authentik yay

instances/ds9/configuration.nix

@@ -15,7 +15,10 @@
   ];
   time.timeZone = "Europe/Berlin";
 
+  networking.hostId = "7b4c2932";
+  
   xyno.presets.cli.enable = true;
+  xyno.presets.server.enable = true;
   xyno.services.wireguard.enable = true;
   xyno.services.caddy.enable = true;
   xyno.services.monitoring.enable = true;
@@ -26,5 +29,6 @@
     enable = true;
   };
 
+
   system.stateVersion = "24.11";
 }

instances/ds9/default.nix

@@ -1,11 +1,12 @@
 {
+  sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7";
   modules = [ ./configuration.nix ];
   hostName = "ds9";
   publicHostname = "ds9.hailsatan.eu";
   prometheusServer = true;
   wg = {
     pubKey = "";
-    server = true;
-    v4 = "10.13.12.1";
+    # server = true;
+    # v4 = "10.13.12.1";
   };
 }

instances/ds9/hardware-configuration.nix

@@ -6,6 +6,14 @@
 {
   imports = [ "${modulesPath}/installer/scan/not-detected.nix" ];
 
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+
+
   boot.initrd.availableKernelModules = [ "r8169" "ahci" "vfio-pci" "xhci_pci" "ehci_pci" "nvme" "usbhid" "sd_mod" "sr_mod" ];
   boot.kernelModules = [ "kvm-amd" ];
   nix.settings.max-jobs = lib.mkDefault 12;

instances/ds9/secrets/authentik.yaml

@@ -0,0 +1,57 @@
+authentik:
+    env: ENC[AES256_GCM,data:lHo29WanGT+AqxfIPFACXfklsYRZss/iZwsZmjbhXu9Od9GnUozzh9P2P0h+AeMIw6CCreJyohIe53ju+nlFGkyRsQ0BJ6K8fRiIglDuFF2vLK6ATuDP6QpoK2tOFpUW2Ne5SqnnAhEnAyJ42NpmDTiepuZPiUYLH/vg35AavQhE5OrRGG2YjblZ12e3pXxIWC/Frqa7fnbzh2I2dhyLGCkYkDfOI4WiZieERphnTkP9wBIi3on1I27dZEZJ0f6k5ei5Upre3kIaQKwGJSIw2NoD6FiFTQ5ytsv8tbN37nIyTPp4O+mvEuXYCwM6BqCvZnNkvoZkTOnAVr2CjzNK/JCmimFU6Kk9rxRzhbmAsoCkx1Rns9c6qdCo8qMH94o+4YWOdW9GcQT0FsLa/WzIRgDpOIfqCpKQiXbU1wlh+Yw87MInMZpvXsRpwtVnZz0SVvjr9c1IOyqWwyThM0lg+wijepAzEZZVJfUU5+GR+RgQNoQJAeUyXubH07RDTcV5XfjsLP85C8grgN/PieIC,iv:eoQ8QEBAW9w6/PV+HDdZ6NgB2kINpphPMCbarmKBay0=,tag:TsINizOipDtkXjbWPJ4pRQ==,type:str]
+sops:
+    lastmodified: "2025-09-06T18:00:23Z"
+    mac: ENC[AES256_GCM,data:bI9CvBD1vFgTJc6L13alqYPJ1/Jj5h/KCWqSSlaYVm0SZVigeRWxAg84RKRZki1DcUpLFxQdCcNUEGfffMcg6PVHJkQMiQJ1vfmRDDRNijCIoWjUDuL+QXpR38y+dBX7VL67z435jcqAOw/K9/mDfHF92BNmYDuzp4edS4tJOfY=,iv:M5/tgSh2NsZnedBxfgQO/+e9OMuDweTYbUNhtLP8q1s=,tag:pWJaXjUp65G2Buz8M2eq4A==,type:str]
+    pgp:
+        - created_at: "2025-09-06T17:57:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hL4DAAAAAAAAAAASBAMEfRbweJXEuALhkTVq+G9vZKseHSs0v2RJ7BlrCXX1HlqN
+            QMk+uNFyogw+4+0NAqOSWcj5nBBtRH/hX/p6G2l88wlc9JydmbbYQ2Gi+8TnuOgG
+            VamODcj9AWsJQ8y3CW/10RfcniyHB9JZcaBqFGsXUDDvmZPu0N+SUeEHSzg7tAUw
+            SwJUjalaTPDROP+R/y0ZFka4jKp8XqPr4H/4hvnpf6TXd+8WzYH/yC6yuoZDIexx
+            0l4BzxHrfFkN0qdQazATJDB/Rqxr+aWCw6OtO2+wt7O/rXhiqJdumGcK6/ZgqCGJ
+            V29dn+x3oUM/wsc7LEFVAZe1cXB9DAZ4jJLUjRyUdHHgauYS4XZBRvsFMAJ2P9km
+            =29z4
+            -----END PGP MESSAGE-----
+          fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
+        - created_at: "2025-09-06T17:57:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQv/UGwFHKX91CovaBAeRVKqT0asZCb9gJ1CYOLllY9GzZGq
+            yvFXAd13d8+ckQEI2w482sgMgpxUxxxJV9L68AT5nZSFWxQLATAA9Jx2Vxa7eUWH
+            HC9ImmtU+nhF5HuErq3/eMRdtbskvrvSD4MKI47apNh+OWyNJ3Oapv38Fu8c3jtY
+            0zdYgKSQgu6O/5XbvuPJcQu44zEPr5q8IkXEt43R/SVBEWCN3NVvK0wQcUn6Li0j
+            rhdnZyLVB8BdlzjV2Q7X/6k4bcE+q+r//fNwQTw/CkWgYejt40VzZf0do2Z/iYgb
+            Vqmc4ka99z9laSsrxd8974k6ZYcgb1ZY76pLZwyo17LNn5yYamp6fDaat9p0+Jyw
+            UlD9nz+JOnnlRaN7hGs5kXuUTCmvEbck5nKhbejPhCKhUFY+42Mrk+X3cdXUyk4u
+            wYBFN/wW9TPMeJ2QxaXqmiBKJznMz0I32gJ/wPmUNLSlPlnb2CXG4jJjuKfMI8Px
+            9hQhxS/t4ztZB4Cny2l80lgB10M5NTaOz9VCr/lsX9tTcnRNHsKuByHGgtbTTkiF
+            ozE/5VeSpfOfR/nDmE2HwqvXP9aBHYBo2bX0BWCpHcbLddynptNVmorwvDchlmjJ
+            Mp6Lg0T+d21O
+            =wy3b
+            -----END PGP MESSAGE-----
+          fp: fada7e7be28e186e463ad745a38d17f36849d8a7
+        - created_at: "2025-09-06T17:57:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQv/VcY7gbDGzqkJARd+73lH/Az24Phmyq5vF4KKBU6bpwN1
+            AZJsglCNYYekR99Iadjz7Wj8mxpSEf8VxmjW7EYH0SIh71YLFDaOPkcebTVWpsFA
+            xYdiYUFiujYz71CfvOSweC3hEqREWma15FPD3jA0TPfoekAYOML95ytCf452hOL+
+            YHaIe8LiaqchJ0AX5JtUZS+NWsiyITd1S9VPgraDH3skUruF+JpzYvg/NIW3wexT
+            +Ul6ACzDOtpx7lfZlcj5rYndR4glhELF/bsIfhM9s2ESAuc/uFK46kzhDfe1rnRw
+            Edx09n7udIB5RZcn4x3jgCS721Dz0wSqnbC49OWfxHux4DadcIwzITI6MZFyWPhk
+            3Gbo1cNnxMvYSE4X86J6ZY9zqrxu9w2hRV7JSeR2ATeC5AHYdU+gTsUyzTlaSNKn
+            9uVOLuczajuaFMnp7Hbd/H8rVJv8SNTeDtZE+wvUnRX2+yjDsPzdqquTEnk6N2uM
+            WTGKHc6DJk9/MDmovJMa0lgBzaUUSCHoxeOaWUuNUiyvLJyyzClmD60VkU0DrBID
+            rdotdzKIYL1GLfjfD/tSjKCqEQ3d2PSXSSnvvVkBUvkZSFNRYYqJOKwcFs3szmvM
+            0ZJFm0C+a3YJ
+            =Us6w
+            -----END PGP MESSAGE-----
+          fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

instances/ds9/services/paperless.nix

@@ -17,6 +17,7 @@
     configureTika = true;
     enable = true;
     database.createLocally = true;
+    domain = "paperless.hailsatan.eu";
     exporter = {
       enable = true;
       directory = "/data/paperless-export";

instances/minos/configuration.nix

@@ -1,83 +0,0 @@
-{
-  config,
-  pkgs,
-  inputs,
-  lib,
-  ...
-}:
-{
-  imports = [
-    (import "${inputs.mobile-nixos}/lib/configuration.nix" { device = "lenovo-krane"; })
-    ./hardware-configuration.nix
-    # <mobile-nixos/examples/plasma-mobile/plasma-mobile.nix>
-  ];
-  nixpkgs.system = "aarch64-linux";
-  time.timeZone = "Europe/Berlin";
-  networking.firewall.allowedTCPPorts = [
-    1880
-    2021
-  ];
-  networking.firewall.allowedUDPPorts = [
-    1880
-    2021
-  ];
-
-  # fix accelerometer
-  services.udev.extraRules = ''
-    ACTION=="remove", GOTO="sensor_end"
-
-    SUBSYSTEM=="iio", KERNEL=="iio*", SUBSYSTEMS=="platform", 
-      ATTRS{modalias}=="platform:cros-ec-accel", 
-      ENV{ACCEL_MOUNT_MATRIX}="0, 1, 0; -1, 0, 0; 0, 0, -1", 
-      GOTO="sensor_end"
-      
-    LABEL="sensor_end"
-  '';
-  environment.etc."libinput/local-overrides.quirks".text = ''
-    [Touchpad pressure override]
-    MatchUdevType=touchpad
-    MatchName=Google Inc. Hammer
-    AttrPressureRange=20:10
-  '';
-
-  security.rtkit.enable = true;
-  services.tailscale.enable = true;
-  # services.tailscale.useRoutingFeatures = "client";
-  xyno.hardware.kmonad.enable = true;
-  xyno.presets.cli.enable = true;
-  xyno.presets.gui.enable = true;
-  xyno.presets.home-manager.enable = true;
-  xyno.system.user.enable = true;
-  xyno.user-services.syncthing = {
-    enable = true;
-    tray = true;
-  };
-  xyno.networking.networkd = {
-    enable = true;
-    # enableWifi = true;
-  };
-
-  # Enable power management options
-  powerManagement.enable = true;
-
-  users.users."xyno".extraGroups = [
-    "dialout"
-    "feedbackd"
-    "networkmanager"
-    "video"
-    "wheel"
-  ];
-  # It's recommended to keep enabled on these constrained devices
-  zramSwap.enable = true;
-  # Use Network Manager
-  networking.wireless.enable = false;
-  networking.networkmanager.enable = true;
-  hardware.bluetooth.enable = true;
-  services.blueman.enable = true;
-  services.power-profiles-daemon.enable = true;
-  programs.kdeconnect.enable = true;
-  services.flatpak.enable = true;
-
-  system.stateVersion = "24.11";
-  programs.nh.enable = true;
-}

instances/minos/default.nix

@@ -1,4 +0,0 @@
-{
-  modules = [ ./configuration.nix ];
-  hostName = "minos";
-}

instances/minos/hardware-configuration.nix

@@ -1,18 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/0565c87f-d576-4016-ada7-b3d44ce5e6b3";
-      fsType = "ext4";
-    };
-  };
-  
-  boot.initrd.luks.devices = {
-    "LUKS-MINOS-ROOTFS" = {
-      device = "/dev/disk/by-uuid/a9134654-519e-4611-894d-b6244d1ea0f7";
-    };
-  };
-
-  nix.settings.max-jobs = lib.mkDefault 4;
-}

instances/picard/configuration.nix

@@ -0,0 +1,32 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  nixpkgs.system = "x86_64-linux";
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.systemd-boot.enable = false;
+
+  
+  imports = [
+    ./hardware-configuration.nix
+  ];
+  time.timeZone = "Europe/Berlin";
+
+  xyno.presets.server.enable = true;
+  xyno.presets.cli.enable = true;
+  xyno.services.wireguard.enable = true;
+  xyno.services.caddy.enable = true;
+  xyno.services.monitoring.enable = true;
+  xyno.presets.home-manager.enable = true;
+  xyno.system.user.enable = true;
+  xyno.networking.networkd = {
+    enable = true;
+  };
+
+  system.stateVersion = "25.05";
+}

instances/picard/default.nix

@@ -0,0 +1,12 @@
+{
+  modules = [ ./configuration.nix ];
+  sopsKey = "b730b2bf54eb792a14bfd3e68c14c08894376c5f";
+  hostName = "picard";
+  publicHostname = "xyno.space";
+  # prometheusServer = true;
+  wg = {
+    pubKey = "";
+    server = true;
+    v4 = "10.13.12.1";
+  };
+}

instances/picard/hardware-configuration.nix

@@ -0,0 +1,58 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ "${modulesPath}/installer/scan/not-detected.nix" ];
+
+  boot.initrd.availableKernelModules = [
+    "r8169"
+    "ahci"
+    "vfio-pci"
+    "xhci_pci"
+    "ehci_pci"
+    "nvme"
+    "usbhid"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.kernelModules = [ "kvm-amd" ];
+  nix.settings.max-jobs = lib.mkDefault 12;
+  powerManagement.powertop.enable = true;
+  powerManagement.cpuFreqGovernor = "powersave";
+  powerManagement.scsiLinkPolicy = "min_power";
+
+  fileSystems."/persistent" = {
+    device = "/dev/disk/by-uuid/ca79f433-163a-4c5c-b176-8e694a674dda";
+    fsType = "xfs";
+    neededForBoot = true;
+  };
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "size=8G"
+      "defaults"
+      "mode=755"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/DA11-68A6";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+      "noauto"
+      "x-systemd.automount"
+    ];
+  };
+
+}

instances/theseus/configuration.nix

@@ -46,7 +46,9 @@
     "olm-3.2.16"
   ];
   virtualisation.podman.enable = true;
-      services.vsmartcard-vpcd.enable = true;
+  services.vsmartcard-vpcd.enable = true;
+  hardware.gpgSmartcards.enable = true;
+  networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 35963 ] ;
 
   environment.systemPackages = with pkgs; [
     aerc