From e01e5fcd66e9693541bc9f5a935aba0f0bd6f0a8 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Thu, 26 Sep 2024 22:14:38 +0200 Subject: [PATCH 01/23] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/6d42596a35d34918a905e8539a44d3fc91f42b5b' (2024-09-24) → 'github:nix-community/disko/67dc29be3036cc888f0b9d4f0a788ee0f6768700' (2024-09-26) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/23cbb250f3bf4f516a2d0bf03c51a30900848075' (2024-09-22) → 'github:nixos/nixpkgs/759537f06e6999e141588ff1c9be7f3a5c060106' (2024-09-25) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/9357f4f23713673f310988025d9dc261c20e70c6' (2024-09-21) → 'github:nixos/nixpkgs/30439d93eb8b19861ccbe3e581abf97bdc91b093' (2024-09-23) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 8d98ae2..1e12835 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1727196810, - "narHash": "sha256-xQzgXRlczZoFfrUdA4nD5qojCQVqpiIk82aYINQZd+U=", + "lastModified": 1727359191, + "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=", "owner": "nix-community", "repo": "disko", - "rev": "6d42596a35d34918a905e8539a44d3fc91f42b5b", + "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700", "type": "github" }, "original": { @@ -162,11 +162,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726969270, - "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=", + "lastModified": 1727264057, + "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", "owner": "nixos", "repo": "nixpkgs", - "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075", + "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", "type": "github" }, "original": { 
@@ -210,11 +210,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1726937504, - "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=", + "lastModified": 1727122398, + "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9357f4f23713673f310988025d9dc261c20e70c6", + "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093", "type": "github" }, "original": { From d0305915142d403376cbf323996b9b728de6a153 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Thu, 26 Sep 2024 23:31:41 +0200 Subject: [PATCH 02/23] Add key file --- machines/raven/disko.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/machines/raven/disko.nix b/machines/raven/disko.nix index 84ad2ea..5938b07 100644 --- a/machines/raven/disko.nix +++ b/machines/raven/disko.nix @@ -1,4 +1,6 @@ { + boot.initrd.systemd.enable = true; + disko.devices = { disk = { nvme = { @@ -24,6 +26,9 @@ name = "raven-crypt"; settings = { allowDiscards = true; + keyFileSize = 4096; + keyFile = "/dev/disk/by-id/usb-jalr_RAM_Mass_Storage_DE6270431F6F342C-0:0"; + keyFileTimeout = 10; }; extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ]; content = { From 69d712e11fcd112f22e14d17cd8431f1080771c0 Mon Sep 17 00:00:00 2001 
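Review bot: In the second hunk `keyFile` names a whole USB block device, and with `keyFileSize = 4096` and no `keyFileOffset` the key material is that device's first 4096 bytes from offset 0, which on a stick that also carries a partition table overlaps the MBR/GPT area; if that is intended, say so with a comment such as `# key = first 4096 bytes of the raw USB stick (no keyFileOffset); re-partitioning the stick changes the key`, otherwise set `keyFileOffset` so the key lives past that region. `keyFileTimeout = 10` means that when the stick is absent the initrd falls back to the passphrase prompt after 10 s, so the passphrase keyslot remains the recovery path and the stick is a convenience factor only, which is worth noting next to it. `boot.initrd.systemd.enable = true` in the first hunk is a boot option rather than disk layout; if it is here because the key-file-from-USB flow needs the systemd initrd (inferred, not shown by the hunk), a one-line comment would keep that coupling visible.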
From: Jakob Lechner Date: Thu, 7 Nov 2024 21:59:25 +0100 Subject: [PATCH 03/23] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/67dc29be3036cc888f0b9d4f0a788ee0f6768700' (2024-09-26) → 'github:nix-community/disko/856a2902156ba304efebd4c1096dbf7465569454' (2024-11-04) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/4e743a6920eab45e8ba0fbe49dc459f1423a4b74' (2024-09-19) → 'github:cachix/pre-commit-hooks.nix/d70155fdc00df4628446352fc58adc640cd705c2' (2024-11-05) • Updated input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/194846768975b7ad2c4988bdb82572c00222c0d7' (2024-07-07) → 'github:NixOS/nixpkgs/d063c1dd113c91ab27959ba540c0d9753409edf3' (2024-11-04) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/d0cb432a9d28218df11cbd77d984a2a46caeb5ac' (2024-09-22) → 'github:nixos/nixos-hardware/e1cc1f6483393634aee94514186d21a4871e78d7' (2024-11-06) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/759537f06e6999e141588ff1c9be7f3a5c060106' (2024-09-25) → 'github:nixos/nixpkgs/dba414932936fde69f0606b4f1d87c5bc0003ede' (2024-11-06) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/30439d93eb8b19861ccbe3e581abf97bdc91b093' (2024-09-23) → 'github:nixos/nixpkgs/4aa36568d413aca0ea84a1684d2d46f55dbabad7' (2024-11-05) • Updated input 'sops-nix': 'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8' (2024-09-16) → 'github:Mic92/sops-nix/fe63071416471abdab06caa234122932a7c4b980' (2024-11-07) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/dc454045f5b5d814e5862a6d057e7bb5c29edc05' (2024-09-08) → 'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c' (2024-11-03) --- flake.lock | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/flake.lock b/flake.lock index 1e12835..3986578 100644 
--- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1727359191, - "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=", + "lastModified": 1730751873, + "narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=", "owner": "nix-community", "repo": "disko", - "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700", + "rev": "856a2902156ba304efebd4c1096dbf7465569454", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1726745158, - "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=", + "lastModified": 1730814269, + "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74", + "rev": "d70155fdc00df4628446352fc58adc640cd705c2", "type": "github" }, "original": { @@ -146,11 +146,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1727040444, - "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=", + "lastModified": 1730919458, + "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac", + "rev": "e1cc1f6483393634aee94514186d21a4871e78d7", "type": "github" }, "original": { @@ -162,11 +162,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1727264057, - "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", + "lastModified": 1730883749, + "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", + "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", "type": "github" }, "original": { 
@@ -178,11 +178,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1720386169, - "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", "type": "github" }, "original": { @@ -194,11 +194,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1725762081, - "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", + "lastModified": 1730602179, + "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", + "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", "type": "github" }, "original": { @@ -210,11 +210,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1727122398, - "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=", + "lastModified": 1730785428, + "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093", + "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7", "type": "github" }, "original": { @@ -300,11 +300,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1726524647, - "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", + "lastModified": 1731008979, + "narHash": "sha256-yN1NxvmqV8UltLkqYBWTeZNgpD/eyh/7LM58caHiEfE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", + "rev": "fe63071416471abdab06caa234122932a7c4b980", "type": "github" }, "original": { From 76064eb9312d2675a5678b4e5fcabc69dba10cae Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Mon, 11 Nov 2024 12:30:19 +0100 Subject: [PATCH 04/23] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/856a2902156ba304efebd4c1096dbf7465569454' (2024-11-04) → 'github:nix-community/disko/486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc' (2024-11-10) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/dba414932936fde69f0606b4f1d87c5bc0003ede' (2024-11-06) → 'github:nixos/nixpkgs/83fb6c028368e465cd19bb127b86f971a5e41ebc' (2024-11-07) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/4aa36568d413aca0ea84a1684d2d46f55dbabad7' (2024-11-05) → 'github:nixos/nixpkgs/76612b17c0ce71689921ca12d9ffdc9c23ce40b2' (2024-11-09) • Updated input 'sops-nix': 'github:Mic92/sops-nix/fe63071416471abdab06caa234122932a7c4b980' (2024-11-07) → 'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 3986578..cd94874 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1730751873, - "narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=", + "lastModified": 1731274291, + "narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=", "owner": "nix-community", "repo": "disko", - "rev": "856a2902156ba304efebd4c1096dbf7465569454", + "rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc", "type": "github" }, "original": { 
@@ -162,11 +162,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730883749, - "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", + "lastModified": 1730963269, + "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", + "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc", "type": "github" }, "original": { @@ -210,11 +210,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1730785428, - "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=", + "lastModified": 1731139594, + "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7", + "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2", "type": "github" }, "original": { @@ -300,11 +300,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1731008979, - "narHash": "sha256-yN1NxvmqV8UltLkqYBWTeZNgpD/eyh/7LM58caHiEfE=", + "lastModified": 1731213149, + "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", "owner": "Mic92", "repo": "sops-nix", - "rev": "fe63071416471abdab06caa234122932a7c4b980", + "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", "type": "github" }, "original": { From 5a3ab03870dfd567e69ab347e7573224a8b188f9 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Mon, 11 Nov 2024 12:29:42 +0100 Subject: [PATCH 05/23] Add nextcloud --- machines/raven/secrets.yaml | 7 ++-- machines/raven/services/default.nix | 1 + machines/raven/services/nextcloud.nix | 59 +++++++++++++++++++++++++++ 3 files changed, 64 insertions(+), 3 deletions(-) create mode 100644 machines/raven/services/nextcloud.nix diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml index 872e6ea..102766e 100644 --- a/machines/raven/secrets.yaml +++ b/machines/raven/secrets.yaml 
@@ -4,6 +4,7 @@ asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKN asterisk-voicemail: ENC[AES256_GCM,data:4/Kbt/XMUGIIVpF9/KIMIi/Gx344dIleieVWch5J5z1gz2o5cLIF73qCj+vApDzSHcz2gTzMEKwEV6H8ZsxJse27dNBIdVq1n18oSWWAMT1iOomxxzqESLhF+HTtBIEpBVi5y5zwMRXGh/72SxKY9TXv/KHxTMp8aBhNvoCn2ze1VOcBjyNxGda4gGgFAa4LNTzxQ1B6XpfgkjsH2uY0zaAd8rrsXPrPY6TNS7JxrBLKfKshTiJCElJJJA1pCcRe4/yMqCm14J5+n3FvEOnHC+BQHX+ohJYaBcrZblWF5rH/l25BnUgP4UC9ydk3LmQiLpH20+sTWZwi/FojeID0BahdrzOk0tNCTKwNtfFp2QzYvlQPdFRCINb5k1Pz9DNLx7bSv1mvkeGNbd1YdHvEnPwYrQmAae96kg+Vl8PVRqY7ZsMsktcOfqlw8k/W4DK0G6LBA5U9G7JryS5OeS3kMMo4vQzcjU8/eZMl/XwHB0806k63wI7j3wL9Z5+DGmdLX3z3RgtJunELTcayAwerRptuwidm69hbOhmWEwkCcrR42QNVuDD8Qxp/CnwnmwUawUFBOFIBjbQApT9miOmo3e7nY5fjbf4JUbJ9/0JbT7YtZOEU9ymACobX6fweOsYUoWTXprJDwZkln8omaAbP85g4XgGGoltdTk71OviSSfN3DCKfPwPop8GZ9UEBQN9rNUyllVRoTeaweqN2VJnD/ApWj8A22i66R1CPm6ebXLOjClahs/hCKTeYHXPiDjWb5xd9c0fQBlnHaWbVYLtGzBpf0p9oU7DE2KskzZE2TDat8qCdMeqBcpEwUVGqcqq4YWDPy593XZzpG91NYDAb6GbkYHiZw+OQStEFA4SbN4YdwPB0fZN0iW+IOQPfWgUiRj2wAUYRXRpxPQ2ZDh7Ie0oZbJvhx6ulEM8nKI4q4e3pkzF7KjT2z9KzinkhvjqlpU0vfCm4BFMUcKXVskQsiDA9gz4w0m7Ei4HbyDHoUGVCUDtv0W6IfjrEUsBasxcYkown20rip/CwKTPmKy26bz6iHgUAB6f71Ms8sdKr7gHdnzOK3OBm5I+gell6SsdDDfGgQdUHJwSu8XwwJdc7Faai7+wN1stfSglm4PwuoFIH9ucgVyXrAwLJIQ==,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str] prometheus-htpasswd: ENC[AES256_GCM,data:kUU0TqnVxQ8jLfjUpBje3eGxJw+ItD/YSNhiny1XPM0PDksnOO8Ecbyqm9W5p3WZIFc+h/FH1AsyNdhXdAhbgMNNxjebq2PNbJr/DeMWTxuf1D9q5iYpDrFGuK6r65DeCPvwN1tlTKkzJnLCqy3LLWbziANplMpmoUL7Ay3S2r5UQNgl4QIL,iv:o23da3kSbMAiF6H3zgja95As89aDK/+jWofvw9ZIjj8=,tag:VPB9YD33Xuk8IKxoBVEXdQ==,type:str] unpoller-password: ENC[AES256_GCM,data:nvbKOzS657tfumP93kNAD2Edw3+BN3xQ,iv:FZ169TIyHrhazji+b2V4o0XvyzqwNelnR4TkKXuNqWg=,tag:62Y1LTlI+2KdSjq8dHiuSQ==,type:str] +nextcloud-adminpass: 
ENC[AES256_GCM,data:8yX92evqkh5XDuKaPdaOxXX474mE2m5b,iv:2gKYS2s2oW0s4hhug6Y8n+8M9YMxIzcTLAp5gbktfkQ=,tag:eoT892rpSKvReve4Au+uSA==,type:str] sops: kms: [] gcp_kms: [] @@ -19,8 +20,8 @@ sops: T2VuTEpzYmhESnJZTW5IS3orRk44ODAK/KBOctiKRH5y/zuI4sIKNK9nze6aDOmc Eg7zjCXX3hvmowFt45rMKODJ56Dy6uJEgu6OWMWV2M87CphyHKA5fg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-04T10:58:16Z" - mac: ENC[AES256_GCM,data:yRoKVClRcbqFYM06F+83kU9s0KcoiYEx0fpr4DL39YoDDx3ZdX2aYqOEtPCGHKEccFanDsZSI4Q9jG2NEa9IykI9DDjQtci1pcNkt9VaWgPTTo2KzP086ncQHaKHyy109CjugeC2oQYIOBfSiO5b+/SP5fml2N3rhIGzROz2NRA=,iv:JR2MVuIxVhCDsx8kelTu86x4Snf6yqJ7s9vb/3bj24o=,tag:V9BadPHshitupxnAzYF3Nw==,type:str] + lastmodified: "2024-12-03T21:52:11Z" + mac: ENC[AES256_GCM,data:z4hl4FIVp9ZfsmEEv8ZkK6K5ndI0jMuumrLUtdhNsb9YFvwS+YIrqcdqytV1e2DSb5mlogN5L50ioCAhDljA15pKTUpu3LJRSfTS1b5U/dYZyZu6+PywlPOmSVYjCMP3E4nGuUR4n/gE2Z76Pt0FBI14PAph/iTeF90f64rYDv4=,iv:3IWUOUaH4Yh/g1D57b/u/C2vBR2dPH7Ma24CI0hAmas=,tag:2KIeAbZfOuORO3GmV3drpA==,type:str] pgp: - created_at: "2024-09-24T19:30:34Z" enc: |- @@ -54,4 +55,4 @@ sops: -----END PGP MESSAGE----- fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix index d0b18c3..3485c4a 100644 --- a/machines/raven/services/default.nix +++ b/machines/raven/services/default.nix @@ -8,6 +8,7 @@ ./grafana.nix ./labsync ./mailhog.nix + ./nextcloud.nix ./prometheus.nix ./unifi-controller.nix ./wekan.nix diff --git a/machines/raven/services/nextcloud.nix b/machines/raven/services/nextcloud.nix new file mode 100644 index 0000000..5661520 --- /dev/null +++ b/machines/raven/services/nextcloud.nix 
@@ -0,0 +1,59 @@ +{ config, pkgs, ... }: + +let + domain = "nextcloud.fablab-nea.de"; +in +{ + sops.secrets.nextcloud-adminpass = { + sopsFile = ../secrets.yaml; + owner = "nextcloud"; + group = "nextcloud"; + }; + services.nextcloud = { + enable = true; + hostName = domain; + #secretFile = + #config.dbpassFile + https = true; + config = { + adminpassFile = config.sops.secrets.nextcloud-adminpass.path; + dbtype = "pgsql"; + }; + settings = { + overwriteprotocol = "https"; + + oidc_login_client_id = "nextcloud"; + oidc_login_provider_url = "https://keycloak.fablab-nea.de"; + oidc_login_attributes = { + id = "preferred_username"; + }; + oidc_login_scope = "openid profile"; + oidc_login_button_text = "Log in with OpenID"; + oidc_login_code_challenge_method = "S256"; + }; + database.createLocally = true; + extraApps = + with config.services.nextcloud.package.packages.apps; + { + inherit + bookmarks + calendar + contacts + deck + tasks + ; + } + // { + oidc_login = pkgs.fetchNextcloudApp { + license = "agpl3Plus"; + url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.2.0/oidc_login.tar.gz"; + sha256 = "sha256-0wAbTjVEZCXcob982eMaXkCgdR5fN60O2Q8vCpzIo+w="; + }; + }; + extraAppsEnable = true; + }; + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + }; +} From 2d73c41c0ccd79bef57e39bd558384224e36b6b2 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Thu, 21 Nov 2024 23:55:15 +0100 Subject: [PATCH 06/23] Remove nixpkgs-unstable --- flake.lock | 19 +------------------ flake.nix | 4 +--- modules/nix.nix | 9 --------- 3 files changed, 2 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index cd94874..199d796 100644 --- a/flake.lock +++ b/flake.lock @@ -125,7 +125,7 @@ "flake-compat": "flake-compat", "gitignore": "gitignore", "nixpkgs": [ - "nixpkgs-unstable" + "nixpkgs" ], "nixpkgs-stable": "nixpkgs-stable" }, 
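Review bot: The two commented-out lines `#secretFile =` / `#config.dbpassFile` inside `services.nextcloud` are dead code that reads like an unfinished decision; either finish it or drop it, and if the Keycloak client `nextcloud` is a confidential client its `oidc_login_client_secret` belongs in `secretFile` (a sops-managed file, like `adminpassFile` above) and never in `settings`, since `settings` is rendered into a Nix store path. Nothing in the hunk configures a client secret, so presumably the client is public and relies on PKCE (`oidc_login_code_challenge_method = "S256"`); a comment such as `# public OIDC client: PKCE (S256) instead of a client secret -- a secret must go through secretFile, not settings` would stop the next reader from adding one to `settings`. Pinning `oidc_login` by release URL plus `sha256` is the right approach; the `domain` binding is reused for the nginx vhost at the bottom, so the file is self-contained.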
@@ -208,22 +208,6 @@ "type": "github" } }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1731139594, - "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "poetry2nix": { "inputs": { "flake-utils": [ @@ -260,7 +244,6 @@ "nix-pre-commit-hooks": "nix-pre-commit-hooks", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", "sbruder-overlay": "sbruder-overlay", "sops-nix": "sops-nix" } diff --git a/flake.nix b/flake.nix index a3f323d..ec3059c 100644 --- a/flake.nix +++ b/flake.nix @@ -7,12 +7,10 @@ nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; - nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable"; + nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - nixos-hardware.url = "github:nixos/nixos-hardware/master"; krops.url = "github:Mic92/krops"; diff --git a/modules/nix.nix b/modules/nix.nix index fc6d9da..4ba3242 100644 --- a/modules/nix.nix +++ b/modules/nix.nix @@ -27,7 +27,6 @@ in registry = with inputs; { nixpkgs.flake = nixpkgs; - nixpkgs-unstable.flake = nixpkgs-unstable; }; nixPath = [ "nixpkgs=${inputs.nixpkgs}" @@ -51,13 +50,5 @@ in nixpkgs.overlays = with inputs; [ self.overlays.default sbruder-overlay.overlays.default - (final: prev: { - unstable = import nixpkgs-unstable { - inherit (config.nixpkgs) - config - overlays - system; - }; - }) ]; } From 89473de85e15699d9100453efaea409034e1d084 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Fri, 22 Nov 2024 00:04:13 +0100 Subject: [PATCH 07/23] Remove flake-utils follow for nix-pre-commit-hooks --- flake.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/flake.nix b/flake.nix index ec3059c..979e9fc 100644 --- a/flake.nix +++ b/flake.nix @@ -6,7 +6,6 @@ flake-utils.url = "github:numtide/flake-utils"; nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; - nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; From 10adf3cc4891f17c47c9df63081c0b5251bbf4b5 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Thu, 21 Nov 2024 23:57:40 +0100 Subject: [PATCH 08/23] Update to 24.11 --- flake.lock | 8 ++++---- flake.nix | 2 +- machines/raven/services/nextcloud.nix | 2 +- machines/raven/services/unifi-controller.nix | 4 +--- modules/pipewire.nix | 1 - shell.nix | 2 +- 6 files changed, 8 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index 199d796..a75a2be 100644 --- a/flake.lock +++ b/flake.lock @@ -162,16 +162,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730963269, - "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=", + "lastModified": 1731755305, + "narHash": "sha256-v5P3dk5JdiT+4x69ZaB18B8+Rcu3TIOrcdG4uEX7WZ8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc", + "rev": "057f63b6dc1a2c67301286152eb5af20747a9cb4", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.05", + "ref": "nixos-24.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 979e9fc..b0f3750 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,7 +8,7 @@ nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; nixos-hardware.url = "github:nixos/nixos-hardware/master"; diff --git a/machines/raven/services/nextcloud.nix b/machines/raven/services/nextcloud.nix index 5661520..8d746bd 100644 --- a/machines/raven/services/nextcloud.nix +++ b/machines/raven/services/nextcloud.nix @@ -47,7 +47,7 @@ in oidc_login = pkgs.fetchNextcloudApp { license = "agpl3Plus"; url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.2.0/oidc_login.tar.gz"; - sha256 = "sha256-0wAbTjVEZCXcob982eMaXkCgdR5fN60O2Q8vCpzIo+w="; + sha256 = "sha256-DrbaKENMz2QJfbDKCMrNGEZYpUEvtcsiqw9WnveaPZA="; }; }; extraAppsEnable = true; diff --git a/machines/raven/services/unifi-controller.nix b/machines/raven/services/unifi-controller.nix index 6befce2..8fdb5a9 100644 --- a/machines/raven/services/unifi-controller.nix +++ b/machines/raven/services/unifi-controller.nix @@ -1,13 +1,11 @@ { config, pkgs, ... }: -let - promCfg = config.services.prometheus; -in { services.unifi = { enable = true; openFirewall = true; unifiPackage = pkgs.unifi8; + mongodbPackage = pkgs.mongodb-6_0; }; networking.firewall.allowedTCPPorts = [ 8443 ]; diff --git a/modules/pipewire.nix b/modules/pipewire.nix index 9531e64..93405ed 100644 --- a/modules/pipewire.nix +++ b/modules/pipewire.nix @@ -1,7 +1,6 @@ { pkgs, ... }: { - sound.enable = true; hardware.pulseaudio.enable = false; services.pipewire = { diff --git a/shell.nix b/shell.nix index e7b19d8..197dbd6 100644 --- a/shell.nix +++ b/shell.nix 
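Review bot: In the `machines/raven/services/nextcloud.nix` hunk the `sha256` for `oidc_login` changes while the download URL (the v3.2.0 release tarball) stays the same, and the commit message ("Update to 24.11") does not say why. A changed fixed-output hash for an unchanged artifact is also what a re-uploaded or tampered release asset looks like, so the reason should be recorded; the likely benign explanation, that `fetchNextcloudApp` in 24.11 unpacks the same tarball differently and so yields a different output hash, is an inference from the subject line, not something the hunk shows. Once confirmed, a comment on the `sha256` line such as `# hash changed with the 24.11 fetchNextcloudApp (same upstream tarball); re-verify against the release asset if it changes again` would make the next such change reviewable. The enclosing `extraApps` block starts outside the hunk.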
@@ -5,7 +5,7 @@ pkgs.mkShell { nativeBuildInputs = with pkgs; [ (pkgs.writeShellScriptBin "nix" '' - exec -a nix ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@" + exec -a nix ${pkgs.nixVersions.stable}/bin/nix --experimental-features "nix-command flakes" "$@" '') ]; } From 986eeb018e07269600e86c5e8970c12f60a7dc41 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Mon, 25 Nov 2024 19:43:43 +0100 Subject: [PATCH 09/23] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc?narHash=sha256-cZ0QMpv5p2a6WEE%2Bo9uu0a4ma6RzQDOQTbm7PbixWz8%3D' (2024-11-10) → 'github:nix-community/disko/2ed5e30fc7e34adf455db8b02b9151d3922a54ea?narHash=sha256-5EYzmoTpem2IB9JWzd41sL98pz3lyyCSTiCjv08i4Uk%3D' (2024-11-25) • Updated input 'flake-utils': 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a?narHash=sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ%3D' (2024-09-17) → 'github:numtide/flake-utils/11707dc2f618dd54ca8739b309ec4fc024de578b?narHash=sha256-l0KFg5HjrsfsO/JpG%2Br7fRrqm12kzFHyUHqHCVpMMbI%3D' (2024-11-13) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/d70155fdc00df4628446352fc58adc640cd705c2?narHash=sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF%2B06nOg%3D' (2024-11-05) → 'github:cachix/pre-commit-hooks.nix/3308484d1a443fc5bc92012435d79e80458fe43c?narHash=sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE%3D' (2024-11-19) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/e1cc1f6483393634aee94514186d21a4871e78d7?narHash=sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg%3D' (2024-11-06) → 'github:nixos/nixos-hardware/45348ad6fb8ac0e8415f6e5e96efe47dd7f39405?narHash=sha256-kF6rDeCshoCgmQz%2B7uiuPdREVFuzhIorGOoPXMalL2U%3D' (2024-11-24) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/057f63b6dc1a2c67301286152eb5af20747a9cb4?narHash=sha256-v5P3dk5JdiT%2B4x69ZaB18B8%2BRcu3TIOrcdG4uEX7WZ8%3D' (2024-11-16) → 'github:nixos/nixpkgs/0c582677378f2d9ffcb01490af2f2c678dcb29d3?narHash=sha256-GcOQbOgmwlsRhpLGSwZJwLbo3pu9ochMETuRSS1xpz4%3D' (2024-11-23) • Updated input 'sops-nix': 
'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7?narHash=sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus%3D' (2024-11-10) → 'github:Mic92/sops-nix/53c853fb1a7e4f25f68805ee25c83d5de18dc699?narHash=sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0%3D' (2024-11-21) • Removed input 'sops-nix/nixpkgs-stable' --- flake.lock | 55 +++++++++++++++++++----------------------------------- 1 file changed, 19 insertions(+), 36 deletions(-) diff --git a/flake.lock b/flake.lock index a75a2be..1529c5f 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1731274291, - "narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=", + "lastModified": 1732540163, + "narHash": "sha256-5EYzmoTpem2IB9JWzd41sL98pz3lyyCSTiCjv08i4Uk=", "owner": "nix-community", "repo": "disko", - "rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc", + "rev": "2ed5e30fc7e34adf455db8b02b9151d3922a54ea", "type": "github" }, "original": { @@ -41,11 +41,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1730814269, - "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "d70155fdc00df4628446352fc58adc640cd705c2", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { 
@@ -146,11 +146,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1730919458, - "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=", + "lastModified": 1732483221, + "narHash": "sha256-kF6rDeCshoCgmQz+7uiuPdREVFuzhIorGOoPXMalL2U=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "e1cc1f6483393634aee94514186d21a4871e78d7", + "rev": "45348ad6fb8ac0e8415f6e5e96efe47dd7f39405", "type": "github" }, "original": { @@ -162,11 +162,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731755305, - "narHash": "sha256-v5P3dk5JdiT+4x69ZaB18B8+Rcu3TIOrcdG4uEX7WZ8=", + "lastModified": 1732350895, + "narHash": "sha256-GcOQbOgmwlsRhpLGSwZJwLbo3pu9ochMETuRSS1xpz4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "057f63b6dc1a2c67301286152eb5af20747a9cb4", + "rev": "0c582677378f2d9ffcb01490af2f2c678dcb29d3", "type": "github" }, "original": { @@ -192,22 +192,6 @@ "type": "github" } }, - "nixpkgs-stable_2": { - "locked": { - "lastModified": 1730602179, - "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "poetry2nix": { "inputs": { "flake-utils": [ @@ -279,15 +263,14 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_2" + ] }, "locked": { - "lastModified": 1731213149, - "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", + "lastModified": 1732186149, + "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", + "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", "type": "github" }, "original": { From 2309f18b98f512d15f409e27c567e72855942c82 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Tue, 3 Dec 2024 22:19:31 +0100 Subject: [PATCH 10/23] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/2ed5e30fc7e34adf455db8b02b9151d3922a54ea?narHash=sha256-5EYzmoTpem2IB9JWzd41sL98pz3lyyCSTiCjv08i4Uk%3D' (2024-11-25) → 'github:nix-community/disko/785c1e02c7e465375df971949b8dcbde9ec362e5?narHash=sha256-8dupm9GfK%2BBowGdQd7EHK5V61nneLfr9xR6sc5vtDi0%3D' (2024-12-02) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/45348ad6fb8ac0e8415f6e5e96efe47dd7f39405?narHash=sha256-kF6rDeCshoCgmQz%2B7uiuPdREVFuzhIorGOoPXMalL2U%3D' (2024-11-24) → 'github:nixos/nixos-hardware/cceee0a31d2f01bcc98b2fbd591327c06a4ea4f9?narHash=sha256-fc6jTzIwCIVWTX50FtW6AZpuukuQWSEbPiyg6ZRGWFY%3D' (2024-12-03) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/0c582677378f2d9ffcb01490af2f2c678dcb29d3?narHash=sha256-GcOQbOgmwlsRhpLGSwZJwLbo3pu9ochMETuRSS1xpz4%3D' (2024-11-23) → 'github:nixos/nixpkgs/f9f0d5c5380be0a599b1fb54641fa99af8281539?narHash=sha256-En%2BgSoVJ3iQKPDU1FHrR6zIxSLXKjzKY%2Bpnh9tt%2BYts%3D' (2024-12-02) • Updated input 'sops-nix': 'github:Mic92/sops-nix/53c853fb1a7e4f25f68805ee25c83d5de18dc699?narHash=sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0%3D' (2024-11-21) → 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856?narHash=sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc%3D' (2024-12-02) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 1529c5f..c43af83 100644 --- a/flake.lock +++ b/flake.lock 
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1732540163, - "narHash": "sha256-5EYzmoTpem2IB9JWzd41sL98pz3lyyCSTiCjv08i4Uk=", + "lastModified": 1733168902, + "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=", "owner": "nix-community", "repo": "disko", - "rev": "2ed5e30fc7e34adf455db8b02b9151d3922a54ea", + "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5", "type": "github" }, "original": { @@ -146,11 +146,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1732483221, - "narHash": "sha256-kF6rDeCshoCgmQz+7uiuPdREVFuzhIorGOoPXMalL2U=", + "lastModified": 1733217105, + "narHash": "sha256-fc6jTzIwCIVWTX50FtW6AZpuukuQWSEbPiyg6ZRGWFY=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "45348ad6fb8ac0e8415f6e5e96efe47dd7f39405", + "rev": "cceee0a31d2f01bcc98b2fbd591327c06a4ea4f9", "type": "github" }, "original": { @@ -162,11 +162,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1732350895, - "narHash": "sha256-GcOQbOgmwlsRhpLGSwZJwLbo3pu9ochMETuRSS1xpz4=", + "lastModified": 1733120037, + "narHash": "sha256-En+gSoVJ3iQKPDU1FHrR6zIxSLXKjzKY+pnh9tt+Yts=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0c582677378f2d9ffcb01490af2f2c678dcb29d3", + "rev": "f9f0d5c5380be0a599b1fb54641fa99af8281539", "type": "github" }, "original": { @@ -266,11 +266,11 @@ ] }, "locked": { - "lastModified": 1732186149, - "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": { From fdc7ac96734d6113c087c61403283c7b0051a0e8 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Tue, 3 Dec 2024 22:29:14 +0100 Subject: [PATCH 11/23] Bump mongodb version --- machines/raven/services/unifi-controller.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/machines/raven/services/unifi-controller.nix b/machines/raven/services/unifi-controller.nix
index 8fdb5a9..72b874b 100644
--- a/machines/raven/services/unifi-controller.nix
+++ b/machines/raven/services/unifi-controller.nix
@@ -5,7 +5,7 @@
 enable = true;
 openFirewall = true;
 unifiPackage = pkgs.unifi8;
- mongodbPackage = pkgs.mongodb-6_0;
+ mongodbPackage = pkgs.mongodb-7_0;
 };
 
 networking.firewall.allowedTCPPorts = [ 8443 ];
From abf8f95a34da90dbb3296bb0845226ff84837484 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Tue, 3 Dec 2024 22:45:57 +0100 Subject: [PATCH 12/23] Add authelia
---
 machines/raven/secrets.yaml | 9 ++--
 machines/raven/services/authelia.nix | 71 ++++++++++++++++++++++++++++
 machines/raven/services/default.nix | 1 +
 3 files changed, 78 insertions(+), 3 deletions(-)
 create mode 100644 machines/raven/services/authelia.nix
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
index 102766e..f20282e 100644
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
@@ -5,6 +5,9 @@ asterisk-voicemail: ENC[AES256_GCM,data:4/Kbt/XMUGIIVpF9/KIMIi/Gx344dIleieVWch5J prometheus-htpasswd: ENC[AES256_GCM,data:kUU0TqnVxQ8jLfjUpBje3eGxJw+ItD/YSNhiny1XPM0PDksnOO8Ecbyqm9W5p3WZIFc+h/FH1AsyNdhXdAhbgMNNxjebq2PNbJr/DeMWTxuf1D9q5iYpDrFGuK6r65DeCPvwN1tlTKkzJnLCqy3LLWbziANplMpmoUL7Ay3S2r5UQNgl4QIL,iv:o23da3kSbMAiF6H3zgja95As89aDK/+jWofvw9ZIjj8=,tag:VPB9YD33Xuk8IKxoBVEXdQ==,type:str] unpoller-password: ENC[AES256_GCM,data:nvbKOzS657tfumP93kNAD2Edw3+BN3xQ,iv:FZ169TIyHrhazji+b2V4o0XvyzqwNelnR4TkKXuNqWg=,tag:62Y1LTlI+2KdSjq8dHiuSQ==,type:str] nextcloud-adminpass: ENC[AES256_GCM,data:8yX92evqkh5XDuKaPdaOxXX474mE2m5b,iv:2gKYS2s2oW0s4hhug6Y8n+8M9YMxIzcTLAp5gbktfkQ=,tag:eoT892rpSKvReve4Au+uSA==,type:str] +authelia: + jwtSecret: ENC[AES256_GCM,data:SvFGmrW+eYQr3J9xRpo1IT2H54eX58+Li+aT461bwjS0B6cswlLF/l8O2lRduLghXy80bQDYFOzfO8t0ENowhA==,iv:0jODFRL/ic07B8hLY/6LhY/ll+2uYyKbJJZAV2aZ6sw=,tag:oyTdsbRdzheq1VJRg9/PYw==,type:str] + storageEncryptionKey: ENC[AES256_GCM,data:4v2mpLvi3hRfQJCgek7RZmF/y0zb9WjQewckpp8IAOqq+YggFA2QLoDJW1fIINLNe0ACuPBdVCKQlgqt3ecqXQ==,iv:1qOSty0pNXCW5R4vSH4HTSAvQu/YelKVXUQqWfPcFhM=,tag:WZ7oDQSVn44jVyppeMQYUg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -20,8 +23,8 @@ sops: T2VuTEpzYmhESnJZTW5IS3orRk44ODAK/KBOctiKRH5y/zuI4sIKNK9nze6aDOmc Eg7zjCXX3hvmowFt45rMKODJ56Dy6uJEgu6OWMWV2M87CphyHKA5fg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-03T21:52:11Z" - mac: ENC[AES256_GCM,data:z4hl4FIVp9ZfsmEEv8ZkK6K5ndI0jMuumrLUtdhNsb9YFvwS+YIrqcdqytV1e2DSb5mlogN5L50ioCAhDljA15pKTUpu3LJRSfTS1b5U/dYZyZu6+PywlPOmSVYjCMP3E4nGuUR4n/gE2Z76Pt0FBI14PAph/iTeF90f64rYDv4=,iv:3IWUOUaH4Yh/g1D57b/u/C2vBR2dPH7Ma24CI0hAmas=,tag:2KIeAbZfOuORO3GmV3drpA==,type:str] + lastmodified: "2024-12-03T21:53:44Z" + mac: ENC[AES256_GCM,data:HFbHfL1i24LyNx+5QYgcMmBUwfQeZscdPFQHlgtJcM9Tsx/Y0wyn2B/veYR30GepQ0CBhC0IKsBDfL4K6AooqkhhBKHTVBINTn4ec9yholIJoepn4OmM4A6CE3xEkyE/PQwTEtABbJkMeUbLuZ1FcLYSo0vXfe4Jvs79o/svivk=,iv:lYZyVlvBuZrP7wzWWh+hJ1nlUXsLKQHpFhOZuXdQtqA=,tag:uxRhOkrjRFVhJYPsahxEFw==,type:str] pgp: - created_at: "2024-09-24T19:30:34Z" enc: |- @@ -55,4 +58,4 @@ sops: -----END PGP MESSAGE----- fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.1 diff --git a/machines/raven/services/authelia.nix b/machines/raven/services/authelia.nix new file mode 100644 index 0000000..f46fb31 --- /dev/null +++ b/machines/raven/services/authelia.nix 
@@ -0,0 +1,71 @@ +{ config, ... }: + +let + domain = "authelia.fablab-nea.de"; + cfg = config.services.authelia.instances.default; + port = 9001; +in +{ + sops.secrets."authelia/jwtSecret" = { + sopsFile = ../secrets.yaml; + owner = cfg.user; + }; + sops.secrets."authelia/storageEncryptionKey" = { + sopsFile = ../secrets.yaml; + owner = cfg.user; + }; + services.authelia.instances.default = { + enable = true; + settings = { + server.address = "tcp://127.0.0.1:${toString port}/"; + access_control = { + default_policy = "one_factor"; + }; + notifier.filesystem = { + filename = "/var/lib/authelia-${cfg.name}/notif.txt"; + }; + storage.postgres = { + address = "unix:///run/postgresql"; + database = "authelia-${cfg.name}"; + username = "authelia-${cfg.name}"; + password = "authelia-${cfg.name}"; + }; + authentication_backend = { + file.path = "/var/lib/authelia-${cfg.name}/user.yml"; + }; + session = { + cookies = [ + { + domain = domain; + authelia_url = "https://${domain}"; + name = "authelia_session"; + } + ]; + }; + }; + secrets = { + jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path; + storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path; + }; + }; + + services.postgresql = { + ensureUsers = [{ + name = "authelia-${cfg.name}"; + ensureDBOwnership = true; + }]; + ensureDatabases = [ "authelia-${cfg.name}" ]; + }; + + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ''; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; + recommendedProxySettings = true; + }; + }; +} diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix index 3485c4a..20effd4 100644 --- a/machines/raven/services/default.nix +++ b/machines/raven/services/default.nix 
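Review bot: `password = "authelia-${cfg.name}";` under `storage.postgres` writes a literal database password into the generated Authelia configuration, which ends up in the world-readable Nix store, and the PATCH 17 refactor hunk of this file carries the same line over unchanged. Since `address = "unix:///run/postgresql"` is a local socket, the value is presumably never checked (peer authentication); if so, say that on the line, e.g. `password = "authelia-${cfg.name}"; # unused: local socket, peer auth — TODO confirm against pg_hba`. If the password is actually checked, read it from sops like the two secrets above: Authelia accepts `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE`, so a `config.sops.secrets` path can be passed through the instance's `environmentVariables` instead of the settings attrset. Separately, `domain = domain;` in `session.cookies` is the Authelia host itself, so the session cookie would not be sent to any other service under fablab-nea.de; fine for bootstrapping, but worth a comment if that is intended.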
@@ -1,6 +1,7 @@
 {
 imports = [
 ./asterisk.nix
+ ./authelia.nix
 ./colorchord.nix
 ./dnsmasq.nix
 ./dyndns.nix
From 71ded70c2bbf8e12f4ca426832abb3f14f75f9a8 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 4 Dec 2024 03:57:24 +0100 Subject: [PATCH 13/23] Update USB RAM disk device path
---
 machines/raven/disko.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/raven/disko.nix b/machines/raven/disko.nix
index 5938b07..6492d69 100644
--- a/machines/raven/disko.nix
+++ b/machines/raven/disko.nix
@@ -27,7 +27,7 @@
 settings = {
 allowDiscards = true;
 keyFileSize = 4096;
- keyFile = "/dev/disk/by-id/usb-jalr_RAM_Mass_Storage_DE6270431F6F342C-0:0";
+ keyFile = "/dev/disk/by-id/usb-jalr_USB_RAM_disk_prototype-01-0:0";
 keyFileTimeout = 10;
 };
 extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ];
From 0735feba260439f8ead9aa57d63f3b1f1146d945 Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Thu, 12 Dec 2024 20:16:21 +0100 Subject: [PATCH 14/23] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/785c1e02c7e465375df971949b8dcbde9ec362e5?narHash=sha256-8dupm9GfK%2BBowGdQd7EHK5V61nneLfr9xR6sc5vtDi0%3D' (2024-12-02) → 'github:nix-community/disko/0f31ad735e784315a22d9899d3ba24340ce64220?narHash=sha256-NghuiWXx6Q3gwLiudiNwDpYQ1CPEUK7J%2Bf9dWREN8KA%3D' (2024-12-12) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/3308484d1a443fc5bc92012435d79e80458fe43c?narHash=sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE%3D' (2024-11-19) → 'github:cachix/pre-commit-hooks.nix/d8c02f0ffef0ef39f6063731fc539d8c71eb463a?narHash=sha256-%2BXTFXYlFJBxohhMGLDpYdEnhUNdxN8dyTA8WAd%2Blh2A%3D' (2024-12-08) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/cceee0a31d2f01bcc98b2fbd591327c06a4ea4f9?narHash=sha256-fc6jTzIwCIVWTX50FtW6AZpuukuQWSEbPiyg6ZRGWFY%3D' (2024-12-03) → 'github:nixos/nixos-hardware/cf737e2eba82b603f54f71b10cb8fd09d22ce3f5?narHash=sha256-%2BjjPup/ByS0LEVIrBbt7FnGugJgLeG9oc%2BivFASYn2U%3D' (2024-12-10) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/f9f0d5c5380be0a599b1fb54641fa99af8281539?narHash=sha256-En%2BgSoVJ3iQKPDU1FHrR6zIxSLXKjzKY%2Bpnh9tt%2BYts%3D' (2024-12-02) → 'github:nixos/nixpkgs/a0f3e10d94359665dba45b71b4227b0aeb851f8e?narHash=sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk%3D' (2024-12-10) • Updated input 'sops-nix': 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856?narHash=sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc%3D' (2024-12-02) → 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004?narHash=sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs%3D' (2024-12-12) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/flake.lock b/flake.lock index c43af83..057d36e 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1733168902, - "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=", + "lastModified": 1734011192, + "narHash": "sha256-NghuiWXx6Q3gwLiudiNwDpYQ1CPEUK7J+f9dWREN8KA=", "owner": "nix-community", "repo": "disko", - "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5", + "rev": "0f31ad735e784315a22d9899d3ba24340ce64220", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1732021966, - "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", + "lastModified": 1733665616, + "narHash": "sha256-+XTFXYlFJBxohhMGLDpYdEnhUNdxN8dyTA8WAd+lh2A=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", + "rev": "d8c02f0ffef0ef39f6063731fc539d8c71eb463a", "type": "github" }, "original": { @@ -146,11 +146,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1733217105, - "narHash": "sha256-fc6jTzIwCIVWTX50FtW6AZpuukuQWSEbPiyg6ZRGWFY=", + "lastModified": 1733861262, + "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "cceee0a31d2f01bcc98b2fbd591327c06a4ea4f9", + "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5", "type": "github" }, "original": { @@ -162,11 +162,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1733120037, - "narHash": "sha256-En+gSoVJ3iQKPDU1FHrR6zIxSLXKjzKY+pnh9tt+Yts=", + "lastModified": 1733808091, + "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f9f0d5c5380be0a599b1fb54641fa99af8281539", + "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e", "type": "github" }, "original": { 
@@ -266,11 +266,11 @@ ] }, "locked": { - "lastModified": 1733128155, - "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", + "lastModified": 1733965552, + "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", + "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004", "type": "github" }, "original": { From 32fe8f82f5cd7b44b4d8b9d0f287fae22e768da8 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Mon, 14 Apr 2025 22:09:52 +0200 Subject: [PATCH 15/23] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/0f31ad735e784315a22d9899d3ba24340ce64220?narHash=sha256-NghuiWXx6Q3gwLiudiNwDpYQ1CPEUK7J%2Bf9dWREN8KA%3D' (2024-12-12) → 'github:nix-community/disko/76c0a6dba345490508f36c1aa3c7ba5b6b460989?narHash=sha256-I2oILRiJ6G%2BBOSjY%2B0dGrTPe080L3pbKpc%2BgCV3Nmyk%3D' (2025-04-08) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/d8c02f0ffef0ef39f6063731fc539d8c71eb463a?narHash=sha256-%2BXTFXYlFJBxohhMGLDpYdEnhUNdxN8dyTA8WAd%2Blh2A%3D' (2024-12-08) → 'github:cachix/pre-commit-hooks.nix/dcf5072734cb576d2b0c59b2ac44f5050b5eac82?narHash=sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco%3D' (2025-03-22) • Removed input 'nix-pre-commit-hooks/nixpkgs-stable' • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/cf737e2eba82b603f54f71b10cb8fd09d22ce3f5?narHash=sha256-%2BjjPup/ByS0LEVIrBbt7FnGugJgLeG9oc%2BivFASYn2U%3D' (2024-12-10) → 'github:nixos/nixos-hardware/9a049b4a421076d27fee3eec664a18b2066824cb?narHash=sha256-fbWE4Xpw6eH0Q6in%2BymNuDwTkqmFmtxcQEmtRuKDTTk%3D' (2025-04-14) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/a0f3e10d94359665dba45b71b4227b0aeb851f8e?narHash=sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk%3D' (2024-12-10) → 'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d?narHash=sha256-FHlSkNqFmPxPJvy%2B6fNLaNeWnF1lZSgqVCl/eWaJRc4%3D' (2025-04-12) • Updated input 'sbruder-overlay': 'github:sbruder/nixpkgs-overlay/3487b8ce24d40cc898f3dba0a9af5e028e1d5844?narHash=sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY%2B04Q%3D' (2024-07-02) → 'github:sbruder/nixpkgs-overlay/f107df0aba9e3d582d1c01b40392416e47fb28dd?narHash=sha256-0eKQMldOcNBwkzf09zJWf8io3Kd3PjGQSnhpOueWEdk%3D' (2025-03-27) • Updated input 'sops-nix': 
'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004?narHash=sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs%3D' (2024-12-12) → 'github:Mic92/sops-nix/7e147a1ae90f0d4a374938cdc3df3cdaecb9d388?narHash=sha256-lv52pnfiRGp5%2BxkZEgWr56DWiRgkMFXpiGba3eJ3krE%3D' (2025-04-13) --- flake.lock | 55 +++++++++++++++++++----------------------------------- 1 file changed, 19 insertions(+), 36 deletions(-) diff --git a/flake.lock b/flake.lock index 057d36e..ce9fedd 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1734011192, - "narHash": "sha256-NghuiWXx6Q3gwLiudiNwDpYQ1CPEUK7J+f9dWREN8KA=", + "lastModified": 1744145203, + "narHash": "sha256-I2oILRiJ6G+BOSjY+0dGrTPe080L3pbKpc+gCV3Nmyk=", "owner": "nix-community", "repo": "disko", - "rev": "0f31ad735e784315a22d9899d3ba24340ce64220", + "rev": "76c0a6dba345490508f36c1aa3c7ba5b6b460989", "type": "github" }, "original": { @@ -126,15 +126,14 @@ "gitignore": "gitignore", "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1733665616, - "narHash": "sha256-+XTFXYlFJBxohhMGLDpYdEnhUNdxN8dyTA8WAd+lh2A=", + "lastModified": 1742649964, + "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "d8c02f0ffef0ef39f6063731fc539d8c71eb463a", + "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", "type": "github" }, "original": { @@ -146,11 +145,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1733861262, - "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=", + "lastModified": 1744633460, + "narHash": "sha256-fbWE4Xpw6eH0Q6in+ymNuDwTkqmFmtxcQEmtRuKDTTk=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5", + "rev": "9a049b4a421076d27fee3eec664a18b2066824cb", "type": "github" }, "original": { 
@@ -162,11 +161,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1733808091, - "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=", + "lastModified": 1744440957, + "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e", + "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", "type": "github" }, "original": { @@ -176,22 +175,6 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "poetry2nix": { "inputs": { "flake-utils": [ @@ -246,11 +229,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1719952130, - "narHash": "sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY+04Q=", + "lastModified": 1743090264, + "narHash": "sha256-0eKQMldOcNBwkzf09zJWf8io3Kd3PjGQSnhpOueWEdk=", "owner": "sbruder", "repo": "nixpkgs-overlay", - "rev": "3487b8ce24d40cc898f3dba0a9af5e028e1d5844", + "rev": "f107df0aba9e3d582d1c01b40392416e47fb28dd", "type": "github" }, "original": { @@ -266,11 +249,11 @@ ] }, "locked": { - "lastModified": 1733965552, - "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=", + "lastModified": 1744518500, + "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004", + "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388", "type": "github" }, "original": { From 3fda43968cbebd4f2c32f49fe0ea5a4ee4766387 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Mon, 14 Apr 2025 22:11:33 +0200 Subject: [PATCH 16/23] Add statix --- flake.nix | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/flake.nix b/flake.nix
index b0f3750..abbec15 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,6 +49,10 @@
 black.enable = true;
 nixpkgs-fmt.enable = true;
 shellcheck.enable = true;
+ statix = {
+ enable = true;
+ settings.ignore = [ ".direnv" ];
+ };
 };
 };
 };
From c24fbdf955112e92c99e65e49de8ecfd736e563d Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Mon, 14 Apr 2025 22:23:28 +0200 Subject: [PATCH 17/23] Refactoring
---
 flake.nix | 42 ++--
 machines/default.nix | 2 +-
 machines/party/configuration.nix | 12 +-
 machines/raven/configuration.nix | 5 +-
 machines/raven/services/asterisk.nix | 4 +-
 machines/raven/services/authelia.nix | 115 ++++-----
 machines/raven/services/labsync/default.nix | 58 ++---
 machines/raven/services/prometheus.nix | 250 ++++++++++----------
 machines/raven/services/wekan.nix | 48 ++--
 modules/unfree.nix | 4 +-
 10 files changed, 283 insertions(+), 257 deletions(-)
diff --git a/flake.nix b/flake.nix
index abbec15..eb1d04b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,28 +1,40 @@ { inputs = { - disko.inputs.nixpkgs.follows = "nixpkgs"; - disko.url = "github:nix-community/disko"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; flake-utils.url = "github:numtide/flake-utils"; - nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; - nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; + nix-pre-commit-hooks = { + url = "github:cachix/pre-commit-hooks.nix/master"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; nixos-hardware.url = "github:nixos/nixos-hardware/master"; - krops.url = "github:Mic92/krops"; - krops.inputs.flake-utils.follows = "flake-utils"; - krops.inputs.nixpkgs.follows = "nixpkgs"; + krops = { + url = "github:Mic92/krops"; + inputs.flake-utils.follows = "flake-utils"; + inputs.nixpkgs.follows = "nixpkgs"; + }; - sops-nix.url = "github:Mic92/sops-nix"; - sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; - sbruder-overlay.url = "github:sbruder/nixpkgs-overlay"; - sbruder-overlay.inputs.flake-utils.follows = "flake-utils"; - sbruder-overlay.inputs.nix-pre-commit-hooks.follows = "nix-pre-commit-hooks"; - sbruder-overlay.inputs.nixpkgs.follows = "nixpkgs"; + sbruder-overlay = { + url = "github:sbruder/nixpkgs-overlay"; + inputs = { + flake-utils.follows = "flake-utils"; + nix-pre-commit-hooks.follows = "nix-pre-commit-hooks"; + nixpkgs.follows = "nixpkgs"; + }; + }; }; outputs = @@ -60,13 +72,13 @@ devShells.default = pkgs.mkShell { name = "fablab-nixos-config"; - buildInputs = (with pkgs; [ + buildInputs = with pkgs; [ black nixpkgs-fmt shellcheck sops ssh-to-pgp - ]); + ]; shellHook = '' find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import diff --git a/machines/default.nix b/machines/default.nix index 6fd7ae9..d178468 100644 --- a/machines/default.nix +++ b/machines/default.nix 
@@ -1,4 +1,4 @@ -{ ... }@inputs: +inputs: let hardware = inputs.nixos-hardware.nixosModules; in diff --git a/machines/party/configuration.nix b/machines/party/configuration.nix index d28760c..050ee59 100644 --- a/machines/party/configuration.nix +++ b/machines/party/configuration.nix @@ -9,13 +9,15 @@ nixpkgs.config = { allowAliases = false; }; console.keyMap = "de"; - services.xserver.layout = "de"; - services.xserver.enable = true; - services.xserver.desktopManager.gnome.enable = true; - services.xserver.displayManager.gdm = { + services.xserver = { enable = true; - autoSuspend = false; + layout = "de"; + desktopManager.gnome.enable = true; + displayManager.gdm = { + enable = true; + autoSuspend = false; + }; }; security.sudo.wheelNeedsPassword = false; diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix index d16de7c..95a8014 100644 --- a/machines/raven/configuration.nix +++ b/machines/raven/configuration.nix @@ -7,11 +7,11 @@ ./services ]; - networking.hostName = "raven"; time.timeZone = "Etc/UTC"; networking = { + hostName = "raven"; useDHCP = false; vlans = { labprod = { @@ -51,6 +51,7 @@ "voip" ]; }; + firewall.allowedTCPPorts = [ 80 443 ]; }; i18n.defaultLocale = "en_US.UTF-8"; @@ -84,8 +85,6 @@ services.nginx.enable = true; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - # FIXME networking.hosts = { "192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ]; diff --git a/machines/raven/services/asterisk.nix b/machines/raven/services/asterisk.nix index 075024a..800c766 100644 --- a/machines/raven/services/asterisk.nix +++ b/machines/raven/services/asterisk.nix 
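Review bot: `layout = "de";` in the regrouped `services.xserver` attrset of machines/party/configuration.nix keeps the old option path; with nixpkgs pinned to nixos-24.11 (visible in the flake.nix hunk of this commit), `services.xserver.layout` is, as far as I recall, only a renamed-option alias of `services.xserver.xkb.layout` and produces an evaluation warning. Since this hunk already rewrites the block, it is the natural place to write `xkb.layout = "de";` instead. The module's surrounding attrset starts and ends outside the hunk.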
@@ -111,12 +111,12 @@ in ln -s ${cfg.package}/var/lib/asterisk/static-http/core-en_US.xml /var/lib/asterisk/documentation/core-en_US.xml ''; - sops.secrets = (lib.listToAttrs (map + sops.secrets = lib.listToAttrs (map (name: lib.nameValuePair "asterisk-${name}" { sopsFile = ../secrets.yaml; owner = config.users.users.asterisk.name; }) - secretConfigFiles)); + secretConfigFiles); environment.etc = lib.mapAttrs' (name: _: lib.nameValuePair "asterisk/${name}.conf" diff --git a/machines/raven/services/authelia.nix b/machines/raven/services/authelia.nix index f46fb31..3834fdb 100644 --- a/machines/raven/services/authelia.nix +++ b/machines/raven/services/authelia.nix 
@@ -6,66 +6,71 @@ let port = 9001; in { - sops.secrets."authelia/jwtSecret" = { - sopsFile = ../secrets.yaml; - owner = cfg.user; - }; - sops.secrets."authelia/storageEncryptionKey" = { - sopsFile = ../secrets.yaml; - owner = cfg.user; - }; - services.authelia.instances.default = { - enable = true; - settings = { - server.address = "tcp://127.0.0.1:${toString port}/"; - access_control = { - default_policy = "one_factor"; - }; - notifier.filesystem = { - filename = "/var/lib/authelia-${cfg.name}/notif.txt"; - }; - storage.postgres = { - address = "unix:///run/postgresql"; - database = "authelia-${cfg.name}"; - username = "authelia-${cfg.name}"; - password = "authelia-${cfg.name}"; - }; - authentication_backend = { - file.path = "/var/lib/authelia-${cfg.name}/user.yml"; - }; - session = { - cookies = [ - { - domain = domain; - authelia_url = "https://${domain}"; - name = "authelia_session"; - } - ]; - }; + sops.secrets = { + "authelia/jwtSecret" = { + sopsFile = ../secrets.yaml; + owner = cfg.user; }; - secrets = { - jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path; - storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path; + "authelia/storageEncryptionKey" = { + sopsFile = ../secrets.yaml; + owner = cfg.user; }; }; - services.postgresql = { - ensureUsers = [{ - name = "authelia-${cfg.name}"; - ensureDBOwnership = true; - }]; - ensureDatabases = [ "authelia-${cfg.name}" ]; - }; + services = { + authelia.instances.default = { + enable = true; + settings = { + server.address = "tcp://127.0.0.1:${toString port}/"; + access_control = { + default_policy = "one_factor"; + }; + notifier.filesystem = { + filename = "/var/lib/authelia-${cfg.name}/notif.txt"; + }; + storage.postgres = { + address = "unix:///run/postgresql"; + database = "authelia-${cfg.name}"; + username = "authelia-${cfg.name}"; + password = "authelia-${cfg.name}"; + }; + authentication_backend = { + file.path = "/var/lib/authelia-${cfg.name}/user.yml"; + }; + session 
= { + cookies = [ + { + inherit domain; + authelia_url = "https://${domain}"; + name = "authelia_session"; + } + ]; + }; + }; + secrets = { + jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path; + storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path; + }; + }; - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - extraConfig = '' - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - ''; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString port}"; - recommendedProxySettings = true; + postgresql = { + ensureUsers = [{ + name = "authelia-${cfg.name}"; + ensureDBOwnership = true; + }]; + ensureDatabases = [ "authelia-${cfg.name}" ]; + }; + + nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ''; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; + recommendedProxySettings = true; + }; }; }; } diff --git a/machines/raven/services/labsync/default.nix b/machines/raven/services/labsync/default.nix index 8a9250a..be26626 100644 --- a/machines/raven/services/labsync/default.nix +++ b/machines/raven/services/labsync/default.nix 
@@ -5,39 +5,43 @@ let generator_port = 8695; in { - services.opentracker.enable = true; + services = { + opentracker.enable = true; - services.nginx.virtualHosts."labsync.fablab-nea.de" = { - addSSL = true; - enableACME = true; - locations = { - "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/"; + atftpd = { + enable = true; + root = pkgs.runCommand "pxelinux-tftproot" { } '' + mkdir -p $out/pxelinux.cfg + cp ${pkgs.syslinux}/share/syslinux/{ldlinux.c32,libcom32.c32,libutil.c32,lpxelinux.0,vesamenu.c32} $out + cp ${./splash.png} $out/splash.png + cp ${./pxelinux.cfg} $out/pxelinux.cfg/default + # required to serve labsync/labsync.cfg, which is generated dynamically by a docker container + ln -s /opt/docker/tftpgen/data $out/labsync + ''; }; - }; - services.nginx.virtualHosts."labsync.lab.fablab-nea.de" = { - locations = { - "/" = { - root = "/opt/docker/tftpgen/data"; - extraConfig = '' - autoindex on; - ''; + + nginx.virtualHosts = { + "labsync.fablab-nea.de" = { + addSSL = true; + enableACME = true; + locations = { + "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/"; + }; + }; + "labsync.lab.fablab-nea.de" = { + locations = { + "/" = { + root = "/opt/docker/tftpgen/data"; + extraConfig = '' + autoindex on; + ''; + }; + "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/"; + }; }; - "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/"; }; }; - services.atftpd = { - enable = true; - root = pkgs.runCommand "pxelinux-tftproot" { } '' - mkdir -p $out/pxelinux.cfg - cp ${pkgs.syslinux}/share/syslinux/{ldlinux.c32,libcom32.c32,libutil.c32,lpxelinux.0,vesamenu.c32} $out - cp ${./splash.png} $out/splash.png - cp ${./pxelinux.cfg} $out/pxelinux.cfg/default - # required to serve labsync/labsync.cfg, which is generated dynamically by a docker container - ln -s /opt/docker/tftpgen/data $out/labsync - ''; - }; - networking.firewall.allowedTCPPorts = [ 6881 # aria2 6969 # opentracker 
diff --git a/machines/raven/services/prometheus.nix b/machines/raven/services/prometheus.nix index 5ec4a7a..6f5f42f 100644 --- a/machines/raven/services/prometheus.nix +++ b/machines/raven/services/prometheus.nix 
@@ -7,137 +7,139 @@ let mkStaticTarget = target: mkStaticTargets (lib.singleton target); in { - services.prometheus.exporters.node.enable = true; - - services.prometheus = { - enable = true; - listenAddress = "127.0.0.1"; - webExternalUrl = "https://${domain}"; - globalConfig = { - scrape_interval = "15s"; - evaluation_interval = "15s"; - }; - extraFlags = [ - "--storage.tsdb.retention.time=90d" - "--web.enable-admin-api" - ]; - alertmanagers = [ - { - static_configs = mkStaticTarget "${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; - path_prefix = "/alertmanager/"; - } - ]; - alertmanager = { - enable = true; - listenAddress = "127.0.0.1"; - webExternalUrl = "https://${domain}/alertmanager"; - configuration = { - global.resolve_timeout = "2m"; - - route = { - receiver = "matrix"; - group_by = [ "alertname" ]; - group_wait = "3m"; - }; - - receivers = [ - { - name = "matrix"; - webhook_configs = lib.singleton { - url = "http://localhost/webhook"; - }; - } - ]; - }; - }; - scrapeConfigs = [ - { - job_name = "prometheus"; - static_configs = mkStaticTargets [ - "localhost:${toString cfg.port}" - "kleinturmbuehne-router:9100" - ]; - } - { - job_name = "node"; - static_configs = mkStaticTargets [ - "127.0.0.1:9100" - ]; - } - { - job_name = "asterisk"; - metrics_path = "/"; - static_configs = mkStaticTargets [ - "127.0.0.1:8088" - ]; - } - { - job_name = "mikrotik"; - static_configs = mkStaticTargets [ - "${cfg.exporters.mikrotik.listenAddress}:${toString cfg.exporters.mikrotik.port}" - ]; - } - { - job_name = "unifi"; - static_configs = mkStaticTargets [ - "${cfg.exporters.unpoller.listenAddress}:${toString cfg.exporters.unpoller.port}" - ]; - } - ]; - rules = - let - mkAlert = { name, expr, for ? "1m", description ? 
null }: { - alert = name; - inherit expr for; - annotations = lib.optionalAttrs (description != null) { inherit description; }; - }; - in - [ - (lib.generators.toYAML { } { - groups = lib.singleton { - name = "alert.rules"; - rules = map mkAlert [ - { - name = "InstanceDown"; - expr = ''up == 0''; - description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for - more than 1 minutes."; - } - ]; - }; - }) - ]; - }; - sops.secrets.prometheus-htpasswd = { owner = "nginx"; sopsFile = ../secrets.yaml; }; - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; + services = { - basicAuthFile = config.sops.secrets.prometheus-htpasswd.path; - - locations = { - "/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; - - "/alertmanager/".proxyPass = "http://${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; - }; - }; - - services.prometheus.exporters.mikrotik = { - enable = true; - listenAddress = "127.0.0.1"; - configuration = { - devices = [ + prometheus = { + exporters.node.enable = true; + enable = true; + listenAddress = "127.0.0.1"; + webExternalUrl = "https://${domain}"; + globalConfig = { + scrape_interval = "15s"; + evaluation_interval = "15s"; + }; + extraFlags = [ + "--storage.tsdb.retention.time=90d" + "--web.enable-admin-api" ]; - features = { - bgp = true; - dhcp = true; - routes = true; - optics = true; + alertmanagers = [ + { + static_configs = mkStaticTarget "${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; + path_prefix = "/alertmanager/"; + } + ]; + alertmanager = { + enable = true; + listenAddress = "127.0.0.1"; + webExternalUrl = "https://${domain}/alertmanager"; + configuration = { + global.resolve_timeout = "2m"; + + route = { + receiver = "matrix"; + group_by = [ "alertname" ]; + group_wait = "3m"; + }; + + receivers = [ + { + name = "matrix"; + webhook_configs = lib.singleton { + url = "http://localhost/webhook"; + }; + } + ]; + }; + }; + 
scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = mkStaticTargets [ + "localhost:${toString cfg.port}" + "kleinturmbuehne-router:9100" + ]; + } + { + job_name = "node"; + static_configs = mkStaticTargets [ + "127.0.0.1:9100" + ]; + } + { + job_name = "asterisk"; + metrics_path = "/"; + static_configs = mkStaticTargets [ + "127.0.0.1:8088" + ]; + } + { + job_name = "mikrotik"; + static_configs = mkStaticTargets [ + "${cfg.exporters.mikrotik.listenAddress}:${toString cfg.exporters.mikrotik.port}" + ]; + } + { + job_name = "unifi"; + static_configs = mkStaticTargets [ + "${cfg.exporters.unpoller.listenAddress}:${toString cfg.exporters.unpoller.port}" + ]; + } + ]; + rules = + let + mkAlert = { name, expr, for ? "1m", description ? null }: { + alert = name; + inherit expr for; + annotations = lib.optionalAttrs (description != null) { inherit description; }; + }; + in + [ + (lib.generators.toYAML { } { + groups = lib.singleton { + name = "alert.rules"; + rules = map mkAlert [ + { + name = "InstanceDown"; + expr = ''up == 0''; + description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for + more than 1 minutes."; + } + ]; + }; + }) + ]; + }; + + prometheus.exporters.mikrotik = { + enable = true; + listenAddress = "127.0.0.1"; + configuration = { + devices = [ + ]; + features = { + bgp = true; + dhcp = true; + routes = true; + optics = true; + }; + }; + }; + + nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + + basicAuthFile = config.sops.secrets.prometheus-htpasswd.path; + + locations = { + "/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; + + "/alertmanager/".proxyPass = "http://${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; }; }; }; diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix index 3b9716d..ef7848a 100644 --- a/machines/raven/services/wekan.nix +++ b/machines/raven/services/wekan.nix 
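Review bot: the new `prometheus = { … }` attrset holds `exporters.node.enable = true;`, while `prometheus.exporters.mikrotik = { … }` remains a separate sibling key of `services`, so exporter configuration is still split across two places after a commit whose purpose is grouping. Folding the mikrotik block into the same attrset, e.g. `exporters = { node.enable = true; mikrotik = { … }; };`, keeps every exporter next to the scrape jobs that reference it through `cfg.exporters.mikrotik.listenAddress`. The hunk also shows `devices = [ ];` for that exporter, so the `mikrotik` scrape job appears to point at an exporter with nothing to poll; a short `# TODO` comment naming the intended devices would explain why it is enabled. The module's closing brace lies outside the hunk.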
@@ -62,31 +62,33 @@ in }; # Create the netowrk - systemd.services.init-filerun-network-and-files = { - description = "Create the network bridge ${networkName} for WeKan."; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + systemd.services = { + init-filerun-network-and-files = { + description = "Create the network bridge ${networkName} for WeKan."; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; - serviceConfig.Type = "oneshot"; - script = - let podmancli = "${pkgs.podman}/bin/podman"; - in '' - if ! ${podmancli} network ls --format '{{ .Name }}' | grep -qFx -- "${networkName}"; then - ${podmancli} network create "${networkName}" - else - echo "network already exists" - fi - ''; - }; - - systemd.services.wekan-restart = { - description = "Restart Wekan services."; - serviceConfig = { - Type = "oneshot"; + serviceConfig.Type = "oneshot"; + script = + let podmancli = "${pkgs.podman}/bin/podman"; + in '' + if ! ${podmancli} network ls --format '{{ .Name }}' | grep -qFx -- "${networkName}"; then + ${podmancli} network create "${networkName}" + else + echo "network already exists" + fi + ''; + }; + + wekan-restart = { + description = "Restart Wekan services."; + serviceConfig = { + Type = "oneshot"; + }; + script = '' + ${pkgs.systemd}/bin/systemctl restart "podman-${databaseName}.service" "podman-${serviceName}.service" + ''; }; - script = '' - ${pkgs.systemd}/bin/systemctl restart "podman-${databaseName}.service" "podman-${serviceName}.service" - ''; }; systemd.timers.wekan-restart = { diff --git a/modules/unfree.nix b/modules/unfree.nix index 3394261..e5f3549 100644 --- a/modules/unfree.nix +++ b/modules/unfree.nix @@ -1,8 +1,8 @@ { lib, ... }: { - nixpkgs.config.allowUnfreePredicate = (pkg: lib.elem (lib.getName pkg) [ + nixpkgs.config.allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ "unifi-controller" "mongodb" - ]); + ]; } From 3058e0d69c528e457981f167f1533f11dd3732e7 Mon Sep 17 00:00:00 2001 
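Review bot: The unit name `init-filerun-network-and-files` no longer matches what the unit does (its description and script only create the `${networkName}` podman bridge for WeKan), so the restructure is a good moment to rename it, e.g. `init-wekan-network`, and to fix the "netowrk" typo in the comment above it. The ordering `after = [ "network.target" ]` presumably exists so the bridge is created before the `podman-${databaseName}`/`podman-${serviceName}` units start, but those units are outside this hunk, so it is worth a one-line comment stating that dependency here (`# must be up before podman-wekan*.service; those units order after this one`) or confirming that they actually `after`/`requires` this unit. The rest of the hunk is a pure re-nesting under `systemd.services` with no behavioural change.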
From: Jakob Lechner Date: Mon, 14 Apr 2025 22:24:14 +0200 Subject: [PATCH 18/23] Add deadnix --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index eb1d04b..9fa16ad 100644 --- a/flake.nix +++ b/flake.nix @@ -59,6 +59,7 @@ src = ./.; hooks = { black.enable = true; + deadnix.enable = true; nixpkgs-fmt.enable = true; shellcheck.enable = true; statix = { From 4c61cedf91df40ebc17143d9c2366db428cbb1c3 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Mon, 14 Apr 2025 22:24:51 +0200 Subject: [PATCH 19/23] Remove unused code --- flake.nix | 4 ++-- machines/party/hardware-configuration.nix | 2 +- machines/party/services/colorchord.nix | 2 +- machines/raven/configuration.nix | 2 +- machines/raven/hardware-configuration.nix | 2 +- machines/raven/services/colorchord.nix | 2 +- machines/raven/services/grafana.nix | 2 +- machines/raven/services/mailhog.nix | 1 - machines/raven/services/prometheus.nix | 2 +- machines/raven/services/wekan.nix | 2 +- pkgs/default.nix | 2 +- 11 files changed, 11 insertions(+), 12 deletions(-) diff --git a/flake.nix b/flake.nix index 9fa16ad..d7e8011 100644 --- a/flake.nix +++ b/flake.nix @@ -87,7 +87,7 @@ }; apps = lib.mapAttrs - (name: program: { type = "app"; program = toString program; }) + (_name: program: { type = "app"; program = toString program; }) (flake-utils.lib.flattenTree { deploy = lib.recurseIntoAttrs (lib.mapAttrs (hostname: machine: @@ -121,7 +121,7 @@ }); packages = lib.filterAttrs - (n: v: lib.elem system v.meta.platforms) + (_n: v: lib.elem system v.meta.platforms) (flake-utils.lib.flattenTree { inherit (pkgs) fablab; diff --git a/machines/party/hardware-configuration.nix b/machines/party/hardware-configuration.nix index a07aa08..b19150a 100644 --- a/machines/party/hardware-configuration.nix +++ b/machines/party/hardware-configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ modulesPath, ... }: { imports = [ 
diff --git a/machines/party/services/colorchord.nix b/machines/party/services/colorchord.nix index 95c87fa..7a3c865 100644 --- a/machines/party/services/colorchord.nix +++ b/machines/party/services/colorchord.nix @@ -1,4 +1,4 @@ -{ inputs, lib, pkgs, ... }: +{ lib, pkgs, ... }: let ledDevices = { kanister = { diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix index 95a8014..13b1e8e 100644 --- a/machines/raven/configuration.nix +++ b/machines/raven/configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, ... }: { imports = [ diff --git a/machines/raven/hardware-configuration.nix b/machines/raven/hardware-configuration.nix index 27292cd..21f9c9e 100644 --- a/machines/raven/hardware-configuration.nix +++ b/machines/raven/hardware-configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ modulesPath, ... }: { imports = [ diff --git a/machines/raven/services/colorchord.nix b/machines/raven/services/colorchord.nix index 7194834..e049464 100644 --- a/machines/raven/services/colorchord.nix +++ b/machines/raven/services/colorchord.nix @@ -1,4 +1,4 @@ -{ inputs, lib, pkgs, ... }: +{ lib, pkgs, ... }: let ledDevices = { workbench-1 = { diff --git a/machines/raven/services/grafana.nix b/machines/raven/services/grafana.nix index 29558c2..52dac83 100644 --- a/machines/raven/services/grafana.nix +++ b/machines/raven/services/grafana.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, ... }: let domain = "grafana.fablab-nea.de"; diff --git a/machines/raven/services/mailhog.nix b/machines/raven/services/mailhog.nix index 8ec4c7b..f86d6a7 100644 --- a/machines/raven/services/mailhog.nix +++ b/machines/raven/services/mailhog.nix @@ -1,4 +1,3 @@ -{ config, ... }: { services.mailhog.enable = true; } diff --git a/machines/raven/services/prometheus.nix b/machines/raven/services/prometheus.nix index 6f5f42f..4ac636b 100644 --- a/machines/raven/services/prometheus.nix +++ b/machines/raven/services/prometheus.nix 
@@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: let domain = "prometheus.fablab-nea.de"; diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix index ef7848a..6c8d3c5 100644 --- a/machines/raven/services/wekan.nix +++ b/machines/raven/services/wekan.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ lib, pkgs, ... }: let serviceName = "wekan"; databaseName = "wekandb"; diff --git a/pkgs/default.nix b/pkgs/default.nix index f9ac13a..4841d89 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,4 +1,4 @@ -final: prev: +_final: prev: let inherit (prev) callPackage recurseIntoAttrs; in From 3452e094ff3fa8b1a57b81e6c208fc9659e9aca8 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Mon, 14 Apr 2025 22:34:42 +0200 Subject: [PATCH 20/23] Use file to unlock LUKS from usb media --- machines/raven/configuration.nix | 9 +++ machines/raven/disko.nix | 3 - modules/default.nix | 1 + modules/luksusb.nix | 121 +++++++++++++++++++++++++++++++ 4 files changed, 131 insertions(+), 3 deletions(-) create mode 100644 modules/luksusb.nix diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix index 13b1e8e..7cf07e8 100644 --- a/machines/raven/configuration.nix +++ b/machines/raven/configuration.nix @@ -90,5 +90,14 @@ "192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ]; }; + fablab.luksUsbUnlock = { + enable = true; + devices."${config.disko.devices.disk.nvme.content.partitions.luks.content.name}" = { + keyPath = "${config.networking.hostName}.key"; + usbDevice = "by-label/RAM_USB"; + waitForDevice = 10; + }; + }; + system.stateVersion = "24.05"; } diff --git a/machines/raven/disko.nix b/machines/raven/disko.nix index 6492d69..8414703 100644 --- a/machines/raven/disko.nix +++ b/machines/raven/disko.nix 
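Review bot: Selecting the key medium with `usbDevice = "by-label/RAM_USB"` means any removable device carrying that filesystem label is mounted in the initrd and searched for `raven.key`, whereas the `by-id` path removed from disko.nix in the same patch tied the lookup to a specific stick. That is acceptable only if the key file itself, not the identity of the stick, is the secret, and an attacker-supplied stick with the same label can still win the race and cause the unlock to fall back to the passphrase prompt, so the threat model should be spelled out next to the option, e.g. `# any medium with this label is mounted read-only in the initrd; the secret is the key file, not the stick`. If a stable identifier is available, `by-uuid/<filesystem uuid>` or the previous `by-id/...` serial narrows what gets mounted before the root volume is unlocked. `waitForDevice = 10` is the poll budget in seconds (the module sleeps 1s per attempt), which is worth stating in a comment since the option name does not carry the unit.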
@@ -26,9 +26,6 @@ name = "raven-crypt"; settings = { allowDiscards = true; - keyFileSize = 4096; - keyFile = "/dev/disk/by-id/usb-jalr_USB_RAM_disk_prototype-01-0:0"; - keyFileTimeout = 10; }; extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ]; content = { diff --git a/modules/default.nix b/modules/default.nix index 244c94d..f3fbce0 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1,7 @@ { imports = [ ./base.nix + ./luksusb.nix ./nix.nix ./pipewire.nix ./pubkeys.nix diff --git a/modules/luksusb.nix b/modules/luksusb.nix new file mode 100644 index 0000000..17b931b --- /dev/null +++ b/modules/luksusb.nix 
@@ -0,0 +1,121 @@ +{ config, lib, ... }: +let + cfg = config.fablab.luksUsbUnlock; +in +{ + options.fablab.luksUsbUnlock = with lib; with lib.types; { + enable = mkEnableOption "unlock LUKS volumes with a USB device on boot"; + devices = mkOption { + default = { }; + example = { + cryptroot = { + keyPath = "/path/to/the/key"; + usbDevice = "by-label/MY_USB"; + }; + }; + type = types.attrsOf (types.submodule { + options = { + keyPath = mkOption { + example = "/mykey.key"; + description = mdDoc '' + Path to the key file inside the USB device's filesystem. + `/` is relative to the device's filesystem root. + ''; + type = types.str; + }; + + usbDevice = mkOption { + example = "by-label/BOOTKEY"; + description = mdDoc '' + Path to the USB device that contains the keys. (Path relative to `/dev/disk/`) + ''; + type = types.str; + }; + + waitForDevice = mkOption { + default = 5; + example = 10; + description = mdDoc '' + How many seconds to wait for the USB device to be detected by the + kernel. + ''; + type = types.ints.unsigned; + }; + }; + }); + }; + }; + config = lib.mkIf cfg.enable ( + let + makeUsbDevPath = usbDevice: "/dev/disk/" + usbDevice; + makeMountPath = usbDevice: "/key/" + (builtins.hashString "md5" usbDevice); + usbFsType = "vfat"; + + mapAttrsNameValue = f: set: + lib.listToAttrs (map f (lib.attrsToList set)); + in + { + boot.initrd = { + kernelModules = [ "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1" ]; + systemd.services = + let + makeService = name: { usbDevice, waitForDevice, ... 
}: + let + usbDevPath = makeUsbDevPath usbDevice; + usbMountPath = makeMountPath usbDevice; + in + { + description = "Mount ${name} key"; + wantedBy = [ "cryptsetup.target" ]; + before = [ "systemd-cryptsetup@${name}.service" ]; + after = [ "systemd-modules-load.service" ]; + unitConfig.DefaultDependencies = "no"; + serviceConfig.Type = "oneshot"; + + script = '' + if awk -v mountpoint="${usbMountPath}" '$2==mountpoint {f=1} END {exit !f}' /proc/mounts; then + exit 0 + fi + + attempts=0 + while [ ! -e ${lib.escapeShellArg usbDevPath} ]; do + sleep 1 + if [ $attempts -ge ${toString waitForDevice} ]; then + break; + fi + attempts=$((attempts+1)) + done + + if [ -e ${lib.escapeShellArg usbDevPath} ]; then + mkdir -m0500 -p ${lib.escapeShellArg usbMountPath} + mount \ + -n \ + -t ${lib.escapeShellArg usbFsType} \ + -o ro,fmask=0137,dmask=0027 \ + ${lib.escapeShellArg usbDevPath} \ + ${lib.escapeShellArg usbMountPath} + fi + ''; + }; + in + mapAttrsNameValue + ({ name, value }: { + name = "luksusb-${name}"; + value = makeService name value; + }) + cfg.devices; + + luks.devices = builtins.mapAttrs + (_: { keyPath, usbDevice, ... }: + let + usbMountPath = makeMountPath usbDevice; + in + { + keyFile = "${usbMountPath}/${keyPath}"; + keyFileTimeout = 1; + }) + cfg.devices; + }; + } + ); +} From 73c0bdebd21992b2f0d70abc79c8dfb3ca4fee11 Mon Sep 17 00:00:00 2001 
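Review bot: The `mount` in the `makeService` script mounts a removable, unauthenticated vfat filesystem with only `ro,fmask=0137,dmask=0027`; since it is chosen by `/dev/disk/<usbDevice>` (a label in the raven configuration) it should also carry `nosuid,nodev,noexec` so nothing on the stick is ever usable as a device node or executable inside the initrd. When the device never appears the script silently exits 0 and the luks unit then waits out `keyFileTimeout = 1` and prompts for a passphrase, which is the right fallback but leaves no trace in the journal of why; an `else` branch with a message on stderr makes boots where the stick was not detected diagnosable. The service orders `after = [ "systemd-modules-load.service" ]` but not after udev has settled, so the `/dev/disk/...` symlink may only exist thanks to the poll loop; ordering after `systemd-udev-trigger.service` would presumably make `waitForDevice` a real upper bound rather than a race, worth confirming. Note also that `systemd-cryptsetup@${name}.service` uses the raw device name; the dash escaping that patch 22 works around by renaming the volume could instead be handled here with `utils.escapeSystemdPath name`, so the module does not constrain what disko may call the device.
```nix
# … unchanged: mountpoint check and wait loop …
if [ -e ${lib.escapeShellArg usbDevPath} ]; then
  mkdir -m0500 -p ${lib.escapeShellArg usbMountPath}
  mount -n -t ${lib.escapeShellArg usbFsType} \
    -o ro,nosuid,nodev,noexec,fmask=0137,dmask=0027 \
    ${lib.escapeShellArg usbDevPath} ${lib.escapeShellArg usbMountPath}
else
  echo "luksusb: ${usbDevPath} did not appear within ${toString waitForDevice}s; falling back to passphrase" >&2
fi
```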
From: Jakob Lechner Date: Wed, 23 Apr 2025 21:09:48 +0200 Subject: [PATCH 21/23] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/76c0a6dba345490508f36c1aa3c7ba5b6b460989?narHash=sha256-I2oILRiJ6G%2BBOSjY%2B0dGrTPe080L3pbKpc%2BgCV3Nmyk%3D' (2025-04-08) → 'github:nix-community/disko/c5140c6079ff690e85eac0b86e254de16a79a4b7?narHash=sha256-mi6cAjuBztm9gFfpiVo6mAn81cCID6nmDXh5Kmyjwyc%3D' (2025-04-23) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/9a049b4a421076d27fee3eec664a18b2066824cb?narHash=sha256-fbWE4Xpw6eH0Q6in%2BymNuDwTkqmFmtxcQEmtRuKDTTk%3D' (2025-04-14) → 'github:nixos/nixos-hardware/8bf8a2a0822365bd8f44fd1a19d7ed0a1d629d64?narHash=sha256-xmqG4MZArM1JNxPJ33s0MtuBzgnaCO9laARoU3AfP8E%3D' (2025-04-23) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d?narHash=sha256-FHlSkNqFmPxPJvy%2B6fNLaNeWnF1lZSgqVCl/eWaJRc4%3D' (2025-04-12) → 'github:nixos/nixpkgs/9684b53175fc6c09581e94cc85f05ab77464c7e3?narHash=sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo%3D' (2025-04-21) • Updated input 'sops-nix': 'github:Mic92/sops-nix/7e147a1ae90f0d4a374938cdc3df3cdaecb9d388?narHash=sha256-lv52pnfiRGp5%2BxkZEgWr56DWiRgkMFXpiGba3eJ3krE%3D' (2025-04-13) → 'github:Mic92/sops-nix/5e3e92b16d6fdf9923425a8d4df7496b2434f39c?narHash=sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA%3D' (2025-04-22) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index ce9fedd..571f57c 100644 --- a/flake.lock +++ b/flake.lock 
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1744145203, - "narHash": "sha256-I2oILRiJ6G+BOSjY+0dGrTPe080L3pbKpc+gCV3Nmyk=", + "lastModified": 1745369821, + "narHash": "sha256-mi6cAjuBztm9gFfpiVo6mAn81cCID6nmDXh5Kmyjwyc=", "owner": "nix-community", "repo": "disko", - "rev": "76c0a6dba345490508f36c1aa3c7ba5b6b460989", + "rev": "c5140c6079ff690e85eac0b86e254de16a79a4b7", "type": "github" }, "original": { @@ -145,11 +145,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1744633460, - "narHash": "sha256-fbWE4Xpw6eH0Q6in+ymNuDwTkqmFmtxcQEmtRuKDTTk=", + "lastModified": 1745392233, + "narHash": "sha256-xmqG4MZArM1JNxPJ33s0MtuBzgnaCO9laARoU3AfP8E=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "9a049b4a421076d27fee3eec664a18b2066824cb", + "rev": "8bf8a2a0822365bd8f44fd1a19d7ed0a1d629d64", "type": "github" }, "original": { @@ -161,11 +161,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1744440957, - "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", + "lastModified": 1745279238, + "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3", "type": "github" }, "original": { @@ -249,11 +249,11 @@ ] }, "locked": { - "lastModified": 1744518500, - "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=", + "lastModified": 1745310711, + "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388", + "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c", "type": "github" }, "original": { From a24aa4dde2f2cab271a0d87e4169e35e26c1e715 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Fri, 25 Apr 2025 14:07:05 +0200 Subject: [PATCH 22/23] Rename luks device dashes in device name are being escaped in systemd unit names. The luksusb module cannot handle these escape sequences in systemd unit names. --- machines/raven/disko.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/raven/disko.nix b/machines/raven/disko.nix index 8414703..0429f57 100644 --- a/machines/raven/disko.nix +++ b/machines/raven/disko.nix @@ -23,7 +23,7 @@ size = "100%"; content = { type = "luks"; - name = "raven-crypt"; + name = "raven_crypt"; settings = { allowDiscards = true; }; From 3c389f912ca4f517d619b5c1657d9925ece3e687 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 30 Apr 2025 01:18:15 +0200 Subject: [PATCH 23/23] Add esphome --- esphome/.gitignore | 5 ++++ esphome/door.yaml | 56 ++++++++++++++++++++++++++++++++++++++++ esphome/secrets.yaml.gpg | 2 ++ 3 files changed, 63 insertions(+) create mode 100644 esphome/.gitignore create mode 100644 esphome/door.yaml create mode 100644 esphome/secrets.yaml.gpg diff --git a/esphome/.gitignore b/esphome/.gitignore new file mode 100644 index 0000000..d8b4157 --- /dev/null +++ b/esphome/.gitignore @@ -0,0 +1,5 @@ +# Gitignore settings for ESPHome +# This is an example and may include too much for your use-case. +# You can modify this file to suit your needs. +/.esphome/ +/secrets.yaml diff --git a/esphome/door.yaml b/esphome/door.yaml new file mode 100644 index 0000000..28b348f --- /dev/null +++ b/esphome/door.yaml 
@@ -0,0 +1,56 @@ +esphome: + name: "door" + friendly_name: "Door" + platform: ESP32 + board: esp-wrover-kit + +api: + encryption: + key: !secret apikey_door + +ota: + - platform: esphome + password: !secret otapass_door + +ethernet: + type: LAN8720 + mdc_pin: GPIO23 + mdio_pin: GPIO18 + clk_mode: GPIO0_IN + phy_addr: 1 + power_pin: GPIO16 + +logger: + +output: + - platform: gpio + pin: GPIO2 + id: output_relay + +button: + - platform: template + name: "door opener" + id: btn_door_opener + icon: mdi:lock-open + on_press: + - output.turn_on: output_relay + - delay: 2s + - output.turn_off: output_relay + +time: + - platform: sntp + id: sntp_time + timezone: Europe/Berlin + servers: + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org + +wireguard: + address: 10.20.16.2 + private_key: !secret wireguard_key_door + peer_endpoint: jalr-bw.duckdns.org + peer_public_key: Ew25M4+OxfBGfW3g98m2chq+TIgWhxpVulrsuFmwOic= + netmask: 255.255.255.252 + peer_port: 51001 + peer_persistent_keepalive: 120s diff --git a/esphome/secrets.yaml.gpg b/esphome/secrets.yaml.gpg new file mode 100644 index 0000000..1c22600 --- /dev/null +++ b/esphome/secrets.yaml.gpg @@ -0,0 +1,2 @@ +^ci5V@#kf18^dCjMZДeb0J>PpP*)͡OD%D20 H2 vzF?yL3!KӊE,|%tc4pZ#6ԠkoMx|eV_9S}7ҦןBԃ]stvax>pj%ZY^_pV[Mh#b=ݠ3~:{ +oLOՕMtC<arZ&u, =zAc>#lZOM@i̠)u; \ No newline at end of file
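Review bot: The `door opener` template button pulses `output_relay` for 2s for any native-API client that holds `apikey_door`, and because the device is on `ethernet` as well as the `wireguard` tunnel that API is reachable from the wired LAN too, not only from the 10.20.16.0/30 peer; if only the WireGuard peer is meant to open the door, that expectation should be written down above `api:` (`# door opener is exposed to every client with the API key on all interfaces, LAN included`) since nothing in this file restricts it. The OTA path is likewise gated only by `otapass_door`, so the strength and rotation of both secrets in secrets.yaml.gpg is what protects a physical access control here; a comment pointing at where they are managed would help the next maintainer. Firing the button repeatedly starts overlapping `on_press` sequences, so a flood of presses can hold the relay closed longer than 2s; a `script` with `mode: single` wrapping the turn_on/delay/turn_off would make the pulse length a hard limit. If Home Assistant only reaches the device over the tunnel, check the API component's default client-reconnect reboot behaviour, since a dropped tunnel could then reboot the door controller periodically.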