prometheus: add constellation

Reviewed-on: #6

.gitignore

@@ -1,2 +1,3 @@
 result
 /secrets_tmp/
+*.drv

.sops.yaml

@@ -1,17 +1,50 @@
 keys:
-  - &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
-  - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
+  - &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
+  - &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
+  - &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
+  - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
+  - &host_morn age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
+  - &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
+  - &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
 
 creation_rules:
   # Global secrets
   - path_regex: secrets/[^/]+\.yaml$
     key_groups:
     - age:
-      - *user_felixalb
+      - *bw_recovery
+      - *user_felixalb_sisko
+      - *user_felixalb_worf
 
   # Host specific secrets
-  - path_regex: secrets/voyager/[^/]+\.yaml$
+  - path_regex: secrets/burnham/[^/]+\.yaml$
     key_groups:
     - age:
-      - *host_voyager
-      - *user_felixalb
+      - *host_burnham
+      - *bw_recovery
+      - *user_felixalb_sisko
+      - *user_felixalb_worf
+
+  - path_regex: secrets/challenger/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_challenger
+      - *bw_recovery
+      - *user_felixalb_sisko
+      - *user_felixalb_worf
+
+  - path_regex: secrets/defiant/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_defiant
+      - *bw_recovery
+      - *user_felixalb_sisko
+      - *user_felixalb_worf
+
+  - path_regex: secrets/morn/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_morn
+      - *bw_recovery
+      - *user_felixalb_sisko
+      - *user_felixalb_worf

README.md

@@ -1,17 +1,54 @@
-# Work In Progress!
-Notice, these things might be missing:
-- Functionality
-- Style
-- Safety
+## Felixalbs nixos config
+
+![](https://github.com/NixOS/nixos-artwork/blob/master/releases/24.05-uakari/uakari.png?raw=true)
+
+Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host.
+Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
 
 ### Build:
-- Build locally on another machine (verify)
+- Build locally on another machine:
 ```
-nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurations.chapel.config.system.build.toplevel"
+nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurations.sarek.config.system.build.toplevel"
 ```
-(replace "chapel" with the hostname)
+(replace "sarek" with the hostname)
 
 - Build, install and switch on the actual target
 ```
 nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake github+felixalbrigtsen/nixos-server-conf.git --upgrade
 ```
+
+# Services and tools
+
+Below is a list of _most_ of the services configured in this repo, at least the ones that are accessible to the public.
+It might be incomplete or out of date, but should generally describe the state of my homelab.
+Other installed packages and tools are described in the config files (like ./hosts/HOSTNAME/configuration.nix), but not listed here.
+
+## Public / important services
+
+- Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no
+- [Nextcloud](https://cloud.feal.no) ([source](./hosts/challenger/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
+- [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server
+- [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
+- HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
+- [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
+- [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML
+- [Jellyfin](https://jf.feal.no) ([source](./hosts/challenger/services/jellyfin.nix)) - Local media streaming
+
+## Networking
+
+- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
+- A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
+- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
+- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
+
+## Monitoring
+
+- Prometheus ([source](./hosts/defiant/services/monitoring/prometheus.nix)) - Pull-based metrics system that fetches metrics over HTTP from a range of exporters and stores them in a time-series database
+- Loki ([source](./hosts/defiant/services/monitoring/loki.nix)) - Central logging for all my hosts
+- Grafana ([source](./hosts/defiant/services/monitoring/grafana.nix)) - Visualization and alerting for all my metrics and logs
+- Uptime-Kuma ([source](./hosts/defiant/services/monitoring/uptime-kuma.nix)) - Uptime / health check with alerting
+
+## Dotfiles and user tools
+
+- (Neo)vim ([source](./home/neovim.nix)) - Text editor with my configuration for IDE-like support for autocompletion, syntax highlighting and efficient editing.
+- Zsh ([source](./home/zsh.nix)) - My shell of choice

base.nix

@@ -1,13 +1,13 @@
 { config, lib, pkgs, inputs, values, ... }:
 
 {
-
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
   networking = {
-    domain = "home.feal.no";
-    useDHCP = false;
+    domain = lib.mkDefault "home.feal.no";
+    nameservers = lib.mkDefault [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
+    useDHCP = lib.mkDefault false;
   };
 
   time.timeZone = "Europe/Oslo";
@@ -15,7 +15,7 @@
 
   console = {
     font = "Lat2-Terminus16";
-    keyMap = "no";
+    keyMap = lib.mkDefault "no";
   };
 
   nix = {
@@ -24,28 +24,45 @@
       options = "--delete-older-than 2d";
     };
 
-    settings.experimental-features = ["nix-command" "flakes"];
-
-    registry= {
-      nixpkgs.flake = inputs.nixpkgs;
+    settings = {
+      experimental-features = ["nix-command" "flakes"];
+      trusted-users = [ "felixalb" ];
+      builders-use-substitutes = true;
     };
-
-    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
   };
 
   programs.zsh.enable = true;
 
   environment.systemPackages = with pkgs; [
-    wget
-    git
-    tree
-    rsync
     bottom
+    eza
+    file
+    git
+    gnugrep
+    gnutar
+    htop
+    iotop
+    lm_sensors
+    nix-output-monitor
+    p7zip
+    python3
     ripgrep
+    rsync
+    screen
+    unzip
+    usbutils
+    vim
+    wget
+    zip
+  ] ++ lib.optionals (pkgs.stdenv.isLinux) [
+    dmidecode
+    lm_sensors
+    pciutils
   ];
 
   services.openssh = {
     enable = true;
+    openFirewall = lib.mkDefault true;
     settings = {
       PermitRootLogin = "no";
       PasswordAuthentication = false;
@@ -54,20 +71,27 @@
 
     extraConfig = ''
       AllowTcpForwarding yes
-      X11Forwarding no
       AllowAgentForwarding yes
       AuthenticationMethods publickey
     '';
   };
 
+  programs.mosh.enable = true;
+
   users.users.felixalb = {
     isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    uid = 1000;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkLmJIkBM6AMbYM/hYm27Flgya81UiGqh9/owYWmrbZ home.feal.no"
+    extraGroups = [
+      "wheel"
+      "docker"
     ];
+    uid = lib.mkDefault 1000;
+    openssh.authorizedKeys.keys = lib.mkDefault [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
+    ];
+    shell = pkgs.zsh;
   };
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 }

common/auto-upgrade.nix

@@ -0,0 +1,15 @@
+{ config, pkgs, lib, ... }:
+
+{
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+https://git.feal.no/felixalb/nixos-config.git";
+    flags = [
+      # Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
+      "--refresh"
+      "--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
+      "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
+      "--no-write-lock-file"
+    ];
+  };
+}

common/domeneshop-dyndns.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.domeneshop-dyndns;
+in {
+  options.services.domeneshop-dyndns = {
+    enable = lib.mkEnableOption "Domeneshop DynDNS";
+
+    domain = lib.mkOption {
+      type = lib.types.str;
+      description = "Domain name to configure";
+    };
+
+    netrcFile = lib.mkOption {
+      type = lib.types.path;
+      description = "Path to the file that contains `machine api.domeneshop.no login <DDNS_TOKEN> password <DDNS_SECRET>` from https://domene.shop/admin?view=api";
+    };
+
+    startAt = lib.mkOption {
+      type = lib.types.str;
+      default = "*:0/10"; # Every 10 minutes
+      description = "Systemd onCalendar expression for when to run the timer";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.domeneshop-dyndns = {
+      serviceConfig.LoadCredential = "netrc:${cfg.netrcFile}";
+      startAt = cfg.startAt;
+
+      script = ''
+        DNSNAME="${cfg.domain}"
+        NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
+        OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
+
+        if [[ "$NEW_IP" != "$OLD_IP" ]]; then
+          echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
+          ${lib.getExe pkgs.curl} --silent --netrc-file "$CREDENTIALS_DIRECTORY/netrc" "https://api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
+        else
+          echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
+        fi
+      '';
+    };
+  };
+}

common/metrics-exporters.nix

@@ -1,19 +1,20 @@
 { config, pkgs, values, ... }:
-
-{
+let
+  metricsHost = "192.168.10.175"; # defiant.home.feal.no
+in {
   services.prometheus.exporters.node = {
     enable = true;
     port = 9100;
     enabledCollectors = [ "systemd" ];
   };
 
-  systemd.services.prometheus-node-exporter.serviceConfig = {
-    # TODO: Define allowed IPs
-    # IPAddressDeny = "any";
-    # IPAddressAllow = [
-    #   values.chapel.ipv4
-    #   values.chapel.ipv6
-    # ];
+  networking.firewall = {
+    # TODO: Move this into the node-exporter systemd service
+    allowedTCPPorts = [ 9100 ];
+    extraCommands = ''
+      iptables -A INPUT -p tcp -m tcp --source ${metricsHost}/32 --dport 9100 -j ACCEPT
+      iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP
+    '';
   };
 
   services.promtail = {
@@ -25,7 +26,7 @@
       };
       clients = [
         {
-          url = "http://voyager.home.feal.no:3100/loki/api/v1/push";
+          url = "http://${metricsHost}:3100/loki/api/v1/push";
         }
       ];
       scrape_configs = [

common/pwndbg-gdb-alias.nix

@@ -0,0 +1,8 @@
+{ pwndbg }:
+
+# "$ coredumpctl gdb" always runs "gdb" from your path.
+pwndbg.overrideAttrs ({ installPhase ? "", ... }: {
+  installPhase = installPhase + ''
+    ln -s $out/bin/pwndbg $out/bin/gdb
+  '';
+})

common/securecrt.nix

@@ -0,0 +1,81 @@
+{
+  lib,
+  stdenv,
+  fetchurl,
+  autoPatchelfHook,
+  dpkg,
+
+  cups,
+  gtkmm3,
+  icu74,
+  krb5,
+  makeWrapper,
+  openssl,
+  pango,
+  python312,
+  xcb-util-cursor,
+  xorg,
+}:
+
+let
+  packageId = "scrt_ubuntu2464_deb_963";
+in stdenv.mkDerivation rec {
+  pname = "securecrt";
+  version = "9.6.3";
+
+  src = fetchurl {
+    url = "https://www.vandyke.com/cgi-bin/download_1.php";
+    name = "${pname}-${version}.deb";
+    curlOpts = "-X POST --data 'pid=${packageId}&export_check=accept&country=no&su";
+    sha256 = "sha256-PsFuxJ7H0rJCWWi+rvzrlRUJlp9R4MG14d883/kl9Lo=";
+  };
+
+  unpackCmd = "dpkg -x $curSrc source";
+
+  nativeBuildInputs = [
+    dpkg
+    autoPatchelfHook
+  ];
+
+  buildInputs = [
+    cups
+    gtkmm3
+    icu74
+    krb5
+    makeWrapper
+    openssl
+    pango
+    python312
+    xcb-util-cursor
+    xorg.xcbutilkeysyms
+    xorg.xcbutilwm
+  ];
+
+  dontConfigure = true;
+  dontBuild = true;
+  dontWrapQTApps = true;
+
+  installPhase = ''
+    runhook preInstall
+
+    mkdir -p "$out"
+    cp -R usr/* "$out/"
+    wrapProgram "$out/bin/SecureCRT" --set QT_QPA_PLATFORM_PLUGIN_PATH "$out/lib/scrt/plugins/platforms"
+
+    runhook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.vandyke.com/products/securecrt/unix.html";
+    description = "Terminal emulator for computing professionals, with advanced session management";
+    license = {
+      free = false;
+      fullName = "Unknown / Custom";
+    };
+
+    platforms = with lib.platforms; linux ++ darwin ++ windows;
+    broken = !(stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64);
+  };
+
+  mainProgram = "SecureCRT";
+}

common/sketchybar-app-font.nix

@@ -0,0 +1,14 @@
+{ lib, stdenvNoCC, fetchurl }:
+
+stdenvNoCC.mkDerivation rec {
+  name = "sketchybar-app-font";
+  version = "1.0.20";
+  src = fetchurl {
+    url = "https://github.com/kvndrsslr/sketchybar-app-font/releases/download/v${version}/sketchybar-app-font.ttf";
+    hash = "sha256-pf3SSxzlNIdbXXHfRauFCnrVUMOd5J9sSUE9MsfWrwo=";
+  };
+  phases = [ "installPhase" ];
+  installPhase = ''
+    install -Dm644 $src $out/share/fonts/sketchybar-app-font/Regular.ttf
+  '';
+}

common/wireguard-peers.nix

@@ -0,0 +1,44 @@
+[
+  { # Sulu
+    publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
+    allowedIPs = [
+      "10.100.0.3/32"
+    ];
+  }
+  { # Worf
+    publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
+    allowedIPs = [
+      "10.100.0.4/32"
+    ];
+  }
+  { # Phone
+    publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
+    allowedIPs = [
+      "10.100.0.5/32"
+    ];
+  }
+  { # Riker
+    publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
+    allowedIPs = [
+      "10.100.0.6/32"
+    ];
+  }
+  { # fa-t14-2025
+    publicKey = "UPpUVWQqOKT65MFym1sFDTstNmuynDYE4LOOtbWqEng=";
+    allowedIPs = [
+      "10.100.0.7/32"
+    ];
+  }
+  { # Turtle
+    publicKey = "mDzAtRPv+O5TDHa9DGodF/KKuFXRBYwSqfPyeWfdfRI=";
+    allowedIPs = [
+      "10.100.0.8/32"
+    ];
+  }
+  { # Amalies phone
+    publicKey = "Iqoq00e5rUNygmjOKmSPzvDTzvUdpxkpwVrD6UJXG2w=";
+    allowedIPs = [
+      "10.100.0.9/32"
+    ];
+  }
+]

flake.lock

@@ -1,57 +1,223 @@
 {
   "nodes": {
+    "extra-config": {
+      "locked": {
+        "lastModified": 1745649002,
+        "narHash": "sha256-XNBExt3+U3o4lip+yj6oorCEPZ9Qe8PzBSFM5ZzVtSA=",
+        "ref": "refs/heads/main",
+        "rev": "50c9c15db2b309d299b1c19089c962979e01f45b",
+        "revCount": 13,
+        "type": "git",
+        "url": "file:///home/felixalb/nix-extra-config"
+      },
+      "original": {
+        "type": "git",
+        "url": "file:///home/felixalb/nix-extra-config"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1764776959,
+        "narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "e1680d594a9281651cbf7d126941a8c8e2396183",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-25.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "matrix-synapse-next": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765214213,
+        "narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=",
+        "owner": "dali99",
+        "repo": "nixos-matrix-modules",
+        "rev": "82959f612ffd523a49c92f84358a9980a851747b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "dali99",
+        "repo": "nixos-matrix-modules",
+        "type": "github"
+      }
+    },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-darwin"
+        ]
+      },
+      "locked": {
+        "lastModified": 1764161084,
+        "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
+        "owner": "nix-darwin",
+        "repo": "nix-darwin",
+        "rev": "e95de00a471d07435e0527ff4db092c84998698e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-darwin",
+        "ref": "nix-darwin-25.11",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "nix-minecraft": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1764813963,
+        "narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=",
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "rev": "491200d6848402bbab1421cccbc15a46f08c7f78",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1687573514,
-        "narHash": "sha256-jek0ezqxfiFPALhimRDBzgGOSgDv7ExZFhPDmAXoIsw=",
+        "lastModified": 1764677808,
+        "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3ef8b37f59cf2e0b57371df726f3c0ecacfa0e73",
+        "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.05-small",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
+    "nixpkgs-2211": {
       "locked": {
-        "lastModified": 1687031877,
-        "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
+        "narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
+      }
+    },
+    "nixpkgs-darwin": {
+      "locked": {
+        "lastModified": 1764806471,
+        "narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
+        "rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "nixpkgs-25.11-darwin",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1764667669,
+        "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "418468ac9527e799809c900eda37cbff999199b6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "root": {
       "inputs": {
+        "extra-config": "extra-config",
+        "home-manager": "home-manager",
+        "matrix-synapse-next": "matrix-synapse-next",
+        "nix-darwin": "nix-darwin",
+        "nix-minecraft": "nix-minecraft",
         "nixpkgs": "nixpkgs",
-        "sops-nix": "sops-nix",
-        "unstable": "unstable"
+        "nixpkgs-2211": "nixpkgs-2211",
+        "nixpkgs-darwin": "nixpkgs-darwin",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix"
       }
     },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
       },
       "locked": {
-        "lastModified": 1687398569,
-        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
+        "lastModified": 1764483358,
+        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
+        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
         "type": "github"
       },
       "original": {
@@ -60,19 +226,18 @@
         "type": "github"
       }
     },
-    "unstable": {
+    "systems": {
       "locked": {
-        "lastModified": 1687639213,
-        "narHash": "sha256-m/jb2D62UXMPy8LeiF39/qGbDBpNpix/h7ne1EXRl9M=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "8eef75145e6c3beada369aee48bd9c2c3a4dee88",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
+        "owner": "nix-systems",
+        "repo": "default",
         "type": "github"
       }
     }

flake.nix

@@ -2,60 +2,136 @@
   description = "Felixalb System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
-    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix
+    nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin";
+    nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+    nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
+    nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin";
+
+    home-manager.url = "github:nix-community/home-manager/release-25.11";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release
+    matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
+
+    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
+    nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
+
+    extra-config.url = "git+file:///home/felixalb/nix-extra-config";
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
+  outputs = {
+    self
+    , home-manager
+    , matrix-synapse-next
+    , nix-minecraft
+    , nix-darwin
+    , nixpkgs
+    , nixpkgs-2211
+    , nixpkgs-darwin
+    , nixpkgs-unstable
+    , sops-nix
+    , extra-config
+  , ... }@inputs:
     let
-      system = "x86_64-linux";
-      overlay-unstable = final: prev: {
-        unstable = unstable.legacyPackages.${prev.system};
+      pkgs-overlay = final: prev: {
+        unstable = import nixpkgs-unstable {
+          system = prev.system;
+          config.allowUnfree = true;
+        };
+
+        nixpkgs-2211 = import nixpkgs-2211 {
+          system = prev.system;
+          config.allowUnfree = true;
+        };
+
+        pwndbg-gdb-alias = prev.callPackage ./common/pwndbg-gdb-alias.nix { };
+        securecrt = prev.callPackage ./common/securecrt.nix { };
       };
     in
     {
-      nixosConfigurations = {
-        voyager = nixpkgs.lib.nixosSystem {
-          inherit system;
+      nixosConfigurations = let
+        normalSys = name: hostConfig: nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux"; # TODO - Handle
           specialArgs = {
             inherit inputs;
           };
           modules = [
-            # Overlays-module makes "pkgs.unstable" available in configuration.nix
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+            ({ config, pkgs, ... }: {
+              # Make "pkgs.unstable" etc. available
+              nixpkgs.overlays = [ pkgs-overlay ] ++ hostConfig.overlays or [ ];
+            })
 
-            ./hosts/voyager/configuration.nix
+            ./hosts/${name}/configuration.nix
             sops-nix.nixosModules.sops
-          ];
+            home-manager.nixosModules.home-manager {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users = {
+                "felixalb" = import ./hosts/${name}/home.nix;
+              } // hostConfig.home-manager-users or { };
+            }
+          ] ++ hostConfig.modules or [ ];
         };
-        chapel = nixpkgs.lib.nixosSystem {
-          inherit system;
-          specialArgs = {
-            inherit inputs;
-          };
+      in {
+
+        # Media / storage server
+        challenger = normalSys "challenger" {
           modules = [
-            ./hosts/chapel/configuration.nix
-            sops-nix.nixosModules.sops
+            extra-config.nixosModules.default
           ];
         };
-        redshirt = nixpkgs.lib.nixosSystem {
-          inherit system;
-          specialArgs = {
-            inherit inputs;
-          };
+
+        # General application server
+        defiant = normalSys "defiant" {
           modules = [
-            ./hosts/redshirt/configuration.nix
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
-            sops-nix.nixosModules.sops
+            ./common/domeneshop-dyndns.nix
+            matrix-synapse-next.nixosModules.default
           ];
         };
+
+        # Work laptop
+        fa-t14-2025 = normalSys "fa-t14-2025" { };
+
+        # Web host
+        leonard = normalSys "leonard" { };
+
+        # General application server
+        morn = normalSys "morn" { };
+
+        # Home desktop
+        sisko = normalSys "sisko" { };
+      };
+
+      # Daily driver macbook
+      darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
+        system = "aarch64-darwin";
+        specialArgs = {
+          inherit inputs;
+        };
+        modules = [
+          ({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
+
+          ./hosts/worf/configuration.nix
+          home-manager.darwinModules.home-manager {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.users."felixalb" = import ./hosts/worf/home.nix;
+          }
+        ];
       };
 
       devShells.x86_64-linux = {
         default = nixpkgs.legacyPackages.x86_64-linux.callPackage ./shell.nix { };
       };
+
+      devShells.aarch64-darwin = {
+        default = nixpkgs.legacyPackages.aarch64-darwin.callPackage ./shell.nix { };
+      };
     };
 }

home/alacritty.nix

@@ -0,0 +1,355 @@
+{ pkgs, lib, inputs, config, ...}:
+{
+  programs.alacritty = {
+    enable = true;
+    settings = {
+      env = {
+        TERM = "xterm-256color";
+      };
+
+      window = {
+        padding = {
+          x = 8;
+          y = 2;
+        };
+
+        dynamic_padding = true;
+        dynamic_title = true;
+
+        decorations = "none"; # full/none/transparent/buttonless
+
+        # Transparency:
+        opacity = lib.mkDefault 0.95;
+      };
+
+      scrolling = {
+        history = 9999;
+        multiplier = 3;
+      };
+
+      # Font configuration (changes require restart)
+      font = {
+        normal = {
+          family = "Hack Nerd Font Mono";
+          style = "Regular";
+        };
+
+        bold = {
+          family = "Hack Nerd Font Mono";
+          style = "Bold";
+        };
+
+        italic = {
+          family = "Hack Nerd Font Mono";
+          style = "Italic";
+        };
+
+        size = 14;
+      };
+
+
+      colors = {
+        draw_bold_text_with_bright_colors = true;
+
+        # # gruvbox_material_medium_dark
+        #  primary = {
+        #     background = "0x282828";
+        #     foreground = "0xd4be98";
+        #   };
+        #   normal = {
+        #     black =  "0x3c3836";
+        #     red =     "0xea6962";
+        #     green =   "0xa9b665";
+        #     yellow =  "0xd8a657";
+        #     blue =    "0x7daea3";
+        #     magenta = "0xd3869b";
+        #     cyan =    "0x89b482";
+        #     white =   "0xd4be98";
+        #   };
+        #   bright = {
+        #     black =   "0x3c3836";
+        #     red =     "0xea6962";
+        #     green =   "0xa9b665";
+        #     yellow =  "0xd8a657";
+        #     blue =    "0x7daea3";
+        #     magenta = "0xd3869b";
+        #     cyan =    "0x89b482";
+        #     white =   "0xd4be98";
+        #   };
+
+        # # # Tomorrow Night Bright
+        # primary = {
+        #   background = "0x141414";
+        #   foreground = "0xeaeaea";
+        # };
+
+        # cursor = {
+        #   text = "0x000000";
+        #   cursor = "0xffffff";
+        # };
+
+        # normal = {
+        #   black   = "0x000000";
+        #   red     = "0xd54e53";
+        #   green   = "0x82de37";
+        #   yellow  = "0xe6c547";
+        #   blue    = "0x7aa6da";
+        #   magenta = "0xc397d8";
+        #   cyan    = "0x70c0ba";
+        #   white   = "0xffffff";
+        # };
+
+        # bright = {
+        #   black   = "0x666666";
+        #   red     = "0xff3334";
+        #   green   = "0x8bd45d";
+        #   yellow  = "0xe7c547";
+        #   blue    = "0x7aa6da";
+        #   magenta = "0xb77ee0";
+        #   cyan    = "0x54ced6";
+        #   white   = "0xffffff";
+        # };
+
+
+        # Nord:
+        primary = {
+          background = "0x2e3440";
+          foreground = "0xd8dee9";
+          dim_foreground = "0xa5abb6";
+        };
+
+        cursor = {
+          text = "0x2e3440";
+          cursor = "0xd8dee9";
+        };
+
+        vi_mode_cursor = {
+          text = "0x2e3440";
+          cursor = "0xd8dee9";
+        };
+
+        selection = {
+          text = "CellForeground";
+          background = "0x4c566a";
+        };
+
+        normal = {
+          black   = "0x3b4252";
+          red     = "0xbf616a";
+          green   = "0xa3be8c";
+          yellow  = "0xebcb8b";
+          blue    = "0x81a1c1";
+          magenta = "0xb48ead";
+          cyan    = "0x88c0d0";
+          white   = "0xe5e9f0";
+        };
+
+        bright = {
+          black   = "0x4c566a";
+          red     = "0xbf616a";
+          green   = "0xa3be8c";
+          yellow  = "0xebcb8b";
+          blue    = "0x81a1c1";
+          magenta = "0xb48ead";
+          cyan    = "0x8fbcbb";
+          white   = "0xeceff4";
+        };
+
+        dim = {
+          black   = "0x373e4d";
+          red     = "0x94545d";
+          green   = "0x809575";
+          yellow  = "0xb29e75";
+          blue    = "0x68809a";
+          magenta = "0x8c738c";
+          cyan    = "0x6d96a5";
+          white   = "0xaeb3bb";
+        };
+
+
+
+        # Indexed Colors
+        #
+        # The indexed colors include all colors from 16 to 256.
+        # When these are not set, they're filled with sensible defaults.
+        #
+        # Example:
+        #   `- { index: 16, color: '0xff00ff' }`
+        #
+        # indexed_colors: []
+      };
+
+      bell = {
+        animation = "Ease";
+        color = "0xffffff";
+        duration = 100;
+      };
+
+      # Key bindings
+      #
+      # Key bindings are specified as a list of objects. Each binding will specify a
+      # key and modifiers required to trigger it, terminal modes where the binding is
+      # applicable, and what should be done when the key binding fires. It can either
+      # send a byte sequence to the running application (`chars`), execute a
+      # predefined action (`action`) or fork and execute a specified command plus
+      # arguments (`command`).
+      #
+      # Bindings are always filled by default, but will be replaced when a new binding
+      # with the same triggers is defined. To unset a default binding, it can be
+      # mapped to the `None` action.
+      #
+      # Example:
+      #   `- { key: V, mods: Control|Shift, action: Paste }`
+      #
+      # Available fields:
+      #   - key
+      #   - mods (optional)
+      #   - chars | action | command (exactly one required)
+      #   - mode (optional)
+      #
+      # Values for `key`:
+      #   - `A` -> `Z`
+      #   - `F1` -> `F12`
+      #   - `Key1` -> `Key0`
+      #
+      #   A full list with available key codes can be found here:
+      #   https://docs.rs/glutin/*/glutin/enum.VirtualKeyCode.html#variants
+      #
+      #   Instead of using the name of the keys, the `key` field also supports using
+      #   the scancode of the desired key. Scancodes have to be specified as a
+      #   decimal number.
+      #   This command will allow you to display the hex scancodes for certain keys:
+      #     `showkey --scancodes`
+      #
+      # Values for `mods`:
+      #   - Command
+      #   - Control
+      #   - Option
+      #   - Super
+      #   - Shift
+      #   - Alt
+      #
+      #   Multiple `mods` can be combined using `|` like this: `mods: Control|Shift`.
+      #   Whitespace and capitalization is relevant and must match the example.
+      #
+      # Values for `chars`:
+      #   The `chars` field writes the specified string to the terminal. This makes
+      #   it possible to pass escape sequences.
+      #   To find escape codes for bindings like `PageUp` ("\x1b[5~"), you can run
+      #   the command `showkey -a` outside of tmux.
+      #   Note that applications use terminfo to map escape sequences back to
+      #   keys. It is therefore required to update the terminfo when
+      #   changing an escape sequence.
+      #
+      # Values for `action`:
+      #   - Paste
+      #   - PasteSelection
+      #   - Copy
+      #   - IncreaseFontSize
+      #   - DecreaseFontSize
+      #   - ResetFontSize
+      #   - ScrollPageUp
+      #   - ScrollPageDown
+      #   - ScrollLineUp
+      #   - ScrollLineDown
+      #   - ScrollToTop
+      #   - ScrollToBottom
+      #   - ClearHistory
+      #   - Hide
+      #   - Quit
+      #   - ClearLogNotice
+      #   - SpawnNewInstance
+      #   - ToggleFullscreen
+      #   - None
+      #
+      # Values for `action` (macOS only):
+      #   - ToggleSimpleFullscreen: Enters fullscreen without occupying another space
+      #
+      # Values for `command`:
+      #   The `command` field must be a map containing a `program` string and
+      #   an `args` array of command line parameter strings.
+      #
+      #   Example:
+      #       `command: { program: "alacritty", args: ["-e", "vttest"] }`
+      #
+      # Values for `mode`:
+      #   - ~AppCursor
+      #   - AppCursor
+      #   - ~AppKeypad
+      #   - AppKeypad
+      #
+      # key_bindings:
+      #   - { key: V,        mods: Alt,       action: Paste                        }
+      #   - { key: C,        mods: Alt,       action: Copy                         }
+      #   - { key: Q,        mods: Alt,       action: Quit                         }
+      #   - { key: N,        mods: Alt,       action: SpawnNewInstance             }
+      #   - { key: Return,   mods: Alt,       action: ToggleFullscreen             }
+
+      #   - { key: Home,                          chars: "\x1bOH",   mode: AppCursor   }
+      #   - { key: Home,                          chars: "\x1b[H",   mode: ~AppCursor  }
+      #   - { key: End,                           chars: "\x1bOF",   mode: AppCursor   }
+      #   - { key: End,                           chars: "\x1b[F",   mode: ~AppCursor  }
+      #   - { key: Equals,   mods: Alt,       action: IncreaseFontSize             }
+      #   - { key: Minus,    mods: Alt,       action: DecreaseFontSize             }
+      #   - { key: Minus,    mods: Alt|Shift, action: ResetFontSize                }
+      #   - { key: PageUp,   mods: Shift,         chars: "\x1b[5;2~"                   }
+      #   - { key: PageUp,   mods: Control,       chars: "\x1b[5;5~"                   }
+      #   - { key: PageUp,                        chars: "\x1b[5~"                     }
+      #   - { key: PageDown, mods: Shift,         chars: "\x1b[6;2~"                   }
+      #   - { key: PageDown, mods: Control,       chars: "\x1b[6;5~"                   }
+      #   - { key: PageDown,                      chars: "\x1b[6~"                     }
+      #   - { key: Left,     mods: Shift,         chars: "\x1b[1;2D"                   }
+      #   - { key: Left,     mods: Control,       chars: "\x1b[1;5D"                   }
+      #   - { key: Left,     mods: Alt,           chars: "\x1b[1;3D"                   }
+      #   - { key: Left,                          chars: "\x1b[D",   mode: ~AppCursor  }
+      #   - { key: Left,                          chars: "\x1bOD",   mode: AppCursor   }
+      #   - { key: Right,    mods: Shift,         chars: "\x1b[1;2C"                   }
+      #   - { key: Right,    mods: Control,       chars: "\x1b[1;5C"                   }
+      #   - { key: Right,    mods: Alt,           chars: "\x1b[1;3C"                   }
+      #   - { key: Right,                         chars: "\x1b[C",   mode: ~AppCursor  }
+      #   - { key: Right,                         chars: "\x1bOC",   mode: AppCursor   }
+      #   - { key: Up,       mods: Shift,         chars: "\x1b[1;2A"                   }
+      #   - { key: Up,       mods: Control,       chars: "\x1b[1;5A"                   }
+      #   - { key: Up,       mods: Alt,           chars: "\x1b[1;3A"                   }
+      #   - { key: Up,                            chars: "\x1b[A",   mode: ~AppCursor  }
+      #   - { key: Up,                            chars: "\x1bOA",   mode: AppCursor   }
+      #   - { key: Down,     mods: Shift,         chars: "\x1b[1;2B"                   }
+      #   - { key: Down,     mods: Control,       chars: "\x1b[1;5B"                   }
+      #   - { key: Down,     mods: Alt,           chars: "\x1b[1;3B"                   }
+      #   - { key: Down,                          chars: "\x1b[B",   mode: ~AppCursor  }
+      #   - { key: Down,                          chars: "\x1bOB",   mode: AppCursor   }
+      #   - { key: Tab,      mods: Shift,         chars: "\x1b[Z"                      }
+      #   - { key: F1,                            chars: "\x1bOP"                      }
+      #   - { key: F2,                            chars: "\x1bOQ"                      }
+      #   - { key: F3,                            chars: "\x1bOR"                      }
+      #   - { key: F4,                            chars: "\x1bOS"                      }
+      #   - { key: F5,                            chars: "\x1b[15~"                    }
+      #   - { key: F6,                            chars: "\x1b[17~"                    }
+      #   - { key: F7,                            chars: "\x1b[18~"                    }
+      #   - { key: F8,                            chars: "\x1b[19~"                    }
+      #   - { key: F9,                            chars: "\x1b[20~"                    }
+      #   - { key: F10,                           chars: "\x1b[21~"                    }
+      #   - { key: F11,                           chars: "\x1b[23~"                    }
+      #   - { key: F12,                           chars: "\x1b[24~"                    }
+      #   - { key: Back,                          chars: "\x7f"                        }
+      #   - { key: Back,     mods: Alt,           chars: "\x1b\x7f"                    }
+      #   - { key: Insert,                        chars: "\x1b[2~"                     }
+      #   - { key: Delete,                        chars: "\x1b[3~"                     }
+
+
+      selection = {
+        semantic_escape_chars = ",│`|:\"' ()[]{}<>";
+        save_to_clipboard = false;
+      };
+
+      cursor = {
+        style = {
+          shape = "Block";
+          blinking = "on";
+        };
+        unfocused_hollow = true;
+      };
+
+    };
+  };
+}

home/amalieem/default.nix

@@ -0,0 +1,43 @@
+{ pkgs, lib, ... }:
+{
+  imports = [
+    ./../alacritty.nix
+  ];
+
+  home = {
+    packages = with pkgs; [
+      papers
+      kitty
+      pavucontrol
+
+      # Window Manager Extras
+      bibata-cursors
+      hyprcursor
+      hypridle
+      hyprlock
+      hyprpaper
+      hyprshot
+      nautilus
+      networkmanager
+      swaynotificationcenter
+      waybar
+      wl-clipboard
+    ];
+
+    sessionVariables = {
+      EDITOR = "nvim";
+      VISUAL = "nvim";
+    };
+  };
+
+  programs = {
+    alacritty = {
+      enable = true;
+      settings.window.opacity = 0.92;
+    };
+    firefox.enable = true;
+    wofi.enable = true;
+  };
+
+  home.stateVersion = "24.11";
+}

home/base.nix

@@ -0,0 +1,69 @@
+{ pkgs, lib, ... }:
+{
+  imports = [
+    ./neovim.nix
+    ./zsh.nix
+  ];
+
+  home = {
+    packages = with pkgs; [
+      bat
+      bottom
+      # ncdu
+      neofetch
+      pwgen
+      sshfs
+      sshuttle
+    ];
+
+    sessionVariables = {
+      EDITOR = "nvim";
+      VISUAL = "nvim";
+    };
+  };
+
+  programs.nix-index = {
+    enable = true;
+    enableZshIntegration = true;
+  };
+
+  programs.fzf.enable = true;
+
+  programs.git = {
+    enable = true;
+
+    settings = {
+      pull.rebase = true;
+      push.autoSetupRemote = true;
+      color.ui = "auto";
+      init.defaultBranch = "main";
+      lfs.enable = true;
+
+      user = {
+        name = "Felix Albrigtsen";
+        email = lib.mkDefault "felix@albrigtsen.it";
+      };
+      safe = {
+        directory = "/config";
+      };
+    };
+    ignores = [
+      "*~"
+      "*.swp"
+      ".DS_Store"
+      ".vscode"
+    ];
+  };
+
+  programs.tmux = {
+    enable = true;
+    sensibleOnTop = true;
+
+    baseIndex = 1;
+    clock24 = true;
+    keyMode = "vi";
+    mouse = true;
+    terminal = "screen-256color";
+  };
+
+}

home/felixalb/home.nix

@@ -1,46 +0,0 @@
-{ config, pkgs, ... }:
-{
-  imports = [
-    ./nvim.nix
-  ];
-  home.username = "felixalb";
-  home.homeDirectory = "/home/felixalb";
-  home.stateVersion = "22.11";
-
-  programs = {
-	home-manager.enable = true;
-        alacritty = {
-          enable = true;
-        };
-        firefox.enable = true;
-        rofi.enable = true;
-        zsh = {
-          enable = true;
-          enableAutosuggestions = true;
-          enableSyntaxHighlighting = true;
-          prezto = {
-            enable = true;
-            prompt.theme = "paradox";
-          };
-          # initExtra = ''
-          #   bindkey "''${key[Up]}" up-line-or-search
-          #   bindkey "''${key[Down]}" down-line-or-search
-          # '';
-        };
-	git = {
-		enable = true;
-		userName = "Felix Albrigtsen";
-		userEmail = "felixalbrigtsen@gmail.com";
-	};
-  };
-
-  services = {
-    redshift = {
-      enable = true;
-      tray = true;
-
-      duskTime = "19:30-20:30";
-      dawnTime = "7:30-8:30";
-    };
-  };
-}

home/felixalb/nvim.nix

@@ -1,69 +0,0 @@
-{ pkgs, config, ... }
-{
-  programs.neovim = {
-    enable = true;
-    vimAlias = true;
-
-    extraConfig = ''
-      set number	" Show line numbers
-      set number relativenumber " Enable hybrid line numbers
-      set nu rnu
-      set signcolumn=number
-      set showmatch	" Highlight matching brace
-      set errorbells	" Beep or flash screen on errors
-
-      set hlsearch	" Highlight all search results
-      set smartcase	" Enable smart-case search
-      set incsearch	" Searches for strings incrementally
-
-      set autoindent	" Auto-indent new lines
-      set expandtab	" Use spaces instead of tabs
-      set shiftwidth=2 " Number of auto-indent spaces
-      set smartindent	" Enable smart-indent
-      set smarttab	" Enable smart-tabs
-      set softtabstop=0 " Number of spaces per Tab, auto
-
-      set updatetime=300 " Time interval for updating buffers
-
-      set ruler	" Show row and column ruler information
-
-      set undolevels=1000	" Number of undo levels
-      set backspace=indent,eol,start	" Backspace behaviour
-    '';
-
-    plugins = with pkgs.vimPlugins; [
-      vim-nix
-      vim-commentary
-      vim-devicons
-      { plugin = nerdtree;
-        config = "
-        nmap <silent> <C-t> :NERDTreeToggle<CR>
-        autocmd VimEnter * NERDTree \" Autostart nerdtree on vim startup
-        autocmd VimEnter * wincmd p \" Unselect nerdtree window
-        \" Close vim if Nerdtree is the only buffer left
-        autocmd bufenter * if (winnr(\"$\") == 1 && exists(\"b:NERDTree\") && b:NERDTree.isTabTree()) | q | endif
-        ";
-      }
-    ];
-    withNodeJs = true;
-    coc = {
-      enable = true;
-      settings = {
-        "suggest.enablePreview" = true;
-        "suggest.enablePreselect" = true;
-      };
-
-      package = pkgs.vimUtils.buildVimPluginFrom2Nix {
-        pname = "coc.nvim";
-        version = "2022-05-21";
-        src = pkgs.fetchFromGitHub {
-          owner = "neoclide";
-          repo = "coc.nvim";
-          rev = "791c9f673b882768486450e73d8bda10e391401d";
-          sha256 = "sha256-MobgwhFQ1Ld7pFknsurSFAsN5v+vGbEFojTAYD/kI9c=";
-        };
-        meta.homepage = "https://github.com/neoclide/coc.nvim/";
-      };
-    };
-  };
-}

home/neovim.nix

@@ -0,0 +1,140 @@
+{ pkgs, lib, inputs, config, ...}:
+let
+  undoDir = "${config.home.homeDirectory}/.vim/undo";
+in {
+  programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+    vimdiffAlias = true;
+    plugins = with pkgs.vimPlugins; [
+      lightline-vim
+      vim-lightline-coc
+
+      vim-commentary
+      vim-fugitive
+
+      nerdtree
+      nerdtree-git-plugin
+      vim-devicons
+      telescope-nvim
+
+      nvim-lspconfig
+      nvim-treesitter
+
+      coc-css
+      coc-go
+      coc-html
+      coc-json
+      coc-nvim
+
+      vim-nix
+      vim-puppet
+    ];
+
+    withNodeJs = true;
+
+    extraConfig = ''
+      let mapleader = ','
+      set number
+      set shiftwidth=2
+      set tabstop=2
+      set expandtab
+
+      set undofile
+      set undodir=${undoDir}
+      set undolevels=1000
+      set undoreload=10000
+
+      " Integrate status with lightline
+      let g:lightline = {
+        \   'active': {
+        \     'left': [[ 'mode', 'paste', 'filename', 'readonly', 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status'  ]]
+        \   }
+        \ }
+
+      " register components:
+      call lightline#coc#register()
+
+      " GoTo code navigation.
+      nmap <silent> gd <Plug>(coc-definition)
+      nmap <silent> gy <Plug>(coc-type-definition)
+      nmap <silent> gi <Plug>(coc-implementation)
+      nmap <silent> gr <Plug>(coc-references)
+
+      " Use K to show documentation in preview window.
+      nnoremap <silent> K :call ShowDocumentation()<CR>
+      function! ShowDocumentation()
+        if CocAction('hasProvider', 'hover')
+          call CocActionAsync('doHover')
+        else
+          call feedkeys('K', 'in')
+        endif
+      endfunction
+
+      " Enable syntax folding with coc
+      command! -nargs=* Fold :call CocAction('fold', <f-args>)
+
+      inoremap <silent><expr> <CR> coc#pum#visible() ? coc#pum#confirm()
+                                    \: "\<C-g>u\<CR>\<c-r>=coc#on_enter()\<CR>"
+
+      " Highlight the symbol and its references when holding the cursor.
+      autocmd CursorHold * silent call CocActionAsync('highlight')
+
+      " Symbol renaming.
+      nmap <leader>rn <Plug>(coc-rename)
+
+      " Use CTRL-S for selections ranges.
+      " Requires 'textDocument/selectionRange' support of language server.
+      nmap <silent> <C-s> <Plug>(coc-range-select)
+      xmap <silent> <C-s> <Plug>(coc-range-select)
+
+      " Step through diagnostics
+      nmap <silent> <g <Plug>(coc-diagnostic-prev)
+      nmap <silent> >g <Plug>(coc-diagnostic-next)
+
+      " Nerdtree-settings
+      " Toggle nerdtree on Ctrl+t
+      nmap <silent> <C-t> :NERDTreeToggle<CR>
+      " Close vim is Nerdtree is the only buffer left
+      autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
+
+      if empty($AERC_ACCOUNT) && empty($MOZ_APP_LAUNCHER)
+        autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
+        autocmd VimEnter * wincmd p " Unselect nerdtree window
+      endif
+
+      autocmd Filetype go setlocal expandtab tabstop=4 shiftwidth=4 softtabstop=4
+
+      " List and switch buffers on Ctrl+k
+      " nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space>
+      nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR>
+
+      " Telescope-settings
+      nnoremap <leader>ff <cmd>Telescope find_files<cr>
+      nnoremap <leader>fg <cmd>Telescope live_grep<cr>
+      nnoremap <leader>fb <cmd>Telescope buffers<cr>
+      nnoremap <leader>fh <cmd>Telescope help_tags<cr>
+      nnoremap <C-a> <cmd>Telescope buffers<cr>
+      nnoremap <C-s> <cmd>Telescope find_files<cr>
+      nnoremap <C-g> <cmd>Telescope live_grep<cr>
+
+      " Don't darken the background
+      autocmd VimEnter * highlight normal ctermbg=NONE guibg=NONE
+
+      " Show trailing whitespace
+      highlight ExtraWhitespace ctermbg=red guibg=red
+      match ExtraWhitespace /\s\+$/
+
+      " Disable search highlights
+      map <Leader><Space> :noh<CR>
+
+      " Start with Coc disabled
+      " autocmd VimEnter * CocDisable
+    '';
+  };
+
+  # Create undo directory
+  home.activation.vimUndoDir = lib.hm.dag.entryAfter ["writeBoundary"] "mkdir -p ${undoDir}";
+}

home/zsh.nix

@@ -0,0 +1,74 @@
+{ pkgs, lib, inputs, config, ... }: {
+  programs = {
+    zsh = {
+      enable = true;
+      history.extended = true;
+
+      prezto = {
+        enable = true;
+        editor = {
+          keymap = "vi";
+          dotExpansion = true;
+        };
+        prompt = {
+          theme = "paradox";
+          pwdLength = "long";
+          showReturnVal = true;
+        };
+        terminal.autoTitle = true;
+
+        pmodules = [
+          "environment"
+          "terminal"
+          "editor"
+          "history"
+          "history-substring-search"
+          # "directory"
+          "spectrum"
+          # "utility"
+          # "completion"
+          "git"
+          "autosuggestions"
+          "syntax-highlighting"
+          "prompt"
+        ];
+      };
+
+      initContent = ''
+        # Autocomplete ../
+        zstyle ':completion:*' special-dirs true
+        export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH"
+        unalias "gs"
+
+        if [ -f ~/.config/zsh-extras ]; then
+          source ~/.config/zsh-extras
+        fi
+      '';
+
+      shellAliases = {
+        c = "z";
+        em = "emacsclient -c";
+        emnw = "emacsclient -nw";
+        grep = "grep --color=auto";
+        l = "exa -l";
+        ls = "ls --color=auto";
+        nd = "nix develop --command zsh";
+        s = "nix-shell --run zsh";
+        sp = "nix-shell --run zsh -p";
+        spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p";
+        tree = "exa --tree --icons";
+
+        "git clone git clone" = "git clone";
+        gcm = "git commit -m";
+        gpl = "git pull";
+        gps = "git push";
+        gst = "git status -sb";
+      };
+    };
+
+    zoxide = {
+      enable = true;
+      enableZshIntegration = true;
+    };
+  };
+}

hosts/challenger/amalieem.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+let
+  cmdChownManga = pkgs.writeScriptBin "chownManga" ''
+    #!${pkgs.stdenv.shell}
+
+    chown -R amalieem:komga /tank/media/komga/Amalie
+    chmod -R 750 /tank/media/komga/Amalie
+  '';
+in {
+  users.users."amalieem" = {
+    isNormalUser = true;
+    home = "/home/amalieem";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
+    ];
+    packages = with pkgs; [
+      cmdChownManga
+
+      mangal
+      rsync
+    ];
+  };
+
+  security.sudo = {
+    enable = true;
+    extraRules = [{
+      commands = [
+        {
+          command = "${lib.getExe cmdChownManga}";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+      users = [ "amalieem" ];
+    }];
+  };
+}
+

hosts/challenger/backup.nix

@@ -0,0 +1,84 @@
+{ config, pkgs, lib, ... }:
+{
+  services.restic.backups = let
+    localJob = name: paths: {
+      inherit paths;
+      repository = "/mnt/feal-syn1/backup/challenger/${name}";
+      passwordFile = config.sops.secrets."restic/${name}".path;
+      initialize = true;
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+        "--keep-monthly 3"
+        "--keep-yearly 10"
+      ];
+    };
+    cloudJob = name: paths: {
+      inherit paths;
+      # "rsyncnet" connection details specified in /root/.ssh/config
+      repository = "sftp://rsyncnet/restic/challenger/${name}";
+      passwordFile = config.sops.secrets."restic/${name}".path;
+      initialize = true;
+      pruneOpts = [
+        # rsync.net keeps daily snapshots
+        "--keep-weekly 4"
+        "--keep-monthly 36"
+      ];
+    };
+  in {
+
+    # Calibre metadata and config
+    calibre = localJob "calibre" [
+      "/var/lib/calibre-web"
+      "/var/lib/calibre-server"
+    ];
+
+    # Other system backups (NB: Large!)
+    hostBackups = localJob "hostBackups" [
+      "/tank/backup"
+    ] // {
+      pruneOpts = [ "--keep-monthly 12" ];
+    };
+
+    media = localJob "media" [
+      "/tank/media/books"
+      "/tank/media/komga"
+      "/tank/media/music"
+    ];
+    media-remote = cloudJob "media" [
+      "/tank/media/books"
+      "/tank/media/komga"
+      "/tank/media/music"
+    ] // {
+      pruneOpts = [ "--keep-monthly 12" ];
+    };
+
+    # Nextcloud config and data
+    nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
+    nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
+
+    # Postgresql databases
+    postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
+      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
+    };
+    postgres-remote = (cloudJob "postgres" [ "/var/backup/postgres" ]) // {
+      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
+    };
+
+    # Transmission metadata/config
+    transmission = localJob "transmission" [ "/var/lib/transmission" ];
+
+    # TODO: timemachine
+  };
+
+  sops.secrets."restic/calibre" = { };
+  sops.secrets."restic/hostBackups" = { };
+  sops.secrets."restic/media" = { };
+  sops.secrets."restic/nextcloud" = { };
+  sops.secrets."restic/postgres" = { };
+  sops.secrets."restic/transmission" = { };
+
+  environment.systemPackages = with pkgs; [
+    restic
+  ];
+}

hosts/challenger/configuration.nix

@@ -0,0 +1,65 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+
+      ../../base.nix
+      ../../common/metrics-exporters.nix
+      ./amalieem.nix
+      ./backup.nix
+      # ./exports.nix
+      ./filesystems.nix
+
+      # ./services/archivebox.nix
+      ./services/audiobookshelf.nix
+      ./services/calibre.nix
+      ./services/jellyfin.nix
+      ./services/komga.nix
+      ./services/nextcloud.nix
+      ./services/nginx.nix
+      ./services/postgres.nix
+      ./services/timemachine.nix
+  ];
+
+  networking = {
+    hostName = "challenger";
+    bridges.br0.interfaces = [ "ens18" ];
+    interfaces.br0.useDHCP = false;
+    interfaces.br0.ipv4.addresses = [
+      { address = "192.168.10.161"; prefixLength = 24; }
+    ];
+
+    hostId = "828ab735";
+    defaultGateway = "192.168.10.1";
+  };
+
+  sops.defaultSopsFile = ../../secrets/challenger/challenger.yaml;
+
+  environment.variables = { EDITOR = "vim"; };
+  environment.systemPackages = with pkgs; [
+    zfs
+  ];
+
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers.backend = "docker";
+
+  security.polkit.enable = true; # Required for nextcloud
+
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+       "nvidia-x11"
+       "nvidia-settings"
+  ];
+
+  hardware.nvidia = {
+    modesetting.enable = true;
+    open = false;
+  };
+
+  hardware.graphics.enable = true;
+  services.xserver.videoDrivers = ["nvidia"];
+
+  system.stateVersion = "24.05";
+}
+

hosts/challenger/exports.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+{
+  fileSystems = {
+    "/export/riker-backup" = {
+      device = "/tank/backup/riker";
+      options = [ "bind" ];
+    };
+  };
+
+  # Enable nfs4 only
+  # services.nfs.server = {
+  #   enable = true;
+  #   exports = ''
+  #     /export                   192.168.10.67(rw,fsid=0,no_subtree_check)
+  #     /export/riker-backup      192.168.10.67(rw,nohide,no_subtree_check,no_root_squash)
+  #   '';
+  # };
+
+  # networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
+  # networking.firewall.allowedUDPPorts = [ 111 20048];
+}

hosts/challenger/filesystems.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, lib, ... }:
+{
+  # Boot drives are defined in ./hardware-configuration.nix
+
+  environment.systemPackages = with pkgs; [ cifs-utils ];
+
+  # Local zfs
+  boot = {
+    zfs = {
+      extraPools = [ "tank" ];
+      requestEncryptionCredentials = false;
+    };
+    supportedFilesystems = [ "zfs" ];
+  };
+  services.zfs.autoScrub = {
+    enable = true;
+    interval = "Wed *-*-8..14 00:00:00";
+  };
+
+  fileSystems = {
+    "/mnt/feal-syn1/backup" = {
+      # device = "feal-syn1.home.feal.no:/volume2/backup";
+      device = "192.168.10.162:/volume2/backup";
+      fsType = "nfs";
+      options = [
+        "defaults"
+        "noatime"
+        "rw"
+        "nfsvers=3"
+        "x-systemd.automount"
+        "noauto"
+      ];
+    };
+    "/mnt/feal-syn2/backup" = {
+      # device = "feal-syn1.home.feal.no:/volume2/backup";
+      device = "192.168.11.163:/volume1/challenger";
+      fsType = "nfs";
+      options = [
+        "defaults"
+        "noatime"
+        "rw"
+        "nfsvers=3"
+        "x-systemd.automount"
+        "noauto"
+      ];
+    };
+  };
+}

hosts/challenger/hardware-configuration.nix

@@ -1,39 +1,39 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 
 {
   imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/a6465c1c-4c93-423d-84a9-e4ecb9520741";
+    { device = "/dev/disk/by-uuid/7101364b-9056-4309-afeb-3c17b220684f";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/D0C1-97CE";
+    { device = "/dev/disk/by-uuid/FDCE-A287";
       fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
     };
 
-  swapDevices = [ ];
+  swapDevices = [ {
+    device = "/swapfile";
+    size = 16*1024;
+  } ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
   # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
   # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
   # networking.interfaces.idrac.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/challenger/home.nix

@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }:
+{
+  imports = [
+    ./../../home/base.nix
+  ];
+
+  programs = {
+    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+  };
+
+  home.stateVersion = "24.05";
+}

hosts/challenger/services/archivebox.nix

@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+  host = "127.0.1.2";
+  port = "5009";
+  uid = 911;
+  gid = 911;
+in {
+  users.users.archivebox = {
+    inherit uid;
+    group = "archivebox";
+    isSystemUser = true;
+    useDefaultShell = true;
+    description = "ArchiveBox web archiving tool";
+  };
+
+  users.groups.archivebox = {
+    inherit gid;
+  };
+
+  # ArchiveBox - Open source self-hosted web archiving.
+  virtualisation.oci-containers.containers.archivebox = {
+    image = "archivebox/archivebox:0.8.5rc50";
+    ports = [ "${host}:${port}:8000" ];
+    volumes = [
+      "/tank/archivebox:/data"
+    ];
+  };
+
+  services.nginx.virtualHosts."archivebox.home.feal.no" = {
+    locations."/" = {
+      proxyPass = "http://${host}:${port}";
+    };
+  };
+
+}

hosts/challenger/services/audiobookshelf.nix

@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "audiobooks.home.feal.no";
+  host = "127.0.1.2";
+  port = 5016;
+in {
+  fileSystems = {
+    "/var/lib/audiobookshelf" = {
+      device = "/tank/media/audiobookshelf/config";
+      options = [ "bind" ];
+    };
+  };
+
+  services.audiobookshelf = {
+    enable = true;
+    dataDir = "audiobookshelf";
+    inherit host port;
+  };
+
+  systemd.services.audiobookshelf = {
+    requires = [ "var-lib-audiobookshelf.mount" ];
+    serviceConfig = {
+      # Better safe than sorry :)
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ReadWritePaths = [
+        "/var/lib/audiobookshelf"
+        "/tank/media/audiobookshelf"
+      ];
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      UMask = "0007";
+      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+      SystemCallArchitectures = "native";
+    };
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    locations."/" = {
+      proxyPass = "http://${host}:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/challenger/services/calibre.nix

@@ -1,5 +1,4 @@
 { config, lib, pkgs, ... }:
-
 let
   domain = "books.home.feal.no";
   storage = "/tank/media/books";
@@ -7,10 +6,16 @@ let
 in {
   services = {
     nginx.virtualHosts.${domain} = {
-      locations."/".proxyPass =
-        "http://${cfg.listen.ip}:${toString cfg.listen.port}";
-      locations."/opds".proxyPass =
-        "http://${cfg.listen.ip}:${toString cfg.listen.port}";
+      locations = {
+        "/".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
+        "/opds".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
+      };
+      extraConfig = ''
+        client_max_body_size 512M;
+        proxy_busy_buffers_size 512k;
+        proxy_buffers 4 512k;
+        proxy_buffer_size 256k;
+      '';
     };
 
     calibre-server = {
@@ -27,6 +32,7 @@ in {
       options = {
         calibreLibrary = storage;
         enableBookConversion = true;
+        enableKepubify = true;
         enableBookUploading = true;
       };
     };

hosts/challenger/services/jellyfin.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # Jellyfin - Media Streaming platform
+  services.jellyfin.enable = true;
+
+  users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
+
+  services.nginx.virtualHosts."jellyfin.home.feal.no" = {
+    serverAliases = [ "jf.feal.no" ];
+    locations = {
+      "= /" = {
+        return = "302 http://$host/web/";
+      };
+
+      "/" = {
+        proxyPass = "http://127.0.0.1:8096";
+        extraConfig = ''
+          proxy_buffering off;
+        '';
+      };
+
+      "/socket" = {
+        proxyPass = "http://127.0.0.1:8096";
+        proxyWebsockets = true;
+      };
+    };
+
+    extraConfig = ''
+      add_header X-XSS-Protection "1; mode=block";
+      add_header X-Content-Type-Options "nosniff";
+      add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+    '';
+  };
+}

hosts/challenger/services/komga.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "komga.home.feal.no";
+  port = 5001;
+in {
+  services.komga = {
+    enable = true;
+    stateDir = "/tank/media/komga";
+    settings.server = {
+      inherit port;
+    };
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+
+    extraConfig = ''
+      client_max_body_size 512M;
+    '';
+  };
+}

hosts/challenger/services/nextcloud.nix

@@ -0,0 +1,154 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.nextcloud;
+  hostName = "cloud.feal.no";
+in {
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud32;
+    inherit hostName;
+    home = "/tank/nextcloud";
+    https = true;
+    webfinger = true;
+
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      adminuser = "ncadmin";
+      adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+    };
+
+    settings = {
+      default_phone_region = "NO";
+      log_type = "file";
+      overwriteprotocol = "https";
+      trusted_proxies = [ "192.168.10.175" ]; # defiant
+
+      # Docs: https://github.com/pulsejet/nextcloud-oidc-login
+      oidc_login_auto_redirect = true;
+      oidc_login_button_text = "Log in with KeyCloak";
+      oidc_login_client_id = "nextcloud";
+      oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
+      oidc_login_code_challenge_method = "S256";
+      oidc_login_end_session_redirect' = true;
+      oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
+      oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
+      oidc_login_redir_fallback = true;
+
+      oidc_login_attributes = {
+        id = "preferred_username";
+        mail = "email";
+        name = "name";
+        login_filter = "nextcloud-roles";
+      };
+      oidc_login_filter_allowed_values = [ "nextcloud-user" ];
+      oidc_login_disable_registration = false;
+
+      "memories.exiftool" = pkgs.writeShellScript "exiftool-perl" ''
+        ${lib.getExe pkgs.perl} ${cfg.home}/store-apps/memories/bin-ext/exiftool/exiftool "$@"
+      '';
+      "memories.exiftool_no_local" = false;
+      "memories.vod.disable" = false;
+      "memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
+      "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
+      preview_ffmpeg_path = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
+    };
+
+    secretFile = config.sops.secrets."nextcloud/secretsjson".path;
+
+    phpOptions = {
+      "opcache.interned_strings_buffer" = "16";
+      "upload_max_filesize" = lib.mkForce "8G";
+      "post_max_size" = lib.mkForce "8G";
+      "memory_limit" = lib.mkForce "8G";
+    };
+
+    poolSettings = {
+      "pm" = "ondemand";
+      "pm.max_children" = 32;
+      "pm.process_idle_timeout" = "10s";
+      "pm.max_requests" = 500;
+    };
+  };
+
+  environment.systemPackages = [
+    cfg.occ # "occ CMD" in the docs -> "sudo -u nextcloud nextcloud-occ CMD"
+    pkgs.nodejs_20 # For Recognize; Put /run/current-system/sw/bin/node in the "node_binary" field in the web UI -> Memories
+  ];
+
+  sops.secrets."nextcloud/adminpass" = {
+    mode = "0440";
+    owner = "nextcloud";
+    group = "nextcloud";
+    restartUnits = [ "phpfpm-nextcloud.service" ];
+  };
+  sops.secrets."nextcloud/secretsjson" = {
+    mode = "0440";
+    owner = "nextcloud";
+    group = "nextcloud";
+    restartUnits = [ "phpfpm-nextcloud.service" ];
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [ {
+      name = "nextcloud";
+      ensureDBOwnership = true;
+    } ];
+  };
+
+  systemd.services.nextcloud-cron = {
+    path = with pkgs; [
+      exiftool
+      ffmpeg-headless
+    ];
+  };
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  systemd.services."phpfpm-nextcloud" = {
+    requires = [ "tank-nextcloud.mount" ];
+    path = with pkgs; [
+      # perl
+      # perlPackages.ImageExifTool
+      exiftool
+      ffmpeg-headless
+    ];
+    serviceConfig = {
+      PrivateDevices = lib.mkForce false;
+      WorkingDirectory = "/tank/nextcloud";
+
+      NoNewPrivileges = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
+      ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
+      InaccessiblePaths = [ "/tank/media" "/tank/backup" ];
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      UMask = "0007";
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "@system-service";
+      CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+    };
+  };
+
+  # Notes:
+  # - Install Memories and Recognize from the app store
+  #  - They might need to be forced on with "nextcloud-occ app:enable memories", etc.
+  # - Run "nextcloud-occ maintenance:repair" to fix broken paths
+  # - Download ai models and maps with the commands given in the ui
+  # - libtensorflow doesn't work properly through node, but recognize still works(?)
+}

hosts/challenger/services/nginx.nix

@@ -0,0 +1,23 @@
+{ config, values, ... }:
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    clientMaxBodySize = "100m";
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    virtualHosts."cloud.feal.no".default = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  /* security.acme = { */
+  /*   acceptTerms = true; */
+  /*   email = "felix@albrigtsen.it"; */
+  /* }; */
+}

hosts/challenger/services/postgres.nix

@@ -4,16 +4,10 @@
     enable = true;
     /* enableTCPIP = true; # Expose on the network */
     authentication = pkgs.lib.mkOverride 10 ''
-     local gitea all ident map=gitea-users
-     local vaultwarden all ident map=vaultwarden-users
      local all all trust
      host all all 127.0.0.1/32 trust
      host all all ::1/128 trust
     '';
-    identMap = ''
-      gitea-users gitea gitea
-      vaultwarden-users vaultwarden vaultwarden
-    '';
   };
 
   services.postgresqlBackup = {
@@ -23,8 +17,5 @@
     backupAll = true;
   };
 
-  
   environment.systemPackages = [ config.services.postgresql.package ];
 }
-
-

hosts/challenger/services/timemachine.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+  let
+    timeMachineDir = "/tank/backup/worf2";
+    user = "worf-backup";
+    sizeLimit = "1000000"; # MiB
+    allowedIPs = "192.168.10.2 192.168.10.34"; #TODO
+  in {
+  services.avahi = {
+    enable = true;
+    publish = {
+      enable = true;
+      userServices = true;
+    };
+  };
+
+  services.netatalk = {
+    enable = true;
+
+    settings = {
+      Global = {
+        "mimic model" = "TimeCapsule6,106";  # show the icon for the first gen TC
+        "hosts allow" = allowedIPs;
+      };
+
+      "worf-time-machine" = {
+        "time machine" = "yes";
+        "path" = timeMachineDir;
+        "valid users" = user;
+        "vol size limit" = sizeLimit;
+      };
+    };
+  };
+
+  users.extraUsers.worf-backup = {
+    isSystemUser = true;
+    name = user;
+    group = user;
+  };
+  users.groups."${user}" = {};
+
+  networking.firewall.allowedTCPPorts = [ 548 636 ];
+}

hosts/chapel/configuration.nix

@@ -1,80 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports =
-    [
-      ../../base.nix
-      ../../common/metrics-exporters.nix
-
-      ./hardware-configuration.nix
-
-      ./services/nginx.nix
-      ./services/metrics
-      ./services/cloudflared.nix
-    ];
-
-  networking = {
-    hostName = "chapel";
-    defaultGateway = "192.168.10.1";
-    nameservers = [ "192.168.10.1" ];
-    interfaces.eth0.ipv4 = {
-      addresses = [
-        { address = "192.168.10.100"; prefixLength = 24; }
-      ];
-    };
-  };
-
-  environment.variables = { EDITOR = "vim"; };
-  environment.systemPackages = with pkgs; [
-    ((vim_configurable.override {  }).customize{
-       name = "vim";
-       vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
-       start = [ vim-nix vim-lastplace ];
-       opt = [];
-     };
-     vimrcConfig.customRC = ''
-     " your custom vimrc
-     set number
-     set relativenumber
-     set nu rnu
-     set signcolumn=number
-
-     set hlsearch
-     set smartcase
-     set incsearch
-
-     set autoindent
-     set expandtab
-     set shiftwidth=2
-     set tabstop=2
-     set smartindent
-     set smarttab
-
-     set ruler
-
-     set undolevels=1000
-
-     set nocompatible
-     set backspace=indent,eol,start
-     " Turn on syntax highlighting by default
-     syntax on
-     " ...
-     '';
-    }
-  )
-  ];
-
-  networking.firewall.allowedTCPPorts = [ 80 22 3100 ];
-
-  # system.copySystemConfiguration = true;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
-
-}
-

hosts/chapel/services/cloudflared.nix

@@ -1,24 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  users.users.cloudflared = {
-    group = "cloudflared";
-    isSystemUser = true;
-  };
-  users.groups.cloudflared = { };
-
-  environment.systemPackages = [
-    pkgs.cloudflared
-  ];
-
-  systemd.services.cloudflared_tunnel = {
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-    serviceConfig = {
-      ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token=TODO_FIXSECRETS";
-      Restart = "always";
-      User = "cloudflared";
-      Group = "cloudflared";
-    };
-  };
-}

hosts/chapel/services/hedgedoc.nix

@@ -1,22 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.hedgedoc = {
-    enable = true;
-    settings = {
-      port = 3031;
-      allowFreeURL = true;
-    };
-    config = {
-      domain = "md.feal.no";
-      db = {
-        dialect = "mysql";
-        host = "mysql.home.feal.no";
-        port = 3306;
-        database = "hedgedoc";
-        username = "hedgedoc";
-        password = "DummyPasswordPlzSops";
-      };
-    };
-  };
-}

hosts/chapel/services/metrics/grafana.nix

@@ -1,64 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  cfg = config.services.grafana;
-in {
-  services.grafana = {
-    enable = true;
-    settings.server = {
-      domain = "grafana.feal.no";
-      http_port = 2342;
-      http_addr = "127.0.0.1";
-    };
-
-    provision = {
-      enable = true;
-      datasources.settings.datasources = [
-        {
-          name = "Prometheus";
-          type = "prometheus";
-          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
-         isDefault = true;
-        }
-        {
-          name = "Loki";
-          type = "loki";
-          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
-        }
-      ];
-      dashboards.settings.providers = [
-        {
-          name = "Node Exporter Full";
-          type = "file";
-          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
-          options.path = dashboards/node-exporter-full.json;
-        }
-        {
-          name = "Synology NAS Details";
-          type = "file";
-          url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
-          options.path = dashboards/synology-nas-details.json;
-        }
-        {
-          name = "OpenWRT";
-          type = "file";
-          url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
-          options.path = dashboards/openwrt.json;
-        }
-      ];
-    };
-  };
-
-  services.nginx.virtualHosts.${cfg.settings.server.domain} = {
-    locations = {
-      "/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
-        proxyWebsockets = true;
-        extraConfig = ''
-          proxy_buffers 8 1024k;
-          proxy_buffer_size 1024k;
-        '';
-      };
-    };
-  };
-}

hosts/chapel/services/metrics/loki.nix

@@ -1,75 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  cfg = config.services.loki;
-in {
-  services.loki = {
-    enable = true;
-    configuration = {
-      auth_enabled = false;
-      server = {
-        http_listen_port = 3100;
-        http_listen_address = "0.0.0.0";
-        grpc_listen_port = 9096;
-      };
-
-      ingester = {
-        wal = {
-          enabled = true;
-          dir = "/var/lib/loki/wal";
-        };
-        lifecycler = {
-          address = "127.0.0.1";
-          ring = {
-            kvstore = {
-              store = "inmemory";
-            };
-            replication_factor = 1;
-          };
-          final_sleep = "0s";
-        };
-        chunk_idle_period = "1h";
-      };
-
-      schema_config = {
-        configs = [
-          {
-            from = "2022-12-01";
-            store = "boltdb-shipper";
-            object_store = "filesystem";
-            schema = "v11";
-            index = {
-              prefix = "index_";
-              period = "24h";
-            };
-          }
-        ];
-      };
-
-      storage_config = {
-        boltdb_shipper = {
-          active_index_directory = "/var/lib/loki/boltdb-shipper-index";
-          cache_location = "/var/lib/loki/boltdb-shipper-cache";
-          shared_store = "filesystem";
-          cache_ttl = "24h";
-        };
-        filesystem = {
-          directory = "/var/lib/loki/chunks";
-        };
-      };
-
-      limits_config = {
-        enforce_metric_name = false;
-        reject_old_samples = true;
-        reject_old_samples_max_age = "72h";
-      };
-
-      compactor = {
-        working_directory = "/var/lib/loki/compactor";
-        shared_store = "filesystem";
-      };
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
-}

hosts/chapel/services/metrics/snmp-exporter.nix

@@ -1,20 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  environment.systemPackages = [
-    pkgs.prometheus-snmp-exporter
-  ];
-
-  systemd.services.prometheus-snmp-exporter = {
-    enable = true;
-    description = "Gather data from SNMP devices and expose them as Prometheus metrics";
-    unitConfig = {
-      Type = "simple";
-    };
-    serviceConfig = {
-      ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/var/prometheus/snmp.yml'";
-      # TODO: Fix this conf file!
-    };
-    wantedBy = [ "multi-user.target" ];
-  };
-}

hosts/chapel/services/nginx.nix

@@ -1,11 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
-}

hosts/defiant/backup.nix

@@ -0,0 +1,50 @@
+{ config, pkgs, lib, ... }:
+{
+  services.restic.backups = let
+    localJob = name: paths: {
+      inherit paths;
+      repository = "/mnt/feal-syn1/backup/defiant/${name}";
+      passwordFile = config.sops.secrets."restic/${name}".path;
+      initialize = true;
+      pruneOpts = [
+        "--keep-daily 3"
+        "--keep-weekly 4"
+        "--keep-monthly 3"
+      ];
+    };
+    cloudJob = name: paths: {
+      inherit paths;
+      # "rsyncnet" connection details specified in /root/.ssh/config
+      repository = "sftp://rsyncnet/restic/defiant/${name}";
+      passwordFile = config.sops.secrets."restic/${name}".path;
+      initialize = true;
+      pruneOpts = [
+        # rsync.net keeps daily snapshots
+        "--keep-weekly 4"
+        "--keep-monthly 36"
+      ];
+    };
+  in {
+    postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
+      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
+    };
+    postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
+      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
+    };
+
+    gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
+    gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
+
+    matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
+    matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
+
+    vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
+    vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
+  };
+
+  # TODO: home-assistant, pihole
+  sops.secrets."restic/postgres" = { };
+  sops.secrets."restic/gitea" = { };
+  sops.secrets."restic/matrix-synapse" = { };
+  sops.secrets."restic/vaultwarden" = { };
+}

hosts/defiant/configuration.nix

@@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ../../base.nix
+      ../../common/metrics-exporters.nix
+      ./filesystems.nix
+      ./hardware-configuration.nix
+
+      # Infrastructure
+      ./backup.nix
+      ./libvirt.nix
+      ./services/dyndns.nix
+      ./services/nginx.nix
+      ./services/pihole.nix
+      ./services/postgresql.nix
+      ./services/wireguard.nix
+
+      # Services
+      ./services/gitea.nix
+      ./services/hedgedoc.nix
+      ./services/home-assistant.nix
+      ./services/keycloak.nix
+      ./services/matrix
+      ./services/microbin.nix
+      # ./services/minecraft/home.nix
+      ./services/monitoring
+      # ./services/rtl-tcp.nix
+      # ./services/searx.nix
+      ./services/vaultwarden.nix
+  ];
+
+  networking = {
+    hostName = "defiant";
+    defaultGateway = "192.168.10.1";
+    interfaces.enp3s0.ipv4 = {
+      addresses = [
+        { address = "192.168.10.175"; prefixLength = 24; } # Main IP for defiant, internal
+      ];
+    };
+    hostId = "8e84f235";
+  };
+
+  sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
+
+  environment.variables = { EDITOR = "vim"; };
+
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers.backend = "docker";
+
+  system.stateVersion = "23.11";
+}
+

hosts/defiant/filesystems.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+{
+  # Boot drives are defined in ./hardware-configuration.nix
+
+  boot = {
+    zfs.extraPools = [ "tank" ];
+    supportedFilesystems = [ "zfs" ];
+  };
+  services.prometheus.exporters.zfs.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    cifs-utils
+    zfs
+  ];
+
+  fileSystems = {
+    "/mnt/feal-syn1/backup" = {
+      device = "192.168.10.162:/volume2/backup";
+      fsType = "nfs";
+      options = [
+        "defaults"
+        "noatime"
+        "rw"
+        "nfsvers=3"
+        "x-systemd.automount"
+        "noauto"
+      ];
+    };
+  };
+}

hosts/defiant/hardware-configuration.nix

@@ -0,0 +1,36 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/DDDC-5C0C";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ {
+      device = "/swapfile";
+      size = 8*1024;
+  } ];
+
+  networking.useDHCP = lib.mkDefault false;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/defiant/home.nix

@@ -0,0 +1,13 @@
+{ pkgs, lib, ... }:
+{
+
+  imports = [
+    ./../../home/base.nix
+  ];
+
+  programs = {
+    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+  };
+
+  home.stateVersion = "23.05";
+}

hosts/defiant/libvirt.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, lib, ... }:
+{
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+
+  boot.extraModprobeConfig = "options kvm_amd nested=1";
+  boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
+
+  users.users.felixalb.extraGroups = [ "libvirtd" ];
+
+  fileSystems."/var/lib/libvirt/images" = {
+    device = "/tank/iso";
+    options = [ "bind" ];
+  };
+
+  # On a gui-enabled machine, connect with:
+  # $ virt-manager --connect "qemu+ssh://defiant/system?socket=/var/run/libvirt/libvirt-sock"
+}

hosts/defiant/services/dyndns.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+
+{
+  sops.secrets."domeneshop/netrc" = { };
+
+  services.domeneshop-dyndns = {
+    enable = true;
+    domain = "site3.feal.no";
+    netrcFile = config.sops.secrets."domeneshop/netrc".path;
+  };
+}

hosts/defiant/services/gitea.nix

@@ -1,36 +1,41 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
   cfg = config.services.gitea;
   domain = "git.feal.no";
   httpPort = 3004;
+  sshPort = 2222;
 in {
     services.gitea = {
       enable = true;
-      package = pkgs.unstable.gitea;
       appName = "felixalbs Gitea";
-      database = {
-        type = "postgres";
-      };
+      database.type = "postgres";
+      stateDir = "/tank/services/gitea";
 
       settings = {
         server = {
-          LANDING_PAGE=''"/felixalb"'';
-          HTTP_PORT = httpPort;
+          # Serve on local unix socket, exposed in hosts/defiant/services/nginx.nix
+          PROTOCOL = "http+unix";
           DOMAIN = domain;
           ROOT_URL = "https://${domain}";
+          LANDING_PAGE=''"/felixalb"'';
+
+          SSH_PORT = sshPort;
+          SSH_LISTEN_PORT = sshPort;
+          START_SSH_SERVER = true;
+          BUILTIN_SSH_SERVER_USER = "git";
         };
 
         service.DISABLE_REGISTRATION = true;
         session.COOKIE_SECURE = true;
 
         packages.ENABLED = false;
+        packages.CHUNKED_UPLOAD_PATH = "${cfg.stateDir}/tmp/package-upload";
 
         oauth2_client = {
           ENABLE_AUTO_REGISTRATION = true;
           OPENID_CONNECT_SCOPES = "email profile openid";
           UPDATE_AVATAR = true;
           ACCOUNT_LINKING = "auto";
-          USERNAME = "email";
         };
 
         log.LEVEL = "Info";
@@ -39,14 +44,16 @@ in {
 
         ui = {
           THEMES="gitea,arc-green,nord";
-          DEFAULT_THEME="nord";
+          #DEFAULT_THEME="nord";
         };
       };
 
-      # TODO:
-      # - dump (automatic backups)
-      # - configure mailer
+      # TODO: configure mailer
     };
 
-    networking.firewall.allowedTCPPorts = [ httpPort ];
+    systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";
+
+    services.postgresqlBackup.databases = [ "gitea" ];
+
+    networking.firewall.allowedTCPPorts = [ sshPort ];
 }

hosts/defiant/services/hedgedoc.nix

@@ -0,0 +1,120 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.hedgedoc.settings;
+  domain = "md.feal.no";
+  port = 3300;
+  host = "127.0.1.2";
+  authServerUrl = "https://iam.feal.no";
+in {
+  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+  sops.secrets."hedgedoc/env" = {
+    restartUnits = [ "hedgedoc.service" ];
+  };
+
+  services.hedgedoc = {
+    enable = true;
+    environmentFile = config.sops.secrets."hedgedoc/env".path;
+    settings = {
+      inherit domain port host;
+      protocolUseSSL = true;
+      sessionSecret = "$CMD_SESSION_SECRET";
+
+      allowFreeURL = true;
+      allowAnonymous = false;
+      allowAnonymousEdits = true;
+
+      db = {
+        username = "hedgedoc";
+        database = "hedgedoc";
+        host = "/run/postgresql";
+        dialect = "postgresql";
+      };
+
+      email = false;
+      oauth2 = let
+        oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect";
+      in {
+        providerName = "Keycloak";
+        authorizationURL = "${oidc}/auth";
+        baseURL = "${authServerUrl}";
+        tokenURL = "${oidc}/token";
+        userProfileURL = "${oidc}/userinfo";
+
+        clientID = "hedgedoc";
+        clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
+        scope = "openid email profile";
+        userProfileDisplayNameAttr = "name";
+        userProfileEmailAttr = "email";
+        userProfileUsernameAttr = "preferred_username";
+        rolesClaim = "hedgedoc-roles";
+        accessRole = "hedgedoc-user";
+      };
+    };
+  };
+
+  systemd.services.hedgedoc = {
+    requires = [
+      "postgresql.service"
+    ];
+    serviceConfig = let
+      workDir = "/var/lib/hedgedoc";
+    in {
+      WorkingDirectory = lib.mkForce workDir;
+      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
+
+      # Better safe than sorry :)
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ReadWritePaths = [ workDir ];
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      UMask = "0007";
+      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+      SystemCallArchitectures = "native";
+      # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "hedgedoc" ];
+    ensureUsers = [{
+      name = "hedgedoc";
+      ensureDBOwnership = true;
+    }];
+  };
+
+  services.postgresqlBackup.databases = [ "hedgedoc" ];
+
+  services.nginx.virtualHosts."${domain}" = {
+    listen = [
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
+    ];
+
+    enableACME = true;
+    forceSSL = true;
+
+    locations = {
+      "/" = {
+        proxyPass = "http://${host}:${toString port}";
+      };
+      "/socket.io" = {
+        proxyPass = "http://${host}:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

hosts/defiant/services/home-assistant.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "ha.home.feal.no";
+in {
+  # Home-assistant - Smart Home Controller
+  # https://www.home-assistant.io/installation/linux#install-home-assistant-container
+  # The container is supposed to run as "privileged", but I believe this is only to allow device access (dongles/radios/etc.)
+
+  virtualisation.oci-containers.containers = {
+    homeassistant = {
+      image = "ghcr.io/home-assistant/home-assistant:2025.5.3";
+      extraOptions = [
+        "--network=host"
+        "--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB
+      ];
+      volumes = [
+        "/tank/services/homeassistant/config:/config"
+      ];
+      environment = {
+        TZ = "Europe/Oslo";
+      };
+    };
+  };
+
+  # Requires addition to configuration.yaml:
+  #  http:
+  #    server_host: 127.0.0.1
+  #    use_x_forwarded_for: true
+  #    trusted_proxies: 127.0.0.1
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8123";
+      proxyWebsockets = true;
+    };
+    listen = [
+      { addr = "192.168.10.175"; port = 80; ssl = false; }
+      { addr = "192.168.10.175"; port = 8123; ssl = false; }
+    ];
+  };
+}
+

hosts/defiant/services/keycloak.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.keycloak.settings;
+  hostname = "iam.feal.no";
+in {
+  sops.secrets."keycloak/postgres" = { };
+
+  services.keycloak = {
+    enable = true;
+
+    database = {
+      type = "postgresql";
+      createLocally = true;
+      username = "keycloak";
+      passwordFile = config.sops.secrets."keycloak/postgres".path;
+    };
+
+    settings = {
+      cache = "local";
+      hostname = "https://${hostname}";
+      hostname-backchannel-dynamic = false;
+      http-enabled = true;
+      http-host = "127.0.1.2";
+      http-port = 5060;
+      proxy-headers = "xforwarded";
+    };
+  };
+
+  # The main reverse proxy is defined in ./nginx.nix
+  services.nginx.virtualHosts.${hostname} = {
+    locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
+  };
+}

hosts/defiant/services/matrix/admin.nix

@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "matrix-admin.home.feal.no";
+  # backend = "http://127.0.0.1:8008";
+  backend = "http://unix:/run/matrix-synapse/matrix-synapse.sock";
+  synapse-admin = pkgs.callPackage ./adminPkg.nix { };
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/".root = "${synapse-admin}";
+    locations."/_synapse".proxyPass = "${backend}";
+    locations."/_matrix".proxyPass = "${backend}";
+  };
+}
+

hosts/defiant/services/matrix/adminPkg.nix

@@ -0,0 +1,14 @@
+{ lib, stdenvNoCC, fetchzip }:
+
+stdenvNoCC.mkDerivation rec {
+  name = "synapse-admin";
+  version = "0.8.7";
+  src = fetchzip {
+    url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/${version}/synapse-admin-${version}-dirty.tar.gz";
+    hash = "sha256-maaiU9ilmzE5lV9Ofjpli4g08/UcgZ82FaIMRrfOy7s=";
+  };
+  phases = [ "installPhase" ];
+  installPhase = ''
+    cp -r $src $out
+  '';
+}

hosts/defiant/services/matrix/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./synapse.nix
+    ./admin.nix
+  ];
+}
+

hosts/defiant/services/matrix/synapse.nix

@@ -1,7 +1,4 @@
-{ config, pkgs, ... }:
-let
-  main_ip = "127.0.1.2";
-in
+{ config, pkgs, lib, ... }:
 {
   sops.secrets."matrix/synapse/registrationsecret" = {
     restartUnits = [ "matrix-synapse.service" ];
@@ -9,9 +6,24 @@ in
     group = "matrix-synapse";
   };
 
-  services.matrix-synapse = {
+  sops.secrets."matrix/synapse/oidcsecret" = {
+    restartUnits = [ "matrix-synapse.service" ];
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
+  services.matrix-synapse-next = {
     enable = true;
-    package = pkgs.matrix-synapse;
+    enableNginx = true;
+
+    workers = {
+      federationSenders = 1;
+      federationReceivers = 2;
+      initialSyncers = 1;
+      normalSyncers = 1;
+      eventPersisters = 1;
+      useUserDirectoryWorker = true;
+    };
 
     extraConfigFiles = [
       config.sops.secrets."matrix/synapse/registrationsecret".path
@@ -63,42 +75,39 @@ in
       tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
       tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
 
-      listeners = [
-        { port = 8008;
-          bind_addresses = [ main_ip ];
-          type = "http";
-          tls = false;
-          x_forwarded = true;
-          resources = [
-            { names = [ "client" ]; compress = true; }
-            { names = [ "federation" ]; compress = true; }
-          ];
+      enableSlidingSync = true;
+
+      oidc_providers = [
+        {
+          idp_id = "keycloak";
+          idp_name = "Keycloak";
+          issuer = "https://iam.feal.no/realms/feal.no";
+          client_id = "matrix-synapse";
+          client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
+          user_mapping_provider.config = {
+            localpart_template = "{{ user.preferred_username }}";
+            display_name_template = "{{ user.name }}";
+          };
+          attribute_requirements = [{
+            attribute = "matrix-roles";
+            value = "matrix-user";
+          }];
+          backchannel_logout_enabled = true;
+          enable_registration = false;
         }
       ];
     };
   };
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  services.redis.servers."".enable = true;
 
-  services.nginx = {
-    enable = true;
-    enableReload = true;
+  services.postgresqlBackup.databases = [ "matrix-synapse" ];
 
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-
-    virtualHosts."matrix.feal.no" = {
-      locations."/_matrix" = {
-        proxyPass = "http://${main_ip}:8008";
-        extraConfig = ''
-          client_max_body_size 50M;
-        '';
-      };
-      # locations."/_synapse/client".proxyPass = "http://${main_ip}:8008";
-      locations."/" = {
-        proxyPass = "http://${main_ip}:8008";
-      };
-    };
+  services.nginx.virtualHosts."matrix.feal.no" = {
+    listen = [
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
+    ];
   };
+
 }

hosts/defiant/services/microbin.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.microbin;
+  domain = "p.feal.no";
+  address = "127.0.1.2";
+  port = 5006;
+in {
+
+  services.microbin = {
+    enable = true;
+    passwordFile = config.sops.secrets."microbin/secrets".path;
+    settings = {
+      MICROBIN_BIND = address;
+      MICROBIN_DISABLE_TELEMETRY = true;
+      MICROBIN_ENABLE_BURN_AFTER = true;
+      MICROBIN_FOOTER_TEXT = "Be nice or go away";
+      MICROBIN_NO_FILE_UPLOAD = true;
+      MICROBIN_NO_LISTING = true;
+      MICROBIN_PORT = port;
+      MICROBIN_PUBLIC_PATH = "https://${domain}/";
+      MICROBIN_QR = true;
+      MICROBIN_TITLE = "Temporary pasta collection";
+    };
+  };
+
+  sops.secrets."microbin/secrets" = { };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+
+    listen = [
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
+    ];
+
+    locations."/" = {
+      proxyPass = "http://${address}:${toString port}";
+    };
+  };
+}

hosts/defiant/services/minecraft/home.nix

@@ -0,0 +1,50 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+  imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
+  nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
+
+  services.minecraft-servers = {
+    enable = true;
+    eula = true;
+    openFirewall = true;
+    dataDir = "/var/lib/minecraft-server";
+
+    servers.home = {
+      enable = true;
+      jvmOpts = "-Xms4G -Xmx4G";
+
+      package = pkgs.fabricServers.fabric-1_21_4;
+
+      serverProperties = {
+        motd = "Home <3";
+        difficulty = "easy";
+        view-distance = 16;
+        simulation-distance = 16;
+        enable-command-block = true;
+        enable-rcon = true;
+        online-mode = false;
+        "rcon.password" = "wack";
+      };
+
+      symlinks = {
+        mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
+          FabricAPI = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
+            sha256 = "sha256-nL1bcAaMW0tRCpfW0prd3mce14ZNcl7pAUabVXAQfWs=";
+          };
+          Lithium = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/zVOQw7YU/lithium-fabric-0.14.6%2Bmc1.21.4.jar";
+            sha256 = "sha256-iF4hy+3XVJP7Fv6R2dsrYq6Ct0MQJLX4/4Yh5WEJm90=";
+          };
+        });
+      };
+    };
+  };
+
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "minecraft-server"
+  ];
+
+  networking.firewall.allowedUDPPorts = [ 24454 ];
+}
+

hosts/defiant/services/minecraft/wack.nix

@@ -0,0 +1,70 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+  imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
+  nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
+
+  services.minecraft-servers = {
+    enable = true;
+    eula = true;
+    openFirewall = true;
+    dataDir = "/var/lib/minecraft-wack";
+
+    servers.wack = {
+      enable = true;
+      jvmOpts = "-Xms4G -Xmx4G";
+
+      package = pkgs.fabricServers.fabric-1_20_4;
+
+      serverProperties = {
+        motd = "WackAttack M1n3cr4f7";
+        white-list = true;
+        difficulty = "normal";
+        view-distance = 16;
+        simulation-distance = 16;
+        enable-command-block = true;
+        enable-rcon = true;
+        "rcon.password" = "wack";
+      };
+
+      symlinks = {
+        mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
+          FabricAPI = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/JMCwDuki/fabric-api-0.92.0%2B1.20.4.jar";
+            sha256 = "sha256-7U0BK5CBENWY4s3t+dXTASprIeY4Tdeyzc06lNGkc/Q=";
+          };
+          Lithium = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/nMhjKWVE/lithium-fabric-mc1.20.4-0.12.1.jar";
+            sha256 = "sha256-as1JWV7mnhJkz8eYmPVpRS5BvWaYVGf8s40oBBka880=";
+          };
+          MCDiscordChat = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/D0sHdnXY/versions/tldGNWOW/MC-Discord-Chat-2.2.5.jar";
+            sha256 = "sha256-WK02gRNbTjbjQSIlWHP4aBSeGTZxtXwwbqt9fa7AJTA=";
+          };
+          SimpleVoiceChat = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/9eGKb6K1/versions/UIZXn9t1/voicechat-fabric-1.20.4-2.4.32.jar";
+            sha256 = "sha256-BZMK7Y8uaw1MvtQC1MXblsaaHy100a59KxSs4P0fjXE=";
+          };
+        });
+      };
+
+      whitelist = {
+        "_Oblivion" = "289be565-d73e-4cb1-a047-dcc319acdc80";
+        Crisju = "8b77dc43-27ba-4710-bbfd-4e01e6ec7461";
+        Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
+        Evaraknes = "a6adfad8-6c3b-4a0d-912e-d84a0caa1caa";
+        Taschmex = "a3a258b0-901f-43d9-b130-dad3b29cd7ee";
+        guy_montag = "cb8aa890-a5a3-41f2-9bb7-1edb20c5a31f";
+        koppern = "3450494c-b945-4fa2-938c-5519adec005f";
+        krloer = "ab3029e2-76b6-4219-854e-16091fe5e421";
+        tictac1255 = "bab1f702-0e8b-4b98-8cce-bbfaed534d13";
+      };
+    };
+  };
+
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "minecraft-server"
+  ];
+
+  networking.firewall.allowedUDPPorts = [ 24454 ];
+}
+

hosts/defiant/services/monitoring/default.nix

@@ -6,5 +6,6 @@
     ./grafana.nix
     ./loki.nix
     ./snmp-exporter.nix
+    ./uptime-kuma.nix
   ];
 }

hosts/defiant/services/monitoring/grafana.nix

@@ -5,6 +5,10 @@ let
 in {
   services.grafana = {
     enable = true;
+    dataDir = "/tank/services/metrics/grafana";
+
+    # TODO: Migrate sqlite to postgres
+
     settings.server = {
       domain = "grafana.home.feal.no";
       http_port = 2342;
@@ -40,12 +44,6 @@ in {
           url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
           options.path = dashboards/synology-nas-details.json;
         }
-        {
-          name = "OpenWRT";
-          type = "file";
-          url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
-          options.path = dashboards/openwrt.json;
-        }
       ];
     };
   };

hosts/defiant/services/monitoring/loki.nix

@@ -1,10 +1,11 @@
 { config, pkgs, ... }:
 let
   cfg = config.services.loki;
-  saveDirectory = "/tank/var/lib/loki";
+  saveDirectory = "/tank/services/metrics/loki";
 in {
   services.loki = {
     enable = true;
+    dataDir = saveDirectory;
     configuration = {
       auth_enabled = false;
       server = {
@@ -50,7 +51,6 @@ in {
         boltdb_shipper = {
           active_index_directory = "${saveDirectory}/boltdb-shipper-index";
           cache_location = "${saveDirectory}/boltdb-shipper-cache";
-          shared_store = "filesystem";
           cache_ttl = "24h";
         };
         filesystem = {
@@ -59,17 +59,18 @@ in {
       };
 
       limits_config = {
-        enforce_metric_name = false;
+        allow_structured_metadata = false;
         reject_old_samples = true;
         reject_old_samples_max_age = "72h";
       };
 
       compactor = {
         working_directory = "${saveDirectory}/compactor";
-        shared_store = "filesystem";
       };
     };
   };
 
-  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
+  networking.firewall.allowedTCPPorts = [
+    cfg.configuration.server.http_listen_port
+  ];
 }

hosts/defiant/services/monitoring/prometheus.nix

@@ -8,28 +8,25 @@ in {
     listenAddress = "127.0.0.1";
     port = 9001;
 
+    # StateDirectory must be under /var/lib.
+    # TODO: Back up to /tank/services/metrics/prometheus
+
     scrapeConfigs = [
       {
         job_name = "node";
         static_configs = [
           {
             targets = [
-              "chapel.home.feal.no:${toString cfg.exporters.node.port}"
-              "sulu.home.feal.no:9100"
-              "mccoy.home.feal.no:9100"
-              "borg.home.feal.no:9100"
-              "troi.home.feal.no:9100"
-              "dlink-feal.home.feal.no:9100"
+              "challenger.home.feal.no:9100"
+              "constellation.home.feal.no:9100"
+              "defiant.home.feal.no:9100"
+              "leonard.home.feal.no:9100"
+              "morn.home.feal.no:9100"
+              "sisko.home.feal.no:9100"
             ];
           }
         ];
       }
-      {
-        job_name = "openwrt";
-        static_configs = [
-          { targets = ["dlink-feal.home.feal.no:9100"]; }
-        ];
-      }
       {
         job_name = "snmp";
         static_configs = [{

hosts/defiant/services/monitoring/snmp-exporter.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+  services.prometheus.exporters.snmp = {
+    enable = true;
+    configurationPath = ./snmp-exporter-conf.yml;
+    # snmp.yml is built from
+    # https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml
+    # and
+    # https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
+  };
+}

hosts/defiant/services/monitoring/uptime-kuma.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.uptime-kuma;
+in {
+  services.uptime-kuma = {
+    enable = true;
+    settings = {
+      PORT = "5059";
+      HOST = "127.0.1.2";
+    };
+  };
+
+  services.nginx.virtualHosts."uptime.home.feal.no" = {
+    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
+  };
+}

hosts/defiant/services/nginx.nix

@@ -0,0 +1,73 @@
+{ config, values, ... }:
+let
+  gitea = config.services.gitea.settings;
+  keycloak = config.services.keycloak.settings;
+in {
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    defaultListen = [
+      {
+        addr = "192.168.10.175";
+        port = 80;
+        ssl = false;
+      }
+    ];
+  };
+
+  networking.firewall.allowedTCPPorts = [
+       80   443 # Internal / Default
+    43080 43443 # External / Publicly exposed
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "felix@albrigtsen.it";
+  };
+
+  # Publicly exposed services:
+
+  services.nginx.virtualHosts = let
+    publicProxy = upstream: overrides: {
+      listen = [
+        { addr = "192.168.10.175"; port = 43443; ssl = true; }
+        { addr = "192.168.10.175"; port = 43080; ssl = false; }
+      ];
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/".proxyPass = "${upstream}";
+
+      extraConfig = ''
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        server_tokens off;
+      '';
+    } // overrides;
+  in {
+    "amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
+    "cloud.feal.no" = publicProxy "" {
+      locations."/" = {
+        proxyPass = "http://challenger.home.feal.no";
+        extraConfig = ''
+          client_max_body_size 8G;
+        '';
+      };
+    };
+    "feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
+    "git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
+    "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
+    "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
+    "kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
+    "wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
+  };
+}

hosts/defiant/services/pihole.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "pihole.home.feal.no";
+  dnsHost = "192.168.10.175";
+  webuiListen = "127.0.1.2:5053";
+in {
+  # Flame - Homelab dashboard/linktree
+  virtualisation.oci-containers.containers = {
+    pihole = {
+      image = "pihole/pihole";
+      ports = [
+        "${dnsHost}:53:53/tcp"
+        "${dnsHost}:53:53/udp"
+        "${webuiListen}:80"
+      ];
+
+      environment.TZ = "Europe/Oslo";
+
+      volumes = [
+        "/var/lib/pihole/etc:/etc/pihole"
+        "/var/lib/pihole/dnsmasq:/etc/dnsmasq.d"
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/" = {
+      proxyPass = "http://${webuiListen}";
+      extraConfig = ''
+        rewrite /(.*) /admin/$1 break;
+      '';
+    };
+
+    locations."/admin" = {
+      extraConfig = ''
+            rewrite  ^/admin/(.*) $scheme://${domain}/$1 break;
+      '';
+    };
+  };
+}
+

hosts/defiant/services/postgresql.nix

@@ -0,0 +1,25 @@
+{ config, pkgs, lib, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = true;
+
+    authentication = ''
+      host all all 172.16.0.0/12 md5
+    '';
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/tank/backup/postgresql";
+    startAt = "*-*-* 03:15:00";
+
+    # Each service is registered in its own configuration file
+    databases = [ ];
+  };
+
+  # Docker containers on this host can reach postgres
+  networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
+
+  environment.systemPackages = [ config.services.postgresql.package ];
+}

hosts/defiant/services/rtl-tcp.nix

@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+
+let
+  port = 1457;
+in {
+  hardware.rtl-sdr.enable = true;
+  systemd.services.rtl-tcp = {
+    script = "${pkgs.rtl-sdr}/bin/rtl_tcp -a 0.0.0.0 -p ${toString port} -s 2000000 -T";
+    serviceConfig = {
+      Group = "plugdev";
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ port ];
+}

hosts/defiant/services/searx.nix

@@ -0,0 +1,39 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.searx;
+  domain = "search.home.feal.no";
+in {
+  services.searx = {
+    enable = true;
+    environmentFile = config.sops.secrets."searx/envfile".path;
+    settings = {
+      server = {
+        secret_key = "@SEARX_SECRET_KEY@";
+        base_url = "http://${domain}";
+      };
+    };
+
+    runInUwsgi = true;
+    uwsgiConfig = {
+      socket = "/run/searx/searx.sock";
+      chmod-socket = "660";
+    };
+
+    redisCreateLocally = true;
+  };
+
+  sops.secrets."searx/envfile" = {
+    owner = "searx";
+    group = "searx";
+  };
+
+  users.groups."searx".members = [ "nginx" ];
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/".extraConfig = ''
+      include ${config.services.nginx.package}/conf/uwsgi_params;
+      uwsgi_pass unix:${cfg.uwsgiConfig.socket};
+    '';
+  };
+}
+

hosts/defiant/services/vaultwarden.nix

@@ -2,8 +2,9 @@
 let
   cfg = config.services.vaultwarden;
   domain = "pw.feal.no";
-  address = "127.0.0.1";
-  port = 3011; # Note! The websocket port is left as default
+  address = "127.0.1.2";
+  port = 3011;
+  wsPort = 3012;
 in {
   sops.secrets."vaultwarden/admintoken" = {
     owner = "vaultwarden";
@@ -19,28 +20,38 @@ in {
 
       rocketAddress = address;
       rocketPort = port;
+
       websocketEnabled = true;
-      databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
+      websocketAddress = address;
+      websocketPort = wsPort;
 
-      signupsAllowed = false;
-      rocketLog = "critical";
-
-    # This example assumes a mailserver running on localhost,
-    # thus without transport encryption.
-    # If you use an external mail server, follow:
-    #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
-      /* SMTP_HOST = "127.0.0.1"; */
-      /* SMTP_PORT = 25; */
-      /* SMTP_SSL = false; */
-
-      /* SMTP_FROM = "admin@bitwarden.example.com"; */
-      /* SMTP_FROM_NAME = "example.com Bitwarden server"; */
+      signupsAllowed = true;
+      signupsVerify = true;
+      signupsDomainsWhitelist = "albrigtsen.it";
 
+      databaseUrl = "postgresql://vaultwarden@/vaultwarden";
     };
   };
 
+  services.postgresql = {
+    ensureDatabases = [ "vaultwarden" ];
+    ensureUsers = [{
+      name = "vaultwarden";
+      ensureDBOwnership = true;
+    }];
+  };
+
+  services.postgresqlBackup.databases = [ "vaultwarden" ];
 
   services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+
+    listen = [
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
+    ];
+
     extraConfig = ''
       client_max_body_size 128M;
     '';
@@ -49,7 +60,7 @@ in {
       proxyWebsockets = true;
     };
     locations."/notifications/hub" = {
-      proxyPass = "http://localhost:3012";
+      proxyPass = "http://${address}:${toString wsPort}";
       proxyWebsockets = true;
     };
     locations."/notifications/hub/negotiate" = {
@@ -57,13 +68,4 @@ in {
       proxyWebsockets = true;
     };
   };
-  services.postgresql = {
-    ensureDatabases = [ "vaultwarden" ];
-    ensureUsers = [{
-      name = "vaultwarden";
-      ensurePermissions = {
-        "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
-      };
-    }];
-  };
 }

hosts/defiant/services/wireguard.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.networking.wireguard.interfaces."wg0";
+in {
+  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "enp3s0";
+      internalInterfaces = [ "wg0" ];
+    };
+    firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+    wireguard.interfaces."wg0" = {
+      ips = [ "10.100.0.1/24" ];
+      listenPort = 51820;
+      privateKeyFile = "/etc/wireguard/defiant.private";
+
+      postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
+      '';
+      postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
+      '';
+
+      peers = [
+        { # Burnham
+          publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
+          persistentKeepalive = 60;
+          allowedIPs = [
+            "10.100.0.2/32"
+            "192.168.11.0/24"
+          ];
+          #endpoint = "site2.feal.no:51902";
+        }
+      ] ++ (import ../../../common/wireguard-peers.nix);
+    };
+  };
+}

hosts/fa-t14-2025/configuration.nix

@@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../base.nix
+      ./hardware-configuration.nix
+
+      ./desktop.nix
+  ];
+
+  networking = {
+    networkmanager.enable = true;
+    wireguard.enable = true;
+
+    tempAddresses = "disabled";
+    hostName = "fa-t14-2025";
+    nameservers = [ "9.9.9.9" ];
+    domain = "it.hime.no";
+    hostId = "f458d6aa";
+
+    search = [
+      "mktv.no"
+      "mktv.local"
+    ];
+  };
+
+  services.openssh.openFirewall = false;
+
+  environment.systemPackages = with pkgs; [
+    inetutils
+    wireguard-tools
+  ];
+
+  virtualisation.docker = {
+    enable = true;
+    rootless = {
+      enable = true;
+      setSocketVariable = true;
+    };
+  };
+
+  users.users.felixalb = {
+    uid = 1000;
+    openssh.authorizedKeys.keys = [ ];
+    extraGroups = [ "networkmanager" ];
+  };
+
+  console.keyMap = "no";
+
+  nixpkgs.config = {
+    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+      "securecrt"
+      "securefx"
+    ];
+  };
+
+  system.stateVersion = "25.05";
+}

hosts/fa-t14-2025/desktop.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+{
+  hardware.graphics.enable = true;
+  services.xserver = {
+    enable = true;
+    xkb = {
+      options = "ctrl:nocaps";
+      layout = "no";
+    };
+  };
+  services.displayManager.ly.enable = true;
+  services.gnome.gnome-keyring.enable = true;
+
+  programs.hyprland = {
+    enable = true;
+    xwayland.enable = true;
+  };
+
+  # Audio
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+
+  # Fonts
+  fonts = {
+    fontDir.enable = true;
+    packages = with pkgs; [
+      noto-fonts
+      noto-fonts-color-emoji
+      noto-fonts-cjk-sans
+      font-awesome
+      fira-code
+      hack-font
+      nerd-fonts.hack
+    ];
+  };
+
+  # Misc:
+  xdg.portal = {
+    enable = true;
+    wlr.enable = true;
+  };
+  location.provider = "geoclue2";
+  security.polkit.enable = true;
+  services.dbus.packages = [ pkgs.gcr ];
+  services.openssh.settings.X11Forwarding = true;
+  programs.nm-applet.enable = true;
+}

hosts/fa-t14-2025/hardware-configuration.nix

@@ -0,0 +1,51 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+  boot.kernelParams = [ "resume_offset=3037184" "mem_sleep_default=deep" ];
+  boot.resumeDevice = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
+
+  powerManagement.enable = true;
+  services.power-profiles-daemon.enable = true;
+  services.logind.lidSwitch = "suspend-then-hibernate";
+  services.logind.lidSwitchDocked = "ignore";
+  services.logind.powerKey = "suspend-then-hibernate";
+  services.logind.powerKeyLongPress = "poweroff";
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/3ecaedab-415c-4cce-a3a9-9f3782acb682";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/0800-59D9";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+    swapDevices = [
+      {
+        device = "/var/lib/swapfile";
+        size = 32*1024;
+      }
+    ];
+
+  networking.useDHCP = lib.mkDefault false;
+  # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/fa-t14-2025/home.nix

@@ -0,0 +1,99 @@
+{ pkgs, lib, ... }:
+let
+  emailAddress = "felix.albrigtsen@mktv.no";
+in {
+  imports = [
+    ./../../home/base.nix
+    ./../../home/alacritty.nix
+  ];
+
+  home.packages = with pkgs; [
+    bc
+    catimg
+    chromium
+    dig
+    element-desktop
+    hunspellDicts.en_US
+    hunspellDicts.nb_NO
+    iperf3
+    jq
+    libreoffice
+    mpv
+    oauth2ms
+    openssl
+    openvpn
+    pavucontrol
+    pwgen
+    traceroute
+    virt-manager
+    w3m
+    nixpkgs-2211.remmina
+
+    (unstable.microsoft-edge.overrideAttrs ({ installPhase ? "", ... }: {
+      installPhase = installPhase + ''
+        ln -s $out/bin/microsoft-edge $out/bin/microsoft-edge-stable
+      '';
+    }))
+
+    # Window Manager Extras
+    bibata-cursors
+    brightnessctl
+    cliphist
+    hyprcursor
+    hypridle
+    hyprlock
+    hyprpaper
+    hyprshot
+    nautilus
+    rofi-rbw-wayland
+    swaynotificationcenter
+    waybar
+    wl-clipboard
+
+    (python312.withPackages (ps: with ps; [
+      numpy
+      pycryptodome
+      requests
+    ]))
+  ];
+
+  programs = {
+    aerc = {
+      enable = true;
+      package = pkgs.aerc;
+    };
+    firefox.enable = true;
+    git.extraConfig.user.email = emailAddress;
+    rbw = {
+      enable = true;
+      settings = {
+        base_url = "https://vault.mktv.no";
+        email = emailAddress;
+        pinentry = pkgs.pinentry-rofi;
+      };
+    };
+    rofi = {
+      enable = true;
+      # theme = "iggy";
+      theme = "Arc-Dark";
+    };
+    zsh = {
+      shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+      prezto.pmodules = [ "ssh" ];
+    };
+  };
+
+  xdg.mimeApps = {
+    enable = true;
+
+    defaultApplications = {
+      "text/html" = "firefox.desktop";
+      "x-scheme-handler/http" = "firefox.desktop";
+      "x-scheme-handler/https" = "firefox.desktop";
+      "x-scheme-handler/about" = "firefox.desktop";
+      "x-scheme-handler/unknown" = "firefox.desktop";
+    };
+  };
+
+  home.stateVersion = "25.05";
+}

hosts/leonard/configuration.nix

@@ -0,0 +1,53 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../base.nix
+      ../../common/metrics-exporters.nix
+      ../../common/auto-upgrade.nix
+      ./hardware-configuration.nix
+
+      ./services/mysql.nix
+      ./services/nginx.nix
+      ./services/postgresql.nix
+
+      ./services/wiki-wackattack-eu.nix
+      ./services/www-feal-no
+      ./services/www-kinealbrigtsen-no.nix
+      ./services/www-amalie-mansaker-no
+  ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+
+  networking = {
+    hostName = "leonard";
+    defaultGateway = "192.168.10.1";
+    interfaces.ens18.ipv4 = {
+      addresses = [
+        { address = "192.168.10.207"; prefixLength = 24; }
+      ];
+    };
+    hostId = "b99c12d1";
+
+    # Prepend the following output rules to disallow talking to other devices on LAN
+    firewall.extraCommands = lib.strings.concatLines ([
+      "iptables -F OUTPUT"
+    ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
+      "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
+      "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
+      "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
+      "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
+    ]);
+  };
+
+  sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
+
+  environment.variables = { EDITOR = "vim"; };
+
+  system.stateVersion = "25.05";
+}
+

hosts/leonard/hardware-configuration.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4a70c1d5-9d72-4581-8f75-733b91c10669";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ]; # TODO
+
+  networking.useDHCP = lib.mkDefault false;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/leonard/home.nix

@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }:
+{
+  imports = [
+    ./../../home/base.nix
+  ];
+
+  programs = {
+    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+  };
+
+  home.stateVersion = "25.05";
+}

hosts/leonard/services/mysql.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+  };
+
+  # TODO: services.mysqlBackup
+}

hosts/leonard/services/nginx.nix

@@ -11,5 +11,9 @@
   };
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
-}
 
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "felix@albrigtsen.it";
+  };
+}

hosts/leonard/services/postgresql.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = false;
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser  auth-method
+      local all       all     trust
+    '';
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/backup/postgresql/";
+    startAt = "*-*-* 03:15:00";
+    backupAll = true;
+  };
+
+  environment.systemPackages = [ config.services.postgresql.package ];
+}

hosts/leonard/services/wiki-wackattack-eu.nix

@@ -0,0 +1,38 @@
+{ config, ... }:
+let
+  bindIP = "127.0.1.2";
+  port = 5051;
+  cfg = config.services.wiki-js;
+in {
+  # sops.secrets."wikijs/envfile" = {
+  #   restartUnits = [ "wiki-js.service" ];
+  # };
+
+  services.wiki-js = {
+    enable = true;
+    # environmentFile = config.sops.secrets."wikijs/envfile".path;
+    settings = {
+      inherit bindIP port;
+      db = {
+        type = "postgres";
+        host = "/run/postgresql";
+        db = "wiki-js";
+        user = "wiki-js";
+      };
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "wiki-js" ];
+    ensureUsers = [{
+      name = "wiki-js";
+      ensureDBOwnership = true;
+    }];
+  };
+
+  services.nginx.virtualHosts."wiki.wackattack.eu" = {
+    locations."/" = {
+      proxyPass = "http://${bindIP}:${toString port}";
+    };
+  };
+}

hosts/leonard/services/www-amalie-mansaker-no/default.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.nginx.virtualHosts."amalie.mansaker.no" = let
+    siteContent = pkgs.callPackage ./site.nix { };
+  in {
+    locations = {
+      "/".root = siteContent;
+    };
+  };
+}

hosts/leonard/services/www-amalie-mansaker-no/site.nix

@@ -0,0 +1,26 @@
+{ stdenv, fetchgit, hugo }:
+stdenv.mkDerivation {
+  name = "www-amalie-mansaker-no";
+
+  src = fetchgit {
+    url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
+    fetchSubmodules = true;
+
+    rev = "15142c93da33414a0be49384a03b704ad95e31be";
+    hash = "sha256-oq5NC11UDYjYKToPsEXovCiIBD5adamVwi3scOFzpHM=";
+  };
+
+  nativeBuildInputs = [ hugo ];
+  buildPhase = ''
+    cp -r $src/* .
+    ${hugo}/bin/hugo
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out
+    cp -r public/* $out/
+    runHook postInstall
+  '';
+}
+

hosts/leonard/services/www-feal-no/default.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.nginx.virtualHosts."feal.no" = {
+    default = true;
+
+    serverAliases = [
+      "www.feal.no"
+    ];
+
+    locations = {
+      # TODO: Reinstate actual website
+      "/".return = "302 https://git.feal.no/";
+
+      "^~ /.well-known/" = {
+        alias = (toString ./well-known) + "/";
+      };
+
+      "/cc/" = {
+        alias = "${pkgs.cyberchef}/share/cyberchef/";
+        index = "index.html";
+      };
+      "= /cc".return = "302 /cc/";
+    };
+  };
+}

hosts/leonard/services/www-feal-no/well-known/matrix/client

@@ -0,0 +1,5 @@
+{
+	"m.homeserver": {
+		"base_url": "https://matrix.feal.no:443"
+	}
+}

hosts/leonard/services/www-feal-no/well-known/matrix/server

@@ -0,0 +1 @@
+{"m.server": "matrix.feal.no:443"}

hosts/leonard/services/www-kinealbrigtsen-no.nix

@@ -0,0 +1,95 @@
+{ config, pkgs, lib, ... }:
+
+{
+  users.users.www-kinealbrigtsen-no = {
+    isSystemUser = true;
+    group = "www-kinealbrigtsen-no";
+  };
+
+  users.groups.www-kinealbrigtsen-no = { };
+
+  services.mysql.ensureDatabases = [
+    "www_kinealbrigtsen_no"
+  ];
+  services.mysql.ensureUsers = [
+    {
+      name = "www-kinealbrigtsen-no";
+      ensurePermissions = {
+        # "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
+        "www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
+      };
+    }
+  ];
+
+  services.phpfpm.pools.www-kinealbrigtsen-no = {
+    user = "www-kinealbrigtsen-no";
+    group = "www-kinealbrigtsen-no";
+    phpOptions = lib.generators.toKeyValue {} {
+      upload_max_filesize = "1000M";
+      post_max_size = "1000M";
+      memory_limit = "1000M";
+    };
+
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "listen.group" = config.services.nginx.group;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+      "pm.process_idle_timeout" = "10s";
+      "pm.max_requests" = 1000;
+    };
+  };
+
+  services.nginx.virtualHosts."kinealbrigtsen.no" = {
+    serverAliases = [ "www.kinealbrigtsen.no" ];
+    root = "/var/www/www-kinealbrigtsen-no";
+    locations = {
+      "/".extraConfig = ''
+        try_files $uri $uri/ /index.php?$args;
+      '';
+
+      "~ \\.php$".extraConfig = ''
+        include ${config.services.nginx.package}/conf/fastcgi_params;
+
+        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
+      '';
+
+      "~ /\\.ht".extraConfig = ''
+        deny all;
+      '';
+
+      "/favicon.ico".extraConfig = ''
+        log_not_found off;
+        access_log off;
+      '';
+
+      "/robots.txt".extraConfig = ''
+        allow all;
+        log_not_found off;
+        access_log off;
+      '';
+
+      "~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig =  ''
+        expires max;
+        log_not_found off;
+      '';
+    };
+    extraConfig = ''
+      index index.php index.html;
+      set_real_ip_from 192.168.11.0/24;
+      real_ip_header X-Forwarded-For;
+
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+    '';
+  };
+
+  # TODO:
+  # - Configure a mailer so wp_mail() works
+  # - Enable periodic backups
+}

hosts/morn/configuration.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../base.nix
+      ../../common/metrics-exporters.nix
+      ../../common/auto-upgrade.nix
+      ./hardware-configuration.nix
+
+      ./services/nginx.nix
+
+      ./services/glance
+      ./services/miniflux.nix
+      ./services/thelounge.nix
+  ];
+
+  networking = {
+    hostName = "morn";
+    defaultGateway = "192.168.10.1";
+    interfaces.ens18.ipv4 = {
+      addresses = [
+        { address = "192.168.10.203"; prefixLength = 24; }
+      ];
+    };
+    hostId = "89b7722d";
+  };
+
+  sops.defaultSopsFile = ../../secrets/morn/morn.yaml;
+
+  environment.variables = { EDITOR = "vim"; };
+
+  system.stateVersion = "24.11";
+}
+

hosts/morn/hardware-configuration.nix

@@ -14,13 +14,14 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/f7086b7c-581e-40d4-90c0-47cb767395c7";
+    { device = "/dev/disk/by-uuid/93307186-cbc3-4748-859f-0013a1e36def";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/4303-A70F";
+    { device = "/dev/disk/by-uuid/FFCD-993A";
       fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
     };
 
   swapDevices = [ ];
@@ -29,8 +30,8 @@
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
+  # networking.useDHCP = lib.mkDefault true;
   # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
 
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }

hosts/morn/home.nix

@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }:
+{
+  imports = [
+    ./../../home/base.nix
+  ];
+
+  programs = {
+    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+  };
+
+  home.stateVersion = "24.11";
+}