README.md

@@ -11,12 +11,17 @@ cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configur
 rbw config set email admin@muon.host
 rbw config set base_url https://vault.muon.host
 rbw login
+sudo mkdir -p /mnt/etc/ssh
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key.pub"
+nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key"
 sudo mkdir -p /mnt{,/persist}/var/lib/sops-nix
+sudo chown muon:users /mnt/var/lib/sops-nix -R
 sudo chown muon:users /mnt/persist/var/lib/sops-nix -R
 rbw get sops > /mnt/var/lib/sops-nix/key.txt
 sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt
 sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname)
 sudo cp -r /mnt/var/lib/nixos/* /mnt/persist/var/lib/nixos/
+sudo cp -r /mnt/etc/ssh/ssh_host* /mnt/persist/etc/ssh/
 sudo cp {/mnt,/mnt/persist}/etc/machine-id
 ```
 

flake.lock

@@ -193,11 +193,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753983724,
+        "lastModified": 1753595562,
-        "narHash": "sha256-2vlAOJv4lBrE+P1uOGhZ1symyjXTRdn/mz0tZ6faQcg=",
+        "narHash": "sha256-Ci88mAdtiP5RQkYmVhRUq69iYPMM7/lS9/mw+FnC7DE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7035020a507ed616e2b20c61491ae3eaa8e5462c",
+        "rev": "710771af3d1c8c3f86a9e5d562616973ed5f3f21",
         "type": "github"
       },
       "original": {
@@ -316,11 +316,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1753694789,
+        "lastModified": 1753429684,
-        "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
+        "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
+        "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d",
         "type": "github"
       },
       "original": {
@@ -443,11 +443,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1753978157,
+        "lastModified": 1753553562,
-        "narHash": "sha256-sVy8hb71VawSOIsLv/hMGzpvbbWszdP9aSKI5Drbt6Q=",
+        "narHash": "sha256-CpTwdsrPU3UFy95Btg56RcVMgNpnw3C0DYTznE5aRq4=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "ded4f29a023e0f14506ec16b0e32d129e56341cc",
+        "rev": "af85565aba0f4749cb18b118a7333a0745920950",
         "type": "github"
       },
       "original": {

hosts/muho/configuration.nix

@@ -44,7 +44,6 @@ in {
   mods.server.ntfy.enable = true;
   mods.server.lemmy.enable = true;
   mods.server.audio.enable = true;
-  mods.server.atuin.enable = true;
 
   mods.server.dash.enable = false;
   mods.server.nginx.ports.dash = 3009;

hosts/mups/configuration.nix

@@ -55,11 +55,6 @@ in {
       default = true;
       locations."/" = { proxyPass = "http://localhost:8008"; };
     };
-    "nvr.muon.host" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = { proxyPass = "http://10.0.0.2:8095"; };
-    };
     "tetterodesportcomplex.nl" = {
       enableACME = true;
       forceSSL = true;

hosts/murk/hardware-configuration.nix

@@ -4,15 +4,64 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules =
+    [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
+  fileSystems."/" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=root" ];
+  };
+
+  boot.initrd.luks.devices."crypted".device =
+    "/dev/disk/by-uuid/1ca0c5f6-3cb3-4f86-94a5-4376461da227";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/4BD8-A887";
+    fsType = "vfat";
+    options = [ "fmask=0077" "dmask=0077" ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=home" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=nix" "compress=zstd" "noatime" ];
+  };
+
+  fileSystems."/persist" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=persist" "compress=zstd" "noatime" ];
+    neededForBoot = true;
+  };
+
+  fileSystems."/swap" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=swap" ];
+  };
+
+  fileSystems."/var/log" = {
+    device = "/dev/mapper/crypted";
+    fsType = "btrfs";
+    options = [ "subvol=log" "compress=zstd" "noatime" ];
+    neededForBoot = true;
+  };
+
+  swapDevices = [ ];
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/ports.nix

@@ -18,7 +18,6 @@
       # dash = 3009;
       ntfy = 3010;
       audio = 3011;
-      atuin = 3012;
 
       search = 8081;
       videos = 8082;

modules/home/impermanence.nix

@@ -8,7 +8,7 @@ let
         # fs-diff.sh
         set -euo pipefail
 
-        sudo mkdir -p /btrfs_tmp
+        sudo mkdir /btrfs_tmp
         sudo mount -o subvol=/ /dev/mapper/crypted /btrfs_tmp
 
         OLD_TRANSID=$(sudo btrfs subvolume find-new /btrfs_tmp/root-blank 9999999)

modules/home/sops/default.nix

@@ -6,6 +6,5 @@ in with lib; {
     age.keyFile = "/persist/var/lib/sops-nix/key.txt";
     defaultSopsFile = ./secrets.yaml;
     secrets.zipline-auth = { };
-    secrets.atuin-auth = { };
   };
 }

modules/home/sops/secrets.yaml

@@ -1,6 +1,9 @@
 zipline-auth: ENC[AES256_GCM,data:RkJI6GuH7RzdcSlKn32gMGojjB6rkdDcnNUvsi/BTfJk2slzoktAaJPzQA==,iv:LIiB3tyqXf/D64aIDSo0AyG3imvI6ZE893KBPlYFr28=,tag:wl8spMBwzfvuKA+Y6JnVyQ==,type:str]
-atuin-auth: ENC[AES256_GCM,data:LDkiXWIwxor8Ro383gonJCyqu+nyxS7DrI2J8uo4Cqu2X61rBUlnpNR6YirUZS/lYAnWYJhZM7sR0G7ZNh9EgQ==,iv:UEs2KW8ImMnaQrSLrIGbVXEq86QiVPAPNIXBZpa3jFI=,tag:N0rhnPbasFzkoI3CJ9CV+Q==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
         - recipient: age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
           enc: |
@@ -29,7 +32,8 @@ sops:
             cThxTVpmcEMrcG9Lczd3dkdyQ0paSHMKUfkx9jh7zIqBkUjxaH3dVKvNJG3Mipts
             OjmJ5aVVIR5U8MhgSgECb22mGlOgW8SU/x4gxcWgafZwbv2vbON6OA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-01T11:06:26Z"
+    lastmodified: "2025-01-19T20:01:35Z"
-    mac: ENC[AES256_GCM,data:bcCDmG+460Y+hUYHg6yVl2E6Oyw2MQcHVLp7sfhJDwWAHCwEPeYKlQLp8yumOTyQQxw6uSgj+vso7JmiAsnJvk/v9BIx6SNmfKK+rz9cwIJY1d8Da99Yn7WUVAjXQyWqxNckrELS+CKSsGXl7nr/PKYM1w87Fpbq9F7x4bp/V28=,iv:/XrjK+qaJCPrqoSEZ+hJQa7jvjWgzJQJXRXn+7Y1m8I=,tag:BruzsbUBC61Hzsx/3k8Vcg==,type:str]
+    mac: ENC[AES256_GCM,data:jG/1PmWEk8EMvor/QCEhxDzkRufVWCLdDnsfomVy9hbiOl9ndzCFjvMR2OXkxGsTHl8bGaYJ+DqAjtLvgZZW5l+F6HQmQcene1vNFH3DsrtiQ7TC3Lmov6PBND1XCkj3urwaT3zKoydHIuIdIWyo2/RSxyz8G8mQrn8QrKv5SJw=,iv:PIle2A4sd2hVarMIgYu9/obShMe8NnDbfe9FUL/p8HI=,tag:I/2Bt2L+a8ybJUc6Pv3yZw==,type:str]
+    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.9.2

modules/home/terminal/tools.nix

@@ -29,23 +29,7 @@ in with lib; {
       "htop"
       "vifm"
       "rbw"
-    ]) // {
+    ]);
-      atuin = {
-        enable = true;
-        enableZshIntegration = true;
-        flags = [ "--disable-up-arrow" ];
-        settings = {
-          sync_frequency = "5m";
-          sync_address = "https://atuin.muon.host";
-          key_path = config.sops.secrets.atuin-auth.path;
-          keymap_mode = "vim-insert";
-          keymap_cursor = {
-            vim_insert = "blink-bar";
-            vim_normal = "steady-block";
-          };
-        };
-      };
-    };
 
     home.packages = with pkgs; [
       # libraries

modules/nixos/impermanence.nix

@@ -4,7 +4,7 @@ with lib; {
 
   config = mkIf config.mods.impermanence.enable {
     environment.persistence."/persist" = {
-      directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" ];
+      directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/ssh" ];
       files = [ "/var/lib/sops-nix/key.txt" "/etc/machine-id" ];
     };
 

modules/nixos/server/atuin.nix

@@ -1,24 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  cfg = config.mods.server.atuin;
-  port = config.mods.server.nginx.ports.atuin;
-in with lib; {
-  options.mods.server = {
-    atuin = {
-      enable = mkEnableOption {
-        default = false;
-        description = "enables atuin server";
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.atuin = {
-      inherit port;
-      enable = true;
-      host = "0.0.0.0";
-      openRegistration = true;
-    };
-  };
-}
-

modules/nixos/server/default.nix

@@ -24,6 +24,5 @@
     ./ntfy.nix
     ./lemmy.nix
     ./audio.nix
-    ./atuin.nix
   ];
 }

modules/nixos/server/nvr.nix

@@ -13,9 +13,9 @@ in with lib; {
   };
 
   config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 8095 ];
     services.zoneminder = {
       enable = true;
-      openFirewall = true;
       database = {
         createLocally = true;
         username = "zoneminder";