From 0968b6f955abbea34468db3c254b4c1a54e2a785 Mon Sep 17 00:00:00 2001 
From: Lukas Wurzinger Date: Sun, 1 Dec 2024 04:05:16 +0100 Subject: [PATCH] snapshot --- classes/desktop/clipboard.nix | 3 + classes/desktop/flatpak.nix | 3 + classes/desktop/fonts.nix | 27 ++++++++ classes/desktop/fs.nix | 15 +++++ classes/desktop/gamemode.nix | 18 ++++++ classes/desktop/hardware.nix | 20 ++++++ classes/desktop/location.nix | 5 ++ classes/desktop/mullvad.nix | 6 ++ classes/desktop/neovide.nix | 5 ++ classes/desktop/networking.nix | 37 +++++++++++ classes/desktop/pipewire.nix | 12 ++++ classes/desktop/plasma.nix | 25 ++++++++ classes/desktop/printing.nix | 10 +++ classes/desktop/syncthing.nix | 9 +++ classes/desktop/vm.nix | 4 ++ classes/desktop/wine.nix | 3 + {common => classes/server}/fs.nix | 2 - {common => classes/server}/time.nix | 0 common/boot.nix | 1 + common/fish.nix | 15 +++++ common/user.nix | 13 ++++ common/users.nix | 14 +++-- flake.lock | 26 ++++---- flake.nix | 36 +++-------- hosts/desktop/flamingo/hardware.nix | 23 +++++++ hosts/desktop/flamingo/system.nix | 3 + hosts/desktop/glacier/hardware.nix | 26 ++++++++ hosts/desktop/glacier/system.nix | 3 + hosts/{ => server}/abacus/acme.nix | 0 hosts/{ => server}/abacus/backup.nix | 3 +- hosts/{ => server}/abacus/fs.nix | 0 hosts/server/abacus/hardware.nix | 9 +++ hosts/{ => server}/abacus/microbin.nix | 8 +-- hosts/{ => server}/abacus/miniflux.nix | 8 ++- hosts/{ => server}/abacus/navidrome.nix | 0 .../abacus/networking.nix} | 12 +--- hosts/{ => server}/abacus/nginx.nix | 0 hosts/{ => server}/abacus/static.nix | 2 +- hosts/{ => server}/abacus/syncthing.nix | 0 hosts/server/abacus/system.nix | 3 + hosts/{ => server}/abacus/vaultwarden.nix | 2 +- hosts/{ => server}/vessel/audiocomp.nix | 0 hosts/{ => server}/vessel/backup.nix | 2 +- hosts/{ => server}/vessel/blocky.nix | 0 hosts/{ => server}/vessel/fs.nix | 0 hosts/{ => server}/vessel/hardware.nix | 2 - hosts/{ => server}/vessel/storage.nix | 0 hosts/{ => server}/vessel/syncthing.nix | 0 hosts/server/vessel/system.nix | 3 + lib.nix | 59 
++++++++++++++++++ pubkeys.nix | 2 + secrets/microbin.age | Bin 553 -> 553 bytes secrets/miniflux.age | 16 ++--- secrets/restic-abacus.age | Bin 449 -> 449 bytes secrets/restic-vessel.age | 17 +++-- secrets/user-lukas.age | Bin 648 -> 868 bytes secrets/vaultwarden.age | Bin 757 -> 757 bytes 57 files changed, 426 insertions(+), 86 deletions(-) create mode 100644 classes/desktop/clipboard.nix create mode 100644 classes/desktop/flatpak.nix create mode 100644 classes/desktop/fonts.nix create mode 100644 classes/desktop/fs.nix create mode 100644 classes/desktop/gamemode.nix create mode 100644 classes/desktop/hardware.nix create mode 100644 classes/desktop/location.nix create mode 100644 classes/desktop/mullvad.nix create mode 100644 classes/desktop/neovide.nix create mode 100644 classes/desktop/networking.nix create mode 100644 classes/desktop/pipewire.nix create mode 100644 classes/desktop/plasma.nix create mode 100644 classes/desktop/printing.nix create mode 100644 classes/desktop/syncthing.nix create mode 100644 classes/desktop/vm.nix create mode 100644 classes/desktop/wine.nix rename {common => classes/server}/fs.nix (85%) rename {common => classes/server}/time.nix (100%) create mode 100644 common/fish.nix create mode 100644 common/user.nix create mode 100644 hosts/desktop/flamingo/hardware.nix create mode 100644 hosts/desktop/flamingo/system.nix create mode 100644 hosts/desktop/glacier/hardware.nix create mode 100644 hosts/desktop/glacier/system.nix rename hosts/{ => server}/abacus/acme.nix (100%) rename hosts/{ => server}/abacus/backup.nix (89%) rename hosts/{ => server}/abacus/fs.nix (100%) create mode 100644 hosts/server/abacus/hardware.nix rename hosts/{ => server}/abacus/microbin.nix (85%) rename hosts/{ => server}/abacus/miniflux.nix (87%) rename hosts/{ => server}/abacus/navidrome.nix (100%) rename hosts/{abacus/hardware.nix => server/abacus/networking.nix} (53%) rename hosts/{ => server}/abacus/nginx.nix (100%) rename hosts/{ => server}/abacus/static.nix 
(93%) rename hosts/{ => server}/abacus/syncthing.nix (100%) create mode 100644 hosts/server/abacus/system.nix rename hosts/{ => server}/abacus/vaultwarden.nix (93%) rename hosts/{ => server}/vessel/audiocomp.nix (100%) rename hosts/{ => server}/vessel/backup.nix (95%) rename hosts/{ => server}/vessel/blocky.nix (100%) rename hosts/{ => server}/vessel/fs.nix (100%) rename hosts/{ => server}/vessel/hardware.nix (93%) rename hosts/{ => server}/vessel/storage.nix (100%) rename hosts/{ => server}/vessel/syncthing.nix (100%) create mode 100644 hosts/server/vessel/system.nix diff --git a/classes/desktop/clipboard.nix b/classes/desktop/clipboard.nix new file mode 100644 index 0000000..cab0c1c --- /dev/null +++ b/classes/desktop/clipboard.nix @@ -0,0 +1,3 @@ +{pkgs, ...}: { + environment.systemPackages = [pkgs.wl-clipboard]; +} diff --git a/classes/desktop/flatpak.nix b/classes/desktop/flatpak.nix new file mode 100644 index 0000000..1ff0c53 --- /dev/null +++ b/classes/desktop/flatpak.nix @@ -0,0 +1,3 @@ +{ + services.flatpak.enable = true; +} diff --git a/classes/desktop/fonts.nix b/classes/desktop/fonts.nix new file mode 100644 index 0000000..48e47b6 --- /dev/null +++ b/classes/desktop/fonts.nix @@ -0,0 +1,27 @@ +{pkgs, ...}: { + fonts = { + enableDefaultPackages = true; + packages = [ + pkgs.noto-fonts + pkgs.noto-fonts-extra + pkgs.noto-fonts-cjk-sans + pkgs.noto-fonts-cjk-serif + pkgs.noto-fonts-monochrome-emoji + pkgs.noto-fonts-color-emoji + (pkgs.nerdfonts.override {fonts = ["FiraCode"];}) + ]; + + fontconfig = { + enable = true; + + defaultFonts = { + monospace = ["FiraCode Nerd Font"]; + sansSerif = ["Noto Sans"]; + serif = ["Noto Serif"]; + emoji = ["Noto Color Emoji" "Noto Emoji"]; + }; + }; + + fontDir.enable = true; + }; +} diff --git a/classes/desktop/fs.nix b/classes/desktop/fs.nix new file mode 100644 index 0000000..03989d2 --- /dev/null +++ b/classes/desktop/fs.nix 
@@ -0,0 +1,15 @@
+{
+ boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
+
+ fileSystems = {
+ "/" = {
+ fsType = "ext4";
+ device = "/dev/mapper/main";
+ options = ["noatime"];
+ };
+ "/boot" = {
+ label = "BOOT";
+ fsType = "vfat";
+ };
+ };
+}
diff --git a/classes/desktop/gamemode.nix b/classes/desktop/gamemode.nix
new file mode 100644
index 0000000..36e3c0d
--- /dev/null
+++ b/classes/desktop/gamemode.nix
@@ -0,0 +1,18 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ programs.gamemode = {
+ enable = true;
+ settings = {
+ general = {
+ renice = 10;
+ };
+ custom = {
+ start = "${lib.getExe pkgs.libnotify} 'GameMode started'";
+ end = "${lib.getExe pkgs.libnotify} 'GameMode stopped'";
+ };
+ };
+ };
+}
diff --git a/classes/desktop/hardware.nix b/classes/desktop/hardware.nix
new file mode 100644
index 0000000..476bbf1
--- /dev/null
+++ b/classes/desktop/hardware.nix
@@ -0,0 +1,20 @@
+{pkgs, ...}: {
+ hardware = {
+ bluetooth.enable = true;
+ xone.enable = true;
+ xpadneo.enable = true;
+ opentabletdriver.enable = true;
+ graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = [
+ pkgs.libvdpau-va-gl
+ pkgs.vaapiVdpau
+ ];
+ extraPackages32 = [
+ pkgs.pkgsi686Linux.libvdpau-va-gl
+ pkgs.pkgsi686Linux.vaapiVdpau
+ ];
+ };
+ };
+}
diff --git a/classes/desktop/location.nix b/classes/desktop/location.nix
new file mode 100644
index 0000000..285b45d
--- /dev/null
+++ b/classes/desktop/location.nix
@@ -0,0 +1,5 @@
+{
+ location.provider = "geoclue2";
+
+ services.automatic-timezoned.enable = true;
+}
diff --git a/classes/desktop/mullvad.nix b/classes/desktop/mullvad.nix
new file mode 100644
index 0000000..31d3c05
--- /dev/null
+++ b/classes/desktop/mullvad.nix
@@ -0,0 +1,6 @@
+{pkgs, ...}: {
+ services.mullvad-vpn = {
+ enable = true;
+ package = pkgs.mullvad-vpn;
+ };
+}
diff --git a/classes/desktop/neovide.nix b/classes/desktop/neovide.nix
new file mode 100644
index 0000000..6821dbf
--- /dev/null
+++ b/classes/desktop/neovide.nix
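Review bot: The `"/boot"` entry in classes/desktop/fs.nix mounts the unencrypted ESP with vfat's default permissions, so kernels, initrds and whatever the boot loader stores there stay world-readable even though the root filesystem sits behind LUKS. Add `options = ["fmask=0077" "dmask=0077"];` next to `fsType = "vfat";` so only root can read the partition. The `noatime` option on the root entry is unaffected by this.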
@@ -0,0 +1,5 @@
+{pkgs, ...}: let
+ package = pkgs.neovide;
+in {
+ environment.systemPackages = [package];
+}
diff --git a/classes/desktop/networking.nix b/classes/desktop/networking.nix
new file mode 100644
index 0000000..1844edb
--- /dev/null
+++ b/classes/desktop/networking.nix
@@ -0,0 +1,37 @@
+{
+ services.resolved.enable = true;
+
+ networking = {
+ networkmanager = {
+ enable = true;
+ dns = "systemd-resolved";
+ };
+ firewall = {
+ allowedTCPPorts = [
+ # Spotify track sync
+ 57621
+ # Steam Remote Play
+ 27036
+ # Source Dedicated Server SRCDS Rcon port
+ 27015
+ # Syncthing TCP based sync protocol traffic
+ 22000
+ ];
+ allowedUDPPorts = [
+ # Source Dedicated Server gameplay traffic
+ 27015
+ # Syncthing QUIC based sync protocol traffic
+ 22000
+ # Syncthing port for discovery broadcasts on IPv4 and multicasts on IPv6
+ 21027
+ ];
+ allowedUDPPortRanges = [
+ # Steam Remote Play
+ {
+ from = 27031;
+ to = 27036;
+ }
+ ];
+ };
+ };
+}
diff --git a/classes/desktop/pipewire.nix b/classes/desktop/pipewire.nix
new file mode 100644
index 0000000..f22fcef
--- /dev/null
+++ b/classes/desktop/pipewire.nix
@@ -0,0 +1,12 @@
+{
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+
+ services.pipewire = {
+ enable = true;
+ wireplumber.enable = true;
+ alsa.enable = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+}
diff --git a/classes/desktop/plasma.nix b/classes/desktop/plasma.nix
new file mode 100644
index 0000000..41f2ecf
--- /dev/null
+++ b/classes/desktop/plasma.nix
@@ -0,0 +1,25 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ services = {
+ desktopManager.plasma6.enable = true;
+ displayManager.sddm = {
+ enable = true;
+ wayland.enable = true;
+ };
+ };
+
+ environment.systemPackages = with pkgs.kdePackages; [sddm-kcm discover kate];
+
+ programs = {
+ kdeconnect.enable = true;
+ partition-manager.enable = true;
+ };
+
+ xdg.portal = {
+ xdgOpenUsePortal = true;
+ extraPortals = [pkgs.xdg-desktop-portal-gtk];
+ };
+}
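Review bot: `allowedTCPPorts` in classes/desktop/networking.nix opens 27015, commented as the SRCDS RCON port, on every interface of every desktop-class host; RCON is the remote administration channel of a game server, so this admits connections from whichever network the laptop happens to join rather than only from the LAN where the server is played. If the game server is run only occasionally, scope the port with `networking.firewall.interfaces.<iface>.allowedTCPPorts` or move the entry into the host that actually runs it, and treat the UDP 27015 gameplay entry the same way. The Syncthing and Steam entries are the usual LAN-sync ports and can stay as they are.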
diff --git a/classes/desktop/printing.nix b/classes/desktop/printing.nix
new file mode 100644
index 0000000..a7b3b55
--- /dev/null
+++ b/classes/desktop/printing.nix
@@ -0,0 +1,10 @@
+{
+ services = {
+ printing = {
+ enable = true;
+ webInterface = true;
+ cups-pdf.enable = true;
+ };
+ system-config-printer.enable = true;
+ };
+}
diff --git a/classes/desktop/syncthing.nix b/classes/desktop/syncthing.nix
new file mode 100644
index 0000000..0ec4025
--- /dev/null
+++ b/classes/desktop/syncthing.nix
@@ -0,0 +1,9 @@
+{
+ services.syncthing = {
+ enable = true;
+ overrideDevices = false;
+ overrideFolders = false;
+ };
+
+ systemd.user.services.syncthing.wantedBy = ["default.target"];
+}
diff --git a/classes/desktop/vm.nix b/classes/desktop/vm.nix
new file mode 100644
index 0000000..d923a08
--- /dev/null
+++ b/classes/desktop/vm.nix
@@ -0,0 +1,4 @@
+{
+ virtualisation.libvirtd.enable = true;
+ programs.virt-manager.enable = true;
+}
diff --git a/classes/desktop/wine.nix b/classes/desktop/wine.nix
new file mode 100644
index 0000000..632cc98
--- /dev/null
+++ b/classes/desktop/wine.nix
@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+ environment.systemPackages = [pkgs.wineWowPackages.stableFull];
+}
diff --git a/common/fs.nix b/classes/server/fs.nix
similarity index 85%
rename from common/fs.nix
rename to classes/server/fs.nix
index e08bddd..9c13b89 100644
--- a/common/fs.nix
+++ b/classes/server/fs.nix
@@ -1,6 +1,4 @@
 {
- boot.tmp.cleanOnBoot = true;
-
 fileSystems = {
 "/" = {
 fsType = "ext4";
diff --git a/common/time.nix b/classes/server/time.nix
similarity index 100%
rename from common/time.nix
rename to classes/server/time.nix
diff --git a/common/boot.nix b/common/boot.nix
index a77c2d5..403a4a4 100644
--- a/common/boot.nix
+++ b/common/boot.nix
@@ -11,5 +11,6 @@
 efiSysMountPoint = "/boot";
 };
 };
+ tmp.cleanOnBoot = true;
 };
 }
diff --git a/common/fish.nix b/common/fish.nix
new file mode 100644
index 0000000..fc9c0ae
--- /dev/null
+++ b/common/fish.nix
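Review bot: classes/desktop/syncthing.nix sets `services.syncthing.enable = true`, which enables the NixOS system-level Syncthing service, and at the same time enables the per-user unit through `systemd.user.services.syncthing.wantedBy = ["default.target"];`; if both instances start they will presumably contend for the same default listen and GUI ports, so this looks like one instance too many — confirm which is intended. If only the per-user instance is wanted, the `services.syncthing` block (including `overrideDevices`/`overrideFolders`, which configure the system instance) can likely go; if the system instance is wanted, the `wantedBy` line is the one to drop.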
@@ -0,0 +1,15 @@ +{pkgs, ...}: { + programs.fish.enable = true; + + users.defaultUserShell = pkgs.fish; + + nixpkgs.overlays = [ + (final: prev: { + fish = prev.fish.overrideAttrs (_: { + postInstall = '' + rm $out/share/applications/fish.desktop + ''; + }); + }) + ]; +} diff --git a/common/user.nix b/common/user.nix new file mode 100644 index 0000000..78511b7 --- /dev/null +++ b/common/user.nix @@ -0,0 +1,13 @@ +{lib, ...}: let + inherit (lib) types; +in { + options = { + users.mainUser = lib.mkOption { + type = types.passwdEntry types.str; + default = "lukas"; + description = '' + The main user. + ''; + }; + }; +} diff --git a/common/users.nix b/common/users.nix index ff79f5d..f62fbf8 100644 --- a/common/users.nix +++ b/common/users.nix @@ -1,5 +1,11 @@ -{config, ...}: { - age.secrets.user-lukas.file = ../secrets/user-lukas.age; +{ + config, + lib, + ... +}: let + inherit (config.users) mainUser; +in { + age.secrets = lib.mkSecrets {"user-${mainUser}" = {};}; users = { mutableUsers = false; @@ -9,10 +15,10 @@ hashedPassword = "!"; openssh.authorizedKeys.keys = builtins.attrValues (import ../pubkeys.nix).hosts; }; - lukas = { + ${mainUser} = { uid = 1000; isNormalUser = true; - hashedPasswordFile = config.age.secrets.user-lukas.path; + hashedPasswordFile = config.age.secrets."user-${mainUser}".path; openssh.authorizedKeys.keys = builtins.attrValues (import ../pubkeys.nix).users; extraGroups = ["wheel"]; }; diff --git a/flake.lock b/flake.lock index 392a5a0..864cdc1 100644 --- a/flake.lock +++ b/flake.lock @@ -48,11 +48,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { 
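Review bot: The `overrideAttrs (_: { postInstall = ''...''; })` in common/fish.nix replaces fish's `postInstall` wholesale instead of extending it, so anything the upstream derivation does in that phase is silently dropped by the overlay. Take the previous attributes and append to them: `fish = prev.fish.overrideAttrs (old: {` / `postInstall = (old.postInstall or "") + "rm $out/share/applications/fish.desktop";` / `});`. That keeps the desktop-file removal while preserving whatever upstream already runs there.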
@@ -63,11 +63,11 @@ }, "hardware": { "locked": { - "lastModified": 1729742320, - "narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=", + "lastModified": 1732483221, + "narHash": "sha256-kF6rDeCshoCgmQz+7uiuPdREVFuzhIorGOoPXMalL2U=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda", + "rev": "45348ad6fb8ac0e8415f6e5e96efe47dd7f39405", "type": "github" }, "original": { @@ -115,23 +115,23 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" } }, "nixpkgs_2": { "locked": { - "lastModified": 1729880355, - "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=", + "lastModified": 1732837521, + "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "18536bf04cd71abd345f9579158841376fdd0c5a", + "rev": "970e93b9f82e2a0f3675757eb0bfc73297cc6370", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 9bf3036..169f317 100644 --- a/flake.nix +++ b/flake.nix 
@@ -16,35 +16,17 @@ flake-parts.lib.mkFlake {inherit inputs;} { systems = ["x86_64-linux" "aarch64-linux"]; - flake = { - nixosConfigurations = let - lib = nixpkgs.lib.extend (import ./lib.nix); + flake = let + lib = nixpkgs.lib.extend (import ./lib.nix); + in { + inherit lib; - commonNixosSystem = name: - lib.nixosSystem { - specialArgs = { - inherit inputs lib; - attrName = name; - }; - - modules = - (lib.findModules [ - ./common - ./hosts/${name} - ]) - ++ [ - inputs.agenix.nixosModules.default - {networking.hostName = lib.mkDefault name;} - ]; - }; - - genHosts = lib.pipe (builtins.readDir ./hosts) [ - (lib.filterAttrs (_: type: type == "directory")) - builtins.attrNames - lib.genAttrs + nixosConfigurations = lib.genNixosConfigurations { + inherit inputs; + extraModules = [ + inputs.agenix.nixosModules.default ]; - in - genHosts commonNixosSystem; + }; }; perSystem = { diff --git a/hosts/desktop/flamingo/hardware.nix b/hosts/desktop/flamingo/hardware.nix new file mode 100644 index 0000000..3e77692 --- /dev/null +++ b/hosts/desktop/flamingo/hardware.nix @@ -0,0 +1,23 @@ +{ + inputs, + modulesPath, + ... +}: { + imports = [ + "${modulesPath}/installer/scan/not-detected.nix" + + inputs.hardware.nixosModules.lenovo-thinkpad-t480 + ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + + boot = { + initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"]; + kernelModules = ["kvm-intel"]; + }; + + powerManagement.cpuFreqGovernor = "powersave"; + + console.keyMap = "de"; + services.xserver.layout = "de"; +} diff --git a/hosts/desktop/flamingo/system.nix b/hosts/desktop/flamingo/system.nix new file mode 100644 index 0000000..a05de83 --- /dev/null +++ b/hosts/desktop/flamingo/system.nix @@ -0,0 +1,3 @@ +{ + system.stateVersion = "24.11"; +} diff --git a/hosts/desktop/glacier/hardware.nix b/hosts/desktop/glacier/hardware.nix new file mode 100644 index 0000000..b55c9fc --- /dev/null +++ b/hosts/desktop/glacier/hardware.nix 
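Review bot: `services.xserver.layout = "de";` at the end of hosts/desktop/flamingo/hardware.nix uses the option name that was superseded by `services.xserver.xkb.layout`; with the nixpkgs pinned by this patch's flake.lock the old name presumably still resolves through a rename alias, but it will emit an evaluation warning and is the form that eventually stops working. Change it to `services.xserver.xkb.layout = "de";` to match `console.keyMap = "de";` on the line above.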
@@ -0,0 +1,26 @@ +{ + inputs, + modulesPath, + ... +}: { + imports = [ + "${modulesPath}/installer/scan/not-detected.nix" + + inputs.hardware.nixosModules.common-cpu-amd + inputs.hardware.nixosModules.common-gpu-amd + inputs.hardware.nixosModules.common-pc-ssd + ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + + boot = { + initrd = { + availableKernelModules = ["nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"]; + kernelModules = ["amdgpu"]; + }; + kernelModules = ["kvm-amd"]; + binfmt.emulatedSystems = ["aarch64-linux"]; + }; + + powerManagement.cpuFreqGovernor = "performance"; +} diff --git a/hosts/desktop/glacier/system.nix b/hosts/desktop/glacier/system.nix new file mode 100644 index 0000000..a05de83 --- /dev/null +++ b/hosts/desktop/glacier/system.nix @@ -0,0 +1,3 @@ +{ + system.stateVersion = "24.11"; +} diff --git a/hosts/abacus/acme.nix b/hosts/server/abacus/acme.nix similarity index 100% rename from hosts/abacus/acme.nix rename to hosts/server/abacus/acme.nix diff --git a/hosts/abacus/backup.nix b/hosts/server/abacus/backup.nix similarity index 89% rename from hosts/abacus/backup.nix rename to hosts/server/abacus/backup.nix index d2b394b..9156ae9 100644 --- a/hosts/abacus/backup.nix +++ b/hosts/server/abacus/backup.nix @@ -1,9 +1,10 @@ { attrName, config, + lib, ... }: { - age.secrets."restic-${attrName}".file = ../../secrets/restic-${attrName}.age; + age.secrets = lib.mkSecrets {"restic-${attrName}" = {};}; services.restic.backups.${attrName} = { repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}"; diff --git a/hosts/abacus/fs.nix b/hosts/server/abacus/fs.nix similarity index 100% rename from hosts/abacus/fs.nix rename to hosts/server/abacus/fs.nix diff --git a/hosts/server/abacus/hardware.nix b/hosts/server/abacus/hardware.nix new file mode 100644 index 0000000..dd4182c --- /dev/null +++ b/hosts/server/abacus/hardware.nix 
@@ -0,0 +1,9 @@ +{modulesPath, ...}: { + imports = ["${modulesPath}/profiles/qemu-guest.nix"]; + + nixpkgs.hostPlatform = "aarch64-linux"; + + boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"]; + + powerManagement.cpuFreqGovernor = "performance"; +} diff --git a/hosts/abacus/microbin.nix b/hosts/server/abacus/microbin.nix similarity index 85% rename from hosts/abacus/microbin.nix rename to hosts/server/abacus/microbin.nix index 0e80fc0..b5cdc48 100644 --- a/hosts/abacus/microbin.nix +++ b/hosts/server/abacus/microbin.nix @@ -6,7 +6,7 @@ inherit (config.networking) domain; virtualHostName = "bin.${domain}"; in { - age.secrets.microbin.file = ../../secrets/microbin.age; + age.secrets = lib.mkSecrets {microbin = {};}; services.microbin = { enable = true; @@ -23,10 +23,10 @@ in { MICROBIN_ETERNAL_PASTA = true; MICROBIN_HIGHLIGHTSYNTAX = true; MICROBIN_PRIVATE = true; - MICROBIN_ENABLE_BURN_AFTER=true; + MICROBIN_ENABLE_BURN_AFTER = true; MICROBIN_QR = true; - MICROBIN_NO_FILE_UPLOAD=false; - MICROBIN_ENCRYPTION_CLIENT_SIDE=true; + MICROBIN_NO_FILE_UPLOAD = false; + MICROBIN_ENCRYPTION_CLIENT_SIDE = true; MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB = 1024; MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB = 4096; diff --git a/hosts/abacus/miniflux.nix b/hosts/server/abacus/miniflux.nix similarity index 87% rename from hosts/abacus/miniflux.nix rename to hosts/server/abacus/miniflux.nix index cf3058d..2e7788a 100644 --- a/hosts/abacus/miniflux.nix +++ b/hosts/server/abacus/miniflux.nix @@ -1,8 +1,12 @@ -{config, ...}: let +{ + config, + lib, + ... +}: let inherit (config.networking) domain; virtualHostName = "flux.${domain}"; in { - age.secrets.miniflux.file = ../../secrets/miniflux.age; + age.secrets = lib.mkSecrets {miniflux = {};}; services.miniflux = { enable = true; 
diff --git a/hosts/abacus/navidrome.nix b/hosts/server/abacus/navidrome.nix similarity index 100% rename from hosts/abacus/navidrome.nix rename to hosts/server/abacus/navidrome.nix diff --git a/hosts/abacus/hardware.nix b/hosts/server/abacus/networking.nix similarity index 53% rename from hosts/abacus/hardware.nix rename to hosts/server/abacus/networking.nix index c1c7c6b..a6f04a5 100644 --- a/hosts/abacus/hardware.nix +++ b/hosts/server/abacus/networking.nix @@ -1,14 +1,4 @@ -{modulesPath, ...}: { - imports = ["${modulesPath}/profiles/qemu-guest.nix"]; - - nixpkgs.hostPlatform = "aarch64-linux"; - - boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"]; - - system.stateVersion = "24.11"; - - powerManagement.cpuFreqGovernor = "performance"; - +{ networking = let interface = "enp1s0"; in { diff --git a/hosts/abacus/nginx.nix b/hosts/server/abacus/nginx.nix similarity index 100% rename from hosts/abacus/nginx.nix rename to hosts/server/abacus/nginx.nix diff --git a/hosts/abacus/static.nix b/hosts/server/abacus/static.nix similarity index 93% rename from hosts/abacus/static.nix rename to hosts/server/abacus/static.nix index 150a4fe..cd5ae05 100644 --- a/hosts/abacus/static.nix +++ b/hosts/server/abacus/static.nix @@ -22,7 +22,7 @@ in }; systemd.tmpfiles.settings."10-static-sites".${root}.d = { - user = "lukas"; + user = config.users.mainUser; group = "users"; mode = "0755"; }; diff --git a/hosts/abacus/syncthing.nix b/hosts/server/abacus/syncthing.nix similarity index 100% rename from hosts/abacus/syncthing.nix rename to hosts/server/abacus/syncthing.nix diff --git a/hosts/server/abacus/system.nix b/hosts/server/abacus/system.nix new file mode 100644 index 0000000..a05de83 --- /dev/null +++ b/hosts/server/abacus/system.nix @@ -0,0 +1,3 @@ +{ + system.stateVersion = "24.11"; +} 
diff --git a/hosts/abacus/vaultwarden.nix b/hosts/server/abacus/vaultwarden.nix similarity index 93% rename from hosts/abacus/vaultwarden.nix rename to hosts/server/abacus/vaultwarden.nix index e708fae..a58e7a1 100644 --- a/hosts/abacus/vaultwarden.nix +++ b/hosts/server/abacus/vaultwarden.nix @@ -7,7 +7,7 @@ virtualHostName = "vault.${domain}"; backupDir = "/srv/backup/vaultwarden"; in { - age.secrets.vaultwarden.file = ../../secrets/vaultwarden.age; + age.secrets = lib.mkSecrets {vaultwarden = {};}; services.vaultwarden = { enable = true; diff --git a/hosts/vessel/audiocomp.nix b/hosts/server/vessel/audiocomp.nix similarity index 100% rename from hosts/vessel/audiocomp.nix rename to hosts/server/vessel/audiocomp.nix diff --git a/hosts/vessel/backup.nix b/hosts/server/vessel/backup.nix similarity index 95% rename from hosts/vessel/backup.nix rename to hosts/server/vessel/backup.nix index 789065f..66e4156 100644 --- a/hosts/vessel/backup.nix +++ b/hosts/server/vessel/backup.nix @@ -40,7 +40,7 @@ in { } ) (lib.attrNames backups)); - age.secrets."restic-${attrName}".file = ../../secrets/restic-${attrName}.age; + age.secrets = lib.mkSecrets {"restic-${attrName}" = {};}; services.restic.backups.${attrName} = { repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}"; diff --git a/hosts/vessel/blocky.nix b/hosts/server/vessel/blocky.nix similarity index 100% rename from hosts/vessel/blocky.nix rename to hosts/server/vessel/blocky.nix diff --git a/hosts/vessel/fs.nix b/hosts/server/vessel/fs.nix similarity index 100% rename from hosts/vessel/fs.nix rename to hosts/server/vessel/fs.nix diff --git a/hosts/vessel/hardware.nix b/hosts/server/vessel/hardware.nix similarity index 93% rename from hosts/vessel/hardware.nix rename to hosts/server/vessel/hardware.nix index 628ff7e..82aab42 100644 --- a/hosts/vessel/hardware.nix +++ b/hosts/server/vessel/hardware.nix 
@@ -18,7 +18,5 @@
 kernelModules = ["kvm-intel"];
 };
- system.stateVersion = "24.11";
-
 powerManagement.cpuFreqGovernor = "powersave";
 }
diff --git a/hosts/vessel/storage.nix b/hosts/server/vessel/storage.nix
similarity index 100%
rename from hosts/vessel/storage.nix
rename to hosts/server/vessel/storage.nix
diff --git a/hosts/vessel/syncthing.nix b/hosts/server/vessel/syncthing.nix
similarity index 100%
rename from hosts/vessel/syncthing.nix
rename to hosts/server/vessel/syncthing.nix
diff --git a/hosts/server/vessel/system.nix b/hosts/server/vessel/system.nix
new file mode 100644
index 0000000..a05de83
--- /dev/null
+++ b/hosts/server/vessel/system.nix
@@ -0,0 +1,3 @@
+{
+ system.stateVersion = "24.11";
+}
diff --git a/lib.nix b/lib.nix
index cb44264..1280330 100644
--- a/lib.nix
+++ b/lib.nix
@@ -13,4 +13,63 @@ lib: _: {
 host,
 port,
 }: "${host}:${builtins.toString port}";
+
+ mkSecrets = secrets: let
+ mkSecret = {
+ name,
+ secret,
+ }:
+ secret
+ // {
+ file = ./secrets/${name}.age;
+ };
+ in
+ builtins.mapAttrs (name: secret: mkSecret {inherit name secret;}) secrets;
+
+ genNixosConfigurations = {
+ inputs,
+ extraModules,
+ }: let
+ commonDir = ./common;
+ classesDir = ./classes;
+ hostsDir = ./hosts;
+
+ commonNixosSystem = {
+ class,
+ name,
+ }:
+ lib.nixosSystem {
+ specialArgs = {
+ inherit inputs lib;
+ attrName = name;
+ };
+
+ modules =
+ (lib.findModules [
+ commonDir
+ ./classes/${class}
+ (classesDir + "/${class}")
+ (hostsDir + "/${class}/${name}")
+ ])
+ ++ [
+ {networking.hostName = lib.mkDefault name;}
+ ]
+ ++ extraModules;
+ };
+
+ dirsIn = dir:
+ lib.pipe (builtins.readDir dir) [
+ (lib.filterAttrs (_: type: type == "directory"))
+ builtins.attrNames
+ ];
+ in
+ lib.pipe (dirsIn hostsDir) [
+ (classes:
+ builtins.concatMap (
+ class: map (name: {inherit class name;}) (dirsIn (hostsDir + "/${class}"))
+ )
+ classes)
+ (map (obj: lib.nameValuePair obj.name (commonNixosSystem obj)))
+ builtins.listToAttrs
+ ];
 }
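Review bot: The `modules` list inside `commonNixosSystem` in lib.nix names the class directory twice — `./classes/${class}` and `(classesDir + "/${class}")` resolve to the same path — so `lib.findModules` scans it twice; whether that double-imports anything depends on findModules and on the module system's path-keyed deduplication, but the first entry is clearly a leftover from the rewrite. Drop the `./classes/${class}` line so the list is built from `commonDir`, `classesDir` and `hostsDir` consistently. `mkSecrets` sets only `file` per secret and leaves agenix's default owner and mode in place, which is what every caller in this patch relies on; a short comment on it such as `# Only file is set here; pass owner/mode in the per-secret attrset when a service user must read it` would make that contract visible. The enclosing `lib: _: {` attribute set starts above the hunk.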
diff --git a/pubkeys.nix b/pubkeys.nix
index 77a9d91..c0a572e 100644
--- a/pubkeys.nix
+++ b/pubkeys.nix
@@ -5,7 +5,9 @@
 };
 
 hosts = {
+ glacier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrKpoDV/ImivtTZVbSsQ59IbGYVvSsKls4av2Zc9Nk8";
 abacus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHoUgClpkOlBEffQOb9KkVn970RwnIhU0OiVr7P2WVzg";
 vessel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkYcOb1JPNLTJtob1TcuC08cH9P2APAhLR26RYd573d";
+ flamingo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInV+UpCZhoTwgkgnCzCPEu3TD5b5mu6tagRslljrFJ/";
 };
 }
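Review bot: The two keys added to `hosts` in pubkeys.nix do more than presumably serve as age recipients: common/users.nix earlier in this patch sets root's `openssh.authorizedKeys.keys` to `builtins.attrValues (import ../pubkeys.nix).hosts`, so after this change the glacier and flamingo host keys can log in as root on every machine built from this flake, servers included. A laptop's host key is a weaker credential than a server's, so if the desktop host keys are only needed for secret decryption, keep them out of the attribute that feeds root's authorized keys — for example a second attribute holding just the server keys that users.nix reads instead — or otherwise restrict root's list to the entries that really need it.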
diff --git a/secrets/microbin.age b/secrets/microbin.age index 644d7ea78ae034ca4bca67a48e58ae7fc60b1da9..6fcba364ceca690f4aabc2edbdc596744d40f936 100644 GIT binary patch delta 500 zcmVH*0D+Y&bP~F=$RyOHoZWWc+S2<8=ctS=_IYvQdOJg%(G)Gorcr|xU zV{%z)b4qV(Zb~ps3RrblPgrC_GH+6Hbwp)UWH@O{X=Q0jZ+dfaXKgTLIZRA!@o~Mu+m*OUzBH0^>_>y_ z&;u`;bYzivBXo(j)gamNGk2pnM{}2W?xiQ11^U@h)zsE>Yc qq1>7y@W_>aihKurVJ-WkbOw-&9p@%6KW~Wk0_e{1(F(1g8~PLn|G&xr delta 500 zcmVJd0}ZpNpNmyS$S47Xl+?{MnPF{HF8x{YYHts zAaiqQEoEdfH8n9gAX6)3cTrIwVNfLs?IAcyBgqIC)28Rat5_H&QSP zZ#HdKX>@I6S9LaQG4NN{TkEiEk|W^+?C zLwaE=XJ$=fNn=7dI9GN=dU| ssh-ed25519 SFHVrw 7IUsgabq/d+4prqwDCSwfrVvEEhp4nVYRvlYtBaReEY -OgSjIcOOnzIzRphDnpUOdisOxhfou9cQ2xPD7LxPkD8 --> ssh-ed25519 S+dwQQ XgeEXzPoIW/AbGN5Mj+Z9QV/xmjqybEVgQ0lpFov4GI -n4v/ulFqPZcCj9Z0V/rpXLgO9V1KEx5XkctB+UQX7gM --> ssh-ed25519 ffmsLw KE3L3CV3hBXZZ0Uup6ggdO0JNgQZNwRW1bgLQu59CQE -KkZK1aZ740LPYKblEINVwNrThrMKiI85xvu2Zj2wfzw ---- Hhtrr0g6S2TYjX6bIT0pmpRF6Gr/HazJXo6uuoeVh+M -)0QV [: ^Uj3C o{!S;s ssh-ed25519 SFHVrw 7n/cv5G7okGi5Hd+rkniHQCUgcCK0Yg9yuzpjrN05Ww +jb4Z4oP5CblZQFS+n3bBSRhvCc/5EPS6vLA9AT5jyo8 +-> ssh-ed25519 S+dwQQ HUSchkkcUVHzKeuu5WFHs8jUc0zILPmdFBl4LUX4M2w +uDzKbQU/4yaRB0nXyKEex8KH00RGjKW6BK18+J/yn8c +-> ssh-ed25519 ffmsLw K0foK6dte+zZqImHL4kLfCkhMHlKLEQEfbCxLQIbKxk +s+Rf6+Ro6tJkrAFzj1h/4yqHvbYfpxEgUMSt4nqmkUw +--- AJdGEnKHCGfNINBQ44TjyP93mA+Os6H6p/Q41PKGmuE +Ppgc֪%i@).qHjB㔗*Ws%Jc=OAcl{k_m2Voy?a@&oEVinH3~%VxD+loqgpNVyk>NNTKx&Kz zSNhDt!=1A56vjxr%Wg17H}R1eutz1jCC?|**z7W_Li f-<+8*Uq2mPUi`X0H6C9-`1*H!{ye(B_>BGoWrc00*9@XY~Bv#?g);&69Z1nuII4QduidFp0uUwE3m1 z=!$}jx|G16H|qLKe{h(xU7C67QqR*MLi hK6A?Bb@k17`T5uVj}Kp-9*!?hqVns__ZP>H{{cQ&h}i%D diff --git a/secrets/restic-vessel.age b/secrets/restic-vessel.age index eda8517..8646b01 100644 --- a/secrets/restic-vessel.age +++ b/secrets/restic-vessel.age 
@@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 SFHVrw GIDp7q94BIYpC3rBG75QUFO5kfeyD/6K4G6TfVwWJXg -BnVU8spAlE23pu6yV29I423tsJASxkLC6TGJ2aEAbnw --> ssh-ed25519 S+dwQQ d4iYbW/SrgO+SZQhULUHC6eBocihdzgwM6OKu6XJkmw -PaEV2ILDpXCrFPNxlxtW/ycKAb2rHJHLAx23pOtiEpo --> ssh-ed25519 Sm0lOA kzHXpk3nBINMjCJi3M/KzKFkLk2Dl2acrEMbdqg3d2s -q/9mc7sqXfP+UTz3teyzPW8zSHapFijFiH2TzghsSG0 ---- 41oc9HNIK12x4QPE3yy8uw247yyJZ59A/G1So2t61vc -_˲}l?I4n$p30lIXe -s5P \ No newline at end of file +-> ssh-ed25519 SFHVrw T90IpkfLUbCrEQEOvErDVp/uv36oCPfZ5QthIEz1uG4 +6ge0ldLTgXJOgBabC2VzElNYg/CpWssd+smNo3JTgBA +-> ssh-ed25519 S+dwQQ qJrUqmj66/eDDvYPbcohc+IA3YwhDDOyfCwxI4jLxUI +yDFBlLTSfJXzvvGhW2DbJVCIRYQDEL9WML1EaUAtXNI +-> ssh-ed25519 Sm0lOA cEd39ojIF4yab0JWV/poybmF4kH6ub9/tTXRXLS0ghU +rA5GqgeruK6Tscay6EnBdHmM5edR0kF4cg+iGPAZuTc +--- 0CvvxtMR1IyIhsNNdwAuh5SWqwEbCtIVPi/K0yeheLM +okj2dBѿgez.K@rw{SzjW \ No newline at end of file 
diff --git a/secrets/user-lukas.age b/secrets/user-lukas.age index 845ab0cf371ce503f114cd68bf0b1ec668da80a2..22f8fd97e97fb5cf4f061b3cc9127ea3bd842e8c 100644 GIT binary patch literal 868 zcmZY2ON-nD007`3)kB~tbXgCA2Bk=evw6>EkQLI+WRlrTW-@tA#zV;@lT4DyJJ}?I ztgx#Tw8e`;t)dqZEEIZb6+IP-uHvCyJbAJeK}A=}_Ex;F-yir)cix&uR@Nki7e^a$ z=EA!u(0UEb^F?cJV!pwxwbD$Y_AdR2EvEtFs3n_>|`))B&=)&f@}eJ(ahUCx+zt{ zbV2nd#Qd~foxw-n`_czJ4jnl!uFQ0y+ zfA#q1Q|~+T=^2ancXT>JaVH_skCqnv&6Yv$ViC;tINSS*PE delta 596 zcmZY5O>5I&003ZdDAJ4I`~bz#UDuVQP1CfXLYkya+B9oE)+|*SZL%iKnkH$|rh8R- zP{D&RJvawmRM3+ib`TK?^CC_VMDa9+D4Q^K9u#zXkm=o@@H`uPuk5)t-bYMRjZ|4l zngLkCqmntL8}Fvl0m{k|3(ht0s!q?OnJKJ6g(Q+FVz|@MyY(t&>I~cyEChn+2^k=k zF0d{PIR%I$D3l3BPlY|th|Xwn6pf|BVnhpgJ}j!dScgrbngK|GfP-?Dgh{#U*;w0? zdq!ZGb83fhO;~PBhMKYr=A?XU77`JuiBIB!Mo1W$FA1rj*n-L!;1t0?q?Vkx{_RM= zt#c`MHtra_Z~I~!>j9iWHCqC{n?lQhSf=akX4(SHh8+SZP%~9O>pQ49mCmV1HZQbd zHH?$9&1##D@K~OLm=2T4@c&6HxH*A`^&V#{gl(t>F+pRUM4?}bA(Y&dgo>5O;DlZ7 zcz{oO6_%b2LALAHwGv@eYI8KCvm=|{(&=iiQx zp1!dbz6`b(KWyF~`A)yMtu9U9^ZvXUlax<3yY_JZ@Vj}A9Q;@~eDn8!-hQ%gWpnwQ zF}(YWb@b}mrPYeEM>|cw%Sayz+W%of;gv^^7^Y S>x?_J{PS~i>+aC}&ac1CyWe2| 
diff --git a/secrets/vaultwarden.age b/secrets/vaultwarden.age index 7934c304abe1f90472d7fdda5221bb936941f9d1..e50d808fa712c4c1543dfa881e2728775806db2a 100644 GIT binary patch delta 705 zcmV;y0zUoq1@#4xEPr}qax`#vYi??7YFcnoZb(y4HC1_dYj<*OQh8Bmc3Lz-QaErn zR6#gYa|&oHHh6hZb80nkabr<>Mp-puHf2geFF9pdNN#yGLPIxpWG`<~FL7EnX9_Jo zAaiqQEoEdfH8n9gAX6)3cTrIwG*3@(LU2T3S2#j;XHRugWkzpDH)u{#NJMK=cyU&D zQf)y+GjMfBGfQl93Ti7_YDP77YBo)3H8Vm=dO>7vH)J+!L|AigRBcUdVtH0qH%>5B zb4OxHk?|LQdM`;ecxhyDLu_tXMq+VvWo>m@Z!lz5RWVpeF?cg&a#}JqSyn+-WLP)~ zH*I=!GE8M_aaCbwX;Nl6M`e01VM}v&c6d&0MlUvGYI!z7H8Dd}nPed|B3h*#>!!W1s7DU}1 zqqYvyaST2E{sOu3PYtlp``HDZww6v3bLy~}jLOGu2|`Zy{*5DyB8~$pjEzU+sF@=jBXykgnZE$wWT56)$&8Eg)!VC@h@cfCE?O8AQG&y7qq(n z{ff+gv9@0(c_aO2^=`}HmxS)OI1?wc{hDU61mn;sqy^3{=X!H7zDkX%__|bct8s|0 z+t*kW+1B{H1(WPwMjN0doW0H?u{K?>n|46ZY*bE4zB?3{S=9jBB_0PiW82?Ja}1Fi zsc=qoTBO}r!6Fu~4*@1GG1=5TDs=k(bco7unFb{*rOASgvCN;D#;p=q8&XH-{x@Ly zTVcXv-=05x(`k7RH21uhOsYXtdZy9F*|l$sS*|yXVoGxhDdd``0vm nf^z5)%Zl*ZS4@#UUeV7Y;{-#pqk8c{DIE3Pw*fFjaCgVO45vVoO13L`HKqPh@9RayT<;Zb@QHQ!+7CLMu#K zY;H4Ek?|LQYeQpgMnW}7G*VG)G)8A?RV!CEO-y80HDqo@dQ@&|NN-hnQC3t?R#j07 zLsE8jY&2?ZL~BfXZg)0yFJoepIc*jmoz;E(hPmH`k}? z%+BY3!%^5Z)gcY5DJ|+X9SCC9~jld2~2nGh} z8u$u^*OnuKP?=uTXWj636kGsfgrfwA4^@D}E5b1Hu}QF!iWDa%V=SD1W@iARDr4!G ztn;M z#0$9T;9?+m-aEfFlQ-a{)|Nd)E2ec<)6diIRXh nqTthHyQN%<{x+H>>KEbndxy3;C`rslm#ZeNi!|a%O<{!YaBe5l