authorKjetil Orbekk <kj@orbekk.com>2023-12-09 13:49:23 -0500
committerKjetil Orbekk <kj@orbekk.com>2023-12-09 13:58:57 -0500
commit0f7e06553348894ca6f2004d3dc57dd737c35e50 (patch)
tree26d3b953c3e4b9faed8933240a2c91843c727074
parent5b006b278e8ebbcd08a089c28e754c8618d67f50 (diff)
update
-rw-r--r--config/hydra.nix57
-rw-r--r--config/router.nix408
-rw-r--r--data/aliases.nix8
-rw-r--r--data/dns/db.orbekk.shared.zone3
-rw-r--r--flake.lock56
-rw-r--r--flake.nix56
-rw-r--r--machines/container-shape.nix24
-rw-r--r--machines/dragon.nix3
-rw-r--r--machines/minideck.nix10
-rw-r--r--machines/x1-pincer.nix10
-rw-r--r--modules/bridge.nix71
-rw-r--r--modules/common.nix1
-rw-r--r--modules/desktop.nix6
-rw-r--r--modules/gaming.nix192
-rw-r--r--modules/nextcloud.nix3
-rw-r--r--modules/users.nix12
-rw-r--r--secrets/bridge-nightly.age22
-rw-r--r--secrets/secrets.nix2
18 files changed, 65 insertions, 879 deletions
diff --git a/config/hydra.nix b/config/hydra.nix
deleted file mode 100644
index 5ebc605..0000000
--- a/config/hydra.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ config, lib, pkgs, ... }:
-let hydraPort = (import ../data/aliases.nix).services.hydra.port;
-in {
- networking.firewall.allowedTCPPorts = [ hydraPort ];
-
- virtualisation.virtualbox.host.enable = true;
-
- services.hydra = {
- enable = true;
- hydraURL = "https://hydra.orbekk.com";
- notificationSender = "kj+hydra@orbekk.com";
- buildMachinesFiles = [ ];
- useSubstitutes = true;
- port = hydraPort;
- extraConfig = ''
- store-uri = file:///nix/store?secret-key=/opt/secret/hydra_key/hydra.orbekk.com-1/secret
- '';
- };
-
- # From https://github.com/input-output-hk/iohk-nixops
- systemd.services.hydra-manual-setup = {
- description = "Create Keys for Hydra";
- serviceConfig.Type = "oneshot";
- serviceConfig.RemainAfterExit = true;
- wantedBy = [ "multi-user.target" ];
- requires = [ "hydra-init.service" ];
- after = [ "hydra-init.service" ];
- environment = lib.mkForce config.systemd.services.hydra-init.environment;
- script = ''
- if [ ! -e /opt/secret/hydra_key/initialized ]; then
- # create signing keys
- /run/current-system/sw/bin/install -d -m 551 /opt/secret/hydra_key/hydra.orbekk.com-1
- /run/current-system/sw/bin/nix-store --generate-binary-cache-key hydra.orbekk.com-1 /opt/secret/hydra_key/hydra.orbekk.com-1/secret /opt/secret/hydra_key/hydra.orbekk.com-1/public
- /run/current-system/sw/bin/chown -R hydra:hydra /opt/secret/hydra_key
- /run/current-system/sw/bin/chmod 440 /opt/secret/hydra_key/hydra.orbekk.com-1/secret
- /run/current-system/sw/bin/chmod 444 /opt/secret/hydra_key/hydra.orbekk.com-1/public
- # done
- touch /opt/secret/hydra_key/initialized
- fi
- '';
- };
-
- nix = {
- distributedBuilds = true;
- nrBuildUsers = 30;
- # Enable this if I run low on disk.
- gc.automatic = lib.mkForce false;
- buildMachines = [{
- hostName = "localhost";
- systems = [ "x86_64-linux" "i686-linux" ];
- maxJobs = "16";
- supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
- }];
- extraOptions = "auto-optimise-store = true";
- };
- nixpkgs.config = { allowUnfree = true; };
-}
diff --git a/config/router.nix b/config/router.nix
deleted file mode 100644
index cb2eeb2..0000000
--- a/config/router.nix
+++ /dev/null
@@ -1,408 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- wan-dev = "bond0.10";
- lan-dev = "bond0";
- # config.orbekk.nycmesh.listenPort
- wireguardPorts =
- [ config.orbekk.mullvad.listenPort config.orbekk.vpn.listenPort ];
- mullvadMark = 30;
- heMark = 200;
- # nycmeshMark = 32;
- aliases = import ../data/aliases.nix;
-in {
- orbekk.mullvad.enable = true;
- orbekk.nycmesh.enable = false;
-
- services.tftpd.enable = true;
- services.openntpd.enable = true;
-
- environment.systemPackages = with pkgs; [ iptables ];
-
- networking.useDHCP = false;
-
- networking.networkmanager.enable = lib.mkForce false;
-
- networking.nameservers =
- [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
-
- networking.vlans = builtins.listToAttrs (map (id: {
- name = "${lan-dev}.${toString id}";
- value = {
- inherit id;
- interface = lan-dev;
- };
- }) [ 10 30 32 100 255 ]);
-
- networking.bonds.bond0 = {
- interfaces = [ "eno1" "eno2" ];
- driverOptions = {
- miimon = "1000";
- mode = "balance-rr";
- };
- };
-
- systemd.services.update-dynamic-dns = {
- description = "Update dynamic dns records";
- path = with pkgs; [ bash dnsutils nettools gawk iproute curl ];
- startLimitIntervalSec = 5;
- script = toString ../tools/update-dns.sh;
- };
-
- networking.firewall = {
- enable = lib.mkForce false;
- allowedTCPPorts = lib.mkForce [ ];
- allowedUDPPorts = lib.mkForce [ ];
- allowPing = true;
- logRefusedConnections = false;
- checkReversePath = false;
- };
-
- services.ddclient = {
- enable = true;
- configFile = "/opt/secret/he-ddclient.conf";
- };
- # FIXME: Workaround for ddclient.conf not being available to ddclient.
- systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false;
-
- services.ferm = {
- enable = true;
- config = ''
- @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30 ${lan-dev}.32);
- @def $DEV_LAN = (${lan-dev}.100 vpn);
- @def $DEV_ADMIN = (${lan-dev}.255);
- @def $DEV_WAN = (${wan-dev} he0 mullvad);
- @def $NET_LAN = (172.20.0.0/16);
- @def $NET_HE = (2001:470:8e2e::/48);
-
- # Forward dns queries to dnsmasq on LAN interfaces.
- domain (ip ip6) table nat chain PREROUTING {
- interface ($DEV_LAN $DEV_UNTRUSTED_LAN) daddr $NET_LAN proto (tcp udp) dport 53 REDIRECT to-ports 2053;
- }
-
- domain (ip ip6) table filter {
- chain INPUT {
- policy DROP;
-
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- interface lo ACCEPT;
- proto icmp ACCEPT;
-
- proto (udp udp) dport dhcpv6-client ACCEPT;
-
- proto 41 ACCEPT; # IPv6 sit tunnel
-
- interface ($DEV_WAN $DEV_LAN $DEV_UNTRUSTED_LAN) @subchain "wan_services" {
- # Valheim
- proto udp dport (3400 3401 3402) ACCEPT;
-
- proto (tcp udp) dport 2053 ACCEPT;
- proto (tcp udp) dport (bootpc bootps) ACCEPT;
- proto tcp dport ssh ACCEPT;
- proto (tcp udp) dport domain ACCEPT;
- proto tcp dport (http https) ACCEPT;
- proto udp dport (${
- lib.concatStringsSep " " (map toString wireguardPorts)
- }) ACCEPT;
- }
-
- interface ($DEV_LAN $DEV_UNTRUSTED_LAN) {
- proto (tcp udp) dport 1080 ACCEPT; # socks proxy
- }
-
- interface ($DEV_LAN $DEV_ADMIN) @subchain "lan_services" {
- proto (tcp udp) dport 5000 ACCEPT; # random debugging
-
- proto (tcp udp) dport postgresql ACCEPT; # internal network only!
-
- proto (tcp udp) dport (ssh domain bootpc bootps ntp) ACCEPT;
- # prometheus temp rule
- proto tcp dport 11112 ACCEPT;
- proto (tcp udp) dport tftp ACCEPT;
-
- # RTMP streaming
- proto (tcp udp) dport 1935 ACCEPT;
-
- # Chromecast
- # proto udp dport 32768:61000 ACCEPT;
- # proto udp dport (5353 1900) ACCEPT;
- # proto tcp dport (8008 8009) ACCEPT;
-
- # Samba
- proto tcp dport (139 445) ACCEPT;
- proto udp dport (137 138) ACCEPT;
-
- # Project Zomboid
- proto udp dport (16261 16262) ACCEPT;
-
- # interface $DEV_LAN jump logdrop;
- }
- }
-
- chain OUTPUT policy ACCEPT;
-
- chain FORWARD {
- policy DROP;
-
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- interface $DEV_UNTRUSTED_LAN outerface $DEV_WAN ACCEPT;
- interface $DEV_LAN ACCEPT;
-
- # jump logdrop;
- }
- }
-
- domain ip6 table filter chain INPUT {
- proto ipv6-icmp ACCEPT;
- }
-
- domain (ip ip6) table filter chain logdrop {
- LOG log-level warning log-prefix "dropped ";
- DROP;
- }
-
- domain (ip ip6) table filter chain INPUT {
- interface $DEV_WAN DROP;
- # jump logdrop;
- }
-
- domain ip table nat {
- chain POSTROUTING {
- saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
- }
- }
-
- domain (ip ip6) table mangle {
- chain PREROUTING {
- interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark};
- # Route HE traffic via tunnel.
- # saddr $NET_HE MARK set-mark ${toString heMark};
- # saddr 2001:470:1f06:1194::2/64 MARK set-mark ${toString heMark};
- }
- }
- '';
- };
-
- services = {
- openssh.enable = lib.mkDefault true;
- openssh.settings.PasswordAuthentication = false;
- };
-
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv4.conf.default.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv6.conf.default.forwarding" = true;
- };
-
- #services.hostapd = {
- # enable = true;
- # # driver = "iwlwifi";
- # ssid = "2c";
- # wpaPassphrase = "mintchip";
- # interface = "${lan-dev}";
- # hwMode = "g";
- # channel = 11;
- # extraConfig = ''
- # country_code=US
- # wpa_key_mgmt=WPA-PSK
- # rsn_pairwise=CCMP
- # '';
- #};
-
- networking.dhcpcd = {
- # Wait for v4 and v6 addresses.
- # wait = "both";
- extraConfig = ''
- noipv6rs
- nohook resolv.conf
- interface ${wan-dev}
- dhcp
- # ipv6rs
- # iaid 0
- # ia_pd 0//56 ${lan-dev}.100/2/64
- '';
- runHook = ''
- # if [[ $reason =~ BOUND6|REBIND6 ]]; then
- # ip=${pkgs.iproute}/bin/ip
- # $ip addr add dev $interface "''${new_dhcp6_ia_pd1_prefix1}/64" || true
- # if [[ $new_dhcp6_ia_pd1_prefix1 != $old_dhcp6_ia_pd1_prefix1 ]]; then
- # $ip addr delete dev $interface "''${old_dhcp6_ia_pd1_prefix1}/64"
- # fi
- # fi
- systemctl restart update-dynamic-dns.service
- '';
- };
- systemd.services.dhcpcd = {
- after = [ "network-addresses-${wan-dev}.service" ];
- preStart = lib.mkAfter ''
- ${pkgs.iproute}/bin/ip link set dev ${wan-dev} address ${
- config.networking.interfaces.${wan-dev}.macAddress
- };
- '';
- };
-
- services.dnsmasq = {
- enable = true;
- servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
- resolveLocalQueries = false;
- extraConfig = ''
- port=2053
-
- no-resolv
- no-hosts
-
- address=/localhost/::1
- address=/localhost/127.0.0.1
-
- enable-ra
- dhcp-authoritative
-
- # Null AAAA response on these domains
- server=/netflix.com/#
- address=/netflix.com/::
- server=/netflix.net/#
- address=/netflix.net/::
- server=/nflxext.com/#
- address=/nflxext.com/::
- server=/nflximg.net/#
- address=/nflximg.net/::
- server=/nflxvideo.net/#
- address=/nflxvideo.net/::
- server=/nflxso.net/#
- address=/nflxso.net/::
-
- dhcp-range=vlan30,172.20.30.50,172.20.30.254,5m
- dhcp-option=net:vlan30,option:router,172.20.30.1
- dhcp-option=net:vlan30,option:dns-server,193.138.218.74
- dhcp-option=net:vlan30,option:domain-search,nyc.orbekk.com
-
- dhcp-range=vlan100,172.20.100.50,172.20.100.254,5m
- dhcp-host=vlan100,d8:3b:bf:59:22:de,172.20.100.10
- dhcp-range=vlan100,::100,::500,constructor:bond0.100,ra-only
- dhcp-option=net:vlan100,option:router,172.20.100.1
- dhcp-option=net:vlan100,option:dns-server,172.20.100.1
- dhcp-option=net:vlan100,option:domain-search,nyc.orbekk.com
-
- dhcp-range=vlan32,172.20.32.50,172.20.32.254,5m
- dhcp-range=vlan32,::100,::500,constructor:bond0.32,ra-only
- dhcp-option=net:vlan32,option:router,172.20.32.1
- dhcp-option=net:vlan32,option:dns-server,172.20.32.1
- dhcp-option=net:vlan32,option:domain-search,nyc.orbekk.com
- '';
- };
-
- networking.sits.he0 = {
- dev = wan-dev;
- remote = "209.51.161.14";
- };
-
- networking.iproute2.enable = true;
- # ${toString nycmeshMark} nycmesh
- networking.iproute2.rttablesExtraConfig = ''
- ${toString mullvadMark} mullvad
- ${toString heMark} he
- '';
-
- systemd.services.network-route-setup = {
- description = "HE tunnel route setup";
- requires = [ "network-online.target" ];
- after = [ "network.target" "network-online.target" ];
- wantedBy = [ "multi-user.target" ];
- path = [ pkgs.iproute ];
- script = ''
- #ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true
- #ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
- ip -6 route flush cache
- ip -6 rule add fwmark ${toString heMark} table he || true
- '';
- };
-
- networking.wireguard.interfaces.mullvad.postSetup = ''
- ip rule add fwmark ${toString mullvadMark} table mullvad
- ip route replace default dev mullvad table mullvad
- ip route flush cache
- '';
-
- # networking.wireguard.interfaces.nycmesh.postSetup = ''
- # ip rule add fwmark ${toString nycmeshMark} table nycmesh
- # ip route replace default via 10.70.73.1 onlink dev nycmesh table nycmesh
- # ip route flush cache
- # '';
-
- # boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true;
-
- networking.interfaces.${wan-dev} = {
- macAddress = "3c:97:0e:19:7e:5c";
- useDHCP = true;
- };
-
- networking.interfaces.he0.ipv6 = {
- addresses = [
- {
- address = "2001:470:1f06:1194::2";
- prefixLength = 64;
- }
- {
- address = "2001:470:8e2e:20::d";
- prefixLength = 64;
- }
- ];
- routes = [
- {
- address = "::";
- prefixLength = 0;
- }
- {
- address = "::";
- prefixLength = 0;
- options = { table = "he"; };
- }
- ];
- };
-
- networking.interfaces."${lan-dev}".useDHCP = false;
- networking.interfaces."${lan-dev}.255" = {
- ipv4.addresses = [{
- address = "10.10.255.3";
- prefixLength = 24;
- }];
- ipv6.addresses = [{
- address = "2001:470:8e2e:ffff::3";
- prefixLength = 64;
- }];
- useDHCP = false;
- };
- networking.interfaces."${lan-dev}.100" = {
- ipv4.addresses = [{
- address = "172.20.100.1";
- prefixLength = 24;
- }];
- ipv6.addresses = [{
- address = "2001:470:8e2e:100::1";
- prefixLength = 64;
- }];
- useDHCP = false;
- };
- networking.interfaces."${lan-dev}.30" = {
- ipv4.addresses = [{
- address = "172.20.30.1";
- prefixLength = 24;
- }];
- useDHCP = false;
- };
- networking.interfaces."${lan-dev}.32" = {
- ipv4.addresses = [{
- address = "172.20.32.1";
- prefixLength = 23;
- }];
- ipv6.addresses = [{
- address = "2001:470:8e2e:32::1";
- prefixLength = 64;
- }];
- useDHCP = false;
- };
-}
diff --git a/data/aliases.nix b/data/aliases.nix
index e04aad7..b4ea539 100644
--- a/data/aliases.nix
+++ b/data/aliases.nix
@@ -51,13 +51,5 @@ rec {
hledger-web = { port = 11116; };
prometheus-pms7003-exporter = { host = "172.20.100.10"; port = 11117; };
keycloak = { http-port = 11118; https-port = 11119; };
- bridge = {
- address = ip.dragon;
- port = 11121;
- };
- bridge_nightly = {
- address = ip.dragon;
- port = 11122;
- };
};
}
diff --git a/data/dns/db.orbekk.shared.zone b/data/dns/db.orbekk.shared.zone
index f87bf6b..3b8ccc4 100644
--- a/data/dns/db.orbekk.shared.zone
+++ b/data/dns/db.orbekk.shared.zone
@@ -1,7 +1,7 @@
$TTL 600
@ IN SOA ns1.he.net. root.orbekk.com. (
$serial; serial
- 617; refresh
+ 618; refresh
900; retry
2419200; expire
3600;
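Review bot: The value bumped from 617 to 618 on L534–L535 is the SOA refresh field (seconds secondaries wait before re-checking the zone), not the serial, which stays templated as `$serial` on L533; if this bump exists to force a content change so the serial template regenerates, it is silently shortening a real timer as a side effect. I cannot see how `$serial` is filled, so this is inferred. If that is the mechanism, a comment such as `; bump a comment line, not the refresh timer, to force re-serialisation` next to the SOA would save the next editor from the same trick; if a ~10 minute refresh is intended, a comment saying so would make the unusual value deliberate.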
@@ -34,7 +34,6 @@ grafana IN CNAME dragon.dynamic.orbekk.com.
nextcloud IN CNAME dragon.dynamic.orbekk.com.
money IN CNAME dragon.dynamic.orbekk.com.
auth IN CNAME dragon.dynamic.orbekk.com.
-bridge IN CNAME dragon.dynamic.orbekk.com.
;; Internal admin network
gw.nyc IN A 10.10.255.3
diff --git a/flake.lock b/flake.lock
index e6b8393..3b61d25 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
]
},
"locked": {
- "lastModified": 1696775529,
- "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
+ "lastModified": 1701216516,
+ "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
"owner": "ryantm",
"repo": "agenix",
- "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
+ "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
"type": "github"
},
"original": {
@@ -73,11 +73,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
- "lastModified": 1700847529,
- "narHash": "sha256-jvTozEnNxaR7jvHc50eAfHoP8aN7+QPt1ETqr+raGSo=",
+ "lastModified": 1702143514,
+ "narHash": "sha256-LtDzy6lGkiJF2R+y2SMQ9vjl0yvo0fOI4yZqu1aLy1w=",
"owner": "nix-community",
"repo": "emacs-overlay",
- "rev": "d419c32b00f86aa2bdf56ad8e1f4516b796539b9",
+ "rev": "0c7b9e24eb801bb37870ce579d84b0f06ff8f5d6",
"type": "github"
},
"original": {
@@ -107,11 +107,11 @@
"systems": "systems"
},
"locked": {
- "lastModified": 1694529238,
- "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+ "lastModified": 1701680307,
+ "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+ "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
@@ -180,11 +180,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
- "lastModified": 1700809851,
- "narHash": "sha256-/TkZyUowBQflVQWXXd9sVkf4mwbeoKbwGazqrV7YsHA=",
+ "lastModified": 1701953467,
+ "narHash": "sha256-dpx/o701Jj7YGN+8D2ccY6gloGZ10hMSQs+ddhD+7v4=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
- "rev": "650ec6e90eb6dbb17c18e575099d77cd7f525c0b",
+ "rev": "fb984b33b033e8ed625a11c95b313eefc3ebb99e",
"type": "github"
},
"original": {
@@ -241,11 +241,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1700559156,
- "narHash": "sha256-gL4epO/qf+wo30JjC3g+b5Bs8UrpxzkhNBBsUYxpw2g=",
+ "lastModified": 1701656485,
+ "narHash": "sha256-xDFormrGCKKGqngHa2Bz1GTeKlFMMjLnHhTDRdMJ1hs=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "c3abafb01cd7045dba522af29b625bd1e170c2fb",
+ "rev": "fa194fc484fd7270ab324bb985593f71102e84d1",
"type": "github"
},
"original": {
@@ -257,11 +257,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1700612854,
- "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
+ "lastModified": 1701718080,
+ "narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
+ "rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
"type": "github"
},
"original": {
@@ -273,11 +273,11 @@
},
"nixpkgs-stable": {
"locked": {
- "lastModified": 1700678569,
- "narHash": "sha256-2Ki+2UvOidxEb3xB4ADqlbPQ2BZOF4uZMR094O8or2I=",
+ "lastModified": 1701805708,
+ "narHash": "sha256-hh0S14E816Img0tPaNQSEKFvSscSIrvu1ypubtfh6M4=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "8f1180704ac35baded1a74164365ac7cdfba6f38",
+ "rev": "0561103cedb11e7554cf34cea81e5f5d578a4753",
"type": "github"
},
"original": {
@@ -289,11 +289,11 @@
},
"nixpkgs-unstable": {
"locked": {
- "lastModified": 1700612854,
- "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
+ "lastModified": 1701718080,
+ "narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
+ "rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
"type": "github"
},
"original": {
@@ -337,16 +337,16 @@
},
"nixpkgs_4": {
"locked": {
- "lastModified": 1700678569,
- "narHash": "sha256-2Ki+2UvOidxEb3xB4ADqlbPQ2BZOF4uZMR094O8or2I=",
+ "lastModified": 1701952659,
+ "narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "8f1180704ac35baded1a74164365ac7cdfba6f38",
+ "rev": "b4372c4924d9182034066c823df76d6eaf1f4ec4",
"type": "github"
},
"original": {
"owner": "NixOS",
- "ref": "nixos-23.05",
+ "ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
diff --git a/flake.nix b/flake.nix
index 596444f..9103c13 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,5 +1,10 @@
{
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+ nixConfig = {
+ extra-substituters = "https://nix-community.cachix.org";
+ extra-trusted-public-keys = "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=";
+ };
+
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
inputs.nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
inputs.nixos-hardware.url = "github:NixOS/nixos-hardware/master";
inputs.emacs-overlay.url = "github:nix-community/emacs-overlay";
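Review bot: The `extra-trusted-public-keys` entry on L700 makes any store path signed by that key acceptable to Nix, and the block carries no comment saying why the cache is trusted or how the key was verified, so a later edit to `extra-substituters` has nothing to check against. Suggest a comment above `nixConfig`: `# Trusts nix-community's cache key for any path it signs; confirm against the key published at https://nix-community.cachix.org before changing.` Note that flake `nixConfig` only applies to the Nix invocation evaluating this flake, and only once the user accepts it (`accept-flake-config` or the interactive prompt); it is not written into the hosts' nix.conf, so if the cache should also serve ordinary rebuilds it needs to be added to `nix.settings` as well.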
@@ -11,35 +16,15 @@
outputs =
{ self, nixpkgs, nixpkgs-unstable, nixos-hardware, emacs-overlay, agenix, jovian, mujmap }:
let
- pkgs-module = { config, ... }:
- let
- cfg = config.nixpkgs;
-
- extra-packages = final: prev: {
- agenix = agenix.packages.${final.system}.default;
- mujmap = mujmap.packages.${final.system}.default;
- };
-
- unstable-overlay = final: prev: rec {
- unstable = import nixpkgs-unstable {
- inherit (cfg) config localSystem crossSystem;
- };
- };
- in {
- nixpkgs.pkgs = import nixpkgs {
- inherit (cfg) config localSystem crossSystem;
- overlays = cfg.overlays
- ++ [ unstable-overlay extra-packages emacs-overlay.overlay ];
- };
- };
+ systems = ["x86_64-linux"];
+ lib = nixpkgs.lib;
+ forAllSystems = lib.genAttrs systems;
registry-module = { ... }: {
nix.registry.nixpkgs.flake = nixpkgs;
nix.registry.nixpkgs-unstable.flake = nixpkgs-unstable;
};
- lib = nixpkgs.lib;
-
orbekk-modules = let
moduleFiles = lib.attrNames
(lib.filterAttrs (n: v: lib.hasSuffix ".nix" n && v == "regular")
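Review bot: `systems` and `forAllSystems` on L732–L734 are bound but not referenced in any visible hunk, and the `packages."x86_64-linux"` output they look designed for is removed in the next hunk; if nothing else uses them, drop them or apply `forAllSystems` to the outputs that remain. Separately, the deleted `pkgs-module` forwarded `localSystem` and `crossSystem` from `config.nixpkgs` into the unstable import, whereas the replacement overlay in the following hunk passes only `system = final.system`, so a cross-compiled host would no longer get a matching unstable set — confirm no such host exists. The enclosing `outputs` function continues outside this hunk.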
@@ -53,14 +38,23 @@
};
in lib.listToAttrs (map mkModule moduleNames);
- in {
- nixosModules = orbekk-modules // { inherit pkgs-module registry-module; };
+ in rec {
+ nixosModules = orbekk-modules // { inherit registry-module; };
- packages."x86_64-linux" =
- let pkgs = import nixpkgs { system = "x86_64-linux"; };
- in { };
+ overlays = {
+ emacs-overlay = emacs-overlay.overlay;
- nixosConfigurations = let
+ extraPackages = final: prev: {
+ agenix = agenix.packages.${final.system}.default;
+ mujmap = mujmap.packages.${final.system}.default;
+ unstable = import nixpkgs-unstable {
+ system = final.system;
+ config.allowUnfree = true;
+ };
+ };
+ };
+
+ nixosConfigurations = let
mkConfig = { hostName, module ? (./. + "/machines/${hostName}.nix")
, system ? "x86_64-linux" }: {
name = hostName;
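Review bot: The new `unstable` overlay on L760–L763 hard-codes `config.allowUnfree = true`, so every `pkgs.unstable.*` package bypasses the host's own nixpkgs policy — `modules/gaming.nix` keeps an `allowUnfreePredicate` allow-list (L1171–L1175 on this page) that now only governs the stable set. The removed `pkgs-module` inherited `config` from `config.nixpkgs`, so the two sets used to agree. Consider `config = prev.config;` (the evaluated nixpkgs config is exposed on the package set) so unstable follows the host policy, and either way add a comment such as `# unstable ignores the host's unfree policy; allowUnfree is forced on here` so the widening is deliberate. `nixosConfigurations` continues past the end of this hunk.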
@@ -79,6 +73,8 @@
lastModified = pkgs.lib.substring 0 8
(self.lastModifiedDate or self.lastModified or "19700101");
in "${lastModified}.${self.shortRev or "dirty"}";
+
+ nixpkgs.overlays = builtins.attrValues overlays;
})
] ++ lib.optional (hostName == "dex") jovian.nixosModules.jovian;
};
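Review bot: `builtins.attrValues overlays` on L776 applies the overlays in attribute-name order (`emacs-overlay` before `extraPackages`), so their stacking is decided by spelling, and renaming one would silently reorder them. The two visible overlays appear to touch disjoint names, so the order presumably does not matter today; if so, say that with a comment, otherwise make it explicit with `nixpkgs.overlays = [ overlays.emacs-overlay overlays.extraPackages ];`. The enclosing `mkConfig` module starts outside this hunk.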
diff --git a/machines/container-shape.nix b/machines/container-shape.nix
deleted file mode 100644
index db9df2f..0000000
--- a/machines/container-shape.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- imports = [
- ../config/container.nix
- ../config/common.nix
- ../config/users.nix
- # Services
- ../config/hydra.nix
- ../config/matrix.nix
- ../config/cgit.nix
- ../config/weechat.nix
- ../config/web-server.nix
- ../config/mail-server.nix
- ../config/dns.nix
- ../config/borg-backup.nix
- ../config/systemhttpd.nix
- ];
-
- users.defaultUserShell = lib.mkForce pkgs.bash;
-
- networking = {
- hostName = lib.mkForce "shape";
- };
-}
diff --git a/machines/dragon.nix b/machines/dragon.nix
index 409cf5f..9e5f195 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -4,8 +4,6 @@ let
vpnPrefix = "2001:470:8e2e:1000";
in {
imports = [
- # ../config/router.nix
- # ../config/borg-backup.nix
../config/keycloak.nix
../config/dns.nix
../config/web-server.nix
@@ -18,7 +16,6 @@ in {
orbekk.nextcloud.enable = true;
orbekk.backups.enableServer = true;
orbekk.backups.enableClient = true;
- orbekk.bridge.enable = false;
orbekk.zomboid-server.enable = false;
services.tlp.enable = true;
diff --git a/machines/minideck.nix b/machines/minideck.nix
index b4bb8f6..7a76936 100644
--- a/machines/minideck.nix
+++ b/machines/minideck.nix
@@ -11,16 +11,6 @@ with lib;
services.xserver.enable = mkForce false;
services.xserver.displayManager.lightdm.enable = mkForce false;
- # For bridge development.
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "bridge_latest" ];
- ensureUsers = [{
- name = "orbekk";
- ensurePermissions."DATABASE bridge_latest" = "ALL PRIVILEGES";
- }];
- };
-
# Fake pipewire socket activation.
services.pipewire.socketActivation = false;
systemd.user.services.pipewire-setup = {
diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix
index 2a899bc..1b49268 100644
--- a/machines/x1-pincer.nix
+++ b/machines/x1-pincer.nix
@@ -21,16 +21,6 @@ let ports = {
services.printing.drivers = with pkgs; [ gutenprint brlaser ];
services.openssh.enable = true;
- # For bridge development.
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "bridge_latest" ];
- ensureUsers = [{
- name = "orbekk";
- ensurePermissions."DATABASE bridge_latest" = "ALL PRIVILEGES";
- }];
- };
-
# Keycloak config
# age.secrets."dragon-keycloak.age".file = ../secrets/dragon-keycloak.age;
# services.postgresql.enable = true;
diff --git a/modules/bridge.nix b/modules/bridge.nix
deleted file mode 100644
index eb2a0c0..0000000
--- a/modules/bridge.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{ config, lib, pkgs, ... }:
-let cfg = config.orbekk.bridge;
-in with lib; {
- options = {
- orbekk.bridge = {
- enable = mkEnableOption "Enable bridge service";
-
- port = lib.mkOption {
- type = lib.types.port;
- default = (import ../data/aliases.nix).services.bridge_nightly.port;
- description = "bridge local port";
- };
- };
- };
-
- config = mkIf cfg.enable {
- age.secrets.bridge-nightly.file = ./. + "/../secrets/bridge-nightly.age";
-
- systemd.services.bridge-nightly = {
- description = "Bridge Nightly backend";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
-
- environment = {
- BIND_ADDRESS = "[::]:${toString cfg.port}";
- RUST_BACKTRACE = "1";
- AUTHENTICATOR = "oauth";
- OPENID_ISSUER_URL = "https://auth.orbekk.com/realms/test";
- OPENID_CLIENT_ID = "test-client";
- OPENID_CLIENT_SECRET = "secret";
- APP_URL = "https://bridge.orbekk.com";
- DATABASE_URL = "postgres:///bridge_nightly";
- RUST_LOG = "info";
- };
-
- serviceConfig = {
- User = "bridge_nightly";
- Group = "bridge_nightly";
- EnvironmentFile = config.age.secrets.bridge-nightly.path;
- ExecStart = "/opt/bridge-nightly/profile/bin/server";
- };
- };
-
- services.nginx.virtualHosts."bridge.orbekk.com" = {
- enableACME = true;
- forceSSL = true;
- root = "/opt/bridge-nightly/profile";
- locations."/api".proxyPass = "http://localhost:${toString cfg.port}";
- extraConfig = ''
- # Single-page application setup.
- # First attempt to serve request as file, then
- # as directory, then fall back to redirecting to index.html
- try_files $uri $uri/ $uri.html /index.html;
- '';
- };
-
- services.postgresql = {
- enable = true;
- enableTCPIP = true;
- authentication = ''
- host all all 2001:470:8e2e:1000::/64 md5
- host all all 2001:470:8e2e:100::/64 md5
- '';
- ensureDatabases = [ "bridge_nightly" ];
- ensureUsers = [{
- name = "bridge_nightly";
- ensurePermissions."DATABASE bridge_nightly" = "ALL PRIVILEGES";
- }];
- };
- };
-}
diff --git a/modules/common.nix b/modules/common.nix
index 8ae3b06..cca04b3 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -62,7 +62,6 @@
#emacs
emacs-pgtk
#pkgs.unstable.emacsNativeComp
- exa
fd
fzf
git
diff --git a/modules/desktop.nix b/modules/desktop.nix
index a6f54b7..83d6476 100644
--- a/modules/desktop.nix
+++ b/modules/desktop.nix
@@ -71,8 +71,8 @@ in {
};
fonts = {
- enableDefaultFonts = true;
- fonts = with pkgs; [
+ enableDefaultPackages = true;
+ packages = with pkgs; [
fira-code
dejavu_fonts
jetbrains-mono
@@ -89,7 +89,7 @@ in {
};
programs.firefox.enable = true;
- programs.firefox.nativeMessagingHosts.tridactyl = true;
+ programs.firefox.nativeMessagingHosts.packages = [ pkgs.tridactyl-native ];
environment.systemPackages = with pkgs; [
# Wayland packages
diff --git a/modules/gaming.nix b/modules/gaming.nix
index dc881d7..4ec92f0 100644
--- a/modules/gaming.nix
+++ b/modules/gaming.nix
@@ -13,190 +13,6 @@ in {
};
config = lib.mkIf cfg.enable {
- nixpkgs.overlays = [
- # (final: prev: {
- # steamPackages = pkgs'.steamPackages;
- # steam = pkgs'.steam.override {
- # # nativeOnly = true;
- # withJava = true;
- # extraPkgs = p:
- # with pkgs';
- # let
- # xorgdeps = with xorg; [
- # libX11
- # libXrender
- # libXrandr
- # libxcb
- # libXmu
- # libpthreadstubs
- # libXext
- # libXdmcp
- # libXxf86vm
- # libXinerama
- # libSM
- # libXv
- # libXaw
- # libXi
- # libXcursor
- # libXcomposite
- # ];
- # qt5Deps = with pkgs.qt5; [ qtbase qtmultimedia ];
- # gnome3Deps = with pkgs; [
- # gnome3.zenity
- # gtksourceview
- # gnome3.gnome-desktop
- # gnome3.libgnome-keyring
- # webkitgtk
- # ];
- # in [
- # samba
- # tdb
- # glib-networking
- # libxkbcommon
- # fluidsynth
- # hidapi
- # mesa
- # libdrm
- # perl
- # which
- # p7zip
- # gnused
- # gnugrep
- # psmisc
- # opencl-headers
- # cups
- # lcms2
- # mpg123
- # cairo
- # unixODBC
- # samba4
- # sane-backends
- # openldap
- # ocl-icd
- # utillinux
- # fribidi
- # libnghttp2
- # openssl
- # openldap
- # xorg.xrandr
- # xorg.xinput
- # gnome3.gtk
- # zlib
- # dbus
- # freetype
- # glib
- # atk
- # cairo
- # gdk_pixbuf
- # pango
- # fontconfig
- # xorg.libxcb
-
- # # libkrb5
- # nss
- # qt4
- # qt514.full
- # libjack2
- # jack2
- # jack2Full
- # jack_capture
- # libidn2
- # rtmpdump
- # libpsl
-
- # # Common
- # libsndfile
- # libtheora
- # libogg
- # libvorbis
- # libopus
- # libGLU
- # libpcap
- # libpulseaudio
- # libao
- # libevdev
- # udev
- # libgcrypt
- # libxml2
- # libusb-compat-0_1
- # libpng
- # libmpeg2
- # libv4l
- # libjpeg
- # libxkbcommon
- # libass
- # libcdio
- # libjack2
- # libsamplerate
- # libzip
- # libmad
- # libaio
- # libcap
- # libtiff
- # libva
- # libgphoto2
- # libxslt
- # libsndfile
- # giflib
- # zlib
- # glib
- # alsaLib
- # zziplib
- # bash
- # dbus
- # keyutils
- # zip
- # cabextract
- # freetype
- # unzip
- # coreutils
- # readline
- # gcc
- # SDL
- # SDL2
- # curl
- # graphite2
- # gtk2
- # gtk3
- # udev
- # ncurses
- # wayland
- # libglvnd
- # vulkan-loader
- # xdg-utils
- # sqlite
- # gnutls
- # p11-kit
- # libbsd
- # harfbuzz
-
- # # PCSX15 // TODO: "libgobject12.15.so.16: wrong ELF class: ELFCLASS81"
-
- # # WINE
- # cups
- # lcms2
- # mpg123
- # cairo
- # unixODBC
- # samba4
- # sane-backends
- # openldap
- # ocl-icd
- # util-linux
- # libkrb5
-
- # # Proton
- # libselinux
-
- # # Winetricks
- # fribidi
- # ] ++ xorgdeps ++ qt5Deps ++ gnome3Deps;
-
- # };
- # })
- ];
-
- # nixpkgs.config.allowBroken = true;
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"steam"
@@ -207,8 +23,12 @@ in {
];
services.flatpak.enable = true;
-
- programs.steam.enable = true;
+ programs.steam = {
+ enable = true;
+ remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+ dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+ };
+ hardware.opengl.driSupport32Bit = true; # Enables support for 32bit libs that steam uses
hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
hardware.steam-hardware.enable = true;
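Review bot: `remotePlay.openFirewall` and `dedicatedServer.openFirewall` on L1181–L1182 open inbound firewall ports on every host that enables this module, including laptops that will sit on untrusted networks, and the inline comments only restate the option names rather than which host actually needs them. `dedicatedServer.openFirewall` is only useful on a machine that hosts a Source dedicated server, so unless one exists, drop that line; for Remote Play, consider gating it on a per-host option or `lib.mkDefault false` so the desktop machines opt in. A comment naming the host(s) that rely on each rule would let the next reader see whether the exposure is still wanted. The `config` attrset continues outside this hunk.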
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 50e2e4e..c927490 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -15,7 +15,6 @@ in
package = pkgs.nextcloud27;
hostName = "nextcloud.orbekk.com";
home = "/storage/nextcloud";
- enableBrokenCiphersForSSE = false;
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
@@ -34,7 +33,7 @@ in
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{ name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ ensureDBOwnership = true;
}
];
};
diff --git a/modules/users.nix b/modules/users.nix
index 07bfcf8..df0e567 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -116,16 +116,6 @@ in {
home = "/var/lib/hledger-web";
group = "hledger";
};
- bridge = {
- group = "bridge";
- createHome = false;
- isNormalUser = true;
- };
- bridge_nightly = {
- group = "bridge_nightly";
- createHome = false;
- isSystemUser = true;
- };
};
extraGroups = {
fcgi = {
@@ -153,8 +143,6 @@ in {
gid = 505;
};
readonly = { gid = 506; };
- bridge = {};
- bridge_nightly = {};
hledger = lib.mkIf config.orbekk.hledger-web.enable { };
minecraft = { };
builder = { };
diff --git a/secrets/bridge-nightly.age b/secrets/bridge-nightly.age
deleted file mode 100644
index e7b81b7..0000000
--- a/secrets/bridge-nightly.age
+++ /dev/null
@@ -1,22 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa xgQQbQ
-jmalflI/oqIdFCGVWC8jSArYBFCD9lRxQN/WODuW57GsC9wJ8O7lCWNjLO9cX/aj
-PlWuGI3tOfubCppQfZDkbOaMOPCzYIyXbDW+NG1XCSZ+rq0wjSfvJwYfF0RlBAk1
-kpfu+5cn5UYCBC5OiVq6ewfVw7fAFqlWxecZ6s3SBMZmfnwWTPAGbiC/PvQBWRdf
-5L20bHEgVWQrDpeL2z9kizGdt9WfA3E5GADyZGKoY/JrAWN8e66hRd5D6vT6Edkt
-4XeYI2l39h6oUBwEKQqiPrzfqMlK2zR7VKa0y6RqGMzzTXixRAIzFsrU3NjJpkhG
-e48ygOrVyD1pvRz6PUf79UIFzuSwK0XWGAd2qVmEymWZlsqtz0UE1TFuWpI4oegZ
-O/67v8Ch3+NevoPVTWBuEvnNsqbo8AaFeBMn+8V/TMVV8gTyvsSUiFVKoy78reK9
-CpLoeJpe4eLWmwdpuiRR4CB7UsKF9BqvQ7MgAsopudnO4liI7UMoxXKKj8MT5nDp
-heH+pgzANunRvGHWW9YqGnWh8oWk7aQ7Jixs7ej0rBvQyz2a7pZqWXjPhDQmzJvL
-mNvKiiGNr1lig39w5GTS/W9TkDAhJjVRHSq+aLqDwZHmd/PUvXFYsLxSJ3hCi/lJ
-+PipBm12RhDb2zT9UWRH6WpXBkVUz8uMfQd41jg4qyk
--> ssh-ed25519 lwHmDQ 0oBWzy6Bx5KpvKiDswRA7n4iMPCeR9a166ljR1bgsEs
-uOHcfIkbx8cl7NdZc6MRXz+Uq910yQI79BS17aIT1nA
--> ssh-ed25519 Yx9stw Fjkr4mygPE1LsSw17jEQXqDr7OWtgN9DPkHBWoPvohA
-eJ4vpqNytmOU8WOs7LA3qbl6oIEddLKWGmUZINxmVO0
--> #HsP*-grease |%Js})w(
-jBXQOI3K/tLeNePU1ANswFiMaqdtbogTbiDyZM2+pelzz2KxR41ampg2yiBvEZPq
-WCjCsrsVWyP4pIIp2ug
---- Sz78jk9zW3mDlkyTVHqi1+weYwRW7mrONEU94wTKtsU
-…vjV¿ï<š­#7DÁ=ZZ`—ƒK¨Ã]A©Ü/SK6ýy]µ<mswtôD átn6sœ~IŸ›=?c:Û{~ñŠÛð^ç TKbüíG +A \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index dc86c43..10340d9 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,6 +17,4 @@ in {
"firelink-wireguard-key.age".publicKeys = [ firelink ];
"tiny1-wireguard-key.age".publicKeys = [ tiny1 ];
-
- "bridge-nightly.age".publicKeys = [ orbekk dragon pincer ];
}