From 24edc739144df8e034957a971bc8afe6b9871cbe Mon Sep 17 00:00:00 2001
From: Fabian Hauser <fabian@fh2.ch>
Date: Wed, 5 Mar 2025 21:42:09 +0200
Subject: [PATCH 1/4] lindberg: Remove old md_data raid

---
 nixos-configurations/lindberg/filesystems.nix | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/nixos-configurations/lindberg/filesystems.nix b/nixos-configurations/lindberg/filesystems.nix
index b594021..8ab29e5 100644
--- a/nixos-configurations/lindberg/filesystems.nix
+++ b/nixos-configurations/lindberg/filesystems.nix
@@ -9,12 +9,8 @@
     MAILADDR root
     ARRAY /dev/md/raid_system metadata=1.2 name=any:raid_system UUID=1becc692:aeb83b67:1c65da45:b8bd4b93
     ARRAY /dev/md/raid_data metadata=1.2 name=any:raid_data UUID=576eabb1:0722bc27:84d9314f:d0145000
-    INACTIVE-ARRAY /dev/md125 metadata=1.2 name=nixos:md_data UUID=b9c36b6d:a2e0fa86:f6dbfe57:857cd0d2
   '';
 
-  # TODO: RAID Monitoring
-  # TODO: Set spin-down time of physical disks
-
   services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint;
 
   # Use the systemd-boot EFI boot loader.

From 3a9454bd92b2d1d0cea1ade1f8047a480a95c0f6 Mon Sep 17 00:00:00 2001
From: Fabian Hauser <fabian@fh2.ch>
Date: Wed, 5 Mar 2025 21:42:30 +0200
Subject: [PATCH 2/4] lindberg: Reinstate /boot-secondary

---
 nixos-configurations/lindberg/filesystems.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/nixos-configurations/lindberg/filesystems.nix b/nixos-configurations/lindberg/filesystems.nix
index 8ab29e5..d8b39b4 100644
--- a/nixos-configurations/lindberg/filesystems.nix
+++ b/nixos-configurations/lindberg/filesystems.nix
@@ -24,11 +24,11 @@
         path = "/boot-primary";
         efiBootloaderId = "NixOS primary";
       }
-      #{
-      #  devices = [ "nodev" ];
-      #  path = "/boot-secondary";
-      #  efiBootloaderId = "NixOS secondary";
-      #}
+      {
+        devices = [ "nodev" ];
+        path = "/boot-secondary";
+        efiBootloaderId = "NixOS secondary";
+      }
     ];
   };
 }

From dc2b87d27eff93e847bbe6760820e85445ff6d4e Mon Sep 17 00:00:00 2001
From: Raphael Zimmermann <mail@raphael.li>
Date: Mon, 17 Mar 2025 11:03:57 +0100
Subject: [PATCH 3/4] Extend vpn user docs

Co-authored-by: Fabian Hauser <fabian@fh2.ch>
---
 defaults/vpn/README.md | 92 +++++++++++++++++-------------------------
 1 file changed, 37 insertions(+), 55 deletions(-)

diff --git a/defaults/vpn/README.md b/defaults/vpn/README.md
index 479a565..364a91e 100644
--- a/defaults/vpn/README.md
+++ b/defaults/vpn/README.md
@@ -1,32 +1,20 @@
 # VPN
 
-On [vpn.qo.is](https://vpn.qo.is) we run a [Tailscale](https://tailscale.com) compatible VPN service. To use the service, you can use a normal Tailscale client with following additional configuration:
-
-| Option | Recommended value | Description |
-|--------|-------------------|-------------|
-| `accept-routes` | enabled (flag) | Accept direct routes to internal services |
-| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
-| `login-server` | `https://vpn.qo.is` | Use our own VPN service and not tailscale's upstream one |
-
-
-⚠️  Currently, if the client is in an IPv6 network, the transport is broken. See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for progress on this.
-
-## Exit nodes
-
-- `100.64.0.5`: lindberg (riedbach-net)
-- `100.64.0.6`: cyprianspitz (plessur-net)
-
-Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
+We run a [Tailscale](https://tailscale.com) compatible VPN service on [vpn.qo.is](https://vpn.qo.is).
 
 ## User and Client Management
 
-To register a new client, you can generate a pre-auth key and insert it in the client:
+To register a new client on the `vpn.qo.is` host:, generate a pre-auth key and insert it in the client:
 
 ```bash
+headscale users create marlene.mayer
 headscale preauthkeys create --user marlene.mayer
 ```
 
-Or alternatively use the register command shown when configuring the VPN client.
+> ⚠️ For now, the username must be added to `qois.vpn-server.wheelUsers`.
+> In the future, the VPN ACL might get more granular to allow for non-wheel users.
+
+Alternatively to using a pre-auth key, the register command shown when configuring the VPN client may be used.
 
 ## ACL
 
@@ -34,49 +22,43 @@ At this time, there are a few ACL rules to isolate a users host but do not expec
 
 ## Exit Nodes
 
-To add an exit node, create a preauth secret on the `vpn.qo.is` host:
+These nodes allow access to the internet for clients connected to the VPN:
 
-```bash
-headscale preauthkeys create --user srv --reusable
-```
+- `100.64.0.5`: lindberg (riedbach-net)
+- `100.64.0.6`: cyprianspitz (plessur-net)
 
-and configure the host as follows:
+> ⚠️ Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
 
-```nix
-# TODO: This should not be a snipped but a module
 
-{config, ...}: {
-  # Use this node as vpn exit node
-  services.tailscale = let meta = config.qois.meta; in {
-    enable = true;
-    openFirewall = true;
-    useRoutingFeatures = "server";
-    authKeyFile = "/secrets/wireguard/tailscale-key"; # The preauth secret. TODO: Should be in sops.
-    extraUpFlags = [
-      "--login-server=https://vpn.qo.is"
-      "--advertise-exit-node"
-      (
-        with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
-      )
-      "--advertise-tags=tag:srv"
-    ];
-  };
-}
-```
+### Add exit nodes:
 
-and register it in Headscale with:
+1. Create a preauth secret on the `vpn.qo.is` host:
+   ```bash
+    headscale preauthkeys create --user srv --reusable
+    ```
+2. Configure the new exit-node host with the `qois.vpn-exit-node` module.
 
-```bash
-headscale nodes register -u srv -k nodekey:xyzxyzxyzxyzxyzxyzxyzxyz
-```
-
-With using the `srv` user, exit nodes and routes get automatically accepted as trusted.
+When using the `srv` user, exit nodes and routes are automatically accepted as trusted.
 
 ## Clients
 
+To use the service, you can use a normal Tailscale client with following additional configuration:
+
+| Option | Recommended value | Description |
+|--------|-------------------|-------------|
+| `accept-routes` | enabled (flag) | Accept direct routes to internal services |
+| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
+| `login-server` | `https://vpn.qo.is` | Use our own VPN service. |
+
+
+> ⚠️ Currently, if the client is in an IPv6 network, the transport is broken.
+> Disable IPv6 connectivity to use the VPN.
+>  See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details.
+
+
 ### NixOS
 
-Sample config:
+Sample config with automatic connectivity to VPN on boot:
 
 ```nix
 { config, pkgs, ... }: {
@@ -96,12 +78,12 @@ Sample config:
 }
 ```
 
-### Mobile App
+### Android
 
-> Android App: Tip 5 times on the tooltip dots to reveal server config option
-
-See [this Headscale documentation for more](https://headscale.net/android-client/#configuring-the-headscale-url) on how to configure the mobile app. Note that on restarts, sometimes you have to reopen/save the config dialog. If the Tailscale login site is shown, just close the browser with the ❌.
+See [this Headscale documentation for more](https://headscale.net/stable/usage/connect/android/) on how to configure the mobile app.
 
+> ⚠️ Note that on restarts, sometimes you have to reopen/save the config dialog.
+> If the Tailscale login site is shown, just close the browser with the ❌.
 
 ## Backup and Restore
 

From 1db545ebabd9f5e91788adbb05a1af3227ec7e40 Mon Sep 17 00:00:00 2001
From: Raphael Zimmermann <mail@raphael.li>
Date: Mon, 17 Mar 2025 11:03:57 +0100
Subject: [PATCH 4/4] Extend vpn user docs

Co-authored-by: Fabian Hauser <fabian@fh2.ch>
---
 defaults/vpn/README.md | 92 +++++++++++++++++-------------------------
 1 file changed, 37 insertions(+), 55 deletions(-)

diff --git a/defaults/vpn/README.md b/defaults/vpn/README.md
index 479a565..364a91e 100644
--- a/defaults/vpn/README.md
+++ b/defaults/vpn/README.md
@@ -1,32 +1,20 @@
 # VPN
 
-On [vpn.qo.is](https://vpn.qo.is) we run a [Tailscale](https://tailscale.com) compatible VPN service. To use the service, you can use a normal Tailscale client with following additional configuration:
-
-| Option | Recommended value | Description |
-|--------|-------------------|-------------|
-| `accept-routes` | enabled (flag) | Accept direct routes to internal services |
-| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
-| `login-server` | `https://vpn.qo.is` | Use our own VPN service and not tailscale's upstream one |
-
-
-⚠️  Currently, if the client is in an IPv6 network, the transport is broken. See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for progress on this.
-
-## Exit nodes
-
-- `100.64.0.5`: lindberg (riedbach-net)
-- `100.64.0.6`: cyprianspitz (plessur-net)
-
-Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
+We run a [Tailscale](https://tailscale.com) compatible VPN service on [vpn.qo.is](https://vpn.qo.is).
 
 ## User and Client Management
 
-To register a new client, you can generate a pre-auth key and insert it in the client:
+To register a new client on the `vpn.qo.is` host:, generate a pre-auth key and insert it in the client:
 
 ```bash
+headscale users create marlene.mayer
 headscale preauthkeys create --user marlene.mayer
 ```
 
-Or alternatively use the register command shown when configuring the VPN client.
+> ⚠️ For now, the username must be added to `qois.vpn-server.wheelUsers`.
+> In the future, the VPN ACL might get more granular to allow for non-wheel users.
+
+Alternatively to using a pre-auth key, the register command shown when configuring the VPN client may be used.
 
 ## ACL
 
@@ -34,49 +22,43 @@ At this time, there are a few ACL rules to isolate a users host but do not expec
 
 ## Exit Nodes
 
-To add an exit node, create a preauth secret on the `vpn.qo.is` host:
+These nodes allow access to the internet for clients connected to the VPN:
 
-```bash
-headscale preauthkeys create --user srv --reusable
-```
+- `100.64.0.5`: lindberg (riedbach-net)
+- `100.64.0.6`: cyprianspitz (plessur-net)
 
-and configure the host as follows:
+> ⚠️ Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
 
-```nix
-# TODO: This should not be a snipped but a module
 
-{config, ...}: {
-  # Use this node as vpn exit node
-  services.tailscale = let meta = config.qois.meta; in {
-    enable = true;
-    openFirewall = true;
-    useRoutingFeatures = "server";
-    authKeyFile = "/secrets/wireguard/tailscale-key"; # The preauth secret. TODO: Should be in sops.
-    extraUpFlags = [
-      "--login-server=https://vpn.qo.is"
-      "--advertise-exit-node"
-      (
-        with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
-      )
-      "--advertise-tags=tag:srv"
-    ];
-  };
-}
-```
+### Add exit nodes:
 
-and register it in Headscale with:
+1. Create a preauth secret on the `vpn.qo.is` host:
+   ```bash
+    headscale preauthkeys create --user srv --reusable
+    ```
+2. Configure the new exit-node host with the `qois.vpn-exit-node` module.
 
-```bash
-headscale nodes register -u srv -k nodekey:xyzxyzxyzxyzxyzxyzxyzxyz
-```
-
-With using the `srv` user, exit nodes and routes get automatically accepted as trusted.
+When using the `srv` user, exit nodes and routes are automatically accepted as trusted.
 
 ## Clients
 
+To use the service, you can use a normal Tailscale client with following additional configuration:
+
+| Option | Recommended value | Description |
+|--------|-------------------|-------------|
+| `accept-routes` | enabled (flag) | Accept direct routes to internal services |
+| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
+| `login-server` | `https://vpn.qo.is` | Use our own VPN service. |
+
+
+> ⚠️ Currently, if the client is in an IPv6 network, the transport is broken.
+> Disable IPv6 connectivity to use the VPN.
+>  See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details.
+
+
 ### NixOS
 
-Sample config:
+Sample config with automatic connectivity to VPN on boot:
 
 ```nix
 { config, pkgs, ... }: {
@@ -96,12 +78,12 @@ Sample config:
 }
 ```
 
-### Mobile App
+### Android
 
-> Android App: Tip 5 times on the tooltip dots to reveal server config option
-
-See [this Headscale documentation for more](https://headscale.net/android-client/#configuring-the-headscale-url) on how to configure the mobile app. Note that on restarts, sometimes you have to reopen/save the config dialog. If the Tailscale login site is shown, just close the browser with the ❌.
+See [this Headscale documentation for more](https://headscale.net/stable/usage/connect/android/) on how to configure the mobile app.
 
+> ⚠️ Note that on restarts, sometimes you have to reopen/save the config dialog.
+> If the Tailscale login site is shown, just close the browser with the ❌.
 
 ## Backup and Restore