auto-upgrade: point back to the main branch

defiant: update to nixos 25.11
worf: fix 25.11. Clean flake.
2025-12-08 21:05:23 +01:00 · 2025-12-08 20:59:46 +01:00 · 2025-12-04 17:22:33 +01:00 · 2025-12-02 19:38:08 +01:00 · 2025-12-02 00:14:36 +01:00 · 2025-12-01 23:22:05 +01:00
168 changed files with 8095 additions and 45756 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 result
 /secrets_tmp/
 *.drv
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,17 +1,50 @@
 keys:
-  - &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
+  - &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
-  - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
+  - &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
  - &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
  - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
  - &host_morn age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
  - &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
  - &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
 creation_rules:
  # Global secrets
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
    - age:
-      - *user_felixalb
+      - *bw_recovery
      - *user_felixalb_sisko
      - *user_felixalb_worf
  # Host specific secrets
-  - path_regex: secrets/voyager/[^/]+\.yaml$
+  - path_regex: secrets/burnham/[^/]+\.yaml$
    key_groups:
    - age:
-      - *host_voyager
+      - *host_burnham
-      - *user_felixalb
+      - *bw_recovery
      - *user_felixalb_sisko
      - *user_felixalb_worf
  - path_regex: secrets/challenger/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_challenger
      - *bw_recovery
      - *user_felixalb_sisko
      - *user_felixalb_worf
  - path_regex: secrets/defiant/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_defiant
      - *bw_recovery
      - *user_felixalb_sisko
      - *user_felixalb_worf
  - path_regex: secrets/morn/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_morn
      - *bw_recovery
      - *user_felixalb_sisko
      - *user_felixalb_worf
--- a/README.md
+++ b/README.md
@@ -1,17 +1,54 @@
-# Work In Progress!
+## Felixalbs nixos config
-Notice, these things might be missing:
+
- Functionality
+![](https://github.com/NixOS/nixos-artwork/blob/master/releases/24.05-uakari/uakari.png?raw=true)
- Style
+
- Safety
+Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host.
 Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
 ### Build:
- Build locally on another machine (verify)
+- Build locally on another machine:
 ```
-nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurations.chapel.config.system.build.toplevel"
+nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurations.sarek.config.system.build.toplevel"
 ```
-(replace "chapel" with the hostname)
+(replace "sarek" with the hostname)
 - Build, install and switch on the actual target
 ```
 nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake github+felixalbrigtsen/nixos-server-conf.git --upgrade
 ```
 # Services and tools
 Below is a list of _most_ of the services configured in this repo, at least the ones that are accessible to the public.
 It might be incomplete or out of date, but should generally describe the state of my homelab.
 Other installed packages and tools are described in the config files (like ./hosts/HOSTNAME/configuration.nix), but not listed here.
 ## Public / important services
 - Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no
 - [Nextcloud](https://cloud.feal.no) ([source](./hosts/challenger/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
 - [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server
 - [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
 - HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
 - [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
 - [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML
 - [Jellyfin](https://jf.feal.no) ([source](./hosts/challenger/services/jellyfin.nix)) - Local media streaming
 ## Networking
 - I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
 - A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
 - PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
 - A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
 ## Monitoring
 - Prometheus ([source](./hosts/defiant/services/monitoring/prometheus.nix)) - Pull-based metrics system that fetches metrics over HTTP from a range of exporters and stores them in a time-series database
 - Loki ([source](./hosts/defiant/services/monitoring/loki.nix)) - Central logging for all my hosts
 - Grafana ([source](./hosts/defiant/services/monitoring/grafana.nix)) - Visualization and alerting for all my metrics and logs
 - Uptime-Kuma ([source](./hosts/defiant/services/monitoring/uptime-kuma.nix)) - Uptime / health check with alerting
 ## Dotfiles and user tools
 - (Neo)vim ([source](./home/neovim.nix)) - Text editor with my configuration for IDE-like support for autocompletion, syntax highlighting and efficient editing.
 - Zsh ([source](./home/zsh.nix)) - My shell of choice
--- a/base.nix
+++ b/base.nix
@@ -1,13 +1,13 @@
 { config, lib, pkgs, inputs, values, ... }:
 {
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking = {
-    domain = "home.feal.no";
+    domain = lib.mkDefault "home.feal.no";
-    useDHCP = false;
+    nameservers = lib.mkDefault [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
    useDHCP = lib.mkDefault false;
  };
  time.timeZone = "Europe/Oslo";
@@ -15,7 +15,7 @@
  console = {
    font = "Lat2-Terminus16";
-    keyMap = "no";
+    keyMap = lib.mkDefault "no";
  };
  nix = {
@@ -24,28 +24,45 @@
      options = "--delete-older-than 2d";
    };
-    settings.experimental-features = ["nix-command" "flakes"];
+    settings = {
-
+      experimental-features = ["nix-command" "flakes"];
-    registry= {
+      trusted-users = [ "felixalb" ];
-      nixpkgs.flake = inputs.nixpkgs;
+      builders-use-substitutes = true;
    };
    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
  };
  programs.zsh.enable = true;
  environment.systemPackages = with pkgs; [
    wget
    git
    tree
    rsync
    bottom
    eza
    file
    git
    gnugrep
    gnutar
    htop
    iotop
    lm_sensors
    nix-output-monitor
    p7zip
    python3
    ripgrep
    rsync
    screen
    unzip
    usbutils
    vim
    wget
    zip
  ] ++ lib.optionals (pkgs.stdenv.isLinux) [
    dmidecode
    lm_sensors
    pciutils
  ];
  services.openssh = {
    enable = true;
    openFirewall = lib.mkDefault true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
@@ -54,20 +71,27 @@
    extraConfig = ''
      AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding yes
      AuthenticationMethods publickey
    '';
  };
  programs.mosh.enable = true;
  users.users.felixalb = {
    isNormalUser = true;
-    extraGroups = [ "wheel" ];
+    extraGroups = [
-    uid = 1000;
+      "wheel"
-    openssh.authorizedKeys.keys = [
+      "docker"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkLmJIkBM6AMbYM/hYm27Flgya81UiGqh9/owYWmrbZ home.feal.no"
    ];
    uid = lib.mkDefault 1000;
    openssh.authorizedKeys.keys = lib.mkDefault [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
    ];
    shell = pkgs.zsh;
  };
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 }
--- a/common/auto-upgrade.nix
+++ b/common/auto-upgrade.nix
@@ -0,0 +1,15 @@
 { config, pkgs, lib, ... }:
 {
  system.autoUpgrade = {
    enable = true;
    flake = "git+https://git.feal.no/felixalb/nixos-config.git";
    flags = [
      # Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
      "--refresh"
      "--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
      "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
      "--no-write-lock-file"
    ];
  };
 }
--- a/common/domeneshop-dyndns.nix
+++ b/common/domeneshop-dyndns.nix
@@ -0,0 +1,45 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.domeneshop-dyndns;
 in {
  options.services.domeneshop-dyndns = {
    enable = lib.mkEnableOption "Domeneshop DynDNS";
    domain = lib.mkOption {
      type = lib.types.str;
      description = "Domain name to configure";
    };
    netrcFile = lib.mkOption {
      type = lib.types.path;
      description = "Path to the file that contains `machine api.domeneshop.no login <DDNS_TOKEN> password <DDNS_SECRET>` from https://domene.shop/admin?view=api";
    };
    startAt = lib.mkOption {
      type = lib.types.str;
      default = "*:0/10"; # Every 10 minutes
      description = "Systemd onCalendar expression for when to run the timer";
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.services.domeneshop-dyndns = {
      serviceConfig.LoadCredential = "netrc:${cfg.netrcFile}";
      startAt = cfg.startAt;
      script = ''
        DNSNAME="${cfg.domain}"
        NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
        OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
        if [[ "$NEW_IP" != "$OLD_IP" ]]; then
          echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
          ${lib.getExe pkgs.curl} --silent --netrc-file "$CREDENTIALS_DIRECTORY/netrc" "https://api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
        else
          echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
        fi
      '';
    };
  };
 }
--- a/common/metrics-exporters.nix
+++ b/common/metrics-exporters.nix
@@ -1,19 +1,20 @@
 { config, pkgs, values, ... }:
-
+let
-{
+  metricsHost = "192.168.10.175"; # defiant.home.feal.no
 in {
  services.prometheus.exporters.node = {
    enable = true;
    port = 9100;
    enabledCollectors = [ "systemd" ];
  };
-  systemd.services.prometheus-node-exporter.serviceConfig = {
+  networking.firewall = {
-    # TODO: Define allowed IPs
+    # TODO: Move this into the node-exporter systemd service
-    # IPAddressDeny = "any";
+    allowedTCPPorts = [ 9100 ];
-    # IPAddressAllow = [
+    extraCommands = ''
-    #   values.chapel.ipv4
+      iptables -A INPUT -p tcp -m tcp --source ${metricsHost}/32 --dport 9100 -j ACCEPT
-    #   values.chapel.ipv6
+      iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP
-    # ];
+    '';
  };
  services.promtail = {
@@ -25,7 +26,7 @@
      };
      clients = [
        {
-          url = "http://voyager.home.feal.no:3100/loki/api/v1/push";
+          url = "http://${metricsHost}:3100/loki/api/v1/push";
        }
      ];
      scrape_configs = [
--- a/common/pwndbg-gdb-alias.nix
+++ b/common/pwndbg-gdb-alias.nix
@@ -0,0 +1,8 @@
 { pwndbg }:
 # "$ coredumpctl gdb" always runs "gdb" from your path.
 pwndbg.overrideAttrs ({ installPhase ? "", ... }: {
  installPhase = installPhase + ''
    ln -s $out/bin/pwndbg $out/bin/gdb
  '';
 })
--- a/common/securecrt.nix
+++ b/common/securecrt.nix
@@ -0,0 +1,81 @@
 {
  lib,
  stdenv,
  fetchurl,
  autoPatchelfHook,
  dpkg,
  cups,
  gtkmm3,
  icu74,
  krb5,
  makeWrapper,
  openssl,
  pango,
  python312,
  xcb-util-cursor,
  xorg,
 }:
 let
  packageId = "scrt_ubuntu2464_deb_963";
 in stdenv.mkDerivation rec {
  pname = "securecrt";
  version = "9.6.3";
  src = fetchurl {
    url = "https://www.vandyke.com/cgi-bin/download_1.php";
    name = "${pname}-${version}.deb";
    curlOpts = "-X POST --data 'pid=${packageId}&export_check=accept&country=no&su";
    sha256 = "sha256-PsFuxJ7H0rJCWWi+rvzrlRUJlp9R4MG14d883/kl9Lo=";
  };
  unpackCmd = "dpkg -x $curSrc source";
  nativeBuildInputs = [
    dpkg
    autoPatchelfHook
  ];
  buildInputs = [
    cups
    gtkmm3
    icu74
    krb5
    makeWrapper
    openssl
    pango
    python312
    xcb-util-cursor
    xorg.xcbutilkeysyms
    xorg.xcbutilwm
  ];
  dontConfigure = true;
  dontBuild = true;
  dontWrapQTApps = true;
  installPhase = ''
    runhook preInstall
    mkdir -p "$out"
    cp -R usr/* "$out/"
    wrapProgram "$out/bin/SecureCRT" --set QT_QPA_PLATFORM_PLUGIN_PATH "$out/lib/scrt/plugins/platforms"
    runhook postInstall
  '';
  meta = with lib; {
    homepage = "https://www.vandyke.com/products/securecrt/unix.html";
    description = "Terminal emulator for computing professionals, with advanced session management";
    license = {
      free = false;
      fullName = "Unknown / Custom";
    };
    platforms = with lib.platforms; linux ++ darwin ++ windows;
    broken = !(stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64);
  };
  mainProgram = "SecureCRT";
 }
--- a/common/sketchybar-app-font.nix
+++ b/common/sketchybar-app-font.nix
@@ -0,0 +1,14 @@
 { lib, stdenvNoCC, fetchurl }:
 stdenvNoCC.mkDerivation rec {
  name = "sketchybar-app-font";
  version = "1.0.20";
  src = fetchurl {
    url = "https://github.com/kvndrsslr/sketchybar-app-font/releases/download/v${version}/sketchybar-app-font.ttf";
    hash = "sha256-pf3SSxzlNIdbXXHfRauFCnrVUMOd5J9sSUE9MsfWrwo=";
  };
  phases = [ "installPhase" ];
  installPhase = ''
    install -Dm644 $src $out/share/fonts/sketchybar-app-font/Regular.ttf
  '';
 }
--- a/common/wireguard-peers.nix
+++ b/common/wireguard-peers.nix
@@ -0,0 +1,44 @@
 [
  { # Sulu
    publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
    allowedIPs = [
      "10.100.0.3/32"
    ];
  }
  { # Worf
    publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
    allowedIPs = [
      "10.100.0.4/32"
    ];
  }
  { # Phone
    publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
    allowedIPs = [
      "10.100.0.5/32"
    ];
  }
  { # Riker
    publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
    allowedIPs = [
      "10.100.0.6/32"
    ];
  }
  { # fa-t14-2025
    publicKey = "UPpUVWQqOKT65MFym1sFDTstNmuynDYE4LOOtbWqEng=";
    allowedIPs = [
      "10.100.0.7/32"
    ];
  }
  { # Turtle
    publicKey = "mDzAtRPv+O5TDHa9DGodF/KKuFXRBYwSqfPyeWfdfRI=";
    allowedIPs = [
      "10.100.0.8/32"
    ];
  }
  { # Amalies phone
    publicKey = "Iqoq00e5rUNygmjOKmSPzvDTzvUdpxkpwVrD6UJXG2w=";
    allowedIPs = [
      "10.100.0.9/32"
    ];
  }
 ]
--- a/flake.lock
+++ b/flake.lock
@@ -1,57 +1,223 @@
 {
  "nodes": {
    "extra-config": {
      "locked": {
        "lastModified": 1745649002,
        "narHash": "sha256-XNBExt3+U3o4lip+yj6oorCEPZ9Qe8PzBSFM5ZzVtSA=",
        "ref": "refs/heads/main",
        "rev": "50c9c15db2b309d299b1c19089c962979e01f45b",
        "revCount": 13,
        "type": "git",
        "url": "file:///home/felixalb/nix-extra-config"
      },
      "original": {
        "type": "git",
        "url": "file:///home/felixalb/nix-extra-config"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1747046372,
        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1764776959,
        "narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "e1680d594a9281651cbf7d126941a8c8e2396183",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-25.11",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "matrix-synapse-next": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1765214213,
        "narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=",
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
        "rev": "82959f612ffd523a49c92f84358a9980a851747b",
        "type": "github"
      },
      "original": {
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
        "type": "github"
      }
    },
    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-darwin"
        ]
      },
      "locked": {
        "lastModified": 1764161084,
        "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
        "owner": "nix-darwin",
        "repo": "nix-darwin",
        "rev": "e95de00a471d07435e0527ff4db092c84998698e",
        "type": "github"
      },
      "original": {
        "owner": "nix-darwin",
        "ref": "nix-darwin-25.11",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "nix-minecraft": {
      "inputs": {
        "flake-compat": "flake-compat",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1764813963,
        "narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
        "rev": "491200d6848402bbab1421cccbc15a46f08c7f78",
        "type": "github"
      },
      "original": {
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1687573514,
+        "lastModified": 1764677808,
-        "narHash": "sha256-jek0ezqxfiFPALhimRDBzgGOSgDv7ExZFhPDmAXoIsw=",
+        "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3ef8b37f59cf2e0b57371df726f3c0ecacfa0e73",
+        "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.05-small",
+        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs-stable": {
+    "nixpkgs-2211": {
      "locked": {
-        "lastModified": 1687031877,
+        "narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
-        "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
+        "type": "tarball",
        "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
      }
    },
    "nixpkgs-darwin": {
      "locked": {
        "lastModified": 1764806471,
        "narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
+        "rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "nixpkgs-25.11-darwin",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1764667669,
        "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "418468ac9527e799809c900eda37cbff999199b6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "extra-config": "extra-config",
        "home-manager": "home-manager",
        "matrix-synapse-next": "matrix-synapse-next",
        "nix-darwin": "nix-darwin",
        "nix-minecraft": "nix-minecraft",
        "nixpkgs": "nixpkgs",
-        "sops-nix": "sops-nix",
+        "nixpkgs-2211": "nixpkgs-2211",
-        "unstable": "unstable"
+        "nixpkgs-darwin": "nixpkgs-darwin",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1687398569,
+        "lastModified": 1764483358,
-        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
+        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
+        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
        "type": "github"
      },
      "original": {
@@ -60,19 +226,18 @@
        "type": "github"
      }
    },
-    "unstable": {
+    "systems": {
      "locked": {
-        "lastModified": 1687639213,
+        "lastModified": 1681028828,
-        "narHash": "sha256-m/jb2D62UXMPy8LeiF39/qGbDBpNpix/h7ne1EXRl9M=",
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "NixOS",
+        "owner": "nix-systems",
-        "repo": "nixpkgs",
+        "repo": "default",
-        "rev": "8eef75145e6c3beada369aee48bd9c2c3a4dee88",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "owner": "nix-systems",
-        "ref": "nixos-unstable-small",
+        "repo": "default",
        "repo": "nixpkgs",
        "type": "github"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@@ -2,60 +2,136 @@
  description = "Felixalb System flake";
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix
-    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin";
    nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin";
    home-manager.url = "github:nix-community/home-manager/release-25.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release
    matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
    nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
    extra-config.url = "git+file:///home/felixalb/nix-extra-config";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = { self, nixpkgs, unstable, sops-nix, ... }@inputs:
+  outputs = {
    self
    , home-manager
    , matrix-synapse-next
    , nix-minecraft
    , nix-darwin
    , nixpkgs
    , nixpkgs-2211
    , nixpkgs-darwin
    , nixpkgs-unstable
    , sops-nix
    , extra-config
  , ... }@inputs:
    let
-      system = "x86_64-linux";
+      pkgs-overlay = final: prev: {
-      overlay-unstable = final: prev: {
+        unstable = import nixpkgs-unstable {
-        unstable = unstable.legacyPackages.${prev.system};
+          system = prev.system;
          config.allowUnfree = true;
        };
        nixpkgs-2211 = import nixpkgs-2211 {
          system = prev.system;
          config.allowUnfree = true;
        };
        pwndbg-gdb-alias = prev.callPackage ./common/pwndbg-gdb-alias.nix { };
        securecrt = prev.callPackage ./common/securecrt.nix { };
      };
    in
    {
-      nixosConfigurations = {
+      nixosConfigurations = let
-        voyager = nixpkgs.lib.nixosSystem {
+        normalSys = name: hostConfig: nixpkgs.lib.nixosSystem {
-          inherit system;
+          system = "x86_64-linux"; # TODO - Handle
          specialArgs = {
            inherit inputs;
          };
          modules = [
-            # Overlays-module makes "pkgs.unstable" available in configuration.nix
+            ({ config, pkgs, ... }: {
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+              # Make "pkgs.unstable" etc. available
              nixpkgs.overlays = [ pkgs-overlay ] ++ hostConfig.overlays or [ ];
            })
-            ./hosts/voyager/configuration.nix
+            ./hosts/${name}/configuration.nix
            sops-nix.nixosModules.sops
-          ];
+            home-manager.nixosModules.home-manager {
              home-manager.useGlobalPkgs = true;
              home-manager.useUserPackages = true;
              home-manager.users = {
                "felixalb" = import ./hosts/${name}/home.nix;
              } // hostConfig.home-manager-users or { };
            }
          ] ++ hostConfig.modules or [ ];
        };
-        chapel = nixpkgs.lib.nixosSystem {
+      in {
-          inherit system;
+
-          specialArgs = {
+        # Media / storage server
-            inherit inputs;
+        challenger = normalSys "challenger" {
          };
          modules = [
-            ./hosts/chapel/configuration.nix
+            extra-config.nixosModules.default
            sops-nix.nixosModules.sops
          ];
        };
-        redshirt = nixpkgs.lib.nixosSystem {
+
-          inherit system;
+        # General application server
-          specialArgs = {
+        defiant = normalSys "defiant" {
            inherit inputs;
          };
          modules = [
-            ./hosts/redshirt/configuration.nix
+            ./common/domeneshop-dyndns.nix
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+            matrix-synapse-next.nixosModules.default
            sops-nix.nixosModules.sops
          ];
        };
        # Work laptop
        fa-t14-2025 = normalSys "fa-t14-2025" { };
        # Web host
        leonard = normalSys "leonard" { };
        # General application server
        morn = normalSys "morn" { };
        # Home desktop
        sisko = normalSys "sisko" { };
      };
      # Daily driver macbook
      darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
        system = "aarch64-darwin";
        specialArgs = {
          inherit inputs;
        };
        modules = [
          ({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
          ./hosts/worf/configuration.nix
          home-manager.darwinModules.home-manager {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.users."felixalb" = import ./hosts/worf/home.nix;
          }
        ];
      };
      devShells.x86_64-linux = {
        default = nixpkgs.legacyPackages.x86_64-linux.callPackage ./shell.nix { };
      };
      devShells.aarch64-darwin = {
        default = nixpkgs.legacyPackages.aarch64-darwin.callPackage ./shell.nix { };
      };
    };
 }
--- a/home/alacritty.nix
+++ b/home/alacritty.nix
@@ -0,0 +1,355 @@
 { pkgs, lib, inputs, config, ...}:
 {
  programs.alacritty = {
    enable = true;
    settings = {
      env = {
        TERM = "xterm-256color";
      };
      window = {
        padding = {
          x = 8;
          y = 2;
        };
        dynamic_padding = true;
        dynamic_title = true;
        decorations = "none"; # full/none/transparent/buttonless
        # Transparency:
        opacity = lib.mkDefault 0.95;
      };
      scrolling = {
        history = 9999;
        multiplier = 3;
      };
      # Font configuration (changes require restart)
      font = {
        normal = {
          family = "Hack Nerd Font Mono";
          style = "Regular";
        };
        bold = {
          family = "Hack Nerd Font Mono";
          style = "Bold";
        };
        italic = {
          family = "Hack Nerd Font Mono";
          style = "Italic";
        };
        size = 14;
      };
      colors = {
        draw_bold_text_with_bright_colors = true;
        # # gruvbox_material_medium_dark
        #  primary = {
        #     background = "0x282828";
        #     foreground = "0xd4be98";
        #   };
        #   normal = {
        #     black =  "0x3c3836";
        #     red =     "0xea6962";
        #     green =   "0xa9b665";
        #     yellow =  "0xd8a657";
        #     blue =    "0x7daea3";
        #     magenta = "0xd3869b";
        #     cyan =    "0x89b482";
        #     white =   "0xd4be98";
        #   };
        #   bright = {
        #     black =   "0x3c3836";
        #     red =     "0xea6962";
        #     green =   "0xa9b665";
        #     yellow =  "0xd8a657";
        #     blue =    "0x7daea3";
        #     magenta = "0xd3869b";
        #     cyan =    "0x89b482";
        #     white =   "0xd4be98";
        #   };
        # # # Tomorrow Night Bright
        # primary = {
        #   background = "0x141414";
        #   foreground = "0xeaeaea";
        # };
        # cursor = {
        #   text = "0x000000";
        #   cursor = "0xffffff";
        # };
        # normal = {
        #   black   = "0x000000";
        #   red     = "0xd54e53";
        #   green   = "0x82de37";
        #   yellow  = "0xe6c547";
        #   blue    = "0x7aa6da";
        #   magenta = "0xc397d8";
        #   cyan    = "0x70c0ba";
        #   white   = "0xffffff";
        # };
        # bright = {
        #   black   = "0x666666";
        #   red     = "0xff3334";
        #   green   = "0x8bd45d";
        #   yellow  = "0xe7c547";
        #   blue    = "0x7aa6da";
        #   magenta = "0xb77ee0";
        #   cyan    = "0x54ced6";
        #   white   = "0xffffff";
        # };
        # Nord:
        primary = {
          background = "0x2e3440";
          foreground = "0xd8dee9";
          dim_foreground = "0xa5abb6";
        };
        cursor = {
          text = "0x2e3440";
          cursor = "0xd8dee9";
        };
        vi_mode_cursor = {
          text = "0x2e3440";
          cursor = "0xd8dee9";
        };
        selection = {
          text = "CellForeground";
          background = "0x4c566a";
        };
        normal = {
          black   = "0x3b4252";
          red     = "0xbf616a";
          green   = "0xa3be8c";
          yellow  = "0xebcb8b";
          blue    = "0x81a1c1";
          magenta = "0xb48ead";
          cyan    = "0x88c0d0";
          white   = "0xe5e9f0";
        };
        bright = {
          black   = "0x4c566a";
          red     = "0xbf616a";
          green   = "0xa3be8c";
          yellow  = "0xebcb8b";
          blue    = "0x81a1c1";
          magenta = "0xb48ead";
          cyan    = "0x8fbcbb";
          white   = "0xeceff4";
        };
        dim = {
          black   = "0x373e4d";
          red     = "0x94545d";
          green   = "0x809575";
          yellow  = "0xb29e75";
          blue    = "0x68809a";
          magenta = "0x8c738c";
          cyan    = "0x6d96a5";
          white   = "0xaeb3bb";
        };
        # Indexed Colors
        #
        # The indexed colors include all colors from 16 to 256.
        # When these are not set, they're filled with sensible defaults.
        #
        # Example:
        #   `- { index: 16, color: '0xff00ff' }`
        #
        # indexed_colors: []
      };
      bell = {
        animation = "Ease";
        color = "0xffffff";
        duration = 100;
      };
      # Key bindings
      #
      # Key bindings are specified as a list of objects. Each binding will specify a
      # key and modifiers required to trigger it, terminal modes where the binding is
      # applicable, and what should be done when the key binding fires. It can either
      # send a byte sequence to the running application (`chars`), execute a
      # predefined action (`action`) or fork and execute a specified command plus
      # arguments (`command`).
      #
      # Bindings are always filled by default, but will be replaced when a new binding
      # with the same triggers is defined. To unset a default binding, it can be
      # mapped to the `None` action.
      #
      # Example:
      #   `- { key: V, mods: Control|Shift, action: Paste }`
      #
      # Available fields:
      #   - key
      #   - mods (optional)
      #   - chars | action | command (exactly one required)
      #   - mode (optional)
      #
      # Values for `key`:
      #   - `A` -> `Z`
      #   - `F1` -> `F12`
      #   - `Key1` -> `Key0`
      #
      #   A full list with available key codes can be found here:
      #   https://docs.rs/glutin/*/glutin/enum.VirtualKeyCode.html#variants
      #
      #   Instead of using the name of the keys, the `key` field also supports using
      #   the scancode of the desired key. Scancodes have to be specified as a
      #   decimal number.
      #   This command will allow you to display the hex scancodes for certain keys:
      #     `showkey --scancodes`
      #
      # Values for `mods`:
      #   - Command
      #   - Control
      #   - Option
      #   - Super
      #   - Shift
      #   - Alt
      #
      #   Multiple `mods` can be combined using `|` like this: `mods: Control|Shift`.
      #   Whitespace and capitalization is relevant and must match the example.
      #
      # Values for `chars`:
      #   The `chars` field writes the specified string to the terminal. This makes
      #   it possible to pass escape sequences.
      #   To find escape codes for bindings like `PageUp` ("\x1b[5~"), you can run
      #   the command `showkey -a` outside of tmux.
      #   Note that applications use terminfo to map escape sequences back to
      #   keys. It is therefore required to update the terminfo when
      #   changing an escape sequence.
      #
      # Values for `action`:
      #   - Paste
      #   - PasteSelection
      #   - Copy
      #   - IncreaseFontSize
      #   - DecreaseFontSize
      #   - ResetFontSize
      #   - ScrollPageUp
      #   - ScrollPageDown
      #   - ScrollLineUp
      #   - ScrollLineDown
      #   - ScrollToTop
      #   - ScrollToBottom
      #   - ClearHistory
      #   - Hide
      #   - Quit
      #   - ClearLogNotice
      #   - SpawnNewInstance
      #   - ToggleFullscreen
      #   - None
      #
      # Values for `action` (macOS only):
      #   - ToggleSimpleFullscreen: Enters fullscreen without occupying another space
      #
      # Values for `command`:
      #   The `command` field must be a map containing a `program` string and
      #   an `args` array of command line parameter strings.
      #
      #   Example:
      #       `command: { program: "alacritty", args: ["-e", "vttest"] }`
      #
      # Values for `mode`:
      #   - ~AppCursor
      #   - AppCursor
      #   - ~AppKeypad
      #   - AppKeypad
      #
      # key_bindings:
      #   - { key: V,        mods: Alt,       action: Paste                        }
      #   - { key: C,        mods: Alt,       action: Copy                         }
      #   - { key: Q,        mods: Alt,       action: Quit                         }
      #   - { key: N,        mods: Alt,       action: SpawnNewInstance             }
      #   - { key: Return,   mods: Alt,       action: ToggleFullscreen             }
      #   - { key: Home,                          chars: "\x1bOH",   mode: AppCursor   }
      #   - { key: Home,                          chars: "\x1b[H",   mode: ~AppCursor  }
      #   - { key: End,                           chars: "\x1bOF",   mode: AppCursor   }
      #   - { key: End,                           chars: "\x1b[F",   mode: ~AppCursor  }
      #   - { key: Equals,   mods: Alt,       action: IncreaseFontSize             }
      #   - { key: Minus,    mods: Alt,       action: DecreaseFontSize             }
      #   - { key: Minus,    mods: Alt|Shift, action: ResetFontSize                }
      #   - { key: PageUp,   mods: Shift,         chars: "\x1b[5;2~"                   }
      #   - { key: PageUp,   mods: Control,       chars: "\x1b[5;5~"                   }
      #   - { key: PageUp,                        chars: "\x1b[5~"                     }
      #   - { key: PageDown, mods: Shift,         chars: "\x1b[6;2~"                   }
      #   - { key: PageDown, mods: Control,       chars: "\x1b[6;5~"                   }
      #   - { key: PageDown,                      chars: "\x1b[6~"                     }
      #   - { key: Left,     mods: Shift,         chars: "\x1b[1;2D"                   }
      #   - { key: Left,     mods: Control,       chars: "\x1b[1;5D"                   }
      #   - { key: Left,     mods: Alt,           chars: "\x1b[1;3D"                   }
      #   - { key: Left,                          chars: "\x1b[D",   mode: ~AppCursor  }
      #   - { key: Left,                          chars: "\x1bOD",   mode: AppCursor   }
      #   - { key: Right,    mods: Shift,         chars: "\x1b[1;2C"                   }
      #   - { key: Right,    mods: Control,       chars: "\x1b[1;5C"                   }
      #   - { key: Right,    mods: Alt,           chars: "\x1b[1;3C"                   }
      #   - { key: Right,                         chars: "\x1b[C",   mode: ~AppCursor  }
      #   - { key: Right,                         chars: "\x1bOC",   mode: AppCursor   }
      #   - { key: Up,       mods: Shift,         chars: "\x1b[1;2A"                   }
      #   - { key: Up,       mods: Control,       chars: "\x1b[1;5A"                   }
      #   - { key: Up,       mods: Alt,           chars: "\x1b[1;3A"                   }
      #   - { key: Up,                            chars: "\x1b[A",   mode: ~AppCursor  }
      #   - { key: Up,                            chars: "\x1bOA",   mode: AppCursor   }
      #   - { key: Down,     mods: Shift,         chars: "\x1b[1;2B"                   }
      #   - { key: Down,     mods: Control,       chars: "\x1b[1;5B"                   }
      #   - { key: Down,     mods: Alt,           chars: "\x1b[1;3B"                   }
      #   - { key: Down,                          chars: "\x1b[B",   mode: ~AppCursor  }
      #   - { key: Down,                          chars: "\x1bOB",   mode: AppCursor   }
      #   - { key: Tab,      mods: Shift,         chars: "\x1b[Z"                      }
      #   - { key: F1,                            chars: "\x1bOP"                      }
      #   - { key: F2,                            chars: "\x1bOQ"                      }
      #   - { key: F3,                            chars: "\x1bOR"                      }
      #   - { key: F4,                            chars: "\x1bOS"                      }
      #   - { key: F5,                            chars: "\x1b[15~"                    }
      #   - { key: F6,                            chars: "\x1b[17~"                    }
      #   - { key: F7,                            chars: "\x1b[18~"                    }
      #   - { key: F8,                            chars: "\x1b[19~"                    }
      #   - { key: F9,                            chars: "\x1b[20~"                    }
      #   - { key: F10,                           chars: "\x1b[21~"                    }
      #   - { key: F11,                           chars: "\x1b[23~"                    }
      #   - { key: F12,                           chars: "\x1b[24~"                    }
      #   - { key: Back,                          chars: "\x7f"                        }
      #   - { key: Back,     mods: Alt,           chars: "\x1b\x7f"                    }
      #   - { key: Insert,                        chars: "\x1b[2~"                     }
      #   - { key: Delete,                        chars: "\x1b[3~"                     }
      selection = {
        semantic_escape_chars = ",│`|:\"' ()[]{}<>";
        save_to_clipboard = false;
      };
      cursor = {
        style = {
          shape = "Block";
          blinking = "on";
        };
        unfocused_hollow = true;
      };
    };
  };
 }
--- a/home/amalieem/default.nix
+++ b/home/amalieem/default.nix
@@ -0,0 +1,43 @@
 { pkgs, lib, ... }:
 {
  imports = [
    ./../alacritty.nix
  ];
  home = {
    packages = with pkgs; [
      papers
      kitty
      pavucontrol
      # Window Manager Extras
      bibata-cursors
      hyprcursor
      hypridle
      hyprlock
      hyprpaper
      hyprshot
      nautilus
      networkmanager
      swaynotificationcenter
      waybar
      wl-clipboard
    ];
    sessionVariables = {
      EDITOR = "nvim";
      VISUAL = "nvim";
    };
  };
  programs = {
    alacritty = {
      enable = true;
      settings.window.opacity = 0.92;
    };
    firefox.enable = true;
    wofi.enable = true;
  };
  home.stateVersion = "24.11";
 }
--- a/home/base.nix
+++ b/home/base.nix
@@ -0,0 +1,69 @@
 { pkgs, lib, ... }:
 {
  imports = [
    ./neovim.nix
    ./zsh.nix
  ];
  home = {
    packages = with pkgs; [
      bat
      bottom
      # ncdu
      neofetch
      pwgen
      sshfs
      sshuttle
    ];
    sessionVariables = {
      EDITOR = "nvim";
      VISUAL = "nvim";
    };
  };
  programs.nix-index = {
    enable = true;
    enableZshIntegration = true;
  };
  programs.fzf.enable = true;
  programs.git = {
    enable = true;
    settings = {
      pull.rebase = true;
      push.autoSetupRemote = true;
      color.ui = "auto";
      init.defaultBranch = "main";
      lfs.enable = true;
      user = {
        name = "Felix Albrigtsen";
        email = lib.mkDefault "felix@albrigtsen.it";
      };
      safe = {
        directory = "/config";
      };
    };
    ignores = [
      "*~"
      "*.swp"
      ".DS_Store"
      ".vscode"
    ];
  };
  programs.tmux = {
    enable = true;
    sensibleOnTop = true;
    baseIndex = 1;
    clock24 = true;
    keyMode = "vi";
    mouse = true;
    terminal = "screen-256color";
  };
 }
--- a/home/felixalb/home.nix
+++ b/home/felixalb/home.nix
@@ -1,46 +0,0 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./nvim.nix
  ];
  home.username = "felixalb";
  home.homeDirectory = "/home/felixalb";
  home.stateVersion = "22.11";
  programs = {
 	home-manager.enable = true;
        alacritty = {
          enable = true;
        };
        firefox.enable = true;
        rofi.enable = true;
        zsh = {
          enable = true;
          enableAutosuggestions = true;
          enableSyntaxHighlighting = true;
          prezto = {
            enable = true;
            prompt.theme = "paradox";
          };
          # initExtra = ''
          #   bindkey "''${key[Up]}" up-line-or-search
          #   bindkey "''${key[Down]}" down-line-or-search
          # '';
        };
 	git = {
 		enable = true;
 		userName = "Felix Albrigtsen";
 		userEmail = "felixalbrigtsen@gmail.com";
 	};
  };
  services = {
    redshift = {
      enable = true;
      tray = true;
      duskTime = "19:30-20:30";
      dawnTime = "7:30-8:30";
    };
  };
 }
--- a/home/felixalb/nvim.nix
+++ b/home/felixalb/nvim.nix
@@ -1,69 +0,0 @@
 { pkgs, config, ... }
 {
  programs.neovim = {
    enable = true;
    vimAlias = true;
    extraConfig = ''
      set number	" Show line numbers
      set number relativenumber " Enable hybrid line numbers
      set nu rnu
      set signcolumn=number
      set showmatch	" Highlight matching brace
      set errorbells	" Beep or flash screen on errors
      set hlsearch	" Highlight all search results
      set smartcase	" Enable smart-case search
      set incsearch	" Searches for strings incrementally
      set autoindent	" Auto-indent new lines
      set expandtab	" Use spaces instead of tabs
      set shiftwidth=2 " Number of auto-indent spaces
      set smartindent	" Enable smart-indent
      set smarttab	" Enable smart-tabs
      set softtabstop=0 " Number of spaces per Tab, auto
      set updatetime=300 " Time interval for updating buffers
      set ruler	" Show row and column ruler information
      set undolevels=1000	" Number of undo levels
      set backspace=indent,eol,start	" Backspace behaviour
    '';
    plugins = with pkgs.vimPlugins; [
      vim-nix
      vim-commentary
      vim-devicons
      { plugin = nerdtree;
        config = "
        nmap <silent> <C-t> :NERDTreeToggle<CR>
        autocmd VimEnter * NERDTree \" Autostart nerdtree on vim startup
        autocmd VimEnter * wincmd p \" Unselect nerdtree window
        \" Close vim if Nerdtree is the only buffer left
        autocmd bufenter * if (winnr(\"$\") == 1 && exists(\"b:NERDTree\") && b:NERDTree.isTabTree()) | q | endif
        ";
      }
    ];
    withNodeJs = true;
    coc = {
      enable = true;
      settings = {
        "suggest.enablePreview" = true;
        "suggest.enablePreselect" = true;
      };
      package = pkgs.vimUtils.buildVimPluginFrom2Nix {
        pname = "coc.nvim";
        version = "2022-05-21";
        src = pkgs.fetchFromGitHub {
          owner = "neoclide";
          repo = "coc.nvim";
          rev = "791c9f673b882768486450e73d8bda10e391401d";
          sha256 = "sha256-MobgwhFQ1Ld7pFknsurSFAsN5v+vGbEFojTAYD/kI9c=";
        };
        meta.homepage = "https://github.com/neoclide/coc.nvim/";
      };
    };
  };
 }
--- a/home/neovim.nix
+++ b/home/neovim.nix
@@ -0,0 +1,140 @@
 { pkgs, lib, inputs, config, ...}:
 let
  undoDir = "${config.home.homeDirectory}/.vim/undo";
 in {
  programs.neovim = {
    enable = true;
    defaultEditor = true;
    viAlias = true;
    vimAlias = true;
    vimdiffAlias = true;
    plugins = with pkgs.vimPlugins; [
      lightline-vim
      vim-lightline-coc
      vim-commentary
      vim-fugitive
      nerdtree
      nerdtree-git-plugin
      vim-devicons
      telescope-nvim
      nvim-lspconfig
      nvim-treesitter
      coc-css
      coc-go
      coc-html
      coc-json
      coc-nvim
      vim-nix
      vim-puppet
    ];
    withNodeJs = true;
    extraConfig = ''
      let mapleader = ','
      set number
      set shiftwidth=2
      set tabstop=2
      set expandtab
      set undofile
      set undodir=${undoDir}
      set undolevels=1000
      set undoreload=10000
      " Integrate status with lightline
      let g:lightline = {
        \   'active': {
        \     'left': [[ 'mode', 'paste', 'filename', 'readonly', 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status'  ]]
        \   }
        \ }
      " register components:
      call lightline#coc#register()
      " GoTo code navigation.
      nmap <silent> gd <Plug>(coc-definition)
      nmap <silent> gy <Plug>(coc-type-definition)
      nmap <silent> gi <Plug>(coc-implementation)
      nmap <silent> gr <Plug>(coc-references)
      " Use K to show documentation in preview window.
      nnoremap <silent> K :call ShowDocumentation()<CR>
      function! ShowDocumentation()
        if CocAction('hasProvider', 'hover')
          call CocActionAsync('doHover')
        else
          call feedkeys('K', 'in')
        endif
      endfunction
      " Enable syntax folding with coc
      command! -nargs=* Fold :call CocAction('fold', <f-args>)
      inoremap <silent><expr> <CR> coc#pum#visible() ? coc#pum#confirm()
                                    \: "\<C-g>u\<CR>\<c-r>=coc#on_enter()\<CR>"
      " Highlight the symbol and its references when holding the cursor.
      autocmd CursorHold * silent call CocActionAsync('highlight')
      " Symbol renaming.
      nmap <leader>rn <Plug>(coc-rename)
      " Use CTRL-S for selections ranges.
      " Requires 'textDocument/selectionRange' support of language server.
      nmap <silent> <C-s> <Plug>(coc-range-select)
      xmap <silent> <C-s> <Plug>(coc-range-select)
      " Step through diagnostics
      nmap <silent> <g <Plug>(coc-diagnostic-prev)
      nmap <silent> >g <Plug>(coc-diagnostic-next)
      " Nerdtree-settings
      " Toggle nerdtree on Ctrl+t
      nmap <silent> <C-t> :NERDTreeToggle<CR>
      " Close vim is Nerdtree is the only buffer left
      autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
      if empty($AERC_ACCOUNT) && empty($MOZ_APP_LAUNCHER)
        autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
        autocmd VimEnter * wincmd p " Unselect nerdtree window
      endif
      autocmd Filetype go setlocal expandtab tabstop=4 shiftwidth=4 softtabstop=4
      " List and switch buffers on Ctrl+k
      " nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space>
      nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR>
      " Telescope-settings
      nnoremap <leader>ff <cmd>Telescope find_files<cr>
      nnoremap <leader>fg <cmd>Telescope live_grep<cr>
      nnoremap <leader>fb <cmd>Telescope buffers<cr>
      nnoremap <leader>fh <cmd>Telescope help_tags<cr>
      nnoremap <C-a> <cmd>Telescope buffers<cr>
      nnoremap <C-s> <cmd>Telescope find_files<cr>
      nnoremap <C-g> <cmd>Telescope live_grep<cr>
      " Don't darken the background
      autocmd VimEnter * highlight normal ctermbg=NONE guibg=NONE
      " Show trailing whitespace
      highlight ExtraWhitespace ctermbg=red guibg=red
      match ExtraWhitespace /\s\+$/
      " Disable search highlights
      map <Leader><Space> :noh<CR>
      " Start with Coc disabled
      " autocmd VimEnter * CocDisable
    '';
  };
  # Create undo directory
  home.activation.vimUndoDir = lib.hm.dag.entryAfter ["writeBoundary"] "mkdir -p ${undoDir}";
 }
--- a/home/zsh.nix
+++ b/home/zsh.nix
@@ -0,0 +1,74 @@
 { pkgs, lib, inputs, config, ... }: {
  programs = {
    zsh = {
      enable = true;
      history.extended = true;
      prezto = {
        enable = true;
        editor = {
          keymap = "vi";
          dotExpansion = true;
        };
        prompt = {
          theme = "paradox";
          pwdLength = "long";
          showReturnVal = true;
        };
        terminal.autoTitle = true;
        pmodules = [
          "environment"
          "terminal"
          "editor"
          "history"
          "history-substring-search"
          # "directory"
          "spectrum"
          # "utility"
          # "completion"
          "git"
          "autosuggestions"
          "syntax-highlighting"
          "prompt"
        ];
      };
      initContent = ''
        # Autocomplete ../
        zstyle ':completion:*' special-dirs true
        export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH"
        unalias "gs"
        if [ -f ~/.config/zsh-extras ]; then
          source ~/.config/zsh-extras
        fi
      '';
      shellAliases = {
        c = "z";
        em = "emacsclient -c";
        emnw = "emacsclient -nw";
        grep = "grep --color=auto";
        l = "exa -l";
        ls = "ls --color=auto";
        nd = "nix develop --command zsh";
        s = "nix-shell --run zsh";
        sp = "nix-shell --run zsh -p";
        spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p";
        tree = "exa --tree --icons";
        "git clone git clone" = "git clone";
        gcm = "git commit -m";
        gpl = "git pull";
        gps = "git push";
        gst = "git status -sb";
      };
    };
    zoxide = {
      enable = true;
      enableZshIntegration = true;
    };
  };
 }
--- a/hosts/challenger/amalieem.nix
+++ b/hosts/challenger/amalieem.nix
@@ -0,0 +1,37 @@
 { config, pkgs, lib, ... }:
 let
  cmdChownManga = pkgs.writeScriptBin "chownManga" ''
    #!${pkgs.stdenv.shell}
    chown -R amalieem:komga /tank/media/komga/Amalie
    chmod -R 750 /tank/media/komga/Amalie
  '';
 in {
  users.users."amalieem" = {
    isNormalUser = true;
    home = "/home/amalieem";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
    ];
    packages = with pkgs; [
      cmdChownManga
      mangal
      rsync
    ];
  };
  security.sudo = {
    enable = true;
    extraRules = [{
      commands = [
        {
          command = "${lib.getExe cmdChownManga}";
          options = [ "NOPASSWD" ];
        }
      ];
      users = [ "amalieem" ];
    }];
  };
 }
--- a/hosts/challenger/backup.nix
+++ b/hosts/challenger/backup.nix
@@ -0,0 +1,84 @@
 { config, pkgs, lib, ... }:
 {
  services.restic.backups = let
    localJob = name: paths: {
      inherit paths;
      repository = "/mnt/feal-syn1/backup/challenger/${name}";
      passwordFile = config.sops.secrets."restic/${name}".path;
      initialize = true;
      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 4"
        "--keep-monthly 3"
        "--keep-yearly 10"
      ];
    };
    cloudJob = name: paths: {
      inherit paths;
      # "rsyncnet" connection details specified in /root/.ssh/config
      repository = "sftp://rsyncnet/restic/challenger/${name}";
      passwordFile = config.sops.secrets."restic/${name}".path;
      initialize = true;
      pruneOpts = [
        # rsync.net keeps daily snapshots
        "--keep-weekly 4"
        "--keep-monthly 36"
      ];
    };
  in {
    # Calibre metadata and config
    calibre = localJob "calibre" [
      "/var/lib/calibre-web"
      "/var/lib/calibre-server"
    ];
    # Other system backups (NB: Large!)
    hostBackups = localJob "hostBackups" [
      "/tank/backup"
    ] // {
      pruneOpts = [ "--keep-monthly 12" ];
    };
    media = localJob "media" [
      "/tank/media/books"
      "/tank/media/komga"
      "/tank/media/music"
    ];
    media-remote = cloudJob "media" [
      "/tank/media/books"
      "/tank/media/komga"
      "/tank/media/music"
    ] // {
      pruneOpts = [ "--keep-monthly 12" ];
    };
    # Nextcloud config and data
    nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
    nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
    # Postgresql databases
    postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
    };
    postgres-remote = (cloudJob "postgres" [ "/var/backup/postgres" ]) // {
      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
    };
    # Transmission metadata/config
    transmission = localJob "transmission" [ "/var/lib/transmission" ];
    # TODO: timemachine
  };
  sops.secrets."restic/calibre" = { };
  sops.secrets."restic/hostBackups" = { };
  sops.secrets."restic/media" = { };
  sops.secrets."restic/nextcloud" = { };
  sops.secrets."restic/postgres" = { };
  sops.secrets."restic/transmission" = { };
  environment.systemPackages = with pkgs; [
    restic
  ];
 }
--- a/hosts/challenger/configuration.nix
+++ b/hosts/challenger/configuration.nix
@@ -0,0 +1,65 @@
 { config, pkgs, lib, ... }:
 {
  imports =
    [
      ./hardware-configuration.nix
      ../../base.nix
      ../../common/metrics-exporters.nix
      ./amalieem.nix
      ./backup.nix
      # ./exports.nix
      ./filesystems.nix
      # ./services/archivebox.nix
      ./services/audiobookshelf.nix
      ./services/calibre.nix
      ./services/jellyfin.nix
      ./services/komga.nix
      ./services/nextcloud.nix
      ./services/nginx.nix
      ./services/postgres.nix
      ./services/timemachine.nix
  ];
  networking = {
    hostName = "challenger";
    bridges.br0.interfaces = [ "ens18" ];
    interfaces.br0.useDHCP = false;
    interfaces.br0.ipv4.addresses = [
      { address = "192.168.10.161"; prefixLength = 24; }
    ];
    hostId = "828ab735";
    defaultGateway = "192.168.10.1";
  };
  sops.defaultSopsFile = ../../secrets/challenger/challenger.yaml;
  environment.variables = { EDITOR = "vim"; };
  environment.systemPackages = with pkgs; [
    zfs
  ];
  virtualisation.docker.enable = true;
  virtualisation.oci-containers.backend = "docker";
  security.polkit.enable = true; # Required for nextcloud
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
       "nvidia-x11"
       "nvidia-settings"
  ];
  hardware.nvidia = {
    modesetting.enable = true;
    open = false;
  };
  hardware.graphics.enable = true;
  services.xserver.videoDrivers = ["nvidia"];
  system.stateVersion = "24.05";
 }
--- a/hosts/challenger/exports.nix
+++ b/hosts/challenger/exports.nix
@@ -0,0 +1,21 @@
 { config, pkgs, lib, ... }:
 {
  fileSystems = {
    "/export/riker-backup" = {
      device = "/tank/backup/riker";
      options = [ "bind" ];
    };
  };
  # Enable nfs4 only
  # services.nfs.server = {
  #   enable = true;
  #   exports = ''
  #     /export                   192.168.10.67(rw,fsid=0,no_subtree_check)
  #     /export/riker-backup      192.168.10.67(rw,nohide,no_subtree_check,no_root_squash)
  #   '';
  # };
  # networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
  # networking.firewall.allowedUDPPorts = [ 111 20048];
 }
--- a/hosts/challenger/filesystems.nix
+++ b/hosts/challenger/filesystems.nix
@@ -0,0 +1,48 @@
 { config, pkgs, lib, ... }:
 {
  # Boot drives are defined in ./hardware-configuration.nix
  environment.systemPackages = with pkgs; [ cifs-utils ];
  # Local zfs
  boot = {
    zfs = {
      extraPools = [ "tank" ];
      requestEncryptionCredentials = false;
    };
    supportedFilesystems = [ "zfs" ];
  };
  services.zfs.autoScrub = {
    enable = true;
    interval = "Wed *-*-8..14 00:00:00";
  };
  fileSystems = {
    "/mnt/feal-syn1/backup" = {
      # device = "feal-syn1.home.feal.no:/volume2/backup";
      device = "192.168.10.162:/volume2/backup";
      fsType = "nfs";
      options = [
        "defaults"
        "noatime"
        "rw"
        "nfsvers=3"
        "x-systemd.automount"
        "noauto"
      ];
    };
    "/mnt/feal-syn2/backup" = {
      # device = "feal-syn1.home.feal.no:/volume2/backup";
      device = "192.168.11.163:/volume1/challenger";
      fsType = "nfs";
      options = [
        "defaults"
        "noatime"
        "rw"
        "nfsvers=3"
        "x-systemd.automount"
        "noauto"
      ];
    };
  };
 }
--- a/hosts/challenger/hardware-configuration.nix
+++ b/hosts/challenger/hardware-configuration.nix
@@ -1,39 +1,39 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/a6465c1c-4c93-423d-84a9-e4ecb9520741";
+    { device = "/dev/disk/by-uuid/7101364b-9056-4309-afeb-3c17b220684f";
      fsType = "ext4";
    };
  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/D0C1-97CE";
+    { device = "/dev/disk/by-uuid/FDCE-A287";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
-  swapDevices = [ ];
+  swapDevices = [ {
    device = "/swapfile";
    size = 16*1024;
  } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
  # networking.interfaces.idrac.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/challenger/home.nix
+++ b/hosts/challenger/home.nix
@@ -0,0 +1,12 @@
 { pkgs, lib, ... }:
 {
  imports = [
    ./../../home/base.nix
  ];
  programs = {
    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
  };
  home.stateVersion = "24.05";
 }
--- a/hosts/challenger/services/archivebox.nix
+++ b/hosts/challenger/services/archivebox.nix
@@ -0,0 +1,35 @@
 { config, lib, ... }:
 let
  host = "127.0.1.2";
  port = "5009";
  uid = 911;
  gid = 911;
 in {
  users.users.archivebox = {
    inherit uid;
    group = "archivebox";
    isSystemUser = true;
    useDefaultShell = true;
    description = "ArchiveBox web archiving tool";
  };
  users.groups.archivebox = {
    inherit gid;
  };
  # ArchiveBox - Open source self-hosted web archiving.
  virtualisation.oci-containers.containers.archivebox = {
    image = "archivebox/archivebox:0.8.5rc50";
    ports = [ "${host}:${port}:8000" ];
    volumes = [
      "/tank/archivebox:/data"
    ];
  };
  services.nginx.virtualHosts."archivebox.home.feal.no" = {
    locations."/" = {
      proxyPass = "http://${host}:${port}";
    };
  };
 }
--- a/hosts/challenger/services/audiobookshelf.nix
+++ b/hosts/challenger/services/audiobookshelf.nix
@@ -0,0 +1,57 @@
 { config, lib, pkgs, ... }:
 let
  domain = "audiobooks.home.feal.no";
  host = "127.0.1.2";
  port = 5016;
 in {
  fileSystems = {
    "/var/lib/audiobookshelf" = {
      device = "/tank/media/audiobookshelf/config";
      options = [ "bind" ];
    };
  };
  services.audiobookshelf = {
    enable = true;
    dataDir = "audiobookshelf";
    inherit host port;
  };
  systemd.services.audiobookshelf = {
    requires = [ "var-lib-audiobookshelf.mount" ];
    serviceConfig = {
      # Better safe than sorry :)
      CapabilityBoundingSet = "";
      LockPersonality = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ReadWritePaths = [
        "/var/lib/audiobookshelf"
        "/tank/media/audiobookshelf"
      ];
      RemoveIPC = true;
      RestrictSUIDSGID = true;
      UMask = "0007";
      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
      SystemCallArchitectures = "native";
    };
  };
  services.nginx.virtualHosts.${domain} = {
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
      proxyWebsockets = true;
    };
  };
 }
--- a/hosts/challenger/services/calibre.nix
+++ b/hosts/challenger/services/calibre.nix
@@ -1,5 +1,4 @@
 { config, lib, pkgs, ... }:
 let
  domain = "books.home.feal.no";
  storage = "/tank/media/books";
@@ -7,10 +6,16 @@ let
 in {
  services = {
    nginx.virtualHosts.${domain} = {
-      locations."/".proxyPass =
+      locations = {
-        "http://${cfg.listen.ip}:${toString cfg.listen.port}";
+        "/".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
-      locations."/opds".proxyPass =
+        "/opds".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
-        "http://${cfg.listen.ip}:${toString cfg.listen.port}";
+      };
      extraConfig = ''
        client_max_body_size 512M;
        proxy_busy_buffers_size 512k;
        proxy_buffers 4 512k;
        proxy_buffer_size 256k;
      '';
    };
    calibre-server = {
@@ -27,6 +32,7 @@ in {
      options = {
        calibreLibrary = storage;
        enableBookConversion = true;
        enableKepubify = true;
        enableBookUploading = true;
      };
    };
--- a/hosts/challenger/services/jellyfin.nix
+++ b/hosts/challenger/services/jellyfin.nix
@@ -0,0 +1,35 @@
 { config, pkgs, lib, ... }:
 {
  # Jellyfin - Media Streaming platform
  services.jellyfin.enable = true;
  users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
  services.nginx.virtualHosts."jellyfin.home.feal.no" = {
    serverAliases = [ "jf.feal.no" ];
    locations = {
      "= /" = {
        return = "302 http://$host/web/";
      };
      "/" = {
        proxyPass = "http://127.0.0.1:8096";
        extraConfig = ''
          proxy_buffering off;
        '';
      };
      "/socket" = {
        proxyPass = "http://127.0.0.1:8096";
        proxyWebsockets = true;
      };
    };
    extraConfig = ''
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Content-Type-Options "nosniff";
      add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
    '';
  };
 }
--- a/hosts/challenger/services/komga.nix
+++ b/hosts/challenger/services/komga.nix
@@ -0,0 +1,21 @@
 { config, lib, pkgs, ... }:
 let
  domain = "komga.home.feal.no";
  port = 5001;
 in {
  services.komga = {
    enable = true;
    stateDir = "/tank/media/komga";
    settings.server = {
      inherit port;
    };
  };
  services.nginx.virtualHosts.${domain} = {
    locations."/".proxyPass = "http://127.0.0.1:${toString port}";
    extraConfig = ''
      client_max_body_size 512M;
    '';
  };
 }
--- a/hosts/challenger/services/nextcloud.nix
+++ b/hosts/challenger/services/nextcloud.nix
@@ -0,0 +1,154 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.nextcloud;
  hostName = "cloud.feal.no";
 in {
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud32;
    inherit hostName;
    home = "/tank/nextcloud";
    https = true;
    webfinger = true;
    config = {
      dbtype = "pgsql";
      dbuser = "nextcloud";
      dbhost = "/run/postgresql";
      dbname = "nextcloud";
      adminuser = "ncadmin";
      adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
    };
    settings = {
      default_phone_region = "NO";
      log_type = "file";
      overwriteprotocol = "https";
      trusted_proxies = [ "192.168.10.175" ]; # defiant
      # Docs: https://github.com/pulsejet/nextcloud-oidc-login
      oidc_login_auto_redirect = true;
      oidc_login_button_text = "Log in with KeyCloak";
      oidc_login_client_id = "nextcloud";
      oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
      oidc_login_code_challenge_method = "S256";
      oidc_login_end_session_redirect' = true;
      oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
      oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
      oidc_login_redir_fallback = true;
      oidc_login_attributes = {
        id = "preferred_username";
        mail = "email";
        name = "name";
        login_filter = "nextcloud-roles";
      };
      oidc_login_filter_allowed_values = [ "nextcloud-user" ];
      oidc_login_disable_registration = false;
      "memories.exiftool" = pkgs.writeShellScript "exiftool-perl" ''
        ${lib.getExe pkgs.perl} ${cfg.home}/store-apps/memories/bin-ext/exiftool/exiftool "$@"
      '';
      "memories.exiftool_no_local" = false;
      "memories.vod.disable" = false;
      "memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
      "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
      preview_ffmpeg_path = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
    };
    secretFile = config.sops.secrets."nextcloud/secretsjson".path;
    phpOptions = {
      "opcache.interned_strings_buffer" = "16";
      "upload_max_filesize" = lib.mkForce "8G";
      "post_max_size" = lib.mkForce "8G";
      "memory_limit" = lib.mkForce "8G";
    };
    poolSettings = {
      "pm" = "ondemand";
      "pm.max_children" = 32;
      "pm.process_idle_timeout" = "10s";
      "pm.max_requests" = 500;
    };
  };
  environment.systemPackages = [
    cfg.occ # "occ CMD" in the docs -> "sudo -u nextcloud nextcloud-occ CMD"
    pkgs.nodejs_20 # For Recognize; Put /run/current-system/sw/bin/node in the "node_binary" field in the web UI -> Memories
  ];
  sops.secrets."nextcloud/adminpass" = {
    mode = "0440";
    owner = "nextcloud";
    group = "nextcloud";
    restartUnits = [ "phpfpm-nextcloud.service" ];
  };
  sops.secrets."nextcloud/secretsjson" = {
    mode = "0440";
    owner = "nextcloud";
    group = "nextcloud";
    restartUnits = [ "phpfpm-nextcloud.service" ];
  };
  services.postgresql = {
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [ {
      name = "nextcloud";
      ensureDBOwnership = true;
    } ];
  };
  systemd.services.nextcloud-cron = {
    path = with pkgs; [
      exiftool
      ffmpeg-headless
    ];
  };
  systemd.services."nextcloud-setup" = {
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];
  };
  systemd.services."phpfpm-nextcloud" = {
    requires = [ "tank-nextcloud.mount" ];
    path = with pkgs; [
      # perl
      # perlPackages.ImageExifTool
      exiftool
      ffmpeg-headless
    ];
    serviceConfig = {
      PrivateDevices = lib.mkForce false;
      WorkingDirectory = "/tank/nextcloud";
      NoNewPrivileges = true;
      PrivateMounts = true;
      PrivateTmp = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
      ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
      InaccessiblePaths = [ "/tank/media" "/tank/backup" ];
      RemoveIPC = true;
      RestrictSUIDSGID = true;
      UMask = "0007";
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";
      CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
    };
  };
  # Notes:
  # - Install Memories and Recognize from the app store
  #  - They might need to be forced on with "nextcloud-occ app:enable memories", etc.
  # - Run "nextcloud-occ maintenance:repair" to fix broken paths
  # - Download ai models and maps with the commands given in the ui
  # - libtensorflow doesn't work properly through node, but recognize still works(?)
 }
--- a/hosts/challenger/services/nginx.nix
+++ b/hosts/challenger/services/nginx.nix
@@ -0,0 +1,23 @@
 { config, values, ... }:
 {
  services.nginx = {
    enable = true;
    enableReload = true;
    clientMaxBodySize = "100m";
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    virtualHosts."cloud.feal.no".default = true;
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  /* security.acme = { */
  /*   acceptTerms = true; */
  /*   email = "felix@albrigtsen.it"; */
  /* }; */
 }
--- a/hosts/challenger/services/postgres.nix
+++ b/hosts/challenger/services/postgres.nix
@@ -4,16 +4,10 @@
    enable = true;
    /* enableTCPIP = true; # Expose on the network */
    authentication = pkgs.lib.mkOverride 10 ''
     local gitea all ident map=gitea-users
     local vaultwarden all ident map=vaultwarden-users
     local all all trust
     host all all 127.0.0.1/32 trust
     host all all ::1/128 trust
    '';
    identMap = ''
      gitea-users gitea gitea
      vaultwarden-users vaultwarden vaultwarden
    '';
  };
  services.postgresqlBackup = {
@@ -23,8 +17,5 @@
    backupAll = true;
  };
  environment.systemPackages = [ config.services.postgresql.package ];
 }
--- a/hosts/challenger/services/timemachine.nix
+++ b/hosts/challenger/services/timemachine.nix
@@ -0,0 +1,42 @@
 { config, pkgs, ... }:
  let
    timeMachineDir = "/tank/backup/worf2";
    user = "worf-backup";
    sizeLimit = "1000000"; # MiB
    allowedIPs = "192.168.10.2 192.168.10.34"; #TODO
  in {
  services.avahi = {
    enable = true;
    publish = {
      enable = true;
      userServices = true;
    };
  };
  services.netatalk = {
    enable = true;
    settings = {
      Global = {
        "mimic model" = "TimeCapsule6,106";  # show the icon for the first gen TC
        "hosts allow" = allowedIPs;
      };
      "worf-time-machine" = {
        "time machine" = "yes";
        "path" = timeMachineDir;
        "valid users" = user;
        "vol size limit" = sizeLimit;
      };
    };
  };
  users.extraUsers.worf-backup = {
    isSystemUser = true;
    name = user;
    group = user;
  };
  users.groups."${user}" = {};
  networking.firewall.allowedTCPPorts = [ 548 636 ];
 }
--- a/hosts/chapel/configuration.nix
+++ b/hosts/chapel/configuration.nix
@@ -1,80 +0,0 @@
 { config, pkgs, ... }:
 {
  imports =
    [
      ../../base.nix
      ../../common/metrics-exporters.nix
      ./hardware-configuration.nix
      ./services/nginx.nix
      ./services/metrics
      ./services/cloudflared.nix
    ];
  networking = {
    hostName = "chapel";
    defaultGateway = "192.168.10.1";
    nameservers = [ "192.168.10.1" ];
    interfaces.eth0.ipv4 = {
      addresses = [
        { address = "192.168.10.100"; prefixLength = 24; }
      ];
    };
  };
  environment.variables = { EDITOR = "vim"; };
  environment.systemPackages = with pkgs; [
    ((vim_configurable.override {  }).customize{
       name = "vim";
       vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
       start = [ vim-nix vim-lastplace ];
       opt = [];
     };
     vimrcConfig.customRC = ''
     " your custom vimrc
     set number
     set relativenumber
     set nu rnu
     set signcolumn=number
     set hlsearch
     set smartcase
     set incsearch
     set autoindent
     set expandtab
     set shiftwidth=2
     set tabstop=2
     set smartindent
     set smarttab
     set ruler
     set undolevels=1000
     set nocompatible
     set backspace=indent,eol,start
     " Turn on syntax highlighting by default
     syntax on
     " ...
     '';
    }
  )
  ];
  networking.firewall.allowedTCPPorts = [ 80 22 3100 ];
  # system.copySystemConfiguration = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.05"; # Did you read the comment?
 }
--- a/hosts/chapel/services/cloudflared.nix
+++ b/hosts/chapel/services/cloudflared.nix
@@ -1,24 +0,0 @@
 { config, pkgs, ... }:
 {
  users.users.cloudflared = {
    group = "cloudflared";
    isSystemUser = true;
  };
  users.groups.cloudflared = { };
  environment.systemPackages = [
    pkgs.cloudflared
  ];
  systemd.services.cloudflared_tunnel = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token=TODO_FIXSECRETS";
      Restart = "always";
      User = "cloudflared";
      Group = "cloudflared";
    };
  };
 }
--- a/hosts/chapel/services/hedgedoc.nix
+++ b/hosts/chapel/services/hedgedoc.nix
@@ -1,22 +0,0 @@
 { config, pkgs, ... }:
 {
  services.hedgedoc = {
    enable = true;
    settings = {
      port = 3031;
      allowFreeURL = true;
    };
    config = {
      domain = "md.feal.no";
      db = {
        dialect = "mysql";
        host = "mysql.home.feal.no";
        port = 3306;
        database = "hedgedoc";
        username = "hedgedoc";
        password = "DummyPasswordPlzSops";
      };
    };
  };
 }
--- a/hosts/chapel/services/metrics/dashboards/node-exporter-full.json
+++ b/hosts/chapel/services/metrics/dashboards/node-exporter-full.json
--- a/hosts/chapel/services/metrics/dashboards/openwrt.json
+++ b/hosts/chapel/services/metrics/dashboards/openwrt.json
--- a/hosts/chapel/services/metrics/dashboards/synology-nas-details.json
+++ b/hosts/chapel/services/metrics/dashboards/synology-nas-details.json
--- a/hosts/chapel/services/metrics/grafana.nix
+++ b/hosts/chapel/services/metrics/grafana.nix
@@ -1,64 +0,0 @@
 { config, pkgs, ... }:
 let
  cfg = config.services.grafana;
 in {
  services.grafana = {
    enable = true;
    settings.server = {
      domain = "grafana.feal.no";
      http_port = 2342;
      http_addr = "127.0.0.1";
    };
    provision = {
      enable = true;
      datasources.settings.datasources = [
        {
          name = "Prometheus";
          type = "prometheus";
          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
         isDefault = true;
        }
        {
          name = "Loki";
          type = "loki";
          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
        }
      ];
      dashboards.settings.providers = [
        {
          name = "Node Exporter Full";
          type = "file";
          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
          options.path = dashboards/node-exporter-full.json;
        }
        {
          name = "Synology NAS Details";
          type = "file";
          url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
          options.path = dashboards/synology-nas-details.json;
        }
        {
          name = "OpenWRT";
          type = "file";
          url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
          options.path = dashboards/openwrt.json;
        }
      ];
    };
  };
  services.nginx.virtualHosts.${cfg.settings.server.domain} = {
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_buffers 8 1024k;
          proxy_buffer_size 1024k;
        '';
      };
    };
  };
 }
--- a/hosts/chapel/services/metrics/loki.nix
+++ b/hosts/chapel/services/metrics/loki.nix
@@ -1,75 +0,0 @@
 { config, pkgs, ... }:
 let
  cfg = config.services.loki;
 in {
  services.loki = {
    enable = true;
    configuration = {
      auth_enabled = false;
      server = {
        http_listen_port = 3100;
        http_listen_address = "0.0.0.0";
        grpc_listen_port = 9096;
      };
      ingester = {
        wal = {
          enabled = true;
          dir = "/var/lib/loki/wal";
        };
        lifecycler = {
          address = "127.0.0.1";
          ring = {
            kvstore = {
              store = "inmemory";
            };
            replication_factor = 1;
          };
          final_sleep = "0s";
        };
        chunk_idle_period = "1h";
      };
      schema_config = {
        configs = [
          {
            from = "2022-12-01";
            store = "boltdb-shipper";
            object_store = "filesystem";
            schema = "v11";
            index = {
              prefix = "index_";
              period = "24h";
            };
          }
        ];
      };
      storage_config = {
        boltdb_shipper = {
          active_index_directory = "/var/lib/loki/boltdb-shipper-index";
          cache_location = "/var/lib/loki/boltdb-shipper-cache";
          shared_store = "filesystem";
          cache_ttl = "24h";
        };
        filesystem = {
          directory = "/var/lib/loki/chunks";
        };
      };
      limits_config = {
        enforce_metric_name = false;
        reject_old_samples = true;
        reject_old_samples_max_age = "72h";
      };
      compactor = {
        working_directory = "/var/lib/loki/compactor";
        shared_store = "filesystem";
      };
    };
  };
  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
 }
--- a/hosts/chapel/services/metrics/snmp-exporter.nix
+++ b/hosts/chapel/services/metrics/snmp-exporter.nix
@@ -1,20 +0,0 @@
 { config, pkgs, ... }:
 {
  environment.systemPackages = [
    pkgs.prometheus-snmp-exporter
  ];
  systemd.services.prometheus-snmp-exporter = {
    enable = true;
    description = "Gather data from SNMP devices and expose them as Prometheus metrics";
    unitConfig = {
      Type = "simple";
    };
    serviceConfig = {
      ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/var/prometheus/snmp.yml'";
      # TODO: Fix this conf file!
    };
    wantedBy = [ "multi-user.target" ];
  };
 }
--- a/hosts/chapel/services/nginx.nix
+++ b/hosts/chapel/services/nginx.nix
@@ -1,11 +0,0 @@
 { config, pkgs, ... }:
 {
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };
 }
--- a/hosts/defiant/backup.nix
+++ b/hosts/defiant/backup.nix
@@ -0,0 +1,50 @@
 { config, pkgs, lib, ... }:
 {
  services.restic.backups = let
    localJob = name: paths: {
      inherit paths;
      repository = "/mnt/feal-syn1/backup/defiant/${name}";
      passwordFile = config.sops.secrets."restic/${name}".path;
      initialize = true;
      pruneOpts = [
        "--keep-daily 3"
        "--keep-weekly 4"
        "--keep-monthly 3"
      ];
    };
    cloudJob = name: paths: {
      inherit paths;
      # "rsyncnet" connection details specified in /root/.ssh/config
      repository = "sftp://rsyncnet/restic/defiant/${name}";
      passwordFile = config.sops.secrets."restic/${name}".path;
      initialize = true;
      pruneOpts = [
        # rsync.net keeps daily snapshots
        "--keep-weekly 4"
        "--keep-monthly 36"
      ];
    };
  in {
    postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
    };
    postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
    };
    gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
    gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
    matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
    matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
    vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
    vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
  };
  # TODO: home-assistant, pihole
  sops.secrets."restic/postgres" = { };
  sops.secrets."restic/gitea" = { };
  sops.secrets."restic/matrix-synapse" = { };
  sops.secrets."restic/vaultwarden" = { };
 }
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -0,0 +1,54 @@
 { config, pkgs, ... }:
 {
  imports =
    [
      ../../base.nix
      ../../common/metrics-exporters.nix
      ./filesystems.nix
      ./hardware-configuration.nix
      # Infrastructure
      ./backup.nix
      ./libvirt.nix
      ./services/dyndns.nix
      ./services/nginx.nix
      ./services/pihole.nix
      ./services/postgresql.nix
      ./services/wireguard.nix
      # Services
      ./services/gitea.nix
      ./services/hedgedoc.nix
      ./services/home-assistant.nix
      ./services/keycloak.nix
      ./services/matrix
      ./services/microbin.nix
      # ./services/minecraft/home.nix
      ./services/monitoring
      # ./services/rtl-tcp.nix
      # ./services/searx.nix
      ./services/vaultwarden.nix
  ];
  networking = {
    hostName = "defiant";
    defaultGateway = "192.168.10.1";
    interfaces.enp3s0.ipv4 = {
      addresses = [
        { address = "192.168.10.175"; prefixLength = 24; } # Main IP for defiant, internal
      ];
    };
    hostId = "8e84f235";
  };
  sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
  environment.variables = { EDITOR = "vim"; };
  virtualisation.docker.enable = true;
  virtualisation.oci-containers.backend = "docker";
  system.stateVersion = "23.11";
 }
--- a/hosts/defiant/filesystems.nix
+++ b/hosts/defiant/filesystems.nix
@@ -0,0 +1,30 @@
 { config, pkgs, lib, ... }:
 {
  # Boot drives are defined in ./hardware-configuration.nix
  boot = {
    zfs.extraPools = [ "tank" ];
    supportedFilesystems = [ "zfs" ];
  };
  services.prometheus.exporters.zfs.enable = true;
  environment.systemPackages = with pkgs; [
    cifs-utils
    zfs
  ];
  fileSystems = {
    "/mnt/feal-syn1/backup" = {
      device = "192.168.10.162:/volume2/backup";
      fsType = "nfs";
      options = [
        "defaults"
        "noatime"
        "rw"
        "nfsvers=3"
        "x-systemd.automount"
        "noauto"
      ];
    };
  };
 }
--- a/hosts/defiant/hardware-configuration.nix
+++ b/hosts/defiant/hardware-configuration.nix
@@ -0,0 +1,36 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/DDDC-5C0C";
    fsType = "vfat";
  };
  swapDevices = [ {
      device = "/swapfile";
      size = 8*1024;
  } ];
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/defiant/home.nix
+++ b/hosts/defiant/home.nix
@@ -0,0 +1,13 @@
 { pkgs, lib, ... }:
 {
  imports = [
    ./../../home/base.nix
  ];
  programs = {
    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
  };
  home.stateVersion = "23.05";
 }
--- a/hosts/defiant/libvirt.nix
+++ b/hosts/defiant/libvirt.nix
@@ -0,0 +1,18 @@
 { config, pkgs, lib, ... }:
 {
  virtualisation.libvirtd.enable = true;
  programs.dconf.enable = true;
  boot.extraModprobeConfig = "options kvm_amd nested=1";
  boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
  users.users.felixalb.extraGroups = [ "libvirtd" ];
  fileSystems."/var/lib/libvirt/images" = {
    device = "/tank/iso";
    options = [ "bind" ];
  };
  # On a gui-enabled machine, connect with:
  # $ virt-manager --connect "qemu+ssh://defiant/system?socket=/var/run/libvirt/libvirt-sock"
 }
--- a/hosts/defiant/services/dyndns.nix
+++ b/hosts/defiant/services/dyndns.nix
@@ -0,0 +1,11 @@
 { config, pkgs, lib, ... }:
 {
  sops.secrets."domeneshop/netrc" = { };
  services.domeneshop-dyndns = {
    enable = true;
    domain = "site3.feal.no";
    netrcFile = config.sops.secrets."domeneshop/netrc".path;
  };
 }
--- a/hosts/defiant/services/gitea.nix
+++ b/hosts/defiant/services/gitea.nix
@@ -1,36 +1,41 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
  cfg = config.services.gitea;
  domain = "git.feal.no";
  httpPort = 3004;
  sshPort = 2222;
 in {
    services.gitea = {
      enable = true;
      package = pkgs.unstable.gitea;
      appName = "felixalbs Gitea";
-      database = {
+      database.type = "postgres";
-        type = "postgres";
+      stateDir = "/tank/services/gitea";
      };
      settings = {
        server = {
-          LANDING_PAGE=''"/felixalb"'';
+          # Serve on local unix socket, exposed in hosts/defiant/services/nginx.nix
-          HTTP_PORT = httpPort;
+          PROTOCOL = "http+unix";
          DOMAIN = domain;
          ROOT_URL = "https://${domain}";
          LANDING_PAGE=''"/felixalb"'';
          SSH_PORT = sshPort;
          SSH_LISTEN_PORT = sshPort;
          START_SSH_SERVER = true;
          BUILTIN_SSH_SERVER_USER = "git";
        };
        service.DISABLE_REGISTRATION = true;
        session.COOKIE_SECURE = true;
        packages.ENABLED = false;
        packages.CHUNKED_UPLOAD_PATH = "${cfg.stateDir}/tmp/package-upload";
        oauth2_client = {
          ENABLE_AUTO_REGISTRATION = true;
          OPENID_CONNECT_SCOPES = "email profile openid";
          UPDATE_AVATAR = true;
          ACCOUNT_LINKING = "auto";
          USERNAME = "email";
        };
        log.LEVEL = "Info";
@@ -39,14 +44,16 @@ in {
        ui = {
          THEMES="gitea,arc-green,nord";
-          DEFAULT_THEME="nord";
+          #DEFAULT_THEME="nord";
        };
      };
-      # TODO:
+      # TODO: configure mailer
      # - dump (automatic backups)
      # - configure mailer
    };
-    networking.firewall.allowedTCPPorts = [ httpPort ];
+    systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";
    services.postgresqlBackup.databases = [ "gitea" ];
    networking.firewall.allowedTCPPorts = [ sshPort ];
 }
--- a/hosts/defiant/services/hedgedoc.nix
+++ b/hosts/defiant/services/hedgedoc.nix
@@ -0,0 +1,120 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.hedgedoc.settings;
  domain = "md.feal.no";
  port = 3300;
  host = "127.0.1.2";
  authServerUrl = "https://iam.feal.no";
 in {
  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
  sops.secrets."hedgedoc/env" = {
    restartUnits = [ "hedgedoc.service" ];
  };
  services.hedgedoc = {
    enable = true;
    environmentFile = config.sops.secrets."hedgedoc/env".path;
    settings = {
      inherit domain port host;
      protocolUseSSL = true;
      sessionSecret = "$CMD_SESSION_SECRET";
      allowFreeURL = true;
      allowAnonymous = false;
      allowAnonymousEdits = true;
      db = {
        username = "hedgedoc";
        database = "hedgedoc";
        host = "/run/postgresql";
        dialect = "postgresql";
      };
      email = false;
      oauth2 = let
        oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect";
      in {
        providerName = "Keycloak";
        authorizationURL = "${oidc}/auth";
        baseURL = "${authServerUrl}";
        tokenURL = "${oidc}/token";
        userProfileURL = "${oidc}/userinfo";
        clientID = "hedgedoc";
        clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
        scope = "openid email profile";
        userProfileDisplayNameAttr = "name";
        userProfileEmailAttr = "email";
        userProfileUsernameAttr = "preferred_username";
        rolesClaim = "hedgedoc-roles";
        accessRole = "hedgedoc-user";
      };
    };
  };
  systemd.services.hedgedoc = {
    requires = [
      "postgresql.service"
    ];
    serviceConfig = let
      workDir = "/var/lib/hedgedoc";
    in {
      WorkingDirectory = lib.mkForce workDir;
      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
      # Better safe than sorry :)
      CapabilityBoundingSet = "";
      LockPersonality = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ReadWritePaths = [ workDir ];
      RemoveIPC = true;
      RestrictSUIDSGID = true;
      UMask = "0007";
      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
      SystemCallArchitectures = "native";
      # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
    };
  };
  services.postgresql = {
    ensureDatabases = [ "hedgedoc" ];
    ensureUsers = [{
      name = "hedgedoc";
      ensureDBOwnership = true;
    }];
  };
  services.postgresqlBackup.databases = [ "hedgedoc" ];
  services.nginx.virtualHosts."${domain}" = {
    listen = [
      { addr = "192.168.10.175"; port = 43443; ssl = true; }
      { addr = "192.168.10.175"; port = 43080; ssl = false; }
    ];
    enableACME = true;
    forceSSL = true;
    locations = {
      "/" = {
        proxyPass = "http://${host}:${toString port}";
      };
      "/socket.io" = {
        proxyPass = "http://${host}:${toString port}";
        proxyWebsockets = true;
      };
    };
  };
 }
--- a/hosts/defiant/services/home-assistant.nix
+++ b/hosts/defiant/services/home-assistant.nix
@@ -0,0 +1,41 @@
 { config, pkgs, lib, ... }:
 let
  domain = "ha.home.feal.no";
 in {
  # Home-assistant - Smart Home Controller
  # https://www.home-assistant.io/installation/linux#install-home-assistant-container
  # The container is supposed to run as "privileged", but I believe this is only to allow device access (dongles/radios/etc.)
  virtualisation.oci-containers.containers = {
    homeassistant = {
      image = "ghcr.io/home-assistant/home-assistant:2025.5.3";
      extraOptions = [
        "--network=host"
        "--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB
      ];
      volumes = [
        "/tank/services/homeassistant/config:/config"
      ];
      environment = {
        TZ = "Europe/Oslo";
      };
    };
  };
  # Requires addition to configuration.yaml:
  #  http:
  #    server_host: 127.0.0.1
  #    use_x_forwarded_for: true
  #    trusted_proxies: 127.0.0.1
  services.nginx.virtualHosts."${domain}" = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:8123";
      proxyWebsockets = true;
    };
    listen = [
      { addr = "192.168.10.175"; port = 80; ssl = false; }
      { addr = "192.168.10.175"; port = 8123; ssl = false; }
    ];
  };
 }
--- a/hosts/defiant/services/keycloak.nix
+++ b/hosts/defiant/services/keycloak.nix
@@ -0,0 +1,33 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.keycloak.settings;
  hostname = "iam.feal.no";
 in {
  sops.secrets."keycloak/postgres" = { };
  services.keycloak = {
    enable = true;
    database = {
      type = "postgresql";
      createLocally = true;
      username = "keycloak";
      passwordFile = config.sops.secrets."keycloak/postgres".path;
    };
    settings = {
      cache = "local";
      hostname = "https://${hostname}";
      hostname-backchannel-dynamic = false;
      http-enabled = true;
      http-host = "127.0.1.2";
      http-port = 5060;
      proxy-headers = "xforwarded";
    };
  };
  # The main reverse proxy is defined in ./nginx.nix
  services.nginx.virtualHosts.${hostname} = {
    locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
  };
 }
--- a/hosts/defiant/services/matrix/admin.nix
+++ b/hosts/defiant/services/matrix/admin.nix
@@ -0,0 +1,14 @@
 { config, pkgs, lib, ... }:
 let
  domain = "matrix-admin.home.feal.no";
  # backend = "http://127.0.0.1:8008";
  backend = "http://unix:/run/matrix-synapse/matrix-synapse.sock";
  synapse-admin = pkgs.callPackage ./adminPkg.nix { };
 in {
  services.nginx.virtualHosts."${domain}" = {
    locations."/".root = "${synapse-admin}";
    locations."/_synapse".proxyPass = "${backend}";
    locations."/_matrix".proxyPass = "${backend}";
  };
 }
--- a/hosts/defiant/services/matrix/adminPkg.nix
+++ b/hosts/defiant/services/matrix/adminPkg.nix
@@ -0,0 +1,14 @@
 { lib, stdenvNoCC, fetchzip }:
 stdenvNoCC.mkDerivation rec {
  name = "synapse-admin";
  version = "0.8.7";
  src = fetchzip {
    url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/${version}/synapse-admin-${version}-dirty.tar.gz";
    hash = "sha256-maaiU9ilmzE5lV9Ofjpli4g08/UcgZ82FaIMRrfOy7s=";
  };
  phases = [ "installPhase" ];
  installPhase = ''
    cp -r $src $out
  '';
 }
--- a/hosts/defiant/services/matrix/default.nix
+++ b/hosts/defiant/services/matrix/default.nix
@@ -0,0 +1,8 @@
 { ... }:
 {
  imports = [
    ./synapse.nix
    ./admin.nix
  ];
 }
--- a/hosts/defiant/services/matrix/synapse.nix
+++ b/hosts/defiant/services/matrix/synapse.nix
@@ -1,7 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
  main_ip = "127.0.1.2";
 in
 {
  sops.secrets."matrix/synapse/registrationsecret" = {
    restartUnits = [ "matrix-synapse.service" ];
@@ -9,9 +6,24 @@ in
    group = "matrix-synapse";
  };
-  services.matrix-synapse = {
+  sops.secrets."matrix/synapse/oidcsecret" = {
    restartUnits = [ "matrix-synapse.service" ];
    owner = "matrix-synapse";
    group = "matrix-synapse";
  };
  services.matrix-synapse-next = {
    enable = true;
-    package = pkgs.matrix-synapse;
+    enableNginx = true;
    workers = {
      federationSenders = 1;
      federationReceivers = 2;
      initialSyncers = 1;
      normalSyncers = 1;
      eventPersisters = 1;
      useUserDirectoryWorker = true;
    };
    extraConfigFiles = [
      config.sops.secrets."matrix/synapse/registrationsecret".path
@@ -63,42 +75,39 @@ in
      tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
      tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
-      listeners = [
+      enableSlidingSync = true;
-        { port = 8008;
+
-          bind_addresses = [ main_ip ];
+      oidc_providers = [
-          type = "http";
+        {
-          tls = false;
+          idp_id = "keycloak";
-          x_forwarded = true;
+          idp_name = "Keycloak";
-          resources = [
+          issuer = "https://iam.feal.no/realms/feal.no";
-            { names = [ "client" ]; compress = true; }
+          client_id = "matrix-synapse";
-            { names = [ "federation" ]; compress = true; }
+          client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
-          ];
+          user_mapping_provider.config = {
            localpart_template = "{{ user.preferred_username }}";
            display_name_template = "{{ user.name }}";
          };
          attribute_requirements = [{
            attribute = "matrix-roles";
            value = "matrix-user";
          }];
          backchannel_logout_enabled = true;
          enable_registration = false;
        }
      ];
    };
  };
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  services.redis.servers."".enable = true;
-  services.nginx = {
+  services.postgresqlBackup.databases = [ "matrix-synapse" ];
    enable = true;
    enableReload = true;
-    recommendedOptimisation = true;
+  services.nginx.virtualHosts."matrix.feal.no" = {
-    recommendedGzipSettings = true;
+    listen = [
-    recommendedProxySettings = true;
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
-
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
-    virtualHosts."matrix.feal.no" = {
+    ];
      locations."/_matrix" = {
        proxyPass = "http://${main_ip}:8008";
        extraConfig = ''
          client_max_body_size 50M;
        '';
      };
      # locations."/_synapse/client".proxyPass = "http://${main_ip}:8008";
      locations."/" = {
        proxyPass = "http://${main_ip}:8008";
      };
    };
  };
 }
--- a/hosts/defiant/services/microbin.nix
+++ b/hosts/defiant/services/microbin.nix
@@ -0,0 +1,41 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.microbin;
  domain = "p.feal.no";
  address = "127.0.1.2";
  port = 5006;
 in {
  services.microbin = {
    enable = true;
    passwordFile = config.sops.secrets."microbin/secrets".path;
    settings = {
      MICROBIN_BIND = address;
      MICROBIN_DISABLE_TELEMETRY = true;
      MICROBIN_ENABLE_BURN_AFTER = true;
      MICROBIN_FOOTER_TEXT = "Be nice or go away";
      MICROBIN_NO_FILE_UPLOAD = true;
      MICROBIN_NO_LISTING = true;
      MICROBIN_PORT = port;
      MICROBIN_PUBLIC_PATH = "https://${domain}/";
      MICROBIN_QR = true;
      MICROBIN_TITLE = "Temporary pasta collection";
    };
  };
  sops.secrets."microbin/secrets" = { };
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    listen = [
      { addr = "192.168.10.175"; port = 43443; ssl = true; }
      { addr = "192.168.10.175"; port = 43080; ssl = false; }
    ];
    locations."/" = {
      proxyPass = "http://${address}:${toString port}";
    };
  };
 }
--- a/hosts/defiant/services/minecraft/home.nix
+++ b/hosts/defiant/services/minecraft/home.nix
@@ -0,0 +1,50 @@
 { config, pkgs, lib, inputs, ... }:
 {
  imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
  nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
  services.minecraft-servers = {
    enable = true;
    eula = true;
    openFirewall = true;
    dataDir = "/var/lib/minecraft-server";
    servers.home = {
      enable = true;
      jvmOpts = "-Xms4G -Xmx4G";
      package = pkgs.fabricServers.fabric-1_21_4;
      serverProperties = {
        motd = "Home <3";
        difficulty = "easy";
        view-distance = 16;
        simulation-distance = 16;
        enable-command-block = true;
        enable-rcon = true;
        online-mode = false;
        "rcon.password" = "wack";
      };
      symlinks = {
        mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
          FabricAPI = pkgs.fetchurl {
            url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
            sha256 = "sha256-nL1bcAaMW0tRCpfW0prd3mce14ZNcl7pAUabVXAQfWs=";
          };
          Lithium = pkgs.fetchurl {
            url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/zVOQw7YU/lithium-fabric-0.14.6%2Bmc1.21.4.jar";
            sha256 = "sha256-iF4hy+3XVJP7Fv6R2dsrYq6Ct0MQJLX4/4Yh5WEJm90=";
          };
        });
      };
    };
  };
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "minecraft-server"
  ];
  networking.firewall.allowedUDPPorts = [ 24454 ];
 }
--- a/hosts/defiant/services/minecraft/wack.nix
+++ b/hosts/defiant/services/minecraft/wack.nix
@@ -0,0 +1,70 @@
 { config, pkgs, lib, inputs, ... }:
 {
  imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
  nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
  services.minecraft-servers = {
    enable = true;
    eula = true;
    openFirewall = true;
    dataDir = "/var/lib/minecraft-wack";
    servers.wack = {
      enable = true;
      jvmOpts = "-Xms4G -Xmx4G";
      package = pkgs.fabricServers.fabric-1_20_4;
      serverProperties = {
        motd = "WackAttack M1n3cr4f7";
        white-list = true;
        difficulty = "normal";
        view-distance = 16;
        simulation-distance = 16;
        enable-command-block = true;
        enable-rcon = true;
        "rcon.password" = "wack";
      };
      symlinks = {
        mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
          FabricAPI = pkgs.fetchurl {
            url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/JMCwDuki/fabric-api-0.92.0%2B1.20.4.jar";
            sha256 = "sha256-7U0BK5CBENWY4s3t+dXTASprIeY4Tdeyzc06lNGkc/Q=";
          };
          Lithium = pkgs.fetchurl {
            url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/nMhjKWVE/lithium-fabric-mc1.20.4-0.12.1.jar";
            sha256 = "sha256-as1JWV7mnhJkz8eYmPVpRS5BvWaYVGf8s40oBBka880=";
          };
          MCDiscordChat = pkgs.fetchurl {
            url = "https://cdn.modrinth.com/data/D0sHdnXY/versions/tldGNWOW/MC-Discord-Chat-2.2.5.jar";
            sha256 = "sha256-WK02gRNbTjbjQSIlWHP4aBSeGTZxtXwwbqt9fa7AJTA=";
          };
          SimpleVoiceChat = pkgs.fetchurl {
            url = "https://cdn.modrinth.com/data/9eGKb6K1/versions/UIZXn9t1/voicechat-fabric-1.20.4-2.4.32.jar";
            sha256 = "sha256-BZMK7Y8uaw1MvtQC1MXblsaaHy100a59KxSs4P0fjXE=";
          };
        });
      };
      whitelist = {
        "_Oblivion" = "289be565-d73e-4cb1-a047-dcc319acdc80";
        Crisju = "8b77dc43-27ba-4710-bbfd-4e01e6ec7461";
        Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
        Evaraknes = "a6adfad8-6c3b-4a0d-912e-d84a0caa1caa";
        Taschmex = "a3a258b0-901f-43d9-b130-dad3b29cd7ee";
        guy_montag = "cb8aa890-a5a3-41f2-9bb7-1edb20c5a31f";
        koppern = "3450494c-b945-4fa2-938c-5519adec005f";
        krloer = "ab3029e2-76b6-4219-854e-16091fe5e421";
        tictac1255 = "bab1f702-0e8b-4b98-8cce-bbfaed534d13";
      };
    };
  };
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "minecraft-server"
  ];
  networking.firewall.allowedUDPPorts = [ 24454 ];
 }
--- a/hosts/defiant/services/monitoring/dashboards/node-exporter-full.json
+++ b/hosts/defiant/services/monitoring/dashboards/node-exporter-full.json
--- a/hosts/defiant/services/monitoring/dashboards/synology-nas-details.json
+++ b/hosts/defiant/services/monitoring/dashboards/synology-nas-details.json
--- a/hosts/defiant/services/monitoring/default.nix
+++ b/hosts/defiant/services/monitoring/default.nix
@@ -6,5 +6,6 @@
    ./grafana.nix
    ./loki.nix
    ./snmp-exporter.nix
    ./uptime-kuma.nix
  ];
 }
--- a/hosts/defiant/services/monitoring/grafana.nix
+++ b/hosts/defiant/services/monitoring/grafana.nix
@@ -5,6 +5,10 @@ let
 in {
  services.grafana = {
    enable = true;
    dataDir = "/tank/services/metrics/grafana";
    # TODO: Migrate sqlite to postgres
    settings.server = {
      domain = "grafana.home.feal.no";
      http_port = 2342;
@@ -40,12 +44,6 @@ in {
          url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
          options.path = dashboards/synology-nas-details.json;
        }
        {
          name = "OpenWRT";
          type = "file";
          url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
          options.path = dashboards/openwrt.json;
        }
      ];
    };
  };
--- a/hosts/defiant/services/monitoring/loki.nix
+++ b/hosts/defiant/services/monitoring/loki.nix
@@ -1,10 +1,11 @@
 { config, pkgs, ... }:
 let
  cfg = config.services.loki;
-  saveDirectory = "/tank/var/lib/loki";
+  saveDirectory = "/tank/services/metrics/loki";
 in {
  services.loki = {
    enable = true;
    dataDir = saveDirectory;
    configuration = {
      auth_enabled = false;
      server = {
@@ -50,7 +51,6 @@ in {
        boltdb_shipper = {
          active_index_directory = "${saveDirectory}/boltdb-shipper-index";
          cache_location = "${saveDirectory}/boltdb-shipper-cache";
          shared_store = "filesystem";
          cache_ttl = "24h";
        };
        filesystem = {
@@ -59,17 +59,18 @@ in {
      };
      limits_config = {
-        enforce_metric_name = false;
+        allow_structured_metadata = false;
        reject_old_samples = true;
        reject_old_samples_max_age = "72h";
      };
      compactor = {
        working_directory = "${saveDirectory}/compactor";
        shared_store = "filesystem";
      };
    };
  };
-  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
+  networking.firewall.allowedTCPPorts = [
    cfg.configuration.server.http_listen_port
  ];
 }
--- a/hosts/defiant/services/monitoring/prometheus.nix
+++ b/hosts/defiant/services/monitoring/prometheus.nix
@@ -8,28 +8,25 @@ in {
    listenAddress = "127.0.0.1";
    port = 9001;
    # StateDirectory must be under /var/lib.
    # TODO: Back up to /tank/services/metrics/prometheus
    scrapeConfigs = [
      {
        job_name = "node";
        static_configs = [
          {
            targets = [
-              "chapel.home.feal.no:${toString cfg.exporters.node.port}"
+              "challenger.home.feal.no:9100"
-              "sulu.home.feal.no:9100"
+              "defiant.home.feal.no:9100"
-              "mccoy.home.feal.no:9100"
+              "leonard.home.feal.no:9100"
-              "borg.home.feal.no:9100"
+              "morn.home.feal.no:9100"
-              "troi.home.feal.no:9100"
+              "scotty.home.feal.no:9100"
-              "dlink-feal.home.feal.no:9100"
+              "sisko.home.feal.no:9100"
            ];
          }
        ];
      }
      {
        job_name = "openwrt";
        static_configs = [
          { targets = ["dlink-feal.home.feal.no:9100"]; }
        ];
      }
      {
        job_name = "snmp";
        static_configs = [{
--- a/hosts/defiant/services/monitoring/snmp-exporter-conf.yml
+++ b/hosts/defiant/services/monitoring/snmp-exporter-conf.yml
--- a/hosts/defiant/services/monitoring/snmp-exporter.nix
+++ b/hosts/defiant/services/monitoring/snmp-exporter.nix
@@ -0,0 +1,12 @@
 { config, pkgs, ... }:
 {
  services.prometheus.exporters.snmp = {
    enable = true;
    configurationPath = ./snmp-exporter-conf.yml;
    # snmp.yml is built from
    # https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml
    # and
    # https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
  };
 }
--- a/hosts/defiant/services/monitoring/uptime-kuma.nix
+++ b/hosts/defiant/services/monitoring/uptime-kuma.nix
@@ -0,0 +1,16 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.uptime-kuma;
 in {
  services.uptime-kuma = {
    enable = true;
    settings = {
      PORT = "5059";
      HOST = "127.0.1.2";
    };
  };
  services.nginx.virtualHosts."uptime.home.feal.no" = {
    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
  };
 }
--- a/hosts/defiant/services/nginx.nix
+++ b/hosts/defiant/services/nginx.nix
@@ -0,0 +1,73 @@
 { config, values, ... }:
 let
  gitea = config.services.gitea.settings;
  keycloak = config.services.keycloak.settings;
 in {
  services.nginx = {
    enable = true;
    enableReload = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    defaultListen = [
      {
        addr = "192.168.10.175";
        port = 80;
        ssl = false;
      }
    ];
  };
  networking.firewall.allowedTCPPorts = [
       80   443 # Internal / Default
    43080 43443 # External / Publicly exposed
  ];
  security.acme = {
    acceptTerms = true;
    defaults.email = "felix@albrigtsen.it";
  };
  # Publicly exposed services:
  services.nginx.virtualHosts = let
    publicProxy = upstream: overrides: {
      listen = [
        { addr = "192.168.10.175"; port = 43443; ssl = true; }
        { addr = "192.168.10.175"; port = 43080; ssl = false; }
      ];
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "${upstream}";
      extraConfig = ''
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        server_tokens off;
      '';
    } // overrides;
  in {
    "amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
    "cloud.feal.no" = publicProxy "" {
      locations."/" = {
        proxyPass = "http://challenger.home.feal.no";
        extraConfig = ''
          client_max_body_size 8G;
        '';
      };
    };
    "feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
    "git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
    "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
    "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
    "kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
    "wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
  };
 }
--- a/hosts/defiant/services/pihole.nix
+++ b/hosts/defiant/services/pihole.nix
@@ -0,0 +1,41 @@
 { config, pkgs, lib, ... }:
 let
  domain = "pihole.home.feal.no";
  dnsHost = "192.168.10.175";
  webuiListen = "127.0.1.2:5053";
 in {
  # Flame - Homelab dashboard/linktree
  virtualisation.oci-containers.containers = {
    pihole = {
      image = "pihole/pihole";
      ports = [
        "${dnsHost}:53:53/tcp"
        "${dnsHost}:53:53/udp"
        "${webuiListen}:80"
      ];
      environment.TZ = "Europe/Oslo";
      volumes = [
        "/var/lib/pihole/etc:/etc/pihole"
        "/var/lib/pihole/dnsmasq:/etc/dnsmasq.d"
      ];
    };
  };
  services.nginx.virtualHosts."${domain}" = {
    locations."/" = {
      proxyPass = "http://${webuiListen}";
      extraConfig = ''
        rewrite /(.*) /admin/$1 break;
      '';
    };
    locations."/admin" = {
      extraConfig = ''
            rewrite  ^/admin/(.*) $scheme://${domain}/$1 break;
      '';
    };
  };
 }
--- a/hosts/defiant/services/postgresql.nix
+++ b/hosts/defiant/services/postgresql.nix
@@ -0,0 +1,25 @@
 { config, pkgs, lib, ... }:
 {
  services.postgresql = {
    enable = true;
    enableTCPIP = true;
    authentication = ''
      host all all 172.16.0.0/12 md5
    '';
  };
  services.postgresqlBackup = {
    enable = true;
    location = "/tank/backup/postgresql";
    startAt = "*-*-* 03:15:00";
    # Each service is registered in its own configuration file
    databases = [ ];
  };
  # Docker containers on this host can reach postgres
  networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
  environment.systemPackages = [ config.services.postgresql.package ];
 }
--- a/hosts/defiant/services/rtl-tcp.nix
+++ b/hosts/defiant/services/rtl-tcp.nix
@@ -0,0 +1,14 @@
 { config, pkgs, lib, ... }:
 let
  port = 1457;
 in {
  hardware.rtl-sdr.enable = true;
  systemd.services.rtl-tcp = {
    script = "${pkgs.rtl-sdr}/bin/rtl_tcp -a 0.0.0.0 -p ${toString port} -s 2000000 -T";
    serviceConfig = {
      Group = "plugdev";
    };
  };
  networking.firewall.allowedTCPPorts = [ port ];
 }
--- a/hosts/defiant/services/searx.nix
+++ b/hosts/defiant/services/searx.nix
@@ -0,0 +1,39 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.searx;
  domain = "search.home.feal.no";
 in {
  services.searx = {
    enable = true;
    environmentFile = config.sops.secrets."searx/envfile".path;
    settings = {
      server = {
        secret_key = "@SEARX_SECRET_KEY@";
        base_url = "http://${domain}";
      };
    };
    runInUwsgi = true;
    uwsgiConfig = {
      socket = "/run/searx/searx.sock";
      chmod-socket = "660";
    };
    redisCreateLocally = true;
  };
  sops.secrets."searx/envfile" = {
    owner = "searx";
    group = "searx";
  };
  users.groups."searx".members = [ "nginx" ];
  services.nginx.virtualHosts."${domain}" = {
    locations."/".extraConfig = ''
      include ${config.services.nginx.package}/conf/uwsgi_params;
      uwsgi_pass unix:${cfg.uwsgiConfig.socket};
    '';
  };
 }
--- a/hosts/defiant/services/vaultwarden.nix
+++ b/hosts/defiant/services/vaultwarden.nix
@@ -2,8 +2,9 @@
 let
  cfg = config.services.vaultwarden;
  domain = "pw.feal.no";
-  address = "127.0.0.1";
+  address = "127.0.1.2";
-  port = 3011; # Note! The websocket port is left as default
+  port = 3011;
  wsPort = 3012;
 in {
  sops.secrets."vaultwarden/admintoken" = {
    owner = "vaultwarden";
@@ -19,28 +20,38 @@ in {
      rocketAddress = address;
      rocketPort = port;
      websocketEnabled = true;
-      databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
+      websocketAddress = address;
      websocketPort = wsPort;
-      signupsAllowed = false;
+      signupsAllowed = true;
-      rocketLog = "critical";
+      signupsVerify = true;
-
+      signupsDomainsWhitelist = "albrigtsen.it";
    # This example assumes a mailserver running on localhost,
    # thus without transport encryption.
    # If you use an external mail server, follow:
    #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
      /* SMTP_HOST = "127.0.0.1"; */
      /* SMTP_PORT = 25; */
      /* SMTP_SSL = false; */
      /* SMTP_FROM = "admin@bitwarden.example.com"; */
      /* SMTP_FROM_NAME = "example.com Bitwarden server"; */
      databaseUrl = "postgresql://vaultwarden@/vaultwarden";
    };
  };
  services.postgresql = {
    ensureDatabases = [ "vaultwarden" ];
    ensureUsers = [{
      name = "vaultwarden";
      ensureDBOwnership = true;
    }];
  };
  services.postgresqlBackup.databases = [ "vaultwarden" ];
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    listen = [
      { addr = "192.168.10.175"; port = 43443; ssl = true; }
      { addr = "192.168.10.175"; port = 43080; ssl = false; }
    ];
    extraConfig = ''
      client_max_body_size 128M;
    '';
@@ -49,7 +60,7 @@ in {
      proxyWebsockets = true;
    };
    locations."/notifications/hub" = {
-      proxyPass = "http://localhost:3012";
+      proxyPass = "http://${address}:${toString wsPort}";
      proxyWebsockets = true;
    };
    locations."/notifications/hub/negotiate" = {
@@ -57,13 +68,4 @@ in {
      proxyWebsockets = true;
    };
  };
  services.postgresql = {
    ensureDatabases = [ "vaultwarden" ];
    ensureUsers = [{
      name = "vaultwarden";
      ensurePermissions = {
        "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
      };
    }];
  };
 }
--- a/hosts/defiant/services/wireguard.nix
+++ b/hosts/defiant/services/wireguard.nix
@@ -0,0 +1,38 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.networking.wireguard.interfaces."wg0";
 in {
  networking = {
    nat = {
      enable = true;
      externalInterface = "enp3s0";
      internalInterfaces = [ "wg0" ];
    };
    firewall.allowedUDPPorts = [ cfg.listenPort ];
    wireguard.interfaces."wg0" = {
      ips = [ "10.100.0.1/24" ];
      listenPort = 51820;
      privateKeyFile = "/etc/wireguard/defiant.private";
      postSetup = ''
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
      '';
      postShutdown = ''
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
      '';
      peers = [
        { # Burnham
          publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
          persistentKeepalive = 60;
          allowedIPs = [
            "10.100.0.2/32"
            "192.168.11.0/24"
          ];
          #endpoint = "site2.feal.no:51902";
        }
      ] ++ (import ../../../common/wireguard-peers.nix);
    };
  };
 }
--- a/hosts/fa-t14-2025/configuration.nix
+++ b/hosts/fa-t14-2025/configuration.nix
@@ -0,0 +1,59 @@
 { config, pkgs, lib, ... }:
 {
  imports =
    [
      ../../base.nix
      ./hardware-configuration.nix
      ./desktop.nix
  ];
  networking = {
    networkmanager.enable = true;
    wireguard.enable = true;
    tempAddresses = "disabled";
    hostName = "fa-t14-2025";
    nameservers = [ "9.9.9.9" ];
    domain = "it.hime.no";
    hostId = "f458d6aa";
    search = [
      "mktv.no"
      "mktv.local"
    ];
  };
  services.openssh.openFirewall = false;
  environment.systemPackages = with pkgs; [
    inetutils
    wireguard-tools
  ];
  virtualisation.docker = {
    enable = true;
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
  };
  users.users.felixalb = {
    uid = 1000;
    openssh.authorizedKeys.keys = [ ];
    extraGroups = [ "networkmanager" ];
  };
  console.keyMap = "no";
  nixpkgs.config = {
    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
      "securecrt"
      "securefx"
    ];
  };
  system.stateVersion = "25.05";
 }
--- a/hosts/fa-t14-2025/desktop.nix
+++ b/hosts/fa-t14-2025/desktop.nix
@@ -0,0 +1,51 @@
 { config, pkgs, lib, ... }:
 {
  hardware.graphics.enable = true;
  services.xserver = {
    enable = true;
    xkb = {
      options = "ctrl:nocaps";
      layout = "no";
    };
  };
  services.displayManager.ly.enable = true;
  services.gnome.gnome-keyring.enable = true;
  programs.hyprland = {
    enable = true;
    xwayland.enable = true;
  };
  # Audio
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    pulse.enable = true;
    jack.enable = true;
  };
  # Fonts
  fonts = {
    fontDir.enable = true;
    packages = with pkgs; [
      noto-fonts
      noto-fonts-color-emoji
      noto-fonts-cjk-sans
      font-awesome
      fira-code
      hack-font
      nerd-fonts.hack
    ];
  };
  # Misc:
  xdg.portal = {
    enable = true;
    wlr.enable = true;
  };
  location.provider = "geoclue2";
  security.polkit.enable = true;
  services.dbus.packages = [ pkgs.gcr ];
  services.openssh.settings.X11Forwarding = true;
  programs.nm-applet.enable = true;
 }
--- a/hosts/fa-t14-2025/hardware-configuration.nix
+++ b/hosts/fa-t14-2025/hardware-configuration.nix
@@ -0,0 +1,51 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  boot.kernelParams = [ "resume_offset=3037184" "mem_sleep_default=deep" ];
  boot.resumeDevice = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
  powerManagement.enable = true;
  services.power-profiles-daemon.enable = true;
  services.logind.lidSwitch = "suspend-then-hibernate";
  services.logind.lidSwitchDocked = "ignore";
  services.logind.powerKey = "suspend-then-hibernate";
  services.logind.powerKeyLongPress = "poweroff";
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
      fsType = "ext4";
    };
  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/3ecaedab-415c-4cce-a3a9-9f3782acb682";
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/0800-59D9";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
    swapDevices = [
      {
        device = "/var/lib/swapfile";
        size = 32*1024;
      }
    ];
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/fa-t14-2025/home.nix
+++ b/hosts/fa-t14-2025/home.nix
@@ -0,0 +1,99 @@
 { pkgs, lib, ... }:
 let
  emailAddress = "felix.albrigtsen@mktv.no";
 in {
  imports = [
    ./../../home/base.nix
    ./../../home/alacritty.nix
  ];
  home.packages = with pkgs; [
    bc
    catimg
    chromium
    dig
    element-desktop
    hunspellDicts.en_US
    hunspellDicts.nb_NO
    iperf3
    jq
    libreoffice
    mpv
    oauth2ms
    openssl
    openvpn
    pavucontrol
    pwgen
    traceroute
    virt-manager
    w3m
    nixpkgs-2211.remmina
    (unstable.microsoft-edge.overrideAttrs ({ installPhase ? "", ... }: {
      installPhase = installPhase + ''
        ln -s $out/bin/microsoft-edge $out/bin/microsoft-edge-stable
      '';
    }))
    # Window Manager Extras
    bibata-cursors
    brightnessctl
    cliphist
    hyprcursor
    hypridle
    hyprlock
    hyprpaper
    hyprshot
    nautilus
    rofi-rbw-wayland
    swaynotificationcenter
    waybar
    wl-clipboard
    (python312.withPackages (ps: with ps; [
      numpy
      pycryptodome
      requests
    ]))
  ];
  programs = {
    aerc = {
      enable = true;
      package = pkgs.aerc;
    };
    firefox.enable = true;
    git.extraConfig.user.email = emailAddress;
    rbw = {
      enable = true;
      settings = {
        base_url = "https://vault.mktv.no";
        email = emailAddress;
        pinentry = pkgs.pinentry-rofi;
      };
    };
    rofi = {
      enable = true;
      # theme = "iggy";
      theme = "Arc-Dark";
    };
    zsh = {
      shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
      prezto.pmodules = [ "ssh" ];
    };
  };
  xdg.mimeApps = {
    enable = true;
    defaultApplications = {
      "text/html" = "firefox.desktop";
      "x-scheme-handler/http" = "firefox.desktop";
      "x-scheme-handler/https" = "firefox.desktop";
      "x-scheme-handler/about" = "firefox.desktop";
      "x-scheme-handler/unknown" = "firefox.desktop";
    };
  };
  home.stateVersion = "25.05";
 }
--- a/hosts/leonard/configuration.nix
+++ b/hosts/leonard/configuration.nix
@@ -0,0 +1,53 @@
 { config, pkgs, lib, ... }:
 {
  imports =
    [
      ../../base.nix
      ../../common/metrics-exporters.nix
      ../../common/auto-upgrade.nix
      ./hardware-configuration.nix
      ./services/mysql.nix
      ./services/nginx.nix
      ./services/postgresql.nix
      ./services/wiki-wackattack-eu.nix
      ./services/www-feal-no
      ./services/www-kinealbrigtsen-no.nix
      ./services/www-amalie-mansaker-no
  ];
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  networking = {
    hostName = "leonard";
    defaultGateway = "192.168.10.1";
    interfaces.ens18.ipv4 = {
      addresses = [
        { address = "192.168.10.207"; prefixLength = 24; }
      ];
    };
    hostId = "b99c12d1";
    # Prepend the following output rules to disallow talking to other devices on LAN
    firewall.extraCommands = lib.strings.concatLines ([
      "iptables -F OUTPUT"
    ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
      "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
      "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
      "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
      "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
    ]);
  };
  sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
  environment.variables = { EDITOR = "vim"; };
  system.stateVersion = "25.05";
 }
--- a/hosts/leonard/hardware-configuration.nix
+++ b/hosts/leonard/hardware-configuration.nix
@@ -0,0 +1,24 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/4a70c1d5-9d72-4581-8f75-733b91c10669";
      fsType = "ext4";
    };
  swapDevices = [ ]; # TODO
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/leonard/home.nix
+++ b/hosts/leonard/home.nix
@@ -0,0 +1,12 @@
 { pkgs, lib, ... }:
 {
  imports = [
    ./../../home/base.nix
  ];
  programs = {
    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
  };
  home.stateVersion = "25.05";
 }
--- a/hosts/leonard/services/mysql.nix
+++ b/hosts/leonard/services/mysql.nix
@@ -0,0 +1,10 @@
 { config, pkgs, lib, ... }:
 {
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
  };
  # TODO: services.mysqlBackup
 }
--- a/hosts/voyager/services/nginx/default.nix
+++ b/hosts/voyager/services/nginx/default.nix
@@ -11,5 +11,9 @@
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  security.acme = {
    acceptTerms = true;
    defaults.email = "felix@albrigtsen.it";
  };
 }
--- a/hosts/leonard/services/postgresql.nix
+++ b/hosts/leonard/services/postgresql.nix
@@ -0,0 +1,20 @@
 { config, pkgs, lib, ... }:
 {
  services.postgresql = {
    enable = true;
    enableTCPIP = false;
    authentication = pkgs.lib.mkOverride 10 ''
      #type database  DBuser  auth-method
      local all       all     trust
    '';
  };
  services.postgresqlBackup = {
    enable = true;
    location = "/backup/postgresql/";
    startAt = "*-*-* 03:15:00";
    backupAll = true;
  };
  environment.systemPackages = [ config.services.postgresql.package ];
 }
--- a/hosts/leonard/services/wiki-wackattack-eu.nix
+++ b/hosts/leonard/services/wiki-wackattack-eu.nix
@@ -0,0 +1,38 @@
 { config, ... }:
 let
  bindIP = "127.0.1.2";
  port = 5051;
  cfg = config.services.wiki-js;
 in {
  # sops.secrets."wikijs/envfile" = {
  #   restartUnits = [ "wiki-js.service" ];
  # };
  services.wiki-js = {
    enable = true;
    # environmentFile = config.sops.secrets."wikijs/envfile".path;
    settings = {
      inherit bindIP port;
      db = {
        type = "postgres";
        host = "/run/postgresql";
        db = "wiki-js";
        user = "wiki-js";
      };
    };
  };
  services.postgresql = {
    ensureDatabases = [ "wiki-js" ];
    ensureUsers = [{
      name = "wiki-js";
      ensureDBOwnership = true;
    }];
  };
  services.nginx.virtualHosts."wiki.wackattack.eu" = {
    locations."/" = {
      proxyPass = "http://${bindIP}:${toString port}";
    };
  };
 }
--- a/hosts/leonard/services/www-amalie-mansaker-no/default.nix
+++ b/hosts/leonard/services/www-amalie-mansaker-no/default.nix
@@ -0,0 +1,11 @@
 { config, pkgs, lib, ... }:
 {
  services.nginx.virtualHosts."amalie.mansaker.no" = let
    siteContent = pkgs.callPackage ./site.nix { };
  in {
    locations = {
      "/".root = siteContent;
    };
  };
 }
--- a/hosts/leonard/services/www-amalie-mansaker-no/site.nix
+++ b/hosts/leonard/services/www-amalie-mansaker-no/site.nix
@@ -0,0 +1,26 @@
 { stdenv, fetchgit, hugo }:
 stdenv.mkDerivation {
  name = "www-amalie-mansaker-no";
  src = fetchgit {
    url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
    fetchSubmodules = true;
    rev = "58265a25b37bf2286e0704e02ab3dde56a348d8b";
    hash = "sha256-dPcv0AGjsWqDCWCjV2PeklBrWsIawLAccRQEYe3teOM=";
  };
  nativeBuildInputs = [ hugo ];
  buildPhase = ''
    cp -r $src/* .
    ${hugo}/bin/hugo
  '';
  installPhase = ''
    runHook preInstall
    mkdir -p $out
    cp -r public/* $out/
    runHook postInstall
  '';
 }
--- a/hosts/leonard/services/www-feal-no/default.nix
+++ b/hosts/leonard/services/www-feal-no/default.nix
@@ -0,0 +1,26 @@
 { config, pkgs, lib, ... }:
 {
  services.nginx.virtualHosts."feal.no" = {
    default = true;
    serverAliases = [
      "www.feal.no"
    ];
    locations = {
      # TODO: Reinstate actual website
      "/".return = "302 https://git.feal.no/";
      "^~ /.well-known/" = {
        alias = (toString ./well-known) + "/";
      };
      "/cc/" = {
        alias = "${pkgs.cyberchef}/share/cyberchef/";
        index = "index.html";
      };
      "= /cc".return = "302 /cc/";
    };
  };
 }
--- a/hosts/leonard/services/www-feal-no/well-known/matrix/client
+++ b/hosts/leonard/services/www-feal-no/well-known/matrix/client
@@ -0,0 +1,5 @@
 {
 	"m.homeserver": {
 		"base_url": "https://matrix.feal.no:443"
 	}
 }
--- a/hosts/leonard/services/www-feal-no/well-known/matrix/server
+++ b/hosts/leonard/services/www-feal-no/well-known/matrix/server
@@ -0,0 +1 @@
 {"m.server": "matrix.feal.no:443"}
--- a/hosts/leonard/services/www-kinealbrigtsen-no.nix
+++ b/hosts/leonard/services/www-kinealbrigtsen-no.nix
@@ -0,0 +1,95 @@
 { config, pkgs, lib, ... }:
 {
  users.users.www-kinealbrigtsen-no = {
    isSystemUser = true;
    group = "www-kinealbrigtsen-no";
  };
  users.groups.www-kinealbrigtsen-no = { };
  services.mysql.ensureDatabases = [
    "www_kinealbrigtsen_no"
  ];
  services.mysql.ensureUsers = [
    {
      name = "www-kinealbrigtsen-no";
      ensurePermissions = {
        # "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
        "www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
      };
    }
  ];
  services.phpfpm.pools.www-kinealbrigtsen-no = {
    user = "www-kinealbrigtsen-no";
    group = "www-kinealbrigtsen-no";
    phpOptions = lib.generators.toKeyValue {} {
      upload_max_filesize = "1000M";
      post_max_size = "1000M";
      memory_limit = "1000M";
    };
    settings = {
      "listen.owner" = config.services.nginx.user;
      "listen.group" = config.services.nginx.group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "pm.process_idle_timeout" = "10s";
      "pm.max_requests" = 1000;
    };
  };
  services.nginx.virtualHosts."kinealbrigtsen.no" = {
    serverAliases = [ "www.kinealbrigtsen.no" ];
    root = "/var/www/www-kinealbrigtsen-no";
    locations = {
      "/".extraConfig = ''
        try_files $uri $uri/ /index.php?$args;
      '';
      "~ \\.php$".extraConfig = ''
        include ${config.services.nginx.package}/conf/fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
      '';
      "~ /\\.ht".extraConfig = ''
        deny all;
      '';
      "/favicon.ico".extraConfig = ''
        log_not_found off;
        access_log off;
      '';
      "/robots.txt".extraConfig = ''
        allow all;
        log_not_found off;
        access_log off;
      '';
      "~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig =  ''
        expires max;
        log_not_found off;
      '';
    };
    extraConfig = ''
      index index.php index.html;
      set_real_ip_from 192.168.11.0/24;
      real_ip_header X-Forwarded-For;
      add_header 'Referrer-Policy' 'origin-when-cross-origin';
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
    '';
  };
  # TODO:
  # - Configure a mailer so wp_mail() works
  # - Enable periodic backups
 }
--- a/hosts/morn/configuration.nix
+++ b/hosts/morn/configuration.nix
@@ -0,0 +1,35 @@
 { config, pkgs, lib, ... }:
 {
  imports =
    [
      ../../base.nix
      ../../common/metrics-exporters.nix
      ../../common/auto-upgrade.nix
      ./hardware-configuration.nix
      ./services/nginx.nix
      ./services/glance
      ./services/miniflux.nix
      ./services/thelounge.nix
  ];
  networking = {
    hostName = "morn";
    defaultGateway = "192.168.10.1";
    interfaces.ens18.ipv4 = {
      addresses = [
        { address = "192.168.10.203"; prefixLength = 24; }
      ];
    };
    hostId = "89b7722d";
  };
  sops.defaultSopsFile = ../../secrets/morn/morn.yaml;
  environment.variables = { EDITOR = "vim"; };
  system.stateVersion = "24.11";
 }
--- a/hosts/chapel/hardware-configuration.nix
+++ b/hosts/chapel/hardware-configuration.nix
@@ -14,13 +14,14 @@
  boot.extraModulePackages = [ ];
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/f7086b7c-581e-40d4-90c0-47cb767395c7";
+    { device = "/dev/disk/by-uuid/93307186-cbc3-4748-859f-0013a1e36def";
      fsType = "ext4";
    };
  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/4303-A70F";
+    { device = "/dev/disk/by-uuid/FFCD-993A";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices = [ ];
@@ -29,8 +30,8 @@
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
+  # networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/morn/home.nix
+++ b/hosts/morn/home.nix
@@ -0,0 +1,12 @@
 { pkgs, lib, ... }:
 {
  imports = [
    ./../../home/base.nix
  ];
  programs = {
    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
  };
  home.stateVersion = "24.11";
 }
--- a/Show More
+++ b/Show More