Configure monitoring

Refactor headscale config
Rework torrent setup
2026-02-03 13:30:01 +01:00 · 2026-02-03 13:30:00 +01:00 · 2026-02-03 13:29:59 +01:00 · 2026-02-03 13:29:57 +01:00 · 2026-02-03 13:29:56 +01:00 · 2026-02-03 13:29:55 +01:00
41 changed files with 715 additions and 514 deletions
--- a/.envrc
+++ b/.envrc
@ -1 +1,2 @@
 use flake
+export NH_FLAKE=$(expand_path .)
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
-secrets
-ops/home/.gcroots
+.DS_Store
+secrets/gpg-secret
+secrets/id_ed25519-nix-builder
 .direnv
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,18 @@
+keys:
+  - &sierpinski age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+  # host keys
+  - &synchronicity-ii age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+  - &watchtower age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+  - &tears age1c0jmesk8x3rjqq8elrvdnmz9w2d35u7mkvfeerwv5wtjqqrnt9as9q6tqj
+creation_rules:
+  - path_regex: secrets/restic.env$
+    key_groups:
+      - age:
+          - *sierpinski
+          - *tears
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini|bin)$
+    key_groups:
+      - age:
+          - *sierpinski
+          - *synchronicity-ii
+          - *watchtower
--- a/README.md
+++ b/README.md
@ -1,15 +1,19 @@
-# Nix Infra Config
-Using [colmena](https://github.com/zhaofengli/colmena)
+# Infra Reference

-## Hosts
- `penrose`: macOS/nix-darwin desktop
+## Host Overview
+### nix-darwin
+- `penrose`: *Mac Mini M1*
+- `sierpinski`: *MacBook Air M4*
+### colmena
+- `synchronicity-ii`: Rented high-reliability/low-cost server
+- `tears`: x86 Headless desktop for heavy workloads
+- `watchtower`: *ThinkCentre M75q Gen 2 Tiny*; Home server
+### offline
 - `bloodletting`: Main server / technogothic.net
- `sierpinski`: macOS/nix-darwin laptop
- `watchtower`: Home server

-### Manual setup on blank system/migrations
-bloodletting:
- `colmena apply` - deploy config
+## Manual setup on blank system/migrations
+### bloodletting:
+- `nh os switch --target-host root@bloodletting -H bloodletting` - deploy config
 - `passwd` - set user passwords
 - rsync state:
  - `/var/lib`:
@ -30,15 +34,20 @@ bloodletting:
    - `prosody`
  - `/home/ftp`  

-penrose/sierpinski:
- `darwin-rebuild switch --flake .` - deploy config
-
-[Last commit which includes BSPWM configs](https://git.lain.faith/sorceress/nix-infra/commit/e60bbd7f41bdb4456319637f38a25425b6f5fef7)
+### penrose/sierpinski:
+- `nh darwin switch` - deploy config
+- `age-plugin-se keygen | tee (tty) | tail -n1 >> ~/Library/Application\ Support/sops/age/keys.txt` - generate a private key using the Apple Secure Enclave. Make sure to add it to `.sops.yaml`.
+- `sops updatekeys` - re-encrypt secrets after adding new keys.

 ### Rsyncd Modules
 Modded minecraft instance rsync modules can be accessed through `mc-[modpack]@bloodletting::mc-[modpack]` with `--rsh=ssh`

-### Updating mastodon
+### Updating Mastodon
 ```sh
 cd common/pkgs/mastodon && ./update.sh --owner AgathaSorceress --rev <commit hash>
 ```
+
+[Last commit which includes BSPWM configs](https://git.lain.faith/sorceress/nix-infra/commit/e60bbd7f41bdb4456319637f38a25425b6f5fef7)
+
+### Common Pitfalls
+- Run `sudo ssh tears` if remote builds are failing. This is likely caused by a hidden "Host key verification failed" error.
--- a/common/fragments/bin.nix
+++ b/common/fragments/bin.nix
@ -1,10 +1,21 @@
-{ ... }: {
+{ config, ... }:
+{
  imports = [ ../../common/services/bin.nix ];

  services.bin = {
    enable = true;
-    address = "0.0.0.0";
    port = 6162;
    textUploadLimit = 64;
  };
+
+  services.nginx.virtualHosts."thermalpaste.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://localhost:6162";
+      proxyWebsockets = true;
+      extraConfig = "client_max_body_size ${toString config.services.bin.textUploadLimit}M;";
+    };
+  };
 }
--- a/common/fragments/bittorrent.nix
+++ b/common/fragments/bittorrent.nix
@ -1,65 +1,96 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
-  system.fsPackages = with pkgs; [
-    gocryptfs
-    cifs-utils
-  ];
-  systemd.mounts = [
+  sops.secrets."gluetun.env" = {
+    sopsFile = ../../secrets/gluetun.env;
+    format = "dotenv";
+  };
+  virtualisation.oci-containers.containers =
+    let
+      QBITTORRENT_WEBUI_PORT = "8080";
+    in
    {
-      after = [ "network.target" ];
-      what = "//library.technogothic.net/backup";
-      where = "/mnt/library-raw";
-      type = "cifs";
-      options = "gid=users,file_mode=0664,dir_mode=0775";
-      mountConfig.EnvironmentFile = "/var/lib/secrets/hetzner-env";
-    }
-    {
-      what = "/mnt/library-raw";
-      where = "/mnt/library";
-      type = "fuse.gocryptfs";
-      options = "allow_other,passfile=/var/lib/secrets/gocryptfs-pass";
-      wantedBy = [ "multi-user.target" ];
-    }
-  ];
-
-  virtualisation.oci-containers.containers = {
-    "qbittorrent" = {
-      image = "dyonr/qbittorrentvpn";
-      autoStart = true;
-      volumes = [
-        "/var/lib/qbittorrent:/config"
-        "/mnt/library:/downloads"
-      ];
-      environment = {
-        VPN_TYPE = "wireguard";
-        LAN_NETWORK = "10.21.0.0/16,10.42.0.0/24,100.64.0.0/24";
+      "gluetun" = {
+        image = "qmcgaw/gluetun:latest";
+        autoStart = true;
+        volumes = [
+          "/var/lib/gluetun:/gluetun"
+          "/etc/localtime:/etc/localtime:ro"
+        ];
+        ports = [
+          "127.0.0.1:${QBITTORRENT_WEBUI_PORT}:8080"
+          "100.64.0.1:${QBITTORRENT_WEBUI_PORT}:8080"
+        ];
+        environment = {
+          VPN_SERVICE_PROVIDER = "protonvpn";
+          VPN_TYPE = "openvpn";
+          VPN_PORT_FORWARDING = "on";
+          SERVER_COUNTRIES = "Germany, Netherlands";
+          PORT_FORWARD_ONLY = "on";
+          VPN_PORT_FORWARDING_UP_COMMAND = "/bin/sh -c '/usr/bin/wget -O- --retry-connrefused --post-data \"json={\\\"listen_port\\\":{{PORTS}}}\" http://localhost:${QBITTORRENT_WEBUI_PORT}/api/v2/app/setPreferences 2>&1'";
+        };
+        environmentFiles = [ config.sops.secrets."gluetun.env".path ];
+        extraOptions = [
+          "--cap-add=NET_ADMIN"
+          "--device=/dev/net/tun"
+        ];
      };
-      ports = [ "8080:8080" ];
-      extraOptions = [
-        "--cap-add=NET_ADMIN"
-        "--device=/dev/net/tun"
-        "--privileged"
+      "qbittorrent" = {
+        image = "lscr.io/linuxserver/qbittorrent:latest";
+        autoStart = true;
+        dependsOn = [ "gluetun" ];
+        volumes = [
+          "/var/lib/qbittorrent:/config"
+          "/mnt/library:/downloads"
+          "/etc/localtime:/etc/localtime:ro"
+        ];
+        environment = {
+          PUID = "1000";
+          PGID = "1000";
+          WEBUI_PORT = QBITTORRENT_WEBUI_PORT;
+        };
+        extraOptions = [
+          "--network=container:gluetun"
+        ];
+      };
+      "qui" = {
+        image = "ghcr.io/autobrr/qui:latest";
+        autoStart = true;
+        dependsOn = [ "qbittorrent" ];
+        volumes = [
+          "/var/lib/qui:/config"
+          "/mnt/library:/data/torrents"
+        ];
+        ports = [
+          "100.64.0.1:7476:7476"
+        ];
+      };
+    };
+
+  sops.secrets.qbittorrent-pass = { };
+  systemd.services.qbittorrent-prometheus-exporter = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${pkgs.prometheus-qbittorrent-exporter}/bin/qbit-exp";
+      Restart = "always";
+
+      Environment = [
+        "EXPORTER_PORT=9006"
+        "QBITTORRENT_USERNAME=Agatha"
+        "QBITTORRENT_PASSWORD_FILE=${config.sops.secrets.qbittorrent-pass.path}"
+        "QBITTORRENT_BASE_URL=http://localhost:8080"
      ];
    };
  };

-  # Jellyfin
-  services.jellyfin = {
-    enable = true;
-    openFirewall = true;
-  };
-  environment.systemPackages = with pkgs; [
-    jellyfin
-    jellyfin-web
-    jellyfin-ffmpeg
-  ];
-
  # SMB Share
  services.samba = {
    enable = true;
    openFirewall = true;
    settings.global = {
-      "server string" = "Watchtower";
+      "server string" = "Synchronicity-II";
      "guest account" = "nobody";
      "map to guest" = "bad user";
    };
@ -70,15 +101,4 @@
      "guest ok" = "yes";
    };
  };
-
-  services.prowlarr = {
-    enable = true;
-    openFirewall = true;
-  };
-
-  services.radarr = {
-    enable = true;
-    openFirewall = true;
-    user = "root";
-  };
 }
--- a/common/fragments/grafana.nix
+++ b/common/fragments/grafana.nix
@ -14,37 +14,13 @@
    };
  };

-  networking.firewall.allowedTCPPorts = [ config.services.grafana.settings.server.http_port ];
+  services.nginx.virtualHosts."grafana.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;

-  services.prometheus = {
-    enable = true;
-    port = 9001;
-    retentionTime = "365d";
-    scrapeConfigs = [
-      {
-        job_name = "bloodletting";
-        static_configs = [
-          { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
-        ];
-      }
-      {
-        job_name = "nginx";
-        static_configs = [
-          { targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; }
-        ];
-      }
-      {
-        job_name = "telegraf";
-        static_configs = [
-          { targets = [ config.services.telegraf.extraConfig.outputs.prometheus_client.listen ]; }
-        ];
-      }
-      {
-        job_name = "process";
-        static_configs = [
-          { targets = [ "localhost:${toString config.services.prometheus.exporters.process.port}" ]; }
-        ];
-      }
-    ];
+    locations."/" = {
+      proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
+      proxyWebsockets = true;
+    };
  };
 }
--- a/common/fragments/graphical/darwin.nix
+++ b/common/fragments/graphical/darwin.nix
@ -20,6 +20,10 @@
    trusted-users = [ "@admin" ];
  };

+  users.users.agatha.packages = with pkgs; [
+    age-plugin-se
+  ];
+
  # Needed for the nix-darwin environment even if zsh is not used.
  programs.zsh.enable = true;

--- a/common/fragments/graphical/default.nix
+++ b/common/fragments/graphical/default.nix
@ -4,21 +4,18 @@

  # User packages
  users.users.agatha.packages = with pkgs; [
-    android-tools
-    broot
    colmena
    exiftool
    ffmpeg
+    file
    flac
    hyperfine
    just
    magic-wormhole
-    neofetch
    nil
+    nixd
    pfetch
-    pridefetch
    rink
-    sshfs
    whois
    wireguard-tools
    yt-dlp
--- a/common/fragments/headscale.nix
+++ b/common/fragments/headscale.nix
@ -1,3 +1,4 @@
+{ config, ... }:
 {
  services.headscale = {
    enable = true;
@ -11,6 +12,17 @@
        ]; # AdGuard Public DNS
        base_domain = "thorns.home.arpa";
      };
+      taildrop.enabled = true;
+    };
+  };
+
+  services.nginx.virtualHosts."hs.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://localhost:${toString config.services.headscale.port}";
+      proxyWebsockets = true;
    };
  };
 }
--- a/common/fragments/home-assistant.nix
+++ b/common/fragments/home-assistant.nix
@ -1,3 +1,4 @@
+{ config, pkgs, ... }:
 {
  networking.firewall.allowedTCPPorts = [
    8123
@ -50,9 +51,19 @@
      WIFI_IFACE = "wlp2s0";
      SHARE_METHOD = "none";
      SSID = "Agatha-Isolated-Network";
-      # TODO: Replace placeholder password after switching to sops-nix
-      PASSPHRASE = "nCvKNgRH5L5DFBR4JULP3GHbDuk9XLfT";
    };
  };
  networking.networkmanager.unmanaged = [ "wlp2s0" ];
+
+  # TODO: Rotate password
+  # Hack around linux-wifi-hotspot's lack of secret management
+  sops.secrets.create-ap-pass = { };
+  sops.templates."create-ap.conf".content = ''
+    PASSPHRASE=${config.sops.placeholder.create-ap-pass}
+  ''
+  + pkgs.lib.generators.toKeyValue { } config.services.create_ap.settings;
+  systemd.services.create_ap.serviceConfig.ExecStart =
+    pkgs.lib.mkForce "${pkgs.linux-wifi-hotspot}/bin/create_ap --config ${
+      config.sops.templates."create-ap.conf".path
+    }";
 }
--- a/common/fragments/media.nix
+++ b/common/fragments/media.nix
@ -0,0 +1,36 @@
+{ pkgs, config, ... }:
+{
+  # Jellyfin
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+  environment.systemPackages = with pkgs; [
+    jellyfin
+    jellyfin-web
+    jellyfin-ffmpeg
+  ];
+
+  services.prowlarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  sops.secrets.jellyfin-token = {
+    sopsFile = ../../secrets/jellyfin-exporter.env;
+    format = "dotenv";
+  };
+  virtualisation.oci-containers.containers."jellyfin-prometheus-exporter" = {
+    image = "rebelcore/jellyfin-exporter:latest";
+    autoStart = true;
+    ports = [
+      "127.0.0.1:9007:9594"
+    ];
+    environmentFiles = [ config.sops.secrets.jellyfin-token.path ];
+    entrypoint = "/bin/sh";
+    cmd = [
+      "-c"
+      "/bin/jellyfin_exporter --jellyfin.address=http://100.64.0.6:8096 --jellyfin.token=$JELLYFIN_TOKEN --collector.activity"
+    ];
+  };
+}
--- a/common/fragments/prometheus_exporters.nix
+++ b/common/fragments/prometheus_exporters.nix
@ -1,6 +1,23 @@
+{ config, ... }:
 {
-  # Enable Prometheus exporters
  services.prometheus = {
+    enable = true;
+    port = 9001;
+    retentionTime = "365d";
+    scrapeConfigs =
+      let
+        input = job_name: host: {
+          inherit job_name;
+          static_configs = [
+            { targets = [ host ]; }
+          ];
+        };
+      in
+      [
+        (input "node" "localhost:${toString config.services.prometheus.exporters.node.port}")
+        (input "nginx" "localhost:${toString config.services.prometheus.exporters.nginx.port}")
+        (input "process" "localhost:${toString config.services.prometheus.exporters.process.port}")
+      ];
    exporters = {
      node = {
        enable = true;
@ -33,18 +50,4 @@
      };
    };
  };
-
-  services.telegraf = {
-    enable = true;
-    extraConfig = {
-      inputs.x509_cert = {
-        sources = [ "https://technogothic.net:443" ];
-        interval = "10m";
-      };
-      outputs.prometheus_client = {
-        listen = "localhost:9004";
-        metric_version = 2;
-      };
-    };
-  };
 }
--- a/common/fragments/restic.nix
+++ b/common/fragments/restic.nix
@ -1,18 +1,27 @@
-{ config, ... }: {
+{ config, ... }:
+{
+  sops.secrets.restic-pass = { };
+  sops.templates."restic.env".content = ''
+    RESTIC_REST_USERNAME=agatha
+    RESTIC_REST_PASSWORD=${config.sops.placeholder.restic-pass}
+  '';
  services.restic.backups.${config.networking.hostName} = {
    initialize = true;

    repository = "rest:http://10.20.1.2:8000/${config.networking.hostName}/";

-    passwordFile = "/var/lib/secrets/restic-password";
-    environmentFile = "/var/lib/secrets/restic-env";
+    passwordFile = config.sops.secrets.restic-pass.path;
+    environmentFile = config.sops.templates."restic.env".path;

    timerConfig = {
      OnCalendar = "*-*-* 20:00"; # Daily at 20:00
      Persistent = true;
    };

-    paths = [ "/home/agatha" "/mnt/hdd" ];
+    paths = [
+      "/home/agatha"
+      "/mnt/hdd"
+    ];
    exclude = [
      ".Trash*"
      ".gradle"
@ -45,9 +54,12 @@
      "lost+found"
    ];

-    pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 12" ];
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-yearly 12"
+    ];
  };

-  systemd.timers."restic-backups-${config.networking.hostName}".after =
-    [ "network-online.target" ];
+  systemd.timers."restic-backups-${config.networking.hostName}".after = [ "network-online.target" ];
 }
--- a/common/fragments/sops.nix
+++ b/common/fragments/sops.nix
@ -0,0 +1,13 @@
+{
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+    secrets = {
+      hurricane-tokens = {
+        sopsFile = ../../secrets/hurricane-tokens.env;
+        format = "dotenv";
+      };
+    };
+  };
+}
--- a/common/fragments/storage.nix
+++ b/common/fragments/storage.nix
@ -0,0 +1,30 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets.gocryptfs-pass = { };
+  sops.secrets."hetzner.env" = {
+    sopsFile = ../../secrets/hetzner.env;
+    format = "dotenv";
+  };
+
+  system.fsPackages = with pkgs; [
+    gocryptfs
+    cifs-utils
+  ];
+  systemd.mounts = [
+    {
+      after = [ "network.target" ];
+      what = "//library.technogothic.net/backup";
+      where = "/mnt/library-raw";
+      type = "cifs";
+      options = "uid=1000,gid=users,file_mode=0664,dir_mode=0775";
+      mountConfig.EnvironmentFile = config.sops.secrets."hetzner.env".path;
+    }
+    {
+      what = "/mnt/library-raw";
+      where = "/mnt/library";
+      type = "fuse.gocryptfs";
+      options = "allow_other,passfile=${config.sops.secrets.gocryptfs-pass.path}";
+      wantedBy = [ "multi-user.target" ];
+    }
+  ];
+}
--- a/common/fragments/virt.nix
+++ b/common/fragments/virt.nix
@ -23,7 +23,7 @@
      ];
  };

-  hardware.opengl.enable = true;
+  hardware.graphics.enable = true;
  virtualisation.spiceUSBRedirection.enable = true;
  services.openssh.settings.X11Forwarding = true;

--- a/common/home_manager/common.nix
+++ b/common/home_manager/common.nix
@ -54,9 +54,38 @@
        };
      };

+      jujutsu = {
+        enable = true;
+        settings = {
+          inherit (config.home-manager.users.agatha.programs.git.settings) user;
+          signing = {
+            backend = "ssh";
+            behavior = "own";
+          };
+          ui.default-command = "log";
+          ui.diff-editor = ":builtin";
+          template-aliases = {
+            "format_short_signature(signature)" = "signature.name()";
+          };
+          revset-aliases = {
+            "closest_pushable(to)" =
+              "heads(::to & mutable() & ~description(exact:\"\") & (~empty() | merges()))";
+          };
+          aliases.tug = [
+            "bookmark"
+            "move"
+            "--from"
+            "heads(::@ & bookmarks())"
+            "--to"
+            "closest_pushable(@)"
+          ];
+        };
+      };
+
      delta = {
        enable = true;
        enableGitIntegration = true;
+        enableJujutsuIntegration = true;
        options = {
          blame-format = "{timestamp:<15} {author:<18.18} {commit:<8}";
          file-modified-label = "modified:";
--- a/common/services/bin.nix
+++ b/common/services/bin.nix
@ -1,9 +1,16 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 with lib;

-let cfg = config.services.bin;
-in {
+let
+  cfg = config.services.bin;
+in
+{
  options = {
    services.bin = {
      enable = mkEnableOption "Pastebin";
@ -54,11 +61,10 @@ in {

      serviceConfig = {
        Type = "simple";
-        Environment =
-          ''BIN_LIMITS={form="${toString cfg.textUploadLimit} MiB"}'';
-        ExecStart = "${pkgs.bin}/bin/bin -a ${toString cfg.address} -b ${
-            toString cfg.binaryUploadLimit
-          } -p ${toString cfg.port} -u ${toString cfg.upload}";
+        Environment = ''BIN_LIMITS={form="${toString cfg.textUploadLimit} MiB"}'';
+        ExecStart = "${
+          pkgs.callPackage ../../common/pkgs/bin.nix { }
+        }/bin/bin -a ${toString cfg.address} -b ${toString cfg.binaryUploadLimit} -p ${toString cfg.port} -u ${toString cfg.upload}";
        WorkingDirectory = "/var/lib/bin_rs";
        Restart = "always";
      };
--- a/flake.lock
+++ b/flake.lock
@ -21,46 +21,7 @@
        "type": "github"
      }
    },
-    "colmena": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "nixpkgs-unstable"
-        ],
-        "stable": "stable"
-      },
-      "locked": {
-        "lastModified": 1685370160,
-        "narHash": "sha256-7EAZtvHZBN4CFbUWznQicGL/g2+A/9w5JUl88xWmxkI=",
-        "owner": "AgathaSorceress",
-        "repo": "colmena",
-        "rev": "f279530ba0ca33f30fc3ae386ae5487e8d926460",
-        "type": "github"
-      },
-      "original": {
-        "owner": "AgathaSorceress",
-        "repo": "colmena",
-        "type": "github"
-      }
-    },
    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1650374568,
-        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1668681692,
@ -77,21 +38,6 @@
      }
    },
    "flake-utils": {
-      "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@ -167,8 +113,8 @@
    },
    "mms": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils_2",
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
        "nix": "nix",
        "nixpkgs": [
          "nixpkgs"
@ -383,7 +329,6 @@
    "root": {
      "inputs": {
        "ccase": "ccase",
-        "colmena": "colmena",
        "home-manager": "home-manager",
        "matrix-ril100": "matrix-ril100",
        "mms": "mms",
@ -391,23 +336,28 @@
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-darwin": "nixpkgs-darwin",
        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix",
        "url-eater": "url-eater",
        "vampysite": "vampysite"
      }
    },
-    "stable": {
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
      "locked": {
-        "lastModified": 1669735802,
-        "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "731cc710aeebecbf45a258e977e8b68350549522",
+        "lastModified": 1768863606,
+        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-22.11",
-        "repo": "nixpkgs",
+        "owner": "Mic92",
+        "repo": "sops-nix",
        "type": "github"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@ -16,6 +16,11 @@
      inputs.nixpkgs.follows = "nixpkgs-darwin";
    };

+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    mms = {
      url = "github:mkaito/nixos-modded-minecraft-servers";
      inputs.nixpkgs.follows = "nixpkgs";
@ -31,12 +36,6 @@
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

-    # Latest colmena + prettier loading icons
-    colmena = {
-      url = "github:AgathaSorceress/colmena";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-
    ccase = {
      url = "github:rutrum/ccase";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -49,15 +48,28 @@
      nixpkgs-darwin,
      home-manager,
      nix-darwin,
+      sops-nix,
      mms,
-      url-eater,
      matrix-ril100,
-      colmena,
      vampysite,
      ccase,
      ...
    }:
    let
+      supportedSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
+      forEachSupportedSystem =
+        f:
+        nixpkgs.lib.genAttrs supportedSystems (
+          system:
+          f {
+            pkgs = import nixpkgs { inherit system; };
+          }
+        );
      mkOverlays = system: config: [
        (final: prev: {
          vampysite = vampysite.packages.${system}.default;
@ -67,224 +79,76 @@
          # Unstable packages
          unstable = import nixpkgs-unstable { inherit system config; };
        })
-        colmena.overlay
      ];
+      darwinpkgs = import nixpkgs-darwin rec {
+        system = "aarch64-darwin";
+        config.allowUnfree = true;
+        overlays = mkOverlays system config;
+      };
+      x86pkgs = import nixpkgs rec {
+        system = "x86_64-linux";
+        config.allowUnfree = true;
+        overlays = mkOverlays system config;
+      };
    in
    {
-      colmena = {
-        network = {
-          description = "Agatha's Nix Infra";
-
-          nixpkgs = import nixpkgs rec {
-            system = "x86_64-linux";
-            config.allowUnfree = true;
-            overlays = mkOverlays system config;
-          };
-
-          nodeNixpkgs.synchronicity = import nixpkgs rec {
-            system = "aarch64-linux";
-            config.allowUnfree = true;
-            overlays = mkOverlays system config;
-          };
-        };
-
-        bloodletting = {
-          imports = [
-            ./common
-            ./common/linux-specific.nix
-            ./hosts/bloodletting/configuration.nix
-            (import "${home-manager}/nixos")
-            mms.module
-          ];
-
-          deployment = {
-            targetUser = "root";
-            targetHost = "technogothic.net";
-
-            tags = [ "prod" ];
-
-            keys = {
-              "nyandroid-token" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/nyandroid-token"
-                ];
-                destDir = "/var/lib/secrets/";
-              };
-              "hurricane-tokens" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/hurricane-tokens"
-                ];
-                destDir = "/var/lib/secrets/";
-              };
-              "mc-status-bot-env" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/mc-status-bot-env"
-                ];
-                destDir = "/var/lib/secrets";
-              };
-              "ril100-bot-secrets" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/ril100-bot-secrets"
-                ];
-                destDir = "/var/lib/matrix-ril100";
-                name = ".env";
-              };
-            };
-          };
-        };
-
-        synchronicity = {
-          imports = [
-            ./common
-            ./common/linux-specific.nix
-            ./hosts/synchronicity/configuration.nix
-            (import "${home-manager}/nixos")
-          ];
-
-          deployment = {
-            targetUser = "root";
-            targetHost = "synchronicity";
-
-            tags = [ "prod" ];
-
-            keys = {
-              "nyandroid-token" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/nyandroid-token"
-                ];
-                destDir = "/var/lib/secrets/";
-              };
-              "hurricane-tokens" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/hurricane-tokens"
-                ];
-                destDir = "/var/lib/secrets/";
-              };
-            };
-          };
-        };
-
-        watchtower = {
-          imports = [
-            ./common
-            ./common/linux-specific.nix
-            ./hosts/watchtower/configuration.nix
-            (import "${home-manager}/nixos")
-          ];
-
-          deployment = {
-            targetUser = "root";
-            targetHost = "watchtower";
-
-            tags = [
-              "prod"
-              "home"
-            ];
-
-            keys = {
-              "hetzner-env" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/hetzner-env"
-                ];
-                destDir = "/var/lib/secrets/";
-              };
-              "gocryptfs-pass" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/gocryptfs-pass"
-                ];
-                destDir = "/var/lib/secrets/";
-              };
-            };
-          };
-        };
-
-        tears = {
-          imports = [
-            ./common
-            ./common/linux-specific.nix
-            ./hosts/tears/configuration.nix
-            (import "${home-manager}/nixos")
-            url-eater.nixosModules.default
-          ];
-
-          deployment = {
-            targetUser = "root";
-            targetHost = "tears";
-
-            tags = [ "home" ];
-
-            allowLocalDeployment = true;
-
-            keys = {
-              "restic-password" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/restic-password"
-                ];
-                destDir = "/var/lib/secrets/";
-              };
-              "restic-env" = {
-                keyCommand = [
-                  "cat"
-                  "./secrets/restic-env"
-                ];
-                destDir = "/var/lib/secrets/";
-              };
-            };
-          };
-        };
-      };
      darwinConfigurations."penrose" = nix-darwin.lib.darwinSystem {
-        pkgs = import nixpkgs-darwin rec {
-          system = "aarch64-darwin";
-          config.allowUnfree = true;
-          overlays = mkOverlays system config;
-        };
+        pkgs = darwinpkgs;
        modules = [
-          ./common
          ./hosts/penrose/configuration.nix
          (import "${home-manager}/nix-darwin")
        ];
      };
      darwinConfigurations."sierpinski" = nix-darwin.lib.darwinSystem {
-        pkgs = import nixpkgs-darwin rec {
-          system = "aarch64-darwin";
-          config.allowUnfree = true;
-          overlays = mkOverlays system config;
-        };
+        pkgs = darwinpkgs;
        modules = [
-          ./common
          ./hosts/sierpinski/configuration.nix
          (import "${home-manager}/nix-darwin")
        ];
      };
-      devShells =
-        let
-          patchedColmena =
-            system:
-            let
-              pkgs = import nixpkgs { inherit system; };
-            in
-            pkgs.mkShell {
-              buildInputs = [
-                (pkgs.writeShellScriptBin "colmena" ''
-                  ${colmena.defaultPackage.${system}}/bin/colmena --disable-emoji $@
-                '')
-              ];
-            };
-        in
+      nixosConfigurations."bloodletting" = nixpkgs.lib.nixosSystem {
+        pkgs = x86pkgs;
+        modules = [
+          ./hosts/bloodletting/configuration.nix
+          (import "${home-manager}/nixos")
+          sops-nix.nixosModules.sops
+          mms.module
+        ];
+      };
+      nixosConfigurations."synchronicity-ii" = nixpkgs.lib.nixosSystem {
+        pkgs = x86pkgs;
+        modules = [
+          ./hosts/synchronicity/configuration.nix
+          (import "${home-manager}/nixos")
+          sops-nix.nixosModules.sops
+        ];
+      };
+      nixosConfigurations."watchtower" = nixpkgs.lib.nixosSystem {
+        pkgs = x86pkgs;
+        modules = [
+          ./hosts/watchtower/configuration.nix
+          (import "${home-manager}/nixos")
+          sops-nix.nixosModules.sops
+        ];
+      };
+      nixosConfigurations."tears" = nixpkgs.lib.nixosSystem {
+        pkgs = x86pkgs;
+        modules = [
+          ./hosts/tears/configuration.nix
+          (import "${home-manager}/nixos")
+        ];
+      };
+      devShells = forEachSupportedSystem (
+        { pkgs }:
+        with pkgs;
        {
-          "x86_64-linux".default = patchedColmena "x86_64-linux";
-          "aarch64-darwin".default = patchedColmena "aarch64-darwin";
-          "x86_64-darwin".default = patchedColmena "x86_64-darwin";
-        };
+          default = mkShell {
+            buildInputs = [
+              nh
+              sops
+            ];
+          };
+        }
+      );
    };
 }
--- a/hosts/bloodletting/configuration.nix
+++ b/hosts/bloodletting/configuration.nix
@ -7,10 +7,9 @@
 {
  imports = [
    ./hardware-configuration.nix
-    ../../common/fragments/bin.nix
+    ../../common
+    ../../common/linux-specific.nix
    ../../common/fragments/fail2ban.nix
-    ../../common/fragments/grafana.nix
-    ../../common/fragments/headscale.nix
    ../../common/fragments/hedgedoc.nix
    ../../common/fragments/mastodon-ebooks.nix
    ../../common/fragments/mastodon.nix
@ -20,15 +19,15 @@
    ../../common/fragments/minecraft.nix
    ../../common/fragments/nyandroid.nix
    ../../common/fragments/postgres.nix
-    ../../common/fragments/prometheus_exporters.nix
+    ../../common/fragments/prometheus.nix
    ../../common/fragments/prosody.nix
+    ../../common/fragments/sops.nix
    ../../common/fragments/vsftpd.nix
    ../../common/home_manager/common.nix
  ];

  nixpkgs.overlays = [
    (final: prev: {
-      bin = final.callPackage ../../common/pkgs/bin.nix { };
      agatha-mastodon = final.callPackage ../../common/pkgs/mastodon/default.nix { };
    })
  ];
@ -108,7 +107,7 @@
      "*.argent.technogothic.net"
    ];
    dnsProvider = "hurricane";
-    credentialsFile = "/var/lib/secrets/hurricane-tokens";
+    credentialsFile = config.sops.secrets.hurricane-tokens.path;
    group = "nginx";
  };

@ -182,27 +181,6 @@
      globalRedirect = "technogothic.net";
    };

-    virtualHosts."grafana.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://localhost:2342";
-        proxyWebsockets = true;
-      };
-    };
-
-    virtualHosts."thermalpaste.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://localhost:6162";
-        proxyWebsockets = true;
-        extraConfig = "client_max_body_size ${toString config.services.bin.textUploadLimit}M;";
-      };
-    };
-
    virtualHosts."ftp.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
@ -258,16 +236,6 @@
      };
    };

-    virtualHosts."hs.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://localhost:${toString config.services.headscale.port}";
-        proxyWebsockets = true;
-      };
-    };
-
    virtualHosts."jellyfin.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
--- a/hosts/penrose/configuration.nix
+++ b/hosts/penrose/configuration.nix
@ -1,10 +1,14 @@
 {
-  imports = [ ../../common/fragments/graphical/darwin.nix ];
+  imports = [
+    ../../common
+    ../../common/fragments/graphical/darwin.nix
+  ];

  nixpkgs.hostPlatform = "aarch64-darwin";

-  home-manager.users.agatha.programs = {
+  home-manager.users.agatha.programs = rec {
    git.signing.key = "/Users/agatha/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/4286cbdb09fc1738081e8f7996a0b984.pub";
+    jujutsu.settings.signing.key = git.signing.key;
  };

  system.stateVersion = 6;
--- a/hosts/sierpinski/configuration.nix
+++ b/hosts/sierpinski/configuration.nix
@ -1,10 +1,14 @@
 {
-  imports = [ ../../common/fragments/graphical/darwin.nix ];
+  imports = [
+    ../../common
+    ../../common/fragments/graphical/darwin.nix
+  ];

  nixpkgs.hostPlatform = "aarch64-darwin";

-  home-manager.users.agatha.programs = {
+  home-manager.users.agatha.programs = rec {
    git.signing.key = "/Users/agatha/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/0082ebb800203877650324946262cf51.pub";
+    jujutsu.settings.signing.key = git.signing.key;
  };

  system.stateVersion = 6;
--- a/hosts/synchronicity/configuration.nix
+++ b/hosts/synchronicity/configuration.nix
@ -6,11 +6,20 @@
  imports = [
    ./hardware-configuration.nix
    ./networking.nix
+    ./monitoring.nix
+    ../../common
+    ../../common/linux-specific.nix
+    ../../common/fragments/bin.nix
+    ../../common/fragments/bittorrent.nix
+    ../../common/fragments/grafana.nix
    ../../common/fragments/headscale.nix
+    ../../common/fragments/prometheus.nix
+    ../../common/fragments/sops.nix
+    ../../common/fragments/storage.nix
    ../../common/home_manager/common.nix
  ];

-  networking.hostName = "synchronicity";
+  networking.hostName = "synchronicity-ii";

  # Enable networking
  networking.networkmanager.enable = true;
@ -48,11 +57,12 @@
  security.acme.defaults.email = "letsencrypt@technogothic.net";

  security.acme.certs."technogothic.net" = {
-    domain = "hs.technogothic.net";
+    domain = "*.technogothic.net";
    extraDomainNames = [
+      "technogothic.net"
    ];
    dnsProvider = "hurricane";
-    credentialsFile = "/var/lib/secrets/hurricane-tokens";
+    credentialsFile = config.sops.secrets.hurricane-tokens.path;
    group = "nginx";
  };

@ -72,16 +82,6 @@
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
-
-    virtualHosts."hs.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://localhost:${toString config.services.headscale.port}";
-        proxyWebsockets = true;
-      };
-    };
  };

  # This value determines the NixOS release from which the default
@ -90,5 +90,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "25.11"; # Did you read the comment?
 }
--- a/hosts/synchronicity/hardware-configuration.nix
+++ b/hosts/synchronicity/hardware-configuration.nix
@ -6,9 +6,20 @@
    efiInstallAsRemovable = true;
    device = "nodev";
  };
-  fileSystems."/boot" = { device = "/dev/disk/by-uuid/F5B8-26D6"; fsType = "vfat"; };
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/7A0A-7539";
+    fsType = "vfat";
+  };
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "xen_blkfront"
+    "vmw_pvscsi"
+  ];
  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  fileSystems."/" = {
+    device = "/dev/sda1";
+    fsType = "ext4";
+  };

 }
--- a/hosts/synchronicity/monitoring.nix
+++ b/hosts/synchronicity/monitoring.nix
@ -0,0 +1,30 @@
+{ config, ... }:
+{
+  services.prometheus.scrapeConfigs =
+    let
+      input = job_name: host: {
+        inherit job_name;
+        static_configs = [
+          { targets = [ host ]; }
+        ];
+      };
+    in
+    [
+      (input "telegraf" "localhost${config.services.telegraf.extraConfig.outputs.prometheus_client.listen}")
+      (input "qbittorrent" "localhost:9006")
+    ];
+
+  services.telegraf = {
+    enable = true;
+    extraConfig = {
+      inputs.x509_cert = {
+        sources = [ "https://technogothic.net:443" ];
+        interval = "10m";
+      };
+      outputs.prometheus_client = {
+        listen = ":9004";
+        metric_version = 2;
+      };
+    };
+  };
+}
--- a/hosts/synchronicity/networking.nix
+++ b/hosts/synchronicity/networking.nix
@ -1,9 +1,11 @@
-{ lib, ... }: {
+{ lib, ... }:
+{
  # This file was populated at runtime with the networking
  # details gathered from the active system.
  networking = {
-    nameservers = [ "8.8.8.8"
- ];
+    nameservers = [
+      "8.8.8.8"
+    ];
    defaultGateway = "172.31.1.1";
    defaultGateway6 = {
      address = "fe80::1";
@ -14,20 +16,39 @@
    interfaces = {
      eth0 = {
        ipv4.addresses = [
-          { address="157.180.21.190"; prefixLength=32; }
+          {
+            address = "77.42.21.227";
+            prefixLength = 32;
+          }
        ];
        ipv6.addresses = [
-          { address="2a01:4f9:c013:cf97::1"; prefixLength=64; }
-{ address="fe80::9000:6ff:fe46:85f6"; prefixLength=64; }
+          {
+            address = "2a01:4f9:c012:5901::1";
+            prefixLength = 64;
+          }
+          {
+            address = "fe80::9000:7ff:fe07:64f5";
+            prefixLength = 64;
+          }
+        ];
+        ipv4.routes = [
+          {
+            address = "172.31.1.1";
+            prefixLength = 32;
+          }
+        ];
+        ipv6.routes = [
+          {
+            address = "fe80::1";
+            prefixLength = 128;
+          }
        ];
-        ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
-        ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
      };

    };
  };
  services.udev.extraRules = ''
-    ATTR{address}=="92:00:06:46:85:f6", NAME="eth0"
+    ATTR{address}=="92:00:07:07:64:f5", NAME="eth0"

  '';
 }
--- a/hosts/tears/configuration.nix
+++ b/hosts/tears/configuration.nix
@ -1,6 +1,8 @@
 {
  imports = [
    ./hardware-configuration.nix
+    ../../common
+    ../../common/linux-specific.nix
    ../../common/fragments/graphical
    ../../common/fragments/virt.nix
    ../../common/home_manager/common.nix
--- a/hosts/tears/hardware-configuration.nix
+++ b/hosts/tears/hardware-configuration.nix
@ -1,21 +1,31 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:

 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules =
-    [ "thunderbolt" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "thunderbolt"
+    "xhci_pci"
+    "ahci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

  boot.initrd.systemd = {
    enable = true;
-    emergencyAccess =
-      "$2b$05$eOIXFST5/9G6vAFIZDLGfuJV7CV1B26YmRMAFRstyRHwvBNFSN6Im";
+    emergencyAccess = "$2b$05$eOIXFST5/9G6vAFIZDLGfuJV7CV1B26YmRMAFRstyRHwvBNFSN6Im";
  };

  boot.supportedFilesystems = [ "ntfs" ];
@ -42,10 +52,12 @@
    fsType = "btrfs";
  };

-  swapDevices = [{
-    device = "/var/lib/swapfile";
-    size = 8 * 1024;
-  }];
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      size = 8 * 1024;
+    }
+  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@ -57,11 +69,10 @@
  # networking.interfaces.wlp7s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

-  hardware.opengl = {
+  hardware.graphics = {
    enable = true;
-    driSupport32Bit = true;
+    enable32Bit = true;
  };
 }
--- a/hosts/watchtower/configuration.nix
+++ b/hosts/watchtower/configuration.nix
@ -1,17 +1,24 @@
 {
  imports = [
    ./hardware-configuration.nix
-    ../../common/home_manager/common.nix
-    ../../common/fragments/bittorrent.nix
+    ./monitoring.nix
+    ../../common
    ../../common/fragments/home-assistant.nix
+    ../../common/fragments/media.nix
+    ../../common/fragments/prometheus.nix
+    ../../common/fragments/sops.nix
    ../../common/fragments/sponsorblock.nix
+    ../../common/fragments/storage.nix
+    ../../common/home_manager/common.nix
+    ../../common/linux-specific.nix
  ];

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

-  boot.initrd.luks.devices."luks-081780bd-f005-4394-bbf2-3e5d9aab3c7d".device = "/dev/disk/by-uuid/081780bd-f005-4394-bbf2-3e5d9aab3c7d";
+  boot.initrd.luks.devices."luks-081780bd-f005-4394-bbf2-3e5d9aab3c7d".device =
+    "/dev/disk/by-uuid/081780bd-f005-4394-bbf2-3e5d9aab3c7d";

  networking.hostName = "watchtower";

--- a/hosts/watchtower/monitoring.nix
+++ b/hosts/watchtower/monitoring.nix
@ -0,0 +1,14 @@
+{
+  services.prometheus.scrapeConfigs =
+    let
+      input = job_name: host: {
+        inherit job_name;
+        static_configs = [
+          { targets = [ host ]; }
+        ];
+      };
+    in
+    [
+      (input "jellyfin" "localhost:9007")
+    ];
+}
--- a/ops/home/push
+++ b/ops/home/push
@ -1,5 +0,0 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -p colmena -i bash
-
-set -e
-colmena apply $@
--- a/secrets/frq-friend-fedi-data.toml.bin
+++ b/secrets/frq-friend-fedi-data.toml.bin
@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:sYrv8xVojM6mU4l+4HHtwuF/XLlJD6rQW5BxmKDhPybS1CommEIYjzIOFkXPv7V3mCgrbDOZJntqX3xlZtoonO6/Ug6kOIeAL28hDBEDMVIsRV7jM377nR9QHa+dBEg8UNR8e+9Uaq8+6OcZJeuB8V6VTrAT8jEqwGR42Xx26QBgP6Ez07QbCIxAF0RPQXLIFHSKp0DFHMnmTxvSTm6TP2P3149W9EQE6cy6Jj5YTrqrHu7+Q532Z+DDFqx+JdWZDkQjrzBPSuM05WBawoVNsxcuYb9YLzrZjNszsRHQOrKZVH9fhTGwmy9H088zur6cTcQD,iv:OwGJM41AkivKWawZ1f3Pf6uWBJxSsPf+M/hIimrVBv8=,tag:vHg59RSTh8Jem9A4z/8p4g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBN2FUN2Rn\nblhrUDJ4a1BtK1QySHJsWlJUcVFQckR1SUh0dWxPdmtYTU1CbgpRemxYZHRlMWps\nZ1NMZWU2cmducWd0Q1hHMmd6V3NHSHRFbThvcy9ROHljCi0tLSBiR1RlZ1hTMFBN\nMGEzelIvVHdrSTI0TmtvS3FqaVZQdnFKM1FCNTd5YzB3Cnlx1Dqj+SRHv9AkagDg\noEWwz/UlU3qQLb/KGAZjWxZ9a1SyYiHix9L9yg7KaiYcZDaD1SpqSehEijqbhVEn\nFBk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RnJUdHBDMWNFYzk0WmlV\nZjM4eDhwZHd0b3p1Yk9qakVjajVRQVpRL0EwCloxRFBnM3pXd015MFBOYWZBTmVl\nRlRqNWxsWE01Q3F5TUZ6RjU2ajVpM0kKLS0tIDZZYU13UEF4Mk9xRkZCZEc5RkY4\nb2p6YW5mcENOWGJzOFlJdURCc2pqa0EKQOP0X7Oc74hkeODFjbg+EbtRNRkAd3is\ntaSJJoDLYLGnO3ZXPgJ2BZo87AivQqAeC476HXXPzG4ekxJ4SNgcwQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5VEdlc3p1N1ZtckpVUEoy\nOGpJeWt0amdRS2pPcGJkeUJEL1kyWVFEUldNCjZtT2M1QXAwdWJVRkNhdHF4bWl2\ncHdISWR4ZVVUbzVCYnZXRnZRcnNJK00KLS0tIDFJODJVOHhVai9qZUFWdkRyMlk3\nQU5Ed3NZRU5CVUZGM1VUb0Fibzg4WHcKFrZADMcpvosNqGpaqSQSWgGHbcfJUVi9\nb4iiWEB9xtkidNrZ2ir7C5kXUDmEskE0idBcs36oQJ+5jgcoy+vVdQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-02-02T16:53:43Z",
+		"mac": "ENC[AES256_GCM,data:CK1T/TlJwmikmdJzjn6UrtbmFLSLL/B8rHONwRsnOwLSt0Y8g/5BJlI67pc42gtqdEbpSDpxfztr0gat7tm5xvfo8lTWWafqOw8Hj343/ya1LLJKlq0ScSo+liFdrJhPXXwHn6T9dlnJQwmrYTZc6isjj4nwFaReOFre/NgBFzI=,iv:EdjoWJri/TGU+Zf3eR8PF4+FwBx8hzTikrMx6Hga7dw=,tag:3F2+vQksjK+zzEuO/JPomg==,type:str]",
+		"version": "3.11.0"
+	}
+}
--- a/secrets/gluetun.env
+++ b/secrets/gluetun.env
@ -0,0 +1,12 @@
+OPENVPN_USER=ENC[AES256_GCM,data:UC3zqZEHTUKDdEHz6MxLZZJHLbg=,iv:zS3m3pRnYdlaQ3MAJR11hljNf7kqM8fz1yx9pfnmIe8=,tag:l+dSfGV1AmvaRBHogYZk3A==,type:str]
+OPENVPN_PASSWORD=ENC[AES256_GCM,data:0fnjaHdfHDmiOOXg0uZhk1lPTs84GFK/Va9PGnD8i2Y=,iv:GmhmknF0iG9q13XRLyq6ePtUdL/PzBMQi8XGEKWHuV4=,tag:/BTJpz/I9qdY1nJaWud9Yg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBN0lyTGFk\nZC9jZ0FTaGc4cmdJYXlzd1Z3US9iMnhhYzM4Umc1ZkZ2Rmt1TwphdUhxWStDdWl5\nNitnME9JSEFzWGdKRTlUdEVmeWJYUXJ0TWt3cEFCN1dnCi0tLSBreW1XSDFIdmZL\naWNxQ2FFYk8rU0N4R2ZoQmdVUXlKQ1dMV2xFcmNUYWFNCsDqGgYvv2aTQAGLh9pv\n7X98iUcgOzLzsLnRpOiN77Bt9MnCBs6F3M+TgIP/hKdACsJz3q1Qoi1AsQCtqQhl\nkA4=\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZUo1UjFGbHo3UjlUOHlt\nQ1VHRjBNTjJjb1U4RXZHcnpKVWRoVTZveVdjCnZZNUIxK0hyOGl3OHBma05lU1Ir\nY3grVTdHMUp1cUZoZDVseWhDYU0rQWMKLS0tIFYrTFpoaGJET216dms0M0IrdU44\nMStUcTJzbmp1S0VwUyt5MjVTSE1QbEkKrTWRGYyPgnBZavXg5yQqi9ld2wsLW5ki\n92aKUZFOOs1leJrNAz+lJVExL1EiMWsE6FsZZjN7w/oAzISA6EdvqQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUjNTdU1XaHcyNWFmV1py\nd2tFeHdqMEJNalpNeXlHU0tMNTE3UWFIdlNRCmhNWDBIWjhYQWtIMUI2V1ZFeDVE\nY0ZILzlHYnAvRlZBWnpUY1pic1RBN3MKLS0tIFVQajlpY1FWUjZteTlpZE9YZkVs\ncHdXUE1sb3lsMDA5TlN6dHR1Nk4rMDQKhvfWogysSIBPrEAX2yQQjB40lE3abPtI\n4DKl90WKufpR/vVGPioTQkZN8NnXDpB/r29WHM0pjV9+2iQa/zHsjA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+sops_lastmodified=2026-01-28T12:21:41Z
+sops_mac=ENC[AES256_GCM,data:cfsq2NkLUkGehYvdUZuljE4UnVNs81SRFn+F02W0va38EPZputP40ALk3rCDg3t9l8EtVQzqh/MT40xZgLVUTJNJDhbzxKcAPM6hqCEWAaITZfDqace2XoPqlnw4WqLg1OD8CwLMQA4Insob37HKJj+Vk10ev56qJhQrB1rrDpQ=,iv:0QiWC9auK412G4SFwNr2tjzPHKrba+7ZPL5epwrVivw=,tag:fPSetTZ3ax5iCPhWvP58eQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
--- a/secrets/hetzner.env
+++ b/secrets/hetzner.env
@ -0,0 +1,12 @@
+USER=ENC[AES256_GCM,data:oHuOPKkNXQ==,iv:dLtmqNIswKrhyTRkI2R9Y2yqsdL5fRxxzhvn4CHWZIY=,tag:FuK4FLk8JQFYS5zDt8MSOw==,type:str]
+PASSWD=ENC[AES256_GCM,data:325dtEyGtdPFB87fDZeDhA==,iv:Wqpec+WnjNqyii/NzK2zcx05/9NWatpQnKnqxYRWuM4=,tag:HKiffdbZ8NnOvymyVcvlgg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBd3dZRm5p\nNGFSOExRRHBxanZjZFI1MEtGYVEvNDlucDNRQ3MyVjFrald4MwppcGRLa1BjSWRE\nemVZVGlYNElSSEFsTFJMWkdrRy9nNFMxdUtWUUJlQ3FFCi0tLSAwTUFtQkVxNGVa\nb2xlZVhzTWE3QXNTYlRlQStodFpXUWNEVU4wbE9UR0xrCsH58NmBHr4myvf9QjeG\nmzm1I5xJfIeHIBMERtcQyRlHhRzcOtHQ5kvlitng9oCaxmlbkBj41YqQHnJrdb6G\nS+c=\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TllzU2RpZHkrdmVCYXVu\nVWI5NXExajRxZFlVeG14cUE4QnRrRTZQWVNRCmlBNWxDOC8rekRRd2tFaDlOaC8z\nSXROdlF6ZnNXNkFIWFNaTW5NbVdMQ1EKLS0tIDFia1ZtZTZpN241cHhsMTBmSlRO\na2FwZjIwUW03SysxWGEySEtkOE5adzQKtbOlmgsNLpw/v0xQGYO++2I/jvFpKq9M\nKkYRbx6DpxAGjOGjE9MbcGABaQOY2Q9Jmx8exoUzK1dnpLWSyfwAhg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGU1JydjBTYnJpSmVxeVBa\nMUlSeGQ1YjVMYVVMdU9TekI1Q1F1V3VOSlNvCk03czE5bjZyT3RNK3RLNjdYbFdZ\neE94UmFJMEpxanN5OVk4RExUclU2RU0KLS0tIGpEeHJyMFRoSmY3V2RjUkVDblNJ\ndWFzbWRZclp4Q3BSY0thNFlYbHJoRGcKxpNqauGsxCSfa7qkRj5eum5h7HkAQMRP\niGkm1UGwToB2AvfwiH5J/Wk0ppQfWph9yMlk11fXBFIBYH2ZpU855A==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+sops_lastmodified=2026-01-26T12:35:08Z
+sops_mac=ENC[AES256_GCM,data:OTcYnAlgD9RDnMvBqVMMKQXxeVhk6dzgBRBocctgNYHWl9b5BNkViYNJqqUpU83fBOWLit7x5T5tK4sG++FjEsnuXjdMV4+/u3nODI3GNBxuIzn+v65wyagHnLwqWZiORKOfx6301m+kqDunO1lExnSMsSfno3vUbnhaUisRuls=,iv:6pIr8ud2WPyF7D/YeewnDzPT0csoXC1IQlsNTknjly8=,tag:0hjDU8uMgzuQ7cRtdq7btA==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
--- a/secrets/hurricane-tokens.env
+++ b/secrets/hurricane-tokens.env
@ -0,0 +1,11 @@
+HURRICANE_TOKENS=ENC[AES256_GCM,data:wUBal5xSVjfe81pY3nw6WXNah8sGEiWmLz6FLk5Elan4JgPw70Q3+SiKlyo6IsyIMQ1GTgIkRu5wP8ijZV4sEi1emZzE0qPxYx8=,iv:ZJLRj0zFBfg0va+MC4OMUESXBEYw7tGZjBLWw/buRek=,tag:A0507C0hZ10wiMK8S7eALw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBbGRTeXdh\nY2RLaXAvVTJwbGhMWFFCNjVUR0VCeDNHS28xVXFobjViWXJlSApoZzNnMmdHdENh\nOXRVeWt0RmoyL0lEY0h5a2N2cG84emFOdlNkdkoybEdNCi0tLSBFQWtROUF6eExl\neTFDZUErc3lScjJXRFZINE8rTjE5NXVJd0ZDUGNwS1hBCjGca3mxgf3e+V3dHLfu\n3+lLIPUVhrSqdyvS3blaW7pNosjjgJIOme6C0iV78vB5qvnF1U1W3DhKEfQaYRm0\n2PU=\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWkZpaUJXZXlOZ3UydUF0\nTUZCRFhxcG9ndXFrc3J5U2VGRkZDT2tLSlZvCmN6Z3pQS29iamZIS2ZpbkI3c1M0\nMmZwbEhsSDY0VjNKeXkrZ2U5b3l4NFEKLS0tIG9jbUprMDF6ekE2ZVFCWEJ4SDkz\nNkpKeThmS0RiNG42bko5N0ZDT0JmVTQKDmiaRvZzTEP+FV5Cu0wdAq72ZTLO70nA\nCgcxktWG3vOW1tjcc2brMICiCBC1wKPg6AAxQTU7txGjWm1MA7cjPg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSFpwSEJheWo0RE5EZVVT\nNjAvd1l1WEwySkpNVzF0N2ZFVHhjZ0NoT2xZCjB6NWFWMytwNk4zZjFEZXE5OVpW\nVytweEdoVkZVYzBabm9IeHFPZC9DU28KLS0tIGx0eW1KUmJkVkc4a3owTmxpMmVL\nRTdCMTdWZXFLUWZtTUoxdG8xTzNVaUkKNbcqCB/7wNXfbNLvKTJ2XwHZmgAqVdbB\nLxSkLWp5ecdKfa1eK1I/NcWT2p6P9dWjRqYF1VzAxN51vv4FJ0ljUg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+sops_lastmodified=2026-01-21T15:46:31Z
+sops_mac=ENC[AES256_GCM,data:ZPwm9aNsY0m95Db2BiwFTsybthS2SZPdS37uesTZEX77gnBt79UE55z3kaP66a5F2PUiUuEBMDC+Rl44qSOL67fWbUqmFPKQMz4U463oerAvCB9K5W9ZZai+EC9cia073ScmrC+4xrJ2OrIYqxA+WoKz+oUXU7SkDUy9Zll2eJw=,iv:du+q9lOlAySVWf8BbFPBydYL9geuPjOvRVmpq8E7whM=,tag:V2A+V35LCmfMHRT7wXgGzA==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
--- a/secrets/jellyfin-exporter.env
+++ b/secrets/jellyfin-exporter.env
@ -0,0 +1,11 @@
+JELLYFIN_TOKEN=ENC[AES256_GCM,data:kgmwncy5qY+twVSaRoox4jJBFJMsyjszzTIu2Kw/ZMQ=,iv:jb1fmXurYQ6rtmFfnIP3ogG6J460ZWMCy2W82alW1MA=,tag:eE5CZAWns0r+jyB4IMJwOg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBK0MvZHY2\nd2RMalE3Z3BYM2FxdHZaZXdDNXpEWUV4OFRqT01yc0htQUVYbgpneUh3M2xWNS8x\nT2FCQytLZEJXYjJpZEIza0xiNWs0ZzBwbWhqVHVWU2tvCi0tLSBWdGZxK1RZZmEw\nL1NJOHJpZG4vS29UTVBDcXcwek41bW83WGFka3dwRmlzCqzxY9vWt8VYLi8JmO+p\nrspbb9hw+oNNw9wdn5THamhbV4DK8WRxTveS2uWqxQ8k5+jY19necfEsMFkKIVrZ\nhWY=\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBITURBU1Z1ZVNQSC9KcFdG\nazdoVWpLSUczN283SFE2Qy9Ua29nSGp0dkFrCk45TnBFMmtSWG1ROEpLcFFqVm03\nTHo0WG0wYVllczBpNnoxTkpSNWpNblEKLS0tIEdwbnBLVHlrT0VIOUx0VUQ5SDht\nU283U2d6SkEzeEFSUEtrdGgyM1dGSzQKywaFsova8F2h2+5ZnO0UGi4hYQW0F0sb\n/51wf7zM+9OR4REh1zx9jREgjmYLv3y17t82zFhXp9UIhKhtou5Tpg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM1NTbHJtS25oQWpsNXNy\naUljQnU4N2s1WlN2aXBpY3I4TWxsWFBXRUFFCk11QTRaVmk0RllROXN6WEdvaStO\nN3VuYUJWVnFlampYeFpGR2hNYm1CelkKLS0tIEZ3czh1RUxhRE9MdnRsbXIzNDZl\naHNKbGx2RGdtZ0NkL2xMeHhRRDVUK1UKpp88f8DY5Dy++OL6m+MSb4TOuJZg4iTn\ndzQxTkgYoH3wyRxG4xzcylQjZ4YHgCNkem00B2+UwtXPgqug6d37Ww==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+sops_lastmodified=2026-01-30T13:09:12Z
+sops_mac=ENC[AES256_GCM,data:Ux9+Hc0bGvu3M24VHnHeEjGG9zrxVe9zoWrQuDuafTbvQLd7xUCtTHwEuQtqMVMYH2iegInJoJbXlQfFdW7vQ5sZx/zU2qk8uZDO6EutaWde8W29PXlPP4NaVuNOJQJmhLxEDH3RjY38MVH3o8ZvV0e+Fa4Str8o6toU1SZGQAs=,iv:XEainseudNbPqv9fecTclMMLcMVD5mOEempOWrh7SP0=,tag:S9G1HG0SSJjDJhq7r6r+LA==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
--- a/secrets/mc-status-bot.env
+++ b/secrets/mc-status-bot.env
@ -0,0 +1,14 @@
+MATRIX_PROVIDER=ENC[AES256_GCM,data:w9e4AVywyz5giGv6bI0+FxZL2w17aZf+Y3BUiA==,iv:NDFxHRu0JjVYszRQjMru+pZbqOaCk9GNPu/OHyZLZsA=,tag:edY1V+z6oOr5caLYDJTAeQ==,type:str]
+MATRIX_ACCESS_TOKEN=ENC[AES256_GCM,data:POqd/0mHLn+lWGpISwTsqSTZ8QWMPL6hm095+hoTgGUXdReoUbVTSmk4IWTIflaOJQ==,iv:dMbxqDjXMIRRM/egVrywPC8HclnSc+Ukm4EkdztarfA=,tag:yJdrycQ+3GzsWYJvXVOhyQ==,type:str]
+MATRIX_ROOM_ID=ENC[AES256_GCM,data:7fTgkDxadXxOi/nJAEtMWghwJoPflTxgOSyLL6d4l7dy9xWCHaI=,iv:MAyCZbBxTj2v/j9Q+/7d/FqMLYk6tPYy+5EqZpB9h6k=,tag:0E79zEFKm31YrWjCpmiaLQ==,type:str]
+SERVER_ADDRESS=ENC[AES256_GCM,data:wVuImYmCmG55nnPhKKX7ubpzYq0k,iv:PFYhzPR0f3k1ZVOlYMxMKYCJh3Oo42RXSRv2VvLnx7g=,tag:pFdGL0mckAg0N/IJz0n6/w==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBeE1jeXBQ\ncVMvM0dCVGdacEpvempETGtoelUzNHovWW9UalMveGNzZlBTVwpqQ29EWVdKNldM\nRnlhNTh3NHppNER0dG5KL3FLd3dlakZIZkJzMXhwTGxNCi0tLSB1cWgyMzZ5SXY1\nZG9FNUlJQk9uaWxRb2w2dnl1SFNZYkVEZ0lYdmlubzBnCjQwFtsRwjsX+9b5VXoR\nu3/ZIfJpIZkYf8c5Ob/m8HyNSL9oPrNuMiksxf4IriXkfSbd+w6hvBY6breG2YIj\n8xM=\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnaFRFZmVBeHhWOERmTjY2\nR2Y1NWVIanh6S2F5N2ExU1dIa0htYXBjRXpnCllLTFJVZ09PdktyNU4velNZeUU3\nV1A2ZkFnckRVOEFTSXFFdUdWbStEcTQKLS0tIGM4MUh5d0NzRVd0ZSsrZXA3ZkRB\ndHlyWkRvaHhIL3JkUUJnU1ZJY2tvNGMKPcjIbW2sNIuDrewO9svoHGJWizB4sp/w\nBzYZbGwIfKdbPHvSyveOd7r19EgW32CaczepCkayiPbGXjgZvjKyVQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6S3lFNDFhZjdXZXJXYkZP\nclFBMEdZU09QdGQwYjhzekxVNnFRY1BCM2hzCisySkdBUWp2OXBmRWNBTXdydmo1\nWjBabG1IR1l4ZUVJNEpQY3BleWg0TTgKLS0tIHZhT2ZEenJsbkpYSE9IeXloOUtN\nM3VLZmpTc1d3d2hyd1VGY3JkVzhpRzQKsGIQlZQ8SUzTXUoVQFXWROKhDhMnO9E3\nrNXMOgaBgKtBX/heASJz+c+v+LJA6LEXUD8QHpJtfwwaYccLf9Xz5g==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+sops_lastmodified=2026-02-02T17:00:58Z
+sops_mac=ENC[AES256_GCM,data:HarL1bLMnY+wnEA8iBwuRcGZrNUlopfYVEd99rFHk7ftKnFo4ipPsnshlE8bLqu5Jghp/+n5YYLkAC4vkIAUvbLj+yWQf1ImoJlGg4HvoIyNUbA1xCNlFjH5Y151h8jWLpYoemQpvQThC6hmNZkNR/bewUGvaL644OCJpDTqyzw=,iv:MSJI8Q4P3AI4XNrsPIao9jsf7f85A9ubxy0KmdPoKh0=,tag:4ri2+WTvseqNcVDTB15mFg==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
--- a/secrets/nyandroid-token.env
+++ b/secrets/nyandroid-token.env
@ -0,0 +1,11 @@
+NYANDROID_TOKEN=ENC[AES256_GCM,data:La7tY2dCZfXaxxo3RH3rghGJ244Gc2txt6Ja6lHbxNDJFpbAv01Evx+J3KFEs0EYMjclWWFOV3SZLy8=,iv:iLSQGVUKWwe3PMdkfuY3yVk0Z32AONJDZZXdl6G+hFU=,tag:YhJEZDqgJtD4lyVZmSEnDA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBbmJzMTgw\nWjMzci9YaWhRejh5RTRLUXE5b0tkem9aT09nTWFMUXVyY3lySgo1cjZySTlvSG5G\nQnRQSXlYd2hyRGgxN0wrUzF0cG9MaG9COTM4dElFMFBrCi0tLSB2M1RUeWNHanN0\nNEVMYk04S0xjODAxbVhRU2JJWGFBTWRoMFRjMDZuZXZzCvEF4C5VB+G3ITku+e65\ncal5hgGMjvX9M9PZ4t1VvLo9i/4LZyAgmn2Jb4G9H3wBrA4uak+sB5uVG8hu+4Ru\nfHg=\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjNWxaQUcyNGFzcTdwYklP\nRmVzc2xUVXNOOUxwc3JrRGxVNW1qb0FncXc4CkZuL1hOS0dVa053NVRJZDBXYkND\nZ1FQYkVkRmNNdERwWW9taHZPYkxBVDQKLS0tIDFlZjMwZk1BN2N3MGhzcnExVy93\nTU5WSWJLZjFoM25JcUFaQkduTmFjU1EKEsNlMgtF3i6qD1WNaiCTu/tnvOrsAVZn\n+Mq8hb/WRJryUdBNDhnM5Acps2EUU9pm9LarU0XLYBRodw2fnvzrVQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUnhXYWIxeFlUQlRkVmFk\ndUREdkgrWG9PK1UvUFBpeS9KSlNqVHNVOEJvCmdKZUdGVVgveEtxdUdIZFBlaTNB\nSmc5aFRtZnc2dFhwcTlTUTA0WE1TMTgKLS0tIG9LYS9SWk51ZysyOGlvVUNsVzJw\nWUV6ZTMzM1BCbW0rMlIxQUFNbXFuZVEKWHG457bR2rEZ0EZV+IdSFVdN/4Zx+VOQ\n/EvoN2qcSk3FNIT+PaXnxIiCSpepZYfJMyFlHAeEi+EaazSwZ7p9qA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+sops_lastmodified=2026-02-02T16:58:30Z
+sops_mac=ENC[AES256_GCM,data:lHDUN2Ndk6cFcMcFvtxCVCAuQNiMQPk4rxI9Nh8vAlzHhdCdgvYquI9EPn7dtMhRHDPE3t7dj/6qVMvUDHLTJtcn2xXkvBi9ZfgUY3Halu2Ib/Fux0faGE5DdKOfOHbQGS6CHM+MUuK6LL/LWN2+c6zIW8cO0VI2t537ry0jq7o=,iv:04gwhK+6gKz5j/JUPLYfNszpWnTK/HZs8zSi9BAvqc0=,tag:5zaCYPJdWQRdaXTRv4Go8A==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,38 @@
+gocryptfs-pass: ENC[AES256_GCM,data:9kNFGfTBdOGoXDfSQmnrkihnXmF2Qx0U,iv:lzPqXHbniTsltqWAsCaYgrS4UyZAskEX/nm6/IsbZ2k=,tag:kaou32kM5YCqoOHDQWT2Ow==,type:str]
+restic-pass: ENC[AES256_GCM,data:URCa2YXY103XnZmyY0Wp5RrzHPj5MvCvDcRurtfDPMU=,iv:0XvodvaSV3AkbDnXqHhRbvt1IcB0goeQBClwwzdxH7Q=,tag:huH+5YPARPAueMNmzI3Aig==,type:str]
+create-ap-pass: ENC[AES256_GCM,data:iIq0ZUCWKYKZWNmvTjon0D8HkzxL9iqX5rJj6VBkkwI=,iv:KGkYVwErmb5ra+HTv6MAgOW0Fs8vWx/Kz8PWD4Xx9I8=,tag:GOtcKfSe+61SGoh1PRGNWg==,type:str]
+qbittorrent-pass: ENC[AES256_GCM,data:J5m9y2pX5oI6ziIkhlMXXgszDum+rfQFfAQoImawW48=,iv:FqOYreDUX0CATPugra/dTlx2yMS4UMN0o8NesueRu3k=,tag:neKoHJhwdUdl/2mJKWkslg==,type:str]
+sops:
+    age:
+        - recipient: age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBcnY1MnB3
+            VzY2KzkxcE5OT2FMMTM5TTgzeERTS2U2VTJqZE8vYTNiQnJKTApvN2o1Uk9VRHQy
+            L1ROby9XSkFnTUxmUFhKNkJKVXFibndBSnNIRytIU1BzCi0tLSBCZExiWXJUSE44
+            ZDh0UmowV2g3T0pUVGt1NnozNTV1ZDc4YkQ1K1hQVkFzChq8BRi5mt5nRcD/ZF+F
+            YsmVYHxxL573oJD06MvSFpT26dNEUaqWblUP1NnI26Qa2b/K6n8eWR6ADqW0nPIl
+            7uI=
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYVNuZzJmYWVNTlhveE5l
+            U3VuUnRVd0NYMEkvTG1QR0pTREZHT21lSGprClBQaUhMSWJpakwyWVprcXZsSGU1
+            d0tLblZYS1g2KzhLaXQzaHhIeUs3dEEKLS0tIEVYWWg3RWM0UFJScU85NG9kN3ZG
+            c2RGbkpCa3g3N2Jock5vellXZEpldXcKowC4myqPJsS2dweypyWvol6o3WsAW9qD
+            6NfVtXdj52+Whr+/tHUJ1J2mkKZonSCfbpmKh/JYOINln6xgnDtbIw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRjAybHJDMEQ3TXpkSnlC
+            NkhlTVRFdzJxaHdDeWNCOHpZUWtXMy80cFdNCjZDRC9OR0xnOS91QjdYMXFuRE10
+            ZUtpQjRaeVhodFdTcWp0WmVBa1lpbVEKLS0tIEtmWUxiZDJ0djl0Tk9YbVlLcUZN
+            RGtjY1V6U2tla3ZaS09haXYrYUNrVDgK0e3UVPshSTB7kwYzm4uVUDif2PwiIGg4
+            Qb4P3L13Lg6tT0a1SBEs2gedbNVcWyA0YgGTWouWvZIhBmSCOvHYVQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-30T13:08:33Z"
+    mac: ENC[AES256_GCM,data:uLkpRbQSwRY9JWXMeoTspoZHKyCaIwkCYzUE+R3Uwooft2VuvaPOQ+n9R9XpK4QWWKGQ86iRSBAhqX0Zc0xuvtMDZBIdjI1968U5JFSQoRI5Y68byQw+AayI+j/wrC4K/OPly/ain0soiHbtBh8WmHpSVGk+gVSrnHNgeLXMtxw=,iv:BVOYNlLGqTNRQB134ETNsLmkHO7eSiVimAqF2fHoC2Y=,tag:bqYoeCmGtzwL33BK6Q+U8w==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
Author	SHA1	Message	Date
Agatha Lovelace	8c977f4fd5	Configure monitoring	2026-02-03 13:30:01 +01:00
Agatha Lovelace	d69cfbeec3	Refactor headscale config	2026-02-03 13:30:00 +01:00
Agatha Lovelace	9bf01ad200	Rework torrent setup	2026-02-03 13:29:59 +01:00
Agatha Lovelace	13370f1548	Redeploy pastebin	2026-02-03 13:29:57 +01:00
Agatha Lovelace	64c6767312	Cleanup	2026-02-03 13:29:56 +01:00
Agatha Lovelace	6b83785444	Migrate synchronicity to an x86 server	2026-02-03 13:29:55 +01:00
Agatha Lovelace	5daa522e05	jj gaming	2026-02-03 13:29:53 +01:00
Agatha Lovelace	f9e8813a1c	Replace Colmena with nh	2026-02-03 13:29:51 +01:00