meow

2025-11-26 11:11:49 +01:00 · 2025-11-26 11:11:49 +01:00 · d74a131529
commit d74a131529
parent 0eb6953b0d
14 changed files with 259 additions and 67 deletions
--- a/flake.lock
+++ b/flake.lock
@ -993,11 +993,11 @@
        "zen-browser": "zen-browser"
      },
      "locked": {
-        "lastModified": 1763388752,
-        "narHash": "sha256-wbxKwJ+kkixY93ZEQwRuMOxrmul+zWk5Gypl7blCj6U=",
+        "lastModified": 1763986668,
+        "narHash": "sha256-R6R8FHo22CYNUI6vBnwtePdkViJK+nl5SXFdCdSTXtI=",
        "owner": "thexyno",
        "repo": "nixos-config",
-        "rev": "62a64a79a8608712f1b2e07b902318679b022379",
+        "rev": "cea4be6b9e0d951189cf3ebee7e354223c09150f",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -205,7 +205,7 @@
              pkgs.colmena
            ]
            ++ (lib.attrValues self.packages.${system});
-            SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = lib.xyno.getDirs ./instances; });
+            SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = self.colmenaHive.nodes; });

          };

--- a/instances/nemesis/configuration.nix
+++ b/instances/nemesis/configuration.nix
@ -21,6 +21,7 @@

  containers.ds9 = {
    autoStart = true;
+    timeoutStartSec = "10000000min";
    privateNetwork = true;
    enableTun = true;
    additionalCapabilities = [
@ -33,28 +34,40 @@
    ];
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
+    # hostAddress6 = "fc00::1";
+    # localAddress6 = "fc00::2";

    path = inputs.oldConf.nixosConfigurations.ds9.config.system.build.toplevel;
-    
+
    bindMounts = {
      "/data" = {
        hostPath = "/data";
        isReadOnly = false;
      };
-      "/backup" = {
-        hostPath = "/backup";
+      "/backups" = {
+        hostPath = "/backups";
        isReadOnly = false;
      };
      "/persistent" = {
        hostPath = "/oldds9/persistent";
        isReadOnly = false;
      };
+      "/var/lib/containers" = {
+        hostPath = "/oldds9/persistent/var/lib/containers";
+        isReadOnly = false;
+      };
    };
  };
  networking.nat.enable = true;
+  networking.nat.enableIPv6 = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "enp1s0f1"; # TODO: changeme

+  services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router.rule =
+    lib.mkForce "HostRegexp(`^.+\.hailsatan\.eu$`)";
+  # services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router.tls.options = "old";
+  services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router-robotstxt.rule =
+    lib.mkForce "HostRegexp(`^.+\.hailsatan\.eu$`) && Path(`/robots.txt`)";
  xyno.services.traefik = {
    enable = true;
    simpleProxy.oldds9 = {
@ -63,8 +76,27 @@
    };
  };

+  users.users.root.password = "hunter2";
+
+  systemd.services."dyndns-refresh" = {
+    script = ''
+      set -eu
+      export PATH=$PATH:${pkgs.curl}/bin:${pkgs.jq}/bin:${pkgs.iproute2}/bin
+      ${pkgs.bash}/bin/bash ${config.sops.secrets.dyndns.path}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+    startAt = "*:0/10";
+  };
+  sops.secrets.dyndns = {
+    sopsFile = ./secrets/dyndns.yaml;
+  };
+
  xyno.presets.cli.enable = true;
  xyno.presets.server.enable = true;
+  xyno.impermanence.enable = true;
  # xyno.services.wireguard.enable = true;
  # xyno.services.caddy.enable = true;
  # xyno.services.monitoring.enable = true;
@ -74,6 +106,16 @@
  xyno.networking.networkd = {
    enable = true;
  };
+  networking.useDHCP = lib.mkForce false;
+  networking.interfaces."enp1s0f1" = {
+    useDHCP = true;
+    tempAddress = "enabled";
+  };
+  systemd.network.networks."40-enp1s0f1" = {
+    networkConfig = {
+      IPv6AcceptRA = true;
+    };
+  };

  system.stateVersion = "25.11";
 }
--- a/instances/nemesis/default.nix
+++ b/instances/nemesis/default.nix
@ -6,6 +6,6 @@
  };
  # xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
  deployment = {
-    targetHost = "nemesis.xyno.systems";
+    targetHost = "10.0.0.2";
  };
 }
--- a/instances/nemesis/hardware-configuration.nix
+++ b/instances/nemesis/hardware-configuration.nix
@ -98,7 +98,7 @@
    fsType = "zfs";
    neededForBoot = true;
  };
-  fileSystems."/var/log" = {
+  fileSystems."/var/log" = lib.mkForce {
    device = "spool/nemesis/varlog";
    fsType = "zfs";
    neededForBoot = true;
@ -130,6 +130,11 @@
    fsType = "zfs";
    neededForBoot = true;
  };
+  fileSystems."/oldds9/persistent/var/lib/containers" = {
+    device = "spool/safe/containers";
+    fsType = "zfs";
+    neededForBoot = true;
+  };
  fileSystems."/oldds9/varlog" = {
    device = "spool/local/journal";
    fsType = "zfs";
--- a/instances/nemesis/secrets/dyndns.yaml
+++ b/instances/nemesis/secrets/dyndns.yaml
@ -0,0 +1,38 @@
+dyndns: ENC[AES256_GCM,data:yDDTTBimaFcd/MG+eSbYmOHq/Ij0fAoz0zDY+C4bv7ZNn1yAA6C8DE3fXnvAvWhatLLSbRGDxHRRm7JuAHOfGGisN9cXwL+fkB7rZMVZemaL2wrOAQxyzHDEeZnZHRwsVGYhAmTsbUCVLi4CyzjRHGbCLZtZ8b+DzT0644uTi9IQovcLrWun62KMt7yjFS+Wb85XItMrIk4gJRCOhllrAXKY/z0idgv8GCNRDsDsmKL8arfcWzo2+bU/Uqhqt1Md6++jySPNPxwwcORYUudqQM63N0g47jSnmbXJ11XRRq6ZBQJaHhx25YOj2WiDH1382Kn71hnnObWS8HcXI3pwAg51mQ7Wlu+Mlt/3iZjOS1ble4IrQGItLVQUqWjyKSLvTbPfe6P/AuQ9VFGLZ7VGhVUAuyum727bx7jg1oQmqETrkL9BwaW/2FsBCVfKobgBOM6s/XMO07dOrzkO14BxOgM7zcILkz0J3IClXDOnK+Qtqe9d0E4JiSItk1hlL+PI256dGt3J2oHHAZTNOhCn1f3/t1nwkDaPM379LhVHVGhGNFtPkwp1itAQPe/zY6apHCOrcd4sti7QjVssW+ekWjMGqIC0D41aw5oRUhE0pGSwVzVTwrxqc/IiLag8UxjFpBEWO9826I5qD3LQhH+sAfsrcBp9SeRrrt5icNbqLhKDxeB2,iv:Bj9aQZ8X1j5tV+iRPwFQ9NvNaxtlaRn6u60qqzHmWmw=,tag:gDKAPd8FEomSwyiT3yy2iw==,type:str]
+sops:
+    lastmodified: "2025-11-24T15:13:32Z"
+    mac: ENC[AES256_GCM,data:f+3n2Xc7jU+qW+vHk98BTgwLwVHTXzWHMjLwNr3Y3Pp8VIQf8d8iF8QwhDFPWN1uqsxsb/XD48CXbd5AwxuVcgcSM7FIHkjfIn0pHRk0jTAkXTxjWIwg9pqnGAZ5B/fA8XAvcyPpE299gMYzU2soAL11DZtrEVVXJWN2sD5IlL8=,iv:Uykx2R6xO/KW1XP0Nm8GyaoepmdU96AfGQQhLz6BlNQ=,tag:bqe0gZF6WhQg55NhWyNC5A==,type:str]
+    pgp:
+        - created_at: "2025-11-24T13:05:23Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hL4DAAAAAAAAAAASBAMEDMeIdplYrk7VppUFRCTcB7Pv+xnVKSLhhSoN6kqbHXqA
+            YYv8o4AbT9bf1+L9wywA+Eg55tj8aocse/tdRQWTymy4+8grb/sm0oZQT22T51JP
+            mWxhWIX+sliCqHnS/W2tuVLyDzAiJ/Tg19kOc576OH1z6f2HMIM7yvADoKupfqIw
+            rbwo0G8CdZCW1hzutCnC2mD4Op2BxK1b26oZdNA06y+BMHHefyDTl/wXwiNQKWiq
+            0l4BoaYNx2ma5ZTSBk7YNeIXikwM3XtZnUZU+V17EgClNbxhmTRc0h7fmeprjYcW
+            zETvhSIm+JFTR0mdQsrDvTs7kt+PnaYptoM0CHaYCHTq48pyYKL3Gm0NtCAHuFc3
+            =UlnU
+            -----END PGP MESSAGE-----
+          fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
+        - created_at: "2025-11-24T15:13:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQv/SQPw9p1r4Sg9zYTyX1n3n6xJzhr+hEGLwwGhcmJh8mup
+            D9n+aaZU4WK2Huha8Jd1bNqNo3J9UpqQMIaexfd64HoVdDHCxBzfThiMvgwpQ30a
+            kTQqC0DGkLaFM5W8IVOremwjhLzrTBesu8ny8CasQYJ0tZ+QFU51OvxD4q0r9OLT
+            BcCGqDsKZ3HDr7OIi4FsqdZRfxinJ+zteK93uxA+fB8Hkxok2g7Z2A5Nv2cOo54X
+            NJxwsCN4l2Hs8MaVMTC+KGASn87m+Q1xwcVD7ujPmGGjMYb84j2sBn0DP3mNQh7y
+            89jz6HPbq9goF++Sp172bwswmJwZLVCWkgvzQo+szfCqGnq6LTlG9JaVswkkSz7N
+            z9kvF6L2dg7N2XlkLLP9UnxMkNxUrA615LvSn/z9AA7Dp6ay7TCsOeSWrz5m7+PF
+            VVfTp4PN3y7hsZXvWWk1eqsOaThI5GY7N7W6aQlNmvhibjw7FJEF4Iv4FBJsOD23
+            vYv+38yn377hnimtzoVt0lgBFtO8QhedShEvVjROUNjjEE2WB2jpP5/wZVIsrefs
+            tl87MAyLedE/Zs5MByubb0buC2jifQnkxsA1QSvbZB2/NTi/SLSPeCMdFrVkYdcG
+            hP8cp1HkI81F
+            =iDKg
+            -----END PGP MESSAGE-----
+          fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
--- a/instances/picard/configuration.nix
+++ b/instances/picard/configuration.nix
@ -20,7 +20,7 @@
  xyno.presets.server.enable = true;
  xyno.presets.cli.enable = true;
  xyno.services.wireguard.enable = true;
-  xyno.services.caddy.enable = true;
+  # xyno.services.caddy.enable = true;
  xyno.services.monitoring.enable = true;
  xyno.presets.home-manager.enable = true;
  xyno.system.user.enable = true;
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@ -0,0 +1,88 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf mkOption;
+  inherit (lib.types) str nullOr pathWith;
+  absPath = pathWith {
+    inStore = false;
+    absolute = true;
+  };
+  cfg = config.xyno.services.kanidm;
+in
+{
+  options.xyno.services.kanidm.enable = mkEnableOption "enables kanidm";
+  options.xyno.services.kanidm.domain = mkOption {
+    default = "idm.xyno.systems";
+    type = str;
+  };
+  options.xyno.services.kanidm.isReplica = mkEnableOption "replica";
+  options.xyno.services.kanidm.setupTraefik = mkEnableOption "traefik";
+
+  options.xyno.services.kanidm.tls = {
+    keyPem = mkOption {
+      type = nullOr absPath;
+      default = null;
+      description = "autogenerated if unset";
+    };
+    certPem = mkOption {
+      default = "/run/generated/kanidm-tls/cert.pem";
+      type = absPath;
+    };
+  };
+  config = mkIf cfg.enable {
+    services.kanidm = {
+      enableServer = true;
+      enableClient = true;
+      adminPasswordFile = config.sops.secrets."kanidm.password".path;
+      provision = {
+        adminPasswordFile = config.sops.secrets."kanidm.password".path;
+      };
+      serverSettings = {
+        tls_key = if cfg.tls.keyPem != null then cfg.tls.keyPem else "/run/generated/key.pem";
+        tls_chain = cfg.tls.certPem;
+        bindaddress = "127.0.0.3:8443";
+      };
+    };
+    xyno.services.traefik.simpleProxy = mkIf cfg.setupTraefik {
+      host = cfg.domain;
+      internal = "https://127.0.0.3:8443";
+      transport = "kanidm-https";
+    };
+    services.traefik.dynamicConfigOptions.http = mkIf cfg.setupTraefik {
+      serversTransports."kanidm-https" = {
+        serverName = cfg.domain;
+        certificates = [
+          cfg.certPem
+        ];
+      };
+    };
+
+    systemd.services.generate-kanidm-tls = mkIf (cfg.tls.keyPem == null) {
+      serviceConfig = {
+        User = "root";
+        Group = "kanidm";
+      };
+      wantedBy = [
+        "kanidm.service"
+        "traefik.service"
+      ];
+      script = ''
+        mkdir -p /run/generated/kanidm-tls
+        ${pkgs.openssl}/bin/openssl req -x509 -newkey ed25519 -noenc -subj "/CN=generated.${cfg.domain}" -addext "subjectAltName=DNS:${cfg.domain}" -keyout /run/generated/key.pem -out /run/generated/cert.pem
+      '';
+    };
+    sops.secrets."kanidm.password" = {
+      sopsFile = ../../instances/${config.networking.hostName}/secrets/kanidm.yaml;
+    };
+    # sops.templates."kanidm.env".content = ''
+    #   DESEC_TOKEN=${config.sops.placeholder.desec_token}
+    #   DESEC_PROPAGATION_TIMEOUT=1200
+    # '';
+    # sops.templates."kanidm.env".reloadUnits = [ "kanidm.service" ];
+
+  };
+}
--- a/modules/services/monitoring.nix
+++ b/modules/services/monitoring.nix
@ -9,21 +9,21 @@ with lib;
 let
  cfg = config.xyno.services.monitoring;

-  firstInstanceWithPromServer =
-    if cfg.prometheusServer then
-      config.networking.hostName
-    else
-      (builtins.head (
-        attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes))
-      )).config.networking.hostName;
-  vmBasicAuthUsername = "xyno-monitoring";
+  # firstInstanceWithPromServer =
+  #   if cfg.prometheusServer then
+  #     config.networking.hostName
+  #   else
+  #     (builtins.head (
+  #       attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes))
+  #     )).config.networking.hostName;
+  # vmBasicAuthUsername = "xyno-monitoring";
 in
 {
  options.xyno.services.monitoring.enable =
    mkEnableOption "enables monitoring (prometheus exporters and stuff)";
  options.xyno.services.monitoring.remoteWriteUrl = mkOption {
    type = types.str;
-    default = "http://${firstInstanceWithPromServer}.${config.xyno.services.wireguard.monHostsDomain}:8428/api/v1/write";
+    default = "https://metrics.xyno.systems/api/v1/write";
    description = "where prometheus metrics should be pushed to";
  };
  options.xyno.services.monitoring.prometheusServer = mkOption {
@ -48,8 +48,9 @@ in
        enabledCollectors = [ "systemd" ];
      };
      xyno.services.monitoring.exporters.node = config.services.prometheus.exporters.node.port;
+      # TODO: oauth2 with client per host -> kanidm -> oauth2-proxy -> victoriametrics server
      services.vmagent = {
-        remoteWrite.url = cfg.remoteWriteUrl;
+        remoteWrite.url = if cfg.prometheusServer then "http://localhost:8428/api/v1/write" else cfg.remoteWriteUrl;
        remoteWrite.basicAuthUsername = vmBasicAuthUsername;
        remoteWrite.basicAuthPasswordFile = config.sops.secrets."victoriametrics/basicAuthPassword".path;

--- a/modules/services/traefik.nix
+++ b/modules/services/traefik.nix
@ -19,6 +19,7 @@ let
      routers."${router}-robotstxt" = {
        service = "robotstxt";
        rule = "Host(`${v.host}`) && Path(`/robots.txt`)";
+        tls.certResolver = "letsencrypt";
        tls.domains = [
          {
            main = certDomain;
@ -30,6 +31,7 @@ let
      routers.${router} = {
        inherit service;
        rule = "Host(`${v.host}`)";
+        tls.certResolver = "letsencrypt";
        tls.domains = [
          {
            main = certDomain;
@ -41,10 +43,11 @@ let
        loadBalancer.servers = [
          { url = v.internal; }
        ];
+        loadBalancer.serverTransport = lib.mkIf (v.transport != null) v.transport;
      };
      services.robotstxt = {
        loadBalancer.servers = [
-          { url = "http://127.0.0.2"; }
+          { url = "http://127.0.0.2:8080"; }
        ];
      };
    }
@ -77,6 +80,10 @@ in
          host = lib.mkOption {
            type = lib.types.str;
          };
+          transport = lib.mkOption {
+            type = lib.types.nullOr lib.types.anything;
+            default = null;
+          };

        };
      }
@ -86,12 +93,19 @@ in
  config = lib.mkIf cfg.enable {
    services.nginx = {
      enable = lib.mkIf cfg.noBots true;
-      defaultListenAddresses = lib.mkIf cfg.noBots [ "127.0.0.2" ];
-      virtualHosts.localhost.locations."/".root = pkgs.writeTextFile {
+      defaultListen = lib.mkIf cfg.noBots [
+        {
+          addr = "127.0.0.2";
+          port = 8080;
+        }
+      ];
+      virtualHosts._.default =  true;
+      virtualHosts._.locations."/".root = pkgs.writeTextFile {
        name = "robots.txt";
+        destination = "/robots.txt";
        text = ''
-          User-Agent: *
-          Disallow /
+          User-agent: *
+          Disallow: /
        '';
      };
    };
@ -104,7 +118,7 @@ in
        metrics = lib.mkIf config.xyno.services.monitoring.enable {
          otlp.http.endpoint = "http://localhost:8429/v1/metrics";
        };
-        entryponts.web = {
+        entryponits.web = {
          address = ":80";
          redirections.entryPoint = {
            to = "websecure";
@ -112,9 +126,9 @@ in
            permanent = true;
          };
        };
-        entryponts.websecure = {
+        entrypoints.websecure = {
          address = ":443";
-          tls.certResolver = "letsencrypt";
+          http.tls.certResolver = "letsencrypt";
          http3 = { };

        };
@ -123,39 +137,40 @@ in
          email = "ssl@xyno.systems";
          caServer = "https://acme-v02.api.letsencrypt.org/directory";
          dnsChallenge = {
+            resolvers = [ "8.8.8.8" "1.1.1.1" ];
            provider = "desec";
          };
        };
      };
      dynamicConfigOptions = {
        http = lib.mkMerge simpleProxyOpts;
-        tls.options.default = {
-          # mozilla modern
-          minVersion = "VersionTLS13";
-          curvePreferences = [
-            "X25519"
-            "CurveP256"
-            "CurveP384"
-          ];
-        };
-        tls.options.old = {
-          # mozilla intermediate
-          minVersion = "VersionTLS12";
-          curvePreferences = [
-            "X25519"
-            "CurveP256"
-            "CurveP384"
-          ];
-          cipherSuites = [
-            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
-            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
-            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
-            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
-          ];
+        # tls.options.default = {
+        #   # mozilla modern
+        #   minVersion = "VersionTLS13";
+        #   curvePreferences = [
+        #     "X25519"
+        #     "CurveP256"
+        #     "CurveP384"
+        #   ];
+        # };
+        # tls.options.old = {
+        #   # mozilla intermediate
+        #   minVersion = "VersionTLS12";
+        #   curvePreferences = [
+        #     "X25519"
+        #     "CurveP256"
+        #     "CurveP384"
+        #   ];
+        #   cipherSuites = [
+        #     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        #     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+        #     "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+        #     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+        #     "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+        #     "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+        #   ];

-        };
+        # };
      };
    };
    networking.firewall.allowedTCPPorts = [
@ -169,6 +184,7 @@ in
    sops.templates."traefik.env".content = ''
      DESEC_TOKEN=${config.sops.placeholder.desec_token}
      DESEC_PROPAGATION_TIMEOUT=1200
+      LEGO_DISABLE_CNAME_SUPPORT=true
    '';
    sops.templates."traefik.env".reloadUnits = [ "traefik.service" ];
    # services.borgmatic.settings.traefikql_databases = [
--- a/modules/system/impermanence.nix
+++ b/modules/system/impermanence.nix
@ -21,24 +21,25 @@ in
 {
  options.xyno.impermanence = {
    enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)";
-    files = lib.mkOption { type = lib.types.listOf lib.types.str; };
-    directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+    files = lib.mkOption { type = lib.types.listOf lib.types.str; default = []; };
+    directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];};
    user = {
-      files = lib.mkOption { type = lib.types.listOf lib.types.str; };
-      directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];};
+      directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];};
    };
    # have a seperate impermanence tree for "cache" files that can just be deleted if wanted
    cache = {
-      files = lib.mkOption { type = lib.types.listOf lib.types.str; };
-      directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];};
+      directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];};
      user = {
-        files = lib.mkOption { type = lib.types.listOf lib.types.str; };
-        directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+        files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];};
+        directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];};
      };

    };
  };
  config = lib.mkIf cfg.enable {
+    users.mutableUsers = false;
    xyno.impermanence.files = [
      "/etc/machine-id" # systemd/zfs unhappy otherwise
    ];
@ -47,6 +48,7 @@ in
      "/var/lib/systemd/coredump"
      "/etc/ssh" # host keys
      "/var/lib/sbctl" # lanzaboote
+      "/var/lib/nixos"

    ];
    xyno.impermanence.user.directories = [
--- a/modules/system/meta.nix
+++ b/modules/system/meta.nix
@ -1,6 +1,6 @@
 {lib,...}: with lib;{
  options.xyno.meta = {
-    sopsKey = mkOption { type = types.text; };
+    sopsKey = mkOption { type = types.str; };
  };
  config = {
    sops.defaultSopsFile = ../../secrets/common.yaml;
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@ -5,14 +5,14 @@ wg:
    psk: ENC[AES256_GCM,data:Anpe6IxtzsqZyvas+ddV3yjJozdZgZOl2KG/Z4YtWUB5gAVLtxsQKc/WA/M=,iv:j/A5k2VXbdqUDXEd1WRfJYdb3DsUZ1B9gPHCpDpRjmw=,tag:KQGi1O5iP2+nQccgBzytSQ==,type:str]
 msmtp:
    host: ENC[AES256_GCM,data:YxiLT5t2H52IZvB02Pjntvg=,iv:nuMPI6fuvQ4U0+xj3SF27ZO/b2knKUsO6jCf9aJqQa4=,tag:9DucIq+LUozuPLL3s8UjDQ==,type:str]
-    port: ENC[AES256_GCM,data:zbe7,iv:cwoK0oCIzwmQ6xHFX94KDfd7Fu+pC96c9+AnK/KpQp4=,tag:IfsCHk0SpBeQ4bD0WXyQcw==,type:int]
+    port: ENC[AES256_GCM,data:W7L1,iv:q2TQTGTxOWCWqgjTBmVKarVbe+mNd/rwAupXJOl4WYQ=,tag:xW/GUGCIfn466icpIvyvCQ==,type:str]
    from: ENC[AES256_GCM,data:QpUgsghc7e5OFJO8afzx6bt1,iv:ffrlbqFu2p5/uwv5MN9rf7iZSmfozYSwr3WkEvXNZhA=,tag:B3g+6WexBw6j6EgukX5LDg==,type:str]
    user: ENC[AES256_GCM,data:H2OxJp6q1QCxBxIXThXrj+SU,iv:Cu7KFDaiqM0cuofnqkLnE6Zb6ufLw6wQRSk1pthDAAo=,tag:oM1VefUo9kK8k7lHKnxOjA==,type:str]
    password: ENC[AES256_GCM,data:mAgsvDPzt8f/RB/2T8nrd+KUcuxUGIdCBDs5sFla5x0=,iv:qndiiKTuSpbf/gtNXPaZ6AnHHwzZ7IPJrDFriM7bKwE=,tag:5j+gjpaxIu03x1lBkRMLhQ==,type:str]
    aliases: ENC[AES256_GCM,data:fOZRYZ8rVs3IXhiS+VaP54gF4bir66oIZvb7ZfKV,iv:bsmh1ZCwERZuHrvORP68hj5Gz7j3+K6ZW8BR3/IQVQg=,tag:jWozmXpjk3JHCINSgP4KGg==,type:str]
 sops:
-    lastmodified: "2025-11-19T16:17:02Z"
-    mac: ENC[AES256_GCM,data:dt2iRLTxfPWpYlxsZnOQgtUAvU/MWoXp6eLOJgP/uWLe5ooeU5K868I7PQNVGEnqkJGZTiiENpY7mkmt0niKn2nw7nD5KzRPMvFZ0/JXrLkzCScBfJDlbcuTtKFVqlDkPpz7kgF+fQy1cg5KiDyc9bsJAi/9qHhQHF3wFbeG5rI=,iv:E6YtLKZdnqgVZKx/goxdvn41p+hfMpkSbc7FJ/3yXQA=,tag:6iW9vkEsEuXOhptGdDwpdw==,type:str]
+    lastmodified: "2025-11-24T11:48:22Z"
+    mac: ENC[AES256_GCM,data:wA4AwEX67amH4UneZqV03PnaLUscUnj4VAmOqzjOTA9dKAV3KzFwD4NqRs2Dy8ap6kOOIS67gZ+3WV8QySyLT84zhEPSjB6M1FURV+LQjd4nc5EBP4Y67osy/QGB4U0d6shHt1sTFmHG2dJvTB7sPDSlRvgDhHE/ApcWuNFUfTY=,iv:Umacpqk+Zge9a9tlSsfjz1mcQvtequK8K4qLVJu8PCg=,tag:H09qfzM/xyn7TLkPCgtS6Q==,type:str]
    pgp:
        - created_at: "2025-09-06T16:37:33Z"
          enc: |-
--- a/sops.nix
+++ b/sops.nix
@ -12,7 +12,7 @@ let
    "0D98D5964AC8BB1CA034CE4EC456133700066642" # xyno main gpg key
  ];
  keysPerHost = (
-    mapAttrs (n: v: (toList v.sopsKey)) (filterAttrs (n: v: v ? sopsKey) instanceConfigs)
+    mapAttrs (n: v: (toList v.config.xyno.meta.sopsKey)) (filterAttrs (n: v: v.config.xyno.meta.sopsKey != null) instanceConfigs)
  );
  desktopHostNames = [ "theseus" ];