fix(ninurta): remove unused postresql backup

fix(admin): set shell always from admins.nix
chore: fix formatting and add treefmt
2025-07-26 21:22:08 +02:00 · 2025-07-26 21:21:46 +02:00 · 2025-07-26 20:56:40 +02:00 · 2025-07-26 20:23:08 +02:00 · 2025-07-26 20:23:08 +02:00 · 2025-07-26 18:28:19 +02:00
51 changed files with 728 additions and 149 deletions
--- a/.envrc
+++ b/.envrc
@ -1,3 +1,5 @@
+#!/bin/sh
+
 watch_file devshell.nix

 use flake
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -4,4 +4,4 @@ updates:
    directory: "/"
    schedule:
      interval: "weekly"
-    assignees: [ "dadada" ]
+    assignees: ["dadada"]
--- a/.github/workflows/nix-flake-check.yml
+++ b/.github/workflows/nix-flake-check.yml
@ -1,26 +1,24 @@
 name: Continuous Integration
-
 on:
  pull_request:
  push:
    branches: [main]
-
 jobs:
  checks:
    name: "Checks"
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
-    - uses: cachix/install-nix-action@v26
-      with:
-        nix_path: nixpkgs=channel:nixos-stable
-        extra_nix_config: |
-          experimental-features = nix-command flakes
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
-          system-features = nixos-test benchmark big-parallel kvm
-    - uses: cachix/cachix-action@v14
-      with:
-        name: dadada
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-    - run: nix flake check
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v26
+        with:
+          nix_path: nixpkgs=channel:nixos-stable
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+            system-features = nixos-test benchmark big-parallel kvm
+      - uses: cachix/cachix-action@v14
+        with:
+          name: dadada
+          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - run: nix flake check
--- a/.github/workflows/nix-flake-update.yml
+++ b/.github/workflows/nix-flake-update.yml
@ -3,7 +3,6 @@ on:
  workflow_dispatch: # allows manual triggering
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
-
 jobs:
  lockfile:
    runs-on: ubuntu-latest
@ -16,6 +15,6 @@ jobs:
        uses: DeterminateSystems/update-flake-lock@v21
        with:
          pr-title: "Update flake.lock" # Title of PR to be created
-          pr-labels: |                  # Labels to be set on the PR
+          pr-labels: | # Labels to be set on the PR
            dependencies
            automated
--- a/devshell.nix
+++ b/devshell.nix
@ -24,7 +24,7 @@
      name = "format";
      help = "Format the project";
      command = ''
-        nixpkgs-fmt .
+        treefmt .
      '';
      category = "dev";
    }
--- a/flake.lock
+++ b/flake.lock
@ -25,6 +25,21 @@
        "type": "github"
      }
    },
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@ -67,6 +82,63 @@
        "type": "github"
      }
    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1753140376,
+        "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
    "flake-registry": {
      "flake": false,
      "locked": {
@ -103,6 +175,28 @@
        "type": "github"
      }
    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -110,11 +204,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752286566,
-        "narHash": "sha256-A4nftqiNz2bNihz0bKY94Hq/6ydR6UQOcGioeL7iymY=",
+        "lastModified": 1753470191,
+        "narHash": "sha256-hOUWU5L62G9sm8NxdiLWlLIJZz9H52VuFiDllHdwmVA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "392ddb642abec771d63688c49fa7bcbb9d2a5717",
+        "rev": "a1817d1c0e5eabe7dfdfe4caa46c94d9d8f3fdb6",
        "type": "github"
      },
      "original": {
@ -137,6 +231,32 @@
        "url": "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz"
      }
    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "nixlib": {
      "locked": {
        "lastModified": 1736643958,
@ -175,11 +295,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1752048960,
-        "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=",
+        "lastModified": 1753122741,
+        "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806",
+        "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22",
        "type": "github"
      },
      "original": {
@ -191,11 +311,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1751984180,
-        "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=",
+        "lastModified": 1753429684,
+        "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0",
+        "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d",
        "type": "github"
      },
      "original": {
@ -207,11 +327,11 @@
    },
    "nixpkgs-small": {
      "locked": {
-        "lastModified": 1752298176,
-        "narHash": "sha256-wY7/8k5mJbljXxBUX1bDHFVUcMrWdrDT8FNDrcPwLbA=",
+        "lastModified": 1753505055,
+        "narHash": "sha256-jQKnNATDGDeuIeUf7r0yHnmirfYkYPHeF0N2Lv8rjPE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d3807bc34e7d086b4754e1c842505570e23f9d01",
+        "rev": "7be0239edbf0783ff959f94f9728db414be73002",
        "type": "github"
      },
      "original": {
@ -221,14 +341,59 @@
        "type": "github"
      }
    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "devshell": "devshell",
+        "disko": "disko",
        "flake-registry": "flake-registry",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "homepage": "homepage",
+        "lanzaboote": "lanzaboote",
        "nixos-generators": "nixos-generators",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
@ -237,6 +402,27 @@
        "treefmt-nix": "treefmt-nix"
      }
    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@ -274,11 +460,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752055615,
-        "narHash": "sha256-19m7P4O/Aw/6+CzncWMAJu89JaKeMh3aMle1CNQSIwM=",
+        "lastModified": 1753439394,
+        "narHash": "sha256-Bv9h1AJegLI8uAhiJ1sZ4XAndYxhgf38tMgCQwiEpmc=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "c9d477b5d5bd7f26adddd3f96cfd6a904768d4f9",
+        "rev": "2673921c03d6e75fdf4aa93e025772608d1482cf",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -4,6 +4,10 @@
  inputs = {
    nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    flake-utils = {
      url = "github:numtide/flake-utils";
      inputs.systems.follows = "systems";
@ -12,6 +16,10 @@
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    homepage = {
      url = "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz";
--- a/home/modules/zsh.nix
+++ b/home/modules/zsh.nix
@ -34,7 +34,7 @@ in
      };
      plugins = [
      ];
-      initExtra = ''
+      initContent = ''
        source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh
        source ${pkgs.fzf}/share/fzf/key-bindings.zsh
        source ${pkgs.fzf}/share/fzf/completion.zsh
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@ -1,8 +1,10 @@
 {
  self,
  agenix,
+  disko,
  home-manager,
  homepage,
+  lanzaboote,
  nixos-hardware,
  nixos-generators,
  nixpkgs,
@ -19,18 +21,51 @@ let
    nixpkgs.lib.nixosSystem {
      inherit system;

-      modules =
-        [
-          {
-            nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
-          }
-        ]
-        ++ (nixpkgs.lib.attrValues self.nixosModules)
-        ++ [ agenix.nixosModules.age ]
-        ++ extraModules;
+      modules = [
+        {
+          nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
+        }
+      ]
+      ++ (nixpkgs.lib.attrValues self.nixosModules)
+      ++ [ agenix.nixosModules.age ]
+      ++ extraModules;
    };
 in
 {
+  stolas =
+    let
+      system = "x86_64-linux";
+    in
+    nixosSystem {
+      inherit nixpkgs system;
+
+      extraModules = [
+        lanzaboote.nixosModules.lanzaboote
+        disko.nixosModules.disko
+        {
+          nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
+          dadada.pkgs = self.packages.${system};
+          dadada.inputs = inputs // {
+            dadada = self;
+          };
+        }
+        nixos-hardware.nixosModules.framework-amd-ai-300-series
+        home-manager.nixosModules.home-manager
+        (
+          { pkgs, ... }:
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [
+              { dadada.home.helix.package = pkgs.helix; }
+            ];
+            home-manager.users.dadada = import ../home;
+          }
+        )
+        ./stolas
+      ];
+    };
+
  gorgon =
    let
      system = "x86_64-linux";
@ -46,12 +81,10 @@ in
            dadada = self;
          };
        }
-
        nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
-
        home-manager.nixosModules.home-manager
        (
-          { pkgs, lib, ... }:
+          { pkgs, ... }:
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
--- a/nixos/gorgon/configuration.nix
+++ b/nixos/gorgon/configuration.nix
@ -5,6 +5,7 @@
  ...
 }:
 let
+  secretsPath = config.dadada.secrets.path;
  xilinxJtag = pkgs.writeTextFile {
    name = "xilinx-jtag";
    text = ''
@ -43,6 +44,13 @@ in
    sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
    repo = "u355513-sub1@u355513-sub1.your-storagebox.de:/home/backup";
  };
+  dadada.backupClient.gs = {
+    enable = true;
+    passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path;
+  };
+
+  age.secrets."${config.networking.hostName}-backup-passphrase-gs".file =
+    "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age";

  nixpkgs.config.android_sdk.accept_license = true;

--- a/nixos/modules/admin.nix
+++ b/nixos/modules/admin.nix
@ -93,12 +93,12 @@ in

    services.sshd.enable = true;
    services.openssh.settings.PasswordAuthentication = false;
-    security.sudo.wheelNeedsPassword = false;
+    security.sudo.wheelNeedsPassword = lib.mkDefault false;
    services.openssh.openFirewall = true;

    users.users = mapAttrs (user: keys: {
      shell = shells."${keys.shell}";
-      extraGroups = extraGroups;
+      extraGroups = lib.mkDefault extraGroups;
      isNormalUser = true;
      openssh.authorizedKeys.keys = keys.keys;
    }) cfg.users;
--- a/nixos/modules/borg-server.nix
+++ b/nixos/modules/borg-server.nix
@ -39,6 +39,14 @@ in
        path = "${cfg.path}/gorgon";
        quota = "1T";
      };
+      "stolas" = {
+        allowSubRepos = false;
+        authorizedKeysAppendOnly = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC/mVYd3o7oA0dsA58CgkqR40CSfeuU+rikleSrSXFz dadada@gorgon"
+        ];
+        path = "${cfg.path}/stolas";
+        quota = "1T";
+      };
      "surgat" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@ -13,8 +13,8 @@ in
    ./upgrade-pg-cluster.nix
  ];

-  boot.tmp.useTmpfs = true;
-  boot.tmp.tmpfsSize = "50%";
+  boot.tmp.useTmpfs = lib.mkDefault true;
+  boot.tmp.tmpfsSize = lib.mkDefault "50%";

  i18n.defaultLocale = mkDefault "en_US.UTF-8";
  console = mkDefault {
--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@ -5,7 +5,6 @@
 }:
 let
  inputs = config.dadada.inputs;
-  secretsPath = config.dadada.secrets.path;
 in
 with lib;
 {
@ -26,7 +25,7 @@ with lib;

  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

-  users.mutableUsers = mkDefault true;
+  users.mutableUsers = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = mkDefault true;
@ -48,13 +47,6 @@ with lib;
    alsa.support32Bit = true;
    pulse.enable = true;
  };
-  hardware.pulseaudio.enable = false;
-
-  dadada.backupClient.gs = {
-    enable = true;
-    passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path;
-  };
-
-  age.secrets."${config.networking.hostName}-backup-passphrase-gs".file =
-    "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age";
+  services.pulseaudio.enable = false;
+  security.sudo.wheelNeedsPassword = true;
 }
--- a/nixos/ninurta/configuration.nix
+++ b/nixos/ninurta/configuration.nix
@ -149,13 +149,6 @@ in
    startAt = "daily";
  };

-  services.postgresqlBackup = {
-    enable = true;
-    backupAll = true;
-    compression = "zstd";
-    location = "/var/backup/postgresql";
-  };
-
  age.secrets."ninurta-backup-passphrase" = {
    file = "${secretsPath}/ninurta-backup-passphrase.age";
    mode = "400";
@ -237,33 +230,38 @@ in

  services.snapper = {
    cleanupInterval = "1d";
-    snapshotInterval = "hourly";
+    snapshotInterval = "daily";
    configs.home = {
      SUBVOLUME = "/home";
      TIMELINE_CREATE = true;
      TIMELINE_CLEANUP = true;
-      TIMELINE_LIMIT_HOURLY = "24";
-      TIMELINE_LIMIT_DAILY = "13";
-      TIMELINE_LIMIT_WEEKLY = "6";
-      TIMELINE_LIMIT_MONTHLY = "3";
+      TIMELINE_MIN_AGE = "1800";
+      TIMELINE_LIMIT_HOURLY = "5";
+      TIMELINE_LIMIT_DAILY = "7";
+      TIMELINE_LIMIT_WEEKLY = "0";
+      TIMELINE_LIMIT_MONTHLY = "0";
+      TIMELINE_LIMIT_YEARLY = "0";
    };
    configs.var = {
      SUBVOLUME = "/var";
      TIMELINE_CREATE = true;
      TIMELINE_CLEANUP = true;
-      TIMELINE_LIMIT_HOURLY = "24";
-      TIMELINE_LIMIT_DAILY = "13";
-      TIMELINE_LIMIT_WEEKLY = "6";
-      TIMELINE_LIMIT_MONTHLY = "3";
+      TIMELINE_MIN_AGE = "1800";
+      TIMELINE_LIMIT_HOURLY = "5";
+      TIMELINE_LIMIT_DAILY = "7";
+      TIMELINE_LIMIT_WEEKLY = "0";
+      TIMELINE_LIMIT_MONTHLY = "0";
+      TIMELINE_LIMIT_YEARLY = "0";
    };
    configs.storage = {
      SUBVOLUME = "/mnt/storage";
      TIMELINE_CREATE = true;
      TIMELINE_CLEANUP = true;
-      TIMELINE_LIMIT_HOURLY = "24";
-      TIMELINE_LIMIT_DAILY = "13";
-      TIMELINE_LIMIT_WEEKLY = "6";
-      TIMELINE_LIMIT_MONTHLY = "3";
+      TIMELINE_LIMIT_HOURLY = "10";
+      TIMELINE_LIMIT_DAILY = "10";
+      TIMELINE_LIMIT_WEEKLY = "10";
+      TIMELINE_LIMIT_MONTHLY = "10";
+      TIMELINE_LIMIT_YEARLY = "10";
    };
  };

--- a/nixos/stolas/default.nix
+++ b/nixos/stolas/default.nix
@ -0,0 +1,224 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+
+  imports = [
+    ../modules/profiles/laptop.nix
+    ./disks.nix
+    ./paperless.nix
+  ];
+
+  nixpkgs = {
+    hostPlatform = "x86_64-linux";
+    config.allowUnfree = true;
+  };
+
+  boot = {
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];
+    # Lanzaboote currently replaces the systemd-boot module.
+    # This setting is usually set to true in configuration.nix
+    # generated at installation time. So we force it to false
+    # for now.
+    loader.systemd-boot.enable = lib.mkForce false;
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "thunderbolt"
+        "usb_storage"
+        "sd_mod"
+      ];
+      # Ensure that TPM module is loaded
+      kernelModules = [ "tpm" ];
+    };
+  };
+
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+
+  hardware = {
+    # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features
+    bluetooth.enable = true;
+    cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    enableAllFirmware = true;
+    framework.laptop13.audioEnhancement.enable = true;
+    graphics = {
+      enable = true;
+      extraPackages = with pkgs; [
+        vaapiVdpau
+        libvdpau-va-gl
+      ];
+    };
+  };
+
+  powerManagement = {
+    enable = true;
+    cpuFreqGovernor = "schedutil";
+    # TODO: Limit charge of battery, does this work without kernel patches from hardware.frameworkenableKmod?
+    powerUpCommands = ''
+      echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold
+    '';
+  };
+
+  networking = {
+    hostName = "stolas";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22000 # Syncthing
+      ];
+      allowedUDPPorts = [
+        21027 # Syncthing
+      ];
+    };
+  };
+
+  nix = {
+    settings.max-jobs = lib.mkDefault 16;
+  };
+
+  dadada = {
+    admin.enable = true;
+    backupClient.gs.enable = false;
+    backupClient.backup1.enable = true;
+    backupClient.backup2 = {
+      enable = true;
+      repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup";
+    };
+  };
+
+  programs = {
+    adb.enable = true;
+    firefox = {
+      enable = true;
+      package = pkgs.firefox-wayland;
+    };
+    gnupg.agent.enable = true;
+    ssh.startAgent = true;
+    wireshark.enable = true;
+  };
+
+  services = {
+    avahi.enable = true;
+    desktopManager.plasma6.enable = true;
+    displayManager = {
+      sddm.enable = true;
+      sddm.wayland.enable = true;
+    };
+    gnome.gnome-keyring.enable = lib.mkForce false;
+    smartd.enable = true;
+    printing = {
+      enable = true;
+      browsing = true;
+    };
+    tlp.enable = false;
+    snapper = {
+      cleanupInterval = "1d";
+      snapshotInterval = "hourly";
+      configs = {
+        home = {
+          SUBVOLUME = "/home/dadada";
+          ALLOW_USERS = [ "dadada" ];
+          TIMELINE_CREATE = true;
+          TIMELINE_CLEANUP = true;
+          TIMELINE_MIN_AGE = "1800";
+          TIMELINE_LIMIT_HOURLY = "5";
+          TIMELINE_LIMIT_DAILY = "7";
+          TIMELINE_LIMIT_WEEKLY = "0";
+          TIMELINE_LIMIT_MONTHLY = "0";
+          TIMELINE_LIMIT_YEARLY = "0";
+        };
+        var = {
+          SUBVOLUME = "/var";
+          TIMELINE_CREATE = true;
+          TIMELINE_CLEANUP = true;
+          TIMELINE_MIN_AGE = "1800";
+          TIMELINE_LIMIT_HOURLY = "5";
+          TIMELINE_LIMIT_DAILY = "7";
+          TIMELINE_LIMIT_WEEKLY = "0";
+          TIMELINE_LIMIT_MONTHLY = "0";
+          TIMELINE_LIMIT_YEARLY = "0";
+        };
+        paperless = {
+          SUBVOLUME = "/var/lib/paperless";
+          TIMELINE_CREATE = true;
+          TIMELINE_CLEANUP = true;
+          TIMELINE_MIN_AGE = "3600";
+          TIMELINE_LIMIT_HOURLY = "10";
+          TIMELINE_LIMIT_DAILY = "10";
+          TIMELINE_LIMIT_WEEKLY = "10";
+          TIMELINE_LIMIT_MONTHLY = "10";
+          TIMELINE_LIMIT_YEARLY = "10";
+        };
+      };
+    };
+  };
+
+  system = {
+    stateVersion = "25.05";
+  };
+
+  systemd.services = {
+    modem-manager.enable = lib.mkForce false;
+    "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;
+  };
+
+  systemd.sleep.extraConfig = ''
+    HibernateDelaySec=1h
+  '';
+
+  systemd.tmpfiles.rules = [
+    "v /var/.snapshots 0755 root root - -"
+    "v /var/paperless/.snapshots 0755 root root - -"
+    "v /home/dadada/.snapshots 0755 root root - -"
+  ];
+
+  virtualisation.libvirtd.enable = true;
+
+  users = {
+    users = {
+      dadada = {
+        initialHashedPassword = "$y$j9T$43qGBeY6hg6AXQmcVkS131$6AeRDOe6XAnmgA/AkJGaSIYTj5dbQLd9vrQ7zSyi5TA";
+        isNormalUser = true;
+        extraGroups = [
+          "wheel"
+          "networkmanager"
+          "libvirtd"
+          "adbusers"
+          "kvm"
+          "video"
+          "scanner"
+          "lp"
+          "docker"
+          "dialout"
+          "wireshark"
+          "paperless"
+        ];
+        shell = "/run/current-system/sw/bin/zsh";
+      };
+    };
+  };
+
+  # TODO
+  # age.secrets = {
+  #   paperless = {
+  #     file = "${config.dadada.secrets.path}/paperless.age";
+  #     mode = "700";
+  #     owner = "paperless";
+  #   };
+  # };
+
+  # Create compressing swap space in RAM
+  zramSwap.enable = true;
+}
--- a/nixos/stolas/disks.nix
+++ b/nixos/stolas/disks.nix
@ -0,0 +1,100 @@
+{
+  disko.devices = {
+    nodev."/nix/var/nix/builds" = {
+      fsType = "tmpfs";
+      mountOptions = [
+        "size=80%"
+        "defaults"
+        "mode=755"
+      ];
+    };
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                settings = {
+                  allowDiscards = true;
+                  crypttabExtraOpts = [
+                    "tpm2-device=auto"
+                    "tpm2-pin=true"
+                  ];
+                };
+                #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  subvolumes = {
+                    "/root" = {
+                      mountpoint = "/";
+                      mountOptions = [
+                        "compress=zstd"
+                        "relatime"
+                      ];
+                    };
+                    "/home" = {
+                      mountpoint = "/home";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "/dadada" = {
+                      mountpoint = "/home/dadada";
+                      mountOptions = [
+                        "compress=zstd"
+                        "relatime"
+                      ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "/var" = {
+                      mountpoint = "/var";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "/paperless" = {
+                      mountpoint = "/var/lib/paperless";
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    };
+                    "/swap" = {
+                      mountpoint = "/.swapvol";
+                      swap.swapfile.size = "64G";
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/nixos/stolas/paperless.nix
+++ b/nixos/stolas/paperless.nix
@ -0,0 +1,28 @@
+{ config, ... }:
+{
+  services.paperless = {
+    # TODO migrate DB
+    enable = true;
+    passwordFile = config.age.secrets.paperless.path;
+  };
+  systemd.tmpfiles.rules =
+    let
+      cfg = config.services.paperless;
+    in
+    [
+      (
+        if cfg.consumptionDirIsPublic then
+          "d '${cfg.consumptionDir}' 777 - - - -"
+        else
+          "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+      )
+    ];
+
+  age.secrets = {
+    paperless = {
+      file = "${config.dadada.secrets.path}/paperless.age";
+      mode = "700";
+      owner = "paperless";
+    };
+  };
+}
--- a/outputs.nix
+++ b/outputs.nix
@ -5,12 +5,14 @@
  nixpkgs,
  agenix,
  devshell,
+  treefmt-nix,
  ...
 }@inputs:
 (flake-utils.lib.eachDefaultSystem (
  system:
  let
    pkgs = import nixpkgs { inherit system; };
+    treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
  in
  {
    devShells.default =
@ -26,7 +28,7 @@
      in
      import ./devshell.nix { inherit pkgs extraModules; };

-    formatter = pkgs.nixfmt-tree;
+    formatter = treefmtEval.config.build.wrapper;

    packages = import ./pkgs { inherit pkgs; } // {
      installer-iso = self.nixosConfigurations.installer.config.system.build.isoImage;
@ -34,7 +36,6 @@
  }
 ))
 // {
-
  hmModules = import ./home/modules.nix { lib = nixpkgs.lib; };

  nixosConfigurations = import ./nixos/configurations.nix inputs;
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -1,3 +1,4 @@
-{ pkgs }: {
-  citizen-cups = pkgs.callPackage ./citizen-cups.nix {};
+{ pkgs }:
+{
+  citizen-cups = pkgs.callPackage ./citizen-cups.nix { };
 }
--- a/secrets/agares-backup-passphrase.age
+++ b/secrets/agares-backup-passphrase.age
@ -1,10 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 L7f05w RayKtknLNvFu88aFp4QL7ZMLAh5VmHmlr1DWVsWBziE
-rckeFrazZJ3TxY/yD2wlzRVLh9L4x1bV2Nk7Q0S/RWM
-> ssh-ed25519 Otklkw oub7OICQalIkCqAZh4/FfXB9PPBe7j2IpBP7WF/UXGk
-gAwxU97b0Js6UPv59/1389/qdPGQb4koa49R14c3UjA
-> mU.rG&?F-grease V? d a}mj5 ^&dc?\
-B0k6BjXmH0cm74+rjQrzJwKa1dcFwTdmlgltZ70oHctwA3+E4/CQ1ChH9UHzkHGG
-Fb62klB5XYePywsvxLo2nIGVIvhBgsfIvUpq
--- ONLpuXfKtuCB+VD5IQ5KeSPyqgEb4a2y26+n5E8Ph3E
-uîD{<7B>¨ríÚ˜¡°†RÊ9õP¦
j?hDÃ<™ØOÓœÝáè>
‡Ä-Œu¹áý#…Fñ2N+Ysò\ õ
+-> ssh-ed25519 L7f05w Sof4o2JYLqx59paPpBJWFek1IwCHb4VhuOcPpBkut20
+QNsXS0H2z5NCnKcDuxDVvY+AnTV27/Ijeo/kd12nkoQ
+-> ssh-ed25519 Otklkw WZt99A5jBrb7MNqzpCuGiJ8wJ/NxZrJE5Q02hvcVEVo
+yYlAifPMGC01CGpke5ABasi/sJ8O4r3+5SyoVpbpmM4
+--- vIe/LRs2QxPpZJUrdOFuTBNanHcMyzh7iAFRalWd2dU
+„ü+Ó]§¨GHuU³îÊˆƒQ&3'š¦Eãg—…ƒžÜƒ©âçZÂ‘Š\~¼»ûež)Þ1º£½ý×»Œy§ÚÈa
--- a/secrets/agares-backup-ssh-key.age
+++ b/secrets/agares-backup-ssh-key.age
--- a/secrets/agares-wg0-key.age
+++ b/secrets/agares-wg0-key.age
@ -1,10 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 L7f05w ENcdsQ43v/xIe1Ej4BYjb/nTjIk76N2DR/zj754Puz0
-vIDFk+A/m8rOnBNXcvfBX4SJNxT6LP64s674v5pJtcQ
-> ssh-ed25519 Otklkw lLwVf/2E67Bue+VBu+EMupLjuv6wfR656CD1st71GRM
-AsXHvpANM0mOiSW3LTqzbEneVQSKNb0TvsMY2WCPfbk
-> DJZq-grease 9))O09 z2-
-ZFxd5v9Bma6VVIvpw8VK0DSR55lHUNOTh6cNxFJAezXn1apmjvuZPdMSXZ7OrE23
-qlqnskWvo+SX3JF7NH0yQf53dZJU
--- pSa5IqZmIDAHJkcPgqrS0WUwnD1ipE2pGr87qhTmrjk
-Ű(E<>/—P(<28>©Ő|JĄ€řŞëŘ‘éŇ‹<C587>zń`JOÁ2“ŚÔ–‚Űńd3qÁ±¤‡OÚ!”8ňůHN3\°ĹŹę‘iš
+-> ssh-ed25519 L7f05w Nj0zjzK+5vf4YfUxLPNcBBY4ZC57tH9+rEVCv/ycNWo
+5Sk99vaYclDFwTnVKB6IOcTVYJ3SGTuLVJxyjb1W4tM
+-> ssh-ed25519 Otklkw ogKGpgcz0Gekw7p4LnmIKU2CEdhlkjypRGVZmFda8TI
+nkOU/yc7F5BCBRakevYDXyD8akGqYwD67C+9VDxUgyE
+--- zuz8UjdxI+CbMr33Z4P5ga1UoRe+oDXzVWgFUhUH1qE
+b#òs‡ÇPàDFúú%¨‹Ó|åUùŠ›áleæ<65>9f_üUçZ5œoÖeeK}M`a›Mª!ü5<C3BC><35>R@j}ãéÓ~æ°3ZÍÒ¾Í’\
--- a/secrets/ddns-credentials.age
+++ b/secrets/ddns-credentials.age
--- a/secrets/etc-ppp-chap-secrets.age
+++ b/secrets/etc-ppp-chap-secrets.age
--- a/secrets/etc-ppp-telekom-secret.age
+++ b/secrets/etc-ppp-telekom-secret.age
--- a/secrets/gorgon-backup-passphrase-gs.age
+++ b/secrets/gorgon-backup-passphrase-gs.age
--- a/secrets/gorgon-backup-passphrase.age
+++ b/secrets/gorgon-backup-passphrase.age
--- a/secrets/gorgon-backup-ssh-key.age
+++ b/secrets/gorgon-backup-ssh-key.age
--- a/secrets/hydra-github-authorization.age
+++ b/secrets/hydra-github-authorization.age
--- a/secrets/ifrit-backup-passphrase.age
+++ b/secrets/ifrit-backup-passphrase.age
@ -1,10 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 yMjj5g FtHlFiQa2xr57K9GiS2VX+NYI/2kP73wWXVBsr61cD8
-Gokj4dzQP6AB9YWRBvmXL8/Sts7NO6g6wP1hIYkKdp4
-> ssh-ed25519 Otklkw UB1L2gKr0wnsGktaVlnbr+nSUZQ34g7JO4uuHYhuuyM
-X4AT5taAJBtFia62IUTDa1cdbZtwaxYRQFCDez8aK8k
-> r;DMOG-grease h"Tb e?z^VJ icNa
-/0ZIHqI0whHoBw2Qs15bxY7o1sudscitKuUB3ysyFwUVsIG4nzTOS2GFuXTQ1WuD
-5pH2CQfp33hvqrqV
--- vji5ZWP7+BLgpmyX2Sxgdv7Ht37NvQ8DuY1/t3cvvuI
-]ýËe†£¬¸›‰Þ›³,%‰ qôŸ’âån<C3A5>„AM{D‘ ÆJWæL’‚·<E2809A>G@´œòêž/g‚G´o½ð.VÃ4
+-> ssh-ed25519 yMjj5g pE3otZ4+5k1GxhoU7FocCMvcHZ9PFzTRqRYiVXXq/H4
+aKCBiwVwbfetSTRaTJ31iTRsvNnbm2JYFQnqTOgCyOA
+-> ssh-ed25519 Otklkw jn4ZUyWFIeAt+XpxmlqckovK4/jit6SR+Xaouv7gfTU
+8yJLyWHk1m9KInOWozqRWXi3kiirgQ7c/ONOwgHk/Z8
+--- 8TS+ZFZfHvgcgOYBE3nzSxbCCmCOtqPWyldlegSu6QU
+§…:{	ÀÐ4~ÀNŒt¶XRlïš‡ÁØ
’<16>‹=>$²¼‡8DQ@êGˆ‚ï1Ú÷ å”FAOÑþtÎ«
--- a/secrets/ifrit-backup-ssh-key.age
+++ b/secrets/ifrit-backup-ssh-key.age
--- a/secrets/initrd-surgat-ssh_host_ed25519_key.age
+++ b/secrets/initrd-surgat-ssh_host_ed25519_key.age
--- a/secrets/miniflux-admin-credentials.age
+++ b/secrets/miniflux-admin-credentials.age
@ -1,10 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 jUOjpw Tuaz2+fgz5f2ZacAYc3TdREIurh+XG5RjjKpaEFgtGo
-gB1iaKV+xAv0PGdjZwmBCxMbxgCqZrM2JBDiEWCl//8
-> ssh-ed25519 Otklkw ocyFHtGzclF+7S9I7uSqsfn5weqxj5Wq32y4c6VDiSA
-hDX5Viym/WdFZE5rXzToFhqtGvj+Ft3Hh7oiuzCuG/Q
-> b&-grease 2u ~R j4C 3|h`M}/
-fdhnmlw+wqO8nb86f8jdDNW2P2SxzdwuljpRrlG/ZxXcC4QxtnO6RwK9NAS9UBQr
-OAxJ6v3P+cMYJcsPNLAr90rEzXfTV2VONZgoNwOKN2l5n/JX8aGCt5i/vVI
--- sYjj24oaGUMZPD4TV8JKfjSPHeYOKh+OpueLZT/TxCQ
-›TO&œúDd¬÷C2Æ”ÂËW^Ë»ž€Z¡¬ &b<óvN‚»Žî©Óbµ¡Rÿúß9rŸd<17>àm—ÂÒZ ±Õ}¥Åø¹zÆm‹&m 3^JQC8
+-> ssh-ed25519 jUOjpw 6ThewcuTvg2mn/jC1eqR0KFDXdN8G3JIUBLLiBabkFI
+lstfGPvJgaUOp0jriP2nsi4IvgwRjs8dnRye7+ihD/Q
+-> ssh-ed25519 Otklkw N0ozjfxbOBq7EIvxP4TRa2XyMQ8fINCiHjK0MFq2X0w
+tEeua88G2aN6REaUN6xTlkRLy0GFgNfj7v0VXhqddc4
+--- N9V7UfSDvrOAeOr3MRXiCwIu8JJt3NSL3FrGyPapLrM
+E<EFBFBD>"K?>V¾éÃ„b¦ñXùåþ”àždgð!„”<E2809E>Ñ¹ÁÏ) BØ	ÆßfÒì\=½[2L x‘°Áw<C381>¤Ýæ•ËXH*®òõl…9w¿½€
--- a/secrets/ninurta-backup-passphrase.age
+++ b/secrets/ninurta-backup-passphrase.age
--- a/secrets/ninurta-backup-ssh-key.age
+++ b/secrets/ninurta-backup-ssh-key.age
--- a/secrets/ninurta-initrd-ssh-key.age
+++ b/secrets/ninurta-initrd-ssh-key.age
--- a/secrets/paperless.age
+++ b/secrets/paperless.age
@ -1,9 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 0aOabg 6QT8adxrQxGCx9w6JZPkbCsCM/Vos+D41JoEQ19h0AY
-UaXt2lE7VnhaQ4McdCIGo8kdaYrPyg3ne8MIBCt7NXE
-> ssh-ed25519 Otklkw GJQj739xwoeP9xTLpLrCxANx3/Ebipnr345xKSFLf3w
-xtQBgTYrLzkaWBkx8pi0R+GKa6inKFzFD5tompll3wo
-> )gWM0O-grease i%" tB
-culBBLA5Bt/POa9w
--- Vtxd8HsFnjBl6eXE4UYNoR1Ca/JA9UlK/WE+FNkmPtk
-bVv—<76>ż:±Šah&ŕ4üfNJ¤ˇ2]ČŮ{!%1ýŕąIa\}Xeżx1~_ć˛"šrŰ,Éj:O?ňáşľö5
+-> ssh-ed25519 WJCMDA NDB+Z1hpwH3PWjViCbrRdrt0WCFnsYDBVd1rADCQy2I
+p/QYmC6ZwwlyCNrVhUw1vUNfnNGiw8B/rsqP9EMGJ5E
+-> ssh-ed25519 Otklkw yLMSfitfbXO8qRqaJwKxx68R0AJHsTre0XlN2huudWY
+JYogGtU0LLPcJpN9oWmAQE0Kyk2yhNmxrVgh0JMFphE
+--- pGx08jh8YJCDeEvi7iZa6pXrlwg8otUTkxv0T5gwLcM
+ïË²'t2¦ÍŸÄEí/Ø¿â6@
+Dîfši¦VGO_a\{Žãã}›_~:©ý>ö¨Gä€ÂN÷í@ÚK|
--- a/secrets/pruflas-backup-passphrase.age
+++ b/secrets/pruflas-backup-passphrase.age
--- a/secrets/pruflas-backup-ssh-key.age
+++ b/secrets/pruflas-backup-ssh-key.age
--- a/secrets/pruflas-wg-hydra-key.age
+++ b/secrets/pruflas-wg-hydra-key.age
--- a/secrets/pruflas-wg0-key.age
+++ b/secrets/pruflas-wg0-key.age
@ -1,10 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 J6ROvw R+xnmMAoVmaJi9UMYBSX5CKk21LhI9iIionc6Nh8ZWg
-eR+OpFfB6BIOzOUeeY5IzmXerCCiqOYS9ZAGIb0UAS0
-> ssh-ed25519 Otklkw HYpIGulRkcfpKhSdb1mF/hbBHiXCUzYR6/b0KspgHTU
-1HAtdynQZ10AVgGqh4cw3qDqSh6Suum3zYo6/G7qKw4
-> +YMQ-grease
-wyHx9k+fMnxTm1LMDhmmMye/
--- g1F7i8Y0foxjDp6qbBtjhY3A/vyxM2R/zIQJZTG2F5o
-.Ìþ]ÃnéŸå"wjkYd<2Ï{Nš	íN 0òÊÿ©`ÈX³¾¢U”sPxÉV)nš£fO‹g¤µ<Nv
-ðÐÁB5$©¿e<C2BF>g>ä
+-> ssh-ed25519 J6ROvw jC7rwmoizfZqenUwlrMlLRyN9yQnog2X3KIJ2GgRZB8
+yGoiZTNfrPm6+fb1BcZGH6Lzm8Pj4aeyjWtLNYbGSFg
+-> ssh-ed25519 Otklkw a2/N7JOiOY/orGyCogBIj48EjTltThv7AAHuMHK7Xzo
+PTP9vaEpFf7PXoRobHJgAkNVBh+u3+7rUMKiMj+fadQ
+--- KR51LRGHd6jWP4rUWvQqXskwEGfxb0tSCNKtnFT255A
+GùwÆ)HŽƒïkƒþ<C692>«•G¦FÕñ…&eš[›{Rš€åGôñhÉ"´L{ƒã¢\«Á¢{H€~{.»ˆéuW‰•MaZ
--- a/secrets/pruflas-wg0-preshared-key.age
+++ b/secrets/pruflas-wg0-preshared-key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -7,6 +7,7 @@ let
    ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos";
    pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas";
    surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat";
+    stolas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObI38cB8gTDXmDb5GcK4pLm5xM+nnvGeSfEpB4lVEwE root@stolas";
  };
  backupSecrets = hostName: {
    "${hostName}-backup-passphrase.age".publicKeys = [
@ -45,7 +46,8 @@ in
    dadada
  ];
  "paperless.age".publicKeys = [
-    systems.gorgon
+    #systems.gorgon
+    systems.stolas
    dadada
  ];
  "initrd-surgat-ssh_host_ed25519_key.age".publicKeys = [
@ -88,3 +90,4 @@ in
 // backupSecrets "pruflas"
 // backupSecrets "surgat"
 // backupSecrets "agares"
+// backupSecrets "stolas"
--- a/secrets/stolas-backup-passphrase.age
+++ b/secrets/stolas-backup-passphrase.age
--- a/secrets/stolas-backup-ssh-key.age
+++ b/secrets/stolas-backup-ssh-key.age
--- a/secrets/surgat-backup-passphrase.age
+++ b/secrets/surgat-backup-passphrase.age
@ -1,9 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 jUOjpw zb9yidyhlOj2LnVSCjNwq0MBj8Ik7zdT+6vs5k2vdTY
-lxFHzj+mUpW8ogGkfpZZWZRPfMp38Sb2GYojBUrxGB0
-> ssh-ed25519 Otklkw G3tj2S2BM+jmGg5ajD2hTIKAWJMAhuHAT4jpFpu2YmQ
-XDLRUWirSzXQ55HnWdICzICPQDL8pyJC9SnS9ODwhdM
-> v#M-grease
-rEp5i85i+0HA+Rx31HR27NU
--- 2Q+j2Vh/Tbv6NYYg614YL1+yP8hff++2zAuWV7dHDe8
-HôY÷¢¿\ê¥	¬õž˜\;î¶m~q<>oà´—»®z8•5ÁZ‘±<E28098>ÁËÄ«<>ûàÌ¯e9Iû<05>Åaä”<C3A4>éY«
+-> ssh-ed25519 jUOjpw FXHC9VzSKIkbJ9JVge5vsGHiGtxBnxB7Nvqqi4OsRHA
+1zhd0kCd37fXmWtq9kRx1vQvjTT4i5HsQ9DibyGmNUI
+-> ssh-ed25519 Otklkw ZKy9Vbf1W1UpejNy8nh+eGss19XLqJuHL6qJuG1KP20
+t5C0Jw//1vK5iiG3+tJK6bu/SBR7StHRDog9ivlfVAI
+--- 08Q8bBFnJF2TFV62trgPig/VL3RwKN0dyw4PBgg5LDU
+F`ÇÃ³4tÛàÖÙ§áÂûo9õ~}Ù‚›è<E280BA>Á)ñ7#”§“aï“±/§»Wù\‹;ŽlÏ2»–Ð l„
--- a/secrets/surgat-backup-ssh-key.age
+++ b/secrets/surgat-backup-ssh-key.age
--- a/secrets/surgat-ssh_host_ed25519_key.age
+++ b/secrets/surgat-ssh_host_ed25519_key.age
--- a/secrets/wg-privkey-vpn-dadada-li.age
+++ b/secrets/wg-privkey-vpn-dadada-li.age
--- a/treefmt.nix
+++ b/treefmt.nix
@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  projectRootFile = "flake.nix";
+  programs.nixfmt.enable = true;
+  programs.shellcheck.enable = pkgs.hostPlatform.system != "riscv64-linux";
+  programs.shfmt.enable = pkgs.hostPlatform.system != "riscv64-linux";
+  programs.yamlfmt.enable = true;
+}
Author	SHA1	Message	Date
Tim Schubert	76f29fae24	fix(ninurta): remove unused postresql backup Some checks are pending Continuous Integration / Checks (push) Waiting to run Details	2025-07-26 21:22:08 +02:00
Tim Schubert	763d8f4783	fix(admin): set shell always from admins.nix	2025-07-26 21:21:46 +02:00
Tim Schubert	5d55e620da	chore: fix formatting and add treefmt	2025-07-26 20:56:40 +02:00
Tim Schubert	a26418c9c3	fix(ninurta): only run snapshots daily to limit noise	2025-07-26 20:23:08 +02:00
Tim Schubert	66fceb6b15	feat(stolas): add snapper snapshots	2025-07-26 20:23:08 +02:00
Tim Schubert	651ecbc9c4	chore(secrets): rekey	2025-07-26 18:28:19 +02:00
Tim Schubert	8908833eb3	feat(stolas): migrate paperless	2025-07-26 18:24:16 +02:00
Tim Schubert	cfb4b8d160	fix(stolas): wheel needs password to sudo	2025-07-26 18:16:17 +02:00
Tim Schubert	2e8aa80b70	feat(stolas): enable admin module	2025-07-26 16:07:13 +02:00
Tim Schubert	5f9eac5700	chore(flake): update lockfile	2025-07-26 15:45:37 +02:00
Tim Schubert	77cdf773c0	feat(stolas): enable TPM2 LUKS keyslot	2025-07-26 15:24:04 +02:00
Tim Schubert	215f4313bd	fixup: backup secrets	2025-07-21 21:25:30 +02:00
Tim Schubert	a45a48cf17	fix(stolas): comment out paperless secrets config	2025-07-21 21:21:53 +02:00
Tim Schubert	49722f705a	fix(stolas): disable GS location backup	2025-07-21 21:20:12 +02:00
Tim Schubert	ae419eb19a	chore: rekey	2025-07-21 21:15:35 +02:00
Tim Schubert	427b62fe07	fix(stolas): name of dm-crypt container	2025-07-21 21:06:18 +02:00
Tim Schubert	fc2f547919	fix(stolas): allow unfree firmware	2025-07-21 20:07:54 +02:00
Tim Schubert	b8be17a9a9	fix(stolas): enable lanzaboote and additional firmware	2025-07-21 20:05:29 +02:00
Tim Schubert	502d9aa4dc	fix(stolas): add UUID for root luks device to kernel commandline	2025-07-21 18:14:56 +02:00
Tim Schubert	d81761e519	fix(stolas): update hardware config	2025-07-21 17:39:21 +02:00
Tim Schubert	d618890198	feat(stolas): add name of NVME device	2025-07-21 17:22:31 +02:00
Tim Schubert	bdeb5584de	fix: move paperless config to module	2025-07-17 21:47:49 +02:00
Tim Schubert	f602f150ba	feat(stolas): add backup config	2025-07-17 21:41:56 +02:00
Tim Schubert	e58a47af3f	feat(stolas): disko for disk setup	2025-07-13 21:53:43 +02:00
Tim Schubert	0b08beee35	feat(stolas): set initial hashed password	2025-07-13 20:41:06 +02:00
Tim Schubert	0e9b76da48	fix: some deprecations	2025-07-13 20:36:26 +02:00