worf: add prismlauncher

.gitignore

@@ -1,2 +1,3 @@
 result
 /secrets_tmp/
+*.drv

.sops.yaml

@@ -1,12 +1,15 @@
 keys:
-  - &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
+  - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
+  - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
   - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
+  - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
 
 creation_rules:
   # Global secrets
   - path_regex: secrets/[^/]+\.yaml$
     key_groups:
     - age:
+      - *user_felixalb_old
       - *user_felixalb
 
   # Host specific secrets
@@ -14,4 +17,11 @@ creation_rules:
     key_groups:
     - age:
       - *host_voyager
+      - *user_felixalb_old
+      - *user_felixalb
+
+  - path_regex: secrets/defiant/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_defiant
       - *user_felixalb

README.md

@@ -1,15 +1,14 @@
-# Work In Progress!
-Notice, these things might be missing:
-- Functionality
-- Style
-- Safety
+## Felixalbs nixos config
+
+Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host.
+Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
 
 ### Build:
-- Build locally on another machine (verify)
+- Build locally on another machine:
 ```
-nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurations.chapel.config.system.build.toplevel"
+nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurations.sarek.config.system.build.toplevel"
 ```
-(replace "chapel" with the hostname)
+(replace "sarek" with the hostname)
 
 - Build, install and switch on the actual target
 ```

base.nix

@@ -1,13 +1,13 @@
 { config, lib, pkgs, inputs, values, ... }:
 
 {
-
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
   networking = {
     domain = "home.feal.no";
-    useDHCP = false;
+    nameservers = [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
+    useDHCP = lib.mkDefault false;
   };
 
   time.timeZone = "Europe/Oslo";
@@ -15,7 +15,7 @@
 
   console = {
     font = "Lat2-Terminus16";
-    keyMap = "no";
+    keyMap = lib.mkDefault "no";
   };
 
   nix = {
@@ -24,7 +24,11 @@
       options = "--delete-older-than 2d";
     };
 
-    settings.experimental-features = ["nix-command" "flakes"];
+    settings = {
+      experimental-features = ["nix-command" "flakes"];
+      trusted-users = [ "felixalb" ];
+      builders-use-substitutes = true;
+    };
 
     registry= {
       nixpkgs.flake = inputs.nixpkgs;
@@ -36,12 +40,16 @@
   programs.zsh.enable = true;
 
   environment.systemPackages = with pkgs; [
-    wget
-    git
-    tree
-    rsync
+    bat
     bottom
+    git
+    gnugrep
+    gnutar
     ripgrep
+    rsync
+    tree
+    eza
+    wget
   ];
 
   services.openssh = {
@@ -60,14 +68,22 @@
     '';
   };
 
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
   users.users.felixalb = {
     isNormalUser = true;
-    extraGroups = [ "wheel" ];
+    extraGroups = [
+      "wheel"
+      "docker"
+    ];
     uid = 1000;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkLmJIkBM6AMbYM/hYm27Flgya81UiGqh9/owYWmrbZ home.feal.no"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiPHhj0YbklJnJNcxD0IlzPxLTGfv095H5zyS/1Wb64 felixalb@edison.home.feal.no"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf"
     ];
+    shell = pkgs.zsh;
   };
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 }

common/metrics-exporters.nix

@@ -7,13 +7,13 @@
     enabledCollectors = [ "systemd" ];
   };
 
-  systemd.services.prometheus-node-exporter.serviceConfig = {
-    # TODO: Define allowed IPs
-    # IPAddressDeny = "any";
-    # IPAddressAllow = [
-    #   values.chapel.ipv4
-    #   values.chapel.ipv6
-    # ];
+  networking.firewall = {
+    # TODO: Move this into the node-exporter systemd service
+    allowedTCPPorts = [ 9100 ];
+    extraCommands = ''
+      iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9100 -j ACCEPT
+      iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP
+    '';
   };
 
   services.promtail = {
@@ -25,7 +25,7 @@
       };
       clients = [
         {
-          url = "http://voyager.home.feal.no:3100/loki/api/v1/push";
+          url = "http://grafana.home.feal.no:3100/loki/api/v1/push";
         }
       ];
       scrape_configs = [

common/sketchybar-app-font.nix

@@ -0,0 +1,14 @@
+{ lib, stdenvNoCC, fetchurl }:
+
+stdenvNoCC.mkDerivation rec {
+  name = "sketchybar-app-font";
+  version = "1.0.20";
+  src = fetchurl {
+    url = "https://github.com/kvndrsslr/sketchybar-app-font/releases/download/v${version}/sketchybar-app-font.ttf";
+    hash = "sha256-pf3SSxzlNIdbXXHfRauFCnrVUMOd5J9sSUE9MsfWrwo=";
+  };
+  phases = [ "installPhase" ];
+  installPhase = ''
+    install -Dm644 $src $out/share/fonts/sketchybar-app-font/Regular.ttf
+  '';
+}

flake.lock

@@ -1,28 +1,157 @@
 {
   "nodes": {
-    "nixpkgs": {
+    "flake-compat": {
+      "flake": false,
       "locked": {
-        "lastModified": 1687573514,
-        "narHash": "sha256-jek0ezqxfiFPALhimRDBzgGOSgDv7ExZFhPDmAXoIsw=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "3ef8b37f59cf2e0b57371df726f3c0ecacfa0e73",
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.05-small",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703367386,
+        "narHash": "sha256-FMbm48UGrBfOWGt8+opuS+uLBLQlRfhiYXhHNcYMS5k=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "d5824a76bc6bb93d1dce9ebbbcb09a9b6abcc224",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-23.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "matrix-synapse-next": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1701507532,
+        "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
+        "owner": "dali99",
+        "repo": "nixos-matrix-modules",
+        "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "dali99",
+        "repo": "nixos-matrix-modules",
+        "type": "github"
+      }
+    },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703649338,
+        "narHash": "sha256-n2MkBotGgTQsfB+wH09R+otBwYCvGCsnHX7eUMGkKL0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "8a8321271f0835fae2cb195e1137cb381fdbcc8e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "nix-minecraft": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1703812100,
+        "narHash": "sha256-JN8qbWz6OPEEPwP+AmfAmlhPE19RqUqND6hGAeK2Od0=",
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "rev": "7d23e6f5635499a34d09950981cf42bb072f4fa2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Infinidoge",
+        "repo": "nix-minecraft",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1698318101,
+        "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
+        "owner": "nixos",
         "repo": "nixpkgs",
+        "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1673743903,
+        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
         "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1687031877,
-        "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
+        "lastModified": 1703351344,
+        "narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
+        "rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
         "type": "github"
       },
       "original": {
@@ -32,11 +161,32 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1703467016,
+        "narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d02d818f22c777aa4e854efc3242ec451e5d462a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs",
+        "home-manager": "home-manager",
+        "matrix-synapse-next": "matrix-synapse-next",
+        "nix-darwin": "nix-darwin",
+        "nix-minecraft": "nix-minecraft",
+        "nixpkgs": "nixpkgs_2",
         "sops-nix": "sops-nix",
-        "unstable": "unstable"
+        "unstable": "unstable",
+        "voyager-addons": "voyager-addons"
       }
     },
     "sops-nix": {
@@ -47,11 +197,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1687398569,
-        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
+        "lastModified": 1703387502,
+        "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
+        "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
         "type": "github"
       },
       "original": {
@@ -60,21 +210,51 @@
         "type": "github"
       }
     },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "unstable": {
       "locked": {
-        "lastModified": 1687639213,
-        "narHash": "sha256-m/jb2D62UXMPy8LeiF39/qGbDBpNpix/h7ne1EXRl9M=",
+        "lastModified": 1703438236,
+        "narHash": "sha256-aqVBq1u09yFhL7bj1/xyUeJjzr92fXVvQSSEx6AdB1M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8eef75145e6c3beada369aee48bd9c2c3a4dee88",
+        "rev": "5f64a12a728902226210bf01d25ec6cbb9d9265b",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable-small",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
+    },
+    "voyager-addons": {
+      "locked": {
+        "lastModified": 1704460893,
+        "narHash": "sha256-rK+GBsfkua1Ou4YHcpQciDOdeS3q23GfTit2SddgTv0=",
+        "ref": "refs/heads/main",
+        "rev": "238bcd33b3e2562fcf76f86348909990ddc3d6cc",
+        "revCount": 3,
+        "type": "git",
+        "url": "ssh://git@git.feal.no:2222/felixalb/voyager-addons.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://git@git.feal.no:2222/felixalb/voyager-addons.git"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -2,16 +2,36 @@
   description = "Felixalb System flake";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
-    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+    nix-darwin.url = "github:lnl7/nix-darwin/master";
+    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
+
+    home-manager.url = "github:nix-community/home-manager/release-23.11";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    matrix-synapse-next.url = "github:dali99/nixos-matrix-modules";
+    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
+
+    voyager-addons.url = "git+ssh://git@git.feal.no:2222/felixalb/voyager-addons.git";
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
+  outputs = {
+    self
+    , home-manager
+    , matrix-synapse-next
+    , nix-minecraft
+    , nix-darwin
+    , nixpkgs
+    , sops-nix
+    , unstable
+    , voyager-addons
+  , ... }@inputs:
     let
-      system = "x86_64-linux";
       overlay-unstable = final: prev: {
         unstable = unstable.legacyPackages.${prev.system};
       };
@@ -19,7 +39,7 @@
     {
       nixosConfigurations = {
         voyager = nixpkgs.lib.nixosSystem {
-          inherit system;
+          system = "x86_64-linux";
           specialArgs = {
             inherit inputs;
           };
@@ -28,21 +48,54 @@
             ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
 
             ./hosts/voyager/configuration.nix
+            voyager-addons.nixosModules.default
             sops-nix.nixosModules.sops
+            home-manager.nixosModules.home-manager {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users."felixalb" = import ./hosts/voyager/home.nix;
+            }
           ];
         };
-        chapel = nixpkgs.lib.nixosSystem {
-          inherit system;
+        defiant = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
           specialArgs = {
             inherit inputs;
           };
           modules = [
-            ./hosts/chapel/configuration.nix
+            # Overlays-module makes "pkgs.unstable" available in configuration.nix
+            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+
+            ./hosts/defiant/configuration.nix
             sops-nix.nixosModules.sops
+            matrix-synapse-next.nixosModules.default
+            home-manager.nixosModules.home-manager {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users."felixalb" = import ./hosts/defiant/home.nix;
+            }
+          ];
+        };
+        edison = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = {
+            inherit inputs;
+          };
+          modules = [
+            # Overlays-module makes "pkgs.unstable" available in configuration.nix
+            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+
+            ./hosts/edison/configuration.nix
+            sops-nix.nixosModules.sops
+            home-manager.nixosModules.home-manager {
+              home-manager.useGlobalPkgs = true;
+              home-manager.useUserPackages = true;
+              home-manager.users."felixalb" = import ./hosts/edison/home.nix;
+            }
           ];
         };
         redshirt = nixpkgs.lib.nixosSystem {
-          inherit system;
+          system = "x86_64-linux";
           specialArgs = {
             inherit inputs;
           };
@@ -54,8 +107,29 @@
         };
       };
 
+      darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
+        system = "aarch64-darwin";
+        specialArgs = {
+          inherit inputs;
+        };
+        modules = [
+          ./hosts/worf/configuration.nix
+          ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+          home-manager.darwinModules.home-manager {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.users."felixalb" = import ./hosts/worf/home.nix;
+          }
+          # sops-nix.nixosModules.sops
+        ];
+      };
+
       devShells.x86_64-linux = {
         default = nixpkgs.legacyPackages.x86_64-linux.callPackage ./shell.nix { };
       };
+
+      devShells.aarch64-darwin = {
+        default = nixpkgs.legacyPackages.aarch64-darwin.callPackage ./shell.nix { };
+      };
     };
 }

home/alacritty.nix

@@ -0,0 +1,334 @@
+{ pkgs, lib, inputs, config, ...}:
+{
+  programs.alacritty = {
+    enable = true;
+    settings = {
+      env = {
+        TERM = "xterm-256color";
+      };
+
+      window = {
+        padding = {
+          x = 4;
+          y = 4;
+        };
+
+        decorations = "none"; # full/none/transparent/buttonless
+
+        # Transparency:
+        # opacity = 0.95;
+      };
+
+      scrolling = {
+        history = 9999;
+        multiplier = 3;
+      };
+
+      # Font configuration (changes require restart)
+      font = {
+        normal = {
+          family = "Hack Nerd Font Mono";
+          style = "Regular";
+        };
+
+        bold = {
+          family = "Hack Nerd Font Mono";
+          style = "Bold";
+        };
+
+        italic = {
+          family = "Hack Nerd Font Mono";
+          style = "Italic";
+        };
+
+        size = 14;
+      };
+
+      draw_bold_text_with_bright_colors = true;
+
+      colors = {
+        # # Tomorrow Night Bright
+        # primary = {
+        #   background = "0x141414";
+        #   foreground = "0xeaeaea";
+        # };
+
+        # cursor = {
+        #   text = "0x000000";
+        #   cursor = "0xffffff";
+        # };
+
+        # normal = {
+        #   black   = "0x000000";
+        #   red     = "0xd54e53";
+        #   green   = "0x82de37";
+        #   yellow  = "0xe6c547";
+        #   blue    = "0x7aa6da";
+        #   magenta = "0xc397d8";
+        #   cyan    = "0x70c0ba";
+        #   white   = "0xffffff";
+        # };
+
+        # bright = {
+        #   black   = "0x666666";
+        #   red     = "0xff3334";
+        #   green   = "0x8bd45d";
+        #   yellow  = "0xe7c547";
+        #   blue    = "0x7aa6da";
+        #   magenta = "0xb77ee0";
+        #   cyan    = "0x54ced6";
+        #   white   = "0xffffff";
+        # };
+
+        # Nord:
+        primary = {
+          background = "0x2e3440";
+          foreground = "0xd8dee9";
+          dim_foreground = "0xa5abb6";
+        };
+
+        cursor = {
+          text = "0x2e3440";
+          cursor = "0xd8dee9";
+        };
+
+        vi_mode_cursor = {
+          text = "0x2e3440";
+          cursor = "0xd8dee9";
+        };
+
+        selection = {
+          text = "CellForeground";
+          background = "0x4c566a";
+        };
+
+        normal = {
+          black   = "0x3b4252";
+          red     = "0xbf616a";
+          green   = "0xa3be8c";
+          yellow  = "0xebcb8b";
+          blue    = "0x81a1c1";
+          magenta = "0xb48ead";
+          cyan    = "0x88c0d0";
+          white   = "0xe5e9f0";
+        };
+
+        bright = {
+          black   = "0x4c566a";
+          red     = "0xbf616a";
+          green   = "0xa3be8c";
+          yellow  = "0xebcb8b";
+          blue    = "0x81a1c1";
+          magenta = "0xb48ead";
+          cyan    = "0x8fbcbb";
+          white   = "0xeceff4";
+        };
+
+        dim = {
+          black   = "0x373e4d";
+          red     = "0x94545d";
+          green   = "0x809575";
+          yellow  = "0xb29e75";
+          blue    = "0x68809a";
+          magenta = "0x8c738c";
+          cyan    = "0x6d96a5";
+          white   = "0xaeb3bb";
+        };
+
+
+
+        # Indexed Colors
+        #
+        # The indexed colors include all colors from 16 to 256.
+        # When these are not set, they're filled with sensible defaults.
+        #
+        # Example:
+        #   `- { index: 16, color: '0xff00ff' }`
+        #
+        # indexed_colors: []
+      };
+
+      visual_bell = {
+        animation = "EaseOutExpo";
+        color = "0xffffff";
+        duration = 200;
+      };
+
+      # Key bindings
+      #
+      # Key bindings are specified as a list of objects. Each binding will specify a
+      # key and modifiers required to trigger it, terminal modes where the binding is
+      # applicable, and what should be done when the key binding fires. It can either
+      # send a byte sequence to the running application (`chars`), execute a
+      # predefined action (`action`) or fork and execute a specified command plus
+      # arguments (`command`).
+      #
+      # Bindings are always filled by default, but will be replaced when a new binding
+      # with the same triggers is defined. To unset a default binding, it can be
+      # mapped to the `None` action.
+      #
+      # Example:
+      #   `- { key: V, mods: Control|Shift, action: Paste }`
+      #
+      # Available fields:
+      #   - key
+      #   - mods (optional)
+      #   - chars | action | command (exactly one required)
+      #   - mode (optional)
+      #
+      # Values for `key`:
+      #   - `A` -> `Z`
+      #   - `F1` -> `F12`
+      #   - `Key1` -> `Key0`
+      #
+      #   A full list with available key codes can be found here:
+      #   https://docs.rs/glutin/*/glutin/enum.VirtualKeyCode.html#variants
+      #
+      #   Instead of using the name of the keys, the `key` field also supports using
+      #   the scancode of the desired key. Scancodes have to be specified as a
+      #   decimal number.
+      #   This command will allow you to display the hex scancodes for certain keys:
+      #     `showkey --scancodes`
+      #
+      # Values for `mods`:
+      #   - Command
+      #   - Control
+      #   - Option
+      #   - Super
+      #   - Shift
+      #   - Alt
+      #
+      #   Multiple `mods` can be combined using `|` like this: `mods: Control|Shift`.
+      #   Whitespace and capitalization is relevant and must match the example.
+      #
+      # Values for `chars`:
+      #   The `chars` field writes the specified string to the terminal. This makes
+      #   it possible to pass escape sequences.
+      #   To find escape codes for bindings like `PageUp` ("\x1b[5~"), you can run
+      #   the command `showkey -a` outside of tmux.
+      #   Note that applications use terminfo to map escape sequences back to
+      #   keys. It is therefore required to update the terminfo when
+      #   changing an escape sequence.
+      #
+      # Values for `action`:
+      #   - Paste
+      #   - PasteSelection
+      #   - Copy
+      #   - IncreaseFontSize
+      #   - DecreaseFontSize
+      #   - ResetFontSize
+      #   - ScrollPageUp
+      #   - ScrollPageDown
+      #   - ScrollLineUp
+      #   - ScrollLineDown
+      #   - ScrollToTop
+      #   - ScrollToBottom
+      #   - ClearHistory
+      #   - Hide
+      #   - Quit
+      #   - ClearLogNotice
+      #   - SpawnNewInstance
+      #   - ToggleFullscreen
+      #   - None
+      #
+      # Values for `action` (macOS only):
+      #   - ToggleSimpleFullscreen: Enters fullscreen without occupying another space
+      #
+      # Values for `command`:
+      #   The `command` field must be a map containing a `program` string and
+      #   an `args` array of command line parameter strings.
+      #
+      #   Example:
+      #       `command: { program: "alacritty", args: ["-e", "vttest"] }`
+      #
+      # Values for `mode`:
+      #   - ~AppCursor
+      #   - AppCursor
+      #   - ~AppKeypad
+      #   - AppKeypad
+      #
+      # key_bindings:
+      #   - { key: V,        mods: Alt,       action: Paste                        }
+      #   - { key: C,        mods: Alt,       action: Copy                         }
+      #   - { key: Q,        mods: Alt,       action: Quit                         }
+      #   - { key: N,        mods: Alt,       action: SpawnNewInstance             }
+      #   - { key: Return,   mods: Alt,       action: ToggleFullscreen             }
+
+      #   - { key: Home,                          chars: "\x1bOH",   mode: AppCursor   }
+      #   - { key: Home,                          chars: "\x1b[H",   mode: ~AppCursor  }
+      #   - { key: End,                           chars: "\x1bOF",   mode: AppCursor   }
+      #   - { key: End,                           chars: "\x1b[F",   mode: ~AppCursor  }
+      #   - { key: Equals,   mods: Alt,       action: IncreaseFontSize             }
+      #   - { key: Minus,    mods: Alt,       action: DecreaseFontSize             }
+      #   - { key: Minus,    mods: Alt|Shift, action: ResetFontSize                }
+      #   - { key: PageUp,   mods: Shift,         chars: "\x1b[5;2~"                   }
+      #   - { key: PageUp,   mods: Control,       chars: "\x1b[5;5~"                   }
+      #   - { key: PageUp,                        chars: "\x1b[5~"                     }
+      #   - { key: PageDown, mods: Shift,         chars: "\x1b[6;2~"                   }
+      #   - { key: PageDown, mods: Control,       chars: "\x1b[6;5~"                   }
+      #   - { key: PageDown,                      chars: "\x1b[6~"                     }
+      #   - { key: Left,     mods: Shift,         chars: "\x1b[1;2D"                   }
+      #   - { key: Left,     mods: Control,       chars: "\x1b[1;5D"                   }
+      #   - { key: Left,     mods: Alt,           chars: "\x1b[1;3D"                   }
+      #   - { key: Left,                          chars: "\x1b[D",   mode: ~AppCursor  }
+      #   - { key: Left,                          chars: "\x1bOD",   mode: AppCursor   }
+      #   - { key: Right,    mods: Shift,         chars: "\x1b[1;2C"                   }
+      #   - { key: Right,    mods: Control,       chars: "\x1b[1;5C"                   }
+      #   - { key: Right,    mods: Alt,           chars: "\x1b[1;3C"                   }
+      #   - { key: Right,                         chars: "\x1b[C",   mode: ~AppCursor  }
+      #   - { key: Right,                         chars: "\x1bOC",   mode: AppCursor   }
+      #   - { key: Up,       mods: Shift,         chars: "\x1b[1;2A"                   }
+      #   - { key: Up,       mods: Control,       chars: "\x1b[1;5A"                   }
+      #   - { key: Up,       mods: Alt,           chars: "\x1b[1;3A"                   }
+      #   - { key: Up,                            chars: "\x1b[A",   mode: ~AppCursor  }
+      #   - { key: Up,                            chars: "\x1bOA",   mode: AppCursor   }
+      #   - { key: Down,     mods: Shift,         chars: "\x1b[1;2B"                   }
+      #   - { key: Down,     mods: Control,       chars: "\x1b[1;5B"                   }
+      #   - { key: Down,     mods: Alt,           chars: "\x1b[1;3B"                   }
+      #   - { key: Down,                          chars: "\x1b[B",   mode: ~AppCursor  }
+      #   - { key: Down,                          chars: "\x1bOB",   mode: AppCursor   }
+      #   - { key: Tab,      mods: Shift,         chars: "\x1b[Z"                      }
+      #   - { key: F1,                            chars: "\x1bOP"                      }
+      #   - { key: F2,                            chars: "\x1bOQ"                      }
+      #   - { key: F3,                            chars: "\x1bOR"                      }
+      #   - { key: F4,                            chars: "\x1bOS"                      }
+      #   - { key: F5,                            chars: "\x1b[15~"                    }
+      #   - { key: F6,                            chars: "\x1b[17~"                    }
+      #   - { key: F7,                            chars: "\x1b[18~"                    }
+      #   - { key: F8,                            chars: "\x1b[19~"                    }
+      #   - { key: F9,                            chars: "\x1b[20~"                    }
+      #   - { key: F10,                           chars: "\x1b[21~"                    }
+      #   - { key: F11,                           chars: "\x1b[23~"                    }
+      #   - { key: F12,                           chars: "\x1b[24~"                    }
+      #   - { key: Back,                          chars: "\x7f"                        }
+      #   - { key: Back,     mods: Alt,           chars: "\x1b\x7f"                    }
+      #   - { key: Insert,                        chars: "\x1b[2~"                     }
+      #   - { key: Delete,                        chars: "\x1b[3~"                     }
+
+
+
+      mouse = {
+        double_click = { threshold = 300; };
+        triple_click = { threshold = 300; };
+        hide_when_typing = false;
+      };
+
+      selection = {
+        semantic_escape_chars = ",│`|:\"' ()[]{}<>";
+        save_to_clipboard = false;
+      };
+
+      mouse_bindings = [
+        { mouse = "Middle"; action = "PasteSelection"; }
+      ];
+
+      cursor = {
+        style = "Block";
+        blinking = true;
+        unfocused_hollow = true;
+      };
+
+      dynamic_title = true;
+    };
+  };
+}

home/base.nix

@@ -0,0 +1,36 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./neovim.nix
+    ./zsh.nix
+  ];
+
+  programs.nix-index = {
+    enable = true;
+    enableZshIntegration = true;
+  };
+
+  programs.git = {
+    enable = true;
+
+    extraConfig = {
+      pull.rebase = true;
+      push.autoSetupRemote = true;
+      color.ui = "auto";
+      init.defaultBranch = "main";
+      lfs.enable = true;
+
+      user = {
+        name = "Felix Albrigtsen";
+        email = "felix@albrigtsen.it";
+      };
+    };
+    ignores = [
+      "*~"
+      "*.swp"
+      ".DS_Store"
+      ".vscode"
+    ];
+  };
+
+}

home/felixalb/home.nix

@@ -1,46 +0,0 @@
-{ config, pkgs, ... }:
-{
-  imports = [
-    ./nvim.nix
-  ];
-  home.username = "felixalb";
-  home.homeDirectory = "/home/felixalb";
-  home.stateVersion = "22.11";
-
-  programs = {
-	home-manager.enable = true;
-        alacritty = {
-          enable = true;
-        };
-        firefox.enable = true;
-        rofi.enable = true;
-        zsh = {
-          enable = true;
-          enableAutosuggestions = true;
-          enableSyntaxHighlighting = true;
-          prezto = {
-            enable = true;
-            prompt.theme = "paradox";
-          };
-          # initExtra = ''
-          #   bindkey "''${key[Up]}" up-line-or-search
-          #   bindkey "''${key[Down]}" down-line-or-search
-          # '';
-        };
-	git = {
-		enable = true;
-		userName = "Felix Albrigtsen";
-		userEmail = "felixalbrigtsen@gmail.com";
-	};
-  };
-
-  services = {
-    redshift = {
-      enable = true;
-      tray = true;
-
-      duskTime = "19:30-20:30";
-      dawnTime = "7:30-8:30";
-    };
-  };
-}

home/felixalb/nvim.nix

@@ -1,69 +0,0 @@
-{ pkgs, config, ... }
-{
-  programs.neovim = {
-    enable = true;
-    vimAlias = true;
-
-    extraConfig = ''
-      set number	" Show line numbers
-      set number relativenumber " Enable hybrid line numbers
-      set nu rnu
-      set signcolumn=number
-      set showmatch	" Highlight matching brace
-      set errorbells	" Beep or flash screen on errors
-
-      set hlsearch	" Highlight all search results
-      set smartcase	" Enable smart-case search
-      set incsearch	" Searches for strings incrementally
-
-      set autoindent	" Auto-indent new lines
-      set expandtab	" Use spaces instead of tabs
-      set shiftwidth=2 " Number of auto-indent spaces
-      set smartindent	" Enable smart-indent
-      set smarttab	" Enable smart-tabs
-      set softtabstop=0 " Number of spaces per Tab, auto
-
-      set updatetime=300 " Time interval for updating buffers
-
-      set ruler	" Show row and column ruler information
-
-      set undolevels=1000	" Number of undo levels
-      set backspace=indent,eol,start	" Backspace behaviour
-    '';
-
-    plugins = with pkgs.vimPlugins; [
-      vim-nix
-      vim-commentary
-      vim-devicons
-      { plugin = nerdtree;
-        config = "
-        nmap <silent> <C-t> :NERDTreeToggle<CR>
-        autocmd VimEnter * NERDTree \" Autostart nerdtree on vim startup
-        autocmd VimEnter * wincmd p \" Unselect nerdtree window
-        \" Close vim if Nerdtree is the only buffer left
-        autocmd bufenter * if (winnr(\"$\") == 1 && exists(\"b:NERDTree\") && b:NERDTree.isTabTree()) | q | endif
-        ";
-      }
-    ];
-    withNodeJs = true;
-    coc = {
-      enable = true;
-      settings = {
-        "suggest.enablePreview" = true;
-        "suggest.enablePreselect" = true;
-      };
-
-      package = pkgs.vimUtils.buildVimPluginFrom2Nix {
-        pname = "coc.nvim";
-        version = "2022-05-21";
-        src = pkgs.fetchFromGitHub {
-          owner = "neoclide";
-          repo = "coc.nvim";
-          rev = "791c9f673b882768486450e73d8bda10e391401d";
-          sha256 = "sha256-MobgwhFQ1Ld7pFknsurSFAsN5v+vGbEFojTAYD/kI9c=";
-        };
-        meta.homepage = "https://github.com/neoclide/coc.nvim/";
-      };
-    };
-  };
-}

home/neovim.nix

@@ -0,0 +1,130 @@
+{ pkgs, lib, inputs, config, ...}:
+let
+  undoDir = "${config.home.homeDirectory}/.vim/undo";
+in {
+  programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+    vimdiffAlias = true;
+    plugins = with pkgs.vimPlugins; [
+      lightline-vim
+      vim-lightline-coc
+
+      vim-commentary
+      vim-fugitive
+
+      nerdtree
+      nerdtree-git-plugin
+      vim-devicons
+      telescope-nvim
+
+      nvim-lspconfig
+      copilot-vim
+      nvim-treesitter
+
+      coc-css
+      coc-go
+      coc-html
+      coc-json
+      coc-nvim
+      coc-pyright
+
+      vim-nix
+    ];
+
+    withNodeJs = true;
+
+    extraConfig = ''
+      let mapleader = ','
+      set number
+      set shiftwidth=2
+      set tabstop=2
+      set expandtab
+
+      set undofile
+      set undodir=${undoDir}
+      set undolevels=1000
+      set undoreload=10000
+
+      " Integrate status with lightline
+      let g:lightline = {
+        \   'active': {
+        \     'left': [[  'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status'  ]]
+        \   }
+        \ }
+
+      " register components:
+      call lightline#coc#register()
+
+      " GoTo code navigation.
+      nmap <silent> gd <Plug>(coc-definition)
+      nmap <silent> gy <Plug>(coc-type-definition)
+      nmap <silent> gi <Plug>(coc-implementation)
+      nmap <silent> gr <Plug>(coc-references)
+
+      " Use K to show documentation in preview window.
+      nnoremap <silent> K :call ShowDocumentation()<CR>
+      function! ShowDocumentation()
+        if CocAction('hasProvider', 'hover')
+          call CocActionAsync('doHover')
+        else
+          call feedkeys('K', 'in')
+        endif
+      endfunction
+
+      " Enable syntax folding with coc
+      command! -nargs=* Fold :call CocAction('fold', <f-args>)
+
+      inoremap <silent><expr> <CR> coc#pum#visible() ? coc#pum#confirm()
+                                    \: "\<C-g>u\<CR>\<c-r>=coc#on_enter()\<CR>"
+
+      " Highlight the symbol and its references when holding the cursor.
+      autocmd CursorHold * silent call CocActionAsync('highlight')
+
+      " Symbol renaming.
+      nmap <leader>rn <Plug>(coc-rename)
+
+      " Use CTRL-S for selections ranges.
+      " Requires 'textDocument/selectionRange' support of language server.
+      nmap <silent> <C-s> <Plug>(coc-range-select)
+      xmap <silent> <C-s> <Plug>(coc-range-select)
+
+      " Step through diagnostics
+      nmap <silent> <g <Plug>(coc-diagnostic-prev)
+      nmap <silent> >g <Plug>(coc-diagnostic-next)
+
+      " Nerdtree-settings
+      " Toggle nerdtree on Ctrl+t
+      nmap <silent> <C-t> :NERDTreeToggle<CR>
+      autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
+      autocmd VimEnter * wincmd p " Unselect nerdtree window
+      " Close vim is Nerdtree is the only buffer left
+      autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
+
+      " List and switch buffers on Ctrl+k
+      " nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space>
+      nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR>
+
+      " Telescope-settings
+      nnoremap <leader>ff <cmd>Telescope find_files<cr>
+      nnoremap <leader>fg <cmd>Telescope live_grep<cr>
+      nnoremap <leader>fb <cmd>Telescope buffers<cr>
+      nnoremap <leader>fh <cmd>Telescope help_tags<cr>
+      nnoremap <C-a> <cmd>Telescope buffers<cr>
+      nnoremap <C-s> <cmd>Telescope find_files<cr>
+      nnoremap <C-g> <cmd>Telescope live_grep<cr>
+
+      " Show trailing whitespace
+      highlight ExtraWhitespace ctermbg=red guibg=red
+      match ExtraWhitespace /\s\+$/
+
+      " Disable search highlights
+      map <Leader><Space> :noh<CR>
+    '';
+  };
+
+  # Create undo directory
+  home.activation.vimUndoDir = lib.hm.dag.entryAfter ["writeBoundary"] "mkdir -p ${undoDir}";
+}

home/zsh.nix

@@ -0,0 +1,65 @@
+{ pkgs, lib, inputs, config, ... }: {
+  programs = {
+    zsh = {
+      enable = true;
+
+      prezto = {
+        enable = true;
+        editor = {
+          keymap = "vi";
+          dotExpansion = true;
+        };
+        prompt = {
+          theme = "paradox";
+          pwdLength = "long";
+          showReturnVal = true;
+        };
+        terminal.autoTitle = true;
+
+        pmodules = [
+          "environment"
+          "terminal"
+          "editor"
+          "history"
+          # "directory"
+          "spectrum"
+          # "utility"
+          # "completion"
+          "git"
+          "autosuggestions"
+          "syntax-highlighting"
+          "history-substring-search"
+          "prompt"
+        ];
+      };
+
+      initExtra = ''
+        # Autocomplete ../
+        zstyle ':completion:*' special-dirs true
+        export PATH="$HOME/.config/emacs/bin:$PATH"
+        unalias "gs"
+      '';
+
+      shellAliases = {
+        l = "exa -l";
+        c = "z";
+        tree = "exa --tree --icons";
+        s = "nix-shell --run zsh";
+        sp = "nix-shell --run zsh -p";
+        spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p";
+        em = "emacsclient -c";
+        emnw = "emacsclient -nw";
+        gst = "git status -sb";
+        gcm = "git commit -m";
+        gps = "git push";
+        gpl = "git pull";
+        "git clone git clone" = "git clone";
+      };
+    };
+
+    zoxide = {
+      enable = true;
+      enableZshIntegration = true;
+    };
+  };
+}

hosts/chapel/configuration.nix

@@ -1,80 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports =
-    [
-      ../../base.nix
-      ../../common/metrics-exporters.nix
-
-      ./hardware-configuration.nix
-
-      ./services/nginx.nix
-      ./services/metrics
-      ./services/cloudflared.nix
-    ];
-
-  networking = {
-    hostName = "chapel";
-    defaultGateway = "192.168.10.1";
-    nameservers = [ "192.168.10.1" ];
-    interfaces.eth0.ipv4 = {
-      addresses = [
-        { address = "192.168.10.100"; prefixLength = 24; }
-      ];
-    };
-  };
-
-  environment.variables = { EDITOR = "vim"; };
-  environment.systemPackages = with pkgs; [
-    ((vim_configurable.override {  }).customize{
-       name = "vim";
-       vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
-       start = [ vim-nix vim-lastplace ];
-       opt = [];
-     };
-     vimrcConfig.customRC = ''
-     " your custom vimrc
-     set number
-     set relativenumber
-     set nu rnu
-     set signcolumn=number
-
-     set hlsearch
-     set smartcase
-     set incsearch
-
-     set autoindent
-     set expandtab
-     set shiftwidth=2
-     set tabstop=2
-     set smartindent
-     set smarttab
-
-     set ruler
-
-     set undolevels=1000
-
-     set nocompatible
-     set backspace=indent,eol,start
-     " Turn on syntax highlighting by default
-     syntax on
-     " ...
-     '';
-    }
-  )
-  ];
-
-  networking.firewall.allowedTCPPorts = [ 80 22 3100 ];
-
-  # system.copySystemConfiguration = true;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
-
-}
-

hosts/chapel/services/cloudflared.nix

@@ -1,24 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  users.users.cloudflared = {
-    group = "cloudflared";
-    isSystemUser = true;
-  };
-  users.groups.cloudflared = { };
-
-  environment.systemPackages = [
-    pkgs.cloudflared
-  ];
-
-  systemd.services.cloudflared_tunnel = {
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-    serviceConfig = {
-      ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token=TODO_FIXSECRETS";
-      Restart = "always";
-      User = "cloudflared";
-      Group = "cloudflared";
-    };
-  };
-}

hosts/chapel/services/hedgedoc.nix

@@ -1,22 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.hedgedoc = {
-    enable = true;
-    settings = {
-      port = 3031;
-      allowFreeURL = true;
-    };
-    config = {
-      domain = "md.feal.no";
-      db = {
-        dialect = "mysql";
-        host = "mysql.home.feal.no";
-        port = 3306;
-        database = "hedgedoc";
-        username = "hedgedoc";
-        password = "DummyPasswordPlzSops";
-      };
-    };
-  };
-}

hosts/chapel/services/metrics/grafana.nix

@@ -1,64 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  cfg = config.services.grafana;
-in {
-  services.grafana = {
-    enable = true;
-    settings.server = {
-      domain = "grafana.feal.no";
-      http_port = 2342;
-      http_addr = "127.0.0.1";
-    };
-
-    provision = {
-      enable = true;
-      datasources.settings.datasources = [
-        {
-          name = "Prometheus";
-          type = "prometheus";
-          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
-         isDefault = true;
-        }
-        {
-          name = "Loki";
-          type = "loki";
-          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
-        }
-      ];
-      dashboards.settings.providers = [
-        {
-          name = "Node Exporter Full";
-          type = "file";
-          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
-          options.path = dashboards/node-exporter-full.json;
-        }
-        {
-          name = "Synology NAS Details";
-          type = "file";
-          url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
-          options.path = dashboards/synology-nas-details.json;
-        }
-        {
-          name = "OpenWRT";
-          type = "file";
-          url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
-          options.path = dashboards/openwrt.json;
-        }
-      ];
-    };
-  };
-
-  services.nginx.virtualHosts.${cfg.settings.server.domain} = {
-    locations = {
-      "/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
-        proxyWebsockets = true;
-        extraConfig = ''
-          proxy_buffers 8 1024k;
-          proxy_buffer_size 1024k;
-        '';
-      };
-    };
-  };
-}

hosts/chapel/services/metrics/loki.nix

@@ -1,75 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  cfg = config.services.loki;
-in {
-  services.loki = {
-    enable = true;
-    configuration = {
-      auth_enabled = false;
-      server = {
-        http_listen_port = 3100;
-        http_listen_address = "0.0.0.0";
-        grpc_listen_port = 9096;
-      };
-
-      ingester = {
-        wal = {
-          enabled = true;
-          dir = "/var/lib/loki/wal";
-        };
-        lifecycler = {
-          address = "127.0.0.1";
-          ring = {
-            kvstore = {
-              store = "inmemory";
-            };
-            replication_factor = 1;
-          };
-          final_sleep = "0s";
-        };
-        chunk_idle_period = "1h";
-      };
-
-      schema_config = {
-        configs = [
-          {
-            from = "2022-12-01";
-            store = "boltdb-shipper";
-            object_store = "filesystem";
-            schema = "v11";
-            index = {
-              prefix = "index_";
-              period = "24h";
-            };
-          }
-        ];
-      };
-
-      storage_config = {
-        boltdb_shipper = {
-          active_index_directory = "/var/lib/loki/boltdb-shipper-index";
-          cache_location = "/var/lib/loki/boltdb-shipper-cache";
-          shared_store = "filesystem";
-          cache_ttl = "24h";
-        };
-        filesystem = {
-          directory = "/var/lib/loki/chunks";
-        };
-      };
-
-      limits_config = {
-        enforce_metric_name = false;
-        reject_old_samples = true;
-        reject_old_samples_max_age = "72h";
-      };
-
-      compactor = {
-        working_directory = "/var/lib/loki/compactor";
-        shared_store = "filesystem";
-      };
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
-}

hosts/chapel/services/metrics/prometheus.nix

@@ -1,60 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  cfg = config.services.prometheus;
-in {
-  services.prometheus = {
-    enable = true;
-    listenAddress = "127.0.0.1";
-    port = 9001;
-
-    scrapeConfigs = [
-      {
-        job_name = "node";
-        static_configs = [
-          {
-            targets = [
-              "chapel.home.feal.no:${toString cfg.exporters.node.port}"
-              "sulu.home.feal.no:9100"
-              "mccoy.home.feal.no:9100"
-              "borg.home.feal.no:9100"
-              "troi.home.feal.no:9100"
-              "dlink-feal.home.feal.no:9100"
-            ];
-          }
-        ];
-      }
-      {
-        job_name = "openwrt";
-        static_configs = [
-          { targets = ["dlink-feal.home.feal.no:9100"]; }
-        ];
-      }
-      {
-        job_name = "snmp";
-        static_configs = [{
-          targets = [
-            "feal-syn1.home.feal.no"
-            "feal-syn2.home.feal.no"
-          ];
-        }];
-        metrics_path = "/snmp";
-        params.module = ["synology"];
-        relabel_configs = [
-          {
-            source_labels = ["__address__"];
-            target_label = "__param_target";
-          }
-          {
-            source_labels = ["__param_target"];
-            target_label = "instance";
-          }
-          {
-            target_label = "__address__";
-            replacement = "127.0.0.1:9116";
-          }
-        ];
-      }
-    ];
-  };
-}

hosts/chapel/services/metrics/snmp-exporter.nix

@@ -1,20 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  environment.systemPackages = [
-    pkgs.prometheus-snmp-exporter
-  ];
-
-  systemd.services.prometheus-snmp-exporter = {
-    enable = true;
-    description = "Gather data from SNMP devices and expose them as Prometheus metrics";
-    unitConfig = {
-      Type = "simple";
-    };
-    serviceConfig = {
-      ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/var/prometheus/snmp.yml'";
-      # TODO: Fix this conf file!
-    };
-    wantedBy = [ "multi-user.target" ];
-  };
-}

hosts/chapel/services/nginx.nix

@@ -1,11 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
-}

hosts/defiant/configuration.nix

@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ../../base.nix
+      ../../common/metrics-exporters.nix
+      ./hardware-configuration.nix
+
+      ./services/nginx.nix
+      ./services/pihole.nix
+      ./services/postgresql.nix
+
+      ./services/flame.nix
+      ./services/gitea.nix
+      ./services/hedgedoc.nix
+      ./services/matrix-synapse.nix
+      ./services/metrics
+      ./services/minecraft.nix
+      ./services/vaultwarden.nix
+  ];
+
+  networking = {
+    hostName = "defiant";
+    defaultGateway = "192.168.10.1";
+    interfaces.enp3s0.ipv4 = {
+      addresses = [
+        { address = "192.168.10.175"; prefixLength = 24; } # Main IP for defiant, internal
+      ];
+    };
+    hostId = "8e84f235";
+  };
+
+  sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
+
+  environment.variables = { EDITOR = "vim"; };
+  environment.systemPackages = with pkgs; [
+    zfs
+  ];
+
+  boot = {
+    zfs.extraPools = [ "tank" ];
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  };
+  services.prometheus.exporters.zfs.enable = true;
+
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers.backend = "docker";
+
+  system.stateVersion = "23.11";
+}
+

hosts/defiant/hardware-configuration.nix

@@ -0,0 +1,36 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/DDDC-5C0C";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ {
+      device = "/swapfile";
+      size = 8*1024;
+  } ];
+
+  networking.useDHCP = lib.mkDefault false;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/defiant/home.nix

@@ -0,0 +1,19 @@
+{ pkgs, lib, ... }:
+{
+  home.packages = with pkgs; [
+    bat
+    bottom
+    ncdu
+    neofetch
+  ];
+
+  imports = [
+    ./../../home/base.nix
+  ];
+
+  programs = {
+    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+  };
+
+  home.stateVersion = "23.05";
+}

hosts/defiant/services/flame.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "flame.home.feal.no";
+  host = "127.0.1.2";
+  port = "5005";
+in {
+  # Flame - Homelab dashboard/linktree
+  virtualisation.oci-containers.containers = {
+    flame = {
+      image = "pawelmalak/flame";
+      ports = [ "${host}:${port}:5005" ];
+      volumes = [
+        "/var/lib/flame/data:/app/data/"
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/".proxyPass = "http://${host}:${port}";
+  };
+}
+

hosts/defiant/services/gitea.nix

@@ -1,29 +1,35 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
   cfg = config.services.gitea;
   domain = "git.feal.no";
   httpPort = 3004;
+  sshPort = 2222;
 in {
     services.gitea = {
       enable = true;
-      package = pkgs.unstable.gitea;
       appName = "felixalbs Gitea";
-      database = {
-        type = "postgres";
-      };
+      database.type = "postgres";
+      stateDir = "/tank/services/gitea";
 
       settings = {
         server = {
-          LANDING_PAGE=''"/felixalb"'';
-          HTTP_PORT = httpPort;
+          # Serve on local unix socket, exposed in hosts/defiant/services/nginx.nix
+          PROTOCOL = "http+unix";
           DOMAIN = domain;
           ROOT_URL = "https://${domain}";
+          LANDING_PAGE=''"/felixalb"'';
+
+          SSH_PORT = sshPort;
+          SSH_LISTEN_PORT = sshPort;
+          START_SSH_SERVER = true;
+          BUILTIN_SSH_SERVER_USER = "git";
         };
 
         service.DISABLE_REGISTRATION = true;
         session.COOKIE_SECURE = true;
 
         packages.ENABLED = false;
+        packages.CHUNKED_UPLOAD_PATH = "${cfg.stateDir}/tmp/package-upload";
 
         oauth2_client = {
           ENABLE_AUTO_REGISTRATION = true;
@@ -44,9 +50,13 @@ in {
       };
 
       # TODO:
-      # - dump (automatic backups)
+      # - Backup
+      #   - services.gitea.dump?
+      #   - ZFS snapshots?
       # - configure mailer
     };
 
-    networking.firewall.allowedTCPPorts = [ httpPort ];
+    systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";
+
+    networking.firewall.allowedTCPPorts = [ sshPort ];
 }

hosts/defiant/services/hedgedoc.nix

@@ -0,0 +1,117 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.hedgedoc.settings;
+  domain = "md.feal.no";
+  port = 3300;
+  host = "127.0.1.2";
+  authServerUrl = "https://auth.feal.no";
+in {
+  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+  sops.secrets."hedgedoc/env" = {
+    restartUnits = [ "hedgedoc.service" ];
+  };
+
+  services.hedgedoc = {
+    enable = true;
+    environmentFile = config.sops.secrets."hedgedoc/env".path;
+    settings = {
+      inherit domain port host;
+      protocolUseSSL = true;
+      sessionSecret = "$CMD_SESSION_SECRET";
+
+      allowFreeURL = true;
+      allowAnonymous = false;
+      allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
+
+      # dbURL = "postgres://hedgedoc@localhost/hedgedoc";
+      db = {
+        username = "hedgedoc";
+        database = "hedgedoc";
+        host = "/run/postgresql";
+        dialect = "postgresql";
+      };
+
+      email = false;
+      oauth2 = {
+        baseURL = "${authServerUrl}/oauth2";
+        tokenURL = "${authServerUrl}/oauth2/token";
+        authorizationURL = "${authServerUrl}/ui/oauth2";
+        userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+        clientID = "hedgedoc";
+        clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
+        scope = "openid email profile";
+        userProfileUsernameAttr = "name";
+        userProfileEmailAttr = "email";
+        userProfileDisplayNameAttr = "displayname";
+
+        providerName = "KaniDM";
+      };
+    };
+  };
+
+  systemd.services.hedgedoc = {
+    requires = [
+      "postgresql.service"
+      # "kanidm.service"
+    ];
+    serviceConfig = let
+      workDir = "/var/lib/hedgedoc";
+    in {
+      WorkingDirectory = lib.mkForce workDir;
+      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
+
+      # Better safe than sorry :)
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ReadWritePaths = [ workDir ];
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      UMask = "0007";
+      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+      SystemCallArchitectures = "native";
+      # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "hedgedoc" ];
+    ensureUsers = [{
+      name = "hedgedoc";
+      ensureDBOwnership = true;
+    }];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    listen = [
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
+    ];
+
+    enableACME = true;
+    forceSSL = true;
+
+    locations = {
+      "/" = {
+        proxyPass = "http://${host}:${toString port}";
+      };
+      "/socket.io" = {
+        proxyPass = "http://${host}:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

hosts/defiant/services/matrix-synapse.nix

@@ -1,7 +1,4 @@
-{ config, pkgs, ... }:
-let
-  main_ip = "127.0.1.2";
-in
+{ config, pkgs, lib, ... }:
 {
   sops.secrets."matrix/synapse/registrationsecret" = {
     restartUnits = [ "matrix-synapse.service" ];
@@ -9,9 +6,18 @@ in
     group = "matrix-synapse";
   };
 
-  services.matrix-synapse = {
+  services.matrix-synapse-next = {
     enable = true;
-    package = pkgs.matrix-synapse;
+    enableNginx = true;
+
+    workers = {
+      federationSenders = 1;
+      federationReceivers = 2;
+      initialSyncers = 1;
+      normalSyncers = 1;
+      eventPersisters = 1;
+      useUserDirectoryWorker = true;
+    };
 
     extraConfigFiles = [
       config.sops.secrets."matrix/synapse/registrationsecret".path
@@ -63,42 +69,16 @@ in
       tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
       tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
 
-      listeners = [
-        { port = 8008;
-          bind_addresses = [ main_ip ];
-          type = "http";
-          tls = false;
-          x_forwarded = true;
-          resources = [
-            { names = [ "client" ]; compress = true; }
-            { names = [ "federation" ]; compress = true; }
-          ];
-        }
-      ];
     };
   };
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  services.redis.servers."".enable = true;
 
-  services.nginx = {
-    enable = true;
-    enableReload = true;
-
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-
-    virtualHosts."matrix.feal.no" = {
-      locations."/_matrix" = {
-        proxyPass = "http://${main_ip}:8008";
-        extraConfig = ''
-          client_max_body_size 50M;
-        '';
-      };
-      # locations."/_synapse/client".proxyPass = "http://${main_ip}:8008";
-      locations."/" = {
-        proxyPass = "http://${main_ip}:8008";
-      };
-    };
+  services.nginx.virtualHosts."matrix.feal.no" = {
+    listen = [
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
+    ];
   };
+
 }

hosts/defiant/services/metrics/grafana.nix

@@ -5,6 +5,10 @@ let
 in {
   services.grafana = {
     enable = true;
+    dataDir = "/tank/services/metrics/grafana";
+
+    # TODO: Migrate sqlite to postgres
+
     settings.server = {
       domain = "grafana.home.feal.no";
       http_port = 2342;

hosts/defiant/services/metrics/loki.nix

@@ -1,10 +1,11 @@
 { config, pkgs, ... }:
 let
   cfg = config.services.loki;
-  saveDirectory = "/tank/var/lib/loki";
+  saveDirectory = "/tank/services/metrics/loki";
 in {
   services.loki = {
     enable = true;
+    dataDir = saveDirectory;
     configuration = {
       auth_enabled = false;
       server = {
@@ -70,6 +71,4 @@ in {
       };
     };
   };
-
-  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
 }

hosts/defiant/services/metrics/prometheus.nix

@@ -8,18 +8,22 @@ in {
     listenAddress = "127.0.0.1";
     port = 9001;
 
+    # StateDirectory must be under /var/lib.
+    # TODO: Back up to /tank/services/metrics/prometheus
+
     scrapeConfigs = [
       {
         job_name = "node";
         static_configs = [
           {
             targets = [
-              "voyager.home.feal.no:${toString cfg.exporters.node.port}"
+              "voyager.home.feal.no:9100"
               "sulu.home.feal.no:9100"
               "mccoy.home.feal.no:9100"
-              "borg.home.feal.no:9100"
-              "troi.home.feal.no:9100"
               "dlink-feal.home.feal.no:9100"
+              "edison.home.feal.no:9100"
+              "defiant.home.feal.no:9100"
+              "scotty.home.feal.no:9100"
             ];
           }
         ];

hosts/defiant/services/metrics/snmp-exporter.nix

@@ -12,8 +12,8 @@
       Type = "simple";
     };
     serviceConfig = {
-      ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/var/prometheus/snmp.yml'";
-      # TODO: Fix this conf file!
+      ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/tank/services/metrics/prometheus/snmp.yml'";
+      # snmp.yml = https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml + https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
     };
     wantedBy = [ "multi-user.target" ];
   };

hosts/defiant/services/minecraft.nix

@@ -0,0 +1,70 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+  imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
+  nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
+
+  services.minecraft-servers = {
+    enable = true;
+    eula = true;
+    openFirewall = true;
+    dataDir = "/var/lib/minecraft-wack";
+
+    servers.wack = {
+      enable = true;
+      jvmOpts = "-Xms4G -Xmx4G";
+
+      package = pkgs.fabricServers.fabric-1_20_4;
+
+      serverProperties = {
+        motd = "WackAttack M1n3cr4f7";
+        white-list = true;
+        difficulty = "normal";
+        view-distance = 16;
+        simulation-distance = 16;
+        enable-command-block = true;
+        enable-rcon = true;
+        "rcon.password" = "wack";
+      };
+
+      symlinks = {
+        mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
+          FabricAPI = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/JMCwDuki/fabric-api-0.92.0%2B1.20.4.jar";
+            sha256 = "sha256-7U0BK5CBENWY4s3t+dXTASprIeY4Tdeyzc06lNGkc/Q=";
+          };
+          Lithium = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/nMhjKWVE/lithium-fabric-mc1.20.4-0.12.1.jar";
+            sha256 = "sha256-as1JWV7mnhJkz8eYmPVpRS5BvWaYVGf8s40oBBka880=";
+          };
+          MCDiscordChat = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/D0sHdnXY/versions/tldGNWOW/MC-Discord-Chat-2.2.5.jar";
+            sha256 = "sha256-WK02gRNbTjbjQSIlWHP4aBSeGTZxtXwwbqt9fa7AJTA=";
+          };
+          SimpleVoiceChat = pkgs.fetchurl {
+            url = "https://cdn.modrinth.com/data/9eGKb6K1/versions/UIZXn9t1/voicechat-fabric-1.20.4-2.4.32.jar";
+            sha256 = "sha256-BZMK7Y8uaw1MvtQC1MXblsaaHy100a59KxSs4P0fjXE=";
+          };
+        });
+      };
+
+      whitelist = {
+        "_Oblivion" = "289be565-d73e-4cb1-a047-dcc319acdc80";
+        Crisju = "8b77dc43-27ba-4710-bbfd-4e01e6ec7461";
+        Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
+        Taschmex = "a3a258b0-901f-43d9-b130-dad3b29cd7ee";
+        guy_montag = "cb8aa890-a5a3-41f2-9bb7-1edb20c5a31f";
+        koppern = "3450494c-b945-4fa2-938c-5519adec005f";
+        krloer = "ab3029e2-76b6-4219-854e-16091fe5e421";
+      };
+    };
+  };
+
+  # TODO: Automated backup job (https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/commit/57d1dfd121fdb23fcef54e0632f6f6278c6bb753/hosts/greddost/services/minecraft/default.nix#L144)
+
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "minecraft-server"
+  ];
+
+  networking.firewall.allowedUDPPorts = [ 24454 ];
+}
+

hosts/defiant/services/nginx.nix

@@ -0,0 +1,73 @@
+{ config, values, ... }:
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    defaultListen = [
+      {
+        addr = "192.168.10.175";
+        port = 80;
+        ssl = false;
+      }
+    ];
+  };
+
+  networking.firewall.allowedTCPPorts = [
+       80   443 # Internal / Default
+    43080 43443 # External / Publicly exposed
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "felix@albrigtsen.it";
+  };
+
+  # Publicly exposed services:
+
+  services.nginx.virtualHosts = let
+    publicProxy = upstream: {
+      listen = [
+        { addr = "192.168.10.175"; port = 43443; ssl = true; }
+        { addr = "192.168.10.175"; port = 43080; ssl = false; }
+      ];
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/".proxyPass = "${upstream}";
+    };
+  in {
+    "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
+    "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
+    "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
+
+    "cloud.feal.no" = {
+      listen = [
+        { addr = "192.168.10.175"; port = 43443; ssl = true; }
+        { addr = "192.168.10.175"; port = 43080; ssl = false; }
+      ];
+      enableACME = true;
+      forceSSL = true;
+
+      extraConfig = ''
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        server_tokens off;
+
+        # HSTS settings
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+      '';
+      locations."/".proxyPass = "http://voyager.home.feal.no/";
+    };
+  };
+}

hosts/defiant/services/pihole.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "pihole.home.feal.no";
+  dnsHost = "192.168.10.175";
+  webuiListen = "127.0.1.2:5053";
+in {
+  # Flame - Homelab dashboard/linktree
+  virtualisation.oci-containers.containers = {
+    pihole = {
+      image = "pihole/pihole";
+      ports = [
+        "${dnsHost}:53:53/tcp"
+        "${dnsHost}:53:53/udp"
+        "${webuiListen}:80"
+      ];
+
+      environment.TZ = "Europe/Oslo";
+
+      volumes = [
+        "/var/lib/pihole/etc:/etc/pihole"
+        "/var/lib/pihole/dnsmasq:/etc/dnsmasq.d"
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/" = {
+      proxyPass = "http://${webuiListen}";
+      extraConfig = ''
+        rewrite /(.*) /admin/$1 break;
+      '';
+    };
+  };
+}
+

hosts/defiant/services/postgresql.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = false;
+  };
+
+  services.postgresqlBackup = {
+    # enable = true;
+    location = "/data/backup/postgresql/";
+    startAt = "*-*-* 03:15:00";
+    backupAll = true;
+  };
+
+  environment.systemPackages = [ config.services.postgresql.package ];
+}

hosts/defiant/services/vaultwarden.nix

@@ -3,7 +3,7 @@ let
   cfg = config.services.vaultwarden;
   domain = "pw.feal.no";
   address = "127.0.0.1";
-  port = 3011; # Note! The websocket port is left as default
+  port = 3011; # Note: The websocket port is left as default(3012)
 in {
   sops.secrets."vaultwarden/admintoken" = {
     owner = "vaultwarden";
@@ -20,27 +20,30 @@ in {
       rocketAddress = address;
       rocketPort = port;
       websocketEnabled = true;
-      databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
+      # databaseUrl = "postgresql://vaultwarden:@localhost/vaultwarden?sslmode=disable";
+      databaseUrl = "postgresql://vaultwarden@/vaultwarden";
 
       signupsAllowed = false;
-      rocketLog = "critical";
-
-    # This example assumes a mailserver running on localhost,
-    # thus without transport encryption.
-    # If you use an external mail server, follow:
-    #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
-      /* SMTP_HOST = "127.0.0.1"; */
-      /* SMTP_PORT = 25; */
-      /* SMTP_SSL = false; */
-
-      /* SMTP_FROM = "admin@bitwarden.example.com"; */
-      /* SMTP_FROM_NAME = "example.com Bitwarden server"; */
-
     };
   };
 
+  services.postgresql = {
+    ensureDatabases = [ "vaultwarden" ];
+    ensureUsers = [{
+      name = "vaultwarden";
+      ensureDBOwnership = true;
+    }];
+  };
 
   services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+
+    listen = [
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
+    ];
+
     extraConfig = ''
       client_max_body_size 128M;
     '';
@@ -57,13 +60,4 @@ in {
       proxyWebsockets = true;
     };
   };
-  services.postgresql = {
-    ensureDatabases = [ "vaultwarden" ];
-    ensureUsers = [{
-      name = "vaultwarden";
-      ensurePermissions = {
-        "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
-      };
-    }];
-  };
 }

hosts/edison/configuration.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../base.nix
+      ../../common/metrics-exporters.nix
+      ./hardware-configuration.nix
+      ./desktop.nix
+  ];
+
+  virtualisation.docker.enable = true;
+
+  networking = {
+    hostName = "edison";
+    defaultGateway = "192.168.10.1";
+
+    # Networking / Wi-Fi is configured with NM for now. TODO
+    networkmanager.enable = true;
+  };
+
+  console.keyMap = "us";
+
+  # sops.defaultSopsFile = ../../secrets/edison/edison.yaml;
+
+  environment.variables = { EDITOR = "vim"; };
+  environment.systemPackages = with pkgs; [
+    pavucontrol
+  ];
+
+  programs.steam.enable = true;
+
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "nvidia-x11"
+    "nvidia-settings"
+    "steam"
+    "steam-original"
+    "steam-run"
+  ];
+
+  system.stateVersion = "23.05";
+}
+

hosts/edison/desktop.nix

@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+{
+  services.xserver = {
+    enable = true;
+    desktopManager.xfce.enable = true;
+    videoDrivers = [ "nvidia" ];
+    layout = "us,no";
+    xkbVariant = "intl";
+  };
+
+  environment.systemPackages = with pkgs; [
+    xfce.xfce4-pulseaudio-plugin
+  ];
+
+  services.picom.enable = true;
+  hardware.opengl.enable = true;
+
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+
+  fonts = {
+    fontDir.enable = true;
+    packages = with pkgs; [
+      noto-fonts
+      noto-fonts-emoji
+      noto-fonts-cjk-sans
+      font-awesome
+      fira-code
+      hack-font
+      (nerdfonts.override {
+        fonts = [
+          "Hack"
+        ];
+      })
+    ];
+  };
+
+  # Remote:
+  services.xrdp = {
+    enable = true;
+    defaultWindowManager = "xfce4-session";
+    openFirewall = true;
+  };
+
+  services.flatpak.enable = true;
+  users.users."felixalb".packages = [ pkgs.flatpak ];
+  xdg.portal = {
+    enable = true;
+    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+  };
+}

hosts/edison/hardware-configuration.nix

@@ -5,32 +5,37 @@
 
 {
   imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/f7086b7c-581e-40d4-90c0-47cb767395c7";
+    { device = "/dev/disk/by-uuid/14b254e1-d94f-4b9b-a910-7fcf7e33af46";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/4303-A70F";
+    { device = "/dev/disk/by-uuid/A197-7913";
       fsType = "vfat";
     };
 
-  swapDevices = [ ];
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/d56040a0-3009-4899-95fa-1b82e60e32e4"; }
+    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
 
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/edison/home.nix

@@ -0,0 +1,24 @@
+{ pkgs, lib, ... }:
+{
+  home.packages = with pkgs; [
+    bat
+    bottom
+    mumble
+    ncdu
+    neofetch
+    nix-index
+  ];
+
+  imports = [
+    ./../../home/base.nix
+  ];
+
+  programs = {
+    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+    alacritty.enable = true;
+    firefox.enable = true;
+    rofi.enable = true;
+    };
+
+  home.stateVersion = "23.05";
+}

hosts/voyager/configuration.nix

@@ -10,94 +10,40 @@
       ./wireguard.nix
       ./exports.nix
 
-      #./vms.nix
-
+      ./services/snappymail.nix
+      ./services/calibre.nix
+      ./services/fancontrol.nix
+      ./services/jellyfin.nix
+      ./services/kanidm.nix
+      ./services/nextcloud.nix
       ./services/nginx
       ./services/postgres.nix
-      ./services/kanidm.nix
-      ./services/matrix
-      ./services/jellyfin.nix
+      ./services/timemachine.nix
       ./services/transmission.nix
-      ./services/metrics
-      ./services/flame.nix
-      ./services/gitea.nix
-      ./services/hedgedoc.nix
-      ./services/vaultwarden.nix
-      ./services/calibre.nix
-      # ./services/code-server.nix
   ];
 
   networking = {
     hostName = "voyager";
-    defaultGateway = "192.168.10.1";
-    nameservers = [ "192.168.11.100" "1.1.1.1" ];
-    interfaces.eno1.ipv4 = {
-      addresses = [
+    bridges.br0.interfaces = [ "eno1" ];
+    interfaces.br0.useDHCP = false;
+    interfaces.br0.ipv4.addresses = [
       { address = "192.168.10.165"; prefixLength = 24; }
-      ];
-    };
+    ];
+
     hostId = "8e84b235";
+    defaultGateway = "192.168.10.1";
   };
 
   sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
 
   environment.variables = { EDITOR = "vim"; };
   environment.systemPackages = with pkgs; [
-    ((vim_configurable.override {  }).customize{
-     name = "vim";
-     vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
-     start = [ vim-nix vim-lastplace vim-commentary ];
-     opt = [];
-     };
-     vimrcConfig.customRC = ''
-     " your custom vimrc
-     set number
-     set relativenumber
-     set nu rnu
-     set signcolumn=number
-
-     set hlsearch
-     set smartcase
-     set incsearch
-
-     set autoindent
-     set expandtab
-     set shiftwidth=2
-     set tabstop=2
-     set smartindent
-     set smarttab
-
-     set ruler
-
-     set undolevels=1000
-
-     set nocompatible
-     set backspace=indent,eol,start
-     " Turn on syntax highlighting by default
-     syntax on
-     " ...
-     '';
-    }
-  )
     zfs
-    screen
-    exa
   ];
 
-  /* virtualisation.podman = { */
-  /*   enable = true; */
-  /*   dockerCompat = true; # Make `docker` shell alias */
-  /*   defaultNetwork.settings.dns_enabled = true; */
-  /* }; */
-
-  /* virtualisation.oci-containers.backend = "podman"; */
-
   virtualisation.docker.enable = true;
   virtualisation.oci-containers.backend = "docker";
 
-
-  networking.firewall.allowedTCPPorts = [ 22 ];
-
   system.stateVersion = "22.11";
 }
 

hosts/voyager/exports.nix

@@ -5,17 +5,23 @@
       device = "/tank/backup/riker";
       options = [ "bind" ];
     };
+    "/export/defiant-backup" = {
+      device = "/tank/backup/defiant";
+      options = [ "bind" ];
+    };
   };
 
   # Enable nfs4 only
   services.nfs.server = {
     enable = true;
     exports = ''
-      /export                   192.168.10.4(rw,fsid=0,no_subtree_check) 192.168.10.5(rw,fsid=0,no_subtree_check) 192.168.10.2(rw,fsid=0,no_subtree_check)
+      /export                   192.168.10.4(rw,fsid=0,no_subtree_check) 192.168.10.5(rw,fsid=0,no_subtree_check) 192.168.10.2(rw,fsid=0,no_subtree_check) 192.168.10.175(rw,fsid=0,no_subtree_check)
       /export/riker-backup      192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
       /export/doyle-backup      192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
+      /export/defiant-backup    192.168.10.175(rw,nohide,no_subtree_check,async,no_root_squash)
     '';
   };
 
-  networking.firewall.allowedTCPPorts = [ 2049 ];
+  networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
+  networking.firewall.allowedUDPPorts = [ 111 20048];
 }

hosts/voyager/filesystems.nix

@@ -36,6 +36,4 @@
     };
   };
 
-  # Network mounts (export)
-
 }

hosts/voyager/hardware-configuration.nix

@@ -29,7 +29,6 @@
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
   # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
   # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
   # networking.interfaces.idrac.useDHCP = lib.mkDefault true;

hosts/voyager/home.nix

@@ -0,0 +1,19 @@
+{ pkgs, lib, ... }:
+{
+  home.packages = with pkgs; [
+    bat
+    bottom
+    ncdu
+    neofetch
+  ];
+
+  imports = [
+    ./../../home/base.nix
+  ];
+
+  programs = {
+    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+  };
+
+  home.stateVersion = "23.05";
+}

hosts/voyager/modules/snappymail.nix

@@ -0,0 +1,108 @@
+{ config, pkgs, lib, ... }:
+
+let
+  inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
+
+  cfg = config.services.snappymail;
+  maxUploadSize = "256M";
+in {
+  options.services.snappymail = {
+    enable = mkEnableOption (lib.mdDoc "Snappymail");
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.snappymail;
+      defaultText = lib.mdDoc "pkgs.snappymail";
+      description = lib.mdDoc "Which snappymail package to use.";
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/snappymail";
+      description = "State directory for snappymail";
+    };
+
+    hostname = mkOption {
+      type = types.str;
+      /* default = null; */
+      example = "mail.example.com";
+      description = "Enable nginx with this hostname, null disables nginx";
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "snappymail";
+      description = lib.mdDoc "System user under which snappymail runs";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "snappymail";
+      description = lib.mdDoc "System group under which snappymail runs";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users = mkIf (cfg.user == "snappymail") {
+      snappymail = {
+        description = "Snappymail service";
+        group = cfg.group;
+        home = cfg.dataDir;
+        useDefaultShell = true;
+        createHome = true;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "snappymail") {
+      snappymail = {};
+    };
+
+    services.phpfpm.pools.snappymail = {
+      user = cfg.user;
+      group = cfg.group;
+      phpOptions = generators.toKeyValue {} {
+        upload_max_filesize = maxUploadSize;
+        post_max_size = maxUploadSize;
+        memory_limit = maxUploadSize;
+      };
+
+      settings = {
+        "listen.owner" = config.services.nginx.user;
+        "listen.group" = config.services.nginx.group;
+        "pm" = "ondemand";
+        "pm.max_children" = 32;
+        "pm.process_idle_timeout" = "10s";
+        "pm.max_requests" = 500;
+      };
+    };
+
+    services.nginx = mkIf (cfg.hostname != null) {
+      virtualHosts."${cfg.hostname}" = {
+        locations."/".extraConfig = ''
+          index index.php;
+          autoindex on;
+          autoindex_exact_size off;
+          autoindex_localtime on;
+        '';
+        locations."^~ /data".extraConfig = ''
+          deny all;
+        '';
+        locations."~ \.php$".extraConfig = ''
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
+          fastcgi_pass unix:${config.services.phpfpm.pools.snappymail.socket};
+        '';
+        extraConfig = ''
+          client_max_body_size ${maxUploadSize};
+        '';
+
+        root = if (cfg.package == pkgs.snappymail) then
+          pkgs.snappymail.override {
+            dataPath = cfg.dataDir;
+          }
+        else cfg.package;
+      };
+    };
+  };
+}

hosts/voyager/services/calibre.nix

@@ -1,5 +1,4 @@
 { config, lib, pkgs, ... }:
-
 let
   domain = "books.home.feal.no";
   storage = "/tank/media/books";

hosts/voyager/services/fancontrol.nix

@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+{
+  systemd.timers."fancontrol" = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar="*:0/3";
+      Unit = "fancontrol.service";
+    };
+  };
+
+  systemd.services."fancontrol" = {
+    environment = {
+      TEMP_MIN_FALLING = "50";
+      TEMP_MAX_RISING = "56";
+      TEMP_CRIT = "70";
+
+      LOW_FAN_SPEED = "0x10";
+    };
+
+    script = ''
+      SET_FAN_MANUAL="0x30 0x30 0x01 0x00" # Enable manual control
+      SET_FAN_AUTO="0x30 0x30 0x01 0x01" # Disable manual control
+
+      SET_FAN_LOW="0x30 0x30 0x02 0xff $LOW_FAN_SPEED"
+      SET_FAN_MAX="0x30 0x30 0x02 0xff 0x64" # force 100%
+
+
+      # Get all temperatures readings starting with "Temp ", find all two digit numbers followed by spaces, find the largest one, trim the trailing space
+      maxcoretemp=$(${pkgs.ipmitool}/bin/ipmitool sdr type temperature | grep '^Temp ' |  grep -Po '\d{2} ' | sort -nr | head -n1 | xargs)
+
+      # Verify that we read a valid number
+      ISNUMBER='^[0-9]+$'
+      if ! [[ $maxcoretemp =~ $ISNUMBER ]] ; then
+        echo "Error: could not read temperature" >&2
+        exit 2
+      fi
+
+      echo "Highest measured CPU temperature: '$maxcoretemp'"
+
+      if [ "$maxcoretemp" -gt "$TEMP_CRIT" ]; then
+        echo "TOO HOT, CRITICAL CPU TEMP"
+        ${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
+        ${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MAX
+        exit 1
+      fi
+
+      if [ "$maxcoretemp" -gt "$TEMP_MAX_RISING" ]; then
+        echo "TOO HOT, switching to IDRAC fan controL"
+        ${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_AUTO
+        exit 0
+      fi
+
+      if [ "$maxcoretemp" -lt "$TEMP_MIN_FALLING" ]; then
+        echo "Sufficiently cooled, stepping down fans"
+        ${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
+        ${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_LOW
+        exit 0
+      fi
+
+      echo "Temperature is between limits, doing nothing..."
+    '';
+  };
+}

hosts/voyager/services/flame.nix

@@ -1,22 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  host = "127.0.1.2";
-  port = "5005";
-in {
-   # Flame - Homelab dashboard/linktree
-   virtualisation.oci-containers.containers = {
-     flame = {
-       image = "pawelmalak/flame";
-       ports = [ "${host}:${port}:5005" ];
-       volumes = [
-         "/var/lib/flame/data:/app/data/"
-       ];
-     };
-   };
-   services.nginx.virtualHosts."flame.home.feal.no" = {
-     locations."/" = {
-       proxyPass = "http://${host}:${port}";
-     };
-   };
- }
-

hosts/voyager/services/hedgedoc.nix

@@ -1,97 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-    cfg = config.services.hedgedoc.settings;
-    domain = "md.feal.no";
-    port = 3300;
-    host = "0.0.0.0";
-    authServerUrl = config.services.kanidm.serverSettings.origin;
-in {
-    # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
-    sops.secrets."hedgedoc/env" = {
-      restartUnits = [ "hedgedoc.service" ];
-    };
-
-    services.hedgedoc = {
-        enable = true;
-        environmentFile = config.sops.secrets."hedgedoc/env".path;
-        settings = {
-            inherit domain port host;
-            protocolUseSSL = true;
-            sessionSecret = "$CMD_SESSION_SECRET";
-
-            allowFreeURL = true;
-            allowAnonymous = false;
-            allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
-
-            dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
-
-            email = false;
-            oauth2 = {
-              baseURL = "${authServerUrl}/oauth2";
-              tokenURL = "${authServerUrl}/oauth2/token";
-              authorizationURL = "${authServerUrl}/ui/oauth2";
-              userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
-
-              clientID = "hedgedoc";
-              clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
-              scope = "openid email profile";
-              userProfileUsernameAttr = "name";
-              userProfileEmailAttr = "email";
-              userProfileDisplayNameAttr = "displayname";
-
-              providerName = "KaniDM";
-            };
-
-        };
-    };
-
-    systemd.services.hedgedoc = {
-      requires = [
-        "postgresql.service"
-        "kanidm.service"
-      ];
-      serviceConfig = let
-        workDir = "/var/lib/hedgedoc";
-      in {
-        WorkingDirectory = lib.mkForce workDir;
-        StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
-
-        # Better safe than sorry :)
-        CapabilityBoundingSet = "";
-        LockPersonality = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        PrivateMounts = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProtectClock = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        ReadWritePaths = [ workDir ];
-        RemoveIPC = true;
-        RestrictSUIDSGID = true;
-        UMask = "0007";
-        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
-        SystemCallArchitectures = "native";
-        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
-      };
-    };
-
-    networking.firewall.allowedTCPPorts = [ port ];
-
-    services.postgresql = {
-      ensureDatabases = [ "hedgedoc" ];
-      ensureUsers = [{
-        name = "hedgedoc";
-        ensurePermissions = {
-          "DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
-        };
-      }];
-    };
-
-}

hosts/voyager/services/matrix/bridge-discord.nix

@@ -1,33 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.mx-puppet-discord = {
-    enable = true;
-
-    serviceDependencies = [
-      "matrix-synapse.service"
-      "postgresql.service"
-    ];
-
-    settings = {
-      bridge = {
-        bindAddress = "localhost";
-        domain = "feal.no";
-        homeserverUrl = "https://matrix.feal.no";
-        # homeserverUrl = "http://127.0.1.2:8008";
-
-        port = 8434;
-        enableGroupSync = true;
-      };
-
-      database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable";
-
-      provisioning.whitelist = [ "@felixalb:feal\\.no" ];
-      relay.whitelist = [ ".*" ];
-      selfService.whitelist = [ "@felixalb:feal\\.no" ];
-
-    };
-  };
-
-  services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ];
-}

hosts/voyager/services/matrix/default.nix

@@ -1,12 +0,0 @@
-{ config, ... }:
-{
-  imports = [
-    ./synapse.nix
-#    ./bridge-facebook.nix
-#    ./bridge-discord.nix
-#    ./element.nix
-#    ./coturn.nix
-#    ./discord.nix
-  ];
-}
-

hosts/voyager/services/metrics/default.nix

@@ -1,10 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports = [
-    ./prometheus.nix
-    ./grafana.nix
-    ./loki.nix
-    #./snmp-exporter.nix
-  ];
-}

hosts/voyager/services/nextcloud.nix

@@ -0,0 +1,88 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.nextcloud;
+  hostName = "cloud.feal.no";
+in {
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud28;
+    inherit hostName;
+    home = "/var/lib/nextcloud";
+    https = true;
+    webfinger = true;
+
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      adminuser = "ncadmin";
+      adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+      trustedProxies = [ "192.168.10.175" ]; # defiant
+      defaultPhoneRegion = "NO";
+    };
+
+    # phpOptions = {
+    #   "opcache.interned_strings_buffer" = "16";
+    #   "upload_max_filesize" = "4G";
+    #   "post_max_size" = "4G";
+    #   "memory_limit" = "4G";
+    # };
+
+    poolSettings = {
+      "pm" = "ondemand";
+      "pm.max_children" = 32;
+      "pm.process_idle_timeout" = "10s";
+      "pm.max_requests" = 500;
+    };
+  };
+
+  environment.systemPackages = [ cfg.occ ];
+
+  sops.secrets."nextcloud/adminpass" = {
+    mode = "0440";
+    owner = "nextcloud";
+    group = "nextcloud";
+    restartUnits = [ "phpfpm-nextcloud.service" ];
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [ {
+      name = "nextcloud";
+      ensureDBOwnership = true;
+    } ];
+  };
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  systemd.services."phpfpm-nextcloud".serviceConfig = {
+    WorkingDirectory = "/var/lib/nextcloud";
+    NoNewPrivileges = true;
+    PrivateDevices = true;
+    PrivateMounts = true;
+    PrivateTmp = true;
+    ProtectClock = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectProc = "invisible";
+    ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
+    RemoveIPC = true;
+    RestrictSUIDSGID = true;
+    UMask = "0007";
+    SystemCallArchitectures = "native";
+    SystemCallFilter = "@system-service";
+    CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+  };
+
+  fileSystems."/var/lib/nextcloud" = {
+    device = "/tank/nextcloud";
+    options = [ "bind "];
+  };
+}

hosts/voyager/services/nginx/default.nix

@@ -4,6 +4,8 @@
     enable = true;
     enableReload = true;
 
+    clientMaxBodySize = "100m";
+
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
     recommendedGzipSettings = true;
@@ -11,5 +13,10 @@
   };
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  /* security.acme = { */
+  /*   acceptTerms = true; */
+  /*   email = "felix@albrigtsen.it"; */
+  /* }; */
 }
  

hosts/voyager/services/snappymail.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [ ../modules/snappymail.nix ];
+
+  services.snappymail = {
+    enable = true;
+    hostname = "mail.home.feal.no";
+  };
+  services.nginx.virtualHosts."${config.services.snappymail.hostname}" = let
+    certPath = "/etc/ssl-snakeoil/mail_home_feal_no";
+  in {
+    addSSL = true;
+
+    sslCertificate    = "${certPath}.crt";
+    sslCertificateKey = "${certPath}.key";
+  };
+}

hosts/voyager/services/timemachine.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+  let
+    timeMachineDir = "/tank/backup/worf";
+    user = "worf-backup";
+    sizeLimit = "800000"; # MiB
+    allowedIPs = "192.168.10.2 192.168.10.5"; #TODO
+  in {
+  services.avahi = {
+    enable = true;
+    publish = {
+      enable = true;
+      userServices = true;
+    };
+  };
+
+  services.netatalk = {
+    enable = true;
+
+    settings = {
+      Global = {
+        "mimic model" = "TimeCapsule6,106";  # show the icon for the first gen TC
+        "hosts allow" = allowedIPs;
+      };
+
+      "worf-time-machine" = {
+        "time machine" = "yes";
+        "path" = timeMachineDir;
+        "valid users" = user;
+        "vol size limit" = sizeLimit;
+      };
+    };
+  };
+
+  users.extraUsers.worf-backup = {
+    isSystemUser = true;
+    name = user;
+    group = user;
+  };
+  users.groups."${user}" = {};
+
+  networking.firewall.allowedTCPPorts = [ 548 636 ];
+}

hosts/worf/configuration.nix

@@ -0,0 +1,142 @@
+{ pkgs, ... }:
+{
+  # Many settings should be handled by home manager. System-wide settings are however managed here.
+  imports = [
+    ./yabai.nix
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  nix = {
+    # gc = {
+    #   automatic = true;
+    #   options = "--delete-older-than 2d";
+    # };
+
+    settings = {
+      allow-dirty = true;
+      experimental-features = [ "nix-command" "flakes" "repl-flake" ];
+      auto-optimise-store = true;
+      builders-use-substitutes = true;
+      log-lines = 50;
+    };
+
+    buildMachines = [
+      {
+        hostName = "voyager.home.feal.no";
+        system = "x86_64-linux";
+
+        maxJobs = 4;
+        supportedFeatures = [ "kvm" "big-parallel" "benchmark" "nixos-test" ];
+        mandatoryFeatures = [ ];
+
+        sshUser = "felixalb";
+        sshKey = "/var/root/.ssh/nix-builder";
+      }
+      {
+        hostName = "defiant.home.feal.no";
+        system = "x86_64-linux";
+
+        maxJobs = 6;
+        supportedFeatures = [ "big-parallel" "benchmark" "nixos-test" ];
+        mandatoryFeatures = [ ];
+
+        sshUser = "felixalb";
+        sshKey = "/var/root/.ssh/nix-builder";
+      }
+    ];
+
+    distributedBuilds = true;
+    extraOptions = "builders-use-substitutes = true";
+  };
+
+  # System packages for all users
+  environment = {
+    systemPackages = with pkgs; [
+      findutils
+      gnugrep
+      jq
+      ripgrep
+      sshfs
+      wget
+    ];
+
+    variables = {
+      EDITOR = "nvim";
+      VISUAL = "nvim";
+    };
+  };
+
+  users.users.felixalb = {
+    home = "/Users/felixalb";
+    shell = pkgs.zsh;
+  };
+
+  programs.zsh.enable = true;
+  system.activationScripts.postActivation.text = ''sudo chsh -s ${pkgs.zsh}/bin/zsh''; # Since it's not possible to declare default shell, run this command after build
+
+
+  fonts = {
+    fontDir.enable = true;
+    fonts = with pkgs; [
+      noto-fonts
+      font-awesome
+      fira-code
+      hack-font
+
+      (nerdfonts.override {
+        fonts = [
+          "Hack"
+        ];
+      })
+    ];
+  };
+
+  system.defaults = {
+    # login window settings
+    loginwindow = {
+      # disable guest account
+      GuestEnabled = false;
+      # show name instead of username
+      SHOWFULLNAME = false;
+    };
+
+    finder = {
+      AppleShowAllExtensions = true;
+      FXEnableExtensionChangeWarning = true;
+      _FXShowPosixPathInTitle = true;
+    };
+
+
+    # firewall settings
+    alf = {
+      # 0 = disabled 1 = enabled 2 = blocks all connections except for essential services
+      globalstate = 1;
+      loggingenabled = 0;
+      stealthenabled = 1;
+    };
+
+    # dock settings
+    dock = {
+      autohide = true;
+      autohide-delay = 0.0;
+      autohide-time-modifier = 1.0;
+      tilesize = 45;
+      static-only = false;
+      showhidden = false;
+      show-recents = false;
+      show-process-indicators = true;
+      orientation = "bottom";
+      mru-spaces = false;
+    };
+  };
+
+  system.keyboard = {
+    enableKeyMapping = true;
+    remapCapsLockToControl = true;
+  };
+
+  # Auto upgrade nix package and the daemon service.
+  services.nix-daemon.enable = true;
+  nix.package = pkgs.nix;
+}

hosts/worf/home.nix

@@ -0,0 +1,82 @@
+{ pkgs
+, lib
+, inputs
+, config
+, ...
+}: {
+  imports = [
+    ./../../home/base.nix
+    ./../../home/alacritty.nix
+  ];
+
+  home.packages = with pkgs; [
+    # alacritty
+    emacs
+    iterm2
+    spotify
+    ripes
+    prismlauncher
+
+    bat
+    bottom
+    cocoapods
+    gnutar
+    ncdu
+    neofetch
+    nix-index
+    nodejs
+    tldr
+    eza
+    zellij
+
+    pandoc
+    texlive.combined.scheme-full
+
+    (python311.withPackages (ps: with ps; [
+      pygments
+
+      jupyter
+      numpy
+      scipy
+
+      pwntools
+      pycryptodome
+      requests
+    ]))
+  ];
+
+  programs.zsh = {
+    shellAliases."rebuild" = "darwin-rebuild switch --flake /Users/felixalb/nix";
+    prezto.pmodules = [ "ssh" ];
+  };
+
+  # Ctrl+y + ,
+  programs.neovim.plugins = with pkgs.vimPlugins; [ coc-emmet emmet-vim ];
+
+  # Copy Applications to ~/Applications to allow them to be launched from Spotlight
+  disabledModules = [ "targets/darwin/linkapps.nix" ];
+  home.activation = lib.mkIf pkgs.stdenv.isDarwin {
+    copyApplications =
+      let
+        apps = pkgs.buildEnv {
+          name = "home-manager-applications";
+          paths = config.home.packages;
+          pathsToLink = "/Applications";
+        };
+      in
+      lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+        baseDir="$HOME/Applications/Home Manager Apps"
+        if [ -d "$baseDir" ]; then
+          rm -rf "$baseDir"
+        fi
+        mkdir -p "$baseDir"
+        for appFile in ${apps}/Applications/*; do
+          target="$baseDir/$(basename "$appFile")"
+          $DRY_RUN_CMD cp ''${VERBOSE_ARG:+-v} -fHRL "$appFile" "$baseDir"
+          $DRY_RUN_CMD chmod ''${VERBOSE_ARG:+-v} -R +w "$target"
+        done
+      '';
+  };
+
+  home.stateVersion = "23.05";
+}

hosts/worf/yabai.nix

@@ -0,0 +1,129 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.yabai;
+  sketchybar-app-font = pkgs.callPackage ./../../common/sketchybar-app-font.nix {};
+in {
+  services.yabai = {
+    enable = true;
+    package = pkgs.yabai;
+    enableScriptingAddition = true;
+    config = {
+      layout = "bsp";
+      debug_output = "on";
+      focus_follows_mouse = "autoraise";
+      mouse_follows_focus = "off";
+
+      window_placement    = "second_child";
+      window_opacity      = "off";
+      window_border       = "on";
+      window_border_width = 1;
+      window_border_blur  = "off";
+      normal_window_border_color   = "0xff404066";
+      active_window_border_color   = "0xffff2020";
+
+      window_border_radius = 0;
+
+      # top_padding         = 10;
+      # bottom_padding      = 10;
+      # left_padding        = 10;
+      # right_padding       = 10;
+      window_gap          = 0;
+
+      external_bar = "all:40:0";
+    };
+  };
+
+  services.skhd = {
+    enable = true;
+    skhdConfig = let
+      mod = "alt";
+      mod2 = "alt + ctrl";
+      mod3 = "alt + shift";
+      mod4 = "alt + cmd";
+    in ''
+      # Move window focus
+      ${mod} - j : yabai -m window --focus south
+      ${mod} - k : yabai -m window --focus north
+      ${mod} - h : yabai -m window --focus west
+      ${mod} - l : yabai -m window --focus east
+
+      ${mod} - down : yabai -m window --focus south
+      ${mod} - up : yabai -m window --focus north
+      ${mod} - left : yabai -m window --focus west
+      ${mod} - right : yabai -m window --focus east
+
+      # Move windows
+      ${mod3} - j : yabai -m window --warp south
+      ${mod3} - k : yabai -m window --warp north
+      ${mod3} - h : yabai -m window --warp west
+      ${mod3} - l : yabai -m window --warp east
+
+      ${mod3} - down : yabai -m window --warp south
+      ${mod3} - up : yabai -m window --warp north
+      ${mod3} - left : yabai -m window --warp west
+      ${mod3} - right : yabai -m window --warp east
+
+      # Move windows to different spaces
+      ${mod2} - 1 : yabai -m window --space 1
+      ${mod2} - 2 : yabai -m window --space 2
+      ${mod2} - 3 : yabai -m window --space 3
+      ${mod2} - 4 : yabai -m window --space 4
+      ${mod2} - 5 : yabai -m window --space 5
+      ${mod2} - 6 : yabai -m window --space 6
+      ${mod2} - 7 : yabai -m window --space 7
+
+      # Switch spaces
+      ctrl - left : yabai -m space --focus prev
+      ctrl - right : yabai -m space --focus next
+
+      ctrl - 1 : yabai -m space --focus 1
+      ctrl - 2 : yabai -m space --focus 2
+      ctrl - 3 : yabai -m space --focus 3
+      ctrl - 4 : yabai -m space --focus 4
+      ctrl - 5 : yabai -m space --focus 5
+      ctrl - 6 : yabai -m space --focus 6
+      ctrl - 7 : yabai -m space --focus 7
+
+      # Resize windows
+      ${mod2} - j : yabai -m window --resize bottom:0:20
+      ${mod2} - k : yabai -m window --resize bottom:0:-20
+      ${mod2} - h : yabai -m window --resize right:-20:0
+      ${mod2} - l : yabai -m window --resize right:20:0
+
+      ${mod2} - down : yabai -m window --resize bottom:0:20
+      ${mod2} - up : yabai -m window --resize bottom:0:-20
+      ${mod2} - left : yabai -m window --resize right:-20:0
+      ${mod2} - right : yabai -m window --resize right:20:0
+
+      # Move windows to different displays
+      ${mod2} + cmd - 1 : yabai -m window --display 1
+      ${mod2} + cmd - 2 : yabai -m window --display 2
+      ${mod2} + cmd - 3 : yabai -m window --display 3
+
+      # Fullscreen
+      ${mod2} - f : yabai -m window --toggle zoom-fullscreen
+      ${mod2} + shift - f : yabai -m window --toggle native-fullscreen
+
+      # Mirror layout
+      ${mod2} - m : yabai -m space --mirror y-axis
+
+      # Misc.
+      ${mod2} - b : yabai -m space --balance
+      ${mod2} - space : yabai -m window --toggle float --grid 4:4:1:1:2:2
+      ${mod2} - return : yabai -m window --toggle split
+
+      # Launch terminal
+      cmd - return : open -n -a ${pkgs.alacritty}/Applications/Alacritty.app
+    '';
+  };
+
+  services.sketchybar = {
+    enable = true;
+    package = pkgs.sketchybar;
+    # The config is handled outside of nix, and is placed in ~/.config/sketchybar
+  };
+
+  fonts.fonts = [
+    sketchybar-app-font
+  ];
+}

secrets/defiant/defiant.yaml

@@ -0,0 +1,36 @@
+matrix:
+    synapse:
+        registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str]
+hedgedoc:
+    env: ENC[AES256_GCM,data:7UU8MNo3AEpG1L0lpbfow4mGsIj7qMgtldCxv2T8rimintl1PN+avb2yxXz2P+1MqxNhacYYfBn5AkVqUJvAvo/HaQmsu+M1iFuMG6vEQuMGZZ1bjcslKxjVFWe9Rxzb9O33jqielsBiUmkP7f0MoGzfdyncpRuGjge+ADL7YXdRdH2zyDLW0txM3P593MQYiGo9wzwb7ZpycX4NsuE=,iv:4QE4RwD6c7KQS/w15YP/P2u7iOTWd36/YhpA2Jtdu0U=,tag:QBvO3q5C9TK0oSeso367/Q==,type:str]
+vaultwarden:
+    admintoken: ENC[AES256_GCM,data:sUPOe3goxpJFpe5fBdwcM5Z6+DXNdZr5Xd6HzRUb7LtDk9IUtwL4wtlckwnMRoLF628XvCV3ObrX2UmTqUX/6pWqLkWL/vWb3C8ogq4=,iv:vvO9nEkCjcKvl+ILEMlMorMmvyNM1juRYRnEolwg9sQ=,tag:wFnz9oOA+ZGrb4UqKrtUcA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQXEzMHQzaTU2YW85Yjhh
+            eDZ1eG15UytULzhYaTBZemlRak5USmVrMlhRCmtOUmNqYS9xa0VHU2J1V0E0NjN0
+            ZDRhek9xNXJNY0FhZUJCVjJpYW1ZNHcKLS0tIER3OFlyV2Q3b2l0RkkzVkZMaHdt
+            MHI3WEV0RnZvWGw5a3BIV21kMlJxdU0Kpa1mjuwYoyk8Qfsst1k/pGGONYQf/sdZ
+            kfTZV2btleBISsP5aBDTF+I4AJZesumJuNVA0gPsI88GaQuf3rqb8w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRi9mRDMvcDhBN3RVcG90
+            Q2Y5NGhTVmVOaW9VRTl0R25QQXJsb2FQOTFrCnNsL0M2OTQ1KzJKSXJaVlVrL01v
+            R1RnOURGcDU3V2JldTdlRitQeDBIZE0KLS0tIHB2T3ZGQjZZRUlUL0FUSzhoZ1Ez
+            RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
+            fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-29T22:35:52Z"
+    mac: ENC[AES256_GCM,data:wLuNSHMesuGxoYH4km/NkX58JcZgXCoQW5veh+wL8A3vmWg+HGkcnWLxhGPetG4fhdORkurr+/l803Y3Fq79C5C3JyMSZEI5ba9LL9SLnJsTu9B+sro6DRp0xCX8kvY/Hfl23jsg8NcJ2QoiE0eHMJ5LftSydSNPefnkzSz70UU=,iv:r8Cv2kOf2T3WwXLpDyTVDG+O6RcIhv+juIteCgR+Zlc=,tag:EoaPXCOprA5yBtnyORmXvA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

secrets/janeway/janeway.yaml

@@ -0,0 +1,41 @@
+matrix:
+    synapse:
+        registrationsecret: ENC[AES256_GCM,data:hXLNFkvMe21RlT1wgQvsBeyxtn+0yLK5bYUeMQbV/1bVtl6nvoInZ1qP7wz8MoWhFiAq1ZwxE2bjDfxXdkL8YSvNHlhdbFD1nJBP51mci9SQE/xLaMh7Aqtos0swdKw=,iv:uIxuhhaTpCRQQ/fP16J50cKCSbAD+KYO3a2kb70BX2M=,tag:EqD5jeZvCcJJCrBcG0YjsA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sjk38fy5dk2nn0q0rmxuvr9uw3ttgz7mq4632f8jllzqryft0y3s46j65k
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJNHA3eFNxWjd4a2tOcEl3
+            Q3N3YXNSd0IrNm53QUtJWmFlNlRqb1ZsQ0VFCkZCanRYdEZZZWY4SFNWNDlBUEth
+            Umk0UkxReWhrTmw5RkxzTzhDdzQ5WTQKLS0tIDMyK2t6dTVPaWlGUjRRT3ZHSUJC
+            VjBsbEFiakZKL1BGMlp3TXM3SUhuRFUKEppZj9LpW2axFg6yN0R8i/GV8OywK9ha
+            NDDFqw1x+8e++Mec7uN737oYo3nsFZJG7pMxFbuXBol2RUfZ0GLuwQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RGFnVE1Va2hYUWt4L0dk
+            QjY0cFl6Z2JjK0ZtNzRhZVNpQkRrOG9JKzE4CmhXZ0xiZkp3K3VXQnhSOExxTXZq
+            NjBVQlVBKzhJaFRKeFZ5OE13VVhlc1EKLS0tIFdaaFZ6ZnZZQkl1dW5sT0hkdjlN
+            M0F4TmtTeXVTeWdpUVdNNlNGTmZMOFUKCsULF8MXQ7DkTGpXVbiJtmErHK6ve08N
+            av/z7DlzdGeUhlL5Jk/jonGr0Ixhtlvn+MqrVFGBIB+6OqOi2eDX/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWUNlOGZmZnRWMXprV2hV
+            OTNZdU02aVJBUlMwQTFFTnUzekFXTVBlYWs0CmtOYmhJRDlTSm42NFZoSEZlclhR
+            bFN6NEUwUG9jQ3d3Z2JzcWNIandOa1UKLS0tIDlwZVBIdi9LVjVsaFhNeEplNk4v
+            SzRrQ0hZMnZFWHRuTWErWDQ3M2NJOG8KDphp0PenVKK6cZ4V4VUHL5A64wNF0vi7
+            gkvXBWSakJX5ONssN2aaXTfoHY5QrRJG4Rj4ZM0Bdm7WrIPdBFONrw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-13T22:50:20Z"
+    mac: ENC[AES256_GCM,data:ktGFV+oNBMIKNCVLXZtrxn8HbvgjmXTRmAWuDQaNyMIIWvnTvd5IQBivG1kCimVr96RFl6RWTMWH4nqHVFlo0jxQfx8KUVXmaO7dfp4Ri+ZKMLu33HmLfwHiStnYRwPCAtwG/AXx9SXl0SAL5S+xHSl4mnShbyYfLAHibccYros=,iv:JeMtQ5uxYzpqr1eHZrLTNqhizjOCaixNg8VFcwjY2Y8=,tag:gHfRDBezAwzCqmEhayVYEg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

secrets/sarek/sarek.yaml

@@ -0,0 +1,40 @@
+hedgedoc:
+    env: ENC[AES256_GCM,data:IE1Lp1Lx0ctKIyV9z0rJWIouaHvstEyhcFO6KLNliN2FHKYNlfggrXEwxT+UwNUvEyuN6p+nCOLc48pAxODLHdl+DuTtwmqb14lbiwS6s/CPxlkJvcUnkauFOhuk45qXOhu4rz9sdtA7vSjMXEGmi55bJNAB+AD+oIVgtDEYa/cNkAaGJltxClx3KjCyfmOnN69ZuL81ewOnk5dq8ms=,iv:HBdiT0I9vKgs0es3jluYP0j8lr0YS4seLQmZvj7Bs40=,tag:pqEjkBWeSMtA4QDXpYDKSg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCc3lUVW1PNTNoRm4xbzBI
+            OTlBK1MzaHE1cU1UTEN2TkNlU3dVVXZSUXpBCjhISjdBSnZVSnhyckFoVXdJK3N1
+            cE9GanNRcExpckRJbEtPWkFvVFgwZ3MKLS0tIHhhb1A2dU5BbFpmK0d5Yi9yMDZY
+            c1lwVWNibW1PVTFEYlVkYzNKL2pmR3MK0WEvII7d3VUr53uFf/leic1JsALinG4G
+            PSXfzvhywVf+C1/YgE5HJH9pPhIDigLFins09UWt1RDVuwfdmXPJwA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYkdUMmpDTmtzZHExT3RM
+            d3UxZy9DTzRjcHVrNHB6OTBNOHFkV25GV1JjCk1BU1poZ090U3ZJV0xuMEdIcDE0
+            MHYrbk9VYWlsdWg0bmpVY1pVUmJFTm8KLS0tIExoUG9aMy8rWlBvUXNZcGhUd0FC
+            dEpEWEJZdTMrOTZxVU1JcFN6Nlo5QzQKdo4cKvw7fBmGqsi2ALOEbdRVngzPGhte
+            5AC1PAX85a8r6DA/8etSKjXVh/wEdEs85+qKDgKKJSNqNG+nlzF+wQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYU05cHJOUkZib3B3UHc3
+            dDdDTUlFK1pudHFubTNLMTQ3WDZKeERCRld3ClhCOVpEcjhDQWt6NGxDMXNVSlk0
+            QVhSdnFRc2hqZmZQUEFVR25BNWdYMDQKLS0tICt0bXp6SXpqbFlTdkxWMGlGK0Nw
+            enQ5UjA2ZVBGcUFCenhYckVjanVOeE0KT0NPv0yGmreBQzozp9z5tOtY9Awo5ajs
+            y00uxfBVUgQkhNYCUQ5j9vzMv2U5vDncHox07rEl7YqdlzjJzbuupA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-05T21:56:24Z"
+    mac: ENC[AES256_GCM,data:7n8WFY6fWEwEeF91CNzDbqJm/hx+Nm+A+uKmHN5r9zbwgkKNPuf+aX3bACkGDyI/B2XN6TxEGl3Gc2MnF3ZTazbRkaZE06gS3bPmosHIZkw1CCkJdgD5KM5y8Nffj4Dzdmu86Z1W74FkV29aAFF1BtYSRalBCJ+2kxWabSPTT2Y=,iv:mfpwBmI11ysnIK+xPt8J3n7FEWedRS1WW5HxTmGxCas=,tag:X8gUuKw+tRTm82NvhC5grw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

secrets/voyager/voyager.yaml

@@ -8,19 +8,14 @@
 #ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment]
 #ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment]
 #ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
-hedgedoc:
-    env: ENC[AES256_GCM,data:QaDReiDztJhu8n+Sa2SE9XjQS+YIMvQFqY5nSXKPUBrHk3tvEzmST8ZjjthruGWdKoEDQT0phR2KV660Hza8WQNajC85slVIQK2HFXKK8xYn5qeMQj5U1m85rmSjMNg6Rdb+rCQFWiM2KRfdkiWiAzcgOvGd2ziX3oE4tTTpBs2Jy70B+eXEVqZvYajQUyQZItCPb7BUhkhv8rVbI0Q=,iv:3ZcWie2pwfvUsXhQo1Zlpbq6r85OOWASKiwzfY30BHM=,tag:NyH6w9MQPUWvue/wo8LmAg==,type:str]
 transmission:
     vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
-matrix:
-    synapse:
-        registrationsecret: ENC[AES256_GCM,data:lrj4itbDdfwSJYlvgYbWy2bcgNj69DJA2gzLUiN2AINRfoprsZI7kbNvJO0E2FVPWrfcB6HSHqomgIi6G+77NoyPOSTzzI6aHMvt4Ups6/KpQFpR2QV3VykzADoagWs=,iv:GiuT4lAD8/ZPgTVwXUaHmjSvzHqnGPzAuwxFBlzU8O0=,tag:79tuTluST8E6gigm9Z7nEQ==,type:str]
 wireguard:
     wg0:
         public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
         private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
-vaultwarden:
-    admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str]
+nextcloud:
+    adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -30,23 +25,32 @@ sops:
         - recipient: age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZml2bXBjSUYrMW5RcnFl
-            MTRzM1p2L1JMTGJCamk1RHczOStQUjlFSDFzCmdGTDYrYUhJUjAyYWdkclgwazNt
-            UWVqY0JxYXh3cXVyNjlSZ2h6c0R4REEKLS0tIDZHY0F6M0lOZ1JRelp3Umx0aW4x
-            cjRUa2szZGZuSnhjd3hCNmYvV0tXTmMKlYuaUIvwTv8NpaoBYVva4jbRemkFTdfU
-            yP4J5RyUry83aVlHFQ2f7neBpWc6A2rePl3XuEQxSggl13hh71H+nw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCOUxoemtPaURCdGdhSmc4
+            RWZKNlduSVQxTmJPQ29YVDFIUHQ0bTkvdVJJCjgySTFKd1kvVk1pbnJCbi9JWENW
+            MmxhVGVtanNWNGppZ1dPcjJSdmhYdXcKLS0tIGRTSGxvelZwbE9sR0JpeExSaStE
+            dytwYnN5bkt5b0lla0ljcW15bU1NMWsKimYSeyPLuqVE2hTh8PNZwI1+Rq/cR10i
+            nJuRRCuL01ACJVypn57k6/wakLO84/+dyjazrjleUsEpQB2K3wBAkg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOOG5GSDd4R09mZ2QvT0dy
-            YnIxMWNBL3huMXNmcjV0a1VlS0FxS1JtSFVjCmthenVlYytjZklxNk43YlR5NExG
-            aVQ2K1ZsbHdWTm91d1JvNDVsYW1FSEkKLS0tIFpTeG1zcVRpWWlWUE1abllKR1BW
-            THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
-            u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZ1RDeDE3UytQWlhJcStD
+            djVTM09UK3FBQThhc1BvWVhBeEVPU2RTdUcwCnNQcnlScnhUUmpSV2tnWGZSam1H
+            cTdIZ0tiR3lvaWUzSVE2OUI0Q1FGYVEKLS0tIDlRdkpmSGk2UFRxclQ5b2lJRG5y
+            b3BLS0o4WXQxdW1PR0dPa0NLamJOTEEKY66UiTF6+hJtfMB8tPge8Xaz9riB2veK
+            WEsq72StufeZDjGxkhAGOTZHg9poG6YgBFnt+PMbe9DACfVbAfPP2Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-06-08T21:22:10Z"
-    mac: ENC[AES256_GCM,data:l7sZPbR3pihdoWEtfAB8yHAVtGfvnz+7dFos6b3TyBRhJmKlnd/zux9Lpw+KFh7y16KQDwE0rJlGf4+gkwM5SyMSHl3L4U430DeXhbcTLTGSFq7WLk5bnJgOYHv9t8zqHI8qsHJKarYca0KhtzLUFQG8U4wbJCzAJajGp9bVEyE=,iv:2xm1vi+GPt1Of5t9iWeyzcuzqFWiFjDk8juL+AnsiM8=,tag:BHLjw12RzORzUL2jI8+kdw==,type:str]
+        - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NXBlZk5DbW1VSHBPZVBq
+            UmVDNU9tMkdHMW04aloyQlpCUHdCS1JYcWpzCmRXNnFzSnFNZ2ZIVXJRMGJvaVV6
+            WitBeGorNU5Mb2VWRE5WTkx6dzQ5QUkKLS0tIHhVM1lmbkNBWXExUlBXd0pzTHVD
+            NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
+            4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-03T11:58:32Z"
+    mac: ENC[AES256_GCM,data:17G+wUFH0yV9dQo7kLoMiI7UMBVfj8HbqE0p26/LZ5N0wbLyXKt5YdXQPG8rC22fgHdgePFgIl6qxI2KWgy0bwgBtg9kTxjaKDHkdEs8KKTxbjUXYeIp2JonIH9j3GgN/wa7kABr4QyhDmKhlLupi0ea2A51fDSuhYZDN2kl5As=,iv:XNhmnQJEww6PfHI80bl8LKoiiJdJQcezy71kQZx4oys=,tag:02+GjhSRxw4+qNNjlxPbqA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

shells/ctf.nix

@@ -0,0 +1,61 @@
+let
+  unstable = import (fetchTarball https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz) { };
+in { pkgs ? import <nixpkgs> {} }:
+  pkgs.mkShell {
+    nativeBuildInputs = with pkgs; [
+      python3
+      (with python3Packages; [
+        beautifulsoup4
+        numpy
+        pillow
+        pwntools
+        pycryptodome
+        requests
+      ])
+
+      nodejs
+      php
+
+      bat
+      binwalk
+      coreutils
+      gnugrep
+      gnutar
+      ripgrep
+      curl
+      #sxiv
+      feh
+
+      ghidra
+      pwninit
+
+      metasploit
+      sqlmap
+
+      exiftool
+      steghide
+      # stegsolve
+
+      dig
+      nmap
+      rustscan
+      thc-hydra
+
+      # davtest
+      # cadaver
+      httpie
+
+      john
+      hashcat
+
+    ] ++ lib.optionals (pkgs.stdenv.isLinux) [
+      sage
+      gdb
+      pwndbg
+      ropgadget
+      ropper
+      wireshark
+      tcpdump
+    ];
+
+}