rekey and other stuff

2024-11-19 22:06:38 +00:00
parent 66d7e82c65
commit de67622f45
32 changed files with 148 additions and 132 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -191,9 +191,9 @@
        # build vm -> nixos-rebuild build-vm  --flake .#vm
        "vm" =
          mkHost { modules = [ ./users/vm ./systems/vm/configuration.nix ]; };
-
+        # nixos-rebuild switch --flake .#server-vm --target-host root@192.168.0.21 
        "server-vm" =
-          mkHost { modules = [ ./users/anon ./systems/server-vm/configuration.nix ]; };
+          mkHost { modules = [ ./users/anon ./systems/amd-server-vm/configuration.nix ]; };
      };

      packages.x86_64-linux = {
@@ -205,7 +205,7 @@
            pkgsVersion = nixpkgs-unstable;
          } // {inherit inputs outputs; };
          lib = nixpkgs-unstable.legacyPackages.x86_64-linux.lib;
-          modules = defaultModules ++ [ home-manager-unstable.nixosModules.home-manager ./users/anon ./systems/server-vm/configuration.nix {
+          modules = defaultModules ++ [ home-manager-unstable.nixosModules.home-manager ./users/anon ./systems/amd-server-vm/configuration.nix {
            # 100G disk;
            virtualisation.diskSize = 100 * 1024;
          } 
--- a/modules/services/adguard.nix
+++ b/modules/services/adguard.nix
@@ -54,7 +54,7 @@ in {
            "$2y$15$iPzjmUJPTwWUOsDp46GOPO/LYor/jDJjndwy2QlPddaKSD4QXvq9W";
        }];
        dns = {
-          bind_hosts = [ "127.0.0.1" ip wireguardIp ];
+          bind_hosts = [ "127.0.0.1" ip ] ++ lib.lists.optionals config.custom.services.wireguard.enable  [ wireguardIp ];
          port = 53;
          protection_enabled = true;
          filtering_enabled = true;
--- a/pkgs/ente-frontend/default.nix
+++ b/pkgs/ente-frontend/default.nix
@@ -7,13 +7,13 @@ buildNpmPackage rec {
  src = "${(fetchGit {
    url = "git@github.com:oberprofis/ente.git";
    ref = "master";
-    rev = "1b6219ee1d9c7be207cc8a2e8282704fb577356c";
+    rev = "42ccf9f7427d8007fce65526e9b9d0443115e476";
  })}/website/tracker-site";
  npmDepsHash = "sha256-fYTRhIU+8pdIm3wC5wJRcDUhgN3d+mmvfmVzuu0pjLQ=";

  # The prepack script runs the build script, which we'd rather do in the build phase.
-  npmPackFlags = [ "--ignore-scripts" ];
-  npmFlags = [ "--legacy-peer-deps" ];
+  #npmPackFlags = [ "--ignore-scripts" ];
+  #npmFlags = [ "--legacy-peer-deps" ];

  installPhase = ''
    mkdir -p $out
--- a/secrets/adminarea.age
+++ b/secrets/adminarea.age
@@ -1,8 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 bqM3xA Y42xefWKGT6S7hVhvXEVOygSFfJj2N+Hgq5C4w+YGgQ
-DNOblrNet6mE+cYe6bCehdJB++t/yXn6i6PU9oMg8Y8
-> ssh-ed25519 DCzi1A jkOZ2PwpkqFpQwtEwIPU1N5jeUySAMVNc56a06CM+w0
-LApR3u9D3+v5F6NHLVr8MSAM8aYSYMwOBlY8UXnyYfw
--- o3Gzah0R4s3bKF77NH2HbuePX6odQ4Tt1xXh4FM5lh8
-°È{îûä¹‘D0Ç/s&iCM‘È®ˆç³îçÄ~àX¤ö¸
-Z–h+™ g1ÄYÐ<59>6	kišËP¡má…¦JV ò(Œ£]9;+Óü%‰µ‚ƒúüQDÏ¦*·²¬3ÍÎ7ô¡º‚þÁŸ
+-> ssh-ed25519 bqM3xA myivNex19fF3ZRHmnoxewa4kW5YvX7hxvSlhJm6SsRw
+kknnuW/w+ku4ZuqPkW6d+XLdaMS83AH1d9555DD3wbY
+-> ssh-ed25519 DCzi1A df+C5KNtrYLTOIBsCKNuzF9ePjh4mm2YtYPzoxZNQ18
+S54lzYFdLgEP0LaOUa7U5RvyVKeUs3Hw/oNVUZwRVb4
+--- KPaLIgkd4T3K9OYTiqDJsiQ5hTefahEFv7h+ndxCMC8
+n“òcÄ$—š *ïh•ZLÚ?ÚðŽ2Ûqo¤#sfk³;jkC?çÀiçEŽ, ´$Å6þD$·ï[˜‡sA¾Èqë¼i;²	ª™A’{ˆªñÕb\ñ†ö»rÊÌËTâT9»„¨lópè
--- a/secrets/coturn-secret.age
+++ b/secrets/coturn-secret.age
--- a/secrets/duckdns.age
+++ b/secrets/duckdns.age
@@ -1,12 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 su0Eyw cZ2LcxtHVTS0C6UtosikfFdj383T+CqORj2OzvWkYCI
-2mEybfmdlP0+MD2F4If/vZ1CEOC62I9wz2PGPIvsk6E
-> ssh-ed25519 xfrWcQ AigoFpYG/JShNhp/00vRkJAjAfww9yDDDAfi66TrtgI
-0fiThEgz8SibuSkgr06wwuKATYaIsLgaSVlTKyOft6I
-> ssh-ed25519 IV3DkQ bhsNlU2erEJP/aJsycYslfJUJSHibYPLH7vXKpuobFU
-sLPF6S/FHIQm80dxHSUkY8+/6mhsY4Npii8cXgCyVfU
-> ssh-ed25519 DCzi1A XN9ZzLYfLJ5g2604Q3zh+GU9WEYWnWFTEj/NKhGx/no
-Qo18RZB/urMS1sI/HaBexiwvIoouGJNHgDoISMWfp5U
--- ypjgJk/XWMXN49ydjElxn3DRVYXHOdTtjJsFMoVz/L8
-¹ÄÅÈ
-èoµÖÌå|ó;ªŽªì}ihÛ¸,¯DgP_N½Ët3³æ#“>=KIå<ìŽrwd«¤ÚÃªØ'Þn	\¿ËYÞ+
+-> ssh-ed25519 dkV/5A NszBp6tthzJKoeujJ0k1AbIWvK0Vii3yK3iHCZC8yFk
+3Uxxeb8RijQb63WOVcYXL53C5cl3vTGG/s2t8pJavL4
+-> ssh-ed25519 xfrWcQ I8RgQBkcI+eGYLuJRiadQSMm7VlL7PIvCLv9P3nQ5WE
+tmfz9k8r2V9urFjIU+JDtHpCxQlAioTY90EqjXCVKvk
+-> ssh-ed25519 IV3DkQ eOiXgjJi7XrNULS+4rTY61Nw8YqUUDmW+r29q5vQFAc
+V2C6EHeXDseNKd4Vus0mcI808FySxQQ1DJUdpLwFqaQ
+-> ssh-ed25519 DCzi1A E/zVOLiv2O66rwbK++3YDGr/h+FZmk5f5WTo9W/3VQE
+VW7yJONqcOqcHE9CK9iRNPFDBFpf0+/oISyIYmuoiJs
+--- pcApz4sq0MZALDTE7lvbXHUyBP2CctsVZX7bsR5Lry0
+
+ióE)fy"|z
+RS®AKNÕ<±å}-ô<>Š,Ïõ¦„8âþƒ7˜ O³\œ–ÑrW…×%eÄyÙ¯ÜÎ<a
--- a/secrets/fileshelter-conf.age
+++ b/secrets/fileshelter-conf.age
--- a/secrets/github-runner-pw.age
+++ b/secrets/github-runner-pw.age
--- a/secrets/github-runner-token.age
+++ b/secrets/github-runner-token.age
@@ -1,12 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 su0Eyw tsRQwOuzuo1myyOmMvzxYDHA4zlK7EyTGrNpsq0t9go
-ki9GV4V/SJPMlL6iMDBgWR5bNPGvrR3CsDnhdvFba/k
-> ssh-ed25519 xfrWcQ 6CfTJmuCMghUL1yiJROIWRzgiMhs6VsFXofByAxqflo
-iJ+nA4HzCVjNCGWfLAnFMpZU2/hefoWjqDZVt7tjSUI
-> ssh-ed25519 IV3DkQ MXXlf/hEZAla6p/RwBTFPCntO3ITxTQMghLvT260Hgo
-007T3jGbgoLM4xseJ8CEGqFH9waxm+U0N8BwNVBhLYk
-> ssh-ed25519 DCzi1A LMrXbICNNDoowdi0E7Y8/2jKmaQJUhje7fMc8nS9Vxg
-sc7G1TDDVEMohVJKm/bKi5E+UysMlzaEFbbUsq6Icvk
--- 4KneAxtY+GSh+aPdcliazRLvh8H9/9pc6CGsbMb6r/o
-Ó˜$`wãˆàe è4qŸ*mˆ¨Ò½¯p1“Ý·îøîž~\
-qJ<Qùì¦_ÕV1&žk\äiXØ€ê¡xÏ¢ÏU÷˜ýA§ËÒE}—ªªôvöh¦3¢Àwš+´V²	Ó¨v{oj@Î<>Y¿ŠD€#þ®øj¸M¸ÅçÅJ
+-> ssh-ed25519 dkV/5A rWzRyAbe/agyiwmtBOI/lRHWYxB18Ag3TqDs6WQaBhM
+heDqzOOBC+k80bfwZWX7Snq7Yh9BzEf/lpza8bs8f28
+-> ssh-ed25519 xfrWcQ bGntPjfBzp5o09BovuG8odcZ40MLJyEXDmv2PkypehQ
+J5FJ7+u4afdnVAC7Y8yoAQOYPe+UnOGU620dtNt787g
+-> ssh-ed25519 IV3DkQ Y3HuEQ+pxsx4Zen2ChZDAzABKQQf654GDsv3u2cG6j4
+moeEQxNMsZxd9ILeoAQoMcmE6b6SN6tRF6YRGgoysvQ
+-> ssh-ed25519 DCzi1A 723bVp7bkm0RvPusFz1ZONVG4/+fXW35sVLqFZTOxHM
+JnsF2C0mfRrNsskJgz7Am5JqABrOc7utXMZ83AfwjF0
+--- 5UIyWetLujNh36YyeeYMGoBFn4F/nJz9HNT1glkp7QA
+]é}GçÛýã|‰±ÑnÙ»åT}ƒ›Ø~ÅÖ¹ÕÚ= ß¥Ÿ´&<26>>½œÄ
--- a/secrets/grafana-contact-points.age
+++ b/secrets/grafana-contact-points.age
--- a/secrets/kavita.age
+++ b/secrets/kavita.age
--- a/secrets/matrix-registration.age
+++ b/secrets/matrix-registration.age
--- a/secrets/nextcloud-admin.age
+++ b/secrets/nextcloud-admin.age
--- a/secrets/nextcloud-cert.age
+++ b/secrets/nextcloud-cert.age
--- a/secrets/nextcloud-key.age
+++ b/secrets/nextcloud-key.age
--- a/secrets/paperless.age
+++ b/secrets/paperless.age
@@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 su0Eyw SMreMP94QyAiyvhz+WA/s8ZIiSvr7EXTt7jVOEqn3yc
-3srDjvhsTRLJpKj+mMw41SgNiP1a8o9MIbtpn/llYWc
-> ssh-ed25519 xfrWcQ DBXUORSHA1ncTGxR1DXniHE30FiJtxM5h6Vm4AR0eSQ
-F+5QgUnFcBOh3ogJfqyYrORigid9qxVsaxpcOeQH1Hw
-> ssh-ed25519 IV3DkQ KPGXb3+MUvsNE22F787u1diONSWdnxSmmBQAgAE3yRs
-xQPgMee8nKR1pbYXPDCrPamVz7rxsp6T7VGVqHYRPV0
-> ssh-ed25519 DCzi1A +jUwmDeIX4QCfGtVESMi9BNYBwsH+ntdx7LtXhX5BFE
-fpPZFMomCAoyIniCtKbMfiUnlu3Js6vHv9MgVHR3XJw
--- VMOK7LJR3QvQ65+Ei6OxDbqHpOwJmCRb7OBSZM9bKLs
->Hｼｺ軆紕阿2Dﾒ楔a"ﾛC･ｩ演n_ｧW<EFBDA7>繙傔<E7B999>PH樰iｹﾟｩ\%錡yoU｡sﾋｿZ9"M｡ﾉ<EFBDA1>X7]ｧreT隆<54>ﾋ蜴$KO<03>(
+-> ssh-ed25519 dkV/5A 6v3LNRJ6Lr/Ae0hPiN7OdW+OUFMWC8I4z81g2FFsGWc
+sxh+9UUCnsKvttqsW6923mztw+xyvNWhmbfCnfts92g
+-> ssh-ed25519 xfrWcQ 9fTveDQemfAdZJz/Gy+y+VWeTPpi0rAKqhgaG4UWhT8
+HcAL+mG/iarpSODGwSUTqE9BLsH2b/J+9W/1ltHoAls
+-> ssh-ed25519 IV3DkQ IHC/AKhklAjr7snFg6mX5gTL4WqyKU6ZJlurLAHsHzE
+AwTcys0aZQy8eK6son1/rOQr+3UgpGMVvviF+MjlhXo
+-> ssh-ed25519 DCzi1A 5sW3obtVcuGeuQaaaD2xWdpVhHoxQlyC8fO6RreE+hY
+f/uGVNZHQfD0oi/bmdlIILPrMZqE2cLLDwlAS2Lvjx4
+--- dcmGgM7+4AWkXbwLOyEVpfl2hpvbKoFFIfeHKFJkqcY
+7Åó8òávMçžp"³XðÁÛŠ¯Â]P°Nè”(ÉîÉ¶2á,[ÖŒÖ«c ¬$\'"‚…|Jý«N‰ù=KúŠãm—CVøx‚¥&¥>Ä¶ñij`
--- a/secrets/plausible-admin.age
+++ b/secrets/plausible-admin.age
--- a/secrets/plausible-keybase.age
+++ b/secrets/plausible-keybase.age
@@ -1,8 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 bqM3xA pYt0CoyfIkCGgoWQrIEqpoVXz/8YgN3mOcl+GJNgu2s
-K5HaUKQb/oJ/BIqPEWwfwP89qdlbStI7EDZcy7u3C2s
-> ssh-ed25519 DCzi1A X5unppDtHIfPkYyt53pyWt0D+TYKO/8vOSZCmLeS9UA
-pmWOrT3kB89a+rxoe37uRR+EPESYKlwlTITqDXB/SuU
--- eKLEbWNmQOwYObYWmp3TsplYv4yEeJms+c8Ny0bclTs
-fßÜÕoCP‘V¾K¿Ú¹ù¹ø]âÁôzäŸu©Þ÷Ž©<C5BD>Öö#	7Jž8VÖ®I´ÅEðÍ7u0v&_žÞgD/‰®ª—ZøQÞ‘+â¤ZÅ;G<åÂã²kÙ©¨Ÿ£¡ªrR¼µbB¶C¦L
-j÷XÏòŠØC”:¥S×
+-> ssh-ed25519 bqM3xA /51wbxBqMFtCXGpoiDTf7tekNOhT1z7BS8O1RQpssw4
+gU08DxPsS1sLfIm3z9sSlC8OAxIrXRsllYHr+p3Nhtg
+-> ssh-ed25519 DCzi1A cX1K/YwnW1sKbmCYSDWQQUPEZ8PvHQ7oRk6dQ2WMYCw
+W0KvV/7NQ4fLETiTy52uo+dr0DOr3RSt+FiW5ETp4jc
+--- J42z35mU+Wql9jKlGEiea9EiqjcV+nWhc/rucZwUNyA
+öâ´â€V¸„uiÿ”63<1F>®±\Ruƒçþ<"’@·ò™”ù<E2809D>#)l	Ñ«ï
+UÁã4AƒûjÏ™×áÜ»p¡'7™<><01>À`Jœ©¢(ì£½êsYƒÿØEÊzEÛHü„:$í5ó[ä)t³ÙWD•ÞÐ<C39E>b²UX€Fñš
--- a/secrets/radicale.age
+++ b/secrets/radicale.age
--- a/secrets/restic-gdrive.age
+++ b/secrets/restic-gdrive.age
--- a/secrets/restic-pw.age
+++ b/secrets/restic-pw.age
--- a/secrets/restic-s3.age
+++ b/secrets/restic-s3.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,7 +2,7 @@ let
  kop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeP6qtVqE/gu72ZUZE8cdRi3INiUW9NqDR7SjXIzTw2 lukas@Kopatz-PC2";
  server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAUA7uVKXAF2UcwaIDSJP2Te8Fi++2zkKzSPoRx1vQrI root@server";
  laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqcphdDEJhnSBkAZzQXZJDCzsyb/Tqpcf0pUADFpbd1 root@nix-laptop";
-  mini-pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKla9+Gj2i9Ax7cIdnTM6zsmze3g1N/qCPqhga0P+toU root@mini-pc";
+  mini-pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/hwMtI0Xj4eRLjITV/Q2BQGG11NCHZRTLuecE/ZPM5 root@server-vm";
  mini-pc-proxmox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP0kX32LfIOv8FDVvdp7lWesVvMGh5tj84nv7TkIR1cs root@mini-pc";
  adam-site = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfaIaKoNStnbfjB9cSJ9+PW0BVO3Uhh1uIbZA2CszDE root@nixos";
  users = [ kop ];
--- a/secrets/stash-auth.age
+++ b/secrets/stash-auth.age
@@ -1,11 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 su0Eyw ubrXjjXR/NWzbnYk8/x9A64iQDmxXsHHyxHyHvFouAE
-ot9ZNCyG0OGVALdtrHwg+6jQiNznDicBu74yyFernKU
-> ssh-ed25519 xfrWcQ kFeLZt8cxhBhe54M1FQTAw5B/zOzaXBM8uDJMrKPwAY
-lzEzl/ZcKSZ3xmxdKE2qSJWSrJl9vS5uFpACOgTITfg
-> ssh-ed25519 IV3DkQ 2Gobyktl920WUhBp7ukIcDcdyRem3Y359C7BUIX2Q0Q
-n/+a2XRZghCC/Ufaix50eoQJMr2ThM+xz6MimINxZE4
-> ssh-ed25519 DCzi1A 1WGot8qzyx1OZ4oeOG1rGjhgUcjfyEd9G4GAwWG2MX0
-ky/XJR/qcmISfgwkC+ColVTjQJQWkg48whKo1glg7oQ
--- ISzwjQcQ3rt/fcVDESFhiv+k6gPvpckjlkFZ7aWyxXA
-¤qøÿ¬‹GðSå•<11>ïg÷/™‚’yâÊëT×$Ã¸Ö©œ<d"æ<13>}éûçtð¾Ýª%Ç,Bê–c¢ù0(Âº<C382>¹ ·¼9&o¹c ‘ˆÐòÔÄ†HËR:L;73å
+-> ssh-ed25519 dkV/5A H45UCnfk0L30LTAIJQ21zWMfvYurNxsC7wZJbCZRr1U
+pexJiRj9wUy5S8jzMDWUZpKTCQIpGKDH3o/BPGDIrXc
+-> ssh-ed25519 xfrWcQ PnFaA7dYMhvwECptLvjkZPY5exA7QQU9J3yuzfFHU0M
+tf7pmM2cNqanKNINYkSmn5XMl4VaHpGTIM/3yJydnV4
+-> ssh-ed25519 IV3DkQ NByh1UlLrvvrALcRr25S/Q3TKxbJupknfPxT0BcfbHA
+RMAV0OJ70qcce0hVZ49HgMLqTjmhEnyHunnSPs6PDt0
+-> ssh-ed25519 DCzi1A AK2WRW6/SwNkv8ZC2RafnpuODniO0hi44hr6j6zmsB0
+keejUQyYNd3mKqf0bBIaxGWuVncge7bWnnPwFAwuY7A
+--- 1S9P2L4/3qA01SRlO/GOZfSg2Y5ckO58iYMe6rfl3es
+“jÚ>;‹g°cE@suÇ
+ß–6È»ñëóøPIdzÜÙå*±#Áù}itüÐbÃˆî‰©<0F>Å
+Þ5¦ä€‰oÇ¼…léeB{Úwìal/“0£¯J“¥Oƒü¤ªó
--- a/secrets/step-ca-key.age
+++ b/secrets/step-ca-key.age
--- a/secrets/step-ca-pw.age
+++ b/secrets/step-ca-pw.age
--- a/secrets/webhook.age
+++ b/secrets/webhook.age
--- a/secrets/wireguard-client.age
+++ b/secrets/wireguard-client.age
--- a/secrets/wireguard-private.age
+++ b/secrets/wireguard-private.age
@@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 su0Eyw TSYqpni/Ql+lZa+oFPN3hn8fR4HM3mZ6o9UQKF2KI2s
-/IxKWNcfPpsW74ajLj5Nzu8oqLEvGht4mOaJCGKUpHE
-> ssh-ed25519 xfrWcQ ti3YCRm+xByOvl4kjqqFMA82QNogaQsD52VelAb1IyA
-m4M25xeL2PIzp/BZ23VLb1G+3R6FYAt7wH+816hGSSs
-> ssh-ed25519 IV3DkQ ZqrkWMup3fqiPtDa57NifZEyRTdNdcp+ZJzB6oKZjAk
-jszSfRmBrN5QLqKdM329uGHQYY+t7m0Ra/RpNkI56AQ
-> ssh-ed25519 DCzi1A vOXrGSxFvRj7S33RfhNuI1WvOITZ0vcLsLmuutlcqx4
-8ZQQ26trhVFNEG9yFOmjFgDZh1qq0v4lpDzWYlPC5L4
--- E0g+TAkc6Mj2vicS3ub2CEr2XYu4Q1nkWgnrs8KnFVE
-vÀäéîvÉ,6|WA?§d'!DÌÐÖZfu½¦*}a
+-> ssh-ed25519 dkV/5A FhMxjBcbjjS/qYHq0W9vuAEWh0D4LG62iTKNm0vacwY
+2o6VCE8zZsRZczN0QemFPCyRqciTHx0Nmzgl+nlXBHA
+-> ssh-ed25519 xfrWcQ j6+gGMbV+v2jVQU7DjTI+nBI8S5rncXY7nEmNBmhujU
+SVkjUG0FUzxOlJZ9O5LhmIP3XhAvDQQWE0MYaHl7qAI
+-> ssh-ed25519 IV3DkQ rb7ReLYjttHEhEhhVFF7eqNSFXrBzMZpusvTyuMXzQs
+OSzhuMUuYUogRFxc7cYOJm8ndm+GLoNZT5VQ4A91k5Q
+-> ssh-ed25519 DCzi1A BqUcBTDbhl5cbe3lLePWMm7UL1Q0mocynUHG6BxrlH0
+ISVR5FWzADZOaJA2SRv1TmmMqJ6yz+pLWE1miHn2VJk
+--- MeQ/Wz0RDfi0OR8Bwvp1QJRlx9FH52S38DFsl9n4V1U
+D釈ﾄﾙ7E\蠹J6我l溥ｬ柞<EFBDAC>:Vz惴ZZｬⅱｼ鐱ﾊﾞﾆ?ﾚ[c4朸)G|舘ﾛO;z裘<>?ｬcﾜ猜Ydｪ(
--- a/systems/amd-server-vm/configuration.nix
+++ b/systems/amd-server-vm/configuration.nix
@@ -19,6 +19,7 @@
    loader.grub = {
      efiSupport = true;
      efiInstallAsRemovable = true;
+      device = "nodev";
    };
  };

@@ -27,10 +28,9 @@
  custom = {
    static-ip = {
      enable = true;
-      ip = "192.168.0.21";
+      ip = "192.168.0.10";
      interface = "eth0";
-      #dns = "127.0.0.1";
-      dns = "192.168.0.10";
+      dns = "127.0.0.1";
    };
    user = {
      name = "anon";
@@ -43,48 +43,48 @@
    };
    misc = {
      docker.enable = true;
-      #backup = let
-      #  kavita = "/data/kavita";
-      #  gitolite = "/var/lib/gitolite";
-      #  syncthing = [ "/data/synced/default/" "/data/synced/work_drive/" ];
-      #  syncthingFull = syncthing
-      #    ++ [ "/data/synced/fh/" "/data/synced/books/" ];
-      #  backupPathsSmall = [ "/home" gitolite ] ++ syncthing;
-      #  backupPathsMedium = [ "/home" gitolite ] ++ syncthing;
-      #  backupPathsFull = [ "/home" kavita gitolite ] ++ syncthingFull;
-      #in {
-      #  enable = true;
-      #  small = backupPathsSmall; # goes to backblaze
-      #  medium = backupPathsMedium; # goes to gdrive
-      #  large = backupPathsFull; # goes to local storage medium
-      #};
+      backup = let
+        kavita = "/data/kavita";
+        gitolite = "/var/lib/gitolite";
+        syncthing = [ "/data/synced/default/" "/data/synced/work_drive/" ];
+        syncthingFull = syncthing
+          ++ [ "/data/synced/fh/" "/data/synced/books/" ];
+        backupPathsSmall = [ "/home" gitolite ] ++ syncthing;
+        backupPathsMedium = [ "/home" gitolite ] ++ syncthing;
+        backupPathsFull = [ "/home" kavita gitolite ] ++ syncthingFull;
+      in {
+        enable = true;
+        small = backupPathsSmall; # goes to backblaze
+        medium = backupPathsMedium; # goes to gdrive
+        large = backupPathsFull; # goes to local storage medium
+      };
    };
    services = {
      acme.enable = true;
-      #gitolite.enable = true;
-      #github-runner.enable = true;
+      gitolite.enable = true;
+      github-runner.enable = true;
      #caldav.enable = true;
-      #kop-monitor.enable = true;
+      kop-monitor.enable = true;
      kop-fileshare = {
        basePath = "/stash";
        dataDir = "/1tbssd/kop-fileshare";
        enable = true;
      };
-      #nginx.enable = true;
-      #ente.enable = true;
-      #kavita = {
-      #  enable = true;
-      #  dir = "/data/kavita";
-      #};
-      #wireguard = {
-      #  enable = true;
-      #  ip = "192.168.2.1";
-      #};
-      #adguard.enable = true;
-      #syncthing = {
-      #  enable = true;
-      #  basePath = "/data/synced";
-      #};
+      nginx.enable = true;
+      ente.enable = true;
+      kavita = {
+        enable = true;
+        dir = "/data/kavita";
+      };
+      wireguard = {
+        enable = true;
+        ip = "192.168.2.1";
+      };
+      adguard.enable = true;
+      syncthing = {
+        enable = true;
+        basePath = "/data/synced";
+      };
    };
    nftables.enable = true;
    cli-tools.enable = true;
@@ -98,6 +98,16 @@
  virtualisation.vmware.guest.enable = true;
  services.xserver.videoDrivers = [ "vmware" ];

+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+    options = [ "defaults" "noatime" ];
+  };
+  fileSystems."/boot" =
+  { device = "/dev/disk/by-label/ESP";
+      fsType = "vfat";
+  };
  fileSystems."/data" = {
    device = "/dev/disk/by-uuid/d117419d-fce9-4d52-85c7-e3481feaa22a";
    fsType = "btrfs";
--- a/systems/amd-server/configuration.nix
+++ b/systems/amd-server/configuration.nix
@@ -5,11 +5,9 @@
 { config, lib, pkgs, ... }:

 {
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-    ];
-
+  imports = [ # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];

  custom = {
    #tmpfs.enable = true;
@@ -51,9 +49,7 @@
      nightlight.enable = true;
      i3.enable = true;
      shared.enable = true;
-      games = {
-        enable = true;
-      };
+      games = { enable = true; };
    };
  };
  mainUser.layout = "de";
@@ -61,6 +57,27 @@

  virtualisation.vmware.host.enable = true;

+  systemd.services.start-vm = {
+    description = "Start VM";
+    wants = [ "network-online.target" ];
+    after = [ "network.target" "network-online.target" "vmware-networks.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      Type = "forking"; #?????? doesnt work without it, thanks vmware
+      ExecStart = let
+        script = pkgs.writeShellScript "start-vm" ''
+          ${pkgs.vmware-workstation}/bin/vmrun start /root/vmware/server/server.vmx nogui
+        '';
+      in "${script}";
+      User = "root";
+      Restart = "on-failure";
+      RestartSec = "5s";
+      ProtectHome = false;
+      ProtectSystem = false;
+    };
+  };
+
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
@@ -70,7 +87,7 @@

  #zenpower for ryzen
  boot.extraModulePackages = with config.boot.kernelPackages; [ zenpower ];
-  boot.kernelModules = ["zenpower"];
+  boot.kernelModules = [ "zenpower" ];
  boot.blacklistedKernelModules = [ "k10temp" ];

  services.xserver.desktopManager = {
@@ -96,4 +113,3 @@
  system.stateVersion = "24.05"; # Did you read the comment?

 }
-
--- a/systems/amd-server/hardware-configuration.nix
+++ b/systems/amd-server/hardware-configuration.nix
@@ -23,17 +23,6 @@
    options = [ "fmask=0077" "dmask=0077" ];
  };

-  fileSystems."/data" = {
-    device = "/dev/disk/by-uuid/d117419d-fce9-4d52-85c7-e3481feaa22a";
-    fsType = "btrfs";
-    options = [ "compress=zstd" "noatime" "nofail" ];
-  };
-  fileSystems."/1tbssd" = {
-    device = "/dev/disk/by-uuid/801d9217-9c38-4ca8-914e-e31361603892";
-    fsType = "ext4";
-    options = [ "defaults" "nofail" "noatime" ];
-  };
-
  swapDevices = [ ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking