31 changed files with 589 additions and 128 deletions
--- a/components/network/nginx.nix
+++ b/components/network/nginx.nix
@ -175,7 +175,7 @@ with lib;
                  ];
                })
                (entry { machine = "cherry"; })
-                #(entry { machine = "cream"; })
+                (entry { machine = "cream"; })
                (entry { machine = "mobi"; })
                (entry { machine = "bobi"; })
                {
--- a/components/network/syncthing.nix
+++ b/components/network/syncthing.nix
@ -61,7 +61,7 @@ with lib;
        path = lib.mkDefault "/tmp/books";
        devices = [
          "chungus"
-          #          "cream"
+          "cream"
          "cherry"
        ];
        versioning = {
@ -74,7 +74,7 @@ with lib;
        path = lib.mkDefault "/tmp/desktop";
        devices = [
          "chungus"
-          #          "cream"
+          "cream"
          "cherry"
        ];
      };
@ -83,7 +83,7 @@ with lib;
        path = lib.mkDefault "/tmp/finance";
        devices = [
          "chungus"
-          #          "cream"
+          "cream"
          "cherry"
        ];
        versioning = {
@ -122,7 +122,7 @@ with lib;
        path = lib.mkDefault "/tmp/oscar_cpap";
        devices = [
          "chungus"
-          #          "cream"
+          "cream"
          "cherry"
        ];
      };
@ -131,7 +131,7 @@ with lib;
        path = lib.mkDefault "/tmp/password-store";
        devices = [
          "chungus"
-          #          "cream"
+          "cream"
          "cherry"
        ];
        versioning = {
@ -144,7 +144,7 @@ with lib;
        enable = lib.mkDefault false;
        path = lib.mkDefault "/tmp/password-store";
        devices = [
-          #          "cream"
+          "cream"
          "cherry"
          "orbi"
        ];
--- a/components/network/tinc/private.nix
+++ b/components/network/tinc/private.nix
@ -14,7 +14,7 @@ let
    bobi = "10.23.42.25";
    cherry = "10.23.42.29";
    chungus = "10.23.42.28";
-    #    cream = "10.23.42.27";
+    cream = "10.23.42.27";
    mobi = "10.23.42.23";
    orbi = "10.23.42.100";
  };
@ -67,10 +67,10 @@ in
          subnets = [ { address = hosts.bobi; } ];
          settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
        };
-        #        cream = {
+        cream = {
-        #          subnets = [ { address = hosts.cream; } ];
+          subnets = [ { address = hosts.cream; } ];
-        #          settings.Ed25519PublicKey = Ed25519PublicKey "cream";
+          settings.Ed25519PublicKey = Ed25519PublicKey "cream";
-        #        };
+        };
        cherry = {
          subnets = [ { address = hosts.cherry; } ];
          settings.Ed25519PublicKey = Ed25519PublicKey "cherry";
--- a/components/network/tinc/secret.nix
+++ b/components/network/tinc/secret.nix
@ -12,7 +12,7 @@ let
  port = 721;
  hosts = {
    cherry = "10.123.42.29";
-    #    cream = "10.123.42.27";
+    cream = "10.123.42.27";
    robi = "10.123.42.123";
    sternchen = "10.123.42.25";
    sterni = "10.123.42.24";
@ -35,10 +35,10 @@ in
          subnets = [ { address = hosts.sternchen; } ];
          settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
        };
-        #        cream = {
+        cream = {
-        #          subnets = [ { address = hosts.cream; } ];
+          subnets = [ { address = hosts.cream; } ];
-        #          settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
+          settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
-        #        };
+        };
        cherry = {
          subnets = [ { address = hosts.cherry; } ];
          settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
@ -80,13 +80,13 @@ in
  );
  services.openssh.knownHosts = {
-    #    "cream.${network}" = {
+    "cream.${network}" = {
-    #      hostNames = [
+      hostNames = [
-    #        "cream.${network}"
+        "cream.${network}"
-    #        hosts.cream
+        hosts.cream
-    #      ];
+      ];
-    #      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
-    #    };
+    };
    "sternchen.${network}" = {
      hostNames = [
        "sterni.${network}"
--- a/flake.nix
+++ b/flake.nix
@ -404,6 +404,28 @@
          machines = {
            cream = clanSetup {
              name = "cream";
              host = "cream.bear";
              modules = [
                defaultAuthorizedKeys
                zerotierModules
                nixos-hardware.nixosModules.framework-12th-gen-intel
                retiolum.nixosModules.retiolum
                private-parts.nixosModules.cream
                homeManagerModules
                stylixModules
                { home-manager.users.mainUser.gui.enable = true; }
                {
                  home-manager.users.mainUser = import ./homes/palo;
                  home-manager.users.root = import ./homes/root;
                }
                {
                  clan.core.machineDescription = "Laptop";
                }
              ];
            };
            cherry = clanSetup {
              name = "cherry";
              host = "cherry.bear";
@ -423,15 +445,12 @@
                {
                  clan.core.machineDescription = "Laptop";
                }
                (
                  { config, ... }:
                {
                    # keys only to access cherry
                  users.users.root.openssh.authorizedKeys.keyFiles = [
-                      "${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub"
+                    # yubikey key
                    ./assets/mrvandalo_rsa.pub
                  ];
                }
                )
              ];
            };
--- a/machines/cherry/configuration.nix
+++ b/machines/cherry/configuration.nix
@ -20,8 +20,7 @@
    ./37c3.nix
    ./topology.nix
-    ./ssh-chungus.nix
+    ./ssh.nix
    ./ssh-cherry.nix
  ];
--- a/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub
+++ b/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg root@cherry
--- a/machines/cherry/ssh-cherry.nix
+++ b/machines/cherry/ssh-cherry.nix
@ -1,46 +0,0 @@
 {
  config,
  factsGenerator,
  lib,
  ...
 }:
 let
  hostname = "cherry";
 in
 {
  # Defines the root SSH key to be used exclusively for accessing a secure machine.
  # The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
  # make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
  # If the target machine becomes compromised by an attacker,
  # they could potentially leverage the forwarded SSH agent to access the secure machine.
  # This file prevents that scenario by restricting access strictly to the defined SSH key,
  # which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
  clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
    name = "root.${hostname}";
  };
  systemd.tmpfiles.settings.mainUser = {
    "/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
      user = config.users.users.mainUser.name;
      group = config.users.users.mainUser.group;
      mode = "400";
      argument =
        config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
    };
  };
  home-manager.users.mainUser.programs.ssh.matchBlocks =
    lib.genAttrs
      [
        "${hostname}.bear"
        "${hostname}.private"
        "${hostname}.wg0"
      ]
      (name: {
        identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
        identitiesOnly = true;
      });
 }
--- a/machines/cherry/ssh-chungus.nix
+++ b/machines/cherry/ssh-chungus.nix
@ -1,46 +0,0 @@
 {
  config,
  factsGenerator,
  lib,
  ...
 }:
 let
  hostname = "chungus";
 in
 {
  # Defines the root SSH key to be used exclusively for accessing a secure machine.
  # The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
  # make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
  # If the target machine becomes compromised by an attacker,
  # they could potentially leverage the forwarded SSH agent to access the secure machine.
  # This file prevents that scenario by restricting access strictly to the defined SSH key,
  # which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
  clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
    name = "root.${hostname}";
  };
  systemd.tmpfiles.settings.mainUser = {
    "/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
      user = config.users.users.mainUser.name;
      group = config.users.users.mainUser.group;
      mode = "400";
      argument =
        config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
    };
  };
  home-manager.users.mainUser.programs.ssh.matchBlocks =
    lib.genAttrs
      [
        "${hostname}.bear"
        "${hostname}.private"
        "${hostname}.wg0"
      ]
      (name: {
        identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
        identitiesOnly = true;
      });
 }
--- a/machines/cherry/ssh.nix
+++ b/machines/cherry/ssh.nix
@ -0,0 +1,39 @@
 { config, factsGenerator, ... }:
 {
  # Defines the root SSH key to be used exclusively for accessing the backup server.
  # The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
  # make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
  # If the target machine becomes compromised by an attacker,
  # they could potentially leverage the forwarded SSH agent to access the backup server.
  # This file prevents that scenario by restricting access strictly to the defined SSH key,
  # which is only used to access the backup server, so no other ssh-agent will contain this ssh key
  clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
  systemd.tmpfiles.settings.mainUser = {
    "/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
      user = config.users.users.mainUser.name;
      group = config.users.users.mainUser.group;
      mode = "400";
      argument =
        config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
    };
  };
  home-manager.users.mainUser.programs.ssh.matchBlocks = {
    "chungus.bear" = {
      identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
      identitiesOnly = true;
    };
    "chungus.private" = {
      identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
      identitiesOnly = true;
    };
    "chungus.wg0" = {
      identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
      identitiesOnly = true;
    };
  };
 }
--- a/machines/cream/configuration.nix
+++ b/machines/cream/configuration.nix
@ -0,0 +1,137 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
    ./syncthing.nix
    ./network-tinc.nix
    ./network-tinc_retiolum.nix
    ./network-wireguard-wg0.nix
    ./network-wireguard-wg1.nix
  ];
  system.stateVersion = "22.11";
  # Use the systemd-boot EFI boot loader, not grub
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
  components.virtualisation.enable = true;
  components.gui.enable = true;
  components.gui.xorg.enable = true;
  components.gui.wayland.enable = false;
  components.mainUser.enable = true;
  components.media.enable = true;
  components.media.tts-client.enable = false;
  components.network.enable = true;
  components.network.wifi.enable = true;
  components.terminal.enable = true;
  telemetry.enable = true;
  telemetry.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
  telemetry.prometheus.exporters.zfs.enable = false;
  home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
  home-manager.users.mainUser.bugwarrior.config = {
    general = {
      targets = [
        "terranix"
        "my_github"
      ];
      log_level = "INFO";
      static_fields = [ "priority" ];
      merge_annotations = false;
    };
    terranix = {
      service = "github";
      login = "mrVanDalo";
      token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
      username = "mrVanDalo";
      default_priority = "";
      description_template = "{{githubtitle}} {{githuburl}}";
      add_tags = "github";
      project_template = "terranix";
      involved_issues = true;
      query = "org:terranix is:open";
      include_user_issues = false;
      include_user_repos = false;
    };
    my_github = {
      service = "github";
      login = "mrVanDalo";
      token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
      username = "mrVanDalo";
      description_template = "{{githubtitle}} {{githuburl}}";
      add_tags = "github";
      include_user_issues = true;
      include_user_repos = true;
      exclude_repos = [
        "azubi"
        "csv-to-qif"
        "stepp0r"
      ];
    };
    # todo : add github issues
  };
  users.users.mainUser.extraGroups = [ "pipewire" ];
  services.nginx.enable = true;
  networking.hostName = "cream";
  #services.flatpak.enable = true;
  # make sure battery is charged in a way to live for a long time
  services.power-profiles-daemon.enable = false;
  services.tlp = {
    enable = true;
    settings = {
      CPU_BOOST_ON_BAT = 0;
      CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
      START_CHARGE_THRESH_BAT0 = 30;
      STOP_CHARGE_THRESH_BAT0 = 85;
      RUNTIME_PM_ON_BAT = "auto";
    };
  };
  security.wrappers = {
    pmount = {
      source = "${pkgs.pmount}/bin/pmount";
      setuid = true;
      owner = "root";
      group = "root";
    };
    pumount = {
      source = "${pkgs.pmount}/bin/pumount";
      setuid = true;
      owner = "root";
      group = "root";
    };
  };
  services.printing.enable = true;
  samba-share = {
    enable = false;
    folders = {
      share = "/home/share";
      video = "/home/video-material";
    };
  };
  # for congress and streaming
  hardware.graphics.enable = true;
 }
--- a/machines/cream/facts/ssh.id_ed25519.pub
+++ b/machines/cream/facts/ssh.id_ed25519.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPz1SRSthwDEmXZXcBMi0FZhqgZxF7i1lDcGT534Gy7 nixbld@cherry
--- a/machines/cream/facts/ssh.jobrad.id_ed25519.pub
+++ b/machines/cream/facts/ssh.jobrad.id_ed25519.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArokGctZ2VLf92FhfE8pHzkx/bjz0/J1QjeaGgDSj1s ingolf.wagner@jobrad.org
--- a/machines/cream/facts/syncthing.pub
+++ b/machines/cream/facts/syncthing.pub
@ -0,0 +1 @@
 VQSHJ6K-MUWCTPJ-LJINXBP-7O244YK-TIY3D5B-T6PU7BY-2NPWPXI-HO2Q5Q6
--- a/machines/cream/facts/tinc.private.ed25519_key.pub
+++ b/machines/cream/facts/tinc.private.ed25519_key.pub
@ -0,0 +1 @@
 b8xU34/kYj3LxYfdrozDnpmXt25mLbYsnhUxgvFz2CG
--- a/machines/cream/facts/tinc.private.rsa_key.pub
+++ b/machines/cream/facts/tinc.private.rsa_key.pub
@ -0,0 +1,13 @@
 -----BEGIN RSA PUBLIC KEY-----
 MIICCgKCAgEAqFNvj8lg1ET9rala1W7RSi+ObQoN8JoQ7fTZ63XBycDr3bEkubGk
 vIbLFFsdhIiMrJG6eRr25EiKQxew6Pb4HwwqjCJugHzSELHgiWN93Dx5hgl+EXV2
 8EYQ3xWO+8ZH4PQsfUMqxBx553UMOiDZ0L4OE275z5XuLyDXnjXqv2WCU7qY57lt
 MlJ3BFOhtWz7wl7fOu8rzalVuDLc/yp3KKhzLxr7lUUIHOZOT8EsoSAOiy+qUq6Q
 K9JrHcTGP3FmBucY5bSyVQxbX75tLqBiadTvlcx4n0mHTbCyHjC2tIHmN2MtUhsS
 Qw4uITn7NTd/c9H89Le2Z3Z01sRNEo1eZ3ru0JlYqUEL0sE2lAtPJWRgRePEzCWs
 s8GN6LFrAvl8T/FmW6XFzxGBViOhFqP61HO17KhALwl5kVXpUMFKxbn1/ZXP5Ono
 +h/Aaph56D/EZAFVvAPR7xx/Cp+cjOvKaKLgnZ5vG3VrjmbL9KkDtHiiiHcKC/Z8
 OrOirkxalJJd2bMYpIUO/7TYEUCQzni3ollYae3myFuwRIeiqNnVjtHiQnPMEYmn
 pjgWmvtYjvPLJkpnnP96nn+FI7FXqro8nY59COaIne3m0SxPo6JrGwugvYuLeOJS
 96v4hcSTrB3LEaH49a3vaFKQUsEOFCCTc6Qx+/ejgV/3cEzQjDblep8CAwEAAQ==
 -----END RSA PUBLIC KEY-----
--- a/machines/cream/facts/tinc.retiolum.ed25519_key.pub
+++ b/machines/cream/facts/tinc.retiolum.ed25519_key.pub
@ -0,0 +1 @@
 B3EKYRxqFjIGR2VYajjDqX0gltPJNwcno5PUhafKWKB
--- a/machines/cream/facts/tinc.retiolum.rsa_key.pub
+++ b/machines/cream/facts/tinc.retiolum.rsa_key.pub
@ -0,0 +1,13 @@
 -----BEGIN RSA PUBLIC KEY-----
 MIICCgKCAgEAnzhalF1rqLdSsT6HAGuQ6x1kC9Ty3FjoKR2Y5RCO9YIyEgRE8qfR
 jkne+wIIleODUDMZYuvUe9X5hm8w6wDzxlwCPitwhDlOxoSBnXfbL6YL9rZBn3lC
 JFkpEPtAJYnfM64R4/UjSndHlCVuH7tltD/1tmfG6IbSsIeDVz+pWZdEmBJfCiDl
 aqP2gb1oIwe9TgJX2EC2ugW+6Jh9oPNIOP2Q5eLvty5WPhUSGQDWVMr5u0Rgc1oU
 hhAvrfue7MFqUwX+o0Zq93eVAu/51dhTtqwwVgZVlHK7Wkak4yTRGPAP9v9vbKeK
 7GpQuvbiI5OphhSFPjyCN1XMqVgFxqsnLsflIPbQdxCkBgFxhmNf31BDlXWHWD5e
 7BfFYc1tZFcEWKhguoCSesJvh1BVsiZzfya96lGd/+ttcKBUKX4tdznEQsV/MVhC
 cVnQD6k8PN4BIWVJtcq5oM9h6Yt6avtv8TeuaLp/Janco4JmYYFIfRETnz6ye/fG
 OiKJnGQ1yohSE6n8ZUK1QYdYezZfI8QhF7GHK7he9x13L9xmXoybV+REXlRvh4S2
 bi9lWTKhQVIHb/qLIdQuaAnK1xg4tdNzL43KEpPstGlAnG8uUNL8hCJL3m220RPK
 lEbtLhayRzQ9zgj/hBQZa/hMGGyiqV1hiTbEEWAusJdGTUPYhjAelOkCAwEAAQ==
 -----END RSA PUBLIC KEY-----
--- a/machines/cream/facts/tinc.secret.ed25519_key.pub
+++ b/machines/cream/facts/tinc.secret.ed25519_key.pub
@ -0,0 +1 @@
 nrSEGYNGKiEdXaVAnGkb7ihBnKf/PcpGJEvn1NMLNoB
--- a/machines/cream/facts/tinc.secret.rsa_key.pub
+++ b/machines/cream/facts/tinc.secret.rsa_key.pub
@ -0,0 +1,13 @@
 -----BEGIN RSA PUBLIC KEY-----
 MIICCgKCAgEA8xuGW5yLty6aWYhhBK/T+7TmP3QsU2Y3ew7KvSNLhuxQc63CwzSA
 eJpDHYgoLujoi6VGd1L+I7G3Imy0wF5FsFgsFKY7wTbSL/Y/6gc6wm7yL/gYebH7
 zm//n6wqMSlrFKMpnWQj9x43f8eseMl0D3rlXYpE7HfKZI3sPTNexUrWRsqVFUFN
 Jmi5SQHIWuczWh0EGUaSc8ueMYHh9WkzDHS7Y8UbLy7bSclRSPxIp7D87513n7YT
 0OH7dEDD/is0uoRHQg+TpgFm9HcJeX5ULmsv1x6gssm7D7r+nXF7ATNJrKO0h78O
 hAS7kfugHFzrYQP/NRxNLRETSuyL4kQS5WiVfdQWIi+UJtasCSPH4hT34DBPN8vX
 GC0nneV9RztnTBUpuIH/BsBOmHBHwLTb9miN6dTyq1MAL/NsiO8+zgxE4gJnownR
 r6Dn3fF2bGX9ij9/7WUyi9hez+3c5q3CsG0CDccDsvgkFc4nDdWxmwqKtIg4hM7x
 M6FA5W9g1hgupcIdRt/+dKp+nwGH5TYAXa9+XFwfSuegds2hZFluEhmgfet2tB26
 wA4w6+mNcTzikvU0262w9VvkvIhAXWxAvMFtDTOzY2aWqoYJfDTmdaRHdj8c2F7A
 UCknUC9a3Kwi3BubAARtO1zTe6fhvkdAm9eJi985Y98xaHHXU6QeDX0CAwEAAQ==
 -----END RSA PUBLIC KEY-----
--- a/machines/cream/facts/wireguard.wg0.cidr
+++ b/machines/cream/facts/wireguard.wg0.cidr
@ -0,0 +1 @@
 10.100.0.6/32
--- a/machines/cream/facts/wireguard.wg0.ip
+++ b/machines/cream/facts/wireguard.wg0.ip
@ -0,0 +1 @@
 10.100.0.6
--- a/machines/cream/facts/wireguard.wg0.pub
+++ b/machines/cream/facts/wireguard.wg0.pub
@ -0,0 +1 @@
 u0HcEa3lGDxqGqrot+9AtrqQNqNzOtCv/PDuuZqB9Ek=
--- a/machines/cream/facts/zerotier-ip
+++ b/machines/cream/facts/zerotier-ip
@ -0,0 +1 @@
 fdb3:fdc0:b880:37a1:3a99:93df:ed1c:3754
--- a/machines/cream/hardware-configuration.nix
+++ b/machines/cream/hardware-configuration.nix
@ -0,0 +1,75 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "thunderbolt"
    "nvme"
    "usb_storage"
    "uas"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  boot.initrd.luks.devices = {
    pool = {
      device = "/dev/nvme0n1p2";
      preLVM = true;
    };
  };
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/48228fad-8123-4e87-9c70-2e4c204d7a49";
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/13A0-D756";
    fsType = "vfat";
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-uuid/d73dd71d-9f0f-4c49-8267-9ad7e3f01ff1";
    fsType = "ext4";
  };
  #fileSystems."/removable" =
  #  {
  #    device = "/dev/disk/by-uuid/081de08c-b080-4a05-9915-235caae193e7";
  #    fsType = "ext4";
  #  };
  fileSystems."/share" = {
    device = "none";
    fsType = "tmpfs";
  };
  fileSystems."/browsers" = {
    device = "none";
    fsType = "tmpfs";
  };
  swapDevices = [ ];
  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/cream/network-tinc.nix
+++ b/machines/cream/network-tinc.nix
@ -0,0 +1,10 @@
 { config, ... }:
 {
  tinc.private.enable = true;
  tinc.private.ipv4 = "10.23.42.27";
  #tinc.secret.enable = true;
  #tinc.secret.ipv4 = "10.123.42.27";
 }
--- a/machines/cream/network-tinc_retiolum.nix
+++ b/machines/cream/network-tinc_retiolum.nix
@ -0,0 +1,29 @@
 { config, factsGenerator, ... }:
 {
  clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
  networking.retiolum.port = 720;
  networking.retiolum.nodename = "sol";
  services.tinc.networks.retiolum = {
    ed25519PrivateKeyFile =
      config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
    rsaPrivateKeyFile =
      config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
  };
  #fileSystems."/retiolum/sicily" = {
  #  device = "//sicily.r/tonne";
  #  fsType = "cifs";
  #  options = [
  #    "guest"
  #    "nofail"
  #    "noauto"
  #    "ro"
  #    "rsize=16777216"
  #    "cache=loose"
  #    "x-systemd.after=network.target"
  #  ];
  #};
 }
--- a/machines/cream/network-wireguard-wg0.nix
+++ b/machines/cream/network-wireguard-wg0.nix
@ -0,0 +1,38 @@
 {
  config,
  factsGenerator,
  clanLib,
  ...
 }:
 {
  networking.firewall.allowedUDPPorts = [ 51820 ];
  clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
  clan.core.facts.services.wireguard_ip = factsGenerator.public {
    "wireguard.wg0.cidr" = "10.100.0.6/32";
    "wireguard.wg0.ip" = "10.100.0.6";
  };
  # Enable WireGuard
  networking.wg-quick.interfaces = {
    # Hub and Spoke Setup
    # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
    wg0 = {
      address = [
        config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
      ];
      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
      privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
      mtu = 1280;
      peers = [
        {
          publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
          allowedIPs = [
            (clanLib.readFact "wireguard.wg0.cidr" "orbi")
          ];
          endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
        }
      ];
    };
  };
 }
--- a/machines/cream/network-wireguard-wg1.nix
+++ b/machines/cream/network-wireguard-wg1.nix
@ -0,0 +1,27 @@
 { pkgs, config, ... }:
 {
  clan.core.facts.services.wg1 = {
    secret."wg1.conf" = { };
    generator = {
      # I download the config from my fritz.box
      # cat wg_config.conf | pass insert -m machiens/<name>/wg1.conf
      prompt = "please enter the wg1.conf";
      path = with pkgs; [ coreutils ];
      script = ''
        echo "$prompt_value" > "$secrets"/wg1.conf
      '';
    };
  };
  home-manager.users.root.home.packages = [
    (pkgs.writers.writeBashBin "wg1-up" ''
      ${pkgs.wireguard-tools}/bin/wg-quick up ${
        config.clan.core.facts.services.wg1.secret."wg1.conf".path
      }
    '')
    (pkgs.writers.writeBashBin "wg1-down" ''
      ${pkgs.wireguard-tools}/bin/wg-quick up ${
        config.clan.core.facts.services.wg1.secret."wg1.conf".path
      }
    '')
  ];
 }
--- a/machines/cream/proxy.nix
+++ b/machines/cream/proxy.nix
@ -0,0 +1,69 @@
 { config, lib, ... }:
 let
  domain = "awesome.cache";
 in
 {
  networking.extraHosts = ''
    127.0.0.1 ${domain}
  '';
  services.nginx = {
    enable = true;
    proxyCachePath.nixos = {
      enable = true;
      inactive = "365d";
      keysZoneSize = "100m";
      keysZoneName = "nixos";
    };
    virtualHosts = {
      ${domain} = {
        extraConfig = ''
          proxy_cache nixos;
          proxy_ignore_headers "Set-Cookie";
          proxy_hide_header "Set-Cookie";
          proxy_buffering on;
        '';
        locations."/" = {
          recommendedProxySettings = false;
          proxyPass = "https://cache.nixos.org";
          extraConfig = ''
            proxy_set_header Host "cache.nixos.org";
          '';
        };
      };
    };
  };
  # most likely not needed
  systemd.services.nginx.serviceConfig = {
    RestrictNamespaces = lib.mkForce false;
    ProtectSystem = lib.mkForce false;
    ProtectControlGroups = lib.mkForce false;
    ProtectHome = lib.mkForce false;
    ProtectHostname = lib.mkForce false;
    ProtectKernelLogs = lib.mkForce false;
    ProtectKernelModules = lib.mkForce false;
    ProtectKernelTunables = lib.mkForce false;
    PrivateDevices = lib.mkForce false;
    PrivateMounts = lib.mkForce false;
    PrivateTmp = lib.mkForce false;
    MemoryDenyWriteExecute = lib.mkForce false;
    NoNewPrivileges = lib.mkForce false;
    ProtectProc = lib.mkForce "default";
    RestrictRealtime = lib.mkForce false;
    RestrictSUIDSGID = lib.mkForce false;
  };
  #services.permown."/data" = {
  #  owner = "nginx";
  #};
  #systemd.services."permown./data" = {
  #  bindsTo = [ "nginx.service" ];
  #  after = [ "nginx.service" ];
  #};
 }
--- a/machines/cream/syncthing.nix
+++ b/machines/cream/syncthing.nix
@ -0,0 +1,63 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 {
  services.syncthing = {
    enable = true;
    openDefaultPorts = false;
    user = "palo";
    group = "users";
    dataDir = "/home/palo/.syncthing";
    configDir = "/home/palo/.syncthing";
    overrideFolders = true;
    settings.folders = {
      oscar_cpap = {
        enable = true;
        path = "/home/palo/Documents/OSCAR_Data";
      };
      password-store = {
        enable = true;
        path = "/home/palo/.password-store";
      };
      logseq = {
        enable = true;
        path = "/home/palo/logseq";
      };
      art = {
        enable = true;
        path = "/home/palo/art";
      };
      desktop = {
        enable = true;
        path = "/home/palo/desktop";
      };
      finance = {
        enable = true;
        path = "/home/palo/finance";
      };
      share = {
        enable = true;
        path = "/home/palo/share";
        type = "sendonly";
      };
      books = {
        enable = true;
        path = "/home/palo/books";
      };
    };
  };
  services.permown."/home/palo/music-library" = {
    owner = "palo";
    group = "users";
  };
  services.permown."/home/palo/finance" = {
    owner = "palo";
    group = "syncthing";
  };
 }
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg root@cherry`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPz1SRSthwDEmXZXcBMi0FZhqgZxF7i1lDcGT534Gy7 nixbld@cherry`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArokGctZ2VLf92FhfE8pHzkx/bjz0/J1QjeaGgDSj1s ingolf.wagner@jobrad.org`
		`@ -0,0 +1 @@`
							`VQSHJ6K-MUWCTPJ-LJINXBP-7O244YK-TIY3D5B-T6PU7BY-2NPWPXI-HO2Q5Q6`
		`@ -0,0 +1 @@`
							`u0HcEa3lGDxqGqrot+9AtrqQNqNzOtCv/PDuuZqB9Ek=`