From a7a3cbbc7a8f0c0c91f74c4f0dcfc69d9639ca82 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 8 Aug 2025 16:56:37 +0200 Subject: [PATCH 01/40] Add basic new server config Includes sshd for easy connecting in local virtualized environment. --- flake.lock | 30 +++++------ flake.nix | 12 +++++ hosts/nixos-server-test/default.nix | 51 +++++++++++++++++++ .../hardware-configuration.nix | 31 +++++++++++ modules/sshd.nix | 13 +++++ 5 files changed, 122 insertions(+), 15 deletions(-) create mode 100644 hosts/nixos-server-test/default.nix create mode 100644 hosts/nixos-server-test/hardware-configuration.nix create mode 100644 modules/sshd.nix diff --git a/flake.lock b/flake.lock index 000b4f1..88bab71 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1748372346, - "narHash": "sha256-7y7NZ6uW0GbT0h4gqfD2xvRuJj5IlPGw32oIc9Twga8=", + "lastModified": 1752998173, + "narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "becd5b89963fa54fef3566147f3fd2087f8a5842", + "rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd", "type": "github" }, "original": { @@ -65,11 +65,11 @@ ] }, "locked": { - "lastModified": 1749154018, - "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", + "lastModified": 1753592768, + "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=", "owner": "nix-community", "repo": "home-manager", - "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", + "rev": "fc3add429f21450359369af74c2375cb34a2d204", "type": "github" }, "original": { 
@@ -87,11 +87,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1746906641, - "narHash": "sha256-b6few4tkqN2TWdrZTwWOjsWxA11rle7y9pcc0/ynuoE=", + "lastModified": 1752585957, + "narHash": "sha256-ogQo/MMNSIM4U4VQMieIrpLhjkgSbev3VR24foJ/h/U=", "owner": "~rycee", "repo": "lazy-apps", - "rev": "0b30a0bf524a661f9657c441d021aaa5724f12ff", + "rev": "3c3ce5001e24b6c12496a5920eee28a96f8d49d6", "type": "sourcehut" }, "original": { @@ -102,11 +102,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1749195551, - "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=", + "lastModified": 1754229794, + "narHash": "sha256-yOl7REX6O/1mh+tpscJPKgjK6nmXSMOB1xhmDNAMUZM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4602f7e1d3f197b3cb540d5accf5669121629628", + "rev": "a872d985392ee5b19d8409bfcc3f106de2070070", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749086602, - "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=", + "lastModified": 1754028485, + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4792576cb003c994bd7cc1edada3129def20b27d", + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 558ac71..8adf2e8 100644 --- a/flake.nix +++ b/flake.nix @@ -90,6 +90,18 @@ ./hosts/backup-raspberrypi ]; }; + + server = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + ./hosts/nixos-server-test + ]; + }; }; }; } diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix new file mode 100644 index 0000000..a4421da --- /dev/null +++ b/hosts/nixos-server-test/default.nix 
@@ -0,0 +1,51 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/nix.nix + ../../modules/sshd.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + # Use the GRUB 2 boot loader. + boot = { + loader.grub = { + enable = true; + device = "/dev/vda"; + }; + tmp.useTmpfs = true; + }; + networking.hostName = "nixos-server"; # Define your hostname. + users = { + users = { + julius = { + isNormalUser = true; + uid = 1000; + extraGroups = [ "wheel" "julius" ]; + }; + }; + groups = { + julius = { + gid = 1000; + }; + }; + }; + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} diff --git a/hosts/nixos-server-test/hardware-configuration.nix b/hosts/nixos-server-test/hardware-configuration.nix new file mode 100644 index 0000000..6dfd7c4 --- /dev/null 
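Review bot: The `julius` user created in this hunk has neither a password nor `openssh.authorizedKeys.keys`, while the sshd module added in the same commit sets `PasswordAuthentication = false`, so the "easy connecting" the commit message promises has no working login path. Add a key under `users.users.julius`, e.g. `openssh.authorizedKeys.keys = [ "<PUBLIC KEY PLACEHOLDER>" ];`. The `imports` list also pulls in `../../modules/nix.nix` twice; the second entry is redundant. `extraGroups = [ "wheel" "julius" ]` lists the user's own group as supplementary while `group` is left at its default, so `group = "julius";` is presumably what was meant.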
+++ b/hosts/nixos-server-test/hardware-configuration.nix @@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/e46c412a-8b6d-41b8-b53c-65d7a8fc39ed"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/modules/sshd.nix b/modules/sshd.nix new file mode 100644 index 0000000..49af4a5 --- /dev/null +++ b/modules/sshd.nix @@ -0,0 +1,13 @@ +{ + pkgs, + lib, + ... +}: { + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; +} From 82bb877bfbde832ad0cf964a2eb1895ef430369f Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sat, 9 Aug 2025 10:21:16 +0200 Subject: [PATCH 02/40] Add proxmox-nixos --- flake.lock | 102 +++++++++++++++++++++++++++- flake.nix | 9 +++ hosts/nixos-server-test/default.nix | 6 ++ 3 files changed, 116 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index 88bab71..48507a1 100644 --- a/flake.lock +++ b/flake.lock 
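Review bot: `PasswordAuthentication = false` alone does not close the password path on NixOS, because keyboard-interactive (PAM) authentication stays enabled unless `KbdInteractiveAuthentication = false;` is also set in `services.openssh.settings`. With that line the module matches the intent stated by `PermitRootLogin = "no"`. The `pkgs` and `lib` arguments in the module header are unused and can be dropped.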
@@ -36,6 +36,21 @@ "type": "github" } }, + "flake-compat_2": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -148,6 +163,36 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1748437600, + "narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7282cb574e0607e65224d33be8241eae7cfe0979", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-25.05", + "type": "indirect" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1723637854, + "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", @@ -172,6 +217,27 @@ "type": "github" } }, + "proxmox-nixos": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs-stable": "nixpkgs-stable_2", + "nixpkgs-unstable": "nixpkgs-unstable", + "utils": "utils" + }, + "locked": { + "lastModified": 1754428470, + "narHash": "sha256-Sxf8gf+vfGeFaJMW3D+8pwH/+WwYTQOg47Lrm42+kTc=", + "owner": "SaumonNet", + "repo": "proxmox-nixos", + "rev": "6faed2845ef5f0bb05c9519b75097bbe7fb39327", + "type": "github" + }, + "original": { + "owner": "SaumonNet", + "repo": "proxmox-nixos", + "type": "github" + } + }, "root": { "inputs": { "auto-cpufreq": "auto-cpufreq", 
@@ -179,10 +245,26 @@ "lazy-apps": "lazy-apps", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", - "systems": "systems" + "proxmox-nixos": "proxmox-nixos", + "systems": "systems_2" } }, "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -196,6 +278,24 @@ "repo": "default-linux", "type": "github" } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 8adf2e8..867eeb5 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,7 @@ url = "sourcehut:~rycee/lazy-apps"; inputs.nixpkgs.follows = "nixpkgs"; }; + proxmox-nixos.url = "github:SaumonNet/proxmox-nixos"; systems.url = "github:nix-systems/default-linux"; }; @@ -28,6 +29,7 @@ nixos-hardware, home-manager, auto-cpufreq, + proxmox-nixos, systems, ... } @ inputs: let @@ -100,6 +102,13 @@ modules = [ ./hosts/nixos-server-test + proxmox-nixos.nixosModules.proxmox-ve + + ({...}: { + nixpkgs.overlays = [ + proxmox-nixos.overlays.${system} + ]; + }) ]; }; }; diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index a4421da..c52fb8a 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix 
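Review bot: The new `proxmox-nixos.url` input in the first flake.nix hunk carries no `inputs.*.follows`, and the lock hunks of this commit show it pinning its own `nixpkgs-stable_2` and `nixpkgs-unstable` (the latter with lastModified 1723637854, roughly a year older than the root `nixpkgs`), so the host evaluates a second, older nixpkgs tree alongside the one it follows everywhere else. If upstream supports it, add `proxmox-nixos.inputs.nixpkgs-stable.follows = "nixpkgs";` next to the url, mirroring how `lazy-apps` is declared two lines above; whether proxmox-nixos builds against a newer nixpkgs needs checking before doing so. Either way, a comment stating why the input keeps its own pins would save the next reader the same question.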
@@ -35,6 +35,12 @@ }; }; }; + + services.proxmox-ve = { + enable = true; + ipAddress = "192.168.122.42"; + }; + # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # Most users should NEVER change this value after the initial install, for any reason, From 8e15acd0c6a4107df3d5f424cf9b0d0631d8160f Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 10 Aug 2025 23:24:39 +0200 Subject: [PATCH 03/40] Add network bridge config --- hosts/nixos-server-test/default.nix | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index c52fb8a..f37aca5 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix @@ -7,7 +7,6 @@ ../../modules/network-server.nix ../../modules/locale.nix ../../modules/server-cli.nix - ../../modules/nix.nix ../../modules/sshd.nix # Include the results of the hardware scan. ./hardware-configuration.nix @@ -39,6 +38,33 @@ services.proxmox-ve = { enable = true; ipAddress = "192.168.122.42"; + + # Make vmbr0 bridge visible in Proxmox web interface + bridges = [ "vmbr0" ]; + }; + + # Actually set up the vmbr0 bridge + systemd.network.networks."10-lan" = { + matchConfig.Name = [ "ens18" ]; + networkConfig = { + Bridge = "vmbr0"; + }; + }; + + systemd.network.netdevs."vmbr0" = { + netdevConfig = { + Name = "vmbr0"; + Kind = "bridge"; + }; + }; + + systemd.network.networks."10-lan-bridge" = { + matchConfig.Name = "vmbr0"; + networkConfig = { + IPv6AcceptRA = true; + DHCP = "ipv4"; + }; + linkConfig.RequiredForOnline = "routable"; }; # This option defines the first version of NixOS you have installed on this particular machine, From f7c3edf779a2691474986f836a185989571c13d9 Mon Sep 17 00:00:00 2001 
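Review bot: `ipAddress = "192.168.122.42"` is a fixed literal while the host's hardware-configuration.nix, added in the first commit of this series, leaves `networking.useDHCP = lib.mkDefault true`, so the address Proxmox advertises only holds as long as the DHCP lease happens to match it. Either assign that address statically or document the dependency next to the line, e.g. `# must match the DHCP reservation for this VM`. The later commits in the series change the value again, which suggests it is indeed tracking a lease. The enclosing attribute set starts outside the hunk.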
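Review bot: The `systemd.network.*` units added in the second hunk of the "Add network bridge config" commit are never activated: nothing in this commit sets `systemd.network.enable = true`, and `networking.useDHCP` from hardware-configuration.nix still applies, so scripted networking keeps DHCP on the physical interface while `vmbr0` is not rendered at all. `matchConfig.Name = [ "ens18" ]` also does not match the `enp1s0` name that hardware-configuration.nix references for this VM. The next commit adds the `enable` line, so this is a point about the series being bisectable rather than about the final tree; the enclosing attribute set starts outside the hunk.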
From: JuliusFreudenberger Date: Mon, 11 Aug 2025 23:34:35 +0200 Subject: [PATCH 04/40] Actually apply systemd-networkd configuration Also disable networking.* options --- hosts/nixos-server-test/default.nix | 63 ++++++++++++++++++++--------- 1 file changed, 43 insertions(+), 20 deletions(-) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index f37aca5..b92920a 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix @@ -4,7 +4,6 @@ imports = [ ../../modules/nix.nix - ../../modules/network-server.nix ../../modules/locale.nix ../../modules/server-cli.nix ../../modules/sshd.nix 
@@ -43,28 +42,52 @@ bridges = [ "vmbr0" ]; }; - # Actually set up the vmbr0 bridge - systemd.network.networks."10-lan" = { - matchConfig.Name = [ "ens18" ]; - networkConfig = { - Bridge = "vmbr0"; - }; - }; + networking.useDHCP = false; - systemd.network.netdevs."vmbr0" = { - netdevConfig = { - Name = "vmbr0"; - Kind = "bridge"; - }; - }; + systemd.network = { + enable = true; - systemd.network.networks."10-lan-bridge" = { - matchConfig.Name = "vmbr0"; - networkConfig = { - IPv6AcceptRA = true; - DHCP = "ipv4"; + links."10-wan" = { + matchConfig.Path = "pci-0000:01:00.0"; + linkConfig.Name = "wan"; + }; + + networks."10-wan" = { + matchConfig.Name = "enp1s0"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + }; + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; + + + # Actually set up the vmbr0 bridge + networks."10-lan" = { + matchConfig.Name = [ "ens18" ]; + networkConfig = { + Bridge = "vmbr0"; + }; + }; + + netdevs."vmbr0" = { + netdevConfig = { + Name = "vmbr0"; + Kind = "bridge"; + }; + }; + + networks."10-lan-bridge" = { + matchConfig.Name = "vmbr0"; + networkConfig = { + IPv6AcceptRA = true; + DHCP = "ipv4"; + }; + linkConfig.RequiredForOnline = "routable"; }; - linkConfig.RequiredForOnline = "routable"; }; # This option defines the first version of NixOS you have installed on this particular machine, From c790a14db1f2bbf0220dfdbcbd02453d4b25b8f3 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 12 Aug 2025 00:05:42 +0200 Subject: [PATCH 05/40] Migrate bridge config to networking.* --- hosts/nixos-server-test/default.nix | 50 +++-------------------------- 1 file changed, 4 insertions(+), 46 deletions(-) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index b92920a..00afad0 100644 
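Review bot: In the `10-wan` pair, `links."10-wan"` renames the device at `pci-0000:01:00.0` to `wan`, but `networks."10-wan"` matches `enp1s0`, so after the rename no `.network` unit matches that interface and it gets neither DHCP nor SLAAC; the match should read `matchConfig.Name = "wan";` (or the rename should go). `networks."10-lan"` still matches `ens18`, which hardware-configuration.nix does not list for this VM, so `vmbr0` ends up with no member port. A one-line comment per unit naming the physical interface it is meant for (`# proxmox host uplink, enp1s0 on the test VM`) would make such mismatches visible at review time; the enclosing attribute set starts outside the hunk.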
--- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix @@ -42,52 +42,10 @@ bridges = [ "vmbr0" ]; }; - networking.useDHCP = false; - - systemd.network = { - enable = true; - - links."10-wan" = { - matchConfig.Path = "pci-0000:01:00.0"; - linkConfig.Name = "wan"; - }; - - networks."10-wan" = { - matchConfig.Name = "enp1s0"; - networkConfig = { - # start a DHCP Client for IPv4 Addressing/Routing - DHCP = "ipv4"; - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - }; - # make routing on this interface a dependency for network-online.target - linkConfig.RequiredForOnline = "routable"; - }; - - - # Actually set up the vmbr0 bridge - networks."10-lan" = { - matchConfig.Name = [ "ens18" ]; - networkConfig = { - Bridge = "vmbr0"; - }; - }; - - netdevs."vmbr0" = { - netdevConfig = { - Name = "vmbr0"; - Kind = "bridge"; - }; - }; - - networks."10-lan-bridge" = { - matchConfig.Name = "vmbr0"; - networkConfig = { - IPv6AcceptRA = true; - DHCP = "ipv4"; - }; - linkConfig.RequiredForOnline = "routable"; - }; + # Actually set up the vmbr0 bridge + networking = { + bridges.vmbr0.interfaces = [ "enp1s0" ]; + interfaces.vmbr0.useDHCP = lib.mkDefault true; }; # This option defines the first version of NixOS you have installed on this particular machine, From 7bce6df38b0e08a495858ca70f96585b2b4894a7 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 12 Aug 2025 00:39:41 +0200 Subject: [PATCH 06/40] Working bridge configuration using systemd-networkd --- hosts/nixos-server-test/default.nix | 33 ++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index 00afad0..9b7f27d 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix 
@@ -36,16 +36,39 @@ services.proxmox-ve = { enable = true; - ipAddress = "192.168.122.42"; + ipAddress = "192.168.122.71"; # Make vmbr0 bridge visible in Proxmox web interface bridges = [ "vmbr0" ]; }; - # Actually set up the vmbr0 bridge - networking = { - bridges.vmbr0.interfaces = [ "enp1s0" ]; - interfaces.vmbr0.useDHCP = lib.mkDefault true; + networking.useDHCP = false; + + systemd.network = { + enable = true; + + networks."10-lan" = { + matchConfig.Name = [ "enp1s0" ]; + networkConfig = { + Bridge = "vmbr0"; + }; + }; + + netdevs."vmbr0" = { + netdevConfig = { + Name = "vmbr0"; + Kind = "bridge"; + }; + }; + + networks."10-lan-bridge" = { + matchConfig.Name = "vmbr0"; + networkConfig = { + IPv6AcceptRA = true; + DHCP = "ipv4"; + }; + linkConfig.RequiredForOnline = "routable"; + }; }; # This option defines the first version of NixOS you have installed on this particular machine, From 2f19307456d659f10326d4be8ad9e6ab20405c96 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 12 Aug 2025 02:27:42 +0200 Subject: [PATCH 07/40] Configure proxmox-nixos cache --- hosts/nixos-server-test/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index 9b7f27d..409e2fa 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix @@ -34,6 +34,15 @@ }; }; + nix.settings = { + substituters = [ + "https://cache.saumon.network/proxmox-nixos" + ]; + trusted-public-keys = [ + "proxmox-nixos:D9RYSWpQQC/msZUWphOY2I5RLH5Dd6yQcaHIuug7dWM=" + ]; + }; + services.proxmox-ve = { enable = true; ipAddress = "192.168.122.71"; From 1038d8a24840dce1d337b3304e7e2fcce52f0490 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sat, 16 Aug 2025 22:07:11 +0200 Subject: [PATCH 08/40] Add disko --- flake.lock | 33 +++++++++++++++++++++++++++------ flake.nix | 20 ++++++++++++++++++++ 2 files changed, 47 insertions(+), 6 deletions(-) 
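Review bot: `ipAddress = "192.168.122.71"` is a literal while `networks."10-lan-bridge"` obtains vmbr0's address with `DHCP = "ipv4"`, so the address Proxmox binds its API and cluster traffic to and the address the bridge actually holds can diverge whenever the lease changes. Pin the bridge statically instead, replacing the DHCP line with `Address = "192.168.122.71/24"; Gateway = "<GATEWAY PLACEHOLDER>";` inside `networkConfig`, or record the DHCP reservation that keeps the two in sync in a comment next to `ipAddress`. The enclosing attribute set starts outside the hunk.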
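Review bot: The `trusted-public-keys` entry added in the `nix.settings` hunk is trusted for any store path offered by any substituter, not only for the cache listed above it, and the hunk gives no indication of where the key was obtained. Add a provenance comment next to the key, e.g. `# proxmox-nixos cache signing key; verify against the upstream project's published key before trusting`, so that a key rotation or a copy error is caught rather than silently accepted. The enclosing attribute set starts outside the hunk.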
diff --git a/flake.lock b/flake.lock index 48507a1..97db651 100644 --- a/flake.lock +++ b/flake.lock @@ -20,6 +20,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "owner": "nix-community", + "repo": "disko", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -117,11 +137,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1754229794, - "narHash": "sha256-yOl7REX6O/1mh+tpscJPKgjK6nmXSMOB1xhmDNAMUZM=", + "lastModified": 1754564048, + "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a872d985392ee5b19d8409bfcc3f106de2070070", + "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113", "type": "github" }, "original": { @@ -133,11 +153,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754028485, - "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", + "lastModified": 1754767907, + "narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=", "owner": "nixos", "repo": "nixpkgs", - "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "rev": "c5f08b62ed75415439d48152c2a784e36909b1bc", "type": "github" }, "original": { @@ -241,6 +261,7 @@ "root": { "inputs": { "auto-cpufreq": "auto-cpufreq", + "disko": "disko", "home-manager": "home-manager", "lazy-apps": "lazy-apps", "nixos-hardware": "nixos-hardware", diff --git a/flake.nix b/flake.nix index 867eeb5..2204722 100644 --- a/flake.nix +++ b/flake.nix @@ -18,6 +18,10 @@ inputs.nixpkgs.follows = "nixpkgs"; }; proxmox-nixos.url = "github:SaumonNet/proxmox-nixos"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; systems.url = "github:nix-systems/default-linux"; }; 
@@ -30,6 +34,7 @@ home-manager, auto-cpufreq, proxmox-nixos, + disko, systems, ... } @ inputs: let @@ -111,6 +116,21 @@ }) ]; }; + + kube01 = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + disko.nixosModules.disko + ./hosts/kube01/disko-config.nix + ./hosts/kube01 + ]; + }; + }; }; } From 21582cbf81003981178f7b7844d326ef348e9461 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sat, 16 Aug 2025 22:07:27 +0200 Subject: [PATCH 09/40] Add configuration for kubernetes host kube01 --- hosts/kube01/default.nix | 60 +++++++++++++++++++++++++ hosts/kube01/disko-config.nix | 56 +++++++++++++++++++++++ hosts/kube01/hardware-configuration.nix | 24 ++++++++++ modules/k3s.nix | 27 +++++++++++ 4 files changed, 167 insertions(+) create mode 100644 hosts/kube01/default.nix create mode 100644 hosts/kube01/disko-config.nix create mode 100644 hosts/kube01/hardware-configuration.nix create mode 100644 modules/k3s.nix diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix new file mode 100644 index 0000000..a19be4d --- /dev/null +++ b/hosts/kube01/default.nix 
@@ -0,0 +1,60 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/sshd.nix + ../../modules/k3s.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot = { + loader = { + systemd-boot = { + enable = true; + }; + efi.canTouchEfiVariables = true; + }; + tmp.useTmpfs = true; + }; + + networking.hostName = "kube01"; # Define your hostname. + + users = { + users = { + julius = { + initialPassword = "password"; + isNormalUser = true; + uid = 1000; + extraGroups = [ "wheel" "julius" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiZXFM8XFkReb9HuGcY5rtPXsGuZ2eDnBBpI0kcHa6c julius@julius-framework" + ]; + }; + }; + groups = { + julius = { + gid = 1000; + }; + }; + }; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} 
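Review bot: `initialPassword = "password"` gives a `wheel` member a well-known credential on every freshly installed node and commits it in plain text; since the same hunk already provisions an SSH key, drop the line or replace it with `hashedPasswordFile = "<PATH OUTSIDE STORE PLACEHOLDER>";`. `extraGroups = [ "wheel" "julius" ]` lists the user's own group as supplementary while `group` is left at its default, so `group = "julius";` is presumably intended. The same password line is carried into users/julius/nixos-server.nix by the "Add nixos-server user module" commit later in the series.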
diff --git a/hosts/kube01/disko-config.nix b/hosts/kube01/disko-config.nix new file mode 100644 index 0000000..24ffe29 --- /dev/null +++ b/hosts/kube01/disko-config.nix @@ -0,0 +1,56 @@ +{ + disko.devices = { + disk = { + vdb = { + type = "disk"; + device = "/dev/sda"; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + start = "1M"; + end = "128M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; # Override existing partition + # Subvolumes must set a mountpoint in order to be mounted, + # unless their parent is mounted + subvolumes = { + # Subvolume name is different from mountpoint + "/rootfs" = { + mountpoint = "/"; + }; + # Subvolume name is the same as the mountpoint + "/home" = { + mountOptions = [ "compress=zstd" ]; + mountpoint = "/home"; + }; + # Sub(sub)volume doesn't need a mountpoint as its parent is mounted + "/home/julius" = { }; + # Parent is not mounted so the mountpoint must be set + "/nix" = { + mountOptions = [ "compress=zstd" "noatime" ]; + mountpoint = "/nix"; + }; + }; + + mountpoint = "/partition-root"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/kube01/hardware-configuration.nix b/hosts/kube01/hardware-configuration.nix new file mode 100644 index 0000000..f198f81 --- /dev/null +++ b/hosts/kube01/hardware-configuration.nix 
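Review bot: The ESP filesystem mounted at `/boot` has no `mountOptions`, so the vfat volume is mounted world-readable; systemd-boot keeps its random seed there alongside the kernels and initrds, and NixOS warns when /boot is world-accessible. Add `mountOptions = [ "umask=0077" ];` next to `mountpoint = "/boot";`. The disk attribute is named `vdb` while `device = "/dev/sda"`, a mismatch the "Move disko configuration to modules" commit corrects, and `extraArgs = [ "-f" ]` lets disko overwrite an existing filesystem on that device without further confirmation, which deserves a more explicit comment than `# Override existing partition` once the file is shared by several hosts.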
@@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/modules/k3s.nix b/modules/k3s.nix new file mode 100644 index 0000000..940355e --- /dev/null +++ b/modules/k3s.nix @@ -0,0 +1,27 @@ +{ + pkgs, + lib, + ... +}: { + + services.k3s = { + enable = true; + role = "server"; + clusterInit = true; + token = "verysecrettoken"; + extraFlags = toString ([ + "--write-kubeconfig-mode \"0644\"" + "--disable servicelb" + "--disable traefik" + "--disable local-storage" + ]); + }; + + networking.firewall.allowedTCPPorts = [ + 6443 + ]; + networking.firewall.allowedUDPPorts = [ + 8472 + ]; + +} From 59506dac35118b701d618c7866c0d7ffe72364b3 Mon Sep 17 00:00:00 2001 
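Review bot: `token = "verysecrettoken"` puts the cluster join secret into the module source and, via the option, into the world-readable Nix store; use `tokenFile = "<PATH OUTSIDE STORE PLACEHOLDER>";` instead so the secret is read at service start. `clusterInit = true` is set in a module that every kube node imports (kube02 and kube03 in the "Add more kube nodes" commit), so each node bootstraps its own one-node cluster rather than joining kube01; only the first server should set it, the others need `serverAddr` pointing at it. `--write-kubeconfig-mode "0644"` makes the admin kubeconfig readable by every local user; if non-root access is wanted, grant it to a group rather than to world. The `pkgs` and `lib` arguments are unused.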
From: JuliusFreudenberger Date: Sat, 16 Aug 2025 22:18:20 +0200 Subject: [PATCH 10/40] Move disko configuration to modules --- flake.nix | 1 - hosts/kube01/default.nix | 2 ++ .../kube01/disko-config.nix => modules/disko/efi-full-btrfs.nix | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) rename hosts/kube01/disko-config.nix => modules/disko/efi-full-btrfs.nix (99%) diff --git a/flake.nix b/flake.nix index 2204722..527a41f 100644 --- a/flake.nix +++ b/flake.nix @@ -126,7 +126,6 @@ modules = [ disko.nixosModules.disko - ./hosts/kube01/disko-config.nix ./hosts/kube01 ]; }; diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index a19be4d..53f1ac3 100644 --- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -3,6 +3,8 @@ { imports = [ + ../../modules/disko/efi-full-btrfs.nix + ../../modules/nix.nix ../../modules/network-server.nix ../../modules/locale.nix diff --git a/hosts/kube01/disko-config.nix b/modules/disko/efi-full-btrfs.nix similarity index 99% rename from hosts/kube01/disko-config.nix rename to modules/disko/efi-full-btrfs.nix index 24ffe29..5dcb78c 100644 --- a/hosts/kube01/disko-config.nix +++ b/modules/disko/efi-full-btrfs.nix @@ -1,7 +1,7 @@ { disko.devices = { disk = { - vdb = { + sda = { type = "disk"; device = "/dev/sda"; content = { From 544930ff2d0f4cfdcb1d5b169b669f70c2c70f12 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 17 Aug 2025 01:34:38 +0200 Subject: [PATCH 11/40] Externalize systemd-boot module --- hosts/kube01/default.nix | 10 +--------- modules/systemd-boot.nix | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 9 deletions(-) create mode 100644 modules/systemd-boot.nix diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index 53f1ac3..e50f156 100644 --- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -4,6 +4,7 @@ imports = [ ../../modules/disko/efi-full-btrfs.nix + ../../modules/systemd-boot.nix ../../modules/nix.nix ../../modules/network-server.nix 
@@ -15,15 +16,6 @@ ./hardware-configuration.nix ]; - boot = { - loader = { - systemd-boot = { - enable = true; - }; - efi.canTouchEfiVariables = true; - }; - tmp.useTmpfs = true; - }; networking.hostName = "kube01"; # Define your hostname. diff --git a/modules/systemd-boot.nix b/modules/systemd-boot.nix new file mode 100644 index 0000000..02f515d --- /dev/null +++ b/modules/systemd-boot.nix @@ -0,0 +1,15 @@ +{ + ... +}: { + + boot = { + loader = { + systemd-boot = { + enable = true; + }; + efi.canTouchEfiVariables = true; + }; + tmp.useTmpfs = true; + }; + +} From 18b28c2e9d3053d27536cf79a9f8d9d4d67a0660 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 17 Aug 2025 01:35:09 +0200 Subject: [PATCH 12/40] Add qemu-guest-utils module --- hosts/kube01/default.nix | 1 + modules/qemu-guest.nix | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 modules/qemu-guest.nix diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index e50f156..7b69d12 100644 --- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -12,6 +12,7 @@ ../../modules/server-cli.nix ../../modules/sshd.nix ../../modules/k3s.nix + ../../modules/qemu-guest.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; diff --git a/modules/qemu-guest.nix b/modules/qemu-guest.nix new file mode 100644 index 0000000..97e2081 --- /dev/null +++ b/modules/qemu-guest.nix @@ -0,0 +1,7 @@ +{ + ... +}: { + + services.qemuGuest.enable = true; + +} From 75d4187baa7afe1741fc8f7d2aa73637bc69ab74 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 17 Aug 2025 01:36:10 +0200 Subject: [PATCH 13/40] Add nixos-server user module --- hosts/kube01/default.nix | 19 +------------------ users/julius/nixos-server.nix | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 18 deletions(-) create mode 100644 users/julius/nixos-server.nix diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index 7b69d12..2fe7891 100644 
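Review bot: `boot.tmp.useTmpfs = true` in modules/systemd-boot.nix has nothing to do with the boot loader; a host that uses a different loader (the nixos-server-test host in this series uses GRUB) silently loses it, and a host that wants systemd-boot without a tmpfs /tmp cannot opt out. Move it to its own module or to the host file, leaving this module with only the `boot.loader` attribute set, and give the file a one-line header such as `# UEFI boot via systemd-boot; requires an ESP mounted at /boot`.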
--- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -6,6 +6,7 @@ ../../modules/disko/efi-full-btrfs.nix ../../modules/systemd-boot.nix + ../../users/julius/nixos-server.nix ../../modules/nix.nix ../../modules/network-server.nix ../../modules/locale.nix @@ -20,24 +21,6 @@ networking.hostName = "kube01"; # Define your hostname. - users = { - users = { - julius = { - initialPassword = "password"; - isNormalUser = true; - uid = 1000; - extraGroups = [ "wheel" "julius" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiZXFM8XFkReb9HuGcY5rtPXsGuZ2eDnBBpI0kcHa6c julius@julius-framework" - ]; - }; - }; - groups = { - julius = { - gid = 1000; - }; - }; - }; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. diff --git a/users/julius/nixos-server.nix b/users/julius/nixos-server.nix new file mode 100644 index 0000000..5802f86 --- /dev/null +++ b/users/julius/nixos-server.nix @@ -0,0 +1,23 @@ +{ + ... +}: { + + users = { + users = { + julius = { + initialPassword = "password"; + isNormalUser = true; + uid = 1000; + group = "julius"; + extraGroups = [ "wheel" ]; + }; + }; + groups = { + julius = { + gid = 1000; + }; + }; + }; + + nix.settings.trusted-users = [ "julius" ]; +} From 31267fa34ca1147e7fe77f144776f953dca69c5f Mon Sep 17 00:00:00 2001 
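Review bot: The block moved into users/julius/nixos-server.nix drops the `openssh.authorizedKeys.keys` entry that the removed kube01 block carried, while modules/sshd.nix keeps `PasswordAuthentication = false`, so remote login for this user no longer works on any host importing the new module. Restore it in the new module, e.g. `openssh.authorizedKeys.keys = [ "<PUBLIC KEY PLACEHOLDER>" ];`. `initialPassword = "password"` is carried over unchanged and is now shared by every server host. `nix.settings.trusted-users = [ "julius" ]` grants this user root-equivalent control over the Nix daemon (it can register arbitrary substituters and signing keys), which is worth a comment stating that it is intentional.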
From: JuliusFreudenberger Date: Sun, 17 Aug 2025 01:46:17 +0200 Subject: [PATCH 14/40] Add more kube nodes --- flake.nix | 26 +++++++++++++++++ hosts/kube02/default.nix | 36 +++++++++++++++++++++++ hosts/kube02/hardware-configuration.nix | 24 ++++++++++++++++ hosts/kube03/default.nix | 38 +++++++++++++++++++++++++ hosts/kube03/hardware-configuration.nix | 24 ++++++++++++++++ 5 files changed, 148 insertions(+) create mode 100644 hosts/kube02/default.nix create mode 100644 hosts/kube02/hardware-configuration.nix create mode 100644 hosts/kube03/default.nix create mode 100644 hosts/kube03/hardware-configuration.nix diff --git a/flake.nix b/flake.nix index 527a41f..a27ec37 100644 --- a/flake.nix +++ b/flake.nix @@ -130,6 +130,32 @@ ]; }; + kube02 = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + disko.nixosModules.disko + ./hosts/kube02 + ]; + }; + + kube03 = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + disko.nixosModules.disko + ./hosts/kube03 + ]; + }; + }; }; } diff --git a/hosts/kube02/default.nix b/hosts/kube02/default.nix new file mode 100644 index 0000000..cf65b75 --- /dev/null +++ b/hosts/kube02/default.nix 
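Review bot: `kube02` and `kube03` in the flake.nix hunk repeat the `kube01` block verbatim apart from the host path, so the `specialArgs` and `disko.nixosModules.disko` lines will drift apart on the next change. A small helper keeps them aligned, e.g. `mkKubeHost = name: nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs outputs; }; modules = [ disko.nixosModules.disko (./hosts + "/${name}") ]; };` followed by `kube02 = mkKubeHost "kube02";`. The `rec` on each block is unused here. The enclosing attribute set starts outside the hunk.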
@@ -0,0 +1,36 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/disko/efi-full-btrfs.nix + ../../modules/systemd-boot.nix + + ../../users/julius/nixos-server.nix + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/sshd.nix + ../../modules/k3s.nix + ../../modules/qemu-guest.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + networking.hostName = "kube02"; # Define your hostname. + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} diff --git a/hosts/kube02/hardware-configuration.nix b/hosts/kube02/hardware-configuration.nix new file mode 100644 index 0000000..f198f81 --- /dev/null +++ b/hosts/kube02/hardware-configuration.nix 
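Review bot: hosts/kube02/default.nix is identical to the hosts/kube03/default.nix hunk further down apart from `networking.hostName`, so every module added to one node has to be remembered on the others by hand. Moving the shared import list and `system.stateVersion` into one module such as `modules/kube-node.nix` would shrink each host file to that import, `./hardware-configuration.nix` and its `networking.hostName`, and removes the drift risk. Both host files also import `../../modules/qemu-guest.nix` while the generated hardware-configuration.nix already pulls in `modulesPath + "/profiles/qemu-guest.nix"`; if the repo module only wraps that profile the duplication is harmless, but a comment on what it adds would save the next reader a lookup.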
@@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/kube03/default.nix b/hosts/kube03/default.nix new file mode 100644 index 0000000..8eda858 --- /dev/null +++ b/hosts/kube03/default.nix 
@@ -0,0 +1,38 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/disko/efi-full-btrfs.nix + ../../modules/systemd-boot.nix + + ../../users/julius/nixos-server.nix + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/sshd.nix + ../../modules/k3s.nix + ../../modules/qemu-guest.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + + networking.hostName = "kube03"; # Define your hostname. + + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} diff --git a/hosts/kube03/hardware-configuration.nix b/hosts/kube03/hardware-configuration.nix new file mode 100644 index 0000000..f198f81 --- /dev/null +++ b/hosts/kube03/hardware-configuration.nix 
@@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} From 2249b4cc5819ddf8820dca20340e9ff3a2af6007 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 17 Aug 2025 02:53:39 +0200 Subject: [PATCH 15/40] Configure clustering with k3s --- hosts/kube01/default.nix | 3 +++ hosts/kube02/default.nix | 5 +++++ hosts/kube03/default.nix | 4 ++++ modules/k3s.nix | 3 ++- 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index 2fe7891..a72dee8 100644 --- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -21,6 +21,9 @@ networking.hostName = "kube01"; # Define your hostname. + services.k3s = { + clusterInit = true; + }; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. diff --git a/hosts/kube02/default.nix b/hosts/kube02/default.nix index cf65b75..504afef 100644 
--- a/hosts/kube02/default.nix +++ b/hosts/kube02/default.nix @@ -20,6 +20,11 @@ networking.hostName = "kube02"; # Define your hostname. + services.k3s = { + serverAddr = "https://kube01:6443"; + clusterInit = false; + }; + # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # Most users should NEVER change this value after the initial install, for any reason, diff --git a/hosts/kube03/default.nix b/hosts/kube03/default.nix index 8eda858..12884e5 100644 --- a/hosts/kube03/default.nix +++ b/hosts/kube03/default.nix @@ -21,6 +21,10 @@ networking.hostName = "kube03"; # Define your hostname. + services.k3s = { + serverAddr = "https://kube01:6443"; + clusterInit = false; + }; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. diff --git a/modules/k3s.nix b/modules/k3s.nix index 940355e..2dab28a 100644 --- a/modules/k3s.nix +++ b/modules/k3s.nix @@ -7,7 +7,6 @@ services.k3s = { enable = true; role = "server"; - clusterInit = true; token = "verysecrettoken"; extraFlags = toString ([ "--write-kubeconfig-mode \"0644\"" @@ -19,6 +18,8 @@ networking.firewall.allowedTCPPorts = [ 6443 + 2379 + 2380 ]; networking.firewall.allowedUDPPorts = [ 8472 From db8b0f1d5fd5e87d27159588752351a714623c80 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Mon, 18 Aug 2025 23:12:46 +0200 Subject: [PATCH 16/40] Add srv01.hf as docker host --- flake.nix | 13 ++++++++ hosts/srv01.hf/default.nix | 37 +++++++++++++++++++++++ hosts/srv01.hf/hardware-configuration.nix | 24 +++++++++++++++ 3 files changed, 74 insertions(+) create mode 100644 hosts/srv01.hf/default.nix create mode 100644 hosts/srv01.hf/hardware-configuration.nix 
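Review bot: The new `2379` and `2380` entries in `networking.firewall.allowedTCPPorts` in modules/k3s.nix open the etcd client and peer ports on every interface to any source, although they only need to be reachable from the other control-plane nodes. Limiting them to the cluster interface (`networking.firewall.interfaces.<cluster-if>.allowedTCPPorts = [ 2379 2380 ];`) or to the peer addresses via `networking.firewall.extraCommands` keeps etcd off the rest of the network even though k3s's embedded etcd authenticates peers with certificates. The same hunk keeps `token = "verysecrettoken";` as a literal in the module; the `services.k3s.tokenFile` option with a secret kept outside the store would avoid shipping the join token in git and in the world-readable Nix store. The `serverAddr = "https://kube01:6443"` set in the kube02 and kube03 hunks depends on `kube01` resolving on those nodes at bootstrap; a `networking.hosts` entry or a fixed IP would make the join independent of DNS.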
diff --git a/flake.nix b/flake.nix index a27ec37..a4ec7a2 100644 --- a/flake.nix +++ b/flake.nix @@ -117,6 +117,19 @@ ]; }; + srv01-hf = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + disko.nixosModules.disko + ./hosts/srv01.hf + ]; + }; + kube01 = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix new file mode 100644 index 0000000..d341361 --- /dev/null +++ b/hosts/srv01.hf/default.nix 
@@ -0,0 +1,37 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/disko/efi-full-btrfs.nix + ../../modules/systemd-boot.nix + + ../../users/julius/nixos-server.nix + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/sshd.nix + ../../modules/qemu-guest.nix + ../../modules/docker.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + + networking.hostName = "srv01-hf"; # Define your hostname. + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} diff --git a/hosts/srv01.hf/hardware-configuration.nix b/hosts/srv01.hf/hardware-configuration.nix new file mode 100644 index 0000000..d152a40 --- /dev/null +++ b/hosts/srv01.hf/hardware-configuration.nix 
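Review bot: The new host lives in hosts/srv01.hf while its `networking.hostName` and the flake attribute added in the same commit are `srv01-hf`, so this is the only host whose directory name differs from its attribute. Renaming the directory to hosts/srv01-hf (and the `./hosts/srv01.hf` reference in flake.nix) keeps the one-name-per-host convention the kube hosts follow. If the dot is deliberate — a site or domain label, presumably — a short comment at the top of default.nix saying so would stop the next person from "fixing" it.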
@@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} From c4ec22b3806ab2b925a970c201ef8ceb6d79baef Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Mon, 18 Aug 2025 23:40:53 +0200 Subject: [PATCH 17/40] Change bootloader to grub for srv01-hf --- hosts/srv01.hf/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index d341361..868a71b 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -4,7 +4,6 @@ imports = [ ../../modules/disko/efi-full-btrfs.nix - ../../modules/systemd-boot.nix ../../users/julius/nixos-server.nix ../../modules/nix.nix @@ -18,6 +17,13 @@ ./hardware-configuration.nix ]; + boot = { + loader.grub = { + enable = true; + device = "/dev/sda"; + }; + tmp.useTmpfs = true; + }; networking.hostName = "srv01-hf"; # Define your hostname. From a8f632ed50515b179401751a0cb48fe9d7bc56c0 Mon Sep 17 00:00:00 2001 
From: JuliusFreudenberger Date: Tue, 19 Aug 2025 01:39:43 +0200 Subject: [PATCH 18/40] Enable hybrid boot for disko module --- hosts/srv01.hf/default.nix | 7 ------- modules/disko/efi-full-btrfs.nix | 9 +++++++-- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 868a71b..a7a3540 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -17,13 +17,6 @@ ./hardware-configuration.nix ]; - boot = { - loader.grub = { - enable = true; - device = "/dev/sda"; - }; - tmp.useTmpfs = true; - }; networking.hostName = "srv01-hf"; # Define your hostname. diff --git a/modules/disko/efi-full-btrfs.nix b/modules/disko/efi-full-btrfs.nix index 5dcb78c..59e8b26 100644 --- a/modules/disko/efi-full-btrfs.nix +++ b/modules/disko/efi-full-btrfs.nix @@ -7,16 +7,21 @@ content = { type = "gpt"; partitions = { + MBR = { + type = "EF02"; # for grub MBR + size = "1M"; + priority = 1; # Needs to be first partition + }; ESP = { priority = 1; name = "ESP"; - start = "1M"; - end = "128M"; + size = "500M"; type = "EF00"; content = { type = "filesystem"; format = "vfat"; mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; }; }; root = { From 6989f4be08aeae7ad1e97f61fe38db49322b65ae Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 19 Aug 2025 16:44:48 +0200 Subject: [PATCH 19/40] Add static network configuration to srv01-hf --- hosts/srv01.hf/default.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index a7a3540..19d5ca9 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix 
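Review bot: The new `MBR` partition and the existing `ESP` partition in modules/disko/efi-full-btrfs.nix both carry `priority = 1;`, so the comment `# Needs to be first partition` is not guaranteed by the value alone — the order between equal priorities depends on how disko breaks the tie, presumably by name. Giving the BIOS-boot partition a strictly lower value (`priority = 0;` on `MBR`, or `priority = 2;` on `ESP`) makes the intent hold regardless. `mountOptions = [ "umask=0077" ]` on /boot is a good addition, since it stops unprivileged users from reading kernels and initrds; a comment saying that is why it is there would help. Note that disko only applies this layout when a disk is formatted, so hosts installed with the old 128M ESP keep it until they are reinstalled.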
@@ -17,6 +17,25 @@ ./hardware-configuration.nix ]; + systemd.network = { + enable = true; + networks."10-wan" = { + matchConfig.Name = "ens18"; + networkConfig.DHCP = "no"; + address = [ + "77.90.17.93/24" + "2a06:de00:100:63::2/64" + ]; + routes = [ + { Gateway = "77.90.17.1"; } + { Gateway = "2a06:de00:100::1"; GatewayOnLink = true; } + ]; + dns = [ "9.9.9.9" ]; + }; + }; + + # Disable classic networking configuration + networking.useDHCP = lib.mkForce false; networking.hostName = "srv01-hf"; # Define your hostname. From 962ee20628dfcfab60a3244238923957257c8539 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 19 Aug 2025 17:00:45 +0200 Subject: [PATCH 20/40] Enable auto-update on srv01-hf --- hosts/srv01.hf/default.nix | 1 + modules/auto-upgrade.nix | 15 +++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 modules/auto-upgrade.nix diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 19d5ca9..193fe35 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -13,6 +13,7 @@ ../../modules/sshd.nix ../../modules/qemu-guest.nix ../../modules/docker.nix + ../../modules/auto-upgrade.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix new file mode 100644 index 0000000..5ed134e --- /dev/null +++ b/modules/auto-upgrade.nix @@ -0,0 +1,15 @@ +{ + inputs, + ... +}: { + system.autoUpgrade = { + enable = true; + flags = [ + "--recreate-lock-file" # Deprecated, but will hopefully be reintroduced + "-L" + ]; + flake = inputs.self.outPath; + dates = "02:00"; + randomizedDelaySec = "45min"; + }; +} From ea01c0abf388cb37d7f99db8e0da0d8a165204b4 Mon Sep 17 00:00:00 2001 
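Review bot: `dns = [ "9.9.9.9" ];` in the new `10-wan` network of hosts/srv01.hf/default.nix leaves a public-facing host with a single resolver queried over plain port 53. Adding a second resolver and, if the chosen resolver supports them, `networkConfig.DNSOverTLS = "yes";` and `networkConfig.DNSSEC = "allow-downgrade";` would remove the single point of failure and stop an on-path party from rewriting answers. `matchConfig.Name = "ens18";` ties the static addresses to a slot-derived name that changes if the virtual NIC moves; `matchConfig.MACAddress` is more stable when the VM's MAC is fixed. The comment `# Disable classic networking configuration` over `networking.useDHCP = lib.mkForce false;` overstates what the line does — it only cancels the DHCP default from hardware-configuration.nix; `networking.useNetworkd = true;` is the switch that moves scripted networking to networkd.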
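Review bot: `"--recreate-lock-file"` in the new modules/auto-upgrade.nix makes the nightly upgrade re-resolve every flake input to its current upstream head instead of the revisions pinned in flake.lock, so the host tracks whatever nixpkgs, home-manager, disko and the other inputs contain at 02:00 with nobody reviewing the change. Combined with `flake = inputs.self.outPath;`, a read-only store copy, the regenerated lock presumably cannot even be written back, so the result is also unreproducible — and the author's own comment already marks the flag deprecated. Dropping the flag and pointing `flake` at the repository instead (`flake = "git+ssh://<config-repo-url>";`) keeps upgrades on the committed lock and leaves input bumps to an explicit, reviewable commit. If following upstream unattended is really the intent, a comment should say so, because it changes the trust model for every host importing the module.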
From: JuliusFreudenberger Date: Mon, 25 Aug 2025 09:46:56 +0200 Subject: [PATCH 21/40] Add nixremote user for remote building --- hosts/srv01.hf/default.nix | 1 + users/nixremote.nix | 12 ++++++++++++ 2 files changed, 13 insertions(+) create mode 100644 users/nixremote.nix diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 193fe35..63062a8 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -6,6 +6,7 @@ ../../modules/disko/efi-full-btrfs.nix ../../users/julius/nixos-server.nix + ../../users/nixremote.nix ../../modules/nix.nix ../../modules/network-server.nix ../../modules/locale.nix diff --git a/users/nixremote.nix b/users/nixremote.nix new file mode 100644 index 0000000..78eac6a --- /dev/null +++ b/users/nixremote.nix @@ -0,0 +1,12 @@ +{ + ... +}: { + users.users = { + nixremote = { + isNormalUser = true; + uid = 1100; + group = "users"; + expires = "1970-01-01"; + } + }; +} From aa4d1f11c923302fd37347ed55b04e0498daf082 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 17 Sep 2025 00:03:34 +0200 Subject: [PATCH 22/40] Add rebootWindow for auto upgrades --- modules/auto-upgrade.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index 5ed134e..4d1a468 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -11,5 +11,10 @@ flake = inputs.self.outPath; dates = "02:00"; randomizedDelaySec = "45min"; + allowReboot = true; + rebootWindow = { + lower = "01:00"; + upper = "05:00"; + }; }; } From 3c17de5929beee77eabc5b05309563b086b30aee Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 17 Sep 2025 00:04:01 +0200 Subject: [PATCH 23/40] Make nixremote trusted and not expire --- users/nixremote.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/users/nixremote.nix b/users/nixremote.nix index 78eac6a..b0075cb 100644 --- a/users/nixremote.nix +++ b/users/nixremote.nix 
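Review bot: The closing `}` of the `nixremote` attribute set in the new users/nixremote.nix has no `;` (`} };` should read `}; };`), so the file does not evaluate as written. `expires = "1970-01-01";` sets an expiry date in the past, which disables the account on creation; if that is a deliberate "create now, enable later" step a comment should say so, otherwise the line should go. A build user reached over SSH also needs `openssh.authorizedKeys.keys`, and when that is added it is worth restricting the key to the build protocol with authorized_keys options (e.g. `restrict,command="nix-store --serve --write"`) so the account cannot be used as a general shell.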
@@ -6,7 +6,8 @@ isNormalUser = true; uid = 1100; group = "users"; - expires = "1970-01-01"; - } + }; }; + + nix.settings.trusted-users = [ "nixremote" ]; } From 739b50349c9d7f3f76329fdcaf56fb7ff957a487 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 17 Sep 2025 00:05:36 +0200 Subject: [PATCH 24/40] Set oci-backend to docker This can be used to start containers declaratively. Use docker when it is enabled for this. --- modules/docker.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/docker.nix b/modules/docker.nix index b9f7aa1..d216ec2 100644 --- a/modules/docker.nix +++ b/modules/docker.nix @@ -4,8 +4,11 @@ ... }: { - virtualisation.docker = { - enable = true; + virtualisation = { + docker = { + enable = true; + }; + oci-containers.backend = "docker"; }; } From eee7d2ddcf5e404abb779b4ac6626325b43721ba Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 17 Sep 2025 23:51:27 +0200 Subject: [PATCH 25/40] Add secret management with agenix --- flake.lock | 113 +++++++++++++++++++++++++++++++------ flake.nix | 14 ++++- hosts/srv01.hf/default.nix | 1 + hosts/srv01.hf/secrets.nix | 7 +++ 4 files changed, 116 insertions(+), 19 deletions(-) create mode 100644 hosts/srv01.hf/secrets.nix diff --git a/flake.lock b/flake.lock index 97db651..8a290db 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,28 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1754433428, + "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "owner": "ryantm", + "repo": "agenix", + "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "auto-cpufreq": { "inputs": { "nixpkgs": [ 
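Review bot: `nix.settings.trusted-users = [ "nixremote" ];` in users/nixremote.nix makes the build account root-equivalent towards the Nix daemon — a trusted user can import unsigned store paths, set arbitrary substituters and relax sandbox settings — which is more than the name suggests. Remote building does need it when the client pushes unsigned paths, so the entry is plausibly required, but that should be recorded next to the line, e.g. `# trusted so unsigned paths copied by remote builds are accepted; root-equivalent for the daemon`. Removing `expires` re-enables the account, so whatever SSH key and login restriction exist for it (not in this file) are now the only things gating that access.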
@@ -7,11 +30,11 @@ ] }, "locked": { - "lastModified": 1752998173, - "narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=", + "lastModified": 1758056808, + "narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd", + "rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c", "type": "github" }, "original": { @@ -27,11 +50,11 @@ ] }, "locked": { - "lastModified": 1753140376, - "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "lastModified": 1757508292, + "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=", "owner": "nix-community", "repo": "disko", - "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a", "type": "github" }, "original": { @@ -96,15 +119,36 @@ "home-manager": { "inputs": { "nixpkgs": [ + "agenix", "nixpkgs" ] }, "locked": { - "lastModified": 1753592768, - "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "fc3add429f21450359369af74c2375cb34a2d204", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1757808926, + "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "f21d9167782c086a33ad53e2311854a8f13c281e", "type": "github" }, "original": { 
@@ -137,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1754564048, - "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=", + "lastModified": 1757943327, + "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113", + "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05", "type": "github" }, "original": { @@ -153,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754767907, - "narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=", + "lastModified": 1758070117, + "narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c5f08b62ed75415439d48152c2a784e36909b1bc", + "rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d", "type": "github" }, "original": { @@ -260,14 +304,32 @@ }, "root": { "inputs": { + "agenix": "agenix", "auto-cpufreq": "auto-cpufreq", "disko": "disko", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "lazy-apps": "lazy-apps", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "proxmox-nixos": "proxmox-nixos", - "systems": "systems_2" + "secrets": "secrets", + "systems": "systems_3" + } + }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1758144826, + "narHash": "sha256-iP17+7kzDVsMa66W1RmAx6LQzQVCSYj7QemyhuZMUFQ=", + "ref": "refs/heads/main", + "rev": "8ed4ae40d7b203880e368f5822260f0cd2ed0229", + "revCount": 2, + "type": "git", + "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" + }, + "original": { + "type": "git", + "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" } }, "systems": { 
@@ -286,6 +348,21 @@ } }, "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -302,7 +379,7 @@ }, "utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1710146030, diff --git a/flake.nix b/flake.nix index a4ec7a2..fab5bf0 100644 --- a/flake.nix +++ b/flake.nix @@ -22,7 +22,17 @@ url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; - + agenix = { + url = "github:ryantm/agenix"; + inputs = { + nixpkgs.follows = "nixpkgs"; + darwin.follows = ""; + }; + }; + secrets = { + url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"; + flake = false; + }; systems.url = "github:nix-systems/default-linux"; }; @@ -34,6 +44,7 @@ home-manager, auto-cpufreq, proxmox-nixos, + agenix, disko, systems, ... @@ -126,6 +137,7 @@ modules = [ disko.nixosModules.disko + agenix.nixosModules.default ./hosts/srv01.hf ]; }; diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 63062a8..1cea677 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -4,6 +4,7 @@ imports = [ ../../modules/disko/efi-full-btrfs.nix + ./secrets.nix ../../users/julius/nixos-server.nix ../../users/nixremote.nix diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix new file mode 100644 index 0000000..9b8fb86 --- /dev/null +++ b/hosts/srv01.hf/secrets.nix 
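Review bot: The new `secrets` input in flake.nix fetches a private repository over `git+ssh://` without a `?ref=`, so outside the `rev` recorded in flake.lock it follows the remote's default branch; with the `--recreate-lock-file` auto-upgrade flag elsewhere in this series, hosts pull the newest secrets commit unattended. Pinning the branch explicitly (`url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git?ref=main";`) at least makes the intended ref visible. The `agenix` input sets `darwin.follows = ""` but leaves its `home-manager` input alone, which is why flake.lock now carries both `home-manager` and `home-manager_2`; adding `home-manager.follows = "home-manager"` (or `""` if only `agenix.nixosModules.default` is used) removes the duplicate. The hunk also registers `agenix` in the outputs' argument list and in the srv01-hf module list, which is consistent.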
@@ -0,0 +1,7 @@ +{ inputs, ... }: +{ + age.secrets = { + teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin"; + teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token"; + }; +} From abf81609e426ae6cc101439b8825a34e54f60dfe Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Thu, 18 Sep 2025 01:07:36 +0200 Subject: [PATCH 26/40] Add ssh connection settings to nix-private repo for auto-upgrade --- modules/auto-upgrade.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index 4d1a468..3dc9849 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -1,5 +1,6 @@ { inputs, + pkgs, ... }: { system.autoUpgrade = { @@ -17,4 +18,20 @@ upper = "05:00"; }; }; + + # Also needs access to the nix-private repo which contains the encrypted secrets + programs.ssh = { + extraConfig = " + Host git.jfreudenberger.de + Port 222 + User git + IdentityFile /etc/ssh/ssh_host_ed25519_key + "; + knownHostsFiles = [ + (pkgs.writeText "forgejo.keys" ''[git.jfreudenberger.de]:222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+uqIeb9+AoqwD0Z6xLKI2dsRoS9Qh/VwboYfGpBJd+ +[git.jfreudenberger.de]:222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8GDSt4LsCzOoIZkqZRLgXyTLyHoJu62cFFP88i8GpSadyV6mJPkK5p2mgBzN/BM9I/G2VWfvqdM8Fy/7p3S8kDhmmkOk1AK7C/+qaQKsKcQauJuzNXlwMHG1Ivath80TO9PIQc9jYakP9xl8SACd5bwkvfEm3rS5awZ8T2hWgnsgO8pFHFOFmFnVbujXZk58FVTCxpgyPqjFv76JSYxpHk1VtiQ52jScsreOImEOWWg88f9IM9etWcshuxte4zudaqc2KjjAB6pYMuVj7O6cwMXKjCUxTzyomWjr2JoEruIslifbZ6bJGgswg5ENJSKURuMPgTuGM6Nrjp75V/yFD +[git.jfreudenberger.de]:222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOS447cAWRZgHPs6MOoRS6/J66oY753QPiM7BI63/qNDd5qrCan153dJd5lBGwDR0vMWiV/0cmzuACfP5QS1Lv8= + '') + ]; + }; } From fadfd47e3f265e4382f302f7449e211ef878507e Mon Sep 17 00:00:00 2001 
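Review bot: The two `age.secrets` entries in the new hosts/srv01.hf/secrets.nix rely on agenix's defaults for `owner`, `group` and `mode` (root-owned, 0400), which is right only as long as the teleport service reads them as root; if the service is later moved to a dedicated user the paths become unreadable with no build-time error, so record the assumption with `# read by teleport as root; set owner/mode if the service drops privileges`. `teleport-ca_pin` is a CA fingerprint rather than a credential, so encrypting it is harmless but the placement may mislead someone into treating the pin as secret; a short comment noting it lives here only because it is distributed with the secrets repo would help.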
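Review bot: `IdentityFile /etc/ssh/ssh_host_ed25519_key` in the new `programs.ssh.extraConfig` block of modules/auto-upgrade.nix reuses the host's SSH identity as the deploy credential for the private secrets repository, so the key that identifies this server to clients is also an authentication key at the forge. That is workable if the forge registers it as a read-only deploy key, but it should be stated (`# host key is registered at the forge as a read-only deploy key for nix-private`), and a dedicated key delivered as an agenix secret would keep identity and authorisation separate. The `Host git.jfreudenberger.de` stanza lands in the system-wide ssh_config and therefore applies to every local user, not just the root-run upgrade service; unprivileged users cannot read the host key, so for them the stanza simply fails the connection, which is probably acceptable but worth knowing. Pinning the forge's host keys through `knownHostsFiles` is the right call and keeps `StrictHostKeyChecking` meaningful for this unattended job.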
From: JuliusFreudenberger Date: Thu, 18 Sep 2025 01:11:06 +0200 Subject: [PATCH 27/40] Configure teleport on srv01-hf --- hosts/srv01.hf/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 1cea677..f8a2c5b 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -15,11 +15,21 @@ ../../modules/sshd.nix ../../modules/qemu-guest.nix ../../modules/docker.nix + ../../modules/teleport.nix ../../modules/auto-upgrade.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; + services.openssh.openFirewall = false; + services.teleport = { + enable = true; + settings.teleport = { + ca_pin = config.age.secrets."teleport-ca_pin".path; + auth_token = config.age.secrets."teleport-join_token".path; + }; + }; + systemd.network = { enable = true; networks."10-wan" = { From cfc8f986b7e9a6680039358f03789f35395e5e22 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Thu, 18 Sep 2025 01:11:57 +0200 Subject: [PATCH 28/40] Add portainer_agent module and configure srv01-hf for it --- hosts/srv01.hf/default.nix | 3 +++ hosts/srv01.hf/secrets.nix | 1 + modules/portainer_agent.nix | 21 +++++++++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 modules/portainer_agent.nix diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index f8a2c5b..feb2183 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -16,6 +16,7 @@ ../../modules/qemu-guest.nix ../../modules/docker.nix ../../modules/teleport.nix + ../../modules/portainer_agent.nix ../../modules/auto-upgrade.nix # Include the results of the hardware scan. ./hardware-configuration.nix @@ -30,6 +31,8 @@ }; }; + virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ]; + systemd.network = { enable = true; networks."10-wan" = { 
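Review bot: `ca_pin = config.age.secrets."teleport-ca_pin".path;` in hosts/srv01.hf/default.nix hands Teleport a file path, but `ca_pin` is documented as the `sha256:…` pin string itself; Teleport reads `auth_token` from a file path, whereas for `ca_pin` I am not certain a path is accepted — confirm against the deployed version, since a wrong pin fails the join rather than erroring at build time. If a path is not accepted, the pin is not a secret and can simply be a literal, leaving only the join token in agenix. `services.openssh.openFirewall = false;` makes Teleport the only remote administration path for this host, which is a sound hardening step but deserves a comment so the next person does not reopen port 22 by reflex; the `../../modules/teleport.nix` module this depends on is outside this hunk. The `environmentFiles` line for `portainer_agent` in the following hunk correctly keeps the join token out of the store; the same pattern could carry the Teleport token if the file-path form ever proves unsupported.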
diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix index 9b8fb86..8697e77 100644 --- a/hosts/srv01.hf/secrets.nix +++ b/hosts/srv01.hf/secrets.nix @@ -3,5 +3,6 @@ age.secrets = { teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin"; teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token"; + portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token"; }; } diff --git a/modules/portainer_agent.nix b/modules/portainer_agent.nix new file mode 100644 index 0000000..8bebd6c --- /dev/null +++ b/modules/portainer_agent.nix @@ -0,0 +1,21 @@ +{ + ... +}: { + virtualisation.oci-containers.containers = { + portainer_agent = { + image = "portainer/agent:2.33.1"; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + "/var/lib/docker/volumes:/var/lib/docker/volumes" + "/:/host" + ]; + environment = { + EDGE = "1"; + CAP_HOST_MANAGEMENT = "1"; + }; + extraOptions = [ + ''--mount=type=volume,source=portainer_agent,target=/data,volume-driver=local'' + ]; + }; + }; +} From 0b336f6058bd1aad6c4057d0b6cd6e8a05cb97be Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Thu, 18 Sep 2025 01:12:18 +0200 Subject: [PATCH 29/40] Update flake.lock --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 8a290db..9a46a8b 100644 --- a/flake.lock +++ b/flake.lock @@ -319,11 +319,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1758144826, - "narHash": "sha256-iP17+7kzDVsMa66W1RmAx6LQzQVCSYj7QemyhuZMUFQ=", + "lastModified": 1758149260, + "narHash": "sha256-Pgw5Krmc27t+7On6fwHJWx0nuoLRu0XqwN5MHaZ5kys=", "ref": "refs/heads/main", - "rev": "8ed4ae40d7b203880e368f5822260f0cd2ed0229", - "revCount": 2, + "rev": "50fd7d5277505cbb3235aae9719d3b8b0c7fe692", + "revCount": 5, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" }, 
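Review bot: `image = "portainer/agent:2.33.1";` in the new modules/portainer_agent.nix pins by mutable tag only, while the container it starts mounts `/var/run/docker.sock` and `/:/host` and sets `CAP_HOST_MANAGEMENT = "1"`, i.e. it is root-equivalent on the host; a tag that can be re-pushed is a weak anchor for that much privilege, so pin by digest as well (`image = "portainer/agent:2.33.1@sha256:<image digest>";`). With `EDGE = "1"` the agent dials out to the Portainer server, so whoever controls that server, or the `portainer-join_token` environment file referenced from the host config, controls this machine; a header comment stating that trust relationship would help the next maintainer. If Host Management is not used to write to the host, `"/:/host:ro"` would narrow the mount — hedged, because Portainer's documented setup uses a writable mount.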
From 0fd83d282223222121ae65e0b9144f0eaae3f39d Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Thu, 25 Sep 2025 11:35:06 +0200 Subject: [PATCH 30/40] Add configuration of proxmox binary cache into flake hint --- flake.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/flake.nix b/flake.nix index fab5bf0..7f638f1 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,15 @@ { description = "NixOS configuration of Julius Freudenberger"; + nixConfig = { + extra-substituters = [ + "https://cache.saumon.network/proxmox-nixos" + ]; + extra-trusted-public-keys = [ + "proxmox-nixos:D9RYSWpQQC/msZUWphOY2I5RLH5Dd6yQcaHIuug7dWM=" + ]; + }; + inputs = { #nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; From b0bf41a8263327f03138d07094a513b512143a0c Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Mon, 29 Sep 2025 17:05:03 +0200 Subject: [PATCH 31/40] portainer_agent: 2.33.1 -> 2.33.2 --- modules/portainer_agent.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/portainer_agent.nix b/modules/portainer_agent.nix index 8bebd6c..408834b 100644 --- a/modules/portainer_agent.nix +++ b/modules/portainer_agent.nix @@ -3,7 +3,7 @@ }: { virtualisation.oci-containers.containers = { portainer_agent = { - image = "portainer/agent:2.33.1"; + image = "portainer/agent:2.33.2"; volumes = [ "/var/run/docker.sock:/var/run/docker.sock" "/var/lib/docker/volumes:/var/lib/docker/volumes" From 9c3769ed3900bc95299d93428e5cec70c113807a Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Mon, 29 Sep 2025 17:08:04 +0200 Subject: [PATCH 32/40] Update flake.lock --- flake.lock | 45 +++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/flake.lock b/flake.lock index 9a46a8b..40c760f 100644 --- a/flake.lock +++ b/flake.lock 
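Review bot: The new `nixConfig` block in flake.nix only takes effect for invocations that accept flake-provided settings: as far as I recall the daemon warns and ignores `extra-substituters`/`extra-trusted-public-keys` from a flake unless the evaluating user is trusted and accepts them interactively or via `accept-flake-config`, which a non-interactive `system.autoUpgrade` run does not. If the hosts themselves are meant to use the proxmox-nixos cache, the same two values belong in `nix.settings.substituters` and `nix.settings.trusted-public-keys` in modules/nix.nix; kept here they mainly help interactive `nix` commands on a developer machine. A trusted public key is a statement of trust in whoever holds the signing key, so a comment naming which input the cache serves (`# binary cache for the proxmox-nixos input`) documents that decision.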
@@ -30,15 +30,16 @@
 ]
 },
 "locked": {
- "lastModified": 1758056808,
- "narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=",
+ "lastModified": 1757911848,
+ "narHash": "sha256-YkT8N8VFISStPADblSg1aCI0BP1TJ2koA5QqfJ7t12U=",
 "owner": "AdnanHodzic",
 "repo": "auto-cpufreq",
- "rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c",
+ "rev": "c2ff712325dd919b3ee7c7e5354d67fb841618d0",
 "type": "github"
 },
 "original": {
 "owner": "AdnanHodzic",
+ "ref": "c2ff712325dd919b3ee7c7e5354d67fb841618d0",
 "repo": "auto-cpufreq",
 "type": "github"
 }
@@ -50,11 +51,11 @@
 ]
 },
 "locked": {
- "lastModified": 1757508292,
- "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=",
+ "lastModified": 1758287904,
+ "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a",
+ "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
 "type": "github"
 },
 "original": {
@@ -144,11 +145,11 @@
 ]
 },
 "locked": {
- "lastModified": 1757808926,
- "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=",
+ "lastModified": 1758463745,
+ "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "f21d9167782c086a33ad53e2311854a8f13c281e",
+ "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
 "type": "github"
 },
 "original": {
@@ -181,11 +182,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1757943327,
- "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=",
+ "lastModified": 1758663926,
+ "narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05",
+ "rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1",
 "type": "github"
 },
 "original": {
@@ -197,11 +198,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1758070117,
- "narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=",
+ "lastModified": 1758791193,
+ "narHash": "sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e+HYf0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d",
+ "rev": "25e53aa156d47bad5082ff7618f5feb1f5e02d01",
 "type": "github"
 },
 "original": {
@@ -289,11 +290,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1754428470,
- "narHash": "sha256-Sxf8gf+vfGeFaJMW3D+8pwH/+WwYTQOg47Lrm42+kTc=",
+ "lastModified": 1758650077,
+ "narHash": "sha256-ZeRtJimtk0Faiq7DPZEQNGipda3TaR4QXp0TAzu934Q=",
 "owner": "SaumonNet",
 "repo": "proxmox-nixos",
- "rev": "6faed2845ef5f0bb05c9519b75097bbe7fb39327",
+ "rev": "ce8768f43b4374287cd8b88d8fa9c0061e749d9a",
 "type": "github"
 },
 "original": {
@@ -319,11 +320,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1758149260,
- "narHash": "sha256-Pgw5Krmc27t+7On6fwHJWx0nuoLRu0XqwN5MHaZ5kys=",
+ "lastModified": 1758149597,
+ "narHash": "sha256-qUkhfFBEuDJ7nP6jcdBZzGBBhLKnXYxumBQI75DGcFc=",
 "ref": "refs/heads/main",
- "rev": "50fd7d5277505cbb3235aae9719d3b8b0c7fe692",
- "revCount": 5,
+ "rev": "8404f6877e25b8cbf3f504ef1926034e8c401dbe",
+ "revCount": 6,
 "type": "git",
 "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
 },
From 7ae69de706daed306eecd1ea62c382ecdadc60d5 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Mon, 8 Dec 2025 19:29:16 +0100
Subject: [PATCH 33/40] Add user to kvm group
---
 users/julius/nixos.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users/julius/nixos.nix b/users/julius/nixos.nix
index a424826..81c9e60 100644
--- a/users/julius/nixos.nix
+++ b/users/julius/nixos.nix
@@ -6,7 +6,7 @@
 }: {
 users.users.julius = {
 isNormalUser = true;
- extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" ];
+ extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" "kvm" ];
 shell = pkgs.zsh;
 };
From 5fd7eb5ee2d23616e0bcb8820caee6f2efe1049c Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Wed, 24 Dec 2025 02:14:10 +0100
Subject: [PATCH 34/40] Remove phpstorm
---
 modules/gui-coding.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/gui-coding.nix b/modules/gui-coding.nix
index 33056ef..e195a05 100644
--- a/modules/gui-coding.nix
+++ b/modules/gui-coding.nix
@@ -6,7 +6,6 @@
 environment.systemPackages = with pkgs; [
 jetbrains.idea-ultimate
 jetbrains.pycharm-professional
- jetbrains.phpstorm
 vscodium-fhs
 zed-editor.fhs
From 55292a69f45e39ff9f26959344bf04ffa4a54719 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Wed, 24 Dec 2025 23:20:37 +0100
Subject: [PATCH 35/40] Update to 25.11
---
 flake.lock | 93 ++++++++++++++++++++++++-----------------
 flake.nix | 4 +-
 modules/gui-coding.nix | 4 +-
 modules/i3.nix | 2 +-
 modules/laptop.nix | 8 ++--
 modules/typesetting.nix | 2 +-
 6 files changed, 64 insertions(+), 49 deletions(-)
diff --git a/flake.lock b/flake.lock
index 40c760f..a5e3b36 100644
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1754433428,
- "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+ "lastModified": 1762618334,
+ "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+ "rev": "fcdea223397448d35d9b31f798479227e80183f6",
 "type": "github"
 },
 "original": {
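Review bot: The changed `extraGroups` line now grants four privilege-bearing groups with no comment on why each is needed; `docker` and `libvirtd` are each root-equivalent on the host, and `kvm` adds direct `/dev/kvm` access that `libvirtd` membership does not by itself require, yet the commit message does not name the consumer. Record it on the line, e.g. `"kvm" # <tool that opens /dev/kvm directly, outside libvirt>`, so the grant stays reviewable and can be removed when that tool goes away. The `users.users.julius` block is shown in full; the module continues outside the hunk.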
@@ -30,16 +30,15 @@
 ]
 },
 "locked": {
- "lastModified": 1757911848,
- "narHash": "sha256-YkT8N8VFISStPADblSg1aCI0BP1TJ2koA5QqfJ7t12U=",
+ "lastModified": 1765042799,
+ "narHash": "sha256-G7UJDUNcuHm1n2EuA+2iKPNISSWoUgqk85ktncJoelo=",
 "owner": "AdnanHodzic",
 "repo": "auto-cpufreq",
- "rev": "c2ff712325dd919b3ee7c7e5354d67fb841618d0",
+ "rev": "2e5c725be0a7da2c749a345e09f3df3b9ef8c209",
 "type": "github"
 },
 "original": {
 "owner": "AdnanHodzic",
- "ref": "c2ff712325dd919b3ee7c7e5354d67fb841618d0",
 "repo": "auto-cpufreq",
 "type": "github"
 }
@@ -51,11 +50,11 @@
 ]
 },
 "locked": {
- "lastModified": 1758287904,
- "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
+ "lastModified": 1766150702,
+ "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
+ "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
 "type": "github"
 },
 "original": {
@@ -82,11 +81,11 @@
 },
 "flake-compat_2": {
 "locked": {
- "lastModified": 1696426674,
- "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "lastModified": 1747046372,
+ "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
 "type": "github"
 },
 "original": {
@@ -145,16 +144,16 @@
 ]
 },
 "locked": {
- "lastModified": 1758463745,
- "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
+ "lastModified": 1766529401,
+ "narHash": "sha256-OJAjJcW6ZADEzTBrvOTZanbgC8ObEWveObujtpazEbg=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
+ "rev": "aaf46506426cc8c53719dd20de660fc856a5561e",
 "type": "github"
 },
 "original": {
 "owner": "nix-community",
- "ref": "release-25.05",
+ "ref": "release-25.11",
 "repo": "home-manager",
 "type": "github"
 }
@@ -167,11 +166,11 @@
 "pre-commit-hooks": "pre-commit-hooks"
 },
 "locked": {
- "lastModified": 1752585957,
- "narHash": "sha256-ogQo/MMNSIM4U4VQMieIrpLhjkgSbev3VR24foJ/h/U=",
+ "lastModified": 1764660538,
+ "narHash": "sha256-kEWb9Hc2OxdLhJ1pRdW7zRZ57Mul3/Jpy3vyhQ8Yq6o=",
 "owner": "~rycee",
 "repo": "lazy-apps",
- "rev": "3c3ce5001e24b6c12496a5920eee28a96f8d49d6",
+ "rev": "4ddc92c77213f8ed3ddef1868f4a19002afa728a",
 "type": "sourcehut"
 },
 "original": {
@@ -182,11 +181,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1758663926,
- "narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=",
+ "lastModified": 1764440730,
+ "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1",
+ "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
 "type": "github"
 },
 "original": {
@@ -198,20 +197,35 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1758791193,
- "narHash": "sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e+HYf0=",
+ "lastModified": 1766473571,
+ "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "25e53aa156d47bad5082ff7618f5feb1f5e02d01",
+ "rev": "76701a179d3a98b07653e2b0409847499b2a07d3",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-25.05",
+ "ref": "nixos-25.11",
 "repo": "nixpkgs",
 "type": "github"
 }
 },
+ "nixpkgs-libvncserver": {
+ "locked": {
+ "lastModified": 1750111231,
+ "narHash": "sha256-3a7Tha/RwYlzH/v3PJrG7+HjOj4c6YOv2K8sqdGsHVQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "e6f23dc08d3624daab7094b701aa3954923c6bbb",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "rev": "e6f23dc08d3624daab7094b701aa3954923c6bbb",
+ "type": "indirect"
+ }
+ },
 "nixpkgs-stable": {
 "locked": {
 "lastModified": 1730741070,
@@ -230,11 +244,11 @@
 },
 "nixpkgs-stable_2": {
 "locked": {
- "lastModified": 1748437600,
- "narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=",
+ "lastModified": 1761016216,
+ "narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "7282cb574e0607e65224d33be8241eae7cfe0979",
+ "rev": "481cf557888e05d3128a76f14c76397b7d7cc869",
 "type": "github"
 },
 "original": {
@@ -245,11 +259,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1723637854,
- "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
+ "lastModified": 1761114652,
+ "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
+ "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c",
 "type": "github"
 },
 "original": {
@@ -285,16 +299,17 @@
 "proxmox-nixos": {
 "inputs": {
 "flake-compat": "flake-compat_2",
+ "nixpkgs-libvncserver": "nixpkgs-libvncserver",
 "nixpkgs-stable": "nixpkgs-stable_2",
 "nixpkgs-unstable": "nixpkgs-unstable",
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1758650077,
- "narHash": "sha256-ZeRtJimtk0Faiq7DPZEQNGipda3TaR4QXp0TAzu934Q=",
+ "lastModified": 1764188113,
+ "narHash": "sha256-Oq4aCjczgnFQqFNWZ6Ablg6x9579CO8tyBktYDYiZEs=",
 "owner": "SaumonNet",
 "repo": "proxmox-nixos",
- "rev": "ce8768f43b4374287cd8b88d8fa9c0061e749d9a",
+ "rev": "3be878a84866b9ef9214b8ea6f53630f47f4b192",
 "type": "github"
 },
 "original": {
@@ -383,11 +398,11 @@
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1710146030,
- "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 7f638f1..a0d1393 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,10 +12,10 @@
 inputs = {
 #nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
- nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 home-manager = {
- url = "github:nix-community/home-manager/release-25.05";
+ url = "github:nix-community/home-manager/release-25.11";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 auto-cpufreq = {
diff --git a/modules/gui-coding.nix b/modules/gui-coding.nix
index e195a05..223f2b6 100644
--- a/modules/gui-coding.nix
+++ b/modules/gui-coding.nix
@@ -4,8 +4,8 @@
 ...
 }: {
 environment.systemPackages = with pkgs; [
- jetbrains.idea-ultimate
- jetbrains.pycharm-professional
+ jetbrains.idea
+ jetbrains.pycharm
 vscodium-fhs
 zed-editor.fhs
diff --git a/modules/i3.nix b/modules/i3.nix
index dcefbd7..80fcb57 100644
--- a/modules/i3.nix
+++ b/modules/i3.nix
@@ -18,7 +18,7 @@
 lightlocker
 xautolock # lock screen after some time
 i3status # provide information to i3bar
- i3-gaps # i3 with gaps
+ i3 # i3 with gaps
 nitrogen # set wallpaper
 acpi # battery information
 arandr # screen layout manager
diff --git a/modules/laptop.nix b/modules/laptop.nix
index 73f9fa6..49e7492 100644
--- a/modules/laptop.nix
+++ b/modules/laptop.nix
@@ -6,10 +6,10 @@
 boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen;
- services.logind = {
- lidSwitch = "suspend-then-hibernate";
- lidSwitchDocked = "suspend-then-hibernate";
- powerKey = "ignore";
+ services.logind.settings.Login = {
+ HandleLidSwitch= "suspend-then-hibernate";
+ HandleLidSwitchDocked = "suspend-then-hibernate";
+ HandlePowerKey = "ignore";
 };
 programs.auto-cpufreq.enable = true;
diff --git a/modules/typesetting.nix b/modules/typesetting.nix
index 56ba34e..b4e321f 100644
--- a/modules/typesetting.nix
+++ b/modules/typesetting.nix
@@ -5,7 +5,7 @@
 }: {
 environment.systemPackages = with pkgs; [
 typst
- typstfmt
+ typstyle
 texliveFull
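Review bot: The trailing comment on the changed i3 line still reads `# i3 with gaps`, which described the removed `i3-gaps` package; with plain `i3` installed it now implies a separate fork is in use. Since gaps support is part of upstream i3 today, change the line to `i3 # window manager (gaps are built in upstream now)` or simply `i3 # window manager`. The package list continues outside the hunk.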
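Review bot: `HandleLidSwitch= "suspend-then-hibernate";` is missing the space before `=`, unlike the two sibling assignments in the same `Login` attribute set; write `HandleLidSwitch = "suspend-then-hibernate";` so the three lines are formatted alike and a later formatter run does not churn this hunk. The migration to `services.logind.settings.Login` itself looks right for 25.11; the rest of the laptop module is outside the hunk.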
From 7574b6bfa4e13db21887135f5946a28d4a45940e Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Wed, 24 Dec 2025 23:20:51 +0100
Subject: [PATCH 36/40] Update devshells to 25.11
---
 devshells/java17-maven/flake.lock | 8 ++++----
 devshells/java17-maven/flake.nix | 2 +-
 devshells/java21-maven/flake.lock | 8 ++++----
 devshells/java21-maven/flake.nix | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/devshells/java17-maven/flake.lock b/devshells/java17-maven/flake.lock
index ae71305..b4da842 100644
--- a/devshells/java17-maven/flake.lock
+++ b/devshells/java17-maven/flake.lock
@@ -22,16 +22,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1736684107,
- "narHash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg=",
+ "lastModified": 1766473571,
+ "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "635e887b48521e912a516625eee7df6cf0eba9c1",
+ "rev": "76701a179d3a98b07653e2b0409847499b2a07d3",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-24.11",
+ "ref": "nixos-25.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/devshells/java17-maven/flake.nix b/devshells/java17-maven/flake.nix
index 106308a..169ccb2 100644
--- a/devshells/java17-maven/flake.nix
+++ b/devshells/java17-maven/flake.nix
@@ -1,6 +1,6 @@
 {
 description = "A basic flake with a shell";
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 inputs.systems.url = "github:nix-systems/default";
 inputs.flake-utils = {
 url = "github:numtide/flake-utils";
diff --git a/devshells/java21-maven/flake.lock b/devshells/java21-maven/flake.lock
index 72a721c..b4da842 100644
--- a/devshells/java21-maven/flake.lock
+++ b/devshells/java21-maven/flake.lock
@@ -22,16 +22,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1734435836,
- "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
+ "lastModified": 1766473571,
+ "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "4989a246d7a390a859852baddb1013f825435cee",
+ "rev": "76701a179d3a98b07653e2b0409847499b2a07d3",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixpkgs-unstable",
+ "ref": "nixos-25.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/devshells/java21-maven/flake.nix b/devshells/java21-maven/flake.nix
index 79f8a2c..943795f 100644
--- a/devshells/java21-maven/flake.nix
+++ b/devshells/java21-maven/flake.nix
@@ -1,6 +1,6 @@
 {
 description = "A basic flake with a shell";
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 inputs.systems.url = "github:nix-systems/default";
 inputs.flake-utils = {
 url = "github:numtide/flake-utils";
From f772e6054e1eee84ea96fe33ea4b56e9aae238f8 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Fri, 2 Jan 2026 19:52:36 +0100
Subject: [PATCH 37/40] Enable software tpm for libvirt
---
 modules/virtualization.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/modules/virtualization.nix b/modules/virtualization.nix
index b1cde0f..fb232cc 100644
--- a/modules/virtualization.nix
+++ b/modules/virtualization.nix
@@ -3,12 +3,13 @@
 lib,
 ...
 }: {
- environment.systemPackages = with pkgs; [
- virt-manager
- ];
-
 virtualisation = {
- libvirtd.enable = true;
+ libvirtd = {
+ enable = true;
+ qemu.swtpm.enable = true;
+ };
 spiceUSBRedirection.enable = true;
 };
+
+ programs.virt-manager.enable = true;
 }
From 5ed43a419304273770d0f0f6fb07a243efbd558d Mon Sep 17 00:00:00 2001
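Review bot: `qemu.swtpm.enable = true;` gives guests an emulated TPM whose state is ordinary files on the host, so anything a guest seals to it (disk-encryption keys bound to PCRs, measured-boot evidence) is only as protected as the host filesystem and offers no hardware root of trust; a comment on the line makes that explicit, e.g. `qemu.swtpm.enable = true; # software TPM (swtpm): state lives on the host disk, not a hardware TPM`. Separately, the removed `with pkgs;` list looks like the only use of `pkgs` in this module; if the argument set above the hunk still lists `pkgs`, it is now unused and can be dropped (the args block starts before the hunk, so I cannot confirm). The `lib` argument in the visible context also has no visible use.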
From: JuliusFreudenberger
Date: Fri, 2 Jan 2026 21:39:06 +0100
Subject: [PATCH 38/40] Add initial home-manager configuration
---
 flake.nix | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/flake.nix b/flake.nix
index a0d1393..0e38bf0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -191,5 +191,24 @@
 };
 };
+
+ homeConfigurations = {
+ jufr2 = let
+ username = "jufr2";
+ system = "x86_64-linux";
+ pkgs = nixpkgs.legacyPackages.${system};
+ in
+ home-manager.lib.homeManagerConfiguration {
+ inherit pkgs;
+
+ modules = [
+ home/core.nix
+ home/neovim/default.nix
+ home/zsh/default.nix
+ ];
+
+ };
+ };
+
 };
 }
From cc07dcd4df276997eaffb4618b83de571b7ec448 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Fri, 2 Jan 2026 21:48:34 +0100
Subject: [PATCH 39/40] Add nix config to home-manager configuration
---
 flake.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/flake.nix b/flake.nix
index 0e38bf0..3397ae9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -203,6 +203,7 @@
 modules = [
 home/core.nix
+ modules/nix.nix
 home/neovim/default.nix
 home/zsh/default.nix
 ];
From 68a7cc25ac4e1b947dd7466ca04d415f7668e621 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Fri, 2 Jan 2026 22:15:57 +0100
Subject: [PATCH 40/40] Explicitly set nix package to use
---
 modules/nix.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/nix.nix b/modules/nix.nix
index 1329a34..8813371 100644
--- a/modules/nix.nix
+++ b/modules/nix.nix
@@ -5,6 +5,7 @@
 }: {
 # do garbage collection weekly to keep disk usage low
 nix = {
+ package = pkgs.nix;
 settings = {
 experimental-features = ["nix-command" "flakes"];
 };
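Review bot: `username = "jufr2";` is bound in the `let` but never used — neither `extraSpecialArgs` nor any visible module reads it — so the binding is dead and the user name exists only as the attribute name `jufr2`. Either pass it through, `extraSpecialArgs = { inherit username; };` with a module that sets `home.username = username;`, or drop the line. The module paths `home/core.nix` etc. are also written without the `./` prefix this flake uses elsewhere (`./hosts/...`); `./home/core.nix` is the same path and matches the file's style.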
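Review bot: `modules/nix.nix` is now imported by the home-manager configuration as well as, presumably, the NixOS hosts, so every option it sets must exist in both module systems; home-manager defines `nix.package`, `nix.settings` and `nix.gc` but not every NixOS `nix.*` option, and an unknown option fails evaluation of this configuration. A comment above the entry, `# shared with the NixOS hosts; keep modules/nix.nix to options both module systems define`, records the constraint for the next edit. The body of modules/nix.nix is outside this hunk, so I cannot confirm what it sets.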
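Review bot: The comment `# do garbage collection weekly to keep disk usage low` now heads a `nix = { ... }` block whose first visible entries are `package` and `settings.experimental-features`, neither of which concerns garbage collection, so it misdescribes the block. Move it down to the gc options it describes (outside this hunk) or replace it with a block-level comment such as `# nix configuration shared by NixOS and home-manager; the gc settings below keep disk usage low`. If the explicit `package = pkgs.nix;` exists because home-manager's `nix.package` has no default and `nix.settings` needs one, a comment saying so on that line would stop a later cleanup from removing it; the rest of the block is outside the hunk.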