flake.lock: Update

Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/f8ef4541bb8a54a8b52f19b52912119e689529b3' (2025-01-19) → 'github:nix-community/home-manager/9786661d57c476021c8a0c3e53bf9fa2b4f3328b' (2025-01-20) • Updated input 'kyouma-www': 'git+https://woof.rip/emily/kyouma-net.git?ref=refs/heads/main&rev=f4e46ff6820d334c12b8f3a609ab43b895d3b630' (2024-09-22) → 'git+https://woof.rip/emily/kyouma-net.git?ref=refs/heads/main&rev=b27384ef13ce3808804806605abdbb4969b5284c' (2025-01-20) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/cb3173dc5c746fa95bca1f035a7e4d2b588894ac' (2025-01-19) → 'github:nixos/nixos-hardware/61c79181e77ef774ab0468b28a24bc2647d498d6' (2025-01-20) • Updated input 'nixvim': 'github:nix-community/nixvim/8fb2fe22c237b25b8af346870e126fdaeaff688b' (2025-01-19) → 'github:nix-community/nixvim/115994f18e439a1cca9cdaaf15c004870256814d' (2025-01-20) • Updated input 'sops-nix': 'github:Mic92/sops-nix/4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6' (2025-01-17) → 'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4' (2025-01-20) • Updated input 'stylix': 'github:danth/stylix/51ad2cec11e773a949bdbec88bed2524f098f49a' (2025-01-18) → 'github:danth/stylix/268daf22a1f93a00b7efc74c367d6711ca7f18e1' (2025-01-20)
matrix: add backup
2025-01-21 14:36:51 +01:00 · 2025-01-21 14:36:45 +01:00 · 2025-01-20 18:09:38 +01:00 · 2025-01-20 16:49:58 +01:00 · 2025-01-20 14:38:32 +01:00 · 2025-01-20 14:38:21 +01:00
27 changed files with 1252 additions and 237 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -5,6 +5,7 @@ keys:
  - &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
  - &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
  - &crime age1sky8kccyyxe79ws4rew42r94427v2xnphq2vtxvdlw5xl7yzgs2q599yzs
+  - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
 creation_rules:
  - path_regex: secrets/services/dns-knot.yaml
    key_groups:
@ -72,3 +73,9 @@ creation_rules:
      - *emily
      age:
      - *crime
+  - path_regex: secrets/restic/zh3485s3.yaml
+    key_groups:
+    - pgp:
+      - *emily
+      age:
+      - *emilia
--- a/config/hosts/emilia/configuration.nix
+++ b/config/hosts/emilia/configuration.nix
@ -17,6 +17,21 @@
  kyouma.machine-type.physical = true;
  kyouma.nginx.defaultForbidden = "uptime.kyouma.net";

+  kyouma.restic = {
+    enable = true;
+    remoteUser = "zh3485s3";
+    timerConfig = {
+      OnCalendar = "0,6,12,18:00:00";
+      Persistent = true;
+    };
+  };
+
+  kyouma.matrix = {
+    enable = true;
+    serverName = "woof.rip";
+    hostname = "matrix.woof.rip";
+  };
+
  networking.hostName = "emilia";

  systemd.network.networks."98-eth-default" = {
@ -33,5 +48,4 @@
      { Gateway = "fe80::1"; }
    ];
  };
-
 }
--- a/config/hosts/integra/configuration.nix
+++ b/config/hosts/integra/configuration.nix
@ -1,6 +1,7 @@
 { ... }: { 
  imports = [
    ../../common
+    ../../users/nil
    ../../profiles/builder.nix
    ../../profiles/headless.nix
    ./hardware-configuration.nix
@ -16,20 +17,16 @@

  networking.hostName = "integra";

-  nix.sshServe.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOWlYhnummuWZbq3+d0x5A67YvlPvtl7/1Dk4RtNlzf christina@cafkafk.com"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/RmFnel8pcZT9nh7EAfKfAekt3BoEXy0G7G2GTacN/ aprl@computer"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 aprl@whatever"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpyVefbZLkNVNzdSIlO6x6JohHE1snoHiUB3Qdvl5I2 aprl@idk"
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVNo871p97NTefP52KYiwuch+FaVScxvcFd9fg0yykySTq7Y5JsxrJQgTnox/oDa0O87OyHD/GHQljAXkqiHpDkExbiGjDmGXJSKReKH061F4FqBnDIwYRzUu9Cxjl4MNqsU0RqLaz4+F42c/L7GROQwjEPUb8JHThRiI5FJnDvvB+oBLBxeyQA4v3O4i8DaDQayTr/XB+aSlhNwKrb6cjjL93AHT1uE53yY5jn4kZX+RiPQhH7rvt9N6E4Yr3CG6nUgRCUS0L66d9yfrq0XAbAVk9F+viV7Nk9qy4MWHtXZ4h0qUlzrGALPgGsCGiLGd4NvEgeCcV4nvxdmevxTSdKlJP75xlmlLVXGyhqCZkTsxm/png2UvDl+p0pLyrgNaNoXPdE0Jbv7C28WX36Nast1QFSMUhexzuOx8OgaOioeXVfK98AouqWb58iPBCvgreUIH/gJhZcnlB/Foo1KSO+fJNH8hAsLH7w0mnKyHhJjkrjjwUqsnpepB3SOLfZTE= aprl@meow"
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD0v3tUBNEUxfoOQBFb+N2DUBQDay0iFggUWa9Nd+BtFLOKkz+RRto3eBF0ZiJZVUxv/hLb8m2s45hcMw8agwuPrXMe5085T1fzkvPdKAPZdsT/cCmBi1OsoLjAKBFIdM4lcV0A2cca8hip+/ZPpjFPUWx73/672gAPHU7co7fP8+8CSf9dx+WIeLx3yaYHYZ/th3dB5auX3VjOazS8MojsAorwTUeBoPamHQ5dFeNafhFUL/hhtGkUI1cNHUn3bJd2V7AKTW3UglK7hVgMJPrzVS31OlpcJEf6S5XgKTWdOSwubn1bs5Lt6YYRDU24NV6CGrwKgCJSRxzNMLwpnFKiSXpO8FzkqWHYWyju141hQcFF31aZIV+7YcwEt5ZukLjFOpVtpbSXvJYigOUzGi34P3/OAGshDXjTQjvM8GIir49gx3b2Nwhg0z4UHBkAKZvDDFPHDMJoclvnhITojaAojfC9zmMCO5ZaEsk8yv7c/lWQumzRpfldWF4mwHvhD5kTADbhRdO7WTdX7AaiAYINooToeWKjFe2wn3rFubPUppptqtP03mmvs7vhhgnEVBbGZRJK3GTVk1XcsfF9rDKzewSa+wb4LsBoZtFRhc8cJqHGlKWSNk7dQ04B1atPyNLKGpGoo/UIPxyZ6bSqFVxY3nhz46VZ6z8XWI48z0/fRQ== aprl@uwu"
-  ];
-
  systemd.network.networks."98-eth-default" = {
    matchConfig.Type = "ether";
    matchConfig.Name = "e*";
-    networkConfig = {
-      DHCP = "yes";
-    };
+    addresses = [
+      { Address = "10.0.0.219/24"; }
+      { Address = "2603:c020:8018:8ddd::dead/128"; }
+    ];
+    routes = [
+      { Gateway = "10.0.0.1"; }
+      { Gateway = "fe80::200:17ff:fe90:4fde"; }
+    ];
  };
 }
--- a/config/hosts/nokotan/configuration.nix
+++ b/config/hosts/nokotan/configuration.nix
@ -0,0 +1,32 @@
+{ ... }: { 
+  imports = [
+    ../../common
+    ../../users/nil
+    ../../profiles/builder.nix
+    ../../profiles/headless.nix
+    ./hardware-configuration.nix
+    ./disko.nix
+  ];
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+
+  kyouma.machine-type.physical = true;
+
+  networking.hostName = "nokotan";
+
+  systemd.network.networks."98-eth-default" = {
+    matchConfig.Type = "ether";
+    matchConfig.Name = "e*";
+    addresses = [
+      { Address = "152.53.80.73/22"; }
+      { Address = "2a0a:4cc0:2000:347b::1/64"; }
+    ];
+    routes = [
+      { Gateway = "152.53.80.1"; }
+      { Gateway = "fe80::1"; }
+    ];
+  };
+}
--- a/config/hosts/nokotan/disko.nix
+++ b/config/hosts/nokotan/disko.nix
@ -0,0 +1,45 @@
+{ inputs, ... }: {
+  imports = [
+    inputs.disko.nixosModules.disko
+  ];
+  disko.devices.disk.root = {
+    device = "/dev/vda";
+    type = "disk";
+    content = {
+      type = "gpt";
+      partitions = {
+        BOOT = {
+          type = "EF00";
+          size = "512M";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+            mountOptions = [ "umask=0077" "defaults" ];
+          };
+        };
+        root = {
+          size = "100%";
+          content = {
+            type = "btrfs";
+            extraArgs = [ "-f" ];
+            subvolumes = {
+              "nixos" = {
+                mountpoint = "/";
+                mountOptions = [ "compress=zstd" "noatime" ];
+              };
+              "home" = {
+                mountpoint = "/home";
+                mountOptions = [ "compress=zstd" "noatime" ];
+              };
+              "nix" = {
+                mountpoint = "/nix";
+                mountOptions = [ "compress=zstd" "noatime" ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/config/hosts/nokotan/hardware-configuration.nix
+++ b/config/hosts/nokotan/hardware-configuration.nix
@ -0,0 +1,10 @@
+{ modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+}
--- a/config/hosts/ryuuko/configuration.nix
+++ b/config/hosts/ryuuko/configuration.nix
@ -69,6 +69,10 @@
    enable = true;
    drivers = [ pkgs.hplip pkgs.brlaser ];
  };
+  services.throttled = {
+    enable = true;
+    extraConfig = builtins.readFile ./throttled.conf;
+  };
  services.usbmuxd.enable = true;

  users.mutableUsers = lib.mkForce true;
--- a/config/hosts/ryuuko/throttled.conf
+++ b/config/hosts/ryuuko/throttled.conf
@ -0,0 +1,62 @@
+[GENERAL]
+Enabled: True
+# SYSFS path for checking if the system is running on AC power
+Sysfs_Power_Path: /sys/class/power_supply/AC*/online
+Autoreload: True
+
+[BATTERY]
+Update_Rate_s: 30
+PL1_Tdp_W: 25
+PL1_Duration_s: 28
+PL2_Tdp_W: 44
+PL2_Duration_S: 0.002
+Trip_Temp_C: 70
+# Set cTDP to normal=0, down=1 or up=2 (EXPERIMENTAL)
+cTDP: 0
+# Disable BDPROCHOT (EXPERIMENTAL)
+Disable_BDPROCHOT: False
+
+[AC]
+Update_Rate_s: 3
+PL1_Tdp_W: 100
+PL1_Duration_s: 60000
+PL2_Tdp_W: 135
+PL2_Duration_S: 600
+Trip_Temp_C: 100
+cTDP: 0
+# Set HWP energy performance hints to 'performance' on high load (EXPERIMENTAL)
+# Uncomment only if you really want to use it
+# HWP_Mode: False
+# Set cTDP to normal=0, down=1 or up=2 (EXPERIMENTAL)
+# Disable BDPROCHOT (EXPERIMENTAL)
+Disable_BDPROCHOT: False
+
+[UNDERVOLT.BATTERY]
+CORE: 0
+GPU: 0
+CACHE: 0
+UNCORE: 0
+ANALOGIO: 0
+
+[UNDERVOLT.AC]
+CORE: 0
+GPU: 0
+CACHE: 0
+UNCORE: 0
+ANALOGIO: 0
+
+# [ICCMAX.AC]
+# # CPU core max current (A)
+# CORE: 
+# # Integrated GPU max current (A)
+# GPU: 
+# # CPU cache max current (A)
+# CACHE: 
+
+# [ICCMAX.BATTERY]
+# # CPU core max current (A)
+# CORE: 
+# # Integrated GPU max current (A)
+# GPU: 
+# # CPU cache max current (A)
+# CACHE: 
--- a/config/hosts/seras/configuration.nix
+++ b/config/hosts/seras/configuration.nix
@ -10,7 +10,11 @@
    ../../services/hydra
    ../../services/update-nixfiles.nix
  ];
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  boot.binfmt = {
+    preferStaticEmulators = true;
+    emulatedSystems = [ "aarch64-linux" "riscv64-linux" ];
+  };

  networking.hostName = "seras";
  systemd.network.networks."98-eth-default" = {
--- a/config/profiles/builder.nix
+++ b/config/profiles/builder.nix
@ -15,9 +15,17 @@
    write = true;
    keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdHbFlGDGtBowdOHTfO3sBaLbBLRyyZTsW6ngeaD917 emily@alucard"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDTwCSWYODyvTJxwB6Rahuy0j6s/YYwtQta8bjzG/We root@ryuuko-arch"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOWlYhnummuWZbq3+d0x5A67YvlPvtl7/1Dk4RtNlzf christina@cafkafk.com"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK397sBHLS66snWNPtmjUy7qZxRJh54N0RRXogKODudl nix@muon"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/RmFnel8pcZT9nh7EAfKfAekt3BoEXy0G7G2GTacN/ aprl@computer"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 aprl@whatever"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpyVefbZLkNVNzdSIlO6x6JohHE1snoHiUB3Qdvl5I2 aprl@idk"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVNo871p97NTefP52KYiwuch+FaVScxvcFd9fg0yykySTq7Y5JsxrJQgTnox/oDa0O87OyHD/GHQljAXkqiHpDkExbiGjDmGXJSKReKH061F4FqBnDIwYRzUu9Cxjl4MNqsU0RqLaz4+F42c/L7GROQwjEPUb8JHThRiI5FJnDvvB+oBLBxeyQA4v3O4i8DaDQayTr/XB+aSlhNwKrb6cjjL93AHT1uE53yY5jn4kZX+RiPQhH7rvt9N6E4Yr3CG6nUgRCUS0L66d9yfrq0XAbAVk9F+viV7Nk9qy4MWHtXZ4h0qUlzrGALPgGsCGiLGd4NvEgeCcV4nvxdmevxTSdKlJP75xlmlLVXGyhqCZkTsxm/png2UvDl+p0pLyrgNaNoXPdE0Jbv7C28WX36Nast1QFSMUhexzuOx8OgaOioeXVfK98AouqWb58iPBCvgreUIH/gJhZcnlB/Foo1KSO+fJNH8hAsLH7w0mnKyHhJjkrjjwUqsnpepB3SOLfZTE= aprl@meow"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD0v3tUBNEUxfoOQBFb+N2DUBQDay0iFggUWa9Nd+BtFLOKkz+RRto3eBF0ZiJZVUxv/hLb8m2s45hcMw8agwuPrXMe5085T1fzkvPdKAPZdsT/cCmBi1OsoLjAKBFIdM4lcV0A2cca8hip+/ZPpjFPUWx73/672gAPHU7co7fP8+8CSf9dx+WIeLx3yaYHYZ/th3dB5auX3VjOazS8MojsAorwTUeBoPamHQ5dFeNafhFUL/hhtGkUI1cNHUn3bJd2V7AKTW3UglK7hVgMJPrzVS31OlpcJEf6S5XgKTWdOSwubn1bs5Lt6YYRDU24NV6CGrwKgCJSRxzNMLwpnFKiSXpO8FzkqWHYWyju141hQcFF31aZIV+7YcwEt5ZukLjFOpVtpbSXvJYigOUzGi34P3/OAGshDXjTQjvM8GIir49gx3b2Nwhg0z4UHBkAKZvDDFPHDMJoclvnhITojaAojfC9zmMCO5ZaEsk8yv7c/lWQumzRpfldWF4mwHvhD5kTADbhRdO7WTdX7AaiAYINooToeWKjFe2wn3rFubPUppptqtP03mmvs7vhhgnEVBbGZRJK3GTVk1XcsfF9rDKzewSa+wb4LsBoZtFRhc8cJqHGlKWSNk7dQ04B1atPyNLKGpGoo/UIPxyZ6bSqFVxY3nhz46VZ6z8XWI48z0/fRQ== aprl@uwu"
    ];
  };
 }
--- a/config/services/arrs/default.nix
+++ b/config/services/arrs/default.nix
@ -12,13 +12,20 @@
    wants = [ "mnt-mezzomix.mount" ];
  });

+  nixpkgs.config.permittedInsecurePackages = [
+    "aspnetcore-runtime-wrapped-6.0.36"
+    "aspnetcore-runtime-6.0.36"
+    "dotnet-sdk-wrapped-6.0.428"
+    "dotnet-sdk-6.0.428"
+  ];
+
  systemd.mounts = lib.singleton {
    description = "rclone mount";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" "radarr.service" "sonarr.service" ];

    where = "/mnt/mezzomix";
-    what = "mezzomix@otos.feralhosting.com:private/rtorrent/data";
+    what = "zorin@otos.feralhosting.com:private/rtorrent/data";
    type = "fuse.sshfs";
    options = "umask=0000,idmap=user,_netdev,rw,nosuid,allow_other,default_permissions,follow_symlinks,reconnect,max_conns=10,identityfile=/etc/keys/ssh_host_ed25519_key";
  };
--- a/config/services/hydra/nix-config.nix
+++ b/config/services/hydra/nix-config.nix
@ -1,41 +1,50 @@
 { config, lib, ... }: {
  nix.buildMachines = let
    base = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    x86-64 = [ "gccarch-x86-64" "gccarch-x86-64-v2" "gccarch-x86-64-v3" ];
+    aarch64 = [ "gccarch-armv8-a" "gccarch-armv8.1-a" "gccarch-armv8.2-a" "gccarch-armv8.2-a+fp16+rcpc+dotprod" ];
+    riscv64 = [ "gccarch-rv64imac" "gccarch-rv64imacfd" "gccarch-rv64gc" ];
  in [
    {
      hostName = "localhost";
      protocol = null;
-      maxJobs = 0;
+      maxJobs = 2;
      speedFactor = 0;
      systems = [ "x86_64-linux" ];
      supportedFeatures = base;
    }
-    {
-      hostName = "integra.kyouma.net";
-      sshUser = "nix-ssh";
-      maxJobs = 2;
-      speedFactor = 4;
-      systems = [ "aarch64-linux" ];
-      supportedFeatures = base;
-      sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
-    }
    {
      hostName = "schrodinger.kyouma.net";
      sshUser = "root";
-      maxJobs = 0;
-      speedFactor = 20;
-      systems = [ "riscv64-linux" ];
-      supportedFeatures = base ++ [ "gccarch-rv64imac" "gccarch-rv64imacfd" "gccarch-rv64gc" ];
-      sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
-    }
-  ] ++ lib.forEach (lib.range 0 11) (num: {
-      hostName = "build-worker-${lib.fixedWidthNumber 2 num}";
-      sshUser = "root";
      maxJobs = 2;
      speedFactor = 20;
-      systems = [ "i686-linux" "x86_64-linux" ];
-      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "gccarch-x86-64" "gccarch-x86-64-v2" "gccarch-x86-64-v3" ];
+      systems = [ "riscv64-linux" ];
+      supportedFeatures = base ++ riscv64 ++ [ "riscv64-linux-native" ];
      sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
+    }
+  ] ++ lib.forEach [
+    { n = "integra"; sf = 24; }
+    { n = "nokotan"; sf = 25; }
+  ] (h: {
+    hostName = "${h.n}.kyouma.net";
+    sshUser = "nix-ssh";
+    maxJobs = 2;
+    speedFactor = h.sf;
+    systems = [ "aarch64-linux" ];
+    supportedFeatures = base ++ aarch64 ++ [ "aarch64-linux-native" ];
+    sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
+  })
+  ++ lib.forEach (lib.range 9 11) (num: {
+    hostName = "build-worker-${lib.fixedWidthNumber 2 num}";
+    sshUser = "root";
+    maxJobs = 2;
+    speedFactor = 20;
+    systems = [ "i686-linux" "x86_64-linux" ]
+      ++ lib.optionals (lib.mod num 5 == 0) [ "aarch64-linux" "riscv64-linux" ];
+    supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" ] ++ x86-64
+      ++ lib.optionals (lib.mod num 5 == 0) (aarch64 ++ riscv64
+        ++ [ "aarch64-linux-qemu" "riscv64-linux-qemu" "x86_64-linux-native" "i686-linux-native" ]);
+    sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
  });
  nixpkgs.config.allowUnsupportedSystem = true;
  nix.distributedBuilds = true;
@ -53,6 +62,7 @@
      "build-worker-03.nyantec.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGqTY74c5g15DSNPNM2Wdr5jAwS7BFgX1XRnhtGOnJc";
      "build-worker-04.nyantec.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICOq+5I+nlAN2lJoOtoXrYEDuZ/TMPMa43pIlablYigK";
      "integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
+      "nokotan.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4QwwbDcIYr64gp9WM+gNX9hr7vqCeVXdr0DmldsNX7";
      "schrodinger.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKo7vZ6lS1wx76YsbAdhOsGcc20YMAW52ep8SZ/FCHDp";
      "lab.nyantec.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUePtVPtBK+CYosufbaGiMT4EVanti4V5t2Wg0g/Fy4";
      "localhost".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
--- a/config/services/jellyfin.nix
+++ b/config/services/jellyfin.nix
@ -2,8 +2,32 @@

  services.jellyfin.enable = true;

+  services.nginx.virtualHosts."watch.kyouma.net" = {
+    forceSSL = true;  
+    http3 = true;
+    quic = true;
+    useACMEHost = "fentanyl.trade";
+    locations = {
+      "= /".return = "302 https://$host/web/";
+      "/" = {
+        proxyPass = "http://[::1]:8096";
+        recommendedProxySettings = true;
+        extraConfig = ''
+          proxy_buffering on;
+        '';
+      };
+      "= /web/" = {
+        proxyPass = "http://[::1]:8096";
+        recommendedProxySettings = true;
+      };
+      "/socket" = {
+        proxyPass = "http://[::1]:8096";
+        recommendedProxySettings = true;
+        proxyWebsockets = true;
+      };
+    };
+  };
  kyouma.nginx.virtualHosts = {
-    "watch.kyouma.net".redirectTo = "fentanyl.trade";
    "fentanyl.trade" = {
      serverAliases = lib.singleton "frotti.ng";
      locations = {
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@ -34,7 +34,6 @@ in {
      add_header Strict-Transport-Security 	$hsts_header;
      add_header X-Content-Type-Options 	  "nosniff" always;
      add_header X-XSS-Protection 		      "1; mode=block" always;
-      add_header X-Frame-Options 		        "SAMEORIGIN" always;
      add_header Referrer-Policy 		        "same-origin" always;
      add_header Alt-Svc                    'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
      #add_header Content-Security-Policy    "script-src 'self'; object-src 'none'; base-uri 'none';" always;
--- a/config/users/emily/default.nix
+++ b/config/users/emily/default.nix
@ -52,7 +52,7 @@

      #ubuntu_font_family
      libsForQt5.breeze-icons
-      (nerdfonts.override { fonts = [ "NerdFontsSymbolsOnly" ]; })
+      nerd-fonts.symbols-only
      jetbrains-mono
      font-awesome
    ];
--- a/config/users/lucy/default.nix
+++ b/config/users/lucy/default.nix
@ -11,6 +11,7 @@
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIId7XvwEHtC9KdGg4Bn+XE+yyBp7/dRToJX9T56mM7ln kosaki@kosaki"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZH8HwE1OxVAArRpc3+c7foYJ/WYjp4BqUyuab9yQyl emilia@emilia"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdONA7yQMPvEgdeCi3uYh4J6K0U5sk/DcwHNa9jv+Jb minorin@kotori"
    ];
  };

--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -8,6 +8,10 @@
      url = "github:zhaofengli/attic";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    conduwuit = {
+      url = "github:girlbossceo/conduwuit?rev=5b8464252c2c03edf65e43153be026dbb768a12a";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
@ -95,6 +99,7 @@
  in {
    hosts = shinyflakes.mapHosts {
      integra = { system = "aarch64-linux"; };
+      nokotan = { system = "aarch64-linux"; };
      lain = { system = "aarch64-linux"; };
    };

--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -0,0 +1,78 @@
+{ config, inputs, lib, pkgs, ... }: let
+  cfg = config.kyouma.matrix;
+  unix_socket_path = "/run/conduwuit/conduwuit.sock";
+in {
+  options.kyouma.matrix = {
+    enable = lib.mkEnableOption "enable matrix server";
+    serverName = lib.mkOption {
+      description = "Name used as a suffix for user and room ids";
+      type = lib.types.nonEmptyStr;
+      default = null;
+    };
+    hostname = lib.mkOption {
+      description = "Domain name that will be used to connect to the server";
+      type = lib.types.nonEmptyStr;
+      default = null;
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    services.conduwuit = {
+      enable = true;
+      package = inputs.conduwuit.packages.${pkgs.system}.default;
+      settings = {
+        global = {
+          inherit unix_socket_path;
+          unix_socket_perms = 666;
+          server_name = cfg.serverName;
+          database_backup_path = "/var/lib/conduwuit/db-backup";
+          database_backups_to_keep = 1;
+          new_user_displayname_suffix = "";
+          ip_lookup_strategy = 4;
+          max_request_size = 256 * 1024 * 1024;
+          federation_timeout = 15 * 60;
+          allow_registration = true;
+          registration_token = "woofwoof";
+          allow_public_room_directory_over_federation = true;
+          allow_public_room_directory_without_auth = false;
+          allow_local_presence = true;
+          allow_incoming_presence = true;
+          allow_outgoing_presence = true;
+          typing_federation_timeout_s = 240;
+          typing_client_timeout_max_s = 240;
+          forbidden_usernames = [ "admin" "administrator" ];
+          admin_execute = [ "server backup-database" ];
+          well_known = {
+            client = "https://${cfg.hostname}";
+            server = "${cfg.hostname}:443";
+          };
+        };
+      };
+    };
+
+    # Element X on iOS doesn't support TLSv1.3 for some reason
+    services.nginx.sslProtocols = "TLSv1.2 TLSv1.3";
+
+    kyouma.nginx.virtualHosts = {
+      ${cfg.hostname}.locations."/" = {
+        proxyPass = "http://unix:${unix_socket_path}";
+        recommendedProxySettings = true;
+      };
+      ${cfg.serverName}.locations."~ ^/.well-known/matrix(/.*)$" = {
+        proxyPass = "http://unix:${unix_socket_path}";
+        recommendedProxySettings = true;
+      };
+    };
+    security.acme.certs.${cfg.hostname} = {};
+    kyouma.restic = {
+      paths = [
+        "/var/lib/conduwuit/media"
+        "/var/lib/conduwuit/IDENTITY"
+        "/var/lib/conduwuit/db-backup"
+      ];
+      backupPrepareCommand = ''
+        systemctl restart conduwuit.service
+      '';
+    }; 
+    systemd.services.conduwuit.serviceConfig.RuntimeDirectoryMode = lib.mkForce "0755";
+  };
+}
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@ -5,13 +5,13 @@
    add_header Alt-Svc                    'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
    #add_header Content-Security-Policy   "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options 	  "nosniff" always;
-    add_header X-XSS-Protection 		      "1; mode=block" always;
    add_header X-Frame-Options 		        "SAMEORIGIN" always;
+    add_header X-XSS-Protection 		      "1; mode=block" always;
    add_header Referrer-Policy 		        "same-origin" always;
  '';
  createHost = vhostName: vhostCfg: {
    extraConfig = lib.optionalString (vhostCfg ? "extraConfig") (
-      vhostCfg.extraConfig + "\n" + extraConfig
+      vhostCfg.extraConfig
    ) + lib.optionalString (
      if (vhostCfg ? "verifyClientCert") then 
        vhostCfg.verifyClientCert
@ -20,7 +20,7 @@
      ssl_client_certificate ${./kyouma_Root_CA.pem};
      ssl_verify_client on;
      ssl_verify_depth 1;
-    '';
+    '' + "\n" + extraConfig;
    forceSSL = true;
  } //
  lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) {
--- a/pkgs/build-worker-oci/cdg/fly.toml
+++ b/pkgs/build-worker-oci/cdg/fly.toml
@ -9,6 +9,7 @@ primary_region = 'cdg'
 [build]
  image = 'registry.fly.io/build-worker-kyoumanet:latest'

+
 [processes]
  bw-09 = '/entrypoint.sh'
  bw-10 = '/entrypoint.sh'
@ -36,32 +37,47 @@ primary_region = 'cdg'
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
+  auto_start_machines = true
+  min_machines_running = 0
  processes = ['bw-09']

  [[services.ports]]
    port = 2209
+  [services.concurrency]
+    hard_limit = 65536
+    soft_limit = 256

 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
+  auto_start_machines = true
+  min_machines_running = 0
  processes = ['bw-10']

  [[services.ports]]
    port = 2210
+  [services.concurrency]
+    hard_limit = 65536
+    soft_limit = 256

 [[services]]
  protocol = 'tcp'
  internal_port = 2222
  auto_stop_machines = 'off'
+  auto_start_machines = true
+  min_machines_running = 0
  processes = ['bw-11']

  [[services.ports]]
    port = 2211
+  [services.concurrency]
+    hard_limit = 65536
+    soft_limit = 256

 [[restart]]
  policy = 'never'

 [[vm]]
  size = 'performance-16x'
-  memory = '96GB'
+  memory = '32GB'
--- a/pkgs/build-worker-oci/default.nix
+++ b/pkgs/build-worker-oci/default.nix
@ -1,11 +1,13 @@
 # I hate this so much aaa
 {
+  lib,
  callPackage,
  dockerTools,
  openssh,
  bash,
  gnused,
  util-linux,
+  qemu-user
 }:

 dockerTools.buildLayeredImage {
@ -20,11 +22,34 @@ dockerTools.buildLayeredImage {

  enableFakechroot = true;

-  contents = [ openssh util-linux bash gnused ];
+  contents = [ openssh util-linux bash gnused qemu-user ];

  config.Cmd = [ "/entrypoint.sh" ];

-  fakeRootCommands = ''
+  fakeRootCommands = let
+    system-features = [
+      "benchmark"
+      "big-parallel"
+      "nixos-test"
+      "uid-range"
+
+      "gccarch-x86-64"
+      "gccarch-x86-64-v2"
+      "gccarch-x86-64-v3"
+      "gccarch-armv8-a"
+      "gccarch-armv8.1-a"
+      "gccarch-armv8.2-a"
+      "gccarch-armv8.2-a+fp16+rcpc+dotprod"
+      "gccarch-rv64imac"
+      "gccarch-rv64imacfd"
+      "gccarch-rv64gc"
+
+      "riscv64-linux-qemu"
+      "aarch64-linux-qemu"
+      "x86_64-linux-native"
+      "i686-linux-native"
+    ];
+  in ''
    mkdir -p /root
    cat <<EOF > /root/nix.conf
    build-users-group = nixbld
@ -36,12 +61,14 @@ dockerTools.buildLayeredImage {
    max-silent-time = 14400
    min-free = ${builtins.toString (49152 * 1024 * 1024)}
    max-free = ${builtins.toString (65536 * 1024 * 1024)}
-    system-features = benchmark big-parallel kvm nixos-test uid-range gccarch-x86-64 gccarch-x86-64-v2 gccarch-x86-64-v3
+    extra-platforms = aarch64-linux i686-linux riscv64-linux
+    system-features = ${toString system-features}
    EOF

    mkdir -p /root/.ssh
    cat <<EOF > /root/.ssh/authorized_keys
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card
+    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdHbFlGDGtBowdOHTfO3sBaLbBLRyyZTsW6ngeaD917 emily@alucard
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK397sBHLS66snWNPtmjUy7qZxRJh54N0RRXogKODudl nix@muon
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko
@ -94,7 +121,9 @@ dockerTools.buildLayeredImage {
    mkdir -p /var/empty
    mkdir -p /var/log

-    cp ${./entrypoint.sh} /entrypoint.sh
+    substitute ${./entrypoint.sh} /entrypoint.sh \
+      --subst-var-by qemu-aarch64 ${lib.getExe' qemu-user "qemu-aarch64"} \
+      --subst-var-by qemu-riscv64 ${lib.getExe' qemu-user "qemu-riscv64"} 
    chmod +x /entrypoint.sh
  '';
 }
--- a/pkgs/build-worker-oci/entrypoint.sh
+++ b/pkgs/build-worker-oci/entrypoint.sh
@ -26,4 +26,14 @@ cp /root/nix.conf /etc/nix/nix.conf
 /bin/mount -t overlay overlay -o lowerdir=/nix,upperdir=/mnt/data/nix-store,workdir=/mnt/data/workdir /nix
 /bin/mount --bind /mnt/data/tmp /tmp

+# Register QEMU binaries for user mode emulation
+aarch64_magic='\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00'
+aarch64_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
+
+riscv64_magic='\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00'
+riscv64_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
+
+echo ":qemu-aarch64:M::$aarch64_magic:$aarch64_mask:@qemu-aarch64@:POCF" >/proc/sys/fs/binfmt_misc/register
+echo ":qemu-riscv64:M::$riscv64_magic:$riscv64_mask:@qemu-riscv64@:POCF" >/proc/sys/fs/binfmt_misc/register
+
 /root/.nix-profile/bin/sshd -D -f /root/sshd_config
--- a/pkgs/build-worker-oci/source.nix
+++ b/pkgs/build-worker-oci/source.nix
@ -4,8 +4,8 @@

 dockerTools.pullImage {
  imageName = "nixos/nix";
-  imageDigest = "sha256:133a1607deea14a02c2bc0850e275ed135814235a1147f68967afee261caea2b";
-  sha256 = "0602a59g14l1jiqfffz14hcp982qaqczi5f0ylvv0h9pp2pqrqs5";
+  imageDigest = "sha256:5a0d942e11cf154230289c4bca0cb391c44ed8e83561f3f8f2ef708bc0edda93";
+  sha256 = "1jc1hzqafc4qx8lw9nialf82qj37jxjynpzsprwk76pzb868x2iw";
  finalImageName = "nixos/nix";
  finalImageTag = "latest";
 }
--- a/pkgs/build-worker-oci/update.sh
+++ b/pkgs/build-worker-oci/update.sh
@ -29,4 +29,5 @@ skopeo --insecure-policy copy docker-archive:"result" \

 rm "result"

-fly deploy
+fly deploy --app build-worker-kyoumanet
+fly deploy --app build-worker-kyoumanet-cdg
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@ -2,7 +2,11 @@ final: prev: {
  nyastodon = final.callPackage ./nyastodon/default.nix {};
  upgrade-system = final.callPackage ./upgrade-system/default.nix {};
  update-nixfiles = final.callPackage ./update-nixfiles/default.nix {};
-  build-worker-oci = final.callPackage ./build-worker-oci/default.nix {};
+  build-worker-oci = final.callPackage ./build-worker-oci/default.nix {
+    qemu-user = final.pkgsStatic.qemu-user.override {
+      hostCpuTargets = [ "aarch64-linux-user" "riscv64-linux-user" ];
+    };
+  };
  librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
  librespeed-go = final.callPackage ./librespeed-go/default.nix {};
  akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
--- a/secrets/restic/zh3485s3.yaml
+++ b/secrets/restic/zh3485s3.yaml
@ -0,0 +1,35 @@
+restic:
+    zh3485s3:
+        password: ENC[AES256_GCM,data:s9AawDoH+OfAcahdpzUQ0/J3STf2dyOnt5aFs6FrZ/wkA9YZv3vg/SRex+6jDRA7,iv:vQQZSubZd2XKu9n/qr2rO0VIeobhn72XZ65kOlX/TeM=,tag:KwMtfslw93Y60wCfZEHxEA==,type:str]
+        id_ed25519: ENC[AES256_GCM,data:5g+/fpinmrOkzOIYaDxZywZUoTfPjzGLE3utCkI2rkffxN8QYtCupE3hHeI1AHbFGWo8UkLZjK47kW/Mqeq4EWqfIR41gnE2PB1YQ6g29KQifJyqoG1SHpkKplB5eV+4JIccJ0NY/Y/MP1c9NuL7iXA9AvkSLTC7rBUiHsJ0fmEKusazv7gOKesv2/rBmpm+9Rp6cNqTCc28tmczarXV1sYNfLy0vXhuRMCkbvqnx3F/W5J+6+81plRbTWrJ+zArwfyf9z9NOLBeNAsRiAhObACD5YTXnd2EwPnevM4V36l1k+pQX1mk0O1PuUCNpujhogbiUlvL8f038uEgKIuVeAUDdCz+YhJeYSXDgta/jkffnjF6my0I8pUb3lzQXk5hqvnlZtvZQO9+mK8w+w8U6zY9jxQwrlC2Cume5IyyN2Vf+CKd2/kV6I48f3yUHOpfJnMfM0Lw78+0rxhOn+IF4bywiddT302pS2kOm3z1/pRpwX/tTk+NnTQF58N+rAyp+uwRJxFfxQ8pMuWabNEUR4cepzNXSqDs12HHbbqaziH4a9M=,iv:Wf56t+KfFA+T93HqC8yusHK03tOLHlBi4eXBY8AprM4=,tag:co80y+TA9XUNc1mjWliarg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OEJHMlFuQm8xeXNhTG5w
+            dCtiU1hwY2lSaVMzME9Wcm5SNkRGM3J5NWhRClhScW5abmVEckFSeTUxd212WnVm
+            NnhqRlRHVUFtVkdFYUUvaWs5UW1kNW8KLS0tIFFiSis0cUR2dTV5S1hSdkpjbGdv
+            VUtqWjMzUm1oVDlCL2V1cXpYbVd4Ym8KfcPUwWdz7aFBjAiIoIbp8F6n4k5vGK3E
+            yxvKDr+Le+vBpljGCD1tWkg8aPvKxHFgyu6nAToXorTI40NZx8bPUA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-19T14:49:46Z"
+    mac: ENC[AES256_GCM,data:5TO2OmjVMGCfSc64DcAyYMmW2sUA+pUCCoe1K/X2yxa0KL6ycYLF5JS+RJRLG62grdnqH6AGHgg9C2GqruJp/+307YsbKEZ+yA/U3GUxSpge1YKQ3JUbRzNsCcGMZ5rz8a1bt+EWPV6QFV+ouuKoEwYrOHlq5L3hepUmcju+nzc=,iv:IKCe7Rbtm4r7A71FmCv50HBqwixJ7t3xvZjdT6vJPc4=,tag:9J5bNEFNB0at+HhiJl5dYQ==,type:str]
+    pgp:
+        - created_at: "2025-01-19T14:48:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D1GtNSlou/HkSAQdA++VY5bgWKEBjlP3NSMaVY3iTUtY9oYc+JWRhTb4I0R8w
+            qGuNlDh6SEX4QQPgopg1/ttNvVOWPKYbmeJuUoJIDkT4GEnteAXCkiC+jp3qkE4v
+            0lwBo15+lfZGs/zXM4A2Q42DHoQvA172tOfpl8lvM+c0pugo6sA5R4kHe4rFDNF1
+            T4/T9fshPu2xXSJn68vNJ/9R0yxzziDSR5U9qPmzjQ/uRkGO7D8ecMC0MTHpQg==
+            =+6BE
+            -----END PGP MESSAGE-----
+          fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1