From 3e1c95797cb051bf7955e8d14c95b4582ca06398 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Fri, 29 Dec 2023 16:11:16 +0100 Subject: [PATCH 1/4] WIP: gitea: Migrate to forgejo --- configuration/services/gitea.nix | 81 +++++++++---------- .../services/metrics/victoriametrics.nix | 6 +- configuration/sops.nix | 4 +- keys/production.yaml | 10 +-- keys/staging.yaml | 8 +- 5 files changed, 53 insertions(+), 56 deletions(-) diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix index 013842e..d77d6cc 100644 --- a/configuration/services/gitea.nix +++ b/configuration/services/gitea.nix @@ -6,12 +6,10 @@ }: let domain = "gitea.${config.services.nginx.domain}"; in { - services.gitea = { + services.forgejo = { enable = true; database.type = "postgres"; - appName = "Gitea: Git with a cup of tea"; - settings = { server = { DOMAIN = domain; @@ -29,18 +27,18 @@ in { }; }; - systemd.services.gitea.serviceConfig.ExecStartPre = let + systemd.services.forgejo.serviceConfig.ExecStartPre = let replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; - secretPath = config.sops.secrets."gitea/metrics-token".path; - runConfig = "${config.services.gitea.customDir}/conf/app.ini"; + secretPath = config.sops.secrets."forgejo/metrics-token".path; + runConfig = "${config.services.forgejo.customDir}/conf/app.ini"; in [ "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" ]; # Set up SSL services.nginx.virtualHosts."${domain}" = let - httpAddress = config.services.gitea.settings.server.HTTP_ADDR; - httpPort = config.services.gitea.settings.server.HTTP_PORT; + httpAddress = config.services.forgejo.settings.server.HTTP_ADDR; + httpPort = config.services.forgejo.settings.server.HTTP_PORT; in { forceSSL = true; enableACME = true; 
@@ -62,40 +60,39 @@ in { # Block repeated failed login attempts # - # TODO(tlater): Update to the new regex, since apparently this one - # is deprecated (but the new one doesn't work on the current version - # of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/ - environment.etc = { - "fail2ban/filter.d/gitea.conf".text = '' - [Definition] - failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from - journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea - ''; - }; + # TODO(tlater): Update this - we switched to forgejo, who knows what + # the new matches are. + # environment.etc = { + # "fail2ban/filter.d/gitea.conf".text = '' + # [Definition] + # failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from + # journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo + # ''; + # }; - services.fail2ban.jails = { - gitea = '' - enabled = true - ''; - }; + # services.fail2ban.jails = { + # gitea = '' + # enabled = true + # ''; + # }; - services.backups.gitea = { - user = "gitea"; - paths = [ - "/var/lib/gitea/gitea-db.sql" - "/var/lib/gitea/repositories/" - "/var/lib/gitea/data/" - "/var/lib/gitea/custom/" - # Conf is backed up via nix - ]; - preparation = { - packages = [config.services.postgresql.package]; - text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql"; - }; - cleanup = { - packages = [pkgs.coreutils]; - text = "rm /var/lib/gitea/gitea-db.sql"; - }; - pauseServices = ["gitea.service"]; - }; + # services.backups.forgejo = { + # user = "forgejo"; + # paths = [ + # "/var/lib/forgejo/forgejo-db.sql" + # "/var/lib/forgejo/repositories/" + # "/var/lib/forgejo/data/" + # "/var/lib/forgejo/custom/" + # # Conf is backed up via nix + # ]; + # preparation = { + # packages = [config.services.postgresql.package]; + # text = "pg_dump ${config.services.forgejo.database.name} 
--file=/var/lib/forgejo/forgejo-db.sql"; + # }; + # cleanup = { + # packages = [pkgs.coreutils]; + # text = "rm /var/lib/forgejo/forgejo-db.sql"; + # }; + # pauseServices = ["forgejo.service"]; + # }; } diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index 4cdc770..daf3f94 100644 --- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -6,9 +6,9 @@ ]; scrapeConfigs = { - gitea = { - targets = ["127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"]; - extraSettings.authorization.credentials_file = config.sops.secrets."gitea/metrics-token".path; + forgejo = { + targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"]; + extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path; }; coturn.targets = ["127.0.0.1:9641"]; }; diff --git a/configuration/sops.nix b/configuration/sops.nix index 03faf82..c7cb1f0 100644 --- a/configuration/sops.nix +++ b/configuration/sops.nix @@ -4,8 +4,8 @@ secrets = { # Gitea - "gitea/metrics-token" = { - owner = "gitea"; + "forgejo/metrics-token" = { + owner = "forgejo"; group = "metrics"; mode = "0440"; }; diff --git a/keys/production.yaml b/keys/production.yaml index efeea6a..da53b95 100644 --- a/keys/production.yaml +++ b/keys/production.yaml 
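Review bot: Commenting out the fail2ban filter and jail removes the only brute-force protection on the login endpoint, and nothing later in the series re-enables it: PATCH 2's gitea.nix hunk restores `services.backups.forgejo` but leaves the `environment.etc` and `services.fail2ban.jails` blocks commented out. The commented replacement already has the unit names updated, and Forgejo's authentication log lines are presumably still the Gitea ones at this version (to be confirmed), so the jail can stay enabled while the regex is verified — a filter that fails to match costs nothing, whereas a disabled jail does. I would keep the block live with `journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo` and narrow the TODO to `# TODO(tlater): Verify failregex against Forgejo's auth log lines`. While renaming, move the filter to `fail2ban/filter.d/forgejo.conf` and name the jail `forgejo`, so the jail name still matches the filter file (fail2ban looks the filter up by jail name unless `filter =` is set).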
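Review bot: The `# Gitea` comment now sits above `"forgejo/metrics-token"` with `owner = "forgejo"`, so it is stale; change it to `# Forgejo`. The renamed secret path is referenced consistently from gitea.nix and victoriametrics.nix in this patch, so the comment is the only thing left out of step.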
@@ -1,5 +1,5 @@ -gitea: - metrics-token: ENC[AES256_GCM,data:/7/zvVl2ZOBoekrJR32vl/QQcG5XqTmltgpHEMUpbXVeqwnq29idzE2Qyjau96ZHObmSI73/ZtW95uXF6LH9Qw==,iv:iWZECCZSh1CN7wMBqstXR5QWtriR7QLKVqhekGnpXl0=,tag:HEr9km8VYmruBzf0I/5HuA==,type:str] +forgejo: + metrics-token: ENC[AES256_GCM,data:WVbD5JloJlHNjeEwe1uEd4Haj6L3ilj1Pnux6yrelUQP18ZPAh90aDO1OIZHaPJR7tTeyATr8BIzZL1zkNhCuA==,iv:eTYXN3hymIN3bTX1YxNGkAYE0KVDbdz2ds8UQAHlALE=,tag:A61loGdu0pfsiez96u2Qsg==,type:str] grafana: adminPassword: ENC[AES256_GCM,data:/qw//J7cOkIGa58bG4GgdzndvKof32AmQeWB00IX8WhA22PDCOc4VdUEoB3wVJJqI/ucoHFInYyhg2rFYoYBesBjAt0QS3+O+8WblIunUuYeqlBuYJJK1TLhy6ql6+aqvfiW/rJLm4LpgA7CboyDD2OYHcAbvGSD2GWwFcHTR/Y=,iv:KK6p8GKzc9SBDZZFkEwCdIjSxriPGNMDNcr97tfbwTI=,tag:gLRNSGdJWFD+V9K5TfJvXw==,type:str] secretKey: ENC[AES256_GCM,data:OUXWOE6I3a26SrFEOczWNIwyR3Rx62fbsRBBcfh0xyEbxOIPhexH6lIqlVG9Ltwra9+rAldNM4/0BydtxIDj7A==,iv:fiNO/or5yZnhpDPMANDnEC5dtXmbKBZsV+BPmvCN/HI=,tag:Q0M0OtLWdWAJgQmUlL//fg==,type:str] @@ -26,8 +26,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-10-12T18:40:26Z" - mac: ENC[AES256_GCM,data:F+yQ20jCtLRKeQDFVKoqrYCgtwGkXxrK6aQO0MFZTIMJAnbTVPM2ZJGQ1RxXb+Zs4T+44EEc2xN4LjeANvgpE6MfOz2VTw+sEEjcYwUyB6RcXHia9XlFLa8lh7/Wx/9DxlSFjjSrxmDkNB6r+n5UF81cdRXF2E9ibdH346ST98A=,iv:xVxFN1IDKrLskaGqnWvOWx1zUII0jRSjQxEsaTf2GNw=,tag:lnp1AvgMOXXlg1vFjHEWUQ==,type:str] + lastmodified: "2023-12-28T00:07:08Z" + mac: ENC[AES256_GCM,data:P2bNJLjzn69Kg2bJHXmofER7J8wbEj9C4jq9ePWewXBOt45GEiqgnqIaISwZkyzQmm9cxZd95Lr780ICwoKDFdtSCCcC7CdYxYEfyyhnvU3W2qzEghvkypL8JbiEtPSlQ9xOlCk7p41A9eRrV+JziIVSv5UEUs4NubrG9Mkwv3k=,iv:Yq2gANTTgx6cFxkdustUZ1MPszxGSkao/bS1KHAkzJc=,tag:kqJibocgRQXkxTJze6O5MA==,type:str] pgp: - created_at: "2022-10-12T00:46:51Z" enc: | @@ -65,4 +65,4 @@ sops: -----END PGP MESSAGE----- fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 diff --git a/keys/staging.yaml b/keys/staging.yaml index fb1d15d..de7686b 100644 --- a/keys/staging.yaml 
+++ b/keys/staging.yaml @@ -1,5 +1,5 @@ -gitea: - metrics-token: ENC[AES256_GCM,data:T1NYXRWbruA=,iv:usgHYHwWJFbaEdHLO6JX3z/42MVheY2wu0YrXmnz2ng=,tag:W+B7pKGOc/wX/0My0dWY5w==,type:str] +forgejo: + metrics-token: ENC[AES256_GCM,data:HEDV/GK/WtI=,iv:ihPEusEGVUNZjjjxz2ys6Nfag/og4n7Cqmd4rroT6Ww=,tag:Brcv7XW6HfzzgF3emtuT2A==,type:str] grafana: adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str] secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str] @@ -26,8 +26,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-12-29T15:14:54Z" - mac: ENC[AES256_GCM,data:yJUprLcfw4ypsrSlhot7vsavVqzaFlJoJeEC/DdTfKDoJ0L607r6aCfXtCSg+qrR5JA2bvEATwDJM5qgA2vbMhSOqmc3zT7yBPUKC4Sk24Me3IOOum2DhNID/l/PLtxUIk3Rzz49PJZECUsIKnT7k6KvZ5nWe5sEUupCBgdKjG4=,iv:Axpml84/6wgBxld94AB+Ybdo3r/7Bym6Lsj/49P7jWE=,tag:wXAx3AoopQS7i6rbo70AYg==,type:str] + lastmodified: "2023-12-30T14:09:03Z" + mac: ENC[AES256_GCM,data:kuyzVV1Dhlb2LemqRzw2xPr9jtTWqSbFMv70LUEbRmsDpjwQsAIARgoaj32EXdDRTHYXBplTYieR7KvmxykL/8rkj0g4+IuRLY1TcbRS31Gi74FiXvV2apscHhQWXhHPHIHMbwZAfDSHdMrf8hPu28SC9QdbP3SXYNt28Imstrc=,iv:UALUiWGHlWEBmIVWeSyEa16ZdcDZvgtlpHETDV2CcRY=,tag:rxbd3ph+pPf11jup/CMEzw==,type:str] pgp: - created_at: "2023-12-29T15:25:27Z" enc: | From dd41fa1ac4fcc9fa3cdf553f0a83c3a0f2143ed7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sat, 2 Mar 2024 02:27:24 +0100 Subject: [PATCH 2/4] hetzner: Add new server config --- .sops.yaml | 2 + configuration/default.nix | 2 +- .../hardware-specific/hetzner/default.nix | 47 +++ .../hardware-specific/hetzner/disko.nix | 82 ++++ .../hetzner/hardware-configuration.nix | 25 ++ configuration/hardware-specific/vm.nix | 1 + configuration/services/gitea.nix | 38 +- flake.lock | 364 ++++-------------- flake.nix | 42 +- keys/hosts/hetzner1.asc | 28 ++ keys/production.yaml | 79 ++-- 11 files changed, 373 insertions(+), 337 deletions(-) create mode 100644 configuration/hardware-specific/hetzner/default.nix create mode 100644 configuration/hardware-specific/hetzner/disko.nix create mode 100644 configuration/hardware-specific/hetzner/hardware-configuration.nix create mode 100644 keys/hosts/hetzner1.asc diff --git a/.sops.yaml b/.sops.yaml index dc2021d..7444d2c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,6 +1,7 @@ keys: - &tlater 535B61015823443941C744DD12264F6BBDFABA89 - &server_tlaternet 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b + - &server_hetzner1 0af7641adb8aa843136cf6d047f71da3e5ad79f9 - &server_staging 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc creation_rules: @@ -9,6 +10,7 @@ creation_rules: - pgp: - *tlater - *server_tlaternet + - *server_hetzner1 - path_regex: keys/staging.yaml key_groups: - pgp: diff --git a/configuration/default.nix b/configuration/default.nix index 6f7cf41..34b1f42 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -7,6 +7,7 @@ ... }: { imports = [ + flake-inputs.disko.nixosModules.disko flake-inputs.sops-nix.nixosModules.sops flake-inputs.tlaternet-webserver.nixosModules.default @@ -55,7 +56,6 @@ boot.kernelParams = ["highres=off" "nohz=off"]; networking = { - hostName = "tlaternet"; usePredictableInterfaceNames = false; useDHCP = false; 
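Review bot: Dropping `hostName = "tlaternet";` from the shared `networking` block means every host module must now set it, but this series only adds one to `hardware-specific/vm.nix` and the new `hetzner/default.nix`; the `tlaternet` system still imports `./configuration/hardware-specific/linode` (per flake.nix), which is not touched here. Unless that module already sets `networking.hostName`, the existing host falls back to NixOS's default name after the next deploy. Either add `networking.hostName = "tlaternet";` to the linode module in this commit, or keep the shared value as `networking.hostName = lib.mkDefault "tlaternet";` (adding `lib` to the module arguments if it is not already there) so hosts override it. The enclosing `networking = {` attribute set continues past the hunk.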
diff --git a/configuration/hardware-specific/hetzner/default.nix b/configuration/hardware-specific/hetzner/default.nix new file mode 100644 index 0000000..5ecf63a --- /dev/null +++ b/configuration/hardware-specific/hetzner/default.nix @@ -0,0 +1,47 @@ +{ + imports = [ + ./hardware-configuration.nix + ./disko.nix + ]; + + # Intel's special encrypted memory<->CPU feature. Hetzner's BIOS + # disables it by default. + # + # TODO(tlater): See if would be useful for anything? + boot.kernelParams = ["nosgx"]; + + networking.hostName = "hetzner-1"; + services.nginx.domain = "tlater.net"; + + systemd.network.networks."eth0" = { + matchConfig.MACAddress = "90:1b:0e:c1:8c:62"; + + addresses = [ + # IPv4 + { + addressConfig = { + Address = "116.202.158.55/32"; + Peer = "116.202.158.1/32"; # Gateway + }; + } + # IPv6 + { + addressConfig.Address = "2a01:4f8:10b:3c85::2/64"; + } + ]; + + networkConfig = { + Gateway = [ + "116.202.158.1" + "fe80::1" + ]; + + DNS = [ + "185.12.64.1" + "185.12.64.2" + "2a01:4ff:ff00::add:1" + "2a01:4ff:ff00::add:2" + ]; + }; + }; +} diff --git a/configuration/hardware-specific/hetzner/disko.nix b/configuration/hardware-specific/hetzner/disko.nix new file mode 100644 index 0000000..e404688 --- /dev/null +++ b/configuration/hardware-specific/hetzner/disko.nix 
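Review bot: The static `systemd.network.networks."eth0"` definition only takes effect if `systemd.network.enable = true` is set somewhere in the shared configuration, which this series does not show; worth confirming, because `hardware-configuration.nix` in the same patch only sets `networking.useDHCP = lib.mkDefault true`, the shared module sets `useDHCP = false`, and without networkd the host would come up with no address on `eth0`. Separately, the comment above `boot.kernelParams = ["nosgx"]` describes the feature only indirectly; since the parameter targets Intel SGX, naming it makes the TODO actionable: `# Disable Intel SGX (enclave support); Hetzner's BIOS disables it by default.` The IPv4 address `116.202.158.55` is repeated as the deploy node's `hostname` in flake.nix in the same patch, so a comment next to `Address = "116.202.158.55/32";` noting that the two must be kept in sync would help.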
@@ -0,0 +1,82 @@ +{ + disko.devices.disk = let + bootPartition = { + size = "1M"; + type = "EF02"; + }; + + swapPartition = { + # 8G is apparently recommended for this much RAM, but we set up + # 4G on both disks for mirroring purposes. + # + # That'll still be 8G during normal operation, and it's probably + # not too bad to have slightly less swap if a disk dies. + size = "4G"; + content = { + type = "swap"; + randomEncryption = true; + }; + }; + + mountOptions = ["compress=zstd" "noatime"]; + in { + sda = { + type = "disk"; + device = "/dev/sda"; + content = { + type = "gpt"; + partitions = { + boot = bootPartition; + swap = swapPartition; + + disk1 = { + size = "100%"; + # Empty partition to combine in RAID0 with the other disk + }; + }; + }; + }; + + sdb = { + type = "disk"; + device = "/dev/sdb"; + content = { + type = "gpt"; + partitions = { + boot = bootPartition; + swap = swapPartition; + + disk2 = { + size = "100%"; + content = { + type = "btrfs"; + # Hack to get multi-device btrfs going + # See https://github.com/nix-community/disko/issues/99 + extraArgs = ["-d" "raid1" "-m" "raid1" "--runtime-features" "quota" "/dev/sda3"]; + subvolumes = { + "/volume" = {}; + "/volume/root" = { + inherit mountOptions; + mountpoint = "/"; + }; + "/volume/home" = { + inherit mountOptions; + mountpoint = "/home"; + }; + "/volume/var" = { + inherit mountOptions; + mountpoint = "/var"; + }; + "/volume/nix-store" = { + inherit mountOptions; + mountpoint = "/nix"; + }; + "/snapshots" = {}; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/configuration/hardware-specific/hetzner/hardware-configuration.nix b/configuration/hardware-specific/hetzner/hardware-configuration.nix new file mode 100644 index 0000000..e7a99f9 --- /dev/null +++ b/configuration/hardware-specific/hetzner/hardware-configuration.nix 
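Review bot: The comment on `disk1` says the empty partition is combined `in RAID0 with the other disk`, but the btrfs created on `disk2` passes `extraArgs = ["-d" "raid1" "-m" "raid1" ...]`, so data and metadata are mirrored, not striped (the swap comment in the same file also talks about mirroring). Change it to `# Empty partition; joined into the btrfs raid1 created on sdb's disk2 (see extraArgs below)`. The `"/dev/sda3"` in `extraArgs` is that same partition, but only because boot, swap and disk1 come out as partitions 1–3 on sda in that order; a comment stating the dependency next to it (`# sda3 == the empty disk1 partition on sda`), or a by-partlabel reference if disko assigns one, would keep a future reordering from silently building the filesystem on the wrong device.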
@@ -0,0 +1,25 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index 32423ab..79f4b35 100644 --- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix @@ -4,6 +4,7 @@ # Disable graphical tty so -curses works boot.kernelParams = ["nomodeset"]; + networking.hostName = "testvm"; # Sets the base domain for nginx to localhost so that we # can easily test locally with the VM. services.nginx.domain = lib.mkOverride 99 "localhost"; diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix index d77d6cc..41b8583 100644 --- a/configuration/services/gitea.nix +++ b/configuration/services/gitea.nix 
@@ -76,23 +76,23 @@ in { # ''; # }; - # services.backups.forgejo = { - # user = "forgejo"; - # paths = [ - # "/var/lib/forgejo/forgejo-db.sql" - # "/var/lib/forgejo/repositories/" - # "/var/lib/forgejo/data/" - # "/var/lib/forgejo/custom/" - # # Conf is backed up via nix - # ]; - # preparation = { - # packages = [config.services.postgresql.package]; - # text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql"; - # }; - # cleanup = { - # packages = [pkgs.coreutils]; - # text = "rm /var/lib/forgejo/forgejo-db.sql"; - # }; - # pauseServices = ["forgejo.service"]; - # }; + services.backups.forgejo = { + user = "forgejo"; + paths = [ + "/var/lib/forgejo/forgejo-db.sql" + "/var/lib/forgejo/repositories/" + "/var/lib/forgejo/data/" + "/var/lib/forgejo/custom/" + # Conf is backed up via nix + ]; + preparation = { + packages = [config.services.postgresql.package]; + text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql"; + }; + cleanup = { + packages = [pkgs.coreutils]; + text = "rm /var/lib/forgejo/forgejo-db.sql"; + }; + pauseServices = ["forgejo.service"]; + }; } diff --git a/flake.lock b/flake.lock index 3a73266..8a9fadc 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,39 +1,5 @@ { "nodes": { - "all-cabal-json": { - "flake": false, - "locked": { - "lastModified": 1665552503, - "narHash": "sha256-r14RmRSwzv5c+bWKUDaze6pXM7nOsiz1H8nvFHJvufc=", - "owner": "nix-community", - "repo": "all-cabal-json", - "rev": "d7c0434eebffb305071404edcf9d5cd99703878e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "hackage", - "repo": "all-cabal-json", - "type": "github" - } - }, - "crane": { - "flake": false, - "locked": { - "lastModified": 1681175776, - "narHash": "sha256-7SsUy9114fryHAZ8p1L6G6YSu7jjz55FddEwa2U8XZc=", - "owner": "ipetkov", - "repo": "crane", - "rev": "445a3d222947632b5593112bb817850e8a9cf737", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "ref": "v0.12.1", - "repo": "crane", - "type": "github" - } - }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", 
@@ -54,47 +20,38 @@ "type": "github" } }, - "devshell": { - "flake": false, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, "locked": { - "lastModified": 1663445644, - "narHash": "sha256-+xVlcK60x7VY1vRJbNUEAHi17ZuoQxAIH4S4iUFUGBA=", - "owner": "numtide", - "repo": "devshell", - "rev": "e3dc3e21594fe07bdb24bdf1c8657acaa4cb8f66", + "lastModified": 1709286488, + "narHash": "sha256-RDpTZ72zLu05djvXRzK76Ysqp9zSdh84ax/edEaJucs=", + "owner": "nix-community", + "repo": "disko", + "rev": "bde7dd352c07d43bd5b8245e6c39074a391fdd46", "type": "github" }, "original": { - "owner": "numtide", - "repo": "devshell", + "owner": "nix-community", + "repo": "disko", "type": "github" } }, "dream2nix": { "inputs": { - "all-cabal-json": "all-cabal-json", - "crane": "crane", - "devshell": "devshell", - "drv-parts": "drv-parts", - "flake-compat": "flake-compat_3", - "flake-parts": "flake-parts", - "flake-utils-pre-commit": "flake-utils-pre-commit", - "ghc-utils": "ghc-utils", - "gomod2nix": "gomod2nix", - "mach-nix": "mach-nix", - "nix-pypi-fetcher": "nix-pypi-fetcher", "nixpkgs": "nixpkgs_3", - "nixpkgsV1": "nixpkgsV1", - "poetry2nix": "poetry2nix", - "pre-commit-hooks": "pre-commit-hooks", - "pruned-racket-catalog": "pruned-racket-catalog" + "purescript-overlay": "purescript-overlay", + "pyproject-nix": "pyproject-nix" }, "locked": { - "lastModified": 1686064783, - "narHash": "sha256-qyptOk4vDut2JkRMJ+815eJNqqd8gIfjpz3l4WCCtMY=", + "lastModified": 1702457430, + "narHash": "sha256-8NQiXtYCOiC7XFayy6GPGDudCBrPROry3mfWjpdVj5g=", "owner": "nix-community", "repo": "dream2nix", - "rev": "0c064fa9dd025069cc215b0a8b4eb5ea734aceb0", + "rev": "262198033e23e9ee832f0cc8133d38f07598f555", "type": "github" }, "original": { 
@@ -103,38 +60,6 @@ "type": "github" } }, - "drv-parts": { - "inputs": { - "flake-compat": [ - "tlaternet-webserver", - "dream2nix", - "flake-compat" - ], - "flake-parts": [ - "tlaternet-webserver", - "dream2nix", - "flake-parts" - ], - "nixpkgs": [ - "tlaternet-webserver", - "dream2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1680698112, - "narHash": "sha256-FgnobN/DvCjEsc0UAZEAdPLkL4IZi2ZMnu2K2bUaElc=", - "owner": "davhau", - "repo": "drv-parts", - "rev": "e8c2ec1157dc1edb002989669a0dbd935f430201", - "type": "github" - }, - "original": { - "owner": "davhau", - "repo": "drv-parts", - "type": "github" - } - }, "fenix": { "inputs": { "nixpkgs": [ @@ -144,11 +69,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1686637310, - "narHash": "sha256-sGfKyioVsxQppDM0eDO62wtFiz+bZOD0cBMMIEjqn4I=", + "lastModified": 1704003651, + "narHash": "sha256-bA3d4E1CX5G7TVbKwJOm9jZfVOGOPp6u5CKEUzNsE8E=", "owner": "nix-community", "repo": "fenix", - "rev": "6fbeedcd2fc1fba77152e13fd7492824d77a4060", + "rev": "c6d82e087ac96f24b90c5787a17e29a72566c2b4", "type": "github" }, "original": { 
@@ -189,44 +114,6 @@ "type": "github" } }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "tlaternet-webserver", - "dream2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1675933616, - "narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "47478a4a003e745402acf63be7f9a092d51b83d7", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems_2" @@ -245,21 +132,6 @@ "type": "github" } }, - "flake-utils-pre-commit": { - "locked": { - "lastModified": 1644229661, - "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "foundryvtt": { "inputs": { "nixpkgs": [ @@ -267,11 +139,11 @@ ] }, "locked": { - "lastModified": 1701473318, - "narHash": "sha256-QdCJN8GeNl/V8wMjrvNkrWzNXnahgfjBfCSya4qQdrc=", + "lastModified": 1709504473, + "narHash": "sha256-hXzXxaZaI9Pn5tO4otY2gJUvW/orDGDAMdstm3AY8RU=", "owner": "reckenrode", "repo": "nix-foundryvtt", - "rev": "f624c0ceabe13dd876ecff871e0dc7f55f96e993", + "rev": "5cf4e6d9ed7b662dbea7a61d785b67a878598986", "type": "github" }, "original": { 
@@ -280,69 +152,6 @@ "type": "github" } }, - "ghc-utils": { - "flake": false, - "locked": { - "lastModified": 1662774800, - "narHash": "sha256-1Rd2eohGUw/s1tfvkepeYpg8kCEXiIot0RijapUjAkE=", - "ref": "refs/heads/master", - "rev": "bb3a2d3dc52ff0253fb9c2812bd7aa2da03e0fea", - "revCount": 1072, - "type": "git", - "url": "https://gitlab.haskell.org/bgamari/ghc-utils" - }, - "original": { - "type": "git", - "url": "https://gitlab.haskell.org/bgamari/ghc-utils" - } - }, - "gomod2nix": { - "flake": false, - "locked": { - "lastModified": 1627572165, - "narHash": "sha256-MFpwnkvQpauj799b4QTBJQFEddbD02+Ln5k92QyHOSk=", - "owner": "tweag", - "repo": "gomod2nix", - "rev": "67f22dd738d092c6ba88e420350ada0ed4992ae8", - "type": "github" - }, - "original": { - "owner": "tweag", - "repo": "gomod2nix", - "type": "github" - } - }, - "mach-nix": { - "flake": false, - "locked": { - "lastModified": 1634711045, - "narHash": "sha256-m5A2Ty88NChLyFhXucECj6+AuiMZPHXNbw+9Kcs7F6Y=", - "owner": "DavHau", - "repo": "mach-nix", - "rev": "4433f74a97b94b596fa6cd9b9c0402104aceef5d", - "type": "github" - }, - "original": { - "id": "mach-nix", - "type": "indirect" - } - }, - "nix-pypi-fetcher": { - "flake": false, - "locked": { - "lastModified": 1669065297, - "narHash": "sha256-UStjXjNIuIm7SzMOWvuYWIHBkPUKQ8Id63BMJjnIDoA=", - "owner": "DavHau", - "repo": "nix-pypi-fetcher", - "rev": "a9885ac6a091576b5195d547ac743d45a2a615ac", - "type": "github" - }, - "original": { - "owner": "DavHau", - "repo": "nix-pypi-fetcher", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1702272962, 
@@ -391,21 +200,6 @@ "type": "github" } }, - "nixpkgsV1": { - "locked": { - "lastModified": 1678500271, - "narHash": "sha256-tRBLElf6f02HJGG0ZR7znMNFv/Uf7b2fFInpTHiHaSE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "5eb98948b66de29f899c7fe27ae112a47964baf8", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-22.11", - "type": "indirect" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1703467016, @@ -424,17 +218,18 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1665580254, - "narHash": "sha256-hO61XPkp1Hphl4HGNzj1VvDH5URt7LI6LaY/385Eul4=", + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f634d427b0224a5f531ea5aa10c3960ba6ec5f0f", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-unstable", - "type": "indirect" + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nvfetcher": { 
@@ -459,70 +254,50 @@ "type": "github" } }, - "poetry2nix": { - "flake": false, - "locked": { - "lastModified": 1666918719, - "narHash": "sha256-BkK42fjAku+2WgCOv2/1NrPa754eQPV7gPBmoKQBWlc=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "289efb187123656a116b915206e66852f038720e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "1.36.0", - "repo": "poetry2nix", - "type": "github" - } - }, - "pre-commit-hooks": { + "purescript-overlay": { "inputs": { - "flake-utils": [ - "tlaternet-webserver", - "dream2nix", - "flake-utils-pre-commit" - ], "nixpkgs": [ "tlaternet-webserver", "dream2nix", "nixpkgs" - ] + ], + "slimlock": "slimlock" }, "locked": { - "lastModified": 1646153636, - "narHash": "sha256-AlWHMzK+xJ1mG267FdT8dCq/HvLCA6jwmx2ZUy5O8tY=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "b6bc0b21e1617e2b07d8205e7fae7224036dfa4b", + "lastModified": 1696022621, + "narHash": "sha256-eMjFmsj2G1E0Q5XiibUNgFjTiSz0GxIeSSzzVdoN730=", + "owner": "thomashoneyman", + "repo": "purescript-overlay", + "rev": "047c7933abd6da8aa239904422e22d190ce55ead", "type": "github" }, "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", + "owner": "thomashoneyman", + "repo": "purescript-overlay", "type": "github" } }, - "pruned-racket-catalog": { + "pyproject-nix": { "flake": false, "locked": { - "lastModified": 1672537287, - "narHash": "sha256-SuOvXVcLfakw18oJB/PuRMyvGyGG1+CQD3R+TGHIv44=", - "owner": "nix-community", - "repo": "pruned-racket-catalog", - "rev": "c8b89557fb53b36efa2ee48a769c7364df0f6262", + "lastModified": 1702448246, + "narHash": "sha256-hFg5s/hoJFv7tDpiGvEvXP0UfFvFEDgTdyHIjDVHu1I=", + "owner": "davhau", + "repo": "pyproject.nix", + "rev": "5a06a2697b228c04dd2f35659b4b659ca74f7aeb", "type": "github" }, "original": { - "owner": "nix-community", - "ref": "catalog", - "repo": "pruned-racket-catalog", + "owner": "davhau", + "ref": "dream2nix", + "repo": "pyproject.nix", "type": "github" } }, "root": { 
"inputs": { "deploy-rs": "deploy-rs", + "disko": "disko", "foundryvtt": "foundryvtt", "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable", @@ -534,11 +309,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1686586902, - "narHash": "sha256-+zfBFBmUxWutKbhdntI9uvF4D5Rh7BhcByM2l+ReyTw=", + "lastModified": 1703965384, + "narHash": "sha256-3iyouqkBvhh/E48TkBlt4JmmcIEyfQwY7pokKBx9WNg=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "1f1fe81f0db301124b3026bd2940294526cdd852", + "rev": "e872f5085cf5b0e44558442365c1c033d486eff2", "type": "github" }, "original": { @@ -548,6 +323,29 @@ "type": "github" } }, + "slimlock": { + "inputs": { + "nixpkgs": [ + "tlaternet-webserver", + "dream2nix", + "purescript-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688610262, + "narHash": "sha256-Wg0ViDotFWGWqKIQzyYCgayeH8s4U1OZcTiWTQYdAp4=", + "owner": "thomashoneyman", + "repo": "slimlock", + "rev": "b5c6cdcaf636ebbebd0a1f32520929394493f1a6", + "type": "github" + }, + "original": { + "owner": "thomashoneyman", + "repo": "slimlock", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ @@ -608,11 +406,11 @@ ] }, "locked": { - "lastModified": 1686688441, - "narHash": "sha256-rcqAQzExGu0uV9Din8yy+Nn8FQvG/Itm8hp66amDj6o=", + "lastModified": 1704840002, + "narHash": "sha256-ik2LeuRjcnRXwBLoRSOyGEMXscE+coO8G79IFhZhdJk=", "ref": "refs/heads/master", - "rev": "c573a6f81827594ceeffbfa058659e2fc20e4a1e", - "revCount": 66, + "rev": "d14f50c8dcc8ab30a5e5fa907b392ac0df6c7b52", + "revCount": 73, "type": "git", "url": "https://gitea.tlater.net/tlaternet/tlaternet.git" }, diff --git a/flake.nix b/flake.nix index efe6433..af41d53 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,6 +4,10 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; deploy-rs.url = "github:serokell/deploy-rs"; sops-nix = { url = "github:Mic92/sops-nix"; @@ -47,21 +51,45 @@ ./configuration/hardware-specific/linode ]; }; + + hetzner-1 = nixpkgs.lib.nixosSystem { + inherit system; + specialArgs.flake-inputs = inputs; + + modules = [ + ./configuration + ./configuration/hardware-specific/hetzner + ]; + }; }; ############################ # Deployment configuration # ############################ - deploy.nodes.tlaternet = { - hostname = "tlater.net"; + deploy.nodes = { + tlaternet = { + hostname = "tlater.net"; - profiles.system = { - user = "root"; - path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.tlaternet; + profiles.system = { + user = "root"; + path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.tlaternet; + }; + + sshUser = "tlater"; + sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"]; }; - sshUser = "tlater"; - sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"]; + hetzner-1 = { + hostname = "116.202.158.55"; + + profiles.system = { + user = "root"; + path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.hetzner-1; + }; + + sshUser = "tlater"; + sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"]; + }; }; ######### diff --git a/keys/hosts/hetzner1.asc b/keys/hosts/hetzner1.asc new file mode 100644 index 0000000..e58d723 --- /dev/null +++ b/keys/hosts/hetzner1.asc 
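Review bot: The new `hetzner-1` deploy node copies `sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"]` from `tlaternet`; agent forwarding lets the target host use the deploying user's SSH agent for the whole session, which is a wider grant than an activation needs unless something on the host pulls from git over SSH during deploy — if it is not required, drop it for the new host (and arguably for both). Beyond that, the two node definitions differ only in hostname and configuration name, so a small helper removes the duplication and keeps the SSH options in one place. The literal `116.202.158.55` also appears in `hetzner/default.nix`; deriving it from one place, or at least commenting the link, would stop the two from drifting.
```nix
      deploy.nodes = let
        mkNode = name: hostname: {
          inherit hostname;

          profiles.system = {
            user = "root";
            path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${name};
          };

          sshUser = "tlater";
          sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"];
        };
      in {
        tlaternet = mkNode "tlaternet" "tlater.net";
        hetzner-1 = mkNode "hetzner-1" "116.202.158.55";
      };
```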
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEADQWw0P407m704eEqPWA2SxNYdVIOAWPFPS1AJBOQycDMW3Mgv3 +v26H5Oan4t1ZD4yLYsJu6HcrGsIY3Xnhd/JGHVd8eazxl092rdAWUaLRPXusUKxY +KbtBij1U4dkV5npcWyzBN3pzNbU8iItyYS9aOTO6N51QJ3sNIflp+tSf+0Yg26DM +cXZsAQLERdCgttnbd8hoYE3ge02FDwKIY/pr7cVvdOnrsFcOugNTCvCsJQPVknUz +sE/BOtFEBnV5Hw7S5ahO4EEvdQpW+VJLa6XRrH8vXB/LJIoPtw11AKA6Rpb/AvG9 +JOKxhSEODVLcdmg5y2dZDrSg5tSzWikCkhPgxcDdhYK+kYwOOCZCwijMmD+cm2J9 +aDPuQho0LBwnwbTsQuXrPNMSGMFP9F1LVbr4X64x0J2E/70ic96xI3F5E+KHpTFL +kBOr66IFfd91gWLIbxYYtwyx19dPQ7LgZ0GWAMgfHnOdtMwO0Tduubhvq8m7to5B +wD3VN2Tz/2OUa0gbJrnznaMrSOIj1nOU3FLBjT9/wh9DpXMbZw6D2fzqdt03Kpw9 +XjqJzXN1iRkcMpYkxic1Eq2yoAEtLr13cLv+9Dlkvi01kwN/MxwgnQGuc7/R4ZyA +Z4aQtviPhT7geIOtY1jH9ZKosEVg2eXyI7YSxHvdXY+vCcwqzh8x+gRJowARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQR/cdo+WtefkCGw8CGQEAAHNAEACZcvbykefvO1cYp3VEGyHI +rjCdA+docXXpyZOe9OcNzB1HBjOLwe9cJgkPnTtDZMYhrN6vnb2td7xiX8LVvhgZ +npSCWtdqXo/EbkN88CP4GraT/9aaB6Joa2RSlZz5jSv3kuq+Q1QXxQqly5/qYhpS +Ibz3ZWcovI1tMcdvA/u74oQ+4m0Mgqbyg9G2vwAygsexdHQMY+L0SDXI1GMX8z0A +zFmtIlYkgqMoJY8qeJniwkmrHoLyFLIjnjQERV0FtQJ3S3sL63JVDNiA4OmwxIlR +M+6LcRDcVqPDEOJxgCKkd6Cg9vOGyCdMTsI42pMuQOflhntx6Ez9tkyQQtkH1dS6 +n9wqmBL47GaZE32GepzvJw3aix87UouuZr8NlzsIr937rp9s3kW4+WpzakimBNjs +kRWNhMaty2az171g3rvnL8yDejibE1OCHMakq7RUtYWC7Z8pNm2eHtHfTnH9qAZe +mRcTiiY308ZI046muN9BAg1/m7v/sD3uEI8YXz7kb3lTWb0iioyUZqo0bqNhADEG +5WLka2RK5fPnsyEalZ8mumUdGCH5iXKmXjK85GUaRwHgJUjhTdnpuqiuwVS3fxvN +KlPP59q/kbWXL6bnVokvzBuW5GRl8im7qw8ggrEuxmSFD1WQLkvswLum6mVvDFpS +HX938nRTHMgZfPW/gvR2aA== +=nrXn +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/keys/production.yaml b/keys/production.yaml index da53b95..dfc0a92 100644 --- a/keys/production.yaml +++ b/keys/production.yaml 
@@ -29,40 +29,65 @@ sops: lastmodified: "2023-12-28T00:07:08Z" mac: ENC[AES256_GCM,data:P2bNJLjzn69Kg2bJHXmofER7J8wbEj9C4jq9ePWewXBOt45GEiqgnqIaISwZkyzQmm9cxZd95Lr780ICwoKDFdtSCCcC7CdYxYEfyyhnvU3W2qzEghvkypL8JbiEtPSlQ9xOlCk7p41A9eRrV+JziIVSv5UEUs4NubrG9Mkwv3k=,iv:Yq2gANTTgx6cFxkdustUZ1MPszxGSkao/bS1KHAkzJc=,tag:kqJibocgRQXkxTJze6O5MA==,type:str] pgp: - - created_at: "2022-10-12T00:46:51Z" - enc: | + - created_at: "2024-03-02T21:16:50Z" + enc: |- -----BEGIN PGP MESSAGE----- - hQEMA7x7stsXx45CAQf9Hivg5x2NEKp3icdAIXKoBVTp5jnqJ2S5xDpK4cbCUwRd - Z2VyNjxAXdTgKsviXseWbtsEbqo41oqjtpZwXK36gT/miKSPYyBSLb689L70RpWR - aC4QzOHbYr1Trr1whkTVaQG1vd2u9ZEyxsi13ItiYVylu7tgMqaDqzE4Y47RPZtz - FWFY4chO5Tq/DL0blP8oCTLFx4LSL82JbZswCfqrSHX44HGZ/OELHqNhYNF6hkCr - DgYYh7l7s08farE+PnTbWt808Kd3kP8fCRaLm9nt1X1c5QQElaWBjGIscK9fOsV4 - iVFQfPBdwBi8aawCmwvXOcg6sX050Ow3NeYQBJVICtJeAeHyetxxEYip6CrADsiq - UG1Np+p6Pcbq/k6E1vT6bsRrhUWPYC4yuh6Edg5p/jxa4DAlsq/OgDI9pquE9aIt - F8cQMHfIkNP8/HiM/KwmdHoTJiy8YCwqP/UalSJdVw== - =lnlW + hQIMAzWu0p84AOApARAAi+GxJ9z+cMaMgENnDC0Kq6ZJZ/rkXnUIjVxpdXLVhnCc + E2S8NoXJI5jcqsYI08wVQm7OWzsNK6GuJET1i3YdHVDOiwYK+WNGeMA6JdIuJzXV + EDcuarLusygqIV1UcZCwTl362zuLi5kPs/fGsn7BJeI8Q7CtMEP1cmCk0LlHotjz + Pl53bUos1WUqSv0EQw9Cz1dhL6LGlUtoIJaPbB9OO/+chzQCFUJGbCO5KJ/+3fFq + 2DhQZw1GvgNf9/66f39tgY+jeQq5OyuoFSpuzyjxCeK+eX6Jkxs4zOVlcJoztSVc + FEiPIO4YfcgDXToLJWSWA2uGJ+KCvqDXDWyPATQupytAItw05oFyfZOPuh45Wj46 + 6Dm9QYKZMsFj6xfgNl6VEK0KK34zi0EcBKm4wmfF8hw4o5T2U542iPzgKv53jbC2 + F1dn7GI8ZkSGDPlw7UWSIRLmRYilZhbR+2RJX23nXoarP9oxigCpqhIGBGizdBEx + PpUYQjiPUuytk/B3DP+0q01lVvdqcxchA3s88iZwc5GSwBfEMVJ2MJOFkiwIkttO + 9PkmtXAaFAt7jjRCzhH05/S7g9xt/1zid/lHCGKcfaZJqX6YIu9+mXeERsZ7OdMs + uur8T7r14DC4ffPOYQR6BIfNZ3vPUyEP2/fSncAtyDFKO2Cc6ry3JvxBCdPGErjS + XgFwk6xHtOsIU3ozokW3aupo5eSNBEPpfIK28P0ivouIZsU64sVJFjc7zPpZnaF+ + bEnAXMK8FrHvYZz3v4+LSaYZyoKWYly0wCWrSOZTEphTJHFrW/KsJ2hmVTpjS58= + =qqF7 -----END PGP MESSAGE----- fp: 535B61015823443941C744DD12264F6BBDFABA89 - - created_at: "2022-10-12T00:46:51Z" - enc: | 
+ - created_at: "2024-03-02T21:16:50Z" + enc: |- -----BEGIN PGP MESSAGE----- - hQIMA9ahl2ynTH87AQ/+ID/6Dcbat+YRvT8VpfKpZf2O6EFbI3dlPDkZ+f4yFW0R - uGKkLR69utM8FoEn1XUkPG3klDk5t/gQikS/d1lPZ6cPOsVzY4P2Te6LizP25vCE - cHkztZG/IuBCBfLp8xsEjF1OXEDnb7Klqd3aJuYrvJNm3SreNydRAGyM1E94+iQL - zLrHF0WbD+dVdVG+ZoHKouGHVVmcxTkfi8Ce63pHKxOiMgqJLnImC357mle4DlJV - 1My0CPV9Y1ElY+W5s+a7sRgursR0AVOkuvWYT39VW+RmFpUZyRCgyW+L6ilCEcOV - VXJHf0IFylkqevh11BssIetHAtT8anqZ+wo3ON4gEHjcahufc1h8rOxEEsWe/qUC - XZzfwilOsY/vKJ+GTz5Cp8XAviozQL5o2O5H9PiHxQl019QHZgprJclGMlukCBkR - Uo3h1Rl2na8JqcolAlFGQ1/QxsOnJ/KAmOpUZ7fZqG2qnsXnFjXcuqo+0e58odaT - sZLIspvsEHBHKzsvUa6BT8bTc+GlsB3hFolBVdX4y9kTWuzxy0K6bKA9HMTf4FPW - w2hIlvYhlgEx9MVqKLbemN3ye2rC3GRUBXxVXmlXBmb7nXPZCOGqL6nrvtsQ1E4h - D9+sN+cvYh5lYPByjXYinT8TqFVpqX++qnpgHC+5c6WtDHlhRAyfIQK51wCyiZbS - UAG6iDEbCWwD7uHZjDmVycC2R/0HnO+o9xMBI6teKYziFhvn8m7R9gzr7zn/0x3t - dVMXtojhfbMPzYK0gT6xOn8SbYGH0MV7ddOm7+Kl3Z8Y - =zDer + hQIMA9ahl2ynTH87ARAApU/UkNVGbtqxwQ83Zl3f7Zp/PTIeLtcvmuOUjSnPYrYi + 60H1ZPVJUhAv+gcTwRBZ+aN39mUI43qBgCjNu7Z7Bmevf+TXCvK1CwsxuxVbG1tl + sL8FtVH0p8KETq+v8aylTzaV339BmEgnLOBLCE9oP+PhLEERqIT1sz5CeaI71z4F + wETPCfJKEouCQpT0P6hSN1f/9h43PZDQQW5MLY2m1o8t+pFHfowADIlsAmZziXBf + t/IezzM7oo/QKITpLI8NND9nZfvG7leubG3L2TIL0xIgQeLBs4a+jfFSpt8DR0ii + YGf1RgrtpnlkA4B75KHTfEq1LMEn0wOJj89Z38x5MZEw3suUc8W+1PcKoKIgt4Dw + RN4K+CS/4Ud8pNLoO+zZ4moRlM9ltWpCJ9kSHNeMShxtsIEPxkhh3CqWU+Ta/4er + 1W2bkII2ieS4mLlJM6qqLYAb8VJpaKi3BQmB66KtDS4n4HEXvOO+nurmz9luKZZt + 1e3t8ABBowOu+LOVxUbx9DKFObBJ1CDDPQHxRDmGxeSz3ZccHlXsC83QSHCtcm8G + uFtUZLOCaR0iB7DbEUX43p40xFZ5ieqY9XDC3uGJfzoEZRfaX05I3MX267EZBKSp + H6kyYPnTBqI0UhIsDtd6AWd9huqOZ/TrWubTeDf07s6VDusMYrtE+WaVczaYUkPS + WAHYUCmSFUN5z3Emds26kMUQvWTKMvx8TgaEf9LwOfjo4LXhvNKjU5yi+hqZqlO8 + AOvcgnksjHUhonEl7GLaOvPPiyoB6F6ZuOFlzOeL1OB3QxJiEoRFbF8= + =574h -----END PGP MESSAGE----- fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b + - created_at: "2024-03-02T21:16:50Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA0f3HaPlrXn5AQ/8Cvb9YhG/wYRhu+B3iSTCOq1xiPbCOPs9BcCg85G2yI+5 + LA8G18XVDpaxlT4lyOE3p4XEbJkP+ceLhNbldiQns9HCDQXanRonZndLjwSdEuRj + /A/ql2Q27Xhad34Bu0n+hoNfQ2qKjjx6q5lbbKLIIGOvEBF35oImnWF+Vc2cYpzp + J0PT/gkKkGnBCihiUrmpISU+7grFMFT59UnWSthCpACG8ocjzF0PBdzPOj2QSDiv + eDiPEdd72KcGXVfRodrdAbApFXJx2goaxYobAFCyC7G3UHJTliCOEG/5PNSb8lSl + Xv8NJnYI7bs8bRMFTvpEIsogrVeXy0yDl+qogQWPKYwpStn6yqOMIvs2C476nY/f + llRLfjJLTEmPuq+JYhWfZ4o0tOZNECmq4DiAg30ePqThZNXJLNyk9sfkjuDz+zbh + rYnJ1Xb1UM7ZKyjGcxSU9eAba0MBJpVZa/ZDrb4GjysPq+rsEb8LO6WPPbYfLbr/ + kfiK7e4Rv4AgUdd7NjRwBHJSjIFCul8I2hF4v/vp+da11CktPXC0sJNsYXWBR1I+ + FeKxc+WkLTfuS6evb8Y+UuyQkTDI3mb13QfXaX1V8I63LivdCE7zsTOlnOWPT1k7 + cqhQ2VpNxBtt7gNG7MAYHn9KAwGbyQ/Ma6Qx//ftjmf47b8qnZuJe8HEg0Nh5uDS + WAGdbEL/ZXTT4ZxNm/QHVctZVzCAqDUMIkMK4vCCR+Bs8FvLFUo6YoVEnajqTSj8 + pkEyS0RuM68KTpivAjDhqlY4vJsMmiRBjx/q5rSwi29vOuhK9ttSj38= + =KQd3 + -----END PGP MESSAGE----- + fp: 0af7641adb8aa843136cf6d047f71da3e5ad79f9 unencrypted_suffix: _unencrypted version: 3.8.1 From b040b22e08883e61245d145b75c055427715b663 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 3 Mar 2024 01:06:52 +0100 Subject: [PATCH 3/4] acme: Don't attempt to get certs if the domain is wrong --- configuration/default.nix | 1 - .../hardware-specific/linode/default.nix | 2 ++ configuration/hardware-specific/vm.nix | 2 +- modules/default.nix | 21 ++++++++++++++++--- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/configuration/default.nix b/configuration/default.nix index 34b1f42..bea7539 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -137,7 +137,6 @@ recommendedGzipSettings = true; recommendedProxySettings = true; clientMaxBodySize = "10G"; - domain = "tlater.net"; statusPage = true; # For metrics, should be accessible only from localhost diff --git a/configuration/hardware-specific/linode/default.nix b/configuration/hardware-specific/linode/default.nix index b05fade..8194ec4 100644 
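Review bot: The recipient added at the end of the hunk (`fp: 0af7641adb8aa843136cf6d047f71da3e5ad79f9`) appears to correspond to the key introduced in keys/hosts/hetzner1.asc, whose user id decodes to `root (Imported from SSH) <root@localhost>`, but the sops creation rules that decide which fingerprints later edits encrypt to are not part of this patch. If that rules file is not updated in the same change, a later re-edit or `sops updatekeys` of production.yaml would drop the new host from the recipient list again; worth confirming or including here. The unchanged `lastmodified`/`mac` context lines are consistent with a pure re-wrap of the data key rather than a content change, which is what one would expect for adding a host.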
--- a/configuration/hardware-specific/linode/default.nix +++ b/configuration/hardware-specific/linode/default.nix @@ -6,6 +6,8 @@ # Required for the lish console boot.kernelParams = ["console=ttyS0,19200n8"]; + services.nginx.domain = "tlater.net"; + boot.loader = { # Timeout to allow lish to connect timeout = 10; diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index 79f4b35..f17e7ee 100644 --- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix @@ -7,7 +7,7 @@ networking.hostName = "testvm"; # Sets the base domain for nginx to localhost so that we # can easily test locally with the VM. - services.nginx.domain = lib.mkOverride 99 "localhost"; + services.nginx.domain = "localhost"; # Use the staging secrets sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml; diff --git a/modules/default.nix b/modules/default.nix index 55e356c..de1c7c2 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,8 +1,23 @@ -{lib, ...}: let - inherit (lib) mkOption types; -in { +{ + pkgs, + config, + lib, + ... +}: { options.services.nginx.domain = lib.mkOption { type = lib.types.str; description = "The base domain name to append to virtual domain names"; }; + + config = { + # Don't attempt to run acme if the domain name is not tlater.net + systemd.services = let + confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]''; + in + lib.mapAttrs' (cert: _: + lib.nameValuePair "acme-${cert}" { + serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' ''; + }) + config.security.acme.certs; + }; } From 1aa0bd089a03c637cbdb8d9bb0f1853aee79b4ee Mon Sep 17 00:00:00 2001 
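Review bot: In the modules/default.nix hunk the domain is interpolated unquoted on the right-hand side of `[[ "tlater.net" = ${config.services.nginx.domain} ]]`, where bash treats it as a glob pattern, so a value containing `*`, `?` or `[` would pass the check; quoting it is the one-line fix: `confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';`. A `'` in the value would still terminate the surrounding `-c '${confirm}'` quoting, which inner quotes cannot prevent; since `config.services.nginx.domain` is already known at evaluation time, the decision could be made in Nix instead, e.g. `lib.mkIf (config.services.nginx.domain != "tlater.net")` around the `systemd.services` attrset with a constant-false `ExecCondition`, removing the shell from the path entirely. The literal `"tlater.net"` now lives both here and in linode/default.nix; a comment on the `confirm` binding such as `# Must match the production value set in hardware-specific/linode/default.nix` would keep them in step. The condition is attached to every entry of `config.security.acme.certs`, not only nginx-managed ones, which the existing comment could state explicitly.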
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Mon, 11 Mar 2024 00:32:25 +0100 Subject: [PATCH 4/4] linode: Remove old server --- README.md | 2 +- .../hardware-specific/linode/default.nix | 62 ------------------- .../linode/hardware-configuration.nix | 39 ------------ flake.nix | 22 ------- 4 files changed, 1 insertion(+), 124 deletions(-) delete mode 100644 configuration/hardware-specific/linode/default.nix delete mode 100644 configuration/hardware-specific/linode/hardware-configuration.nix diff --git a/README.md b/README.md index 3962a65..8104f1c 100644 --- a/README.md +++ b/README.md @@ -34,5 +34,5 @@ Deployment is handled using [deploy-rs](https://github.com/serokell/deploy-rs): ``` -deploy .#tlaternet +deploy .# ``` diff --git a/configuration/hardware-specific/linode/default.nix b/configuration/hardware-specific/linode/default.nix deleted file mode 100644 index 8194ec4..0000000 --- a/configuration/hardware-specific/linode/default.nix +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - imports = [ - ./hardware-configuration.nix - ]; - - # Required for the lish console - boot.kernelParams = ["console=ttyS0,19200n8"]; - - services.nginx.domain = "tlater.net"; - - boot.loader = { - # Timeout to allow lish to connect - timeout = 10; - - grub = { - device = "nodev"; - extraConfig = '' - serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1; - terminal_input serial; - terminal_output serial; - ''; - }; - }; - - systemd.network.networks."10-eth0" = { - matchConfig.Name = "eth0"; - - networkConfig = { - DHCP = "no"; - - Address = "178.79.137.55/24"; - Gateway = "178.79.137.1"; - - Domains = "ip.linodeusercontent.com"; - DNS = [ - "178.79.182.5" - "176.58.107.5" - "176.58.116.5" - "176.58.121.5" - "151.236.220.5" - "212.71.252.5" - "212.71.253.5" - "109.74.192.20" - "109.74.193.20" - "109.74.194.20" - "2a01:7e00::9" - "2a01:7e00::3" - "2a01:7e00::c" - "2a01:7e00::5" - "2a01:7e00::6" - "2a01:7e00::8" - "2a01:7e00::b" - "2a01:7e00::4" - "2a01:7e00::7" - "2a01:7e00::2" - ]; - - IPv6PrivacyExtensions = "no"; - IPv6AcceptRA = "yes"; - }; - }; -} diff --git a/configuration/hardware-specific/linode/hardware-configuration.nix b/configuration/hardware-specific/linode/hardware-configuration.nix deleted file mode 100644 index c1776d5..0000000 --- a/configuration/hardware-specific/linode/hardware-configuration.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/e541bdc3-79d6-459f-9169-92b13b0a8959"; - fsType = "ext4"; - }; - - fileSystems."/var" = - { device = "/dev/disk/by-uuid/79f8fbbd-476d-4e1a-9675-a8474d98f42f"; - fsType = "ext4"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/45c8ad29-3861-4e68-a566-47e6d9269dca"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/flake.nix b/flake.nix index af41d53..21731e6 100644 --- a/flake.nix +++ b/flake.nix @@ -42,16 +42,6 @@ ################## nixosConfigurations = { # The actual system definition - tlaternet = nixpkgs.lib.nixosSystem { - inherit system; - specialArgs.flake-inputs = inputs; - - modules = [ - ./configuration - ./configuration/hardware-specific/linode - ]; - }; - hetzner-1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs.flake-inputs = inputs; 
@@ -67,18 +57,6 @@ # Deployment configuration # ############################ deploy.nodes = { - tlaternet = { - hostname = "tlater.net"; - - profiles.system = { - user = "root"; - path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.tlaternet; - }; - - sshUser = "tlater"; - sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"]; - }; - hetzner-1 = { hostname = "116.202.158.55";