqboV4ixQVUjlrL8cJv9n3/8geCfOAQ==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZzFXaEsyUkZGNFV0bVlW\nRkpPRHpUK2VwUHpOQXZCUUpoVzFGa3hycnhvCndTN0toVFdoU2E5N3V3UFhTTjU0\nNDByWTkrV0o3T295dE0zS08rVGpyQjAKLS0tIC96M0VEcWpjRk5DMjJnMFB4ZHI3\nM2Jod2x4ZzMyZm1pbDhZNTFuWGNRUlEKHs5jBSfjml09JOeKiT9vFR0Fykg6OxKG\njhFU/J2+fWB22G7dBc4PI60SNqhxIheUbGTdcz4Yp4BPL6vW3eArIw==\n-----END AGE ENCRYPTED FILE-----\n"
}, },
{ {
"recipient": "age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6", "recipient": "age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaUt5VHBWY3NiR2U4MXVX\nREpLZXIxaDNSc2FmdEZkclNEeHdkSzBEdDI4CjNiS0xMV1hjMmxVd1QwekFXT29k\nMXIrQ2VIMTR2ejJWaGd2S00zQWVKVHcKLS0tIER1azhRRHVRZzJuQU5xL3hZb1lR\nZlN3NGV2a1c2M1AwSW1JeldOTkhRMjAKGDk5neEcVzSPtauiiqxkOaqaCj/+jzUk\nEE8g9XQuK5xAIxFlvqPilgo59VOL335VjUJZqGgFxfc7TvhZQTSAaQ==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJT3lxamcrQUpFdjZteFlF\nYUQ3aGdadGpuNXd2Z3RtZ3dQU0cvMlFUMUNRClBDR3U0OXZJU0NDamVMSlR5NitN\nYlhvNVlvUE0wRjErYzkwVHFOdGVCVjgKLS0tIEttR1BLTGpDYTRSQ0lUZmVEcnNi\nWkNaMEViUHVBcExVOEpjNE5CZHpjVkEKuX/Rf8kaB3apr1UhAnq3swS6fXiVmwm8\n7Key+SUAPNstbWbz0u6B9m1ev5QcXB2lx2/+Cm7cjW+6VE2gLHjTsQ==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-01-24T12:19:16Z", "lastmodified": "2025-01-24T12:19:16Z",
"mac": "ENC[AES256_GCM,data:X8X91LVP1MMJ8ZYeSNPRO6XHN+NuswLZcHpAkbvoY+E9aTteO8UqS+fsStbNDlpF5jz/mhdMsKElnU8Z/CIWImwolI4GGE6blKy6gyqRkn4VeZotUoXcJadYV/5COud3XP2uSTb694JyQEZnBXFNeYeiHpN0y38zLxoX8kXHFbc=,iv:fFCRfv+Y1Nt2zgJNKsxElrYcuKkATJ3A/jvheUY2IK4=,tag:hYojbMGUAQvx7I4qkO7o9w==,type:str]", "mac": "ENC[AES256_GCM,data:X8X91LVP1MMJ8ZYeSNPRO6XHN+NuswLZcHpAkbvoY+E9aTteO8UqS+fsStbNDlpF5jz/mhdMsKElnU8Z/CIWImwolI4GGE6blKy6gyqRkn4VeZotUoXcJadYV/5COud3XP2uSTb694JyQEZnBXFNeYeiHpN0y38zLxoX8kXHFbc=,iv:fFCRfv+Y1Nt2zgJNKsxElrYcuKkATJ3A/jvheUY2IK4=,tag:hYojbMGUAQvx7I4qkO7o9w==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.9.3" "version": "3.9.3"
} }
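
Review bot: the second recipient changes from the key beginning `age1a0477` to the one beginning `age1w029` and both `enc` blocks are re-wrapped, but `data`, `mac` and `lastmodified` are identical on both sides, so the data key and the secret itself are unchanged. Whoever holds the removed recipient's private key can still decrypt this value from the earlier revision in history. If the old key is being retired because it may be exposed, rotate the data key and replace the underlying secret in the same change; if this is a routine host key replacement, say so in the commit message.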

@@ -3,157 +3,152 @@ ns_xfer_key: ENC[AES256_GCM,data:VFpK7GChgFeUgQm31tTvVC888bN0yt6BAnHQa6KUTg4iZGP
backup_helper_secret: ENC[AES256_GCM,data:EvXEJnDilbfALQ==,iv:Q3dkZ8Ee3qbcjcoi5GxfbaVB4uRIvkIB6ioKVV/dL2Y=,tag:T/UgZvQgYGa740Wh7D0b7Q==,type:str] backup_helper_secret: ENC[AES256_GCM,data:EvXEJnDilbfALQ==,iv:Q3dkZ8Ee3qbcjcoi5GxfbaVB4uRIvkIB6ioKVV/dL2Y=,tag:T/UgZvQgYGa740Wh7D0b7Q==,type:str]
nats_nkey: ENC[AES256_GCM,data:N2CVXjdwiE7eSPUtXe+NeKSTzA9eFwK2igxaCdYsXd4Ps0/DjYb/ggnQziQzSy8viESZYjXhJ2VtNw==,iv:Xhcf5wPB01Wu0A+oMw0wzTEHATp+uN+wsaYshxIzy1w=,tag:IauTIOHqfiM75Ufml/JXbg==,type:str] nats_nkey: ENC[AES256_GCM,data:N2CVXjdwiE7eSPUtXe+NeKSTzA9eFwK2igxaCdYsXd4Ps0/DjYb/ggnQziQzSy8viESZYjXhJ2VtNw==,iv:Xhcf5wPB01Wu0A+oMw0wzTEHATp+uN+wsaYshxIzy1w=,tag:IauTIOHqfiM75Ufml/JXbg==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT2c0b243bGJOeUZ1MHZn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbC90WWJiRXRPZ1VUVWhO
QkZsYlA4bGc2VGNTQ0R6YVZKWGQ1SlB4T2xvCmtkZTREM3VXb1BQMnZJRnRhVTI5 azc5R2lGeDhoRmQydXBnYlltbE81ajFQNW0wClRJNC9iaFV0NDRKRkw2Mm1vOHpN
TFdJL2xYdHc4cVkzRnF4eXF3YzdvclEKLS0tIFB2Uzg4cGlkNVZFZVFGVFFkcjc4 dVhnUm1nbElQRGQ4dmkxQ2FWdEdpdDAKLS0tIG9GNEpuZUFUQkVXbjZPREo0aEh4
bVYvOFBpeC9zbS9HeVB2SHhORlZrbncKIKdbqV938sr41I6jcNVly5bfXP4YyCXT ZVMyY0Y0Zldvd244eSt2RVZDeUZKWmcKGQ7jq50qiXPLKCHq751Y2SA79vEjbSbt
P7ISh90lC54cZi9S7eHwiKw439VUI48hfuNNPAZNdlmOVJXW6GGrUg== yhRiakVEjwf9A+/iSNvXYAr/tnKaYC+NTA7F6AKmYpBcrzlBGU68KA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0 - recipient: age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcjVtNUltTzN0amxrMkhu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTWFBRVRKeXR0UUloQ3FK
czRBajJydnBuOHVzei8xQlQwdk9aWnVQZURrCllvc3RxdTdNbVNCOENPbEtlSDc4 Rmhsak45aFZBVUp4Szk5eHJhZmswV3JUcHh3Cis0N09JaCtOZE1pQUM5blg4WDY5
MkdYd2NkNVVseDFkemp4eElxbEV0N28KLS0tIGhuRmExeHBvb09WTUdPTytjeXhh Q0ZGajJSZnJVQzdJK0dxZjJNWHZkbGsKLS0tIEVtRVJROTlWdWl0cFlNZmZkajM5
ZTlKQ2VJcTBiUG1CSTZNVmtEKzRheHMKI8P+5CjfMEJNBQQH6K2L+1/FMouAwYGY N3FpdU56WlFWaC9QYU5Kc1o2a1VkT0UK2Utr9mvK8If4JhjzD+l06xZxdE3nbvCO
KbnQWt3AYaAhGEcKRBTS53cvwlsVa5KDQ8F2Htw9eFRALj+HssmlyQ== NixMiYDhuQ/a55Fu0653jqd35i3CI3HukzEI9G5zLEeCcXxTKR5Bjg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um - recipient: age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKb1JvZkpIcCtnMTR6UWJm YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQVk0aUw0aStuOWhFMk5a
c05VdVpJV1d3Z01DVnF2bkwxb1Nsam95ckdBCllUelp5QmFWM1VrWG1RUWhubE41 UVJ5YWg2WjU2eVFUWDlobEIrRDlZV3dxelc0Clo0N3lvOUZNL3YrM2l3Y21VaUQz
SmY2Y0xyNVNUcUdWQXhvTkpwMjVMNDAKLS0tIGtFbEZ1MkYwbGJMYjhYTVorZ2t0 MTV5djdPWTBIUXFXVDZpZitRTVhMbVEKLS0tIFluV1NFTzd0cFFaR0RwVkhlSmNm
aXQxdjErVFgvZDNZOEF4dEVjZHNubGMKWv7JCP7rABr4efJYgRY3GlqY2Zq4Qons VGdZNDlsUGI3cTQ1Tk9XRWtDSE1wNWMKQI226dcROyp/GprVZKtM0R57m5WbJyuR
UUppWu7husTFi8SmjLBKm/GwSyld1Ner5R9w3syPcUg91zbkMoXBHQ== UZO74NqiDr7nxKfw+tHCfDLh94rbC1iP4jRiaQjDgfDDxviafSbGBA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1snmhmpavqy7xddmw4nuny0u4xusqmnqxqarjmghkm5zaluff84eq5xatrd - recipient: age1snmhmpavqy7xddmw4nuny0u4xusqmnqxqarjmghkm5zaluff84eq5xatrd
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bi9JeURVT3BPNEFxbSt5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WVBzazE3VkNDWXUwMk5x
bUVCU1RQcG1CRlp2dHZXT3JOS255QTZxT3pvCiswMTNFRTJucHhDUzE4allZM0FB NnZtL3N3THVBQytxZzdZNUhCeThURFBLdjBVClBpZjd5L3lKYjRZNVF2Z3hibW5R
dG03ZVFDRGt2SzlTSVVFVVdzVG4xTTQKLS0tIGNwV0Fua3RXd0t6bDc1TmQvVGFr YTdTR0NzaVp4VEZlTjlaTHVFNXNSSUEKLS0tIDBGbmhGUFNJQ21zeW1SbWtyWWh0
Tmd5RlRsRFlkV1lyUkw5MTRicDU3dFEKHFm87tLsOuLwzmaAXw3GWDq1hYY/lipO QkFXN2g5TlhBbnlmbW1aSUJQL1FOaWMKTv8OoaTxyG8XhKGZNs4aFR/9SXQ+RG6w
m6avJCtPI1AzeITpQlSl/t+p9JKm69+VyDE0cCfa6YfkSAuh9s3YFQ== +fxiUx7xQnOIYag9YQYfuAgoGzOaj/ha+i18WkQnx9LAgrjCTd+ejA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q - recipient: age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnc21EVUI4eEhwYWE4MXlQ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcnVxL09JTEdsZ0FUb2VH
NnhFTEJXTUVReE1ZZHlyWFJkM0RyVzY4QTJZCjRnTk1LTXA5SWZCZS9KcDJ5N0ov a3dSY09uRFFCYnJXQno3YUFhMlpueHJreXdFCjQ4UWdRak5yK0VIT2lYUjBVK2h5
WGdHU0xjTlUyT2diZkVZaWp5MlU4M2MKLS0tIDBxYVVUOURPbXcxdHcyQVZNcEQ3 RFJmMTlyVEpnS3JxdkE4ckp1UHpLM2sKLS0tIHVyZXRTSHQxL1p1dUxMKzkyV0pW
akdqNmJvakFyQms1ZlVkcXhKVVpLTkEKKpG7tEUb0OfeqyHLIIN/JOiM94oNDmrQ a2o0bG9vZUtmckdYTkhLSVZtZVRtNlUKpALeaeaH4/wFUPPGsNArTAIIJOvBWWDp
qk1m87QZnDoxxcqhlWl1K6ZDINq/EBDKbrA/TFr7c7yECqq4HqEfSw== MUYPJjqLqBVmWzIgCexM2jsDOhtcCV26MXjzTXmZhthaGJMSp23kMQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l - recipient: age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4emZJY21NQUhtTDJKTXNu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5M0liYUY1UHRHUDdvN3ds
WGk5bjl6bnlESVZndnVjMXNiazYvTXJwSEFJCjF5dDJCSW1nbVBSUEJqSVZocHdQ TVdiWDlrWFROSVdRTy9nOHFOUTdmTmlHSzE4CjBpU3gzdjdWaHQzNXRMRkxPdVps
TE9PME1qTitXQTN1ZFdXUjBsS2JFMlkKLS0tIGliSkcxQ05VUTVxazc1ZEQ5S0Ex TEZXbVlYenUwc3o0TXRnaXg4MmVHQmcKLS0tIDlVeWQ4V0hjbWJqRlNUL2hOWVhp
czY3YjRWRytaTDdWQXB0RFU0UUhTZncK2X0LNb0ThAk5AxeLFcEM/cE95+OruE/s WEJvZWZzbWZFeWZVeWJ1c3pVOWI3MFUKN2QfuOaod5IBKkBkYzi3jvPty+8PRGMJ
qxnS453vp5uFSFz7qYS/7k42RmOKXdLd8zLaCmJwARZu44jVvWOzMw== mozL7qydsb0bAZJtAwcL7HWCr1axar/Ertce0yMqhuthJ5bciVD5xQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1gcyfkxh4fq5zdp0dh484aj82ksz66wrly7qhnpv0r0p576sn9ekse8e9ju - recipient: age1gcyfkxh4fq5zdp0dh484aj82ksz66wrly7qhnpv0r0p576sn9ekse8e9ju
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZTFMeXNOZWJ6bEVCTm5h YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5L3NmcFMyUUpLOW9mOW9v
K3hNR0VzUmdDSXZqalQ2TzE0V1dsMDBsK1dvCkQrRjVhV0FPTVN4bjYweVlKc05v VXhMTjl5SEFsZ0pzR3lHb1VJL0IzUUxCckdzCnltZnVySkszVUtwbDdQNHAwVWxl
U09YdkxCY3EraU8wMDhmYlhrN0tBVmcKLS0tIGNaWDFGVXlOZm8zMmRHVXVSbnZQ V2xJU1BqSG0yMk5sTkpKRTIvc2JORFUKLS0tIHNydWZjdGg3clNpMDhGSGR6VVVh
azM0NFhxYXZmaDBiRmhTT2w0a1UvY3MKvj4k/ee5KewwmyBdH9TT3c6wcrymChBa VU1Rbk9ybGRJOG1ETEh4a1orNUY2Z00KJmdp+wLHd+86RJJ/G0QbLp4BEDPXfE9o
o1LYK/mv5VvtZVOI5pTC1zxuqR3gB+whmRZrrGG7XE1ggeEKlV6VVw== VZhPPSC6qtUcFV2z6rqSHSpsHPTlgzbCRqX39iePNhfQ2o0lR2P2zQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1g5luz2rtel3surgzuh62rkvtey7lythrvfenyq954vmeyfpxjqkqdj3wt8 - recipient: age1g5luz2rtel3surgzuh62rkvtey7lythrvfenyq954vmeyfpxjqkqdj3wt8
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOXJPN3NxQVFzSGpKZWx3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbnhXSG5qdVJHSjNmQ3Qx
VUdxcjFLekk0THJIcUZzMUZyd1dqTnRxRENVCmtNZDRsTjV0dXBpZVhuRi9BZEk5 Yk9zSVBkVTQyb3luYXgwbFJWbG9xK2tWZUdrCkh2MktoWmFOdkRldFNlQW1EMm9t
VFBROTZPTUEzVmFiNGdoZHV2bWplVmsKLS0tIG9zblVGaDBlTTlmSkZtZWExOFlT ZHJRa3QrRzh0UElSNGkvSWcyYTUxZzgKLS0tIGdPT2dwWU9LbERYZGxzUTNEUHE1
NzVtWWVoTzJXTzRyYjRzaHlOcit2L2MKq60k8FeYsK/JnDpgdIWkoY3ZW0yZkryE TmlIdWJjbmFvdnVQSURqUTBwbW9EL00Kaiy5ZGgHjKgAGvzbdjbwNExLf4MGDtiE
F9DgKQL5wuqbtFoKX02ouQ6rb1y7rY1uJgLt6Mi6dsVWlwVw2fbDYQ== NJEvnmNWkQyEhtx9YzUteY02Tl/D7zBzAWHlV3RjAWTNIwLmm7QgCw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m - recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaEtKY2pkQWZoSUx3V3Rn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDFIa1hNZU1BNWxHckk1
MXpHa3B1UFRuWUR2azJKaFliUm5OaDFlNEFZCjBsaTlBN0JXUWFTbzdvV2hFRnRR UEdJT282Y054eVNpb3VOZ2t3S2NndTkycXdNCk1sNk5uL2xpbXk1MG95dVM1OWVD
TW1Pb2J4MFZHM2FPeUlLaVlNWWdXdGMKLS0tIDdNTEdhbVltQnFvRURQbkFiRUgy TldUWmsrSmxGeHYweWhGWXpSaE0xRmcKLS0tIFlVbEp2UU1kM0hhbHlSZm96TFl2
TGFSSkpTQndReWhXSGFPcVE4OTI1WFkK3xyxzPFIjOxsBTXrSAfjNZ/ZdZ+a4okg TkVaK0xHN1NxNzlpUVYyY2RpdisrQVkKG+DlyZVruH64nB9UtCPMbXhmRHj+zpr6
ES9KXP6CsxGye0cXURAoJwWRxZdp1+XZ69EudXtqbHOJAKJkTZLeLA== CX4JOTXbUsueZIA4J/N93+d2J3V6yauoRYwCSl/JXX/gaSeSxF4z3A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk - recipient: age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPQUttWWswdk05cXZDUldV YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YWxPRTNaVTNLb2tYSzZ5
MC9DQmtQM3B0NjExZDJYTGxLMmlabFo3ckVjCnVoNjByNDM5bU56aUFEZnhUdHAz ZmVMYXk2MlVXYzNtZGFJNlJLR2FIVWhKb1RFCmx5bXozeExlbEZBQzhpSHA0T1JE
QmM5cnk2YkFNN2ZmT0xzbGFXOTlzUjAKLS0tIGRENER2NGdsVGNMRnhzaGkyVW1K dFpHRm8rcFl1QjZ2anRGYjVxeGJqc0EKLS0tIGVibzRnRTA3Vk5yR3c4QVFsdy95
K1FkK0NmenVlL2R5UytvVEdMMlVZWDQKG65KOqL2NXN8An8215jgSK8Q+iDXVmsO bG1tejcremFiUjZaL3hmc1gwYzJIOGMKFmXmY60vABYlpfop2F020SaOEwV4TNya
EIZ1c9XTDm0yGfv2uywBGbo+Tgt/XpzKrXJMh0YM2LN0HdTv8doeFQ== F0tgrIqbufU1Yw4RhxPdBb9Wv1cQu25lcqQLh1i4VH9BSaWKk6TDEA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey - recipient: age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTTF4YU9qaDlES2tMUWk3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRXM1VUJPNm90UUx4UEdZ
TUNLRUQ3cVdBWlFLbkZlZWtHSjRZc3RkN0NjCkphVU00QUpWeE44RjFKZmFSQlRK cDY5czVQaGl0MEdIMStjTnphTmR5ZkFWTDBjClhTd0xmaHNWUXo3NXR6eEUzTkg2
UUU2ZkJnSVZSVm9FRWMwalBhV29WOVUKLS0tIHBHTUF3YzdvcndjMzFxWTRWMzZt L3BqT1N6bTNsYitmTGVpREtiWEpzdlEKLS0tIFUybTczSlRNbDkxRVZjSnFvdmtq
dUZTSFJtNkMrazJTb3VJUjZXT2pEeUUKHWarf9/BG+c2/g3sjHGyZVyBuVRD/mJV MVdRU3RPSHNqUzJzQWl1VVkyczFaencK72ZmWJIcfBTXlezmefvWeCGOC1BhpkXO
JABj0xlDupnyFyyNLkPYQ+RsYJMdVJ4Z8oQLtIQC6G7MmK6lGQqdQg== bm+X+ihzNfktuOCl6ZIMo2n4aJ3hYakrMp4npO10a6s4o/ldqeiATg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq - recipient: age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcTFDYnpiMm5zenlRamhE YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOL3F3OWRYVVdxWncwWmlk
ZDdGcGR1L3hTRHRWTFJURDhjTGcvNEJsMVJJCkhHdHJKdkZtN0RXYkVpbTJUbUpO SnloWFdscE02L3ZRa0JGcFlwSU9tU3JRakhnCjZyTnR3T051Tmt2NGM2dkFaNGJz
NlJCajlEMXlQVWkwYVRqUlYvQy9WYUUKLS0tIFptOTJvUTJndzNob2ErSVYvVGxz WVRnNDdNN0ozYXJnK0t4ZW5JRVQ2YzQKLS0tIFk0cFBxcVFETERNTGowMThJcDNR
TDhSN3VKbkNNZ3RmL2FYUmRpejVHSHMK8vJlbft3C1fJRcQNbMbmviWaZLXSY2Lo UW0wUUlFeHovSS9qYU5BRkJ6dnNjcWcKh2WcrmxsqMZeQ0/2HsaHeSqGsU3ILynU
HS/tMhvMyRXOGaX0OpL86LpM+W5Af+a99yS314JamB3Gsk9D+nOoWw== SHBziWHGlFoNirCVjljh/Mw4DM8v66i0ztIQtWV5cFaFhu4kVda5jA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6 - recipient: age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZ1JxUzZuRmliWFpHeitW YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZkovUkMzdmhOUGpZUC91
OTBlRlFhd3FmOWlFdmlNdElNUnBVdG9TRVFVCk9UU3FiZVE1S3pSbDZmYlp6N0h6 d1JFZGk1T2hOS2dlVFNHRGJKVTUwdUhpQmg0CnEybzlRdjBLcjVEckNtR0xzMDVk
WUlham5IYmtQd0ZrK25KMTFLMnJtQ2sKLS0tIGJleW1LYVM5eDJ6MzBUUXFZUDRN dURWbFdnTXk1alV5cjRSMkRrZ21vTjAKLS0tIEtDZlFCTGdVMU1PUWdBYTVOcTU4
WEJzZzZ2eFQrdFA2VXpLaG1La0wxSlkKJL4hwHlth0eGCMf4B8PUslWvDDZHj4mR ZkZHYmJiTUdJUGZhTFdLM1EzdU9wNmsK3AqFfycJfrBpvnjccN1srNiVBCv107rt
fbY5BnItcPOqI/cAs6/w2LvjTMOYNq/bSxc+MCa+GHg5DREy9E4jaQ== b/O5zcqKGR3Nzey7zAhlxasPCRKARyBTo292ScZ03QMU8p8HIukdzg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv - recipient: age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZUl6WUp2V2trc1FXRzM4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOVNVNmFzbTE2NmdiM1dP
d2F2aXlpR0w2VG5DMmprUjU2RFNpZ0tVVFc4ClB4RU1qcE5kYTF6NjIrQUsvaDdi TlhuTGYyQWlWeFlkaVU3Tml2aDNJbmxXVnlZCmJSb001OVJTaGpRcllzN2JSWDFF
RERNdGdlcnpaY0ljdkh4RjFtMktOcUkKLS0tIDJtdHZqVXl5U2pPNHF2OHYrajJB b1MyYjdKZys4ZHRoUmFhdG1oYTA2RzQKLS0tIEhGeU9YcW9Wc0ZZK3I5UjB0RHFm
YzB0MEdKdVF1KzVvSk9UMkN4eUVUMEUKbrH4uU82qZ2DpvnzxRMheh4J5kIZjYje bW1ucjZtYXFkT1A4bGszamFxaG5IaHMKqHuaWFi/ImnbDOZ9VisIN7jqplAYV8fo
K0KhBxUyfB055TEzb+CSEc4TqI7TcDpqwK0S43yzac/SfWhGGuD+xQ== y3PeVX34LcYE0d8cxbvH8CTs/Ubirt6P1obrmAL9W9Y0ozpqdqQSjA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga - recipient: age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhVytJenZWS2c4dW5ObVU5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbXo4UWhoMUQxc1lMcnNB
UEQ4MlBMSkF1cDhncnplYjJ0N21MU0dPeDA0CkdqblhmZGxQb0hEak5EaUE5YzZ1 VWc1MUJuS3NnVnh4U254TE0wSDJTMzFSM3lrCnhHbmk1N0VqTlViT2dtZndGT1pn
Z1R1SnhEQVIyejl3RVhuOStUVmlkMk0KLS0tIFQwc2pkaUUySWs4bkEwUzFuQWRV NmpPc01iMjk3TXZLU1htZjBvd2NBK2sKLS0tIEN3dGlRZHF5Ykgybjl6MzRBVUJ0
V2w0aGZNd01iVTNHb09LeHJRQXBFeGMK+ogXQ06JKQthMjj8YJhdd7eYyV9NtF0f Rm92SGdwanFHZlp6U00wMDUzL3MrMzgKtCJqy+BfDMFQMHaIVPlFyzALBsb4Ekls
J8vZ3w4rPkrY0EvNUnzfayBeLR3JPR674uWS7zV9wvkFaAciT8CSSQ== +r7ofZ1ZjSomBljYxVPhKE9XaZJe6bqICEhJBCpODyxavfh8HmxHDQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk - recipient: age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTFJmN2tpaXlpWDdZOU1h YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQTRXTHljd2UrbFJOWUI4
YXdaMUtsN1dCV1dkQXBYb0Qxa0E0WFYwdnhBCi9Md1NNanlZVFovNzRlVUV0UDk0 WGRYcEVrZDJGM3hpVVNmVXlSREYzc1FHRlhFCjZHa2VTTzFHR1RXRmllT1huVDNV
UU9IMlgyTWZPVUlydW5hZzJadzB3K28KLS0tIEZybGVaSUpMcXFSaGYyWEhYMlhC UkRKaEQrWjF5eHpiaUg1NExnME5veFkKLS0tIFpZY1RrOVNTTjU0N2Y1dFN6QWpX
NzlMeHJEM0RsZ0xHTkFielZ5aTdOczAK+3Y9IzTCcd0dYR384P0/s7hS7FctUG8e MTM3NDJrV1JZNE5pWGNLMUg1OFFwYUUKMx0hpB3iunnCbJ/+zWetdp1NI/LsrUTe
q3IHht4B/3BRAikk3S4czbNS4EWGOqWbaE6pOy13Juq8D0wDy98Zjg== J84+aDoe7/WJYT0FLMlC0RK80txm6ztVygoyRdN0cRKx1z3KqPmavw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-11T21:18:22Z" lastmodified: "2025-02-11T21:18:22Z"
mac: ENC[AES256_GCM,data:5//boMp1awc/2XAkSASSCuobpkxa0E6IKf3GR8xHpMoCD30FJsCwV7PgX3fR8OuLEhOJ7UguqMNQdNqG37RMacreuDmI1J8oCFKp+3M2j4kCbXaEo8bw7WAtyjUez+SAXKzZWYmBibH0KOy6jdt+v0fdgy5hMBT4IFDofYRsyD0=,iv:6pD+SLwncpmal/FR4U8It2njvaQfUzzpALBCxa0NyME=,tag:4QN8ZFjdqck5ZgulF+FtbA==,type:str] mac: ENC[AES256_GCM,data:5//boMp1awc/2XAkSASSCuobpkxa0E6IKf3GR8xHpMoCD30FJsCwV7PgX3fR8OuLEhOJ7UguqMNQdNqG37RMacreuDmI1J8oCFKp+3M2j4kCbXaEo8bw7WAtyjUez+SAXKzZWYmBibH0KOy6jdt+v0fdgy5hMBT4IFDofYRsyD0=,iv:6pD+SLwncpmal/FR4U8It2njvaQfUzzpALBCxa0NyME=,tag:4QN8ZFjdqck5ZgulF+FtbA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4
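
Review bot: this file is encrypted to sixteen age recipients, and every one of them can decrypt all of the values visible in the hunk (`ns_xfer_key`, `backup_helper_secret`, `nats_nkey`). Split the file so that each secret is encrypted only to the hosts that consume it; that also keeps a single recipient replacement, like the one at the `age1a0477` entry here, from rewriting every `enc` block in a shared file.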

@@ -0,0 +1,55 @@
{ pkgs, config, ... }:
{
sops.secrets."actions-token-1" = {
sopsFile = ../../secrets/nix-cache01/actions_token_1;
format = "binary";
};
virtualisation.podman = {
enable = true;
dockerCompat = true;
};
services.gitea-actions-runner.instances = {
actions1 = {
enable = true;
tokenFile = config.sops.secrets.actions-token-1.path;
name = "actions1.home.2rjus.net";
settings = {
log = {
level = "debug";
};
runner = {
file = ".runner";
capacity = 4;
timeout = "2h";
shutdown_timeout = "10m";
insecure = false;
fetch_timeout = "10s";
fetch_interval = "30s";
};
cache = {
enabled = true;
dir = "/var/cache/gitea-actions1";
};
container = {
privileged = false;
};
};
labels =
builtins.map (n: "${n}:docker://gitea/runner-images:${n}") [
"ubuntu-latest"
"ubuntu-latest-slim"
"ubuntu-latest-full"
]
++ [
"homelab"
];
url = "https://git.t-juice.club";
};
};
}
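Review bot: the three container labels resolve to mutable tags (`gitea/runner-images:ubuntu-latest` and its `-slim` and `-full` variants), so the image every job runs in can change without any commit in this repository. Pin each label to a digest or a dated tag. `log.level = "debug"` is also worth lowering to `info` once the runner is registered, since debug is noisy for a long-running service. `privileged = false` is the right setting to keep.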


@@ -37,6 +37,7 @@
address = "0.0.0.0"; address = "0.0.0.0";
port = 443; port = 443;
settings = { settings = {
metricsAddress = ":9000";
authority = { authority = {
provisioners = [ provisioners = [
{ {
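Review bot: `metricsAddress = ":9000"` binds the metrics listener on every interface of the CA host, and nothing in this hunk restricts who can reach it. If only monitoring01 scrapes it, limit port 9000 to that source in the firewall, or bind to a specific address.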


@@ -12,6 +12,7 @@
aioshelly aioshelly
bellows bellows
gtts gtts
ha-silabs-firmware-client
isal isal
paho-mqtt paho-mqtt
prometheus-client prometheus-client


@@ -6,6 +6,10 @@
configFile = pkgs.writeText "Caddyfile" '' configFile = pkgs.writeText "Caddyfile" ''
{ {
acme_ca https://ca.home.2rjus.net/acme/acme/directory acme_ca https://ca.home.2rjus.net/acme/acme/directory
metrics {
per_host
}
} }
nzbget.home.2rjus.net { nzbget.home.2rjus.net {
@@ -98,6 +102,22 @@
} }
reverse_proxy http://auth01.home.2rjus.net:9091 reverse_proxy http://auth01.home.2rjus.net:9091
} }
pyroscope.home.2rjus.net {
log {
output file /var/log/caddy/pyroscope.log {
mode 644
}
}
reverse_proxy http://monitoring01.home.2rjus.net:4040
}
pushgw.home.2rjus.net {
log {
output file /var/log/caddy/pushgw.log {
mode 644
}
}
reverse_proxy http://monitoring01.home.2rjus.net:9091
}
http://http-proxy.home.2rjus.net/metrics { http://http-proxy.home.2rjus.net/metrics {
log { log {
output file /var/log/caddy/caddy-metrics.log { output file /var/log/caddy/caddy-metrics.log {
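Review bot: the new `pushgw.home.2rjus.net` and `pyroscope.home.2rjus.net` site blocks are a bare `reverse_proxy` with no access control, so anything that can reach http-proxy can write to the Pushgateway and to Pyroscope. Restrict these sites to the hosts that are meant to push (a `remote_ip` matcher) or put authentication in front of them. Both log files are created with `mode 644`, which makes the request logs world-readable on the proxy; 640 would do unless something outside the caddy group reads them.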


@@ -1,7 +0,0 @@
{ pkgs, config, ... }:
{
virtualisation.incus = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ 8443 ];
}


@@ -1,11 +1,21 @@
{ ... }: { config, ... }:
{ {
sops.secrets.lldap_user_pass = {
format = "yaml";
key = "lldap_user_pass";
sopsFile = ../../secrets/auth01/secrets.yaml;
restartUnits = [ "lldap.service" ];
group = "acme";
mode = "0440";
};
services.lldap = { services.lldap = {
enable = true; enable = true;
settings = { settings = {
ldap_base_dn = "dc=home,dc=2rjus,dc=net"; ldap_base_dn = "dc=home,dc=2rjus,dc=net";
ldap_user_email = "admin@home.2rjus.net"; ldap_user_email = "admin@home.2rjus.net";
ldap_user_dn = "admin"; ldap_user_dn = "admin";
ldap_user_pass_file = config.sops.secrets.lldap_user_pass.path;
ldaps_options = { ldaps_options = {
enabled = true; enabled = true;
port = 6360; port = 6360;
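Review bot: `group = "acme"` with `mode = "0440"` makes the LLDAP admin password readable by every member of the `acme` group, not only by lldap. If the group was picked because `lldap.service` already belongs to it for the LDAPS certificate, give the secret a dedicated group or hand it to the unit through systemd's `LoadCredential` instead, and add a comment saying why the secret is group-readable.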


@@ -0,0 +1,41 @@
{ ... }:
{
services.alloy = {
enable = true;
};
environment.etc."alloy/config.alloy" = {
enable = true;
mode = "0644";
text = ''
pyroscope.write "local_pyroscope" {
endpoint {
url = "http://localhost:4040"
}
}
pyroscope.scrape "labmon" {
targets = [{"__address__" = "localhost:9969", "service_name" = "labmon"}]
forward_to = [pyroscope.write.local_pyroscope.receiver]
profiling_config {
profile.process_cpu {
enabled = true
}
profile.memory {
enabled = true
}
profile.mutex {
enabled = true
}
profile.block {
enabled = true
}
profile.goroutine {
enabled = true
}
}
}
'';
};
}


@@ -6,5 +6,8 @@
./prometheus.nix ./prometheus.nix
./pve.nix ./pve.nix
./alerttonotify.nix ./alerttonotify.nix
./pyroscope.nix
./alloy.nix
./tempo.nix
]; ];
} }


@@ -183,6 +183,46 @@
} }
]; ];
} }
{
job_name = "step-ca";
static_configs = [
{
targets = [ "ca.home.2rjus.net:9000" ];
}
]; ];
}
{
job_name = "labmon";
static_configs = [
{
targets = [ "monitoring01.home.2rjus.net:9969" ];
}
];
}
{
job_name = "pushgateway";
honor_labels = true;
static_configs = [
{
targets = [ "localhost:9091" ];
}
];
}
{
job_name = "nix-cache_caddy";
scheme = "https";
static_configs = [
{
targets = [ "nix-cache.home.2rjus.net" ];
}
];
}
];
pushgateway = {
enable = true;
web = {
external-url = "https://pushgw.home.2rjus.net";
};
};
}; };
} }
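Review bot: `honor_labels = true` on the `pushgateway` job makes Prometheus keep whatever `job` and `instance` labels a pusher sends, so the integrity of those series depends entirely on who is allowed to push. That is the usual Pushgateway setup, but with the gateway published at `https://pushgw.home.2rjus.net` it needs an access restriction on the push path. Separately, the `step-ca` job scrapes `ca.home.2rjus.net:9000` without a `scheme`, so over plain HTTP, while `nix-cache_caddy` sets `scheme = "https"`; add a comment if that difference is intentional.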


@@ -0,0 +1,8 @@
{ ... }:
{
virtualisation.oci-containers.containers.pyroscope = {
pull = "missing";
image = "grafana/pyroscope:latest";
ports = [ "4040:4040" ];
};
}
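Review bot: `image = "grafana/pyroscope:latest"` combined with `pull = "missing"` means the host runs whichever build was `latest` at first start and never fetches a newer one, so the deployed version is neither recorded in the repository nor updated. Pin a version tag or digest. `ports = [ "4040:4040" ]` publishes the port on all interfaces; if only the reverse proxy is meant to reach it, limit port 4040 to http-proxy in the firewall.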


@@ -97,15 +97,21 @@ groups:
description: "NATS has been down on {{ $labels.instance }} more than 5 minutes." description: "NATS has been down on {{ $labels.instance }} more than 5 minutes."
- name: nix_cache_rules - name: nix_cache_rules
rules: rules:
- alert: build-flakes_service_failed - alert: build-flakes_service_not_active_recently
expr: node_systemd_unit_state{instance="nix-cache01.home.2rjus.net:9100", name="build-flakes.service", state="failed"} == 1 expr: count_over_time(node_systemd_unit_state{instance="nix-cache01.home.2rjus.net:9100", name="build-flakes.service", state="active"}[1h]) < 1
for: 0m for: 0m
keep_firing_for: 10m
labels: labels:
severity: critical severity: critical
annotations: annotations:
summary: "The build-flakes service on {{ $labels.instance }} has failed" summary: "The build-flakes service on {{ $labels.instance }} has not run recently"
description: "The build-flakes service on {{ $labels.instance }} has failed" description: "The build-flakes service on {{ $labels.instance }} has not run recently"
- alert: build_flakes_error
expr: build_flakes_error == 1
labels:
severity: warning
annotations:
summary: "The build-flakes job has failed for host {{ $labels.host }}."
description: "The build-flakes job has failed for host {{ $labels.host }}."
- alert: harmonia_down - alert: harmonia_down
expr: node_systemd_unit_state {instance="nix-cache01.home.2rjus.net:9100", name = "harmonia.service", state = "active"} == 0 expr: node_systemd_unit_state {instance="nix-cache01.home.2rjus.net:9100", name = "harmonia.service", state = "active"} == 0
for: 5m for: 5m
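Review bot: `build-flakes_service_not_active_recently` cannot fire as written. `count_over_time(...{state="active"}[1h])` counts samples, not samples equal to 1; node_exporter exports the `state="active"` series with value 0 while the unit is inactive, so the count is at least 1 whenever the target is scraped, and when there are no samples at all the expression returns an empty result rather than 0. Use `max_over_time(...[1h]) < 1` to test "never active in the last hour". The new `build_flakes_error` rule has no `for:`, and pushed series stay in the gateway until overwritten or deleted, so a host removed from the flake keeps its last value.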
@@ -184,3 +190,61 @@ groups:
annotations: annotations:
summary: "Wireguard handshake timeout on {{ $labels.instance }}" summary: "Wireguard handshake timeout on {{ $labels.instance }}"
description: "Wireguard handshake timeout on {{ $labels.instance }} for more than 1 minutes." description: "Wireguard handshake timeout on {{ $labels.instance }} for more than 1 minutes."
- name: monitoring_rules
rules:
- alert: prometheus_not_running
expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="prometheus.service", state="active"} == 0
labels:
severity: critical
annotations:
summary: "Prometheus service not running on {{ $labels.instance }}"
description: "Prometheus service not running on {{ $labels.instance }}"
- alert: alertmanager_not_running
expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="alertmanager.service", state="active"} == 0
labels:
severity: critical
annotations:
summary: "Alertmanager service not running on {{ $labels.instance }}"
description: "Alertmanager service not running on {{ $labels.instance }}"
- alert: pushgateway_not_running
expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="pushgateway.service", state="active"} == 0
labels:
severity: critical
annotations:
summary: "Pushgateway service not running on {{ $labels.instance }}"
description: "Pushgateway service not running on {{ $labels.instance }}"
- alert: pushgateway_not_running
expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="pushgateway.service", state="active"} == 0
labels:
severity: critical
annotations:
summary: "Pushgateway service not running on {{ $labels.instance }}"
description: "Pushgateway service not running on {{ $labels.instance }}"
- alert: loki_not_running
expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="loki.service", state="active"} == 0
labels:
severity: critical
annotations:
summary: "Loki service not running on {{ $labels.instance }}"
description: "Loki service not running on {{ $labels.instance }}"
- alert: grafana_not_running
expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="grafana.service", state="active"} == 0
labels:
severity: warning
annotations:
summary: "Grafana service not running on {{ $labels.instance }}"
description: "Grafana service not running on {{ $labels.instance }}"
- alert: tempo_not_running
expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="tempo.service", state="active"} == 0
labels:
severity: warning
annotations:
summary: "Tempo service not running on {{ $labels.instance }}"
description: "Tempo service not running on {{ $labels.instance }}"
- alert: pyroscope_not_running
expr: node_systemd_unit_state{instance="monitoring01.home.2rjus.net:9100", name="podman-pyroscope.service", state="active"} == 0
labels:
severity: warning
annotations:
summary: "Pyroscope service not running on {{ $labels.instance }}"
description: "Pyroscope service not running on {{ $labels.instance }}"
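Review bot: `pushgateway_not_running` is defined twice with identical expression, labels and annotations; drop the second copy. None of the rules in `monitoring_rules` set `for:`, so a single scrape that catches a unit mid-restart fires a critical alert, whereas `harmonia_down` above uses `for: 5m`. Also note that `prometheus_not_running` is evaluated by the Prometheus instance it watches, so it cannot report a real outage of that instance; that case needs a check from outside monitoring01.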


@@ -0,0 +1,37 @@
{ ... }:
{
services.tempo = {
enable = true;
settings = {
server = {
http_listen_port = 3200;
grpc_listen_port = 3201;
};
distributor = {
receivers = {
otlp = {
protocols = {
http = {
endpoint = ":4318";
cors = {
allowed_origins = [ "*.home.2rjus.net" ];
};
};
};
};
};
};
storage = {
trace = {
backend = "local";
local = {
path = "/var/lib/tempo";
};
wal = {
path = "/var/lib/tempo/wal";
};
};
};
};
};
}
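Review bot: `endpoint = ":4318"` exposes the OTLP HTTP receiver on every interface, and `cors.allowed_origins` only constrains browsers; it is not an access control for other clients. If traces are meant to come from browser pages under `*.home.2rjus.net`, say so in a comment and firewall the port to the networks that should send. The same exposure question applies to `http_listen_port = 3200` and `grpc_listen_port = 3201`.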


@@ -7,22 +7,9 @@ let
nix nix
nixos-rebuild nixos-rebuild
jq jq
curl
]; ];
text = '' text = builtins.readFile ./build-flakes.sh;
cd /root/nixos-servers
git pull
echo "Starting nixos-servers builds"
for host in $(nix flake show --json| jq -r '.nixosConfigurations | keys[]'); do
echo "Building $host"
nixos-rebuild --verbose -L --flake ".#$host" build
done
echo "All nixos-servers builds complete"
echo "Building gunter"
cd /root/nixos
git pull
nixos-rebuild --verbose -L --flake ".#gunter" build
'';
}; };
in in
{ {


@@ -0,0 +1,44 @@
JOB_NAME="build_flakes"
cd /root/nixos-servers
git pull
echo "Starting nixos-servers builds"
for host in $(nix flake show --json| jq -r '.nixosConfigurations | keys[]'); do
echo "Building $host"
if ! nixos-rebuild --verbose -L --flake ".#$host" build; then
echo "Build failed for $host"
cat <<EOF | curl -sS -X PUT --data-binary @- "https://pushgw.home.2rjus.net/metrics/job/$JOB_NAME/host/$host"
# TYPE build_flakes_error gauge
# HELP build_flakes_error 0 if the build was successful, 1 if it failed
build_flakes_error{instance="$HOSTNAME"} 1
EOF
else
echo "Build successful for $host"
cat <<EOF | curl -sS -X PUT --data-binary @- "https://pushgw.home.2rjus.net/metrics/job/$JOB_NAME/host/$host"
# TYPE build_flakes_error gauge
# HELP build_flakes_error 0 if the build was successful, 1 if it failed
build_flakes_error{instance="$HOSTNAME"} 0
EOF
fi
done
echo "All nixos-servers builds complete"
echo "Building gunter"
cd /root/nixos
git pull
host="gunter"
if ! nixos-rebuild --verbose -L --flake ".#gunter" build; then
echo "Build failed for $host"
cat <<EOF | curl -sS -X PUT --data-binary @- "https://pushgw.home.2rjus.net/metrics/job/$JOB_NAME/host/$host"
# TYPE build_flakes_error gauge
# HELP build_flakes_error 0 if the build was successful, 1 if it failed
build_flakes_error{instance="$HOSTNAME"} 1
EOF
else
echo "Build successful for $host"
cat <<EOF | curl -sS -X PUT --data-binary @- "https://pushgw.home.2rjus.net/metrics/job/$JOB_NAME/host/$host"
# TYPE build_flakes_error gauge
# HELP build_flakes_error 0 if the build was successful, 1 if it failed
build_flakes_error{instance="$HOSTNAME"} 0
EOF
fi
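Review bot: the `curl -sS -X PUT` calls do not pass `--fail`, so an HTTP error from the gateway still exits 0 and the previous `build_flakes_error` value stays in place; a failed build can keep showing 0. Add `--fail` and decide what the job should do when the push itself fails. The four heredoc blocks differ only in host and value, so one function taking those two arguments would remove the copies. `$host` is placed in the URL path unescaped, which is safe only while configuration names stay free of `/` and other URL-special characters.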


@@ -6,14 +6,18 @@
configFile = pkgs.writeText "Caddyfile" '' configFile = pkgs.writeText "Caddyfile" ''
{ {
acme_ca https://ca.home.2rjus.net/acme/acme/directory acme_ca https://ca.home.2rjus.net/acme/acme/directory
metrics
} }
nix-cache.home.2rjus.net { nix-cache.home.2rjus.net {
log { log {
output file /var/log/caddy/nix-cache.log { output file /var/log/caddy/nix-cache.log {
mode 644 mode 644
} }
} }
metrics /metrics
reverse_proxy http://localhost:5000 reverse_proxy http://localhost:5000
} }
''; '';
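Review bot: `metrics /metrics` sits inside the `nix-cache.home.2rjus.net` site block, so Caddy's metrics are served to every client of the cache on the same hostname. Put a `remote_ip` matcher for the Prometheus host in front of it, or serve metrics from a separate listener that only monitoring01 can reach.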


@@ -1,7 +1,7 @@
$ORIGIN home.2rjus.net. $ORIGIN home.2rjus.net.
$TTL 1800 $TTL 1800
@ IN SOA ns1.home.2rjus.net. admin.test.2rjus.net. ( @ IN SOA ns1.home.2rjus.net. admin.test.2rjus.net. (
2060 ; serial number 2063 ; serial number
3600 ; refresh 3600 ; refresh
900 ; retry 900 ; retry
1209600 ; expire 1209600 ; expire
@@ -59,6 +59,7 @@ monitoring01 IN A 10.69.13.13
jelly01 IN A 10.69.13.14 jelly01 IN A 10.69.13.14
nix-cache01 IN A 10.69.13.15 nix-cache01 IN A 10.69.13.15
nix-cache IN CNAME nix-cache01 nix-cache IN CNAME nix-cache01
actions1 IN CNAME nix-cache01
pgdb1 IN A 10.69.13.16 pgdb1 IN A 10.69.13.16
nats1 IN A 10.69.13.17 nats1 IN A 10.69.13.17
auth01 IN A 10.69.13.18 auth01 IN A 10.69.13.18
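Review bot: `actions1 IN CNAME nix-cache01` places the Actions runner on the same machine that builds and serves the binary cache, so CI jobs execute next to the cache that other hosts pull from. A separate VM for the runner would keep a misbehaving job away from it. If the co-location is deliberate, note the reason next to the record.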
@@ -75,6 +76,8 @@ alertmanager IN CNAME http-proxy
jelly IN CNAME http-proxy jelly IN CNAME http-proxy
auth IN CNAME http-proxy auth IN CNAME http-proxy
lldap IN CNAME http-proxy lldap IN CNAME http-proxy
pyroscope IN CNAME http-proxy
pushgw IN CNAME http-proxy
ldap IN CNAME auth01 ldap IN CNAME auth01


@@ -0,0 +1,8 @@
{ ... }:
{
services.vault = {
enable = true;
storageBackend = "file";
};
}
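Review bot: this enables Vault with file storage and sets neither `address` nor `tlsCertFile`/`tlsKeyFile`, so the listener stays on the module defaults. Before any secret is written, make the listener address and TLS explicit here (the site already runs its own ACME CA at `ca.home.2rjus.net`) and record where the unseal keys are kept. The commit message calls this a minimal config; a TODO comment in the file would make that visible to the next reader.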

214
terraform/README.md Normal file

@@ -0,0 +1,214 @@
# OpenTofu Configuration for Proxmox
This directory contains OpenTofu configuration for managing Proxmox VMs using a parameterized, multi-VM deployment system.
## Setup
1. **Create a Proxmox API token:**
- Log into Proxmox web UI
- Go to Datacenter → Permissions → API Tokens
- Click Add
- User: `root@pam`, Token ID: `terraform`
- Uncheck "Privilege Separation"
- Save the token secret (shown only once)
2. **Configure credentials:**
```bash
cd terraform
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your Proxmox details
```
3. **Initialize OpenTofu:**
```bash
tofu init
```
4. **Test connection:**
```bash
tofu plan
```
## Defining VMs
All VMs are defined in the `vms.tf` file in the `locals.vms` map. Each VM can specify custom configurations or use defaults from `variables.tf`.
### Example: DHCP VM
```hcl
vms = {
"simple-vm" = {
cpu_cores = 2
memory = 2048
disk_size = "20G"
# No "ip" field = DHCP
}
}
```
### Example: Static IP VM
```hcl
vms = {
"web-server" = {
ip = "10.69.13.50/24"
cpu_cores = 4
memory = 4096
disk_size = "50G"
}
}
```
### Example: Minimal VM (all defaults)
```hcl
vms = {
"test-vm" = {}
}
```
### Example: Multiple VMs
```hcl
vms = {
"vm1" = {
ip = "10.69.13.50/24"
}
"vm2" = {
ip = "10.69.13.51/24"
cpu_cores = 4
memory = 8192
}
"vm3" = {
# DHCP
cpu_cores = 2
memory = 2048
}
}
```
### Example: Test VM with Custom Git Branch
For testing pipeline changes without polluting master:
```hcl
vms = {
"test-vm" = {
ip = "10.69.13.100/24"
flake_branch = "test-pipeline" # Bootstrap from this branch
}
}
```
This VM will bootstrap from the `test-pipeline` branch instead of `master`. Production VMs should omit the `flake_branch` field.
## Configuration Options
Each VM in the `vms` map supports the following fields (all optional):
| Field | Description | Default |
|-------|-------------|---------|
| `ip` | Static IP with CIDR (e.g., "10.69.13.50/24"). Omit for DHCP | DHCP |
| `gateway` | Network gateway (used with static IP) | `10.69.13.1` |
| `cpu_cores` | Number of CPU cores | `2` |
| `memory` | Memory in MB | `2048` |
| `disk_size` | Disk size (e.g., "20G", "100G") | `"20G"` |
| `flake_branch` | Git branch for bootstrap (for testing, omit for production) | `master` |
| `target_node` | Proxmox node to deploy to | `"pve1"` |
| `template_name` | Template VM to clone from | `"nixos-25.11.20260128.fa83fd8"` |
| `storage` | Storage backend | `"local-zfs"` |
| `bridge` | Network bridge | `"vmbr0"` |
| `vlan_tag` | VLAN tag | `13` |
| `ssh_public_key` | SSH public key for root | See `variables.tf` |
| `nameservers` | DNS servers | `"10.69.13.5 10.69.13.6"` |
| `search_domain` | DNS search domain | `"home.2rjus.net"` |
Defaults are defined in `variables.tf` and can be changed globally.
## Deployment Commands
### Deploy All VMs
```bash
tofu apply
```
### Deploy Specific VM
```bash
tofu apply -target=proxmox_vm_qemu.vm[\"vm-name\"]
```
### Destroy Specific VM
```bash
tofu destroy -target=proxmox_vm_qemu.vm[\"vm-name\"]
```
### View Deployed VMs
```bash
tofu output vm_ips
tofu output deployment_summary
```
### Plan Changes
```bash
tofu plan
```
## Outputs
After deployment, OpenTofu provides two outputs:
**vm_ips**: IP addresses and SSH commands for each VM
```
vm_ips = {
"vm1" = {
ip = "10.69.13.50"
ssh_command = "ssh root@10.69.13.50"
}
}
```
**deployment_summary**: Full specifications for each VM
```
deployment_summary = {
"vm1" = {
cpu_cores = 4
memory_mb = 4096
disk_size = "50G"
ip = "10.69.13.50"
node = "pve1"
}
}
```
## Workflow
1. Edit `vms.tf` to define your VMs in the `locals.vms` map
2. Run `tofu plan` to preview changes
3. Run `tofu apply` to deploy
4. Run `tofu output vm_ips` to get IP addresses
5. SSH to VMs and configure as needed
## Files
- `main.tf` - Provider configuration
- `variables.tf` - Variable definitions and defaults
- `vms.tf` - VM definitions and deployment logic
- `cloud-init.tf` - Cloud-init disk management (SSH keys, networking, branch config)
- `outputs.tf` - Output definitions for deployed VMs
- `terraform.tfvars.example` - Example credentials file
- `terraform.tfvars` - Your actual credentials (gitignored)
- `vm.tf.old` - Archived single-VM configuration (reference)
## Notes
- VMs are deployed as full clones (not linked clones)
- Cloud-init handles initial networking configuration
- QEMU guest agent is enabled on all VMs
- All VMs start on boot by default
- IPv6 is disabled
- Destroying VMs removes them from Proxmox but does not clean up DNS entries or NixOS configurations
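Review bot: setup step 1 creates the token for `root@pam` and says to uncheck "Privilege Separation", which gives the token the full rights of root on the Proxmox host. Document a dedicated user and a role limited to the privileges the provider needs, and leave privilege separation on with that role assigned to the token. The "Deploy Specific VM" and "Destroy Specific VM" commands are also safer single-quoted, as in `-target='proxmox_vm_qemu.vm["vm-name"]'`, because the unquoted brackets are subject to shell globbing.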

58
terraform/cloud-init.tf Normal file

@@ -0,0 +1,58 @@
# Cloud-init configuration for all VMs
#
# This file manages cloud-init disks for all VMs using the proxmox_cloud_init_disk resource.
# VMs with flake_branch set will include NIXOS_FLAKE_BRANCH environment variable.
resource "proxmox_cloud_init_disk" "ci" {
for_each = local.vm_configs
name = each.key
pve_node = each.value.target_node
storage = "local" # Cloud-init disks must be on storage that supports ISO/snippets
# User data includes SSH keys and optionally NIXOS_FLAKE_BRANCH
user_data = <<-EOT
#cloud-config
ssh_authorized_keys:
- ${each.value.ssh_public_key}
${each.value.flake_branch != null ? <<-BRANCH
write_files:
- path: /etc/environment
content: |
NIXOS_FLAKE_BRANCH=${each.value.flake_branch}
append: true
BRANCH
: ""}
EOT
# Network configuration - static IP or DHCP
network_config = each.value.ip != null ? yamlencode({
version = 1
config = [{
type = "physical"
name = "ens18"
subnets = [{
type = "static"
address = each.value.ip
gateway = each.value.gateway
dns_nameservers = split(" ", each.value.nameservers)
dns_search = [each.value.search_domain]
}]
}]
}) : yamlencode({
version = 1
config = [{
type = "physical"
name = "ens18"
subnets = [{
type = "dhcp"
}]
}]
})
# Instance metadata
meta_data = yamlencode({
instance_id = sha1(each.key)
local-hostname = each.key
})
}
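Review bot: `user_data` is assembled as text, with `${each.value.ssh_public_key}` and `${each.value.flake_branch}` interpolated raw into the YAML. A value containing a newline, a colon or a leading special character changes the structure of the cloud-config instead of failing, and the nested `BRANCH` heredoc makes the resulting indentation hard to verify. Build the document with `yamlencode` as `network_config` and `meta_data` already do, prefix the `#cloud-config` line, and validate `flake_branch` against a branch-name pattern in `variables.tf` or `vms.tf`.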

18
terraform/main.tf Normal file

@@ -0,0 +1,18 @@
terraform {
required_version = ">= 1.0"
required_providers {
proxmox = {
source = "telmate/proxmox"
version = "3.0.2-rc07"
}
}
}
provider "proxmox" {
pm_api_url = var.proxmox_api_url
pm_api_token_id = var.proxmox_api_token_id
pm_api_token_secret = var.proxmox_api_token_secret
pm_tls_insecure = var.proxmox_tls_insecure
}
# Provider configured - ready to add resources

24
terraform/outputs.tf Normal file

@@ -0,0 +1,24 @@
# Dynamic outputs for all deployed VMs
output "vm_ips" {
description = "IP addresses and SSH commands for deployed VMs"
value = {
for name, vm in proxmox_vm_qemu.vm : name => {
ip = vm.default_ipv4_address
ssh_command = "ssh root@${vm.default_ipv4_address}"
}
}
}
output "deployment_summary" {
description = "Summary of deployed VMs with their specifications"
value = {
for name, vm in proxmox_vm_qemu.vm : name => {
cpu_cores = vm.cpu[0].cores
memory_mb = vm.memory
disk_size = vm.disks[0].virtio[0].virtio0[0].disk[0].size
ip = vm.default_ipv4_address
node = vm.target_node
}
}
}


@@ -0,0 +1,7 @@
# Copy this file to terraform.tfvars and fill in your values
# terraform.tfvars is gitignored to keep credentials safe
proxmox_api_url = "https://your-proxmox-host.home.2rjus.net:8006/api2/json"
proxmox_api_token_id = "root@pam!terraform"
proxmox_api_token_secret = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
proxmox_tls_insecure = true

97
terraform/variables.tf Normal file

@@ -0,0 +1,97 @@
variable "proxmox_api_url" {
description = "Proxmox API URL (e.g., https://proxmox.home.2rjus.net:8006/api2/json)"
type = string
}
variable "proxmox_api_token_id" {
description = "Proxmox API Token ID (e.g., root@pam!terraform)"
type = string
sensitive = true
}
variable "proxmox_api_token_secret" {
description = "Proxmox API Token Secret"
type = string
sensitive = true
}
variable "proxmox_tls_insecure" {
description = "Skip TLS verification (set to true for self-signed certs)"
type = bool
default = true
}
# Default values for VM configurations
# These can be overridden per-VM in vms.tf
variable "default_target_node" {
description = "Default Proxmox node to deploy VMs to"
type = string
default = "pve1"
}
variable "default_template_name" {
description = "Default template VM name to clone from"
type = string
default = "nixos-25.11.20260128.fa83fd8"
}
variable "default_ssh_public_key" {
description = "Default SSH public key for root user"
type = string
default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
}
variable "default_storage" {
description = "Default storage backend for VM disks"
type = string
default = "local-zfs"
}
variable "default_bridge" {
description = "Default network bridge"
type = string
default = "vmbr0"
}
variable "default_vlan_tag" {
description = "Default VLAN tag"
type = number
default = 13
}
variable "default_gateway" {
description = "Default network gateway for static IP VMs"
type = string
default = "10.69.13.1"
}
variable "default_nameservers" {
description = "Default DNS nameservers"
type = string
default = "10.69.13.5 10.69.13.6"
}
variable "default_search_domain" {
description = "Default DNS search domain"
type = string
default = "home.2rjus.net"
}
variable "default_cpu_cores" {
description = "Default number of CPU cores"
type = number
default = 2
}
variable "default_memory" {
description = "Default memory in MB"
type = number
default = 2048
}
variable "default_disk_size" {
description = "Default disk size"
type = string
default = "20G"
}
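Review bot: `proxmox_tls_insecure` has `default = true`, so certificate verification of the Proxmox API is off unless someone overrides it, and the API token travels over that connection. Default it to `false` and have the Proxmox host present a certificate that the machine running `tofu` trusts; `terraform.tfvars.example` sets `true` as well and should follow. The description "set to true for self-signed certs" can then describe the exception rather than the norm.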

135
terraform/vms.tf Normal file

@@ -0,0 +1,135 @@
# VM Definitions
# Define all VMs to deploy in the locals.vms map below
# Omit fields to use defaults from variables.tf
locals {
# Define VMs here
# Each VM can override defaults by specifying values
# Omit "ip" field for DHCP, include it for static IP
vms = {
# Example DHCP VM (uncomment to deploy):
# "example-dhcp-vm" = {
# cpu_cores = 2
# memory = 2048
# disk_size = "20G"
# }
# Example Static IP VM (uncomment to deploy):
# "example-static-vm" = {
# ip = "10.69.13.50/24"
# cpu_cores = 4
# memory = 4096
# disk_size = "50G"
# }
# Example Test VM with custom git branch (for testing pipeline changes):
# "test-vm" = {
# ip = "10.69.13.100/24"
# flake_branch = "test-pipeline" # Bootstrap from this branch instead of master
# }
# Example Minimal VM using all defaults (uncomment to deploy):
# "minimal-vm" = {}
# "bootstrap-verify-test" = {}
"testvm01" = {
ip = "10.69.13.101/24"
cpu_cores = 2
memory = 2048
disk_size = "20G"
flake_branch = "pipeline-testing-improvements"
}
"vault01" = {
ip = "10.69.13.19/24"
cpu_cores = 2
memory = 2048
disk_size = "20G"
}
}
# Compute VM configurations with defaults applied
vm_configs = {
for name, vm in local.vms : name => {
target_node = lookup(vm, "target_node", var.default_target_node)
template_name = lookup(vm, "template_name", var.default_template_name)
cpu_cores = lookup(vm, "cpu_cores", var.default_cpu_cores)
memory = lookup(vm, "memory", var.default_memory)
disk_size = lookup(vm, "disk_size", var.default_disk_size)
storage = lookup(vm, "storage", var.default_storage)
bridge = lookup(vm, "bridge", var.default_bridge)
vlan_tag = lookup(vm, "vlan_tag", var.default_vlan_tag)
ssh_public_key = lookup(vm, "ssh_public_key", var.default_ssh_public_key)
nameservers = lookup(vm, "nameservers", var.default_nameservers)
search_domain = lookup(vm, "search_domain", var.default_search_domain)
# Network configuration - detect DHCP vs static
ip = lookup(vm, "ip", null)
gateway = lookup(vm, "gateway", var.default_gateway)
# Branch configuration for bootstrap (optional, uses master if not set)
flake_branch = lookup(vm, "flake_branch", null)
}
}
}
# Deploy all VMs using for_each
resource "proxmox_vm_qemu" "vm" {
for_each = local.vm_configs
name = each.key
target_node = each.value.target_node
# Clone from template
clone = each.value.template_name
full_clone = true
# Boot configuration
boot = "order=virtio0"
scsihw = "virtio-scsi-single"
# VM settings
cpu {
cores = each.value.cpu_cores
}
memory = each.value.memory
# Network
network {
id = 0
model = "virtio"
bridge = each.value.bridge
tag = each.value.vlan_tag
}
# Disk settings
disks {
virtio {
virtio0 {
disk {
size = each.value.disk_size
storage = each.value.storage
}
}
}
ide {
ide2 {
# Reference the custom cloud-init disk created in cloud-init.tf
cdrom {
iso = proxmox_cloud_init_disk.ci[each.key].id
}
}
}
}
# Start on boot
start_at_node_boot = true
# Agent
agent = 1
# Skip IPv6 since we don't use it
skip_ipv6 = true
# RNG device for better entropy
rng {
source = "/dev/urandom"
period = 1000
}
}
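Review bot: `testvm01` is committed with `flake_branch = "pipeline-testing-improvements"`, while the README in this same change says production VMs should omit `flake_branch` and use it only for testing. Once that branch is merged or deleted, the VM bootstraps from a ref that no longer tracks master. Remove the field or the VM before this lands on master, or add a comment stating that `testvm01` is a throwaway host. `vault01` is defined here with the same 20G defaults as the test VM; confirm that size is intended for a host using file storage.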