commit 63e404094d94b5f8e51fed34aa028b1f7f12adf3
parent 6640a995b02fb93ef5339ca47065d41cb52f148d
Author: Leah (ctucx) <git@ctu.cx>
Date: Thu, 12 Jan 2023 23:30:01 +0100
parent 6640a995b02fb93ef5339ca47065d41cb52f148d
Author: Leah (ctucx) <git@ctu.cx>
Date: Thu, 12 Jan 2023 23:30:01 +0100
machines: move `lollo` to new hardware, preserve remains of old hardware as `lollo-old`
55 files changed, 888 insertions(+), 539 deletions(-)
A
|
69
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
123
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
138
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
77
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
|
140
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------
D
|
123
-------------------------------------------------------------------------------
D
|
138
-------------------------------------------------------------------------------
M
|
74
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
M
|
154
++++++++++++++++++++++++++++++++++++++-----------------------------------------
diff --git a/configurations/common/syncthing-config.nix b/configurations/common/syncthing-config.nix @@ -18,6 +18,11 @@ let name = "lollo.ctu.cx"; id = secrets.syncthing.ids.lollo; }; + + lollo-old = { + name = "lollo-old.ctu.cx"; + id = secrets.syncthing.ids.lollo-old; + }; }; isaDevices = { @@ -41,6 +46,12 @@ let "ctucx-media" "Blechelse" ]; + + lollo-old = [ + "ctucx-music-orig" + "ctucx-media" + "Blechelse" + ]; }; deviceNames = builtins.attrNames (lib.filterAttrs isCurrentHost devices);
diff --git a/flake.lock b/flake.lock @@ -333,6 +333,22 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1668668915, + "narHash": "sha256-QjY4ZZbs9shwO4LaLpvlU2bO9J1juYhO9NtV3nrbnYQ=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "5df9108b346f8a42021bf99e50de89c9caa251c3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "impermanence", + "type": "github" + } + }, "lacrosse2mqtt": { "inputs": { "flake-utils": [ @@ -359,8 +375,8 @@ }, "local-secrets": { "locked": { - "lastModified": 1671716901, - "narHash": "sha256-d5/3p6JkFZ6NAGeuBLCDGzbCezRQ2iS30fsDaqYubd0=", + "lastModified": 1673563422, + "narHash": "sha256-EHFXHbyOtiCQICGqPlaRyRv4r1bUjCcDw3n2yOZSD5k=", "path": "/tmp/nix-secrets", "type": "path" }, @@ -532,11 +548,11 @@ ] }, "locked": { - "lastModified": 1670692387, - "narHash": "sha256-NkoKnCs4z46fUWN8jkue3lQKejCYUnUNg6997XNQaNs=", + "lastModified": 1673473101, + "narHash": "sha256-kzHpDYmtw59Cyz3MoifgaClDwaJsAOrykSZIJv2pQXo=", "ref": "master", - "rev": "6aaa6ddcba84f8ee95b3c5c0dc2f5e7956dec9a9", - "revCount": 34, + "rev": "f0e1ede1d3b69fd91bd39935b4e4ab5e887ab2e3", + "revCount": 35, "type": "git", "url": "https://git.ctu.cx/oeffi-web" }, @@ -556,11 +572,11 @@ ] }, "locked": { - "lastModified": 1670692030, - "narHash": "sha256-s0IRKLAT85Ie23bCRIUeKdAtrlv8/px8riZm47B5Enw=", + "lastModified": 1673473074, + "narHash": "sha256-wi4KvY7XgYAyyz+e3HaYBvSi6YD5qLD+o2RUU6WLV1Y=", "ref": "master", - "rev": "890c47a0ac08f5557259618624c1697be1c01650", - "revCount": 101, + "rev": "46e6e7889175cef85ef5e8866fa683f38c4d5529", + "revCount": 102, "type": "git", "url": "https://git.ctu.cx/oeffisearch" }, @@ -584,6 +600,7 @@ "flauschehorn-sexy": "flauschehorn-sexy", "gpx-map": "gpx-map", "home-manager": "home-manager", + "impermanence": "impermanence", "lacrosse2mqtt": "lacrosse2mqtt", "local-secrets": "local-secrets", "mobile-coverage-map": "mobile-coverage-map",
diff --git a/flake.nix b/flake.nix @@ -139,6 +139,14 @@ ref = "master"; }; + impermanence = { + type = "github"; + owner = "nix-community"; + repo = "impermanence"; + ref = "master"; + }; + + dns-nix = { type = "git"; url = "https://git.ctu.cx/dns.nix";
diff --git a/hive.nix b/hive.nix @@ -17,10 +17,12 @@ inputs: overlays: defaults = import ./configurations/common; lollo = import ./machines/lollo/configuration.nix; - desastro = import ./machines/desastro/configuration.nix; + lollo-old = import ./machines/lollo-old/configuration.nix; trabbi = import ./machines/trabbi/configuration.nix; wanderduene = import ./machines/wanderduene/configuration.nix; + + desastro = import ./machines/desastro/configuration.nix; hector = import ./machines/hector/configuration.nix; }
diff --git a/machines/lollo-old/configuration.nix b/machines/lollo-old/configuration.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+ imports = [
+ ./hardware-configuration.nix
+
+# ./router
+
+ ../../configurations/linux/services/prometheus-node-exporter.nix
+ ../../configurations/linux/services/syncthing-nginx.nix
+
+ ./remote-admin.nix
+ ];
+
+ dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host "195.39.246.44" "2a0f:4ac0:acab::44");
+
+ age.secrets.restic-server-desastro.file = ../../secrets/restic-server/desastro.age;
+ age.secrets.restic-server-hector.file = ../../secrets/restic-server/hector.age;
+ age.secrets.restic-server-lollo.file = ../../secrets/restic-server/lollo.age;
+
+ boot.loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+
+ services.email-notify.enable = true;
+ services.syncthing.dataDir = "/home/leah/syncthing";
+
+ networking = {
+ useDHCP = false;
+ nameservers = [ "8.8.8.8" ];
+
+ defaultGateway = "195.39.246.41";
+ defaultGateway6 = {
+ interface = "enp2s0";
+ address = "fe80::1afd:74ff:fe3b:8a10";
+ };
+
+ interfaces.enp2s0 = {
+ ipv4.addresses = [
+ {
+ address = "195.39.246.44";
+ prefixLength = 28;
+ }
+ {
+ address = "10.0.0.44";
+ prefixLength = 8;
+ }
+ ];
+
+ ipv6.addresses = [{
+ address = "2a0f:4ac0:acab::44";
+ prefixLength = 62;
+ }];
+ };
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 5201 53 80 443 ];
+ allowedUDPPorts = [ 5201 53 67 ];
+ };
+ };
+
+
+ system.stateVersion = "21.11";
+ home-manager.users.leah.home.stateVersion = "21.11";
+
+}
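Review bot: The `firewall` block still opens DNS and DHCP (`allowedTCPPorts = [ 5201 53 80 443 ];`, `allowedUDPPorts = [ 5201 53 67 ];`) although the `./router` import is commented out, so nothing visible in this file serves ports 53 or 67. I would trim the lists to what the remaining imports need, for example `allowedTCPPorts = [ 80 443 ];`, and keep 5201 (iperf3's default port) only if throughput tests against this host are still intended. The three `age.secrets.restic-server-*` entries are likewise declared without `restic-server.nix` in the imports; if no other module on this host reads them, removing them keeps the backup credentials off the retired machine.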
diff --git a/machines/lollo-old/router/dnsmasq.nix b/machines/lollo-old/router/dnsmasq.nix 
@@ -0,0 +1,123 @@ +{ config, pkgs, ... }: + +{ + + dns.zones."ctu.cx".subdomains = with pkgs.dns.lib.combinators; { + home.NS = [ "home.ctu.cx." ]; + home.A = [ (a "195.39.246.42") ]; + home.AAAA = [ "2a0f:4ac0:acab::1" ]; + }; + + systemd.services.dnsmasq.onFailure = [ "email-notify@%i.service" ]; + + services = { + + resolved.enable = false; + + dnsmasq = { + enable = true; + extraConfig = '' + local-service + no-resolv + no-hosts + domain-needed + bogus-priv + + + server=1.1.1.1 + server=1.0.0.1 + server=8.8.8.8 + server=8.8.4.4 + + + local=/home.ctu.cx/ + domain=home.ctu.cx + + auth-ttl=600 + auth-server=home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::42 + auth-zone=home.ctu.cx, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64 + + host-record=home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1 + host-record=gateway.home.ctu.cx, 195.39.246.41, 2a0f:4ac0:acab::1 + cname=lollo.home.ctu.cx, home.ctu.cx + cname=legacy.home.ctu.cx, home.ctu.cx + cname=dnsmasq.home.ctu.cx, home.ctu.cx + cname=smart.home.ctu.cx, home.ctu.cx + cname=music.home.ctu.cx, home.ctu.cx + cname=storage.home.ctu.cx, home.ctu.cx + cname=influx.home.ctu.cx, home.ctu.cx + cname=wiki.home.ctu.cx, home.ctu.cx + cname=fedi.home.ctu.cx, home.ctu.cx + cname=things.home.ctu.cx, home.ctu.cx + cname=things.stasicontainer.home.ctu.cx, stasicontainer.home.ctu.cx + + address=/fritz.box/192.168.178.1 + address=/lollo/10.0.0.1 + address=/ads1700w/10.0.0.10 + address=/scanner/10.0.0.10 + + enable-ra + quiet-ra + + dhcp-authoritative + dhcp-rapid-commit + dhcp-sequential-ip + + dhcp-range=private, 10.0.0.100, 10.0.0.200, 255.255.255.0, 48h + dhcp-range=public, 195.39.246.34, static, 255.255.255.240, 195.39.246.47, 48h + dhcp-range= 2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64, 48h + + dhcp-option=option6:information-refresh-time, 6h + dhcp-option=option6:dns-server, [2a0f:4ac0:acab::1] + dhcp-option=private, option:router, 10.0.0.1 + dhcp-option=private, option:dns-server, 10.0.0.1 + 
dhcp-option=public, option:router, 195.39.246.42 + dhcp-option=public, option:dns-server, 195.39.246.42 + + dhcp-host=f4:06:8d:df:1f:e3, accesspoint, 10.0.0.2 + dhcp-host=5c:f3:70:b9:35:9c, ctux-ads1700w, 10.0.0.10 + dhcp-host=50:57:8a:3d:63:4c, ctucx-ipad, 10.0.0.30 + + dhcp-host=00:e0:4c:30:05:ed, cbc-ffm02487, 195.39.246.34 + + dhcp-host=id:e8:6a:64:f4:49:e7, stasicontainer, [2a0f:4ac0:acab::35] + dhcp-host=e8:6a:64:f4:49:e7, stasicontainer, 195.39.246.35 + + dhcp-host=id:04:ea:56:f2:b4:6c, isa-x390, [2a0f:4ac0:acab::36] + dhcp-host=04:ea:56:f2:b4:6c, isa-x390, 195.39.246.36 + + dhcp-host=id:ac:67:5d:12:2f:5a, isa-p2max, [2a0f:4ac0:acab::37] + dhcp-host=ac:67:5d:12:2f:5a, isa-p2max, 195.39.246.37 + + dhcp-host=id:b0:be:83:3a:fa:1e, isabelles-mba, [2a0f:4ac0:acab::38] + dhcp-host=b0:be:83:3a:fa:1e, isabelles-mba, 195.39.246.38 + + dhcp-host=id:1c:57:dc:40:dc:b2, blechkasten, [2a0f:4ac0:acab::43] + dhcp-host=1c:57:dc:40:dc:b2, blechkasten, 195.39.246.43 + ''; + }; + + fcgiwrap.enable = true; + + nginx = { + enable = true; + virtualHosts."dnsmasq.home.ctu.cx" = { + enableACME = true; + forceSSL = true; + kTLS = true; + locations = { + "/".extraConfig = '' + include "${pkgs.nginx}/conf/fastcgi_params"; + fastcgi_param SCRIPT_FILENAME "${pkgs.dnsmasq-lease-overview}/bin/overview"; + fastcgi_param LEASE_PATH "/var/lib/dnsmasq/dnsmasq.leases"; + fastcgi_param QUERY_STRING $args; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + ''; + }; + }; + }; + + }; + +} +
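Review bot: The `dnsmasq.home.ctu.cx` virtual host at the end of this file passes every request to the lease-overview CGI with no `allow`/`deny` or authentication in the location block, so the lease table (MAC addresses, hostnames, assigned addresses) is readable by anyone who can reach the vhost. Restricting it inside the `"/".extraConfig` string, for example `allow 10.0.0.0/8; allow 195.39.246.32/28; allow 2a0f:4ac0:acab::/62; deny all;`, would keep it internal. The file is presumably only pulled in through `./router`, which is commented out in lollo-old's configuration.nix in this commit, so this matters once the router role is re-enabled. At that point `home.A`, `host-record=home.ctu.cx` and `auth-server` here would also claim 195.39.246.42, the address the new lollo configures for itself.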
diff --git a/machines/lollo-old/router/systemd-networkd.nix b/machines/lollo-old/router/systemd-networkd.nix 
@@ -0,0 +1,138 @@ +{ config, ... }: + +{ + + age.secrets.wireguard-privkey = { + file = ../../../secrets/lollo/wireguard-privkey.age; + mode = "640"; + owner = "root"; + group = "systemd-network"; + }; + + systemd.network = { + enable = true; + netdevs = { + + "20-brlan" = { + netdevConfig = { + Kind = "bridge"; + Name = "brlan"; + }; + }; + + "30-enp2s0.5" = { + netdevConfig = { + Kind = "vlan"; + Name = "enp2s0.5"; + }; + vlanConfig = { + Id = 5; + }; + }; + + "40-wg-pbb" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg-pbb"; + }; + wireguardConfig = { + PrivateKeyFile = config.age.secrets.wireguard-privkey.path; + ListenPort = 51820; + FirewallMark = 51820; + }; + wireguardPeers = [{ + wireguardPeerConfig={ + Endpoint = "195.39.247.172:51820"; + PublicKey = "QOQTpxvT122fiKBcN4QDADOjoDDzEW9sMWn/qngVF0Q="; + AllowedIPs = [ "0.0.0.0/0" "::/0" ]; + PersistentKeepalive = 10; +# RouteTable = "off"; + }; + }]; + }; + + }; + + networks = { + + "5-enp0" = { + matchConfig = { + Name = "enp0*"; + }; + DHCP = "yes"; + }; + + "10-enp2s0" = { + matchConfig = { + Name = "enp2s0"; + }; + DHCP = "yes"; + vlan = [ "enp2s0.5" ]; + }; + + "20-brlan" = { + matchConfig = { + Name = "brlan"; + Driver = "bridge"; + }; + DHCP = "no"; + address = [ + "10.0.0.1/24" + "195.39.246.42/28" + "2a0f:4ac0:acab::1/62" + ]; + routingPolicyRules = [ + { routingPolicyRuleConfig = { + From = "195.39.246.32/28"; + Table = 254; + Priority = 1900; + SuppressPrefixLength = 0; + };} + { routingPolicyRuleConfig = { + From = "2a0f:4ac0:acab::/62"; + Table = 254; + Priority = 1900; + SuppressPrefixLength = 0; + };} + { routingPolicyRuleConfig = { + From = "195.39.246.32/28"; + Table = 1234; + Priority = 2000; + };} + { routingPolicyRuleConfig = { + From = "2a0f:4ac0:acab::/62"; + Table = 1234; + Priority = 2000; + };} + ]; + }; + + "30-enp2s0.5" = { + matchConfig = { + Name = "enp2s0.5"; + }; + bridge = [ "brlan" ]; + }; + + "40-wg-pbb" = { + matchConfig = { + Name = "wg-pbb"; + }; + linkConfig = { 
+ MTUBytes = "1500"; + }; + routes = [ + { routeConfig = { + Destination = "0.0.0.0/0"; + Table = "1234"; + };} + { routeConfig = { + Destination = "::/0"; + Table = "1234"; + };} + ]; + }; + + }; + }; +}
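Review bot: `MTUBytes = "1500";` on the `40-wg-pbb` network gives the WireGuard interface the same MTU as a standard Ethernet underlay, leaving no room for the tunnel overhead (60 bytes towards an IPv4 endpoint such as the one configured here); unless the uplink carries larger frames, full-size packets will be fragmented or dropped. I would set it to the path MTU minus that overhead, with WireGuard's usual 1420 as a safe starting point, and add a comment naming the underlay MTU it was derived from. Separately, `20-brlan` assigns `195.39.246.42/28`, which the new lollo also configures on eno1 in this commit, and the secret still points at `secrets/lollo/wireguard-privkey.age`; both need revisiting before `./router` is re-enabled on lollo-old.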
diff --git a/machines/lollo/bind.nix b/machines/lollo/bind.nix @@ -0,0 +1,77 @@ +{ config, lib, pkgs, currentSystem, ...}: + +with pkgs.dns.lib.combinators; + +let + zone = { + CAA = [ { issuerCritical = false; tag = "issue"; value = "letsencrypt.org"; } ]; + A = [ (a "195.39.246.42") ]; + AAAA = [ (aaaa "2a0f:4ac0:acab::42") ]; + + NS = [ "home.ctu.cx." ]; + SOA = { + nameServer = "home.ctu.cx."; + adminEmail = "dns@ctu.cx"; # Email address with a real `@`! + serial = lib.toInt ("2022" + "12" + "08" + "1"); + }; + + subdomains = { + stasicontainer = (host "195.39.246.35" "2a0f:4ac0:acab::35"); + gateway = (host "195.39.246.41" "2a0f:4ac0:acab::1"); + blechkasten = (host "195.39.246.43" "2a0f:4ac0:acab::43"); + lollo-old = (host "195.39.246.44" "2a0f:4ac0:acab::44"); + + lollo.CNAME = [ "home.ctu.cx." ]; + legacy.CNAME = [ "lollo-old.home.ctu.cx." ]; + smart.CNAME = [ "lollo.home.ctu.cx." ]; + storage.CNAME = [ "lollo.home.ctu.cx." ]; + music.CNAME = [ "lollo.home.ctu.cx." ]; + influx.CNAME = [ "lollo.home.ctu.cx." ]; + wiki.CNAME = [ "lollo.home.ctu.cx." ]; + fedi.CNAME = [ "lollo.home.ctu.cx." ]; + things.CNAME = [ "lollo.home.ctu.cx." ]; + }; + }; + +in { + + deployment.tags = [ "dns" ]; + + dns.zones."ctu.cx".subdomains = with pkgs.dns.lib.combinators; { + home.NS = [ "home.ctu.cx." ]; + home.A = [ (a "195.39.246.42") ]; + home.AAAA = [ "2a0f:4ac0:acab::42" ]; + }; + + + services.bind = { + enable = true; + zones = [ + { + name = "home.ctu.cx"; + master = true; + slaves = [ "any" ]; + file = pkgs.dns.util."${currentSystem}".writeZone "home.ctu.cx" zone; + } + ]; + extraConfig = '' + acl "trusted" { + 10.0.0.0/8; + 195.39.246.32/28; + 2a0f:4ac0:acab::/62; + localhost; + }; + ''; + + extraOptions = '' + allow-recursion { trusted; }; + allow-query-cache { trusted; }; + ''; + }; + + networking.firewall = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 ]; + }; + +}
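Review bot: `slaves = [ "any" ];` on the `home.ctu.cx` zone, combined with port 53 opened on TCP and UDP at the bottom of the file, appears to permit zone transfers to any client; as far as I know the NixOS bind module writes this list into the zone's `allow-transfer`. That hands out every hostname in the zone in a single query, while the `trusted` ACL only limits recursion and cache access. I would list only the real secondaries, `slaves = [ "<secondary-ip>" ];`, or use `slaves = [ ];` if there are none. The SOA serial is also hard-coded to 2022-12-08 revision 1, so every later edit to `zone` needs a manual bump or secondaries will keep serving the old data; a comment next to `serial` saying so would help.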
diff --git a/machines/lollo/configuration.nix b/machines/lollo/configuration.nix 
@@ -1,48 +1,146 @@ -{ config, pkgs, lib, ... }: +{ inputs, config, lib, pkgs, ... }: { - deployment.tags = [ "router" ]; - imports = [ - ./hardware-configuration.nix + inputs.impermanence.nixosModules.impermanence - ./router - ./smarthome - ./websites + ./hardware-configuration.nix - ../../configurations/linux/services/usbmuxd.nix + ./backup-vnstat.nix - ../../configurations/linux/services/prometheus-node-exporter.nix - ../../configurations/linux/services/restic-server.nix - ../../configurations/linux/services/syncthing-nginx.nix + ./scanner-sftp.nix - ./backup-vnstat.nix + #dns server + ./bind.nix + # fedi server ./gotosocial.nix # cal- and card-dav server ./radicale.nix - ./scanner-sftp.nix + ../../configurations/linux/services/prometheus-node-exporter.nix + ../../configurations/linux/services/restic-server.nix + ../../configurations/linux/services/syncthing-nginx.nix - ./remote-admin.nix + ./smarthome + ./websites ]; - dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host "195.39.246.41" "2a0f:4ac0:acab::1"); + dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); age.secrets.restic-server-desastro.file = ../../secrets/restic-server/desastro.age; age.secrets.restic-server-hector.file = ../../secrets/restic-server/hector.age; age.secrets.restic-server-lollo.file = ../../secrets/restic-server/lollo.age; - boot.loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + initrd.network = { + enable = true; + ssh = { + enable = true; + port = 22; + hostKeys = [ /etc/ssh/ssh_host_rsa_key ]; + authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); + }; + + postCommands = '' + ip link set dev eno1 up + ip addr add 
2a0f:4ac0:acab::42/128 dev eno1 + ip route add default via fe80::1afd:74ff:fe3b:8a10 dev eno1 onlink + + ip addr add 195.39.246.42/28 dev eno1 + ip addr add 10.0.0.42/8 dev eno1 + ip route add default via 195.39.246.41 dev eno1 onlink + echo 'cryptsetup-askpass' >> /root/.profile + ''; + }; }; - services.email-notify.enable = true; + networking = { + useDHCP = false; + nameservers = [ "8.8.8.8" ]; + + defaultGateway = "195.39.246.41"; + defaultGateway6 = { + interface = "eno1"; + address = "fe80::1afd:74ff:fe3b:8a10"; + }; + + interfaces.eno1 = { + ipv4.addresses = [ + { + address = "195.39.246.42"; + prefixLength = 28; + } + { + address = "10.0.0.42"; + prefixLength = 8; + } + ]; + + ipv6.addresses = [{ + address = "2a0f:4ac0:acab::42"; + prefixLength = 62; + }]; + }; + + firewall.enable = true; + }; + + environment.persistence."/nix/persist" = { + directories = [ + "/var/log" + "/var/lib" + ]; + files = [ + "/etc/machine-id" + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + }; + + systemd.services.syncthing = { + requires = [ "home-manager-leah.service" ]; + after = [ "home-manager-leah.service" ]; + }; - system.stateVersion = "21.11"; - home-manager.users.leah.home.stateVersion = "21.11"; + services.syncthing = { + dataDir = "/nix/persist/home/leah/syncthing"; + configDir = "/nix/persist/home/leah/.config/syncthing"; + }; + + programs.fuse.userAllowOther = true; + home-manager.users.leah = { + imports = [ inputs.impermanence.nixosModules.home-manager.impermanence ]; + + home.persistence."/nix/persist/home/leah" = { + allowOther = true; + directories = [ + "syncthing" + ]; + files = [ + "addToBikeMap.sh" + ".bash_history" + ".local/share/mcfly/history.db" + ]; + }; + }; + + age.identityPaths = [ + "/nix/persist/etc/ssh/ssh_host_ed25519_key" + ]; + + + services.email-notify.enable = true; + system.stateVersion = "22.05"; # Did you read the comment? 
+ home-manager.users.leah.home.stateVersion = "22.11"; }
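Review bot: `hostKeys = [ /etc/ssh/ssh_host_rsa_key ];` under `boot.initrd.network.ssh` reuses the machine's regular SSH host key for the pre-unlock SSH server, and the same key is persisted for the running system under `environment.persistence`. The initrd must be readable before the LUKS volume is opened, so this private key ends up outside the encrypted storage (on the unencrypted `/boot`, or in the Nix store if the path literal is copied at evaluation), where anyone with access to the disk can read it and then pose as the host to whoever connects to enter the passphrase. A dedicated initrd-only key given as a string, e.g. `hostKeys = [ "/nix/persist/etc/secrets/initrd/ssh_host_ed25519_key" ];` (example path), keeps the real host key protected. Running the initrd server on a port other than 22 would also stop clients from seeing two different host keys for the same address.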
diff --git a/machines/lollo/hardware-configuration.nix b/machines/lollo/hardware-configuration.nix 
@@ -8,23 +8,47 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "e1000e" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/53f739d1-5668-422e-81b5-34c1f60ecba8"; - fsType = "ext4"; - }; + boot.initrd.luks.devices."nix-store".device = "/dev/disk/by-uuid/ecc0d846-75c4-4f40-b050-4879b98731f8"; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/1344-D403"; - fsType = "vfat"; - }; + fileSystems."/" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "size=2G" "mode=755" ]; + }; + + fileSystems."/home/leah" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "size=2G" "mode=777" ]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/c718261d-c79c-4490-b1f1-664e718550aa"; + fsType = "ext4"; + neededForBoot = true; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0CDC-035A"; + fsType = "vfat"; + }; swapDevices = [ ]; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true; + + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; # high-resolution display hardware.video.hidpi.enable = lib.mkDefault true;
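Review bot: The tmpfs for `/home/leah` is mounted with `mode=777`, which makes the top of the home directory writable by every local user and service account, with no sticky bit. Any process on the machine can then create, rename or remove entries directly under it, shell startup files included. tmpfs accepts ownership options, so `options = [ "size=2G" "mode=700" "uid=<leah-uid>" "gid=<leah-gid>" ];` gives the user a writable home without opening it to everyone; the placeholders need the values from the user definition, which is not in this hunk. The copied generator comment about DHCP also no longer matches this host, since configuration.nix sets `networking.useDHCP = false` in the same commit.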
diff --git a/machines/lollo/router/dnsmasq.nix b/machines/lollo/router/dnsmasq.nix 
@@ -1,123 +0,0 @@ -{ config, pkgs, ... }: - -{ - - dns.zones."ctu.cx".subdomains = with pkgs.dns.lib.combinators; { - home.NS = [ "home.ctu.cx." ]; - home.A = [ (a "195.39.246.41") ]; - home.AAAA = [ "2a0f:4ac0:acab::1" ]; - }; - - systemd.services.dnsmasq.onFailure = [ "email-notify@%i.service" ]; - - services = { - - resolved.enable = false; - - dnsmasq = { - enable = true; - extraConfig = '' - local-service - no-resolv - no-hosts - domain-needed - bogus-priv - - - server=1.1.1.1 - server=1.0.0.1 - server=8.8.8.8 - server=8.8.4.4 - - - local=/home.ctu.cx/ - domain=home.ctu.cx - - auth-ttl=600 - auth-server=home.ctu.cx, wg-pbb - auth-zone=home.ctu.cx, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64 - - host-record=home.ctu.cx, 195.39.246.41, 2a0f:4ac0:acab::1 - cname=lollo.home.ctu.cx, home.ctu.cx - cname=legacy.home.ctu.cx, home.ctu.cx - cname=dnsmasq.home.ctu.cx, home.ctu.cx - cname=smart.home.ctu.cx, home.ctu.cx - cname=music.home.ctu.cx, home.ctu.cx - cname=storage.home.ctu.cx, home.ctu.cx - cname=influx.home.ctu.cx, home.ctu.cx - cname=wiki.home.ctu.cx, home.ctu.cx - cname=fedi.home.ctu.cx, home.ctu.cx - cname=things.home.ctu.cx, home.ctu.cx - cname=things.stasicontainer.home.ctu.cx, stasicontainer.home.ctu.cx - - address=/fritz.box/192.168.178.1 - address=/lollo/10.0.0.1 - address=/ads1700w/10.0.0.10 - address=/scanner/10.0.0.10 - address=/sip-phone/10.0.0.20 - - enable-ra - quiet-ra - - dhcp-authoritative - dhcp-rapid-commit - dhcp-sequential-ip - - dhcp-range=private, 10.0.0.100, 10.0.0.200, 255.255.255.0, 48h - dhcp-range=public, 195.39.246.34, static, 255.255.255.240, 195.39.246.47, 48h - dhcp-range= 2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64, 48h - - dhcp-option=option6:information-refresh-time, 6h - dhcp-option=option6:dns-server, [2a0f:4ac0:acab::1] - dhcp-option=private, option:router, 10.0.0.1 - dhcp-option=private, option:dns-server, 10.0.0.1 - dhcp-option=public, option:router, 195.39.246.41 - dhcp-option=public, 
option:dns-server, 195.39.246.41 - - dhcp-host=f4:06:8d:df:1f:e3, accesspoint, 10.0.0.2 - dhcp-host=5c:f3:70:b9:35:9c, ctux-ads1700w, 10.0.0.10 - dhcp-host=50:57:8a:3d:63:4c, ctucx-ipad, 10.0.0.30 - - dhcp-host=00:e0:4c:30:05:ed, cbc-ffm02487, 195.39.246.34 - - dhcp-host=id:e8:6a:64:f4:49:e7, stasicontainer, [2a0f:4ac0:acab::35] - dhcp-host=e8:6a:64:f4:49:e7, stasicontainer, 195.39.246.35 - - dhcp-host=id:04:ea:56:f2:b4:6c, isa-x390, [2a0f:4ac0:acab::36] - dhcp-host=04:ea:56:f2:b4:6c, isa-x390, 195.39.246.36 - - dhcp-host=id:ac:67:5d:12:2f:5a, isa-p2max, [2a0f:4ac0:acab::37] - dhcp-host=ac:67:5d:12:2f:5a, isa-p2max, 195.39.246.37 - - dhcp-host=id:b0:be:83:3a:fa:1e, isabelles-mba, [2a0f:4ac0:acab::38] - dhcp-host=b0:be:83:3a:fa:1e, isabelles-mba, 195.39.246.38 - - dhcp-host=id:1c:57:dc:40:dc:b2, blechkasten, [2a0f:4ac0:acab::42] - dhcp-host=1c:57:dc:40:dc:b2, blechkasten, 195.39.246.42 - ''; - }; - - fcgiwrap.enable = true; - - nginx = { - enable = true; - virtualHosts."dnsmasq.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; - locations = { - "/".extraConfig = '' - include "${pkgs.nginx}/conf/fastcgi_params"; - fastcgi_param SCRIPT_FILENAME "${pkgs.dnsmasq-lease-overview}/bin/overview"; - fastcgi_param LEASE_PATH "/var/lib/dnsmasq/dnsmasq.leases"; - fastcgi_param QUERY_STRING $args; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - ''; - }; - }; - }; - - }; - -} -
diff --git a/machines/lollo/router/systemd-networkd.nix b/machines/lollo/router/systemd-networkd.nix 
@@ -1,138 +0,0 @@ -{ config, ... }: - -{ - - age.secrets.wireguard-privkey = { - file = ../../../secrets/lollo/wireguard-privkey.age; - mode = "640"; - owner = "root"; - group = "systemd-network"; - }; - - systemd.network = { - enable = true; - netdevs = { - - "20-brlan" = { - netdevConfig = { - Kind = "bridge"; - Name = "brlan"; - }; - }; - - "30-enp2s0.5" = { - netdevConfig = { - Kind = "vlan"; - Name = "enp2s0.5"; - }; - vlanConfig = { - Id = 5; - }; - }; - - "40-wg-pbb" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg-pbb"; - }; - wireguardConfig = { - PrivateKeyFile = config.age.secrets.wireguard-privkey.path; - ListenPort = 51820; - FirewallMark = 51820; - }; - wireguardPeers = [{ - wireguardPeerConfig={ - Endpoint = "195.39.247.172:51820"; - PublicKey = "QOQTpxvT122fiKBcN4QDADOjoDDzEW9sMWn/qngVF0Q="; - AllowedIPs = [ "0.0.0.0/0" "::/0" ]; - PersistentKeepalive = 10; -# RouteTable = "off"; - }; - }]; - }; - - }; - - networks = { - - "5-enp0" = { - matchConfig = { - Name = "enp0*"; - }; - DHCP = "yes"; - }; - - "10-enp2s0" = { - matchConfig = { - Name = "enp2s0"; - }; - DHCP = "yes"; - vlan = [ "enp2s0.5" ]; - }; - - "20-brlan" = { - matchConfig = { - Name = "brlan"; - Driver = "bridge"; - }; - DHCP = "no"; - address = [ - "10.0.0.1/24" - "195.39.246.41/28" - "2a0f:4ac0:acab::1/62" - ]; - routingPolicyRules = [ - { routingPolicyRuleConfig = { - From = "195.39.246.32/28"; - Table = 254; - Priority = 1900; - SuppressPrefixLength = 0; - };} - { routingPolicyRuleConfig = { - From = "2a0f:4ac0:acab::/62"; - Table = 254; - Priority = 1900; - SuppressPrefixLength = 0; - };} - { routingPolicyRuleConfig = { - From = "195.39.246.32/28"; - Table = 1234; - Priority = 2000; - };} - { routingPolicyRuleConfig = { - From = "2a0f:4ac0:acab::/62"; - Table = 1234; - Priority = 2000; - };} - ]; - }; - - "30-enp2s0.5" = { - matchConfig = { - Name = "enp2s0.5"; - }; - bridge = [ "brlan" ]; - }; - - "40-wg-pbb" = { - matchConfig = { - Name = "wg-pbb"; - }; - linkConfig = { 
- MTUBytes = "1472"; - }; - routes = [ - { routeConfig = { - Destination = "0.0.0.0/0"; - Table = "1234"; - };} - { routeConfig = { - Destination = "::/0"; - Table = "1234"; - };} - ]; - }; - - }; - }; -}
diff --git a/machines/lollo/smarthome/default.nix b/machines/lollo/smarthome/default.nix @@ -8,7 +8,6 @@ ./zigbee2mqtt.nix ./sdm2mqtt.nix - ./lacrosse2mqtt.nix ./departures2mqtt.nix ./influxdb2.nix
diff --git a/machines/lollo/smarthome/departures2mqtt.nix b/machines/lollo/smarthome/departures2mqtt.nix @@ -12,7 +12,7 @@ serviceConfig = { Type = "oneshot"; - ExecStart = "${pkgs.departures2mqtt}/bin/departures2mqtt --mqtt-host=10.0.0.1 --mqtt-topic=departures2mqtt --stations=1505,2946,2187"; + ExecStart = "${pkgs.departures2mqtt}/bin/departures2mqtt --mqtt-host=127.0.0.1 --mqtt-topic=departures2mqtt --stations=1505,2946,2187"; }; };
diff --git a/machines/lollo/smarthome/lacrosse2mqtt.nix b/machines/lollo/smarthome/lacrosse2mqtt.nix @@ -1,35 +0,0 @@ -{ inputs, config, pkgs, ... }: - -let - sdm2mqttConfig = { - mqtt.host = "10.0.0.1"; - mqtt.port = 1883; - serialDevice = "/dev/jeelink0"; - }; - - configFile = pkgs.writeText "lacrosse2mqtt-config.json" (builtins.toJSON sdm2mqttConfig); - -in { - - services.udev.extraRules = ''SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", ATTRS{serial}=="AL006SR4", SYMLINK+="jeelink0"''; - - systemd.services.lacrosse2mqtt = { - wantedBy = [ "multi-user.target" ]; - requires = [ "network-online.target" "mosquitto.service" "dev-jeelink0.device" ]; - wants = [ "network-online.target" "mosquitto.service" "dev-jeelink0.device" ]; - after = [ "network-online.target" "mosquitto.service" "dev-jeelink0.device" ]; - onFailure = [ "email-notify@%i.service" ]; - - serviceConfig = { - ExecStartPre = "${pkgs.coreutils}/bin/stty -F /dev/jeelink0 raw -echo -echoe -echok speed 9600"; - ExecStart = "${pkgs.lacrosse2mqtt}/bin/lacrosse2mqtt"; - Restart = "on-failure"; - RestartSec = "5"; - }; - - environment = { - CONFIG_PATH = configFile; - }; - }; - -}
diff --git a/machines/lollo/smarthome/mbusd.nix b/machines/lollo/smarthome/mbusd.nix @@ -2,7 +2,7 @@ { - services.udev.extraRules = ''SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{serial}=="1337", SYMLINK+="modbus0"''; + services.udev.extraRules = ''SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", ATTRS{serial}=="AQ02VMGV", SYMLINK+="modbus0"''; systemd.services.mbusd = { wantedBy = [ "multi-user.target" ];
diff --git a/machines/lollo/smarthome/mqtt-webui/config.nix b/machines/lollo/smarthome/mqtt-webui/config.nix @@ -127,14 +127,14 @@ in { { title = "Fridge"; type = "text"; - topic = "lacrosse2mqtt/33"; + topic = "zigbee2mqtt/tuya_sensor_fridge"; icon = "icons/temperature.png"; - transform = "return Math.round((message.temperature + Number.EPSILON) * 100) / 100 + ' °C'"; + transform = "return Math.round((message.temperature + Number.EPSILON) * 100) / 100 + ' °C - ' + message.humidity + ' %'"; } { title = "Bathroom"; type = "text"; - topic = "lacrosse2mqtt/5"; + topic = "zigbee2mqtt/tuya_sensor_bathroom"; icon = "icons/temperature.png"; transform = "return Math.round((message.temperature + Number.EPSILON) * 100) / 100 + ' °C - ' + message.humidity + ' %'"; } @@ -167,7 +167,7 @@ in { sections = [ (WhiteSpectrumLamp "Ceiling Light" "zigbee2mqtt/ikea_lamp_l") - (DimmableLamp "Desk" "zigbee2mqtt/led_stripe_desk") + (DimmableLamp "Desk" "zigbee2mqtt/tuya_led_stripe_desk") (ColorSpectrumLamp "RGB Lamp" "zigbee2mqtt/ikea_lamp_l_rgb") @@ -209,6 +209,12 @@ in { icon = "icons/power.png"; transform = "return Math.round((message.import + Number.EPSILON) * 100) / 100 + ' kWh'"; } + { + title = "Archive"; + type = "text"; + icon = "icons/sun.png"; + link = "#powermeterarchive"; + } ]; } @@ -216,11 +222,18 @@ in { title = "Temperature-Sensors"; items = [ { - title = "Temperature"; + title = "Shelf"; type = "text"; - topic = "lacrosse2mqtt/3a"; + topic = "zigbee2mqtt/tuya_sensor_l"; icon = "icons/temperature.png"; - transform = "return Math.round((message.temperature + Number.EPSILON) * 100) / 100 + ' °C'"; + transform = "return Math.round((message.temperature + Number.EPSILON) * 100) / 100 + ' °C - ' + message.humidity + ' %'"; + } + { + title = "Bed"; + type = "text"; + topic = "zigbee2mqtt/tuya_sensor_l2"; + icon = "icons/temperature.png"; + transform = "return Math.round((message.temperature + Number.EPSILON) * 100) / 100 + ' °C - ' + message.humidity + ' %'"; } ]; } 
@@ -268,6 +281,53 @@ in { } { + id = "powermeterarchive"; + title = "Archive"; + sections = [ + { + items = [ + { + type = "html"; + topic = "grafana"; + html = ''<iframe src="https://grafana.ctu.cx/d-solo/FRDYqjEGz/smarthome-influx?orgId=1&from=now-24h&refresh=5m&panelId=30" frameborder="0"></iframe>''; + } + ]; + } + + { + items = [ + { + type = "html"; + topic = "grafana"; + html = ''<iframe src="https://grafana.ctu.cx/d-solo/FRDYqjEGz/smarthome-influx?orgId=1&from=now-24h&refresh=5m&panelId=34" frameborder="0"></iframe>''; + } + ]; + } + + { + items = [ + { + type = "html"; + topic = "grafana"; + html = ''<iframe src="https://grafana.ctu.cx/d-solo/FRDYqjEGz/smarthome-influx?orgId=1&from=now-24h&refresh=5m&panelId=32" frameborder="0"></iframe>''; + } + ]; + } + + { + items = [ + { + type = "html"; + topic = "grafana"; + html = ''<iframe src="https://grafana.ctu.cx/d-solo/FRDYqjEGz/smarthome-influx?orgId=1&from=now-24h&refresh=5m&panelId=33" frameborder="0"></iframe>''; + } + ]; + + } + ]; + } + + { id = "departures"; title = "Departures"; sections = [
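Review bot: The four sections added under `powermeterarchive` are the same block repeated with only `panelId` changed (30, 34, 32, 33), and each `<iframe>` is emitted without `loading` or `referrerpolicy` attributes. A small helper in the style of the `DimmableLamp`/`WhiteSpectrumLamp` functions this file already calls would keep the URL in one place; the sketch below assumes it can live in the file's `let` block, which is outside the hunk. Embedding also only works if grafana.ctu.cx permits framing (Grafana's `allow_embedding`), which removes its clickjacking protection for every origin unless the reverse proxy sends a `Content-Security-Policy: frame-ancestors` header naming the dashboard's origin. That configuration is not visible here and is worth checking alongside this change.

```nix
# in the surrounding `let` block, next to the lamp helpers (placement assumed)
GrafanaPanel = panelId: {
  items = [
    {
      type  = "html";
      topic = "grafana";
      html  = ''<iframe src="https://grafana.ctu.cx/d-solo/FRDYqjEGz/smarthome-influx?orgId=1&from=now-24h&refresh=5m&panelId=${toString panelId}" frameborder="0" loading="lazy" referrerpolicy="no-referrer"></iframe>'';
    }
  ];
};

# … unchanged: pages before "powermeterarchive" …
{
  id       = "powermeterarchive";
  title    = "Archive";
  sections = map GrafanaPanel [ 30 34 32 33 ];
}
```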
diff --git a/machines/lollo/smarthome/mqtt-webui/extra-css/extra.css b/machines/lollo/smarthome/mqtt-webui/extra-css/extra.css @@ -3,6 +3,18 @@ section > div[data-mqtt-topic="departures2mqtt"] { padding: 0; } +section > div[data-mqtt-topic="grafana"] { + background: #444; + padding: 0; +} + +section > div[data-mqtt-topic="grafana"] iframe { + border-radius: inherit; + width: 100%; + height: 20rem; + margin-bottom: -6px; +} + section > div[data-mqtt-topic="departures2mqtt"] * { box-sizing: unset; }
diff --git a/machines/lollo/smarthome/sdm2mqtt.nix b/machines/lollo/smarthome/sdm2mqtt.nix @@ -1,13 +1,13 @@ { inputs, config, pkgs, ... }: let - sdm2mqttConfig = { + sdm2mqttConfig = { devices."leah" = 50; - modbus.host = "10.0.0.1"; + modbus.host = "127.0.0.1"; modbus.port = 502; - mqtt.host = "10.0.0.1"; + mqtt.host = "127.0.0.1"; mqtt.port = 1883; - updateInterval = 10; + updateInterval = 5; }; configFile = pkgs.writeText "sdm2mqtt-config.json" (builtins.toJSON sdm2mqttConfig);
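Review bot: Pointing `modbus.host` and `mqtt.host` at `127.0.0.1` only narrows exposure if the listeners themselves are bound to loopback, and neither mbusd's nor mosquitto's bind address is visible in this hunk. Modbus TCP has no authentication, so if mbusd still listens on all interfaces on port 502 the meter stays reachable from the network regardless of this change. The `updateInterval` change from 10 to 5 carries no unit or reason; a trailing comment stating the unit and why the polling rate was doubled would document it.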
diff --git a/machines/lollo/smarthome/telegraf.nix b/machines/lollo/smarthome/telegraf.nix @@ -7,8 +7,15 @@ extraConfig = { inputs = { mqtt_consumer = { - servers = [ "tcp://10.0.0.1:1883" ]; - topics = [ "sdm2mqtt/leah" "lacrosse2mqtt/+" ]; + servers = [ "tcp://127.0.0.1:1883" ]; + topics = [ + "sdm2mqtt/leah" + "lacrosse2mqtt/+" + "zigbee2mqtt/tuya_sensor_fridge" + "zigbee2mqtt/tuya_sensor_bathroom" + "zigbee2mqtt/tuya_sensor_l" + "zigbee2mqtt/tuya_sensor_l2" + ]; data_format = "json"; fielddrop = [ "newBatt" "weakBatt" ]; };
diff --git a/machines/lollo/smarthome/zigbee2mqtt.nix b/machines/lollo/smarthome/zigbee2mqtt.nix @@ -40,7 +40,7 @@ frontend = { port = 8422; - host = "10.0.0.1"; + host = "10.0.0.42"; }; advanced = { @@ -75,7 +75,12 @@ "0x847127fffecd89b6".friendly_name = "ikea_motionsensor"; "0x00124b0023ad17f1".friendly_name = "relay_pc_speakers"; - "0xa4c138da0f6d23de".friendly_name = "led_stripe_desk"; + "0xa4c138da0f6d23de".friendly_name = "tuya_led_stripe_desk"; + + "0xa4c1389d5f391891".friendly_name = "tuya_sensor_fridge"; + "0xa4c13809f76bcdc2".friendly_name = "tuya_sensor_bathroom"; + "0xa4c13882b76fa1ac".friendly_name = "tuya_sensor_l"; + "0xa4c138ebeae2efd2".friendly_name = "tuya_sensor_l2"; }; };
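Review bot: The first hunk binds the Zigbee2MQTT frontend to the LAN address `10.0.0.42`, and the `frontend` block visible here holds only `port` and `host`. Unless an `auth_token` is merged in from the encrypted secrets file, the UI is reachable without authentication by anything that can reach that address on port 8422. The frontend allows pairing, renaming and removing devices, so it deserves the same protection as the other web services on this host. Either set `host = "127.0.0.1";` and publish it through the nginx this host already configures, with authentication, or supply `frontend.auth_token` through the secrets file. The literal address also has to be edited by hand on every renumbering, as this hunk shows.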
diff --git a/machines/lollo/websites/default.nix b/machines/lollo/websites/default.nix @@ -6,7 +6,7 @@ ./wiki.home.ctu.cx.nix ./music.home.ctu.cx.nix ./things.home.ctu.cx.nix - ./storage.home.ctu.cx +# ./storage.home.ctu.cx ./photos.ctu.cx.nix ./flauschehorn.sexy.nix
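Review bot: The `storage.home.ctu.cx` import is disabled by commenting it out, with nothing saying why or when it comes back, and the `#` sits at column 0 against the list's indentation. If the site is gone for good, delete the line; if it is waiting on the migration, say so next to it, for example `# ./storage.home.ctu.cx  # TODO: re-enable once <reason>`. The list's opening and closing brackets are outside the hunk.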
diff --git a/machines/lollo/websites/flauschehorn.sexy.nix b/machines/lollo/websites/flauschehorn.sexy.nix @@ -2,7 +2,7 @@ { - dns.zones."flauschehorn.sexy" = (pkgs.dns.lib.combinators.host "195.39.246.41" "2a0f:4ac0:acab::1"); + dns.zones."flauschehorn.sexy" = (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); users = { users."flauschehorn" = {
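Review bot: The address pair `"195.39.246.42" "2a0f:4ac0:acab::42"` is written out as a literal here and again in the hunks for oeffisear.ch.nix and wifionic.de.nix, which is why a hardware move touches three website files. Binding the pair once and referencing it from each zone leaves a single place to change on the next renumbering, for example `dns.zones."flauschehorn.sexy" = pkgs.dns.lib.combinators.host hostV4 hostV6;` with `hostV4`/`hostV6` defined next to the host's network configuration (names are placeholders). A zone left behind on `195.39.246.41` would keep resolving to whatever answers there, presumably `lollo-old`, so it is worth confirming no other zone file still carries the old pair.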
diff --git a/machines/lollo/websites/music.home.ctu.cx.nix b/machines/lollo/websites/music.home.ctu.cx.nix @@ -10,7 +10,7 @@ let in { fileSystems."/mnt/music_originals" = { - device = "/home/leah/syncthing/Music (Originals)"; + device = "/nix/persist/home/leah/syncthing/Music (Originals)"; options = [ "bind" "ro" ]; };
diff --git a/machines/lollo/websites/oeffisear.ch.nix b/machines/lollo/websites/oeffisear.ch.nix @@ -2,7 +2,7 @@ { - dns.zones."oeffisear.ch" = (pkgs.dns.lib.combinators.host "195.39.246.41" "2a0f:4ac0:acab::1"); + dns.zones."oeffisear.ch" = (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); users.groups.oeffisearch = {}; users.users.oeffisearch = {
diff --git a/machines/lollo/websites/photos.ctu.cx.nix b/machines/lollo/websites/photos.ctu.cx.nix @@ -48,7 +48,7 @@ in { dns.zones."ctu.cx".subdomains.photos.CNAME = [ "${config.networking.fqdn}." ]; fileSystems."/mnt/photos.ctu.cx" = { - device = "/home/leah/syncthing/Pictures/photos.ctu.cx"; + device = "/nix/persist/home/leah/syncthing/Pictures/photos.ctu.cx"; options = [ "bind" "ro" ]; };
diff --git a/machines/lollo/websites/things.home.ctu.cx.nix b/machines/lollo/websites/things.home.ctu.cx.nix @@ -4,7 +4,7 @@ users.users.things = { isSystemUser = true; - home = "/var/lib/things"; + home = "/var/lib/ctucx-things"; createHome = true; group = config.services.nginx.group; }; @@ -14,7 +14,7 @@ user = "things"; group = config.services.nginx.group; phpEnv = { - THINGS_STORAGE_PATH = "/var/lib/things"; + THINGS_STORAGE_PATH = "/var/lib/ctucx-things"; }; settings = { pm = "dynamic";
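Review bot: The storage path `/var/lib/ctucx-things` is now spelled out twice, once as `users.users.things.home` and once as `THINGS_STORAGE_PATH`, and the two must stay equal for the PHP pool to write where the account's home was created. Deriving the second from the first removes that coupling: `THINGS_STORAGE_PATH = config.users.users.things.home;`. `config` is already in scope in this file, since it is used for `config.services.nginx.group`. Both attribute sets continue outside the hunks.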
diff --git a/machines/lollo/websites/wifionic.de.nix b/machines/lollo/websites/wifionic.de.nix @@ -5,7 +5,7 @@ let in { - dns.zones."wifionic.de" = (pkgs.dns.lib.combinators.host "195.39.246.41" "2a0f:4ac0:acab::1"); + dns.zones."wifionic.de" = (pkgs.dns.lib.combinators.host "195.39.246.42" "2a0f:4ac0:acab::42"); systemd = { services.check-o2tiles = {
diff --git a/machines/lollo/websites/wiki.home.ctu.cx.nix b/machines/lollo/websites/wiki.home.ctu.cx.nix @@ -3,7 +3,7 @@ { fileSystems."/mnt/wiki" = { - device = "/home/leah/syncthing/Wiki"; + device = "/nix/persist/home/leah/syncthing/Wiki"; options = [ "bind" "ro" ]; };
diff --git a/secrets/flake.nix.age b/secrets/flake.nix.age 
@@ -1,81 +1,77 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VjZmVnkrM2NjQ0YzdWhY -MzNEVWoxNmZVVXpwdTU5TzZkRHZHS2srMGxnCkRuSzVRZFl1ZUFOTSsrNVRYWW5w -a3NxNVlWWCtadzhkZ0JScEV1MVQraTQKLS0tIHBWQ2lkMkcyUGtvWGNJV0N3bGtY -aTc5WkJONUdtdWpHTktuVXdXNVlCaDQKAdHvZsIiCExxahd5NaLndd5hy2l4PuW8 -J59/kN1kqIFC1fQBamg1lpLvHiup9Nt8XiwrmcNSfKBdokmiwRoAVssQUvUtHoRP -Gs6+2r06wn5rj3pUOuA0InXcNp/5FWth99gEV50JPdDOTF5tBkTSp4FgLg3eAX41 -gvJ6QkguGUWYIp40R/gysttU+mVpNuGA63B6dmtHFiY4PQh/i9wRlNEeENqpRQzR -7F15BrN2CUfI6d35eC7lTs+ex5p+AbqrQ2wkWkFCO1Cuh3F+P6D0fmHTtRm/g7s1 -Hcq7rK2IFIZGlrTbYV4RPlBel8JPRTc3tKCaZeE3xwadMhPO/WA2DJGnLhx3toF9 -dOiNiUWGRtR78Ohaxq3S3I/umbSz0NRcnyvRV+PuJgzuE0aR2WQXxp/lk/P/rxzQ -el90ZJ8g3eKZFLqiqozcb/VknDJdmfD5ximNP4uv3GfSXQRGTwUYBAh8XsybLewU -fP8N/Hmf1Nr+JZXkSs8axTujDOu0WHAPwmxWBnLSPqZcSwmR2Lyr56mIL3zpc+6z -Qqu6GgrnjSi+UdlOJLUBZpSjQ07ydNDPrsh9Uhukuhbvy+/5G7kIRRXw4MhQYjZk -U0jhNvE8h+fAlKU9+5Gf2THbJSj8mspBMzpKO8Z7XJSUByTpReVmONBZsqzABHgc -3yCWLpJLl5l/mmwu0lfh9jg3c/sVOryOa4HwJSyi+MvY20Biqp6beehCcsNk7OrB -H70dx7h9BmIHBVGK8booin5wJMpVh8ctNReKOXojBpEhrxMrDqViBiBmZ+xtwI+c -+IvL6HwusleK0i1UFHA8W+xGOTFzQ5rOZsnV+2QPyTKJSvhqIXjx14r0HV/wNRaa -heEgVodwOWsDXTgzRPl+GkgZ2AxwILLDeNFtFvZFHplXpV6xpdwGC1YK2n0e9WX/ -y7EvuICRis5TpIOtCOF6CiuH8glK0/rJrF0Ts7f7SAAVM5f1SCDpGPDjoSfhcnXi -yizqCE+PFUJ84GYR3/m9oTs81esKlzkX+Oh2xJMNx2N9DFusiMMyRiL5e2t8Ma5t -EYE0hlaw4vVUMKib0Rrilds809s31JnMnBd6fYhWgeQ1S8F0C6UuVL+kT2wak/hL -NyIv1XY6vaQKFzWWzhl6GJ7onrxI8Rc9NlInKUBuHT/Cz4AGytkNeQuCfe2vSCbX -ieQQZ7g2dffhllBDgL//T89BbqQQ5oGt4sUfCw8hvsOevVTCi5cww4kOSWqw0y+1 -b69NbeyDaHWZ2xBBqvufUcCLWBotuLLXez0XGWJJDv5LMqapzdM8D957jpPJVa86 -mEG9Ggz/RASw4cN2NIBrkT4xqjOvH27Nqio9u7yfl5zoICyLo3LFrxcCzT+BQXjG -dMDr2RfewoP/hZNlYDVAE6ehb+/x86Vl69ntJnXqM3SF00dSUhW+KvWhdMHMf92S -KGEyz4pElDbRQirYLUa45VQNiZWZIJf9TaLuxvkAkONubVDqN2PzLyeu9a+Nl+ma -bTCRrz7kJxC1cVy0rTniBEqUo39/s/uAGDFTJwJDKNxLO7ZI6QnsNvwV0sOq7ByG -QFtZQ/Mp6ZG1Mx+SMsyiYB5oSYVlEJdNiL3Gdgtmoi+g1qvb5y3lAZLOQzcFB8dT 
-YB/vv17B9y4FTXFhmo2EBkbJ/3EfhgGd3mo4+kfXAE5tFOm0JW1oGSNvGReRX7+p -3WwGkHRBIC6gBmDoJXrJ1F55i/RCtE1Fxq1AGyI23SPbRjfh8SRG5U1WBcxvv3X6 -L2OQyfCOnL4Zh0S8DY6IXsCGwH1ZBY5uCXP17QJgxlLTJqPKG3VWZoctUE4kA/ch -Q94wXCXVq9Hi8sEDY67YAvliFUcMDXUJUkTNQX5z0YDw9882xZ+94rJsMqDuTL4W -C4M1GsXzfCUU6n41pV5fIZwYS+OeY5YQHWtMReE5luTF4ofPUK5P8wj2cdKxhH6z -H2U0p3sOr8ZxHXE9xc02CPMPN3MaAq4i6tCzW/dFJj7gw+LZBXaNmm6IvYgys6wR -diHxk/gJ6/WOXGWaM2vDdYh1TalVi+m2kZXUUTYD5tIhO5oJ7sv0dD5jyc57EAdh -+L5TTS/C9R4ZkaXaNUfmABb9wokeCFTBfLrSnOyOCgNjGcrlg9N8EEP9oTT0DVR5 -K8De4LhMbMVfgXPlgY0/K1rmCftTmIfFJWlf9BBXiuhWSwbc+rIVhfmgA+yuZajP -MRFovc8cITVQT8A/btlqdJcBTj2qSTdHdu8r/g/SNkwc0/Fp7tz5hwx6YL8uIPRv -7OodOr3b9IyYPsg13DQzYl4Hwx6lAf4/Asd69otzXrjkaKOj+9WO1flLgKbB6pkf -eCi/Yeg+QF7tBYjRBjby04Rl6rqmShN5XPJoyokCjQkHm7mfB+ZrYvs0pHwOr0LO -e8c3TKv8fMiNIR8cdTI509IedRTbILy73xbSjtlu9yDOcbJqEzckhdk5WVYe560N -Sm2jyRzNwsUn1sQmkngu9AiBPQu0t/xtw9RIVKI6UYR1QI19OsiHaAaZ0N14r04k -vl53FN7Z7/UnI7G12gObYNfWU8BvLs+wt2fdnKUZT14hnd+UMrxvP4/lc2kr2Zdo -tS0IG5VL/D2NOIz/THX/xU7OnOqSzCBL8z0uFKPCloUhCl7lNQvsaKafgiFB/e4j -YfiSteGY5DA3jcvErzXKB5nSRTiEyVP03+c5Ra+v/wGu6+KrWPImJeQSEZ1NSoqz -TP4+cLbPIjuQM7yGV0+KXiB8zEOxYF4bYSA1bdi3Na+lHsuvkS4eBY7ZTz3cfCmS -qrEe5mVz8nAFF3D3M+RiJU8aNPPOH+5FjLU0c3p9SPsX98YDO7GFR5YvCuBg1kZg -W52WX1YD3GI1or8unVPVpso7/p5Y7SLuae4uTfMLJR0jIE7MVALI6PW2DGsQ2l0/ -U5AdAb34HPt1Iar8XkGMjtC40u8EaWEt9wTOVLYKVD8bn7nycQymPK2NkRJrfdLK -02o/jD3znmCerb2yFoa8Ap0PYCh6Oh6v8qbTECjtKhAq/XQunTcbzfgPae4j7XzQ -1iudAWTcOUY1LBbMK5O7YmAZTw7QSgew41LjsOoQDGVNRLq17zvX9Dapnmk2SIEW -L9UpnMKYIUXftGHBaUVqN7Wpnbx8jQ4UXANaeL9c6GyzLerkAW+H82KTLpA23dgZ -C6lFeeqd8JyeQxTjFKpv3A3lssHuSBQY3R3gezQF79mq4mbOKL0F8g5k9n5A6zDQ -8iQSejkPN+yBm/lYdYvODwoBJwjF4jdHG2WdF7b84CFLdeI3/eWBeBeJkUoonjSH -5bsMguSt1kEjtjCGsaYdxIHJjsXkcs0kkWQ226z1Xbi62Q6ZsUatHer1FbBtR29B -BNBVQL+FkFjRPBuuUv6J6CTewy7k4NPWC+/SDgBMEu5NHNeTHSPK3ZyAMUq9tiG4 -5+WdEVaBBDjTBX0lk97cGDR16H10bzZ3fLzzTyQ3cqP9sSr2oKOPCkfWHo37RSiy -PpjUQx8pX1KL4dc8AqypNK2Bic7P5xn3NcVHWNBMMTj0qadrjF9sBdHD/hwgsD3/ 
-dj3VaQVU3tzHy8dlYKV+pmc2OWVsRx0e7lYJff8a4fW7kvqGULnvey5W/E7cdCR8 -TTk2lbyoosBNLbTZAagHYbBINmdLDjsGSpe2mUCDNXE6bPAL+/2bnD0i6Z/Hw0w2 -Ywaxi0BGK5piKZPeDOCU49TEC+HoyKcQkRtayUhfVH6xNCKKtahewrzD4lewLOB0 -vxrI25rL3xXvfPAxDwss2lSX4pTycKuCf29et20hwBWQk2PRVTDGF7Q0PflPY3Ar -fI0c1OG06m7qt41OlxpC3If+Z6Lel3+5nN4BxjxgCGAVYvI9QPFfWMMxSKgeUN0C -ASRh/vcibxzQ99KXIl47h6s6cmwzpsXKhz1Np5vzqFZHKJpdmZF/540EYQ04sPWH -fwBDdqpMQEzbFN3crD31XQovYkYvbRwKALys+Ia6PlWhe4tpip8advv2kf5s+XDA -z9JPAUQfdu3R0SKXRcJq4Hf402UYMJT4eyXZ6TBqaZyLjwl1ztT5CyLqgD+/i0JI -0l98cfVBohNgdnDAMe9eIH/lU5RhcoZN3RCXIL25R1XIofwnTuqCMXSdvFZutWGd -lv7di/9Zqf+uXyUbvd+r5yFASFyucbH7k+VrdPDVbEIrqhrWCXCJpv3RepL6cosH -ElqrH5Kk5p8JZmoDHiqzWyrBp9knuLsZ5w1JTZzuWkO0mCEv4zFhg25d2nLkQeYj -c/ts3JQ6gyy5FlySxP6UyOxUS9A6ShcbF507iZV5jWe6T5yG+DpvLE2s7q5FQZL1 -EcuXPgMDysjWPn/gZSYxxiRDn+ZX1VUyqtnXEVu5NZD5icjKrTNwXpfLiXU++BwW -BOkl48qdNlKfu0ujgIW712Vp+o6UBg44Ea2KF9MoOYi5acijJNomGwMrn9Vu37q2 -wt/LXrhYd+IX8kYA2MMcGGlgnKJsf6Zxch4FS0S9Rae5XO9efgFcSR6sy/bE81mx -QX3ec1Z2Bzdj1Bp8DZ4EcnH491Cwlhv8LcgrUWsz3H95Plr5JYlxROD6eKow2naV -1KDbxyCfThvD8inNmMZajBDWefk6JtQwxfhrKXRLVl4iK+GKStlJzo8Ih68fEpCg -llhQ6HyMHVo8nW0iEsuI4ZSdZsWvYwxBPza2GlJh2mc9bc3D9JRe7c1m058nwYNV -fd9lgzPcxqwP96saBVvXdq0j9m1VhzjwcQ8sNfI1NJ1TOuvLjnPc+KTbqMgGSjWE -eIun/cFltaT5OXgSqJctDOtptA== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQWlNRHBheHRJclJkLzdS +U1RLMksrblhHU0lwaVJXQ3NjcW9Sc3ZRMlZRCmNvbGsvcnZXTi96OUcvZXNDOGRq +YjlneHRpYnU4Rk9LRmJvUnp1eFNiUHMKLS0tIE1Kc2d4b3VoWWhXUU4vQUphWlp1 +RTJVYksrdTZWQThzNi81dGkzMnhid0kKJeV8ZVK//6jK2KdOJq0SwzXF0d/P/RTi +Gs71uVx6UjkpVNahkbxc2Kri2GRG1KoPYKr9+JmrX9xxu/FedhdQivXEqT4oN+k1 +Xz3r9DDjGArgtggbpeoPJ2d996m0xDvcGVVJbk0SDbRz5zKr5Vp5qCo2Cxbhxs75 +o7EZZvXW+wLoGfTcAnd+M2XIvMUD5Pmgth/51SYWnx1VBLffODrMgXGNjeUsWqac +hRnhOnfjKNMQXiAbyOcOnfcnOJ9EsxdPh07E/iLzo6wHc9FlyBp2wp6IGG3ai4Rq +S9i/XEAiFbzQm0Q1bc9ptNVGWq5NSM4wTjsZ0m690CM0gWr1LShnqH/cF01lMXqx +WXCVaL4fcRzdY8k9UJsA60qhmS4oK0DAp1G7VOn7IBx98zF4KkRw55CKVc7W995s 
+XRoZ29/9fXUHkLN6njTqMNfzbAMt5doYs+GWmdqWcLkDsHbUYSAYBSeqKx7p7Ss6 +LOL1Fg78Sjnb5vcFOZURuNrJCS7xRuI6ofHCw09SeFyjtsDt55ofCRiN6cAS58vn +C6YgCOtUIL9Ji+FP4NH/VECynUF+zTvfKDRLNaNweJ8T18WfZTmTUsuWtTcIubnZ +QSmLckq+cdiK9l8UzLvcqhQQwNZqgXbxccTF8nTiAtrtCH9ob+72zI06LbAOpR7l +dSi06sUE/X4mhvALpD6TVn3G0n/4JXqo+BKgdNpmop4kzWlYwbj8BBvolP1VwJWI +40Blw9vPr52+NDnDdzbNeirjHLWVVN9kD5c6bej8Cg3/4aR8ExoHSfi+0NhNMxFL +wX8IDhX7jy9qFrj+kyqk+oD4he8NrViS78LY415CC0Dk4ge9UglpVcGuTcPdWNNS +L/aJidvD2Buwsih3EK0uVeHCkQ4lEVX5kaM9SWZ/M7WFZX4Fv14hg1pBuUq6Djzw +6XmQGo3FfEgtSYXO2gsh+sLr+nHjEFBP3/JcaY4zDHf01vOe1TiGIjJib2ptKhB3 +zlbyTDFFS6DCSMKUnuvNNye+1XAZuIzK6msqT6oNEk5k1Lz9bZx+vpqMmUp8+IK0 +DdUrMwYV0A5SGkrhXwiLak5VCewG3lrlzfdTZACaNXR3vKelJA7Qu8bdGj6Macq5 +Mpr3kQ8JTECplD0HgnKCPNRL7AJB+yjXZbHX765AHvHJtp9wBlQ1FGVhLXOQjqBh +8OTDWkes2vlAe1avMi8awE6ECz7Hsb3JjW4mJJZU5iEW7HuzTu5kdhiNGVEXnyFX +i2P70dO4+nfN8cJ3/bNgYV5FCRrLL0lYwiKhCyrfh4Ok0IZ6PE+997xcCGOT44De +Ce8oGU/QkQdo7D3VpDfU8IjQ4eSAbZLRhIQHylLN8E9h0AvWUXHcLaok6U+1gRyw +TdgVipwuRkqCsXqo1/S0RJ4ZM37EYkEL1F/si8O+b7JUSiEvmdUc0PjcqWuDLJI/ +gae/rOTo8+E5NvtGLDJCGGAK1svoccU2DE30f6nwMTllgMKs8f5rendS1xm2y1+d +SPtS+OdUozk6P3Q8ps3wImJgXYksoVjHVgkn7xoYFp/5BVopg0yHeN33bDFnPexB +ToasiJiC7Qn5gwCkRBomJu5w4PpQfM8iRjNxV3AZW3AxeDTIeXFHht9KLyxnE6R+ +1Wjdr9NKfZ7h+z27BOrLI/cwXOQq3gVZZfsz4gXziGDbsXaNg53lrxw6Wg73pQEy +0w0DDx2ndbc6b7pp+7C9GJet/XJoqUcY3YKrVSp1un9G9LLA97bn8Q/nqIp33QJ1 +PjzfIfPZBQPgpTvjNMxy/zGWX/qthkxn3wDrLZvOca3h85vb6d1gSIDOH4zFB4uK +pCVrQb469tbF9PCObVLJoiJIuhKyE5n74WkQo9qCTd5HMRELb8WADNVvzzzPVB8y +yT8S5Q5SXiSTcHvF8DaKYO1I2+NMMKb51glAXa0F1MPBy4Q/gBCCP1f8MFzg5Lj5 +ujBZT4CEvfitK+Uc9Tw71WU/5HTGH6M+/prHjbl8jIjhBe2OJkRhhmkGnAaz/whq +b3AVy+w6xMNuI2sJwprfMt8Xac+26ESaoglYPlwZetS8dCPqFpeJnIRw5En1fMps +NFJoFUFSteh2lRTVnZzUk0quaeEMJ9Hk7j3AsfebXZZ9J7KohBGiODuHYfJsCx50 +8O/o4LF7OhC43gZLKkrwvw5izp+ZJMbA3r/9T3aYOjAXGtS1EkJz3MvWcxJwRUlT +eUd3GHZhrqWWXLf2/vbFeDPZuUx3PHo5gxq8p7GFf6YZflQ7425ZCZROSJ3V/uvO +OwbxQSadV8PSDPIBrV52aZK4Ptkag89Y1GFs3S6CsZtJq6l0MHKtfk1PBC8Lficp 
+VLp1MsGA2pojLBW75yoKnZ8djZHYNcZ9vk7VT1hhHvFiKQoaOxY5LhSNCNVsexgT +FMjUqmqWLAuOk3NgoX0YFrpwDAGVISmo4c01RqxylktGJRTagwvESLEtdqS54M3I +r6jJszinBkSqg/r4XvzF5xayooB1zfGLye3zBNG2/G0waPd249uSqNLpXCpK7xna +qwkRhGx6cUJu0l0F+xdbX9gEmrM2j63KRkoPJbYY9TUQeMInx7JwjVMRayH3r6si +3c+aRf38weiK9e7C5XgLjtkQonFRV/rfy+rRXlmla33B7B96zVCQc8dMST/ZLLhN +0JNESxy61dZRt+ucIG3wBSf6V6uVKArv0BHOATn+kSlUQHJzzPJWINDj7DiA2s+C +s0xnYb061JBgB1Jr8WKUfDU40uprFtSqVNXmF2PcKT/4Nc1PrQwN9AKNT4o25j6H +5xE4YzBjjzUZBXpD/V/1gPnKE3V4y6p8UdW3KMe3d2JyEYytly9h6GjEXa+f77RW +ovz4HqJOLKcFgHKuzNO+GAXlc7HhFeRUYItptqFSqbye32ljUrgqsYfiQXYJbRbV +DnN6vt7ZYoF8QZzhiXwxX5zeT7uDl03IJrdkIGGYObDoZitEZUAX02ZTyycQibR+ ++5XlHGhJQGWgG+4x3Zul0sAGXlJjjyPitPB+mvMxGwXinU2rfwCjLiAkbibUIhM3 +W/W/07f2GlXlFndL/nhsOaELNxcjEBuPfeIjmbBEL725PqJ8tW5sCB0kFJWTJbBH +5iKi7ZvIQrC2k8TCEpAfzh755zxcTXvgVJVSZ7gfEovkhzOBYGuMFw3zb8iB6a4Q +nwBYcXeT9Uz84vjUiBKH1IU6obKxuwfGDcSVYAdaerm9C9SgfGebwoqyhle/Y8Qi +L5fHoixDBrzfk3reLiQjPjLocqIqKof8egAI/W0S04AbYQZHW/oVjx37LWAQ85ks +4a0lG1Cr+GgogtHo519EqDH9XmDJL4Yf6F3l3cETmCZL5q57O+wnDnvoO+g5RNPQ +xP6pOhu0PTLsDQsIWlTGNoIxhIIRiq2bg2LGwgQ9/mZzagpnUXpVo6zlOlE7wz4U +Fk6+QMLWXjf4OjH9bIvn0da/H2dASmweKtGCRtcTb720zVpjvrGOKLBipSJ94d15 +6gv6ZYyjgkhG3HUw2Z2X3IuM78Kptw/eWcJQyG5euER+UuONhzRhZSrP7qgFucC6 +5pAKb2Ea+UoJBhoK6gnVj1JIIWOKCa5s5fiXourXRNSKO+FhrQhOa7jQlciAlGRV +wxn59VYLqToZNizV/BhBfWOgWbyk9yaqLYr3S7NPk3TP2Nha03QPMg+/LS3/S9tD +p1/ah8o2RUXyHTF1Qm9dPr2QFe5DKALWje0RJK7yb47bULrZHMFnkylhTgfs9I5m +VI+HySv1HntHInQcK1Emy2g5cmdXuiRS94BEZdxJrI+fvTIiLyD9n2XucBusCP9e +pypEAiUJVehTRK7NBBc/kJGQJ+BsBbClai9Ial5g9rograTY7N9E5TfFx26BI+EJ +EOGEXiEwTizWzusHmWLCaLbZ0gwE/S8lusmAJLSzCBi8Iw0OIWz670eI+dNXomLf +tqzhN5t5NREDoTJVlnXrhsDv44/M0YonB86NCTIttelm9aSvPG7kQALsNcKb0Cre +vw7i2q6O5n8bQi4Dk8n/i/1ORcHpx78HWbwxIlpPk8LWCm+zKlhWRC2IhU3aUzjm +Yp4hbrOaisISeRrBkB1MXpetGtj1V/y0ihX5xaUT/JPEd2HVO8cv4L+qj7yYFXOr +h5+WgxGyN+4YC9YQLxCXq3vxJOwpjunQBFcbyYXIzdYY7iNzr60ezD//F+jx+Jma +xSFek0WAn/M2WobbCaaBdyvIKqvel5qt7H5iGbnC0tk1Sa2r/rE62uT+JFTcNYfz 
+JQ7rR7Zo2XpaLQrt3ft8ukxOym2sm/H8cl0UJQWklaYNV5johh58NIzlCIitKheq +HJNnWwzAd4s9uKh2UIeVjh/F8GMEOhiQsrGwjPRcxrobqZql/hg/iqv3fTSqK4nT +IDEvVECqrxutUKAr1YEyopmAjSJ+/+GIDaHmYqwDA7thqacoOC9xhl+uQOiQTSNc +BjCPtRXWAjjsGiZfGJv+sC8UG/oSWrTzedhi+auHdKt0zSnxXiY/Bi0uhwTGjmIU +reZrqtZqGT4y5nW8Q1qX8Ks= -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/lollo-old/syncthing/cert.age b/secrets/lollo-old/syncthing/cert.age Binary files differ.
diff --git a/secrets/lollo-old/syncthing/key.age b/secrets/lollo-old/syncthing/key.age Binary files differ.
diff --git a/secrets/lollo/mosquitto/passwd-leah.age b/secrets/lollo/mosquitto/passwd-leah.age Binary files differ.
diff --git a/secrets/lollo/radicale-users.age b/secrets/lollo/radicale-users.age Binary files differ.
diff --git a/secrets/lollo/restic-server-htpasswd.age b/secrets/lollo/restic-server-htpasswd.age @@ -1,9 +1,10 @@ age-encryption.org/v1 --> X25519 xHTDuWwyuxQe+c9LRQ6EKtU2s4YHBZwpo7kKH54xbFE -9FC+xBjiv5o9BMxXVxpF9R2RCWF3lN8DExeaQBX4kD8 --> ssh-ed25519 2LuoZg t4MzfnivLb3WGvXhtf6MolRAe4r93qXpruNuDShLiw0 -Ad29o+IZ153e/leGpOunyEHMksUwWRW5EtffM617w/g --> }e'9/i-grease -P1GFi16K3cgHQ/+B8W0j+2cDDgk ---- 2Gk7yDXQB/20WLoOuxpgTkcDY7XoWi65Mn2WBA86SME -FBZ)X6=bbX1x7EjrV'1WRx[?D|L=\v- \ No newline at end of file +-> X25519 pN1aSJJLJ983IM6QY/F6/sbCZMIB4y7eFz6xGGhWbEY +1b+lWjSmBUPgv6A3QFrLkuZEIaDtbZq79/CcEZ9YtaM +-> ssh-ed25519 1rccKw Y01JKoQkWq+puXjIZxYO7cHo8QdMeYSIF9Nn3t9ZChk +PJAHLZZm7lTcKfFDyC699NrQdwf5fcJCs/TAFK+P14Y +-> v-grease 2|V=IA<B b7I</Nb +0aFHkwcd8l7U7tmgPx3uE9uJhOTi8uR6VmScrqTItVtBbGSZ/SWbx6TvyaoqwyE7 +Zu0MVJKRXg2tw0LOaJAOj8OzkF/aVR3BUVIbbzX67eI +--- zvqovE65g8zRsztpc0babHog38qyFaXK8oxnMRXop4A +N^_)sDLڒj#u"ڲ_w(4 b繸I1T&ʫ7+ \ No newline at end of file
diff --git a/secrets/lollo/restic/gotosocial.age b/secrets/lollo/restic/gotosocial.age @@ -1,10 +1,11 @@ age-encryption.org/v1 --> X25519 ZU6fVoyVd6U0E7jRUsYjErR8b8N2598jdzuhz2bIQWg -qEzm5LNz9mBuzo+esof5mhCCR9Ezjut64wk7sQKkaX0 --> ssh-ed25519 2LuoZg jbeD2tAFoaSP0Vovmgtfzfs2Kv2y8Ic+C87kCIxTC1w -a8eOLjKmEWhRVqoa5PtPyvsG9vk0dbQuVHjyXOvOpXA --> "Js--grease s9C%K93@ -QeJzrvTkRzd9WQVM2JG2ViV7b+7aWOauZIA3hEkEm/jIQnSnwZ08S1+SIEcqJdJg -joOOQdubX5m6VMk7tdnloRW2BA2zzf46VneKhkQ ---- FnisGJXqRyfVUa+ZB5VIC/hpg5l8VETDiFMs27peGRM -[sL-r-JxA2ӫ^zSqV+yw,AHVx~- N- \ No newline at end of file +-> X25519 8nlwD7pMxjH8U+lNolrkBQ0ecGfkHOEeAVkhsgvrq3Y +awfAVAeuaN4Sgnu06JBs1pidQ0YwDFq90LeDeWcIUS0 +-> ssh-ed25519 1rccKw W4i+fgXLTaIOj5xLzM7ronZ56K2Vb0MVoGoKFjklhmA +Ya+K8Gyz06a2ZsT8Tjnez51Q3OnIV3+r/ZIpTlQ0BPc +-> ssh-ed25519 2LuoZg bLEObDh6asJ0DJOEWy18H8urLNMX9Gwpj26qRNCRglQ +VlPUqgOmmHvypzqs2HzdODZyJu1Kj4O5/ETMuFVqxe0 +-> b0?U-grease I%%F{ "y2j"o? )F!#Nf /vJB5kS ++NHYuo4K/Us +--- MqqgEiQQi3ed7vbR4+TXVnrG4ACg+wMISYqPHqqSPfk +{a9C`xp9AV>3b&lڊ# )quh7.{+ \ No newline at end of file
diff --git a/secrets/lollo/restic/oeffisearch.age b/secrets/lollo/restic/oeffisearch.age Binary files differ.
diff --git a/secrets/lollo/restic/radicale.age b/secrets/lollo/restic/radicale.age Binary files differ.
diff --git a/secrets/lollo/restic/vnstat.age b/secrets/lollo/restic/vnstat.age Binary files differ.
diff --git a/secrets/lollo/syncthing/cert.age b/secrets/lollo/syncthing/cert.age Binary files differ.
diff --git a/secrets/lollo/syncthing/key.age b/secrets/lollo/syncthing/key.age Binary files differ.
diff --git a/secrets/lollo/wireguard-privkey.age b/secrets/lollo/wireguard-privkey.age @@ -1,13 +1,10 @@ age-encryption.org/v1 --> X25519 HH8bVRf7B4nhro69GIQ1wnMzoXVg3sUDXeNQmzO9x0A -ZyB2SUhjetdtWCd0aS9BLGQAGvS2iTc/i5IlGqGs2bQ --> ssh-ed25519 2LuoZg eb870qsI5CK3k4E0V41F1VFHZKpdtwx5UdfA8RKhFnw -kky5cZiygFR9H2EpS+CWxe2DDTAerL9xvSyp705DVkc --> W0%*-grease mdNMR Xy# (;d0l -zoEIaMHWIRrH10sHQM9CnA4NFd1TYJOqVVEboWp3BJwHGe3iK3yVLBEiKVYlMW1J -Ypx1m7N7aV3Pej8QiVIN/t6Q+8s+yVLjrd0RKhqwwK86q7Ix ---- 8ByGNfNy4UJ8IgMhjIuu0yYC4Ced9Yne58X1pd8rZR8 -Ks8 -IEB*z뺿=Bz5aSCԥy -$0MPϰ5J|r8 -Kz(G- \ No newline at end of file +-> X25519 DXl4BZgYlQI437jcG7x3Hse7WBLMdPAYBhOHmUx/ZGc +KHvDh813VyW+pXbiUtf2SzJB/GivjIIQGzt59MU4k9s +-> ssh-ed25519 1rccKw U7j2r5Syn+6W7iDPiY6jekh/DpL5T8HuZ+KoWeKewiA +ShCNL56zjjj3ktodpeKurZEud0PEl/tnWk1e8pCGIYk +-> 1r0=8P-grease YPT$GfZ N#qYBc<N >s B&C7 +YE4FuDdcK8izVjH0AxUEbqfBm29CNtUwO4Jl6NvWtx6IwgzQ9gJcfiY3kwgqrlh6 +Q0lTVlGSq6OfZbM5jyCP +--- I8UfivCpc1cbbyOELRIpD7boeVROO1mZeV2vfs66k30 +a6\vrl[{M6)Kۭwm> c%%8UHu.yQj3o7$2di\/+ \ No newline at end of file
diff --git a/secrets/lollo/zigbee2mqtt/secrets.age b/secrets/lollo/zigbee2mqtt/secrets.age Binary files differ.
diff --git a/secrets/passwords/leah-at-f2k1-de.age b/secrets/passwords/leah-at-f2k1-de.age Binary files differ.
diff --git a/secrets/passwords/leah.age b/secrets/passwords/leah.age 
@@ -1,17 +1,20 @@ age-encryption.org/v1 --> X25519 hk9u0tAPBqc+UANYbsKsAGckJrwew8Qxh5v4URMr3hw -Q3SkWwpzmPmzmiO+v+5pO8UkTImXotmuaiJlro4hyYY --> ssh-ed25519 V0uUrw UsxoYQu3brvF1XDv0RSVhAM7OSukIONblP+Lmadx0B4 -sdRPt4nmD5ZIvp4li99jr3AslUKVUqegLVwZe4Gc/8E --> ssh-ed25519 VgQ62A GY7xcqJ2kazyGaNgRKFI+xrQtC/zmcmA0s5thZ0Q1xU -zuG28Uk4PNa/0U8Q2Q7w7qOtlEWYCapwChN8e8i9bS0 --> ssh-ed25519 2LuoZg QVOBcXehDS0tX/UKHPVYHG11iAVsWHN99zR/5EQFrB4 -00s3A8kA+WcB+7oCIIj7F02jmMlci99pEaKMeKe3Ra8 --> ssh-ed25519 NrwbpQ flGl7jiBc/kP1GpdtW6n55hw7iyLXZvKmlKLTxMzqSQ -iHzkjd89rEj6yvDcD4hCfoG4mXvVnSA16X97/uqu08I --> ssh-ed25519 sh8POQ YqkVovv+0C9d4jWraB/EGUebev2GGXUQMgqQ6oXU0QU -WrwKptEcw/bMHj4fCYdMmv+dzPdNlxRRKga4Op2BBy0 --> (<>Dj-grease s8; E@I y6K(Y GL -wJ1OieVRIRB3YiGW6CONjxHxev/jK+oIVVNVnbIa380 ---- MNy9geXjmnFBsWYsMJPyVEwseaPn0H/o1o2pJXvr70Y -OʹW5 V貂``.-|W.G;JuaNi}>IRɽT <N }VW;&(pzv+&j$=$LM_ߑ)ap- \ No newline at end of file +-> X25519 gwE41pmX1coqgoOeEnScfsMLGb3aC2hV75C5TNi04go +AsHP9YYymWNbstD1RlT9nT2NP3ar690GYvDFaRYdemo +-> ssh-ed25519 V0uUrw +CFPRZYO6JqbHeLcdv77bEgvzTLow9qW033sJndOFBQ +Z/AKie2uNi5ERwuht2QBsKC8WQ52yPSjmGOqUO1MKG4 +-> ssh-ed25519 VgQ62A TOavYGSKrAftu2YtM6s3UidCajVBvMSzn1b1JfxocSM +Fu4hLl1Pxrq6kQWPgDBMAuc1NkaC6aHcMddVyphk4gw +-> ssh-ed25519 1rccKw lqnEs4XvN41EGHFeFEPBxTQd5DsqOjsNjsk6+bj+BgU +cEggfHQuy/d5/wiY+Hw0FrEcv2fBu4jrcAHOVb0tjGU +-> ssh-ed25519 2LuoZg zESXgDpiWV7/jud6uEA0OwMSiEQtme/yXc8eY9RGdic +TfoDZwCfgWnT8GWVUIYxrkiIou9Mz+tEsI54R3+yjQ0 +-> ssh-ed25519 NrwbpQ KcoBu8TytgLpxi6eqW8C3ULS3HNcWDCZZv3KEg9kSkc +DiJyMD9sinUTshaMfGKQLP5+IYkYPMUN1zTiLKdaVGc +-> ssh-ed25519 sh8POQ tXsLdhhxvITQiS/S/NGQcPukN4k4WwK6+91QPo14R1w +IaOYiyTrwkKtmhMaiSC3GKMkoMuwqFOR7o8pGMcPuS0 +-> de-grease +xaypT8fe2Z2EwJObyuPX1cQa3UAHjV7HqUgSU3elCelM4bT0JjWUW5AZ/9Uw2rQl +t+eqkdaMCpN3MECAshq0j2UGKQEQ5XkQ3/tGfw +--- F0PmspXBbaBqhNf6VRXLqV1C4z4Cyz2iUZ+d83YjEoo +|Ncj{wl6WPzH? oOR?S3}R}"X-ku-\z SN*WoPݨgJ Jl!v8B58OZ*ѣ^FkS 4Koʹ+ \ No newline at end of file
diff --git a/secrets/restic-server/desastro.age b/secrets/restic-server/desastro.age @@ -1,19 +1,16 @@ age-encryption.org/v1 --> X25519 MB9ymPMV0Q8qsRYOVqtf5R2NElIwW1cl3XIcIf8o21k -uwvuf/6UawBU56cwD1xFJ0BKw1P7QXfq1CdSUvnEDVw --> ssh-ed25519 V0uUrw QBgYzfRBwRv1ahuaiyUIIDzXBk92ZJZGO0r77O214i0 -uFyPxFm+jKd2l82eIRgaSOzi5Bxog2PzBT/aTNCz1iY --> ssh-ed25519 YtLkIw yT42kM9UGLs9JY5zbf7sm9jsaIOk3gvNrdXVh64dTn0 -/Iomy8VCv6pW/QBI8JhNfKaZkFcH5Xa1ChLD6uEOtjQ --> ssh-ed25519 qAHlAg MHPrRp9V4quaJ145/2F53Wq3t7L3+09PAvjNLITU7m0 -VTZ5WmxjjLCVe+C/h4xwC0SU00sLSQikMc3LW57ABHI --> ssh-ed25519 NrwbpQ 00pMSVPL2pDXy6o3D0x7QPubHEP/k900OzQ9hADr7yU -qEZZov0h2ZDiCjyXlvZ74pb6lPMtIjZSMugiFPWx5Zw --> ssh-ed25519 2LuoZg WEJclcwll1GA4hPyGQPfY59ZXIoSZp2qvBV6B5Q/TCs -1iwCiFdDmHiuxrwgfR6s0N0Ho2MPYvrXW3aRp+98ajA --> q<&B-grease m:[B Z 79Ej~8d -IPOQMJhG0SMxZalBuSAm9upZBePr/i2Agu/wGMP0VoDo8KvocRk9qf7p/wENwD7v -v4Q ---- tAzFs9wUbQIWeszcZwRJwcymOb2BPjO3bqco1UuauYg -3x%Y/&J}gՆNsK -vRIduS!{t*&-87X]!3wGn- \ No newline at end of file +-> X25519 Lph4an/k60lKHqAKO61VHXfni3hevXDE9LRxI9YoWRc +GmhStNiTZvhdi7KXQwlBWQRDMDC4aDfKTMEIAawT3nM +-> ssh-ed25519 V0uUrw MwLUXRcYy3duiKQRQKMoqNaH9bVlAsXxIGH+rgskC0A +Kb12RzlGbrB6c4BFYKLXGRbwbr0mdqFG5uG6uQvAtM8 +-> ssh-ed25519 NrwbpQ cWRDzNAi7Kyzg84Nc3+Pz4B2dF6y+p91gcLEzi4X11c +nCgI9aUhOQdt7PqNk7ievglZrNgqfDw5CoWvI+SPh1U +-> ssh-ed25519 1rccKw C10ylqKblVjuG6ogytnX7gwsU4EaRWYIcDKrK0WBpDU +rS27EzL9JkIgCyLQ4zM75XWCh/qLnFYWo1Zlp3Lm6QM +-> ssh-ed25519 2LuoZg BpJdUQ1aSjkB3WR1FY6FAmpkc0d0PSMRR5j7gqNIqDA +uWfJw1Hce7gB137y0Q/rBp7qT386yxs42k+kM8Qa0z0 +-> ^1TniAU-grease z?= ~&=2FJL 7= +JiyqtYH9040TXnCI8R7NmR4AFPivPuArTMMwsX6K1D3fvTjGR6A7bvWbgj8gXBDh +jaWG/5P+ +--- l65XrrEONj/Ia5wrZ7A+CrlWerlPehIJ2sHdJFmwxPo +! ㎍]U{|]41B(tv~E(wWsϩ-ypWuٚbn8Y9&v7Y?+ \ No newline at end of file
diff --git a/secrets/restic-server/hector.age b/secrets/restic-server/hector.age Binary files differ.
diff --git a/secrets/restic-server/lollo.age b/secrets/restic-server/lollo.age @@ -1,17 +1,16 @@ age-encryption.org/v1 --> X25519 f7ZsLFA7hebPgURQuHUOsc9LmtzeYEe2+JLFNJ+qlls -UZYE/Sy7tqRVRi1DPtqi6UmTuDmLxdAyFilcUt1oMg8 --> ssh-ed25519 V0uUrw Z6OCZbfcW5jQba/mKD6VX8nnzQxt8R0obEwsA2Typ3E -R/MFOc9yBd5LoVB0dOeq8FjMLDrR1f2xp/mFX3orRD0 --> ssh-ed25519 YtLkIw riIePiKpkE11kHmS3ipaJlcJlObQX5w83ms+crMg6CE -kiIsCqNBPAhy2FoT/WdxvEvHNUu0wkl9tgRtIHR3xi8 --> ssh-ed25519 qAHlAg 5btxsPDE2ZDwgG/suVIckRzVLITM2VjrJxBfBKcY1w8 -elyuZURdKiySCekh9nyze5zIt7cdWfyZmZqJlfutmwA --> ssh-ed25519 NrwbpQ YedRBsNTTKqR/RnXsP+iyYKDutZ4hU+MN0fG5CYI1Rg -brgusZfWGielMjmgM7yGyBBi5E+PDKfSQKDWitqTjZk --> ssh-ed25519 2LuoZg uE9BIqUZ2PBu/3SjOUZ+qqP04VaraqwPxHuyWcyjLiY -+hg/aYuw1GsFIYLf/79dSb2BC4/PCSapYA7ZeNiyI3c --> SEC]V7o-grease .J<PSS Mi(g3L8; -eTGuVpnIEuoy6kY6vj8 ---- hcmspisPZ/M6pA38DuN9+GnAV/DEmzQgee2kNvTz3Qc - oYhZTYM=YpRVb)&cvYqC-- \ No newline at end of file +-> X25519 awUCdgppt5qkhmTK9njZWYt4WprclV+RVsDnCRukrhE +YzEi9v9xzutDGFm/mYJ4/dw2hYagYGzVOJZ7mZzrBVM +-> ssh-ed25519 V0uUrw ND0xjJKayCHqyQiVS7V9Jxc7msHTM3VceXhpqusYJ20 +mPLuVJWM3AvdhdiIJbxXpB8N3zRuEcUe9Aa6JPAKhGg +-> ssh-ed25519 NrwbpQ gW/XdFx3LI41NZGp0a143yNXEqEMcYoa5WcBjV2dAmI +KgSITRkEBbxFNAL+G1fchjr2MowMSw2nLUImKlnnNqw +-> ssh-ed25519 1rccKw 9N0Ap7jrB1s49kEoCtyXdWE3eNWIabPM3IW1PCIWhzg +BxlqjMNkyo3uZgX2C8+TSm3+DKI0x5MgK8npKO+rU1k +-> ssh-ed25519 2LuoZg UBT2dUQtiDs5+Fxn8yDRcopvgfJegxvFebsSQZ3b1Xk +oLSoBhsDAm2bMvKTUZoEaS9LY/9/CDtZcvLVxKjOr9Y +-> S-grease tTb8u_%L Uc{KKd +ssm14fV4fsXSUMQ8EFVCK6Hp5FxpyC82vkX92Pjo3tLGShJ9uWup0/pOAUlhC5pj +tGcpfDMv22K880z34+svcFhum1sGYGq2aHz7oHI9lpjY95555v1Q56lcbcZjpPw +--- Ufs5dbdMIK5NYo+mhMPeJPdWmkzKoCgg/eTF7QiVnTA +5'pG$Rf/*-*%#H#leG\RV[(#+ \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix 
@@ -3,25 +3,22 @@ let coladose = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2ky7icnZOUMDtBPwVoq5icGFAzf1C5nfNhoqZEins7"; #servers - lollo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNCdn6aHCgxG1tq5f0XPvQ+lIgsQ/3gzT6FNvokOIgX"; - desastro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEniZFbgj9w7fQ+MhTnE83MatgcuDI7c7qqx05DTQcun"; + lollo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9YnaIwC5gjlp/ETI6lmpwCYfstnX+DZEt0ZDhQKuwM"; + lollo-old = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNCdn6aHCgxG1tq5f0XPvQ+lIgsQ/3gzT6FNvokOIgX"; + desastro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEniZFbgj9w7fQ+MhTnE83MatgcuDI7c7qqx05DTQcun"; trabbi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLBBZJ9/644d71E8A7IFU7dvDHI+OR/7q79KvqmI/i/"; wanderduene = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+HWYkFCmuHR8HeExYXc2L9CxRdvYZ1UCkbbeDCvF0u"; hector = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWH8uGtxkYfv3CA5Q3qqOvbaTvp9KItrdSiKXZdDUsx"; in { - "passwords/leah-at-f2k1-de.age".publicKeys = [ leah trabbi desastro lollo hector wanderduene ]; - "passwords/leah.age".publicKeys = [ leah trabbi desastro lollo hector wanderduene ]; + "passwords/leah-at-f2k1-de.age".publicKeys = [ leah trabbi desastro lollo lollo-old hector wanderduene ]; + "passwords/leah.age".publicKeys = [ leah trabbi desastro lollo lollo-old hector wanderduene ]; - "restic-server/lollo.age".publicKeys = [ leah trabbi hector lollo ]; - "restic-server/desastro.age".publicKeys = [ leah trabbi hector lollo ]; - "restic-server/hector.age".publicKeys = [ leah trabbi hector lollo desastro ]; - - - "coladose/syncthing/key.age".publicKeys = [ leah coladose ]; - "coladose/syncthing/cert.age".publicKeys = [ leah coladose ]; + "restic-server/lollo.age".publicKeys = [ leah trabbi hector lollo lollo-old ]; + "restic-server/desastro.age".publicKeys = [ leah trabbi hector lollo lollo-old ]; + "restic-server/hector.age".publicKeys = [ leah trabbi hector lollo lollo-old desastro ]; "lollo/mosquitto/passwd-leah.age".publicKeys = [ leah lollo ]; 
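Review bot: Adding `lollo-old` (the old host key under a new name) to the `passwords/*.age` and all three `restic-server/*.age` recipient lists means the retired hardware keeps decrypting those files, including the restic-server secrets for `desastro` and `hector`. The commit describes `lollo-old` as the remains of the old hardware, so each grant should be justified by a service that still runs there. If the restic server moved with `lollo`, the lines can read `"restic-server/desastro.age".publicKeys = [ leah trabbi hector lollo ];` and likewise for the other two. Because the old key stays in use, every `lollo/*.age` secret it could read before this commit remains readable to it from repository history, so where `lollo-old` is trusted less the values themselves need rotating, not only re-encrypting. The hunk also drops the two `coladose/syncthing/*.age` entries while the `coladose` key binding stays; if that is intended, the commit message should say so.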
@@ -41,6 +38,10 @@ in { "lollo/restic/radicale.age".publicKeys = [ leah lollo ]; + "lollo-old/syncthing/key.age".publicKeys = [ leah lollo-old ]; + "lollo-old/syncthing/cert.age".publicKeys = [ leah lollo-old ]; + + "desastro/syncthing/key.age".publicKeys = [ leah desastro ]; "desastro/syncthing/cert.age".publicKeys = [ leah desastro ];