Compare commits


216 Commits

Author SHA1 Message Date
bd05773d1a auto-upgrade: point back to the main branch 2025-12-08 21:05:23 +01:00
77cdedf958 defiant: update to nixos 25.11 2025-12-08 20:59:46 +01:00
b4b8fa2309 worf: fix 25.11. Clean flake. 2025-12-04 17:22:33 +01:00
aca430fb18 challenger/audiobookshelf: fix mount order 2025-12-02 19:38:08 +01:00
8aa123303c challenger: update to nixos 25.11. Update to nextcloud 32 2025-12-02 00:14:36 +01:00
f7ce8585b5 burnham: remove host 2025-12-01 23:22:05 +01:00
1af2ea3552 malcolm: remove host (superseded by leonard) 2025-12-01 23:17:25 +01:00
d9b62f7c0a sisko: Update to nixos 25.11 2025-12-01 00:24:11 +01:00
774bd0c0d8 morn: update to 25.11 2025-12-01 00:02:06 +01:00
9c0ea93934 flake: update to 25.11. Breaks worf/darwin. 2025-11-30 23:54:27 +01:00
520a96878b leonard: Add amalie-mansaker-no 2025-11-23 18:56:03 +01:00
9eed01bb4a defiant: enable cloud backups 2025-11-17 21:30:04 +01:00
f5cc555c1b challenger: cleanup, remove ersatztv 2025-11-14 23:49:56 +01:00
b4ca418a34 defiant: cleanup, remove flame, remove koillection 2025-11-14 23:38:46 +01:00
261b19f7c3 challenger: add audiobookshelf 2025-11-13 23:12:05 +01:00
c0e19e7c21 morn: add thelounge 2025-11-06 22:05:31 +01:00
c601ed7d39 flake: update 2025-11-03 20:17:40 +01:00
4b922cd23d defiant/nginx: wiki-wackattac-eu has moved to leonard 2025-11-02 15:06:10 +01:00
68950a4507 leonard: Add wiki-wackattack-eu 2025-11-02 15:05:43 +01:00
0c08f92444 defiant/matrix-synapse: Fix oidc provider mapping typo 2025-11-02 12:23:19 +01:00
f4630467f6 defiant/matrix-synapse: require matrix-user role in keycloak 2025-11-01 19:50:55 +01:00
ee4bb0ee2d defiant/monitoring: update prometheus target list 2025-10-19 00:36:51 +02:00
410e673673 sops: add recovery key 2025-10-18 23:59:13 +02:00
492bd530d3 challenger/backup: add hostBackups 2025-10-18 23:46:32 +02:00
14483e95e7 defiant/nginx: Move www.feal.no and www.kinealbrigtsen.no to leonard 2025-10-18 22:33:08 +02:00
483f30229f leonard: add www-feal-no. add www-kinealbrigtsen-no. configure outgoing firewall 2025-10-18 22:25:05 +02:00
49a3c0211e leonard: init host 2025-10-17 21:02:28 +02:00
b1fed06b7d worf: add mpv 2025-10-17 19:39:04 +02:00
9c24a7bfa5 wireguard: add Amalie's phone. Disable burnham endpoint 2025-10-16 23:04:06 +02:00
64777e4caf flake: update 2025-10-12 18:12:47 +02:00
36574ed5b0 worf: rebuild needs sudo now 2025-09-16 19:21:26 +02:00
b438b63306 defiant/nginx: temporarily add forwards for mccoy 2025-09-14 20:46:26 +02:00
4e8156139b defiant/gitea: Disable default theme 2025-09-14 20:46:26 +02:00
4a25256ee6 flake: update 2025-09-09 22:35:27 +02:00
5633f4b551 sisko: add rtl-sdr, gqrx, hashcat, immersed. Remove bambu-studio 2025-09-09 22:25:07 +02:00
d30b0b1a97 sisko: add lutris 2025-08-22 19:08:21 +02:00
5c07d9540b sisko: add docker 2025-08-22 19:08:21 +02:00
Felix Albrigtsen
8d3d918c94 My friendship with github education is over 2025-08-22 09:56:11 +02:00
Felix Albrigtsen
fc7e3decc6 fa-t14-2025: Minor adjustments 2025-08-21 15:43:28 +02:00
Felix Albrigtsen
0490048a14 fa-t14-2025: Add docker, minor adjustments. home: improve tmux config 2025-08-21 15:43:28 +02:00
74b7feb043 sisko: minor changes 2025-08-03 17:51:59 +02:00
5701615d29 base: remove manual nixpkgs registry/nix-path override, not needed since 24.05 2025-08-02 17:22:27 +02:00
4e2f1cb44d flake: update all inputs. Remove deprecated matrix-synapse options 2025-07-31 00:24:22 +02:00
73e2ee8fa7 flake: remove hyprswitch input 2025-07-31 00:24:22 +02:00
03fbccbbd2 defiant: stop minecraft server 2025-07-31 00:24:22 +02:00
3ecca821d0 defiant: Generalize wireguard config 2025-07-31 00:24:22 +02:00
ee23a6eb75 sisko: various minor changes 2025-07-31 00:07:40 +02:00
5dcd4c11bb challenger/backup: cleanup, add books/music 2025-07-31 00:04:51 +02:00
eb4b58bed7 morn: add miniflux 2025-07-06 23:59:16 +02:00
c9efb5c1dd remove old hosts voyager and felixalbpc 2025-07-06 23:32:29 +02:00
ac1e8d2f3f challenger/backup: Add remote cloud backups 2025-07-03 23:41:23 +02:00
dc5b6f9915 flake: update. sisko: add bambu studio/orcaslicer, fix updates 2025-07-03 23:26:02 +02:00
Felix Albrigtsen
03c4f8ca88 fa-t14-2025: Minor adjustments, add SecureCRT(WIP) 2025-06-16 09:40:56 +02:00
Felix Albrigtsen
126473d75d fa-t14-2025: Add swap and power management 2025-06-16 09:40:48 +02:00
08ca7edf69 Merge pull request 'Upgrade to nixos 25.05' (#4) from nixos-25.05 into main
Reviewed-on: #4
2025-06-08 22:12:40 +02:00
f72393cc25 defiant: re-enable backups 2025-06-08 22:07:28 +02:00
c4ea7efc9c challenger: update to nixos 25.05. Update to nextcloud 31 2025-06-08 22:00:06 +02:00
3f814a9d50 challenger/jellyfin: fix GPU access, remove DeviceAllow 2025-06-08 18:27:14 +02:00
75212dc4bf defiant: update homeassistant 2025-06-08 18:20:06 +02:00
d40e8b6898 defiant: disable some unused services 2025-06-08 18:20:06 +02:00
c73d9761bc defiant: temporarily move/disable backups when moving house 2025-06-08 18:20:06 +02:00
d380110543 sisko: Update to nixos 25.05 2025-06-08 17:38:32 +02:00
cf6a836f80 sisko: Change to NetworkManager. Add misc. packages 2025-06-08 17:27:33 +02:00
7f892fa284 sisko: add cantata 2025-06-08 17:19:59 +02:00
Felix Albrigtsen
9d9644dff7 fa-t14-2025: Add fake-stable microsoft edge 2025-06-04 13:00:52 +02:00
e545add397 worf: Update to nixos 25.05 2025-06-03 22:26:01 +02:00
Felix Albrigtsen
de319def43 flake: Start switching to NixOS 25.05 2025-06-03 22:26:01 +02:00
Felix Albrigtsen
4f99ff9c1e Configure fa-t14 2025-06-03 22:26:01 +02:00
7c10e96035 malcolm: WIP CTF tools 2025-06-03 22:25:41 +02:00
73c0eda7cf malcolm/kinealbrigtsen: Remove CSP to fix awful WP plugins 2025-06-03 22:25:41 +02:00
2c36272339 WIP: new host fa-t14-2025 2025-06-03 08:37:13 +02:00
277a650098 flake: bump inputs. challenger: add feal-syn2 backup mount 2025-05-20 23:00:58 +02:00
e289cab72f base: add some utilities 2025-05-20 23:00:58 +02:00
9d86516046 wireguard: add Turtle 2025-05-16 01:23:42 +02:00
bca8a78af9 morn: configure glance 2025-04-22 18:34:37 +02:00
93783fe482 auto-upgrade: init attempt at auto upgrade 2025-04-22 18:33:42 +02:00
f2e408c338 flake: update 2025-04-20 10:56:20 +02:00
8425654777 defiant/minecraft: disable online-mode 2025-04-20 10:33:36 +02:00
54546d512f sisko: Add some CTF tools 2025-04-05 13:42:13 +02:00
2fbc6223e1 felixalbpc: Update python 2025-04-01 09:57:15 +02:00
0fd4b10b1c felixalbpc: try to disable ipv6 temporary addresses. Add sl2 shell alias 2025-04-01 09:57:15 +02:00
ff99371792 sisko/firefox: add tridactyl support 2025-03-26 20:45:52 +01:00
017b500180 sisko: minor additions; xfce, alvr 2025-03-22 15:35:06 +01:00
2b4254952a home: Add fzf 2025-03-19 20:08:35 +01:00
4ec8b69cde morn: Init new host 2025-03-19 17:37:57 +01:00
ed47f7b1bf home/neovim: Fix lightline, disable coc 2025-03-19 17:22:31 +01:00
fbfb89280b sisko: fix bluetooth ertm and xpadneo for wireless xbox controller 2025-03-11 20:07:34 +01:00
b4d85a796a sisko: Add music listening software; mpd, ncmpcpp, picard, easyeffects 2025-03-07 23:57:44 +01:00
ae8f914ab3 sisko: Remove user amalieem 2025-03-07 23:25:00 +01:00
9ab61ca7de challenger: remove navidrome 2025-03-04 21:23:37 +01:00
a455c7ec07 flake: update. home/alacritty: fix conflicting definitions 2025-03-02 20:00:13 +01:00
b8a90d668d sisko: install emacs, fwupd 2025-02-23 18:08:16 +01:00
d258017804 home/neovim: remove pyright 2025-02-20 18:03:46 +01:00
1d6a77238b worf: Disable stealth firewall (allow ping, etc.) 2025-02-20 18:03:35 +01:00
47db333feb worf: Update yabay/sketchybar/alacritty config 2025-02-18 21:41:32 +01:00
da2ca7f42e flake: update, fix nix-darwin input, add tmux 2025-02-16 21:07:40 +01:00
0a1b0fbe51 challenger: disable unused services 2025-02-15 01:09:28 +01:00
1639675eac challenger: move to VM 2025-02-15 01:08:37 +01:00
2894eaf108 defiant: Add 'home' minecraft server 2025-02-04 10:21:11 +01:00
66725eae8c Flake: Update inputs 2025-02-04 10:19:27 +01:00
9660f29fe4 felixalbpc: Prepare for hyprland 2025-02-04 10:19:27 +01:00
6802751fa9 challenger: mount feal-syn1:/volume2/backup using systemd.automount 2025-01-27 19:45:29 +01:00
26f4174b0b challenger: set kernel params to prevent cpu hissy fits 2025-01-16 21:51:08 +01:00
f2230c6e70 challenger: re-add backup nfs mount 2025-01-16 21:51:08 +01:00
05134a6121 challenger: disable nvidia.open 2025-01-16 21:51:08 +01:00
c5ca99e05f challenger/nextcloud: fix typo 2025-01-16 21:51:08 +01:00
28296d5066 challenger: add user amalieem 2025-01-16 21:51:08 +01:00
807462cd54 defiant/homeassistant: add zigbee dongle 2024-12-31 16:06:15 +01:00
98d66602b3 defiant/keycloak: fix hostname settings after 24.11 upgrade 2024-12-31 16:05:56 +01:00
512c0595cb defiant: add SearXNG 2024-12-31 16:02:54 +01:00
86556fb69f flake: update 2024-12-31 12:44:05 +01:00
049d3d82c6 sisko: Various fixes. Add amalieem. 2024-12-31 12:44:05 +01:00
e1a252c5ee sops: Add felixalb-sisko, clean up voyager 2024-12-31 12:13:43 +01:00
3918fe6057 sisko: minor changes 2024-12-21 21:31:06 +01:00
1eb3cdcc13 home: WIP fix terminal colors 2024-12-19 17:42:35 +01:00
4346f269da Flake: Update inputs 2024-12-19 13:05:48 +01:00
f683a5dce6 challenger: update to nixos 24.11 2024-12-15 21:02:26 +01:00
9465c9bb52 challenger: Jellyfin can use all cards 2024-12-15 13:50:37 +01:00
12773b8c62 challenger: Disable NFS in both directions to avoid extreme crashes 2024-12-15 13:50:37 +01:00
c49fc1fb4d felixalbpc: Minor changes 2024-12-11 10:57:01 +01:00
f27205efdb flake: update. sisko: various minor updates 2024-12-11 10:56:46 +01:00
ee7fef1479 flake: update nix-darwin 2024-12-05 13:22:56 +01:00
78595b4bdc felixalbpc: Update to nixos 24.11 2024-12-05 13:21:23 +01:00
47f79b9cd0 felixalbpc: Add puppet-lint 2024-12-05 13:21:23 +01:00
c1417cf36d sisko: Install and configure desktop apps, hyprland, etc. 2024-12-03 22:44:25 +01:00
fab563fa2d worf: Update to nixos 24.11 2024-12-01 12:45:21 +01:00
87ced23c91 flake: No need for unstable packages 2024-12-01 12:45:21 +01:00
1b0b37c13c defiant: Update to NixOS 24.11 2024-12-01 12:31:01 +01:00
b4b74227c3 defiant: Add koillection 2024-12-01 12:30:43 +01:00
8b6089f014 base: Update SSH keys 2024-12-01 10:54:59 +01:00
8759e193ff sisko: Init new host 2024-12-01 10:34:34 +01:00
c281b2de38 Flake: Update to NixOS 24.11 2024-12-01 10:34:34 +01:00
f429873cd7 Grrr, darwin breaky 2024-11-24 22:23:20 +01:00
3f6f68c010 I'm on a 🚂🚋🚋🚋🚋˙⊹⁺. 2024-11-23 08:39:40 +01:00
823f5b3d12 shells/CTF: darwin = tier 300 support 2024-11-23 08:29:23 +01:00
110b410fbd challenger: update nextcloud 2024-11-14 22:19:21 +01:00
8c880f3c7b challenger: Add archivebox 2024-11-14 22:19:21 +01:00
157c54ae65 felixalbpc: Configure openstackclient, keymapp, keyring, ssh-agent 2024-11-05 13:21:10 +01:00
9fe5f0aae7 defiant/nginx: re-enable NextCloud 2024-10-22 20:41:06 +02:00
713b9a5615 worf/home: Various small fixes 2024-10-22 20:34:45 +02:00
3ddb78788b challenger: Re-enable nvidia, various fixes. NFS still broken :( 2024-10-21 23:24:47 +02:00
5fed94ef27 flake: Replace nixpkgs overrides with cleaner ones 2024-10-06 02:58:51 +02:00
dab63bfbeb flake: clean up :) 2024-10-06 01:57:55 +02:00
97b481de0a challenger: disable nvidia drivers and nfs exports 2024-10-05 21:46:13 +02:00
a3a2ec1b9a challenger: Add backups for calibre and nextcloud 2024-10-05 21:44:48 +02:00
5216c0257f worf: Update nix-darwin input 2024-10-05 21:43:26 +02:00
b17ff565c3 defiant: Fix nfs-client, replace borg with restic 2024-10-05 10:53:54 +02:00
6de16fb116 challenger: Fix nfs-client, replace borg with restic 2024-10-05 00:53:43 +02:00
12e4d22136 worf: various package cleanups 2024-10-05 00:53:07 +02:00
7177ee5b17 Worf: Add challenger as builder 2024-10-05 00:53:07 +02:00
56e92e70f1 felixalbpc/home/zsh/neovim: Various small QoL improvements and fixes 2024-09-30 15:46:45 +02:00
69949e872d defiant/matrix-synapse: Add sliding sync 2024-09-25 19:56:59 +02:00
b553f83da8 felixalbpc/flake: fix group bug 2024-09-25 19:56:37 +02:00
bfcb4f7dce defiant/nginx: Fix broken git-default. Temporarily disable nextcloud 2024-09-25 19:28:52 +02:00
85ea8f5ac3 felixalbpc: Minor fixes, new packages, etc. Update flake inputs. 2024-09-23 14:23:43 +02:00
2688f28aaf Challenger/netatalk: Temporarily fix time machine 2024-09-15 23:05:09 +02:00
93306b9332 Merge pull request 'Add felixalbpc. Remove edison. Clean home-manager base and flake.' (#3) from add-felixalbpc into main
Reviewed-on: #3
2024-09-13 14:12:10 +02:00
38648a08ed Finish felixalbpc, cleanup home-manager 2024-09-13 14:11:01 +02:00
5ea3e8730d Multiple changes (cleanup, remove edison, add felixalbpc)
- Removes old host edison
- Adds new host, felixalbpc, a work machine. This requires some cleanup
  to fit into the office network, use other SSH keys, etc.
- Clean up some package installs, putting more things into the common
  home-manager packages, rather than systemwide or host-specific homes.
- Various small changes like disabling Github Copilot on nvim startup.
2024-09-13 14:10:54 +02:00
6cc3332d38 nginx: set default virtualhosts 2024-09-12 20:18:05 +02:00
47c9ad9150 challenger: add ersatztv 2024-09-10 18:38:28 +02:00
3ce9a31dab flake: update nix-darwin 2024-09-10 17:05:48 +02:00
276a4b8cec defiant/monitoring: clean up deprecated monitor jobs 2024-09-08 14:58:02 +02:00
65d5f14fc8 burnham: Add domeneshop-dyndns, make it a module 2024-09-08 14:47:28 +02:00
162134d951 defiant: Add domeneshop-dyndns 2024-09-08 00:29:36 +02:00
5261abf72c malcolm: Configure firewall and wordpress 2024-09-07 21:40:06 +02:00
8777536817 malcolm: Init new host 2024-09-07 21:40:06 +02:00
618271b191 defiant: add rtl-tcp 2024-09-07 18:15:14 +02:00
d78cb96de1 cleanup: remove hosts/redshirt 2024-09-05 20:32:12 +02:00
420a16db50 base: add various utility packages 2024-09-05 16:39:51 +02:00
817514b8b7 challenger: add navidrome 2024-09-03 19:26:59 +02:00
aeb9014815 home: set editor envvars 2024-08-28 19:50:52 +02:00
0a52566295 Update flake, format challenger/nvidia 2024-08-28 19:50:52 +02:00
2f8dbc4b93 Challenger: Add syn1 backup share 2024-08-28 19:50:52 +02:00
e3abb23e98 challenger/nextcloud: Try bothering nextcloud into giving me exiftool 2024-08-28 19:50:52 +02:00
ac7a7454bc Challenger: replace boot drive 2024-08-28 19:50:52 +02:00
54722a84d9 defiant/prometheus: bundle snmp-exporter config for synology 2024-08-02 22:06:41 +02:00
26545b781f Worf/flake: Update lock 2024-07-30 19:08:16 +02:00
387d6b6a5f nextcloud: move proxy from voyager to challenger 2024-07-06 01:43:30 +02:00
ea7501f606 challenger: update flake, various small fixes 2024-07-05 23:06:44 +02:00
a19ab9a661 challenger/nextcloud: fix and document memories/recognize 2024-07-05 23:06:44 +02:00
047d5b0d9d wireguard: add work-laptop 2024-07-05 10:02:58 +02:00
4adae24732 challenger: more minor migrations 2024-07-04 00:04:59 +02:00
0e3e8218a7 challenger: move more services from voyager: calibre-web, calibre-server, komga, nextcloud, postgres, timemachine 2024-07-03 23:48:10 +02:00
ed08b6a0e4 challenger: start migrating from voyager. Add nginx. Add jellyfin. 2024-07-03 20:51:18 +02:00
5203e82efa sops: clean up old keys and secrets 2024-07-02 00:31:40 +02:00
8ab2615279 challenger: finalize init 2024-07-02 00:26:57 +02:00
097ded10b5 WIP: challenger: init new host 2024-07-01 23:28:24 +02:00
f580bef7c1 worf: Add aerc with friends 2024-06-27 20:47:19 +02:00
99b6c6ac27 voyager: remove kanidm 2024-06-13 08:46:30 +02:00
70959b5092 voyager/nextcloud: authenticate with keycloak 2024-06-13 08:34:13 +02:00
6653de02e5 flake: update nixpkgs 2024-06-12 20:45:14 +02:00
158f0cb7ee defiant/matrix-synapse: Add keycloak oidc 2024-06-12 14:48:16 +02:00
d74714095f defiant: various small cleanups 2024-06-12 14:48:06 +02:00
ff71cb75b7 defiant/hedgedoc: move to keycloak 2024-06-10 12:37:57 +02:00
fe4b6bcb50 defiant/gitea: very minor cleanup 2024-06-10 12:37:57 +02:00
9fb099e043 defiant: add keycloak 2024-06-10 12:37:52 +02:00
ef23fded85 voyager/kanidm: remove second nginx 2024-06-06 20:48:33 +02:00
541602b594 voyager: add nextcloud file logging 2024-06-04 17:42:58 +02:00
5aa756b842 voyager: move nextcloud to zfs directly 2024-06-03 15:38:56 +02:00
b32bc2f8b5 defiant: update to nixos-24.05 2024-06-02 01:57:03 +02:00
fe08509e4d worf/all: update unstable, fix alacritty, update worf 2024-06-02 01:02:31 +02:00
5876717df1 all/voyager: update to nixos 24.05 2024-06-02 00:53:56 +02:00
f2dd1c21e6 voyager: update to nextcloud29 2024-05-31 21:54:34 +02:00
9b871249e2 voyager: remove transmission 2024-05-31 20:33:12 +02:00
a0c24ff7c3 voyager: cleanup jellyfin config 2024-05-31 19:25:39 +02:00
eab8d95469 voyager: add komga, cleanup calibre 2024-05-31 16:48:43 +02:00
fc52b62427 worf: add misc. packages 2024-05-30 10:39:07 +02:00
dfb63c3017 worf: replace emacs 2024-05-30 10:39:07 +02:00
4c9ae7b556 base/home: Various improvements
zsh: nd-alias
alacritty: fix borders
base: add some default apps (file, zip, htop, etc.)
2024-05-29 14:47:01 +02:00
585dc252cc edison: various desktop changes 2024-05-29 14:47:01 +02:00
67755aa4a0 edison: add email client 2024-05-29 14:47:01 +02:00
8eaf7ab934 burnham: add thelounge and nginx 2024-05-29 01:31:38 +02:00
f791ea1856 defiant: cleanup vaultwarden 2024-05-26 11:05:32 +02:00
830fbc4d7d defiant: fix backend on matrix-admin 2024-05-26 11:05:32 +02:00
be48dba39d defiant: disable minecraft 2024-05-26 11:05:32 +02:00
146 changed files with 6198 additions and 8788 deletions


@@ -1,27 +1,50 @@
keys: keys:
- &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw - &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
- &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu - &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
- &host_morn age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
- &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
- &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
creation_rules: creation_rules:
# Global secrets # Global secrets
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *user_felixalb_old - *bw_recovery
- *user_felixalb - *user_felixalb_sisko
- *user_felixalb_worf
# Host specific secrets # Host specific secrets
- path_regex: secrets/voyager/[^/]+\.yaml$ - path_regex: secrets/burnham/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_voyager - *host_burnham
- *user_felixalb_old - *bw_recovery
- *user_felixalb - *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/challenger/[^/]+\.yaml$
key_groups:
- age:
- *host_challenger
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/defiant/[^/]+\.yaml$ - path_regex: secrets/defiant/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_defiant - *host_defiant
- *user_felixalb - *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/morn/[^/]+\.yaml$
key_groups:
- age:
- *host_morn
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
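Review bot: changing the recipient lists here does not re-encrypt anything by itself; every file matched by these rules has to be re-keyed (`sops updatekeys secrets/<file>.yaml` per file), otherwise each file's data key stays wrapped for the removed `user_felixalb_old` and `host_voyager` keys as well. Two smaller points: `user_felixalb_worf` carries the same age public key as the old `user_felixalb` entry, so that rename is not a key rotation; and the `host_burnham` anchor with its `secrets/burnham/` rule survives although the commit list above removes the burnham host, so stale host recipients are worth pruning at the same time.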


@@ -1,5 +1,7 @@
## Felixalbs nixos config ## Felixalbs nixos config
![](https://github.com/NixOS/nixos-artwork/blob/master/releases/24.05-uakari/uakari.png?raw=true)
Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host. Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host.
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix). Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
@@ -24,19 +26,20 @@ Other installed packages and tools are described in the config files (like ./hos
## Public / important services ## Public / important services
- Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no - Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no
- [Nextcloud](https://cloud.feal.no) ([source](./hosts/voyager/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail - [Nextcloud](https://cloud.feal.no) ([source](./hosts/challenger/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
- [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server - [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server
- [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor - [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
- HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller - HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
- [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend - [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
- [Kanidm](https://auth.feal.no) ([source](./hosts/voyager/services/kanidm.nix)) - Authentication provider with support for OAuth2/OIDC, LDAPS, SSH, etc. - [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML
- [Jellyfin](https://jf.feal.no) ([source](./hosts/voyager/services/jellyfin.nix)) - Local media streaming - [Jellyfin](https://jf.feal.no) ([source](./hosts/challenger/services/jellyfin.nix)) - Local media streaming
## Networking ## Networking
- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)). - I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
- I recently switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix) and [here](./hosts/burnham/services/wireguard.nix). - A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking. - PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
## Monitoring ## Monitoring
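Review bot: the KeyCloak entry's source link points at `./hosts/defiant/services/nextcloud.nix`, while Nextcloud itself is linked to `./hosts/challenger/services/nextcloud.nix` one line up and the commit list shows Keycloak being added on defiant; the target looks like a copy-paste slip and should point at the Keycloak module. Minor grammar in the PiHole line: "run my internal DNS" should read "runs".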


@@ -5,8 +5,8 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking = { networking = {
domain = "home.feal.no"; domain = lib.mkDefault "home.feal.no";
nameservers = [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ]; nameservers = lib.mkDefault [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
useDHCP = lib.mkDefault false; useDHCP = lib.mkDefault false;
}; };
@@ -29,33 +29,40 @@
trusted-users = [ "felixalb" ]; trusted-users = [ "felixalb" ];
builders-use-substitutes = true; builders-use-substitutes = true;
}; };
registry= {
nixpkgs.flake = inputs.nixpkgs;
};
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
bat
bottom bottom
eza eza
file
git git
gnugrep gnugrep
gnutar gnutar
htop
iotop
lm_sensors
nix-output-monitor
p7zip
python3 python3
ripgrep ripgrep
rsync rsync
screen screen
unzip unzip
usbutils
vim
wget wget
zip
] ++ lib.optionals (pkgs.stdenv.isLinux) [
dmidecode
lm_sensors
pciutils
]; ];
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = lib.mkDefault true;
settings = { settings = {
PermitRootLogin = "no"; PermitRootLogin = "no";
PasswordAuthentication = false; PasswordAuthentication = false;
@@ -69,7 +76,7 @@
''; '';
}; };
networking.firewall.allowedTCPPorts = [ 22 ]; programs.mosh.enable = true;
users.users.felixalb = { users.users.felixalb = {
isNormalUser = true; isNormalUser = true;
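Review bot: replacing `networking.firewall.allowedTCPPorts = [ 22 ]` with `programs.mosh.enable = true` changes the exposed surface of every host that imports this file: port 22 is now opened only through `services.openssh.openFirewall` from the previous hunk (which hosts may override), and `programs.mosh` opens UDP 60000-61000 by default because `programs.mosh.openFirewall` defaults to true. On internet-facing hosts consider `programs.mosh.openFirewall = false;`, or set it per host, so the UDP range is only open where mosh is actually used.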
@@ -77,12 +84,12 @@
"wheel" "wheel"
"docker" "docker"
]; ];
uid = 1000; uid = lib.mkDefault 1000;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = lib.mkDefault [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiPHhj0YbklJnJNcxD0IlzPxLTGfv095H5zyS/1Wb64 felixalb@edison.home.feal.no" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
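Review bot: wrapping `openssh.authorizedKeys.keys` in `lib.mkDefault` means a host that defines the option itself replaces this list instead of merging with it (the module system only merges definitions of equal priority), so such a host silently drops `nix-builder-worf` and the other base keys unless it re-lists them. That is presumably the intent for the work machine, but it deserves a comment next to the option; the same applies to `uid = lib.mkDefault 1000`.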

common/auto-upgrade.nix Normal file

@@ -0,0 +1,15 @@
{ config, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.feal.no/felixalb/nixos-config.git";
flags = [
# Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
"--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
"--no-write-lock-file"
];
};
}
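Review bot: the comment above `flags` says only nixpkgs is overridden, but the list also overrides `nixpkgs-unstable`; update the comment. More importantly, `--override-input nixpkgs github:NixOS/nixpkgs/nixos-25.11` together with `--no-write-lock-file` makes every run build the branch tip of that moment, so the deployed system no longer corresponds to the committed flake.lock and two hosts upgrading at different times land on different nixpkgs revisions. If that drift is acceptable, at least record the resolved revision after each switch (`nixos-version --json` reports it) so a bad upgrade can be traced back to a specific nixpkgs commit.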


@@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.domeneshop-dyndns;
in {
options.services.domeneshop-dyndns = {
enable = lib.mkEnableOption "Domeneshop DynDNS";
domain = lib.mkOption {
type = lib.types.str;
description = "Domain name to configure";
};
netrcFile = lib.mkOption {
type = lib.types.path;
description = "Path to the file that contains `machine api.domeneshop.no login <DDNS_TOKEN> password <DDNS_SECRET>` from https://domene.shop/admin?view=api";
};
startAt = lib.mkOption {
type = lib.types.str;
default = "*:0/10"; # Every 10 minutes
description = "Systemd onCalendar expression for when to run the timer";
};
};
config = lib.mkIf cfg.enable {
systemd.services.domeneshop-dyndns = {
serviceConfig.LoadCredential = "netrc:${cfg.netrcFile}";
startAt = cfg.startAt;
script = ''
DNSNAME="${cfg.domain}"
NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
if [[ "$NEW_IP" != "$OLD_IP" ]]; then
echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
${lib.getExe pkgs.curl} --silent --netrc-file "$CREDENTIALS_DIRECTORY/netrc" "https://api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
else
echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
fi
'';
};
};
}
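Review bot: `NEW_IP` is interpolated straight into the update URL without validation; if ipinfo.io returns an error body or nothing (the first curl runs without `--fail`), the script still compares it with `OLD_IP` and sends whatever it got to the API. Add `--fail` to both curl calls and a shape check such as `[[ "$NEW_IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]]` before the update request. Separately, `getent hosts` returns an AAAA record ahead of an A record when one exists, so if the name ever gains an IPv6 address `OLD_IP` never equals the IPv4 from ipinfo and the update fires every ten minutes; `getent ahostsv4` avoids that, and querying the authoritative nameserver instead of the local resolver (PiHole on this network) avoids stale cached answers.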


@@ -0,0 +1,8 @@
{ pwndbg }:
# "$ coredumpctl gdb" always runs "gdb" from your path.
pwndbg.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/pwndbg $out/bin/gdb
'';
})
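Review bot: `overrideAttrs ({ installPhase ? "", ... }: ...)` only appends when the original derivation actually defines `installPhase`; if it relies on the stdenv default phase, this override replaces that phase with just the `ln -s`, and `$out/bin/pwndbg` may never be created. Appending to `postInstall` instead (`postInstall = (old.postInstall or "") + ''...''`) keeps the original install behaviour however the package is built.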

common/securecrt.nix Normal file

@@ -0,0 +1,81 @@
{
lib,
stdenv,
fetchurl,
autoPatchelfHook,
dpkg,
cups,
gtkmm3,
icu74,
krb5,
makeWrapper,
openssl,
pango,
python312,
xcb-util-cursor,
xorg,
}:
let
packageId = "scrt_ubuntu2464_deb_963";
in stdenv.mkDerivation rec {
pname = "securecrt";
version = "9.6.3";
src = fetchurl {
url = "https://www.vandyke.com/cgi-bin/download_1.php";
name = "${pname}-${version}.deb";
curlOpts = "-X POST --data 'pid=${packageId}&export_check=accept&country=no&su";
sha256 = "sha256-PsFuxJ7H0rJCWWi+rvzrlRUJlp9R4MG14d883/kl9Lo=";
};
unpackCmd = "dpkg -x $curSrc source";
nativeBuildInputs = [
dpkg
autoPatchelfHook
];
buildInputs = [
cups
gtkmm3
icu74
krb5
makeWrapper
openssl
pango
python312
xcb-util-cursor
xorg.xcbutilkeysyms
xorg.xcbutilwm
];
dontConfigure = true;
dontBuild = true;
dontWrapQTApps = true;
installPhase = ''
runhook preInstall
mkdir -p "$out"
cp -R usr/* "$out/"
wrapProgram "$out/bin/SecureCRT" --set QT_QPA_PLATFORM_PLUGIN_PATH "$out/lib/scrt/plugins/platforms"
runhook postInstall
'';
meta = with lib; {
homepage = "https://www.vandyke.com/products/securecrt/unix.html";
description = "Terminal emulator for computing professionals, with advanced session management";
license = {
free = false;
fullName = "Unknown / Custom";
};
platforms = with lib.platforms; linux ++ darwin ++ windows;
broken = !(stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64);
};
mainProgram = "SecureCRT";
}
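Review bot: `runhook preInstall` / `runhook postInstall` will fail the build: the stdenv helper is `runHook` (case-sensitive), so the install phase dies with "command not found" before `mkdir` runs. Two further points: `mainProgram = "SecureCRT";` sits outside the `meta` set, so `lib.getExe` will not see it and it should move inside `meta`; and `curlOpts` ends mid-parameter (`...&country=no&su`), so the POST body should be checked against what the download form actually submits.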


@@ -0,0 +1,44 @@
[
{ # Sulu
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # fa-t14-2025
publicKey = "UPpUVWQqOKT65MFym1sFDTstNmuynDYE4LOOtbWqEng=";
allowedIPs = [
"10.100.0.7/32"
];
}
{ # Turtle
publicKey = "mDzAtRPv+O5TDHa9DGodF/KKuFXRBYwSqfPyeWfdfRI=";
allowedIPs = [
"10.100.0.8/32"
];
}
{ # Amalies phone
publicKey = "Iqoq00e5rUNygmjOKmSPzvDTzvUdpxkpwVrD6UJXG2w=";
allowedIPs = [
"10.100.0.9/32"
];
}
]

flake.lock generated

@@ -1,13 +1,28 @@
{ {
"nodes": { "nodes": {
"extra-config": {
"locked": {
"lastModified": 1745649002,
"narHash": "sha256-XNBExt3+U3o4lip+yj6oorCEPZ9Qe8PzBSFM5ZzVtSA=",
"ref": "refs/heads/main",
"rev": "50c9c15db2b309d299b1c19089c962979e01f45b",
"revCount": 13,
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
},
"original": {
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1747046372,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github" "type": "github"
}, },
"original": { "original": {
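Review bot: the new `extra-config` input is locked to `file:///home/felixalb/nix-extra-config`, a path that exists on one machine only; every other host evaluating this flake, including the auto-upgrade timer that pulls `git+https://git.feal.no/felixalb/nixos-config.git`, will fail to fetch that input. If the extra config has to stay private, point the input at a git remote every host can reach, or pass `--override-input extra-config ...` wherever the flake is built.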
@@ -21,11 +36,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1731533236,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -41,30 +56,32 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1706981411, "lastModified": 1764776959,
"narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", "narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "652fda4ca6dafeb090943422c34ae9145787af37", "rev": "e1680d594a9281651cbf7d126941a8c8e2396183",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-23.11", "ref": "release-25.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"matrix-synapse-next": { "matrix-synapse-next": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1710311999, "lastModified": 1765214213,
"narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=", "narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "6c9b67974b839740e2a738958512c7a704481157", "rev": "82959f612ffd523a49c92f84358a9980a851747b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -76,20 +93,20 @@
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs-darwin"
] ]
}, },
"locked": { "locked": {
"lastModified": 1710717205, "lastModified": 1764161084,
"narHash": "sha256-Wf3gHh5uV6W1TV/A8X8QJf99a5ypDSugY4sNtdJDe0A=", "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
"owner": "lnl7", "owner": "nix-darwin",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "bcc8afd06e237df060c85bad6af7128e05fd61a3", "rev": "e95de00a471d07435e0527ff4db092c84998698e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "lnl7", "owner": "nix-darwin",
"ref": "master", "ref": "nix-darwin-25.11",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@@ -98,14 +115,16 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1710638386, "lastModified": 1764813963,
"narHash": "sha256-8etSpxJaCYBWTViHqQRR6o76WfDX2CuD1o2UQXQrwao=", "narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "8f292bc64336ac9559d33c9a074a214d783a4c8e", "rev": "491200d6848402bbab1421cccbc15a46f08c7f78",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -116,92 +135,89 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1706098335, "lastModified": 1764677808,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651", "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1710628718,
"narHash": "sha256-y+l3eH53UlENaYa1lmnCBHusZb1kxBEFd2/c7lDsGpw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6dc11d9859d6a18ab0c5e5829a5b8e4810658de3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.11", "ref": "nixos-25.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs-2211": {
"locked": { "locked": {
"lastModified": 1698318101, "narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
"narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=", "type": "tarball",
"owner": "nixos", "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
}
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1764806471,
"narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
"owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "63678e9f3d3afecfeafa0acead6239cdb447574c", "rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "NixOS",
"ref": "nixpkgs-25.11-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1764667669,
"narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "418468ac9527e799809c900eda37cbff999199b6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"extra-config": "extra-config",
"home-manager": "home-manager", "home-manager": "home-manager",
"matrix-synapse-next": "matrix-synapse-next", "matrix-synapse-next": "matrix-synapse-next",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix", "nixpkgs-2211": "nixpkgs-2211",
"unstable": "unstable", "nixpkgs-darwin": "nixpkgs-darwin",
"voyager-addons": "voyager-addons" "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
} }
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1710644594, "lastModified": 1764483358,
"narHash": "sha256-RquCuzxfy4Nr8DPbdp3D/AsbYep21JgQzG8aMH9jJ4A=", "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "83b68a0e8c94b72cdd0a6e547a14ca7eb1c03616", "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -224,37 +240,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"unstable": {
"locked": {
"lastModified": 1710631334,
"narHash": "sha256-rL5LSYd85kplL5othxK5lmAtjyMOBg390sGBTb3LRMM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c75037bbf9093a2acb617804ee46320d6d1fea5a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"voyager-addons": {
"locked": {
"lastModified": 1707399193,
"narHash": "sha256-Q570CBu01ufGMitMQVAgsKoQ7zMEDwqDtqKJ1kyeUjQ=",
"ref": "refs/heads/main",
"rev": "3d04b4ec9c40948693f4efe919413cce9265bae7",
"revCount": 4,
"type": "git",
"url": "file:///home/felixalb/voyager-addons"
},
"original": {
"type": "git",
"url": "file:///home/felixalb/voyager-addons"
}
} }
}, },
"root": "root", "root": "root",

149
flake.nix
View File

@@ -2,20 +2,24 @@
description = "Felixalb System flake"; description = "Felixalb System flake";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix
unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin";
home-manager.url = "github:nix-community/home-manager/release-23.11"; home-manager.url = "github:nix-community/home-manager/release-25.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
# voyager-addons.url = "git+ssh://git@git.feal.no:2222/felixalb/voyager-addons.git"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
voyager-addons.url = "git+file:///home/felixalb/voyager-addons"; nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
extra-config.url = "git+file:///home/felixalb/nix-extra-config";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
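Review bot: `nix-darwin.url` changes both the tracked ref (master to `nix-darwin-25.11`, an improvement) and the GitHub owner (`lnl7` to `nix-darwin`); the lock pins a rev, so today's build is fixed, but the owner is what a future `nix flake update` will follow, so confirm the org is the upstream rename and not a fork. Two smaller points in the same hunk: the `# Remember to update ./common/auto-upgrade.nix` comment is a manual coupling that will be forgotten on the next release bump, so have auto-upgrade read the ref from one shared definition instead; and `matrix-synapse-next` still carries `# TODO: Lock to release` while following an unpinned default branch, which means each `nix flake update` pulls whatever that branch contains into the Matrix server module.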
@@ -28,118 +32,97 @@
, nix-minecraft , nix-minecraft
, nix-darwin , nix-darwin
, nixpkgs , nixpkgs
, nixpkgs-2211
, nixpkgs-darwin
, nixpkgs-unstable
, sops-nix , sops-nix
, unstable , extra-config
, voyager-addons
, ... }@inputs: , ... }@inputs:
let let
overlay-unstable = final: prev: { pkgs-overlay = final: prev: {
unstable = unstable.legacyPackages.${prev.system}; unstable = import nixpkgs-unstable {
system = prev.system;
config.allowUnfree = true;
};
nixpkgs-2211 = import nixpkgs-2211 {
system = prev.system;
config.allowUnfree = true;
};
pwndbg-gdb-alias = prev.callPackage ./common/pwndbg-gdb-alias.nix { };
securecrt = prev.callPackage ./common/securecrt.nix { };
}; };
in in
{ {
nixosConfigurations = { nixosConfigurations = let
voyager = nixpkgs.lib.nixosSystem { normalSys = name: hostConfig: nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux"; # TODO - Handle
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix ({ config, pkgs, ... }: {
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) # Make "pkgs.unstable" etc. available
nixpkgs.overlays = [ pkgs-overlay ] ++ hostConfig.overlays or [ ];
})
./hosts/voyager/configuration.nix ./hosts/${name}/configuration.nix
voyager-addons.nixosModules.default
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager { home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/voyager/home.nix; home-manager.users = {
"felixalb" = import ./hosts/${name}/home.nix;
} // hostConfig.home-manager-users or { };
} }
] ++ hostConfig.modules or [ ];
};
in {
# Media / storage server
challenger = normalSys "challenger" {
modules = [
extra-config.nixosModules.default
]; ];
}; };
defiant = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/defiant/configuration.nix # General application server
sops-nix.nixosModules.sops defiant = normalSys "defiant" {
modules = [
./common/domeneshop-dyndns.nix
matrix-synapse-next.nixosModules.default matrix-synapse-next.nixosModules.default
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/defiant/home.nix;
}
]; ];
}; };
edison = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/edison/configuration.nix # Work laptop
sops-nix.nixosModules.sops fa-t14-2025 = normalSys "fa-t14-2025" { };
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/edison/home.nix;
}
];
};
burnham = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/burnham/configuration.nix # Web host
sops-nix.nixosModules.sops leonard = normalSys "leonard" { };
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; # General application server
home-manager.useUserPackages = true; morn = normalSys "morn" { };
home-manager.users."felixalb" = import ./hosts/burnham/home.nix;
} # Home desktop
]; sisko = normalSys "sisko" { };
};
redshirt = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
./hosts/redshirt/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
sops-nix.nixosModules.sops
];
};
}; };
# Daily driver macbook
darwinConfigurations.worf = nix-darwin.lib.darwinSystem { darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
system = "aarch64-darwin"; system = "aarch64-darwin";
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
./hosts/worf/configuration.nix ./hosts/worf/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
home-manager.darwinModules.home-manager { home-manager.darwinModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/worf/home.nix; home-manager.users."felixalb" = import ./hosts/worf/home.nix;
} }
# sops-nix.nixosModules.sops
]; ];
}; };
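Review bot: `pkgs-overlay` imports `nixpkgs-unstable` and `nixpkgs-2211` with `config.allowUnfree = true` for every host, which silently bypasses the per-host `nixpkgs.config.allowUnfreePredicate` allow-list that challenger's configuration.nix sets further down this page; anything reached through `pkgs.unstable.*` or `pkgs.nixpkgs-2211.*` is accepted regardless of licence. Pass the host's predicate through (for example `config = prev.config;` inside the `import`) so one policy applies to all three package sets. Also, `system = "x86_64-linux"; # TODO - Handle` hard-codes the platform in `normalSys`; taking it from `hostConfig.system or "x86_64-linux"` is a one-line fix and removes the TODO. The `# sops-nix.nixosModules.sops` line left commented in `darwinConfigurations.worf` should either be enabled (sops-nix ships `darwinModules.sops`) or removed with the reason noted.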

View File

@@ -9,14 +9,17 @@
window = { window = {
padding = { padding = {
x = 4; x = 8;
y = 4; y = 2;
}; };
dynamic_padding = true;
dynamic_title = true;
decorations = "none"; # full/none/transparent/buttonless decorations = "none"; # full/none/transparent/buttonless
# Transparency: # Transparency:
# opacity = 0.95; opacity = lib.mkDefault 0.95;
}; };
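Review bot: `opacity = lib.mkDefault 0.95;` needs `lib` in this module's argument set, which is outside the hunk; the matching change in home/amalieem/default.nix overrides it with `settings.window.opacity = 0.92`, so `mkDefault` is the right priority here, just confirm the file header was updated to `{ pkgs, lib, ... }` like home/default.nix was.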
scrolling = { scrolling = {
@@ -44,10 +47,37 @@
size = 14; size = 14;
}; };
draw_bold_text_with_bright_colors = true;
colors = { colors = {
# # Tomorrow Night Bright draw_bold_text_with_bright_colors = true;
# # gruvbox_material_medium_dark
# primary = {
# background = "0x282828";
# foreground = "0xd4be98";
# };
# normal = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# bright = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# # # Tomorrow Night Bright
# primary = { # primary = {
# background = "0x141414"; # background = "0x141414";
# foreground = "0xeaeaea"; # foreground = "0xeaeaea";
@@ -80,6 +110,7 @@
# white = "0xffffff"; # white = "0xffffff";
# }; # };
# Nord: # Nord:
primary = { primary = {
background = "0x2e3440"; background = "0x2e3440";
@@ -148,10 +179,10 @@
# indexed_colors: [] # indexed_colors: []
}; };
visual_bell = { bell = {
animation = "EaseOutExpo"; animation = "Ease";
color = "0xffffff"; color = "0xffffff";
duration = 200; duration = 100;
}; };
# Key bindings # Key bindings
@@ -306,29 +337,19 @@
# - { key: Delete, chars: "\x1b[3~" } # - { key: Delete, chars: "\x1b[3~" }
mouse = {
double_click = { threshold = 300; };
triple_click = { threshold = 300; };
hide_when_typing = false;
};
selection = { selection = {
semantic_escape_chars = ",`|:\"' ()[]{}<>"; semantic_escape_chars = ",`|:\"' ()[]{}<>";
save_to_clipboard = false; save_to_clipboard = false;
}; };
mouse_bindings = [
{ mouse = "Middle"; action = "PasteSelection"; }
];
cursor = { cursor = {
style = "Block"; style = {
blinking = true; shape = "Block";
blinking = "on";
};
unfocused_hollow = true; unfocused_hollow = true;
}; };
dynamic_title = true;
}; };
}; };
} }

43
home/amalieem/default.nix Normal file
View File

@@ -0,0 +1,43 @@
{ pkgs, lib, ... }:
{
imports = [
./../alacritty.nix
];
home = {
packages = with pkgs; [
papers
kitty
pavucontrol
# Window Manager Extras
bibata-cursors
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
swaynotificationcenter
waybar
wl-clipboard
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs = {
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
firefox.enable = true;
wofi.enable = true;
};
home.stateVersion = "24.11";
}
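Review bot: `networkmanager` in `home.packages` only installs the client tools; the daemon, the polkit rules and the `networkmanager` group membership come from `networking.networkmanager.enable` on the host, so this entry either duplicates something already done at system level or gives the user `nmcli` with nothing to talk to. Likewise `hypridle`, `hyprlock` and the other compositor extras are unused without `wayland.windowManager.hyprland` (or a system-level `programs.hyprland.enable`), neither of which appears in this file.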

View File

@@ -1,25 +1,38 @@
{ pkgs, ... }: { pkgs, lib, ... }:
{ {
imports = [ imports = [
./neovim.nix ./neovim.nix
./zsh.nix ./zsh.nix
]; ];
home.packages = with pkgs; [ home = {
bottom packages = with pkgs; [
unstable.ncdu bat
neofetch bottom
]; # ncdu
neofetch
pwgen
sshfs
sshuttle
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs.nix-index = { programs.nix-index = {
enable = true; enable = true;
enableZshIntegration = true; enableZshIntegration = true;
}; };
programs.fzf.enable = true;
programs.git = { programs.git = {
enable = true; enable = true;
extraConfig = { settings = {
pull.rebase = true; pull.rebase = true;
push.autoSetupRemote = true; push.autoSetupRemote = true;
color.ui = "auto"; color.ui = "auto";
@@ -28,7 +41,10 @@
user = { user = {
name = "Felix Albrigtsen"; name = "Felix Albrigtsen";
email = "felix@albrigtsen.it"; email = lib.mkDefault "felix@albrigtsen.it";
};
safe = {
directory = "/config";
}; };
}; };
ignores = [ ignores = [
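Review bot: `safe.directory = "/config"` switches off git's repository-ownership check for `/config` (the protection added for CVE-2022-24765: a repository owned by another user is otherwise refused). That is the intended effect here, since `rebuild` runs `nixos-rebuild --flake /config` as root while the checkout is edited as `felixalb`, but it means any user who can write to `/config/.git` (hooks, `core.fsmonitor`, `core.pager`) can run code as whoever invokes git there, including root via the alias. Keep `/config` owned by one account with no group or world write access, and note the rationale in a comment beside the setting.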
@@ -39,4 +55,15 @@
]; ];
}; };
programs.tmux = {
enable = true;
sensibleOnTop = true;
baseIndex = 1;
clock24 = true;
keyMode = "vi";
mouse = true;
terminal = "screen-256color";
};
} }

View File

@@ -21,7 +21,6 @@ in {
telescope-nvim telescope-nvim
nvim-lspconfig nvim-lspconfig
copilot-vim
nvim-treesitter nvim-treesitter
coc-css coc-css
@@ -29,9 +28,9 @@ in {
coc-html coc-html
coc-json coc-json
coc-nvim coc-nvim
coc-pyright
vim-nix vim-nix
vim-puppet
]; ];
withNodeJs = true; withNodeJs = true;
@@ -51,7 +50,7 @@ in {
" Integrate status with lightline " Integrate status with lightline
let g:lightline = { let g:lightline = {
\ 'active': { \ 'active': {
\ 'left': [[ 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]] \ 'left': [[ 'mode', 'paste', 'filename', 'readonly', 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]]
\ } \ }
\ } \ }
@@ -98,11 +97,16 @@ in {
" Nerdtree-settings " Nerdtree-settings
" Toggle nerdtree on Ctrl+t " Toggle nerdtree on Ctrl+t
nmap <silent> <C-t> :NERDTreeToggle<CR> nmap <silent> <C-t> :NERDTreeToggle<CR>
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
" Close vim is Nerdtree is the only buffer left " Close vim is Nerdtree is the only buffer left
autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
if empty($AERC_ACCOUNT) && empty($MOZ_APP_LAUNCHER)
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
endif
autocmd Filetype go setlocal expandtab tabstop=4 shiftwidth=4 softtabstop=4
" List and switch buffers on Ctrl+k " List and switch buffers on Ctrl+k
" nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space> " nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space>
nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR> nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR>
@@ -116,12 +120,18 @@ in {
nnoremap <C-s> <cmd>Telescope find_files<cr> nnoremap <C-s> <cmd>Telescope find_files<cr>
nnoremap <C-g> <cmd>Telescope live_grep<cr> nnoremap <C-g> <cmd>Telescope live_grep<cr>
" Don't darken the background
autocmd VimEnter * highlight normal ctermbg=NONE guibg=NONE
" Show trailing whitespace " Show trailing whitespace
highlight ExtraWhitespace ctermbg=red guibg=red highlight ExtraWhitespace ctermbg=red guibg=red
match ExtraWhitespace /\s\+$/ match ExtraWhitespace /\s\+$/
" Disable search highlights " Disable search highlights
map <Leader><Space> :noh<CR> map <Leader><Space> :noh<CR>
" Start with Coc disabled
" autocmd VimEnter * CocDisable
''; '';
}; };

View File

@@ -2,6 +2,7 @@
programs = { programs = {
zsh = { zsh = {
enable = true; enable = true;
history.extended = true;
prezto = { prezto = {
enable = true; enable = true;
@@ -21,6 +22,7 @@
"terminal" "terminal"
"editor" "editor"
"history" "history"
"history-substring-search"
# "directory" # "directory"
"spectrum" "spectrum"
# "utility" # "utility"
@@ -28,32 +30,39 @@
"git" "git"
"autosuggestions" "autosuggestions"
"syntax-highlighting" "syntax-highlighting"
"history-substring-search"
"prompt" "prompt"
]; ];
}; };
initExtra = '' initContent = ''
# Autocomplete ../ # Autocomplete ../
zstyle ':completion:*' special-dirs true zstyle ':completion:*' special-dirs true
export PATH="$HOME/.config/emacs/bin:$PATH" export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH"
unalias "gs" unalias "gs"
if [ -f ~/.config/zsh-extras ]; then
source ~/.config/zsh-extras
fi
''; '';
shellAliases = { shellAliases = {
l = "exa -l";
c = "z"; c = "z";
tree = "exa --tree --icons"; em = "emacsclient -c";
emnw = "emacsclient -nw";
grep = "grep --color=auto";
l = "exa -l";
ls = "ls --color=auto";
nd = "nix develop --command zsh";
s = "nix-shell --run zsh"; s = "nix-shell --run zsh";
sp = "nix-shell --run zsh -p"; sp = "nix-shell --run zsh -p";
spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p"; spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p";
em = "emacsclient -c"; tree = "exa --tree --icons";
emnw = "emacsclient -nw";
gst = "git status -sb";
gcm = "git commit -m";
gps = "git push";
gpl = "git pull";
"git clone git clone" = "git clone"; "git clone git clone" = "git clone";
gcm = "git commit -m";
gpl = "git pull";
gps = "git push";
gst = "git status -sb";
}; };
}; };
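Review bot: the new `source ~/.config/zsh-extras` block sources an unmanaged file on every interactive shell, which is a convenient persistence point for anything that gains write access to the home directory; if the contents are stable, manage the file with `home.file` so its content is in the store and reviewed in git, and if it must stay local, at least document what is expected to live there. Separately, the `l` and `tree` aliases still call `exa`, which is archived upstream and no longer receives fixes; the maintained fork `eza` is in nixpkgs with the same flags, and neither `exa` nor `eza` is in `home.packages` in the hunk above, so the aliases depend on the binary being installed elsewhere.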

View File

@@ -1,36 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
# Infrastructure
./services/wireguard.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "burnham";
defaultGateway = "192.168.11.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.11.109"; prefixLength = 24; }
];
};
hostId = "8e24f235";
};
# sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "23.11";
}

View File

@@ -1,56 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.networking.wireguard.interfaces."wg0";
in {
networking = {
nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ cfg.listenPort ];
wireguard.interfaces."wg0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/burnham.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{ # Defiant
publicKey = "8/711GhmN9+NcduHF4JPkfoZPE0qsDLuwhABcPyjNxI=";
persistentKeepalive = 120;
allowedIPs = [
"10.100.0.1/32"
"192.168.10.0/24"
];
endpoint = "site3.feal.no:51902";
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
];
};
};
}
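Review bot: deleting this file does not revoke anything: the private key in `/etc/wireguard/burnham.private` still exists on the decommissioned VM (and in any backup or disk image of it), and burnham's public key is still a peer on the other end (Defiant is listed here with endpoint `site3.feal.no:51902` and `allowedIPs` covering `192.168.10.0/24`). Remove burnham's peer entry from Defiant's WireGuard configuration in the same change, wipe or destroy the old VM disk, and drop its SSH host key from any `knownHosts`. For the record, the removed `postSetup` rule masqueraded on `-o eth0` while `nat.externalInterface` was `ens18`, so the NAT rule probably never matched; worth checking that the replacement host does not carry the same mismatch.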

View File

@@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }:
let
cmdChownManga = pkgs.writeScriptBin "chownManga" ''
#!${pkgs.stdenv.shell}
chown -R amalieem:komga /tank/media/komga/Amalie
chmod -R 750 /tank/media/komga/Amalie
'';
in {
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
packages = with pkgs; [
cmdChownManga
mangal
rsync
];
};
security.sudo = {
enable = true;
extraRules = [{
commands = [
{
command = "${lib.getExe cmdChownManga}";
options = [ "NOPASSWD" ];
}
];
users = [ "amalieem" ];
}];
};
}
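Review bot: the sudo rule is scoped to one store path with `NOPASSWD`, which is the right shape, but a sudoers command with no argument spec matches any arguments; appending `""` (`command = "${lib.getExe cmdChownManga} \"\""`) forbids them and costs nothing since the script ignores `$@`. Inside the script, add `set -eu` so a failed `chown` does not fall through to `chmod -R 750`, and keep the target path hard-coded as it is now: the script runs as root over a tree that `amalieem` can write, so it must never accept a path from the caller. Also confirm the `komga` group is declared by the komga service module, since the `chown` fails if it does not exist.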

View File

@@ -0,0 +1,84 @@
{ config, pkgs, lib, ... }:
{
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 10"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
# Calibre metadata and config
calibre = localJob "calibre" [
"/var/lib/calibre-web"
"/var/lib/calibre-server"
];
# Other system backups (NB: Large!)
hostBackups = localJob "hostBackups" [
"/tank/backup"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
media = localJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
];
media-remote = cloudJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
# Nextcloud config and data
nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
# Postgresql databases
postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
# Transmission metadata/config
transmission = localJob "transmission" [ "/var/lib/transmission" ];
# TODO: timemachine
};
sops.secrets."restic/calibre" = { };
sops.secrets."restic/hostBackups" = { };
sops.secrets."restic/media" = { };
sops.secrets."restic/nextcloud" = { };
sops.secrets."restic/postgres" = { };
sops.secrets."restic/transmission" = { };
environment.systemPackages = with pkgs; [
restic
];
}
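Review bot: `cloudJob` relies on `/root/.ssh/config` for the `rsyncnet` host, which leaves the SFTP host key verification outside Nix; on a rebuilt host the first run as root is trust-on-first-use, and a typo in the alias combined with `initialize = true` silently creates an empty repository somewhere else. Declare the host and its key with `programs.ssh.knownHosts` (and `programs.ssh.extraConfig` for the alias) so both are reviewed here. Two smaller points: `hostBackups` overrides with `localJob ... // { ... }` while `postgres` uses parentheses; both parse the same way, so pick one style. And none of the jobs run `restic check`; with NFS-backed local repositories a periodic `check --read-data-subset` is the only way to notice silent corruption before a restore.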

View File

@@ -0,0 +1,65 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
../../base.nix
../../common/metrics-exporters.nix
./amalieem.nix
./backup.nix
# ./exports.nix
./filesystems.nix
# ./services/archivebox.nix
./services/audiobookshelf.nix
./services/calibre.nix
./services/jellyfin.nix
./services/komga.nix
./services/nextcloud.nix
./services/nginx.nix
./services/postgres.nix
./services/timemachine.nix
];
networking = {
hostName = "challenger";
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.161"; prefixLength = 24; }
];
hostId = "828ab735";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/challenger/challenger.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
security.polkit.enable = true; # Required for nextcloud
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
];
hardware.nvidia = {
modesetting.enable = true;
open = false;
};
hardware.graphics.enable = true;
services.xserver.videoDrivers = ["nvidia"];
system.stateVersion = "24.05";
}
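Review bot: `virtualisation.docker.enable = true` with `oci-containers.backend = "docker"` runs every declared container under a root daemon, and any user added to the `docker` group is root-equivalent on this host; since the only consumer visible on this page is the commented-out archivebox service, consider whether the daemon is needed at all, or switch the backend to podman, which runs the same `oci-containers` definitions without a privileged daemon. The `# ./exports.nix` and `# ./services/archivebox.nix` imports are disabled while both files are added in this change; either drop the files or add a comment saying why they are kept.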

View File

@@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
{
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
};
};
# Enable nfs4 only
# services.nfs.server = {
# enable = true;
# exports = ''
# /export 192.168.10.67(rw,fsid=0,no_subtree_check)
# /export/riker-backup 192.168.10.67(rw,nohide,no_subtree_check,no_root_squash)
# '';
# };
# networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
# networking.firewall.allowedUDPPorts = [ 111 20048];
}
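Review bot: the bind mount of `/tank/backup/riker` onto `/export/riker-backup` is active even though the NFS server block is commented out, so it only adds a second path to the backups; either enable the export or remove the mount with it. If the export is enabled later, note that `no_root_squash` hands root on the export to whoever can present the source address `192.168.10.67` under NFSv3/NFSv4 with AUTH_SYS, so keep it only if riker genuinely needs to write root-owned files, and prefer `root_squash` with a dedicated backup user otherwise.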

View File

@@ -0,0 +1,48 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ];
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
fileSystems = {
"/mnt/feal-syn1/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
"/mnt/feal-syn2/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.11.163:/volume1/challenger";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}
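Review bot: both NFS mounts use `nfsvers=3`, so access control is the server's export list keyed on the client IP plus AUTH_SYS UIDs, with no encryption or authentication on the wire; the restic repositories stored there are encrypted, so confidentiality is covered, but anyone on `192.168.10.0/24` or `192.168.11.0/24` who can spoof the address can delete them, which is the case the `cloudJob` copies are for. Also, the comment above the `feal-syn2` mount still says `feal-syn1.home.feal.no:/volume2/backup` while the device is `192.168.11.163:/volume1/challenger`; fix the copy-paste so the two entries are not confused later.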

View File

@@ -1,29 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/a6465c1c-4c93-423d-84a9-e4ecb9520741"; { device = "/dev/disk/by-uuid/7101364b-9056-4309-afeb-3c17b220684f";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D0C1-97CE"; { device = "/dev/disk/by-uuid/FDCE-A287";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
}; };
swapDevices = [ ]; swapDevices = [ {
device = "/swapfile";
size = 16*1024;
} ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
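Review bot: the new 16 GiB `/swapfile` lives on the plain ext4 root, so decrypted sops material and any other secret a process holds in memory can be paged to disk in clear and survive reboots. Either use a swap partition with `randomEncryption.enable = true`, or zram, or state that the VM disk is encrypted by the hypervisor. Unrelated but worth noting: the file header still says it was generated by `nixos-generate-config`, and the `availableKernelModules` and microcode changes confirm the host moved from physical Intel hardware to an AMD-backed QEMU guest, so the `nixos-generate-config` header is accurate and the file should not be hand-edited further.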
@@ -34,5 +35,5 @@
# networking.interfaces.idrac.useDHCP = lib.mkDefault true; # networking.interfaces.idrac.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

View File

@@ -8,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
}; };
home.stateVersion = "23.05"; home.stateVersion = "24.05";
} }
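Review bot: `home.stateVersion` moves from 23.05 to 24.05 without explanation; Home Manager documents this value as the release the configuration was first created with, and changing it switches the defaults of stateful options rather than upgrading anything. If the bump is deliberate (fresh home directory, or each changed default reviewed), say so in the commit message; otherwise leave it at 23.05.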

View File

@@ -0,0 +1,35 @@
{ config, lib, ... }:
let
host = "127.0.1.2";
port = "5009";
uid = 911;
gid = 911;
in {
users.users.archivebox = {
inherit uid;
group = "archivebox";
isSystemUser = true;
useDefaultShell = true;
description = "ArchiveBox web archiving tool";
};
users.groups.archivebox = {
inherit gid;
};
# ArchiveBox - Open source self-hosted web archiving.
virtualisation.oci-containers.containers.archivebox = {
image = "archivebox/archivebox:0.8.5rc50";
ports = [ "${host}:${port}:8000" ];
volumes = [
"/tank/archivebox:/data"
];
};
services.nginx.virtualHosts."archivebox.home.feal.no" = {
locations."/" = {
proxyPass = "http://${host}:${port}";
};
};
}
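Review bot: `users.users.archivebox` (uid 911) and its group are declared, but nothing binds them to the container: `virtualisation.oci-containers.containers.archivebox` sets no `user`, so the process runs as whatever the image's entrypoint chooses and the 911 account only documents the intended ownership of /tank/archivebox. Either pass the uid explicitly (the container's `user` option, or the image's own uid/gid mechanism if it has one) or add a comment stating that 911 is a fixed match for the image's internal user. Binding the published port to `${host}:${port}` on 127.0.1.2 is the right choice for a service that is only reached through nginx.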

View File

@@ -0,0 +1,57 @@
{ config, lib, pkgs, ... }:
let
domain = "audiobooks.home.feal.no";
host = "127.0.1.2";
port = 5016;
in {
fileSystems = {
"/var/lib/audiobookshelf" = {
device = "/tank/media/audiobookshelf/config";
options = [ "bind" ];
};
};
services.audiobookshelf = {
enable = true;
dataDir = "audiobookshelf";
inherit host port;
};
systemd.services.audiobookshelf = {
requires = [ "var-lib-audiobookshelf.mount" ];
serviceConfig = {
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/audiobookshelf"
"/tank/media/audiobookshelf"
];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
}
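Review bot: `requires = [ "var-lib-audiobookshelf.mount" ]` pulls the bind mount in but does not order the service after it; systemd's Requires= carries no ordering, so audiobookshelf can still start against an empty /var/lib/audiobookshelf on a slow boot. Add `after = [ "var-lib-audiobookshelf.mount" ]` next to it, or use `unitConfig.RequiresMountsFor = "/var/lib/audiobookshelf"`, which does both. Separately, `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]` is a one-element list holding a space-separated string; it renders as a single valid directive, but the idiomatic form is either the bare string or `[ "AF_UNIX" "AF_INET" "AF_INET6" ]`. The rest of the sandbox (empty CapabilityBoundingSet, PrivateUsers, ProtectSystem=strict with explicit ReadWritePaths) is a good template for the other services in this repository.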

View File

@@ -6,10 +6,16 @@ let
in { in {
services = { services = {
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
locations."/".proxyPass = locations = {
"http://${cfg.listen.ip}:${toString cfg.listen.port}"; "/".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
locations."/opds".proxyPass = "/opds".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
"http://${cfg.listen.ip}:${toString cfg.listen.port}"; };
extraConfig = ''
client_max_body_size 512M;
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
'';
}; };
calibre-server = { calibre-server = {
@@ -26,6 +32,7 @@ in {
options = { options = {
calibreLibrary = storage; calibreLibrary = storage;
enableBookConversion = true; enableBookConversion = true;
enableKepubify = true;
enableBookUploading = true; enableBookUploading = true;
}; };
}; };

View File

@@ -0,0 +1,35 @@
{ config, pkgs, lib, ... }:
{
# Jellyfin - Media Streaming platform
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
services.nginx.virtualHosts."jellyfin.home.feal.no" = {
serverAliases = [ "jf.feal.no" ];
locations = {
"= /" = {
return = "302 http://$host/web/";
};
"/" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_buffering off;
'';
};
"/socket" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
};
};
extraConfig = ''
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
'';
};
}
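Review bot: in the jellyfin vhost, `return = "302 http://$host/web/"` hard-codes the plaintext scheme; since `jf.feal.no` is also published through the TLS-terminating public proxy elsewhere in this change, a client that arrives over https at `/` is bounced to an http URL. Use a relative target (`302 /web/`) or `$scheme://$host/web/`. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and that older ones have mis-handled; current guidance is to drop it (or send `0`) and rely on a Content-Security-Policy, which this block does not set. Note also that only the Permissions-Policy header carries `always`, so `nosniff` is not sent on error responses.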

View File

@@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }:
let
domain = "komga.home.feal.no";
port = 5001;
in {
services.komga = {
enable = true;
stateDir = "/tank/media/komga";
settings.server = {
inherit port;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
client_max_body_size 512M;
'';
};
}

View File

@@ -0,0 +1,154 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.nextcloud;
hostName = "cloud.feal.no";
in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
inherit hostName;
home = "/tank/nextcloud";
https = true;
webfinger = true;
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "ncadmin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
};
settings = {
default_phone_region = "NO";
log_type = "file";
overwriteprotocol = "https";
trusted_proxies = [ "192.168.10.175" ]; # defiant
# Docs: https://github.com/pulsejet/nextcloud-oidc-login
oidc_login_auto_redirect = true;
oidc_login_button_text = "Log in with KeyCloak";
oidc_login_client_id = "nextcloud";
oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
oidc_login_code_challenge_method = "S256";
oidc_login_end_session_redirect' = true;
oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
oidc_login_redir_fallback = true;
oidc_login_attributes = {
id = "preferred_username";
mail = "email";
name = "name";
login_filter = "nextcloud-roles";
};
oidc_login_filter_allowed_values = [ "nextcloud-user" ];
oidc_login_disable_registration = false;
"memories.exiftool" = pkgs.writeShellScript "exiftool-perl" ''
${lib.getExe pkgs.perl} ${cfg.home}/store-apps/memories/bin-ext/exiftool/exiftool "$@"
'';
"memories.exiftool_no_local" = false;
"memories.vod.disable" = false;
"memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
preview_ffmpeg_path = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
};
secretFile = config.sops.secrets."nextcloud/secretsjson".path;
phpOptions = {
"opcache.interned_strings_buffer" = "16";
"upload_max_filesize" = lib.mkForce "8G";
"post_max_size" = lib.mkForce "8G";
"memory_limit" = lib.mkForce "8G";
};
poolSettings = {
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
environment.systemPackages = [
cfg.occ # "occ CMD" in the docs -> "sudo -u nextcloud nextcloud-occ CMD"
pkgs.nodejs_20 # For Recognize; Put /run/current-system/sw/bin/node in the "node_binary" field in the web UI -> Memories
];
sops.secrets."nextcloud/adminpass" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
sops.secrets."nextcloud/secretsjson" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
services.postgresql = {
ensureDatabases = [ "nextcloud" ];
ensureUsers = [ {
name = "nextcloud";
ensureDBOwnership = true;
} ];
};
systemd.services.nextcloud-cron = {
path = with pkgs; [
exiftool
ffmpeg-headless
];
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
systemd.services."phpfpm-nextcloud" = {
requires = [ "tank-nextcloud.mount" ];
path = with pkgs; [
# perl
# perlPackages.ImageExifTool
exiftool
ffmpeg-headless
];
serviceConfig = {
PrivateDevices = lib.mkForce false;
WorkingDirectory = "/tank/nextcloud";
NoNewPrivileges = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
InaccessiblePaths = [ "/tank/media" "/tank/backup" ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
};
};
# Notes:
# - Install Memories and Recognize from the app store
# - They might need to be forced on with "nextcloud-occ app:enable memories", etc.
# - Run "nextcloud-occ maintenance:repair" to fix broken paths
# - Download ai models and maps with the commands given in the ui
# - libtensorflow doesn't work properly through node, but recognize still works(?)
}
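Review bot: `oidc_login_end_session_redirect' = true;` has a stray apostrophe; `'` is a legal identifier character in Nix, so this evaluates cleanly and writes a setting named `oidc_login_end_session_redirect'` that nextcloud-oidc-login never reads, leaving the real option at its default. Fix the key name. In `systemd.services."phpfpm-nextcloud"`, `CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP …"` also does not do what it looks like: systemd applies the `~` prefix once to the whole list (the documented form is `~CAP_FSETID CAP_SETFCAP CAP_SETUID …`), and the remaining `~CAP_*` tokens are not capability names, so they are skipped with a parse warning and only CAP_FSETID is actually removed; verify with `systemd-analyze security phpfpm-nextcloud.service` after correcting it. Finally, `PrivateDevices = lib.mkForce false` overrides a hardening default without a comment saying which device the PHP workers need.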

View File

@@ -10,6 +10,8 @@
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
virtualHosts."cloud.feal.no".default = true;
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
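Review bot: `virtualHosts."cloud.feal.no".default = true` makes the Nextcloud vhost the catch-all for every request whose Host or SNI matches nothing else on this listener, including scanner traffic addressed by IP. Nextcloud's `trusted_domains` check refuses such requests, so this is not an exposure, but it does mean the PHP application answers them; a dedicated default vhost with `return 444` keeps unknown-host traffic away from the application entirely.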
@@ -19,4 +21,3 @@
/* email = "felix@albrigtsen.it"; */ /* email = "felix@albrigtsen.it"; */
/* }; */ /* }; */
} }

View File

@@ -19,5 +19,3 @@
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }

View File

@@ -1,9 +1,9 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
timeMachineDir = "/tank/backup/worf"; timeMachineDir = "/tank/backup/worf2";
user = "worf-backup"; user = "worf-backup";
sizeLimit = "800000"; # MiB sizeLimit = "1000000"; # MiB
allowedIPs = "192.168.10.2 192.168.10.5"; #TODO allowedIPs = "192.168.10.2 192.168.10.34"; #TODO
in { in {
services.avahi = { services.avahi = {
enable = true; enable = true;

View File

@@ -1,62 +1,50 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
services.borgbackup.jobs = services.restic.backups = let
let localJob = name: paths: {
borgJob = name: { inherit paths;
environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1"; repository = "/mnt/feal-syn1/backup/defiant/${name}";
environment.BORG_REMOTE_PATH = "/usr/local/bin/borg"; passwordFile = config.sops.secrets."restic/${name}".path;
repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/defiant/${name}"; initialize = true;
compression = "auto,zstd"; pruneOpts = [
}; "--keep-daily 3"
in { "--keep-weekly 4"
postgresDaily = borgJob "postgres::daily" // { "--keep-monthly 3"
paths = "/data/backup/postgresql"; ];
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup };
extraInitArgs = "--storage-quota 10G"; cloudJob = name: paths: {
encryption = { inherit paths;
mode = "repokey-blake2"; # "rsyncnet" connection details specified in /root/.ssh/config
passCommand = "cat ${config.sops.secrets."borg/postgres".path}"; repository = "sftp://rsyncnet/restic/defiant/${name}";
}; passwordFile = config.sops.secrets."restic/${name}".path;
}; initialize = true;
pruneOpts = [
postgresWeekly = borgJob "postgres::weekly" // { # rsync.net keeps daily snapshots
paths = "/data/backup/postgresql"; "--keep-weekly 4"
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup "--keep-monthly 36"
extraInitArgs = "--storage-quota 10G"; ];
encryption = { };
mode = "repokey-blake2"; in {
passCommand = "cat ${config.sops.secrets."borg/postgres".path}"; postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
}; timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
}; };
postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
gitea = borgJob "gitea::weekly" // { timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
paths = "/tank/services/gitea";
startAt = "Mon *-*-* 05:15:00";
extraInitArgs = "--storage-quota 20G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/gitea".path}";
};
};
minecraft = borgJob "minecraft::weekly" // {
paths = "/var/lib/minecraft-wack";
startAt = "weekly";
extraInitArgs = "--storage-quota 20G";
encryption.mode = "none";
preHook = ''
${pkgs.mcrcon}/bin/mcrcon -p wack "say Starting Backup" "save-off" "save-all"
'';
postHook = ''
${pkgs.mcrcon}/bin/mcrcon -p wack "save-all" "say Completed Backup" "save-on" "save-all"
'';
};
}; };
# TODO: Matrix (keys,media,db), home-assistant, pihole, vaultwarden gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
sops.secrets."borg/postgres" = { }; gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
sops.secrets."borg/gitea" = { };
matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
};
# TODO: home-assistant, pihole
sops.secrets."restic/postgres" = { };
sops.secrets."restic/gitea" = { };
sops.secrets."restic/matrix-synapse" = { };
sops.secrets."restic/vaultwarden" = { };
} }
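Review bot: `localJob` and `cloudJob` both read `passwordFile = config.sops.secrets."restic/${name}".path`, so the NFS repository on feal-syn1 and the rsync.net repository for the same service share one restic password; that is fine for confidentiality (both repositories are encrypted client-side) but it means neither can be rotated or handed to someone else without the other. Consider distinct secrets for the `-remote` jobs. Two things worth adding to the migration: a copy of the four restic passwords kept outside this host (without them the off-site copy is unrecoverable), and a periodic `restic check` (the restic module can run it after the backup) so that silent corruption on the NFS share is noticed before a restore. Dropping the `mcrcon -p wack` hooks with their inline RCON password together with the minecraft job is an improvement.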

View File

@@ -5,25 +5,29 @@
[ [
../../base.nix ../../base.nix
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
./filesystems.nix
./hardware-configuration.nix ./hardware-configuration.nix
# Infrastructure # Infrastructure
./backup.nix ./backup.nix
./libvirt.nix ./libvirt.nix
./services/dyndns.nix
./services/nginx.nix ./services/nginx.nix
./services/pihole.nix ./services/pihole.nix
./services/postgresql.nix ./services/postgresql.nix
./services/wireguard.nix ./services/wireguard.nix
# Services # Services
./services/flame.nix
./services/gitea.nix ./services/gitea.nix
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/home-assistant.nix ./services/home-assistant.nix
./services/keycloak.nix
./services/matrix ./services/matrix
./services/monitoring
./services/microbin.nix ./services/microbin.nix
./services/minecraft.nix # ./services/minecraft/home.nix
./services/monitoring
# ./services/rtl-tcp.nix
# ./services/searx.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
]; ];
@@ -41,16 +45,6 @@
sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml; sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
environment.variables = { EDITOR = "vim"; }; environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.prometheus.exporters.zfs.enable = true;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "docker";

View File

@@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
};
services.prometheus.exporters.zfs.enable = true;
environment.systemPackages = with pkgs; [
cifs-utils
zfs
];
fileSystems = {
"/mnt/feal-syn1/backup" = {
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}
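Review bot: the `/mnt/feal-syn1/backup` mount uses `nfsvers=3` with no `sec=` option, i.e. AUTH_SYS: the NAS trusts the client's IP address and whatever uid it presents, so any host the export admits can read the repository files. That is acceptable only because the restic repositories stored there are encrypted client-side (see backup.nix in this change); document that dependency here and keep the export restricted to defiant's address on the Synology side. `x-systemd.automount` plus `noauto` is the right way to keep a NAS outage from blocking boot; `defaults` and `rw` are redundant with each other and can go.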

View File

@@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }:
{
sops.secrets."domeneshop/netrc" = { };
services.domeneshop-dyndns = {
enable = true;
domain = "site3.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}

View File

@@ -1,22 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}

View File

@@ -36,7 +36,6 @@ in {
OPENID_CONNECT_SCOPES = "email profile openid"; OPENID_CONNECT_SCOPES = "email profile openid";
UPDATE_AVATAR = true; UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto"; ACCOUNT_LINKING = "auto";
USERNAME = "email";
}; };
log.LEVEL = "Info"; log.LEVEL = "Info";
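Review bot: dropping `USERNAME = "email"` changes how the OIDC source derives user names (Gitea then falls back to its default nickname claim), which is fine, but the retained `ACCOUNT_LINKING = "auto"` deserves a comment: Gitea will attach an OIDC login to an existing local account with the same e-mail address, so the IdP's e-mail claim must be verified and not editable by users without re-verification. With the self-hosted Keycloak added in this change that holds as long as e-mail verification is enforced there; state that assumption next to the setting.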
@@ -45,15 +44,11 @@ in {
ui = { ui = {
THEMES="gitea,arc-green,nord"; THEMES="gitea,arc-green,nord";
DEFAULT_THEME="nord"; #DEFAULT_THEME="nord";
}; };
}; };
# TODO: # TODO: configure mailer
# - Backup
# - services.gitea.dump?
# - ZFS snapshots?
# - configure mailer
}; };
systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work"; systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";

View File

@@ -4,7 +4,7 @@ let
domain = "md.feal.no"; domain = "md.feal.no";
port = 3300; port = 3300;
host = "127.0.1.2"; host = "127.0.1.2";
authServerUrl = "https://auth.feal.no"; authServerUrl = "https://iam.feal.no";
in { in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = { sops.secrets."hedgedoc/env" = {
@@ -21,9 +21,8 @@ in {
allowFreeURL = true; allowFreeURL = true;
allowAnonymous = false; allowAnonymous = false;
allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission allowAnonymousEdits = true;
# dbURL = "postgres://hedgedoc@localhost/hedgedoc";
db = { db = {
username = "hedgedoc"; username = "hedgedoc";
database = "hedgedoc"; database = "hedgedoc";
@@ -32,20 +31,23 @@ in {
}; };
email = false; email = false;
oauth2 = { oauth2 = let
baseURL = "${authServerUrl}/oauth2"; oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect";
tokenURL = "${authServerUrl}/oauth2/token"; in {
authorizationURL = "${authServerUrl}/ui/oauth2"; providerName = "Keycloak";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo"; authorizationURL = "${oidc}/auth";
baseURL = "${authServerUrl}";
tokenURL = "${oidc}/token";
userProfileURL = "${oidc}/userinfo";
clientID = "hedgedoc"; clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile"; scope = "openid email profile";
userProfileUsernameAttr = "name"; userProfileDisplayNameAttr = "name";
userProfileEmailAttr = "email"; userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname"; userProfileUsernameAttr = "preferred_username";
rolesClaim = "hedgedoc-roles";
providerName = "KaniDM"; accessRole = "hedgedoc-user";
}; };
}; };
}; };
@@ -53,7 +55,6 @@ in {
systemd.services.hedgedoc = { systemd.services.hedgedoc = {
requires = [ requires = [
"postgresql.service" "postgresql.service"
# "kanidm.service"
]; ];
serviceConfig = let serviceConfig = let
workDir = "/var/lib/hedgedoc"; workDir = "/var/lib/hedgedoc";

View File

@@ -8,9 +8,10 @@ in {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
homeassistant = { homeassistant = {
image = "ghcr.io/home-assistant/home-assistant:2024.1"; image = "ghcr.io/home-assistant/home-assistant:2025.5.3";
extraOptions = [ extraOptions = [
"--network=host" "--network=host"
"--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB
]; ];
volumes = [ volumes = [
"/tank/services/homeassistant/config:/config" "/tank/services/homeassistant/config:/config"
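Review bot: `--network=host` (kept) together with the new `--device=/dev/ttyUSB0` gives the Home Assistant container the host's network namespace and a raw serial device; the former means port 8123 and every integration listener bind on the host's interfaces with no Docker-level isolation, so the host firewall, not the container, is what limits who can reach them. `/dev/ttyUSB0` is also an enumeration-order name: plugging in another serial adapter can swap it. Prefer the stable `/dev/serial/by-id/...` path for the Sonoff stick that the comment already identifies.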

View File

@@ -0,0 +1,33 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.keycloak.settings;
hostname = "iam.feal.no";
in {
sops.secrets."keycloak/postgres" = { };
services.keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
username = "keycloak";
passwordFile = config.sops.secrets."keycloak/postgres".path;
};
settings = {
cache = "local";
hostname = "https://${hostname}";
hostname-backchannel-dynamic = false;
http-enabled = true;
http-host = "127.0.1.2";
http-port = 5060;
proxy-headers = "xforwarded";
};
};
# The main reverse proxy is defined in ./nginx.nix
services.nginx.virtualHosts.${hostname} = {
locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
};
}
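Review bot: `proxy-headers = "xforwarded"` tells Keycloak to trust X-Forwarded-For/Proto/Host from whoever connects to `http-host`/`http-port`; with the bind on 127.0.1.2 that is limited to processes on this host, which includes every container run with `--network=host` (the home-assistant definition in this change), so a compromised local workload could forge client addresses and schemes in Keycloak's logs and checks. Keep the loopback bind, and if the Keycloak version in use offers `proxy-trusted-addresses`, set it to nginx's source address. `http-enabled = true` is correct here only because TLS terminates in nginx; a comment saying so would stop a later reader from exposing the port.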

View File

@@ -1,7 +1,8 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
domain = "matrix-admin.home.feal.no"; domain = "matrix-admin.home.feal.no";
backend = "http://127.0.0.1:8008"; # backend = "http://127.0.0.1:8008";
backend = "http://unix:/run/matrix-synapse/matrix-synapse.sock";
synapse-admin = pkgs.callPackage ./adminPkg.nix { }; synapse-admin = pkgs.callPackage ./adminPkg.nix { };
in { in {
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {

View File

@@ -6,6 +6,12 @@
group = "matrix-synapse"; group = "matrix-synapse";
}; };
sops.secrets."matrix/synapse/oidcsecret" = {
restartUnits = [ "matrix-synapse.service" ];
owner = "matrix-synapse";
group = "matrix-synapse";
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
enableNginx = true; enableNginx = true;
@@ -69,13 +75,34 @@
tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt"; tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key"; tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
enableSlidingSync = true;
oidc_providers = [
{
idp_id = "keycloak";
idp_name = "Keycloak";
issuer = "https://iam.feal.no/realms/feal.no";
client_id = "matrix-synapse";
client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
attribute_requirements = [{
attribute = "matrix-roles";
value = "matrix-user";
}];
backchannel_logout_enabled = true;
enable_registration = false;
}
];
}; };
}; };
services.postgresqlBackup.databases = [ "matrix-synapse" ];
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
services.postgresqlBackup.databases = [ "matrix-synapse" ];
services.nginx.virtualHosts."matrix.feal.no" = { services.nginx.virtualHosts."matrix.feal.no" = {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }
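Review bot: in the new `oidc_providers` entry, `enable_registration = false` (per-provider) combined with `attribute_requirements` on `matrix-roles` means an SSO login only succeeds for a Matrix account that already exists and whose Keycloak user carries `matrix-user`; a new user with the role is refused rather than auto-provisioned. If that is the intended onboarding path (accounts created by an admin first), add a comment, since the `localpart_template` suggests provisioning was once expected. `client_secret_path` pointing at the sops-managed file with `restartUnits` is the right way to keep the secret out of the store. The `postgresqlBackup.databases` line only moved; no change.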

View File

@@ -0,0 +1,50 @@
{ config, pkgs, lib, inputs, ... }:
{
imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/minecraft-server";
servers.home = {
enable = true;
jvmOpts = "-Xms4G -Xmx4G";
package = pkgs.fabricServers.fabric-1_21_4;
serverProperties = {
motd = "Home <3";
difficulty = "easy";
view-distance = 16;
simulation-distance = 16;
enable-command-block = true;
enable-rcon = true;
online-mode = false;
"rcon.password" = "wack";
};
symlinks = {
mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
FabricAPI = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
sha256 = "sha256-nL1bcAaMW0tRCpfW0prd3mce14ZNcl7pAUabVXAQfWs=";
};
Lithium = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/zVOQw7YU/lithium-fabric-0.14.6%2Bmc1.21.4.jar";
sha256 = "sha256-iF4hy+3XVJP7Fv6R2dsrYq6Ct0MQJLX4/4Yh5WEJm90=";
};
});
};
};
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server"
];
networking.firewall.allowedUDPPorts = [ 24454 ];
}
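Review bot: `online-mode = false` disables Mojang account authentication, so any client that reaches the port opened by `openFirewall = true` can join under any name, including an operator's; if offline mode is needed for non-premium players, put a whitelist and a server-side login mod in front of it rather than relying on obscurity. `"rcon.password" = "wack"` with `enable-rcon = true` is a plaintext credential that ends up in the world-readable Nix store via `serverProperties`; at minimum keep RCON bound to localhost, check whether `openFirewall` also exposes the RCON port, and source the password from a sops secret at runtime instead of from the store. `eula = true` and the sha256-pinned mod downloads are fine.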

File diff suppressed because it is too large Load Diff

View File

@@ -44,12 +44,6 @@ in {
url = "https://grafana.com/api/dashboards/14284/revisions/9/download"; url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
options.path = dashboards/synology-nas-details.json; options.path = dashboards/synology-nas-details.json;
} }
{
name = "OpenWRT";
type = "file";
url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
options.path = dashboards/openwrt.json;
}
]; ];
}; };
}; };

View File

@@ -51,7 +51,6 @@ in {
boltdb_shipper = { boltdb_shipper = {
active_index_directory = "${saveDirectory}/boltdb-shipper-index"; active_index_directory = "${saveDirectory}/boltdb-shipper-index";
cache_location = "${saveDirectory}/boltdb-shipper-cache"; cache_location = "${saveDirectory}/boltdb-shipper-cache";
shared_store = "filesystem";
cache_ttl = "24h"; cache_ttl = "24h";
}; };
filesystem = { filesystem = {
@@ -60,14 +59,13 @@ in {
}; };
limits_config = { limits_config = {
enforce_metric_name = false; allow_structured_metadata = false;
reject_old_samples = true; reject_old_samples = true;
reject_old_samples_max_age = "72h"; reject_old_samples_max_age = "72h";
}; };
compactor = { compactor = {
working_directory = "${saveDirectory}/compactor"; working_directory = "${saveDirectory}/compactor";
shared_store = "filesystem";
}; };
}; };
}; };

View File

@@ -17,23 +17,16 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"voyager.home.feal.no:9100" "challenger.home.feal.no:9100"
"sulu.home.feal.no:9100"
"mccoy.home.feal.no:9100"
"dlink-feal.home.feal.no:9100"
"edison.home.feal.no:9100"
"defiant.home.feal.no:9100" "defiant.home.feal.no:9100"
"leonard.home.feal.no:9100"
"morn.home.feal.no:9100"
"scotty.home.feal.no:9100" "scotty.home.feal.no:9100"
"sisko.home.feal.no:9100"
]; ];
} }
]; ];
} }
{
job_name = "openwrt";
static_configs = [
{ targets = ["dlink-feal.home.feal.no:9100"]; }
];
}
{ {
job_name = "snmp"; job_name = "snmp";
static_configs = [{ static_configs = [{

File diff suppressed because it is too large Load Diff

View File

@@ -1,20 +1,12 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
environment.systemPackages = [ services.prometheus.exporters.snmp = {
pkgs.prometheus-snmp-exporter
];
systemd.services.prometheus-snmp-exporter = {
enable = true; enable = true;
description = "Gather data from SNMP devices and expose them as Prometheus metrics"; configurationPath = ./snmp-exporter-conf.yml;
unitConfig = { # snmp.yml is built from
Type = "simple"; # https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml
}; # and
serviceConfig = { # https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/tank/services/metrics/prometheus/snmp.yml'";
# snmp.yml = https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml + https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
};
wantedBy = [ "multi-user.target" ];
}; };
} }
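Review bot: `configurationPath = ./snmp-exporter-conf.yml` is a Nix path literal, so the file is copied into /nix/store and becomes readable by every local user; the old unit read it from /tank/services/metrics/prometheus/snmp.yml outside the store. An snmp_exporter config carries v2c community strings or v3 auth/priv passwords (the Synology MIB module presumably does), so keep it out of the store: point `configurationPath` at a string path managed by sops, or keep the generated module definitions in the repository and supply the credentials separately. Moving to `services.prometheus.exporters.snmp` is otherwise the right cleanup; the module runs the exporter under its own unprivileged user.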

View File

@@ -1,5 +1,8 @@
{ config, values, ... }: { config, values, ... }:
{ let
gitea = config.services.gitea.settings;
keycloak = config.services.keycloak.settings;
in {
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true; enableReload = true;
@@ -31,7 +34,7 @@
# Publicly exposed services: # Publicly exposed services:
services.nginx.virtualHosts = let services.nginx.virtualHosts = let
publicProxy = upstream: { publicProxy = upstream: overrides: {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; } { addr = "192.168.10.175"; port = 43080; ssl = false; }
@@ -49,11 +52,22 @@
server_tokens off; server_tokens off;
''; '';
}; } // overrides;
in { in {
"auth.feal.no" = publicProxy "https://voyager.home.feal.no"; "amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"cloud.feal.no" = publicProxy "http://voyager.home.feal.no"; "cloud.feal.no" = publicProxy "" {
"git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}"; locations."/" = {
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/"; proxyPass = "http://challenger.home.feal.no";
extraConfig = ''
client_max_body_size 8G;
'';
};
};
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
}; };
} }
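Review bot: `publicProxy upstream overrides = { … } // overrides` is a shallow attribute merge, so the `"cloud.feal.no"` entry that passes `locations."/" = { … }` replaces the entire `locations` set built by `publicProxy`, not just the root location; whatever other locations the helper defines, if any, silently disappear for that host, and the empty string passed as `upstream` only ends up in the discarded copy. Use `lib.recursiveUpdate` (or let `publicProxy` take the upstream from `overrides`) so the override's effect matches its intent. `"git.feal.no" … { default = true; }` makes gitea the catch-all for unknown hosts on the public listener; that is the usual trade-off of any default vhost, and a separate `return 444` vhost would keep unknown-Host traffic away from the application.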

View File

@@ -2,17 +2,24 @@
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = false; enableTCPIP = true;
authentication = ''
host all all 172.16.0.0/12 md5
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;
location = "/data/backup/postgresql/"; location = "/tank/backup/postgresql";
startAt = "*-*-* 03:15:00"; startAt = "*-*-* 03:15:00";
# Each service is registered in its own configuration file # Each service is registered in its own configuration file
databases = [ ]; databases = [ ];
}; };
# Docker containers on this host can reach postgres
networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }
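Review bot: the new `authentication` line `host all all 172.16.0.0/12 md5` opens every database to every role from the whole Docker address range with the legacy `md5` method; tighten it per database and role (one `host <db> <role> 172.16.0.0/12 scram-sha-256` line per container that needs it) so a compromised container cannot try passwords against unrelated roles, and use `scram-sha-256`, which current PostgreSQL defaults to for stored passwords. The accompanying `iptables -A INPUT … -j ACCEPT` in `extraCommands` works (the NixOS firewall script appends the `INPUT -j nixos-fw` jump after running it) but lives outside the managed `nixos-fw` chain, so it is not removed on stop and is appended again on every reload; `iptables -A nixos-fw … -j nixos-fw-accept` keeps it managed.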

View File

@@ -0,0 +1,14 @@
{ config, pkgs, lib, ... }:
let
port = 1457;
in {
hardware.rtl-sdr.enable = true;
systemd.services.rtl-tcp = {
script = "${pkgs.rtl-sdr}/bin/rtl_tcp -a 0.0.0.0 -p ${toString port} -s 2000000 -T";
serviceConfig = {
Group = "plugdev";
};
};
networking.firewall.allowedTCPPorts = [ port ];
}
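Review bot: `rtl_tcp -a 0.0.0.0 -p 1457` plus `networking.firewall.allowedTCPPorts = [ port ]` publishes an unauthenticated SDR control socket (rtl_tcp has no authentication at all) on every interface of the host, including the WireGuard one. Bind it to the LAN address instead and scope the rule with `networking.firewall.interfaces.<iface>.allowedTCPPorts`. The unit also has no `User`, so it runs as root with the extra `plugdev` group; a dedicated user in `plugdev` (or `DynamicUser = true` with `SupplementaryGroups = [ "plugdev" ]`) is enough for USB access. Finally, there is no `wantedBy`, so the service never starts at boot; the `# ./services/rtl-tcp.nix` import in this change is commented out, so nothing is live yet, but both should be fixed before it is enabled.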

View File

@@ -0,0 +1,39 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.searx;
domain = "search.home.feal.no";
in {
services.searx = {
enable = true;
environmentFile = config.sops.secrets."searx/envfile".path;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
base_url = "http://${domain}";
};
};
runInUwsgi = true;
uwsgiConfig = {
socket = "/run/searx/searx.sock";
chmod-socket = "660";
};
redisCreateLocally = true;
};
sops.secrets."searx/envfile" = {
owner = "searx";
group = "searx";
};
users.groups."searx".members = [ "nginx" ];
services.nginx.virtualHosts."${domain}" = {
locations."/".extraConfig = ''
include ${config.services.nginx.package}/conf/uwsgi_params;
uwsgi_pass unix:${cfg.uwsgiConfig.socket};
'';
};
}

View File

@@ -2,8 +2,9 @@
let let
cfg = config.services.vaultwarden; cfg = config.services.vaultwarden;
domain = "pw.feal.no"; domain = "pw.feal.no";
address = "127.0.0.1"; address = "127.0.1.2";
port = 3011; # Note: The websocket port is left as default(3012) port = 3011;
wsPort = 3012;
in { in {
sops.secrets."vaultwarden/admintoken" = { sops.secrets."vaultwarden/admintoken" = {
owner = "vaultwarden"; owner = "vaultwarden";
@@ -19,11 +20,16 @@ in {
rocketAddress = address; rocketAddress = address;
rocketPort = port; rocketPort = port;
websocketEnabled = true;
# databaseUrl = "postgresql://vaultwarden:@localhost/vaultwarden?sslmode=disable";
databaseUrl = "postgresql://vaultwarden@/vaultwarden";
signupsAllowed = false; websocketEnabled = true;
websocketAddress = address;
websocketPort = wsPort;
signupsAllowed = true;
signupsVerify = true;
signupsDomainsWhitelist = "albrigtsen.it";
databaseUrl = "postgresql://vaultwarden@/vaultwarden";
}; };
}; };
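Review bot: `signupsAllowed = true` next to `signupsDomainsWhitelist = "albrigtsen.it"` reads as open registration, but per vaultwarden's .env.template a non-empty SIGNUPS_DOMAINS_WHITELIST takes precedence and SIGNUPS_ALLOWED is ignored, so only @albrigtsen.it addresses can register either way. Set `signupsAllowed` back to `false` so the configuration states what it enforces, and note that `signupsVerify = true` only has an effect once SMTP is configured for the instance (nothing in this file sets it). Moving the websocket listener to the same `127.0.1.2` address as rocket, with the `/notifications/hub` location proxied to `${address}:${toString wsPort}`, is a good cleanup.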
@@ -54,7 +60,7 @@ in {
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."/notifications/hub" = { locations."/notifications/hub" = {
proxyPass = "http://localhost:3012"; proxyPass = "http://${address}:${toString wsPort}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."/notifications/hub/negotiate" = { locations."/notifications/hub/negotiate" = {

View File

@@ -30,33 +30,9 @@ in {
"10.100.0.2/32" "10.100.0.2/32"
"192.168.11.0/24" "192.168.11.0/24"
]; ];
endpoint = "site2.feal.no:51902"; #endpoint = "site2.feal.no:51902";
} }
{ # Sulu ] ++ (import ../../../common/wireguard-peers.nix);
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
];
}; };
}; };
} }
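Review bot: commenting out `endpoint = "site2.feal.no:51902";` for the remaining peer changes the connection direction: without an endpoint this host no longer initiates the tunnel or sends keepalives to it, so the site2 side must initiate; worth saying in the commit message if that is intended. The four peers removed here (Sulu, Worf, Phone, Riker, 10.100.0.3 through .6, each a /32) now come from `../../../common/wireguard-peers.nix`, which is not part of this diff; check that the shared list carries the same /32 `allowedIPs`, since widening them in the common file would change which source addresses this host accepts from each public key.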


@@ -1,49 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
virtualisation.docker.enable = true;
networking = {
hostName = "edison";
defaultGateway = "192.168.10.1";
interfaces.enp4s0.useDHCP = false;
interfaces.enp4s0.ipv4.addresses = [
{ address = "192.168.10.170"; prefixLength = 24; }
];
hostId = "8e84b281";
};
console.keyMap = "us";
# sops.defaultSopsFile = ../../secrets/edison/edison.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
pavucontrol
gparted
unstable.hydrus
];
programs.steam.enable = true;
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"steam"
"steam-original"
"steam-run"
];
system.stateVersion = "23.05";
}


@@ -1,58 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.xserver = {
enable = true;
desktopManager.xfce.enable = true;
videoDrivers = [ "nvidia" ];
layout = "us,no";
xkbVariant = "intl";
};
services.openssh.settings.X11Forwarding = true;
environment.systemPackages = with pkgs; [
xfce.xfce4-pulseaudio-plugin
];
services.picom.enable = true;
hardware.opengl.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
(nerdfonts.override {
fonts = [
"Hack"
];
})
];
};
# Remote:
services.xrdp = {
enable = true;
defaultWindowManager = "xfce4-session";
openFirewall = true;
};
security.polkit.enable = true;
services.flatpak.enable = true;
users.users."felixalb".packages = [ pkgs.flatpak ];
xdg.portal = {
enable = true;
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
};
}


@@ -1,46 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/14b254e1-d94f-4b9b-a910-7fcf7e33af46";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A197-7913";
fsType = "vfat";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/ebbdf34e-adec-4df3-bbed-20d80455f3f7";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d56040a0-3009-4899-95fa-1b82e60e32e4"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,19 +0,0 @@
{ pkgs, lib, ... }:
{
home.packages = with pkgs; [
nix-index
];
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
alacritty.enable = true;
firefox.enable = true;
rofi.enable = true;
};
home.stateVersion = "23.05";
}


@@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
networkmanager.enable = true;
wireguard.enable = true;
tempAddresses = "disabled";
hostName = "fa-t14-2025";
nameservers = [ "9.9.9.9" ];
domain = "it.hime.no";
hostId = "f458d6aa";
search = [
"mktv.no"
"mktv.local"
];
};
services.openssh.openFirewall = false;
environment.systemPackages = with pkgs; [
inetutils
wireguard-tools
];
virtualisation.docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
users.users.felixalb = {
uid = 1000;
openssh.authorizedKeys.keys = [ ];
extraGroups = [ "networkmanager" ];
};
console.keyMap = "no";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"securecrt"
"securefx"
];
};
system.stateVersion = "25.05";
}
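Review bot: `tempAddresses = "disabled";` turns off IPv6 privacy extensions on a roaming laptop, so it will present a stable, interface-derived address on every network it joins, which makes the device trackable across networks; `"enabled"` (prefer temporary addresses) is the privacy-preserving choice unless some service on this machine needs a stable IPv6 address, in which case a comment should say which. The rest of the network posture here is sound: `services.openssh.openFirewall = false;` keeps sshd off the wire, and rootless Docker with `setSocketVariable = true;` avoids giving the user a root-equivalent docker socket.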


@@ -0,0 +1,51 @@
{ config, pkgs, lib, ... }:
{
hardware.graphics.enable = true;
services.xserver = {
enable = true;
xkb = {
options = "ctrl:nocaps";
layout = "no";
};
};
services.displayManager.ly.enable = true;
services.gnome.gnome-keyring.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-color-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
nerd-fonts.hack
];
};
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.dbus.packages = [ pkgs.gcr ];
services.openssh.settings.X11Forwarding = true;
programs.nm-applet.enable = true;
}


@@ -0,0 +1,51 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "resume_offset=3037184" "mem_sleep_default=deep" ];
boot.resumeDevice = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
powerManagement.enable = true;
services.power-profiles-daemon.enable = true;
services.logind.lidSwitch = "suspend-then-hibernate";
services.logind.lidSwitchDocked = "ignore";
services.logind.powerKey = "suspend-then-hibernate";
services.logind.powerKeyLongPress = "poweroff";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/3ecaedab-415c-4cce-a3a9-9f3782acb682";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0800-59D9";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 32*1024;
}
];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,99 @@
{ pkgs, lib, ... }:
let
emailAddress = "felix.albrigtsen@mktv.no";
in {
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
bc
catimg
chromium
dig
element-desktop
hunspellDicts.en_US
hunspellDicts.nb_NO
iperf3
jq
libreoffice
mpv
oauth2ms
openssl
openvpn
pavucontrol
pwgen
traceroute
virt-manager
w3m
nixpkgs-2211.remmina
(unstable.microsoft-edge.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/microsoft-edge $out/bin/microsoft-edge-stable
'';
}))
# Window Manager Extras
bibata-cursors
brightnessctl
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
(python312.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
firefox.enable = true;
git.extraConfig.user.email = emailAddress;
rbw = {
enable = true;
settings = {
base_url = "https://vault.mktv.no";
email = emailAddress;
pinentry = pkgs.pinentry-rofi;
};
};
rofi = {
enable = true;
# theme = "iggy";
theme = "Arc-Dark";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
};
};
home.stateVersion = "25.05";
}
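Review bot: `nixpkgs-2211.remmina` appears to pull remmina from a NixOS 22.11 package set, a release that stopped receiving security updates in mid-2023, so this RDP/VNC client and the libraries it links (including its TLS stack) ship without roughly three years of fixes. If the current remmina is broken for this use, add a comment stating why and prefer the newest channel that works; a pinned-old client that speaks to remote hosts is the kind of dependency that silently rots.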


@@ -0,0 +1,53 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/mysql.nix
./services/nginx.nix
./services/postgresql.nix
./services/wiki-wackattack-eu.nix
./services/www-feal-no
./services/www-kinealbrigtsen-no.nix
./services/www-amalie-mansaker-no
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "leonard";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.207"; prefixLength = 24; }
];
};
hostId = "b99c12d1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "25.05";
}
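Review bot: the egress rules in `firewall.extraCommands` have three gaps worth closing. First, the DNS exception only matches `-p udp --dport 53`, so the TCP fallback for truncated responses (and any DNS over TCP) to the LAN resolver is refused. Second, the refuse rule for `192.168.10.0/24` also matches packets addressed to this host's own `192.168.10.207`, because locally destined traffic traverses OUTPUT as well; anything that connects to the host by its LAN address rather than loopback will fail unless an `iptables -A OUTPUT -d 192.168.10.207 -j nixos-fw-accept` is inserted before it. Third, `iptables` programs the IPv4 table only; if the interface ever obtains an IPv6 address the LAN restriction does not apply to it, so either a matching `ip6tables` set or an explicit `networking.enableIPv6 = false;` would make the intent hold. The comment says "Prepend", but after `iptables -F OUTPUT` the `-A` appends simply rebuild the chain in order, so the comment should say that. Finally, the resolver exception is generated from `config.networking.nameservers`, which is not set in this file; with an empty list no DNS rule is emitted and name resolution breaks silently.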


@@ -0,0 +1,24 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4a70c1d5-9d72-4581-8f75-733b91c10669";
fsType = "ext4";
};
swapDevices = [ ]; # TODO
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@@ -8,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
}; };
home.stateVersion = "23.05"; home.stateVersion = "25.05";
} }
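Review bot: `home.stateVersion` is not a value to bump along with the channel. It records which release's defaults the existing state on disk was created under, and Home Manager uses it to keep old layouts and behaviours working; changing `"23.05"` to `"25.05"` on an installed profile can silently switch those defaults. If this host was reinstalled from scratch the bump is fine, otherwise revert it and leave the version at the original install release.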


@@ -0,0 +1,10 @@
{ config, pkgs, lib, ... }:
{
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
# TODO: services.mysqlBackup
}


@@ -0,0 +1,19 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}


@@ -0,0 +1,20 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = false;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}
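Review bot: `local all all trust` in this hunk lets any local OS account connect over the Unix socket as any PostgreSQL role, including the `postgres` superuser, with no credential at all; `enableTCPIP = false;` only closes the network path, not this one. The NixOS default `peer` method is a better fit for the pattern used on this host: `ensureUsers` with `ensureDBOwnership` creates a role named after the service user, and `peer` maps the connecting Unix user to the role of the same name, so each service reaches only its own database. Where a service runs under a different Unix name than its role, a single `pg_ident.conf` mapping is still far narrower than `trust` for everyone. Dropping the `mkOverride 10` line altogether restores the default.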


@@ -0,0 +1,38 @@
{ config, ... }:
let
bindIP = "127.0.1.2";
port = 5051;
cfg = config.services.wiki-js;
in {
# sops.secrets."wikijs/envfile" = {
# restartUnits = [ "wiki-js.service" ];
# };
services.wiki-js = {
enable = true;
# environmentFile = config.sops.secrets."wikijs/envfile".path;
settings = {
inherit bindIP port;
db = {
type = "postgres";
host = "/run/postgresql";
db = "wiki-js";
user = "wiki-js";
};
};
};
services.postgresql = {
ensureDatabases = [ "wiki-js" ];
ensureUsers = [{
name = "wiki-js";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."wiki.wackattack.eu" = {
locations."/" = {
proxyPass = "http://${bindIP}:${toString port}";
};
};
}
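Review bot: with the database reached over `/run/postgresql` as `user = "wiki-js"`, the commented-out `sops.secrets."wikijs/envfile"` and `environmentFile` lines are dead config; either delete them or leave a comment saying what they were meant to carry. If the wiki-js unit runs as a Unix user of the same name, the role name chosen here is exactly what PostgreSQL `peer` authentication needs, so this service does not depend on the `trust` rule in postgresql.nix.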


@@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."amalie.mansaker.no" = let
siteContent = pkgs.callPackage ./site.nix { };
in {
locations = {
"/".root = siteContent;
};
};
}


@@ -0,0 +1,26 @@
{ stdenv, fetchgit, hugo }:
stdenv.mkDerivation {
name = "www-amalie-mansaker-no";
src = fetchgit {
url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
fetchSubmodules = true;
rev = "58265a25b37bf2286e0704e02ab3dde56a348d8b";
hash = "sha256-dPcv0AGjsWqDCWCjV2PeklBrWsIawLAccRQEYe3teOM=";
};
nativeBuildInputs = [ hugo ];
buildPhase = ''
cp -r $src/* .
${hugo}/bin/hugo
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r public/* $out/
runHook postInstall
'';
}
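Review bot: `buildPhase` skips `runHook preBuild` and `runHook postBuild` while `installPhase` correctly calls its hooks; add them for symmetry so setup hooks still run. `${hugo}/bin/hugo` is also redundant, since `nativeBuildInputs = [ hugo ];` already puts `hugo` on PATH. The source pin is good: `fetchgit` with a fixed `rev` and `hash` means the site content cannot change underneath the build, and `fetchSubmodules = true;` is covered by the same hash.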


@@ -0,0 +1,26 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."feal.no" = {
default = true;
serverAliases = [
"www.feal.no"
];
locations = {
# TODO: Reinstate actual website
"/".return = "302 https://git.feal.no/";
"^~ /.well-known/" = {
alias = (toString ./well-known) + "/";
};
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}
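Review bot: the `^~ /.well-known/` alias location serves whatever sits in `./well-known` with nginx's default MIME handling. The Matrix delegation documents added in this change (the `m.homeserver` and `m.server` JSON bodies) live, per the Matrix spec, at `/.well-known/matrix/client` and `/.well-known/matrix/server` without a `.json` suffix, so nginx will send them as `application/octet-stream`, and the client document must additionally carry `Access-Control-Allow-Origin: *` for web clients to read it. A nested location for `/.well-known/matrix/` with `default_type application/json;` and `add_header Access-Control-Allow-Origin *;` fixes both. `default = true;` also means any request with an unknown Host header lands on this vhost; that is harmless with the `302` to git.feal.no but worth knowing when more vhosts are added.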


@@ -0,0 +1,5 @@
{
"m.homeserver": {
"base_url": "https://matrix.feal.no:443"
}
}


@@ -0,0 +1 @@
{"m.server": "matrix.feal.no:443"}


@@ -0,0 +1,95 @@
{ config, pkgs, lib, ... }:
{
users.users.www-kinealbrigtsen-no = {
isSystemUser = true;
group = "www-kinealbrigtsen-no";
};
users.groups.www-kinealbrigtsen-no = { };
services.mysql.ensureDatabases = [
"www_kinealbrigtsen_no"
];
services.mysql.ensureUsers = [
{
name = "www-kinealbrigtsen-no";
ensurePermissions = {
# "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
"www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
};
}
];
services.phpfpm.pools.www-kinealbrigtsen-no = {
user = "www-kinealbrigtsen-no";
group = "www-kinealbrigtsen-no";
phpOptions = lib.generators.toKeyValue {} {
upload_max_filesize = "1000M";
post_max_size = "1000M";
memory_limit = "1000M";
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 1000;
};
};
services.nginx.virtualHosts."kinealbrigtsen.no" = {
serverAliases = [ "www.kinealbrigtsen.no" ];
root = "/var/www/www-kinealbrigtsen-no";
locations = {
"/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
"~ \\.php$".extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
'';
"~ /\\.ht".extraConfig = ''
deny all;
'';
"/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
"/robots.txt".extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
"~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
expires max;
log_not_found off;
'';
};
extraConfig = ''
index index.php index.html;
set_real_ip_from 192.168.11.0/24;
real_ip_header X-Forwarded-For;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
'';
};
# TODO:
# - Configure a mailer so wp_mail() works
# - Enable periodic backups
}
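Review bot: the `~ \\.php$` location executes any `.php` file under `root`, including anything a WordPress account or plugin can write into `wp-content/uploads`; the usual hardening is a `deny all;` location for `~* ^/wp-content/uploads/.*\.php$` given a lower `priority` than the generic PHP handler so it matches first, plus `try_files $uri =404;` inside the PHP location so a request for a non-existent script is never handed to php-fpm. `X-Frame-Options DENY` will break the WordPress customizer and block-editor previews, which load the site in an iframe; `SAMEORIGIN` keeps the clickjacking protection without that breakage. `upload_max_filesize`, `post_max_size` and `memory_limit` at 1000M are generous for a pool with `pm.max_children = 32`, since memory_limit times max_children is the worst-case RAM of this pool. On the positive side, the MariaDB grant replaces `ALL PRIVILEGES` with a narrow list, and `listen.owner`/`listen.group` restrict the FastCGI socket to nginx.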


@@ -0,0 +1,35 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/nginx.nix
./services/glance
./services/miniflux.nix
./services/thelounge.nix
];
networking = {
hostName = "morn";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.203"; prefixLength = 24; }
];
};
hostId = "89b7722d";
};
sops.defaultSopsFile = ../../secrets/morn/morn.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "24.11";
}


@@ -1,3 +1,6 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
@@ -11,20 +14,24 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/31ff6d37-52d6-43c3-a214-5d38a6c38b0e"; { device = "/dev/disk/by-uuid/93307186-cbc3-4748-859f-0013a1e36def";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = fileSystems."/boot" =
[ { device = "/dev/disk/by-uuid/cce59ee7-7c83-4165-a9b0-f950cd2e3273"; } { device = "/dev/disk/by-uuid/FFCD-993A";
]; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
#networking.useDHCP = lib.mkDefault true; # networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }

hosts/morn/home.nix Normal file

@@ -0,0 +1,12 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "24.11";
}


@@ -0,0 +1,15 @@
{ config, values, ... }:
{
services.glance = {
enable = true;
settings = import ./settings.nix;
};
services.nginx.virtualHosts."glance.home.feal.no" = let
inherit (config.services.glance.settings.server) host port;
in {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
}


@@ -0,0 +1,83 @@
{ config, ... }:
{
server = {
port = 5001;
host = "127.0.1.2";
};
pages =
let
fullCol = widgets: {
size = "full";
inherit widgets;
};
in
[
{
name = "Home";
columns = [
(fullCol [
{
type = "search";
search-engine = "http://search.home.feal.no/search?q={QUERY}";
}
{
type = "weather";
units = "metric";
location = "Trondheim, Norway";
}
])
(fullCol [
{
type = "hacker-news";
limit = 20;
collapse-after = 5;
}
{
type = "monitor";
cache = "5m";
sites =
let
site = title: url: { inherit title url; };
in
[
(site "Jellyfin" "http://jellyfin.home.feal.no")
(site "Gitea" "https://git.feal.no")
(site "VaultWarden" "https://pw.feal.no")
];
}
])
];
}
{
name = "News";
columns =
let
feed = title: url: { inherit title url; };
rss = title: feeds: {
type = "rss";
inherit title feeds;
};
in
[
(fullCol [
(rss "Norway" [
(feed "NRK" "https://www.nrk.no/toppsaker.rss")
(feed "Bygdeposten" "https://www.bygdeposten.no/service/rss")
(feed "Nidaros" "https://www.nidaros.no/service/rss")
])
])
(fullCol [
(rss "NTNU" [
(feed "OmegaV" "https://omegav.no/newsrss")
(feed "PVV" "https://www.pvv.ntnu.no/w/api.php?hidebots=1&urlversion=1&days=7&limit=50&action=feedrecentchanges&feedformat=atom")
(feed "IT-Varsel" "https://varsel.it.ntnu.no/subscribe/rss/")
])
])
];
}
];
}


@@ -0,0 +1,23 @@
{ config, pkgs, lib, ... }:
let
domain = "rss.home.feal.no";
listen_addr = "127.0.1.2:5051";
in {
sops.secrets."miniflux/env" = { };
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = {
CREATE_ADMIN = true;
LISTEN_ADDR = listen_addr;
BASE_URL = "http://${domain}";
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${listen_addr}";
};
}


@@ -0,0 +1,19 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}


@@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.thelounge.extraConfig;
domain = "irc.home.feal.no";
in {
services.thelounge = {
enable = true;
extraConfig = {
public = false;
host = "127.0.1.2";
port = 9000;
reverseProxy = true;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}";
};
}


@@ -1,73 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
];
networking.hostName = "redshirt";
networking.networkmanager.enable = true;
# Enable the X11 windowing system.
services.xserver = {
enable = true;
windowManager = {
qtile.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
libinput.enable = true;
};
# The NixOS module enables critical components needed to run Hyprland properly, such as: polkit, xdg-desktop-portal-hyprland, graphics drivers, fonts, dconf, xwayland, and adding a proper Desktop Entry to your Display Manager.
#programs.hyprland = {
# enable = true;
# package = pkgs.unstable.hyprland;
#};
services.xserver.displayManager = {
lightdm.enable = true;
#defaultSession = "hyprland";
};
# Configure keymap in X11
services.xserver.layout = "no";
fonts.fonts = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" "Hack" ]; })
];
sound.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
users.users.felixalb = {
extraGroups = [ "networkmanager" ];
};
environment.systemPackages = with pkgs; [
zsh
neovim
git
ripgrep
rsync
cifs-utils
];
documentation.man.generateCaches = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
system.stateVersion = "22.11";
}


@@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0d709ab3-0d10-46eb-9e4f-10a320af703e";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6EE9-1C06";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/2067bbb4-b4fa-4326-9f58-4018857058a7"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,90 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
hostName = "sisko";
# networkmanager.enable = true;
defaultGateway = "192.168.10.1";
interfaces.enp14s0 = {
ipv4 = {
addresses = [
{ address = "192.168.10.172"; prefixLength = 24; }
];
};
wakeOnLan.enable = true;
};
hostId = "b716d781";
};
hardware.bluetooth.enable = true;
hardware.rtl-sdr.enable = true;
sops.defaultSopsFile = ../../secrets/sisko/sisko.yaml;
environment.variables = { EDITOR = "vim"; };
users.users.felixalb.extraGroups = [
"dialout"
"libvirtd"
"networkmanager"
"plugdev"
];
programs = {
alvr = {
enable = true;
openFirewall = true;
};
firefox = {
enable = true;
nativeMessagingHosts.packages = with pkgs; [ tridactyl-native ];
};
gamemode.enable = true;
immersed.enable = true;
steam = {
enable = true;
remotePlay.openFirewall = true;
};
virt-manager.enable = true;
};
virtualisation = {
libvirtd.enable = true;
spiceUSBRedirection.enable = true;
};
environment.systemPackages = with pkgs; [
virtiofsd
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"discord"
"immersed"
"spotify"
"steam"
"steam-unwrapped"
];
permittedInsecurePackages = [
"openssl-1.1.1w"
];
rocmSupport = true;
};
services.fwupd.enable = true;
system.stateVersion = "24.11";
}
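Review bot: `permittedInsecurePackages = [ "openssl-1.1.1w" ];` re-enables an OpenSSL branch that has had no security fixes since September 2023, and the waiver applies to whatever in this closure pulls it in, not to one named consumer. Identify the dependent (`nix why-depends` on the system closure), check whether a current build of it links OpenSSL 3.x, and drop the entry; if it must stay, add a comment naming the package so the exception gets revisited. The `openFirewall` toggles for `alvr` and Steam `remotePlay` open inbound ports on a host with a static LAN address; reasonable for a gaming desktop, but they are the only inbound exposure this hunk adds and deserve a comment.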

hosts/sisko/desktop.nix Normal file

@@ -0,0 +1,70 @@
{ config, pkgs, lib, ... }:
{
# Video
hardware.graphics = {
enable = true;
enable32Bit = true;
};
hardware.amdgpu.opencl.enable = true;
services.displayManager.ly.enable = true;
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Misc
fonts = {
fontDir.enable = true;
packages = with pkgs; [
fira-code
font-awesome
hack-font
nerd-fonts.hack
noto-fonts
noto-fonts-cjk-sans
noto-fonts-color-emoji
];
};
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
SSH_AUTH_SOCK = "/run/user/${toString config.users.users.felixalb.uid}/keyring/ssh";
};
services.gnome.gnome-keyring.enable = true;
# Dark mode
home-manager.users.felixalb = {
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
};
gtk = {
enable = true;
theme = {
name = "Adwaita-dark";
package = pkgs.gnome-themes-extra;
};
};
};
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita-dark";
};
}


@@ -0,0 +1,55 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options bluetooth disable_ertm=1"; # Xbox controller
hardware.xpadneo.enable = true;
boot.kernel.sysctl = {
"vm.max_map_count" = 16777216;
# "fs.file-max" = 524288;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ {
device = "/swapfile";
size = 64*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp14s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
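Review bot: `/boot` is mounted with `fmask=0022` and `dmask=0022`, unlike the other hosts in this change, which use `0077`. With 0022 every local user can read the kernels, initrds and loader entries on the ESP, which is why nixos-generate-config now emits 0077; switching to `fmask=0077` `dmask=0077` costs nothing here. `vm.max_map_count = 16777216;` is a gaming-oriented tweak with no security meaning; a short comment saying which game or runtime needs it would stop it from looking like a stray setting.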

hosts/sisko/home.nix Normal file

@@ -0,0 +1,162 @@
{ pkgs, lib, config, ... }:
{
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
# GUI Applications
cantata
chromium
discord
easyeffects
element-desktop
emacs-gtk
feishin
gqrx
kitty
libreoffice
lutris
mpv
mumble
orca-slicer
papers
pavucontrol
picard
pkgsRocm.hashcat
prismlauncher
restic
runelite
spotify
swayimg
thunderbird
tor-browser
bolt-launcher
exiftool
ghidra
# pwndbg-gdb-alias # Broken in 25.05
snicat
# Window Manager Extras
bibata-cursors
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
# Misc tools
abcde
bc
catimg
dante
dig
go
hunspellDicts.en_US
hunspellDicts.nb_NO
jq
nixpkgs-2211.remmina
ollama-rocm
openssl
playerctl
pwgen
restic
rocmPackages.clang
traceroute
w3m
(python313.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
ncmpcpp.enable = true;
rbw = {
enable = true;
settings = {
base_url = "https://pw.feal.no";
email = "felix@albrigtsen.it";
pinentry = pkgs.pinentry-gnome3;
};
};
rofi = {
enable = true;
theme = "iggy";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
services = {
mpd = let
home = config.home.homeDirectory;
in {
enable = true;
musicDirectory = "${home}/mnt/music";
dataDir = "${home}/Music/mpd/data";
playlistDirectory = "${home}/Music/mpd/playlists";
extraConfig = ''
audio_output {
type "pipewire"
name "PipewireOut1"
}
'';
};
};
home.pointerCursor = {
name = "Bibata-Modern-Ice";
package = pkgs.bibata-cursors;
size = 24;
gtk.enable = true;
x11 = {
enable = true;
defaultCursor = true;
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
"inode/directory" = "org.gnome.Nautilus.desktop";
"application/pdf" = "org.gnome.Papers.desktop";
} // builtins.listToAttrs (
builtins.map
( imgType: { name = "image/${imgType}"; value = "swayimg.desktop"; } )
[ "apng" "bmp" "gif" "heic" "heif" "jpeg" "png" "svg" "svg+xml" "tiff" ]
);
};
home.stateVersion = "24.11";
}
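Review bot: `nixpkgs-2211.remmina` again pins remmina to what appears to be a NixOS 22.11 package set, out of security support since mid-2023 (same point as in the fa-t14-2025 home.nix); one shared comment explaining the pin and a plan to move off it would help. Separately, `rbw` here points at `https://pw.feal.no`, the Vaultwarden instance whose signup policy this same change relaxes, so the two hunks belong to one trust decision and should be reviewed together.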


@@ -1,47 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.borgbackup.jobs =
let
borgJob = name: {
environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
compression = "auto,zstd";
};
in {
postgresDaily = borgJob "postgres::daily" // {
paths = "/var/backup/postgres";
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
postgresWeekly = borgJob "postgres::weekly" // {
paths = "/var/backup/postgres";
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
transmission = borgJob "transmission::weekly" // {
paths = "/var/lib/transmission";
startAt = "weekly";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/transmission".path}";
};
};
# TODO: kanidm, timemachine, calibre(?), nextcloud
};
sops.secrets."borg/postgres" = { };
sops.secrets."borg/transmission" = { };
}
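Review bot: deleting this file removes the only references to the `borg/postgres` and `borg/transmission` passphrases used by `passCommand`. With `mode = "repokey-blake2"` the repository key is stored inside each repo under `ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/...` but is wrapped by that passphrase, so if those archives are meant to stay restorable the passphrases need to be preserved somewhere (for example a shared sops file) before `secrets/voyager` is dropped; the `/root/.ssh/fealsyn1` key should also be removed from the `backup` account on the target once the host is gone. One caveat when judging what is actually on the target: the repo strings contain `::` (`postgres::daily`, `postgres::weekly`, `transmission::weekly`), and `::` is Borg's repository/archive separator in a location URL, so confirm which repositories were really created before relying on them.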

@@ -1,58 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./backup.nix
./exports.nix
./filesystems.nix
./services/snappymail.nix
./services/calibre.nix
./services/fancontrol.nix
./services/jellyfin.nix
./services/kanidm.nix
./services/nextcloud.nix
./services/nginx
./services/podgrab.nix
./services/postgres.nix
./services/timemachine.nix
./services/transmission.nix
];
networking = {
hostName = "voyager";
bridges.br0.interfaces = [ "eno1" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.165"; prefixLength = 24; }
];
hostId = "8e84b235";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
};
system.stateVersion = "22.11";
}
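Review bot: the `sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml` reference goes away here, but the secrets file itself and voyager's entry in the sops creation rules need to go with it in the same change; until the remaining files are re-encrypted without it, the host's age key (derived from its SSH host key) stays a valid recipient for anything that was encrypted to it. The `amalieem` account and its `ssh-ed25519` authorized key also disappear with the host, so if that access is still needed it has to be carried over to the replacement host explicitly rather than assumed.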

@@ -1,27 +0,0 @@
{ config, pkgs, lib, ... }:
{
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
};
"/export/defiant-backup" = {
device = "/tank/backup/defiant";
options = [ "bind" ];
};
};
# Enable nfs4 only
services.nfs.server = {
enable = true;
exports = ''
/export 192.168.10.4(rw,fsid=0,no_subtree_check) 192.168.10.5(rw,fsid=0,no_subtree_check) 192.168.10.2(rw,fsid=0,no_subtree_check) 192.168.10.175(rw,fsid=0,no_subtree_check)
/export/riker-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
/export/doyle-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
/export/defiant-backup 192.168.10.175(rw,nohide,no_subtree_check,async,no_root_squash)
'';
};
networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
networking.firewall.allowedUDPPorts = [ 111 20048];
}
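Review bot: the clients named in `exports` (192.168.10.2, .4, .5 and .175) mounted these paths with `rw,no_root_squash`, so their own `fileSystems` entries and any backup jobs that wrote to voyager must be removed or repointed in the same change; otherwise they will stall at boot until the NFS mount times out against a host that no longer answers. Two smaller things for whoever rebuilds this elsewhere: `/export/doyle-backup` was exported to 192.168.10.2 but never bind-mounted in `fileSystems` (only `riker-backup` and `defiant-backup` are), so that export pointed at an empty directory, and `[ 111 20048]` is missing a space before the bracket.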

@@ -1,42 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# Network mounts (import)
fileSystems = {
"/mnt/feal-syn1/media" = {
device = "feal-syn1.home.feal.no:/volume2/media";
fsType = "nfs";
options = [ "vers=3" ];
#options = [ "x-systemd.automount" "noauto" ];
};
"/mnt/feal-syn1/nfs_proxmox" = {
device = "//feal-syn1.home.feal.no/nfs_proxmox";
fsType = "cifs";
options = let
# this line prevents hanging on network split
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in ["${automount_opts},credentials=/etc/feal-syn1-credentials"];
};
"/var/backup" = {
device = "/tank/backup/voyager";
options = [ "bind "];
};
};
}
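Review bot: two things to clean up alongside this deletion. `credentials=/etc/feal-syn1-credentials` referenced a CIFS credentials file provisioned outside Nix, so the share account it holds should be rotated or removed on feal-syn1 now that the host is gone. The `tank` pool carried `/tank/backup/voyager` and, per the deleted exports.nix, the riker and defiant backup trees, so those datasets should be confirmed migrated before the disks are reused. Minor defects in the removed code, relevant only if it is copied: `options = [ "bind "]` has a trailing space inside the string, and `latestCompatibleLinuxPackages` has been dropped from recent nixpkgs, so this file would not evaluate on a current release as written.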

@@ -1,108 +0,0 @@
{ config, pkgs, lib, ... }:
let
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
cfg = config.services.snappymail;
maxUploadSize = "256M";
in {
options.services.snappymail = {
enable = mkEnableOption (lib.mdDoc "Snappymail");
package = mkOption {
type = types.package;
default = pkgs.snappymail;
defaultText = lib.mdDoc "pkgs.snappymail";
description = lib.mdDoc "Which snappymail package to use.";
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/snappymail";
description = "State directory for snappymail";
};
hostname = mkOption {
type = types.str;
/* default = null; */
example = "mail.example.com";
description = "Enable nginx with this hostname, null disables nginx";
};
user = mkOption {
type = types.str;
default = "snappymail";
description = lib.mdDoc "System user under which snappymail runs";
};
group = mkOption {
type = types.str;
default = "snappymail";
description = lib.mdDoc "System group under which snappymail runs";
};
};
config = mkIf cfg.enable {
users.users = mkIf (cfg.user == "snappymail") {
snappymail = {
description = "Snappymail service";
group = cfg.group;
home = cfg.dataDir;
useDefaultShell = true;
createHome = true;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "snappymail") {
snappymail = {};
};
services.phpfpm.pools.snappymail = {
user = cfg.user;
group = cfg.group;
phpOptions = generators.toKeyValue {} {
upload_max_filesize = maxUploadSize;
post_max_size = maxUploadSize;
memory_limit = maxUploadSize;
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
services.nginx = mkIf (cfg.hostname != null) {
virtualHosts."${cfg.hostname}" = {
locations."/".extraConfig = ''
index index.php;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
'';
locations."^~ /data".extraConfig = ''
deny all;
'';
locations."~ \.php$".extraConfig = ''
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.snappymail.socket};
'';
extraConfig = ''
client_max_body_size ${maxUploadSize};
'';
root = if (cfg.package == pkgs.snappymail) then
pkgs.snappymail.override {
dataPath = cfg.dataDir;
}
else cfg.package;
};
};
};
}
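Review bot: if this module is revived elsewhere, fix the `hostname` option first: it has no default (the `default = null;` is commented out) while `config` tests `cfg.hostname != null`, so leaving it unset is an evaluation error rather than the "null disables nginx" behaviour the description promises; `type = types.nullOr types.str; default = null;` gives the documented behaviour. Two points in the nginx block are security-relevant: `autoindex on` at `/` publishes a directory listing of the application root, and in `locations."~ \.php$"` Nix drops the backslash from `\.` inside a double-quoted string, so nginx sees `~ .php$` and the location matches more than intended; write `"~ \\.php$"`.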

@@ -1,63 +0,0 @@
{ config, lib, pkgs, ... }:
{
systemd.timers."fancontrol" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar="*:0/3";
Unit = "fancontrol.service";
};
};
systemd.services."fancontrol" = {
environment = {
TEMP_MIN_FALLING = "50";
TEMP_MAX_RISING = "56";
TEMP_CRIT = "70";
LOW_FAN_SPEED = "0x10";
};
script = ''
SET_FAN_MANUAL="0x30 0x30 0x01 0x00" # Enable manual control
SET_FAN_AUTO="0x30 0x30 0x01 0x01" # Disable manual control
SET_FAN_LOW="0x30 0x30 0x02 0xff $LOW_FAN_SPEED"
SET_FAN_MAX="0x30 0x30 0x02 0xff 0x64" # force 100%
# Get all temperatures readings starting with "Temp ", find all two digit numbers followed by spaces, find the largest one, trim the trailing space
maxcoretemp=$(${pkgs.ipmitool}/bin/ipmitool sdr type temperature | grep '^Temp ' | grep -Po '\d{2} ' | sort -nr | head -n1 | xargs)
# Verify that we read a valid number
ISNUMBER='^[0-9]+$'
if ! [[ $maxcoretemp =~ $ISNUMBER ]] ; then
echo "Error: could not read temperature" >&2
exit 2
fi
echo "Highest measured CPU temperature: '$maxcoretemp'"
if [ "$maxcoretemp" -gt "$TEMP_CRIT" ]; then
echo "TOO HOT, CRITICAL CPU TEMP"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MAX
exit 1
fi
if [ "$maxcoretemp" -gt "$TEMP_MAX_RISING" ]; then
echo "TOO HOT, switching to IDRAC fan controL"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_AUTO
exit 0
fi
if [ "$maxcoretemp" -lt "$TEMP_MIN_FALLING" ]; then
echo "Sufficiently cooled, stepping down fans"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_LOW
exit 0
fi
echo "Temperature is between limits, doing nothing..."
'';
};
}
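Review bot: the temperature parser fails in the direction that matters. `grep -Po '\d{2} '` accepts exactly two digits before a space, so a reading of `100 degrees C` yields `00`, which passes the `^[0-9]+$` check as zero and lands in the `-lt "$TEMP_MIN_FALLING"` branch, stepping the fans down at the moment they should go to maximum. If this is ported to the replacement host, extract the number with something like `grep -Po '\d+(?= degrees)'`, and fail safe by issuing `$SET_FAN_AUTO` when the reading cannot be parsed instead of only exiting 2 and leaving the previous manual setting in place.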

@@ -1,61 +0,0 @@
{ config, pkgs, lib, ... }:
let
domainName = "jellyfin.home.feal.no";
in {
# Jellyfin - Media Streaming platform
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
systemd.services.jellyfin.serviceConfig = {
DeviceAllow = lib.mkForce [ "/dev/dri/card0" ];
};
services.nginx.virtualHosts."${domainName}" = {
serverAliases = [ "jf.feal.no" ];
extraConfig = ''
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
location = / {
return 302 http://$host/web/;
#return 302 https://$host/web/;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://127.0.0.1:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://127.0.0.1:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location /socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://127.0.0.1:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
'';
};
}
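Review bot: `DeviceAllow = lib.mkForce [ "/dev/dri/card0" ]` replaces whatever device list the module sets rather than extending it, and VA-API transcoding normally goes through the render node (`/dev/dri/renderD128`), which is not allowed here even though the user is added to the `render` group; on the replacement host, append rather than force, include the render node, and verify with `vainfo` as the jellyfin user. In the nginx block, `location = /` returns `302 http://$host/web/` with the https variant commented out, so a TLS-terminated virtual host would bounce clients back to plain HTTP; `return 302 $scheme://$host/web/` follows whatever the client used. `X-XSS-Protection` is deprecated and ignored by current browsers; `Content-Security-Policy` is the header that replaces it.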

Some files were not shown because too many files have changed in this diff.