the VM on the synology was reinstalled

All the secrets were re-keyed.

19 files changed, 37 insertions, 15 deletions

diff --git a/README.org b/README.org
index 7a1005c..758eea4 100644
--- a/README.org
+++ b/README.org
@@ -28,7 +28,12 @@ nix run github:nix-community/nixos-anywhere -- --flake .#<host> --target-host ro
 #+end_src
 
 Once the host reboots, check that it's converted to NixOS by running =uname -a=.
-
+** Steps for a new VM on the Synology NAS
+- chose VGA for the display (otherwise ~systemd-udevd~ gets stuck)
+- use UEFI for boot
+- use the ISO generated with =nix build .#nixosConfigurations.iso.config.system.build.isoImage=
+- boot to the installer
+- run =nix run github:nix-community/nixos-anywhere -- --flake .#<name> --target-host <ip>
 ** Create the nixos installer
 Run
 #+begin_src sh
diff --git a/machines/nixos/x86_64-linux/argonath.nix b/machines/nixos/x86_64-linux/argonath.nix
index a67054a..218df5a 100644
--- a/machines/nixos/x86_64-linux/argonath.nix
+++ b/machines/nixos/x86_64-linux/argonath.nix
@@ -31,6 +31,12 @@
       privateKeyFile = config.age.secrets.wireguard.path;
       peers = [
         {
+          # bree
+          publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+          allowedIPs = [ "10.100.0.40/32" ];
+          persistentKeepalive = 25;
+        }
+        {
           # rivendell
           publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
           allowedIPs = [ "10.100.0.60/32" ];
diff --git a/machines/nixos/x86_64-linux/bree.nix b/machines/nixos/x86_64-linux/bree.nix
index 7c8a661..7296077 100644
--- a/machines/nixos/x86_64-linux/bree.nix
+++ b/machines/nixos/x86_64-linux/bree.nix
@@ -9,6 +9,7 @@
     ../../../profiles/cgroups.nix
     ../../../profiles/defaults.nix
     ../../../profiles/disk/basic-vm.nix
+    ../../../profiles/hardware/synology-vm.nix
     ../../../profiles/home-manager.nix
     ../../../profiles/server.nix
   ];
diff --git a/machines/nixos/x86_64-linux/iso.nix b/machines/nixos/x86_64-linux/iso.nix
index e914571..89acbf7 100644
--- a/machines/nixos/x86_64-linux/iso.nix
+++ b/machines/nixos/x86_64-linux/iso.nix
@@ -4,18 +4,20 @@
   imports = [
     "${modulesPath}/installer/cd-dvd/channel.nix"
     "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
-    {
-      home-manager.users.${adminUser.name} = {
-        imports = [
-          { home.stateVersion = "25.05"; }
-        ];
-      };
-    }
+    ../../../profiles/home-manager.nix
   ];
 
   boot.loader.grub.efiSupport = true;
   boot.loader.grub.efiInstallAsRemovable = true;
   boot.loader.grub.device = "nodev";
 
+  home-manager = {
+    users.${adminUser.name} = {
+      imports = [
+        ../../../home/profiles/minimal.nix
+      ];
+    };
+  };
+
   system.stateVersion = "25.05"; # Did you read the comment?
 }
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
index 8e8ab20..bd7d01b 100644
--- a/machines/nixos/x86_64-linux/rivendell.nix
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -54,6 +54,13 @@
       privateKeyFile = config.age.secrets.wireguard.path;
       peers = [
         {
+          # bree
+          publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+          allowedIPs = [ "10.100.0.40/32" ];
+          persistentKeepalive = 25;
+          endpoint = "192.168.1.50:51871";
+        }
+        {
           # argonath
           publicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
           allowedIPs = [ "10.100.0.51/32" ];
diff --git a/profiles/disk/basic-vm.nix b/profiles/disk/basic-vm.nix
index f3d9f33..88db04f 100644
--- a/profiles/disk/basic-vm.nix
+++ b/profiles/disk/basic-vm.nix
@@ -3,6 +3,7 @@
   disko.devices = {
     disk.disk1 = {
       type = "disk";
+      device = "/dev/sda";
       content = {
         type = "gpt";
         partitions = {
diff --git a/secrets/acme-cloudflare-env.age b/secrets/acme-cloudflare-env.age
index ead4006..db0a29e 100644
--- a/secrets/acme-cloudflare-env.age
+++ b/secrets/acme-cloudflare-env.age
diff --git a/secrets/argonath/wireguard.age b/secrets/argonath/wireguard.age
index 7177521..5ae3a5b 100644
--- a/secrets/argonath/wireguard.age
+++ b/secrets/argonath/wireguard.age
diff --git a/secrets/authelia-jwks.age b/secrets/authelia-jwks.age
index 59ac430..4f4d52b 100644
--- a/secrets/authelia-jwks.age
+++ b/secrets/authelia-jwks.age
diff --git a/secrets/authelia-jwt-key.age b/secrets/authelia-jwt-key.age
index ec41112..ac2058f 100644
--- a/secrets/authelia-jwt-key.age
+++ b/secrets/authelia-jwt-key.age
diff --git a/secrets/authelia-storage-key.age b/secrets/authelia-storage-key.age
index ee1d6b1..f315afe 100644
--- a/secrets/authelia-storage-key.age
+++ b/secrets/authelia-storage-key.age
diff --git a/secrets/authelia-users.yaml.age b/secrets/authelia-users.yaml.age
index 4a0f38d..dc8fe62 100644
--- a/secrets/authelia-users.yaml.age
+++ b/secrets/authelia-users.yaml.age
diff --git a/secrets/bree/wireguard.age b/secrets/bree/wireguard.age
index b12c816..de570fa 100644
--- a/secrets/bree/wireguard.age
+++ b/secrets/bree/wireguard.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 pFjJaA zk/q9O4FfhQKjzVrL1zK0h97Vu2vPgrfhlFSJyvrClA
-txm5lizEGN7VH+wWI2+6TjpGRPK3g5UnsSNrDPIshQ4
--> ssh-ed25519 qRUWSw 0pqNpcBK9h8JCh906PB5zN4kuJs6yV3q1/75Gibg+T4
-FLYhwYz72hazErOZBVqUaLNW7M+zHXWCWZo5zQ7jQFk
---- jqpYy1uh4q4KN7BaiBRFdTRssZ429m1FL4lrLHl1xmM
-��q��Rp�[��	x}A�.�aB���<�qE����B�@�^�Q�s�?�F��b��s��[��Z`R��4%�	d֌
��X5
\ No newline at end of file
+-> ssh-ed25519 pFjJaA 0gvJUmVKqpTedh5fWA1vMslSIUXGfVFS9bArPGEiZko
+NuKvkX+sCZE59zqkbF+ecDsqqvGxJd7Fjyc/wZfTtMM
+-> ssh-ed25519 OxmK1A 1NL6Ai4P/bB9un6eQqDacBcs7gbUI2wEaXLqO5EujQk
+xdpVqWKmAi2pofuDnp3U4y8gUnib8/LK4LsD9ATTdy4
+--- cq7KLv/+tx4zisjpe+cny29DcmKhOhee1SWxaR80KlU
+��x6Q����4�2�f��t��D�d�еQQGd
��Lz�=3
d1�P�fU��M��9�����~O��c��P�*yP
\ No newline at end of file
diff --git a/secrets/miniflux-oidc.age b/secrets/miniflux-oidc.age
index d6447df..ba2457f 100644
--- a/secrets/miniflux-oidc.age
+++ b/secrets/miniflux-oidc.age
diff --git a/secrets/restic-nas-smb-config.age b/secrets/restic-nas-smb-config.age
index d90033e..74047f0 100644
--- a/secrets/restic-nas-smb-config.age
+++ b/secrets/restic-nas-smb-config.age
diff --git a/secrets/restic-pw.age b/secrets/restic-pw.age
index 467e611..e31115e 100644
--- a/secrets/restic-pw.age
+++ b/secrets/restic-pw.age
diff --git a/secrets/rivendell/wireguard.age b/secrets/rivendell/wireguard.age
index 3ba9a11..edc808d 100644
--- a/secrets/rivendell/wireguard.age
+++ b/secrets/rivendell/wireguard.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 13f098d..a8f01cf 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,6 +1,6 @@
 let
   hosts = {
-    bree = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKZAKlqOU6bSuMaaZAsYJdZnmNASWuIbbrrOjB6yGb8";
+    bree = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFM4wZaYwz8kuu6lNrdrN6QOyouGQ0v1ye+Iwh1jawNi";
     mba = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c";
     rivendell = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
     argonath = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi9jHqRjpMzXlznTXi4nEtlRlFfyIzB6Ur9A+HDfFoq";
diff --git a/secrets/ssh-remote-builder.age b/secrets/ssh-remote-builder.age
index d83bb7d..374b72e 100644
--- a/secrets/ssh-remote-builder.age
+++ b/secrets/ssh-remote-builder.age