restructure folder organisation

2025-05-24 09:54:40 +02:00 · 2022-12-05 20:32:39 +01:00 · 2022-12-05 20:32:39 +01:00 · 9cf7be677d
commit 9cf7be677d
parent 599d55fa6a
72 changed files with 95 additions and 98 deletions
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@ -0,0 +1,21 @@
+keys:
+  - &admin_felix age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+  - &thinkman age1spt854cdscqs757a8kazth52rv4p9udh54suw9lpzlqg5savyapq2u0c03
+  - &serverle age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
+  - &newton age1s9spl75rwhgm3cvvqsr9rze5m0kuxqes2tsxjmq07xg5ycn5j47s2m0dlu
+creation_rules:
+  - path_regex: thinkman/secrets.yaml$
+    key_groups:
+      - age:
+        - *admin_felix
+        - *thinkman
+  - path_regex: newton/secrets.yaml$
+    key_groups:
+      - age:
+        - *admin_felix
+        - *newton
+  - path_regex: serverle/secrets.yaml$
+    key_groups:
+      - age:
+        - *admin_felix
+        - *serverle
--- a/machines/configurations.nix
+++ b/machines/configurations.nix
@ -0,0 +1,70 @@
+{ self, ... }:
+let
+  inherit
+    (self.inputs)
+    nixpkgs
+    nixpkgs-unstable
+    sops-nix
+    nixos-hardware
+    passworts
+    ;
+  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+  overlay-unstable = final: prev: {
+    unstable = import nixpkgs-unstable {
+      inherit (final) system;
+      config.allowUnfree = true;
+    };
+  };
+
+  customModules = import ./core/default.nix;
+  baseModules = [
+    # make flake inputs accessiable in NixOS
+    {
+      _module.args.self = self;
+      _module.args.inputs = self.inputs;
+    }
+    {
+      imports = [
+        ({ pkgs, ... }: {
+          nixpkgs.overlays = [
+            overlay-unstable
+            (import ../pkgs)
+          ];
+          nix.nixPath = [
+            "nixpkgs=${pkgs.path}"
+          ];
+          documentation.info.enable = false;
+        })
+        sops-nix.nixosModules.sops
+        passworts.nixosModules.passworts
+      ];
+    }
+    ../modules
+  ];
+  defaultModules = baseModules ++ customModules;
+in
+{
+  flake.nixosConfigurations = {
+    # use your hardware- model from this list: https://github.com/NixOS/nixos-hardware/blob/master/flake.nix
+    thinkman = nixosSystem {
+      system = "x86_64-linux";
+      modules = defaultModules ++ [
+        nixos-hardware.nixosModules.lenovo-thinkpad-t14
+        ./thinkman/configuration.nix
+      ];
+    };
+    newton = nixosSystem {
+      system = "x86_64-linux";
+      modules = defaultModules ++ [
+        ./newton/configuration.nix
+      ];
+    };
+    serverle = nixosSystem {
+      system = "aarch64-linux";
+      modules = defaultModules ++ [
+        nixos-hardware.nixosModules.raspberry-pi-4
+        ./serverle/configuration.nix
+      ];
+    };
+  };
+}
--- a/machines/core/core.nix
+++ b/machines/core/core.nix
@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+{
+  # Packages
+  environment.systemPackages = with pkgs; [
+    bandwhich
+    bind # dig
+    borgbackup
+    cryptsetup
+    file
+    fzf
+    gettext
+    git
+    gitAndTools.delta
+    gnufdisk
+    gptfdisk
+    htop
+    jq
+    killall
+    lsof
+    mosh
+    multipath-tools #-> kpartx
+    mtr
+    nix-index
+    nmap
+    nmon
+    pciutils
+    pv
+    reptyr
+    rsync
+    screen
+    stress-ng
+    usbutils
+    tmux
+    vim
+    wget
+    whois
+    zip
+    unzip
+  ];
+
+  time.timeZone = "Europe/Berlin";
+  services.timesyncd.enable = true;
+}
--- a/machines/core/default.nix
+++ b/machines/core/default.nix
@ -0,0 +1,6 @@
+[
+  ./core.nix
+  ./modules.nix
+  ./network.nix
+  ./users.nix
+]
--- a/machines/core/modules.nix
+++ b/machines/core/modules.nix
@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Enable all firmware modules, so that bluetooth and wifi modules can load
+  # https://github.com/NixOS/nixpkgs/issues/85377#issuecomment-616424682
+  hardware.enableRedistributableFirmware = true;
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  boot.initrd = {
+    availableKernelModules = [
+      "ahci"
+      "e1000e"
+      "ehci_pci"
+      "nvme"
+      "sd_mod"
+      "uas"
+      "usbhid"
+      "usb_storage"
+      "xhci_pci"
+    ];
+
+    kernelModules = [
+      "dm-snapshot"
+      "e1000e"
+      "nvme"
+    ];
+  };
+}
--- a/machines/core/network.nix
+++ b/machines/core/network.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.networkmanager = {
+    enable = true;
+
+    unmanaged = [
+      "interface-name:br-*" # Ignore docker compose network bridges
+      "interface-name:docker?" # Ignore docker default bridge
+      "interface-name:veth*" # Ignore docker compose network devices
+      "interface-name:virbr?" # Ignore libvirt default bridge
+    ];
+  };
+
+}
--- a/machines/core/users.nix
+++ b/machines/core/users.nix
@ -0,0 +1,28 @@
+{ config, pkgs, lib, ... }:
+{
+  sops.secrets."users/felix/password".neededForUsers = true;
+  sops.secrets."users/felix/password" = { };
+
+  users.users.felix = {
+    isNormalUser = true;
+    home = "/home/felix";
+    group = "felix";
+    extraGroups = [
+      "wheel"
+      "adbusers"
+      "audio"
+      "dialout"
+      "docker"
+      "input"
+      "libvirtd"
+      "networkmanager"
+      "video"
+    ];
+    passwordFile = config.sops.secrets."users/felix/password".path;
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@thinkman" ];
+  };
+
+  users.groups.felix = {
+    gid = 1000;
+  };
+}
--- a/machines/deploy.nix
+++ b/machines/deploy.nix
@ -0,0 +1,24 @@
+{ self, ... }:
+let
+  inherit (self.inputs) deploy-rs;
+  mkNode = server: hostname: system: {
+    inherit hostname;
+    fastConnection = true;
+    profiles.system.path =
+      deploy-rs.lib.${system}.activate.nixos
+        self.nixosConfigurations."${server}";
+  };
+in
+{
+  user = "root";
+  sshUser = "felix";
+  sshOpts = [ "-i" "~/.ssh/keys/local_ed25519" ];
+  #sshOpts = [ "-p" "6158" "-i" "~/.ssh/keys/local_ed25519" ];
+  remoteBuild = true;
+
+  nodes = {
+    thinkman = mkNode "thinkman" "localhost" "x86_64-linux";
+    newton = mkNode "newton" "buehler.rocks" "x86_64-linux";
+    serverle = mkNode "serverle" "serverle.local" "aarch64-linux";
+  };
+}
--- a/machines/newton/boot.nix
+++ b/machines/newton/boot.nix
@ -0,0 +1,10 @@
+{ config, ... }:
+{
+  boot.loader = {
+    timeout = 1;
+    grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+  };
+}
--- a/machines/newton/configuration.nix
+++ b/machines/newton/configuration.nix
@ -0,0 +1,32 @@
+{ config, ... }:
+{
+  imports = [
+    ./boot.nix
+    ./hardware-configuration.nix
+    ./disks.nix
+    ./network.nix
+    ./syncthing.nix
+    ./services.nix
+    ../../legacy/modules/docker.nix
+    ../../legacy/modules/networkdecrypt.nix
+    ../../legacy/modules/nix.nix
+    ../../legacy/modules/users.nix
+  ];
+
+  networking.hostName = "newton";
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    gnupg.sshKeyPaths = [ ];
+  };
+
+  #environment.noXlibs = true;
+
+  networking.firewall.allowedTCPPorts = [
+  ];
+
+  system = {
+    stateVersion = "22.05";
+    autoUpgrade.enable = true;
+  };
+}
--- a/machines/newton/disks.nix
+++ b/machines/newton/disks.nix
@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.luks.devices."luks-drive" = {
+    name = "luks-drive";
+    device = "/dev/disk/by-partlabel/Crypt";
+    preLVM = true;
+    allowDiscards = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/newton-root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/newton-boot";
+    fsType = "vfat";
+  };
+
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/newton-srv";
+    fsType = "ext4";
+  };
+
+  swapDevices = [{
+    device = "/dev/disk/by-label/newton-swap";
+  }];
+}
+
--- a/machines/newton/hardware-configuration.nix
+++ b/machines/newton/hardware-configuration.nix
@ -0,0 +1,19 @@
+{ config, pkgs, lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "sd_mod"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+  ];
+  boot.initrd.kernelModules = [
+    "dm-snapshot"
+  ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/newton/network.nix
+++ b/machines/newton/network.nix
@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+
+let
+  ifname = "ens18";
+
+  ip4_addr = "38.242.193.132";
+  ip4_mask = "255.255.240.0";
+  ip4_mask_len = 20;
+
+  ip4_gw = "38.242.192.1";
+  ip4_dns = [
+    "8.8.8.8"
+    "79.143.182.242"
+    "178.238.234.231"
+    "5.189.191.29"
+  ];
+
+  ip6_addr = "2a02:c206:3009:3317::1";
+  ip6_mask_len = 64;
+
+  ip6_gw = "fe80::1";
+  ip6_dns = [
+    "2a02:c205:0:0882::1"
+    "2a02:c205:0:0891::1"
+    "2a02:c207:0:0842::1"
+  ];
+in
+{
+  networking = {
+    #useDHCP = false;
+
+    nameservers = ip4_dns ++ ip6_dns;
+    domain = "buehler.rocks";
+    search = [ "buehler.rocks" ];
+
+    defaultGateway = {
+      address = ip4_gw;
+      interface = ifname;
+    };
+
+    defaultGateway6 = {
+      address = ip6_gw;
+      interface = ifname;
+    };
+
+    interfaces."${ifname}" = {
+      ipv4.addresses = [
+        {
+          address = ip4_addr;
+          prefixLength = ip4_mask_len;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = ip6_addr;
+          prefixLength = ip6_mask_len;
+        }
+      ];
+      # Do not use the temporary addresses on this interface
+      # The machine is rather a server
+      tempAddress = "disabled";
+    };
+  };
+}
--- a/machines/newton/secrets.yaml
+++ b/machines/newton/secrets.yaml
@ -0,0 +1,51 @@
+users:
+    felix:
+        password: ENC[AES256_GCM,data:ma+FSUcvVjrtMKS9,iv:3AHwBXdbuSG6ZZnBVL+/Mf8H/GjiXIhmXbuZEnRYIGA=,tag:hlnKF0pLznMl1sbnGENXXQ==,type:str]
+borgbackup:
+    password: ENC[AES256_GCM,data:MCzHfmd5uSIO6NqOLljVEce6O2btQoc=,iv:CGGvivLFcsUSQKT1EkY72uDVM9+No25WlXjL/WryuEU=,tag:wZOV8Clot5Df+mMf71thZA==,type:str]
+    private_ssh_key: ENC[AES256_GCM,data:O6/5WZC+5ef/DjQzR9mwmvgYarIF0OlUAW20cvcNXBeTUIWReB3lnf6eigXJ8t0Y7UPnEAy0L4SXkNtnnqL43pb9GcZ5QxVenqS54bec2AN46282PP3MvO2qKQ1xNhrEDYy8U3dz5Pna6nJIRhpcLuUbQ/ZRc9LQh74LrqUlX3fjvVqAhc4QSXpBwZ1MdqF3M8XjZiB1kpwhYqnLNuGrMw+RftR4x2g763gS9qicnjmNdBL+aaHebRC3JRaGQbm6QNa0NDOANfkG2MtdMKRKot6mMCN4M3nL0ngswr1JolKsTo+YHrYP6YrqMinPEfL0XjIZA6J8AzUsFKN65bScd7mLnMuxF5P11hLEVAFYqS3QsHY0BXmvwWY7mOG7FVU0l6UOlK9xvlLOC8UdDwdx9ipBc/lQ89i7CyBviqcRLrqkzC9OzX0035u+OblcrJlfQ38buZWsojHGZPDPctPRnhcOf2eNZEvoc7SWbvuVnDQfLv4DcRXEp4C2+IV+Boh08zG26QHNRkZMGY3Nmjmb,iv:RCZYSfP2HK5YgRk9V/inFAwu8sQuq05nVe+aBGfsWfo=,tag:AAo7S8M+l2GvEQtqm4TsAw==,type:str]
+syncthing:
+    key: ENC[AES256_GCM,data:r4kihzg6FcZYHqchcu+8k5N27ZwdrXkQXyJ1QM2p0kVSiwTPq5n1jQCI8i7bCXckBkEv5IQmSOc3kf9383EM3XH3Q9zDqw2z4TEHWo6EBI9JalPK/4UC6gRpN5bTJRpwUlZ5gnhM6ifcl+OX6bdU6zSS2MtFqL1ne/CVJdUoGLHV4BKNCF43CBgIcJG+o/iOt0P292/PozrRRL3nCHxB8TCIpfUDjyeQYGAvBuQy1/WDUJoBLFIOKVYmzo5jbGwScVrUIg2hT+KIuv4P4ZVkBBgx0avOi9JlTglOh2kS//+F0+nT7+XQV/Fo/AwSE4Y1MBZCaxtlb+C89DRcrR5oqFbPLA11oynPHrMryPgyikrtRKDnN52/8UNVMaJgK04E,iv:w3ItAGO/LZxqtLNLu9R0nrcUezIBwe9aFqY2kY9gY0s=,tag:shC2Qo9vF4o3I/RXjbTXoA==,type:str]
+    cert: ENC[AES256_GCM,data:k3LEq2gEcoM3x1xEtFzbvbd04LRYvm15z5Cm/t07IG2fVvdtPWy9Dsha5Crx2CEnjB4Xtf7xdCOTaKr/OeZnUf+iK67e/xj6St1Q2n9ua20/+82nUxFtG2ItXH+iu5rkF7IIsXuVxE0WNAXxC8M+xdDt4KUOJP6e/GSv+/8KA1N4fOiW1N5EUpLwuN7sAwaj7YkzUJwHiGrUw3qTYRwXU6j/hWA3vtw8Z8latWW3+goaD9/aDSMHzSE5Pdi2/GQ1Ll/UVc43nRUYgXL7H9grOrXiI3sdPpc42MeFUpNM0AGJp3M6tepUsLIuA9L54wgqaQVrGO0RilBMtMrAb1tUoqLqEB0CM0VqNDBEWyIzDKIfHtQWta/1fIxzo5bKoJcJ6UG2qrZ5ru6sX387sGi8QcC9uN5ko6oZesdOacw9z5tvFDQrk7KvfiCtvHj+AtPxiLrkFj3EPoQK1vXzy4IyanIDJx46WtuAURTHmBZms2KBLPKLMYzWm9qdq8dW4sadbaSofzwquj4HaWuOIugSdjVlSdzBj+KI/nIRde5uWunpnr9AYHrf3lPgl1tkduQpL5RRu3je4RQ5dNa+TNkcqacMTF/3Q34uJXBkp99LpK+8fXx70PKm/PmnHOQgeK7WJnz2kAeSc6kBhX+sh2w1KWBG01ptc0Ixi7xrC/6fgB4pmkKdryMFsZ/PML/VOwLxbkbrzsHyK1Zpw8jV03oGTwz76IaDpELqpfX2rD3GztS58mYXxJn5sqyTIFKjLVX05jB77bjYk5pWLQZasHpdU5wLYg6AHCe2wEIfbu3y3M4XVEfCiB/d+P370T1qLMbxeTYMd1MtD4oq87Bg7brlCy64LWhOwW/Elu0oeBqHmpoXwBc6aoIBH8a+uK4ZWm87N/oJha1zzsh0+0Z3NdinAL4ufjrlKQBGJRZj7NBKdQfnKZXM/ELLEQD2R6UxZUsFnmrXEN2AuAv+KZtoImf1oOOGXiaIDPEJNvGlIT8fZ8cQViYRxzGjtkbO5p3FHpn+/DdcEke+/4ABqNZ0hHw+98U6qRlvcQ==,iv:80pejP5/F/uLoFuAwg1tKjwq5hQjowhpBT6/+ipPW0c=,tag:zccXZgI/KT7+DPbqyZWjOA==,type:str]
+paperless:
+    password: ENC[AES256_GCM,data:GrH2MEFUGSoJEUnFUb5nTxHHnnSIohwEUVU+2Xpa,iv:U9tDsq5PsqFzzl1e1sYUL5XxUqGEmdiZoJtCh96+yEA=,tag:qVu2bulQ9wz+K0lmbMULzQ==,type:str]
+freshrss:
+    password: ENC[AES256_GCM,data:dUOKeRxovwIHIchkwMFxsQYEKrU2muY=,iv:OA1zbIiV3NBWIoJLpxpLBEjR/I6m5vzVKvzMEZYYE7Q=,tag:r4PbEbEkSH3bsJMamDuuFw==,type:str]
+nextcloud:
+    password: ENC[AES256_GCM,data:uE507Ij34zJVYnd2YkNCGj8hpFpEM5w=,iv:x8BNCUaAas0poQ/Lo0izZApF6l52xal8DDrClIzWjvk=,tag:sA08dmcVQbKswX9hF/txag==,type:str]
+sso:
+    auth-key: ENC[AES256_GCM,data:jFDeymziDiJMnoIGjYPMmnxTzKer1bFffGDaoHnbKlpMPslP/Bmtsc5kio2tbDBlxG0TCdf+ePirPPw2,iv:8wGHEp1gB/qgkSvqkqjb9zBnqkkl1+Ezm9tCFS8tL3w=,tag:tHIT9Iw29TUXJm2e7z3Z/A==,type:str]
+    felix:
+        password-hash: ENC[AES256_GCM,data:4yOMOg3/RsijtXC7h73sIk3HDPq83xmSY7AaLeUbtPVZzjjZ/Qp+YiXpgL0fVsio1Pic3HyAzeVlWg0E,iv:23CdJQAhtpgrUZ1jVKiKYfgw5jQNVN6413Ew8ryJH6w=,tag:bds2Yd18gFtVDtgLkxMGkQ==,type:str]
+        totp-secret: ENC[AES256_GCM,data:pXx//6N7XMlmPQoUPziIcEswGWSNQ+oUgjlxAWG1RC/EToTmzwwvbhpaJRr0liKFkHVIeKT7rLU=,iv:hh3F6S2phwP11MhAtqYLMzXw4/9K25fCfiz779XkLj8=,tag:x7BXtPqh6N4LrLJfsEwh4Q==,type:str]
+acme:
+    inwx: ENC[AES256_GCM,data:tu3pdI2fAQPAwQNdIIk10Kkl0xBPBLx592UlYYEXxJX0YGddAhGMwDUqKTh/B5k9WW11cyoLoeTMnZPMzD15V1Qj,iv:UbbauJBjr3O4XnKRL9Pc3PdRGJqAhqO0PDNkvpyXH2o=,tag:YRVtRo8D0KLVCtWukW7GWw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOHlyV1B4SE9maDhmTVhB
+            RWIzbkdhZzhwVjVuUEcxN3pQL2VNTU9Oa0VZCnN5YUhSZUVFTUVMS3dLRDExSFBW
+            SHNNM0pKeDRITG5heXhrNVRFbFJ4WkEKLS0tIHR2a3RXcUNzbjZQNythTnk1T0d1
+            bnlMMmY2NHRncEEvTlNob0JJU3dLdE0Kjo2Ge3OVnClKgAyUHvi//Qx74fqhtxjw
+            7IlsnpkmHbPPbmTWtcXwzS8S8/2tcurMj9mG1wrDou3POr/aHMPs/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1s9spl75rwhgm3cvvqsr9rze5m0kuxqes2tsxjmq07xg5ycn5j47s2m0dlu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWmp0dGtsU3ZiMjN3SjU0
+            OFpGdkJ1SitjMlJkSFVhZm5lYjZHUFRjYWh3ClFKM1d1RG9GbFg5V0dWOGs2WmQv
+            OFZpTlU2V0xITUNmSXlyWlkwdHFmbHMKLS0tIHNKb1lSaTB6cnE3RytaRklpbzVx
+            NmNwT3N5UEVabFdLTDhseFRjeVZaWFkKL3HGFqfttU1tXY4OhnIr1ABFsHB0R0CX
+            s6wxb0ilut32ijjtnGXMIIa9y6XsMTpYskTb9FdRP9VnQQGVrMfdew==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-11-13T15:50:14Z"
+    mac: ENC[AES256_GCM,data:RmNsaye+hanRtzO1BNj6Q/LKS4ACRufzs7TGGcQHfVbi8QyrBqltGoox9ukgaN5PqBNR+uz3+Grpzkjj33xtdJuSRoHNk7aa/q2FHFHmJs+qIggf3HRzgfmBPkP0K9kJdFeOYvy0XoZWMdmaZ9H3fC8kqbEkQPMTrwnKEiDOx6M=,iv:ntjiRk8UUbsnPaKW1AxEoa8RRejA9LCKYNGD6s8dKwI=,tag:hKi3HZoMuOwtAcd7oyUZgw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/machines/newton/services.nix
+++ b/machines/newton/services.nix
@ -0,0 +1,88 @@
+# Deployed services
+{ config, lib, ... }:
+let
+  secrets = config.sops.secrets;
+in
+{
+  sops.secrets."acme/inwx" = { };
+  sops.secrets."sso/auth-key" = { };
+  sops.secrets."sso/felix/password-hash" = { };
+  sops.secrets."sso/felix/totp-secret" = { };
+  sops.secrets."paperless/password" = { };
+  sops.secrets."nextcloud/password" = { };
+  sops.secrets."nextcloud/password".owner = config.users.users.nextcloud.name;
+
+  # List services that you want to enable:
+  my.services = {
+    # My own personal homepage
+    homepage = {
+      enable = true;
+    };
+    # Dashboard
+    homer = {
+      enable = true;
+    };
+    # RSS provider for websites that do not provide any feeds
+    rss-bridge = {
+      enable = true;
+    };
+    # voice-chat server
+    mumble-server = {
+      enable = true;
+    };
+    # sandbox video game
+    minecraft-server = {
+      enable = true;
+    };
+    # music streaming server
+    navidrome = {
+      enable = true;
+      musicFolder = "/srv/data/music";
+    };
+    # self-hosted cloud
+    nextcloud = {
+      enable = true;
+      passwordFile = secrets."nextcloud/password".path;
+    };
+    # document management system
+    paperless = {
+      enable = true;
+      passwordFile = secrets."paperless/password".path;
+      extraConfig.PAPERLESS_ADMIN_USER = "felix";
+    };
+    # self-hosted git service
+    gitea = {
+      enable = true;
+    };
+    # collaborative markdown editor
+    hedgedoc = {
+      enable = true;
+    };
+    # a password-generator using the marokov model
+    passworts = {
+      enable = true;
+    };
+    ssh-server = {
+      enable = true;
+    };
+    # Webserver
+    nginx = {
+      enable = true;
+      acme = {
+        credentialsFile = secrets."acme/inwx".path;
+      };
+      sso = {
+        authKeyFile = secrets."sso/auth-key".path;
+        users = {
+          felix = {
+            passwordHashFile = secrets."sso/felix/password-hash".path;
+            totpSecretFile = secrets."sso/felix/totp-secret".path;
+          };
+        };
+        groups = {
+          root = [ "felix" ];
+        };
+      };
+    };
+  };
+}
--- a/machines/newton/syncthing.nix
+++ b/machines/newton/syncthing.nix
@ -0,0 +1,66 @@
+{ config, ... }:
+{
+  sops.secrets."syncthing/key" = { };
+  sops.secrets."syncthing/cert" = { };
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    dataDir = "/srv/data";
+    key = config.sops.secrets."syncthing/key".path;
+    cert = config.sops.secrets."syncthing/cert".path;
+    extraOptions = {
+      options = {
+        localAnnounceEnabled = false;
+      };
+    };
+    devices = {
+      "thinkman" = {
+        id = "KXSCPX3-JCCFZM4-S2LQZZL-3AM6WRL-IPNWVG2-IB5FEDJ-YYFUIRR-VMDO3AL";
+      };
+      "birdman" = {
+        id = "34Z4J7W-MJIODUD-J6LDJY6-QILQLLB-CJ4GR7K-7TJM2K3-R7SIPRV-XQO5TAI";
+      };
+      "serverle" = {
+        id = "PVPEIN7-PI226LR-ULSBYKT-JGRQ3PS-WSPLGBP-TKYRJVP-OTWE7IV-NLKTBA3";
+      };
+    };
+    folders = {
+      "Computer" = {
+        id = "djdxo-1akub";
+        path = "/srv/data/computer";
+        devices = [
+          "thinkman"
+          "birdman"
+          "serverle"
+        ];
+      };
+      "Phone" = {
+        id = "4hds7-gpypp";
+        path = "/srv/data/phone";
+        devices = [
+          "thinkman"
+          "birdman"
+          "serverle"
+        ];
+      };
+      "Music" = {
+        id = "mphdq-n6q7y";
+        path = "/srv/data/music";
+        devices = [
+          "thinkman"
+          "birdman"
+          "serverle"
+        ];
+      };
+      "Pictures" = {
+        id = "cujyo-yiabu";
+        path = "/srv/data/photos";
+        devices = [
+          "thinkman"
+          "serverle"
+        ];
+      };
+    };
+  };
+}
--- a/machines/serverle/configuration.nix
+++ b/machines/serverle/configuration.nix
@ -0,0 +1,43 @@
+{ config, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disks.nix
+    ./dyndns.nix
+    ./services.nix
+    ./syncthing.nix
+    ./wifi.nix
+    #../../legacy/modules/3d-printer.nix
+    ../../legacy/modules/avahi.nix
+    ../../legacy/modules/docker.nix
+    ../../legacy/modules/nix.nix
+    ../../legacy/modules/webapps/bazarr.nix
+    ../../legacy/modules/webapps/prowlarr.nix
+    ../../legacy/modules/webapps/radarr.nix
+    ../../legacy/modules/webapps/sonarr.nix
+  ];
+  networking.hostName = "serverle";
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    # disable gpg and thereby enable age
+    gnupg.sshKeyPaths = [ ];
+  };
+
+  #environment.noXlibs = true;
+
+  networking.firewall.allowedTCPPorts = [
+    8080 # aria
+  ];
+
+  # Nix
+  nix.gc = {
+    automatic = true;
+    options = "--delete-older-than 30d";
+  };
+
+  system = {
+    stateVersion = "22.05";
+    autoUpgrade.enable = true;
+  };
+}
--- a/machines/serverle/disks.nix
+++ b/machines/serverle/disks.nix
@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.luks.devices."luks-drive" = {
+    name = "luks-drive";
+    device = "/dev/disk/by-partlabel/Crypt";
+    preLVM = true;
+    allowDiscards = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/serverle-root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/serverle-bo";
+    fsType = "vfat";
+  };
+
+  fileSystems."/srv" = {
+    device = "/dev/disk/by-label/serverle-srv";
+    fsType = "ext4";
+  };
+
+  swapDevices = [{
+    device = "/dev/disk/by-label/serverle-swap";
+  }];
+}
+
--- a/machines/serverle/dyndns.nix
+++ b/machines/serverle/dyndns.nix
@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+{
+  services.ddclient = {
+    enable = true;
+    server = "dyndns.inwx.com";
+    username = "Stunkymonkey-dyndns";
+    passwordFile = "/root/.dyndns_password";
+    domains = [ "serverle.stunkymonkey.de" ];
+    ipv6 = true;
+  };
+}
--- a/machines/serverle/hardware-configuration.nix
+++ b/machines/serverle/hardware-configuration.nix
@ -0,0 +1,33 @@
+{ config, pkgs, lib, ... }:
+{
+  boot.loader = {
+    raspberryPi = {
+      firmwareConfig = ''
+        # Disable the ACT LED.
+        dtparam=act_led_trigger=none
+        dtparam=act_led_activelow=off
+        # Disable the PWR LED.
+        dtparam=pwr_led_trigger=none
+        dtparam=pwr_led_activelow=off
+
+        # Disable ethernet port LEDs
+        dtparam=eth0_led=4
+        dtparam=eth1_led=4
+    
+        # Disable SD-Card pools
+        dtparam=sd_pool_once=on
+      '';
+
+      # the bootloader has to be enabled for fat systems. for ext use the other one.
+      enable = true;
+      version = 4;
+    };
+    generic-extlinux-compatible.enable = false;
+  };
+
+  # Kernel configuration
+  boot.kernelParams = [ "cma=64M" "console=tty0" ];
+
+  # Fix wifi disconnect
+  networking.networkmanager.wifi.powersave = false;
+}
--- a/machines/serverle/secrets.yaml
+++ b/machines/serverle/secrets.yaml
@ -0,0 +1,40 @@
+users:
+    felix:
+        password: ENC[AES256_GCM,data:mrG5gb0wbjA2S0sd,iv:86PZWbVR2BkB6+c9KrtnFh1j/kJtiFJXlXEQMFqEmZA=,tag:WUXrp4+/KW+X+wUp0omqdg==,type:str]
+wifi:
+    bismarck: ENC[AES256_GCM,data:6mcU+o6GiBelKq5Av2hJdHigf+yyQRO/qXV0DbGeri00CaO1cjjGka86C/t0NAoh8EaJeLPd6lZQspeUTIdqJMleQLhmq1zk1qGw65fvEphCsWkKUsUd6flWODdmll80mmYLpllX6hmZ8I/Of7EVZPn4WEiw4M2HB1UCw5+M0W2H0MJrjlskafbL9+uYtMeoUikXVMTYNAkX3+9+MZi3KzDMEc6JVt1fQZHjXkdeKx+2iVsaXEtXL72Dbj3ihlpA+WRhgZOmrrbablYde71mpzSuQ/yqeTZT+2NCMUmkYaj0dGz4FW0gJMPzjHjji8CopeOK7/CQM/MMWGFJXR2Xdea8X/YdDoVAz34WraGylYzK9e7a1C+s37mekt6c/bvuiQ==,iv:DH0LDw1pZ5m9RScJ3+IhjUb5JroLLOJ3jru7DwCKXv0=,tag:r57fz+W2nEybNqOc8eEDFA==,type:str]
+borgbackup:
+    password: ENC[AES256_GCM,data:vXa1LO8Akwume5PVsxny59H5FDI+HTo=,iv:RKiriS4VHP3HDMRPS5e3Fz5rsDMpqQpZgC7XFI3hAWU=,tag:XHZNH4cLJzmSuF6k+gJ3cg==,type:str]
+    private_ssh_key: ENC[AES256_GCM,data:GrK7aWNUZymdgCwqemKu/7Ruh7hduHPdStzCf326beBj4sCr2CXYo9HKCIJHSnRrywzT5gqWmcEFew9qo08G4kpxIeqthcpxsIaVYVqRjusT2WL6jiLHsGqMa2R+Vui2NO5ZuGrnTdS6CWxSpno0EjT2rNG29vA8Uhort7iANRVrY20MDpiAfU675yGThOvgR7833KODS0S+cKuKKq7/8qkSgVH4KIGqjGbRsVIlgFAs/eVNHS79NKR2XdU/uBi1ahH4bTvVuV6lJAoBYEwgfiHhuGaBayhqnEzWPyilme26xjZBw/0/itd7fhNnfpdMLnOqx56kQpJMVzOxd6chX3BQawsl42IyFuYbYqPICl1jjEqdHzEFbctgYS/p4iv59l6enw+vDb4T6Toa1fqAvJSiaKltinXjZsO1SqQVCQEdLEMgufn+3VsVXYQ9WHBH9RdqLJ1u79rFYGZtIkkNjJRnREHUISkYVCJrwzphi+p4teNWnMDCq/Is6oFdY2x8lVNRq2mHhoY7iLpCUzZj,iv:FIPsM1k42srkPUbOR5Ex7M3TnDUAYCZshWBGETbZlJE=,tag:1uiiqGjuQK2BB4nVV7h1KQ==,type:str]
+syncthing:
+    key: ENC[AES256_GCM,data:SilpQP29PbI6JNGX5/Ij9YDdwN5a0rDRKicduLZizoIkwPM4zhs4PHlQDhf20Q9IE9OLxI+6Ik57e28iPY0KDL5M/Qg6sPvUaOZBriM24dCYnq8MQMncfI2AnmUSLbelSkoumxlkhOdMjPWNhh1+qoNRQadLC7RTOcrr6rv7POEoHRMJye9fyMMgmoZqWNw9bGJOV5o2O5GGx/mSJDcaxnmNNXmhJ+HaCYOU6dJ0CD4ZiAGIchOwt5H281r9Fy4qQNoQh9F00adv4X9/NN2FsbN4z9HSqikYLDtpRC14Osw/qIJ1tHK4r1KL5azmsJTG7lSd0V57LA5PwWz1WX5gMzWd6+K85mjw6YvvteektFI/PlYDzQml5R8gn7CAsTIU,iv:cZnh6Ql0n4ruhow3XwESnrwGI0L/3R7KmaqG+WjwVcY=,tag:KH0aODHRPbIM2qUse3CGuA==,type:str]
+    cert: ENC[AES256_GCM,data:vuNG3zFkAFY37xXCAjHya+Y5p/gWbEslUEPMyKDpm3j4xJD7rWIpxySj6LsDIW7iC4L/5JsLlTnTsNZWrhpmTQmKKVw0likKIhD7cFsS/21c7DkfxHphHW5wfYIPUPtLXfUwmrlZ47WWYprOuXNX2CMMVqS1WIV9YHc3Vn+p3qZbcPPHz8P+294CC3p6HHhtiAaKtYGFWY5gLVVosTz+H68TqnWRkCgc1kXN3nv6JDltsQiNvocLg6PZxJT3jTFB5+Aki1G1mT66wqWB9FBylSxAJhuE7Ty/9h5YfLRcrCu2RvlRW26s4Lbnu6UDmdNyp2aU5AZJp4T5+JLm7fpUdF0mLweHYk+wDEM1SQo7Mn5GLMABty5v9HzPxXfAjYlfIUjl1J5EhIlvKhF5y5L9Q5hX1yH5fqW7TCBJsjTLku4cz7zS3VutwzOTkBqlx8MRzUMSOL+3AMzuYaNY21/Ou5RC4nNDM4610kx1BTd08ves/4Mi4nqm9uFROLQ/0K2REIA1LgHWY+gtpAPQbiGEYe9N99bRtlN1kurknzL0U4MoNPpkjuzFEZIgDfhyNNWvUJW/HEYKOtDBhyJcxZFNhy0oZZVW9MBhVwqTKuxsiQvL1QDxIBTEsacnW8b1/GS/Q0nFSXs6fRw1B4Zs4a8BSFzv8m2WFNbJmXos5xV2d+tnkKz26YMGNZT6peIVk4bTIs6/cAafrg5dJrWDshAYONk0Xwqx3oaG4hmG7aD0EMnlynHpCz/RpaKziLkdC1FIUYpiH0YuVbQK8NEUIunrmU0q9ERCx+0ycnebXXtjKi0U2YTv/5I6,iv:NZr0LXtO0zNOv0LmD8wLZ829kgwWtPCo637UyzqSD0s=,tag:3mQckI1jSCMzsHQWFPoMgg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1dVYyRDRWUkNKQXN2c2N2
+            MDVGajJzWVl4S2FkVkNHc1FlcEtYdmc1aVV3CmRFckplMWVyNVhJWDdNOFlXK2xK
+            VW9MdmdvbTkrQiswdlU3SkZhUU9TK28KLS0tIHdxY05qaHlHbGVMejBzYk5MUSty
+            cTF3ZTZKdm9WK29Da21oRU9ERVJVS00Kp/VflSZZB0evGinqjFBnqR1zI0CIwF5s
+            jqQhA0OQV5tHcP/SBoLRJeEn5iH7aAcUzXseV1DZ2kwkZ8eKUUWmdA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOd2ozNTBXMTB0UlBnTWZs
+            VVJqdC9nUXFHUjBBdGk2RjFaRVhTeS96WENRCjJUNGJNTmJ6Nmd0ME5XTjNyaGsw
+            SFp2Z1F5djJETnpsa0tNOFJpY0F3ZmcKLS0tIEsrQ0tvZ09QeVdxTmhxSXdBUjAw
+            a1BjcjVaM01UV0o5bTFTVTE5QUZKMmsKPAGYDf1FVtp4+Z/KUrI6z0aZYEwN1DYa
+            jKtA1IUXrmdaRllN0SfC+YjMXTk7IoJvrjagCv9Zo0zEKasfO8PL4g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-01T22:05:10Z"
+    mac: ENC[AES256_GCM,data:BGjTt/4Db8vM+hOJoFybwyaBNcsdafe5gFDJT24kl7t+YTbMuVYdBa2tixs2LGA305s/dVfFNw4waYsENZ+rUfY7S4hhty4zG+0vk0QDy21Qrf43GGWe5Eczoz6QqwbxgkwcJTJY/4FoxeEOAI0LrkiC4URSI33eB5Y8r6CqHYE=,iv:iPzXg0OjVjF0i2BdZEYOVGu6NbC5HGnfd1uqxyMVVWU=,tag:zB6oDcjsuNX02SaYZXOFzA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/machines/serverle/services.nix
+++ b/machines/serverle/services.nix
@ -0,0 +1,27 @@
+# Deployed services
+{ config, lib, ... }:
+let
+  secrets = config.sops.secrets;
+in
+{
+  sops.secrets."borgbackup/password" = { };
+  sops.secrets."borgbackup/private_ssh_key" = { };
+
+  # List services that you want to enable:
+  my.services = {
+    backup = {
+      enable = true;
+      OnFailureMail = "server@buehler.rocks";
+      passwordFile = secrets."borgbackup/password".path;
+      sshKeyFile = secrets."borgbackup/private_ssh_key".path;
+    };
+
+    ssh-server = {
+      enable = true;
+    };
+
+    jellyfin = {
+      enable = true;
+    };
+  };
+}
--- a/machines/serverle/syncthing.nix
+++ b/machines/serverle/syncthing.nix
@ -0,0 +1,68 @@
+{ config, ... }:
+{
+  sops.secrets."syncthing/key" = { };
+  sops.secrets."syncthing/cert" = { };
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    dataDir = "/srv/data";
+    key = config.sops.secrets."syncthing/key".path;
+    cert = config.sops.secrets."syncthing/cert".path;
+    devices = {
+      "thinkman" = {
+        id = "KXSCPX3-JCCFZM4-S2LQZZL-3AM6WRL-IPNWVG2-IB5FEDJ-YYFUIRR-VMDO3AL";
+      };
+      "birdman" = {
+        id = "34Z4J7W-MJIODUD-J6LDJY6-QILQLLB-CJ4GR7K-7TJM2K3-R7SIPRV-XQO5TAI";
+      };
+      "newton" = {
+        id = "5RISLVO-U5A5A7N-5BRYF2X-FTPNAI6-LOQDIMP-MVSM663-6W6VYBL-L7626A6";
+      };
+    };
+    folders = {
+      "Computer" = {
+        id = "djdxo-1akub";
+        path = "/srv/data/computer";
+        devices = [
+          "thinkman"
+          "birdman"
+          "newton"
+        ];
+      };
+      "Phone" = {
+        id = "4hds7-gpypp";
+        path = "/srv/data/phone";
+        devices = [
+          "thinkman"
+          "birdman"
+          "newton"
+        ];
+      };
+      "Music" = {
+        id = "mphdq-n6q7y";
+        path = "/srv/data/music";
+        devices = [
+          "thinkman"
+          "birdman"
+          "newton"
+        ];
+      };
+      "Pictures" = {
+        id = "cujyo-yiabu";
+        path = "/srv/data/photos";
+        devices = [
+          "thinkman"
+          "newton"
+        ];
+      };
+      "Aria2" = {
+        id = "jjnzq-pgzua";
+        path = "/srv/data/tmp/aria2";
+        devices = [
+          "thinkman"
+        ];
+      };
+    };
+  };
+}
--- a/machines/serverle/wifi.nix
+++ b/machines/serverle/wifi.nix
@ -0,0 +1,6 @@
+{ config, ... }:
+{
+  sops.secrets."wifi/bismarck" = {
+    path = "/etc/NetworkManager/system-connections/Bismarck WLAN.nmconnection";
+  };
+}
--- a/machines/thinkman/configuration.nix
+++ b/machines/thinkman/configuration.nix
@ -0,0 +1,71 @@
+{ config, pkgs, lib, ... }:
+{
+  imports = [
+    ./disks.nix
+    ./hardware-configuration.nix
+    ./services.nix
+    ../../legacy/modules/3d-design.nix
+    ../../legacy/modules/android.nix
+    ../../legacy/modules/avahi.nix
+    ../../legacy/modules/bluetooth-audio.nix
+    ../../legacy/modules/clean.nix
+    ../../legacy/modules/desktop-default.nix
+    ../../legacy/modules/desktop-development.nix
+    ../../legacy/modules/development.nix
+    ../../legacy/modules/docker.nix
+    ../../legacy/modules/filesystem.nix
+    ../../legacy/modules/gaming.nix
+    ../../legacy/modules/hardware-base.nix
+    ../../legacy/modules/intel-video.nix
+    ../../legacy/modules/intel.nix
+    ../../legacy/modules/kvm.nix
+    ../../legacy/modules/location.nix
+    ../../legacy/modules/media.nix
+    ../../legacy/modules/meeting.nix
+    ../../legacy/modules/nix.nix
+    ../../legacy/modules/power.nix
+    ../../legacy/modules/presentation.nix
+    ../../legacy/modules/printer.nix
+    ../../legacy/modules/screen-sharing.nix
+    ../../legacy/modules/sway.nix
+    ../../legacy/modules/sync.nix
+    ../../legacy/modules/systemd-user.nix
+    ../../legacy/modules/systemduefi.nix
+    ../../legacy/modules/tex.nix
+    ../../legacy/modules/thunderbolt.nix
+    ../../legacy/modules/webcam.nix
+  ];
+
+  networking.hostName = "thinkman";
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    gnupg.sshKeyPaths = [ ];
+  };
+
+  nix.extraOptions = ''
+    extra-platforms = aarch64-linux i686-linux
+  '';
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  # Use latest kernel
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # Nix
+  nix = {
+    autoOptimiseStore = true;
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+    daemonCPUSchedPolicy = "idle";
+    daemonIOSchedPriority = 7;
+  };
+
+  system = {
+    stateVersion = "22.05";
+    autoUpgrade.enable = true;
+  };
+}
--- a/machines/thinkman/disks.nix
+++ b/machines/thinkman/disks.nix
@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.luks.devices."luks-drive" = {
+    name = "luks-drive";
+    device = "/dev/disk/by-partlabel/Crypt";
+    preLVM = true;
+    allowDiscards = true;
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/thinkman-root";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/thinkman-bo";
+    fsType = "vfat";
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/thinkman-home";
+    fsType = "ext4";
+  };
+
+  swapDevices = [{
+    device = "/dev/disk/by-label/thinkman-swap";
+  }];
+}
+
--- a/machines/thinkman/hardware-configuration.nix
+++ b/machines/thinkman/hardware-configuration.nix
@ -0,0 +1,13 @@
+{ config, lib, ... }:
+{
+  # video driver
+  boot.initrd.kernelModules = [ "i915" ];
+
+  # Special power management settings for ThinkPads
+  services.tlp.enable = true;
+
+  my.hardware = {
+    nitrokey.enable = true;
+    sound.enable = true;
+  };
+}
--- a/machines/thinkman/secrets.yaml
+++ b/machines/thinkman/secrets.yaml
@ -0,0 +1,35 @@
+users:
+    felix:
+        password: ENC[AES256_GCM,data:Zlq+j/zqbiIBEvew,iv:k2/Jjwi/jfBnc2fYFZeJyWmr0QlvgeMl5IU7Zzl0LvY=,tag:fImYKHSfQ0bKV2E+P5El0Q==,type:str]
+borgbackup:
+    password: ENC[AES256_GCM,data:RF385VVV1aUjZA5FcJGwizhiAlINW7HiFA==,iv:W1+khhHyKfDKD7vs0t442g28MJ+0zu5ZpKYMmrmvEyM=,tag:whQ4euwgukHaTTJIAwpYSg==,type:str]
+    private_ssh_key: ENC[AES256_GCM,data:0mYCkjmoYgvPly2R/dZ8GNqlJDJI60drzdnrgD3ia6q8IegsYrl5fVevt7WV0nWYE2Jk05+RXdbZ1acsXtpRXcW9tIIsa+PzY64jzz08tlER2uGcj/wNtc+MQoy8elPWXdaL5MaAfggJk6gSxXCn+DBYplqA2hGy7jJ8q3lYoo+ssswzfjTV5wZu0OEa6psPu55+m3euRRBSRxdy2oHxnSh/q140n94HUEGIu9xGp+RGyM9DvVgonxr94sE8AMXCXLDFebNzSuLDuO7j4CSKNjR2ylECbFFUgTrX4fYbTzu6hxPqbb2/LiorI5kgGLkahV0iMqGwxv+ltbhvqgrDqiFoaat54+eHtxt0UPlgZawu0f3OUj+dT+5Nb2zzTmweJ+XaMPX3pVNc9oVwqDA7y7gNqf006D3vzzYATCPWSEFWWFgPnQ8WOEBV0h1FdD120ufHblMikSiVWhYyeqX+N2r1hiNiqdG2oUpil5mo8Pnutr8DLCkB4KovgXfHT6OAOjBduYXKcvBMvVJ2fHv9,iv:+QGru0TgNc7qK4+5eQVQJ8pCFH8Jj5XfxEC8e7c6EzA=,tag:inFmf2OujP8JPvUhCphaCw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuMHpBZmU4ZVo5UitOQ1la
+            UUNZNEU5OVFqM2hsY2g0YzRkemRvbUdyYVVjCjhFbDR2cUxTYUU2dU1Oekc4VEZ5
+            K2JEd1JZMkFhUXhFaTVnTytFeFU4TmcKLS0tIG5zTGZ4OG9GN2tNVE5zUG95dXFk
+            cG01NlA0YlpzcENqWjJMUkQwZXJMcUEKv94rjj5iHY1HAZQiE5yleC4f0WABcXbm
+            Wf4xYYCCWUmcTKXabIyPWn9eCNYCQgy29YTcTKu4/8BvebrGkRHuHw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1spt854cdscqs757a8kazth52rv4p9udh54suw9lpzlqg5savyapq2u0c03
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSUlHb04rMGR5YWFhUUZq
+            QXVHYnZQUUdQc0FzbTgyalBPZktBdDVvZ2lRClpzcDltOFA0eFlqTGRUNFptcW1C
+            WGZyamIyNEFTQXQ4R2pmdU9FS3lma0kKLS0tIFphS0ZhbmxDb3A5MnVvaVJGT1Iw
+            bzY2ZTY1QUtSRjlOZ1E0Vkw5Q1cxYmMKqwvWUv2XpRIenGwCpZuwKQc0ZsiX2AAx
+            pmIh4f10G7wr1rLeodRi2KxYIrrudPbxEWIuzmBRyHc7+3EPpzLetw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-10-02T21:24:35Z"
+    mac: ENC[AES256_GCM,data:Ckv+LA/dLXFoX5iqKjqX1CGCiUMGEQx/AtqVYaQc00846ntYYQlKKYppOSlKFiwjumHHH1RRsuBryYHlms1FeQX5n/QT1Rjsa9lHElDtFuds9U1Px27zjothI8TBVLZeaU2rccPNf2cHEa0eVmM5YU3WylAUv0ZUJ+HGLZzJlUM=,iv:ZZwDYQFYpgO6zu/ReEObFGMAevF3G7mv5TQ7P/hoC24=,tag:J/SpkLXKp/pdZp6fix89fQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/machines/thinkman/services.nix
+++ b/machines/thinkman/services.nix
@ -0,0 +1,19 @@
+# Deployed services
+{ config, lib, ... }:
+let
+  secrets = config.sops.secrets;
+in
+{
+  sops.secrets."borgbackup/password" = { };
+  sops.secrets."borgbackup/private_ssh_key" = { };
+
+  # List services that you want to enable:
+  my.services = {
+    backup = {
+      enable = true;
+      OnFailureNotification = true;
+      passwordFile = secrets."borgbackup/password".path;
+      sshKeyFile = secrets."borgbackup/private_ssh_key".path;
+    };
+  };
+}