create-host: enable resolved in configuration.nix.j2

Reviewed-on: #9

.github/workflows/flake-check.yaml

@@ -0,0 +1,14 @@
+name: Run nix flake check
+on:
+  push:
+  pull_request:
+
+jobs:
+  flake-check:
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/catthehacker/ubuntu:runner-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: cachix/install-nix-action@v27
+      - run: nix flake check

.github/workflows/flake-update.yaml

@@ -0,0 +1,27 @@
+---
+name: Periodic flake update
+on:  # yamllint disable-line rule:truthy
+  schedule:
+    - cron: "0 0 * * *"
+
+permissions:
+  contents: write
+
+jobs:
+  flake-update:
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/catthehacker/ubuntu:runner-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: master
+      - uses: cachix/install-nix-action@v27
+      - name: configure git
+        run: |
+          git config --global user.name 'torjus-bot'
+          git config --global user.email 'torjus-bot@git.t-juice.club'
+      - name: flake update
+        run: nix flake update --commit-lock-file
+      - name: push
+        run: git push

.gitignore

@@ -0,0 +1,12 @@
+.direnv/
+result
+
+# Terraform/OpenTofu
+terraform/.terraform/
+terraform/.terraform.lock.hcl
+terraform/*.tfstate
+terraform/*.tfstate.*
+terraform/terraform.tfvars
+terraform/*.auto.tfvars
+terraform/crash.log
+terraform/crash.*.log

.sops.yaml

@@ -4,6 +4,17 @@ keys:
   - &server_ns2 age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um
   - &server_ns3 age1snmhmpavqy7xddmw4nuny0u4xusqmnqxqarjmghkm5zaluff84eq5xatrd
   - &server_ns4 age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q
+  - &server_ha1 age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l
+  - &server_nixos-test1 age1gcyfkxh4fq5zdp0dh484aj82ksz66wrly7qhnpv0r0p576sn9ekse8e9ju
+  - &server_inc1 age1g5luz2rtel3surgzuh62rkvtey7lythrvfenyq954vmeyfpxjqkqdj3wt8
+  - &server_http-proxy age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m
+  - &server_ca age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk
+  - &server_monitoring01 age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey
+  - &server_jelly01 age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq
+  - &server_nix-cache01 age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq
+  - &server_pgdb1 age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv
+  - &server_nats1 age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga
+  - &server_auth01 age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)
     key_groups:
@@ -13,8 +24,49 @@ creation_rules:
         - *server_ns2
         - *server_ns3
         - *server_ns4
+        - *server_ha1
+        - *server_nixos-test1
+        - *server_inc1
+        - *server_http-proxy
+        - *server_ca
+        - *server_monitoring01
+        - *server_jelly01
+        - *server_nix-cache01
+        - *server_pgdb1
+        - *server_nats1
+        - *server_auth01
   - path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini)
     key_groups:
       - age:
         - *admin_torjus
         - *server_ns3
+  - path_regex: secrets/ca/[^/]+\.(yaml|json|env|ini|)
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_ca
+  - path_regex: secrets/monitoring01/[^/]+\.(yaml|json|env|ini)
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_monitoring01
+  - path_regex: secrets/ca/keys/.+
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_ca
+  - path_regex: secrets/nix-cache01/.+
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_nix-cache01
+  - path_regex: secrets/http-proxy/.+
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_http-proxy
+  - path_regex: secrets/auth01/[^/]+\.(yaml|json|env|ini|)
+    key_groups:
+      - age:
+        - *admin_torjus
+        - *server_auth01

CLAUDE.md

@@ -0,0 +1,246 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Repository Overview
+
+This is a Nix Flake-based NixOS configuration repository for managing a homelab infrastructure consisting of 16 server configurations. The repository uses a modular architecture with shared system configurations, reusable service modules, and per-host customization.
+
+## Common Commands
+
+### Building Configurations
+
+```bash
+# List all available configurations
+nix flake show
+
+# Build a specific host configuration locally (without deploying)
+nixos-rebuild build --flake .#<hostname>
+
+# Build and check a configuration
+nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
+```
+
+### Deployment
+
+Do not automatically deploy changes. Deployments are usually done by updating the master branch, and then triggering the auto update on the specific host.
+
+### Flake Management
+
+```bash
+# Check flake for errors
+nix flake check
+```
+Do not run `nix flake update`. Should only be done manually by user.
+
+### Development Environment
+
+```bash
+# Enter development shell (provides ansible, python3)
+nix develop
+```
+
+### Secrets Management
+
+Secrets are handled by sops. Do not edit any `.sops.yaml` or any file within `secrets/`. Ask the user to modify if necessary.
+
+### Git Commit Messages
+
+Commit messages should follow the format: `topic: short description`
+
+Examples:
+- `flake: add opentofu to devshell`
+- `template2: add proxmox image configuration`
+- `terraform: add VM deployment configuration`
+
+## Architecture
+
+### Directory Structure
+
+- `/flake.nix` - Central flake defining all 16 NixOS configurations
+- `/hosts/<hostname>/` - Per-host configurations
+  - `default.nix` - Entry point, imports configuration.nix and services
+  - `configuration.nix` - Host-specific settings (networking, hardware, users)
+- `/system/` - Shared system-level configurations applied to ALL hosts
+  - Core modules: nix.nix, sshd.nix, sops.nix, acme.nix, autoupgrade.nix
+  - Monitoring: node-exporter and promtail on every host
+- `/services/` - Reusable service modules, selectively imported by hosts
+  - `home-assistant/` - Home automation stack
+  - `monitoring/` - Observability stack (Prometheus, Grafana, Loki, Tempo)
+  - `ns/` - DNS services (authoritative, resolver)
+  - `http-proxy/`, `ca/`, `postgres/`, `nats/`, `jellyfin/`, etc.
+- `/secrets/` - SOPS-encrypted secrets with age encryption
+- `/common/` - Shared configurations (e.g., VM guest agent)
+- `/playbooks/` - Ansible playbooks for fleet management
+- `/.sops.yaml` - SOPS configuration with age keys for all servers
+
+### Configuration Inheritance
+
+Each host follows this import pattern:
+```
+hosts/<hostname>/default.nix
+  └─> configuration.nix (host-specific)
+      ├─> ../../system (ALL shared system configs - applied to every host)
+      ├─> ../../services/<service> (selective service imports)
+      └─> ../../common/vm (if VM)
+```
+
+All hosts automatically get:
+- Nix binary cache (nix-cache.home.2rjus.net)
+- SSH with root login enabled
+- SOPS secrets management with auto-generated age keys
+- Internal ACME CA integration (ca.home.2rjus.net)
+- Daily auto-upgrades with auto-reboot
+- Prometheus node-exporter + Promtail (logs to monitoring01)
+- Custom root CA trust
+
+### Active Hosts
+
+Production servers managed by `rebuild-all.sh`:
+- `ns1`, `ns2` - Primary/secondary DNS servers (10.69.13.5/6)
+- `ca` - Internal Certificate Authority
+- `ha1` - Home Assistant + Zigbee2MQTT + Mosquitto
+- `http-proxy` - Reverse proxy
+- `monitoring01` - Full observability stack (Prometheus, Grafana, Loki, Tempo, Pyroscope)
+- `jelly01` - Jellyfin media server
+- `nix-cache01` - Binary cache server
+- `pgdb1` - PostgreSQL database
+- `nats1` - NATS messaging server
+- `auth01` - Authentication service
+
+Template/test hosts:
+- `template1` - Base template for cloning new hosts
+- `nixos-test1` - Test environment
+
+### Flake Inputs
+
+- `nixpkgs` - NixOS 25.11 stable (primary)
+- `nixpkgs-unstable` - Unstable channel (available via overlay as `pkgs.unstable.<package>`)
+- `sops-nix` - Secrets management
+- Custom packages from git.t-juice.club:
+  - `backup-helper` - Backup automation module
+  - `alerttonotify` - Alert routing
+  - `labmon` - Lab monitoring
+
+### Network Architecture
+
+- Domain: `home.2rjus.net`
+- Infrastructure subnet: `10.69.13.x`
+- DNS: ns1/ns2 provide authoritative DNS with primary-secondary setup
+- Internal CA for ACME certificates (no Let's Encrypt)
+- Centralized monitoring at monitoring01
+- Static networking via systemd-networkd
+
+### Secrets Management
+
+- Uses SOPS with age encryption
+- Each server has unique age key in `.sops.yaml`
+- Keys auto-generated at `/var/lib/sops-nix/key.txt` on first boot
+- Shared secrets: `/secrets/secrets.yaml`
+- Per-host secrets: `/secrets/<hostname>/`
+- All production servers can decrypt shared secrets; host-specific secrets require specific host keys
+
+### Auto-Upgrade System
+
+All hosts pull updates daily from:
+```
+git+https://git.t-juice.club/torjus/nixos-servers.git
+```
+
+Configured in `/system/autoupgrade.nix`:
+- Random delay to avoid simultaneous upgrades
+- Auto-reboot after successful upgrade
+- Systemd service: `nixos-upgrade.service`
+
+### Proxmox VM Provisioning with OpenTofu
+
+The repository includes automated workflows for building Proxmox VM templates and deploying VMs using OpenTofu (Terraform).
+
+#### Building and Deploying Templates
+
+Template VMs are built from `hosts/template2` and deployed to Proxmox using Ansible:
+
+```bash
+# Build NixOS image and deploy to Proxmox as template
+nix develop -c ansible-playbook -i playbooks/inventory.ini playbooks/build-and-deploy-template.yml
+```
+
+This playbook:
+1. Builds the Proxmox image using `nixos-rebuild build-image --image-variant proxmox`
+2. Uploads the `.vma.zst` image to Proxmox at `/var/lib/vz/dump`
+3. Restores it as VM ID 9000
+4. Converts it to a template
+
+Template configuration (`hosts/template2`):
+- Minimal base system with essential packages (age, vim, wget, git)
+- Cloud-init configured for NoCloud datasource (no EC2 metadata timeout)
+- DHCP networking on ens18
+- SSH key-based root login
+- `prepare-host.sh` script for cleaning machine-id, SSH keys, and regenerating age keys
+
+#### Deploying VMs with OpenTofu
+
+VMs are deployed from templates using OpenTofu in the `/terraform` directory:
+
+```bash
+cd terraform
+tofu init     # First time only
+tofu apply    # Deploy VMs
+```
+
+Configuration files:
+- `main.tf` - Proxmox provider configuration
+- `variables.tf` - Provider variables (API credentials)
+- `vm.tf` - VM resource definitions
+- `terraform.tfvars` - Actual credentials (gitignored)
+
+Example VM deployment includes:
+- Clone from template VM
+- Cloud-init configuration (SSH keys, network, DNS)
+- Custom CPU/memory/disk sizing
+- VLAN tagging
+- QEMU guest agent
+
+OpenTofu outputs the VM's IP address after deployment for easy SSH access.
+
+### Adding a New Host
+
+1. Create `/hosts/<hostname>/` directory
+2. Copy structure from `template1` or similar host
+3. Add host entry to `flake.nix` nixosConfigurations
+4. Add hostname to dns zone files. Merge to master. Run auto-upgrade on dns servers.
+5. User clones template host
+6. User runs `prepare-host.sh` on new host, this deletes files which should be regenerated, like ssh host keys, machine-id etc. It also creates a new age key, and prints the public key
+7. This key is then added to `.sops.yaml`
+8. Create `/secrets/<hostname>/` if needed
+9. Configure networking (static IP, DNS servers)
+10. Commit changes, and merge to master.
+11. Deploy by running `nixos-rebuild boot --flake URL#<hostname>` on the host.
+
+### Important Patterns
+
+**Overlay usage**: Access unstable packages via `pkgs.unstable.<package>` (defined in flake.nix overlay-unstable)
+
+**Service composition**: Services in `/services/` are designed to be imported by multiple hosts. Keep them modular and reusable.
+
+**Hardware configuration reuse**: Multiple hosts share `/hosts/template/hardware-configuration.nix` for VM instances.
+
+**State version**: All hosts use stateVersion `"23.11"` - do not change this on existing hosts.
+
+**Firewall**: Disabled on most hosts (trusted network). Enable selectively in host configuration if needed.
+
+### Monitoring Stack
+
+All hosts ship metrics and logs to `monitoring01`:
+- **Metrics**: Prometheus scrapes node-exporter from all hosts
+- **Logs**: Promtail ships logs to Loki on monitoring01
+- **Access**: Grafana at monitoring01 for visualization
+- **Tracing**: Tempo for distributed tracing
+- **Profiling**: Pyroscope for continuous profiling
+
+### DNS Architecture
+
+- `ns1` (10.69.13.5) - Primary authoritative DNS + resolver
+- `ns2` (10.69.13.6) - Secondary authoritative DNS (AXFR from ns1)
+- Zone files managed in `/services/ns/`
+- All hosts point to ns1/ns2 for DNS resolution

README.md

@@ -0,0 +1,11 @@
+# nixos-servers
+
+Nixos configs for my homelab servers.
+
+## Configurations in use
+
+* ha1
+* ns1
+* ns2
+* template1
+

TODO.md

@@ -0,0 +1,549 @@
+# TODO: Automated Host Deployment Pipeline
+
+## Vision
+
+Automate the entire process of creating, configuring, and deploying new NixOS hosts on Proxmox from a single command or script.
+
+**Desired workflow:**
+```bash
+./scripts/create-host.sh --hostname myhost --ip 10.69.13.50
+# Script creates config, deploys VM, bootstraps NixOS, and you're ready to go
+```
+
+**Current manual workflow (from CLAUDE.md):**
+1. Create `/hosts/<hostname>/` directory structure
+2. Add host to `flake.nix`
+3. Add DNS entries
+4. Clone template VM manually
+5. Run `prepare-host.sh` on new VM
+6. Add generated age key to `.sops.yaml`
+7. Configure networking
+8. Commit and push
+9. Run `nixos-rebuild boot --flake URL#<hostname>` on host
+
+## The Plan
+
+### Phase 1: Parameterized OpenTofu Deployments ✅ COMPLETED
+
+**Status:** Fully implemented and tested
+
+**Implementation:**
+- Locals-based structure using `for_each` pattern for multiple VM deployments
+- All VM parameters configurable with smart defaults (CPU, memory, disk, IP, storage, etc.)
+- Automatic DHCP vs static IP detection based on `ip` field presence
+- Dynamic outputs showing deployed VM IPs and specifications
+- Successfully tested deploying multiple VMs simultaneously
+
+**Tasks:**
+- [x] Create module/template structure in terraform for repeatable VM deployments
+- [x] Parameterize VM configuration (hostname, CPU, memory, disk, IP)
+- [x] Support both DHCP and static IP configuration via cloud-init
+- [x] Test deploying multiple VMs from same template
+
+**Deliverable:** ✅ Can deploy multiple VMs with custom parameters via OpenTofu in a single `tofu apply`
+
+**Files:**
+- `terraform/vms.tf` - VM definitions using locals map
+- `terraform/outputs.tf` - Dynamic outputs for all VMs
+- `terraform/variables.tf` - Configurable defaults
+- `terraform/README.md` - Complete documentation
+
+---
+
+### Phase 2: Host Configuration Generator ✅ COMPLETED
+
+**Status:** ✅ Fully implemented and tested
+**Completed:** 2025-02-01
+**Enhanced:** 2025-02-01 (added --force flag)
+
+**Goal:** Automate creation of host configuration files
+
+**Implementation:**
+- Python CLI tool packaged as Nix derivation
+- Available as `create-host` command in devShell
+- Rich terminal UI with configuration previews
+- Comprehensive validation (hostname format/uniqueness, IP subnet/uniqueness)
+- Jinja2 templates for NixOS configurations
+- Automatic updates to flake.nix and terraform/vms.tf
+- `--force` flag for regenerating existing configurations (useful for testing)
+
+**Tasks:**
+- [x] Create Python CLI with typer framework
+  - [x] Takes parameters: hostname, IP, CPU cores, memory, disk size
+  - [x] Generates `/hosts/<hostname>/` directory structure
+  - [x] Creates `configuration.nix` with proper hostname and networking
+  - [x] Generates `default.nix` with standard imports
+  - [x] References shared `hardware-configuration.nix` from template
+- [x] Add host entry to `flake.nix` programmatically
+  - [x] Text-based manipulation (regex insertion)
+  - [x] Inserts new nixosConfiguration entry
+  - [x] Maintains proper formatting
+- [x] Generate corresponding OpenTofu configuration
+  - [x] Adds VM definition to `terraform/vms.tf`
+  - [x] Uses parameters from CLI input
+  - [x] Supports both static IP and DHCP modes
+- [x] Package as Nix derivation with templates
+- [x] Add to flake packages and devShell
+- [x] Implement dry-run mode
+- [x] Write comprehensive README
+
+**Usage:**
+```bash
+# In nix develop shell
+create-host \
+  --hostname test01 \
+  --ip 10.69.13.50/24 \  # optional, omit for DHCP
+  --cpu 4 \               # optional, default 2
+  --memory 4096 \         # optional, default 2048
+  --disk 50G \            # optional, default 20G
+  --dry-run               # optional preview mode
+```
+
+**Files:**
+- `scripts/create-host/` - Complete Python package with Nix derivation
+- `scripts/create-host/README.md` - Full documentation and examples
+
+**Deliverable:** ✅ Tool generates all config files for a new host, validated with Nix and Terraform
+
+---
+
+### Phase 3: Bootstrap Mechanism ✅ COMPLETED
+
+**Status:** ✅ Fully implemented and tested
+**Completed:** 2025-02-01
+**Enhanced:** 2025-02-01 (added branch support for testing)
+
+**Goal:** Get freshly deployed VM to apply its specific host configuration
+
+**Implementation:** Systemd oneshot service that runs on first boot after cloud-init
+
+**Approach taken:** Systemd service (variant of Option A)
+- Systemd service `nixos-bootstrap.service` runs on first boot
+- Depends on `cloud-config.service` to ensure hostname is set
+- Reads hostname from `hostnamectl` (set by cloud-init via Terraform)
+- Supports custom git branch via `NIXOS_FLAKE_BRANCH` environment variable
+- Runs `nixos-rebuild boot --flake git+https://git.t-juice.club/torjus/nixos-servers.git?ref=$BRANCH#${hostname}`
+- Reboots into new configuration on success
+- Fails gracefully without reboot on errors (network issues, missing config)
+- Service self-destructs after successful bootstrap (not in new config)
+
+**Tasks:**
+- [x] Create bootstrap service module in template2
+  - [x] systemd oneshot service with proper dependencies
+  - [x] Reads hostname from hostnamectl (cloud-init sets it)
+  - [x] Checks network connectivity via HTTPS (curl)
+  - [x] Runs nixos-rebuild boot with flake URL
+  - [x] Reboots on success, fails gracefully on error
+- [x] Configure cloud-init datasource
+  - [x] Use ConfigDrive datasource (Proxmox provider)
+  - [x] Add cloud-init disk to Terraform VMs (disks.ide.ide2.cloudinit)
+  - [x] Hostname passed via cloud-init user-data from Terraform
+- [x] Test bootstrap service execution on fresh VM
+- [x] Handle failure cases (flake doesn't exist, network issues)
+  - [x] Clear error messages in journald
+  - [x] No reboot on failure
+  - [x] System remains accessible for debugging
+
+**Files:**
+- `hosts/template2/bootstrap.nix` - Bootstrap service definition
+- `hosts/template2/configuration.nix` - Cloud-init ConfigDrive datasource
+- `terraform/vms.tf` - Cloud-init disk configuration
+
+**Deliverable:** ✅ VMs automatically bootstrap and reboot into host-specific configuration on first boot
+
+---
+
+### Phase 4: Secrets Management with HashiCorp Vault
+
+**Challenge:** Current sops-nix approach has chicken-and-egg problem with age keys
+
+**Current workflow:**
+1. VM boots, generates age key at `/var/lib/sops-nix/key.txt`
+2. User runs `prepare-host.sh` which prints public key
+3. User manually adds public key to `.sops.yaml`
+4. User commits, pushes
+5. VM can now decrypt secrets
+
+**Selected approach:** Migrate to HashiCorp Vault for centralized secrets management
+
+**Benefits:**
+- Industry-standard secrets management (Vault experience transferable to work)
+- Eliminates manual age key distribution step
+- Secrets-as-code via OpenTofu (infrastructure-as-code aligned)
+- Centralized PKI management (replaces step-ca, consolidates TLS + SSH CA)
+- Automatic secret rotation capabilities
+- Audit logging for all secret access
+- AppRole authentication enables automated bootstrap
+
+**Architecture:**
+```
+vault.home.2rjus.net
+  ├─ KV Secrets Engine (replaces sops-nix)
+  ├─ PKI Engine (replaces step-ca for TLS)
+  ├─ SSH CA Engine (replaces step-ca SSH CA)
+  └─ AppRole Auth (per-host authentication)
+       ↓
+   New hosts authenticate on first boot
+   Fetch secrets via Vault API
+   No manual key distribution needed
+```
+
+---
+
+#### Phase 4a: Vault Server Setup
+
+**Goal:** Deploy and configure Vault server with auto-unseal
+
+**Tasks:**
+- [ ] Create `hosts/vault01/` configuration
+  - [ ] Basic NixOS configuration (hostname, networking, etc.)
+  - [ ] Vault service configuration
+  - [ ] Firewall rules (8200 for API, 8201 for cluster)
+  - [ ] Add to flake.nix and terraform
+- [ ] Implement auto-unseal mechanism
+  - [ ] **Preferred:** TPM-based auto-unseal if hardware supports it
+    - [ ] Use tpm2-tools to seal/unseal Vault keys
+    - [ ] Systemd service to unseal on boot
+  - [ ] **Fallback:** Shamir secret sharing with systemd automation
+    - [ ] Generate 3 keys, threshold 2
+    - [ ] Store 2 keys on disk (encrypted), keep 1 offline
+    - [ ] Systemd service auto-unseals using 2 keys
+- [ ] Initial Vault setup
+  - [ ] Initialize Vault
+  - [ ] Configure storage backend (integrated raft or file)
+  - [ ] Set up root token management
+  - [ ] Enable audit logging
+- [ ] Deploy to infrastructure
+  - [ ] Add DNS entry for vault.home.2rjus.net
+  - [ ] Deploy VM via terraform
+  - [ ] Bootstrap and verify Vault is running
+
+**Deliverable:** Running Vault server that auto-unseals on boot
+
+---
+
+#### Phase 4b: Vault-as-Code with OpenTofu
+
+**Goal:** Manage all Vault configuration (secrets structure, policies, roles) as code
+
+**Tasks:**
+- [ ] Set up Vault Terraform provider
+  - [ ] Create `terraform/vault/` directory
+  - [ ] Configure Vault provider (address, auth)
+  - [ ] Store Vault token securely (terraform.tfvars, gitignored)
+- [ ] Enable and configure secrets engines
+  - [ ] Enable KV v2 secrets engine at `secret/`
+  - [ ] Define secret path structure (per-service, per-host)
+  - [ ] Example: `secret/monitoring/grafana`, `secret/postgres/ha1`
+- [ ] Define policies as code
+  - [ ] Create policies for different service tiers
+  - [ ] Principle of least privilege (hosts only read their secrets)
+  - [ ] Example: monitoring-policy allows read on `secret/monitoring/*`
+- [ ] Set up AppRole authentication
+  - [ ] Enable AppRole auth backend
+  - [ ] Create role per host type (monitoring, dns, database, etc.)
+  - [ ] Bind policies to roles
+  - [ ] Configure TTL and token policies
+- [ ] Migrate existing secrets from sops-nix
+  - [ ] Create migration script/playbook
+  - [ ] Decrypt sops secrets and load into Vault KV
+  - [ ] Verify all secrets migrated successfully
+  - [ ] Keep sops as backup during transition
+- [ ] Implement secrets-as-code patterns
+  - [ ] Secret values in gitignored terraform.tfvars
+  - [ ] Or use random_password for auto-generated secrets
+  - [ ] Secret structure/paths in version-controlled .tf files
+
+**Example OpenTofu:**
+```hcl
+resource "vault_kv_secret_v2" "monitoring_grafana" {
+  mount = "secret"
+  name  = "monitoring/grafana"
+  data_json = jsonencode({
+    admin_password = var.grafana_admin_password
+    smtp_password  = var.smtp_password
+  })
+}
+
+resource "vault_policy" "monitoring" {
+  name = "monitoring-policy"
+  policy = <<EOT
+path "secret/data/monitoring/*" {
+  capabilities = ["read"]
+}
+EOT
+}
+
+resource "vault_approle_auth_backend_role" "monitoring01" {
+  backend   = "approle"
+  role_name = "monitoring01"
+  token_policies = ["monitoring-policy"]
+}
+```
+
+**Deliverable:** All secrets and policies managed as OpenTofu code in `terraform/vault/`
+
+---
+
+#### Phase 4c: PKI Migration (Replace step-ca)
+
+**Goal:** Consolidate PKI infrastructure into Vault
+
+**Tasks:**
+- [ ] Set up Vault PKI engines
+  - [ ] Create root CA in Vault (`pki/` mount, 10 year TTL)
+  - [ ] Create intermediate CA (`pki_int/` mount, 5 year TTL)
+  - [ ] Sign intermediate with root CA
+  - [ ] Configure CRL and OCSP
+- [ ] Enable ACME support
+  - [ ] Enable ACME on intermediate CA (Vault 1.14+)
+  - [ ] Create PKI role for homelab domain
+  - [ ] Set certificate TTLs and allowed domains
+- [ ] Configure SSH CA in Vault
+  - [ ] Enable SSH secrets engine (`ssh/` mount)
+  - [ ] Generate SSH signing keys
+  - [ ] Create roles for host and user certificates
+  - [ ] Configure TTLs and allowed principals
+- [ ] Migrate hosts from step-ca to Vault
+  - [ ] Update system/acme.nix to use Vault ACME endpoint
+  - [ ] Change server to `https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory`
+  - [ ] Test certificate issuance on one host
+  - [ ] Roll out to all hosts via auto-upgrade
+- [ ] Migrate SSH CA trust
+  - [ ] Distribute Vault SSH CA public key to all hosts
+  - [ ] Update sshd_config to trust Vault CA
+  - [ ] Test SSH certificate authentication
+- [ ] Decommission step-ca
+  - [ ] Verify all services migrated
+  - [ ] Stop step-ca service on ca host
+  - [ ] Archive step-ca configuration for backup
+
+**Deliverable:** All TLS and SSH certificates issued by Vault, step-ca retired
+
+---
+
+#### Phase 4d: Bootstrap Integration
+
+**Goal:** New hosts automatically authenticate to Vault on first boot, no manual steps
+
+**Tasks:**
+- [ ] Update create-host tool
+  - [ ] Generate AppRole role_id + secret_id for new host
+  - [ ] Or create wrapped token for one-time bootstrap
+  - [ ] Add host-specific policy to Vault (via terraform)
+  - [ ] Store bootstrap credentials for cloud-init injection
+- [ ] Update template2 for Vault authentication
+  - [ ] Create Vault authentication module
+  - [ ] Reads bootstrap credentials from cloud-init
+  - [ ] Authenticates to Vault, retrieves permanent AppRole credentials
+  - [ ] Stores role_id + secret_id locally for services to use
+- [ ] Create NixOS Vault secrets module
+  - [ ] Replacement for sops.secrets
+  - [ ] Fetches secrets from Vault at nixos-rebuild/activation time
+  - [ ] Or runtime secret fetching for services
+  - [ ] Handle Vault token renewal
+- [ ] Update bootstrap service
+  - [ ] After authenticating to Vault, fetch any bootstrap secrets
+  - [ ] Run nixos-rebuild with host configuration
+  - [ ] Services automatically fetch their secrets from Vault
+- [ ] Update terraform cloud-init
+  - [ ] Inject Vault address and bootstrap credentials
+  - [ ] Pass via cloud-init user-data or write_files
+  - [ ] Credentials scoped to single use or short TTL
+- [ ] Test complete flow
+  - [ ] Run create-host to generate new host config
+  - [ ] Deploy with terraform
+  - [ ] Verify host bootstraps and authenticates to Vault
+  - [ ] Verify services can fetch secrets
+  - [ ] Confirm no manual steps required
+
+**Bootstrap flow:**
+```
+1. terraform apply (deploys VM with cloud-init)
+2. Cloud-init sets hostname + Vault bootstrap credentials
+3. nixos-bootstrap.service runs:
+   - Authenticates to Vault with bootstrap credentials
+   - Retrieves permanent AppRole credentials
+   - Stores locally for service use
+   - Runs nixos-rebuild
+4. Host services fetch secrets from Vault as needed
+5. Done - no manual intervention
+```
+
+**Deliverable:** Fully automated secrets access from first boot, zero manual steps
+
+---
+
+### Phase 5: DNS Automation
+
+**Goal:** Automatically generate DNS entries from host configurations
+
+**Approach:** Leverage Nix to generate zone file entries from flake host configurations
+
+Since most hosts use static IPs defined in their NixOS configurations, we can extract this information and automatically generate A records. This keeps DNS in sync with the actual host configs.
+
+**Tasks:**
+- [ ] Add optional CNAME field to host configurations
+  - [ ] Add `networking.cnames = [ "alias1" "alias2" ]` or similar option
+  - [ ] Document in host configuration template
+- [ ] Create Nix function to extract DNS records from all hosts
+  - [ ] Parse each host's `networking.hostName` and IP configuration
+  - [ ] Collect any defined CNAMEs
+  - [ ] Generate zone file fragment with A and CNAME records
+- [ ] Integrate auto-generated records into zone files
+  - [ ] Keep manual entries separate (for non-flake hosts/services)
+  - [ ] Include generated fragment in main zone file
+  - [ ] Add comments showing which records are auto-generated
+- [ ] Update zone file serial number automatically
+- [ ] Test zone file validity after generation
+- [ ] Either:
+  - [ ] Automatically trigger DNS server reload (Ansible)
+  - [ ] Or document manual step: merge to master, run upgrade on ns1/ns2
+
+**Deliverable:** DNS A records and CNAMEs automatically generated from host configs
+
+---
+
+### Phase 6: Integration Script
+
+**Goal:** Single command to create and deploy a new host
+
+**Tasks:**
+- [ ] Create `scripts/create-host.sh` master script that orchestrates:
+  1. Prompts for: hostname, IP (or DHCP), CPU, memory, disk
+  2. Validates inputs (IP not in use, hostname unique, etc.)
+  3. Calls host config generator (Phase 2)
+  4. Generates OpenTofu config (Phase 2)
+  5. Handles secrets (Phase 4)
+  6. Updates DNS (Phase 5)
+  7. Commits all changes to git
+  8. Runs `tofu apply` to deploy VM
+  9. Waits for bootstrap to complete (Phase 3)
+  10. Prints success message with IP and SSH command
+- [ ] Add `--dry-run` flag to preview changes
+- [ ] Add `--interactive` mode vs `--batch` mode
+- [ ] Error handling and rollback on failures
+
+**Deliverable:** `./scripts/create-host.sh --hostname myhost --ip 10.69.13.50` creates a fully working host
+
+---
+
+### Phase 7: Testing & Documentation
+
+**Status:** 🚧 In Progress (testing improvements completed)
+
+**Testing Improvements Implemented (2025-02-01):**
+
+The pipeline now supports efficient testing without polluting master branch:
+
+**1. --force Flag for create-host**
+- Re-run `create-host` to regenerate existing configurations
+- Updates existing entries in flake.nix and terraform/vms.tf (no duplicates)
+- Skip uniqueness validation checks
+- Useful for iterating on configuration templates during testing
+
+**2. Branch Support for Bootstrap**
+- Bootstrap service reads `NIXOS_FLAKE_BRANCH` environment variable
+- Defaults to `master` if not set
+- Allows testing pipeline changes on feature branches
+- Cloud-init passes branch via `/etc/environment`
+
+**3. Cloud-init Disk for Branch Configuration**
+- Terraform generates custom cloud-init snippets for test VMs
+- Set `flake_branch` field in VM definition to use non-master branch
+- Production VMs omit this field and use master (default)
+- Files automatically uploaded to Proxmox via SSH
+
+**Testing Workflow:**
+
+```bash
+# 1. Create test branch
+git checkout -b test-pipeline
+
+# 2. Generate or update host config
+create-host --hostname testvm01 --ip 10.69.13.100/24
+
+# 3. Edit terraform/vms.tf to add test VM with branch
+# vms = {
+#   "testvm01" = {
+#     ip = "10.69.13.100/24"
+#     flake_branch = "test-pipeline"  # Bootstrap from this branch
+#   }
+# }
+
+# 4. Commit and push test branch
+git add -A && git commit -m "test: add testvm01"
+git push origin test-pipeline
+
+# 5. Deploy VM
+cd terraform && tofu apply
+
+# 6. Watch bootstrap (VM fetches from test-pipeline branch)
+ssh root@10.69.13.100
+journalctl -fu nixos-bootstrap.service
+
+# 7. Iterate: modify templates and regenerate with --force
+cd .. && create-host --hostname testvm01 --ip 10.69.13.100/24 --force
+git commit -am "test: update config" && git push
+
+# Redeploy to test fresh bootstrap
+cd terraform
+tofu destroy -target=proxmox_vm_qemu.vm[\"testvm01\"] && tofu apply
+
+# 8. Clean up when done: squash commits, merge to master, remove test VM
+```
+
+**Files:**
+- `scripts/create-host/create_host.py` - Added --force parameter
+- `scripts/create-host/manipulators.py` - Update vs insert logic
+- `hosts/template2/bootstrap.nix` - Branch support via environment variable
+- `terraform/vms.tf` - flake_branch field support
+- `terraform/cloud-init.tf` - Custom cloud-init disk generation
+- `terraform/variables.tf` - proxmox_host variable for SSH uploads
+
+**Remaining Tasks:**
+- [ ] Test full pipeline end-to-end on feature branch
+- [ ] Update CLAUDE.md with testing workflow
+- [ ] Add troubleshooting section
+- [ ] Create examples for common scenarios (DHCP host, static IP host, etc.)
+
+---
+
+## Open Questions
+
+1. **Bootstrap method:** Cloud-init runcmd vs Terraform provisioner vs Ansible?
+2. **Secrets handling:** Pre-generate keys vs post-deployment injection?
+3. **DNS automation:** Auto-commit or manual merge?
+4. **Git workflow:** Auto-push changes or leave for user review?
+5. **Template selection:** Single template2 or multiple templates for different host types?
+6. **Networking:** Always DHCP initially, or support static IP from start?
+7. **Error recovery:** What happens if bootstrap fails? Manual intervention or retry?
+
+## Implementation Order
+
+Recommended sequence:
+1. Phase 1: Parameterize OpenTofu (foundation for testing)
+2. Phase 3: Bootstrap mechanism (core automation)
+3. Phase 2: Config generator (automate the boilerplate)
+4. Phase 4: Secrets (solves biggest chicken-and-egg)
+5. Phase 5: DNS (nice-to-have automation)
+6. Phase 6: Integration script (ties it all together)
+7. Phase 7: Testing & docs
+
+## Success Criteria
+
+When complete, creating a new host should:
+- Take < 5 minutes of human time
+- Require minimal user input (hostname, IP, basic specs)
+- Result in a fully configured, secret-enabled, DNS-registered host
+- Be reproducible and documented
+- Handle common errors gracefully
+
+---
+
+## Notes
+
+- Keep incremental commits at each phase
+- Test each phase independently before moving to next
+- Maintain backward compatibility with manual workflow
+- Document any manual steps that can't be automated

common/vm/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./qemu-guest.nix
+  ];
+}

common/vm/qemu-guest.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.qemuGuest.enable = true;
+}

flake.lock

@@ -1,44 +1,91 @@
 {
   "nodes": {
-    "nixpkgs": {
+    "alerttonotify": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
       "locked": {
-        "lastModified": 1709677081,
-        "narHash": "sha256-tix36Y7u0rkn6mTm0lA45b45oab2cFLqAzDbJxeXS+c=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "880992dcc006a5e00dd0591446fdf723e6a51a64",
-        "type": "github"
+        "lastModified": 1739310461,
+        "narHash": "sha256-GscftfATX84Aae9FObrQOe+hr5MsEma2Fc5fdzuu3hA=",
+        "ref": "master",
+        "rev": "53915cec6356be1a2d44ac2cbd0a71b32d679e6f",
+        "revCount": 7,
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/alerttonotify"
       },
       "original": {
-        "owner": "nixos",
-        "ref": "nixos-23.11",
-        "repo": "nixpkgs",
-        "type": "github"
+        "ref": "master",
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/alerttonotify"
       }
     },
-    "nixpkgs-stable": {
+    "backup-helper": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
       "locked": {
-        "lastModified": 1709428628,
-        "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
-        "owner": "NixOS",
+        "lastModified": 1738015166,
+        "narHash": "sha256-573tR4aXNjILKvYnjZUM5DZZME2H6YTHJkUKs3ZehFU=",
+        "ref": "master",
+        "rev": "f9540cc065692c7ca80735e7b08399459e0ea6d6",
+        "revCount": 35,
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/backup-helper"
+      },
+      "original": {
+        "ref": "master",
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/backup-helper"
+      }
+    },
+    "labmon": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748983975,
+        "narHash": "sha256-DA5mOqxwLMj/XLb4hvBU1WtE6cuVej7PjUr8N0EZsCE=",
+        "ref": "master",
+        "rev": "040a73e891a70ff06ec7ab31d7167914129dbf7d",
+        "revCount": 17,
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/labmon"
+      },
+      "original": {
+        "ref": "master",
+        "type": "git",
+        "url": "https://git.t-juice.club/torjus/labmon"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1769598131,
+        "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
+        "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
+        "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "release-23.11",
+        "owner": "nixos",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1709703039,
-        "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",
+        "lastModified": 1769461804,
+        "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",
+        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
         "type": "github"
       },
       "original": {
@@ -48,24 +95,11 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1709356872,
-        "narHash": "sha256-mvxCirJbtkP0cZ6ABdwcgTk0u3bgLoIoEFIoYBvD6+4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "458b097d81f90275b3fdf03796f0563844926708",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
+        "alerttonotify": "alerttonotify",
+        "backup-helper": "backup-helper",
+        "labmon": "labmon",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "sops-nix": "sops-nix"
@@ -73,15 +107,16 @@
     },
     "sops-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-stable": "nixpkgs-stable"
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
       },
       "locked": {
-        "lastModified": 1709711091,
-        "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=",
+        "lastModified": 1769469829,
+        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc",
+        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,12 +2,38 @@
   description = "Homelab v5 Nixos Server Configurations";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-23.11";
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.11";
     nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    sops-nix.url = "github:Mic92/sops-nix";
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    backup-helper = {
+      url = "git+https://git.t-juice.club/torjus/backup-helper?ref=master";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    alerttonotify = {
+      url = "git+https://git.t-juice.club/torjus/alerttonotify?ref=master";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    labmon = {
+      url = "git+https://git.t-juice.club/torjus/labmon?ref=master";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, ... }@inputs:
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nixpkgs-unstable,
+      sops-nix,
+      backup-helper,
+      alerttonotify,
+      labmon,
+      ...
+    }@inputs:
     let
       system = "x86_64-linux";
       overlay-unstable = final: prev: {
@@ -16,54 +42,348 @@
           config.allowUnfree = true;
         };
       };
+      commonOverlays = [
+        overlay-unstable
+        alerttonotify.overlays.default
+        labmon.overlays.default
+      ];
+      allSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
+      forAllSystems =
+        f: nixpkgs.lib.genAttrs allSystems (system: f { pkgs = import nixpkgs { inherit system; }; });
     in
     {
       nixosConfigurations = {
         ns1 = nixpkgs.lib.nixosSystem {
           inherit system;
-          specialArgs = { inherit inputs self sops-nix; };
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
           modules = [
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
             ./hosts/ns1
             sops-nix.nixosModules.sops
           ];
         };
         ns2 = nixpkgs.lib.nixosSystem {
           inherit system;
-          specialArgs = { inherit inputs self sops-nix; };
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
           modules = [
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
             ./hosts/ns2
             sops-nix.nixosModules.sops
           ];
         };
         ns3 = nixpkgs.lib.nixosSystem {
           inherit system;
-          specialArgs = { inherit inputs self sops-nix; };
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
           modules = [
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
             ./hosts/ns3
             sops-nix.nixosModules.sops
           ];
         };
         ns4 = nixpkgs.lib.nixosSystem {
           inherit system;
-          specialArgs = { inherit inputs self sops-nix; };
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
           modules = [
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
             ./hosts/ns4
             sops-nix.nixosModules.sops
           ];
         };
+        nixos-test1 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/nixos-test1
+            sops-nix.nixosModules.sops
+            backup-helper.nixosModules.backup-helper
+          ];
+        };
+        ha1 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/ha1
+            sops-nix.nixosModules.sops
+            backup-helper.nixosModules.backup-helper
+          ];
+        };
         template1 = nixpkgs.lib.nixosSystem {
           inherit system;
-          specialArgs = { inherit inputs self sops-nix; };
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
           modules = [
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
             ./hosts/template
             sops-nix.nixosModules.sops
           ];
         };
+        template2 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
           };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/template2
+            sops-nix.nixosModules.sops
+          ];
+        };
+        http-proxy = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/http-proxy
+            sops-nix.nixosModules.sops
+          ];
+        };
+        ca = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/ca
+            sops-nix.nixosModules.sops
+          ];
+        };
+        monitoring01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/monitoring01
+            sops-nix.nixosModules.sops
+            backup-helper.nixosModules.backup-helper
+            labmon.nixosModules.labmon
+          ];
+        };
+        jelly01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/jelly01
+            sops-nix.nixosModules.sops
+          ];
+        };
+        nix-cache01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/nix-cache01
+            sops-nix.nixosModules.sops
+          ];
+        };
+        media1 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/media1
+            sops-nix.nixosModules.sops
+          ];
+        };
+        pgdb1 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/pgdb1
+            sops-nix.nixosModules.sops
+          ];
+        };
+        nats1 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/nats1
+            sops-nix.nixosModules.sops
+          ];
+        };
+        auth01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self sops-nix;
+          };
+          modules = [
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = commonOverlays;
+              }
+            )
+            ./hosts/auth01
+            sops-nix.nixosModules.sops
+          ];
+        };
+      testvm01 = nixpkgs.lib.nixosSystem {
+        inherit system;
+        specialArgs = {
+          inherit inputs self sops-nix;
+        };
+        modules = [
+          (
+            { config, pkgs, ... }:
+            {
+              nixpkgs.overlays = commonOverlays;
+            }
+          )
+          ./hosts/testvm01
+          sops-nix.nixosModules.sops
+        ];
+      };
+      vault01 = nixpkgs.lib.nixosSystem {
+        inherit system;
+        specialArgs = {
+          inherit inputs self sops-nix;
+        };
+        modules = [
+          (
+            { config, pkgs, ... }:
+            {
+              nixpkgs.overlays = commonOverlays;
+            }
+          )
+          ./hosts/vault01
+          sops-nix.nixosModules.sops
+        ];
+      };
+      };
+      packages = forAllSystems (
+        { pkgs }:
+        {
+          create-host = pkgs.callPackage ./scripts/create-host { };
+        }
+      );
+      devShells = forAllSystems (
+        { pkgs }:
+        {
+          default = pkgs.mkShell {
+            packages = with pkgs; [
+              ansible
+              opentofu
+              (pkgs.callPackage ./scripts/create-host { })
+            ];
+          };
+        }
+      );
     };
 }

hosts/auth01/configuration.nix

@@ -0,0 +1,65 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "auth01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.18/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  services.qemuGuest.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/auth01/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/lldap
+    ../../services/authelia
+  ];
+}

hosts/ca/configuration.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "ca";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.12/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/ca/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/ca
+  ];
+}

hosts/ha1/configuration.nix

@@ -0,0 +1,77 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "ha1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.9/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Backup service dirs
+  sops.secrets."backup_helper_secret" = { };
+  backup-helper = {
+    enable = true;
+    password-file = "/run/secrets/backup_helper_secret";
+    backup-dirs = [
+      "/var/lib/hass"
+      "/var/lib/zigbee2mqtt"
+      "/var/lib/mosquitto"
+    ];
+  };
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/ha1/default.nix

@@ -0,0 +1,6 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+    ../../services/home-assistant
+  ];
+}

hosts/http-proxy/configuration.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "http-proxy";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.11/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/http-proxy/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/http-proxy
+    ./wireguard.nix
+  ];
+}

hosts/http-proxy/wireguard.nix

@@ -0,0 +1,33 @@
+{ config, ... }:
+{
+  sops.secrets.wireguard_private_key = {
+    sopsFile = ../../secrets/http-proxy/wireguard.yaml;
+    key = "wg_private_key";
+  };
+  networking.wireguard = {
+    enable = true;
+    useNetworkd = true;
+
+    interfaces = {
+      wg0 = {
+        ips = [ "10.69.222.3/24" ];
+        mtu = 1384;
+        listenPort = 51820;
+        privateKeyFile = config.sops.secrets.wireguard_private_key.path;
+        peers = [
+          {
+            name = "docker2.t-juice.club";
+            endpoint = "docker2.t-juice.club:51820";
+            publicKey = "32Rb13wExcy8uI92JTnFdiOfkv0mlQ6f181WA741DHs=";
+            allowedIPs = [ "10.69.222.0/24" ];
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+  # monitoring
+  services.prometheus.exporters.wireguard = {
+    enable = true;
+  };
+}

hosts/jelly01/configuration.nix

@@ -0,0 +1,69 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "jelly01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.14/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  services.qemuGuest.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  zramSwap = {
+    enable = true;
+  };
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/jelly01/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/jellyfin
+  ];
+}

hosts/jump/configuration.nix

@@ -29,7 +29,7 @@
       "10.69.13.10/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/media1/configuration.nix

@@ -0,0 +1,76 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+
+    ../../system
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  # Use the systemd-boot EFI boot loader.
+  boot = {
+    loader.systemd-boot = {
+      enable = true;
+      configurationLimit = 5;
+      memtest86.enable = true;
+    };
+    loader.efi.canTouchEfiVariables = true;
+    supportedFilesystems = [ "nfs" ];
+  };
+
+  networking.hostName = "media1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."enp2s0" = {
+    matchConfig.Name = "enp2s0";
+    address = [
+      "10.69.12.82/24"
+    ];
+    routes = [
+      { Gateway = "10.69.12.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  # Graphics
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      libvdpau-va-gl
+      libva-vdpau-driver
+    ];
+  };
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/media1/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./kodi.nix
+  ];
+}

hosts/media1/hardware-configuration.nix

@@ -0,0 +1,33 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/3e7c311c-b1a3-4be7-b8bf-e497cba64302";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/F0D7-E5C1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/1a06a36f-da61-4d36-b94e-b852836c328a"; }];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
+

hosts/media1/kodi.nix

@@ -0,0 +1,29 @@
+{ pkgs, ... }:
+let
+  kodipkg = pkgs.kodi-wayland.withPackages (
+    p: with p; [
+      jellyfin
+    ]
+  );
+in
+{
+  users.users.kodi = {
+    isNormalUser = true;
+    description = "Kodi Media Center user";
+  };
+  #services.xserver = {
+  #  enable = true;
+  #};
+  services.cage = {
+    enable = true;
+    user = "kodi";
+    environment = {
+      XKB_DEFAULT_LAYOUT = "no";
+    };
+    program = "${kodipkg}/bin/kodi";
+  };
+
+  environment.systemPackages = with pkgs; [
+    firefox
+  ];
+}

hosts/monitoring01/configuration.nix

@@ -0,0 +1,134 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "monitoring01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.13/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+    sqlite
+  ];
+
+  services.qemuGuest.enable = true;
+
+  sops.secrets."backup_helper_secret" = { };
+  backup-helper = {
+    enable = true;
+    password-file = "/run/secrets/backup_helper_secret";
+    backup-dirs = [
+      "/var/lib/grafana/plugins"
+    ];
+    backup-commands = [
+      # "grafana.db:${pkgs.sqlite}/bin/sqlite /var/lib/grafana/data/grafana.db .dump"
+      "grafana.db:${pkgs.sqlite}/bin/sqlite3 /var/lib/grafana/data/grafana.db .dump"
+    ];
+  };
+
+  labmon = {
+    enable = true;
+
+    settings = {
+      ListenAddr = ":9969";
+      Profiling = true;
+      StepMonitors = [
+        {
+          Enabled = true;
+          BaseURL = "https://ca.home.2rjus.net";
+          RootID = "3381bda8015a86b9a3cd1851439d1091890a79005e0f1f7c4301fe4bccc29d80";
+        }
+      ];
+
+      TLSConnectionMonitors = [
+        {
+          Enabled = true;
+          Address = "ca.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "jelly.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "grafana.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "prometheus.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "alertmanager.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+        {
+          Enabled = true;
+          Address = "pyroscope.home.2rjus.net:443";
+          Verify = true;
+          Duration = "12h";
+        }
+      ];
+    };
+  };
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/monitoring01/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/monitoring
+  ];
+}

hosts/nats1/configuration.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "nats1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.17/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/nats1/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/nats
+  ];
+}

hosts/nix-cache01/configuration.nix

@@ -0,0 +1,69 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/nixcache";
+    fsType = "xfs";
+  };
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "nix-cache01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.15/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  services.qemuGuest.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/nix-cache01/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/nix-cache
+    ../../services/actions-runner
+    ./zram.nix
+  ];
+}

hosts/nix-cache01/zram.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  zramSwap = {
+    enable = true;
+  };
+}

hosts/nixos-test1/configuration.nix

@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [
+      ../template/hardware-configuration.nix
+
+      ../../system
+    ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  networking.hostName = "nixos-test1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.10/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  # Secrets
+  # Backup helper
+  sops.secrets."backup_helper_secret" = { };
+  backup-helper = {
+    enable = true;
+    password-file = "/run/secrets/backup_helper_secret";
+    backup-dirs = [
+      "/etc/machine-id"
+      "/etc/os-release"
+    ];
+  };
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
+

hosts/nixos-test1/default.nix

@@ -0,0 +1,5 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+  ];
+}

hosts/ns1/configuration.nix

@@ -1,13 +1,18 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
-  imports =
-    [
+  imports = [
     ../template/hardware-configuration.nix
 
     ../../system
     ../../services/ns/master-authorative.nix
     ../../services/ns/resolver.nix
+    ../../common/vm
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -32,13 +37,16 @@
       "10.69.13.5/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };
   time.timeZone = "Europe/Oslo";
 
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
   nix.settings.tarball-ttl = 0;
   environment.systemPackages = with pkgs; [
     vim
@@ -54,4 +62,3 @@
 
   system.stateVersion = "23.11"; # Did you read the comment?
 }
-

hosts/ns2/configuration.nix

@@ -1,13 +1,18 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
-  imports =
-    [
+  imports = [
     ../template/hardware-configuration.nix
 
     ../../system
     ../../services/ns/secondary-authorative.nix
     ../../services/ns/resolver.nix
+    ../../common/vm
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -32,13 +37,16 @@
       "10.69.13.6/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };
   time.timeZone = "Europe/Oslo";
 
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
   environment.systemPackages = with pkgs; [
     vim
     wget
@@ -53,4 +61,3 @@
 
   system.stateVersion = "23.11"; # Did you read the comment?
 }
-

hosts/ns3/configuration.nix

@@ -32,7 +32,7 @@
       "10.69.13.7/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/ns4/configuration.nix

@@ -32,7 +32,7 @@
       "10.69.13.8/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.13.1"; }
+      { Gateway = "10.69.13.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/pgdb1/configuration.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    configurationLimit = 3;
+  };
+
+  networking.hostName = "pgdb1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.16/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/pgdb1/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ../../services/postgres
+  ];
+}

hosts/template/configuration.nix

@@ -28,7 +28,7 @@
       "10.69.8.250/24"
     ];
     routes = [
-      { routeConfig.Gateway = "10.69.8.1"; }
+      { Gateway = "10.69.8.1"; }
     ];
     linkConfig.RequiredForOnline = "routable";
   };

hosts/template/hardware-configuration.nix

@@ -1,4 +1,10 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
   imports = [
@@ -13,17 +19,17 @@
     "sr_mod"
   ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [
+    "ptp_kvm"
+  ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    {
+  fileSystems."/" = {
     device = "/dev/disk/by-label/root";
     fsType = "xfs";
   };
 
-  swapDevices =
-    [{ device = "/dev/disk/by-label/swap"; }];
+  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -34,4 +40,3 @@
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
-

hosts/template2/bootstrap.nix

@@ -0,0 +1,73 @@
+{ pkgs, config, lib, ... }:
+let
+  bootstrap-script = pkgs.writeShellApplication {
+    name = "nixos-bootstrap";
+    runtimeInputs = with pkgs; [ systemd curl nixos-rebuild jq git ];
+    text = ''
+      set -euo pipefail
+
+      # Read hostname set by cloud-init (from Terraform VM name via user-data)
+      # Cloud-init sets the system hostname from user-data.txt, so we read it from hostnamectl
+      HOSTNAME=$(hostnamectl hostname)
+      echo "DEBUG: Hostname from hostnamectl: '$HOSTNAME'"
+
+      echo "Starting NixOS bootstrap for host: $HOSTNAME"
+      echo "Waiting for network connectivity..."
+
+      # Verify we can reach the git server via HTTPS (doesn't respond to ping)
+      if ! curl -s --connect-timeout 5 --max-time 10 https://git.t-juice.club >/dev/null 2>&1; then
+        echo "ERROR: Cannot reach git.t-juice.club via HTTPS"
+        echo "Check network configuration and DNS settings"
+        exit 1
+      fi
+
+      echo "Network connectivity confirmed"
+      echo "Fetching and building NixOS configuration from flake..."
+
+      # Read git branch from environment, default to master
+      BRANCH="''${NIXOS_FLAKE_BRANCH:-master}"
+      echo "Using git branch: $BRANCH"
+
+      # Build and activate the host-specific configuration
+      FLAKE_URL="git+https://git.t-juice.club/torjus/nixos-servers.git?ref=$BRANCH#''${HOSTNAME}"
+
+      if nixos-rebuild boot --flake "$FLAKE_URL"; then
+        echo "Successfully built configuration for $HOSTNAME"
+        echo "Rebooting into new configuration..."
+        sleep 2
+        systemctl reboot
+      else
+        echo "ERROR: nixos-rebuild failed for $HOSTNAME"
+        echo "Check that flake has configuration for this hostname"
+        echo "Manual intervention required - system will not reboot"
+        exit 1
+      fi
+    '';
+  };
+in
+{
+  systemd.services."nixos-bootstrap" = {
+    description = "Bootstrap NixOS configuration from flake on first boot";
+
+    # Wait for cloud-init to finish setting hostname and network to be online
+    after = [ "cloud-config.service" "network-online.target" ];
+    wants = [ "network-online.target" ];
+    requires = [ "cloud-config.service" ];
+
+    # Run on boot
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${bootstrap-script}/bin/nixos-bootstrap";
+
+      # Read environment variables from /etc/environment (set by cloud-init)
+      EnvironmentFile = "-/etc/environment";
+
+      # Logging to journald
+      StandardOutput = "journal+console";
+      StandardError = "journal+console";
+    };
+  };
+}

hosts/template2/configuration.nix

@@ -0,0 +1,70 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../system/sshd.nix
+  ];
+
+  # Root user with no password but SSH key access for bootstrapping
+  users.users.root = {
+    hashedPassword = "";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
+    ];
+  };
+
+  # Proxmox image-specific configuration
+  # Configure storage to use local-zfs instead of local-lvm
+  image.modules.proxmox = {
+    proxmox.qemuConf.virtio0 = lib.mkForce "local-zfs:vm-9999-disk-0";
+    proxmox.qemuConf.boot = lib.mkForce "order=virtio0";
+    proxmox.cloudInit.defaultStorage = lib.mkForce "local-zfs";
+  };
+
+  # Configure cloud-init to use ConfigDrive datasource (used by Proxmox)
+  services.cloud-init.settings = {
+    datasource_list = [ "ConfigDrive" "NoCloud" ];
+  };
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+  networking.hostName = "nixos-template2";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    networkConfig.DHCP = "ipv4";
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    age
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "25.11";
+}

hosts/template2/default.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+    ./scripts.nix
+    ./bootstrap.nix
+    ../../system/packages.nix
+  ];
+}

hosts/template2/hardware-configuration.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [
+    "ptp_kvm"
+    "virtio_rng"  # Provides entropy from host for fast SSH key generation
+  ];
+  boot.extraModulePackages = [ ];
+
+  # Filesystem configuration matching Proxmox image builder output
+  fileSystems."/" = lib.mkDefault {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+    options = [ "x-systemd.growfs" ];
+  };
+
+  swapDevices = lib.mkDefault [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/template2/scripts.nix

@@ -0,0 +1,33 @@
+{ pkgs, ... }:
+let
+  prepare-host-script = pkgs.writeShellScriptBin "prepare-host.sh"
+    ''
+      echo "Removing machine-id"
+      rm -f /etc/machine-id || true
+
+      echo "Removing SSH host keys"
+      rm -f /etc/ssh/ssh_host_* || true
+
+      echo "Restarting SSH"
+      systemctl restart sshd
+
+      echo "Removing temporary files"
+      rm -rf /tmp/* || true
+
+      echo "Removing logs"
+      journalctl --rotate || true
+      journalctl --vacuum-time=1s || true
+
+      echo "Removing cache"
+      rm -rf /var/cache/* || true
+
+      echo "Generate age key"
+      rm -rf /var/lib/sops-nix || true
+      mkdir -p /var/lib/sops-nix
+      ${pkgs.age}/bin/age-keygen -o /var/lib/sops-nix/key.txt
+    '';
+in
+{
+  environment.systemPackages = [ prepare-host-script ];
+  users.motd = "Prepare host by running 'prepare-host.sh'.";
+}

hosts/testvm01/configuration.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template2/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+
+  networking.hostName = "testvm01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = false;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.101/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "25.11"; # Did you read the comment?
+}

hosts/testvm01/default.nix

@@ -0,0 +1,5 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+  ];
+}

hosts/vault01/configuration.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template2/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+    ../../services/vault
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+
+  networking.hostName = "vault01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.19/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "25.11"; # Did you read the comment?
+}
+

hosts/vault01/default.nix

@@ -0,0 +1,5 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+  ];
+}

inventory

@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+import json
+import subprocess
+
+IGNORED_HOSTS = [
+    "inc1",
+    "inc2",
+    "media1",
+    "nixos-test1",
+    "ns3",
+    "ns4",
+    "template1",
+]
+
+result = subprocess.run(["nix", "flake", "show", "--json"], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
+results = json.loads(result.stdout)
+
+configs = results.get("nixosConfigurations")
+hosts = [x for x in configs.keys() if x not in IGNORED_HOSTS]
+
+output = {
+    "all": {
+        "hosts": hosts,
+        "vars": {
+            "ansible_python_interpreter": "/run/current-system/sw/bin/python3"
+        },
+    }
+}
+
+print(json.dumps(output))

playbooks/build-and-deploy-template.yml

@@ -0,0 +1,101 @@
+---
+- name: Build and deploy NixOS Proxmox template
+  hosts: localhost
+  gather_facts: false
+
+  vars:
+    template_name: "template2"
+    nixos_config: "template2"
+    proxmox_node: "pve1.home.2rjus.net"  # Change to your Proxmox node name
+    proxmox_host: "pve1.home.2rjus.net"  # Change to your Proxmox host
+    template_vmid: 9000  # Template VM ID
+    storage: "local-zfs"
+
+  tasks:
+    - name: Build NixOS image
+      ansible.builtin.command:
+        cmd: "nixos-rebuild build-image --image-variant proxmox --flake .#template2"
+        chdir: "{{ playbook_dir }}/.."
+      register: build_result
+      changed_when: true
+
+    - name: Find built image file
+      ansible.builtin.find:
+        paths: "{{ playbook_dir}}/../result"
+        patterns: "*.vma.zst"
+        recurse: true
+      register: image_files
+
+    - name: Fail if no image found
+      ansible.builtin.fail:
+        msg: "No QCOW2 image found in build output"
+      when: image_files.matched == 0
+
+    - name: Set image path
+      ansible.builtin.set_fact:
+        image_path: "{{ image_files.files[0].path }}"
+
+    - name: Extract image filename
+      ansible.builtin.set_fact:
+        image_filename: "{{ image_path | basename }}"
+
+    - name: Display image info
+      ansible.builtin.debug:
+        msg: "Built image: {{ image_path }} ({{ image_filename }})"
+
+- name: Deploy template to Proxmox
+  hosts: proxmox
+  gather_facts: false
+
+  vars:
+    template_name: "template2"
+    template_vmid: 9000
+    storage: "local-zfs"
+
+  tasks:
+    - name: Get image path and filename from localhost
+      ansible.builtin.set_fact:
+        image_path: "{{ hostvars['localhost']['image_path'] }}"
+        image_filename: "{{ hostvars['localhost']['image_filename'] }}"
+
+    - name: Set destination path
+      ansible.builtin.set_fact:
+        image_dest: "/var/lib/vz/dump/{{ image_filename }}"
+
+    - name: Copy image to Proxmox
+      ansible.builtin.copy:
+        src: "{{ image_path }}"
+        dest: "{{ image_dest }}"
+        mode: '0644'
+
+    - name: Check if template VM already exists
+      ansible.builtin.command:
+        cmd: "qm status {{ template_vmid }}"
+      register: vm_status
+      failed_when: false
+      changed_when: false
+
+    - name: Destroy existing template VM if it exists
+      ansible.builtin.command:
+        cmd: "qm destroy {{ template_vmid }} --purge"
+      when: vm_status.rc == 0
+      changed_when: true
+
+    - name: Import image
+      ansible.builtin.command:
+        cmd: "qmrestore {{ image_dest }} {{ template_vmid }}"
+      changed_when: true
+
+    - name: Convert VM to template
+      ansible.builtin.command:
+        cmd: "qm template {{ template_vmid }}"
+      changed_when: true
+
+    - name: Clean up uploaded image
+      ansible.builtin.file:
+        path: "{{ image_dest }}"
+        state: absent
+
+    - name: Display success message
+      ansible.builtin.debug:
+        msg: "Template VM {{ template_vmid }} created successfully on {{ storage }}"

playbooks/inventory.ini

@@ -0,0 +1,5 @@
+[proxmox]
+pve1.home.2rjus.net
+
+[proxmox:vars]
+ansible_user=root

playbooks/run-upgrade.yml

@@ -0,0 +1,9 @@
+---
+- name: Trigger nixos-upgrade job on all hosts
+  hosts: all
+  remote_user: root
+
+  tasks:
+    - ansible.builtin.systemd_service:
+        name: nixos-upgrade.service
+        state: started

rebuild-all.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# array of hosts
+HOSTS=(
+    "ns1"
+    "ns2"
+    "ca"
+    "ha1"
+    "http-proxy"
+    "jelly01"
+    "monitoring01"
+    "nix-cache01"
+    "pgdb1"
+)
+
+for host in "${HOSTS[@]}"; do
+    echo "Rebuilding $host"
+    nixos-rebuild boot --flake .#${host} --target-host root@${host}
+done

scripts/create-host/MANIFEST.in

@@ -0,0 +1 @@
+recursive-include templates *.j2

scripts/create-host/README.md

@@ -0,0 +1,268 @@
+# NixOS Host Configuration Generator
+
+Automated tool for generating NixOS host configurations, flake.nix entries, and Terraform VM definitions for homelab infrastructure.
+
+## Installation
+
+The tool is available in the Nix development shell:
+
+```bash
+nix develop
+```
+
+## Usage
+
+### Basic Usage
+
+Create a new host with DHCP networking:
+
+```bash
+python -m scripts.create_host.create_host create --hostname test01
+```
+
+Create a new host with static IP:
+
+```bash
+python -m scripts.create_host.create_host create \
+  --hostname test01 \
+  --ip 10.69.13.50/24
+```
+
+Create a host with custom resources:
+
+```bash
+python -m scripts.create_host.create_host create \
+  --hostname bighost01 \
+  --ip 10.69.13.51/24 \
+  --cpu 8 \
+  --memory 8192 \
+  --disk 100G
+```
+
+### Dry Run Mode
+
+Preview what would be created without making changes:
+
+```bash
+python -m scripts.create_host.create_host create \
+  --hostname test01 \
+  --ip 10.69.13.50/24 \
+  --dry-run
+```
+
+### Force Mode (Regenerate Existing Configuration)
+
+Overwrite an existing host configuration (useful for testing):
+
+```bash
+python -m scripts.create_host.create_host create \
+  --hostname test01 \
+  --ip 10.69.13.50/24 \
+  --force
+```
+
+This mode:
+- Skips hostname and IP uniqueness validation
+- Overwrites files in `hosts/<hostname>/`
+- Updates existing entries in `flake.nix` and `terraform/vms.tf` (doesn't duplicate)
+- Useful for iterating on configuration templates during testing
+
+### Options
+
+- `--hostname` (required): Hostname for the new host
+  - Must be lowercase alphanumeric with hyphens
+  - Must be unique (not already exist in repository)
+
+- `--ip` (optional): Static IP address with CIDR notation
+  - Format: `10.69.13.X/24`
+  - Must be in `10.69.13.0/24` subnet
+  - Last octet must be 1-254
+  - Omit this option for DHCP configuration
+
+- `--cpu` (optional, default: 2): Number of CPU cores
+  - Must be at least 1
+
+- `--memory` (optional, default: 2048): Memory in MB
+  - Must be at least 512
+
+- `--disk` (optional, default: "20G"): Disk size
+  - Examples: "20G", "50G", "100G"
+
+- `--dry-run` (flag): Preview changes without creating files
+
+- `--force` (flag): Overwrite existing host configuration
+  - Skips uniqueness validation
+  - Updates existing entries instead of creating duplicates
+
+## What It Does
+
+The tool performs the following actions:
+
+1. **Validates** the configuration:
+   - Hostname format (RFC 1123 compliance)
+   - Hostname uniqueness
+   - IP address format and subnet (if provided)
+   - IP address uniqueness (if provided)
+
+2. **Generates** host configuration files:
+   - `hosts/<hostname>/default.nix` - Import wrapper
+   - `hosts/<hostname>/configuration.nix` - Full host configuration
+
+3. **Updates** repository files:
+   - `flake.nix` - Adds new nixosConfigurations entry
+   - `terraform/vms.tf` - Adds new VM definition
+
+4. **Displays** next steps for:
+   - Reviewing changes with git diff
+   - Verifying NixOS configuration
+   - Verifying Terraform configuration
+   - Committing changes
+   - Deploying the VM
+
+## Generated Configuration
+
+### Host Features
+
+All generated hosts include:
+
+- Full system imports from `../../system`:
+  - Nix binary cache integration
+  - SSH with root login
+  - SOPS secrets management
+  - Internal ACME CA integration
+  - Daily auto-upgrades with auto-reboot
+  - Prometheus node-exporter
+  - Promtail logging to monitoring01
+
+- VM guest agent from `../../common/vm`
+- Hardware configuration from `../template/hardware-configuration.nix`
+
+### Networking
+
+**Static IP mode** (when `--ip` is provided):
+```nix
+systemd.network.networks."ens18" = {
+  matchConfig.Name = "ens18";
+  address = [ "10.69.13.50/24" ];
+  routes = [ { Gateway = "10.69.13.1"; } ];
+  linkConfig.RequiredForOnline = "routable";
+};
+```
+
+**DHCP mode** (when `--ip` is omitted):
+```nix
+systemd.network.networks."ens18" = {
+  matchConfig.Name = "ens18";
+  networkConfig.DHCP = "ipv4";
+  linkConfig.RequiredForOnline = "routable";
+};
+```
+
+### DNS Configuration
+
+All hosts are configured with:
+- DNS servers: `10.69.13.5`, `10.69.13.6` (ns1, ns2)
+- Domain: `home.2rjus.net`
+
+## Examples
+
+### Create a test VM with defaults
+
+```bash
+python -m scripts.create_host.create_host create --hostname test99
+```
+
+This creates a DHCP VM with 2 CPU cores, 2048 MB memory, and 20G disk.
+
+### Create a database server with static IP
+
+```bash
+python -m scripts.create_host.create_host create \
+  --hostname pgdb2 \
+  --ip 10.69.13.52/24 \
+  --cpu 4 \
+  --memory 4096 \
+  --disk 50G
+```
+
+### Preview changes before creating
+
+```bash
+python -m scripts.create_host.create_host create \
+  --hostname test99 \
+  --ip 10.69.13.99/24 \
+  --dry-run
+```
+
+## Error Handling
+
+The tool validates input and provides clear error messages for:
+
+- Invalid hostname format (must be lowercase alphanumeric with hyphens)
+- Duplicate hostname (already exists in repository)
+- Invalid IP format (must be X.X.X.X/24)
+- Wrong subnet (must be 10.69.13.0/24)
+- Invalid last octet (must be 1-254)
+- Duplicate IP address (already in use)
+- Resource constraints (CPU < 1, memory < 512 MB)
+
+## Integration with Deployment Pipeline
+
+This tool implements **Phase 2** of the automated deployment pipeline:
+
+1. **Phase 1**: Template building ✓ (build-and-deploy-template.yml)
+2. **Phase 2**: Host configuration generation ✓ (this tool)
+3. **Phase 3**: Bootstrap automation (planned)
+4. **Phase 4**: Secrets management (planned)
+5. **Phase 5**: DNS automation (planned)
+6. **Phase 6**: Full integration (planned)
+
+## Development
+
+### Project Structure
+
+```
+scripts/create-host/
+├── create_host.py          # Main CLI entry point (typer app)
+├── __init__.py            # Package initialization
+├── validators.py          # Validation logic
+├── generators.py          # File generation using Jinja2
+├── manipulators.py        # Text manipulation for flake.nix and vms.tf
+├── models.py              # Data models (HostConfig)
+├── templates/
+│   ├── default.nix.j2     # Template for default.nix
+│   └── configuration.nix.j2  # Template for configuration.nix
+└── README.md              # This file
+```
+
+### Testing
+
+Run the test cases from the implementation plan:
+
+```bash
+# Test 1: DHCP host with defaults
+python -m scripts.create_host.create_host create --hostname testdhcp --dry-run
+
+# Test 2: Static IP host
+python -m scripts.create_host.create_host create \
+  --hostname test50 --ip 10.69.13.50/24 --dry-run
+
+# Test 3: Custom resources
+python -m scripts.create_host.create_host create \
+  --hostname test51 --ip 10.69.13.51/24 \
+  --cpu 8 --memory 8192 --disk 100G --dry-run
+
+# Test 4: Duplicate hostname (should error)
+python -m scripts.create_host.create_host create --hostname ns1 --dry-run
+
+# Test 5: Invalid subnet (should error)
+python -m scripts.create_host.create_host create \
+  --hostname testbad --ip 192.168.1.50/24 --dry-run
+
+# Test 6: Invalid hostname (should error)
+python -m scripts.create_host.create_host create --hostname Test_Host --dry-run
+```
+
+## License
+
+Part of the nixos-servers homelab infrastructure repository.

scripts/create-host/__init__.py

@@ -0,0 +1,3 @@
+"""NixOS host configuration generator for homelab infrastructure."""
+
+__version__ = "0.1.0"

scripts/create-host/__main__.py

@@ -0,0 +1,6 @@
+"""Entry point for running the create-host module."""
+
+from .create_host import app
+
+if __name__ == "__main__":
+    app()

scripts/create-host/create_host.py

@@ -0,0 +1,197 @@
+"""CLI tool for generating NixOS host configurations."""
+
+import sys
+from pathlib import Path
+from typing import Optional
+
+import typer
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+
+from generators import generate_host_files
+from manipulators import update_flake_nix, update_terraform_vms
+from models import HostConfig
+from validators import (
+    validate_hostname_format,
+    validate_hostname_unique,
+    validate_ip_subnet,
+    validate_ip_unique,
+)
+
+app = typer.Typer(
+    name="create-host",
+    help="Generate NixOS host configurations for homelab infrastructure",
+    add_completion=False,
+)
+console = Console()
+
+
+def get_repo_root() -> Path:
+    """Get the repository root directory."""
+    # Use current working directory as repo root
+    # The tool should be run from the repository root
+    return Path.cwd()
+
+
+@app.callback(invoke_without_command=True)
+def main(
+    ctx: typer.Context,
+    hostname: Optional[str] = typer.Option(None, "--hostname", help="Hostname for the new host"),
+    ip: Optional[str] = typer.Option(
+        None, "--ip", help="Static IP address with CIDR (e.g., 10.69.13.50/24). Omit for DHCP."
+    ),
+    cpu: int = typer.Option(2, "--cpu", help="Number of CPU cores"),
+    memory: int = typer.Option(2048, "--memory", help="Memory in MB"),
+    disk: str = typer.Option("20G", "--disk", help="Disk size (e.g., 20G, 50G, 100G)"),
+    dry_run: bool = typer.Option(False, "--dry-run", help="Preview changes without creating files"),
+    force: bool = typer.Option(False, "--force", help="Overwrite existing host configuration"),
+) -> None:
+    """
+    Create a new NixOS host configuration.
+
+    Generates host configuration files, updates flake.nix, and adds Terraform VM definition.
+    """
+    # Show help if no hostname provided
+    if hostname is None:
+        console.print("[bold red]Error:[/bold red] --hostname is required\n")
+        ctx.get_help()
+        sys.exit(1)
+
+    try:
+        # Build configuration
+        config = HostConfig(
+            hostname=hostname,
+            ip=ip,
+            cpu=cpu,
+            memory=memory,
+            disk=disk,
+        )
+
+        # Get repository root
+        repo_root = get_repo_root()
+
+        # Validate configuration
+        console.print("\n[bold blue]Validating configuration...[/bold blue]")
+
+        config.validate()
+        validate_hostname_format(hostname)
+
+        # Skip uniqueness checks in force mode
+        if not force:
+            validate_hostname_unique(hostname, repo_root)
+            if ip:
+                validate_ip_unique(ip, repo_root)
+        else:
+            # Check if we're actually overwriting something
+            host_dir = repo_root / "hosts" / hostname
+            if host_dir.exists():
+                console.print(f"[yellow]⚠[/yellow]  Updating existing host configuration for {hostname}")
+
+        if ip:
+            validate_ip_subnet(ip)
+
+        console.print("[green]✓[/green] All validations passed\n")
+
+        # Display configuration summary
+        display_config_summary(config)
+
+        # Dry run mode - exit before making changes
+        if dry_run:
+            console.print("\n[yellow]DRY RUN MODE - No files will be created[/yellow]\n")
+            display_dry_run_summary(config, repo_root)
+            return
+
+        # Generate files
+        console.print("\n[bold blue]Generating host configuration...[/bold blue]")
+
+        generate_host_files(config, repo_root)
+        action = "Updated" if force else "Created"
+        console.print(f"[green]✓[/green] {action} hosts/{hostname}/default.nix")
+        console.print(f"[green]✓[/green] {action} hosts/{hostname}/configuration.nix")
+
+        update_flake_nix(config, repo_root, force=force)
+        console.print("[green]✓[/green] Updated flake.nix")
+
+        update_terraform_vms(config, repo_root, force=force)
+        console.print("[green]✓[/green] Updated terraform/vms.tf")
+
+        # Success message
+        console.print("\n[bold green]✓ Host configuration generated successfully![/bold green]\n")
+
+        # Display next steps
+        display_next_steps(hostname)
+
+    except ValueError as e:
+        console.print(f"\n[bold red]Error:[/bold red] {e}\n", style="red")
+        sys.exit(1)
+    except Exception as e:
+        console.print(f"\n[bold red]Unexpected error:[/bold red] {e}\n", style="red")
+        sys.exit(1)
+
+
+def display_config_summary(config: HostConfig) -> None:
+    """Display configuration summary table."""
+    table = Table(title="Host Configuration", show_header=False)
+    table.add_column("Property", style="cyan")
+    table.add_column("Value", style="white")
+
+    table.add_row("Hostname", config.hostname)
+    table.add_row("Domain", config.domain)
+    table.add_row("Network Mode", "Static IP" if config.is_static_ip else "DHCP")
+
+    if config.is_static_ip:
+        table.add_row("IP Address", config.ip)
+        table.add_row("Gateway", config.gateway)
+
+    table.add_row("DNS Servers", ", ".join(config.nameservers))
+    table.add_row("CPU Cores", str(config.cpu))
+    table.add_row("Memory", f"{config.memory} MB")
+    table.add_row("Disk Size", config.disk)
+    table.add_row("State Version", config.state_version)
+
+    console.print(table)
+
+
+def display_dry_run_summary(config: HostConfig, repo_root: Path) -> None:
+    """Display what would be created in dry run mode."""
+    console.print("[bold]Files that would be created:[/bold]")
+    console.print(f"  • {repo_root}/hosts/{config.hostname}/default.nix")
+    console.print(f"  • {repo_root}/hosts/{config.hostname}/configuration.nix")
+
+    console.print("\n[bold]Files that would be modified:[/bold]")
+    console.print(f"  • {repo_root}/flake.nix (add nixosConfigurations.{config.hostname})")
+    console.print(f"  • {repo_root}/terraform/vms.tf (add VM definition)")
+
+
+def display_next_steps(hostname: str) -> None:
+    """Display next steps after successful generation."""
+    next_steps = f"""[bold cyan]Next Steps:[/bold cyan]
+
+1. Review changes:
+   [white]git diff[/white]
+
+2. Verify NixOS configuration:
+   [white]nix flake check
+   nix build .#nixosConfigurations.{hostname}.config.system.build.toplevel[/white]
+
+3. Verify Terraform configuration:
+   [white]cd terraform
+   tofu validate
+   tofu plan[/white]
+
+4. Commit changes:
+   [white]git add hosts/{hostname} flake.nix terraform/vms.tf
+   git commit -m "hosts: add {hostname} configuration"[/white]
+
+5. Deploy VM (after merging to master):
+   [white]cd terraform
+   tofu apply[/white]
+
+6. Bootstrap the host (see Phase 3 of deployment pipeline)
+"""
+    console.print(Panel(next_steps, border_style="cyan"))
+
+
+if __name__ == "__main__":
+    app()

scripts/create-host/default.nix

@@ -0,0 +1,38 @@
+{ lib
+, python3
+, python3Packages
+}:
+
+python3Packages.buildPythonApplication {
+  pname = "create-host";
+  version = "0.1.0";
+
+  src = ./.;
+
+  pyproject = true;
+
+  build-system = with python3Packages; [
+    setuptools
+  ];
+
+  propagatedBuildInputs = with python3Packages; [
+    typer
+    jinja2
+    rich
+  ];
+
+  # Install templates to share directory
+  postInstall = ''
+    mkdir -p $out/share/create-host
+    cp -r templates $out/share/create-host/
+  '';
+
+  # No tests yet
+  doCheck = false;
+
+  meta = with lib; {
+    description = "NixOS host configuration generator for homelab infrastructure";
+    license = licenses.mit;
+    maintainers = [ ];
+  };
+}

scripts/create-host/generators.py

@@ -0,0 +1,88 @@
+"""File generation using Jinja2 templates."""
+
+import sys
+from pathlib import Path
+
+from jinja2 import Environment, BaseLoader, TemplateNotFound
+
+from models import HostConfig
+
+
+class PackageTemplateLoader(BaseLoader):
+    """Custom Jinja2 loader that works with both dev and installed packages."""
+
+    def __init__(self):
+        # Try to find templates in multiple locations
+        self.template_dirs = []
+
+        # Location 1: Development (scripts/create-host/templates)
+        dev_dir = Path(__file__).parent / "templates"
+        if dev_dir.exists():
+            self.template_dirs.append(dev_dir)
+
+        # Location 2: Installed via Nix (../share/create-host/templates from bin dir)
+        # When installed via Nix, __file__ is in lib/python3.X/site-packages/
+        # and templates are in ../../../share/create-host/templates
+        for site_path in sys.path:
+            site_dir = Path(site_path)
+            # Try to find the Nix store path
+            if "site-packages" in str(site_dir):
+                # Go up to the package root (e.g., /nix/store/xxx-create-host-0.1.0)
+                pkg_root = site_dir.parent.parent.parent
+                share_templates = pkg_root / "share" / "create-host" / "templates"
+                if share_templates.exists():
+                    self.template_dirs.append(share_templates)
+
+        # Location 3: Fallback - sys.path templates
+        for site_path in sys.path:
+            site_templates = Path(site_path) / "templates"
+            if site_templates.exists():
+                self.template_dirs.append(site_templates)
+
+    def get_source(self, environment, template):
+        for template_dir in self.template_dirs:
+            template_path = template_dir / template
+            if template_path.exists():
+                mtime = template_path.stat().st_mtime
+                source = template_path.read_text()
+                return source, str(template_path), lambda: mtime == template_path.stat().st_mtime
+
+        raise TemplateNotFound(template)
+
+
+def generate_host_files(config: HostConfig, repo_root: Path) -> None:
+    """
+    Generate host configuration files from templates.
+
+    Args:
+        config: Host configuration
+        repo_root: Path to repository root
+    """
+    # Setup Jinja2 environment with custom loader
+    env = Environment(
+        loader=PackageTemplateLoader(),
+        trim_blocks=True,
+        lstrip_blocks=True,
+    )
+
+    # Create host directory
+    host_dir = repo_root / "hosts" / config.hostname
+    host_dir.mkdir(parents=True, exist_ok=True)
+
+    # Generate default.nix
+    default_template = env.get_template("default.nix.j2")
+    default_content = default_template.render(hostname=config.hostname)
+    (host_dir / "default.nix").write_text(default_content)
+
+    # Generate configuration.nix
+    config_template = env.get_template("configuration.nix.j2")
+    config_content = config_template.render(
+        hostname=config.hostname,
+        domain=config.domain,
+        nameservers=config.nameservers,
+        is_static_ip=config.is_static_ip,
+        ip=config.ip,
+        gateway=config.gateway,
+        state_version=config.state_version,
+    )
+    (host_dir / "configuration.nix").write_text(config_content)

scripts/create-host/manipulators.py

@@ -0,0 +1,124 @@
+"""Text manipulation for flake.nix and Terraform files."""
+
+import re
+from pathlib import Path
+
+from models import HostConfig
+
+
+def update_flake_nix(config: HostConfig, repo_root: Path, force: bool = False) -> None:
+    """
+    Add or update host entry in flake.nix nixosConfigurations.
+
+    Args:
+        config: Host configuration
+        repo_root: Path to repository root
+        force: If True, replace existing entry; if False, insert new entry
+    """
+    flake_path = repo_root / "flake.nix"
+    content = flake_path.read_text()
+
+    # Create new entry
+    new_entry = f"""      {config.hostname} = nixpkgs.lib.nixosSystem {{
+        inherit system;
+        specialArgs = {{
+          inherit inputs self sops-nix;
+        }};
+        modules = [
+          (
+            {{ config, pkgs, ... }}:
+            {{
+              nixpkgs.overlays = commonOverlays;
+            }}
+          )
+          ./hosts/{config.hostname}
+          sops-nix.nixosModules.sops
+        ];
+      }};
+"""
+
+    # Check if hostname already exists
+    hostname_pattern = rf"^      {re.escape(config.hostname)} = nixpkgs\.lib\.nixosSystem"
+    existing_match = re.search(hostname_pattern, content, re.MULTILINE)
+
+    if existing_match and force:
+        # Replace existing entry
+        # Match the entire block from "hostname = " to "};"
+        replace_pattern = rf"^      {re.escape(config.hostname)} = nixpkgs\.lib\.nixosSystem \{{.*?^      \}};\n"
+        new_content, count = re.subn(replace_pattern, new_entry, content, flags=re.MULTILINE | re.DOTALL)
+
+        if count == 0:
+            raise ValueError(f"Could not find existing entry for {config.hostname} in flake.nix")
+    else:
+        # Insert new entry before closing brace of nixosConfigurations
+        # Pattern: "      };\n      packages = forAllSystems"
+        pattern = r"(      \};)\n(      packages = forAllSystems)"
+        replacement = rf"{new_entry}\g<1>\n\g<2>"
+
+        new_content, count = re.subn(pattern, replacement, content)
+
+        if count == 0:
+            raise ValueError(
+                "Could not find insertion point in flake.nix. "
+                "Looking for pattern: '      };\\n      packages = forAllSystems'"
+            )
+
+    flake_path.write_text(new_content)
+
+
+def update_terraform_vms(config: HostConfig, repo_root: Path, force: bool = False) -> None:
+    """
+    Add or update VM entry in terraform/vms.tf locals.vms map.
+
+    Args:
+        config: Host configuration
+        repo_root: Path to repository root
+        force: If True, replace existing entry; if False, insert new entry
+    """
+    terraform_path = repo_root / "terraform" / "vms.tf"
+    content = terraform_path.read_text()
+
+    # Create new entry based on whether we have static IP or DHCP
+    if config.is_static_ip:
+        new_entry = f'''    "{config.hostname}" = {{
+      ip        = "{config.ip}"
+      cpu_cores = {config.cpu}
+      memory    = {config.memory}
+      disk_size = "{config.disk}"
+    }}
+'''
+    else:
+        new_entry = f'''    "{config.hostname}" = {{
+      cpu_cores = {config.cpu}
+      memory    = {config.memory}
+      disk_size = "{config.disk}"
+    }}
+'''
+
+    # Check if hostname already exists
+    hostname_pattern = rf'^\s+"{re.escape(config.hostname)}" = \{{'
+    existing_match = re.search(hostname_pattern, content, re.MULTILINE)
+
+    if existing_match and force:
+        # Replace existing entry
+        # Match the entire block from "hostname" = { to }
+        replace_pattern = rf'^\s+"{re.escape(config.hostname)}" = \{{.*?^\s+\}}\n'
+        new_content, count = re.subn(replace_pattern, new_entry, content, flags=re.MULTILINE | re.DOTALL)
+
+        if count == 0:
+            raise ValueError(f"Could not find existing entry for {config.hostname} in terraform/vms.tf")
+    else:
+        # Insert new entry before closing brace
+        # Pattern: "  }\n\n  # Compute VM configurations"
+        pattern = r"(  \})\n\n(  # Compute VM configurations)"
+        replacement = rf"{new_entry}\g<1>\n\n\g<2>"
+
+        new_content, count = re.subn(pattern, replacement, content)
+
+        if count == 0:
+            raise ValueError(
+                "Could not find insertion point in terraform/vms.tf. "
+                "Looking for pattern: '  }\\n\\n  # Compute VM configurations'"
+            )
+
+    terraform_path.write_text(new_content)

scripts/create-host/models.py

@@ -0,0 +1,54 @@
+"""Data models for host configuration."""
+
+from dataclasses import dataclass
+from typing import Optional
+
+
+@dataclass
+class HostConfig:
+    """Configuration for a new NixOS host."""
+
+    hostname: str
+    ip: Optional[str] = None
+    cpu: int = 2
+    memory: int = 2048
+    disk: str = "20G"
+
+    @property
+    def is_static_ip(self) -> bool:
+        """Check if host uses static IP configuration."""
+        return self.ip is not None
+
+    @property
+    def gateway(self) -> str:
+        """Default gateway for the network."""
+        return "10.69.13.1"
+
+    @property
+    def nameservers(self) -> list[str]:
+        """DNS nameservers for the network."""
+        return ["10.69.13.5", "10.69.13.6"]
+
+    @property
+    def domain(self) -> str:
+        """Domain name for the network."""
+        return "home.2rjus.net"
+
+    @property
+    def state_version(self) -> str:
+        """NixOS state version for new hosts."""
+        return "25.11"
+
+    def validate(self) -> None:
+        """Validate configuration constraints."""
+        if not self.hostname:
+            raise ValueError("Hostname cannot be empty")
+
+        if self.cpu < 1:
+            raise ValueError("CPU cores must be at least 1")
+
+        if self.memory < 512:
+            raise ValueError("Memory must be at least 512 MB")
+
+        if not self.disk:
+            raise ValueError("Disk size cannot be empty")

scripts/create-host/setup.py

@@ -0,0 +1,33 @@
+from setuptools import setup
+from pathlib import Path
+
+# Read templates
+templates = [str(p.relative_to(".")) for p in Path("templates").glob("*.j2")]
+
+setup(
+    name="create-host",
+    version="0.1.0",
+    description="NixOS host configuration generator for homelab infrastructure",
+    py_modules=[
+        "create_host",
+        "models",
+        "validators",
+        "generators",
+        "manipulators",
+    ],
+    include_package_data=True,
+    data_files=[
+        ("templates", templates),
+    ],
+    install_requires=[
+        "typer",
+        "jinja2",
+        "rich",
+    ],
+    entry_points={
+        "console_scripts": [
+            "create-host=create_host:app",
+        ],
+    },
+    python_requires=">=3.9",
+)

scripts/create-host/templates/configuration.nix.j2

@@ -0,0 +1,66 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template2/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+
+  networking.hostName = "{{ hostname }}";
+  networking.domain = "{{ domain }}";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+{% for ns in nameservers %}
+    "{{ ns }}"
+{% endfor %}
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+{% if is_static_ip %}
+    address = [
+      "{{ ip }}"
+    ];
+    routes = [
+      { Gateway = "{{ gateway }}"; }
+    ];
+{% else %}
+    networkConfig.DHCP = "ipv4";
+{% endif %}
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "{{ state_version }}"; # Did you read the comment?
+}

scripts/create-host/templates/default.nix.j2

@@ -0,0 +1,5 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+  ];
+}

scripts/create-host/validators.py

@@ -0,0 +1,159 @@
+"""Validation functions for host configuration."""
+
+import re
+from pathlib import Path
+from typing import Optional
+
+
+def validate_hostname_format(hostname: str) -> None:
+    """
+    Validate hostname format according to RFC 1123.
+
+    Args:
+        hostname: Hostname to validate
+
+    Raises:
+        ValueError: If hostname format is invalid
+    """
+    # RFC 1123: lowercase, alphanumeric, hyphens, max 63 chars
+    pattern = r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$"
+
+    if not re.match(pattern, hostname):
+        raise ValueError(
+            f"Invalid hostname '{hostname}'. "
+            "Must be lowercase alphanumeric with hyphens, "
+            "start and end with alphanumeric, max 63 characters."
+        )
+
+
+def validate_hostname_unique(hostname: str, repo_root: Path) -> None:
+    """
+    Validate that hostname is unique in the repository.
+
+    Args:
+        hostname: Hostname to check
+        repo_root: Path to repository root
+
+    Raises:
+        ValueError: If hostname already exists
+    """
+    # Check if host directory exists
+    host_dir = repo_root / "hosts" / hostname
+    if host_dir.exists():
+        raise ValueError(f"Host directory already exists: {host_dir}")
+
+    # Check if hostname exists in flake.nix
+    flake_path = repo_root / "flake.nix"
+    if flake_path.exists():
+        flake_content = flake_path.read_text()
+        # Look for pattern like "      hostname = "
+        hostname_pattern = rf'^\s+{re.escape(hostname)}\s*='
+        if re.search(hostname_pattern, flake_content, re.MULTILINE):
+            raise ValueError(f"Hostname '{hostname}' already exists in flake.nix")
+
+
+def validate_ip_format(ip: str) -> None:
+    """
+    Validate IP address format with CIDR notation.
+
+    Args:
+        ip: IP address with CIDR (e.g., "10.69.13.50/24")
+
+    Raises:
+        ValueError: If IP format is invalid
+    """
+    if not ip:
+        return
+
+    # Check CIDR notation
+    if "/" not in ip:
+        raise ValueError(f"IP address must include CIDR notation (e.g., {ip}/24)")
+
+    ip_part, cidr_part = ip.rsplit("/", 1)
+
+    # Validate CIDR is /24
+    if cidr_part != "24":
+        raise ValueError(f"CIDR notation must be /24, got /{cidr_part}")
+
+    # Validate IP format
+    octets = ip_part.split(".")
+    if len(octets) != 4:
+        raise ValueError(f"Invalid IP address format: {ip_part}")
+
+    try:
+        octet_values = [int(octet) for octet in octets]
+    except ValueError:
+        raise ValueError(f"Invalid IP address format: {ip_part}")
+
+    # Check each octet is 0-255
+    for i, value in enumerate(octet_values):
+        if not 0 <= value <= 255:
+            raise ValueError(f"Invalid octet value {value} in IP address")
+
+    # Check last octet is 1-254
+    if not 1 <= octet_values[3] <= 254:
+        raise ValueError(
+            f"Last octet must be 1-254, got {octet_values[3]}"
+        )
+
+
+def validate_ip_subnet(ip: str) -> None:
+    """
+    Validate that IP address is in the correct subnet (10.69.13.0/24).
+
+    Args:
+        ip: IP address with CIDR (e.g., "10.69.13.50/24")
+
+    Raises:
+        ValueError: If IP is not in correct subnet
+    """
+    if not ip:
+        return
+
+    validate_ip_format(ip)
+
+    ip_part = ip.split("/")[0]
+    octets = ip_part.split(".")
+
+    # Check subnet is 10.69.13.x
+    if octets[:3] != ["10", "69", "13"]:
+        raise ValueError(
+            f"IP address must be in 10.69.13.0/24 subnet, got {ip_part}"
+        )
+
+
+def validate_ip_unique(ip: Optional[str], repo_root: Path) -> None:
+    """
+    Validate that IP address is not already in use.
+
+    Args:
+        ip: IP address with CIDR to check (None for DHCP)
+        repo_root: Path to repository root
+
+    Raises:
+        ValueError: If IP is already in use
+    """
+    if not ip:
+        return  # DHCP mode, no uniqueness check needed
+
+    # Extract just the IP part without CIDR for searching
+    ip_part = ip.split("/")[0]
+
+    # Check all hosts/*/configuration.nix files
+    hosts_dir = repo_root / "hosts"
+    if hosts_dir.exists():
+        for config_file in hosts_dir.glob("*/configuration.nix"):
+            content = config_file.read_text()
+            if ip_part in content:
+                raise ValueError(
+                    f"IP address {ip_part} already in use in {config_file}"
+                )
+
+    # Check terraform/vms.tf
+    terraform_file = repo_root / "terraform" / "vms.tf"
+    if terraform_file.exists():
+        content = terraform_file.read_text()
+        if ip_part in content:
+            raise ValueError(
+                f"IP address {ip_part} already in use in {terraform_file}"
+            )

secrets/auth01/secrets.yaml

@@ -0,0 +1,29 @@
+authelia_ldap_password: ENC[AES256_GCM,data:x2UDMpqQKoRVSlDSmK5XiC9x4/WWzmjk7cwtFA70waAD7xYQfXEOV+AeX1LlFfj0qHYrhyn//TLsa+tJzb7HPEAfl8vYR4MdkVFOm5vjPWWoF5Ul8ZVn8+B1VJLbiXkexv0/hfXL8NMzEcp/pF4H0Yei7xaKezu9OPtGzKufHws=,iv:88RXaOj8Zy9fGeDLAE0ItY7TKCCzxn6F0+kU5+Zy/XU=,tag:yPdCJ9d139iO6J97thVVgA==,type:str]
+authelia_jwt_secret: ENC[AES256_GCM,data:9ZHkT2o5KZLmml95g8HZce8fNBmaWtRn+175Gaz0KhsndNl3zdgGq3hydRuoZuEgLVsherJImVmb5DQAZpv04lUEsDKCYeFNwAyYl4Go2jCp1fI53fdcRCKlNVZA37pMi4AYaCoe8vIl/cwPOOBDEwK5raOBnklCzVERoO0B8a0=,iv:9CTWCw0ImZR0OSrl2znbhpRHlzAxA5Cpcy98JeH9Z+Y=,tag:L+0xKqiwXTi7XiDYWA1Bcw==,type:str]
+authelia_storage_encryption_key_file: ENC[AES256_GCM,data:RfbcQK8+rrW/Krd2rbDfgo7YI2YvQKqpLuDtk5DZJNNhw4giBh5nFp/8LNeo8r39/oiJLYTe6FjTLBu72TZz2wWrJFsBqjwQ/3TfATQGdLUsaXXRDr88ezHLTiYvEHIHJhUS5qsr7VMwBam5e7YGWBe5sGZCE/nX41ijyPUjtOY=,iv:sayYcAC38cApAtL+cDhgGNjWaHn+furKRowKL6AmfdU=,tag:1IZpnlpvDWGLLpZyU9iJUw==,type:str]
+authelia_session_secret: ENC[AES256_GCM,data:4PaLv4RRA7/9Z8QzETXLwo3OctJ0mvzQkYmHsGGF97nq9QeB3eo0xj4FyuCbkJGGZ/huAyRgmFBTyscY3wgxoc4t+8BdlYcSbefEk1/xRFjmG8ooXLKhvGJ5c6t72KJRcqsEGTiC0l9CFJWQ2qYcjM4dPwG8z0tjUZ6j25Zfx4M=,iv:QORJkf0w6iyuRHM/xuql1s7K75Qa49ygq+lwHfrm9rk=,tag:/HZ/qI80fKjmuTRwIwmX8g==,type:str]
+lldap_user_pass: ENC[AES256_GCM,data:56gF7uqVQ+/J5/lY/N904Q==,iv:qtY1XhHs4WWA4kPY56NigPvX4OslO0koZepgdv947zg=,tag:UDmJs8FPXskp7rUS2Sxinw==,type:str]
+sops:
+    age:
+        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlc1dxK3FKU2ZGWTNGUmxZ
+            aWx1NngySjVHclJTd3hXejJRTmVHRExReHcwCk55c0xMbGcyTktySkJZdHRZbzhK
+            bEI3RzBHQkROTU1qWXBoU1RqTXppdVkKLS0tIHkwZ0QyNTMydWRqUlBtTEdhZ05r
+            YVpuT1JadnlyN1hqNnJxYzVPT3pXN1UKDCeIv0xv+5pcoDdtYc+rYjwi8SLrqWth
+            vdWepxmV2edajZRqcwFEC9weOZ1j2lh7Z3hR6RSN/+X3sFpqkpw+Yg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbU0wNmFLelRmNmJTRlho
+            dTEwVXZqUVI5NHZkb1QyNUZ4R0pLVFZWVDM4CkhVc00zY2FKaVdNRXdGVk1ranpG
+            MlRWWGJmd2FWeFE1dXU4WHVFL0FHZ3MKLS0tIGt2ZWlaOW5wNkJnQVkrTDZWTnY0
+            RW5HRjA3cERCUU1CVWZhck12SGhTRUkK6k/zQ87TIETYouRBby7ujtwgpqIPKKv+
+            2aLJW6lSWMVzL/f3ZrIeg12tJjHs3f44EXR6j3tfLfSKog2iL8Y57w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-06T10:03:56Z"
+    mac: ENC[AES256_GCM,data:SRNqx5n+xg/cNGiyze3CGKufox3IuXmOKLqNRDeJhBNMBHC1iYYCjRdHEVXsl7XSiYe51dSwjV0KrJa/SG1pRVkuyT+xyPrTjT2/DyXN7A/CESSAkBIwI7lkZmIf8DkxB3CELF1PgjIr1o2isxlBnkAnhEBTxQ7t8AzpcH7I5yU=,iv:P3FGQurZrL0ed5UuBPRFk11T0VRFtL6xI4iQ4LmYTec=,tag:8gQL08ojjIMyCl5E0Qs/Ww==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

secrets/ca/keys/intermediate_ca_key

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:TgGIuklFPUSCBosD86NFnkAtRvYijQNQP4vvTkKu3dRAOjdDa2li5djZDUS4NEEPEihpOcMXqHBb+ABk3LmoU5nLmsKCeylUp7+DhcGi9f3xw2h1zbHV37mt40OVLTF3cYufRdydIkCGQA3td3q1ue/wCna2ewe73xwGg5j6ZVJCZAtW4VCNZM+rcG+YxPUC0gmBH59+O0VSrZrkvSnifbr+K0dGwg4i17KwAukI4Ac7YMkQoeuAPXq38+ZftlRx4tq9xBUko6wpPY9zOaFzeagWYMF0n1UYqDt+/3XZI/mukPhJc9tzbWneqgkQBOx3OiDwrNglCHvEpnb+bZePIRLOnNHd1ShETgBqhsHGp9OAwwbAt4tO+HFpCQtVz7s2LWQFLbWiN0SCGzYUkFGCgoXae5H58lxFav8=,iv:UzaWlJ+M+VQx3CcPSGbFZh5/rGbKpS2Rq2XVZAIDFiQ=,tag:F3waoAMuEKTvN2xANReSww==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRGZSVHRSMGlyazAwQU5j\nd1o1L0Y1ckhQMkh4MVZiRmZlR2ozcmdsUW1vCk4xZ1ZibDBrUWZhYmxVVjBUczRn\nYlJtUWF3Y1lHWG56NkhmK2JOUHVGajQKLS0tIDN2S2doQURpTis2U3lWV0NxdWEz\ncjNZaEl1dEQwOXhsNE9xbHhYUzNTV3cKVmVIe05JwgXKSku7AJmrujYXrbBSbpBJ\nnqCuDIhok1w/fiff+XXn8udbgPVq5bC2SOhHbtVxImgBCFzrj5hQ0A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4V3NaUEdvMmJvakQ0L1F0\nUnkvQ2F5dEVlZ2pMdlBZcjJac0tERnF5ZWljCmFrdU1NZ29jMkJ1a1ZLdURmVWI0\ncm1vNytFVzZjbVY2aVd2N3laMWNRNFEKLS0tIGgzOTFZY0lxc0JyVmd5cFBlNkRr\nVDBWc0t4c3pVV3RhSTB1UUVpNHd6NUkKNn6Sxb5oxP7iWqTF1+X9nOiYum3U+Rzk\nkryxVnf9EvQIVIFKDaTb+yAEO8otjqj+C4mHA9fannnNEJduOiPWOg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-30T13:18:08Z",
+		"mac": "ENC[AES256_GCM,data:9R9RJzPMr9Bv8aeCDxhExTfbr+R2hjap6FGSk5QxBdbNpOcNS78ica0CLEmkAYVAfjmx/X2jC5ZnsAueSPUK7nAgNX2gJXbUTpY0F+oKt35GJziLrFLl3u/ahpF9lQ50EL9OqqgS+igDqtodJhKme5DXH5/GXQHhz++O3VZkR78=,iv:XgN3PiowiEosi2DmrjP82HhJMvnwaV530tsBE8GQfjs=,tag:U243BrtH7H/DU9LcjN/MMg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

secrets/ca/keys/root_ca_key

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:5AePh5uXcUseYBGWvlztgmg8mGBGy3ngKRa6+QxOaT0/fzSB1pKkaMtZJo76tV9wwjdL6/b6VVUI7GIaCBD5kgdZuA8RdBTXguHyjjdxAlI9xcrQaWWdATd8JJt+eQp/m2Y+0dioyXKaDV2ukI3GtHYjp/ixMoHHWEocnEEb40wG6c3CZcvsLWJvKTkFc2OvcjcU2RTfuNlYtEETidiD9iC/dtCakNQHmLP1UFYgcn0ebXBKmlqD6+x2o7BVT1SLwVCyGNvH3eKA2AWvddZChnhaNCUIXcRwBFCgS8lPs4iXhAhly+nwuj7ssFpuu3sjm5pq196tRS8WQl2iNUEJ2tzoOpceg1kZZ7KHX3wCbdBlCRqhy9Q4JMvWPDssO+zz2aU21+BDEySDTCnTYX9Hu2/iFvZejt++mKY=,iv:u/Ukye0BAj2ka++AA72W8WfXJAZZ/YJ3RC/aydxdoUc=,tag:ihTP5bCCigWEPcLFaYOhMA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VElDNHArZXlXa2JRQjd0\nQmVIbGpPWk43NDdiTkFtcEd1bDhRdXJWOUY0CndITHdKTFNJQXFOVFdyUGNtQ09k\nN2hnQmFYR0ZORWtxcUN0ZFhsM0U3N2cKLS0tIFh1TTBpMjFIZ2NYM1QxeDRjYlJx\nYkdrUDZmMUpGbjk3REJCVVRpeFk5Z28KJcia0Bk+3ZoifZnRLwqAko526ODPnkSS\nzymtOj/QYTA0++NP3B1aScIyhWITMEZX1iSoWDmgHj8ZQoNMdkM7AQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNlNHRWNEcUZGNXNBMDFR\nTzE5RnNMQUMvU1k2OS9XMlpvUktMRzQ5RmxvCnlCS3lzRVpGUHJLRGZ6SWZ2ZktR\na3l0TVN2NUlRVEQwRHByYkNEMDQyWUkKLS0tIEh3RjBWT3c5K2RWeDRjWFpsU1lP\ncStqY2xta3RSNkR6Vkt5YXhYUTZmbDgKvVKmZc8S/RwurJGsGiJ5LhM4waLO9B9k\n2cawxHmcYM3KfXDFwp9UZWhIwF7SRkG56ZE4OjGI3sOL+74ixnePxA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-30T13:18:16Z",
+		"mac": "ENC[AES256_GCM,data:JwjbQ129cYCBNA5Fb8lN9rW7/y4wuVOqLeajIMcYyCzlBcjzCZAV1DKN5n75xMamb/hb1AUkmtp/K82PKM0Vg5X4/lpWTUZXZOzn/TrwHx+yqlJjL9mUdGuHnSY5DwME38Dde3UxdtUa0CVgQOxvMIycW27w8+8NNfO2zxGxkzc=,iv:ZMZASOsqXZOb0NkBqG3GGaqqKgQdjZLiku2yU5QonB8=,tag:/lb/HMxsYOV5XX/5kWnFHA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

secrets/ca/keys/ssh_host_ca_key

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:vqQ3HwSmuDlI4UwraLWvwkBSj9zTFeNEWI1xzhVrO/gpx8+WBZOt2F0J7/LSTGAWsWW/9Gov+XXXAOtfnKfjYVzizyT/jE8EQwMuItWiFEVA6hohgwtsk7YKJjXdJIxmiv+WKs73gWb0uFVGh1ArMzsVkGPj1W1AKMFAneDPgsfSCy9aVOMuF8zQwypFC8eaxqOQhLpiN2ncRm8e7khwGurSgYfHDgFghaDr8torgUrZTOPNFk+LEdxB3WcC17+4a8ZyuBapmYdRTrP73czTAuxOF8lMwddJhO99SF7nWuOYVF1FOKLGtK04oKci5/xRIzvWo3I0pGajkxtuF5CyWbd1KblcPfBALIU/J5hU/puGJ7M2sE/qsg/4kaTFxnhq32rPZj291jFb4evDdOhVodfC1axOQUbzAC0=,iv:yOeQ384ikqgDqfthl7GIVSIMNA/n0BYTSIqFN3T9MAY=,tag:Y6nhOCrkWx7MnVpEeKN0Jg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTjRMWlNtYVQ2WnJEaGFN\nVFU2TXRTK2FHREpqREhOWHBKemxNc2U4WW44CnV4OWlBdXlFUWhJYi9jTTRuUWJV\nOWFPV2I4UytDRFo3blN3bUtFQ1NGU0kKLS0tIGp2VHlDc1JMMUdDUjlNNDFwUUxj\nVnhHbCtrNVNpZXo0K2dDVU5YTVJJUEkKk9mVTbzQVGZo3RKDLPDwtENknh+in1Q5\njf4DA1cGDDNzcEIWOOYyS+1mzT9WY8gU0hWqihX/bAx7CVsNUallZw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVFNwUGpkOUhkUXFWWERq\nMVdueC9VSE9KbGZkenBVK3NRMjRNVXVmcVRRCjNLa0QzbWVCQks3ZmV3eFVjcEp0\nRmxDSlZIZU1IbEdnbE83WlkxV3VZV1EKLS0tICtsRXArajQ4Um9mNEV5OWZBdS85\nVGFSU2wwODZ3Zm44M3pWcTdDV1dxejQKM2BK5Axb1cF344ea89gkzCLzEX6j4amK\nzxf+boBK7JUX7F6QaPB0sRU8J4Cei9mALz96C8xNHjX00KcD3O2QOA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-30T13:18:20Z",
+		"mac": "ENC[AES256_GCM,data:AllgcWxHnr3igPi/JbfJCbEa6hKtmILnAjiaMojRZNO4p6zYSoF0s8lo9XX05/vIrFUo+YaCtsuacv+kfz9f6vQafPn7Vulbh6PeH1VlAmzyVfJOTmHP3YX8ic3uM56A4+III1jOERCFOIcc/CKsnRLFhLCRQRMgtgT0hTl5aPw=,iv:60dOYhoUTu1HIHzY36eJeRZ66/v6JmRRpIW99W2D+CI=,tag:F7nLSFm933K5M+JE4IvNYw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

secrets/ca/keys/ssh_user_ca_key

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:YRdPrTLQH0xdWiIzOyjfEGpvfmuj6me6GzZZcauh9bUUywyA1ranDnWqbJYgawQQxIXsq9dhXD0uco+7mmXq2598kF1NI9jh6uLf3k0H494zZOalRBv/k8u9oJDLIiVAkg9eNNLbGX0PMZr/Yue/qdkuXx2Hg9E7bQJwpU/NXF+jKKs+3NmKT5NBlegwAzUs530D4DUoaq5AhvVvdC6a1UcE+KJzQ8pRiz1GjFIxAB7qX+GVwa3yNdLgo2tlAbOzjGtaDfJnhZIHSNEq+4TEhjlF9lCmFCGFDUVupvMOWs0kBywJEzIrDmxmvGHlPj3FfyytPb7qhlsOXDDDS67IoiwluKOnw+sALAG0Iv9LMrDZ3z8MXeEGvRWu0VDMuGXN905/9kGx/A40mPjcfnZvI+qSRIKjER5R8aU=,iv:qiP2Ml59AnK24MBbs7N/HqJIylf+fXGqJAo2N8iFNB0=,tag:0Dj5fVs6OB07kvV4qzuvfw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUFlvNmRNYUlJSHZYUkpJ\nMEloQXFSdENIWGJVVDNIOVY5MS9SYWRoL0FrCnRJc05wZUZBSDRvMHNUUEhNRXQ4\nTWhYOUp6YUNGZFNWUFRrSmlJM1c4aWcKLS0tIFc1b3NlSEo2eFJhdDgwejRqcHlT\nZE5wN01uaE04cTlIbVJMVWQvQ1pXajgKQ1n6UmP7LEBsnIBXVc0BceOqvwCqQzBP\ncI8C5Io4ILgMjY4dr6sd0SeJG6mfDdiMA+k7c6jqoyZCW/Pkd3LANQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM2lyeXVzdE9nL1k5L3dC\nTkl2MjhMb1FKMFdCeXFPSmNST0pvOTRUaEVvCmdwMnhjSFFHVFhidmIySS9jMEJu\nNTJpRjdFOWpZZ3ZuZFJwZUUrRFU5NnMKLS0tIDJ1UjdVQkpMNm5Pd01JRnZNOEtr\nb1lpMlBkVHpiT2lYdWtZaUQrRW1HUDgKq/JVMf5gdu6lNEmqY6zU2SymbT+jklem\nnUQ9yieJGF+PanutNW6BCJH8jb/fH+Y6AeJ9S+kKCB4Yi75i4d+oHg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-30T13:18:24Z",
+		"mac": "ENC[AES256_GCM,data:6FJTKEdIpCm+Dz7Ua8dZOMZQFaGU0oU/HRP6ly5mWbXCv81LRbZXRBd+5RDY3z9g9nb0PXZrOMNps63F6SKxK52VfzLIOap3UGeMNQn5P4/yyFj7JQHQ5Gjcf2l2z2VZ7NhUdNoSCV/6lwjValbKtids48Q5c3sFX997ZiqIUnY=,iv:nUeyJd/v8d9v7QsLLckziD9K5qjOZKK4vOQJw/ymi18=,tag:6n5EE3oklWdVcedvB2J/zA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

secrets/ca/secrets.yaml

@@ -0,0 +1,30 @@
+ca_root_pw: ENC[AES256_GCM,data:jS5BHS9i/pOykus5aGsW+w==,iv:aQIU7uXnNKaeNXv1UjRpBoSYcRpHo8RjnvCaIw4yCqc=,tag:lkjGm5/Ve93nizqGDQ0ByA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5anlORWxJalhRWkJPeGIy
+            OStyVG8vMFRTTEZOWHR3Q3N1UWJQbFlxV3pBCmVKQVM1SlJ2L0JOb3U3cTh3YkZ4
+            WHAxSUpTT1dyRHJHYVd1Qkh1ZWxwYW8KLS0tIEhXeklsSmlGaFlaaWF5L0Nodk5a
+            clZ4M3hFSlFqaEZ0UWREdHpTQ29GVUEKAxj5P05Ilpwis2oKFe54mJX+1LfTwfUv
+            2XRFOrEQbFNcK5WFu46p1mc/AAjKTeHWuvb2Yq43CO+sh1+kqKz0XA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaS0dqQ1p4MEE2d2JaeFRx
+            UnB4ejhrS3hLekpqeWJhcEJGdnpzMTZDelVRCmFjVGswd3VtRUloWG1WbWY5N0s3
+            cG9aV2hGU3lFZkkvcUJNWE1rWUIwMmMKLS0tIG1KdlhoQzREWDhPbXVSZVBUQkdE
+            N1hmcEwxWXBIWkQ3a3BrdGhvUFoxbzgKX6hLoz7o/Du6ymrYwmGDkXp2XT+0+7QE
+            YhD5qQzGLVQSh3XM/wWExj2Ue5/gw/NqNziHezOh2r9gQljbHjG2/g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-21T09:12:26Z"
+    mac: ENC[AES256_GCM,data:hfPRIXt/kZJa6lsj7rz+5xGlrWhR/LX895S2d8auP/4t3V//80YE/ofIsHeAY9M7eSFsW9ce2Vp0C/WiCQefVWNaNN7nVAwskCfQ6vTWzs23oYz4NYIeCtZggBG3uGgJxb7ZnAFUJWmLwCxkKTQyoVVnn8i/rUDIBrkilbeLWNI=,iv:lm1HVbWtAifHjqKP0D3sxRadsE9+82ugbA2x54yRBTo=,tag:averxmPLa131lJtFrNxcEA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

secrets/http-proxy/wireguard.yaml

@@ -0,0 +1,25 @@
+wg_private_key: ENC[AES256_GCM,data:DlC9txcLkTnb7FoEd249oJV/Ehcp50P8uulbE4rY/xU16fkTlnKvPmYZ7u8=,iv:IsiTzdrh+BNSVgx1mfjpMGNV2J0c88q6AoP0kHX2aGY=,tag:OqFsOIyE71SBD1mcNS/PeQ==,type:str]
+sops:
+    age:
+        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdm9HTTN1amwxQ2Z6MUQv
+            dGJ0cEgyaHNOZWtWSWlXNXc5bGhUdSsvVlVzCkJkc3ZQdzlBNDNxb3Avdi96bXFt
+            TExZY29nUDI3RE5vanh6TVBRME1Fa1UKLS0tIG8vSHdCYzkvWmJpd0hNbnRtUmtk
+            aVcwaFJJclZ3YUlUTTNwR2VESmVyZWMKHvKUJBDuNCqacEcRlapetCXHKRb0Js09
+            sqxLfEDwiN2LQQjYHZOmnMfCOt/b2rwXVKEHdTcIsXbdIdKOJwuAIQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeU01UTc2V1UyZXRadE5I
+            VE1aakVZUEZUNnJxbzJ1K3J1R3ZQdFdMbUhBCjZBMDM3ZkYvQWlyNHBtaDZRWkd4
+            VzY0L3l4N2RNZjJRTDJWZTZyZVhHbW8KLS0tIGVNZ0N0emVmaVRCV09jNmVKRlla
+            cWVSNkJqWHh5c21KcWFac2FlZTVaMTAK1UvfPgZAZYtwiONKIAo5HlaDpN+UT/S/
+            JfPUfjxgRQid8P20Eh/jUepxrDY8iXRZdsUMON+OoQ8mpwoAh5eN1A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-15T18:56:55Z"
+    mac: ENC[AES256_GCM,data:J2kHY7pXBJZ0UuNCZOhkU11M8rDqCYNzY71NyuDRmzzRCC9ZiNIbavyQAWj2Dpk1pjGsYjXsVoZvP7ti1wTFqahpaR/YWI5gmphrzAe32b9qFVEWTC3YTnmItnY0YxQZYehYghspBjnJtfUK0BvZxSb17egpoFnvHmAq+u5dyxg=,iv:/aLg02RLuJZ1bRzZfOD74pJuE7gppCBztQvUEt557mU=,tag:toxHHBuv3WRblyc9Sth6Iw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

secrets/monitoring01/pve-exporter.yaml

@@ -0,0 +1,33 @@
+default:
+    user: ENC[AES256_GCM,data:4Zzjm6/e8GCKSPNivnY=,iv:Y3gR+JSH/GLYvkVu3CN4T/chM5mjGjwVPI0iMB4p1t4=,tag:auyG8iWsd/YGjDnnTC21Ew==,type:str]
+    password: ENC[AES256_GCM,data:9cyM9U8VnzXBBA==,iv:YMHNNUoQ9Az5+81Df07tjC+LaEWPHV6frUjd4PZrQOs=,tag:3hKR+BhLJODJp19nn4ppkA==,type:str]
+    verify_ssl: ENC[AES256_GCM,data:Cu5Ucf0=,iv:QFfdV7gDBQ+L2kSZZqlVqCrn9CRg5RNG5DNTFWtVf5Y=,tag:u24ZbpWA65wj3WOwqU1v+g==,type:bool]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUXdMMG5YaHRJbThQZW9u
+            RHVBbXFiSHNiUWdLTDdPajIyQjN3OGR0dGpzCm9ZVkdNWjhBakU3dVdhRU9kbU81
+            aDlCNzJBQ1hvQ3FnTUk2N2RWQkZpUUEKLS0tIEZacTNqa3FWc2p1NXVtRWhwVExj
+            cUJtYXNjb2Z4QkF4MjlidEZxSUFNa3MKAGHGksPc9oJheSlUQ3ARK5MuR5NFbPmD
+            kmSDSgRmzbarxT8eJnK8/K4ii3hX5E9vGOohUkyc03w4ENsh/dw43g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVGhvdGE5Mzl0ckhBM21D
+            RXJwb09OS25PMGViblViM21wTVZiZWhtWmhFCnAzL1NqeUVyOGZFVDFvdXFPbklQ
+            ZkJPWDVIdUdCdjZGUjcrcmtvak5CWG8KLS0tIDhLUHJNN2VqNy9CdVh0K0N0b0k1
+            RUE4U0E0aGxiRkF0NWdwSEIrQTU4MjgKeOU6bIWO6ke9YcG+1E3brnC21sSQxZ9b
+            SiG2QEnFnTeJ5P50XQoYHqUY3B0qx7nDLvyzatYEi6sDkfLXhmHGbw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-03T16:25:12Z"
+    mac: ENC[AES256_GCM,data:gemq8YpMZQC+gY7lmMM3tfZh9XxL40qdGlLiB2CD4SIG49w0V6E/vY7xygt0WW0zHbhMI9yUIqlRc/PaXn+QfyxJEr3IjaT05rrWUqQAeRP9Zss74Y3NtQehh8fM8SgeyU4j2CQ9f9B/lW9IgdOW/TNgQZVXGg1vXZPEzl7AZ4A=,iv:LG5ojv3hAqk+EvFa/xEn43MBqL457uKFDE3dG5lSgZo=,tag:AxzcUzmdhO411Sw7Vg1itA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

secrets/nix-cache01/actions_token_1

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:P84qHFU+xQjwQGK8I1gIdcBsHrskuUg0M1nGMMaA+hFjAdFYUhdhmAN/+y0CO28=,iv:zJtk01zNMTBDQdVtZBTM34CHRaNYDkabolxh7PWGKUI=,tag:8AS80AbZJbh9B3Av3zuI1w==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRFB6QTIyWWdwVkV4ZXNB\nWkdSdEhMc0s4cnByWVZXTGhnSWZ0MTdEUWhJCnFlOFQ5TU1hcE91azVyZXVXRCtu\nZjIxalRLYlEreGZ6ZDNoeXNPaFN4b28KLS0tIHY5WVFXN1k4NFVmUjh6VURkcEpv\ncklGcWVhdTdBRnlOdm1qM2h5SS9UUkEKq2RyxSVymDqcsZ+yiNRujDCwk1WOWYRW\nDa4TRKg3FCe7TcCEPkIaev1aBqjLg9J9c/70SYpUm6Zgeps7v5yl3A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTGVuckp2NlhMZXRNMVhO\naUV3K0h3cmZ5ZGx4Q3dJWHNqZXFJeE1kM0dFCmF4TUFUMm9mTHJlYzlYWVhNa1RH\nR29VNDIrL1IvYUpQYm5SZEYzbWhhbkkKLS0tIEJsK1dwZVdaaHpWQkpOOS90dkhx\nbGhvRXhqdFdqQmhZZmhCdmw4NUtSVG8K3z2do+/cIjAqg6EMJnubOWid1sMeTxvo\nrq6eGJ7YzdgZr2JBVtJdDRtk/KeHXu9In4efbBXwLAPIfn1pU0gm1w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-21T19:08:48Z",
+		"mac": "ENC[AES256_GCM,data:5CkO09NIqttb4UZPB9iGym8avhTsMeUkTFTKZJlNGjgB1qWyGQNeKCa50A1+SbBCCWE5EwxoynB1so7bi8vnq7k8CPUHbiWG8rLOJSYHQcZ9Tu7ZGtpeWPcCw1zPWJ/PTBsFVeaT5/ufdx/6ut+sTtRoKHOZZtO9oStHmu/Rlfg=,iv:z9iJJlbvhgxJaART5QoCrqvrqlgoVlGj8jlndCALmKU=,tag:ldjmND4NVVQrHUldLrB4Jg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

secrets/nix-cache01/cache-secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:MQkR6FQGHK2AuhOmy2was49RY2XlLO5NwaXnUFzFo5Ata/2ufVoAj4Jvotw/dSrKL7f62A6s+2BPAyWrvACJ+pwYFlfyj3T9bNwhxwZPkEmiHEubJjWSiD6jkSW0gOxbY8ib6g/GbyF8I1cPeYr/hJD5qQ==,iv:eBL2Y3MOt9gYTETUZqsHo1D5hPOHxb4JR6Z/DFlzzqI=,tag:Qqbt39xZvQz/QhsggsArsw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZzFXaEsyUkZGNFV0bVlW\nRkpPRHpUK2VwUHpOQXZCUUpoVzFGa3hycnhvCndTN0toVFdoU2E5N3V3UFhTTjU0\nNDByWTkrV0o3T295dE0zS08rVGpyQjAKLS0tIC96M0VEcWpjRk5DMjJnMFB4ZHI3\nM2Jod2x4ZzMyZm1pbDhZNTFuWGNRUlEKHs5jBSfjml09JOeKiT9vFR0Fykg6OxKG\njhFU/J2+fWB22G7dBc4PI60SNqhxIheUbGTdcz4Yp4BPL6vW3eArIw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJT3lxamcrQUpFdjZteFlF\nYUQ3aGdadGpuNXd2Z3RtZ3dQU0cvMlFUMUNRClBDR3U0OXZJU0NDamVMSlR5NitN\nYlhvNVlvUE0wRjErYzkwVHFOdGVCVjgKLS0tIEttR1BLTGpDYTRSQ0lUZmVEcnNi\nWkNaMEViUHVBcExVOEpjNE5CZHpjVkEKuX/Rf8kaB3apr1UhAnq3swS6fXiVmwm8\n7Key+SUAPNstbWbz0u6B9m1ev5QcXB2lx2/+Cm7cjW+6VE2gLHjTsQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-24T12:19:16Z",
+		"mac": "ENC[AES256_GCM,data:X8X91LVP1MMJ8ZYeSNPRO6XHN+NuswLZcHpAkbvoY+E9aTteO8UqS+fsStbNDlpF5jz/mhdMsKElnU8Z/CIWImwolI4GGE6blKy6gyqRkn4VeZotUoXcJadYV/5COud3XP2uSTb694JyQEZnBXFNeYeiHpN0y38zLxoX8kXHFbc=,iv:fFCRfv+Y1Nt2zgJNKsxElrYcuKkATJ3A/jvheUY2IK4=,tag:hYojbMGUAQvx7I4qkO7o9w==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.3"
+	}
+}

secrets/secrets.yaml

@@ -1,58 +1,154 @@
 root_password_hash: ENC[AES256_GCM,data:wk/xEuf+qU3ezmondq9y3OIotXPI/L+TOErTjgJz58wEvQkApYkjc3bHaUTzOrmWjQBgDUENObzPmvQ8WKawUSJRVlpfOEr5TQ==,iv:I8Z3xJz3qoXBD7igx087A1fMwf8d29hQ4JEI3imRXdY=,tag:M80osQeWGG9AAA8BrMfhHA==,type:str]
 ns_xfer_key: ENC[AES256_GCM,data:VFpK7GChgFeUgQm31tTvVC888bN0yt6BAnHQa6KUTg4iZGP1WL5Bx6Zp8dY=,iv:9RF1eEc7JBxBebDOKfcDjGS2U7XsHkOW/l52yIP+1LA=,tag:L6DR2QlHOfo02kzfWWCrvg==,type:str]
+backup_helper_secret: ENC[AES256_GCM,data:EvXEJnDilbfALQ==,iv:Q3dkZ8Ee3qbcjcoi5GxfbaVB4uRIvkIB6ioKVV/dL2Y=,tag:T/UgZvQgYGa740Wh7D0b7Q==,type:str]
+nats_nkey: ENC[AES256_GCM,data:N2CVXjdwiE7eSPUtXe+NeKSTzA9eFwK2igxaCdYsXd4Ps0/DjYb/ggnQziQzSy8viESZYjXhJ2VtNw==,iv:Xhcf5wPB01Wu0A+oMw0wzTEHATp+uN+wsaYshxIzy1w=,tag:IauTIOHqfiM75Ufml/JXbg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOGpRSFhKWFNSbnFxSHpN
-            N2Jxd0NIYWdlMVFNMmFRRGF6bi9BUmxLN2wwCm9sWlNPNlNkQ1BySlZCQUtkWmQ2
-            WWJ1TGdEZWNMd2tranBocWsxVysxbm8KLS0tIFZoaDd1VHlQRDI4OXg0Uno3Tmpw
-            RSs0U2wwMm1ncXdCWW1xMStvOW1CM3MKFrivUqmNYOTCbFbBzvy2JdI2BH6eVS4/
-            eihoHdqvAPP0TJcuiDH25gNyfgF4kpSdgh3qwfGW8zPf6bNBE79qEw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbC90WWJiRXRPZ1VUVWhO
+            azc5R2lGeDhoRmQydXBnYlltbE81ajFQNW0wClRJNC9iaFV0NDRKRkw2Mm1vOHpN
+            dVhnUm1nbElQRGQ4dmkxQ2FWdEdpdDAKLS0tIG9GNEpuZUFUQkVXbjZPREo0aEh4
+            ZVMyY0Y0Zldvd244eSt2RVZDeUZKWmcKGQ7jq50qiXPLKCHq751Y2SA79vEjbSbt
+            yhRiakVEjwf9A+/iSNvXYAr/tnKaYC+NTA7F6AKmYpBcrzlBGU68KA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dnowZnRSRTUyZWZMRDZG
-            Nk1nZDlsVHhsbjZjd2oveXgvdjJndThvUXdjCllVa1lDcWNSeEhmZ3dOQlRPaDQy
-            MXorZ3MvcUpZRHZlL2NHUVludERmc3cKLS0tIHdZVWdmSk4rSVNWQXhLeVJ0MHcz
-            WThzVGJIV1BESEhGUldoSER0TVFJYlkKCRiVrlzD7q6dL8Gc2oVe+fAVHnBnyTQV
-            0OH/gAPL3NXwrGG8SDJ6+I5L5Gj7lSyId4HEjqlUeoB8sbhL+HP5nA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTWFBRVRKeXR0UUloQ3FK
+            Rmhsak45aFZBVUp4Szk5eHJhZmswV3JUcHh3Cis0N09JaCtOZE1pQUM5blg4WDY5
+            Q0ZGajJSZnJVQzdJK0dxZjJNWHZkbGsKLS0tIEVtRVJROTlWdWl0cFlNZmZkajM5
+            N3FpdU56WlFWaC9QYU5Kc1o2a1VkT0UK2Utr9mvK8If4JhjzD+l06xZxdE3nbvCO
+            NixMiYDhuQ/a55Fu0653jqd35i3CI3HukzEI9G5zLEeCcXxTKR5Bjg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQmNpS0UvL0xVUEZMUkIr
-            WUo2WFVYdmlBMHBrNzBMOFVKNWw0cVhNTXpvCkpmaEh2ZGhqR2NmNkkxd3JkaFFW
-            NUhPZzNndDM2NEtuNGFWMGNFamU5TWsKLS0tIDFqYkxiMlFoQ3FkVHRjYWdtVnEr
-            LzdFdC81ZG5HZnVFdDREcFhrbzk0a2sKR4OYnXwoGlOQytZIr1zhHunaF23fcVgl
-            FMxvO2wYfk7/M0Ma+gm7XMK6ADy3ht9rJ3/ELS29e5XtUNWnrEcAVw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQVk0aUw0aStuOWhFMk5a
+            UVJ5YWg2WjU2eVFUWDlobEIrRDlZV3dxelc0Clo0N3lvOUZNL3YrM2l3Y21VaUQz
+            MTV5djdPWTBIUXFXVDZpZitRTVhMbVEKLS0tIFluV1NFTzd0cFFaR0RwVkhlSmNm
+            VGdZNDlsUGI3cTQ1Tk9XRWtDSE1wNWMKQI226dcROyp/GprVZKtM0R57m5WbJyuR
+            UZO74NqiDr7nxKfw+tHCfDLh94rbC1iP4jRiaQjDgfDDxviafSbGBA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1snmhmpavqy7xddmw4nuny0u4xusqmnqxqarjmghkm5zaluff84eq5xatrd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWXBpR24yRmQ0SUp3elk5
-            ZEhUMVVxaXBWYi9aL1p0YlIxeTFUV1pJQ2lnCmlvR2IvVks5dUhhVkxXYmxDVFFH
-            ZDdJWjlOaUQ4aWV5ODh5ZlgxTkxCancKLS0tIGZMRTF0ZEl1Y1NzckpwdUZERlJS
-            ODZDbnBaam50NXFxa1dldGg2VWVtTWMKBnMW8l0L5TTA4P0E5KLPb93wCVdYeu0e
-            IzoY9cW2ubHp/4M+cx8mC/4uJriq8uLq5q2B1Ag8AbD8+R68OR0psQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WVBzazE3VkNDWXUwMk5x
+            NnZtL3N3THVBQytxZzdZNUhCeThURFBLdjBVClBpZjd5L3lKYjRZNVF2Z3hibW5R
+            YTdTR0NzaVp4VEZlTjlaTHVFNXNSSUEKLS0tIDBGbmhGUFNJQ21zeW1SbWtyWWh0
+            QkFXN2g5TlhBbnlmbW1aSUJQL1FOaWMKTv8OoaTxyG8XhKGZNs4aFR/9SXQ+RG6w
+            +fxiUx7xQnOIYag9YQYfuAgoGzOaj/ha+i18WkQnx9LAgrjCTd+ejA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWWMyQk9qREFSYk5PbTRv
-            cEpoYUg5d1NHZ2FzVGVQMkMrdEcyVlkxYkUwCmt3UVBlSEROSXBwc21tTDN3OEMv
-            QjE1eEJpM3hHQndMZmxxaDhNS1lYaTQKLS0tIFBQOW84blJkN3VncSt3bXpiRC9q
-            K1ZXejRVVjdTNER1ejVuRWFjYWIwWm8K+Es5emxg5AWryOueqPVQzN52H4t1ZWKi
-            risTou+uBzZS9UwAqeiw4z00LIAcNMjZv3WdWWBn/9bwXxnqfcU3Vw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcnVxL09JTEdsZ0FUb2VH
+            a3dSY09uRFFCYnJXQno3YUFhMlpueHJreXdFCjQ4UWdRak5yK0VIT2lYUjBVK2h5
+            RFJmMTlyVEpnS3JxdkE4ckp1UHpLM2sKLS0tIHVyZXRTSHQxL1p1dUxMKzkyV0pW
+            a2o0bG9vZUtmckdYTkhLSVZtZVRtNlUKpALeaeaH4/wFUPPGsNArTAIIJOvBWWDp
+            MUYPJjqLqBVmWzIgCexM2jsDOhtcCV26MXjzTXmZhthaGJMSp23kMQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-11T19:25:54Z"
-    mac: ENC[AES256_GCM,data:GbbdzjkjicbNPoiKXpeAXzkrmQlgLUg90B0ynYfbB9JX0m4W7hfogVJ4Fcx5t+iUeG2LPkCxq7vYnD1+uFJkND1xF0rc9dGi43SBtz74giQTJck8/mK/iWyDdgDlWxtO78ghHMS5OxyapOvk+K2+Ga9zJ1f3S64lc2xqhyVSFfk=,iv:jRDgu1lSuFRv8VeVbiyx+DfywaLlZJ0Xla++M277SBg=,tag:aV757MJJUNg77//tON7h1A==,type:str]
-    pgp: []
+        - recipient: age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5M0liYUY1UHRHUDdvN3ds
+            TVdiWDlrWFROSVdRTy9nOHFOUTdmTmlHSzE4CjBpU3gzdjdWaHQzNXRMRkxPdVps
+            TEZXbVlYenUwc3o0TXRnaXg4MmVHQmcKLS0tIDlVeWQ4V0hjbWJqRlNUL2hOWVhp
+            WEJvZWZzbWZFeWZVeWJ1c3pVOWI3MFUKN2QfuOaod5IBKkBkYzi3jvPty+8PRGMJ
+            mozL7qydsb0bAZJtAwcL7HWCr1axar/Ertce0yMqhuthJ5bciVD5xQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1gcyfkxh4fq5zdp0dh484aj82ksz66wrly7qhnpv0r0p576sn9ekse8e9ju
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5L3NmcFMyUUpLOW9mOW9v
+            VXhMTjl5SEFsZ0pzR3lHb1VJL0IzUUxCckdzCnltZnVySkszVUtwbDdQNHAwVWxl
+            V2xJU1BqSG0yMk5sTkpKRTIvc2JORFUKLS0tIHNydWZjdGg3clNpMDhGSGR6VVVh
+            VU1Rbk9ybGRJOG1ETEh4a1orNUY2Z00KJmdp+wLHd+86RJJ/G0QbLp4BEDPXfE9o
+            VZhPPSC6qtUcFV2z6rqSHSpsHPTlgzbCRqX39iePNhfQ2o0lR2P2zQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g5luz2rtel3surgzuh62rkvtey7lythrvfenyq954vmeyfpxjqkqdj3wt8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbnhXSG5qdVJHSjNmQ3Qx
+            Yk9zSVBkVTQyb3luYXgwbFJWbG9xK2tWZUdrCkh2MktoWmFOdkRldFNlQW1EMm9t
+            ZHJRa3QrRzh0UElSNGkvSWcyYTUxZzgKLS0tIGdPT2dwWU9LbERYZGxzUTNEUHE1
+            TmlIdWJjbmFvdnVQSURqUTBwbW9EL00Kaiy5ZGgHjKgAGvzbdjbwNExLf4MGDtiE
+            NJEvnmNWkQyEhtx9YzUteY02Tl/D7zBzAWHlV3RjAWTNIwLmm7QgCw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDFIa1hNZU1BNWxHckk1
+            UEdJT282Y054eVNpb3VOZ2t3S2NndTkycXdNCk1sNk5uL2xpbXk1MG95dVM1OWVD
+            TldUWmsrSmxGeHYweWhGWXpSaE0xRmcKLS0tIFlVbEp2UU1kM0hhbHlSZm96TFl2
+            TkVaK0xHN1NxNzlpUVYyY2RpdisrQVkKG+DlyZVruH64nB9UtCPMbXhmRHj+zpr6
+            CX4JOTXbUsueZIA4J/N93+d2J3V6yauoRYwCSl/JXX/gaSeSxF4z3A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YWxPRTNaVTNLb2tYSzZ5
+            ZmVMYXk2MlVXYzNtZGFJNlJLR2FIVWhKb1RFCmx5bXozeExlbEZBQzhpSHA0T1JE
+            dFpHRm8rcFl1QjZ2anRGYjVxeGJqc0EKLS0tIGVibzRnRTA3Vk5yR3c4QVFsdy95
+            bG1tejcremFiUjZaL3hmc1gwYzJIOGMKFmXmY60vABYlpfop2F020SaOEwV4TNya
+            F0tgrIqbufU1Yw4RhxPdBb9Wv1cQu25lcqQLh1i4VH9BSaWKk6TDEA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRXM1VUJPNm90UUx4UEdZ
+            cDY5czVQaGl0MEdIMStjTnphTmR5ZkFWTDBjClhTd0xmaHNWUXo3NXR6eEUzTkg2
+            L3BqT1N6bTNsYitmTGVpREtiWEpzdlEKLS0tIFUybTczSlRNbDkxRVZjSnFvdmtq
+            MVdRU3RPSHNqUzJzQWl1VVkyczFaencK72ZmWJIcfBTXlezmefvWeCGOC1BhpkXO
+            bm+X+ihzNfktuOCl6ZIMo2n4aJ3hYakrMp4npO10a6s4o/ldqeiATg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOL3F3OWRYVVdxWncwWmlk
+            SnloWFdscE02L3ZRa0JGcFlwSU9tU3JRakhnCjZyTnR3T051Tmt2NGM2dkFaNGJz
+            WVRnNDdNN0ozYXJnK0t4ZW5JRVQ2YzQKLS0tIFk0cFBxcVFETERNTGowMThJcDNR
+            UW0wUUlFeHovSS9qYU5BRkJ6dnNjcWcKh2WcrmxsqMZeQ0/2HsaHeSqGsU3ILynU
+            SHBziWHGlFoNirCVjljh/Mw4DM8v66i0ztIQtWV5cFaFhu4kVda5jA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZkovUkMzdmhOUGpZUC91
+            d1JFZGk1T2hOS2dlVFNHRGJKVTUwdUhpQmg0CnEybzlRdjBLcjVEckNtR0xzMDVk
+            dURWbFdnTXk1alV5cjRSMkRrZ21vTjAKLS0tIEtDZlFCTGdVMU1PUWdBYTVOcTU4
+            ZkZHYmJiTUdJUGZhTFdLM1EzdU9wNmsK3AqFfycJfrBpvnjccN1srNiVBCv107rt
+            b/O5zcqKGR3Nzey7zAhlxasPCRKARyBTo292ScZ03QMU8p8HIukdzg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOVNVNmFzbTE2NmdiM1dP
+            TlhuTGYyQWlWeFlkaVU3Tml2aDNJbmxXVnlZCmJSb001OVJTaGpRcllzN2JSWDFF
+            b1MyYjdKZys4ZHRoUmFhdG1oYTA2RzQKLS0tIEhGeU9YcW9Wc0ZZK3I5UjB0RHFm
+            bW1ucjZtYXFkT1A4bGszamFxaG5IaHMKqHuaWFi/ImnbDOZ9VisIN7jqplAYV8fo
+            y3PeVX34LcYE0d8cxbvH8CTs/Ubirt6P1obrmAL9W9Y0ozpqdqQSjA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbXo4UWhoMUQxc1lMcnNB
+            VWc1MUJuS3NnVnh4U254TE0wSDJTMzFSM3lrCnhHbmk1N0VqTlViT2dtZndGT1pn
+            NmpPc01iMjk3TXZLU1htZjBvd2NBK2sKLS0tIEN3dGlRZHF5Ykgybjl6MzRBVUJ0
+            Rm92SGdwanFHZlp6U00wMDUzL3MrMzgKtCJqy+BfDMFQMHaIVPlFyzALBsb4Ekls
+            +r7ofZ1ZjSomBljYxVPhKE9XaZJe6bqICEhJBCpODyxavfh8HmxHDQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16prza00sqzuhwwcyakj6z4hvwkruwkqpmmrsn94a5ucgpkelncdq2ldctk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQTRXTHljd2UrbFJOWUI4
+            WGRYcEVrZDJGM3hpVVNmVXlSREYzc1FHRlhFCjZHa2VTTzFHR1RXRmllT1huVDNV
+            UkRKaEQrWjF5eHpiaUg1NExnME5veFkKLS0tIFpZY1RrOVNTTjU0N2Y1dFN6QWpX
+            MTM3NDJrV1JZNE5pWGNLMUg1OFFwYUUKMx0hpB3iunnCbJ/+zWetdp1NI/LsrUTe
+            J84+aDoe7/WJYT0FLMlC0RK80txm6ztVygoyRdN0cRKx1z3KqPmavw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-11T21:18:22Z"
+    mac: ENC[AES256_GCM,data:5//boMp1awc/2XAkSASSCuobpkxa0E6IKf3GR8xHpMoCD30FJsCwV7PgX3fR8OuLEhOJ7UguqMNQdNqG37RMacreuDmI1J8oCFKp+3M2j4kCbXaEo8bw7WAtyjUez+SAXKzZWYmBibH0KOy6jdt+v0fdgy5hMBT4IFDofYRsyD0=,iv:6pD+SLwncpmal/FR4U8It2njvaQfUzzpALBCxa0NyME=,tag:4QN8ZFjdqck5ZgulF+FtbA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4

services/actions-runner/default.nix

@@ -0,0 +1,55 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets."actions-token-1" = {
+    sopsFile = ../../secrets/nix-cache01/actions_token_1;
+    format = "binary";
+  };
+
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+  };
+
+  services.gitea-actions-runner.instances = {
+    actions1 = {
+      enable = true;
+      tokenFile = config.sops.secrets.actions-token-1.path;
+      name = "actions1.home.2rjus.net";
+      settings = {
+        log = {
+          level = "debug";
+        };
+
+        runner = {
+          file = ".runner";
+          capacity = 4;
+          timeout = "2h";
+          shutdown_timeout = "10m";
+          insecure = false;
+          fetch_timeout = "10s";
+          fetch_interval = "30s";
+        };
+
+        cache = {
+          enabled = true;
+          dir = "/var/cache/gitea-actions1";
+        };
+
+        container = {
+          privileged = false;
+        };
+      };
+      labels =
+        builtins.map (n: "${n}:docker://gitea/runner-images:${n}") [
+          "ubuntu-latest"
+          "ubuntu-latest-slim"
+          "ubuntu-latest-full"
+        ]
+        ++ [
+          "homelab"
+        ];
+
+      url = "https://git.t-juice.club";
+    };
+  };
+}

services/authelia/default.nix

@@ -0,0 +1,87 @@
+{ config, ... }:
+{
+  sops.secrets.authelia_ldap_password = {
+    format = "yaml";
+    sopsFile = ../../secrets/auth01/secrets.yaml;
+    key = "authelia_ldap_password";
+    restartUnits = [ "authelia-auth.service" ];
+    owner = "authelia-auth";
+    group = "authelia-auth";
+  };
+  sops.secrets.authelia_jwt_secret = {
+    format = "yaml";
+    sopsFile = ../../secrets/auth01/secrets.yaml;
+    key = "authelia_jwt_secret";
+    restartUnits = [ "authelia-auth.service" ];
+    owner = "authelia-auth";
+    group = "authelia-auth";
+  };
+  sops.secrets.authelia_storage_encryption_key_file = {
+    format = "yaml";
+    key = "authelia_storage_encryption_key_file";
+    sopsFile = ../../secrets/auth01/secrets.yaml;
+    restartUnits = [ "authelia-auth.service" ];
+    owner = "authelia-auth";
+    group = "authelia-auth";
+  };
+  sops.secrets.authelia_session_secret = {
+    format = "yaml";
+    key = "authelia_session_secret";
+    sopsFile = ../../secrets/auth01/secrets.yaml;
+    restartUnits = [ "authelia-auth.service" ];
+    owner = "authelia-auth";
+    group = "authelia-auth";
+  };
+
+  services.authelia.instances."auth" = {
+    enable = true;
+    environmentVariables = {
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+        config.sops.secrets.authelia_ldap_password.path;
+      AUTHELIA_SESSION_SECRET_FILE = config.sops.secrets.authelia_session_secret.path;
+    };
+    secrets = {
+      jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path;
+      storageEncryptionKeyFile = config.sops.secrets.authelia_storage_encryption_key_file.path;
+    };
+    settings = {
+      access_control = {
+        default_policy = "two_factor";
+      };
+      session = {
+        # secret = "{{- fileContent \"${config.sops.secrets.authelia_session_secret.path}\" }}";
+        cookies = [
+          {
+            domain = "home.2rjus.net";
+            authelia_url = "https://auth.home.2rjus.net";
+            default_redirection_url = "https://dashboard.home.2rjus.net";
+            name = "authelia_session";
+            same_site = "lax";
+            inactivity = "1h";
+            expiration = "24h";
+            remember_me = "30d";
+          }
+        ];
+      };
+      notifier = {
+        filesystem.filename = "/var/lib/authelia-auth/notification.txt";
+      };
+      storage = {
+        local.path = "/var/lib/authelia-auth/db.sqlite3";
+      };
+      authentication_backend = {
+        password_reset = {
+          disable = false;
+        };
+        ldap = {
+          address = "ldap://127.0.0.1:3890";
+          implementation = "lldap";
+          timeout = "5s";
+          base_dn = "dc=home,dc=2rjus,dc=net";
+          user = "uid=authelia_ldap_user,ou=people,dc=home,dc=2rjus,dc=net";
+          # password = "{{- fileContent \"${config.sops.secrets.authelia_ldap_password.path}\" -}}";
+        };
+      };
+    };
+  };
+}

services/ca/default.nix

@@ -0,0 +1,165 @@
+{ pkgs, unstable, ... }:
+{
+  sops.secrets."ca_root_pw" = {
+    sopsFile = ../../secrets/ca/secrets.yaml;
+    owner = "step-ca";
+    path = "/var/lib/step-ca/secrets/ca_root_pw";
+  };
+  sops.secrets."intermediate_ca_key" = {
+    sopsFile = ../../secrets/ca/keys/intermediate_ca_key;
+    format = "binary";
+    owner = "step-ca";
+    path = "/var/lib/step-ca/secrets/intermediate_ca_key";
+  };
+  sops.secrets."root_ca_key" = {
+    sopsFile = ../../secrets/ca/keys/root_ca_key;
+    format = "binary";
+    owner = "step-ca";
+    path = "/var/lib/step-ca/secrets/root_ca_key";
+  };
+  sops.secrets."ssh_host_ca_key" = {
+    sopsFile = ../../secrets/ca/keys/ssh_host_ca_key;
+    format = "binary";
+    owner = "step-ca";
+    path = "/var/lib/step-ca/secrets/ssh_host_ca_key";
+  };
+  sops.secrets."ssh_user_ca_key" = {
+    sopsFile = ../../secrets/ca/keys/ssh_user_ca_key;
+    format = "binary";
+    owner = "step-ca";
+    path = "/var/lib/step-ca/secrets/ssh_user_ca_key";
+  };
+
+  services.step-ca = {
+    enable = true;
+    package = pkgs.step-ca;
+    intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw";
+    address = "0.0.0.0";
+    port = 443;
+    settings = {
+      metricsAddress = ":9000";
+      authority = {
+        provisioners = [
+          {
+            claims = {
+              enableSSHCA = true;
+              maxTLSCertDuration = "3600h";
+              defaultTLSCertDuration = "48h";
+            };
+            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g";
+            key = {
+              alg = "ES256";
+              crv = "P-256";
+              kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE";
+              kty = "EC";
+              use = "sig";
+              x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo";
+              y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0";
+            };
+            name = "ca@home.2rjus.net";
+            type = "JWK";
+          }
+          {
+            name = "acme";
+            type = "ACME";
+            claims = {
+              maxTLSCertDuration = "3600h";
+              defaultTLSCertDuration = "1800h";
+            };
+          }
+          {
+            claims = {
+              enableSSHCA = true;
+            };
+            name = "sshpop";
+            type = "SSHPOP";
+          }
+        ];
+      };
+      crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
+      db = {
+        badgerFileLoadingMode = "";
+        dataSource = "/var/lib/step-ca/db";
+        type = "badgerv2";
+      };
+      dnsNames = [
+        "ca.home.2rjus.net"
+        "10.69.13.12"
+      ];
+      federatedRoots = null;
+      insecureAddress = "";
+      key = "/var/lib/step-ca/secrets/intermediate_ca_key";
+      logger = {
+        format = "text";
+      };
+      root = "/var/lib/step-ca/certs/root_ca.crt";
+      ssh = {
+        hostKey = "/var/lib/step-ca/secrets/ssh_host_ca_key";
+        userKey = "/var/lib/step-ca/secrets/ssh_user_ca_key";
+      };
+      templates = {
+        ssh = {
+          host = [
+            {
+              comment = "#";
+              name = "sshd_config.tpl";
+              path = "/etc/ssh/sshd_config";
+              requires = [
+                "Certificate"
+                "Key"
+              ];
+              template = ./templates/ssh/sshd_config.tpl;
+              type = "snippet";
+            }
+            {
+              comment = "#";
+              name = "ca.tpl";
+              path = "/etc/ssh/ca.pub";
+              template = ./templates/ssh/ca.tpl;
+              type = "snippet";
+            }
+          ];
+          user = [
+            {
+              comment = "#";
+              name = "config.tpl";
+              path = "~/.ssh/config";
+              template = ./templates/ssh/config.tpl;
+              type = "snippet";
+            }
+            {
+              comment = "#";
+              name = "step_includes.tpl";
+              path = "\${STEPPATH}/ssh/includes";
+              template = ./templates/ssh/step_includes.tpl;
+              type = "prepend-line";
+            }
+            {
+              comment = "#";
+              name = "step_config.tpl";
+              path = "ssh/config";
+              template = ./templates/ssh/step_config.tpl;
+              type = "file";
+            }
+            {
+              comment = "#";
+              name = "known_hosts.tpl";
+              path = "ssh/known_hosts";
+              template = ./templates/ssh/known_hosts.tpl;
+              type = "file";
+            }
+          ];
+        };
+      };
+      tls = {
+        cipherSuites = [
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ];
+        maxVersion = 1.3;
+        minVersion = 1.2;
+        renegotiation = false;
+      };
+    };
+  };
+}

services/ca/templates/ssh/config.tpl

@@ -0,0 +1,14 @@
+Host *
+{{- if or .User.GOOS "none" | eq "windows" }}
+{{- if .User.StepBasePath }}
+	Include "{{ .User.StepBasePath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes"
+{{- else }}
+	Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes"
+{{- end }}
+{{- else }}
+{{- if .User.StepBasePath }}
+	Include "{{.User.StepBasePath}}/ssh/includes"
+{{- else }}
+	Include "{{.User.StepPath}}/ssh/includes"
+{{- end }}
+{{- end }}

services/ca/templates/ssh/known_hosts.tpl

@@ -0,0 +1,4 @@
+@cert-authority * {{.Step.SSH.HostKey.Type}} {{.Step.SSH.HostKey.Marshal | toString | b64enc}}
+{{- range .Step.SSH.HostFederatedKeys}}
+@cert-authority * {{.Type}} {{.Marshal | toString | b64enc}}
+{{- end }}

services/ca/templates/ssh/sshd_config.tpl

@@ -0,0 +1,4 @@
+Match all
+	TrustedUserCAKeys /etc/ssh/ca.pub
+	HostCertificate /etc/ssh/{{.User.Certificate}}
+	HostKey /etc/ssh/{{.User.Key}}

services/ca/templates/ssh/step_config.tpl

@@ -0,0 +1,11 @@
+Match exec "step ssh check-host{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %h"
+{{- if .User.User }}
+	User {{.User.User}}
+{{- end }}
+{{- if or .User.GOOS "none" | eq "windows" }}
+	UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts"
+	ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
+{{- else }}
+	UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts"
+	ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
+{{- end }}

services/ca/templates/ssh/step_includes.tpl

@@ -0,0 +1 @@
+{{- if or .User.GOOS "none" | eq "windows" }}Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/config"{{- else }}Include "{{.User.StepPath}}/ssh/config"{{- end }}

services/home-assistant/default.nix

@@ -0,0 +1,68 @@
+{ pkgs, config, ... }:
+{
+  # Enable the Home Assistant service
+  services.home-assistant = {
+    enable = true;
+    package = pkgs.unstable.home-assistant;
+    configWritable = true;
+    config = null;
+    extraPackages =
+      python3Packages: with pkgs.unstable.python313Packages; [
+        aiopyarr
+        aioshelly
+        bellows
+        gtts
+        ha-silabs-firmware-client
+        isal
+        paho-mqtt
+        prometheus-client
+        pykodi
+        python-roborock
+        radios
+        uiprotect
+        unifi-discovery
+        universal-silabs-flasher
+        vacuum-map-parser-base
+        vacuum-map-parser-roborock
+        zha
+        zha-quirks
+        zigpy-cc
+        zigpy-deconz
+        zigpy-xbee
+        zigpy-zigate
+        zigpy-znp
+        zlib-ng
+      ];
+    customComponents = with pkgs.home-assistant-custom-components; [
+    ];
+  };
+
+  # Enable the mosquitto MQTT broker
+  services.mosquitto = {
+    enable = true;
+    persistence = true;
+    listeners = [
+      {
+        acl = [ "pattern readwrite #" ];
+        omitPasswordAuth = true;
+        settings.allow_anonymous = true;
+      }
+    ];
+  };
+
+  # Enable the zigbee2mqtt service
+  services.zigbee2mqtt = {
+    enable = true;
+    package = pkgs.unstable.zigbee2mqtt;
+    settings = {
+      homeassistant = {
+        legacy_entity_attributes = false;
+        legacy_triggers = false;
+      };
+      availability = true;
+      frontend = true;
+      permit_join = false;
+      serial.port = "/dev/ttyUSB0";
+    };
+  };
+}

services/http-proxy/default.nix

@@ -0,0 +1,6 @@
+{ pkgs, config, ... }:
+{
+  imports = [
+    ./proxy.nix
+  ];
+}

services/http-proxy/proxy.nix

@@ -0,0 +1,131 @@
+{ pkgs, ... }:
+{
+  services.caddy = {
+    enable = true;
+    package = pkgs.unstable.caddy;
+    configFile = pkgs.writeText "Caddyfile" ''
+      {
+        acme_ca https://ca.home.2rjus.net/acme/acme/directory
+
+        metrics {
+          per_host
+        }
+      }
+
+      nzbget.home.2rjus.net {
+        log {
+          output file /var/log/caddy/nzbget.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://nzbget-jail.home.2rjus.net:6789
+      }
+
+      radarr.home.2rjus.net {
+        log {
+          output file /var/log/caddy/radarr.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://radarr-jail.home.2rjus.net:7878
+      }
+
+      sonarr.home.2rjus.net {
+        log {
+          output file /var/log/caddy/sonarr.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://sonarr-jail.home.2rjus.net:8989
+      }
+      ha.home.2rjus.net {
+        log {
+          output file /var/log/caddy/ha.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://ha1.home.2rjus.net:8123
+      }
+      z2m.home.2rjus.net {
+        log {
+          output file /var/log/caddy/z2m.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://ha1.home.2rjus.net:8080
+      }
+      prometheus.home.2rjus.net {
+        log {
+          output file /var/log/caddy/prometheus.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:9090
+      }
+      alertmanager.home.2rjus.net {
+        log {
+          output file /var/log/caddy/alertmanager.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:9093
+      }
+      grafana.home.2rjus.net {
+        log {
+          output file /var/log/caddy/grafana.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:3000
+      }
+      jelly.home.2rjus.net {
+        log {
+          output file /var/log/caddy/jelly.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://jelly01.home.2rjus.net:8096
+      }
+      lldap.home.2rjus.net {
+        log {
+          output file /var/log/caddy/auth.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://auth01.home.2rjus.net:17170
+      }
+      auth.home.2rjus.net {
+        log {
+          output file /var/log/caddy/auth.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://auth01.home.2rjus.net:9091
+      }
+      pyroscope.home.2rjus.net {
+        log {
+          output file /var/log/caddy/pyroscope.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:4040
+      }
+      pushgw.home.2rjus.net {
+        log {
+          output file /var/log/caddy/pushgw.log {
+            mode 644
+          }
+        }
+        reverse_proxy http://monitoring01.home.2rjus.net:9091
+      }
+      http://http-proxy.home.2rjus.net/metrics {
+        log {
+          output file /var/log/caddy/caddy-metrics.log {
+            mode 644
+          }
+        }
+        metrics
+      }
+    '';
+  };
+}

services/jellyfin/default.nix

@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+{
+  services.jellyfin = {
+    enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    nfs-utils
+  ];
+
+  services.rpcbind.enable = true;
+  systemd.mounts = [
+    {
+      type = "nfs";
+      mountConfig = {
+        Options = "ro,soft,noatime";
+      };
+      what = "nas.home.2rjus.net:/mnt/hdd-pool/media";
+      where = "/mnt/nas/media";
+    }
+  ];
+
+  systemd.automounts = [
+    {
+      wantedBy = [ "multi-user.target" ];
+      automountConfig = {
+        TimeoutIdleSec = "5min";
+      };
+      where = "/mnt/nas/media";
+    }
+  ];
+}

services/lldap/default.nix

@@ -0,0 +1,38 @@
+{ config, ... }:
+{
+  sops.secrets.lldap_user_pass = {
+    format = "yaml";
+    key = "lldap_user_pass";
+    sopsFile = ../../secrets/auth01/secrets.yaml;
+    restartUnits = [ "lldap.service" ];
+    group = "acme";
+    mode = "0440";
+  };
+
+  services.lldap = {
+    enable = true;
+    settings = {
+      ldap_base_dn = "dc=home,dc=2rjus,dc=net";
+      ldap_user_email = "admin@home.2rjus.net";
+      ldap_user_dn = "admin";
+      ldap_user_pass_file = config.sops.secrets.lldap_user_pass.path;
+      ldaps_options = {
+        enabled = true;
+        port = 6360;
+        cert_file = "/var/lib/acme/auth01.home.2rjus.net/cert.pem";
+        key_file = "/var/lib/acme/auth01.home.2rjus.net/key.pem";
+      };
+    };
+  };
+  systemd.services.lldap = {
+    serviceConfig = {
+      SupplementaryGroups = [ "acme" ];
+    };
+  };
+  security.acme.certs."auth01.home.2rjus.net" = {
+    listenHTTP = ":80";
+    reloadServices = [ "lldap" ];
+    extraDomainNames = [ "ldap.home.2rjus.net" ];
+    enableDebugLogs = true;
+  };
+}

services/monitoring/alerttonotify.nix

@@ -0,0 +1,43 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets."nats_nkey" = { };
+  systemd.services."alerttonotify" = {
+    enable = true;
+    wants = [ "network-online.target" ];
+    after = [
+      "network-online.target"
+      "sops-nix.service"
+    ];
+    wantedBy = [ "multi-user.target" ];
+    restartIfChanged = true;
+
+    environment = {
+      NATS_URL = "nats://nats1.home.2rjus.net:4222";
+      NATS_NKEY_FILE = "%d/nats_nkey";
+    };
+
+    serviceConfig = {
+      Type = "exec";
+      ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify";
+
+      CapabilityBoundingSet = "";
+      DynamicUser = "yes";
+      LoadCredential = "nats_nkey:/run/secrets/nats_nkey";
+      LockPersonality = "yes";
+      MemoryDenyWriteExecute = "yes";
+      PrivateDevices = "yes";
+      PrivateUsers = "yes";
+      ProtectClock = "yes";
+      ProtectControlGroups = "yes";
+      ProtectHome = "yes";
+      ProtectHostname = "yes";
+      ProtectKernelLogs = "yes";
+      ProtectKernelModules = "yes";
+      RestrictAddressFamilies = "AF_INET AF_INET6";
+      RestrictNamespaces = "yes";
+      RestrictRealtime = "yes";
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "~@privileged";
+    };
+  };
+}

services/monitoring/alloy.nix

@@ -0,0 +1,41 @@
+{ ... }:
+{
+  services.alloy = {
+    enable = true;
+  };
+
+  environment.etc."alloy/config.alloy" = {
+    enable = true;
+    mode = "0644";
+    text = ''
+      pyroscope.write "local_pyroscope" {
+        endpoint {
+          url = "http://localhost:4040"
+        }
+      }
+
+      pyroscope.scrape "labmon" {
+        targets    = [{"__address__" = "localhost:9969", "service_name" = "labmon"}]
+        forward_to = [pyroscope.write.local_pyroscope.receiver]
+
+        profiling_config {
+          profile.process_cpu {
+            enabled = true
+          }
+          profile.memory {
+            enabled = true
+          }
+          profile.mutex {
+            enabled = true
+          }
+          profile.block {
+            enabled = true
+          }
+          profile.goroutine {
+            enabled = true
+          }
+        }
+      }
+    '';
+  };
+}

services/monitoring/default.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  imports = [
+    ./loki.nix
+    ./grafana.nix
+    ./prometheus.nix
+    ./pve.nix
+    ./alerttonotify.nix
+    ./pyroscope.nix
+    ./alloy.nix
+    ./tempo.nix
+  ];
+}

services/monitoring/grafana.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        http_addr = "";
+      };
+    };
+  };
+}