
233 Commits

bd05773d1a auto-upgrade: point back to the main branch 2025-12-08 21:05:23 +01:00
77cdedf958 defiant: update to nixos 25.11 2025-12-08 20:59:46 +01:00
b4b8fa2309 worf: fix 25.11. Clean flake. 2025-12-04 17:22:33 +01:00
aca430fb18 challenger/audiobookshelf: fix mount order 2025-12-02 19:38:08 +01:00
8aa123303c challenger: update to nixos 25.11. Update to nextcloud 32 2025-12-02 00:14:36 +01:00
f7ce8585b5 burnham: remove host 2025-12-01 23:22:05 +01:00
1af2ea3552 malcolm: remove host (superceded by leonard) 2025-12-01 23:17:25 +01:00
d9b62f7c0a sisko: Update to nixos 25.11 2025-12-01 00:24:11 +01:00
774bd0c0d8 morn: update to 25.11 2025-12-01 00:02:06 +01:00
9c0ea93934 flake: update to 25.11. Breaks worf/darwin. 2025-11-30 23:54:27 +01:00
520a96878b leonard: Add amalie-mansaker-no 2025-11-23 18:56:03 +01:00
9eed01bb4a defiant: enable cloud backups 2025-11-17 21:30:04 +01:00
f5cc555c1b challenger: cleanup, remove ersatztv 2025-11-14 23:49:56 +01:00
b4ca418a34 defiant: cleanup, remove flame, remove koillection 2025-11-14 23:38:46 +01:00
261b19f7c3 challenger: add audiobookshelf 2025-11-13 23:12:05 +01:00
c0e19e7c21 morn: add thelounge 2025-11-06 22:05:31 +01:00
c601ed7d39 flake: update 2025-11-03 20:17:40 +01:00
4b922cd23d defiant/nginx: wiki-wackattac-eu has moved to leonard 2025-11-02 15:06:10 +01:00
68950a4507 leonard: Add wiki-wackattack-eu 2025-11-02 15:05:43 +01:00
0c08f92444 defiant/matrix-synapse: Fix oidc provider mapping typo 2025-11-02 12:23:19 +01:00
f4630467f6 defiant/matrix-synapse: require matrix-user role in keycloak 2025-11-01 19:50:55 +01:00
ee4bb0ee2d defiant/monitoring: update prometheus target list 2025-10-19 00:36:51 +02:00
410e673673 sops: add recovery key 2025-10-18 23:59:13 +02:00
492bd530d3 challenger/backup: add hostBackups 2025-10-18 23:46:32 +02:00
14483e95e7 defiant/nginx: Move www.feal.no and www.kinealbrigtsen.no to leonard 2025-10-18 22:33:08 +02:00
483f30229f leonard: add www-feal-no. add www-kinealbrigtsen-no. configure outgoing firewall 2025-10-18 22:25:05 +02:00
49a3c0211e leonard: init host 2025-10-17 21:02:28 +02:00
b1fed06b7d worf: add mpv 2025-10-17 19:39:04 +02:00
9c24a7bfa5 wireguard: add Amalies phone. Disable burnham endpoint 2025-10-16 23:04:06 +02:00
64777e4caf flake: update 2025-10-12 18:12:47 +02:00
36574ed5b0 worf: rebuild needs sudo now 2025-09-16 19:21:26 +02:00
b438b63306 defiant/nginx: temporarily add forwards for mccoy 2025-09-14 20:46:26 +02:00
4e8156139b defiant/gitea: Disable default theme 2025-09-14 20:46:26 +02:00
4a25256ee6 flake: update 2025-09-09 22:35:27 +02:00
5633f4b551 sisko: add rtl-sdr, gqrx, hashcat, immersed. Remove bambu-studio 2025-09-09 22:25:07 +02:00
d30b0b1a97 sisko: add lutris 2025-08-22 19:08:21 +02:00
5c07d9540b sisko: add docker 2025-08-22 19:08:21 +02:00
Felix Albrigtsen
8d3d918c94 My friendship with github education is over 2025-08-22 09:56:11 +02:00
Felix Albrigtsen
fc7e3decc6 fa-t14-2025: Minor adjustments 2025-08-21 15:43:28 +02:00
Felix Albrigtsen
0490048a14 fa-t14-2025: Add docker, minor adjustments. home: improve tmux config 2025-08-21 15:43:28 +02:00
74b7feb043 sisko: minor changes 2025-08-03 17:51:59 +02:00
5701615d29 base: remove manual nixpkgs registry/nix-path override, not needed since 24.05 2025-08-02 17:22:27 +02:00
4e2f1cb44d flake: update all inputs. Remove deprecated matrix-synapse options 2025-07-31 00:24:22 +02:00
73e2ee8fa7 flake: remove hyprswitch input 2025-07-31 00:24:22 +02:00
03fbccbbd2 defiant: stop minecraft server 2025-07-31 00:24:22 +02:00
3ecca821d0 defiant: Generalize wireguard config 2025-07-31 00:24:22 +02:00
ee23a6eb75 sisko: various minor changes 2025-07-31 00:07:40 +02:00
5dcd4c11bb challenger/backup: cleanup, add books/music 2025-07-31 00:04:51 +02:00
eb4b58bed7 morn: add miniflux 2025-07-06 23:59:16 +02:00
c9efb5c1dd remove old hosts voyager and felixalbpc 2025-07-06 23:32:29 +02:00
ac1e8d2f3f challenger/backup: Add remote cloud backups 2025-07-03 23:41:23 +02:00
dc5b6f9915 flake: update. sisko: add bambu studio/orcaslicer, fix updates 2025-07-03 23:26:02 +02:00
Felix Albrigtsen
03c4f8ca88 fa-t14-2025: Minor adjustments, add SecureCRT(WIP) 2025-06-16 09:40:56 +02:00
Felix Albrigtsen
126473d75d fa-t14-2025: Add swap and power management 2025-06-16 09:40:48 +02:00
08ca7edf69 Merge pull request 'Upgrade to nixos 25.05' (#4) from nixos-25.05 into main
Reviewed-on: #4
2025-06-08 22:12:40 +02:00
f72393cc25 defiant: re-enable backups 2025-06-08 22:07:28 +02:00
c4ea7efc9c challenger: update to nixos 25.05. Update to nextcloud 31 2025-06-08 22:00:06 +02:00
3f814a9d50 challenger/jellyfin: fix GPU access, remove DeviceAllow 2025-06-08 18:27:14 +02:00
75212dc4bf defiant: update homeassistant 2025-06-08 18:20:06 +02:00
d40e8b6898 defiant: disable some unused services 2025-06-08 18:20:06 +02:00
c73d9761bc defiant: temporarily move/disable backups when moving house 2025-06-08 18:20:06 +02:00
d380110543 sisko: Update to nixos 25.05 2025-06-08 17:38:32 +02:00
cf6a836f80 sisko: Change to NetworkManager. Add misc. packages 2025-06-08 17:27:33 +02:00
7f892fa284 sisko: add cantata 2025-06-08 17:19:59 +02:00
Felix Albrigtsen
9d9644dff7 fa-t14-2025: Add fake-stable microsoft edge 2025-06-04 13:00:52 +02:00
e545add397 worf: Update to nixos 25.05 2025-06-03 22:26:01 +02:00
Felix Albrigtsen
de319def43 flake: Start switching to NixOS 25.05 2025-06-03 22:26:01 +02:00
Felix Albrigtsen
4f99ff9c1e Configure fa-t14 2025-06-03 22:26:01 +02:00
7c10e96035 malcolm: WIP CTF tools 2025-06-03 22:25:41 +02:00
73c0eda7cf malcolm/kinealbrigtsen: Remove CSP to fix awful WP plugins 2025-06-03 22:25:41 +02:00
2c36272339 WIP: new host fa-t14-2025 2025-06-03 08:37:13 +02:00
277a650098 flake: bump inputs. challenger: add feal-syn2 backup mount 2025-05-20 23:00:58 +02:00
e289cab72f base: add some utilities 2025-05-20 23:00:58 +02:00
9d86516046 wireguard: add Turtle 2025-05-16 01:23:42 +02:00
bca8a78af9 morn: configure glance 2025-04-22 18:34:37 +02:00
93783fe482 auto-upgrade: init attempt at auto upgrade 2025-04-22 18:33:42 +02:00
f2e408c338 flake: update 2025-04-20 10:56:20 +02:00
8425654777 defiant/minecraft: disable online-mode 2025-04-20 10:33:36 +02:00
54546d512f sisko: Add some CTF tools 2025-04-05 13:42:13 +02:00
2fbc6223e1 felixalbpc: Update python 2025-04-01 09:57:15 +02:00
0fd4b10b1c felixalbpc: try to disable ipv6 temporary addresses. Add sl2 shell alias 2025-04-01 09:57:15 +02:00
ff99371792 sisko/firefox: add tridactyl support 2025-03-26 20:45:52 +01:00
017b500180 sisko: minor additions; xfce, alvr 2025-03-22 15:35:06 +01:00
2b4254952a home: Add fzf 2025-03-19 20:08:35 +01:00
4ec8b69cde morn: Init new host 2025-03-19 17:37:57 +01:00
ed47f7b1bf home/neovim: Fix lightline, disable coc 2025-03-19 17:22:31 +01:00
fbfb89280b sisko: fix bluetooth ertm and xpadneo for wireless xbox controller 2025-03-11 20:07:34 +01:00
b4d85a796a sisko: Add music listening software; mpd, ncmpcpp, picard, easyeffects 2025-03-07 23:57:44 +01:00
ae8f914ab3 sisko: Remove user amalieem 2025-03-07 23:25:00 +01:00
9ab61ca7de challenger: remove navidrome 2025-03-04 21:23:37 +01:00
a455c7ec07 flake: update. home/alacritty: fix conflicting definitions 2025-03-02 20:00:13 +01:00
b8a90d668d sisko: install emacs, fwupd 2025-02-23 18:08:16 +01:00
d258017804 home/neovim: remove pyright 2025-02-20 18:03:46 +01:00
1d6a77238b worf: Disable stealth firewall (allow ping, etc.) 2025-02-20 18:03:35 +01:00
47db333feb worf: Update yabay/sketchybar/alacritty config 2025-02-18 21:41:32 +01:00
da2ca7f42e flake: update, fix nix-darwin input, add tmux 2025-02-16 21:07:40 +01:00
0a1b0fbe51 challenger: disable unused services 2025-02-15 01:09:28 +01:00
1639675eac challenger: move to VM 2025-02-15 01:08:37 +01:00
2894eaf108 defiant: Add 'home' minecraft server 2025-02-04 10:21:11 +01:00
66725eae8c Flake: Update inputs 2025-02-04 10:19:27 +01:00
9660f29fe4 felixalbpc: Prepare for hyprland 2025-02-04 10:19:27 +01:00
6802751fa9 challenger: mount feal-syn1:/volume2/backup using systemd.automount 2025-01-27 19:45:29 +01:00
26f4174b0b challenger: set kernel params to prevent cpu hissy fits 2025-01-16 21:51:08 +01:00
f2230c6e70 challenger: re-add backup nfs mount 2025-01-16 21:51:08 +01:00
05134a6121 challenger: disable nvidia.open 2025-01-16 21:51:08 +01:00
c5ca99e05f challenger/nextcloud: fix typo 2025-01-16 21:51:08 +01:00
28296d5066 challenger: add user amalieem 2025-01-16 21:51:08 +01:00
807462cd54 defiant/homeassistant: add zigbee dongle 2024-12-31 16:06:15 +01:00
98d66602b3 defiant/keycloak: fix hostname settings after 24.11 upgrade 2024-12-31 16:05:56 +01:00
512c0595cb defiant: add SearXNG 2024-12-31 16:02:54 +01:00
86556fb69f flake: update 2024-12-31 12:44:05 +01:00
049d3d82c6 sisko: Various fixes. Add amalieem. 2024-12-31 12:44:05 +01:00
e1a252c5ee sops: Add felixalb-sisko, clean up voyager 2024-12-31 12:13:43 +01:00
3918fe6057 sisko: minor changes 2024-12-21 21:31:06 +01:00
1eb3cdcc13 home: WIP fix terminal colors 2024-12-19 17:42:35 +01:00
4346f269da Flake: Update inputs 2024-12-19 13:05:48 +01:00
f683a5dce6 challenger: update to nixos 24.11 2024-12-15 21:02:26 +01:00
9465c9bb52 challenger: Jellyfin can use all cards 2024-12-15 13:50:37 +01:00
12773b8c62 challenger: Disable NFS in both directions to avoid extreme crashes 2024-12-15 13:50:37 +01:00
c49fc1fb4d felixalbpc: Minor changes 2024-12-11 10:57:01 +01:00
f27205efdb flake: update. sisko: various minor updates 2024-12-11 10:56:46 +01:00
ee7fef1479 flake: update nix-darwin 2024-12-05 13:22:56 +01:00
78595b4bdc felixalbpc: Update to nixos 24.11 2024-12-05 13:21:23 +01:00
47f79b9cd0 felixalbpc: Add puppet-lint 2024-12-05 13:21:23 +01:00
c1417cf36d sisko: Install and configure desktop apps, hyprland, etc. 2024-12-03 22:44:25 +01:00
fab563fa2d worf: Update to nixos 24.11 2024-12-01 12:45:21 +01:00
87ced23c91 flake: No need for unstable packages 2024-12-01 12:45:21 +01:00
1b0b37c13c defiant: Update to NixOS 24.11 2024-12-01 12:31:01 +01:00
b4b74227c3 defiant: Add koillection 2024-12-01 12:30:43 +01:00
8b6089f014 base: Update SSH keys 2024-12-01 10:54:59 +01:00
8759e193ff sisko: Init new host 2024-12-01 10:34:34 +01:00
c281b2de38 Flake: Update to NixOS 24.11 2024-12-01 10:34:34 +01:00
f429873cd7 Grrr, darwin breaky 2024-11-24 22:23:20 +01:00
3f6f68c010 I'm on a 🚂🚋🚋🚋🚋˙⊹⁺. 2024-11-23 08:39:40 +01:00
823f5b3d12 shells/CTF: darwin = tier 300 support 2024-11-23 08:29:23 +01:00
110b410fbd challenger: update nextcloud 2024-11-14 22:19:21 +01:00
8c880f3c7b challenger: Add archivebox 2024-11-14 22:19:21 +01:00
157c54ae65 felixalbpc: Configure openstackclient, keymapp, keyring, ssh-agent 2024-11-05 13:21:10 +01:00
9fe5f0aae7 defiant/nginx: re-enable NextCloud 2024-10-22 20:41:06 +02:00
713b9a5615 worf/home: Various small fixes 2024-10-22 20:34:45 +02:00
3ddb78788b challenger: Re-enable nvidia, various fixes. NFS still broken :( 2024-10-21 23:24:47 +02:00
5fed94ef27 flake: Replace nixpkgs overrides with cleaner ones 2024-10-06 02:58:51 +02:00
dab63bfbeb flake: clean up :) 2024-10-06 01:57:55 +02:00
97b481de0a challenger: disable nvidia drivers and nfs exports 2024-10-05 21:46:13 +02:00
a3a2ec1b9a challenger: Add backups for calibre and nextcloud 2024-10-05 21:44:48 +02:00
5216c0257f worf: Update nix-darwin input 2024-10-05 21:43:26 +02:00
b17ff565c3 defiant: Fix nfs-client, replace borg with restic 2024-10-05 10:53:54 +02:00
6de16fb116 challenger: Fix nfs-client, replace borg with restic 2024-10-05 00:53:43 +02:00
12e4d22136 worf: various package cleanups 2024-10-05 00:53:07 +02:00
7177ee5b17 Worf: Add challenger as builder 2024-10-05 00:53:07 +02:00
56e92e70f1 felixalbpc/home/zsh/neovim: Various small QoL improvements and fixes 2024-09-30 15:46:45 +02:00
69949e872d defiant/matrix-synapse: Add sliding sync 2024-09-25 19:56:59 +02:00
b553f83da8 felixalbpc/flake: fix group bug 2024-09-25 19:56:37 +02:00
bfcb4f7dce defiant/nginx: Fix broken git-default. Temporarily disable nextcloud 2024-09-25 19:28:52 +02:00
85ea8f5ac3 felixalbpc: Minor fixes, new packages, etc. Update flake inputs. 2024-09-23 14:23:43 +02:00
2688f28aaf Challenger/netatalk: Temporarily fix time machine 2024-09-15 23:05:09 +02:00
93306b9332 Merge pull request 'Add felixalbpc. Remove edison. Clean home-manager base and flake.' (#3) from add-felixalbpc into main
Reviewed-on: #3
2024-09-13 14:12:10 +02:00
38648a08ed Finish felixalbpc, cleanup home-manager 2024-09-13 14:11:01 +02:00
5ea3e8730d Multiple changes (cleanup, remove edison, add felixalbpc)
- Removes hold host edison
- Adds new host, felixalbpc, a work machine. This requires some cleanup
  to fit into the office network, use other SSH keys, etc.
- Clean up some package installs, putting more things into the common
  home-manager packages, rather than systemwide or host-specific homes.
- Various small changes like disabling Github Copilot on nvim startup.
2024-09-13 14:10:54 +02:00
6cc3332d38 nginx: set default virtualhosts 2024-09-12 20:18:05 +02:00
47c9ad9150 challenger: add ersatztv 2024-09-10 18:38:28 +02:00
3ce9a31dab flake: update nix-darwin 2024-09-10 17:05:48 +02:00
276a4b8cec defiant/monitoring: clean up deprecated monitor jobs 2024-09-08 14:58:02 +02:00
65d5f14fc8 burnham: Add domeneshop-dyndns, make it a module 2024-09-08 14:47:28 +02:00
162134d951 defiant: Add domeneshop-dyndns 2024-09-08 00:29:36 +02:00
5261abf72c malcolm: Configure firewall and wordpress 2024-09-07 21:40:06 +02:00
8777536817 malcolm: Init new host 2024-09-07 21:40:06 +02:00
618271b191 defiant: add rtl-tcp 2024-09-07 18:15:14 +02:00
d78cb96de1 cleanup: remove hosts/redshirt 2024-09-05 20:32:12 +02:00
420a16db50 base: add various utility packages 2024-09-05 16:39:51 +02:00
817514b8b7 challenger: add navidrome 2024-09-03 19:26:59 +02:00
aeb9014815 home: set editor envvars 2024-08-28 19:50:52 +02:00
0a52566295 Update flake, format challenger/nvidia 2024-08-28 19:50:52 +02:00
2f8dbc4b93 Challenger: Add syn1 backup share 2024-08-28 19:50:52 +02:00
e3abb23e98 challenger/nextcloud: Try bothering nextcloud into giving me exiftool 2024-08-28 19:50:52 +02:00
ac7a7454bc Challenger: replace boot drive 2024-08-28 19:50:52 +02:00
54722a84d9 defiant/prometheus: bundle snmp-exporter config for synology 2024-08-02 22:06:41 +02:00
26545b781f Worf/flake: Update lock 2024-07-30 19:08:16 +02:00
387d6b6a5f nextcloud: move proxy from voyager to challenger 2024-07-06 01:43:30 +02:00
ea7501f606 challenger: update flake, various small fixes 2024-07-05 23:06:44 +02:00
a19ab9a661 challenger/nextcloud: fix and document memories/recognize 2024-07-05 23:06:44 +02:00
047d5b0d9d wireguard: add work-laptop 2024-07-05 10:02:58 +02:00
4adae24732 challenger: more minor migrations 2024-07-04 00:04:59 +02:00
0e3e8218a7 challenger: move more services from voyager: calibre-web, calibre-server, komga, nextcloud, postgres, timemachine 2024-07-03 23:48:10 +02:00
ed08b6a0e4 challenger: start migrating from voyager. Add nginx. Add jellyfin. 2024-07-03 20:51:18 +02:00
5203e82efa sops: clean up old keys and secrets 2024-07-02 00:31:40 +02:00
8ab2615279 challenger: finalize init 2024-07-02 00:26:57 +02:00
097ded10b5 WIP: challenger: init new host 2024-07-01 23:28:24 +02:00
f580bef7c1 worf: Add aerc with friends 2024-06-27 20:47:19 +02:00
99b6c6ac27 voyager: remove kanidm 2024-06-13 08:46:30 +02:00
70959b5092 voyager/nexctcloud: authenticate with keycloak 2024-06-13 08:34:13 +02:00
6653de02e5 flake: update nixpkgs 2024-06-12 20:45:14 +02:00
158f0cb7ee defiant/matrix-synapse: Add keycloak oidc 2024-06-12 14:48:16 +02:00
d74714095f defiant: various small cleanups 2024-06-12 14:48:06 +02:00
ff71cb75b7 defiant/hedgedoc: move to keycloak 2024-06-10 12:37:57 +02:00
fe4b6bcb50 defiant/gitea: very minor cleanup 2024-06-10 12:37:57 +02:00
9fb099e043 defiant: add keycloak 2024-06-10 12:37:52 +02:00
ef23fded85 voyager/kanidm: remove second nginx 2024-06-06 20:48:33 +02:00
541602b594 voyager: add nextcloud file logging 2024-06-04 17:42:58 +02:00
5aa756b842 voyager: move nextcloud to zfs directly 2024-06-03 15:38:56 +02:00
b32bc2f8b5 defiant: update to nixos-24.05 2024-06-02 01:57:03 +02:00
fe08509e4d worf/all: update unstable, fix alacritty, update worf 2024-06-02 01:02:31 +02:00
5876717df1 all/voyager: update to nixos 24.05 2024-06-02 00:53:56 +02:00
f2dd1c21e6 voyager: update to nextcloud29 2024-05-31 21:54:34 +02:00
9b871249e2 voyager: remove transmission 2024-05-31 20:33:12 +02:00
a0c24ff7c3 voyager: cleanup jellyfin config 2024-05-31 19:25:39 +02:00
eab8d95469 voyager: add komga, cleanup calibre 2024-05-31 16:48:43 +02:00
fc52b62427 worf: add misc. packages 2024-05-30 10:39:07 +02:00
dfb63c3017 worf: replace emacs 2024-05-30 10:39:07 +02:00
4c9ae7b556 base/home: Various improvements
zsh: nd-alias
alacritty: fix borders
base: add some default apps (file, zip, htop, etc.)
2024-05-29 14:47:01 +02:00
585dc252cc edison: various desktop changes 2024-05-29 14:47:01 +02:00
67755aa4a0 edison: add email client 2024-05-29 14:47:01 +02:00
8eaf7ab934 burnham: add thelounge and nginx 2024-05-29 01:31:38 +02:00
f791ea1856 defiant: cleanup vaultwarden 2024-05-26 11:05:32 +02:00
830fbc4d7d defiant: fix backend on matrix-admin 2024-05-26 11:05:32 +02:00
be48dba39d defiant: disable minecraft 2024-05-26 11:05:32 +02:00
a615095f38 voyager: add service podgrab. add user amalieem 2024-05-01 16:08:43 +02:00
d64042dd80 flake: update. worf: update yabai. home: clean up packages 2024-03-24 17:12:41 +01:00
1eed30d7d5 defiant: add uptime-kuma, rename metrics->monitoring 2024-03-10 15:06:33 +01:00
028c3ccbe0 voyager: move zfs scrub to wednesday (it's too loud!) 2024-03-10 14:28:07 +01:00
be395bdbe2 worf: add rbw+borg 2024-03-08 02:42:52 +01:00
1bde04a4be defiant: initialize borg backup 2024-03-08 02:19:21 +01:00
f37c981182 voyager: initialize borg backups 2024-03-08 01:19:40 +01:00
a1b5f2b0ad voyager: cleanup postgres 2024-03-07 23:52:42 +01:00
3ef7bf6496 defiant: Enable postgresql backups 2024-03-07 23:52:36 +01:00
556bd25ce3 defiant: open loki port in the firewall 2024-03-07 23:52:36 +01:00
f0173ad68e defiant: update microbin settings 2024-03-07 23:52:36 +01:00
e92e999d2b voyager: monthly zfs scrubs 2024-03-07 23:11:06 +01:00
cb0a465003 defiant: remove wiki.wackattack.eu proxy 2024-02-22 08:42:09 +01:00
01825ab00d defiant: add microbin 2024-02-22 08:41:04 +01:00
211a2fde3c readme: add service overview 2024-02-11 20:35:21 +01:00
3a05681d10 worf: fix rebuild issues. Remove voyager builder 2024-02-09 21:26:15 +01:00
b97c986f4a defiant/burnham: add riker to wireguard 2024-02-08 17:56:53 +01:00
151 changed files with 6325 additions and 8681 deletions


@@ -1,27 +1,50 @@
keys: keys:
- &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw - &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
- &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu - &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
- &host_morn age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
- &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
- &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
creation_rules: creation_rules:
# Global secrets # Global secrets
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *user_felixalb_old - *bw_recovery
- *user_felixalb - *user_felixalb_sisko
- *user_felixalb_worf
# Host specific secrets # Host specific secrets
- path_regex: secrets/voyager/[^/]+\.yaml$ - path_regex: secrets/burnham/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_voyager - *host_burnham
- *user_felixalb_old - *bw_recovery
- *user_felixalb - *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/challenger/[^/]+\.yaml$
key_groups:
- age:
- *host_challenger
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/defiant/[^/]+\.yaml$ - path_regex: secrets/defiant/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_defiant - *host_defiant
- *user_felixalb - *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/morn/[^/]+\.yaml$
key_groups:
- age:
- *host_morn
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
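Review bot: Dropping `user_felixalb_old` and `host_voyager` from the key groups only changes who future encryptions are addressed to; every file already under secrets/ still carries a data key wrapped for the removed recipients until it is re-encrypted, so unless this compare also rewrites those files, each one needs `sops updatekeys`, and because the removed keys already held the data keys, `sops -r` (rotate) to issue fresh ones. The hunk also places `bw_recovery` in every group, global and per host, so that one key decrypts everything; that is a defensible break-glass design, but a comment in the file recording where its private half lives and that it is never deployed to a host would make the intent explicit, e.g. `# bw_recovery: offline recovery key, present in every group; private half is kept out of band`. The new challenger and morn rules mirror the existing per-host rules, which looks consistent.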


@@ -1,5 +1,7 @@
## Felixalbs nixos config ## Felixalbs nixos config
![](https://github.com/NixOS/nixos-artwork/blob/master/releases/24.05-uakari/uakari.png?raw=true)
Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host. Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host.
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix). Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
@@ -14,3 +16,39 @@ nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurati
``` ```
nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake github+felixalbrigtsen/nixos-server-conf.git --upgrade nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake github+felixalbrigtsen/nixos-server-conf.git --upgrade
``` ```
# Services and tools
Below is a list of _most_ of the services configured in this repo, at least the ones that are accessible to the public.
It might be incomplete or out of date, but should generally describe the state of my homelab.
Other installed packages and tools are described in the config files (like ./hosts/HOSTNAME/configuration.nix), but not listed here.
## Public / important services
- Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no
- [Nextcloud](https://cloud.feal.no) ([source](./hosts/challenger/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
- [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server
- [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
- HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
- [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
- [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML
- [Jellyfin](https://jf.feal.no) ([source](./hosts/challenger/services/jellyfin.nix)) - Local media streaming
## Networking
- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
- A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
## Monitoring
- Prometheus ([source](./hosts/defiant/services/monitoring/prometheus.nix)) - Pull-based metrics system that fetches metrics over HTTP from a range of exporters and stores them in a time-series database
- Loki ([source](./hosts/defiant/services/monitoring/loki.nix)) - Central logging for all my hosts
- Grafana ([source](./hosts/defiant/services/monitoring/grafana.nix)) - Visualization and alerting for all my metrics and logs
- Uptime-Kuma ([source](./hosts/defiant/services/monitoring/uptime-kuma.nix)) - Uptime / health check with alerting
## Dotfiles and user tools
- (Neo)vim ([source](./home/neovim.nix)) - Text editor with my configuration for IDE-like support for autocompletion, syntax highlighting and efficient editing.
- Zsh ([source](./home/zsh.nix)) - My shell of choice


@@ -5,8 +5,8 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking = { networking = {
domain = "home.feal.no"; domain = lib.mkDefault "home.feal.no";
nameservers = [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ]; nameservers = lib.mkDefault [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
useDHCP = lib.mkDefault false; useDHCP = lib.mkDefault false;
}; };
@@ -29,34 +29,40 @@
trusted-users = [ "felixalb" ]; trusted-users = [ "felixalb" ];
builders-use-substitutes = true; builders-use-substitutes = true;
}; };
registry= {
nixpkgs.flake = inputs.nixpkgs;
};
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
bat
bottom bottom
eza eza
file
git git
gnugrep gnugrep
gnutar gnutar
neofetch htop
iotop
lm_sensors
nix-output-monitor
p7zip
python3 python3
ripgrep ripgrep
rsync rsync
screen screen
unzip unzip
usbutils
vim
wget wget
zip
] ++ lib.optionals (pkgs.stdenv.isLinux) [
dmidecode
lm_sensors
pciutils
]; ];
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = lib.mkDefault true;
settings = { settings = {
PermitRootLogin = "no"; PermitRootLogin = "no";
PasswordAuthentication = false; PasswordAuthentication = false;
@@ -70,7 +76,7 @@
''; '';
}; };
networking.firewall.allowedTCPPorts = [ 22 ]; programs.mosh.enable = true;
users.users.felixalb = { users.users.felixalb = {
isNormalUser = true; isNormalUser = true;
@@ -78,12 +84,12 @@
"wheel" "wheel"
"docker" "docker"
]; ];
uid = 1000; uid = lib.mkDefault 1000;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = lib.mkDefault [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiPHhj0YbklJnJNcxD0IlzPxLTGfv095H5zyS/1Wb64 felixalb@edison.home.feal.no" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
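Review bot: `programs.mosh.enable = true;` replaces the explicit `networking.firewall.allowedTCPPorts = [ 22 ];`, but the mosh module also opens its UDP port range (60000-61000) in the firewall by default through `programs.mosh.openFirewall`, and since this is the shared base config it does so on every host, including the internet-facing ones. SSH exposure was deliberately made overridable in the same hunk with `services.openssh.openFirewall = lib.mkDefault true;`, so mosh deserves the same treatment: `programs.mosh.openFirewall = lib.mkDefault true; # opens UDP 60000-61000 on every host; set false where mosh is unused`, or default it to false and enable it only on hosts that use mosh. The switch to `openssh.authorizedKeys.keys = lib.mkDefault [ ... ]` also means a host that declares its own list replaces these keys rather than extending them, which seems intended (fa-t14 uses other SSH keys per the commit log) but is worth a one-line comment above the list. The attrset these hunks belong to starts and ends outside the shown hunks.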

15
common/auto-upgrade.nix Normal file

@@ -0,0 +1,15 @@
{ config, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.feal.no/felixalb/nixos-config.git";
flags = [
# Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
"--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
"--no-write-lock-file"
];
};
}
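Review bot: The comment at the top of `flags` says only nixpkgs is overridden, but the list overrides both `nixpkgs` and `nixpkgs-unstable`; suggest `# Override only the nixpkgs and nixpkgs-unstable inputs; home-manager, sops and the other utility/application inputs stay at the revisions pinned in flake.lock.` The README's rebuild command in this compare refers to the second input as `unstable` (`--update-input unstable`), so confirm `nixpkgs-unstable` is the name declared in flake.nix, as a mismatched `--override-input` name would presumably be rejected rather than silently ignored. Because `--refresh` together with `--no-write-lock-file` resolves both branch heads at every run, each upgrade installs whatever the two nixpkgs branches point to at that moment rather than the locked revisions; saying so in the same comment makes that trust boundary explicit to whoever reads this later. Separately, the committed flake.lock in this compare contains an `extra-config` input at `file:///home/felixalb/nix-extra-config`, which a host running this timer can only evaluate if that path exists locally, so it is worth checking that input is optional for the hosts that enable `system.autoUpgrade`.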


@@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.domeneshop-dyndns;
in {
options.services.domeneshop-dyndns = {
enable = lib.mkEnableOption "Domeneshop DynDNS";
domain = lib.mkOption {
type = lib.types.str;
description = "Domain name to configure";
};
netrcFile = lib.mkOption {
type = lib.types.path;
description = "Path to the file that contains `machine api.domeneshop.no login <DDNS_TOKEN> password <DDNS_SECRET>` from https://domene.shop/admin?view=api";
};
startAt = lib.mkOption {
type = lib.types.str;
default = "*:0/10"; # Every 10 minutes
description = "Systemd onCalendar expression for when to run the timer";
};
};
config = lib.mkIf cfg.enable {
systemd.services.domeneshop-dyndns = {
serviceConfig.LoadCredential = "netrc:${cfg.netrcFile}";
startAt = cfg.startAt;
script = ''
DNSNAME="${cfg.domain}"
NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
if [[ "$NEW_IP" != "$OLD_IP" ]]; then
echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
${lib.getExe pkgs.curl} --silent --netrc-file "$CREDENTIALS_DIRECTORY/netrc" "https://api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
else
echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
fi
'';
};
};
}
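Review bot: `NEW_IP` is whatever body ipinfo.io returns and is then spliced unencoded into the update URL on the `curl --netrc-file` line, so a rate-limit page, an HTML error or an empty reply (`--silent` without `--fail` still exits 0 on HTTP errors) never equals `$OLD_IP` and is sent to the DynDNS API as the new address on every run. Validate the lookup result before using it and fail the unit loudly instead, as below. A matching check on `OLD_IP` is worth adding too, since `getent hosts` may return an IPv6 address first when the name has AAAA records, which would mismatch a v4 lookup forever. Adding `--fail` to the update call itself would also make a rejected update show up as a failed unit in the journal rather than a silent success.
```nix
      NEW_IP="$(${lib.getExe pkgs.curl} --silent --fail https://ipinfo.io/ip)"
      # Only accept a bare IPv4 literal; anything else (error page, empty body) aborts the run.
      if [[ ! "$NEW_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
        echo "Unexpected response from IP lookup: '$NEW_IP', not updating" >&2
        exit 1
      fi
      # … unchanged: OLD_IP lookup and the compare/update branch …
```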


@@ -0,0 +1,8 @@
{ pwndbg }:
# "$ coredumpctl gdb" always runs "gdb" from your path.
pwndbg.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/pwndbg $out/bin/gdb
'';
})
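Review bot: The override pattern `{ installPhase ? "", ... }` replaces `installPhase` wholesale; if the upstream pwndbg derivation does not set that attribute, the stdenv's generic install phase is replaced by the lone `ln -s`, leaving nothing in `$out/bin` for the symlink to point at. Appending to `postInstall` preserves whatever install logic upstream has: `pwndbg.overrideAttrs (old: { postInstall = (old.postInstall or "") + "\nln -s $out/bin/pwndbg $out/bin/gdb\n"; })`. The existing comment explains the motivation well; a second line noting that the link will fail if `$out/bin/gdb` already exists in the output (use `ln -sf` if that is a concern) would complete it.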

81
common/securecrt.nix Normal file

@@ -0,0 +1,81 @@
{
lib,
stdenv,
fetchurl,
autoPatchelfHook,
dpkg,
cups,
gtkmm3,
icu74,
krb5,
makeWrapper,
openssl,
pango,
python312,
xcb-util-cursor,
xorg,
}:
let
packageId = "scrt_ubuntu2464_deb_963";
in stdenv.mkDerivation rec {
pname = "securecrt";
version = "9.6.3";
src = fetchurl {
url = "https://www.vandyke.com/cgi-bin/download_1.php";
name = "${pname}-${version}.deb";
curlOpts = "-X POST --data 'pid=${packageId}&export_check=accept&country=no&su";
sha256 = "sha256-PsFuxJ7H0rJCWWi+rvzrlRUJlp9R4MG14d883/kl9Lo=";
};
unpackCmd = "dpkg -x $curSrc source";
nativeBuildInputs = [
dpkg
autoPatchelfHook
];
buildInputs = [
cups
gtkmm3
icu74
krb5
makeWrapper
openssl
pango
python312
xcb-util-cursor
xorg.xcbutilkeysyms
xorg.xcbutilwm
];
dontConfigure = true;
dontBuild = true;
dontWrapQTApps = true;
installPhase = ''
runhook preInstall
mkdir -p "$out"
cp -R usr/* "$out/"
wrapProgram "$out/bin/SecureCRT" --set QT_QPA_PLATFORM_PLUGIN_PATH "$out/lib/scrt/plugins/platforms"
runhook postInstall
'';
meta = with lib; {
homepage = "https://www.vandyke.com/products/securecrt/unix.html";
description = "Terminal emulator for computing professionals, with advanced session management";
license = {
free = false;
fullName = "Unknown / Custom";
};
platforms = with lib.platforms; linux ++ darwin ++ windows;
broken = !(stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64);
};
mainProgram = "SecureCRT";
}
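Review bot: `runhook preInstall` and `runhook postInstall` in `installPhase` are misspelled; the stdenv function is `runHook`, and `runhook` is not defined in the build shell, so the phase should fail on that line with command not found. `mainProgram = "SecureCRT";` sits at the derivation's top level after `meta` closes, so `lib.getExe` will not find it; move it inside `meta` as `meta.mainProgram`. `platforms` advertises linux, darwin and windows while `broken` marks everything except x86_64-linux, which contradicts itself; `platforms = [ "x86_64-linux" ];` states the actual support and removes the need for the `broken` expression. The `curlOpts` value ends mid-parameter (`&su`), which may be page truncation, but verify the committed line is complete. Pinning `sha256` on a download served by a POST form is the right supply-chain choice, since a changed upstream binary fails closed instead of being installed; a comment next to `curlOpts` on how the hash was obtained would help whoever bumps `version` next.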


@@ -0,0 +1,44 @@
[
{ # Sulu
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # fa-t14-2025
publicKey = "UPpUVWQqOKT65MFym1sFDTstNmuynDYE4LOOtbWqEng=";
allowedIPs = [
"10.100.0.7/32"
];
}
{ # Turtle
publicKey = "mDzAtRPv+O5TDHa9DGodF/KKuFXRBYwSqfPyeWfdfRI=";
allowedIPs = [
"10.100.0.8/32"
];
}
{ # Amalies phone
publicKey = "Iqoq00e5rUNygmjOKmSPzvDTzvUdpxkpwVrD6UJXG2w=";
allowedIPs = [
"10.100.0.9/32"
];
}
]

219
flake.lock generated

@@ -1,13 +1,28 @@
{ {
"nodes": { "nodes": {
"extra-config": {
"locked": {
"lastModified": 1745649002,
"narHash": "sha256-XNBExt3+U3o4lip+yj6oorCEPZ9Qe8PzBSFM5ZzVtSA=",
"ref": "refs/heads/main",
"rev": "50c9c15db2b309d299b1c19089c962979e01f45b",
"revCount": 13,
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
},
"original": {
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1747046372,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -21,11 +36,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1731533236,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -41,30 +56,32 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1706981411, "lastModified": 1764776959,
"narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", "narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "652fda4ca6dafeb090943422c34ae9145787af37", "rev": "e1680d594a9281651cbf7d126941a8c8e2396183",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-23.11", "ref": "release-25.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"matrix-synapse-next": { "matrix-synapse-next": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1701507532, "lastModified": 1765214213,
"narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=", "narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "046194cdadc50d81255a9c57789381ed1153e2b1", "rev": "82959f612ffd523a49c92f84358a9980a851747b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -76,20 +93,20 @@
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs-darwin"
] ]
}, },
"locked": { "locked": {
"lastModified": 1706833576, "lastModified": 1764161084,
"narHash": "sha256-w7BL0EWRts+nD1lbLECIuz6fRzmmV+z8oWwoY7womR0=", "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
"owner": "lnl7", "owner": "nix-darwin",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "bdbae6ecff8fcc322bf6b9053c0b984912378af7", "rev": "e95de00a471d07435e0527ff4db092c84998698e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "lnl7", "owner": "nix-darwin",
"ref": "master", "ref": "nix-darwin-25.11",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@@ -98,14 +115,16 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1707354851, "lastModified": 1764813963,
"narHash": "sha256-EavLrnN9VlqqTabq+XDEvK2hV0XzZ3eCorsO5MvaWro=", "narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "ca6b8974161fee88608ff2addf1cb7655f17d165", "rev": "491200d6848402bbab1421cccbc15a46f08c7f78",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -116,92 +135,89 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1698318101, "lastModified": 1764677808,
"narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=", "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
"owner": "nixos", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "63678e9f3d3afecfeafa0acead6239cdb447574c", "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-2211": {
"locked": {
"narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
}
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1764806471,
"narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-25.11-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1764667669,
"narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "418468ac9527e799809c900eda37cbff999199b6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1673743903,
"narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1707391491,
"narHash": "sha256-TyDXcq8Z3slMNeyeF+ke0BzISWuM6NrBklr7XyiRbZA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bc6cb3d59b7aab88e967264254f8c1aa4c0284e9",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1707238373,
"narHash": "sha256-WKxT0yLzWbFZwYi92lI0yWJpYtRaFSWHGX8QXzejapw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fb0c047e30b69696acc42e669d02452ca1b55755",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"extra-config": "extra-config",
"home-manager": "home-manager", "home-manager": "home-manager",
"matrix-synapse-next": "matrix-synapse-next", "matrix-synapse-next": "matrix-synapse-next",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix", "nixpkgs-2211": "nixpkgs-2211",
"unstable": "unstable", "nixpkgs-darwin": "nixpkgs-darwin",
"voyager-addons": "voyager-addons" "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
} }
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1707397511, "lastModified": 1764483358,
"narHash": "sha256-pYqXcTjcPC/go3FzT1dYtYsbmzAjO1MHhT/xgiI6J7o=", "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "2168851d58595431ee11ebfc3a49d60d318b7312", "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -224,37 +240,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"unstable": {
"locked": {
"lastModified": 1707092692,
"narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "faf912b086576fd1a15fca610166c98d47bc667e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"voyager-addons": {
"locked": {
"lastModified": 1707399193,
"narHash": "sha256-Q570CBu01ufGMitMQVAgsKoQ7zMEDwqDtqKJ1kyeUjQ=",
"ref": "refs/heads/main",
"rev": "3d04b4ec9c40948693f4efe919413cce9265bae7",
"revCount": 4,
"type": "git",
"url": "file:///home/felixalb/voyager-addons"
},
"original": {
"type": "git",
"url": "file:///home/felixalb/voyager-addons"
}
} }
}, },
"root": "root", "root": "root",

155
flake.nix

@@ -2,20 +2,24 @@
description = "Felixalb System flake"; description = "Felixalb System flake";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix
unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin";
home-manager.url = "github:nix-community/home-manager/release-23.11"; home-manager.url = "github:nix-community/home-manager/release-25.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
# voyager-addons.url = "git+ssh://git@git.feal.no:2222/felixalb/voyager-addons.git"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
voyager-addons.url = "git+file:///home/felixalb/voyager-addons"; nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
extra-config.url = "git+file:///home/felixalb/nix-extra-config";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -28,118 +32,97 @@
, nix-minecraft , nix-minecraft
, nix-darwin , nix-darwin
, nixpkgs , nixpkgs
, nixpkgs-2211
, nixpkgs-darwin
, nixpkgs-unstable
, sops-nix , sops-nix
, unstable , extra-config
, voyager-addons
, ... }@inputs: , ... }@inputs:
let let
overlay-unstable = final: prev: { pkgs-overlay = final: prev: {
unstable = unstable.legacyPackages.${prev.system}; unstable = import nixpkgs-unstable {
system = prev.system;
config.allowUnfree = true;
};
nixpkgs-2211 = import nixpkgs-2211 {
system = prev.system;
config.allowUnfree = true;
};
pwndbg-gdb-alias = prev.callPackage ./common/pwndbg-gdb-alias.nix { };
securecrt = prev.callPackage ./common/securecrt.nix { };
}; };
in in
{ {
nixosConfigurations = { nixosConfigurations = let
voyager = nixpkgs.lib.nixosSystem { normalSys = name: hostConfig: nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux"; # TODO - Handle
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix ({ config, pkgs, ... }: {
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) # Make "pkgs.unstable" etc. available
nixpkgs.overlays = [ pkgs-overlay ] ++ hostConfig.overlays or [ ];
})
./hosts/voyager/configuration.nix ./hosts/${name}/configuration.nix
voyager-addons.nixosModules.default
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager { home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/voyager/home.nix; home-manager.users = {
"felixalb" = import ./hosts/${name}/home.nix;
} // hostConfig.home-manager-users or { };
} }
] ++ hostConfig.modules or [ ];
};
in {
# Media / storage server
challenger = normalSys "challenger" {
modules = [
extra-config.nixosModules.default
]; ];
}; };
defiant = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/defiant/configuration.nix # General application server
sops-nix.nixosModules.sops defiant = normalSys "defiant" {
modules = [
./common/domeneshop-dyndns.nix
matrix-synapse-next.nixosModules.default matrix-synapse-next.nixosModules.default
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/defiant/home.nix;
}
]; ];
}; };
edison = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/edison/configuration.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/edison/home.nix;
}
];
};
burnham = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/burnham/configuration.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/burnham/home.nix;
}
];
};
redshirt = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
./hosts/redshirt/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
sops-nix.nixosModules.sops
];
};
};
# Work laptop
fa-t14-2025 = normalSys "fa-t14-2025" { };
# Web host
leonard = normalSys "leonard" { };
# General application server
morn = normalSys "morn" { };
# Home desktop
sisko = normalSys "sisko" { };
};
# Daily driver macbook
darwinConfigurations.worf = nix-darwin.lib.darwinSystem { darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
system = "aarch64-darwin"; system = "aarch64-darwin";
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
./hosts/worf/configuration.nix ./hosts/worf/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
home-manager.darwinModules.home-manager { home-manager.darwinModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/worf/home.nix; home-manager.users."felixalb" = import ./hosts/worf/home.nix;
} }
# sops-nix.nixosModules.sops
]; ];
}; };
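Review bot: `nixpkgs-2211` (L923) pins a tarball of a nixpkgs revision that, by its name, comes from the 22.11 line, which is long out of support, and the overlay at L953-956 exposes it as `pkgs.nixpkgs-2211` with `config.allowUnfree = true`, so anything taken from it (the comment mentions remmina) ships with a dependency closure that no longer receives security fixes. Nothing limits where that attribute can be used, so it deserves a comment naming the one package and the reason, e.g. `# EOL nixpkgs (22.11): unpatched closure; only for remmina until it builds on 25.11, never for network-facing services`. `extra-config` at L933 is a `git+file://` path under /home/felixalb, so evaluation on any host without that checkout fails at lock time; if it must stay local, say so next to it. The `TODO: Lock to release` on matrix-synapse-next is already acknowledged, so I am not repeating it.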


@@ -9,14 +9,17 @@
window = { window = {
padding = { padding = {
x = 4; x = 8;
y = 4; y = 2;
}; };
dynamic_padding = true;
dynamic_title = true;
decorations = "none"; # full/none/transparent/buttonless decorations = "none"; # full/none/transparent/buttonless
# Transparency: # Transparency:
# opacity = 0.95; opacity = lib.mkDefault 0.95;
}; };
scrolling = { scrolling = {
@@ -44,10 +47,37 @@
size = 14; size = 14;
}; };
draw_bold_text_with_bright_colors = true;
colors = { colors = {
# # Tomorrow Night Bright draw_bold_text_with_bright_colors = true;
# # gruvbox_material_medium_dark
# primary = {
# background = "0x282828";
# foreground = "0xd4be98";
# };
# normal = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# bright = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# # # Tomorrow Night Bright
# primary = { # primary = {
# background = "0x141414"; # background = "0x141414";
# foreground = "0xeaeaea"; # foreground = "0xeaeaea";
@@ -80,6 +110,7 @@
# white = "0xffffff"; # white = "0xffffff";
# }; # };
# Nord: # Nord:
primary = { primary = {
background = "0x2e3440"; background = "0x2e3440";
@@ -148,10 +179,10 @@
# indexed_colors: [] # indexed_colors: []
}; };
visual_bell = { bell = {
animation = "EaseOutExpo"; animation = "Ease";
color = "0xffffff"; color = "0xffffff";
duration = 200; duration = 100;
}; };
# Key bindings # Key bindings
@@ -306,29 +337,19 @@
# - { key: Delete, chars: "\x1b[3~" } # - { key: Delete, chars: "\x1b[3~" }
mouse = {
double_click = { threshold = 300; };
triple_click = { threshold = 300; };
hide_when_typing = false;
};
selection = { selection = {
semantic_escape_chars = ",`|:\"' ()[]{}<>"; semantic_escape_chars = ",`|:\"' ()[]{}<>";
save_to_clipboard = false; save_to_clipboard = false;
}; };
mouse_bindings = [
{ mouse = "Middle"; action = "PasteSelection"; }
];
cursor = { cursor = {
style = "Block"; style = {
blinking = true; shape = "Block";
blinking = "on";
};
unfocused_hollow = true; unfocused_hollow = true;
}; };
dynamic_title = true;
}; };
}; };
} }

43
home/amalieem/default.nix Normal file

@@ -0,0 +1,43 @@
{ pkgs, lib, ... }:
{
imports = [
./../alacritty.nix
];
home = {
packages = with pkgs; [
papers
kitty
pavucontrol
# Window Manager Extras
bibata-cursors
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
swaynotificationcenter
waybar
wl-clipboard
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs = {
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
firefox.enable = true;
wofi.enable = true;
};
home.stateVersion = "24.11";
}


@@ -1,19 +1,38 @@
{ pkgs, ... }: { pkgs, lib, ... }:
{ {
imports = [ imports = [
./neovim.nix ./neovim.nix
./zsh.nix ./zsh.nix
]; ];
home = {
packages = with pkgs; [
bat
bottom
# ncdu
neofetch
pwgen
sshfs
sshuttle
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs.nix-index = { programs.nix-index = {
enable = true; enable = true;
enableZshIntegration = true; enableZshIntegration = true;
}; };
programs.fzf.enable = true;
programs.git = { programs.git = {
enable = true; enable = true;
extraConfig = { settings = {
pull.rebase = true; pull.rebase = true;
push.autoSetupRemote = true; push.autoSetupRemote = true;
color.ui = "auto"; color.ui = "auto";
@@ -22,7 +41,10 @@
user = { user = {
name = "Felix Albrigtsen"; name = "Felix Albrigtsen";
email = "felix@albrigtsen.it"; email = lib.mkDefault "felix@albrigtsen.it";
};
safe = {
directory = "/config";
}; };
}; };
ignores = [ ignores = [
@@ -33,4 +55,15 @@
]; ];
}; };
programs.tmux = {
enable = true;
sensibleOnTop = true;
baseIndex = 1;
clock24 = true;
keyMode = "vi";
mouse = true;
terminal = "screen-256color";
};
} }
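Review bot: `safe.directory = "/config"` at L1261-1263 switches off git's dubious-ownership check for that path; the `rebuild` alias elsewhere in this commit runs `sudo nixos-rebuild switch --flake /config`, which suggests root may own parts of that checkout, and once it is trusted anyone who can write its `.git/config` or hooks can run commands as this user the next time git is invoked there. If the checkout really is owned by a trusted account, say so: `# /config is the root-owned flake checkout; trusted so felixalb can run git there without dubious-ownership errors`. The alternative that needs no entry at all is to keep /config owned by the user and let `sudo nixos-rebuild` merely read it.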


@@ -21,7 +21,6 @@ in {
telescope-nvim telescope-nvim
nvim-lspconfig nvim-lspconfig
copilot-vim
nvim-treesitter nvim-treesitter
coc-css coc-css
@@ -29,9 +28,9 @@ in {
coc-html coc-html
coc-json coc-json
coc-nvim coc-nvim
coc-pyright
vim-nix vim-nix
vim-puppet
]; ];
withNodeJs = true; withNodeJs = true;
@@ -51,7 +50,7 @@ in {
" Integrate status with lightline " Integrate status with lightline
let g:lightline = { let g:lightline = {
\ 'active': { \ 'active': {
\ 'left': [[ 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]] \ 'left': [[ 'mode', 'paste', 'filename', 'readonly', 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]]
\ } \ }
\ } \ }
@@ -98,11 +97,16 @@ in {
" Nerdtree-settings " Nerdtree-settings
" Toggle nerdtree on Ctrl+t " Toggle nerdtree on Ctrl+t
nmap <silent> <C-t> :NERDTreeToggle<CR> nmap <silent> <C-t> :NERDTreeToggle<CR>
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
" Close vim is Nerdtree is the only buffer left " Close vim is Nerdtree is the only buffer left
autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
if empty($AERC_ACCOUNT) && empty($MOZ_APP_LAUNCHER)
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
endif
autocmd Filetype go setlocal expandtab tabstop=4 shiftwidth=4 softtabstop=4
" List and switch buffers on Ctrl+k " List and switch buffers on Ctrl+k
" nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space> " nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space>
nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR> nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR>
@@ -116,12 +120,18 @@ in {
nnoremap <C-s> <cmd>Telescope find_files<cr> nnoremap <C-s> <cmd>Telescope find_files<cr>
nnoremap <C-g> <cmd>Telescope live_grep<cr> nnoremap <C-g> <cmd>Telescope live_grep<cr>
" Don't darken the background
autocmd VimEnter * highlight normal ctermbg=NONE guibg=NONE
" Show trailing whitespace " Show trailing whitespace
highlight ExtraWhitespace ctermbg=red guibg=red highlight ExtraWhitespace ctermbg=red guibg=red
match ExtraWhitespace /\s\+$/ match ExtraWhitespace /\s\+$/
" Disable search highlights " Disable search highlights
map <Leader><Space> :noh<CR> map <Leader><Space> :noh<CR>
" Start with Coc disabled
" autocmd VimEnter * CocDisable
''; '';
}; };


@@ -2,6 +2,7 @@
programs = { programs = {
zsh = { zsh = {
enable = true; enable = true;
history.extended = true;
prezto = { prezto = {
enable = true; enable = true;
@@ -21,6 +22,7 @@
"terminal" "terminal"
"editor" "editor"
"history" "history"
"history-substring-search"
# "directory" # "directory"
"spectrum" "spectrum"
# "utility" # "utility"
@@ -28,32 +30,39 @@
"git" "git"
"autosuggestions" "autosuggestions"
"syntax-highlighting" "syntax-highlighting"
"history-substring-search"
"prompt" "prompt"
]; ];
}; };
initExtra = '' initContent = ''
# Autocomplete ../ # Autocomplete ../
zstyle ':completion:*' special-dirs true zstyle ':completion:*' special-dirs true
export PATH="$HOME/.config/emacs/bin:$PATH" export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH"
unalias "gs" unalias "gs"
if [ -f ~/.config/zsh-extras ]; then
source ~/.config/zsh-extras
fi
''; '';
shellAliases = { shellAliases = {
l = "exa -l";
c = "z"; c = "z";
tree = "exa --tree --icons"; em = "emacsclient -c";
emnw = "emacsclient -nw";
grep = "grep --color=auto";
l = "exa -l";
ls = "ls --color=auto";
nd = "nix develop --command zsh";
s = "nix-shell --run zsh"; s = "nix-shell --run zsh";
sp = "nix-shell --run zsh -p"; sp = "nix-shell --run zsh -p";
spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p"; spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p";
em = "emacsclient -c"; tree = "exa --tree --icons";
emnw = "emacsclient -nw";
gst = "git status -sb";
gcm = "git commit -m";
gps = "git push";
gpl = "git pull";
"git clone git clone" = "git clone"; "git clone git clone" = "git clone";
gcm = "git commit -m";
gpl = "git pull";
gps = "git push";
gst = "git status -sb";
}; };
}; };


@@ -1,36 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
# Infrastructure
./services/wireguard.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "burnham";
defaultGateway = "192.168.11.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.11.109"; prefixLength = 24; }
];
};
hostId = "8e24f235";
};
# sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "23.11";
}


@@ -1,50 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.networking.wireguard.interfaces."wg0";
in {
networking = {
nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ cfg.listenPort ];
wireguard.interfaces."wg0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/burnham.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{ # Defiant
publicKey = "8/711GhmN9+NcduHF4JPkfoZPE0qsDLuwhABcPyjNxI=";
persistentKeepalive = 120;
allowedIPs = [
"10.100.0.1/32"
"192.168.10.0/24"
];
endpoint = "site3.feal.no:51902";
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
];
};
};
}


@@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }:
let
cmdChownManga = pkgs.writeScriptBin "chownManga" ''
#!${pkgs.stdenv.shell}
chown -R amalieem:komga /tank/media/komga/Amalie
chmod -R 750 /tank/media/komga/Amalie
'';
in {
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
packages = with pkgs; [
cmdChownManga
mangal
rsync
];
};
security.sudo = {
enable = true;
extraRules = [{
commands = [
{
command = "${lib.getExe cmdChownManga}";
options = [ "NOPASSWD" ];
}
];
users = [ "amalieem" ];
}];
};
}
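Review bot: The NOPASSWD rule at L1500-1511 lets amalieem run a root `chown -R`/`chmod -R` over a tree she controls (L1484-1485), so anything she can get hard-linked into /tank/media/komga/Amalie is reassigned to her; with `fs.protected_hardlinks=1` (the systemd/NixOS default, I believe) that is limited to files she can already read and write, and coreutils' `-R` defaults to `-P` so symlinks are not followed, but the script still has no `set -eu`, and `chmod -R 750` marks every regular file executable. The cleaner fix is to avoid the root chown entirely with a setgid `komga` group directory plus a default ACL so new files are group-readable without privilege; short of that, fail closed and separate file and directory modes.

```nix
cmdChownManga = pkgs.writeScriptBin "chownManga" ''
  #!${pkgs.stdenv.shell}
  set -eu
  dir=/tank/media/komga/Amalie
  # chown -R defaults to -P (no symlink following); hard links remain the only vector
  chown -R amalieem:komga "$dir"
  find "$dir" -type d -exec chmod 750 {} +
  find "$dir" -type f -exec chmod 640 {} +
'';
```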


@@ -0,0 +1,84 @@
{ config, pkgs, lib, ... }:
{
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 10"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
# Calibre metadata and config
calibre = localJob "calibre" [
"/var/lib/calibre-web"
"/var/lib/calibre-server"
];
# Other system backups (NB: Large!)
hostBackups = localJob "hostBackups" [
"/tank/backup"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
media = localJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
];
media-remote = cloudJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
# Nextcloud config and data
nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
# Postgresql databases
postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
# Transmission metadata/config
transmission = localJob "transmission" [ "/var/lib/transmission" ];
# TODO: timemachine
};
sops.secrets."restic/calibre" = { };
sops.secrets."restic/hostBackups" = { };
sops.secrets."restic/media" = { };
sops.secrets."restic/nextcloud" = { };
sops.secrets."restic/postgres" = { };
sops.secrets."restic/transmission" = { };
environment.systemPackages = with pkgs; [
restic
];
}
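Review bot: The remote jobs (L1532-1543) hand this host credentials that can both `initialize` and `forget --prune` the rsync.net repositories, so a compromised challenger can purge remote history up to whatever provider-side snapshot window exists; the comment `# rsync.net keeps daily snapshots` is carrying that whole safety argument without stating the retention, so I would extend it to `# rsync.net keeps daily snapshots for N days: that, not restic, is the protection against a compromised host pruning history`. None of the jobs runs `restic check`, so silent repository corruption on the NFSv3 share would only surface at restore time; adding `checkOpts = [ "--read-data-subset=5%" ];` (or a separate check timer) to `localJob` is cheap. The `05:15` postgres timers assume the postgresqlBackup timer elsewhere runs at 03:15, which is not visible here.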


@@ -0,0 +1,65 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
../../base.nix
../../common/metrics-exporters.nix
./amalieem.nix
./backup.nix
# ./exports.nix
./filesystems.nix
# ./services/archivebox.nix
./services/audiobookshelf.nix
./services/calibre.nix
./services/jellyfin.nix
./services/komga.nix
./services/nextcloud.nix
./services/nginx.nix
./services/postgres.nix
./services/timemachine.nix
];
networking = {
hostName = "challenger";
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.161"; prefixLength = 24; }
];
hostId = "828ab735";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/challenger/challenger.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
security.polkit.enable = true; # Required for nextcloud
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
];
hardware.nvidia = {
modesetting.enable = true;
open = false;
};
hardware.graphics.enable = true;
services.xserver.videoDrivers = ["nvidia"];
system.stateVersion = "24.05";
}
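Review bot: `virtualisation.docker.enable = true` at L1632 means any container with a `0.0.0.0:` port mapping is reachable through Docker's own iptables chain regardless of `networking.firewall`, so the loopback-only binds in the container modules (archivebox uses `127.0.1.2`) are what keeps them off the LAN; that invariant should be stated here, e.g. `# Docker inserts its own iptables chain ahead of networking.firewall — containers must bind 127.x only`. No user is added to the `docker` group in this chunk, which is right since that group is root-equivalent, but base.nix is not visible so I cannot confirm it stays that way. `security.polkit.enable` is annotated only as "Required for nextcloud"; naming the action that needs it would let a future cleanup decide whether it still does.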


@@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
{
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
};
};
# Enable nfs4 only
# services.nfs.server = {
# enable = true;
# exports = ''
# /export 192.168.10.67(rw,fsid=0,no_subtree_check)
# /export/riker-backup 192.168.10.67(rw,nohide,no_subtree_check,no_root_squash)
# '';
# };
# networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
# networking.firewall.allowedUDPPorts = [ 111 20048];
}
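Review bot: The commented-out export at L1664 grants `no_root_squash` to 192.168.10.67, so re-enabling it makes root on that client root over /tank/backup/riker, and the commented firewall lines open 111 and 20048, which are rpcbind/mountd ports only needed for NFSv3 although the heading says "Enable nfs4 only". Since configuration.nix (L1605) does not import this file, nothing here is live yet; either drop the dead block or annotate it before it is revived: `# no_root_squash: riker's root is root on this tree — acceptable only because the export is limited to one host; NFSv4-only needs just 2049/tcp`.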


@@ -0,0 +1,48 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ];
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
fileSystems = {
"/mnt/feal-syn1/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
"/mnt/feal-syn2/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.11.163:/volume1/challenger";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}
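Review bot: The comment above the feal-syn2 mount (L1705) is a copy of the feal-syn1 one and names the wrong host; replace it with `# device = "feal-syn2.home.feal.no:/volume1/challenger";` or drop it. Both shares are mounted `rw` with `nfsvers=3`, i.e. AUTH_SYS with no client authentication, so the local restic repositories that backup.nix writes under /mnt/feal-syn1/backup are protected solely by the NAS export allow-list and the segment's IP integrity; that assumption belongs here, e.g. `# NFSv3/AUTH_SYS: no client auth beyond the NAS export list — keep these mounts on the trusted VLAN only`. `requestEncryptionCredentials = false` leaves any encrypted datasets in `tank` locked at boot, which is presumably intentional but worth a one-line note for whoever debugs a service that fails after a reboot.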


@@ -1,29 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/a6465c1c-4c93-423d-84a9-e4ecb9520741"; { device = "/dev/disk/by-uuid/7101364b-9056-4309-afeb-3c17b220684f";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D0C1-97CE"; { device = "/dev/disk/by-uuid/FDCE-A287";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
}; };
swapDevices = [ ]; swapDevices = [ {
device = "/swapfile";
size = 16*1024;
} ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -34,5 +35,5 @@
# networking.interfaces.idrac.useDHCP = lib.mkDefault true; # networking.interfaces.idrac.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@@ -1,12 +1,5 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
home.packages = with pkgs; [
bat
bottom
ncdu
neofetch
];
imports = [ imports = [
./../../home/base.nix ./../../home/base.nix
]; ];
@@ -15,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
}; };
home.stateVersion = "23.05"; home.stateVersion = "24.05";
} }


@@ -0,0 +1,35 @@
{ config, lib, ... }:
let
host = "127.0.1.2";
port = "5009";
uid = 911;
gid = 911;
in {
users.users.archivebox = {
inherit uid;
group = "archivebox";
isSystemUser = true;
useDefaultShell = true;
description = "ArchiveBox web archiving tool";
};
users.groups.archivebox = {
inherit gid;
};
# ArchiveBox - Open source self-hosted web archiving.
virtualisation.oci-containers.containers.archivebox = {
image = "archivebox/archivebox:0.8.5rc50";
ports = [ "${host}:${port}:8000" ];
volumes = [
"/tank/archivebox:/data"
];
};
services.nginx.virtualHosts."archivebox.home.feal.no" = {
locations."/" = {
proxyPass = "http://${host}:${port}";
};
};
}
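Review bot: The `archivebox` user and group created at the top of the file are never handed to the container — the `virtualisation.oci-containers.containers.archivebox` block sets no `user` and passes no `--user` in `extraOptions`, so the process runs as whatever the image defaults to and `uid`/`gid` only produce host accounts. If the intent is to own `/tank/archivebox` as 911:911 and run the container unprivileged, pass the ids explicitly, e.g. `user = "${toString uid}:${toString gid}";`, or the image's PUID/PGID environment if that is the mechanism it expects (confirm against the image docs). Pinning to a release-candidate tag (`0.8.5rc50`) deserves a one-line comment saying why, since rc images do not receive later fixes; `config` and `lib` in the argument set are unused.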


@@ -0,0 +1,57 @@
{ config, lib, pkgs, ... }:
let
domain = "audiobooks.home.feal.no";
host = "127.0.1.2";
port = 5016;
in {
fileSystems = {
"/var/lib/audiobookshelf" = {
device = "/tank/media/audiobookshelf/config";
options = [ "bind" ];
};
};
services.audiobookshelf = {
enable = true;
dataDir = "audiobookshelf";
inherit host port;
};
systemd.services.audiobookshelf = {
requires = [ "var-lib-audiobookshelf.mount" ];
serviceConfig = {
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/audiobookshelf"
"/tank/media/audiobookshelf"
];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
}
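Review bot: `requires = [ "var-lib-audiobookshelf.mount" ];` pulls the bind mount in but does not order the service after it — systemd's `Requires=` carries no ordering, so the service can still start while the mount is in progress and find an empty `/var/lib/audiobookshelf`. Add `after = [ "var-lib-audiobookshelf.mount" ];` next to it, or use `unitConfig.RequiresMountsFor = [ "/var/lib/audiobookshelf" ];`, which gives both the dependency and the ordering. `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]` is a single space-separated string inside a list; it renders to a valid directive, but three separate strings `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` match how `ReadWritePaths` below is written. The phpfpm-nextcloud unit elsewhere in this compare sets `SystemCallFilter = "@system-service";`, and the same line would fit this hardening block.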


@@ -6,10 +6,16 @@ let
in { in {
services = { services = {
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
locations."/".proxyPass = locations = {
"http://${cfg.listen.ip}:${toString cfg.listen.port}"; "/".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
locations."/opds".proxyPass = "/opds".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
"http://${cfg.listen.ip}:${toString cfg.listen.port}"; };
extraConfig = ''
client_max_body_size 512M;
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
'';
}; };
calibre-server = { calibre-server = {
@@ -26,6 +32,7 @@ in {
options = { options = {
calibreLibrary = storage; calibreLibrary = storage;
enableBookConversion = true; enableBookConversion = true;
enableKepubify = true;
enableBookUploading = true; enableBookUploading = true;
}; };
}; };


@@ -0,0 +1,35 @@
{ config, pkgs, lib, ... }:
{
# Jellyfin - Media Streaming platform
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
services.nginx.virtualHosts."jellyfin.home.feal.no" = {
serverAliases = [ "jf.feal.no" ];
locations = {
"= /" = {
return = "302 http://$host/web/";
};
"/" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_buffering off;
'';
};
"/socket" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
};
};
extraConfig = ''
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
'';
};
}
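Review bot: `return = "302 http://$host/web/";` hard-codes the plain-http scheme, so a client that reached this host through the TLS front (`jf.feal.no` is proxied to `jellyfin.home.feal.no` by `publicProxy` in defiant's nginx.nix on this same page) is bounced to an `http://` URL. A relative redirect `return = "302 /web/";` together with `absolute_redirect off;` in the server `extraConfig` makes nginx emit `Location: /web/` unchanged, which it would otherwise expand to an absolute URL using the scheme it saw. `X-XSS-Protection "1; mode=block"` is the legacy auditor that browsers have removed, and the `1` mode was itself a source of side-channel problems; current guidance is `add_header X-XSS-Protection "0";` or dropping the header in favour of a Content-Security-Policy, which this vhost does not set. Note that nginx's `add_header` is only inherited by a location that declares no `add_header` of its own, so any header later added inside `/` or `/socket` will silently drop these server-level ones.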


@@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }:
let
domain = "komga.home.feal.no";
port = 5001;
in {
services.komga = {
enable = true;
stateDir = "/tank/media/komga";
settings.server = {
inherit port;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
client_max_body_size 512M;
'';
};
}


@@ -0,0 +1,154 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.nextcloud;
hostName = "cloud.feal.no";
in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
inherit hostName;
home = "/tank/nextcloud";
https = true;
webfinger = true;
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "ncadmin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
};
settings = {
default_phone_region = "NO";
log_type = "file";
overwriteprotocol = "https";
trusted_proxies = [ "192.168.10.175" ]; # defiant
# Docs: https://github.com/pulsejet/nextcloud-oidc-login
oidc_login_auto_redirect = true;
oidc_login_button_text = "Log in with KeyCloak";
oidc_login_client_id = "nextcloud";
oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
oidc_login_code_challenge_method = "S256";
oidc_login_end_session_redirect' = true;
oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
oidc_login_redir_fallback = true;
oidc_login_attributes = {
id = "preferred_username";
mail = "email";
name = "name";
login_filter = "nextcloud-roles";
};
oidc_login_filter_allowed_values = [ "nextcloud-user" ];
oidc_login_disable_registration = false;
"memories.exiftool" = pkgs.writeShellScript "exiftool-perl" ''
${lib.getExe pkgs.perl} ${cfg.home}/store-apps/memories/bin-ext/exiftool/exiftool "$@"
'';
"memories.exiftool_no_local" = false;
"memories.vod.disable" = false;
"memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
preview_ffmpeg_path = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
};
secretFile = config.sops.secrets."nextcloud/secretsjson".path;
phpOptions = {
"opcache.interned_strings_buffer" = "16";
"upload_max_filesize" = lib.mkForce "8G";
"post_max_size" = lib.mkForce "8G";
"memory_limit" = lib.mkForce "8G";
};
poolSettings = {
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
environment.systemPackages = [
cfg.occ # "occ CMD" in the docs -> "sudo -u nextcloud nextcloud-occ CMD"
pkgs.nodejs_20 # For Recognize; Put /run/current-system/sw/bin/node in the "node_binary" field in the web UI -> Memories
];
sops.secrets."nextcloud/adminpass" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
sops.secrets."nextcloud/secretsjson" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
services.postgresql = {
ensureDatabases = [ "nextcloud" ];
ensureUsers = [ {
name = "nextcloud";
ensureDBOwnership = true;
} ];
};
systemd.services.nextcloud-cron = {
path = with pkgs; [
exiftool
ffmpeg-headless
];
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
systemd.services."phpfpm-nextcloud" = {
requires = [ "tank-nextcloud.mount" ];
path = with pkgs; [
# perl
# perlPackages.ImageExifTool
exiftool
ffmpeg-headless
];
serviceConfig = {
PrivateDevices = lib.mkForce false;
WorkingDirectory = "/tank/nextcloud";
NoNewPrivileges = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
InaccessiblePaths = [ "/tank/media" "/tank/backup" ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
};
};
# Notes:
# - Install Memories and Recognize from the app store
# - They might need to be forced on with "nextcloud-occ app:enable memories", etc.
# - Run "nextcloud-occ maintenance:repair" to fix broken paths
# - Download ai models and maps with the commands given in the ui
# - libtensorflow doesn't work properly through node, but recognize still works(?)
}
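Review bot: `oidc_login_end_session_redirect' = true;` — the trailing apostrophe is a legal Nix identifier character, so this sets a key literally named `oidc_login_end_session_redirect'` and the real option never reaches the generated config; drop the quote: `oidc_login_end_session_redirect = true;`. The `CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP …"` string most likely does not do what it reads as: systemd treats `~` as a prefix on the whole assignment, and the later `~CAP_…` words do not resolve as capability names, so I expect only CAP_FSETID to be dropped and the rest to be logged as unparseable — check with `systemctl show phpfpm-nextcloud -p CapabilityBoundingSet` and the journal. If that is confirmed, the fix is a single leading `~` followed by plain names, but verify first that php-fpm's master process, which switches to the pool user, still works without CAP_SETUID/CAP_SETGID before removing them. `oidc_login_client_secret = "dont_put_secrets_here_use_secretFile"` is fine as a placeholder because `secretFile` overrides it, but a comment saying so would save the next reader a search.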


@@ -10,6 +10,8 @@
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
virtualHosts."cloud.feal.no".default = true;
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
@@ -19,4 +21,3 @@
/* email = "felix@albrigtsen.it"; */ /* email = "felix@albrigtsen.it"; */
/* }; */ /* }; */
} }


@@ -4,16 +4,10 @@
enable = true; enable = true;
/* enableTCPIP = true; # Expose on the network */ /* enableTCPIP = true; # Expose on the network */
authentication = pkgs.lib.mkOverride 10 '' authentication = pkgs.lib.mkOverride 10 ''
local gitea all ident map=gitea-users
local vaultwarden all ident map=vaultwarden-users
local all all trust local all all trust
host all all 127.0.0.1/32 trust host all all 127.0.0.1/32 trust
host all all ::1/128 trust host all all ::1/128 trust
''; '';
identMap = ''
gitea-users gitea gitea
vaultwarden-users vaultwarden vaultwarden
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
@@ -23,8 +17,5 @@
backupAll = true; backupAll = true;
}; };
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }


@@ -1,9 +1,9 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
timeMachineDir = "/tank/backup/worf"; timeMachineDir = "/tank/backup/worf2";
user = "worf-backup"; user = "worf-backup";
sizeLimit = "800000"; # MiB sizeLimit = "1000000"; # MiB
allowedIPs = "192.168.10.2 192.168.10.5"; #TODO allowedIPs = "192.168.10.2 192.168.10.34"; #TODO
in { in {
services.avahi = { services.avahi = {
enable = true; enable = true;

50
hosts/defiant/backup.nix Normal file

@@ -0,0 +1,50 @@
{ config, pkgs, lib, ... }:
{
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
};
# TODO: home-assistant, pihole
sops.secrets."restic/postgres" = { };
sops.secrets."restic/gitea" = { };
sops.secrets."restic/matrix-synapse" = { };
sops.secrets."restic/vaultwarden" = { };
}
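Review bot: The restic jobs run `forget`/`prune` with the same credentials they back up with, so a compromised defiant can also delete the history in both repositories; for the sftp target the only thing standing between that and total loss is the provider-side snapshot that `# rsync.net keeps daily snapshots` alludes to, which is worth stating as the reason an append-only repository is not used rather than as a retention note. The sftp repository depends on `/root/.ssh/config` for host name and key, which is state outside this repo — make sure that entry pins the host key (`StrictHostKeyChecking yes` with a known_hosts entry), and consider declaring it through `programs.ssh.extraConfig` / `programs.ssh.knownHosts` so a rebuild reproduces it. `localJob` and `cloudJob` repeat `inherit paths`, `passwordFile` and `initialize`; a shared base attrset merged with `//` would leave only `repository` and `pruneOpts` per variant.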


@@ -5,23 +5,29 @@
[ [
../../base.nix ../../base.nix
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
./filesystems.nix
./hardware-configuration.nix ./hardware-configuration.nix
# Infrastructure # Infrastructure
./backup.nix
./libvirt.nix ./libvirt.nix
./services/dyndns.nix
./services/nginx.nix ./services/nginx.nix
./services/pihole.nix ./services/pihole.nix
./services/postgresql.nix ./services/postgresql.nix
./services/wireguard.nix ./services/wireguard.nix
# Services # Services
./services/flame.nix
./services/gitea.nix ./services/gitea.nix
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/home-assistant.nix ./services/home-assistant.nix
./services/keycloak.nix
./services/matrix ./services/matrix
./services/metrics ./services/microbin.nix
./services/minecraft.nix # ./services/minecraft/home.nix
./services/monitoring
# ./services/rtl-tcp.nix
# ./services/searx.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
]; ];
@@ -39,16 +45,6 @@
sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml; sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
environment.variables = { EDITOR = "vim"; }; environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.prometheus.exporters.zfs.enable = true;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "docker";


@@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
};
services.prometheus.exporters.zfs.enable = true;
environment.systemPackages = with pkgs; [
cifs-utils
zfs
];
fileSystems = {
"/mnt/feal-syn1/backup" = {
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}


@@ -1,11 +1,5 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
home.packages = with pkgs; [
bat
bottom
ncdu
neofetch
];
imports = [ imports = [
./../../home/base.nix ./../../home/base.nix


@@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }:
{
sops.secrets."domeneshop/netrc" = { };
services.domeneshop-dyndns = {
enable = true;
domain = "site3.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}


@@ -1,22 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}


@@ -36,7 +36,6 @@ in {
OPENID_CONNECT_SCOPES = "email profile openid"; OPENID_CONNECT_SCOPES = "email profile openid";
UPDATE_AVATAR = true; UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto"; ACCOUNT_LINKING = "auto";
USERNAME = "email";
}; };
log.LEVEL = "Info"; log.LEVEL = "Info";
@@ -45,18 +44,16 @@ in {
ui = { ui = {
THEMES="gitea,arc-green,nord"; THEMES="gitea,arc-green,nord";
DEFAULT_THEME="nord"; #DEFAULT_THEME="nord";
}; };
}; };
# TODO: # TODO: configure mailer
# - Backup
# - services.gitea.dump?
# - ZFS snapshots?
# - configure mailer
}; };
systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work"; systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";
services.postgresqlBackup.databases = [ "gitea" ];
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
} }


@@ -4,7 +4,7 @@ let
domain = "md.feal.no"; domain = "md.feal.no";
port = 3300; port = 3300;
host = "127.0.1.2"; host = "127.0.1.2";
authServerUrl = "https://auth.feal.no"; authServerUrl = "https://iam.feal.no";
in { in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = { sops.secrets."hedgedoc/env" = {
@@ -21,9 +21,8 @@ in {
allowFreeURL = true; allowFreeURL = true;
allowAnonymous = false; allowAnonymous = false;
allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission allowAnonymousEdits = true;
# dbURL = "postgres://hedgedoc@localhost/hedgedoc";
db = { db = {
username = "hedgedoc"; username = "hedgedoc";
database = "hedgedoc"; database = "hedgedoc";
@@ -32,20 +31,23 @@ in {
}; };
email = false; email = false;
oauth2 = { oauth2 = let
baseURL = "${authServerUrl}/oauth2"; oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect";
tokenURL = "${authServerUrl}/oauth2/token"; in {
authorizationURL = "${authServerUrl}/ui/oauth2"; providerName = "Keycloak";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo"; authorizationURL = "${oidc}/auth";
baseURL = "${authServerUrl}";
tokenURL = "${oidc}/token";
userProfileURL = "${oidc}/userinfo";
clientID = "hedgedoc"; clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile"; scope = "openid email profile";
userProfileUsernameAttr = "name"; userProfileDisplayNameAttr = "name";
userProfileEmailAttr = "email"; userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname"; userProfileUsernameAttr = "preferred_username";
rolesClaim = "hedgedoc-roles";
providerName = "KaniDM"; accessRole = "hedgedoc-user";
}; };
}; };
}; };
@@ -53,7 +55,6 @@ in {
systemd.services.hedgedoc = { systemd.services.hedgedoc = {
requires = [ requires = [
"postgresql.service" "postgresql.service"
# "kanidm.service"
]; ];
serviceConfig = let serviceConfig = let
workDir = "/var/lib/hedgedoc"; workDir = "/var/lib/hedgedoc";
@@ -95,6 +96,8 @@ in {
}]; }];
}; };
services.postgresqlBackup.databases = [ "hedgedoc" ];
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }


@@ -8,9 +8,10 @@ in {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
homeassistant = { homeassistant = {
image = "ghcr.io/home-assistant/home-assistant:2024.1"; image = "ghcr.io/home-assistant/home-assistant:2025.5.3";
extraOptions = [ extraOptions = [
"--network=host" "--network=host"
"--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB
]; ];
volumes = [ volumes = [
"/tank/services/homeassistant/config:/config" "/tank/services/homeassistant/config:/config"


@@ -0,0 +1,33 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.keycloak.settings;
hostname = "iam.feal.no";
in {
sops.secrets."keycloak/postgres" = { };
services.keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
username = "keycloak";
passwordFile = config.sops.secrets."keycloak/postgres".path;
};
settings = {
cache = "local";
hostname = "https://${hostname}";
hostname-backchannel-dynamic = false;
http-enabled = true;
http-host = "127.0.1.2";
http-port = 5060;
proxy-headers = "xforwarded";
};
};
# The main reverse proxy is defined in ./nginx.nix
services.nginx.virtualHosts.${hostname} = {
locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
};
}


@@ -1,7 +1,8 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
domain = "matrix-admin.home.feal.no"; domain = "matrix-admin.home.feal.no";
backend = "http://127.0.0.1:8008"; # backend = "http://127.0.0.1:8008";
backend = "http://unix:/run/matrix-synapse/matrix-synapse.sock";
synapse-admin = pkgs.callPackage ./adminPkg.nix { }; synapse-admin = pkgs.callPackage ./adminPkg.nix { };
in { in {
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {


@@ -6,6 +6,12 @@
group = "matrix-synapse"; group = "matrix-synapse";
}; };
sops.secrets."matrix/synapse/oidcsecret" = {
restartUnits = [ "matrix-synapse.service" ];
owner = "matrix-synapse";
group = "matrix-synapse";
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
enableNginx = true; enableNginx = true;
@@ -69,11 +75,34 @@
tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt"; tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key"; tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
enableSlidingSync = true;
oidc_providers = [
{
idp_id = "keycloak";
idp_name = "Keycloak";
issuer = "https://iam.feal.no/realms/feal.no";
client_id = "matrix-synapse";
client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
attribute_requirements = [{
attribute = "matrix-roles";
value = "matrix-user";
}];
backchannel_logout_enabled = true;
enable_registration = false;
}
];
}; };
}; };
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
services.postgresqlBackup.databases = [ "matrix-synapse" ];
services.nginx.virtualHosts."matrix.feal.no" = { services.nginx.virtualHosts."matrix.feal.no" = {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }



@@ -1,20 +0,0 @@
{ config, pkgs, ... }:
{
environment.systemPackages = [
pkgs.prometheus-snmp-exporter
];
systemd.services.prometheus-snmp-exporter = {
enable = true;
description = "Gather data from SNMP devices and expose them as Prometheus metrics";
unitConfig = {
Type = "simple";
};
serviceConfig = {
ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/tank/services/metrics/prometheus/snmp.yml'";
# snmp.yml = https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml + https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
};
wantedBy = [ "multi-user.target" ];
};
}


@@ -0,0 +1,41 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.microbin;
domain = "p.feal.no";
address = "127.0.1.2";
port = 5006;
in {
services.microbin = {
enable = true;
passwordFile = config.sops.secrets."microbin/secrets".path;
settings = {
MICROBIN_BIND = address;
MICROBIN_DISABLE_TELEMETRY = true;
MICROBIN_ENABLE_BURN_AFTER = true;
MICROBIN_FOOTER_TEXT = "Be nice or go away";
MICROBIN_NO_FILE_UPLOAD = true;
MICROBIN_NO_LISTING = true;
MICROBIN_PORT = port;
MICROBIN_PUBLIC_PATH = "https://${domain}/";
MICROBIN_QR = true;
MICROBIN_TITLE = "Temporary pasta collection";
};
};
sops.secrets."microbin/secrets" = { };
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
locations."/" = {
proxyPass = "http://${address}:${toString port}";
};
};
}


@@ -0,0 +1,50 @@
{ config, pkgs, lib, inputs, ... }:
{
imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/minecraft-server";
servers.home = {
enable = true;
jvmOpts = "-Xms4G -Xmx4G";
package = pkgs.fabricServers.fabric-1_21_4;
serverProperties = {
motd = "Home <3";
difficulty = "easy";
view-distance = 16;
simulation-distance = 16;
enable-command-block = true;
enable-rcon = true;
online-mode = false;
"rcon.password" = "wack";
};
symlinks = {
mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
FabricAPI = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
sha256 = "sha256-nL1bcAaMW0tRCpfW0prd3mce14ZNcl7pAUabVXAQfWs=";
};
Lithium = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/zVOQw7YU/lithium-fabric-0.14.6%2Bmc1.21.4.jar";
sha256 = "sha256-iF4hy+3XVJP7Fv6R2dsrYq6Ct0MQJLX4/4Yh5WEJm90=";
};
});
};
};
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server"
];
networking.firewall.allowedUDPPorts = [ 24454 ];
}
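Review bot: `"rcon.password" = "wack";` with `enable-rcon = true` puts a guessable remote-console password in the repo and, presumably, into the rendered `server.properties` in the world-readable Nix store; RCON grants full operator access, so move the value to a sops secret (the other services on this page already read `config.sops.secrets.*`) or leave RCON disabled until it is needed. `online-mode = false` turns off Mojang authentication, so anyone who can reach the port can join under any name, including an operator's; combined with `openFirewall = true` and `enable-command-block = true` that is only acceptable if the port is reachable from the LAN alone — confirm that `openFirewall` does not also open `rcon.port` (default 25575). A short comment next to `online-mode` stating why it is off would make the trade-off explicit for the next reader.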


@@ -61,8 +61,6 @@
}; };
}; };
# TODO: Automated backup job (https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/commit/57d1dfd121fdb23fcef54e0632f6f6278c6bb753/hosts/greddost/services/minecraft/default.nix#L144)
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server" "minecraft-server"
]; ];


@@ -6,5 +6,6 @@
./grafana.nix ./grafana.nix
./loki.nix ./loki.nix
./snmp-exporter.nix ./snmp-exporter.nix
./uptime-kuma.nix
]; ];
} }


@@ -44,12 +44,6 @@ in {
url = "https://grafana.com/api/dashboards/14284/revisions/9/download"; url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
options.path = dashboards/synology-nas-details.json; options.path = dashboards/synology-nas-details.json;
} }
{
name = "OpenWRT";
type = "file";
url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
options.path = dashboards/openwrt.json;
}
]; ];
}; };
}; };


@@ -51,7 +51,6 @@ in {
boltdb_shipper = { boltdb_shipper = {
active_index_directory = "${saveDirectory}/boltdb-shipper-index"; active_index_directory = "${saveDirectory}/boltdb-shipper-index";
cache_location = "${saveDirectory}/boltdb-shipper-cache"; cache_location = "${saveDirectory}/boltdb-shipper-cache";
shared_store = "filesystem";
cache_ttl = "24h"; cache_ttl = "24h";
}; };
filesystem = { filesystem = {
@@ -60,15 +59,18 @@ in {
}; };
limits_config = { limits_config = {
enforce_metric_name = false; allow_structured_metadata = false;
reject_old_samples = true; reject_old_samples = true;
reject_old_samples_max_age = "72h"; reject_old_samples_max_age = "72h";
}; };
compactor = { compactor = {
working_directory = "${saveDirectory}/compactor"; working_directory = "${saveDirectory}/compactor";
shared_store = "filesystem";
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
cfg.configuration.server.http_listen_port
];
} }
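Review bot: `networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];` opens Loki's HTTP API on every interface, and nothing in this hunk shows `auth_enabled` or a fronting proxy, so by default any host that can reach the port can push logs and query everything stored. If the only legitimate clients are the log agents on the LAN, scope the opening to that interface with `networking.firewall.interfaces.<iface-placeholder>.allowedTCPPorts`, or put nginx with authentication in front as the other services on this page do. The beginning of the file is outside this hunk, so an existing `auth_enabled` or listen-address setting there would change this assessment; a comment on the firewall line naming the intended clients would make the exposure deliberate.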


@@ -17,23 +17,16 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"voyager.home.feal.no:9100" "challenger.home.feal.no:9100"
"sulu.home.feal.no:9100"
"mccoy.home.feal.no:9100"
"dlink-feal.home.feal.no:9100"
"edison.home.feal.no:9100"
"defiant.home.feal.no:9100" "defiant.home.feal.no:9100"
"leonard.home.feal.no:9100"
"morn.home.feal.no:9100"
"scotty.home.feal.no:9100" "scotty.home.feal.no:9100"
"sisko.home.feal.no:9100"
]; ];
} }
]; ];
} }
{
job_name = "openwrt";
static_configs = [
{ targets = ["dlink-feal.home.feal.no:9100"]; }
];
}
{ {
job_name = "snmp"; job_name = "snmp";
static_configs = [{ static_configs = [{



@@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
services.prometheus.exporters.snmp = {
enable = true;
configurationPath = ./snmp-exporter-conf.yml;
# snmp.yml is built from
# https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml
# and
# https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
};
}
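Review bot: `configurationPath = ./snmp-exporter-conf.yml;` copies the YAML into the Nix store, which is world-readable on the host, and as a path literal it also lives in this git repo; if that file's `auths:` section carries SNMP community strings or v3 passphrases (its diff is collapsed on this page, so I cannot tell), those credentials are exposed to every local user. Keep the generated module definitions in the repo but load the `auths:` block from a sops secret instead — recent snmp_exporter releases accept `--config.file` more than once, so the credentials file can be passed separately through the exporter's `extraFlags` — and use a community other than the default `public` on the Synology side. The comment naming the two inputs the file is built from is good; adding the generator version used would make the next regeneration reproducible.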


@@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.uptime-kuma;
in {
services.uptime-kuma = {
enable = true;
settings = {
PORT = "5059";
HOST = "127.0.1.2";
};
};
services.nginx.virtualHosts."uptime.home.feal.no" = {
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
};
}


@@ -1,5 +1,8 @@
{ config, values, ... }: { config, values, ... }:
{ let
gitea = config.services.gitea.settings;
keycloak = config.services.keycloak.settings;
in {
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true; enableReload = true;
@@ -31,7 +34,7 @@
# Publicly exposed services: # Publicly exposed services:
services.nginx.virtualHosts = let services.nginx.virtualHosts = let
publicProxy = upstream: { publicProxy = upstream: overrides: {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; } { addr = "192.168.10.175"; port = 43080; ssl = false; }
@@ -49,12 +52,22 @@
server_tokens off; server_tokens off;
''; '';
}; } // overrides;
in { in {
"auth.feal.no" = publicProxy "https://voyager.home.feal.no"; "amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"cloud.feal.no" = publicProxy "http://voyager.home.feal.no"; "cloud.feal.no" = publicProxy "" {
"git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}"; locations."/" = {
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/"; proxyPass = "http://challenger.home.feal.no";
"wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/"; extraConfig = ''
client_max_body_size 8G;
'';
};
};
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
}; };
} }
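Review bot: `publicProxy upstream overrides` merges with `//`, a shallow update, so `"cloud.feal.no" = publicProxy "" { locations."/" = {…}; }` replaces the whole `locations` attrset that `publicProxy` builds from `upstream` (that part of its body is outside this hunk) — any websocket or per-location settings defined there are dropped for this host, and the empty `""` upstream is dead input. `} // overrides;` → `lib.recursiveUpdate { … } overrides` (with `lib` added to the argument set) would keep the base location settings while still letting the override win. `"git.feal.no" = … { default = true; }` makes gitea the catch-all for requests whose Host matches no vhost on the public listener (scanners hitting the raw IP, wrong-SNI TLS handshakes); a dedicated default `server` that returns 444 is the usual choice so unknown names never reach an application, and a comment should record why gitea was chosen if that is intentional.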


@@ -2,15 +2,24 @@
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = false; enableTCPIP = true;
authentication = ''
host all all 172.16.0.0/12 md5
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
# enable = true; enable = true;
location = "/data/backup/postgresql/"; location = "/tank/backup/postgresql";
startAt = "*-*-* 03:15:00"; startAt = "*-*-* 03:15:00";
backupAll = true;
# Each service is registered in its own configuration file
databases = [ ];
}; };
# Docker containers on this host can reach postgres
networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }
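Review bot: `host all all 172.16.0.0/12 md5` lets every container in the docker range authenticate to every database as any role that has a password, and selects the legacy md5 scheme; PostgreSQL 14 and later hash new passwords with scram-sha-256 by default, so `host all all 172.16.0.0/12 scram-sha-256` works for passwords set since then and keeps the md5 hash off the wire, while narrowing the line to the specific database/role pairs the containers need (as the removed ident map did for gitea and vaultwarden) limits what one compromised container can reach. The `iptables -A INPUT …` rule is appended to the raw INPUT chain rather than to `nixos-fw`, which the NixOS firewall flushes and rebuilds; I expect it to be duplicated on every firewall reload and to survive a stop — `iptables -A nixos-fw -p tcp --dport 5432 -s 172.16.0.0/12 -j nixos-fw-accept` keeps it inside the managed chain. The `# Docker containers on this host can reach postgres` comment should also name which containers, since `enableTCPIP = true` now binds 5432 on all interfaces with only the firewall in front.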


@@ -0,0 +1,14 @@
{ config, pkgs, lib, ... }:
let
port = 1457;
in {
hardware.rtl-sdr.enable = true;
systemd.services.rtl-tcp = {
script = "${pkgs.rtl-sdr}/bin/rtl_tcp -a 0.0.0.0 -p ${toString port} -s 2000000 -T";
serviceConfig = {
Group = "plugdev";
};
};
networking.firewall.allowedTCPPorts = [ port ];
}
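Review bot: `rtl_tcp -a 0.0.0.0` binds the SDR stream to every interface and `allowedTCPPorts = [ port ]` opens it host-wide, while the rtl_tcp protocol has no authentication at all, so anyone who can reach the port can tune the dongle and consume the stream. Bind to the LAN address the clients actually use, or keep the bind and open the port only on that interface via `networking.firewall.interfaces.<iface-placeholder>.allowedTCPPorts`, and add a comment noting that the file is currently commented out in defiant's `default.nix` so the exposure is dormant. The unit also runs as the default root user with only `Group = "plugdev"`; `DynamicUser = true` plus `SupplementaryGroups = [ "plugdev" ]` should still reach the device through the udev group that `hardware.rtl-sdr.enable` sets up, without root.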


@@ -0,0 +1,39 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.searx;
domain = "search.home.feal.no";
in {
services.searx = {
enable = true;
environmentFile = config.sops.secrets."searx/envfile".path;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
base_url = "http://${domain}";
};
};
runInUwsgi = true;
uwsgiConfig = {
socket = "/run/searx/searx.sock";
chmod-socket = "660";
};
redisCreateLocally = true;
};
sops.secrets."searx/envfile" = {
owner = "searx";
group = "searx";
};
users.groups."searx".members = [ "nginx" ];
services.nginx.virtualHosts."${domain}" = {
locations."/".extraConfig = ''
include ${config.services.nginx.package}/conf/uwsgi_params;
uwsgi_pass unix:${cfg.uwsgiConfig.socket};
'';
};
}
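Review bot: `secret_key = "@SEARX_SECRET_KEY@"` only works because the searx module substitutes `@VAR@` placeholders from `environmentFile` at start-up; a comment on that line such as `# placeholder, substituted from the sops envfile by the searx module` stops a reader from thinking a literal placeholder ships as the key. `base_url` and the nginx vhost are plain HTTP, so session cookies cross the network in clear; that is consistent with the other `home.feal.no` vhosts here as long as the name is only reachable on the internal network.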


@@ -2,8 +2,9 @@
let let
cfg = config.services.vaultwarden; cfg = config.services.vaultwarden;
domain = "pw.feal.no"; domain = "pw.feal.no";
address = "127.0.0.1"; address = "127.0.1.2";
port = 3011; # Note: The websocket port is left as default(3012) port = 3011;
wsPort = 3012;
in { in {
sops.secrets."vaultwarden/admintoken" = { sops.secrets."vaultwarden/admintoken" = {
owner = "vaultwarden"; owner = "vaultwarden";
@@ -19,11 +20,16 @@ in {
rocketAddress = address; rocketAddress = address;
rocketPort = port; rocketPort = port;
websocketEnabled = true;
# databaseUrl = "postgresql://vaultwarden:@localhost/vaultwarden?sslmode=disable";
databaseUrl = "postgresql://vaultwarden@/vaultwarden";
signupsAllowed = false; websocketEnabled = true;
websocketAddress = address;
websocketPort = wsPort;
signupsAllowed = true;
signupsVerify = true;
signupsDomainsWhitelist = "albrigtsen.it";
databaseUrl = "postgresql://vaultwarden@/vaultwarden";
}; };
}; };
@@ -35,6 +41,8 @@ in {
}]; }];
}; };
services.postgresqlBackup.databases = [ "vaultwarden" ];
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@@ -52,7 +60,7 @@ in {
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."/notifications/hub" = { locations."/notifications/hub" = {
proxyPass = "http://localhost:3012"; proxyPass = "http://${address}:${toString wsPort}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."/notifications/hub/negotiate" = { locations."/notifications/hub/negotiate" = {
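Review bot: `signupsAllowed = true` is redundant with `signupsDomainsWhitelist = "albrigtsen.it"`: vaultwarden documents that a non-empty domain whitelist overrides SIGNUPS_ALLOWED and decides registrations by e-mail domain alone, so flipping this from `false` to `true` changes nothing while reading as if registration were open. Keeping `signupsAllowed = false;` beside the whitelist documents the intended policy, and `signupsVerify = true` additionally needs an SMTP configuration, which is not visible in these hunks. The websocket move from `localhost:3012` to `${address}:${toString wsPort}` keeps it on the same 127.0.1.2 bind as `rocketAddress`, which is consistent. The `in {` block continues outside the hunks.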


@@ -30,27 +30,9 @@ in {
"10.100.0.2/32" "10.100.0.2/32"
"192.168.11.0/24" "192.168.11.0/24"
]; ];
endpoint = "site2.feal.no:51902"; #endpoint = "site2.feal.no:51902";
} }
{ # Sulu ] ++ (import ../../../common/wireguard-peers.nix);
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
];
}; };
}; };
} }
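Review bot: The commented-out `#endpoint = "site2.feal.no:51902";` leaves dead configuration with no explanation of why this peer no longer has an endpoint; either delete it or replace it with a comment stating the reason (for example that the other side initiates the tunnel, if that is the case). With the per-peer `allowedIPs` blocks replaced by `import ../../../common/wireguard-peers.nix`, a one-line comment naming what that file provides would help the next reader, since the inline entries that documented each peer are gone. The enclosing `peers` list starts outside the hunk.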


@@ -1,49 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
virtualisation.docker.enable = true;
networking = {
hostName = "edison";
defaultGateway = "192.168.10.1";
interfaces.enp4s0.useDHCP = false;
interfaces.enp4s0.ipv4.addresses = [
{ address = "192.168.10.170"; prefixLength = 24; }
];
hostId = "8e84b281";
};
console.keyMap = "us";
# sops.defaultSopsFile = ../../secrets/edison/edison.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
pavucontrol
gparted
unstable.hydrus
];
programs.steam.enable = true;
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"steam"
"steam-original"
"steam-run"
];
system.stateVersion = "23.05";
}


@@ -1,58 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.xserver = {
enable = true;
desktopManager.xfce.enable = true;
videoDrivers = [ "nvidia" ];
layout = "us,no";
xkbVariant = "intl";
};
services.openssh.settings.X11Forwarding = true;
environment.systemPackages = with pkgs; [
xfce.xfce4-pulseaudio-plugin
];
services.picom.enable = true;
hardware.opengl.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
(nerdfonts.override {
fonts = [
"Hack"
];
})
];
};
# Remote:
services.xrdp = {
enable = true;
defaultWindowManager = "xfce4-session";
openFirewall = true;
};
security.polkit.enable = true;
services.flatpak.enable = true;
users.users."felixalb".packages = [ pkgs.flatpak ];
xdg.portal = {
enable = true;
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
};
}


@@ -1,46 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/14b254e1-d94f-4b9b-a910-7fcf7e33af46";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A197-7913";
fsType = "vfat";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/ebbdf34e-adec-4df3-bbed-20d80455f3f7";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d56040a0-3009-4899-95fa-1b82e60e32e4"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,24 +0,0 @@
{ pkgs, lib, ... }:
{
home.packages = with pkgs; [
bat
bottom
mumble
ncdu
neofetch
nix-index
];
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
alacritty.enable = true;
firefox.enable = true;
rofi.enable = true;
};
home.stateVersion = "23.05";
}


@@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
networkmanager.enable = true;
wireguard.enable = true;
tempAddresses = "disabled";
hostName = "fa-t14-2025";
nameservers = [ "9.9.9.9" ];
domain = "it.hime.no";
hostId = "f458d6aa";
search = [
"mktv.no"
"mktv.local"
];
};
services.openssh.openFirewall = false;
environment.systemPackages = with pkgs; [
inetutils
wireguard-tools
];
virtualisation.docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
users.users.felixalb = {
uid = 1000;
openssh.authorizedKeys.keys = [ ];
extraGroups = [ "networkmanager" ];
};
console.keyMap = "no";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"securecrt"
"securefx"
];
};
system.stateVersion = "25.05";
}
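Review bot: `tempAddresses = "disabled"` turns off IPv6 privacy extensions on what looks like a roaming laptop, so the host keeps a stable interface-derived IPv6 suffix across the networks it joins; if a work network requires it, a comment such as `# privacy extensions disabled because: <reason>` on that line records it, otherwise the default is the safer choice. `openssh.authorizedKeys.keys = [ ]` and `services.openssh.openFirewall = false` are good laptop defaults; a short comment that inbound SSH is deliberately unreachable would make that intent explicit rather than looking like a placeholder.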


@@ -0,0 +1,51 @@
{ config, pkgs, lib, ... }:
{
hardware.graphics.enable = true;
services.xserver = {
enable = true;
xkb = {
options = "ctrl:nocaps";
layout = "no";
};
};
services.displayManager.ly.enable = true;
services.gnome.gnome-keyring.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-color-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
nerd-fonts.hack
];
};
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.dbus.packages = [ pkgs.gcr ];
services.openssh.settings.X11Forwarding = true;
programs.nm-applet.enable = true;
}
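Review bot: `services.openssh.settings.X11Forwarding = true` is the sshd-side setting and is unusual on a Hyprland/Wayland laptop whose sshd is not even opened in the firewall; leaving it at the default `no` removes an unneeded feature of the SSH server. If it exists for a specific workflow, a comment naming it next to the line would help.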


@@ -0,0 +1,51 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "resume_offset=3037184" "mem_sleep_default=deep" ];
boot.resumeDevice = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
powerManagement.enable = true;
services.power-profiles-daemon.enable = true;
services.logind.lidSwitch = "suspend-then-hibernate";
services.logind.lidSwitchDocked = "ignore";
services.logind.powerKey = "suspend-then-hibernate";
services.logind.powerKeyLongPress = "poweroff";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/3ecaedab-415c-4cce-a3a9-9f3782acb682";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0800-59D9";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 32*1024;
}
];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,99 @@
{ pkgs, lib, ... }:
let
emailAddress = "felix.albrigtsen@mktv.no";
in {
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
bc
catimg
chromium
dig
element-desktop
hunspellDicts.en_US
hunspellDicts.nb_NO
iperf3
jq
libreoffice
mpv
oauth2ms
openssl
openvpn
pavucontrol
pwgen
traceroute
virt-manager
w3m
nixpkgs-2211.remmina
(unstable.microsoft-edge.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/microsoft-edge $out/bin/microsoft-edge-stable
'';
}))
# Window Manager Extras
bibata-cursors
brightnessctl
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
(python312.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
firefox.enable = true;
git.extraConfig.user.email = emailAddress;
rbw = {
enable = true;
settings = {
base_url = "https://vault.mktv.no";
email = emailAddress;
pinentry = pkgs.pinentry-rofi;
};
};
rofi = {
enable = true;
# theme = "iggy";
theme = "Arc-Dark";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
};
};
home.stateVersion = "25.05";
}
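Review bot: `nixpkgs-2211.remmina` pins remmina to a 22.11-era nixpkgs that no longer receives security updates, so this one package keeps shipping whatever was fixed after that channel closed; if it is pinned because the current build is broken, a comment such as `# pinned to 22.11 because: <reason>; revisit` records why and when to drop it. The same pin appears in hosts/sisko/home.nix. The `microsoft-edge` override only adds a symlink and is fine as written.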


@@ -0,0 +1,53 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/mysql.nix
./services/nginx.nix
./services/postgresql.nix
./services/wiki-wackattack-eu.nix
./services/www-feal-no
./services/www-kinealbrigtsen-no.nix
./services/www-amalie-mansaker-no
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "leonard";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.207"; prefixLength = 24; }
];
};
hostId = "b99c12d1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "25.05";
}
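Review bot: The egress rules in `firewall.extraCommands` carve out DNS only for UDP (`-p udp --dport 53`), so answers that fall back to TCP — truncated responses, large DNSSEC records — to a LAN resolver will hit the `192.168.10.0/24` refuse rule; emitting a second line per nameserver, `"iptables -A OUTPUT -p tcp --dport 53 -d ${addr} -j nixos-fw-accept"`, keeps DNS working in those cases. The rules are `iptables` only, so if the LAN also carries IPv6 the isolation does not cover it; either mirror them with `ip6tables` or note that IPv6 is off on `ens18`. `iptables -F OUTPUT` also discards any OUTPUT rules other modules add before this script runs, which is probably intended but is worth stating in the existing comment.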


@@ -0,0 +1,24 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4a70c1d5-9d72-4581-8f75-733b91c10669";
fsType = "ext4";
};
swapDevices = [ ]; # TODO
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@@ -1,12 +1,5 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
home.packages = with pkgs; [
bat
bottom
ncdu
neofetch
];
imports = [ imports = [
./../../home/base.nix ./../../home/base.nix
]; ];
@@ -15,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
}; };
home.stateVersion = "23.05"; home.stateVersion = "25.05";
} }
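Review bot: `home.stateVersion` moves from `"23.05"` to `"25.05"` at the last changed line; stateVersion records the release a profile was first installed with and is meant to stay fixed, because home-manager keys some stateful defaults on it. If this host was freshly reinstalled the bump is right; otherwise it should stay at `"23.05"`, or the commit should say what state was migrated. The package removals above are unproblematic.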


@@ -0,0 +1,10 @@
{ config, pkgs, lib, ... }:
{
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
# TODO: services.mysqlBackup
}


@@ -0,0 +1,19 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}


@@ -0,0 +1,20 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = false;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}
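Review bot: `local all all trust` (and `mkOverride 10` discards the module's default `peer` rules) lets any local OS account open a socket connection as any database role, including `postgres`, with no credential; on a host that also runs php-fpm and wiki-js, a compromised service user could become the database superuser. `local all all peer` gives the same password-free convenience while tying each connection to the matching OS user, and it works with the `ensureUsers`/`ensureDBOwnership` pattern in wiki-wackattack-eu.nix provided the service's OS user is also named `wiki-js`. If one service needs a different role name, a `peer map=…` entry is the targeted exception.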


@@ -0,0 +1,38 @@
{ config, ... }:
let
bindIP = "127.0.1.2";
port = 5051;
cfg = config.services.wiki-js;
in {
# sops.secrets."wikijs/envfile" = {
# restartUnits = [ "wiki-js.service" ];
# };
services.wiki-js = {
enable = true;
# environmentFile = config.sops.secrets."wikijs/envfile".path;
settings = {
inherit bindIP port;
db = {
type = "postgres";
host = "/run/postgresql";
db = "wiki-js";
user = "wiki-js";
};
};
};
services.postgresql = {
ensureDatabases = [ "wiki-js" ];
ensureUsers = [{
name = "wiki-js";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."wiki.wackattack.eu" = {
locations."/" = {
proxyPass = "http://${bindIP}:${toString port}";
};
};
}


@@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."amalie.mansaker.no" = let
siteContent = pkgs.callPackage ./site.nix { };
in {
locations = {
"/".root = siteContent;
};
};
}


@@ -0,0 +1,26 @@
{ stdenv, fetchgit, hugo }:
stdenv.mkDerivation {
name = "www-amalie-mansaker-no";
src = fetchgit {
url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
fetchSubmodules = true;
rev = "58265a25b37bf2286e0704e02ab3dde56a348d8b";
hash = "sha256-dPcv0AGjsWqDCWCjV2PeklBrWsIawLAccRQEYe3teOM=";
};
nativeBuildInputs = [ hugo ];
buildPhase = ''
cp -r $src/* .
${hugo}/bin/hugo
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r public/* $out/
runHook postInstall
'';
}
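Review bot: `buildPhase` skips `runHook preBuild`/`runHook postBuild` while `installPhase` does call its hooks; adding the two hook lines keeps the derivation consistent and lets overrides attach to it. `cp -r $src/* .` appears to duplicate what the default unpackPhase already does for a directory source, and `${hugo}/bin/hugo` can be plain `hugo` since it is in `nativeBuildInputs`. The pinned `rev` plus `hash` on the `fetchgit` is the right shape for a reproducible site build.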


@@ -0,0 +1,26 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."feal.no" = {
default = true;
serverAliases = [
"www.feal.no"
];
locations = {
# TODO: Reinstate actual website
"/".return = "302 https://git.feal.no/";
"^~ /.well-known/" = {
alias = (toString ./well-known) + "/";
};
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}


@@ -0,0 +1,5 @@
{
"m.homeserver": {
"base_url": "https://matrix.feal.no:443"
}
}


@@ -0,0 +1 @@
{"m.server": "matrix.feal.no:443"}


@@ -0,0 +1,95 @@
{ config, pkgs, lib, ... }:
{
users.users.www-kinealbrigtsen-no = {
isSystemUser = true;
group = "www-kinealbrigtsen-no";
};
users.groups.www-kinealbrigtsen-no = { };
services.mysql.ensureDatabases = [
"www_kinealbrigtsen_no"
];
services.mysql.ensureUsers = [
{
name = "www-kinealbrigtsen-no";
ensurePermissions = {
# "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
"www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
};
}
];
services.phpfpm.pools.www-kinealbrigtsen-no = {
user = "www-kinealbrigtsen-no";
group = "www-kinealbrigtsen-no";
phpOptions = lib.generators.toKeyValue {} {
upload_max_filesize = "1000M";
post_max_size = "1000M";
memory_limit = "1000M";
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 1000;
};
};
services.nginx.virtualHosts."kinealbrigtsen.no" = {
serverAliases = [ "www.kinealbrigtsen.no" ];
root = "/var/www/www-kinealbrigtsen-no";
locations = {
"/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
"~ \\.php$".extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
'';
"~ /\\.ht".extraConfig = ''
deny all;
'';
"/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
"/robots.txt".extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
"~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
expires max;
log_not_found off;
'';
};
extraConfig = ''
index index.php index.html;
set_real_ip_from 192.168.11.0/24;
real_ip_header X-Forwarded-For;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
'';
};
# TODO:
# - Configure a mailer so wp_mail() works
# - Enable periodic backups
}
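Review bot: The `~ \\.php$` location hands every URI ending in `.php` to php-fpm without checking that the file exists, and nothing stops PHP execution under the WordPress uploads directory; adding `try_files $uri =404;` as the first line of that location's `extraConfig`, plus a higher-priority location such as `"~* ^/wp-content/uploads/.*\\.php$" = { priority = 500; return = "403"; };`, are the two standard WordPress-on-nginx hardening steps (php-fpm's default `security.limit_extensions` already covers the classic path-info case, so this is defence in depth). `add_header X-Frame-Options DENY` also blocks same-origin framing, which the WordPress customizer relies on; `SAMEORIGIN` is the usual value. `set_real_ip_from 192.168.11.0/24` trusts `X-Forwarded-For` from that range, which matches an upstream proxy there but deserves a comment naming it. The TODOs at the end already cover mail and backups.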


@@ -0,0 +1,35 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/nginx.nix
./services/glance
./services/miniflux.nix
./services/thelounge.nix
];
networking = {
hostName = "morn";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.203"; prefixLength = 24; }
];
};
hostId = "89b7722d";
};
sops.defaultSopsFile = ../../secrets/morn/morn.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "24.11";
}


@@ -1,3 +1,6 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
@@ -11,13 +14,17 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/31ff6d37-52d6-43c3-a214-5d38a6c38b0e"; { device = "/dev/disk/by-uuid/93307186-cbc3-4748-859f-0013a1e36def";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = fileSystems."/boot" =
[ { device = "/dev/disk/by-uuid/cce59ee7-7c83-4165-a9b0-f950cd2e3273"; } { device = "/dev/disk/by-uuid/FFCD-993A";
]; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -26,5 +33,5 @@
# networking.useDHCP = lib.mkDefault true; # networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }

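--- a/hosts/morn/home.nix
+++ b/hosts/morn/home.nix
+{ pkgs, lib, ... }:
+{
+imports = [
+./../../home/base.nix
+];
+programs = {
+zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+};
+home.stateVersion = "24.11";
+}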


@@ -0,0 +1,15 @@
{ config, values, ... }:
{
services.glance = {
enable = true;
settings = import ./settings.nix;
};
services.nginx.virtualHosts."glance.home.feal.no" = let
inherit (config.services.glance.settings.server) host port;
in {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
}
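Review bot: `settings = import ./settings.nix;` imports a file whose first line is `{ config, ... }:`, so as shown the option receives a function rather than an attribute set and the module's YAML settings type should reject it at evaluation; either call it, `settings = import ./settings.nix { inherit config; };`, or drop the function header from settings.nix, whose `config` argument is unused anyway. If the host evaluates today, something not visible in these hunks must be applying the function, which would be worth a comment here.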


@@ -0,0 +1,83 @@
{ config, ... }:
{
server = {
port = 5001;
host = "127.0.1.2";
};
pages =
let
fullCol = widgets: {
size = "full";
inherit widgets;
};
in
[
{
name = "Home";
columns = [
(fullCol [
{
type = "search";
search-engine = "http://search.home.feal.no/search?q={QUERY}";
}
{
type = "weather";
units = "metric";
location = "Trondheim, Norway";
}
])
(fullCol [
{
type = "hacker-news";
limit = 20;
collapse-after = 5;
}
{
type = "monitor";
cache = "5m";
sites =
let
site = title: url: { inherit title url; };
in
[
(site "Jellyfin" "http://jellyfin.home.feal.no")
(site "Gitea" "https://git.feal.no")
(site "VaultWarden" "https://pw.feal.no")
];
}
])
];
}
{
name = "News";
columns =
let
feed = title: url: { inherit title url; };
rss = title: feeds: {
type = "rss";
inherit title feeds;
};
in
[
(fullCol [
(rss "Norway" [
(feed "NRK" "https://www.nrk.no/toppsaker.rss")
(feed "Bygdeposten" "https://www.bygdeposten.no/service/rss")
(feed "Nidaros" "https://www.nidaros.no/service/rss")
])
])
(fullCol [
(rss "NTNU" [
(feed "OmegaV" "https://omegav.no/newsrss")
(feed "PVV" "https://www.pvv.ntnu.no/w/api.php?hidebots=1&urlversion=1&days=7&limit=50&action=feedrecentchanges&feedformat=atom")
(feed "IT-Varsel" "https://varsel.it.ntnu.no/subscribe/rss/")
])
])
];
}
];
}


@@ -0,0 +1,23 @@
{ config, pkgs, lib, ... }:
let
domain = "rss.home.feal.no";
listen_addr = "127.0.1.2:5051";
in {
sops.secrets."miniflux/env" = { };
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = {
CREATE_ADMIN = true;
LISTEN_ADDR = listen_addr;
BASE_URL = "http://${domain}";
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${listen_addr}";
};
}


@@ -0,0 +1,19 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}
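Review bot: This file is identical to leonard's services/nginx.nix earlier in the comparison (the enable/reload/recommended* flags, ports 80/443 and the ACME defaults); a shared `common/nginx.nix` imported by both hosts would keep the two from drifting, for example when the ACME contact changes. The `values` argument is unused in both copies and can be dropped from the pattern.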


@@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.thelounge.extraConfig;
domain = "irc.home.feal.no";
in {
services.thelounge = {
enable = true;
extraConfig = {
public = false;
host = "127.0.1.2";
port = 9000;
reverseProxy = true;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}";
};
}
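Review bot: `locations."/".proxyPass` forwards to thelounge without `proxyWebsockets = true`, while `reverseProxy = true` tells thelounge to expect a proxy; its client uses socket.io, which without the Upgrade headers degrades to long polling at best, so `locations."/" = { proxyPass = "http://${cfg.host}:${toString cfg.port}"; proxyWebsockets = true; };` matches what the vaultwarden vhost does. Reading `host`/`port` back from `config.services.thelounge.extraConfig` keeps nginx and the service in sync, which is good. `public = false` means accounts are created out of band; a comment saying how would help.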


@@ -1,73 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
];
networking.hostName = "redshirt";
networking.networkmanager.enable = true;
# Enable the X11 windowing system.
services.xserver = {
enable = true;
windowManager = {
qtile.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
libinput.enable = true;
};
# The NixOS module enables critical components needed to run Hyprland properly, such as: polkit, xdg-desktop-portal-hyprland, graphics drivers, fonts, dconf, xwayland, and adding a proper Desktop Entry to your Display Manager.
#programs.hyprland = {
# enable = true;
# package = pkgs.unstable.hyprland;
#};
services.xserver.displayManager = {
lightdm.enable = true;
#defaultSession = "hyprland";
};
# Configure keymap in X11
services.xserver.layout = "no";
fonts.fonts = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" "Hack" ]; })
];
sound.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
users.users.felixalb = {
extraGroups = [ "networkmanager" ];
};
environment.systemPackages = with pkgs; [
zsh
neovim
git
ripgrep
rsync
cifs-utils
];
documentation.man.generateCaches = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
system.stateVersion = "22.11";
}


@@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0d709ab3-0d10-46eb-9e4f-10a320af703e";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6EE9-1C06";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/2067bbb4-b4fa-4326-9f58-4018857058a7"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,90 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
hostName = "sisko";
# networkmanager.enable = true;
defaultGateway = "192.168.10.1";
interfaces.enp14s0 = {
ipv4 = {
addresses = [
{ address = "192.168.10.172"; prefixLength = 24; }
];
};
wakeOnLan.enable = true;
};
hostId = "b716d781";
};
hardware.bluetooth.enable = true;
hardware.rtl-sdr.enable = true;
sops.defaultSopsFile = ../../secrets/sisko/sisko.yaml;
environment.variables = { EDITOR = "vim"; };
users.users.felixalb.extraGroups = [
"dialout"
"libvirtd"
"networkmanager"
"plugdev"
];
programs = {
alvr = {
enable = true;
openFirewall = true;
};
firefox = {
enable = true;
nativeMessagingHosts.packages = with pkgs; [ tridactyl-native ];
};
gamemode.enable = true;
immersed.enable = true;
steam = {
enable = true;
remotePlay.openFirewall = true;
};
virt-manager.enable = true;
};
virtualisation = {
libvirtd.enable = true;
spiceUSBRedirection.enable = true;
};
environment.systemPackages = with pkgs; [
virtiofsd
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"discord"
"immersed"
"spotify"
"steam"
"steam-unwrapped"
];
permittedInsecurePackages = [
"openssl-1.1.1w"
];
rocmSupport = true;
};
services.fwupd.enable = true;
system.stateVersion = "24.11";
}
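Review bot: `permittedInsecurePackages = [ "openssl-1.1.1w" ]` re-enables an end-of-life OpenSSL for the whole evaluation without saying which package needs it, so every dependent silently gets an unmaintained TLS library; a comment such as `# needed by: <package>` beside it, and a check whether a newer build of that package has dropped the dependency, keeps the exception reviewable. `alvr.openFirewall = true` and `steam.remotePlay.openFirewall = true` open ports on every interface of a host with a static LAN address, which is fine on a trusted LAN but worth a comment given that docker and the rtl-sdr stack also run here.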

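--- a/hosts/sisko/desktop.nix
+++ b/hosts/sisko/desktop.nix
+{ config, pkgs, lib, ... }:
+{
+# Video
+hardware.graphics = {
+enable = true;
+enable32Bit = true;
+};
+hardware.amdgpu.opencl.enable = true;
+services.displayManager.ly.enable = true;
+services.xserver.enable = true;
+services.xserver.desktopManager.xfce.enable = true;
+programs.hyprland = {
+enable = true;
+xwayland.enable = true;
+};
+# Audio
+services.pipewire = {
+enable = true;
+alsa.enable = true;
+pulse.enable = true;
+jack.enable = true;
+};
+# Misc
+fonts = {
+fontDir.enable = true;
+packages = with pkgs; [
+fira-code
+font-awesome
+hack-font
+nerd-fonts.hack
+noto-fonts
+noto-fonts-cjk-sans
+noto-fonts-color-emoji
+];
+};
+environment.sessionVariables = {
+NIXOS_OZONE_WL = "1";
+SSH_AUTH_SOCK = "/run/user/${toString config.users.users.felixalb.uid}/keyring/ssh";
+};
+services.gnome.gnome-keyring.enable = true;
+# Dark mode
+home-manager.users.felixalb = {
+dconf.settings = {
+"org/gnome/desktop/interface" = {
+color-scheme = "prefer-dark";
+};
+};
+gtk = {
+enable = true;
+theme = {
+name = "Adwaita-dark";
+package = pkgs.gnome-themes-extra;
+};
+};
+};
+qt = {
+enable = true;
+platformTheme = "gnome";
+style = "adwaita-dark";
+};
+}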


@@ -0,0 +1,55 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options bluetooth disable_ertm=1"; # Xbox controller
hardware.xpadneo.enable = true;
boot.kernel.sysctl = {
"vm.max_map_count" = 16777216;
# "fs.file-max" = 524288;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ {
device = "/swapfile";
size = 64*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp14s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
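Review bot: `/boot` is mounted with `fmask=0022`/`dmask=0022`, making the ESP world-readable, whereas the fa-t14-2025 hardware-configuration in this same comparison uses `0077`; `options = [ "fmask=0077" "dmask=0077" ];` is what current nixos-generate-config emits and keeps kernels, initrds and any initrd secrets unreadable to unprivileged users. The `disable_ertm=1` line already carries a comment; a similar one on `vm.max_map_count` stating which application needs it would help the next reader.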

162
hosts/sisko/home.nix Normal file

@@ -0,0 +1,162 @@
{ pkgs, lib, config, ... }:
{
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
# GUI Applications
cantata
chromium
discord
easyeffects
element-desktop
emacs-gtk
feishin
gqrx
kitty
libreoffice
lutris
mpv
mumble
orca-slicer
papers
pavucontrol
picard
pkgsRocm.hashcat
prismlauncher
restic
runelite
spotify
swayimg
thunderbird
tor-browser
bolt-launcher
exiftool
ghidra
# pwndbg-gdb-alias # Broken in 25.05
snicat
# Window Manager Extras
bibata-cursors
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
# Misc tools
abcde
bc
catimg
dante
dig
go
hunspellDicts.en_US
hunspellDicts.nb_NO
jq
nixpkgs-2211.remmina
ollama-rocm
openssl
playerctl
pwgen
restic
rocmPackages.clang
traceroute
w3m
(python313.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
ncmpcpp.enable = true;
rbw = {
enable = true;
settings = {
base_url = "https://pw.feal.no";
email = "felix@albrigtsen.it";
pinentry = pkgs.pinentry-gnome3;
};
};
rofi = {
enable = true;
theme = "iggy";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
services = {
mpd = let
home = config.home.homeDirectory;
in {
enable = true;
musicDirectory = "${home}/mnt/music";
dataDir = "${home}/Music/mpd/data";
playlistDirectory = "${home}/Music/mpd/playlists";
extraConfig = ''
audio_output {
type "pipewire"
name "PipewireOut1"
}
'';
};
};
home.pointerCursor = {
name = "Bibata-Modern-Ice";
package = pkgs.bibata-cursors;
size = 24;
gtk.enable = true;
x11 = {
enable = true;
defaultCursor = true;
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
"inode/directory" = "org.gnome.Nautilus.desktop";
"application/pdf" = "org.gnome.Papers.desktop";
} // builtins.listToAttrs (
builtins.map
( imgType: { name = "image/${imgType}"; value = "swayimg.desktop"; } )
[ "apng" "bmp" "gif" "heic" "heif" "jpeg" "png" "svg" "svg+xml" "tiff" ]
);
};
home.stateVersion = "24.11";
}
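Review bot: `nixpkgs-2211.remmina` in the "Misc tools" group takes remmina from the NixOS 22.11 release, which no longer receives security updates, so that package and its dependency closure (FreeRDP and the libraries under it) stay at whatever patch level 22.11 ended at — a real gap for a remote-desktop client that parses data from the servers it connects to. The reason for the pin is not recorded anywhere in the file; add a comment such as `nixpkgs-2211.remmina # pinned to 22.11 because <reason>; unpin when <condition>` so the exception is tracked rather than forgotten. Separately, `restic` is listed twice (once under "GUI Applications", once under "Misc tools"); one entry should go. The `firefox.desktop` defaults in xdg.mimeApps assume firefox is installed elsewhere, presumably in the system configuration — worth confirming, since a missing handler silently falls back to whatever else claims the type.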
