.sops.yaml

@@ -3,11 +3,11 @@ keys:
   - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
   - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
   - &host-sgp-00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
+  - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
   - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
   - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
   - &host-weilite age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
   - &host-hk-00 age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
-  - &host-fra-00 age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
 creation_rules:
   - path_regex: machines/calcite/secrets.yaml
     key_groups:
@@ -29,14 +29,19 @@ creation_rules:
     - age:
       - *xin
       - *host-sgp-00
+      - *host-tok-00
       - *host-la-00
       - *host-hk-00
-      - *host-fra-00
   - path_regex: machines/dolomite/secrets/sgp-00.yaml
     key_groups:
     - age:
       - *xin
       - *host-sgp-00
+  - path_regex: machines/dolomite/secrets/tok-00.yaml
+    key_groups:
+    - age:
+      - *xin
+      - *host-tok-00
   - path_regex: machines/dolomite/secrets/la-00.yaml
     key_groups:
     - age:
@@ -47,12 +52,6 @@ creation_rules:
     - age:
       - *xin
       - *host-hk-00
-
-  - path_regex: machines/dolomite/secrets/fra-00.yaml
-    key_groups:
-    - age:
-      - *xin
-      - *host-fra-00
   - path-regex: machines/weilite/secrets.yaml
     key_groups:
     - age:
@@ -65,6 +64,7 @@ creation_rules:
       - *host-calcite
       - *host-raspite
       - *host-sgp-00
+      - *host-tok-00
       - *host-la-00
       - *host-hk-00
       - *host-massicot

flake.lock

@@ -61,26 +61,6 @@
         "type": "github"
       }
     },
-    "disko": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1732645828,
-        "narHash": "sha256-+4U2I2653JvPFxcux837ulwYS864QvEueIljUkwytsk=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "869ba3a87486289a4197b52a6c9e7222edf00b3e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "disko",
-        "type": "github"
-      }
-    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -616,7 +596,6 @@
       "inputs": {
         "catppuccin": "catppuccin",
         "colmena": "colmena",
-        "disko": "disko",
         "flake-utils": "flake-utils_2",
         "home-manager": "home-manager",
         "my-nixvim": "my-nixvim",

flake.nix

@@ -50,11 +50,6 @@
     catppuccin = {
       url = "github:catppuccin/nix";
     };
-
-    disko = {
-      url = "github:nix-community/disko";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
 
   outputs =
@@ -71,7 +66,6 @@
       nix-vscode-extensions,
       colmena,
       nix-index-database,
-      disko,
       ...
     }:
     let
@@ -122,21 +116,9 @@
           ./machines/dolomite/lightsail.nix
           ./machines/dolomite/common.nix
         ];
-        fra-00 = [
-          ./machines/dolomite/fra.nix
-          ./machines/dolomite/common.nix
-        ];
         osmium = [
           ./machines/osmium
         ];
-        thorite = [
-          disko.nixosModules.disko
-          ./machines/thorite
-        ];
-        biotite = [
-          disko.nixosModules.disko
-          ./machines/biotite
-        ];
       };
       sharedColmenaModules = [
         deploymentModule
@@ -247,20 +229,6 @@
             };
           };
 
-        fra-00 =
-          { ... }:
-          {
-            imports = nodeNixosModules.fra-00 ++ sharedColmenaModules;
-            nixpkgs.system = "x86_64-linux";
-            networking.hostName = "fra-00";
-            system.stateVersion = "24.05";
-            deployment = {
-              targetHost = "fra-00.video.namely.icu";
-              buildOnTarget = false;
-              tags = [ "proxy" ];
-            };
-          };
-
         raspite =
           { ... }:
           {
@@ -287,19 +255,6 @@
             };
             nixpkgs.system = "x86_64-linux";
           };
-        thorite =
-          { ... }:
-          {
-            imports = nodeNixosModules.thorite ++ sharedColmenaModules;
-            deployment = {
-              buildOnTarget = false;
-            };
-          };
-        biotite =
-          { ... }:
-          {
-            imports = nodeNixosModules.biotite ++ sharedColmenaModules;
-          };
       };
 
       nixosConfigurations = {
@@ -310,7 +265,6 @@
         osmium = mkNixos {
           hostname = "osmium";
         };
-
       } // self.colmenaHive.nodes;
 
     }

home/xin/calcite.nix

@@ -34,7 +34,6 @@ in
   };
 
   home.packages = with pkgs; [
-    resources
     thunderbird
     remmina
     qq
@@ -57,6 +56,17 @@ in
 
   xdg.enable = true;
 
+  i18n.inputMethod = {
+    enabled = "fcitx5";
+    fcitx5.addons = with pkgs; [ fcitx5-rime ];
+  };
+
+  # Using wayland
+  home.sessionVariables = {
+    GTK_IM_MODULE = lib.mkForce "";
+    QT_IM_MODULE = lib.mkForce "";
+  };
+
   custom-hm = {
     alacritty = {
       enable = true;

machines/biotite/default.nix

@@ -1,31 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  imports = [ ./hardware-configurations.nix ];
-
-  networking.hostName = "biotite";
-  networking.useNetworkd = true;
-  systemd.network.enable = true;
-  systemd.network.networks."10-wan" = {
-    matchConfig.MACAddress = "00:16:3e:0a:ec:45";
-    networkConfig.DHCP = "ipv4";
-    dhcpV4Config = {
-      UseDNS = true;
-    };
-  };
-
-  commonSettings = {
-    auth.enable = true;
-    autoupgrade.enable = true;
-  };
-
-  users.users.root.hashedPassword = "$y$j9T$NToEZWJBONjSgRnMd9Ur9/$o6n7a9b8eUILQz4d37oiHCCVnDJ8hZTZt.c.37zFfU.";
-
-  system.stateVersion = "24.11";
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

machines/biotite/hardware-configurations.nix

@@ -1,22 +0,0 @@
-{ config, modulesPath, ... }:
-{
-  imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
-  ];
-
-  disko.devices = {
-    disk = {
-      main = {
-        type = "disk";
-        device = "/dev/vda";
-        content = {
-          type = "gpt";
-          partitions = {
-            boot = config.diskPartitions.grubMbr;
-            root = config.diskPartitions.btrfs;
-          };
-        };
-      };
-    };
-  };
-}

machines/calcite/configuration.nix

@@ -105,15 +105,6 @@ in
     LC_TIME = "en_US.utf8";
   };
 
-  i18n.inputMethod = {
-    enable = true;
-    type = "fcitx5";
-    fcitx5 = {
-      addons = [ pkgs.fcitx5-rime ];
-      waylandFrontend = true;
-    };
-  };
-
   # ====== GUI ======
 
   programs.niri.enable = true;
@@ -122,7 +113,7 @@ in
 
   catppuccin = {
     enable = true;
-    accent = "peach";
+    accent = "rosewater";
     flavor = "mocha";
   };
 
@@ -182,17 +173,6 @@ in
           };
         };
       };
-      "keydous" = {
-        ids = [
-          "25a7:fa14"
-          "3151:4002"
-        ];
-        settings = {
-          main = {
-            capslock = "overload(control, esc)";
-          };
-        };
-      };
     };
   };
 
@@ -335,27 +315,26 @@ in
   '';
 
   sops.secrets = {
-    "restic/repo_url" = {
+    restic_repo_calcite_password = {
       owner = "xin";
       sopsFile = ./secrets.yaml;
     };
-    "restic/repo_password" = {
+    restic_repo_calcite = {
       owner = "xin";
       sopsFile = ./secrets.yaml;
     };
+    sing_box_url = {
+      owner = "root";
+      sopsFile = ./secrets.yaml;
+    };
     "gitea/envfile" = {
       owner = "root";
       sopsFile = ./secrets.yaml;
     };
   };
-
+  custom.restic.enable = true;
-  custom.restic = {
+  custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path;
-    enable = true;
+  custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path;
-    paths = [
-      "/backup/rootfs/var/lib"
-      "/backup/home"
-    ];
-  };
 
   custom.forgejo-actions-runner = {
     enable = false;

machines/calcite/secrets.yaml

@@ -1,6 +1,6 @@
-restic:
+restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str]
-    repo_url: ENC[AES256_GCM,data:x/g1nZQ59SavVG+u5apNmBQ0Y5uQ9N0EKVh6qovqeP/Z7tmkudJtlBFD35C0ZidcQLAqTaZk1FFh8Ikjo4OcQSdTsx9BGvT4,iv:RQMOSEacDHXjYceBaAW4sFGk38vkijHuADcTS3DMxa8=,tag:769rLA2eRKjDrAaL/jERbA==,type:str]
+restic_repo_calcite: ENC[AES256_GCM,data:ELvSvoBfulbsoMvRMt2bVo9KiNQAuHomblZcAwJ+g0tHELkq65kaaGwMsNy1AttBfiD7RrQsKifX/YTUGmuz1mDg0WqkV/Mv,iv:HKz96YgVahxh+t3AEqe09mTE01uT+VrUYt04H6zyS9g=,tag:llFeeN7ryTZI9gLlYIRhCg==,type:str]
-    repo_password: ENC[AES256_GCM,data:jqsIP1R5/yX8F0oYaSXACx6C,iv:KckzqctKLnmay+d30/Y4IttiASxYnMw6IHQrtwP2YdQ=,tag:L/Ij51UU1om48I8fd4iuwA==,type:str]
+sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str]
 gitea:
     envfile: ENC[AES256_GCM,data:CK+JNELuzjKgWnImuV4Euif3f3nNOACOrvc4NiIXs+q/F7QWrtpb3TK8/FrLNQk=,iv:QSDrlKJCBld2gDx/y1sT8anh37GhqSS2QZd2JJi5Yis=,tag:x5T6h59LBXhEyVwSr2dnuQ==,type:str]
 sops:
@@ -27,8 +27,8 @@ sops:
             WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
             FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-28T03:55:19Z"
+    lastmodified: "2024-11-09T06:41:02Z"
-    mac: ENC[AES256_GCM,data:VH7RnRT33ltsxycuSsUsM+64onQeClwQ3fIHUVQUyRJ6t7aJkBiGMQ80QtmwGE5CJTbq7LV4cis5Pq/f9vTb0SsY4tCSIgXNAE2zW2rjjQKjdHr+rnnKSJExJA+k2tL06Q/FUu+3SP7pVSaYBGQKb53UAbHsdJYbx00Ko6MzZ7U=,iv:EiYhbr6o4n3kGEEWKXeWmDPSb5hOvUhRH7N2ZLPRHmQ=,tag:BdI140bhvBW0bwQPpRYiRw==,type:str]
+    mac: ENC[AES256_GCM,data:Hf8QYvRWxfs/JDOIAVnX5M0kv9Ktncfzq+Zf7i32TTsa94ShrgbUYVxQbRviOFDbjLfzswGKikLQ2EHLlH1KOFs7+mKKz5PKVAWJZnkAPa2oFXs41BcXLIg8sf4dhFxjzzhakeUX9Q0z4evJ1vMX06/VnnpHVSMhsnenSfBhWIA=,iv:uXKf2oYSb+0IWp6Ch0XuoFUIaUBiAW7Z8R9Z7LSdLvY=,tag:0VAcFakwCrHGZW5I8jmydA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1

machines/dolomite/common.nix

@@ -23,7 +23,7 @@
     };
 
     custom.prometheus = {
-      enable = lib.mkDefault true;
+      enable = true;
       exporters.blackbox.enable = true;
     };
 

machines/dolomite/ec2-metadata-fetcher.sh

@@ -0,0 +1,66 @@
+metaDir=/etc/ec2-metadata
+mkdir -m 0755 -p "$metaDir"
+rm -f "$metaDir/*"
+
+get_imds_token() {
+  # retry-delay of 1 selected to give the system a second to get going,
+  # but not add a lot to the bootup time
+  curl \
+    --silent \
+    --show-error \
+    --retry 3 \
+    --retry-delay 1 \
+    --fail \
+    -X PUT \
+    --connect-timeout 1 \
+    -H "X-aws-ec2-metadata-token-ttl-seconds: 600" \
+    http://169.254.169.254/latest/api/token
+}
+
+preflight_imds_token() {
+  # retry-delay of 1 selected to give the system a second to get going,
+  # but not add a lot to the bootup time
+  curl \
+    --silent \
+    --show-error \
+    --retry 3 \
+    --retry-delay 1 \
+    --fail \
+    --connect-timeout 1 \
+    -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
+    -o /dev/null \
+    http://169.254.169.254/1.0/meta-data/instance-id
+}
+
+try=1
+while [ $try -le 3 ]; do
+  echo "(attempt $try/3) getting an EC2 instance metadata service v2 token..."
+  IMDS_TOKEN=$(get_imds_token) && break
+  try=$((try + 1))
+  sleep 1
+done
+
+if [ "x$IMDS_TOKEN" == "x" ]; then
+  echo "failed to fetch an IMDS2v token."
+fi
+
+try=1
+while [ $try -le 10 ]; do
+  echo "(attempt $try/10) validating the EC2 instance metadata service v2 token..."
+  preflight_imds_token && break
+  try=$((try + 1))
+  sleep 1
+done
+
+echo "getting EC2 instance metadata..."
+
+get_imds() {
+  # --fail to avoid populating missing files with 404 HTML response body
+  # || true to allow the script to continue even when encountering a 404
+  curl --silent --show-error --fail --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@" || true
+}
+
+get_imds -o "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path
+(umask 077 && get_imds -o "$metaDir/user-data" http://169.254.169.254/1.0/user-data)
+get_imds -o "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname
+get_imds -o "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key

machines/dolomite/fra.nix

@@ -1,62 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-co
-# and may be overwritten by future invocations.  Please make chang
-# to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}:
-
-{
-  imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
-  ];
-
-  swapDevices = [
-    {
-      device = "/swapfile";
-      size = 2 * 1024;
-    }
-  ];
-
-  boot.initrd.availableKernelModules = [
-    "uhci_hcd"
-    "virtio_scsi"
-    "sd_mod"
-    "sr_mod"
-    "ahci"
-    "ata_piix"
-    "virtio_pci"
-    "xen_blkfront"
-    "vmw_pvscsi"
-  ];
-  boot.loader.grub = {
-    enable = true;
-    device = "/dev/sda";
-  };
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" = {
-    device = "/dev/sda1";
-    fsType = "ext4";
-  };
-
-  networking.useNetworkd = true;
-  systemd.network.enable = true;
-  systemd.network.networks."10-wan" = {
-    matchConfig.MACAddress = "00:16:3c:d2:7b:64";
-    networkConfig = {
-      DHCP = "no";
-      Gateway = "185.217.108.1";
-    };
-    address = [ "185.217.108.59/24" ];
-  };
-
-  custom.prometheus.enable = false;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

machines/dolomite/lightsail.nix

@@ -0,0 +1,114 @@
+{
+  config,
+  pkgs,
+  modulesPath,
+  ...
+}:
+let
+  cfg = config.ec2;
+in
+{
+  imports = [
+    "${modulesPath}/profiles/headless.nix"
+    # Note: While we do use the headless profile, we also explicitly
+    # turn on the serial console on ttyS0 below. This is because
+    # AWS does support accessing the serial console:
+    # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
+    "${modulesPath}/virtualisation/ec2-data.nix"
+    "${modulesPath}/virtualisation/amazon-init.nix"
+  ];
+
+  config = {
+    boot.loader.grub.device = "/dev/nvme0n1";
+
+    # from nixpkgs amazon-image.nix
+    assertions = [ ];
+
+    boot.growPartition = true;
+
+    fileSystems."/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+      autoResize = true;
+    };
+
+    fileSystems."/boot" = {
+      # The ZFS image uses a partition labeled ESP whether or not we're
+      # booting with EFI.
+      device = "/dev/disk/by-label/ESP";
+      fsType = "vfat";
+    };
+
+    swapDevices = [
+      {
+        device = "/var/lib/swapfile";
+        size = 4 * 1024;
+      }
+    ];
+
+    boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
+    boot.initrd.kernelModules = [ "xen-blkfront" ];
+    boot.initrd.availableKernelModules = [ "nvme" ];
+    boot.kernelParams = [
+      "console=ttyS0,115200n8"
+      "random.trust_cpu=on"
+    ];
+
+    # Prevent the nouveau kernel module from being loaded, as it
+    # interferes with the nvidia/nvidia-uvm modules needed for CUDA.
+    # Also blacklist xen_fbfront to prevent a 30 second delay during
+    # boot.
+    boot.blacklistedKernelModules = [
+      "nouveau"
+      "xen_fbfront"
+    ];
+
+    boot.loader.grub.efiSupport = cfg.efi;
+    boot.loader.grub.efiInstallAsRemovable = cfg.efi;
+    boot.loader.timeout = 1;
+    boot.loader.grub.extraConfig = ''
+      serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
+      terminal_output console serial
+      terminal_input console serial
+    '';
+
+    systemd.services.fetch-ec2-metadata = {
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      path = [ pkgs.curl ];
+      script = builtins.readFile ./ec2-metadata-fetcher.sh;
+      serviceConfig.Type = "oneshot";
+      serviceConfig.StandardOutput = "journal+console";
+    };
+
+    # Amazon-issued AMIs include the SSM Agent by default, so we do the same.
+    # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html
+    services.amazon-ssm-agent.enable = true;
+
+    # Allow root logins only using the SSH key that the user specified
+    # at instance creation time.
+    services.openssh.enable = true;
+    services.openssh.settings.PermitRootLogin = "prohibit-password";
+
+    # Enable the serial console on ttyS0
+    systemd.services."serial-getty@ttyS0".enable = true;
+
+    # Creates symlinks for block device names.
+    services.udev.packages = [ pkgs.amazon-ec2-utils ];
+
+    # Force getting the hostname from EC2.
+    # networking.hostName = mkDefault "";
+
+    # Always include cryptsetup so that Charon can use it.
+    environment.systemPackages = [ pkgs.cryptsetup ];
+
+    # EC2 has its own NTP server provided by the hypervisor
+    services.timesyncd.enable = true;
+    services.timesyncd.servers = [ "169.254.169.123" ];
+
+    # udisks has become too bloated to have in a headless system
+    # (e.g. it depends on GTK).
+    services.udisks2.enable = false;
+  };
+}

machines/dolomite/secrets/fra-00.yaml

@@ -1,31 +0,0 @@
-wg_private_key: ENC[AES256_GCM,data:wKZfXvNLh578VpWRkEGRiyDqEgJ9nHMGbliDP/FhX3ZqrPFLwuSF4D4tQgw=,iv:EU6OkblWfWuC7CPW0U0peYY6171TnhljqnszQhVJTFw=,tag:CBrZRXDSKYoqbx5x7wQ1Ew==,type:str]
-wg_ipv6_local_addr: ENC[AES256_GCM,data:A6oUJngb1sOAAVTbgeceEgTd3Ejs5WM4GmXLvJBif5nbQSgU67EHZpDv,iv:Yf9063C784jPjJICee/YEj6fgl357G9yfkz0haHJGss=,tag:++LbjP8AI0HdS/9rtMYDDg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBud0JBa3A0VTk5SHhpK0tq
-            THZEWkY0Yk1CNjVVOGVOckRncEJUT2MxdW13ClQ1ZXV1bVRTNnUvVVBmbVhTZ3Fa
-            Wm1iTDRYOUJ2MW04dkNlemxzdGk5ZXcKLS0tIEZpNXZINUxGN3ZyL2JTSzEwWWRY
-            NStaK1kyM0ozWVEyemNiN2pQZGNqRXMKOBwTvk4Sfl2BsB7foVqjw2GqPOdQwB+g
-            GUR09dG0z4/1rT3gPtDn88pjs2EZYWOMKq+BPGbz0951HFPOgPVB5g==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dnRMY3NSbWtyUlpXWFRJ
-            VGRKLzdjMStldmtVbW9ZM05QaWJzSWV0MndzCkdpWFppTC9DVnJDc0lDRkZLZ2F1
-            WDJGWjNMZEZraWg3VUpDVDVtOE9YanMKLS0tIEUvWmRwcTBkUzZIMEVjNGhqeXU5
-            YmxtM0hoWTIwY3RKcFkrdzdrRFYwVGcKhBIi6YKPROrTo/QTClmv/xFa8/KAsqJD
-            bA5gHAYJCu3WLpZqo1FXqMMX/4Jj3gtWq0jLDzQ0Xoma842dhJo4bw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-26T03:13:11Z"
-    mac: ENC[AES256_GCM,data:0cMicsi2HGDY28ZCRaIP9ynR0amfOSGYJtgJryWkbf8CVaDAmA51W5yXRxKYrdwd7T22wAWeFdKIeItm51FXtlPwUZyyWlOtfdq3JE/vKRPk711wuS30VY8rObW49A10jqZzM6sJ7jKVf3b1RvjCVqd5xuPLLczhg3Ft5jmAOtY=,iv:Vv80TdEYIEKQ5HExJHImDlEVfPO4k7THdN6XH8dLJ6Q=,tag:vNoA9vFRRrTOJbq93W0Ldw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1

machines/dolomite/secrets/secrets.yaml

@@ -10,47 +10,47 @@ sops:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdCtZK2FVRTh3YVd3dm9m
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZUYrRUY0N3hOczFUR2Fq
-            ZWR5VVIvS3VOSGh2cmg2ZUFrYmNIdVNLSTNVCjlhVlJER1BZMlRUd1RkYnpvTE9F
+            amx5RHAwVnRoTStlTlJISkk5TUFCaDhuUGxjCmVYbExkK1AzbURVWXNvU0Zkcjg5
-            bExGa1NBWWR0enBmUFJYVVA4UlI1cUkKLS0tIC8wa3FGRnFldVdTdkpBb2xQc3BD
+            ZTlWK0ExVnNNWmxJMkxlcHkxd1MvWkkKLS0tIFY3a3FoNzl2bitYTTl1R1R4K3hz
-            cTlhNHplRUoyS3pxNnF0TVlFTy9kdzQK4kDSzSV4ZnELvCsajGwvsc/vzua2hbI1
+            ZlcxT243dzd0amlHSmpOc1AvakNjRlkKwT2hNwDsc3WZkJ05Qq8INnG9Ii0iswqT
-            Vht7rmZ8Dl4Y3xEIXG7XVnWK2GOblpqZ/eza1T6kWEkXp2uCdQnM6Q==
+            jnvMt9VTkZ8JHsq5vCaV+TtM3kswuw6hF9UoHdRM/JIvqMdPkXuZoQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1dVV0U3kwSmdnTU1HcGpr
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSzkzMmU2SUMvWXVFRHM4
-            U2FKZVV1c1R6a3ovRGxoOUlrcUNWUUFHN25ZClBBTUZGeTc0Tkx1OXdaK1p6aWpr
+            dWhsbEtFSUhHem1NZ1Q5aWJJWWlqelcyT2hBClRIeDE1M20vdm5rQnRvLzBGWnk3
-            aSsvN0ZDR1V3VnVrb1FBYzdHSTNXOVkKLS0tIFlSUk5LT1hVUUd1aVg1eVNTUURX
+            aFZ2MFlrUHRudSt5M1Rod3NrUS8rdkEKLS0tIHlPSFUvUC93WlU5dHdaV0R6dTFh
-            OXRVVmNRWEhmVXZkWC9HNTUyUTNrMlUK370K3D1vU97vHV9aGjYrFOIJzmOQAnzH
+            c203K2VHb2hsSTBjOWxpUStOQ2VYTFEKbDTeoUSBFWB3W/fxS471aTysahlQUJ6D
-            QR6XsOkM0FRvSkhTsEZ3qC4Wd2MTIyRzHYPKvZmz9LufIr1N/JFj1Q==
+            JvvUJL63Y2XpvCQVCduO+Kl9A7B7LGran+2SUzqHBisQyR2eUcg/HQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZDBtTWxZbGpZRlYvMnpE
+            MTNEQXZJdGRpMmV0azhXbE1UeWlqZjdKQlhFCkU4RlBZUmdpTC9TamVwREFnM1Nt
+            eDZ0SDRQUmMxYmJ1bnBSS29qNGQ4THMKLS0tIDhVMWJoWTNBWjAyMHc0K2Z5Zjhi
+            UkU5dEpjSGZKOERPR2hUQ1lBK1ZXSWsKo/76+/Iq9sxJGxuk81yMBaX+mg98FD8p
+            F/PY4/oJjaUmpErdrWuE7Tgjycx+DTSDJv1ESyvLC6NPnXTRlZgg6A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQT0YyeXI4d2o4V0lWUE4x
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjFsZ1o1alBIV2JkKy9j
-            ZXZWWDFiakdqNlU5RWt6QUdxYVRSZzQyZkZBCi9Tdm5wRXB2cTYxdnVYRXJaS0d0
+            ajArY1RydFllc1VLc3dQek5IcXNyWTIxNDBzCkhKYzdHSXowaGhnY2E5aVRPaDNJ
-            Lzg3VWpqQ1NOb1NTYXE4RGVRZVZoM1UKLS0tIFdGM01VU3FEc0ZyeEN3bVM1WEZq
+            M3NOZEd1UHg4MDd3YTNidld5UGhKYUUKLS0tIG9QVlV3UXNSSXp6L3djaXZjcTNL
-            M3BFa1hoWkQyRkJqSlZiTnBwQWphemcKLTAza2y96h+IyWB2EN6e4WIFQqeL5E7p
+            bmVYb1g3NnBOekZkUFNlOVZFY2N6YVUKsdTgykgHkFSQJfZeNJz2TkcDENg84plG
-            CDmHr+hSt6u9cr8C/etljxGMbKf9GqFOeuCyPugrJGdu4/qlR5iE0g==
+            zBqz6HP6AK6SBI7C/lPus0VXuzjDVDr29jvemBQ3cNBodc6yKyReAQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFa1RHN2s4ajYzZmwvUlN2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNUF4cWwrZ0Vlb0Nxbk0z
-            c05SdERTTEhPRnJWOUF6TExIMnBEZkVMb1I4CkxBeTRQWmZEOGNrcFlGV2wrMkhI
+            VnRucWJVK2h0MG13YVkyMlJNZ3RxRmJqUlRBCmxrckV1a0xnSEhvWUN4RmF2ZHBl
-            QnAwSzZPaWNWbmdnZmFjZVJyRVdzN2cKLS0tIHVMU3Z6a1MrV3BVV1hqbEdYODJu
+            VkFicWlnR0dvTmRBQ21NWVo4aFNQRmsKLS0tIEMxVGxTRHp6ZGJzYksxY1BUKzBh
-            cGgvNU05eGx4alRNT2d5MWp6Q3lWZDAKQ+D1niMzaso/lQwdmepvACF8/SDEt2mQ
+            Yk52TS81REhJd0lLRVpMZnhGMDRMK0UKzph2gK0LXqu44zQXGoGbyPjte2t4BqHE
-            7nTRVJIpjGPTxO4ezcQWUGej+BSEnOoZno3epoIXLNlwDnHOAawTWQ==
+            WAufrQiamOgA7TUZYlZApzYhEY6iIbs/t7BQPn/OKZwzRYdXnzxqiw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcHNReHZibVlrNUtncnl1
-            SzczRGVFdUNvcFdqeWpZUk5FL0hwOS9LT3l3CnFLdXozcUxXYUpjUXJZWEtjMXo3
-            d28reWd0Z1Y0NWdBTG1MTkRGSEphY2sKLS0tIGw5U3NiOU1DNitUd0x5SkJ3SHFj
-            RVpWNDNUb2d1SEZpQlFBK2tFVjFzU0kKtI7e+kkiBm1L/WzkBApRI8IIo3gHdrE1
-            fzR+sbYEHWf95iEmb/oGlH++TrFW/zRXEyWPAi4ORTs7s/Ql1UC4Wg==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-11-22T05:51:19Z"
     mac: ENC[AES256_GCM,data:LPUb7YbELPsgYX+LvfuGdiNG1B5ZrvyRVZL9UiMHoJMDHaWpDGCQkT1bk5jEOewwFh+StK560UsPK4uW0+SqADJO80rmM3xfqlp5Ul2HJ8mU19l5C6FLpv2REIzhCp333rNJJlyhn3H6GZgMaWnjjLSX9XMOVaq1iz6Qt0P76SI=,iv://EdDr5D51RFuucq8gkei2RC7H2bkRYxP/7lerp9dtk=,tag:JrRQ19sZ0OAZouMgOiU/tQ==,type:str]

machines/dolomite/secrets/sgp-00.yaml

@@ -0,0 +1,31 @@
+wg_private_key: ENC[AES256_GCM,data:UjxZ3iC5hxVcVJdEUJ3+myaQ/6MvghDw6eKa2flSuxMwFS31WB7r3evjlI0=,iv:BjgXCps6gx1ISghEO42x5aKb+c/n0P1V8FMVlPxAyLY=,tag:IkxCkpyVre+sFoBlRSFpMA==,type:str]
+wg_ipv6_local_addr: ENC[AES256_GCM,data:ejDYuZjZCKcsvyUUKdXtxgBqWloIwYHmpc/YwCYq7O2thsxvOou6iSHf,iv:HDrMlec4svxHpZXMyRDzpdSKeJbTmkZPd98SHv2ZLhQ=,tag:LjpapuaJ6sl4USZC8xEU5w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUkpVa0dCSE1rTjZpaWR1
+            cjJjc25iOEV4TnhQUWE4SjI4QWVZYXdVcHdBCkIrNlVrV2xJRURVSG9sUHozeE5s
+            NitsV1MvcENZTHhmU01CSTRVNENXUFEKLS0tIGgxakQ2cGIzdzg5QzRoT3ZSaXUx
+            TkN5MkNTNitWMzVKZWdhNGRIZ3VNNDgKQ6lwM6EowuGOrskUpwD8VGirravE+e3/
+            Hkv5jLvvfVjmg0kvKlNRotTHrRUGV04JsbW7T9FfbKyYpmEb6oCrsg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSUlkQzhYSGwyNnYvNHpQ
+            UktKOUZiYk56S0piVy9ZMFdYVFdsN1FEVkhVCnZETEM5MW84TlNpbm1hSXJtR2Yy
+            OEdrSi9lcmJOR2F1cUZqc0NyQjl4RDgKLS0tIHVLcnRicmVNd2MwVjB4cGFXTlBu
+            VkJCcXdqTkUzejNzSjIvV2YrVUc5Sm8KutTATsWJ5+yB/CFoGwTNshyI5LzwH4x5
+            i5EIIkVPdxSIHrXUp0j6+RPWMJvEOFIE3dVwxz+MxqqHqtmEny1WKA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-19T12:31:51Z"
+    mac: ENC[AES256_GCM,data:AY0/qJ1ZXv4mQlHnG3uY2zQ0FhIYjHBWKyXXpv2/Q6yZkuSu6nIQk039nd+nk7lczXy2cylTHyjYv5vDF6BJARhu4jeYov6yMqYR8ye8rXjZKcOfrN5yv7LV6jyuzBRBkCWTQsaoR8ycKHlrMe+vkAGu50epdAQjAG+Qv6RkBiM=,iv:dMi2CququdEIg+g8NMUb8ioKwEkUqTP+nrivtsUYUUY=,tag:drHI6oJUUwN3JadCHbWWkg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/dolomite/secrets/tok-00.yaml

@@ -0,0 +1,31 @@
+wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str]
+wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYTc2a2J3ZXRXTlRxQTAx
+            UjZVTTVPa0FjbS9jekI5eXhLOTdUQTlBS2pJCnVPL2Q1d05QR2NpTDVZeDFpSCs3
+            Yjh3aXkvdTBIOThVMGMzcUZmUWhtTjgKLS0tIFZvcy9zRVBRcDN0ekp0MEV5cEph
+            ZURTL3hnSHgwQTlSNklCK25icEM0SGsKq2jM6jXLfK38BgV0calwKLuHIcGw0zed
+            lT19Mt9jFsqmIkpJh1U9Ddpz63WND+7ruMdTZt6RWStIxww4m7pevg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSXBqdXcxUDNkS29Gd3ZY
+            dTA3bmNUVThtTFJtdnFpSjZQT01TTXhpYUc4CkFhcm14eUw1YXIyWEViMSsyc3pr
+            VUJqWWdHMCtoRGQ1T3dMQlg3ZTZ5dGMKLS0tIGQvbGpFZTdrVUFURE9tdENCZGwr
+            aDBKbitCTmhxNXVNRGh6TVBvbkNhTUEKIuj7B4RdueX7BfExgzVoo6YJf59GsUHa
+            j5kIJ5UeTqWEBGBaXcPjhHMEQjYqwSBsVz2XJmsxLhi8WxejLio8FA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-19T12:30:24Z"
+    mac: ENC[AES256_GCM,data:f+7+O2ZVSZJhr0fJlfO/AtZC2N/7gsNu1f4cnUoXYFb1wobyU6tLkbwGqeyIulokgIDAU5lJ62TJXAjybe+kE+PGtpr61KS7dyiO0LjzcT/X898oBYvJ9jtkuxDzKM4ve570U7ZmS7Jbxt2NJEkcBvSUJRdJHH5l0sDrvmW8cwY=,iv:mno6jVUDUWxsO353hbCqGub+NYfk0XFsWzmWCBUt6Gg=,tag:KOw7HTy+pETha5pzx5Pf8Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/massicot/secrets.yaml

@@ -7,8 +7,8 @@ miniflux:
 forgejo:
     env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
 restic:
-    repo_url: ENC[AES256_GCM,data:GMHbrjgwajnYSiqtoYaKiFT/aDWDwlzEkvMLPzYf7C9PvLr7T4zeWyAA9//8huldyxO3+nk6O9lR9ORZKZfb8/MYB7nRB03sZQ==,iv:6uBhsksOGDjoc13U2xWLz7I+0fzGRhnw0nStACqlnug=,tag:uhH28NYq+ly1bmCV/cpxkQ==,type:str]
+    repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str]
-    repo_password: ENC[AES256_GCM,data:jRHNgOk5ChWdqMKsd/V4Xg==,iv:wrgF5pau/RylG1nmJYmvrZ02o67qkkT5PrZAQlXb6Qo=,tag:X0WVpMqi8xeoATss/sSPMA==,type:str]
+    password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -33,8 +33,8 @@ sops:
             dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
             V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-28T03:57:35Z"
+    lastmodified: "2024-09-30T07:19:35Z"
-    mac: ENC[AES256_GCM,data:xjZrlwfWLtZNYfH+KiE2ICt9Jo4nx/LKaEYi/ECN/Od+ZTjety0V6RJ/RfmI6q3K1WMj0sAGc56hCZ0iOn25L8wK6dc14hZVoSwwbIiQ7hTQE5LcK+NbXNmy3r/YC855DHG9kE08eYGHdNcBbckZg3HhkHQ9UYS/Ox/QFFuBa5Q=,iv:N3AW+sr9ET3c/ArXr176haRewYFsfgsNn+hkC0MDJwA=,tag:SCikn+F8btuSBswV+oCdXg==,type:str]
+    mac: ENC[AES256_GCM,data:WSGvA1RkChrD07Sf4BFVMbdTXQYxAHeGGQ52e+pnPh0lZPOzMc9sLDrBPqDK2OfrHC+hK8RC7FxQTGs6G/oBB4nUzIZPn9WycTiU5elwWDfktizH0gr3EJDm7Gs+bTWQpwdoJZGZ8XErK+yegCaKL5cSOSTlBBbQOnZfnoNBg5c=,iv:xyJRFfxHC2xV0ro4CbdOPau1zORxA64OqpvKr4aFZvQ=,tag:c9NA90d5WTK2pfxwoyOX5A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.0

machines/massicot/services/restic.nix

@@ -12,26 +12,22 @@ let
 in
 {
   sops.secrets = {
-    "restic/repo_url" = {
+    "restic/repo" = {
       sopsFile = ../secrets.yaml;
     };
-    "restic/repo_password" = {
+    "restic/password" = {
       sopsFile = ../secrets.yaml;
     };
   };
 
   custom.restic = {
     enable = true;
+    repositoryFile = config.sops.secrets."restic/repo".path;
+    passwordFile = config.sops.secrets."restic/password".path;
     paths = [
       "/backup"
       "/mnt/storage"
     ];
-    backupPrepareCommand = [
-      (sqliteBackup "/var/lib/hedgedoc/db.sqlite" "/backup/hedgedoc" "db.sqlite")
-      (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3" "/backup/bitwarden_rs" "db.sqlite3")
-      (sqliteBackup "/var/lib/gotosocial/database.sqlite" "/backup/gotosocial" "database.sqlite")
-      (sqliteBackup "/var/lib/kanidm/kanidm.db" "/backup/kanidm" "kanidm.db")
-    ];
   };
 
   services.postgresqlBackup = {
@@ -42,6 +38,12 @@ in
   };
 
   services.restic.backups.${config.networking.hostName} = {
+    backupPrepareCommand = builtins.concatStringsSep "\n" [
+      (sqliteBackup "/var/lib/hedgedoc/db.sqlite" "/backup/hedgedoc" "db.sqlite")
+      (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3" "/backup/bitwarden_rs" "db.sqlite3")
+      (sqliteBackup "/var/lib/gotosocial/database.sqlite" "/backup/gotosocial" "database.sqlite")
+      (sqliteBackup "/var/lib/kanidm/kanidm.db" "/backup/kanidm" "kanidm.db")
+    ];
     extraBackupArgs = [
       "--limit-upload=1024"
     ];

machines/minimal/default.nix

@@ -1,25 +0,0 @@
-{
-  lib,
-  ...
-}:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  boot.initrd.availableKernelModules =
-    [
-    ];
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

machines/thorite/default.nix

@@ -1,29 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./hardware-configurations.nix
-  ];
-
-  networking.hostName = "thorite";
-  networking.useNetworkd = true;
-  systemd.network.enable = true;
-  systemd.network.networks."10-wan" = {
-    matchConfig.MACAddress = "00:51:d3:21:f3:28";
-    networkConfig = {
-      DHCP = "no";
-      Gateway = "23.165.200.1";
-    };
-    address = [ "23.165.200.99/24" ];
-  };
-
-  nixpkgs.system = "x86_64-linux";
-
-  system.stateVersion = "24.11";
-
-  commonSettings = {
-    auth.enable = true;
-    autoupgrade.enable = true;
-  };
-
-  users.users.root.hashedPassword = "$y$j9T$NToEZWJBONjSgRnMd9Ur9/$o6n7a9b8eUILQz4d37oiHCCVnDJ8hZTZt.c.37zFfU.";
-}

machines/thorite/hardware-configurations.nix

@@ -1,40 +0,0 @@
-{ config, modulesPath, ... }:
-{
-  imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
-  ];
-  disko.devices = {
-    disk = {
-      main = {
-        type = "disk";
-        device = "/dev/sda";
-        content = {
-          type = "gpt";
-          partitions = {
-            boot = config.diskPartitions.grubMbr;
-            root = config.diskPartitions.btrfs;
-          };
-        };
-      };
-    };
-  };
-  disko.devices.disk.main.imageSize = "10G";
-
-  boot.initrd.availableKernelModules = [
-    "uhci_hcd"
-    "virtio_scsi"
-    "sd_mod"
-    "sr_mod"
-    "ahci"
-    "ata_piix"
-    "virtio_pci"
-    "xen_blkfront"
-    "vmw_pvscsi"
-  ];
-
-  boot.loader.grub = {
-    enable = true;
-  };
-
-  boot.kernelModules = [ "kvm-intel" ];
-}

modules/home-manager/zellij.nix

@@ -18,17 +18,6 @@ in
     };
     xdg.configFile."zellij/config.kdl".text = ''
       keybinds {
-          shared {
-            bind "F1" { GoToTab 1; SwitchToMode "Normal"; }
-            bind "F2" { GoToTab 2; SwitchToMode "Normal"; }
-            bind "F3" { GoToTab 3; SwitchToMode "Normal"; }
-            bind "F4" { GoToTab 4; SwitchToMode "Normal"; }
-            bind "F5" { GoToTab 5; SwitchToMode "Normal"; }
-            bind "F6" { GoToTab 6; SwitchToMode "Normal"; }
-            bind "F7" { GoToTab 7; SwitchToMode "Normal"; }
-            bind "F8" { GoToTab 8; SwitchToMode "Normal"; }
-            bind "F9" { GoToTab 9; SwitchToMode "Normal"; }
-          }
           shared_except "pane" "locked" {
             bind "Ctrl b" { SwitchToMode "Pane"; }
           }

modules/nixos/common-settings/proxy-server.nix

@@ -9,7 +9,6 @@ let
     mkIf
     mkEnableOption
     mkOption
-    mkDefault
     types
     ;
 
@@ -128,7 +127,7 @@ in
     trojan = {
       port = mkOption {
         type = lib.types.port;
-        default = 8080;
+        default = cfg.trojan.port;
       };
     };
 
@@ -164,6 +163,11 @@ in
     ];
     networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
 
+    custom.prometheus = {
+      enable = true;
+      exporters.blackbox.enable = true;
+    };
+
     services.sing-box = {
       enable = true;
       settings = mkSingConfig {

modules/nixos/default.nix

@@ -4,7 +4,6 @@
     ./common-settings/autoupgrade.nix
     ./common-settings/nix-conf.nix
     ./common-settings/proxy-server.nix
-    ./disk-partitions
     ./restic.nix
     ./vaultwarden.nix
     ./prometheus

modules/nixos/disk-partitions/btrfs.nix

@@ -1,46 +0,0 @@
-{
-  size = "100%";
-  content = {
-    type = "btrfs";
-    extraArgs = [ "-f" ]; # Override existing partition
-    # Subvolumes must set a mountpoint in order to be mounted,
-    # unless their parent is mounted
-    subvolumes = {
-      # Subvolume name is different from mountpoint
-      "/rootfs" = {
-        mountpoint = "/";
-      };
-      # Subvolume name is the same as the mountpoint
-      "/home" = {
-        mountOptions = [ "compress=zstd" ];
-        mountpoint = "/home";
-      };
-      # Parent is not mounted so the mountpoint must be set
-      "/nix" = {
-        mountOptions = [
-          "compress=zstd"
-          "noatime"
-        ];
-        mountpoint = "/nix";
-      };
-      "/persistent" = {
-        mountOptions = [
-          "compress=zstd"
-          "noatime"
-          # Lots of dbs in /var/lib, let's disable cow
-          "nodatacow"
-        ];
-        mountpoint = "/var/lib";
-      };
-      # Subvolume for the swapfile
-      "/swap" = {
-        mountpoint = "/.swapvol";
-        swap = {
-          swapfile.size = "2G";
-        };
-      };
-    };
-
-    mountpoint = "/partition-root";
-  };
-}

modules/nixos/disk-partitions/default.nix

@@ -1,15 +0,0 @@
-{ lib, ... }:
-{
-  options = {
-    diskPartitions = lib.mkOption {
-      type = lib.types.attrs;
-      default = { };
-    };
-  };
-  config = {
-    diskPartitions = {
-      btrfs = import ./btrfs.nix;
-      grubMbr = import ./grub-mbr.nix;
-    };
-  };
-}

modules/nixos/disk-partitions/grub-mbr.nix

@@ -1,4 +0,0 @@
-{
-  size = "1M";
-  type = "EF02"; # for grub MBR
-}

modules/nixos/restic.nix

@@ -6,150 +6,63 @@
   ...
 }:
 let
-  inherit (lib)
-    mkEnableOption
-    mkOption
-    mkDefault
-    mkIf
-    types
-    getExe
-    ;
   cfg = config.custom.restic;
-  mapBtrfsRoots =
-    rootDir:
-    let
-      backupDir = lib.removeSuffix "/" "/backup${rootDir}";
-      slash = if rootDir == "/" then "" else "/";
-      awk = getExe pkgs.gawk;
-      continueIfInExclude = ''
-        exclude_subv="${toString cfg.btrfsExcludeSubvolume}"
-        found=false
-        for subv in $exclude_subv; do
-            if [[ "$subvol" == "$subv" ]]; then
-                found=true
-                echo "$subvol is in exclude subvolumes, skipped"
-                break
-            fi
-        done
-        $found && continue
-      '';
-    in
-    {
-      backupPrepareCommand = ''
-        echo "Creating snapshot for ${rootDir}"
-        subvolumes=$(${pkgs.btrfs-progs}/bin/btrfs subvolume list -o "${rootDir}" | ${awk} '{print $NF}')
-        mkdir -p "${backupDir}"
-        ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r "${rootDir}" "${backupDir}/rootfs"
-        for subvol in $subvolumes; do
-            ${continueIfInExclude}
-            [[ /"$subvol" == "${backupDir}"* ]] && continue
-
-            snapshot_path=$(dirname "${backupDir}/$subvol")
-            mkdir -p "$snapshot_path"
-
-            echo "Creating snapshot for subvolume: $subvol at $snapshot_path"
-            ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r "${rootDir}${slash}$subvol" "$snapshot_path"
-        done
-      '';
-
-      # Note that all the manually created snapshots under backupDir will also be cleaned
-      backupCleanupCommand = ''
-        # Only find snapshots under backup directory
-        subvolumes=$(${pkgs.btrfs-progs}/bin/btrfs subvolume list -s -o "${backupDir}" | ${awk} '{print $NF}')
-        for subvol in $subvolumes; do
-            echo "Removing snapshot for subvolume: $subvol"
-            ${pkgs.btrfs-progs}/bin/btrfs subvolume delete "$subvol"
-        done
-      '';
-    };
-
-  btrfsFs = lib.attrsets.filterAttrs (
-    n: v: v.fsType == "btrfs" && ((isNull cfg.btrfsRoots) || (builtins.elem n cfg.btrfsRoots))
-  ) config.fileSystems;
-  btrfsFsRoot = builtins.attrNames btrfsFs;
-  btrfsCommands = (map mapBtrfsRoots btrfsFsRoot);
 in
 {
   options = {
     custom.restic = {
-      enable = mkEnableOption "restic";
+      enable = lib.mkEnableOption "restic";
-      paths = mkOption {
+      paths = lib.mkOption {
-        type = types.listOf types.str;
+        type = lib.types.listOf lib.types.str;
         default = [
           "/home"
           "/var/lib"
         ];
       };
-      prune = mkEnableOption "auto prune remote restic repo";
+      prune = lib.mkEnableOption "auto prune remote restic repo";
-      btrfsRoots = mkOption {
+      repositoryFile = lib.mkOption {
-        type = types.nullOr (types.listOf types.str);
+        type = lib.types.str;
-        default = [ "/" ];
+        default = "";
-        description = ''
-          Includeded btrfs roots. `null` means snapshot all btrfs filesystems under config.fileSystems.
-        '';
       };
-      btrfsExcludeSubvolume = mkOption {
+      passwordFile = lib.mkOption {
-        type = types.listOf types.str;
+        type = lib.types.str;
-        default = [
+        default = "";
-          "nix"
-          "rootfs"
-          "swap"
-          "var/tmp"
-        ];
-        example = lib.literalExpression ''
-          [ "var/tmp" "srv" ]
-        '';
-      };
-      backupPrepareCommand = mkOption {
-        type = types.listOf types.str;
-      };
-      backupCleanupCommand = mkOption {
-        type = types.listOf types.str;
       };
     };
   };
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
-    services.restic.backups.${config.networking.hostName} = {
+    services.restic.backups.${config.networking.hostName} = lib.mkMerge [
-      repositoryFile = config.sops.secrets."restic/repo_url".path;
+      {
-      passwordFile = config.sops.secrets."restic/repo_password".path;
+        repositoryFile = cfg.repositoryFile;
-      exclude = [
+        passwordFile = cfg.passwordFile;
-        "**/.cache"
+        exclude = [
-        "**/.local/share/Steam"
+          "/home/*/.cache"
-        "**/.local/share/flatpak"
+          "/home/*/.cargo"
-
+          "/home/*/.local/share/Steam"
-        "**/.cargo"
+          "/home/*/.local/share/flatpak"
-        "**/.rustup"
+        ];
-
+        timerConfig = {
-        "**/node_modules"
+          OnCalendar = "00:05";
-
+          RandomizedDelaySec = "5h";
-        "*.pyc"
+        };
-        "*.pyo"
+        pruneOpts = lib.mkIf cfg.prune [
-        "**/__pycache__"
+          "--keep-daily 7"
-        "**/.virtualenvs"
+          "--keep-weekly 5"
-        "**/.venv"
+          "--keep-monthly 12"
-
+          "--keep-yearly 75"
-        # temp files / lock files
+        ];
-        "*.sqlite-wal"
+        paths = lib.mkDefault cfg.paths;
-        "*.sqlite-shm"
+        initialize = true;
-        "*.db-wal"
+      }
-        "*.db-shm"
+      (lib.mkIf (config.fileSystems."/".fsType == "btrfs") {
-      ];
+        backupPrepareCommand = ''
-      timerConfig = {
+          ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r / backup
-        OnCalendar = "00:05";
+        '';
-        RandomizedDelaySec = "5h";
+        backupCleanupCommand = ''
-      };
+          ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup 
-      pruneOpts = mkIf cfg.prune [
+        '';
-        "--keep-daily 7"
+        paths = map (p: "/backup" + p) cfg.paths;
-        "--keep-weekly 5"
+      })
-        "--keep-monthly 12"
+    ];
-        "--keep-yearly 75"
-      ];
-      paths = mkDefault cfg.paths;
-      initialize = true;
-      backupPrepareCommand = lib.strings.concatLines cfg.backupPrepareCommand;
-      backupCleanupCommand = lib.strings.concatLines cfg.backupCleanupCommand;
-    };
-    custom.restic.backupPrepareCommand = map (x: x.backupPrepareCommand) btrfsCommands;
-    custom.restic.backupCleanupCommand = map (x: x.backupCleanupCommand) btrfsCommands;
   };
 }