snapshot

2024-12-01 04:05:16 +01:00 · 2024-12-01 04:05:16 +01:00 · 0968b6f955
parent 47036cde64
commit 0968b6f955
57 changed files with 426 additions and 86 deletions
--- a/classes/desktop/clipboard.nix
+++ b/classes/desktop/clipboard.nix
@ -0,0 +1,3 @@
+{pkgs, ...}: {
+  environment.systemPackages = [pkgs.wl-clipboard];
+}
--- a/classes/desktop/flatpak.nix
+++ b/classes/desktop/flatpak.nix
@ -0,0 +1,3 @@
+{
+  services.flatpak.enable = true;
+}
--- a/classes/desktop/fonts.nix
+++ b/classes/desktop/fonts.nix
@ -0,0 +1,27 @@
+{pkgs, ...}: {
+  fonts = {
+    enableDefaultPackages = true;
+    packages = [
+      pkgs.noto-fonts
+      pkgs.noto-fonts-extra
+      pkgs.noto-fonts-cjk-sans
+      pkgs.noto-fonts-cjk-serif
+      pkgs.noto-fonts-monochrome-emoji
+      pkgs.noto-fonts-color-emoji
+      (pkgs.nerdfonts.override {fonts = ["FiraCode"];})
+    ];
+
+    fontconfig = {
+      enable = true;
+
+      defaultFonts = {
+        monospace = ["FiraCode Nerd Font"];
+        sansSerif = ["Noto Sans"];
+        serif = ["Noto Serif"];
+        emoji = ["Noto Color Emoji" "Noto Emoji"];
+      };
+    };
+
+    fontDir.enable = true;
+  };
+}
--- a/classes/desktop/fs.nix
+++ b/classes/desktop/fs.nix
@ -0,0 +1,15 @@
+{
+  boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
+
+  fileSystems = {
+    "/" = {
+      fsType = "ext4";
+      device = "/dev/mapper/main";
+      options = ["noatime"];
+    };
+    "/boot" = {
+      label = "BOOT";
+      fsType = "vfat";
+    };
+  };
+}
--- a/classes/desktop/gamemode.nix
+++ b/classes/desktop/gamemode.nix
@ -0,0 +1,18 @@
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  programs.gamemode = {
+    enable = true;
+    settings = {
+      general = {
+        renice = 10;
+      };
+      custom = {
+        start = "${lib.getExe pkgs.libnotify} 'GameMode started'";
+        end = "${lib.getExe pkgs.libnotify} 'GameMode stopped'";
+      };
+    };
+  };
+}
--- a/classes/desktop/hardware.nix
+++ b/classes/desktop/hardware.nix
@ -0,0 +1,20 @@
+{pkgs, ...}: {
+  hardware = {
+    bluetooth.enable = true;
+    xone.enable = true;
+    xpadneo.enable = true;
+    opentabletdriver.enable = true;
+    graphics = {
+      enable = true;
+      enable32Bit = true;
+      extraPackages = [
+        pkgs.libvdpau-va-gl
+        pkgs.vaapiVdpau
+      ];
+      extraPackages32 = [
+        pkgs.pkgsi686Linux.libvdpau-va-gl
+        pkgs.pkgsi686Linux.vaapiVdpau
+      ];
+    };
+  };
+}
--- a/classes/desktop/location.nix
+++ b/classes/desktop/location.nix
@ -0,0 +1,5 @@
+{
+  location.provider = "geoclue2";
+
+  services.automatic-timezoned.enable = true;
+}
--- a/classes/desktop/mullvad.nix
+++ b/classes/desktop/mullvad.nix
@ -0,0 +1,6 @@
+{pkgs, ...}: {
+  services.mullvad-vpn = {
+    enable = true;
+    package = pkgs.mullvad-vpn;
+  };
+}
--- a/classes/desktop/neovide.nix
+++ b/classes/desktop/neovide.nix
@ -0,0 +1,5 @@
+{pkgs, ...}: let
+  package = pkgs.neovide;
+in {
+  environment.systemPackages = [package];
+}
--- a/classes/desktop/networking.nix
+++ b/classes/desktop/networking.nix
@ -0,0 +1,37 @@
+{
+  services.resolved.enable = true;
+
+  networking = {
+    networkmanager = {
+      enable = true;
+      dns = "systemd-resolved";
+    };
+    firewall = {
+      allowedTCPPorts = [
+        # Spotify track sync
+        57621
+        # Steam Remote Play
+        27036
+        # Source Dedicated Server SRCDS Rcon port
+        27015
+        # Syncthing TCP based sync protocol traffic
+        22000
+      ];
+      allowedUDPPorts = [
+        # Source Dedicated Server gameplay traffic
+        27015
+        # Syncthing QUIC based sync protocol traffic
+        22000
+        # Syncthing port for discovery broadcasts on IPv4 and multicasts on IPv6
+        21027
+      ];
+      allowedUDPPortRanges = [
+        # Steam Remote Play
+        {
+          from = 27031;
+          to = 27036;
+        }
+      ];
+    };
+  };
+}
--- a/classes/desktop/pipewire.nix
+++ b/classes/desktop/pipewire.nix
@ -0,0 +1,12 @@
+{
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+
+  services.pipewire = {
+    enable = true;
+    wireplumber.enable = true;
+    alsa.enable = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+}
--- a/classes/desktop/plasma.nix
+++ b/classes/desktop/plasma.nix
@ -0,0 +1,25 @@
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  services = {
+    desktopManager.plasma6.enable = true;
+    displayManager.sddm = {
+      enable = true;
+      wayland.enable = true;
+    };
+  };
+
+  environment.systemPackages = with pkgs.kdePackages; [sddm-kcm discover kate];
+
+  programs = {
+    kdeconnect.enable = true;
+    partition-manager.enable = true;
+  };
+
+  xdg.portal = {
+    xdgOpenUsePortal = true;
+    extraPortals = [pkgs.xdg-desktop-portal-gtk];
+  };
+}
--- a/classes/desktop/printing.nix
+++ b/classes/desktop/printing.nix
@ -0,0 +1,10 @@
+{
+  services = {
+    printing = {
+      enable = true;
+      webInterface = true;
+      cups-pdf.enable = true;
+    };
+    system-config-printer.enable = true;
+  };
+}
--- a/classes/desktop/syncthing.nix
+++ b/classes/desktop/syncthing.nix
@ -0,0 +1,9 @@
+{
+  services.syncthing = {
+    enable = true;
+    overrideDevices = false;
+    overrideFolders = false;
+  };
+
+  systemd.user.services.syncthing.wantedBy = ["default.target"];
+}
--- a/classes/desktop/vm.nix
+++ b/classes/desktop/vm.nix
@ -0,0 +1,4 @@
+{
+  virtualisation.libvirtd.enable = true;
+  programs.virt-manager.enable = true;
+}
--- a/classes/desktop/wine.nix
+++ b/classes/desktop/wine.nix
@ -0,0 +1,3 @@
+{pkgs, ...}: {
+  environment.systemPackages = [pkgs.wineWowPackages.stableFull];
+}
--- a/classes/server/fs.nix
+++ b/classes/server/fs.nix
@ -1,6 +1,4 @@
 {
-  boot.tmp.cleanOnBoot = true;
-
  fileSystems = {
    "/" = {
      fsType = "ext4";
--- a/classes/server/time.nix
+++ b/classes/server/time.nix
--- a/common/boot.nix
+++ b/common/boot.nix
@ -11,5 +11,6 @@
        efiSysMountPoint = "/boot";
      };
    };
+    tmp.cleanOnBoot = true;
  };
 }
--- a/common/fish.nix
+++ b/common/fish.nix
@ -0,0 +1,15 @@
+{pkgs, ...}: {
+  programs.fish.enable = true;
+
+  users.defaultUserShell = pkgs.fish;
+
+  nixpkgs.overlays = [
+    (final: prev: {
+      fish = prev.fish.overrideAttrs (_: {
+        postInstall = ''
+          rm $out/share/applications/fish.desktop
+        '';
+      });
+    })
+  ];
+}
--- a/common/user.nix
+++ b/common/user.nix
@ -0,0 +1,13 @@
+{lib, ...}: let
+  inherit (lib) types;
+in {
+  options = {
+    users.mainUser = lib.mkOption {
+      type = types.passwdEntry types.str;
+      default = "lukas";
+      description = ''
+        The main user.
+      '';
+    };
+  };
+}
--- a/common/users.nix
+++ b/common/users.nix
@ -1,5 +1,11 @@
-{config, ...}: {
-  age.secrets.user-lukas.file = ../secrets/user-lukas.age;
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (config.users) mainUser;
+in {
+  age.secrets = lib.mkSecrets {"user-${mainUser}" = {};};

  users = {
    mutableUsers = false;
@ -9,10 +15,10 @@
        hashedPassword = "!";
        openssh.authorizedKeys.keys = builtins.attrValues (import ../pubkeys.nix).hosts;
      };
-      lukas = {
+      ${mainUser} = {
        uid = 1000;
        isNormalUser = true;
-        hashedPasswordFile = config.age.secrets.user-lukas.path;
+        hashedPasswordFile = config.age.secrets."user-${mainUser}".path;
        openssh.authorizedKeys.keys = builtins.attrValues (import ../pubkeys.nix).users;
        extraGroups = ["wheel"];
      };
--- a/flake.lock
+++ b/flake.lock
@ -48,11 +48,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1727826117,
-        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
@ -63,11 +63,11 @@
    },
    "hardware": {
      "locked": {
-        "lastModified": 1729742320,
-        "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
+        "lastModified": 1732483221,
+        "narHash": "sha256-kF6rDeCshoCgmQz+7uiuPdREVFuzhIorGOoPXMalL2U=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
+        "rev": "45348ad6fb8ac0e8415f6e5e96efe47dd7f39405",
        "type": "github"
      },
      "original": {
@ -115,23 +115,23 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1727825735,
-        "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+        "lastModified": 1730504152,
+        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      }
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1729880355,
-        "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=",
+        "lastModified": 1732837521,
+        "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "18536bf04cd71abd345f9579158841376fdd0c5a",
+        "rev": "970e93b9f82e2a0f3675757eb0bfc73297cc6370",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -16,35 +16,17 @@
    flake-parts.lib.mkFlake {inherit inputs;} {
      systems = ["x86_64-linux" "aarch64-linux"];

-      flake = {
-        nixosConfigurations = let
-          lib = nixpkgs.lib.extend (import ./lib.nix);
+      flake = let
+        lib = nixpkgs.lib.extend (import ./lib.nix);
+      in {
+        inherit lib;

-          commonNixosSystem = name:
-            lib.nixosSystem {
-              specialArgs = {
-                inherit inputs lib;
-                attrName = name;
-              };
-
-              modules =
-                (lib.findModules [
-                  ./common
-                  ./hosts/${name}
-                ])
-                ++ [
-                  inputs.agenix.nixosModules.default
-                  {networking.hostName = lib.mkDefault name;}
-                ];
-            };
-
-          genHosts = lib.pipe (builtins.readDir ./hosts) [
-            (lib.filterAttrs (_: type: type == "directory"))
-            builtins.attrNames
-            lib.genAttrs
+        nixosConfigurations = lib.genNixosConfigurations {
+          inherit inputs;
+          extraModules = [
+            inputs.agenix.nixosModules.default
          ];
-        in
-          genHosts commonNixosSystem;
+        };
      };

      perSystem = {
--- a/hosts/desktop/flamingo/hardware.nix
+++ b/hosts/desktop/flamingo/hardware.nix
@ -0,0 +1,23 @@
+{
+  inputs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    "${modulesPath}/installer/scan/not-detected.nix"
+
+    inputs.hardware.nixosModules.lenovo-thinkpad-t480
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot = {
+    initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
+    kernelModules = ["kvm-intel"];
+  };
+
+  powerManagement.cpuFreqGovernor = "powersave";
+
+  console.keyMap = "de";
+  services.xserver.layout = "de";
+}
--- a/hosts/desktop/flamingo/system.nix
+++ b/hosts/desktop/flamingo/system.nix
@ -0,0 +1,3 @@
+{
+  system.stateVersion = "24.11";
+}
--- a/hosts/desktop/glacier/hardware.nix
+++ b/hosts/desktop/glacier/hardware.nix
@ -0,0 +1,26 @@
+{
+  inputs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    "${modulesPath}/installer/scan/not-detected.nix"
+
+    inputs.hardware.nixosModules.common-cpu-amd
+    inputs.hardware.nixosModules.common-gpu-amd
+    inputs.hardware.nixosModules.common-pc-ssd
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
+      kernelModules = ["amdgpu"];
+    };
+    kernelModules = ["kvm-amd"];
+    binfmt.emulatedSystems = ["aarch64-linux"];
+  };
+
+  powerManagement.cpuFreqGovernor = "performance";
+}
--- a/hosts/desktop/glacier/system.nix
+++ b/hosts/desktop/glacier/system.nix
@ -0,0 +1,3 @@
+{
+  system.stateVersion = "24.11";
+}
--- a/hosts/server/abacus/acme.nix
+++ b/hosts/server/abacus/acme.nix
--- a/hosts/server/abacus/backup.nix
+++ b/hosts/server/abacus/backup.nix
@ -1,9 +1,10 @@
 {
  attrName,
  config,
+  lib,
  ...
 }: {
-  age.secrets."restic-${attrName}".file = ../../secrets/restic-${attrName}.age;
+  age.secrets = lib.mkSecrets {"restic-${attrName}" = {};};

  services.restic.backups.${attrName} = {
    repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
--- a/hosts/server/abacus/fs.nix
+++ b/hosts/server/abacus/fs.nix
--- a/hosts/server/abacus/hardware.nix
+++ b/hosts/server/abacus/hardware.nix
@ -0,0 +1,9 @@
+{modulesPath, ...}: {
+  imports = ["${modulesPath}/profiles/qemu-guest.nix"];
+
+  nixpkgs.hostPlatform = "aarch64-linux";
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"];
+
+  powerManagement.cpuFreqGovernor = "performance";
+}
--- a/hosts/server/abacus/microbin.nix
+++ b/hosts/server/abacus/microbin.nix
@ -6,7 +6,7 @@
  inherit (config.networking) domain;
  virtualHostName = "bin.${domain}";
 in {
-  age.secrets.microbin.file = ../../secrets/microbin.age;
+  age.secrets = lib.mkSecrets {microbin = {};};

  services.microbin = {
    enable = true;
@ -23,10 +23,10 @@ in {
      MICROBIN_ETERNAL_PASTA = true;
      MICROBIN_HIGHLIGHTSYNTAX = true;
      MICROBIN_PRIVATE = true;
-      MICROBIN_ENABLE_BURN_AFTER=true;
+      MICROBIN_ENABLE_BURN_AFTER = true;
      MICROBIN_QR = true;
-      MICROBIN_NO_FILE_UPLOAD=false;
-      MICROBIN_ENCRYPTION_CLIENT_SIDE=true;
+      MICROBIN_NO_FILE_UPLOAD = false;
+      MICROBIN_ENCRYPTION_CLIENT_SIDE = true;

      MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB = 1024;
      MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB = 4096;
--- a/hosts/server/abacus/miniflux.nix
+++ b/hosts/server/abacus/miniflux.nix
@ -1,8 +1,12 @@
-{config, ...}: let
+{
+  config,
+  lib,
+  ...
+}: let
  inherit (config.networking) domain;
  virtualHostName = "flux.${domain}";
 in {
-  age.secrets.miniflux.file = ../../secrets/miniflux.age;
+  age.secrets = lib.mkSecrets {miniflux = {};};

  services.miniflux = {
    enable = true;
--- a/hosts/server/abacus/navidrome.nix
+++ b/hosts/server/abacus/navidrome.nix
--- a/hosts/server/abacus/networking.nix
+++ b/hosts/server/abacus/networking.nix
@ -1,14 +1,4 @@
-{modulesPath, ...}: {
-  imports = ["${modulesPath}/profiles/qemu-guest.nix"];
-
-  nixpkgs.hostPlatform = "aarch64-linux";
-
-  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"];
-
-  system.stateVersion = "24.11";
-
-  powerManagement.cpuFreqGovernor = "performance";
-
+{
  networking = let
    interface = "enp1s0";
  in {
--- a/hosts/server/abacus/nginx.nix
+++ b/hosts/server/abacus/nginx.nix
--- a/hosts/server/abacus/static.nix
+++ b/hosts/server/abacus/static.nix
@ -22,7 +22,7 @@ in
        };

        systemd.tmpfiles.settings."10-static-sites".${root}.d = {
-          user = "lukas";
+          user = config.users.mainUser;
          group = "users";
          mode = "0755";
        };
--- a/hosts/server/abacus/syncthing.nix
+++ b/hosts/server/abacus/syncthing.nix
--- a/hosts/server/abacus/system.nix
+++ b/hosts/server/abacus/system.nix
@ -0,0 +1,3 @@
+{
+  system.stateVersion = "24.11";
+}
--- a/hosts/server/abacus/vaultwarden.nix
+++ b/hosts/server/abacus/vaultwarden.nix
@ -7,7 +7,7 @@
  virtualHostName = "vault.${domain}";
  backupDir = "/srv/backup/vaultwarden";
 in {
-  age.secrets.vaultwarden.file = ../../secrets/vaultwarden.age;
+  age.secrets = lib.mkSecrets {vaultwarden = {};};

  services.vaultwarden = {
    enable = true;
--- a/hosts/server/vessel/audiocomp.nix
+++ b/hosts/server/vessel/audiocomp.nix
--- a/hosts/server/vessel/backup.nix
+++ b/hosts/server/vessel/backup.nix
@ -40,7 +40,7 @@ in {
    }
  ) (lib.attrNames backups));

-  age.secrets."restic-${attrName}".file = ../../secrets/restic-${attrName}.age;
+  age.secrets = lib.mkSecrets {"restic-${attrName}" = {};};

  services.restic.backups.${attrName} = {
    repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
--- a/hosts/server/vessel/blocky.nix
+++ b/hosts/server/vessel/blocky.nix
--- a/hosts/server/vessel/fs.nix
+++ b/hosts/server/vessel/fs.nix
--- a/hosts/server/vessel/hardware.nix
+++ b/hosts/server/vessel/hardware.nix
@ -18,7 +18,5 @@
    kernelModules = ["kvm-intel"];
  };

-  system.stateVersion = "24.11";
-
  powerManagement.cpuFreqGovernor = "powersave";
 }
--- a/hosts/server/vessel/storage.nix
+++ b/hosts/server/vessel/storage.nix
--- a/hosts/server/vessel/syncthing.nix
+++ b/hosts/server/vessel/syncthing.nix
--- a/hosts/server/vessel/system.nix
+++ b/hosts/server/vessel/system.nix
@ -0,0 +1,3 @@
+{
+  system.stateVersion = "24.11";
+}
--- a/lib.nix
+++ b/lib.nix
@ -13,4 +13,63 @@ lib: _: {
    host,
    port,
  }: "${host}:${builtins.toString port}";
+
+  mkSecrets = secrets: let
+    mkSecret = {
+      name,
+      secret,
+    }:
+      secret
+      // {
+        file = ./secrets/${name}.age;
+      };
+  in
+    builtins.mapAttrs (name: secret: mkSecret {inherit name secret;}) secrets;
+
+  genNixosConfigurations = {
+    inputs,
+    extraModules,
+  }: let
+    commonDir = ./common;
+    classesDir = ./classes;
+    hostsDir = ./hosts;
+
+    commonNixosSystem = {
+      class,
+      name,
+    }:
+      lib.nixosSystem {
+        specialArgs = {
+          inherit inputs lib;
+          attrName = name;
+        };
+
+        modules =
+          (lib.findModules [
+            commonDir
+            ./classes/${class}
+            (classesDir + "/${class}")
+            (hostsDir + "/${class}/${name}")
+          ])
+          ++ [
+            {networking.hostName = lib.mkDefault name;}
+          ]
+          ++ extraModules;
+      };
+
+    dirsIn = dir:
+      lib.pipe (builtins.readDir dir) [
+        (lib.filterAttrs (_: type: type == "directory"))
+        builtins.attrNames
+      ];
+  in
+    lib.pipe (dirsIn hostsDir) [
+      (classes:
+        builtins.concatMap (
+          class: map (name: {inherit class name;}) (dirsIn (hostsDir + "/${class}"))
+        )
+        classes)
+      (map (obj: lib.nameValuePair obj.name (commonNixosSystem obj)))
+      builtins.listToAttrs
+    ];
 }
--- a/pubkeys.nix
+++ b/pubkeys.nix
@ -5,7 +5,9 @@
  };

  hosts = {
+    glacier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrKpoDV/ImivtTZVbSsQ59IbGYVvSsKls4av2Zc9Nk8";
    abacus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHoUgClpkOlBEffQOb9KkVn970RwnIhU0OiVr7P2WVzg";
    vessel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkYcOb1JPNLTJtob1TcuC08cH9P2APAhLR26RYd573d";
+    flamingo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInV+UpCZhoTwgkgnCzCPEu3TD5b5mu6tagRslljrFJ/";
  };
 }
--- a/secrets/microbin.age
+++ b/secrets/microbin.age
--- a/secrets/miniflux.age
+++ b/secrets/miniflux.age
@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 SFHVrw 7IUsgabq/d+4prqwDCSwfrVvEEhp4nVYRvlYtBaReEY
-OgSjIcOOnzIzRphDnpUOdisOxhfou9cQ2xPD7LxPkD8
-> ssh-ed25519 S+dwQQ XgeEXzPoIW/AbGN5Mj+Z9QV/xmjqybEVgQ0lpFov4GI
-n4v/ulFqPZcCj9Z0V/rpXLgO9V1KEx5XkctB+UQX7gM
-> ssh-ed25519 ffmsLw KE3L3CV3hBXZZ0Uup6ggdO0JNgQZNwRW1bgLQu59CQE
-KkZK1aZ740LPYKblEINVwNrThrMKiI85xvu2Zj2wfzw
--- Hhtrr0g6S2TYjX6bIT0pmpRF6Gr/HazJXo6uuoeVh+M
-ì)0QV‚æ
çª[’Ø:óåìæ^õ¶£ÜUj÷®Ò†÷Ñ3ÐC—o§{!S;š»˜ós<ŒGf³w#{<1F>%d÷Ñ M¾Q’]¶~Zpôý‡ÆzÖ¿¥2
+-> ssh-ed25519 SFHVrw 7n/cv5G7okGi5Hd+rkniHQCUgcCK0Yg9yuzpjrN05Ww
+jb4Z4oP5CblZQFS+n3bBSRhvCc/5EPS6vLA9AT5jyo8
+-> ssh-ed25519 S+dwQQ HUSchkkcUVHzKeuu5WFHs8jUc0zILPmdFBl4LUX4M2w
+uDzKbQU/4yaRB0nXyKEex8KH00RGjKW6BK18+J/yn8c
+-> ssh-ed25519 ffmsLw K0foK6dte+zZqImHL4kLfCkhMHlKLEQEfbCxLQIbKxk
+s+Rf6+Ro6tJkrAFzj1h/4yqHvbYfpxEgUMSt4nqmkUw
+--- AJdGEnKHCGfNINBQ44TjyP93mA+Os6H6p/Q41PKGmuE
+…ª¼PpgcÖª%i´@).ŸqHj£BÀã”—Ð*‡Wsî%Jc=¶èOAcl<ìü¬b„ÁÇÇ®¶ø¼TäKªûQ®^MQÒ¼n¦vEÚ
›1[nûÓý_
--- a/secrets/restic-abacus.age
+++ b/secrets/restic-abacus.age
--- a/secrets/restic-vessel.age
+++ b/secrets/restic-vessel.age
@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 SFHVrw GIDp7q94BIYpC3rBG75QUFO5kfeyD/6K4G6TfVwWJXg
-BnVU8spAlE23pu6yV29I423tsJASxkLC6TGJ2aEAbnw
-> ssh-ed25519 S+dwQQ d4iYbW/SrgO+SZQhULUHC6eBocihdzgwM6OKu6XJkmw
-PaEV2ILDpXCrFPNxlxtW/ycKAb2rHJHLAx23pOtiEpo
-> ssh-ed25519 Sm0lOA kzHXpk3nBINMjCJi3M/KzKFkLk2Dl2acrEMbdqg3d2s
-q/9mc7sqXfP+UTz3teyzPW8zSHapFijFiH2TzghsSG0
--- 41oc9HNIK12x4QPE3yy8uw247yyJZ59A/G1So2t61vc
-_Ë²×}lùýçÆ?äI4ânˆ$¤¦p30lƒIXe
-s÷5ßñ‹Pµó•ó
+-> ssh-ed25519 SFHVrw T90IpkfLUbCrEQEOvErDVp/uv36oCPfZ5QthIEz1uG4
+6ge0ldLTgXJOgBabC2VzElNYg/CpWssd+smNo3JTgBA
+-> ssh-ed25519 S+dwQQ qJrUqmj66/eDDvYPbcohc+IA3YwhDDOyfCwxI4jLxUI
+yDFBlLTSfJXzvvGhW2DbJVCIRYQDEL9WML1EaUAtXNI
+-> ssh-ed25519 Sm0lOA cEd39ojIF4yab0JWV/poybmF4kH6ub9/tTXRXLS0ghU
+rA5GqgeruK6Tscay6EnBdHmM5edR0kF4cg+iGPAZuTc
+--- 0CvvxtMR1IyIhsNNdwAuh5SWqwEbCtIVPi/K0yeheLM
+<EFBFBD>¿okjÊ2dâBüÑ¿gŽ¾ÉìËez™.ÅK@r½wÁ{ŠÁ¨Œæ·S¯zjWå
--- a/secrets/user-lukas.age
+++ b/secrets/user-lukas.age
--- a/secrets/vaultwarden.age
+++ b/secrets/vaultwarden.age