migrate to clan

flake.lock

@@ -39,11 +39,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1746799285,
+        "lastModified": 1747400548,
-        "narHash": "sha256-wRii4X2t8bAvtJTy6O9NPCdWB2NnP9B/utYHf7Qpf2g=",
+        "narHash": "sha256-zvBGXYkd8pZKkBXlLdcw0/nxSoGJOkwGbc6dz9NS4G8=",
         "ref": "refs/heads/main",
-        "rev": "b306c748b872527838b922226c2e7570937c131d",
+        "rev": "56f3fd0a454635d0449330e6848a98bab6da020e",
-        "revCount": 6737,
+        "revCount": 6979,
         "type": "git",
         "url": "https://git.clan.lol/clan/clan-core"
       },
@@ -94,39 +94,17 @@
         ]
       },
       "locked": {
-        "lastModified": 1746628829,
+        "lastModified": 1747329636,
-        "narHash": "sha256-q77HWbHlJTXFVRD2kRnYwqGfbGmCm9XYPG0ZgLLVh8M=",
+        "narHash": "sha256-mmyx5trq5ZQp6uShbHNfqgSxdg9OeArcZGdZKtHjhqw=",
-        "rev": "9a3856421bd6733192b57037cdf26712d73c0871",
+        "rev": "7afcd6f322b9839699f6f31d5bed884c6dd412c4",
         "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/9a3856421bd6733192b57037cdf26712d73c0871.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/7afcd6f322b9839699f6f31d5bed884c6dd412c4.tar.gz"
       },
       "original": {
         "type": "tarball",
         "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz"
       }
     },
-    "deploy-rs": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "utils": "utils"
-      },
-      "locked": {
-        "lastModified": 1727447169,
-        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
-        "owner": "serokell",
-        "repo": "deploy-rs",
-        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
-        "type": "github"
-      },
-      "original": {
-        "owner": "serokell",
-        "repo": "deploy-rs",
-        "type": "github"
-      }
-    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -135,11 +113,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746729224,
+        "lastModified": 1747274630,
-        "narHash": "sha256-9R4sOLAK1w3Bq54H3XOJogdc7a6C2bLLmatOQ+5pf5w=",
+        "narHash": "sha256-87RJwXbfOHyzTB9LYagAQ6vOZhszCvd8Gvudu+gf3qo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "85555d27ded84604ad6657ecca255a03fd878607",
+        "rev": "ec7c109a4f794fce09aad87239eab7f66540b888",
         "type": "github"
       },
       "original": {
@@ -155,11 +133,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745812220,
+        "lastModified": 1747274630,
-        "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=",
+        "narHash": "sha256-87RJwXbfOHyzTB9LYagAQ6vOZhszCvd8Gvudu+gf3qo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78",
+        "rev": "ec7c109a4f794fce09aad87239eab7f66540b888",
         "type": "github"
       },
       "original": {
@@ -168,22 +146,6 @@
         "type": "github"
       }
     },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -233,11 +195,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745810134,
+        "lastModified": 1747374689,
-        "narHash": "sha256-WfnYH/i7DFzn4SESQfWviXiNUZjohZhzODqLwKYHIPI=",
+        "narHash": "sha256-JT/aBZqmK1LbExzwT9cPkvxKc0IC4i6tZKOPjsSWFbI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "be7cf1709b469a2a2c62169172a167d1fed3509f",
+        "rev": "d2263ce5f4c251c0f7608330e8fdb7d1f01f0667",
         "type": "github"
       },
       "original": {
@@ -269,11 +231,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746708654,
+        "lastModified": 1747365160,
-        "narHash": "sha256-GeC99gu5H6+AjBXsn5dOhP4/ApuioGCBkufdmEIWPRs=",
+        "narHash": "sha256-4ZVr0x+ry6ybym/VhVYACj0HlJo44YxAaPGOxiS88Hg=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "6cb36e8327421c61e5a3bbd08ed63491b616364a",
+        "rev": "8817b00b0011750381d0d44bb94d61087349b6ba",
         "type": "github"
       },
       "original": {
@@ -346,11 +308,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1745503349,
+        "lastModified": 1747129300,
-        "narHash": "sha256-bUGjvaPVsOfQeTz9/rLTNLDyqbzhl0CQtJJlhFPhIYw=",
+        "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "f7bee55a5e551bd8e7b5b82c9bc559bc50d868d1",
+        "rev": "e81fd167b33121269149c57806599045fd33eeed",
         "type": "github"
       },
       "original": {
@@ -378,11 +340,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1745526057,
+        "lastModified": 1747179050,
-        "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=",
+        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f771eb401a46846c1aebd20552521b233dd7e18b",
+        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
         "type": "github"
       },
       "original": {
@@ -396,7 +358,6 @@
       "inputs": {
         "agenix": "agenix",
         "clan-core": "clan-core",
-        "deploy-rs": "deploy-rs",
         "disko": "disko_2",
         "home-manager": "home-manager_2",
         "impermanence": "impermanence",
@@ -456,21 +417,6 @@
         "type": "github"
       }
     },
-    "systems_3": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [
@@ -479,11 +425,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746216483,
+        "lastModified": 1747299117,
-        "narHash": "sha256-4h3s1L/kKqt3gMDcVfN8/4v2jqHrgLIe4qok4ApH5x4=",
+        "narHash": "sha256-JGjCVbxS+9t3tZ2IlPQ7sdqSM4c+KmIJOXVJPfWmVOU=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "29ec5026372e0dec56f890e50dbe4f45930320fd",
+        "rev": "e758f27436367c23bcd63cd973fa5e39254b530e",
         "type": "github"
       },
       "original": {
@@ -491,24 +437,6 @@
         "repo": "treefmt-nix",
         "type": "github"
       }
-    },
-    "utils": {
-      "inputs": {
-        "systems": "systems_3"
-      },
-      "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -5,7 +5,6 @@
     inputs@{
       nixpkgs,
       clan-core,
-      deploy-rs,
       home-manager,
       impermanence,
       nixos-generators,
@@ -14,116 +13,55 @@
       ...
     }:
     let
-      inherit (nixpkgs) lib;
-      hosts = {
-        # VivoBook laptop
-        haze = {
-          system = "x86_64-linux";
-        };
-        # Hetzner VPS
-        crocus = {
-          system = "x86_64-linux";
-        };
-        # Raspberry Pi 4
-        genepi = {
-          system = "aarch64-linux";
-        };
-      };
       clan = clan-core.lib.buildClan {
         self = self;
         meta.name = "blossom";
-        machines = {
+        specialArgs = {
-          crocus = {
+          inherit inputs self;
-            nixpkgs.hostPlatform = "x86_64-linux";
+          inherit (import ./parts) keys;
-            imports = [
+        };
-              ./hosts/crocus
+        inventory = {
-            ];
+          instances = {
+            "rpqt-admin" = {
+              module.input = "clan-core";
+              module.name = "admin";
+              roles.default.machines = {
+                "crocus" = { };
+                "genepi" = { };
+                "haze" = { };
+              };
+              roles.default.settings.allowedKeys = {
+                rpqt_haze = (import ./parts).keys.rpqt.haze;
+              };
+            };
+          };
+          services = {
+            zerotier.default = {
+              roles.controller.machines = [
+                "crocus"
+              ];
+              roles.peer.machines = [
+                "haze"
+                "genepi"
+              ];
+            };
+            sshd.default = {
+              roles.server.machines = [ "crocus" ];
+            };
+            user-password.rpqt = {
+              roles.default.machines = [
+                "crocus"
+                "genepi"
+                "haze"
+              ];
+              config.user = "rpqt";
+            };
           };
         };
       };
     in
     {
       inherit (clan) clanInternals nixosConfigurations;
-      clan = { inherit (clan) templates; };
-      # nixosConfigurations =
-      #   let
-      #     mkNixosConfig =
-      #       hostname:
-      #       { system }:
-      #       lib.nixosSystem {
-      #         inherit system;
-      #         specialArgs = {
-      #           inherit inputs self;
-      #           inherit (import ./parts) keys;
-      #         };
-      #         modules = [
-      #           ./hosts/${hostname}
-      #           ./modules
-      #           ./system
-      #         ];
-      #       };
-      #   in
-      #   builtins.mapAttrs mkNixosConfig hosts;
-
-      # Raspberry Pi 4 installer ISO.
-      packages.aarch64-linux.installer-sd-image = nixos-generators.nixosGenerate {
-        specialArgs = {
-          inherit inputs;
-          inherit (import ./parts) keys;
-        };
-        system = "aarch64-linux";
-        format = "sd-aarch64-installer";
-        modules = [
-          nixos-hardware.nixosModules.raspberry-pi-4
-          ./system/core
-          ./hosts/genepi/network.nix
-          ./hosts/genepi/hardware.nix
-          {
-            nixpkgs.overlays = [
-              (final: super: {
-                makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
-              })
-            ];
-          }
-        ];
-      };
-
-      homeConfigurations = {
-        "rpqt@haze" = home-manager.lib.homeManagerConfiguration {
-          extraSpecialArgs = {
-            inherit inputs;
-          };
-          pkgs = nixpkgs.legacyPackages.x86_64-linux;
-          modules = [
-            ./hosts/haze/home.nix
-          ];
-        };
-      };
-
-      deploy.nodes.crocus = {
-        hostname = "crocus";
-        profiles = {
-          system = {
-            user = "root";
-            sshUser = "rpqt";
-            path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.crocus;
-          };
-        };
-      };
-
-      deploy.nodes.genepi = {
-        hostname = "genepi";
-        profiles = {
-          system = {
-            user = "root";
-            sshUser = "rpqt";
-            path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.genepi;
-            remoteBuild = true;
-          };
-        };
-      };
-
-      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
 
       devShells =
         let
@@ -135,7 +73,7 @@
         {
           "${system}".default = pkgs.mkShell {
             packages = [
-              inputs.agenix.packages.x86_64-linux.default
+              inputs.agenix.packages.${system}.default
               clan-core.packages.${system}.clan-cli
               pkgs.nil # Nix language server
               pkgs.nixfmt-rfc-style
@@ -159,10 +97,6 @@
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    deploy-rs = {
-      url = "github:serokell/deploy-rs";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";

hosts/genepi/backup.nix

@@ -1,95 +0,0 @@
-{
-  config,
-  keys,
-  pkgs,
-  ...
-}:
-let
-  storagebox-user = "u422292-sub1";
-  storagebox-host = "${storagebox-user}.your-storagebox.de";
-  storagebox-nightly-backup-name = "storagebox-nightly";
-  storagebox-weekly-home-backup-name = "storagebox-weekly-home";
-in
-{
-  environment.systemPackages = [
-    pkgs.sshpass
-  ];
-
-  age.secrets.restic-genepi-storagebox-key.file = ../../secrets/restic-genepi-storagebox-key.age;
-  age.secrets.restic-genepi-storagebox-password.file = ../../secrets/restic-genepi-storagebox-password.age;
-
-  programs.ssh.knownHosts = {
-    "${storagebox-host}".publicKey = keys.hosts.storagebox-rsa;
-  };
-
-  services.restic.backups."${storagebox-nightly-backup-name}" = {
-    initialize = true;
-    paths = [
-      "/persist"
-    ];
-    exclude = [
-      "/persist/@backup-snapshot"
-    ];
-    passwordFile = config.age.secrets.restic-genepi-storagebox-key.path;
-    repository = "sftp://${storagebox-user}@${storagebox-host}/";
-    extraOptions = [
-      "sftp.command='${pkgs.sshpass}/bin/sshpass -f ${config.age.secrets.restic-genepi-storagebox-password.path} -- ssh ${storagebox-host} -l ${storagebox-user} -s sftp'"
-    ];
-    timerConfig = {
-      OnCalendar = "03:00";
-      RandomizedDelaySec = "1h";
-    };
-    pruneOpts = [
-      "--keep-daily 7"
-      "--keep-weekly 5"
-      "--keep-monthly 12"
-      "--keep-yearly 10"
-    ];
-    backupPrepareCommand = ''
-      set -Eeuxo pipefail
-      # clean old snapshot
-      if btrfs subvolume delete /persist/@backup-snapshot; then
-          echo "WARNING: previous run did not cleanly finish, removing old snapshot"
-      fi
-
-      btrfs subvolume snapshot -r /persist /persist/@backup-snapshot
-
-      umount /persist
-      mount -t btrfs -o subvol=/persist/@backup-snapshot /dev/disk/by-partlabel/disk-main-root /persist
-    '';
-    backupCleanupCommand = ''
-      btrfs subvolume delete /persist/@backup-snapshot
-    '';
-  };
-
-  systemd.services."restic-backups-${storagebox-nightly-backup-name}" = {
-    path = with pkgs; [
-      btrfs-progs
-      umount
-      mount
-    ];
-    serviceConfig.privateMounts = true;
-  };
-
-  # Backup home
-  services.restic.backups."${storagebox-weekly-home-backup-name}" = {
-    initialize = true;
-    paths = [
-      "/home/rpqt"
-    ];
-    passwordFile = config.age.secrets.restic-genepi-storagebox-key.path;
-    repository = "sftp://${storagebox-user}@${storagebox-host}/";
-    extraOptions = [
-      "sftp.command='${pkgs.sshpass}/bin/sshpass -f ${config.age.secrets.restic-genepi-storagebox-password.path} -- ssh ${storagebox-host} -l ${storagebox-user} -s sftp'"
-    ];
-    timerConfig = {
-      OnCalendar = "Sat 03:30";
-      RandomizedDelaySec = "1h";
-    };
-    pruneOpts = [
-      "--keep-weekly 1"
-      "--keep-monthly 12"
-      "--keep-yearly 10"
-    ];
-  };
-}

hosts/genepi/hardware.nix

@@ -1,19 +0,0 @@
-{ pkgs, ... }:
-{
-  nixpkgs.hostPlatform = "aarch64-linux";
-
-  hardware.enableRedistributableFirmware = true;
-
-  hardware = {
-    raspberry-pi."4".apply-overlays-dtmerge.enable = true;
-    deviceTree = {
-      enable = true;
-      filter = "*rpi-4-*.dtb";
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    libraspberrypi
-    raspberrypi-eeprom
-  ];
-}

hosts/haze/secrets/secrets.nix

@@ -1,7 +0,0 @@
-let
-  keys = import ../../../parts/keys.nix;
-in
-{
-  "syncthing-key.pem.age".publicKeys = [ keys.hosts.haze ];
-  "syncthing-cert.pem.age".publicKeys = [ keys.hosts.haze ];
-}

machines/crocus/configuration.nix

@@ -7,15 +7,17 @@
 {
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
-    inputs.agenix.nixosModules.default
+    # ./radicle.nix
-    inputs.disko.nixosModules.disko
+    ../../system
-    ./disk.nix
+    inputs.clan-core.clanModules.state-version
-    ./radicle.nix
+    ../../modules/remote-builder.nix
-    ./modules
+    ../../modules/borgbackup.nix
-    ./system
   ];
 
+  nixpkgs.hostPlatform = "x86_64-linux";
+
   networking.hostName = "crocus";
+  clan.core.networking.targetHost = "root@crocus.local";
 
   networking.useDHCP = false;
   systemd.network.enable = true;
@@ -30,6 +32,10 @@
     ];
   };
 
+  services.avahi.enable = true;
+
+  disko.devices.disk.main.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_48353082";
+
   boot.loader.grub = {
     efiSupport = true;
     efiInstallAsRemovable = true;

machines/crocus/disko.nix

@@ -1,6 +1,16 @@
 {
-  disko.devices.disk.os = {
+  clan-core,
-    device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_48353082";
+  config,
+  ...
+}:
+let
+  suffix = config.clan.core.vars.generators.disk-id.files.diskId.value;
+in
+{
+  imports = [ clan-core.clanModules.disk-id ];
+
+  disko.devices.disk.main = {
+    name = "main-" + suffix;
     type = "disk";
     content = {
       type = "gpt";

machines/genepi/builder.nix

@@ -1,5 +1,9 @@
 { keys, ... }:
 {
+  imports = [
+    ../../modules/remote-builder.nix
+  ];
+
   roles.remote-builder = {
     enable = true;
     authorizedKeys = [ keys.hosts.haze ];

machines/genepi/configuration.nix

@@ -4,21 +4,16 @@
 }:
 {
   imports = [
-    inputs.disko.nixosModules.disko
-    inputs.nixos-hardware.nixosModules.raspberry-pi-4
     inputs.agenix.nixosModules.default
     inputs.impermanence.nixosModules.impermanence
     ./acme.nix
-    ./backup.nix
     ./boot.nix
     ./builder.nix
-    ./disk.nix
     ./dns.nix
     ./freshrss.nix
     ./glance.nix
-    ./hardware.nix
     ./homeassistant.nix
-    ./immich.nix
+    # ./immich.nix
     ./monitoring
     ./mpd.nix
     ./network.nix
@@ -27,6 +22,12 @@
     ./syncthing.nix
     ./taskchampion.nix
 
+    ../../system
+    ../../modules/borgbackup.nix
+
+    inputs.clan-core.clanModules.state-version
+    inputs.clan-core.clanModules.trusted-nix-caches
+
     inputs.home-manager.nixosModules.home-manager
     {
       home-manager.useGlobalPkgs = true;
@@ -35,6 +36,9 @@
     }
   ];
 
+  networking.hostName = "genepi";
+  clan.core.networking.targetHost = "root@genepi.local";
+
   nix.gc = {
     automatic = true;
     dates = "weekly";

machines/genepi/hardware-configuration.nix

@@ -0,0 +1,23 @@
+{ inputs, pkgs, ... }:
+{
+  imports = [
+    # inputs.nixos-hardware.nixosModules.raspberry-pi-4
+  ];
+
+  nixpkgs.hostPlatform = "aarch64-linux";
+
+  hardware.enableRedistributableFirmware = true;
+
+  # hardware = {
+  #   raspberry-pi."4".apply-overlays-dtmerge.enable = true;
+  #   deviceTree = {
+  #     enable = true;
+  #     filter = "*rpi-4-*.dtb";
+  #   };
+  # };
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi
+    raspberrypi-eeprom
+  ];
+}

machines/genepi/home.nix

@@ -1,7 +1,12 @@
-{ pkgs, inputs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 {
   home.username = "rpqt";
-  home.homeDirectory = "/home/rpqt";
+  home.homeDirectory = lib.mkForce "/home/rpqt";
 
   home.packages = [
     pkgs.helix

machines/genepi/immich.nix

@@ -25,4 +25,6 @@ in
       '';
     };
   };
+
+  clan.core.state.userdata.folders = [ "/var/lib/immich" ];
 }

machines/genepi/monitoring/prometheus.nix

@@ -58,4 +58,6 @@ in
       };
     };
   };
+
+  clan.core.state.userdata.folders = [ "/var/lib/prometheus2" ];
 }

machines/genepi/mpd.nix

@@ -19,7 +19,7 @@
   services.pulseaudio.systemWide = true;
 
   # Fixes the stutter when changing volume (found this randomly)
-  hardware.pulseaudio.daemon.config.flat-volumes = "no";
+  services.pulseaudio.daemon.config.flat-volumes = "no";
 
   users.users.${config.services.mpd.user}.extraGroups = [ "pulse-access" ];
 

machines/genepi/network.nix

@@ -1,6 +1,4 @@
 {
-  networking.hostName = "genepi";
-
   # Tailscale seems to break when not using resolved
   services.resolved.enable = true;
   networking.useDHCP = true;

machines/genepi/persistence.nix

@@ -25,35 +25,36 @@
     users.rpqt = {
       directories = [ ];
       files = [ ];
+      home = "/home/rpqt";
     };
   };
 
   # Empty root and remove snapshots older than 30 days
-  boot.initrd.postDeviceCommands = lib.mkAfter ''
+  # boot.initrd.postDeviceCommands = lib.mkAfter ''
-    mkdir /btrfs_tmp
+  #   mkdir /btrfs_tmp
-    mount /dev/disk/by-label/nixos /btrfs_tmp
+  #   mount /dev/disk/by-label/nixos /btrfs_tmp
-    if [[ -e /btrfs_tmp/root ]]; then
+  #   if [[ -e /btrfs_tmp/root ]]; then
-        mkdir -p /btrfs_tmp/old_roots
+  #       mkdir -p /btrfs_tmp/old_roots
-        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+  #       timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
-        mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+  #       mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
-    fi
+  #   fi
 
-    delete_subvolume_recursively() {
+  #   delete_subvolume_recursively() {
-        IFS=$'\n'
+  #       IFS=$'\n'
-        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+  #       for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-            delete_subvolume_recursively "/btrfs_tmp/$i"
+  #           delete_subvolume_recursively "/btrfs_tmp/$i"
-        done
+  #       done
-        btrfs subvolume delete "$1"
+  #       btrfs subvolume delete "$1"
-    }
+  #   }
 
-    for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+  #   for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
-        delete_subvolume_recursively "$i"
+  #       delete_subvolume_recursively "$i"
-    done
+  #   done
 
-    btrfs subvolume create /btrfs_tmp/root
+  #   btrfs subvolume create /btrfs_tmp/root
-    umount /btrfs_tmp
+  #   umount /btrfs_tmp
-    rmdir /btrfs_tmp
+  #   rmdir /btrfs_tmp
-  '';
+  # '';
 
   # Give agenix persistent paths so it can load secrets before the mount
   age.identityPaths = [

machines/haze/configuration.nix

@@ -4,12 +4,10 @@
 }:
 {
   imports = [
-    inputs.disko.nixosModules.disko
+    # inputs.disko.nixosModules.disko
     inputs.agenix.nixosModules.default
-    inputs.impermanence.nixosModules.impermanence
     ./boot.nix
     ./chat.nix
-    ./disk.nix
     ./firefox.nix
     ./gimp.nix
     ./gnome.nix
@@ -18,10 +16,12 @@
     ./ssh.nix
     ./steam.nix
     ./thunderbird.nix
-    ./hardware.nix
     ./network.nix
     ./syncthing.nix
     ./video.nix
+    ../../system
+
+    inputs.clan-core.clanModules.state-version
 
     inputs.home-manager.nixosModules.home-manager
     {
@@ -32,6 +32,9 @@
     }
   ];
 
+  networking.hostName = "haze";
+  clan.core.networking.targetHost = "rpqt@haze.local";
+
   specialisation = {
     hyprland.configuration =
       { ... }:

machines/haze/network.nix

@@ -1,7 +1,5 @@
 { pkgs, ... }:
 {
-  networking.hostName = "haze";
-
   networking.networkmanager = {
     enable = true;
     wifi.powersave = true;

machines/haze/secrets/secrets.nix

@@ -0,0 +1,13 @@
+let
+  keys = import ../../../parts/keys.nix;
+in
+{
+  "syncthing-key.pem.age".publicKeys = [
+    keys.hosts.haze
+    keys.rpqt.haze
+  ];
+  "syncthing-cert.pem.age".publicKeys = [
+    keys.hosts.haze
+    keys.rpqt.haze
+  ];
+}

machines/haze/syncthing.nix

@@ -7,11 +7,11 @@ let
   home = config.users.users.${user}.home;
 in
 {
-  age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
+  # age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
-  age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
+  # age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
 
   services.syncthing = {
-    enable = true;
+    enable = false;
     user = user;
     group = "users";
     dataDir = home;

modules/borgbackup.nix

@@ -0,0 +1,17 @@
+{ config, inputs, ... }:
+let
+  user = "u422292";
+  sub-user = "${user}";
+  host = "${user}.your-storagebox.de";
+in
+{
+  imports = [
+    ./storagebox.nix
+    inputs.clan-core.clanModules.borgbackup
+  ];
+
+  clan.borgbackup.destinations."storagebox-${config.networking.hostName}" = {
+    repo = "${sub-user}@${host}:./borgbackup/${config.networking.hostName}";
+    rsh = "ssh -oPort=23 -i ${config.clan.core.vars.generators.borgbackup.files."borgbackup.ssh".path}";
+  };
+}

modules/default.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ./remote-builder.nix
-  ];
-}

modules/storagebox.nix

@@ -0,0 +1,12 @@
+let
+  user = "u422292";
+  host = "${user}.your-storagebox.de";
+in
+{
+  programs.ssh.knownHosts = {
+    storagebox-ed25519 = {
+      hostNames = [ "[${host}]:23" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+    };
+  };
+}

system/core/default.nix

@@ -19,7 +19,7 @@
     wheelNeedsPassword = false;
   };
 
-  system.stateVersion = lib.mkDefault "24.11";
+  # system.stateVersion = lib.mkDefault "24.11";
 
   time.timeZone = lib.mkDefault "Europe/Paris";
 }

system/core/ssh-server.nix

@@ -2,7 +2,7 @@
   services.openssh = {
     enable = true;
     settings = {
-      PermitRootLogin = "no";
+      # PermitRootLogin = "no";
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
       AuthenticationMethods = "publickey";

vars/per-machine/crocus/openssh/ssh.id_ed25519/secret

@@ -1,18 +1,18 @@
 {
-	"data": "ENC[AES256_GCM,data:dpuDys5W+OwLcqY61eg5dUWhvmr7/QtxYB0ksY0lVkheFdtnoEF4E8PSAir0Jw8X2jryGNj69Uiu/rIyyPqQfI4YH3AI5km8MnDphmBnXpFdf0FUm/zOXiBAWMoPrG7L1lwJfugW/N8uo0zOxuDU/zdPzu/PXxEAphxpHLl0ddliaYYU08XdaGVK+x01S21amhasJ4wXz7lcB1uxe+Mod4v/BWx3uOilcJ8NH4StMrpLdZhi7JEpXBmtifHofNqgBMyU7nKkbxb+sJ9RZawVoPBAlDfnE6uHoGQt4sLOyE3Ws8mfRRI0ii1Loi4J3nfjeYg6gq0eq6Lqn62XBdYyaMs9aw7217UTy0DCeKiq5Oa8SxIHS8+883Kfk83gUokHe9zj4dTbjxv3uvx09YbVdUoGGlr17F+PVxhpvgUD5NE/sdgRBLEj1JqLAr69hJHgYNbobrfIkNiJ8oLDLDybPNxxokf4vGjijThbW8kTyX/Vk9C25U67cUhQLNz4pceOueUujgbGfapB860XIlur,iv:0YNYcOGci/NzOdazLYqEQZY3nGlPDLPHenom2BCd5yw=,tag:Wok845AMLGoTvc2JfXbhDg==,type:str]",
+	"data": "ENC[AES256_GCM,data:NuuwsBJ5E33VfWQwHnCujrU44VN9YUi4QD3ZJBaBMgfmjMA=,iv:f/8P5xs/0DWvaashUP9pYbigU4EyQsHoTh/hj8tP/sc=,tag:afZMpL4jyLWiNIUnDo5nzQ==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBveWxMTGgxenl5ekluU2NX\nU3htdkV3UEVrTWFGaVMyYzA4dlVzQlhjMGxJCmcrbDNWcjRPSStYeXQyQkZia2t0\nSTV3L1M5QlJpQmEvU0xQUWZBUjYzeDAKLS0tICtscDBCeDc0UUhCNW1pL3hITy9z\nNVBhR3IyYjZOTVNVOXA3SURnZjlzZ2MKIornVOhZIImo+/MlnsdDCaER7OQgLrkQ\nOlzf1SciYxDBkkPPyhEngm61GLx8qc7y0lyEbiwSZ/Vp7z1Yzza2IA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQkF0MEo2UlN6bFhualpV\nL1NteXpYdUhpZmlqWWY4eGNpTFdKeVRkTUQwCnVVWnpkbUNxTjlhRTU0eXJZRytt\ncDJJN2JmWkJrbnhPU09SSzBaM2VGWVkKLS0tIGVMZHpSNFY4WFBoczc2N3VnMHVB\nZWEvRHBSZUN2dk9nYmVPbjViV1hUbFEKjJ3fWv7LdCwuS4VpdZR7wbvtdUYkCZQK\neQuZ0SG9zF87kL4BpdpXlX2f6yuN4ZdgSPZ5IXc1SFwPJZz3v3Vg5Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySUJJdEE4T1ZmVnpWQWk1\nNEZiSjBuaW82R2k3S2l4VmczWjJ2REJaSW5FCldIME5abkJham1hZGFYQ1B1NU0y\neXFmaVJZb1Q5ZlZzSnhNbUtpbHI5NWMKLS0tIFV1OEtIaExOWHRzdFJBOEdqcDRa\nMU1CQzlhM2l3dWRpb2hPUW1WU2NKUDgKx8C2mZ50JQ2QnhSiff/q5J1AgH+HbTIw\nwb0wDruuEUm5cBYNStXJCLFSMZ2v2UnPQ7uor1YE6XuwNh1YTwJm5A==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaStpMDR4ejlwZzJzWnlS\ndkZDam1qZWpQbzVWc25aem1QcldZMHZmeGdJCnE1andLY2JWKzF1Wlh2Q09rWkw5\nc2psZEdFbWFtRi9ic0VDTi9hQVREYTAKLS0tIDB0ajhRNW9wZ055dkFRZGgxcDFk\nYWsreVBwOUxiejNoMVhGMVNET1JydXMK7wH41osgGbCHOWTYpRnw58RvT+vEJTeO\nspdyEnP4hqYl/+CGzYkZ0crJuVvo8oULAAfbXbWtOkVglqHJ2LxGCw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-05-09T22:28:08Z",
+		"lastmodified": "2025-05-14T20:56:58Z",
-		"mac": "ENC[AES256_GCM,data:jSX6HCuqQdulvzLQO58IvXWaaBJ76JjKDs5rElBz30+RM/bEfHvRCZgszS3frmP6aDPO+YDZldAG2J1bhi2VddbjhkETLXV/101qmaWvm9ZoMmOV5CzrBkBpD16HloWJZ4j9dpHbBiIJbDjjjq0VBp/PZccHR0O0kLK5B/g4nkQ=,iv:7fqaUTH1yFR2uuDjvkRmInv6bvjwnyOC4FAXeLb3aGc=,tag:N3tScjqzfmzGsol9It9pGQ==,type:str]",
+		"mac": "ENC[AES256_GCM,data:EyS804VI4ogWs0SELwfV6de1Yt8PU2qckwBBKuWws7W9EfHdDNWqYA15tUwn4hLjPrW8mgm7FF2/uf0KN9vi43tXUPH9eGnp9NW+BVQL6NObabaYRO/5jwPpxz05qy+HVDw0XF/trGeOwGImmbeSGtKzrLzBmh+vr7/ElzthCyQ=,iv:NRAiTCxS/zBNhGF5l4mGPuEJzWZk/V5BJoOeLtGyqK0=,tag:bCJYDt6xFzoTDG6AUsM0tw==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}