-rw-r--r--.sops.yaml15
-rw-r--r--archetypes/default.nix1
-rw-r--r--hosts/poweredge/configuration.nix5
-rw-r--r--hosts/poweredge/ddns-updater.nix4
-rw-r--r--hosts/poweredge/hardware-configuration.nix50
-rw-r--r--hosts/poweredge/networking.nix12
-rw-r--r--hosts/poweredge/notification-mailer.nix6
-rw-r--r--hosts/poweredge/resources/secrets/ddns-updater-config.yaml16
-rw-r--r--hosts/poweredge/resources/secrets/mailer-pass.yaml16
-rw-r--r--nixos/default.nix2
-rw-r--r--users/timmy/resources/secrets/hashed-root-password.yaml29
11 files changed, 130 insertions, 26 deletions
diff --git a/.sops.yaml b/.sops.yaml
index 2d54fd2..413b0a2 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,24 +1,31 @@
keys:
- &general age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
- &flex-wg-router age1f0tmpy2nam58skmznjyqd3zf54rxtfrk6fda0vlpq9y3yg6wac7sjf0vja
+ - &poweredge age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
creation_rules:
- - path_regex: timmy/resources/secrets/.*\.yaml
+ - path_regex: timmy/resources/secrets/.*
key_groups:
- age:
- *general
- *flex-wg-router
+ - *poweredge
- - path_regex: T495/resources/secrets/.*\.yaml
+ - path_regex: T495/resources/secrets/.*
key_groups:
- age:
- *general
- - path_regex: X230/resources/secrets/.*\.yaml
+ - path_regex: X230/resources/secrets/.*
key_groups:
- age:
- *general
- - path_regex: flex-wg-router/resources/secrets/.*\.yaml
+ - path_regex: flex-wg-router/resources/secrets/.*
key_groups:
- age:
- *flex-wg-router
+
+ - path_regex: poweredge/resources/secrets/.*
+ key_groups:
+ - age:
+ - *poweredge
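Review bot: The new `poweredge/resources/secrets/.*` rule lists only `*poweredge` as a recipient, so the two secrets added in this commit can be decrypted, edited or rotated only with that host's private key. If the machine is reinstalled or the key is lost the secrets are unrecoverable, and editing them from a workstation means keeping a copy of the host key there; adding `- *general` under `age:`, as the T495 and X230 rules do, avoids both, assuming `general` is the admin key. The existing flex-wg-router rule has the same shape. Separately, the `path_regex` values are unanchored, so each rule also matches any longer path that merely contains the fragment; a `^hosts/` or `^users/` prefix would make the match exact if sops matches against the repository-relative path.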
diff --git a/archetypes/default.nix b/archetypes/default.nix
index ad078ce..5e47bc9 100644
--- a/archetypes/default.nix
+++ b/archetypes/default.nix
@@ -12,5 +12,6 @@
./profiles/headless
./profiles/pi
./profiles/router
+ ./profiles/zfs
];
}
diff --git a/hosts/poweredge/configuration.nix b/hosts/poweredge/configuration.nix
index f62d017..0c51f3c 100644
--- a/hosts/poweredge/configuration.nix
+++ b/hosts/poweredge/configuration.nix
@@ -4,7 +4,7 @@ in {
imports = [
./ddns-updater.nix
./networking.nix
- ./notification-mailer.nix # TODO move some of this stuff to archetype
+ #./notification-mailer.nix # TODO move some of this stuff to archetype
];
# Setup bootloader
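Review bot: Commenting out `./notification-mailer.nix` removes the `services.zfs._zedMailer.enable` setting that file carries, in the same commit that adds ZFS root filesystems for this host, so pool fault events would go unreported unless another notifier is configured elsewhere. The line gives no reason for the disable; if it is temporary, say so next to it, e.g. `# disabled until the mailer secret is wired up; re-enable for ZED alerts`. `#defaultGateway.interface = "wan0";` in hosts/poweredge/networking.nix is switched off the same way without explanation.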
@@ -26,5 +26,8 @@ in {
# Enable user timmy
_users.timmy.enable = true;
+ # Without this, "ZFS requires networking.hostId to be set" will be raised
+ networking.hostId = "4d9e002f";
+
system.stateVersion = "25.11";
}
diff --git a/hosts/poweredge/ddns-updater.nix b/hosts/poweredge/ddns-updater.nix
index 2f0ce53..30f6e05 100644
--- a/hosts/poweredge/ddns-updater.nix
+++ b/hosts/poweredge/ddns-updater.nix
@@ -1,13 +1,13 @@
{ config, ... }: {
# Password file for mail application password
- sops.secrets.ddnsUpdater.sopsFile = ./resources/secrets/ddns-updater-config.json;
+ sops.secrets.ddns-updater-config.sopsFile = ./resources/secrets/ddns-updater-config.yaml;
# Enable ddns updater
services.ddns-updater = {
enable = true;
environment = {
SERVER_ENABLED="no";
- CONFIG_FILEPATH = config.sops.secrets.ddnsUpdater.path;
+ CONFIG_FILEPATH = config.sops.secrets.ddns-updater-config.path;
PERIOD = "5m";
};
};
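Review bot: `CONFIG_FILEPATH` points at the sops secret path, but the declaration sets no `owner` or `mode`, and sops-nix creates secrets root-owned with mode `0400` by default. If the ddns-updater unit runs as an unprivileged or dynamic user (worth checking in the module), it will not be able to read its config; grant access to that service user only rather than loosening the mode, since the file holds provider credentials. The comment above the declaration still reads `# Password file for mail application password`, which looks copied from the mailer module; `# sops-encrypted provider config for ddns-updater` would describe what the secret holds.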
diff --git a/hosts/poweredge/hardware-configuration.nix b/hosts/poweredge/hardware-configuration.nix
new file mode 100644
index 0000000..0fcc098
--- /dev/null
+++ b/hosts/poweredge/hardware-configuration.nix
@@ -0,0 +1,50 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "megaraid_sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "zpool/root";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/nix" =
+ { device = "zpool/nix";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/var" =
+ { device = "zpool/var";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/home" =
+ { device = "zpool/home";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/D083-98C0";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix
index 31f3b40..c293831 100644
--- a/hosts/poweredge/networking.nix
+++ b/hosts/poweredge/networking.nix
@@ -4,8 +4,8 @@
_interfaceLabels = {
enable = true;
interfaces = {
- lan0 = "00:a0:98:7a:ac:0b";
- wan0 = "00:a0:98:ff:ff:ff";
+ lan0 = "50:9a:4c:5d:c3:7a";
+ wan0 = "50:9a:4c:5d:c3:7b";
};
};
# Set ip addresses
@@ -16,7 +16,7 @@
}];
wan0.useDHCP = true;
};
- defaultGateway.interface = "wan0";
+ #defaultGateway.interface = "wan0";
nameservers = [ "127.0.0.1" ];
# Firewall rules
firewall = {
@@ -42,8 +42,8 @@
dnsDhcpConfig = {
localDomain = "wg-router.pls.lan";
dhcp = {
- defaultGateway = ipAddress;
- localhostIp = ipAddress;
+ defaultGateway = "192.168.1.1";
+ localhostIp = "192.168.1.1";
rangeStart = "192.168.1.50";
rangeEnd = "192.168.1.250";
staticLeases = {
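Review bot: `defaultGateway` and `localhostIp` now repeat the literal `"192.168.1.1"`, which has to stay in step with the LAN address presumably assigned earlier in this file (outside the hunk). A later renumbering that misses one of them would hand DHCP clients a stale gateway address. A single `let lanIp = "192.168.1.1"; in` binding referenced in every place keeps them tied together. `localDomain = "wg-router.pls.lan"` in the same block may be a leftover from the flex-wg-router host; confirm it is intended for poweredge.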
@@ -67,7 +67,7 @@
macAddress = "04:33:c2:9d:34:74";
staticIp = "192.168.1.11";
};
- Optiplex = {
+ optiplex = {
macAddress = "e4:54:e8:bc:ba:05";
staticIp = "192.168.1.12";
};
diff --git a/hosts/poweredge/notification-mailer.nix b/hosts/poweredge/notification-mailer.nix
index 25e2e2b..d8fddc7 100644
--- a/hosts/poweredge/notification-mailer.nix
+++ b/hosts/poweredge/notification-mailer.nix
@@ -1,8 +1,8 @@
{ config, ... }: let
- serverEmail = "poweredge@tjkeller.xyz";
+ serverEmail = "server-notifications@tjkeller.xyz";
in {
# Mailer password secret for mail application password
- sops.secrets.mailerPassword.sopsFile = ./resources/secrets/mailer.yaml;
+ sops.secrets.mailerPassword.sopsFile = ./resources/secrets/mailer-pass.yaml;
# Enable mta for system event notifications
services.mail._mailer = {
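Review bot: `sops.secrets.mailerPassword` sets no `key`, so sops-nix will look for a top-level key named `mailerPassword` in the file, but the `mailer-pass.yaml` added in this commit stores the value under `pass`. Secret installation should fail on the missing key once this module is imported again. Either add `sops.secrets.mailerPassword.key = "pass";` or rename the key in the encrypted file so it matches the secret name, as `ddns-updater-config` does. The `services.mail._mailer` block continues outside the hunk.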
@@ -13,7 +13,7 @@ in {
passwordFile = config.sops.secrets.mailerPassword.path;
};
recipient = serverEmail;
- }
+ };
# Enable zed mailer module
services.zfs._zedMailer.enable = true;
diff --git a/hosts/poweredge/resources/secrets/ddns-updater-config.yaml b/hosts/poweredge/resources/secrets/ddns-updater-config.yaml
new file mode 100644
index 0000000..3be017b
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/ddns-updater-config.yaml
@@ -0,0 +1,16 @@
+ddns-updater-config: ENC[AES256_GCM,data:vJ3z4R6P1gHKfkm6L2mQl68MKDJwpMNmrAOQo+4GkO2NC6EjKTLoSKhFiaGWVjMm7nrVfYRV+U/6b4VJXV4qURWhsm41t3x8zXAtt0viLC6pv+uMtuxadhU2Zxij4U2bSiMn6sSbfHd3uGIym7FnfOIL3LPEanVMuRUk20a0ZgHBdq1BPk6r5V8AoGfsu1XWHTvnO4ggg9oQPtGhurKTXixTD0Rb1Iv43JXLXqK/O3JGD5h4XbDmXB9eTqiBHUgZ0E4F5SE23L5mO0kI0TNNph2lTHXdfB+5,iv:xFry3gzdvvYh127yhYySvp5UHDa8Y+t/bg2+mwJ/HXo=,tag:pH2CE2l2UpNJiLJ+tjVvqQ==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWitQcVlaTmFVaHIraHlT
+ VFBDVEtlQUlqckN4eFF3YU95N3ZNU3JQcFNzCnkrR2xmTEtyUHRWQlRnTWZSaGVT
+ U0wvcGt6R0w4L3dSakVDVWVpTUhWbWMKLS0tIGVKSXVTL1B2L2FlSkQwSDVYd3Fk
+ WE8rLy81UEU5ZG9SaHRLOHNqOWUzWnMKBFtzJ9frroYk6hoW+1ww/3LpxCEa1Vtr
+ KNNnHKry8lQQDmalN5ZVYMTVAlTnQQ6QE7DxBukUwWYmizQ+BY8HDg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T01:47:37Z"
+ mac: ENC[AES256_GCM,data:8ozC5JWR/s3nNK+njc7zO32/7ptd//wuWGWZPHXrPV1iVyYndczGgu0ekEyKeRCn/WwGE5pyt32gy0l2Y+k7j7mV6GJguy6qhltani6Mz2Gfy5sRohn5s2rBDTiSYEVAgGTRt56DLxGD36P6xFPm+wHGspjCzNALrPretuN5xFg=,iv:+/mlXEMEO80pDVpFwZmnyywvHR/V9zHkbloF/e/dJ6Q=,tag:O+Ox0xUzERjeB+VftiUNEg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/poweredge/resources/secrets/mailer-pass.yaml b/hosts/poweredge/resources/secrets/mailer-pass.yaml
new file mode 100644
index 0000000..331bd66
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/mailer-pass.yaml
@@ -0,0 +1,16 @@
+pass: ENC[AES256_GCM,data:RHOvLwbDIb8FZ+dG66e5U43qR0aXlLLZGAnlbRjSl8hxCMEtJ4940nggiaIV75jCaiWyLutay7MrKPKZBHDZwBIqcJYQRWm1zWGkoZi0/bX38vUFWOpI4qku9fIB2qll,iv:bqEnTagxlRqlAmMgFCtXXCSSlODE598yoV4fU0jSYL8=,tag:c/ZiGCDSb8quDoYiIKbMeQ==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUXlZaUhSUkNGK2xpVzRp
+ OEhYMTV6bnpPZC9tdHZWbnZxcUp6WWVLMnhFCmZmckVBckdRS1g0MjJQdE80S2Js
+ aGlNek1nSmU2aGI4cWVXR0NmbjJwa00KLS0tIDJ3N3BoenQ5ZW02K3BLNWxkWU5y
+ Ym56YzI5Zk9KeFhzZXJXR3NoOUl0ckEKOLweZrk/Pe6BG48+RrwOxyOy0Zb768aZ
+ YIxTBv/qSzZei6VqZHiIwTUEMyE7z3CS0dBFws6q4fB4LfIpv6fiYg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T01:37:29Z"
+ mac: ENC[AES256_GCM,data:WIGXvuwB4bcBDfMRrrMQ7faUkxFdreyYiuy6bNPI2pzvvUFTSo/lJTv/DjisSARdYmFHFvdResIXUjg75Sc2I5IrvRxZxnYqx/3z5k/WOFWb8HSKH2H+OUHtLkqWJSCQ9YBuX2tys93mEXgwchPpn4nzVaYBgxZl54F3icX7tsE=,iv:BS9KPGkVaH0G0bAZz6+LR0NDcmqw6khOkih5DyvGyug=,tag:dA9YVL1xEqUqe6hDzOH7XQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/nixos/default.nix b/nixos/default.nix
index 8de9c02..fb33f1e 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -7,10 +7,12 @@
./services/cgit.nix
./services/fileshares.nix
./services/gitea.nix
+ ./services/mailer.nix
./services/searxng.nix
./services/router/dns-dhcp.nix
./services/router/routing.nix
./services/router/unbound-blocklist.nix
+ ./services/zfs/zed-mailer.nix
./bootloader.nix
./doas.nix
diff --git a/users/timmy/resources/secrets/hashed-root-password.yaml b/users/timmy/resources/secrets/hashed-root-password.yaml
index a42fd42..aead57a 100644
--- a/users/timmy/resources/secrets/hashed-root-password.yaml
+++ b/users/timmy/resources/secrets/hashed-root-password.yaml
@@ -4,20 +4,29 @@ sops:
- recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Z3dTbW1GUzgyRUwyZGtF
- alZSeFBmdEdhNER3UEtGRGd4MnliK1l1eGpJCm80SHFNZ3NZOTNxVkM4R3ZLY005
- OFVtUGN3OXZJblRxOFNMOFhsV25CS0EKLS0tIEE5SG5NekxWbytXY2xNeUN6TWhG
- RldJZms3RDFuRk40ck42Mkd5RTd4YVUKgyWE8Cs0yLO/82w2muGWTlcjY86BVSUy
- bFeIcQT33dEPiNUmynTqEGpN2NVQbfVDw17QbA9GNhGClanTTXmX4A==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraEhrNTZaMjVQQUdYOUU5
+ MURZVTcxRWxBRC9HMEg3amtsNE1qWEdsSkc4CmRYaVZxT0I3eHphbHAydzUwZEVH
+ UU1FL0J2bW5yMWYxeDAydlhOZ3dvbmcKLS0tIGwzcWtZbmI5aG9tSXF1d3hlelg3
+ dEczZGlSWmg0OEhoeERSSUMxVHR4a00Kwe7zenWUpfI+NxCM6m208smw6vGuPb7x
+ UF3d0LvQ7YJqlUsuuUjaBQcx0EHgjYH6NiT3ZimeBJJ4WfYEi87hkw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1f0tmpy2nam58skmznjyqd3zf54rxtfrk6fda0vlpq9y3yg6wac7sjf0vja
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcUprWjBXTVlidTRwMEZ6
- WHE4dWp6OWtybkFCaTkyY2JyaWYrRHNhZWtNCi9xamwreEsyVFdnWWhJeUVsdUpT
- UHlkRVJZZTEvMDluTWNJSnRSUXN6Q0kKLS0tIHNsQk92SUd2ekowY0hvQi9LNjIx
- Q0oxVFNtRkpZTlVHeEY3YXFoSlc4Zk0K7RaqH/Qf2dTPBuCz9DH0xgU+Tq8ATKUq
- tfAuuAU9HBtLFiZjhWsZmj5XUy5Z18IiUKDIxlw41mNtbcsUnjm30w==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISklHVjNLWkN6WmlRWGhv
+ LzczV3g5N1NKYWFGd09laWtmYU5RUUJDWkdRCkxBb2FRNnh1d3lIYVVNd0h3NG9M
+ VHkrZmpYbVdtc1hjR29vaTduOUtBQzQKLS0tIFF5Z1l3N25kaHdVNGI2aTJaQU90
+ SXdjTmdnUU5zdXlEVzM1cnl6R096QjgK1ZscVvYvEpiDgCXOaduqZ+aT1lCD2HBS
+ eOpseCvD78JQym55CWvZEGHjmZOH3+Ay2Wd0+W2Z9E43yKxIkT/Nng==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZHVaTTNsWlQ2Ynk0WVNY
+ QkNEOUwvNXI0ZUdNSFZUdVJsQnh1NUZlbm13Ckg0NG1HU1pMOS9UZWJGaFBCQWth
+ VHZkdFB3RHEwMEhqZ3RtNmpzYUZPczQKLS0tIEwrVGViSTZGTGIrUnBBeGl0Mk1R
+ ZmZvWk9paVc2YmN5R0xZUmU2cmc0VDQKQVbliGNMYdEKW+z5f/yEnVvxIJFeA5h8
+ l6d9kxegWkQtQCBqEAC7+0ftDC/BnzdZD9aQAA/VeNNwtkrXib7YZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-17T22:34:07Z"
mac: ENC[AES256_GCM,data:B95HuJC2o8B+P1f9kAtJTcSty7YSAByuqe/Xs6ce6780p05FuzWM5X9bwvwsYXngGNKqCHksWf50UXzJ3eyc6y4ISxdxljAv2FmJFKw4NkfGaOMiRLlGPMn1uFpOtkRT+qL0+mupWG/Ap3zcpbxjsDx46PUur+e6yRxlAHw8mGw=,iv:DYobhWK+4+7vOog7BrBASiHrEzzz0P6zqgWxexfcLG8=,tag:skGwUpDEB8e3TCjrxs5peA==,type:str]