Add lightburn

flake.lock: Update
Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/9075cba53e86dc318d159aee55dc9a7c9a4829c1' (2023-09-02) → 'github:nixos/nixpkgs/da5adce0ffaff10f6d0fee72a02a5ed9d01b52fc' (2023-09-03) • Updated input 'nixpkgsMaster': 'github:NixOS/nixpkgs/276e0e59881448b22ff9a5c945e64c9b20149535' (2023-09-03) → 'github:NixOS/nixpkgs/2457551a54ffbd93b7d8f84af8b8fb3aac5cbdd5' (2023-09-06) • Updated input 'nur': 'github:nix-community/NUR/7e62dd55582646dbf8b87fed72854ebe3911985d' (2023-09-03) → 'github:nix-community/NUR/0572f3d2f4d1b231196f8ed7a3280c7f0724c95e' (2023-09-06) • Updated input 'sops-nix': 'github:Mic92/sops-nix/d9c5dc41c4b1f74c77f0dbffd0f3a4ebde447b7a' (2023-08-30) → 'github:Mic92/sops-nix/faf21ac162173c2deb54e5fdeed002a9bd6e8623' (2023-09-05) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/9117c4e9dc117a6cd0319cca40f2349ed333669d' (2023-08-27) → 'github:NixOS/nixpkgs/5601118d39ca9105f8e7b39d4c221d3388c0419d' (2023-09-02)
2023-09-07 15:49:24 +00:00 · 2023-09-06 14:56:45 +00:00 · 2023-09-03 10:24:42 +00:00 · 2023-09-03 10:23:10 +00:00 · 2023-08-31 08:17:06 +00:00 · 2023-08-31 08:16:44 +00:00
133 changed files with 3642 additions and 2972 deletions
--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@ -0,0 +1,4 @@
 # Do not edit this file.  To specify the files to encrypt, create your own
 # .gitattributes file in the directory where your files are.
 * !filter !diff
 *.gpg binary
--- a/.git-crypt/keys/default/0/66FB54F6081375106EEBF651A222365EB448F934.gpg
+++ b/.git-crypt/keys/default/0/66FB54F6081375106EEBF651A222365EB448F934.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,2 @@
 **/secrets/** filter=git-crypt diff=git-crypt
 **/secrets.yaml diff=sops
--- a/.sops.yaml
+++ b/.sops.yaml
@ -4,7 +4,8 @@ keys:
  - &host_aluminium age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44
  - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
  - &host_iron age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je
-  - &host_weinturm_pretix_prod age1w42q9qg7l6gea36erhw0u7jvlpenvtrjm38q4ux0aasa929hes6s2ecj6m
+  - &host_magnesium age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0
  - &host_weinturm_pretix_prod age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf
 creation_rules:
  - path_regex: hosts/aluminium/secrets\.yaml$
    key_groups:
@ -24,6 +25,12 @@ creation_rules:
      - *admin_jalr
      age:
      - *host_iron
  - path_regex: hosts/magnesium/secrets\.yaml$
    key_groups:
    - pgp:
      - *admin_jalr
      age:
      - *host_magnesium
  - path_regex: hosts/weinturm-pretix-prod/secrets\.yaml$
    key_groups:
    - pgp:
--- a/flake.lock
+++ b/flake.lock
@ -21,11 +21,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1681202837,
+        "lastModified": 1692799911,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
        "type": "github"
      },
      "original": {
@ -62,16 +62,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1667907331,
+        "lastModified": 1693208669,
-        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
+        "narHash": "sha256-hHFaaUsZ860wvppPeiu7nJn/nXZjJfnqAQEu9SPFE9I=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
+        "rev": "5bac4a1c06cd77cf8fc35a658ccb035a6c50cd2c",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-22.05",
+        "ref": "release-23.05",
        "repo": "home-manager",
        "type": "github"
      }
@ -110,11 +110,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1684842236,
+        "lastModified": 1692274144,
-        "narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=",
+        "narHash": "sha256-BxTQuRUANQ81u8DJznQyPmRsg63t4Yc+0kcyq6OLz8s=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "61e567d6497bc9556f391faebe5e410e6623217f",
+        "rev": "7e3517c03d46159fdbf8c0e5c97f82d5d4b0c8fa",
        "type": "github"
      },
      "original": {
@ -126,59 +126,59 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1681303793,
+        "lastModified": 1689261696,
-        "narHash": "sha256-JEdQHsYuCfRL2PICHlOiH/2ue3DwoxUX7DJ6zZxZXFk=",
+        "narHash": "sha256-LzfUtFs9MQRvIoQ3MfgSuipBVMXslMPH/vZ+nM40LkA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fe2ecaf706a5907b5e54d979fbde4924d84b65fc",
+        "rev": "df1eee2aa65052a18121ed4971081576b25d6b5c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1678872516,
+        "lastModified": 1685801374,
-        "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1684632198,
+        "lastModified": 1693675694,
-        "narHash": "sha256-SdxMPd0WmU9MnDBuuy7ouR++GftrThmSGL7PCQj/uVI=",
+        "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d0dade110dc7072d67ce27826cfe9ab2ab0cf247",
+        "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgsMaster": {
      "locked": {
-        "lastModified": 1684857135,
+        "lastModified": 1694012069,
-        "narHash": "sha256-MrX+6QO3xf+Gkm+BgU45jBB/l9XRvH/hGsLfx8fEetU=",
+        "narHash": "sha256-/IUwkEtnuqhoI68IJRBbMgwofTrte8E4zKYAb4p3Hl8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "499cad7a722caf0bebb2a382a67fa39c992acebd",
+        "rev": "2457551a54ffbd93b7d8f84af8b8fb3aac5cbdd5",
        "type": "github"
      },
      "original": {
@ -190,27 +190,27 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1684661732,
+        "lastModified": 1693771906,
-        "narHash": "sha256-2/Xo/UmUUoMXc0T5tzoUsYjMLLMjEfzRWDAQB0WwtW0=",
+        "narHash": "sha256-32EnPCaVjOiEERZ+o/2Ir7JH9pkfwJZJ27SKHNvt4yk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b0671cbf1e5c443f7fbfd4941ee0f8a151435114",
+        "rev": "da5adce0ffaff10f6d0fee72a02a5ed9d01b52fc",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nur": {
      "locked": {
-        "lastModified": 1684856747,
+        "lastModified": 1694011534,
-        "narHash": "sha256-sauDfmQDn1NFW2IdQ5aOcwcU5YTJ+OTN7VpqskVXrb0=",
+        "narHash": "sha256-gB7LM/w61gjZ2n75JN7FQKAF4o2QumqI33Pac16ZvjI=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "2c7307a5423802a6da62ec3bc80ce44e1788dd5b",
+        "rev": "0572f3d2f4d1b231196f8ed7a3280c7f0724c95e",
        "type": "github"
      },
      "original": {
@ -239,11 +239,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1684637723,
+        "lastModified": 1693898833,
-        "narHash": "sha256-0vAxL7MVMhGbTkAyvzLvleELHjVsaS43p+PR1h9gzNQ=",
+        "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "4ccdfb573f323a108a44c13bb7730e42baf962a9",
+        "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,13 +1,13 @@
 {
  inputs = {
    flake-utils.url = "github:numtide/flake-utils";
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
    nixpkgsMaster.url = "github:NixOS/nixpkgs/master";
    nur.url = "github:nix-community/NUR";
    home-manager = {
-      url = "github:nix-community/home-manager/release-22.05";
+      url = "github:nix-community/home-manager/release-23.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
@ -57,7 +57,7 @@
            };
          };
        };
-        devShell = pkgs.mkShell {
+        devShells.default = pkgs.mkShell {
          buildInputs = (with pkgs; [
            black
            just
@ -100,14 +100,31 @@
                }
              )
              self.nixosConfigurations);
-
+            argon2id =
-            showKeyFingerprint = pkgs.writeShellScript "show-key-fingerprint" ''
+              let
-              ${pkgs.gnupg}/bin/gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
+                python = pkgs.python3.withPackages (pp: with pp; [
-            '';
+                  argon2-cffi
                ]);
              in
              pkgs.writeTextFile {
                name = "argon2id";
                text = ''
                  #!${python}/bin/python
                  import getpass
                  from argon2 import PasswordHasher
                  pw = getpass.getpass()
                  ph = PasswordHasher(
                      time_cost=5,
                      memory_cost=2*1024*1024, # in kibibytes
                      parallelism=4,
                  )
                  print(ph.hash(pw))
                '';
                executable = true;
              };
          });
      }) // {
-      overlay = import ./pkgs;
+      overlays.default = import ./pkgs;
      nixosConfigurations = nixpkgs.lib.mapAttrs
        (hostname: { system
--- a/home-manager/modules/alacritty.nix
+++ b/home-manager/modules/alacritty.nix
@ -2,7 +2,7 @@
 let
  solarized = import ./solarized.nix;
-  #nixosConfig.myConfig.terminalEmulator.command = pkgs.writeShellScriptBin "alacritty-sway-cwd" ''
+  #nixosConfig.jalr.terminalEmulator.command = pkgs.writeShellScriptBin "alacritty-sway-cwd" ''
  #  this_alacritty_pid="$(swaymsg -t get_tree | ${pkgs.jq} -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="Alacritty")).pid')"
  #  if [ "$this_alacritty_pid" ]; then
@ -141,7 +141,7 @@ in
 {
  programs.alacritty = {
-    enable = nixosConfig.myConfig.gui.enable;
+    enable = nixosConfig.jalr.gui.enable;
  };
  # The option `home-manager.users.jalr.xdg.configFile.dark.alacritty/alacritty-dark.yml' does not exist
--- a/home-manager/modules/aws.nix
+++ b/home-manager/modules/aws.nix
@ -4,7 +4,7 @@ let
  xdg = config.xdg;
 in
 {
-  config = lib.mkIf nixosConfig.myConfig.aws.enable {
+  config = lib.mkIf nixosConfig.jalr.aws.enable {
    # https://github.com/aws/aws-sdk/issues/30
    home.sessionVariables = {
      AWS_CONFIG_FILE = "${xdg.configHome}/aws/config";
@ -19,7 +19,7 @@ in
        (name: value:
          lib.attrsets.nameValuePair ("profile ${name}") (value)
        )
-        nixosConfig.myConfig.aws.accounts
+        nixosConfig.jalr.aws.accounts
      //
      {
        "default" = {
--- a/home-manager/modules/claws-mail.nix
+++ b/home-manager/modules/claws-mail.nix
@ -1,5 +1,5 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    claws-mail
  ];
--- a/home-manager/modules/cli.nix
+++ b/home-manager/modules/cli.nix
@ -4,18 +4,18 @@
    cached-nix-shell
    file
    htop
    inetutils
    jq
    lsof
    ncdu
    ripgrep
-  ] ++ (if ! nixosConfig.myConfig.workstation.enable then [ ] else [
+  ] ++ (if ! nixosConfig.jalr.workstation.enable then [ ] else [
    direnv
    dnsutils
    screen
    speedtest-cli
    usbutils
    wget
    whois
    yt-dlp
  ]);
 }
--- a/home-manager/modules/communication/ferdium.nix
+++ b/home-manager/modules/communication/ferdium.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.tradebyte.enable {
+lib.mkIf nixosConfig.jalr.tradebyte.enable {
  home.packages = with pkgs; [
    master.ferdium
  ];
--- a/home-manager/modules/communication/mumble.nix
+++ b/home-manager/modules/communication/mumble.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    mumble
  ];
--- a/home-manager/modules/communication/qtox.nix
+++ b/home-manager/modules/communication/qtox.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    qtox
  ];
--- a/home-manager/modules/communication/telegram-desktop.nix
+++ b/home-manager/modules/communication/telegram-desktop.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    tdesktop
  ];
--- a/home-manager/modules/default.nix
+++ b/home-manager/modules/default.nix
@ -2,7 +2,7 @@
 {
  imports = [
-    ./${nixosConfig.myConfig.terminalEmulator}.nix
+    ./${nixosConfig.jalr.terminalEmulator}.nix
    ./aws.nix
    ./claws-mail.nix
    ./cli.nix
--- a/home-manager/modules/dynamic-colors.nix
+++ b/home-manager/modules/dynamic-colors.nix
@ -1,18 +1,18 @@
 { nixosConfig, lib, pkgs, ... }:
-
+let
-let dynamic-colors = pkgs.writeShellScriptBin "dynamic-colors" /* bash */ ''
+  dynamic-colors = pkgs.writeShellScriptBin "dynamic-colors" /* bash */ ''
-  case "''$1" in
+    case "''$1" in
-    light|dark)
+      light|dark)
-      if [ -e "''$HOME/.config/alacritty/alacritty-''$1.yml" ]; then
+        if [ -e "''$HOME/.config/alacritty/alacritty-''$1.yml" ]; then
-        ln -sf "''$HOME/.config/alacritty/alacritty-''$1.yml" "$HOME/.config/alacritty/alacritty.yml"
+          ln -sf "''$HOME/.config/alacritty/alacritty-''$1.yml" "$HOME/.config/alacritty/alacritty.yml"
-      fi
+        fi
-    ;;
+      ;;
-    *)
+      *)
-      echo "unknown command ''$1" >&2
+        echo "unknown command ''$1" >&2
-      exit 1
+        exit 1
-  esac
+    esac
-'';
+  '';
 in
 {
  home.packages = [
--- a/home-manager/modules/firefox/default.nix
+++ b/home-manager/modules/firefox/default.nix
@ -1,16 +1,16 @@
 { nixosConfig, pkgs, ... }:
 {
  programs.firefox = {
-    enable = nixosConfig.myConfig.gui.enable;
+    enable = nixosConfig.jalr.gui.enable;
    package = pkgs.firefox-esr;
    extensions = with pkgs.nur.repos.rycee.firefox-addons; [
      tree-style-tab
      ublock-origin
      umatrix
      violentmonkey
    ];
    profiles = {
      default = {
        extensions = with pkgs.nur.repos.rycee.firefox-addons; [
          tree-style-tab
          ublock-origin
          umatrix
          violentmonkey
        ];
        settings = {
          #"browser.startup.homepage" = "https://nixos.org";
          #"browser.search.region" = "GB";
--- a/home-manager/modules/fpv.nix
+++ b/home-manager/modules/fpv.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    master.betaflight-configurator
    fpvout
--- a/home-manager/modules/git.nix
+++ b/home-manager/modules/git.nix
@ -4,11 +4,11 @@
  programs = {
    git = {
      enable = true;
-      userName = nixosConfig.myConfig.git.user.name;
+      userName = nixosConfig.jalr.git.user.name;
-      userEmail = nixosConfig.myConfig.git.user.email;
+      userEmail = nixosConfig.jalr.git.user.email;
      signing = {
-        key = nixosConfig.myConfig.gpg.defaultKey;
+        key = nixosConfig.jalr.gpg.defaultKey;
-        signByDefault = nixosConfig.myConfig.git.signByDefault;
+        signByDefault = nixosConfig.jalr.git.signByDefault;
      };
      extraConfig = {
        init.defaultBranch = "main";
@ -153,4 +153,7 @@
      };
    };
  };
  home.packages = with pkgs; [
    git-crypt
  ];
 }
--- a/home-manager/modules/gnuradio.nix
+++ b/home-manager/modules/gnuradio.nix
@ -8,6 +8,6 @@ let
      pkgs.gnuradio3_8Packages;
  };
 in
-(lib.mkIf nixosConfig.myConfig.gui.enable {
+(lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = [ gnuradioEnv ];
 })
--- a/home-manager/modules/graphics/default.nix
+++ b/home-manager/modules/graphics/default.nix
@ -5,5 +5,6 @@
    ./gimp.nix
    ./inkscape.nix
    ./krita.nix
    ./lightburn.nix
  ];
 }
--- a/home-manager/modules/graphics/gimp.nix
+++ b/home-manager/modules/graphics/gimp.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    gimp
  ];
--- a/home-manager/modules/graphics/inkscape.nix
+++ b/home-manager/modules/graphics/inkscape.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    inkscape
  ];
--- a/home-manager/modules/graphics/krita.nix
+++ b/home-manager/modules/graphics/krita.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    krita
  ];
--- a/home-manager/modules/graphics/lightburn.nix
+++ b/home-manager/modules/graphics/lightburn.nix
@ -0,0 +1,7 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    lightburn-sandbox
  ];
 }
--- a/home-manager/modules/gui.nix
+++ b/home-manager/modules/gui.nix
@ -1,6 +1,7 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    evince
    gcr # required for pinentry-gnome
    geeqie
    mpv
--- a/home-manager/modules/jameica.nix
+++ b/home-manager/modules/jameica.nix
@ -1,5 +1,5 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    jameica
  ];
--- a/home-manager/modules/kicad.nix
+++ b/home-manager/modules/kicad.nix
@ -1,5 +1,5 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    kicad
  ];
--- a/home-manager/modules/mpv.nix
+++ b/home-manager/modules/mpv.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    mpv
  ];
--- a/home-manager/modules/mute-indicator.nix
+++ b/home-manager/modules/mute-indicator.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    mute-indicator
  ];
--- a/home-manager/modules/neovim.nix
+++ b/home-manager/modules/neovim.nix
@ -88,81 +88,87 @@
        -- init.lua
        -- this configuration applies to servers and workstations
      ''
-    ] ++ lib.optional nixosConfig.myConfig.workstation.enable ''
+    ] ++ lib.optional nixosConfig.jalr.workstation.enable (
-      -- this configuration applies to workstations only
+      ''
-      -- https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md
+        -- this configuration applies to workstations only
-      local lsp = require('lspconfig')
+        -- https://github.com/neovim/nvim-lspconfig/blob/master/doc/server_configurations.md
-
+        local lsp = require('lspconfig')
-      -- C and C++
+      '' +
-      lsp.ccls.setup {
+      builtins.concatStringsSep "\n" (
-        on_attach = on_attach,
+        lib.mapAttrsToList
-        cmd = { "${pkgs.ccls}/bin/ccls" },
+          (
-      }
+            lang: cfg: "lsp.${lang}.setup\n" + lib.generators.toLua { } cfg
-
+          )
-      -- Nix
+          {
-      lsp.rnix.setup {
+            # C and C++
-        on_attach = on_attach,
+            ccls = {
-        cmd = { "${pkgs.rnix-lsp}/bin/rnix-lsp" },
+              cmd = [ "${pkgs.ccls}/bin/ccls" ];
      }
      -- Python
      lsp.pylsp.setup {
        on_attach = on_attach,
        cmd = { "${pkgs.python310Packages.python-lsp-server}/bin/pylsp" },
        settings = {
          -- https://github.com/python-lsp/python-lsp-server/blob/develop/CONFIGURATION.md
          pylsp = {
            plugins = {
              flake8 = {
                enabled = true;
                executable = "${pkgs.python310Packages.flake8}/bin/flake8";
              };
              jedi_completion = { enabled = true; };
              jedi_definition = { enabled = true; };
              jedi_hover = { enabled = true; };
              jedi_references = { enabled = true; };
              jedi_signature_help = { enabled = true; };
              jedi_symbols = { enabled = true; };
              mccabe = { enabled = true; };
              preload = { enabled = true; };
              pycodestyle = { enabled = true; };
              pyflakes = { enabled = true; };
              rope_completion = { enabled = true; };
              yapf = { enabled = true; };
            };
          };
        };
      }
-      -- Ruby
+            # Nix
-      lsp.solargraph.setup {
+            rnix = {
-        on_attach = on_attach,
+              cmd = [ "${pkgs.rnix-lsp}/bin/rnix-lsp" ];
-        cmd = { "${pkgs.solargraph}/bin/solargraph", "stdio" },
+            };
      }
-      -- Rust
+            # Python
-      lsp.rust_analyzer.setup {
+            pylsp = {
-        on_attach = on_attach,
+              cmd = [ "${pkgs.python310Packages.python-lsp-server}/bin/pylsp" ];
-        cmd = { "${pkgs.rust-analyzer}/bin/rust-analyzer" },
+              settings = {
-      }
+                # https://github.com/python-lsp/python-lsp-server/blob/develop/CONFIGURATION.md
                pylsp = {
                  plugins = {
                    flake8 = {
                      enabled = true;
                      executable = "${pkgs.python310Packages.flake8}/bin/flake8";
                    };
                    jedi_completion = { enabled = true; };
                    jedi_definition = { enabled = true; };
                    jedi_hover = { enabled = true; };
                    jedi_references = { enabled = true; };
                    jedi_signature_help = { enabled = true; };
                    jedi_symbols = { enabled = true; };
                    mccabe = { enabled = true; };
                    preload = { enabled = true; };
                    pycodestyle = { enabled = true; };
                    pyflakes = { enabled = true; };
                    rope_completion = { enabled = true; };
                    yapf = { enabled = true; };
                  };
                };
              };
            };
-      -- Bash
+            # Ruby
-      lsp.bashls.setup {
+            solargraph = {
-        on_attach = on_attach,
+              cmd = [ "${pkgs.solargraph}/bin/solargraph" "stdio" ];
-        cmd = { "${pkgs.nodePackages.bash-language-server}/bin/bash-language-server", "start" },
+            };
      }
-      -- Terraform
+            # Rust
-      lsp.terraform_lsp.setup {
+            rust_analyzer = {
-        on_attach = on_attach,
+              cmd = [ "${pkgs.rust-analyzer}/bin/rust-analyzer" ];
-        cmd = { "${pkgs.terraform-lsp}/bin/terraform-lsp", "serve" },
+            };
      }
-      -- YAML
+            # Bash
-      lsp.yamlls.setup {
+            bashls = {
-        on_attach = on_attach,
+              cmd = [ "${pkgs.nodePackages.bash-language-server}/bin/bash-language-server" "start" ];
-        cmd = { "${pkgs.nodePackages.yaml-language-server}/bin/yaml-language-server", "--stdio" },
+            };
-      }
+
-    ''
+            # Terraform
            terraform_lsp = {
              cmd = [ "${pkgs.terraform-lsp}/bin/terraform-lsp" "serve" ];
            };
            # YAML
            yamlls = {
              cmd = [ "${pkgs.nodePackages.yaml-language-server}/bin/yaml-language-server" "--stdio" ];
              settings = {
                yaml = {
                  keyOrdering = false;
                };
              };
            };
          }
      )
    )
  );
 }
--- a/home-manager/modules/obs-studio/default.nix
+++ b/home-manager/modules/obs-studio/default.nix
@ -2,7 +2,7 @@
 {
  programs.obs-studio = {
-    enable = nixosConfig.myConfig.gui.enable;
+    enable = nixosConfig.jalr.gui.enable;
    plugins = with pkgs; [
      obs-studio-plugins.wlrobs
    ];
--- a/home-manager/modules/openscad.nix
+++ b/home-manager/modules/openscad.nix
@ -1,5 +1,5 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    openscad
  ];
--- a/home-manager/modules/pass.nix
+++ b/home-manager/modules/pass.nix
@ -19,7 +19,7 @@ in
    pw
  ] ++
  (
-    if nixosConfig.myConfig.gui.enable
+    if nixosConfig.jalr.gui.enable
    then with pkgs; [
      qtpass
      pass-wayland
--- a/home-manager/modules/pcmanfm.nix
+++ b/home-manager/modules/pcmanfm.nix
@ -1,5 +1,5 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    pcmanfm
  ];
--- a/home-manager/modules/python.nix
+++ b/home-manager/modules/python.nix
@ -1,5 +1,5 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.workstation.enable {
+lib.mkIf nixosConfig.jalr.workstation.enable {
  home.packages = with pkgs; [
    python310
    python310Packages.virtualenv
--- a/home-manager/modules/sound/audacity.nix
+++ b/home-manager/modules/sound/audacity.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    audacity
  ];
--- a/home-manager/modules/sound/easyeffects.nix
+++ b/home-manager/modules/sound/easyeffects.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    easyeffects
  ];
--- a/home-manager/modules/sound/pipewire.nix
+++ b/home-manager/modules/sound/pipewire.nix
@ -1,6 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    easyeffects
    pavucontrol
--- a/home-manager/modules/sway/default.nix
+++ b/home-manager/modules/sway/default.nix
@ -3,7 +3,7 @@
 let
  solarized = import ../solarized.nix;
  terminalEmulator =
-    if nixosConfig.myConfig.terminalEmulator == "alacritty"
+    if nixosConfig.jalr.terminalEmulator == "alacritty"
    then
      pkgs.writeShellScript "alacritty-sway-cwd" ''
        this_alacritty_pid="$(${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq -e 'recurse(.nodes[]?) | select((.focused==true) and (.app_id=="Alacritty")).pid')"
@ -18,7 +18,7 @@ let
        exec ${pkgs.alacritty}/bin/alacritty
      ''
-    else nixosConfig.myConfig.terminalEmulator;
+    else nixosConfig.jalr.terminalEmulator;
  cfg = config.wayland.windowManager.sway.config;
  wallpaper = pkgs.fetchurl {
    url = "https://raw.githubusercontent.com/swaywm/sway/3b2bc894a5ebbcbbd6707d45a25d171779c2e874/assets/Sway_Wallpaper_Blue_1920x1080.png";
@ -29,13 +29,14 @@ let
  move-to-output = pkgs.callPackage ./move-to-output { };
 in
 {
-  imports = lib.optionals nixosConfig.myConfig.gui.enable [
+  imports = lib.optionals nixosConfig.jalr.gui.enable [
    ./gammastep.nix
    ./waybar.nix
    ./wofi.nix
    ./wofi-bluetooth.nix
    ./yubikey-touch-detector.nix
  ];
-} // (lib.mkIf nixosConfig.myConfig.gui.enable {
+} // (lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
    sway-contrib.grimshot # screenshots
    wdisplays # graphical output manager
@ -215,7 +216,7 @@ in
        #"Shift_R+Shift" = "exec ${pkgs.dbus}/bin/dbus-send --session --type=method_call --dest=net.sourceforge.mumble.mumble / net.sourceforge.mumble.Mumble.stopTalking";
-        "XF86AudioMute" = "exec pactl set-source-mute alsa_input.usb-BEHRINGER_UMC202HD_192k-00.analog-stereo toggle";
+        "XF86AudioMute" = "exec pactl set-source-mute alsa_input.usb-BEHRINGER_UMC202HD_192k-00.HiFi__umc202hd_mono_in_U192k_0_1__source toggle";
        "${cfg.modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock -f -i ${wallpaper}";
      };
@ -250,6 +251,13 @@ in
        ];
      };
      window.commands = [
        {
          criteria = { app_id = "firefox"; title = "Firefox — Sharing Indicator"; };
          command = "kill";
        }
      ];
      window.border = 2;
      gaps = {
        inner = 6;
--- a/home-manager/modules/sway/waybar.nix
+++ b/home-manager/modules/sway/waybar.nix
@ -14,10 +14,6 @@ let
    fi
  '';
  # nerd fonts are abusing arabic which breaks latin text
  # context: https://github.com/Alexays/Waybar/issues/628
  lrm = "&#8206;";
  # for fine-grained control over spacing
  thinsp = "&#8201;";
@ -70,14 +66,14 @@ in
        { class = "inactive"; };
      on-click = toggleUserUnitState "gammastep";
      return-type = "json";
-      format = "";
+      format = "󰌵";
      tooltip = false;
    };
    idle_inhibitor = {
      format = "{icon}";
      format-icons = {
-        activated = " ";
+        activated = "󰈈 ";
-        deactivated = " ";
+        deactivated = "󰈉 ";
      };
    };
    "custom/screencast" = {
@ -103,7 +99,7 @@ in
                    print(f"Invalid action {action} (in line {line})", file=sys.stderr)
                if active_outputs > 0:
-                    print("${lrm} ")
+                    print("󱒃")
                else:
                    print()
@ -114,15 +110,15 @@ in
    };
    backlight = {
      format = "{percent}% {icon}";
-      format-icons = [ " " " " " " " " " " " " " " ];
+      format-icons = [ "󰛩" "󱩎" "󱩏" "󱩐" "󱩑" "󱩒" "󱩓" "󱩔" "󱩕" "󱩖" "󰛨" ];
      on-scroll-up = "${pkgs.brightnessctl}/bin/brightnessctl -q set +5%";
      on-scroll-down = "${pkgs.brightnessctl}/bin/brightnessctl -q set 5%-";
    };
    mpd = {
      server = config.services.mpd.network.listenAddress;
-      format = "{stateIcon} {consumeIcon}{randomIcon}{repeatIcon}{singleIcon}{artist} – {title} ({elapsedTime:%M:%S}/{totalTime:%M:%S}) ";
+      format = "{stateIcon} {consumeIcon}{randomIcon}{repeatIcon}{singleIcon}{artist} – {title} ({elapsedTime:%M:%S}/{totalTime:%M:%S}) 󰎈";
-      format-disconnected = "Disconnected ";
+      format-disconnected = "Disconnected 󰎈";
-      format-stopped = "{consumeIcon}{randomIcon}{repeatIcon}{singleIcon}Stopped ";
+      format-stopped = "{consumeIcon}{randomIcon}{repeatIcon}{singleIcon}Stopped 󰎈";
      unknown-tag = "N/A";
      interval = 2;
      tooltip-format = "MPD (connected)";
@ -132,45 +128,45 @@ in
      title-len = 48;
      artist-len = 24;
      consume-icons = {
-        on = " ";
+        on = "󰩫  ";
      };
      random-icons = {
-        off = "劣 ";
+        off = "󰒞 ";
-        on = "列 ";
+        on = "󰒝 ";
      };
      repeat-icons = {
-        on = "凌 ";
+        on = "󰑖 ";
      };
      single-icons = {
-        on = "綾 ";
+        on = "󰑘 ";
      };
      state-icons = {
-        paused = "";
+        paused = "󰏤 ";
-        playing = "契";
+        playing = "󰐊 ";
      };
    };
    pulseaudio = {
      format = "{volume}% {icon} {format_source}";
-      format-bluetooth = "{volume}% {icon} {format_source}";
+      format-bluetooth = "{volume}% {icon}󰗾{format_source}";
-      format-bluetooth-muted = "${lrm}ﱝ${lrm}  {icon} {format_source}";
+      format-bluetooth-muted = "{icon}󰗿{format_source}";
-      format-muted = "${lrm}ﱝ${lrm}  {format_source}";
+      format-muted = "󰝟 {format_source}";
-      format-source = "{volume}% ${thinsp}";
+      format-source = "{volume}% ${thinsp}";
-      format-source-muted = "${thinsp}";
+      format-source-muted = "${thinsp}";
      format-icons = {
-        car = " ";
+        car = "󰄋 ";
-        default = [ "奄" "奔" "墳" ];
+        default = [ "󰕿" "󰖀" "󰕾" ];
-        hands-free = " ";
+        hands-free = "󰋎";
-        headphone = " ";
+        headphone = "󰋋";
-        headset = " ";
+        headset = "󰋎";
-        phone = " ";
+        phone = "󰏲";
-        portable = " ";
+        portable = "󰏲";
      };
      on-click-right = "${pkgs.pavucontrol}/bin/pavucontrol";
    };
    network = {
-      format-wifi = "{essid} ({signalStrength}%) 直 ";
+      format-wifi = "{essid} ({signalStrength}%) 󰖩 ";
-      format-ethernet = "{ipaddr}/{cidr}  ";
+      format-ethernet = "{ipaddr}/{cidr} 󰈀 ";
-      format-linked = "{ifname} (No IP)  ";
+      format-linked = "{ifname} (No IP) 󰈀 ";
      format-disconnected = "Disconnected ⚠ ";
      format-alt = "{ifname}: {ipaddr}/{cidr}";
      tooltip = false;
@ -181,7 +177,7 @@ in
      exec = pkgs.writeShellScript "vpn-state" ''
        ${pkgs.iproute}/bin/ip -j link \
          | ${pkgs.jq}/bin/jq --unbuffered --compact-output '
-            [[.[].ifname | select(. | startswith("mullvad"))][] | split("-")[1] + " ${thinsp}"] as $conns
+            [[.[].ifname | select(. | startswith("mullvad"))][] | split("-")[1] + " 󰌾${thinsp}"] as $conns
            | { text: ($conns[0] // ""), class: (if $conns | length > 0 then "connected" else "disconnected" end) }'
      '';
      return-type = "json";
@ -190,11 +186,11 @@ in
    };
    memory = {
      interval = 2;
-      format = "{:2}%  ";
+      format = "{:2}% 󰍛 ";
    };
    cpu = {
      interval = 2;
-      format = "{usage:2}% ﬙ ";
+      format = "{usage:2}%  ";
      tooltip = false;
    };
    temperature = {
@ -208,9 +204,9 @@ in
      interval = 5;
      format = "{capacity}% {icon}";
      format-charging = "{capacity}% ";
-      format-plugged = "{capacity}% ${lrm}ﮣ";
+      format-plugged = "{capacity}% x";
      format-alt = "{time} {icon}";
-      format-icons = [ "" "" "" "" "" "" "" "" "" "" "" ];
+      format-icons = [ "󰂎" "󰁺" "󰁻" "󰁼" "󰁽" "󰁾" "󰁿" "󰂀" "󰂁" "󰂂" "󰁹" ];
      states = {
        critical = 15;
        good = 95;
@ -243,9 +239,9 @@ in
            events_today = []
        if len(events_today) == 0:
-            text = " "
+            text = "󰃮 "
        else:
-            text = f"{len(events_today)}  "
+            text = f"{len(events_today)} 󰃶 "
        print(
            json.dumps(
--- a/home-manager/modules/sway/wofi-bluetooth.nix
+++ b/home-manager/modules/sway/wofi-bluetooth.nix
@ -0,0 +1,5 @@
 { nixosConfig, lib, pkgs, ... }:
 lib.mkIf nixosConfig.jalr.bluetooth.enable {
  home.packages = [ pkgs.wofi-bluetooth ];
 }
--- a/home-manager/modules/tor-browser.nix
+++ b/home-manager/modules/tor-browser.nix
@ -1,10 +1,6 @@
 { nixosConfig, lib, pkgs, ... }:
-lib.mkIf nixosConfig.myConfig.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
  home.packages = with pkgs; [
-    (
+    tor-browser-bundle-bin
      tor-browser-bundle-bin.override {
        useHardenedMalloc = false;
      }
    )
  ];
 }
--- a/home-manager/users/default.nix
+++ b/home-manager/users/default.nix
@ -1,7 +1,7 @@
 { lib, ... }:
 {
-  options.myConfig = {
+  options.jalr = {
    git = {
      user = {
        name = lib.mkOption {
--- a/home-manager/users/jal.nix
+++ b/home-manager/users/jal.nix
@ -98,7 +98,7 @@ in
    ./default.nix
  ];
-  myConfig = {
+  jalr = {
    git = {
      user = {
        name = "Jakob Lechner";
@ -190,7 +190,6 @@ in
        home.packages = with pkgs; [
          mycli
          timetrap
          tradebyte-attendance
          tradebyte-vpn
          # common
@ -198,7 +197,6 @@ in
          bat
          docker-compose
          envsubst
          evince
          exa
          gnupg
          nmap
--- a/home-manager/users/jalr.nix
+++ b/home-manager/users/jalr.nix
@ -5,7 +5,7 @@
    ./default.nix
  ];
-  myConfig = {
+  jalr = {
    git = {
      user = {
        name = "Jakob Lechner";
@ -57,7 +57,6 @@
          bat
          docker-compose
          envsubst
          evince
          exa
          gnupg
          nmap
--- a/hosts/aluminium/configuration.nix
+++ b/hosts/aluminium/configuration.nix
@ -100,7 +100,7 @@ in
          noipv6
          novjccomp
          persist
-          plugin rp-pppoe.so enp2s0
+          plugin pppoe.so enp2s0
          user l8545506
        '';
      };
@ -111,7 +111,6 @@ in
    enable = true;
    algorithm = "zstd";
    memoryPercent = 60;
    numDevices = 1;
    priority = 1;
  };
--- a/hosts/aluminium/hardware-configuration.nix
+++ b/hosts/aluminium/hardware-configuration.nix
@ -35,7 +35,6 @@
    };
    loader.grub = {
      enable = true;
      version = 2;
      device = "/dev/sda";
      extraConfig = ''
        serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
@ -56,7 +55,7 @@
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
-  myConfig = {
+  jalr = {
    bootloader = "grub2";
  };
--- a/hosts/aluminium/services/asterisk.nix
+++ b/hosts/aluminium/services/asterisk.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
  secretConfigFiles = [
    "ari"
@ -158,4 +158,12 @@ in
      }
    ];
  };
  system.activationScripts.symlink-asterisk-sounds-de = lib.stringAfter [ "var" ] ''
    sounds="/var/lib/asterisk/sounds"
    sounds_de="$sounds/de"
    mkdir -p "$sounds"
    [ -L "$sounds_de" ] && rm "$sounds_de"
    ln -s "${pkgs.asterisk-sounds-de}/" "$sounds_de"
  '';
 }
--- a/hosts/aluminium/services/dnsmasq.nix
+++ b/hosts/aluminium/services/dnsmasq.nix
@ -6,33 +6,30 @@ in
 {
  services.dnsmasq = {
    enable = true;
-
+    settings = {
-    extraConfig = ''
+      listen-address = [
-      listen-address=192.168.0.1
+        "192.168.0.1"
-      listen-address=192.168.1.1
+        "192.168.1.1"
-      interface=lo
+      ];
-
+      interface = "lo";
-      expand-hosts
+      expand-hosts = true;
-      domain=lan.kbh.jalr.de
+      domain = "lan.kbh.jalr.de";
-      dhcp-range=192.168.0.20,192.168.0.254,4h
+      dhcp-range = [
-      dhcp-range=192.168.1.20,192.168.1.254,4h
+        "192.168.0.20,192.168.0.254,4h"
-
+        "192.168.1.20,192.168.1.254,4h"
-      #dhcp-boot=lpxelinux.0,aluminium,192.168.0.1
+      ];
-
+      cache-size = 10000;
-      cache-size=10000
+      dns-forward-max = 1000;
-      dns-forward-max=1000
+      no-hosts = true;
-
+      addn-hosts = "${pkgs.writeText "hosts.dnsmasq" ''
      no-hosts
      addn-hosts=${pkgs.writeText "hosts.dnsmasq" ''
        192.168.0.1 aluminium unifi
-      ''}
+      ''}";
-    '';
+      server = [
-
+        "142.250.185.78" # dns.as250.net
-    servers = [
+        "2001:470:20::2" # ordns.he.net
-      "142.250.185.78" # dns.as250.net
+        "74.82.42.42" # ordns.he.net
-      "2001:470:20::2" # ordns.he.net
+      ];
-      "74.82.42.42" # ordns.he.net
+    };
    ];
  };
  networking.firewall = {
--- a/hosts/cadmium/configuration.nix
+++ b/hosts/cadmium/configuration.nix
@ -37,10 +37,6 @@
  programs.mtr.enable = true;
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
  services.ofono.enable = true;
  services.udisks2.enable = true;
  # udevadm info --name /dev/foo --query all
@ -50,8 +46,9 @@
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", GROUP="users", MODE="0660"
  '';
-  myConfig = {
+  jalr = {
    bootloader = "systemd-boot";
    bluetooth.enable = true;
    uefi.enable = true;
    gui.enable = true;
    workstation.enable = true;
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -14,11 +14,16 @@
    system = "x86_64-linux";
  };
  weinturm-pretix-prod = {
-    system = "x86_64-linux";
+    system = "aarch64";
-    targetHost = "91.107.235.15";
+    targetHost = "142.132.185.70";
  };
  iron = {
    system = "x86_64-linux";
-    targetHost = "192.168.42.1";
+    #targetHost = "192.168.42.1";
    targetHost = "jalr-bw.duckdns.org";
  };
  magnesium = {
    system = "aarch64";
    targetHost = "162.55.35.199";
  };
 }
--- a/hosts/hafnium/configuration.nix
+++ b/hosts/hafnium/configuration.nix
@ -42,14 +42,12 @@
  programs.mtr.enable = true;
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
  services.ofono.enable = true;
  services.udisks2.enable = true;
-  myConfig = {
+  jalr = {
    bootloader = "systemd-boot";
    bluetooth.enable = true;
    uefi.enable = true;
    gui.enable = true;
    workstation.enable = true;
@ -108,7 +106,7 @@
    };
  };
-  services.dnsmasq.servers = [
+  services.dnsmasq.settings.server = [
    "/vpce-0de71527ea27288f3-9op2d61c-eu-central-1b.s3.eu-central-1.vpce.amazonaws.com/10.170.254.30"
    "/vpce-0de71527ea27288f3-9op2d61c.s3.eu-central-1.vpce.amazonaws.com/10.170.254.30"
    "/ccs.tradebyte.com/10.170.254.30"
--- a/hosts/iron/configuration.nix
+++ b/hosts/iron/configuration.nix
@ -36,7 +36,6 @@ with lib; {
    ./services
  ];
  config = {
    system.stateVersion = "22.11";
    security.sudo.wheelNeedsPassword = false;
@ -48,20 +47,20 @@ with lib; {
      networkmanager.enable = false;
      interfaces = {
-        enp3s4.ipv4.addresses = [{
+        enp2s4.ipv4.addresses = [{
          address = "192.168.42.1";
          prefixLength = 24;
        }];
-        enp4s5 = {
+        enp3s5 = {
          useDHCP = true;
        };
      };
      nat = {
        enable = true;
-        externalInterface = "enp4s5";
+        externalInterface = "enp3s5";
        internalInterfaces = [
-          "enp3s4"
+          "enp2s4"
        ];
      };
@ -75,7 +74,7 @@ with lib; {
    services.radvd = {
      enable = true;
      config = ''
-        interface enp3s4 {
+        interface enp2s4 {
          AdvSendAdvert on;
          prefix ::/64 {
            AdvOnLink on;
@ -90,10 +89,10 @@ with lib; {
      noipv6rs
      waitip 6
-      interface enp4s5
+      interface enp3s5
        ipv6rs
        ia_na 1
-        ia_pd 1/::/64 enp3s4/0/64
+        ia_pd 1/::/64 enp2s4/0/64
    '';
    boot = {
@ -132,7 +131,6 @@ with lib; {
          enable = true;
          devices = (map (diskName: devNodes + diskName) disks);
          efiInstallAsRemovable = removableEfi;
          version = 2;
          copyKernels = true;
          efiSupport = true;
          zfsSupport = true;
@ -181,5 +179,14 @@ with lib; {
      efiSystemPartitions);
    hardware.enableRedistributableFirmware = true;
    virtualisation.containers.storage.settings = {
      storage = {
        driver = "zfs";
        graphroot = "/var/lib/containers/storage";
        runroot = "/run/containers/storage";
        options.zfs.fsname = "rpool/nixos/podman";
      };
    };
  };
 }
--- a/hosts/iron/secrets.yaml
+++ b/hosts/iron/secrets.yaml
@ -1,6 +1,13 @@
 duckdns-secret: ENC[AES256_GCM,data:SAf/xZ28tgmvqcVKC2tMNRm838AVMMNCC3fpYLXBEIoTl7E7,iv:+KTEpNMj0+aVCGKB1dRFFslgjpBhSzBZFdee+VIAt4o=,tag:C/eSyoQjAgD7Qv4J4jsp4g==,type:str]
 sturzbach-htpasswd: ENC[AES256_GCM,data:qqBwu6mASnRqjy65knU4uIvBNXXgrfcmvWnbmOH4tVQ7vRbpEhe/GQDwAg==,iv:OQnDOzezjajGl35m/u5StQeMRR+1sNDD5u1my1wTngQ=,tag:7zjVRWI1IzZ5iS3sFHLubg==,type:str]
 navidrome-password-encryption-key: ENC[AES256_GCM,data:ynQsFyGDEBnlWhTlv0mF7mLiXOjijq9ixWWEa1OXsTOYAd74dU0dp3Fo532WtD4fPvIWEf8Y2dYmY7zPVLuydQ==,iv:GJqPVL5OIFPLMcCVOjWvMjyFR4iTXo3uGE8R0keTzG0=,tag:RTERQgYRxBBevlL2H1lIWA==,type:str]
 wireguard_key_hetzner-ha: ENC[AES256_GCM,data:ak/KpQIHBNRPriJ1IeKYXIp4CcnygRHSj5MzZNnuxQnVunmmtzGu0lBEajA=,iv:aNw3EooT6XE1zC+g37WSJasRCfnNUaKQrYCDBMTxRrg=,tag:KXc70tVFc7xDLlefk1Hzow==,type:str]
 hetzner-api-key: ENC[AES256_GCM,data:7eWYncujkEytQzhRdNRItPgpz1eUvcyp2PVLJtHbqd8=,iv:AxoKJUuor32kC3ZdpkDPUEUlPRosY6cKoWx0TIGK9wA=,tag:SVtXMraGxnJnx/j3zMQnQw==,type:str]
 rspamd-worker-controller: ENC[AES256_GCM,data:7tS8bEr9i5F+YZoj3uPQa6Xd2SCsuC+jE531AbKEmPHNeL3qMyO0pQZ/P1ONaPHTVMOPQHYABihDJcZv0BKW,iv:pFBVi4F661fnYPcCPwuetiGL1H+RAnJiFQhTUqGNwjU=,tag:xQoHIEQpnrMOnXqsH8anxQ==,type:str]
 dkim-keys:
    jalr.de.default: ENC[AES256_GCM,data:mnApsYKXYGtUAHddccmNmU9yZQtekDkTiTXbJ0UJxC0rFxzQCtGsinQslIROJdNUxsxciR1ilNzxawzjJD7AaWJbcAq2TYObGJJOQZBif7t/XEN/rIxEmnAFmdeAyrSONmFb9DiEn59m6DpsU+/9Y+hnc/uwwbzueO34WHJnTqmmsxFVNQZfGR+cbSckHS3wZrfjZSKKzCRt+9DU/xxJ4voyowXLO77w00LHVkyU5liwONi0v2XJ+QeP/jIMmJeKjujZcH+qvUm/kukijqyWKGrZoAYPC2cBlL/UrNECuVdSLMXvr4KBDDTCRZCSMRgUPJ0TAfpQPTPitKJ/0igK7qQl9n/6hckY7VyP8KDS7J7G2Z2XVxfZrAR4X/7ya9B2kneVr2CNx3w954EdTcV1/lD7rcKRjKynyl3ddf8gxJFJ21k1ybo2RLnftGCRVq25qNwhyfjU8x5c7AEs+YTPDrcnmxZ/Ui276eLwpMj61oZzTp8QQhiBVwS/+ruRLC+78pu2gb1gBF/Oo3nuvQD1SOpCRikLVewCYDvfXj/hrjo+oCsjTOj+9tWRcRAEDVlhkXWCMuPXDYrdt3HrIWbQuP8NW1ezd1Ll0r1ujjtPJeSwdd8cVcUSBIoA5gU+eXnYjFaSx9BZ+sIfKqG//W3S+aBYDqAEK/z4N5q66sReb5mtSQYfbZuIZDmox9bwNMG3tJmQX0lJZgEIiuJ5/ef4ra0sj9JsRFldmIn9KUmjW9OlIwzQ42cNNvQSMD/6haNiYsE6TPzVylJ/B2kNu9Qh5FfpCIPtVORv2BAGoNvZlyhjyEiXBEZ4x2hx1l5cBwGOaGhoJ0p+1wqn2zDalIBaEFjbBVdIB6DPC6/lccvpqSwF7HvW2ugyYhW+u92vgic71/BsI4i0OlsJV18gU/zVg0Yj8SK69kEwm4wkJTrkM/I4+kkUIc5OiSAknRfjOFJc0etkh3nO34xpHLOkSv9DrKfXSAGmGZtCLtVL5LGdZeCd/g6EK0JJh6bd9Gu9koSJVq5vjdDJJFf+sgk39TCvHAvk8k1/FgdK5jMJ+pR8heJtP8G96ay3DFVm5hpbjuNKqfBvbf2rkyV6++ywRFnAQGPUiMn9g6Q4F5Ks7CC1D0Ubl7b3dCUk6BDi8rHjxy9QS0/25Yz9cF0bFd6XQDfblnyRLMi9aB36M9Vp38Oh5aB16MyvNUHzcxpaAak0yknE6OuuEMBPQZgFVADCITfy9eUXl2FoXrMWEnBO78GybQ+cV8nhynn5t0U+3koMy2E8ju5kiEofQxXylys3Q76iKRRUbQqFkh/ndWtJVVfGNpi1GrUr1w1YZM0hBY9FqqeBjf7ckj+9BdiwWJ0XauuR70o7odm02mydk1/T3Hfzt3OE5nHIXnVbum9KyPx8wXj9qc6JGFm558pQOcRUgGUi+EzGoGckkoLx4Onl+XeGysW5sXP9dbYgMBug0Tjmdo9xkoBti6znDnN/zh93bbzWITNvxMgVs8zSWEhlM0c7F02UeUXSekbTFue5FOaMdYObMvPeb53jAKBOYLr34GVFvucJhKajIaNzDvfiI6fGCMxcSsWk+P3co7gdbRlWYZELsKDu2scktZsHr/gRwRiDZXAWOLiWZL4jswQ1vXSFXJgdblEV//hr2DwsAtCAsyFcgO/LGq30xi3xNqHTkUZXo6cZYSb6EVaIywMCI5ySEnTLAp/xedySANHuo8yyVqyLxkDPI7CnnSS7JcnQF3K5z+NZ0KnIpc1ewGupOhS0fKj31XxUkoSsHEY/iWJPLNA8+4VsBkADnGdkYXHTvy/yAGV6w1k1qtjiWhDAGcE9/o6NOHctYm3cx8CVsLpve/WFUaCkGgjWJdC8XP92xsUQoE6PENn6ZzFaqGHs7hgQqE1kBcEj8N5WkEqkoMo82giHE33iYoVUdkjOTkV4iDGEqyjg1BoM0GedR2A832LseDkP7u4DjIAQfpIDu7PaeiDh7xWkPRwIMV0oDTakXTdPkPGdgFikzTaxkTzRlpCbQuV769eITqVT04kJDp7+0Rb6dtjeXc0Ennv68wZSiyrlmXbrJntg7g1wrebq28q9NMIZETAPugfK6wNDu/Iw1q1kZn2ELo6xaDlcIxHDcpzK7e2VAYYuP1k3sYnSLU3oeq54j3/yS2z1me5FEqWlPOCrjdnLkE3/GjbeMsYo2YTYJEUEd2ncacSCoXUaUoxpBnjRYcHLRUV+6jy7Amp0/52rAPzSeVlBzc+SdNiKLYA2UQ74WrMU596Gkhw1SD8jSM5QqSBhH9sL+oE4GjhjLhstMUPdkNgiwxXDTZLKcIyjN1cn+RSmvNA2KXMH6MoXrkqSkJ9u2s0QAhla51zR/LZwWbzwGOO0dkh3rwh2x+pcCfuzvlk3lYr/x5XOF2k1n8yvehXY5zIX8nk6djjLbvAzzSr/yalS7R0WYIc6CjzoUl3qz+PlneMfKHcaX00hkOlIub/ZFQf1RE+JzZxi0qQq4M8Nt1XRKGDeS448Z6znDpedStUH29krZcnjMtyLmPX7ETTsjr3HLpCOd7MQ2K1rfhmvh5BtJkn1KSUf94puZbkLH7X+WnWN0hsc+KbSXnYZvqwJ8G0/7ptp/Q+wGljqhjv+HhOeA3NUwANv1xWgbiymVIlxCodXtQwn8mxS+jxSvslGwOnyUkTT76IbFbv/IpW6PNvj/xqwOqey8a/4WCGcqs403Y7TKQ+xCflG6K3tL7U5UbMnMgXTeZvoK+DooS2eIepF2WB5XqTuOZJV2OQ6GHfaBMjXN9iGVNLi6XgkbpmcMLQ4TZq+dVmgleJb14IaTFD3n74OfmbcT9lmRfPRJEpFEMNeL3ghH54P2a91zJFASgE7x+Uv2cGcmKFtMbyc/rrhH1F/Ixlv/R37huFo1T2dPMEZ/1ouuPpbUQ5oz/JlOWw3NOxd0O6oG0x9Xib+9KxSFOusLWcFEgx70jrBQKj8s2Jj+W0gZYv+BJtPMPY0KAkRj1amt4Fd6ZrPOEXJ392EHSAEv5jssO5ba52OHKA+QkYvPPL04rwkxSAQiTl57scnEj2WEIP+Lz0/qsMnwF+3rWuz856doJZcXX+U9iuzBCaYQqA1P3BojAYhEHnXBPeolHOA3BmhT9E2TJsZ6P9SQ+GaqyLm0i4vRXGlArlkLwRBs9EZv/l4DT8q0YHha53O4rhRzGJZKAOO252Dpha1YN7+FubYGAZjaUT5O0R/7xSPrGyBejddtM8asW8+NClAn4Y6xvj1IgUg6VRpEy7ZIpZEQ+UyDWt0A4nsipaz2NyZKZ5Vxza2v1qZDdYODK8nm/zj7fR/JykaNVEVj7ceTSHdaQlajfeEWWTs92msIBcqPUXqlaR005hoVvXm+WCnzIMIXLGiyRKRsAPIDYh2hGCtvfXLSq5TYm3bnGAImL0KW3Yllt1qSqSbOYsvm5QfDmTrrccvtSLGRj0rOU3Z8f4WXjf+1YgxjZ9h8fKL+LKA8x1S6M8fl0JVGBIAU8Xe8c4+r2F1VcygJp7h+0v8o8GudM6in4djAdeMLWBgXid7r0q744joFucP56opwYQp3Lu0oFEo0omS6Rh9yPfOjdGBU2eUdjcCNXXuEJD9yHSyebviSAvDw/KH1AxYSWYnjMWACCfcbOlXf3ej7PuQgq5MdFwF7+QawXm0john4YusUon4/0fqd/IFLd6oHYYesxcFdm1jN6DeS4SAqRgeEPuEWDFERgXjLHBxl5Xdi5n+NOR3Vc7ziJ9j9/CA1DKdwmsFBBDcVKMnr2FibXpN5WsSdlBng0L2zhkL22wRH9xbz8Xk5shN20/EHoxHB5HJvwfOgHIC7ooWKOUUuNTZH43+gVN+wzRzlMfiF4X71Edw+lTnQRp6Lh03M2k9do6JPoX2+UU0h6mOYiAFkhHKzCmK3DY12c4Smx+qLJNbUGhoMgthu/WnXObm0Hr+myCooTYSVNTJx6vVjI3GZtMcat2o8B9k38u/Y5/FxqTYmyXhROwS4v3W5fXwTAaxBqQy6Xj5s4V37omBBh/Z9a43nc2VlT7dKR1wIvNB/gqhiYyYrVMtYMJqGLkeCbu50LUWT4qXyR8uaqbZTVjyJCQRxZd6fd3Zfe9wIeYe3N5qKIXkFD3n1U2Q/EyRfb3TpiA+eYkAtl6JGK0vpeWpN5M2LJ3/V79e3cIG7B7/p6BrRxKxHDnBZcu57KKaN8XM+v2KTz7XdF8bjgeu1V/B9WoBwnpzCM+3s5ffNceuUcb2gJgRAUpZvcSDLYy+9aluGU2Tvsm49fCzr851p3VSEJepgPpnvuq874AX/MbPvqidF8Y21Kss1RUbl5wrlq5IihKdM+xCSq6mjvtSPVHRvw==,iv:2NBiTTW9slOH9BvM+kVbMB/+8EiS/Dc/eaqrtiwn4HY=,tag:0rc2+ZWy9XZYE7RK/oSo3g==,type:str]
 radicale-htpasswd: ENC[AES256_GCM,data:Q0WnleP9I4xozsL/H+5oV3Ag7khfalV40A6ub+DA07U8UKna3/ju533RmjWOnETzSNa6XK140nfCcfGZCiqGyF9tfuuXcKFu+j4=,iv:87PSvHyKF7QUQZmEuxM+IT0VKSGnS0MjoUmCqJ+6tzI=,tag:yrP3TgxE8aSZf0MrCF9dsQ==,type:str]
 synapse-turn-shared-secret: ENC[AES256_GCM,data:Q1XRds3Zud1kYkvD6s9WUzP+kNDNsxB5SHd6oCAaLCHhHhYENSAYTZOF+rGjCPNyKFL0e/A=,iv:zScRQrz+pXHNUh/BGOaV+TVnDR3wu1Z/UO1zXarKwtA=,tag:ckpVziE+yb0FjctcT7tAkg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -16,8 +23,8 @@ sops:
            TjdZRldhSzVtMkVoTzY1NjdGbCswRVUK0pi+8UuLqRmytcR2ikxOAM02iccl8P1y
            ixv0PKPLd+vQ23QeeQy/TfoGx16XttaDUnUrPLZR3TUKtAcld8+m6w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-04T08:42:31Z"
+    lastmodified: "2023-07-10T19:12:08Z"
-    mac: ENC[AES256_GCM,data:30AkNRIZ/w0rn2Q4CTggRRyj1rsE0+Hzvu2HH4s4IXOlgjLqR7TUVqiVjthuJd0XqcwAaYUxVnXtumVXcjYpDi6umjBvZNTDXhB6XnmIIbETmfLppKJiogebF86scS8SSOPWbwS9VbIPhbBUcTLPzAh3KgMCjCNzT+REdZGhsWc=,iv:meLH8Fq7E+nuwQqbU3xcAg05xgbW8GoOgMnQ7MK5NEo=,tag:evY1vmSb749s7VvVErb87A==,type:str]
+    mac: ENC[AES256_GCM,data:69VwkQHqDho4JMTyqRQSjSFdgKNdo0Vut9xp63FmPi1lD2EuKi78Mzt7tsGnRoilG8CS8LW+FSaSB/ywNJYK4bmkYMB2N0XbgAs3gAf4bzqDsEfR/WRRnhzO5eM7x4dE4hkknzv4R39e2ENzkWzpR5EBf7UUJUGZv9UcXSHGiRo=,iv:vRWo0J0BwTVJCriT0PZyNMTXlOTXnLBLAF0VJnADqcI=,tag:P3C6JaZahUsPG+FqnHmmQg==,type:str]
    pgp:
        - created_at: "2023-05-02T19:30:42Z"
          enc: |
--- a/hosts/iron/secrets/mail-users.nix
+++ b/hosts/iron/secrets/mail-users.nix
--- a/hosts/iron/services/default.nix
+++ b/hosts/iron/services/default.nix
@ -3,8 +3,12 @@
    ./dnsmasq.nix
    ./dyndns.nix
    ./jellyfin.nix
    ./mail.nix
    ./matrix
    ./navidrome.nix
    ./nginx.nix
    ./public-ip-tunnel.nix
    ./radicale.nix
    ./sturzbach.nix
    ./unifi-controller.nix
  ];
--- a/hosts/iron/services/dnsmasq.nix
+++ b/hosts/iron/services/dnsmasq.nix
@ -6,29 +6,24 @@ in
 {
  services.dnsmasq = {
    enable = true;
-
+    settings = {
-    extraConfig = ''
+      listen-address = "192.168.42.1";
-      listen-address=192.168.42.1
+      interface = "lo";
-      interface=lo
+      expand-hosts = true;
-
+      domain = "lan.bw.jalr.de";
-      expand-hosts
+      dhcp-range = "192.168.42.20,192.168.42.254,4h";
-      domain=lan.bw.jalr.de
+      cache-size = 10000;
-      dhcp-range=192.168.42.20,192.168.42.254,4h
+      dns-forward-max = 1000;
-
+      no-hosts = true;
-      cache-size=10000
+      addn-hosts = "${pkgs.writeText "hosts.dnsmasq" ''
      dns-forward-max=1000
      no-hosts
      addn-hosts=${pkgs.writeText "hosts.dnsmasq" ''
        192.168.42.1 aluminium unifi
-      ''}
+      ''}";
-    '';
+      server = [
-
+        "142.250.185.78" # dns.as250.net
-    servers = [
+        "2001:470:20::2" # ordns.he.net
-      "142.250.185.78" # dns.as250.net
+        "74.82.42.42" # ordns.he.net
-      "2001:470:20::2" # ordns.he.net
+      ];
-      "74.82.42.42" # ordns.he.net
+    };
    ];
  };
  networking.firewall = {
--- a/hosts/iron/services/dyndns.nix
+++ b/hosts/iron/services/dyndns.nix
@ -11,7 +11,7 @@
    username = "nouser";
    passwordFile = config.sops.secrets.duckdns-secret.path;
    domains = [ "jalr-bw" ];
-    use = "if, if=enp4s5";
+    use = "if, if=enp3s5";
    #usev6=ifv6, ifv6=enp3s4
  };
 }
--- a/hosts/iron/services/jellyfin.nix
+++ b/hosts/iron/services/jellyfin.nix
@ -2,17 +2,6 @@
 {
  services.jellyfin = {
    enable = true;
    package = pkgs.jellyfin.override {
      jellyfin-web = pkgs.jellyfin-web.overrideAttrs (oa: rec {
        version = "10.8.9";
        src = pkgs.fetchFromGitHub {
          owner = "jellyfin";
          repo = "jellyfin-web";
          rev = "v${version}";
          sha256 = "hHZ8HVf8fidd5VPs06kB3/BHBHFxoV3fVObBesqfRJo=";
        };
      });
    };
  };
  systemd.services.jellyfin = {
    serviceConfig = {
--- a/hosts/iron/services/mail.nix
+++ b/hosts/iron/services/mail.nix
@ -0,0 +1,38 @@
 { config, pkgs, ... }:
 {
  sops.secrets.hetzner-api-key = {
    sopsFile = ../secrets.yaml;
    owner = "acme";
  };
  #sops.secrets."domain_key_jalr.de" = {
  #  sopsFile = ../secrets.yaml;
  #  owner = "rspamd";
  #};
  jalr = {
    mailserver = {
      enable = true;
      fqdn = "hha.jalr.de";
      domains = [
        {
          domain = "jalr.de";
          enableDKIM = true;
        }
        {
          domain = "fablab-nea.de";
          enableDKIM = false;
        }
      ];
      users = import ../secrets/mail-users.nix;
      messageSizeLimit = 50 * 1024 * 1024;
    };
  };
  services.postfix.config = {
    smtp_bind_address = "159.69.103.126";
    smtp_bind_address_enforce = true;
  };
  security.acme.certs."hha.jalr.de" = {
    dnsProvider = "hetzner";
    credentialsFile = pkgs.writeText "certbotCredentialsFile" "HETZNER_API_KEY_FILE=${config.sops.secrets.hetzner-api-key.path}";
  };
 }
--- a/hosts/iron/services/matrix/default.nix
+++ b/hosts/iron/services/matrix/default.nix
@ -0,0 +1,5 @@
 {
  imports = [
    ./synapse.nix
  ];
 }
--- a/hosts/iron/services/matrix/synapse.nix
+++ b/hosts/iron/services/matrix/synapse.nix
@ -0,0 +1,107 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.matrix-synapse.settings;
  fqdn = "matrix.jalr.de";
  domain = "jalr.de";
  turnHost = "turn.jalr.de";
 in
 {
  sops.secrets = {
    synapse-turn-shared-secret = {
      owner = "matrix-synapse";
      sopsFile = ../../secrets.yaml;
    };
  };
  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = domain;
      public_baseurl = "https://${fqdn}";
      database.name = "sqlite3";
      listeners = lib.singleton {
        port = 8008;
        bind_addresses = [ "127.0.0.1" "::1" ];
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = lib.singleton {
          names = [ "client" "federation" "metrics" ];
          compress = false;
        };
      };
      turn_uris = [
        "turns:${turnHost}:5349?transport=udp"
        "turns:${turnHost}:5349?transport=tcp"
        "turn:${turnHost}:3478?transport=udp"
        "turn:${turnHost}:3478?transport=tcp"
      ];
      turn_user_lifetime = "1h";
      enable_metrics = true;
      # adapted from https://github.com/NixOS/nixpkgs/blob/7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a/nixos/modules/services/misc/matrix-synapse-log_config.yaml
      #  - set root.level to WARNING instead of INFO
      log_config = pkgs.writeText "log_config.yaml" (builtins.toJSON {
        version = 1;
        formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";
        filters.context = {
          "()" = "synapse.util.logcontext.LoggingContextFilter";
          request = "";
        };
        handlers.journal = {
          class = "systemd.journal.JournalHandler";
          formatter = "journal_fmt";
          filters = [ "context" ];
          SYSLOG_IDENTIFIER = "synapse";
        };
        root = {
          level = "WARNING";
          handlers = [ "journal" ];
        };
        disable_existing_loggers = false;
      });
      max_upload_size = "50M";
      # I’m okay with using matrix.org as trusted key server
      suppress_key_server_warning = true;
      # For mautrix-whatsapp backfilling
      experimental_features.msc2716_enabled = true;
    };
    extraConfigFiles = with config.sops.secrets; [
      synapse-turn-shared-secret.path
    ];
  };
  services.nginx.virtualHosts = {
    "${fqdn}" = {
      enableACME = true;
      forceSSL = true;
      locations."/_matrix" =
        let
          listenerCfg = (lib.elemAt cfg.listeners 0);
        in
        {
          proxyPass = "http://${lib.elemAt listenerCfg.bind_addresses 0}:${toString listenerCfg.port}";
          extraConfig = ''
            client_max_body_size ${cfg.max_upload_size};
          '';
        };
    };
  };
 }
--- a/hosts/iron/services/navidrome.nix
+++ b/hosts/iron/services/navidrome.nix
@ -5,6 +5,7 @@ let
    # https://www.navidrome.org/docs/usage/configuration-options/#available-options
    Address = "127.0.0.1";
    Port = port;
    DevActivityPanel = false;
  };
  passwordEncryptionKeyFile = config.sops.secrets.navidrome-password-encryption-key.path;
  configFile = (pkgs.formats.json { }).generate "navidrome.json" settings;
--- a/hosts/iron/services/nginx.nix
+++ b/hosts/iron/services/nginx.nix
@ -11,8 +11,4 @@
    80
    443
  ];
  security.acme = {
    acceptTerms = true;
    defaults.email = "mail@jalr.de";
  };
 }
--- a/hosts/iron/services/public-ip-tunnel.nix
+++ b/hosts/iron/services/public-ip-tunnel.nix
@ -0,0 +1,57 @@
 { config, lib, pkgs, ... }:
 let
  listenPort = 51000;
  remoteHost = "magnesium.jalr.de";
  remotePort = 51000;
  publicKey = "ABZCQfzlHJ1/iNbWFf6jVvdqSmqjxm3w5bpa0SYclBU=";
  externalIp = "159.69.103.126";
  rtTable = {
    id = 1000;
    name = "hetzner-ha";
  };
 in
 {
  sops.secrets = (
    lib.listToAttrs (map
      (name: lib.nameValuePair "wireguard_key_${name}" {
        sopsFile = ../secrets.yaml;
      })
      [
        "hetzner-ha"
      ]
    )
  );
  networking.iproute2.enable = true;
  networking.iproute2.rttablesExtraConfig = ''
    ${toString rtTable.id} ${rtTable.name}
  '';
  networking.wireguard.interfaces = {
    hetzner-ha = {
      ips = [ "${externalIp}/32" ];
      privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
      listenPort = listenPort;
      table = rtTable.name;
      postSetup = ''
        ${pkgs.iproute2}/bin/ip rule add from ${externalIp} to 192.168.0.0/16 table main priority 10
        ${pkgs.iproute2}/bin/ip rule add from ${externalIp} table ${rtTable.name} priority 20
      '';
      postShutdown = ''
        ${pkgs.iproute2}/bin/ip rule del from ${externalIp} to 192.168.0.0/16 table main priority 10
        ${pkgs.iproute2}/bin/ip rule del from ${externalIp} table ${rtTable.name} priority 20
      '';
      peers = [{
        publicKey = publicKey;
        endpoint = "${remoteHost}:${toString remotePort}";
        persistentKeepalive = 25;
        allowedIPs = [
          "0.0.0.0/0"
        ];
      }];
    };
  };
  networking.firewall.allowedUDPPorts = [ listenPort ];
 }
--- a/hosts/iron/services/radicale.nix
+++ b/hosts/iron/services/radicale.nix
@ -0,0 +1,52 @@
 { config, ... }:
 {
  sops.secrets.radicale-htpasswd = {
    owner = "nginx";
    sopsFile = ../secrets.yaml;
  };
  services.nginx.virtualHosts = {
    "cal.jalr.de" = {
      enableACME = true;
      forceSSL = true;
      basicAuthFile = config.sops.secrets.radicale-htpasswd.path;
      locations."/radicale/" = {
        proxyPass = "http://localhost:5232/";
        recommendedProxySettings = true;
        #basicAuthFile = "";
        extraConfig = ''
          proxy_set_header     X-Script-Name /radicale;
          proxy_set_header     X-Remote-User $remote_user;
        '';
        # proxy_pass_request_headers = on;
        # underscores_in_headers = on;
      };
    };
  };
  services.radicale = {
    enable = true;
    settings = {
      server = {
        hosts = "127.0.0.1:5232,[::1]:5232";
        ssl = false;
      };
      encoding = {
        request = "utf-8";
        stock = "utf-8";
      };
      auth = {
        type = "http_x_remote_user";
      };
      rights = {
        type = "owner_only";
      };
      storage = {
        filesystem_folder = "/var/lib/radicale/collections";
      };
      logging = {
        level = "warning";
      };
    };
  };
 }
--- a/hosts/iron/services/sturzbach.nix
+++ b/hosts/iron/services/sturzbach.nix
@ -1,5 +1,5 @@
 {
-  myConfig.qbittorrent = {
+  jalr.qbittorrent = {
    enable = true;
    downloadDir = "/sturzbach";
    fqdn = "sturzbach.jalr.de";
--- a/hosts/jalr-t520/configuration.nix
+++ b/hosts/jalr-t520/configuration.nix
@ -16,7 +16,6 @@
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    gnome3.adwaita-icon-theme
    vesc-tool
  ];
  environment.variables.EDITOR = "nvim";
@ -24,12 +23,8 @@
  programs.mtr.enable = true;
  programs.wireshark.enable = true;
  hardware.bluetooth.enable = true;
  hardware.sane.enable = true;
  services.blueman.enable = true;
  services.udisks2.enable = true;
  services.avahi.enable = true;
@ -45,8 +40,9 @@
    SUBSYSTEM=="usb", ATTRS{idVendor}=="04e8", ATTRS{idProduct}=="6860", GROUP="dialout", MODE="0660"
  '';
-  myConfig = {
+  jalr = {
    bootloader = "grub2";
    bluetooth.enable = true;
    gui.enable = true;
    workstation.enable = true;
    sdr.enable = true;
@ -55,32 +51,6 @@
    autologin.username = "jalr";
  };
  networking.wg-quick.interfaces.wgkalle = {
    address = [
      "172.16.254.5/24"
      "fd00::604:0:0:ac10:fe05/96"
    ];
    privateKeyFile = "/root/wireguard-keys/wgkalle";
    listenPort = 51820;
    mtu = 1296;
    peers = [
      {
        publicKey = "52kAcBdnrFeSuVupHs0u4diUf6tpF8Esy4vzJAlT5Tc=";
        endpoint = "78.47.224.233:1194";
        #endpoint = "[2a01:4f8:190:6068::2]:1194";
        persistentKeepalive = 60;
        allowedIPs = [
          "0.0.0.0/0"
          "::/0"
        ];
      }
    ];
  };
  networking.firewall.allowedUDPPorts = [
    51820 # wireguard
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/magnesium/configuration.nix
+++ b/hosts/magnesium/configuration.nix
@ -0,0 +1,60 @@
 { config, lib, pkgs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../home-manager/users/jalr.nix
    ./services
  ];
  networking.hostName = "magnesium";
  services.openssh.enable = true;
  security.sudo.wheelNeedsPassword = false;
  networking.useDHCP = false;
  systemd.network = {
    enable = true;
    networks."10-wan" = {
      matchConfig.Name = "enp1s0";
      networkConfig.DHCP = "no";
      address = [
        "162.55.35.199/32"
        "2a01:4f8:c012:21ba::/64"
      ];
      routes = [
        {
          routeConfig.Destination = "172.31.1.1";
        }
        {
          routeConfig = {
            Gateway = "172.31.1.1";
            GatewayOnLink = true;
          };
        }
        {
          routeConfig.Gateway = "fe80::1";
        }
      ];
    };
  };
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  jalr = {
    bootloader = "systemd-boot";
    uefi.enable = true;
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/magnesium/hardware-configuration.nix
+++ b/hosts/magnesium/hardware-configuration.nix
@ -0,0 +1,54 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a";
      fsType = "btrfs";
      options = [
        "subvol=root"
        "compress=zstd"
      ];
    };
  fileSystems."/home" =
    {
      device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a";
      fsType = "btrfs";
      options = [
        "subvol=home"
        "compress=zstd"
      ];
    };
  fileSystems."/nix" =
    {
      device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a";
      fsType = "btrfs";
      options = [
        "subvol=nix"
        "compress=zstd"
        "noatime"
      ];
    };
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/7836-0C48";
      fsType = "vfat";
    };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
--- a/hosts/magnesium/secrets.yaml
+++ b/hosts/magnesium/secrets.yaml
@ -0,0 +1,33 @@
 wireguard_key_hetzner-ha: ENC[AES256_GCM,data:HEW+EalHg6/mq7pRKZkasGz0nqbkSppkf0H/uV5QMJnWwKw9a9W21Y77OSw=,iv:OA6yml1T5kVafX0RYd0Es7DHcGjJazUxP2M6a5Pwkag=,tag:lX5UPIseIQ136HLrHbzZyw==,type:str]
 turn-static-auth-secret: ENC[AES256_GCM,data:rzhixUemFPwKj1BcVPZd7KtUO9OA6A2R4qEQ1BZGVG0=,iv:uYHYe4Cywxovt3b/Ho1tQVHrpgVic+AKh9AjYMYSZcM=,tag:rr8RW/if06t38GpZCYQB4w==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwa0ZIdE9lc2lNZlN0UFBU
            RWdxQm1oR01GemJOSE9ZU1RYc3crRGg5REF3ClUzaEhyelZNTVUxeEwvc1V3eDBt
            SUx0UXU0aTdnTGlTaWJvd2R6ajZmNVkKLS0tICszejE3WVNOTHR6Rms2bjQrbzEz
            Vlk3Y1luTTg3bkpqNTNPUGlNYmNtMW8K9dEUwAuzvDZZoVi8FPZQ7/h75EV0L+VM
            MlTGfEt38Hi7EOw+yfXvXYHse/OKypwcrPiJDT6IT/E+O9BJCjPKCA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-07-10T19:12:04Z"
    mac: ENC[AES256_GCM,data:cDwrW1odloAedY7tdKLPg52UTehlTrs3+lAH0ksaGGDXzQCsVNlfzR86SRGQY2s98cu7+9j5azhWSU9slDZcTIk4VWL2i8ZtVpD8KFtut0WiwWaGf2/KLe80GGw3lr4Rm491YDvv7JcUsEuCG3lAQFZzAlZcfl0faFpzYvpTk30=,iv:yeyRjURArUaG0HzcVP0Wm9n0oVHb+u4zNdaQbrC+EaM=,tag:9uFNd3CSSFjToeawBtMNHg==,type:str]
    pgp:
        - created_at: "2023-06-22T12:44:23Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            hF4D3ylLYNOsO+0SAQdAD/wwGspjkzL/xlqVxl8pixtRQGAlyuEJdTwja6e4bkAw
            I+xwPhJH9FpkwArRKErtW9u6e9lM8zJOvgteseTRmQFkQ9fyTtXAx2lLg5JOFdYn
            0l4BkaozbVKjx1XEJBoBUF1YMfREKyrORk/kU2UTluQKkEp7xaojZkuhWEqEMC7N
            tKVpPhef7M5escwcpQCpoI5+DCepJQDfoxyiAWx8P0a6tbV2F+X9y6kgb6iuWpf2
            =WNKv
            -----END PGP MESSAGE-----
          fp: 66FB54F6081375106EEBF651A222365EB448F934
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/hosts/magnesium/services/coturn.nix
+++ b/hosts/magnesium/services/coturn.nix
@ -0,0 +1,98 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.coturn;
  fqdn = "turn.jalr.de";
 in
 {
  sops.secrets.turn-static-auth-secret = {
    owner = "turnserver";
    sopsFile = ../secrets.yaml;
  };
  services.coturn = {
    enable = true;
    # config adapted from synapse’s turn howto:
    # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
    use-auth-secret = true;
    realm = fqdn;
    # the NixOS module does not support loading the secret from a dedicated file
    static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path;
    no-tcp-relay = true;
    cert = "/run/turnserver/fullchain.pem";
    pkey = "/run/turnserver/key.pem";
    min-port = 49160;
    max-port = 49200;
    no-cli = true;
    extraConfig = ''
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      # https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      user-quota=12
      total-quota=1200
    '';
  };
  systemd.services.coturn = {
    after = [ "acme-finished-${fqdn}.target" ];
    serviceConfig = {
      ExecStartPre = lib.singleton "!${pkgs.writeShellScript "coturn-setup-tls" ''
        cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
        chgrp turnserver /run/turnserver/{fullchain,key}.pem
      ''}";
    };
  };
  security.acme.certs."${fqdn}".postRun = ''
    if systemctl is-active coturn; then
      systemctl --no-block restart coturn
    fi
  '';
  services.nginx.virtualHosts."${fqdn}" = {
    enableACME = true;
    forceSSL = true;
  };
  networking.firewall = {
    allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
    allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
    allowedUDPPortRanges = lib.singleton {
      from = cfg.min-port;
      to = cfg.max-port;
    };
  };
 }
--- a/hosts/magnesium/services/default.nix
+++ b/hosts/magnesium/services/default.nix
@ -0,0 +1,8 @@
 {
  imports = [
    ./coturn.nix
    ./mosquitto.nix
    ./public-ip-tunnel.nix
    ./webserver.nix
  ];
 }
--- a/hosts/magnesium/services/mosquitto.nix
+++ b/hosts/magnesium/services/mosquitto.nix
@ -0,0 +1,18 @@
 { config, lib, pkgs, ... }:
 let port = 1883;
 in
 {
  services.mosquitto = {
    enable = true;
    persistence = true;
    listeners = [
      {
        port = port;
        settings = {
          allow_anonymous = true;
        };
      }
    ];
  };
  networking.firewall.allowedTCPPorts = [ port ];
 }
--- a/hosts/magnesium/services/public-ip-tunnel.nix
+++ b/hosts/magnesium/services/public-ip-tunnel.nix
@ -0,0 +1,44 @@
 { config, lib, pkgs, ... }:
 let
  listenPort = 51000;
  publicKey = "GCmQs7upvDYFueEfqD2yJkkOZg3K7YaGluWWzdjsyTo=";
 in
 {
  sops.secrets = (
    lib.listToAttrs (map
      (name: lib.nameValuePair "wireguard_key_${name}" {
        sopsFile = ../secrets.yaml;
      })
      [
        "hetzner-ha"
      ]
    )
  );
  #boot.kernel.sysctl = {
  #  "net.ipv4.conf.all.forwarding" = 1;
  #  "net.ipv4.conf.hetzner-ha.proxy_arp" = 1;
  #  "net.ipv4.conf.enp1s0.proxy_arp" = 1;
  #};
  networking.interfaces.hetzner-ha.proxyARP = true;
  networking.interfaces.enp1s0.proxyARP = true;
  networking.wireguard.interfaces = {
    hetzner-ha = {
      ips = [ ];
      privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
      listenPort = listenPort;
      peers = [{
        publicKey = publicKey;
        persistentKeepalive = 25;
        allowedIPs = [
          "159.69.103.126/32"
        ];
      }];
    };
  };
  networking.firewall.allowedUDPPorts = [ listenPort ];
 }
--- a/hosts/magnesium/services/webserver.nix
+++ b/hosts/magnesium/services/webserver.nix
@ -0,0 +1,57 @@
 { config, lib, pkgs, ... }:
 let
  domain = "jalr.de";
  matrixDomain = "matrix.jalr.de";
 in
 {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    commonHttpConfig = ''
      map $scheme $hsts_header {
        https   "max-age=31536000";
      }
      add_header Strict-Transport-Security $hsts_header;
      add_header Referrer-Policy strict-origin;
      add_header X-Content-Type-Options nosniff;
      add_header X-Frame-Options SAMEORIGIN;
    '';
    virtualHosts = {
      "${domain}" = {
        enableACME = true;
        forceSSL = true;
        root = pkgs.jalr.contact;
        locations =
          let
            # workaround for nginx dropping parent headers
            # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
            parentHeaders = lib.concatStringsSep "\n" (lib.filter
              (lib.hasPrefix "add_header ")
              (lib.splitString "\n" config.services.nginx.commonHttpConfig));
          in
          {
            "=/.well-known/matrix/server".extraConfig = ''
              ${parentHeaders}
              add_header Content-Type application/json;
              return 200 '${builtins.toJSON {
                "m.server" = "${matrixDomain}:443";
                }}';
            '';
            "=/.well-known/matrix/client".extraConfig = ''
              ${parentHeaders}
              add_header Content-Type application/json;
              add_header Access-Control-Allow-Origin *;
              return 200 '${builtins.toJSON {
                "m.homeserver"."base_url" = "https://${matrixDomain}";
              }}';
            '';
          };
      };
    };
  };
 }
--- a/hosts/weinturm-pretix-prod/configuration.nix
+++ b/hosts/weinturm-pretix-prod/configuration.nix
@ -5,15 +5,33 @@
    ./services
  ];
-  networking = {
+  networking.hostName = "weinturm-pretix-prod";
-    hostName = "weinturm-pretix-prod";
+
-    interfaces.ens3.ipv6.addresses = [{
+  networking.useDHCP = false;
-      address = "2a01:4f8:1c1e:ed47::";
+
-      prefixLength = 64;
+  systemd.network = {
-    }];
+    enable = true;
-    defaultGateway6 = {
+    networks."10-wan" = {
-      address = "fe80::1";
+      matchConfig.Name = "enp1s0";
-      interface = "ens3";
+      networkConfig.DHCP = "no";
      address = [
        "142.132.185.70/32"
        "2a01:4f8:c012:edd::/64"
      ];
      routes = [
        {
          routeConfig.Destination = "172.31.1.1";
        }
        {
          routeConfig = {
            Gateway = "172.31.1.1";
            GatewayOnLink = true;
          };
        }
        {
          routeConfig.Gateway = "fe80::1";
        }
      ];
    };
  };
@ -21,7 +39,6 @@
    enable = true;
    algorithm = "zstd";
    memoryPercent = 60;
    numDevices = 1;
    priority = 1;
  };
@ -29,5 +46,10 @@
  services.netdata.enable = true;
  jalr = {
    bootloader = "systemd-boot";
    uefi.enable = true;
  };
  system.stateVersion = "22.11";
 }
--- a/hosts/weinturm-pretix-prod/hardware-configuration.nix
+++ b/hosts/weinturm-pretix-prod/hardware-configuration.nix
@ -1,8 +1,52 @@
-{ modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 {
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.loader.grub.device = "/dev/sda";
+
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
-  boot.initrd.kernelModules = [ "nvme" ];
+  boot.initrd.kernelModules = [ ];
-  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
      fsType = "btrfs";
      options = [
        "subvol=root"
        "compress=zstd"
      ];
    };
    "/home" = {
      device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
      fsType = "btrfs";
      options = [
        "subvol=home"
        "compress=zstd"
      ];
    };
    "/nix" = {
      device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
      fsType = "btrfs";
      options = [
        "subvol=nix"
        "compress=zstd"
        "noatime"
      ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/A586-15AC";
      fsType = "vfat";
    };
  };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
--- a/hosts/weinturm-pretix-prod/secrets.yaml
+++ b/hosts/weinturm-pretix-prod/secrets.yaml
@ -6,27 +6,27 @@ sops:
    azure_kv: []
    hc_vault: []
    age:
-        - recipient: age1w42q9qg7l6gea36erhw0u7jvlpenvtrjm38q4ux0aasa929hes6s2ecj6m
+        - recipient: age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeTl6WjVObjAxMTU2QWUz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RXR4RnVQNjFvZ2NSZVhj
-            VzNFYkg0VEd0WkZhL21zYjJCaHZ3emU5UmdrCnZaTmpleC9BNEpFYkl0RnRrNDdP
+            QVZva0lKS1RxM09sYmJjZE12NTBMd3NrUlNjCkV0aklndEZDM1BaWFhxYUJ5TDBG
-            d2FpMWo4amxsa1RTVEJJSXh6RzJxbkUKLS0tIHl1YjlQaUtEbzNVcll1eHEzK2dL
+            T24zODBSdFVWV2VCNVZoM2s3RHJ4WHMKLS0tIC9LdDFMRW13YTBHNlVOdUY0b1NX
-            N2VMRTNjR1RQVm00YnlpbVBzSmZPRkUKv7LCrjyKb4z0e4yBdzwRR5+ErQYHzZCv
+            U3pyTDB4c1FWdHBPVjVjV3VpTjFWamsKDtc9C3xy/3Zu83+jQYCnHk8vatWANt4M
-            +j8j4EuhA6NwsTydgIjueuORbrX/c6VxcgQwRd9En+vQVYhWhlu5Xw==
+            +Zo5kZ5yfYVSnvMvgpWoAHk/quXSLNg2YhKUDrYP5y57Q/jZTX3YbA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-03-01T13:25:37Z"
    mac: ENC[AES256_GCM,data:WcF4i8b+YpJuZj/hP8SEEvXJNlrf77ymNF6Avg4vt2JUkIoLh5EAMOjqPWWhJXS65rRSOCQOW/uRLoAMs3b1lX8r93u1wlzxnF5L/1RnAyTcCI2Aiadq6QjOKevgRwfc4vvTVN7LHKwZ9f8kCqgYiuOYtVDx3N4UPQ4SPJ3MZRw=,iv:iliNHU5y+YL2hpvWIltkhP6bkUonMakL7Ssdyf/be38=,tag:4YO93pGujwpHWjX5IAOQfw==,type:str]
    pgp:
-        - created_at: "2023-02-23T00:30:25Z"
+        - created_at: "2023-07-08T09:50:21Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
-            hF4D3ylLYNOsO+0SAQdA2SmHfeFrNINSLf2aLONZeidpLaCScS7zmWq0YaeM/SUw
+            hF4D3ylLYNOsO+0SAQdAMH1wIM+ENgeWlLsj7qUEorj8O1L5NlW9ABKB/Whmz3Ew
-            66MK2BqgIxX81M9lIexCXdQ9EVS1p0KGQ2dw0CpAN07qdDqqOnJeedgv9zZ3trwU
+            xm1SbZeFPPBPcT1dfVCF+W1CYDjrFau4DXhkcz5Z6x3ENg9rZujtRAZY9c+53aqD
-            0l4BwoXSnuKxaLDs7vq6y9xrzyKZS5Mx8H7BxVRg0o1mAvSwFez23DmDQWnJyUgO
+            0l4B4zxls8vy0K/kipHn010WKhHEPMmABJf+d0rAkT6tbVzcxU3TKlZ2BWxwifM+
-            otTg9fp217ldr3VNwKIYtoO+1floZtbfmoH2EhZhpml36mz1oRCUUJvjQO++EpJW
+            BYDGZ2A6opgV8G4Q68n6CInyhMROIIzJJpWkP0YZCIzzVQ+9yelq9jZvuuxR7v9+
-            =N9AT
+            =Lkul
            -----END PGP MESSAGE-----
          fp: 66FB54F6081375106EEBF651A222365EB448F934
    unencrypted_suffix: _unencrypted
--- a/hosts/weinturm-pretix-prod/services/pretix.nix
+++ b/hosts/weinturm-pretix-prod/services/pretix.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
  services.pretix = {
    enable = true;
@ -18,6 +18,6 @@
  security.acme = {
    acceptTerms = true;
-    defaults.email = "helfer@weinturm-open-air.de";
+    defaults.email = lib.mkForce "helfer@weinturm-open-air.de";
  };
 }
--- a/modules/autologin.nix
+++ b/modules/autologin.nix
@ -1,10 +1,10 @@
 { config, lib, pkgs, ... }:
 let
-  cfg = config.myConfig;
+  cfg = config.jalr;
 in
 {
-  options.myConfig = {
+  options.jalr = {
    autologin = {
      enable = pkgs.lib.mkEnableOption "Enable tty1 autologin";
      username = pkgs.lib.mkOption {
--- a/modules/aws.nix
+++ b/modules/aws.nix
@ -1,7 +1,7 @@
 { lib, ... }:
 {
-  options.myConfig.aws = {
+  options.jalr.aws = {
    enable = lib.mkEnableOption "Enable AWS CLI";
    accounts = with lib; mkOption {
      type = with types; attrsOf (submodule ({ config, name, ... }: {
--- a/modules/bluetooth.nix
+++ b/modules/bluetooth.nix
@ -0,0 +1,17 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.jalr;
 in
 {
  options.jalr = {
    bluetooth.enable = pkgs.lib.mkEnableOption "Enable bluetooth" // { default = false; };
  };
  config = lib.mkIf cfg.bluetooth.enable {
    hardware.bluetooth.enable = true;
    services.blueman.enable = true;
    services.ofono.enable = true;
    services.upower.enable = true;
  };
 }
--- a/modules/bootloader/default.nix
+++ b/modules/bootloader/default.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 {
-  options.myConfig = {
+  options.jalr = {
    bootloader = lib.mkOption {
      type = lib.types.nullOr (lib.types.enum [ "systemd-boot" "grub2" ]);
      default = null;
--- a/modules/bootloader/grub2.nix
+++ b/modules/bootloader/grub2.nix
@ -1,8 +1,7 @@
 { config, lib, pkgs, ... }:
-lib.mkIf (config.myConfig.bootloader == "grub2") {
+lib.mkIf (config.jalr.bootloader == "grub2") {
  boot.loader.grub = {
    enable = true;
    version = 2;
  };
 }
--- a/modules/bootloader/systemd-boot.nix
+++ b/modules/bootloader/systemd-boot.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-lib.mkIf (config.myConfig.bootloader == "systemd-boot") {
+lib.mkIf (config.jalr.bootloader == "systemd-boot") {
  boot = {
    loader = {
      systemd-boot = {
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,7 +1,7 @@
 { lib, ... }:
 {
-  options.myConfig = {
+  options.jalr = {
    gui.enable = lib.mkEnableOption "GUI";
    workstation.enable = lib.mkEnableOption "Workstation";
  };
@ -10,6 +10,7 @@
    ../pkgs/modules.nix
    ./autologin.nix
    ./aws.nix
    ./bluetooth.nix
    ./bootloader
    ./dji-goggles.nix
    ./dnsmasq.nix
@ -20,6 +21,7 @@
    ./kvm-switch-enable-screen.nix
    ./libvirt.nix
    ./localization.nix
    ./mailserver
    ./mute-indicator.nix
    ./nix.nix
    ./obs.nix
@ -41,8 +43,15 @@
  ];
  config = {
-    boot.cleanTmpDir = true;
+    boot.tmp.cleanOnBoot = true;
    security.polkit.enable = true;
    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "security@jalr.de";
      };
    };
  };
 }
--- a/modules/dnsmasq.nix
+++ b/modules/dnsmasq.nix
@ -1,24 +1,26 @@
 { lib, config, ... }:
 {
-  config = lib.mkIf config.myConfig.workstation.enable {
+  config = lib.mkIf config.jalr.workstation.enable {
    services.dnsmasq = {
      enable = true;
      resolveLocalQueries = true;
-      servers = [
+      settings = {
-        "127.0.0.1#9053"
+        server = [
-        "/lechner.zz/192.168.0.1"
+          "127.0.0.1#9053"
-        "/lab.fablab-nea.de/192.168.94.1"
+          "/lechner.zz/192.168.0.1"
-      ];
+          "/lab.fablab-nea.de/192.168.94.1"
-      extraConfig = ''
+        ];
-        no-resolv
+        no-resolv = true;
-        interface=lo
+        interface = "lo";
-        listen-address=::1
+        listen-address = [
-        listen-address=127.0.0.1
+          "::1"
-        bind-interfaces
+          "127.0.0.1"
-        dns-loop-detect
+        ];
-        neg-ttl=5
+        bind-interfaces = true;
-      '';
+        dns-loop-detect = true;
        neg-ttl = 5;
      };
    };
  };
 }
--- a/modules/fonts.nix
+++ b/modules/fonts.nix
@ -2,7 +2,7 @@
 {
  console.font = "Lat2-Terminus16";
-  fonts.fonts = with pkgs; lib.mkIf config.myConfig.gui.enable [
+  fonts.fonts = with pkgs; lib.mkIf config.jalr.gui.enable [
    (nerdfonts.override { fonts = [ "Iosevka" ]; })
    font-awesome
    powerline-fonts
--- a/modules/kdeconnect.nix
+++ b/modules/kdeconnect.nix
@ -1,11 +1,12 @@
 { config, lib, pkgs, ... }:
-let portRange = {
+let
-  from = 1714;
+  portRange = {
-  to = 1764;
+    from = 1714;
-};
+    to = 1764;
  };
 in
-lib.mkIf config.myConfig.gui.enable {
+lib.mkIf config.jalr.gui.enable {
  programs.kdeconnect.enable = true;
  networking.firewall.allowedTCPPortRanges = [ portRange ];
  networking.firewall.allowedUDPPortRanges = [ portRange ];
--- a/modules/libvirt.nix
+++ b/modules/libvirt.nix
@ -1,16 +1,16 @@
 { config, lib, pkgs, ... }:
 let
-  cfg = config.myConfig;
+  cfg = config.jalr;
 in
 {
-  options.myConfig = {
+  options.jalr = {
    libvirt = {
      enable = pkgs.lib.mkEnableOption "Enable libvirt";
    };
  };
  config = lib.mkIf cfg.libvirt.enable {
-    environment.systemPackages = with pkgs; lib.mkIf config.myConfig.gui.enable [
+    environment.systemPackages = with pkgs; lib.mkIf config.jalr.gui.enable [
      spice-gtk
      virt-manager
    ];
--- a/modules/mailserver/default.nix
+++ b/modules/mailserver/default.nix
@ -0,0 +1,107 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.jalr.mailserver;
 in
 {
  options.jalr.mailserver = with lib; with lib.types; {
    enable = mkEnableOption "simple mail server";
    fqdn = mkOption {
      type = str;
      description = ''
        FQDN of the mail server
        It needs to have a matching reverse DNS record.
        By default, an acme certificate with this name has to be present.
        See `certDir` for more details.
      '';
      example = "mail.example.com";
    };
    storageDir = mkOption {
      type = path;
      description = "Location of the storage directory for mails";
      default = "/var/vmail";
    };
    domains = mkOption {
      type = listOf (submodule {
        options = {
          domain = mkOption {
            type = str;
            description = "Domain to serve";
            example = [ "example.com" "example.org" ];
          };
          enableDKIM = (lib.mkEnableOption "Enable DKIM signing") // { default = false; };
          DKIMSelector = mkOption {
            type = str;
            description = "DKIM selector to use when signing";
            default = "default";
          };
        };
      });
      description = "Domains of the mail server";
    };
    certDir = mkOption {
      type = path;
      description = "Directory with `fullchain.pem` and `key.pem` for the FQDN. Defaults to the ACME directory of the FQDN.";
      default = config.security.acme.certs."${cfg.fqdn}".directory;
    };
    users = mkOption {
      type = listOf (submodule {
        options = {
          address = mkOption {
            type = str;
            description = "Primary e-mail address of the user";
            example = "jdoe@example.com";
          };
          passwordHash = mkOption {
            type = str;
            description = ''
              Argon2id hash of the user’s password. Please note that it will be
              world-readable in the nix store.
            '';
            example = "$argon2id$v=19$m=2097152,t=9,p=4$ycAnTa3lq5EAPTNJVpZ3+A$dIJ0CHVNn3vRUUso3IveHlrzTURoudrkxU92P5Q9/P4";
          };
          aliases = mkOption {
            type = listOf str;
            description = ''
              A list of aliases for the user.
              If multiple users have the same alias defined, mail will be
              delivered to both of them.
            '';
            default = [ ];
            example = [
              "j.doe@example.com"
              "jane.doe@example.com"
              "postmaster@example.com"
            ];
          };
        };
      });
      description = "Users of the mail server";
    };
    cleanHeaders = mkOption {
      type = listOf str;
      description = "A list of regular expressions that define what headers are filtered";
      default = [
        "/^\\s*Received:/"
        "/^\\s*User-Agent:/"
        "/^\\s*X-Mailer:/"
        "/^\\s*X-Originating-IP:/"
      ];
    };
    messageSizeLimit = mkOption {
      type = int;
      description = ''
        Message size limit, in bytes.
      '';
      default = 10485760;
    };
  };
  imports = [
    ./dovecot.nix
    ./postfix.nix
    ./rspamd.nix
    ./users.nix
  ];
 }
--- a/modules/mailserver/dovecot.nix
+++ b/modules/mailserver/dovecot.nix
@ -0,0 +1,162 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.jalr.mailserver;
  postfixCfg = config.services.postfix;
  passdb = pkgs.writeText "dovecot-users"
    (lib.concatMapStringsSep
      "\n"
      ({ address, passwordHash, ... }: "${address}:${passwordHash}")
      cfg.users);
 in
 lib.mkIf cfg.enable {
  services.dovecot2 = {
    enable = true;
    modules = with pkgs; [ dovecot_pigeonhole ];
    enableLmtp = true;
    enablePAM = false;
    mailUser = "vmail";
    mailGroup = "vmail";
    mailLocation = "maildir:${cfg.storageDir}/%d/%n";
    sslServerCert = "${cfg.certDir}/fullchain.pem";
    sslServerKey = "${cfg.certDir}/key.pem";
    mailboxes = {
      Archive = { specialUse = "Archive"; auto = "subscribe"; };
      Sent = { specialUse = "Sent"; auto = "subscribe"; };
      Drafts = { specialUse = "Drafts"; auto = "subscribe"; };
      Trash = { specialUse = "Trash"; auto = "subscribe"; };
      Spam = { specialUse = "Junk"; auto = "subscribe"; };
    };
    sieveScripts = {
      before = pkgs.writeText "spam.sieve" ''
        require "fileinto";
        if header :is "X-Spam" "Yes" {
            fileinto "Spam";
        }
      '';
    };
    extraConfig = ''
      # generated 2021-02-04, Mozilla Guideline v5.6, Dovecot 2.3.13, OpenSSL 1.1.1i, intermediate configuration
      # https://ssl-config.mozilla.org/#server=dovecot&version=2.3.13&config=intermediate&openssl=1.1.1i&guideline=5.6
      ssl = required
      ssl_min_protocol = TLSv1.2
      ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
      ssl_prefer_server_ciphers = no
      protocol imap {
        mail_plugins = $mail_plugins imap_sieve
      }
      protocol lmtp {
        mail_plugins = $mail_plugins sieve
      }
      service imap-login {
        inet_listener imap {
        }
      }
      service lmtp {
        unix_listener dovecot-lmtp {
          mode = 0600
          user = ${postfixCfg.user}
          group = ${postfixCfg.group}
        }
      }
      passdb {
        driver = passwd-file
        args = scheme=argon2id username_format=%u ${passdb}
        auth_verbose = yes
      }
      userdb {
        driver = static
        args = uid=vmail gid=vmail home=${cfg.storageDir}/%d/%n
      }
      service auth {
        vsz_limit = 4G  # needed for argon2.
        unix_listener auth {
          mode = 0660
          user = ${postfixCfg.user}
          group = ${postfixCfg.group}
        }
      }
      service auth-worker {
        vsz_limit = 4G  # needed for argon2.
      }
      lda_mailbox_autosubscribe = yes
      lda_mailbox_autocreate = yes
      plugin {
        sieve_plugins = sieve_imapsieve sieve_extprograms
        ${lib.optionalString cfg.spam.enable ''
        imapsieve_mailbox1_name = Spam
        imapsieve_mailbox1_causes = COPY
        imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/learn-spam.sieve
        imapsieve_mailbox2_name = *
        imapsieve_mailbox2_from = Spam
        imapsieve_mailbox2_causes = COPY
        imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/learn-ham.sieve
        sieve_pipe_bin_dir = ${pkgs.symlinkJoin { name = "sieve-pipe-bin-dir"; paths = with pkgs; [ rspamd ]; } }/bin
        ''}
        sieve_global_extensions = +vnd.dovecot.pipe
      }
    '';
  };
  systemd.services.dovecot2 = {
    wants = [ "acme-finished-${cfg.fqdn}.target" ];
    after = [ "acme-finished-${cfg.fqdn}.target" ];
    preStart = lib.mkIf cfg.spam.enable
      (lib.mkAfter
        (lib.concatStrings
          (lib.mapAttrsToList
            (name: content: ''
              cp ${pkgs.writeText name content} /var/lib/dovecot/sieve/${name}
            '')
            {
              "learn-spam.sieve" = ''
                require ["vnd.dovecot.pipe", "copy", "imapsieve"];
                pipe :copy "rspamc" ["learn_spam"];
              '';
              "learn-ham.sieve" = ''
                require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
                if environment :matches "imap.mailbox" "*" {
                    set "mailbox" "''${1}";
                }
                if string "''${mailbox}" "Trash" {
                    stop;
                }
                pipe :copy "rspamc" ["learn_ham"];
              '';
            })));
  };
  networking.firewall.allowedTCPPorts = [
    143 # IMAP
  ];
  security.acme.certs."${cfg.fqdn}".postRun = ''
    if systemctl is-active dovecot2; then
        systemctl --no-block reload dovecot2
    fi
  '';
 }
--- a/modules/mailserver/postfix.nix
+++ b/modules/mailserver/postfix.nix
@ -0,0 +1,162 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.jalr.mailserver;
  listToString = lib.concatStringsSep ",";
  # List of attribute sets with single key-value pair
  plainAliases = (lib.flatten
    (map
      ({ address, aliases, ... }:
        map
          (alias: { "${alias}" = address; })
          (aliases ++ lib.singleton address))
      cfg.users));
  # Attribute set with every alias mapped to a list of receivers
  mergedAliases = (lib.attrsets.foldAttrs
    (val: col: lib.singleton val ++ col)
    [ ]
    plainAliases);
  # Contents of the aliases file
  aliasesString = (lib.concatStringsSep
    "\n"
    (lib.mapAttrsToList
      (alias: addresses: "${alias} ${listToString addresses}")
      mergedAliases));
  valiases = pkgs.writeText "valiases" aliasesString;
  submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules"
    (lib.concatMapStringsSep
      "\n"
      (regex: "${regex} IGNORE")
      cfg.cleanHeaders);
 in
 lib.mkIf cfg.enable {
  security.dhparams.params.postfix = { };
  services.postfix = {
    enable = true;
    enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions)
    enableSubmissions = true; # submission with implicit TLS (TCP/465)
    hostname = cfg.fqdn;
    networksStyle = "host";
    sslCert = "${cfg.certDir}/fullchain.pem";
    sslKey = "${cfg.certDir}/key.pem";
    recipientDelimiter = "+";
    mapFiles = {
      inherit valiases;
    };
    config = {
      # General
      smtpd_banner = "${cfg.fqdn} ESMTP";
      disable_vrfy_command = true; # disable check if mailbox exists
      enable_long_queue_ids = true; # better for debugging
      strict_rfc821_envelopes = true; # only accept properly formatted envelope
      message_size_limit = toString cfg.messageSizeLimit;
      virtual_mailbox_domains = listToString (map (x: x.domain) cfg.domains);
      virtual_mailbox_maps = "hash:/var/lib/postfix/conf/valiases";
      virtual_alias_maps = "hash:/var/lib/postfix/conf/valiases";
      virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
      smtpd_recipient_restrictions = listToString [
        "reject_non_fqdn_recipient"
        "reject_rbl_client ix.dnsbl.manitu.net"
        "reject_unknown_recipient_domain"
        "reject_unverified_recipient"
      ];
      smtpd_client_restrictions = listToString [
        "reject_rbl_client ix.dnsbl.manitu.net"
        "reject_unknown_client_hostname"
      ];
      smtpd_sender_restrictions = listToString [
        "reject_non_fqdn_sender"
        "reject_unknown_sender_domain"
      ];
      # generated 2021-02-04, Mozilla Guideline v5.6, Postfix 3.5.6, OpenSSL 1.1.1i, intermediate configuration
      # https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1i&guideline=5.6
      smtpd_tls_security_level = "may";
      smtpd_tls_auth_only = "yes";
      smtpd_tls_mandatory_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
      smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
      smtpd_tls_mandatory_ciphers = "medium";
      smtpd_tls_loglevel = "1";
      tls_medium_cipherlist = listToString [
        "ECDHE-ECDSA-AES128-GCM-SHA256"
        "ECDHE-RSA-AES128-GCM-SHA256"
        "ECDHE-ECDSA-AES256-GCM-SHA384"
        "ECDHE-RSA-AES256-GCM-SHA384"
        "ECDHE-ECDSA-CHACHA20-POLY1305"
        "ECDHE-RSA-CHACHA20-POLY1305"
        "DHE-RSA-AES128-GCM-SHA256"
        "DHE-RSA-AES256-GCM-SHA384"
      ];
      tls_preempt_cipherlist = "no";
      smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;
    };
    # plain/STARTTLS (forced with smtpd_tls_security_level)
    submissionOptions = {
      smtpd_tls_security_level = "encrypt";
      smtpd_sasl_auth_enable = "yes";
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "/run/dovecot2/auth";
      #smtpd_sasl_security_options = "noanonymous, forward_secrecy"
      smtpd_sender_login_maps = "hash:/etc/postfix/valiases";
      smtpd_recipient_restrictions = listToString [ ];
      smtpd_client_restrictions = listToString [
        "permit_sasl_authenticated"
        "reject"
      ];
      smtpd_sender_restrictions = listToString [
        "reject_sender_login_mismatch"
      ];
      cleanup_service_name = "submission-header-cleanup";
    };
    # implicit TLS
    submissionsOptions = config.services.postfix.submissionOptions;
    masterConfig = {
      submission-header-cleanup = {
        private = false;
        maxproc = 0;
        command = "cleanup";
        args = [ "-o" "header_checks=pcre:${submissionHeaderCleanupRules}" ];
      };
    };
  };
  networking.firewall.allowedTCPPorts = [
    25 # SMTP
    587 # SMTP submission
  ];
  systemd.services.postfix = {
    wants = [ "acme-finished-${cfg.fqdn}.target" ];
    requires = [ "dovecot2.service" ];
    after = [ "acme-finished-${cfg.fqdn}.target" "dovecot2.service" ];
  };
  security.acme.certs."${cfg.fqdn}".postRun = ''
    if systemctl is-active postfix; then
        systemctl --no-block reload postfix
    fi
  '';
 }
--- a/modules/mailserver/rspamd.nix
+++ b/modules/mailserver/rspamd.nix
@ -0,0 +1,129 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.jalr.mailserver;
  # Generate DKIM keys:
  # nix shell nixpkgs#rspamd -c \
  #   rspamadm dkim_keygen -s default -d example.com -b 4096 -k /dev/shm/dkim.key > dkim.txt
  dkimEnabledDomains = (lib.filter (d: d.enableDKIM) cfg.domains);
  dkimSignatureDir = pkgs.stdenvNoCC.mkDerivation {
    name = "dkim-signatures";
    dontUnpack = true;
    installPhase = "mkdir $out" + "\n" + lib.concatStringsSep "\n" (
      map
        (
          x: "ln -s " + config.sops.secrets."dkim-keys/${x.domain}.${x.DKIMSelector}".path + " $out/${x.domain}.${x.DKIMSelector}.key"
        )
        dkimEnabledDomains
    );
  };
 in
 {
  options.jalr.mailserver.spam = {
    enable = (lib.mkEnableOption "spam filtering") // { default = true; };
  };
  config = lib.mkIf (cfg.enable && cfg.spam.enable) {
    sops.secrets = lib.attrsets.listToAttrs
      (
        map
          (x:
            {
              name = "dkim-keys/${x.domain}.${x.DKIMSelector}";
              value = {
                owner = config.users.users.rspamd.name;
                sopsFile = ../../hosts + "/${config.networking.hostName}/secrets.yaml";
              };
            }
          )
          dkimEnabledDomains
      ) // {
      rspamd-worker-controller = {
        owner = config.users.users.rspamd.name;
        sopsFile = ../../hosts + "/${config.networking.hostName}/secrets.yaml";
      };
    };
    services.rspamd = {
      enable = true;
      postfix.enable = true;
      workers = {
        normal = {
          includes = [ "$CONFDIR/worker-normal.inc" ];
          bindSockets = lib.singleton {
            socket = "/run/rspamd/rspamd.sock";
            mode = "0660";
            owner = "${config.services.rspamd.user}";
            group = "${config.services.rspamd.group}";
          };
        };
        controller = {
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [ "127.0.0.1:11334" ];
        };
      };
      locals = {
        "dkim_signing.conf".text = ''
          enabled = true;
          path = "${dkimSignatureDir}/$domain.$selector.key"
          selector = "default";
          allow_envfrom_empty = true;
          allow_hdrfrom_mismatch = false;
          allow_hdrfrom_multiple = false;
          allow_username_mismatch = false;
          sign_authenticated = true;
          sign_local = true;
          symbol = "DKIM_SIGNED";
          try_fallback = true;
          use_domain = "header";
          use_esld = true;
          use_redis = false;
          key_prefix = "DKIM_KEYS";
          check_pubkey = true;
          allow_pubkey_mismatch = false;
        '';
        "logging.inc".text = ''
          # starts at info, drops to notice once started up
          level = "silent";
          #debug_modules = ["dkim_signing"];
        '';
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
        "multimap.conf".text = ''
          SENDER_BLOCKED {
            type = "from";
            filter = "email:addr";
            map = "/var/lib/rspamd/blocked_senders.map";
            symbol = "SENDER_BLOCKED";
            description = "Sender’s address is manually blocked";
            prefilter = true;
            action = "reject";
            score = 30.0;
          }
          SENDER_DOMAIN_BLOCKED {
            type = "from";
            filter = "email:domain:tld";
            map = "/var/lib/rspamd/blocked_sender_domains.map";
            symbol = "SENDER_DOMAIN_BLOCKED";
            description = "Sender’s effective second level domain is manually blocked";
            score = 8.0;
          }
        '';
        "redis.conf".text = ''
          servers = "127.0.0.1:${toString config.services.redis.servers.rspamd.port}"
        '';
        "worker-controller.inc".source = config.sops.secrets.rspamd-worker-controller.path; # includes password
      };
    };
    services.redis = {
      vmOverCommit = true;
      servers.rspamd = {
        enable = true;
        port = 6379;
      };
    };
  };
 }
--- a/modules/mailserver/users.nix
+++ b/modules/mailserver/users.nix
@ -0,0 +1,12 @@
 { config, lib, ... }:
 lib.mkIf config.jalr.mailserver.enable {
  users.users.vmail = {
    uid = 10000;
    group = "vmail";
    home = config.jalr.mailserver.storageDir;
    createHome = true;
  };
  users.groups.vmail.gid = 10000;
 }
--- a/modules/nix.nix
+++ b/modules/nix.nix
@ -23,7 +23,7 @@
  };
  nixpkgs.overlays = with inputs; [
-    self.overlay
+    self.overlays.default
    (final: prev: {
      master = import inputs.nixpkgsMaster {
        inherit system;
@ -32,7 +32,7 @@
    })
  ]
  # Tradebyte access points use legacy crypto
-  ++ lib.optional config.myConfig.tradebyte.enable (
+  ++ lib.optional config.jalr.tradebyte.enable (
    final: prev:
      let
        inherit (prev) callPackage;
--- a/modules/obs.nix
+++ b/modules/obs.nix
@ -1,22 +1,12 @@
 { config, lib, pkgs, ... }:
-lib.mkIf config.myConfig.gui.enable {
+lib.mkIf config.jalr.gui.enable {
  boot = {
    extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];
    kernelModules = [ "v4l2loopback" ];
    extraModprobeConfig = ''
      options v4l2loopback exclusive_caps=1 card_label=OBS video_nr=10
    '';
    extraModulePackages = [
      (pkgs.linuxPackages.v4l2loopback.overrideAttrs ({ ... }: {
        src = pkgs.fetchFromGitHub {
          owner = "umlaeute";
          repo = "v4l2loopback";
          rev = "edf0f10bc079e5e3922bddbb8185dc626ab14a1b";
          sha256 = "nHwC6/miECn8RuAeWoOxYv+9NWcBeeGHlcr0ai827Uo=";
          fetchSubmodules = false;
        };
      }))
    ];
  };
  environment.systemPackages = with pkgs; [
    v4l-utils
--- a/modules/pipewire.nix
+++ b/modules/pipewire.nix
@ -1,11 +1,6 @@
 { config, lib, pkgs, ... }:
-let
+lib.mkIf config.jalr.gui.enable {
  defaults = {
    media-session = (builtins.fromJSON (builtins.readFile "${pkgs.pipewire-media-session}/nix-support/media-session.conf.json"));
  };
 in
 lib.mkIf config.myConfig.gui.enable {
  sound.enable = true;
  hardware.pulseaudio.enable = false;
@ -40,43 +35,4 @@ lib.mkIf config.myConfig.gui.enable {
      value = "unlimited";
    }
  ];
  # Split U-PHORIA inputs into mono channels
  # https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Virtual-Devices#behringer-umc404hd-micguitar-virtual-sources
  services.pipewire.media-session.config.media-session."context.modules" = defaults.media-session."context.modules" ++ [
    {
      name = "libpipewire-module-loopback";
      args = {
        "node.name" = "UMC202HD_input1";
        "node.description" = "UMC202HD Input 1";
        "capture.props" = {
          "audio.position" = [ "AUX0" ];
          "stream.dont-remix" = true;
          "node.target" = "alsa_input.usb-BEHRINGER_UMC202HD_192k-00.pro-input-0";
          "node.passive" = true;
        };
        "playback.props" = {
          "media.class" = "Audio/Source";
          "audio.position" = [ "MONO" ];
        };
      };
    }
    {
      name = "libpipewire-module-loopback";
      args = {
        "node.name" = "UMC202HD_input2";
        "node.description" = "UMC202HD Input 2";
        "capture.props" = {
          "audio.position" = [ "AUX1" ];
          "stream.dont-remix" = true;
          "node.target" = "alsa_input.usb-BEHRINGER_UMC202HD_192k-00.pro-input-0";
          "node.passive" = true;
        };
        "playback.props" = {
          "media.class" = "Audio/Source";
          "audio.position" = [ "MONO" ];
        };
      };
    }
  ];
 }
--- a/Show more
+++ b/Show more
		`@ -0,0 +1,2 @@`
							`/secrets/ filter=git-crypt diff=git-crypt`
							`**/secrets.yaml diff=sops`