From 87d98e841040e8e3a31d4d4ec836fee8cf87d66e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Thu, 12 Dec 2024 11:13:29 +0100 Subject: [PATCH 01/13] Update flake --- flake.lock | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/flake.lock b/flake.lock index 0c8c90f..e91b1a1 100644 --- a/flake.lock +++ b/flake.lock @@ -58,11 +58,11 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1732215451, - "narHash": "sha256-P2VVlzRGKBNsiHsN1yMZcSMXpwtIx9ysMFZAqKFJ14o=", + "lastModified": 1733851514, + "narHash": "sha256-fQt/HzF+OBC8xLRYeHiYLSEzjrgOLNWhyd102aY2oLU=", "owner": "nix-community", "repo": "authentik-nix", - "rev": "9d9c0a3a94a91cfed654a18239e27cf56970daa4", + "rev": "b059e1d6e7a94bbeabb4e87d47b5f5097fd61823", "type": "github" }, "original": { @@ -74,16 +74,16 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1732213300, - "narHash": "sha256-4Pv35cnZGiTxe6j2O0F9L9sHzxVIC1SazeAUD5kWeBs=", + "lastModified": 1733849292, + "narHash": "sha256-gJYgrRxytoGHkjeEsiKY/tl06D8XOnZZ9SDpK1WSyUw=", "owner": "goauthentik", "repo": "authentik", - "rev": "527e584699abc93712114b05f70f59c5187caa66", + "rev": "0edd7531a152910e6bdd4f7d3d0cde3ed5fdd956", "type": "github" }, "original": { "owner": "goauthentik", - "ref": "version/2024.10.4", + "ref": "version/2024.10.5", "repo": "authentik", "type": "github" } @@ -204,11 +204,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { 
@@ -269,11 +269,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1732633513, - "narHash": "sha256-6LmtOmeDpv9iHS8l0GNcppP11dKIJFMZLdFyxQ+qQBM=", + "lastModified": 1733868086, + "narHash": "sha256-CeYsC8J2dNiV2FCQOxK1oZ/jNpOF2io7aCEFHmfi95U=", "owner": "astro", "repo": "microvm.nix", - "rev": "093ef734d3c37669860043a87dbf1c09fc6f5b38", + "rev": "870cb181719aa12baf478d7cde6068ec7ed144ae", "type": "github" }, "original": { @@ -376,11 +376,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1732749044, - "narHash": "sha256-T38FQOg0BV5M8FN1712fovzNakSOENEYs+CSkg31C9Y=", + "lastModified": 1733730953, + "narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0c5b4ecbed5b155b705336aa96d878e55acd8685", + "rev": "7109b680d161993918b0a126f38bc39763e5a709", "type": "github" }, "original": { @@ -454,11 +454,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1729945407, - "narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=", + "lastModified": 1733308308, + "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=", "ref": "refs/heads/main", - "rev": "f1d94ee7029af18637dbd5fdf4749621533693fa", - "revCount": 764, + "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2", + "revCount": 792, "type": "git", "url": "https://spectrum-os.org/git/spectrum" }, From 93b85f705f05634a3334ba8fcbbbacfaaca7db29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Thu, 12 Dec 2024 11:14:01 +0100 Subject: [PATCH 02/13] Better proxmox LXC declaration --- services/minimalConfig/default.nix | 4 ++-- services/minimalConfig/lxc.nix | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix index 5ee889f..8eb1549 100644 --- a/services/minimalConfig/default.nix +++ b/services/minimalConfig/default.nix 
@@ -24,8 +24,8 @@ nix.gc = { automatic = true; - dates = "weekly"; - options = "--delete-older-than 7d"; + dates = "daily"; + options = "--delete-old"; }; security.sudo.wheelNeedsPassword = false; diff --git a/services/minimalConfig/lxc.nix b/services/minimalConfig/lxc.nix index f7ad202..c7d9954 100644 --- a/services/minimalConfig/lxc.nix +++ b/services/minimalConfig/lxc.nix @@ -7,6 +7,13 @@ in enable = lib.mkEnableOption "Enable LXC container config"; }; config = lib.mkIf cfg.enable { + boot.isContainer = true; + proxmoxLXC = { + enable = true; + privileged = false; + manageNetwork = true; + manageHostName = true; + }; systemd.suppressedSystemUnits = [ "dev-mqueue.mount" "sys-kernel-debug.mount" From 44655068b8a3342e41dc3ab3a77acfb2aff19cb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Thu, 12 Dec 2024 11:32:58 +0100 Subject: [PATCH 03/13] Better proxmox LXC declaration --- flake.nix | 3 +++ services/minimalConfig/lxc.nix | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index c6e9ece..3d2bc1c 100644 --- a/flake.nix +++ b/flake.nix @@ -75,6 +75,7 @@ modules = [ agenix.nixosModules.default microvm.nixosModules.microvm + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/systems" "${inputs.self}/services" { @@ -133,6 +134,7 @@ modules = [ agenix.nixosModules.default microvm.nixosModules.microvm + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/systems" "${inputs.self}/services" { @@ -158,6 +160,7 @@ modules = [ agenix.nixosModules.default inputs.authentik-nix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" { services.authentik = { enable = true; diff --git a/services/minimalConfig/lxc.nix b/services/minimalConfig/lxc.nix index c7d9954..acafe8d 100644 --- a/services/minimalConfig/lxc.nix +++ b/services/minimalConfig/lxc.nix 
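Review bot: The new `nix.gc` settings (`dates = "daily"` with `options = "--delete-old"`) delete every non-current system generation each day, which removes the rollback target a broken deploy would otherwise fall back to; the previous `--delete-older-than 7d` kept a window, `--delete-old` keeps none. On key-only SSH hosts a retained generation is the cheapest recovery when a config push breaks sshd or the firewall. Consider `options = "--delete-older-than 3d";` (or similar) to keep daily collection while retaining a few generations.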
@@ -11,8 +11,8 @@ in proxmoxLXC = { enable = true; privileged = false; - manageNetwork = true; - manageHostName = true; + manageNetwork = false; + manageHostName = false; }; systemd.suppressedSystemUnits = [ "dev-mqueue.mount" From d48bfa332c0ce12dcff8184a8f6c3d64cedeba46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Thu, 12 Dec 2024 11:54:49 +0100 Subject: [PATCH 04/13] Separate LXC, VM and microvm configs (it's getting ugly, need to tidy things up soon) --- flake.nix | 7 +------ services/minimalConfig/default.nix | 5 ++++- services/minimalConfig/vm.nix | 12 ++++++++++++ systems/microvm.nix | 4 ++-- 4 files changed, 19 insertions(+), 9 deletions(-) create mode 100644 services/minimalConfig/vm.nix diff --git a/flake.nix b/flake.nix index 3d2bc1c..8844cde 100644 --- a/flake.nix +++ b/flake.nix @@ -84,11 +84,6 @@ }; services.vm = { enable = true; - hostname = "jellyfin"; - vm_ip = "192.168.1.42"; - vm_cpu = 4; - vm_mem = 8192; - macAddr = "02:00:00:00:00:42"; }; } ]; @@ -144,7 +139,7 @@ proxy_ip = proxy_host; pgsql_ip = pgsql_host; }; - services.vm = { + services.micro_vm = { enable = true; hostname = "grafana"; vm_ip = "192.168.1.20"; diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix index 8eb1549..fd83cb6 100644 --- a/services/minimalConfig/default.nix +++ b/services/minimalConfig/default.nix @@ -1,7 +1,10 @@ { config, pkgs, lib, inputs, modulesPath, ... }: { - imports = [ ./lxc.nix ]; + imports = [ + ./lxc.nix + ./vm.nix + ]; nix = { settings.experimental-features = [ "nix-command" "flakes" ]; diff --git a/services/minimalConfig/vm.nix b/services/minimalConfig/vm.nix new file mode 100644 index 0000000..96c3ff3 --- /dev/null +++ b/services/minimalConfig/vm.nix 
@@ -0,0 +1,12 @@ +{lib, config, modulesPath, ...}: +let + cfg = config.services.vm; +in +{ + options.services.vm = { + enable = lib.mkEnableOption "Enable LXC container config"; + }; + config = lib.mkIf cfg.enable { + services.cloud-init.network.enable = true; + }; +} diff --git a/systems/microvm.nix b/systems/microvm.nix index d7ef82a..5fd71c7 100644 --- a/systems/microvm.nix +++ b/systems/microvm.nix @@ -1,9 +1,9 @@ { inputs, lib, config, microvm, ... }: let - cfg = config.services.vm; + cfg = config.services.micro_vm; in { - options.services.vm = { + options.services.micro_vm = { enable = lib.mkEnableOption "Enable NixOS microvm config"; hostname = lib.mkOption { type = lib.types.str; From 8aab61936f29c579691696955fb44b6908e6fb75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Thu, 12 Dec 2024 17:19:28 +0100 Subject: [PATCH 05/13] Separate minimal configs --- systems/default.nix | 6 - systems/microvm.nix | 78 ------------- systems/minimalLXCConfig.nix | 132 +++++++++++++++++++++ systems/minimalMicrovmConfig.nix | 195 +++++++++++++++++++++++++++++++ systems/minimalVMConfig.nix | 120 +++++++++++++++++++ 5 files changed, 447 insertions(+), 84 deletions(-) delete mode 100644 systems/default.nix delete mode 100644 systems/microvm.nix create mode 100644 systems/minimalLXCConfig.nix create mode 100644 systems/minimalMicrovmConfig.nix create mode 100644 systems/minimalVMConfig.nix diff --git a/systems/default.nix b/systems/default.nix deleted file mode 100644 index 1c27987..0000000 --- a/systems/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ inputs, ... }: -{ - imports = [ - ./microvm.nix - ]; -} diff --git a/systems/microvm.nix b/systems/microvm.nix deleted file mode 100644 index 5fd71c7..0000000 --- a/systems/microvm.nix +++ /dev/null 
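Review bot: `services.cloud-init.network.enable = true` is the only setting in this module and nothing here sets `services.cloud-init.enable`; as far as I recall the nixpkgs module only acts on the `network` sub-option when cloud-init itself is enabled, so this may be a no-op — please verify on a built VM. The enable option's description is also copied from the LXC module (`"Enable LXC container config"`); suggest `enable = lib.mkEnableOption "Enable Proxmox VM (cloud-init) config";`. If cloud-init is meant to provision users or SSH keys from the Proxmox datasource, a comment saying so would help, since that overlaps with the authorized keys baked into the system config.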
@@ -1,78 +0,0 @@ -{ inputs, lib, config, microvm, ... }: -let - cfg = config.services.micro_vm; -in -{ - options.services.micro_vm = { - enable = lib.mkEnableOption "Enable NixOS microvm config"; - hostname = lib.mkOption { - type = lib.types.str; - description = "The VM hostname"; - }; - vm_ip = lib.mkOption { - type = lib.types.str; - description = "The VM IP address"; - }; - macAddr = lib.mkOption { - type = lib.types.str; - description = "The VM MAC Address"; - }; - vm_mem = lib.mkOption { - type = lib.types.int; - description = "The VM memory count"; - default = 0; - }; - vm_cpu = lib.mkOption { - type = lib.types.int; - description = "The VM CPU count"; - default = 1; - }; - }; - config = lib.mkIf cfg.enable { - microvm = { - vcpu = cfg.vm_cpu; - balloonMem = cfg.vm_mem; - volumes = [ - { - mountPoint = "/var"; - image = "/var/lib/microvms/${cfg.hostname}/var.img"; - size = 8192; - } - ]; - shares = [ - { - proto = "virtiofs"; - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - { - proto = "virtiofs"; - tag = "${cfg.hostname}-env"; - source = "/var/lib/microvms/${cfg.hostname}/env"; - mountPoint = "/run/secrets/${cfg.hostname}"; - } - ]; - interfaces = [ { - type = "tap"; - id = "vm-${cfg.hostname}"; - mac = "${cfg.macAddr}"; - } ]; - - hypervisor = "qemu"; - socket = "control.socket"; - }; - systemd.network.enable = true; - - systemd.network.networks."20-lan" = { - matchConfig.Type = "ether"; - networkConfig = { - Address = ["${cfg.vm_ip}/24"]; - Gateway = "192.168.1.254"; - DNS = ["192.168.1.254"]; - IPv6AcceptRA = true; - DHCP = "no"; - }; - }; - }; -} diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix new file mode 100644 index 0000000..cc45864 --- /dev/null +++ b/systems/minimalLXCConfig.nix 
@@ -0,0 +1,132 @@ +{ config, pkgs, lib, inputs, modulesPath, ... }: +{ + + nix = { + settings.experimental-features = [ "nix-command" "flakes" ]; + settings.trusted-users = [ "root" "@wheel" ]; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ 22 9002 ]; + }; + }; + + boot.isContainer = true; + proxmoxLXC = { + enable = true; + privileged = false; + manageNetwork = false; + manageHostName = false; + }; + systemd.suppressedSystemUnits = [ + "dev-mqueue.mount" + "sys-kernel-debug.mount" + "sys-fs-fuse-connections.mount" + ]; + + time.timeZone = "Europe/Paris"; + console.keyMap = "fr"; + i18n.defaultLocale = "fr_FR.UTF-8"; + environment.sessionVariables = rec { + TERM = "xterm-256color"; + }; + + nix.gc = { + automatic = true; + dates = "daily"; + options = "--delete-old"; + }; + + security.sudo.wheelNeedsPassword = false; + users = { + users.tbarnouin = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + shell = pkgs.zsh; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr" + ]; + }; + users.root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + ]; + }; + }; + + programs = { + zsh = { + enable = true; + shellAliases = { + ll = "ls -l"; + lla = "ls -lah"; + }; + ohMyZsh = { + enable = true; + plugins = [ "git" ]; + theme = "bira"; + }; + }; + tmux = { + enable = true; + }; + }; + + nixpkgs.config.allowUnfree = true; + environment = { + localBinInPath = true; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; + + services = { + openssh = { + enable = true; + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + settings.PermitRootLogin = "prohibit-password"; + 
hostKeys = [ + { + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + fail2ban = { + enable = true; + }; + rsyslogd = { + enable = true; + extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; + }; + prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; + }; + }; + }; + }; + + system = { + stateVersion = "24.05"; + activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh"; + }; +} diff --git a/systems/minimalMicrovmConfig.nix b/systems/minimalMicrovmConfig.nix new file mode 100644 index 0000000..ce0ab8a --- /dev/null +++ b/systems/minimalMicrovmConfig.nix 
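Review bot: `services.rsyslogd.extraConfig = "*.*@192.168.1.27:514;..."` forwards every log line, including sshd and fail2ban auth events, over UDP in cleartext (`@` is UDP, `@@` is TCP), so an on-LAN attacker can read or drop the evidence of their own activity, and UDP also silently loses lines under load. At minimum use TCP, `*.*@@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format`, and consider RELP or TLS if the collector supports it. In the same file `networking.firewall.allowedTCPPorts = [ 22 9002 ]` exposes the node exporter to any source address; restricting 9002 to the Prometheus scraper (e.g. via `networking.firewall.extraInputRules` under nftables) is cheap. Note that both that firewall and fail2ban depend on netfilter working inside this unprivileged LXC (`privileged = false`), which is worth confirming on the Proxmox side.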
@@ -0,0 +1,195 @@ +{ config, pkgs, lib, inputs, modulesPath, microvm, ... }: +let + cfg = config.services.micro_vm; +in +{ + options.services.micro_vm = { + enable = lib.mkEnableOption "Enable NixOS microvm config"; + hostname = lib.mkOption { + type = lib.types.str; + description = "The VM hostname"; + }; + vm_ip = lib.mkOption { + type = lib.types.str; + description = "The VM IP address"; + }; + macAddr = lib.mkOption { + type = lib.types.str; + description = "The VM MAC Address"; + }; + vm_mem = lib.mkOption { + type = lib.types.int; + description = "The VM memory count"; + default = 0; + }; + vm_cpu = lib.mkOption { + type = lib.types.int; + description = "The VM CPU count"; + default = 1; + }; + }; + config = lib.mkIf cfg.enable { + microvm = { + vcpu = cfg.vm_cpu; + balloonMem = cfg.vm_mem; + volumes = [ + { + mountPoint = "/var"; + image = "/var/lib/microvms/${cfg.hostname}/var.img"; + size = 8192; + } + ]; + shares = [ + { + proto = "virtiofs"; + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + { + proto = "virtiofs"; + tag = "${cfg.hostname}-env"; + source = "/var/lib/microvms/${cfg.hostname}/env"; + mountPoint = "/run/secrets/${cfg.hostname}"; + } + ]; + interfaces = [ { + type = "tap"; + id = "vm-${cfg.hostname}"; + mac = "${cfg.macAddr}"; + } ]; + + hypervisor = "qemu"; + socket = "control.socket"; + }; + systemd.network.enable = true; + + systemd.network.networks."20-lan" = { + matchConfig.Type = "ether"; + networkConfig = { + Address = ["${cfg.vm_ip}/24"]; + Gateway = "192.168.1.254"; + DNS = ["192.168.1.254"]; + IPv6AcceptRA = true; + DHCP = "no"; + }; + }; + + nix = { + settings.experimental-features = [ "nix-command" "flakes" ]; + settings.trusted-users = [ "root" "@wheel" ]; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ 22 9002 ]; + }; + }; + + time.timeZone = "Europe/Paris"; + console.keyMap = "fr"; + i18n.defaultLocale = "fr_FR.UTF-8"; + environment.sessionVariables = rec { + TERM 
= "xterm-256color"; + }; + + nix.gc = { + automatic = true; + dates = "daily"; + options = "--delete-old"; + }; + + security.sudo.wheelNeedsPassword = false; + users = { + users.tbarnouin = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + shell = pkgs.zsh; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr" + ]; + }; + users.root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + ]; + }; + }; + + programs = { + zsh = { + enable = true; + shellAliases = { + ll = "ls -l"; + lla = "ls -lah"; + }; + ohMyZsh = { + enable = true; + plugins = [ "git" ]; + theme = "bira"; + }; + }; + tmux = { + enable = true; + }; + }; + + nixpkgs.config.allowUnfree = true; + environment = { + localBinInPath = true; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; + + services = { + openssh = { + enable = true; + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + settings.PermitRootLogin = "prohibit-password"; + hostKeys = [ + { + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + fail2ban = { + enable = true; + }; + rsyslogd = { + enable = true; + extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; + }; + prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; + }; + }; + }; + }; + + system = { + stateVersion = "24.05"; + activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh"; + }; + }; +} + diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix new file mode 100644 index 0000000..bb06f68 --- /dev/null +++ b/systems/minimalVMConfig.nix 
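Review bot: This baseline makes every holder of either listed SSH key root three ways at once: `users.root.openssh.authorizedKeys.keys` with `PermitRootLogin = "prohibit-password"`, `security.sudo.wheelNeedsPassword = false` for the `wheel` member, and `nix.settings.trusted-users = [ "root" "@wheel" ]` (trusted users can reach root through the nix daemon regardless of sudo). The second `tbarnouin` key carries no comment, so its origin and where it is stored cannot be audited from this file; add one (`... tbarnouin@<device>`). Since the VM already has a `wheel` user, the direct root key can be omitted so root is only reached via sudo and the journal shows who escalated. The same baseline is repeated verbatim in minimalLXCConfig.nix and minimalVMConfig.nix in this commit, so any change here has to be applied in all three.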
@@ -0,0 +1,120 @@ +{ config, pkgs, lib, inputs, modulesPath, ... }: +{ + + nix = { + settings.experimental-features = [ "nix-command" "flakes" ]; + settings.trusted-users = [ "root" "@wheel" ]; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ 22 9002 ]; + }; + }; + + time.timeZone = "Europe/Paris"; + console.keyMap = "fr"; + i18n.defaultLocale = "fr_FR.UTF-8"; + environment.sessionVariables = rec { + TERM = "xterm-256color"; + }; + + nix.gc = { + automatic = true; + dates = "daily"; + options = "--delete-old"; + }; + + security.sudo.wheelNeedsPassword = false; + users = { + users.tbarnouin = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + shell = pkgs.zsh; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr" + ]; + }; + users.root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + ]; + }; + }; + + programs = { + zsh = { + enable = true; + shellAliases = { + ll = "ls -l"; + lla = "ls -lah"; + }; + ohMyZsh = { + enable = true; + plugins = [ "git" ]; + theme = "bira"; + }; + }; + tmux = { + enable = true; + }; + }; + + nixpkgs.config.allowUnfree = true; + environment = { + localBinInPath = true; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; + + services = { + cloud-init.network.enable = true; + openssh = { + enable = true; + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + settings.PermitRootLogin = "prohibit-password"; + hostKeys = [ + { + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + fail2ban = { + enable = true; + }; + rsyslogd = { + enable = true; + extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; 
+ }; + prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; + }; + }; + }; + }; + + system = { + stateVersion = "24.05"; + activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh"; + }; +} From 4bd733777a65199372df0115fdf41c87c969e25c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 7 Jan 2025 13:38:19 +0100 Subject: [PATCH 06/13] Changes in flake --- flake.nix | 36 +++++++++++++++++------------------- services/default.nix | 1 - 2 files changed, 17 insertions(+), 20 deletions(-) diff --git a/flake.nix b/flake.nix index 8844cde..4659243 100644 --- a/flake.nix +++ b/flake.nix @@ -58,15 +58,23 @@ modules = [ agenix.nixosModules.default "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" { networking.hostName = "nginx"; services.vm_nginx = { enable = true; }; - services.lxc = { - enable = true; - }; + } + ]; + }; + template = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.self}/systems/minimalVMConfig.nix" + { + networking.hostName = "nixos"; } ]; }; @@ -75,16 +83,12 @@ modules = [ agenix.nixosModules.default microvm.nixosModules.microvm - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems" + "${inputs.self}/systems/minimalVMConfig.nix" "${inputs.self}/services" { services.vm_jellyfin = { enable = true; }; - services.vm = { - enable = true; - }; } ]; }; @@ -93,15 +97,13 @@ modules = [ agenix.nixosModules.default "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" { networking.hostName = "redis"; services.vm_redis = { enable = true; }; - services.lxc = { - enable = true; - }; } ]; }; 
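Review bot: `environment.systemPackages` installs `nmap` and `netcat-openbsd` into the base image of every VM, LXC and microvm built from these three files; they are the tools an attacker who lands on one host uses to scan and pivot, and none of the services need them. Keep them out of the baseline and use `nix shell nixpkgs#nmap` ad hoc when troubleshooting. More generally this file is a verbatim copy of the LXC and microvm baselines apart from `services.cloud-init.network.enable`; factoring the shared part (sshd settings, firewall, fail2ban, rsyslog, users) into one module would keep the hardening from drifting between the three.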
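Review bot: The new `template` system bakes the `tbarnouin` and root authorized keys and the host key path `/etc/ssh/ssh_host_ed25519_key` (via minimalVMConfig.nix) into an image that is presumably cloned. If the template is booted once before cloning, sshd generates that host key and every clone inherits it, so any clone can impersonate any other and host-key pinning on the admin side becomes meaningless; make sure clones regenerate it on first boot (cloud-init `ssh_deletekeys`, or delete `/etc/ssh/ssh_host_*` before converting to a template) and that `networking.hostName = "nixos"` is overridden per clone.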
@@ -110,6 +112,7 @@ modules = [ agenix.nixosModules.default "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" "${inputs.self}/services" { services.vm_grafana = { @@ -118,9 +121,6 @@ proxy_ip = proxy_host; pgsql_ip = pgsql_host; }; - services.lxc = { - enable = true; - }; } ]; }; @@ -129,8 +129,7 @@ modules = [ agenix.nixosModules.default microvm.nixosModules.microvm - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems" + "${inputs.self}/systems/minimalMicrovmConfig.nix" "${inputs.self}/services" { services.vm_grafana = { @@ -155,7 +154,6 @@ modules = [ agenix.nixosModules.default inputs.authentik-nix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" { services.authentik = { enable = true; @@ -170,7 +168,7 @@ }; } microvm.nixosModules.microvm - "${inputs.self}/systems" + "${inputs.self}/systems/minimalMicrovmConfig.nix" "${inputs.self}/services" { microvm = { @@ -182,7 +180,7 @@ } ]; }; - services.vm = { + services.micro_vm = { enable = true; hostname = "authentik"; vm_ip = "192.168.1.25"; diff --git a/services/default.nix b/services/default.nix index 227cded..0193eff 100644 --- a/services/default.nix +++ b/services/default.nix @@ -9,6 +9,5 @@ ./grafana ./authentik ./postgresql - ./minimalConfig ]; } From 5f2bbb255c8cfba13238b0bdd482c6f482210198 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 7 Jan 2025 13:55:31 +0100 Subject: [PATCH 07/13] Add onlyoffice service --- flake.nix | 15 +++++++++++++++ services/default.nix | 1 + services/nginx/default.nix | 13 ++----------- services/onlyoffice/default.nix | 24 ++++++++++++++++++++++++ 4 files changed, 42 insertions(+), 11 deletions(-) create mode 100644 services/onlyoffice/default.nix diff --git a/flake.nix b/flake.nix index 4659243..834a88e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -68,6 +68,21 @@ } ]; }; + onlyoffice = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + "${inputs.self}/services" + { + networking.hostName = "onlyoffice"; + services.vm_onlyoffice = { + enable = true; + }; + } + ]; + }; template = nixpkgs.lib.nixosSystem { inherit system; modules = [ diff --git a/services/default.nix b/services/default.nix index 0193eff..0b1e474 100644 --- a/services/default.nix +++ b/services/default.nix @@ -9,5 +9,6 @@ ./grafana ./authentik ./postgresql + ./onlyoffice ]; } diff --git a/services/nginx/default.nix b/services/nginx/default.nix index ffebf9f..2d265c6 100644 --- a/services/nginx/default.nix +++ b/services/nginx/default.nix @@ -109,11 +109,11 @@ in recommendedProxySettings = true; }; }; - "collabora.le43.eu" = { + "office.le43.eu" = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://192.168.1.46:9980"; + proxyPass = "http://192.168.1.46:8000"; proxyWebsockets = true; recommendedProxySettings = true; }; @@ -135,15 +135,6 @@ in proxyWebsockets = true; }; }; - "netbox.le43.eu" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://192.168.1.45"; - recommendedProxySettings = true; - proxyWebsockets = true; - }; - }; "uptime.le43.eu" = { forceSSL = true; enableACME = true; diff --git a/services/onlyoffice/default.nix b/services/onlyoffice/default.nix new file mode 100644 index 0000000..f8115c8 --- /dev/null +++ b/services/onlyoffice/default.nix 
@@ -0,0 +1,24 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.vm_onlyoffice; +in +{ + options.services.vm_onlyoffice = { + enable = lib.mkEnableOption "Enable OnlyOffice service"; + }; + config = lib.mkIf cfg.enable { + services = { + onlyoffice = { + enable = true; + hostname = "office.le43.eu"; + port = "8000"; + postgresName = "onlyoffice"; + postgresHost = "${cfg.db_ip}"; + postgresUser = "onlyoffice"; + postgresPasswordFile = "/run/secrets/onlyoffice/office-dbpass"; + jwtSecretFile = "/run/secrets/onlyoffice/office-jwtpass"; + }; + }; + networking.firewall.allowedTCPPorts = [ 8000 ]; + }; +} From a8024223050f9da7fa17a8fbb2f96a5a85fbd961 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 7 Jan 2025 14:06:00 +0100 Subject: [PATCH 08/13] Add onlyoffice service --- flake.nix | 1 + secrets.nix | 18 ++++++++++-------- services/onlyoffice/default.nix | 5 +++-- services/onlyoffice/secrets/office-dbpass.age | 13 +++++++++++++ services/onlyoffice/secrets/office-jwtpass.age | 12 ++++++++++++ 5 files changed, 39 insertions(+), 10 deletions(-) create mode 100644 services/onlyoffice/secrets/office-dbpass.age create mode 100644 services/onlyoffice/secrets/office-jwtpass.age diff --git a/flake.nix b/flake.nix index 834a88e..f636dcf 100644 --- a/flake.nix +++ b/flake.nix @@ -79,6 +79,7 @@ networking.hostName = "onlyoffice"; services.vm_onlyoffice = { enable = true; + pgsql_ip = pgsql_host; }; } ]; diff --git a/secrets.nix b/secrets.nix index 7ca541d..eb11d3d 100644 --- a/secrets.nix +++ b/secrets.nix 
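Review bot: `postgresPasswordFile` and `jwtSecretFile` point at `/run/secrets/onlyoffice/...`, but this module declares no `age.secrets.*` entries and the `onlyoffice` system in flake.nix is a Proxmox LXC, not a microvm with the `/run/secrets/${hostname}` virtiofs share, so nothing visible in this series creates those files. If agenix is the intent, add something like `age.secrets.office-dbpass = { file = ./secrets/office-dbpass.age; path = "/run/secrets/onlyoffice/office-dbpass"; owner = "onlyoffice"; };` (owner matching whatever user the document server runs as — confirm) and the same for `office-jwtpass`. `postgresHost = "${cfg.db_ip}"` also references an option this module never declares, so evaluation fails until it is renamed to the option that is actually defined.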
@@ -1,16 +1,18 @@ let - tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"; - users = [ tbarnouin ]; + tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"; + users = [ tbarnouin ]; - forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; + forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; + grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; + onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; - grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; - - systems = [ forgejo grafana ]; + systems = [ forgejo grafana ]; in { "secrets/initialPassword.age".publicKeys = users ++ systems; - "../services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ]; - "../services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ]; + "services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ]; + "services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ]; + "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [ tbarnouin onlyoffice ]; + "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ]; } diff --git a/services/onlyoffice/default.nix b/services/onlyoffice/default.nix index f8115c8..1e7e821 100644 --- a/services/onlyoffice/default.nix +++ b/services/onlyoffice/default.nix 
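Review bot: `onlyoffice` is assigned the same public key as `grafana` (the identical `...qNxc4z root@grafana` string), so `office-dbpass.age` and `office-jwtpass.age` are encrypted to the grafana host's key: grafana can decrypt the OnlyOffice DB password and JWT secret, and the real onlyoffice host cannot. The fix is the onlyoffice host's own `/etc/ssh/ssh_host_ed25519_key.pub`, but since these ciphertexts are committed, treat both values as exposed to whoever holds grafana's key and rotate them rather than only re-encrypting. `systems = [ forgejo grafana ]` also omits `onlyoffice`, so `secrets/initialPassword.age` will not be decryptable on that host — intended?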
@@ -5,15 +5,16 @@ in { options.services.vm_onlyoffice = { enable = lib.mkEnableOption "Enable OnlyOffice service"; + pgsql_ip = lib.mkEnableOption "Postgres database IP address"; }; config = lib.mkIf cfg.enable { services = { onlyoffice = { enable = true; hostname = "office.le43.eu"; - port = "8000"; + port = 8000; postgresName = "onlyoffice"; - postgresHost = "${cfg.db_ip}"; + postgresHost = "${cfg.pgsql_ip}"; postgresUser = "onlyoffice"; postgresPasswordFile = "/run/secrets/onlyoffice/office-dbpass"; jwtSecretFile = "/run/secrets/onlyoffice/office-jwtpass"; diff --git a/services/onlyoffice/secrets/office-dbpass.age b/services/onlyoffice/secrets/office-dbpass.age new file mode 100644 index 0000000..619e335 --- /dev/null +++ b/services/onlyoffice/secrets/office-dbpass.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBCVG1B +RUtaTGRRQklZWTZqcGQwa2lOd0lEMDJDdnpYYVJwZHdGVG1veldrCmFDSGFOeHRD +VDRRSCtJS2ZlS01ZRkFNeTkyWnJFaGVWajdQOFJKMU53STAKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IGpFRm9aSzFJK1BYTnZVU1R4cG0yakRTWGl1VXBtQkhUVXhGYngw +bHJEa1kKcllxclNWb0FHazNOMWpQbW45MUs0ZjhWNTVsQWNSTTFCU0psWVZ4Q2RX +YwotPiBbbVF2LWdyZWFzZQpldWFaOWpPZUMvQlh3aGNwZVErR3VtN0RRYmhveFZX +NlEwNFAzY21qbDVPeFpOTWVwbzBPS1lGOXJwMXp1ZnNWCms1WjZCUXF3azJQamQr +VDQ5eDl4aWFJN2pvK2lNb2x0d05HeS9NWVQzNVVhVFEwWkFlTkNGbmhaQmVVLzg2 +cnoKUFZNCi0tLSBmaG1zTWpaSDlLWmxjUDlQS0FDdlV3WHY1VTVLNEV2NjdOcDRX +dUMvcVNvCpCNm1wYvouULKX0ykzzHtURSm73FR2pFsk3uXGO9fJqBb6CZFPwOkQu +zy2u2HStrYc= +-----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-jwtpass.age b/services/onlyoffice/secrets/office-jwtpass.age new file mode 100644 index 0000000..97da21d --- /dev/null +++ b/services/onlyoffice/secrets/office-jwtpass.age 
@@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB4NnVr +cHRPclQ5MFpkRVhDU3JwZFJ3TVFtZU5xMUhkb2NDUXU0MWhWYzNVCnk3c2UrdGpO +cHZVUWljV2hpMFVoOEF1TTRBQ0RYQW1SWkFhNGswbm9GSG8KLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IGtQUEVmcDRxK0hqMWIxcHRONDlQVDdFLzRBeUE1YjBvVWN3WURh +NTR1emMKcm0rU0wza2JHaE5kb2FacURuZXE5eXlEeGlZRXZzQkhuVXVUd1BVRkNI +dwotPiBvP2AwZyctZ3JlYXNlIEkgMFV3VktaQF4gfT5kJG4KTnVlNko3YmVsZVFD +OGpnaHhaVTFoTUpjRHZyc2NqSlRCV1JoV29JVHA0Nm0zUWNJNU4vWFAyS2YrL1kK +LS0tIEMzVVdyRW1GYzJnUGxHUVNGanlISjlpSW1mTkM3aFFyUGpVRWltZVZXWXcK +fAPdPODCgOrgk2QcZC/ykTjbae7Dew+7QFC6oYvFxN/LmuJzkqdPUsnxsVR1gxy8 +TZU= +-----END AGE ENCRYPTED FILE----- From 0e79faf62117edfdd0f841f81d641f0efd1fa295 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 7 Jan 2025 14:06:58 +0100 Subject: [PATCH 09/13] Add onlyoffice service --- services/onlyoffice/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/services/onlyoffice/default.nix b/services/onlyoffice/default.nix index 1e7e821..4131d19 100644 --- a/services/onlyoffice/default.nix +++ b/services/onlyoffice/default.nix @@ -5,7 +5,10 @@ in { options.services.vm_onlyoffice = { enable = lib.mkEnableOption "Enable OnlyOffice service"; - pgsql_ip = lib.mkEnableOption "Postgres database IP address"; + pgsql_ip = lib.mkOption { + type = lib.types.str; + description = "The PostgreSQL host IP address"; + }; }; config = lib.mkIf cfg.enable { services = { From c2d771a9c6fa1135eef593c9b6f77c188d6c8db2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 7 Jan 2025 14:19:36 +0100 Subject: [PATCH 10/13] Add onlyoffice service --- services/nginx/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nginx/default.nix b/services/nginx/default.nix index 2d265c6..626dfe7 100644 --- a/services/nginx/default.nix +++ b/services/nginx/default.nix 
@@ -113,7 +113,7 @@ in forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://192.168.1.46:8000"; + proxyPass = "http://192.168.1.46"; proxyWebsockets = true; recommendedProxySettings = true; }; From b09aa018d17a5cc663d3476f9c3176bea43aaf1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Wed, 8 Jan 2025 09:20:10 +0100 Subject: [PATCH 11/13] Rekey secrets --- secrets.nix | 2 +- secrets/initialPassword.age | 22 +++++++++++-------- services/onlyoffice/secrets/office-dbpass.age | 20 ++++++++--------- .../onlyoffice/secrets/office-jwtpass.age | 18 +++++++-------- 4 files changed, 31 insertions(+), 31 deletions(-) diff --git a/secrets.nix b/secrets.nix index eb11d3d..50c0927 100644 --- a/secrets.nix +++ b/secrets.nix @@ -4,7 +4,7 @@ let forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; - onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; + onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice"; systems = [ forgejo grafana ]; in diff --git a/secrets/initialPassword.age b/secrets/initialPassword.age index beb356e..7be04a4 100644 --- a/secrets/initialPassword.age +++ b/secrets/initialPassword.age 
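Review bot: Dropping `:8000` sends the `office.le43.eu` proxy to port 80 on 192.168.1.46, but the onlyoffice LXC's firewall in this series only allows 22 and 9002 (baseline) plus 8000 (onlyoffice module), so port 80 is closed unless something not shown opens it. If the NixOS onlyoffice module's own nginx vhost on port 80 is the intended target (that is how I read `services.onlyoffice.hostname`, but verify), add `networking.firewall.allowedTCPPorts = [ 80 ];` in services/onlyoffice/default.nix and drop the `8000` entry there, since 8000 is the document server's direct listener and exposing it LAN-wide bypasses the vhost.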
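Review bot: Replacing the `onlyoffice` recipient key and re-encrypting fixes which host can decrypt going forward, but the earlier ciphertexts encrypted to grafana's key remain in git history, so the plaintext DB password and JWT secret are still recoverable by that key. If the values were not changed as part of this rekey, rotate them (new PostgreSQL password for the `onlyoffice` role, new JWT secret on both the document server and its client) before relying on them. `systems = [ forgejo grafana ]` is still missing `onlyoffice`, so `initialPassword.age` remains undecryptable on that host.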
@@ -1,9 +1,13 @@ -age-encryption.org/v1 --> ssh-ed25519 OWkVXw Kp9otTIwi3SuVG43UebS2B+bvp6uy81KIIPIeJSW8iE -xXX6N1WrkxNLOC4ClZo9XzUZOdFK6210trH2GS5+N0E --> ssh-ed25519 MTO1pg 70GcDYGKyG0w0s1ehWvcid1JKNRY3vRPeQhnEfHDWBI -Fcq3ZR6iA0J4CUBuQeVIyRoGMu88bd9oBrwGCJKicBE --> ssh-ed25519 wnEUpw m7HRrztgLMS90k3cwzqBkMKfbji0Ub8atDwTGJNeq0c -rEPjFTG+hEPHNoLOyhmcY4QMJ4DYIIhBR10GVZqcIuo ---- eXz18+bRHesrblBjD/aqwFkAXUhEL741swR1csHpoXU -Ô|}pÁ#¢ç®,\‚m:(·¸ª# ëHH¡aÃÒ¸ß_~ª7 ž(5EgÈÏOQY[»r U;e \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB5SjZL +dXhYcTh4RjBrUmhSSzBaWXRNZUQ3V1NVRTBZUzNLeUZCYkJmWGpNClZwMU9ldXRK +OGhZNXlFcEE1YzNGSVIwdzBXbFN4SlNWUWMwOGlEMnRQUG8KLT4gc3NoLWVkMjU1 +MTkgTVRPMXBnIHJSKzh1ZzZGeUJldW15Z2o3ejBqUC9EYUlNcHd5ZEEyRTNTQ2xS +STEwaGMKSHNVL1l3cnVQOHIwQTZZN0VqWHgvaXh0UmFxdEE3eWZqaXZFZjQwS05h +dwotPiBzc2gtZWQyNTUxOSB3bkVVcHcgVG9KYmRZenoyczJVQjhYbGkrQXdOclRJ +anhyVS9va3ZxcGVlR3BKV2xoVQplQk15MFhUdzF1REV3Qkt0dElaTTA4aTVBcGNH +ckxTWHh2dFVvUlo2V2JjCi0+ID9BQCstZ3JlYXNlCnVVWno2OEl1NVVNRy9VSHky +TjhGVDFHVjV2ME1GV0o0bHY0NlFoRGFyK2xvSlJudHNBCi0tLSBRd2hIUFV6Tndk +Z0pTenY1YUpEbldvcG1RdzdWUTZVYjRKMkNrZnpOTklRCo2ITrJB/w2tgDVxFe9e +jrmYkqnpujXppfQHXMhDGzdIPrAIEJrEMJp95sdz4EFqqk5mgu3K +-----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-dbpass.age b/services/onlyoffice/secrets/office-dbpass.age index 619e335..488bba0 100644 --- a/services/onlyoffice/secrets/office-dbpass.age +++ b/services/onlyoffice/secrets/office-dbpass.age 
@@ -1,13 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBCVG1B -RUtaTGRRQklZWTZqcGQwa2lOd0lEMDJDdnpYYVJwZHdGVG1veldrCmFDSGFOeHRD -VDRRSCtJS2ZlS01ZRkFNeTkyWnJFaGVWajdQOFJKMU53STAKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IGpFRm9aSzFJK1BYTnZVU1R4cG0yakRTWGl1VXBtQkhUVXhGYngw -bHJEa1kKcllxclNWb0FHazNOMWpQbW45MUs0ZjhWNTVsQWNSTTFCU0psWVZ4Q2RX -YwotPiBbbVF2LWdyZWFzZQpldWFaOWpPZUMvQlh3aGNwZVErR3VtN0RRYmhveFZX -NlEwNFAzY21qbDVPeFpOTWVwbzBPS1lGOXJwMXp1ZnNWCms1WjZCUXF3azJQamQr -VDQ5eDl4aWFJN2pvK2lNb2x0d05HeS9NWVQzNVVhVFEwWkFlTkNGbmhaQmVVLzg2 -cnoKUFZNCi0tLSBmaG1zTWpaSDlLWmxjUDlQS0FDdlV3WHY1VTVLNEV2NjdOcDRX -dUMvcVNvCpCNm1wYvouULKX0ykzzHtURSm73FR2pFsk3uXGO9fJqBb6CZFPwOkQu -zy2u2HStrYc= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBocWVS +dS9jdG85QSsza20rbWhBVkwvQXF1dWxYNDMrSURhMk5RSktFNGhFCjJGY1pPazdV +b3ZJMGVaNC9VcGxoZzlhZWFSYUkzM0hFdUNCaFRXSDNqV2sKLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIDhMeStYYW1RWEg4ZHFReFF6QjhONE1SUi9wbTVMVi9vQmRxS1dM +SWlmU2cKRkdlK1pIRDAzd3laVXg5Q0dIQllQbkF1cjhVeEpwa1c5d0xWVUFxMThW +awotPiA3US1ncmVhc2UKUmFCODRUSi9zdzdlcitUaXNwTHg1eHE5QjhmVEZaa09P +dUphRkRkajRXTmpWUUh3U1ZySk0xNUhLaVpCaWlVCi0tLSBWQkprbFBXOWNjU3pt +UVpza3ZjSDk4QllEQnpIU3BoNzU5L3RLS1hOZHRFCqYg1Z912qrGFWLIfhSyoKiW +r0cvLu4276n5bEw0rUzpyPrr1QaXHdOyjdNOrlc= -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-jwtpass.age b/services/onlyoffice/secrets/office-jwtpass.age index 97da21d..7157924 100644 --- a/services/onlyoffice/secrets/office-jwtpass.age +++ b/services/onlyoffice/secrets/office-jwtpass.age 
@@ -1,12 +1,10 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB4NnVr -cHRPclQ5MFpkRVhDU3JwZFJ3TVFtZU5xMUhkb2NDUXU0MWhWYzNVCnk3c2UrdGpO -cHZVUWljV2hpMFVoOEF1TTRBQ0RYQW1SWkFhNGswbm9GSG8KLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IGtQUEVmcDRxK0hqMWIxcHRONDlQVDdFLzRBeUE1YjBvVWN3WURh -NTR1emMKcm0rU0wza2JHaE5kb2FacURuZXE5eXlEeGlZRXZzQkhuVXVUd1BVRkNI -dwotPiBvP2AwZyctZ3JlYXNlIEkgMFV3VktaQF4gfT5kJG4KTnVlNko3YmVsZVFD -OGpnaHhaVTFoTUpjRHZyc2NqSlRCV1JoV29JVHA0Nm0zUWNJNU4vWFAyS2YrL1kK -LS0tIEMzVVdyRW1GYzJnUGxHUVNGanlISjlpSW1mTkM3aFFyUGpVRWltZVZXWXcK -fAPdPODCgOrgk2QcZC/ykTjbae7Dew+7QFC6oYvFxN/LmuJzkqdPUsnxsVR1gxy8 -TZU= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBybjlG +ZXVqakxMNjB5L1dDZnZnMW92M3lpTnhwMU1qMXdVYmQ1RXZwTFJnCkV6L3lKSXA1 +Y0FqQ0htUzdRTXFqVitIVUp1K2VKc2RUNTlQNWJLVTBFNDAKLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIDVXRUlBcHRucDc3ZzM4SG9UUUY0dzNJV2ZlWkRncXVGWm5Gd2xp +U0E2d0kKOGNTUXhFL2xDZTNPK2MrVTA0Qjduci9rS201UDJYaDlaajV3Q091VEFq +RQotPiBxZy1ncmVhc2UgPmYydCBwfG8gPCBhWGFgYUYqLwpYZWMKLS0tIHlrbkd1 +b1dQdTJKVXhYMlhJdmhCU01iT0ZpRC9BZEVXSXhsWDBjc09yMkEKi3aQtU6pMcZ+ +F+DZFI/hTYJ3AXYhkyTlNK47SzF4Ut6RLqzvUAT0scIf1kGepzITUg== -----END AGE ENCRYPTED FILE----- From 470c42f8d07d864ab2982a41fa49ae0f3eca24ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Wed, 8 Jan 2025 09:20:22 +0100 Subject: [PATCH 12/13] Rekey secrets --- services/grafana/secrets/grafana-db.age | 18 ++++++++++-------- services/grafana/secrets/kuma-token.age | Bin 367 -> 743 bytes 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/services/grafana/secrets/grafana-db.age b/services/grafana/secrets/grafana-db.age index c3adad3..12da728 100644 --- a/services/grafana/secrets/grafana-db.age +++ b/services/grafana/secrets/grafana-db.age 
@@ -1,8 +1,10 @@ -age-encryption.org/v1 --> ssh-ed25519 OWkVXw 1n49CouMzxgvdrQ+7gIbilN2oRkG3lfTJehpVwxeLXw -NBB8G9JeEmvbfXk6WdaDPYTaSBsNtDyqdTkJKG3RNtw --> ssh-ed25519 wnEUpw LepRS+v4Jq+Z4VBtyDRw1BQkGOwOzI5HsjRSFP9SLA4 -hRZr5OauNH1VYHip7pifCuVxTTQa3S9VbjwjQEUuK00 ---- G3K8IsDtSXZ7Cqp0ehe7eczyzzEsiwwV9xfenlBz0Vo -@²W Jƒ–£0ÊH% -ƒ·Õ8Š4¼Ã\»‚&È©´ I^˜@5©ÂƒÏF \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyArbVYy +QVAralludnhwNVJSMC9WeFAya3J5NUtuemx0TWNid084b3gwNHdRCjlqMVR5K0sx +TTdOT2NEYzMwRCtyWUY2eGVOUmpsKzU4SENiSmJxYzdqWWsKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IDlQTWpieUFDTDluV3VlaEV6ak9FRlJ4VVY1NlJWNkdIR1VKcmdl +RThjeHcKMjlSQ3lFMVI0NlRReDIvbjFRQ2FQclc0S0VnRTFCeUp0S25VVW44NDVQ +UQotPiAqTmpzJVctZ3JlYXNlCkYzVkUKLS0tIGpiaGhyMWl5VjMvZ2REVXJXb3FV +V25rTjRORDVXTDZZVG9MbnZFRUU4NlUKsUTcVfmpxX5claATFT9wTiFd2DFLJ9KV ++Un8kZobFeAjeLCZ3r/Cb8vUtw== +-----END AGE ENCRYPTED FILE----- 
diff --git a/services/grafana/secrets/kuma-token.age b/services/grafana/secrets/kuma-token.age index 3b9dd76c292959ca52f88507f8dfb6f1d9d868c3..e63927dd6588ee0d42baf1a322b5fded824174f1 100644 GIT binary patch literal 743 zcmdM|0Vh{?Pd^1mcUJ{hKj)yxfDl&~1vgJ0SCE`8S7dlfj!$@4X{522X|hL9L6VV4 zX_B#5o{w>4g>$BXwx@?*Rid+DPLzwMpPGneka#d((v1v$zmqB=hXHkl4hDS(5PL^|Cj#H{@ zMn-6EN+DOOdro9hNSJY|Yr1Jtj#FY#o@aSbcyeWOu9ts`v0qeFXn~J!XsB^eM7~k5 zd$G4qh)H^~v0uJVcv!Y?R;VGDZ%B4}ijk>XScH?Yr+ZFRSZI)6h82NqDw}8YDBg{Xm*8fWSCoIqH9n@xJSMbS5Q`vPgqr;cT!e{OJI0lQE-l% zacW+WOR}qJPI5$$OJrtAS+Yw?PKa@VYf_e9sIN+lv$`-Mq;30fm4Wq zpL?P~kQ0}0ZdhJoc9d^&h?7rvUWTi;v0r$iyO(Qfs9{8kfniRFVL^DHv7c$8hg+d@ zZjMK4PEc-2Xm(MEL9$^~NK^n%)vUg#UrD3>#V3<>ZtAAQncwvfpiK|6W sfwre(qB)nokx`{_MTLidm5EupkBg^?Q)OjVxvec1IH9`wx!_F00BY3i<^TWy literal 367 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUl56=#ZC|4*gugptJ z_X-Jj$p|;|O)9V`O7hds3s1>23n{HKF*Yg=P4{qjb_*#EjpWM9aSe$ysxbDpj^S!FDJ#(F+HNvG0Mp` z$i%NGz0|+dD5=6UtT@Uwq#)JZ*V(B&EIZuUy_hQ_Fv}yP!d1T_x6;KYC^IcpJ20oh zx7;Dci@(sWPO%!!)xnxtL2=S63m|-8|jZEk8oL%-F-sEwkLq#oVCCAkoQE zKh(R#E!@i|KdD4NJ3QYcC6r5m<$)cSeE2y@h1EBW^UBk_?%FZ79?V&$D zd-$JN-&H<){dRM42C?cy6S2(VCwELAdvD*y`BCt(-}6Q5eVjaaYwv!|w*96L0Lo;7 A8vp Date: Wed, 8 Jan 2025 09:21:06 +0100 Subject: [PATCH 13/13] Add onlyoffice secret conf --- services/onlyoffice/default.nix | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/services/onlyoffice/default.nix b/services/onlyoffice/default.nix index 4131d19..5540e48 100644 --- a/services/onlyoffice/default.nix +++ b/services/onlyoffice/default.nix @@ -11,6 +11,16 @@ in }; }; config = lib.mkIf cfg.enable { + age.secrets = { + office-dbpass = { + file = ./secrets/office-dbpass.age; + owner = "onlyoffice"; + }; + office-jwtpass = { + file = ./secrets/office-jwtpass.age; + owner = "onlyoffice"; + }; + }; services = { onlyoffice = { enable = true; 
@@ -19,10 +29,10 @@ in
 postgresName = "onlyoffice";
 postgresHost = "${cfg.pgsql_ip}";
 postgresUser = "onlyoffice";
- postgresPasswordFile = "/run/secrets/onlyoffice/office-dbpass";
- jwtSecretFile = "/run/secrets/onlyoffice/office-jwtpass";
+ postgresPasswordFile = config.age.secrets.office-dbpass.path;
+ jwtSecretFile = config.age.secrets.office-jwtpass.path;
 };
 };
- networking.firewall.allowedTCPPorts = [ 8000 ];
+ networking.firewall.allowedTCPPorts = [ 80 4369 5432 5672 6379 8000 8080 ];
 };
}
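Review bot: The new `networking.firewall.allowedTCPPorts = [ 80 4369 5432 5672 6379 8000 8080 ];` opens far more than the reverse proxy needs: 4369, 5432, 5672 and 6379 are the well-known ports of epmd, PostgreSQL, AMQP and Redis, backend dependencies of the document server that, if they run on this host at all, are consumed over loopback, while PostgreSQL is addressed via `postgresHost = "${cfg.pgsql_ip}"` and so needs no inbound rule here. Exposing Redis (no authentication by default) and the message broker to the LAN gives any neighbouring host a cache and a queue to tamper with, which is a larger blast radius than the earlier `[ 8000 ]`. The nginx vhost earlier in this series proxies to `http://192.168.1.46` (port 80), so only the port the document server actually listens on should be opened — I cannot tell from here which of 80/8000/8080 that is — e.g. `networking.firewall.allowedTCPPorts = [ 80 ]; # reverse-proxied by nginx`, with the unused ports dropped.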