Refactor

2026-06-04 00:30:29 +02:00
parent b82393272c
commit 9a89479f66
26 changed files with 1385 additions and 1380 deletions
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -16,99 +16,104 @@ let
    // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
  };
 in {
-  sops = true;
+  requires = {
-  db = true;
+    secrets = [ name ];
-  paths = [{
+    databases = [ name ];
    path="${serverCfg.path.config}/authentik";
    owner = "1000:1000";
    dirs = ["media" "templates"];
    mode = "0755";
  }];
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "ghcr.io/goauthentik/server:${version}";
      port = 9000;
      secret = name;
      extraEnv = {
        AUTHENTIK_REDIS__HOST = builder.host;
        AUTHENTIK_POSTGRESQL__HOST = builder.host;
        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
        AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
        AUTHENTIK_EMAIL__PORT = "587";
        AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
        AUTHENTIK_EMAIL__USE_TLS = "true";
        AUTHENTIK_EMAIL__USE_SSL = "false";
        AUTHENTIK_EMAIL__TIMEOUT = "10";
        AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
      };
      overrides = {
        environmentFiles =  [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
        cmd = [ "server" ];
        volumes = [
          "${serverCfg.path.config}/authentik/media:/media"
          "${serverCfg.path.config}/authentik/templates:/templates"
          "${authentikData}:/blueprints/custom:ro"
        ];
      };
    };
    worker = builder.mkContainer {
      image = "ghcr.io/goauthentik/server:${version}";
      secret = name;
      extraEnv = {
        AUTHENTIK_REDIS__HOST = builder.host;
        AUTHENTIK_POSTGRESQL__HOST = builder.host;
        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
      };
      overrides = {
        cmd = [ "worker" ];
        volumes = [
          "${serverCfg.path.config}/authentik/media:/media"
          "${serverCfg.path.config}/authentik/templates:/templates"
          "${authentikData}:/blueprints/custom:ro"
        ];
      };
    };
    ldap = builder.mkContainer {
      image = "ghcr.io/goauthentik/ldap:${version}";
      secret = name;
      extraEnv = {
        AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}"; 
        AUTHENTIK_INSECURE = "false"; 
      };
    };
  };
-  setup = {
+  runtime = {
-    trigger = "worker";
+    paths = [{
-    script = pkgs.writeShellScript "setup" ''
+      path="${serverCfg.path.config}/authentik";
-      # Define the command wrapper
+      owner = "1000:1000";
-      AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
+      dirs = ["media" "templates"];
      mode = "0755";
    }];
-      $AK apply_blueprint /blueprints/custom/authentik.yaml
+    containers = {
-      $AK apply_blueprint /blueprints/custom/traefik.yaml
+      server = builder.mkContainer {
-      $AK apply_blueprint /blueprints/custom/ldap.yaml
+        subdomain = containerCfg.subdomain;
        image = "ghcr.io/goauthentik/server:${version}";
        port = 9000;
        secret = name;
        extraEnv = {
          AUTHENTIK_REDIS__HOST = builder.host;
          AUTHENTIK_POSTGRESQL__HOST = builder.host;
          AUTHENTIK_POSTGRESQL__USER = "authentik_user";
          AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
          AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
          AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
          AUTHENTIK_EMAIL__PORT = "587";
          AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
          AUTHENTIK_EMAIL__USE_TLS = "true";
          AUTHENTIK_EMAIL__USE_SSL = "false";
          AUTHENTIK_EMAIL__TIMEOUT = "10";
          AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
          AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
          AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
        };
        overrides = {
          environmentFiles =  [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
-      ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
+          cmd = [ "server" ];
-      ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
+          volumes = [
-      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
+            "${serverCfg.path.config}/authentik/media:/media"
-      ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
+            "${serverCfg.path.config}/authentik/templates:/templates"
-      ${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
+            "${authentikData}:/blueprints/custom:ro"
-      ${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
+          ];
        };
      };
-      echo "Completed Authentik Setup"
+      worker = builder.mkContainer {
        image = "ghcr.io/goauthentik/server:${version}";
        secret = name;
        extraEnv = {
          AUTHENTIK_REDIS__HOST = builder.host;
          AUTHENTIK_POSTGRESQL__HOST = builder.host;
          AUTHENTIK_POSTGRESQL__USER = "authentik_user";
          AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
          AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
          AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
          AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
        };
        overrides = {
          cmd = [ "worker" ];
          volumes = [
            "${serverCfg.path.config}/authentik/media:/media"
            "${serverCfg.path.config}/authentik/templates:/templates"
            "${authentikData}:/blueprints/custom:ro"
          ];
        };
      };
      ldap = builder.mkContainer {
        image = "ghcr.io/goauthentik/ldap:${version}";
        secret = name;
        extraEnv = {
          AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}"; 
          AUTHENTIK_INSECURE = "false"; 
        };
      };
    };
    setup = {
      trigger = "worker";
      script = pkgs.writeShellScript "setup" ''
        # Define the command wrapper
        AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
        $AK apply_blueprint /blueprints/custom/authentik.yaml
        $AK apply_blueprint /blueprints/custom/traefik.yaml
        $AK apply_blueprint /blueprints/custom/ldap.yaml
        ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
        ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
        ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
        ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
        ${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
        ${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
        echo "Completed Authentik Setup"
      '';
    };
  };
 }
--- a/modules/server/containers/apps/calibre.nix
+++ b/modules/server/containers/apps/calibre.nix
@@ -3,36 +3,34 @@ let
  version = "latest";
  serverCfg = config.syscfg.server;
 in {
-  sops = false;
+  runtime = {
-  db = false;
+    containers = {
      server = builder.mkContainer {
        subdomain = containerCfg.subdomain;
        image = "crocodilestick/calibre-web-automated:${version}";
        port = 8083;
      #   secret = name;
        extraEnv = {
          CWA_PORT_OVERRIDE = "8083";
-
+          PUID = "1000";
-  containers = {
+          PGID = "1000";
-    server = builder.mkContainer {
+          #HARDCOVER_TOKEN= ....
-      subdomain = containerCfg.subdomain;
+          TRUSTED_PROXY_COUNT= "1";
-      image = "crocodilestick/calibre-web-automated:${version}";
+        };
-      port = 8083;
+          extraLabels = {
-    #   secret = name;
+          "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`)";
-      extraEnv = {
+          "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik) then "authentik" else "";
-        CWA_PORT_OVERRIDE = "8083";
+          "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
-
+          "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
-        PUID = "1000";
+          "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
-        PGID = "1000";
+        };
-        #HARDCOVER_TOKEN= ....
+        overrides = {
-        TRUSTED_PROXY_COUNT= "1";
+          volumes = [
-      };
+            "${serverCfg.path.book}:/calibre-library"
-        extraLabels = {
+            "${serverCfg.path.dlBook}:/cwa-book-ingest"
-        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`)";
+          ];
-        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik) then "authentik" else "";
+        };
        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
      };
      overrides = {
        volumes = [
          "${serverCfg.path.book}:/calibre-library"
          "${serverCfg.path.dlBook}:/cwa-book-ingest"
        ];
      };
    };
  };
--- a/modules/server/containers/apps/collabora.nix
+++ b/modules/server/containers/apps/collabora.nix
@@ -3,31 +3,34 @@ let
 version = "latest";
 serverCfg = config.syscfg.server;
 in {
-  sops = true;
+  requires.secrets = [ name ];
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "collabora/code:${version}";
      port = 9980;
      secret = name;
      extraEnv = {
        "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
        "server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
        "username" = "collabora_user";
        "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
        "VIRTUAL_PORT" = "9980";
        "VIRTUAL_PROTO" = "http";
        "DONT_GEN_SSL_CERT" = "true";
        "RESOLVE_TO_PROXY_IP" = "true";
        "extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
        "dictionaries" = "en fr de jp no";
      };
-      overrides = {
+  runtime = {
-        volumes = [
+    containers = {
-          "${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
+      server = builder.mkContainer {
-          "${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
+        subdomain = containerCfg.subdomain;
-        ];
+        image = "collabora/code:${version}";
        port = 9980;
        secret = name;
        extraEnv = {
          "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";
          "server_name" = "${containerCfg.subdomain}.${serverCfg.domain}";
          "username" = "collabora_user";
          "VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.domain}";
          "VIRTUAL_PORT" = "9980";
          "VIRTUAL_PROTO" = "http";
          "DONT_GEN_SSL_CERT" = "true";
          "RESOLVE_TO_PROXY_IP" = "true";
          "extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
          "dictionaries" = "en fr de jp no";
        };
        overrides = {
          volumes = [
            "${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
            "${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
          ];
        };
      };
    };
  };
--- a/modules/server/containers/apps/ethercalc.nix
+++ b/modules/server/containers/apps/ethercalc.nix
@@ -13,27 +13,30 @@ let
    };
  };
 in {
-  sops = true;
+  requires.secrets = [ name ];
  paths = [{
    path="${serverCfg.path.data}/ethercalc/";
    mode = "0666";
  }];
-  containers = {
+  runtime = {
-    server = builder.mkContainer {
+    paths = [{
-      subdomain = containerCfg.subdomain;
+      path="${serverCfg.path.data}/ethercalc/";
-      imageStream = image;
+      mode = "0666";
-      port = 8080;
+    }];
-      secret = name;
+
-      extraEnv = {
+    containers = {
-        ETHERCALC_PORT = "8080";
+      server = builder.mkContainer {
-        #CONNECT TO REDIS
+        subdomain = containerCfg.subdomain;
        imageStream = image;
        port = 8080;
        secret = name;
        extraEnv = {
          ETHERCALC_PORT = "8080";
          #CONNECT TO REDIS
        };
        overrides = {
          volumes = [
            "${serverCfg.path.data}/ethercalc:/data"
          ];
         };
      };
      overrides = {
        volumes = [
          "${serverCfg.path.data}/ethercalc:/data"
        ];
       };
    };
  };
 }
--- a/modules/server/containers/apps/etherpad.nix
+++ b/modules/server/containers/apps/etherpad.nix
@@ -76,49 +76,54 @@ let
    };
  };
 in {
-  sops = true;
+  requires = {
-  db = true;
+    secrets = [ name ];
-  paths = [{
+    databases = [ name ];
-    path="${serverCfg.path.config}/etherpad/";
+  };
    mode = "0444";
  }];
-  containers = {
+  runtime = {
-    server = builder.mkContainer {
+    paths = [{
-      subdomain = containerCfg.subdomain;
+      path="${serverCfg.path.config}/etherpad/";
-      imageStream = image;
+      mode = "0444";
-      port = 8080;
+    }];
-      secret = name;
+
-      extraEnv = {
+    containers = {
-        TITLE = "Pad";
+      server = builder.mkContainer {
-        PORT ="8080";
+        subdomain = containerCfg.subdomain;
-        DB_TYPE = "postgres";
+        imageStream = image;
-        DB_HOST = builder.host;
+        port = 8080;
-        DB_NAME = "etherpad_db";
+        secret = name;
-        DB_USER = "etherpad_user";
+        extraEnv = {
-        TRUST_PROXY = "true";
+          TITLE = "Pad";
-        DB_CHARSET = "utf8mb4";
+          PORT ="8080";
-        DEFAULT_PAD_TEXT = "";
+          DB_TYPE = "postgres";
-        PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
+          DB_HOST = builder.host;
-        PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
+          DB_NAME = "etherpad_db";
-        SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
+          DB_USER = "etherpad_user";
          TRUST_PROXY = "true";
          DB_CHARSET = "utf8mb4";
          DEFAULT_PAD_TEXT = "";
          PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
          PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
          SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
        };
        overrides = {
          cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
          volumes = [
            "${settings}:/etc/etherpad/settings.json"
            "${serverCfg.path.config}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
          ];
         };
      };
-      overrides = {
+    };
-        cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
+
-        volumes = [
+    setup = {
-          "${settings}:/etc/etherpad/settings.json"
+      trigger = "server";
-          "${serverCfg.path.config}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
+      envFile = config.sops.secrets."ETHERPAD".path;
-        ];
+      script = pkgs.writeShellScript "setup" ''
-       };
+        echo "$APIKEY" > ${serverCfg.path.config}/etherpad/APIKEY.txt
        chmod 444 ${serverCfg.path.config}/etherpad/APIKEY.txt
      '';
    };
  };
  setup = {
    trigger = "server";
    envFile = config.sops.secrets."ETHERPAD".path;
    script = pkgs.writeShellScript "setup" ''
      echo "$APIKEY" > ${serverCfg.path.config}/etherpad/APIKEY.txt
      chmod 444 ${serverCfg.path.config}/etherpad/APIKEY.txt
    '';
  };
 }
--- a/modules/server/containers/apps/freshrss.nix
+++ b/modules/server/containers/apps/freshrss.nix
@@ -3,54 +3,59 @@ let
  version = "latest";
  serverCfg = config.syscfg.server;
 in {
-  sops = true;
+  requires = {
-  db = true;
+    secrets = [ name ];
-  paths = [
+    databases = [ name ];
-    {
+  };
      path = "${serverCfg.path.config}/freshrss";
      owner = "1000:1000";
      mode = "0755";
    }
  ];
-  containers = {
+  runtime = {
-    server = builder.mkContainer {
+    paths = [
-      subdomain = containerCfg.subdomain;
+      {
-      image = "ghcr.io/freshrss/freshrss:${version}";
+        path = "${serverCfg.path.config}/freshrss";
-      port = 80;
+        owner = "1000:1000";
        mode = "0755";
      }
    ];
-      extraEnv = {
+    containers = {
-        CRON_MIN = "5,35";
+      server = builder.mkContainer {
-        TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
+        subdomain = containerCfg.subdomain;
-        LISTEN = "80";
+        image = "ghcr.io/freshrss/freshrss:${version}";
-        OIDC_ENABLED = "1";
+        port = 80;
        OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
        OIDC_REMOTE_USER_CLAIM = "preferred_username";
        OIDC_CLIENT_ID = "freshrss";
        OIDC_SCOPES = "openid profile";
        OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
      };
-      overrides = {
+        extraEnv = {
-        environmentFiles =  [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path ];
+          CRON_MIN = "5,35";
-        volumes = ["${serverCfg.path.config}/freshrss:/var/www/FreshRSS/data"];
+          TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
          LISTEN = "80";
          OIDC_ENABLED = "1";
          OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
          OIDC_REMOTE_USER_CLAIM = "preferred_username";
          OIDC_CLIENT_ID = "freshrss";
          OIDC_SCOPES = "openid profile";
          OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
        };
        overrides = {
          environmentFiles =  [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path ];
          volumes = ["${serverCfg.path.config}/freshrss:/var/www/FreshRSS/data"];
        };
      };
    };
  };
-  setup = {
+    setup = {
-    trigger = "server"; # Triggers atomic environment verification on main controller
+      trigger = "server"; # Triggers atomic environment verification on main controller
-    envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path];
+      envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path];
-    script = pkgs.writeShellScript "setup-freshrss" ''
+      script = pkgs.writeShellScript "setup-freshrss" ''
-      RSS="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data freshrss-server"
+        RSS="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data freshrss-server"
-      $RSS ./cli/prepare.php
+        $RSS ./cli/prepare.php
-      $RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \
+        $RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \
-        --title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss_user --db-password $DB_PASSWORD --db-base freshrss_db
+          --title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss_user --db-password $DB_PASSWORD --db-base freshrss_db
-      $RSS ./cli/create-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL
+        $RSS ./cli/create-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL
-      $RSS ./cli/reconfigure.php
+        $RSS ./cli/reconfigure.php
-      # $RSS ./cli/access-permissions.sh
+        # $RSS ./cli/access-permissions.sh
-    '';
+      '';
    };
  };
 }
--- a/modules/server/containers/apps/frigate.nix
+++ b/modules/server/containers/apps/frigate.nix
@@ -27,51 +27,51 @@ let
    };
  };
 in {
-  sops = true; # Enabled to safeguard sensitive camera RTSP stream credentials
+  requires.secrets = [ name ];
  db = false;  # Internal SQLite is used by default in Frigate
-  paths = [
+  runtime = {
-    {
+    paths = [
-      path = "${serverCfg.path.config}/frigate/";
+      {
-      mode = "0755";
+        path = "${serverCfg.path.config}/frigate/";
-    }
+        mode = "0755";
-    {
+      }
-      path = "/var/lib/frigate/storage/";
+      {
-      mode = "0755"; # Dedicated path for heavy video recordings and media
+        path = "/var/lib/frigate/storage/";
-    }
+        mode = "0755"; # Dedicated path for heavy video recordings and media
-  ];
+      }
    ];
-  containers = {
+    containers = {
-    server = builder.mkContainer {
+      server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
+        subdomain = containerCfg.subdomain;
-      imageStream = image;
+        imageStream = image;
-      port = 5000;
+        port = 5000;
-      secret = name;
+        secret = name;
-      extraEnv = {
+        extraEnv = {
-        PLUS_API_KEY = ""; # Optional: For Frigate Plus users
+          PLUS_API_KEY = ""; # Optional: For Frigate Plus users
-      };
+        };
-      overrides = {
+        overrides = {
-        cmd = [ ];
+          cmd = [ ];
-        volumes = [
+          volumes = [
-          "${serverCfg.path.config}/frigate:/config"
+            "${serverCfg.path.config}/frigate:/config"
-          "/var/lib/frigate/storage:/media/frigate"
+            "/var/lib/frigate/storage:/media/frigate"
-          "/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
+            "/dev/bus/usb:/dev/bus/usb" # Passes Google Coral USB TPU to the container
-          "/dev/dri:/dev/dri"         # Passes Intel/AMD GPU for hardware video decoding
+            "/dev/dri:/dev/dri"         # Passes Intel/AMD GPU for hardware video decoding
-        ];
+          ];
        };
      };
    };
  };
-  setup = {
+    setup = {
-    trigger = "server";
+      trigger = "server";
-    envFile = config.sops.secrets."FRIGATE_ENV".path;
+      envFile = config.sops.secrets."FRIGATE_ENV".path;
-    script = pkgs.writeShellScript "setup-frigate" ''
+      script = pkgs.writeShellScript "setup-frigate" ''
-      mkdir -p "${serverCfg.path.config}/frigate"
+        mkdir -p "${serverCfg.path.config}/frigate"
-      mkdir -p "/var/lib/frigate/storage"
+        mkdir -p "/var/lib/frigate/storage"
-      # Bootstrap a standard configuration layout if missing
+        # Bootstrap a standard configuration layout if missing
-      if [ ! -f "${serverCfg.path.config}/frigate/config.yml" ]; then
+        if [ ! -f "${serverCfg.path.config}/frigate/config.yml" ]; then
-        cat <<EOF > "${serverCfg.path.config}/frigate/config.yml"
+          cat <<EOF > "${serverCfg.path.config}/frigate/config.yml"
 mqtt:
  enabled: False # Set to True and define host if connecting to Home Assistant
@@ -89,7 +89,8 @@ cameras:
    detect:
      enabled: false
 EOF
-      fi
+        fi
-    '';
+      '';
    };
  };
 }
--- a/modules/server/containers/apps/gitea.nix
+++ b/modules/server/containers/apps/gitea.nix
@@ -5,137 +5,142 @@ let
  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.domain));
 in {
-  sops = true;
+  requires = {
-  db = true;
+    secrets = [ name ];
-  paths = [{
+    databases = [ name ];
    path="${serverCfg.path.data}/gitea";
    owner = "1000:1000";
    dirs = ["data" "runner"];
    mode = "0755";
  }];
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "gitea/gitea:${version}";
      port = 8080;
      secret = name;
      extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
        GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
        GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
        GITEA__repository__DISABLE_STARS = "true";
        GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
        # GITEA__ui__THEMES = "";
        # GITEA__ui__DEFAULT_THEME = "";
        # GITEA__security__SECRET_KEY = "SECRET_ENV";
        # GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
        # GITEA__database__PASSWD = "SECRET_ENV";
        # GITEA__mailer__PASSWD="SECRET_ENV";
        GITEA__database__DB_TYPE = "postgres"; 
        GITEA__database__HOST = builder.host;
        GITEA__database__NAME = "gitea_db";
        GITEA__database__USER = "gitea_user";
        GITEA__mailer__ENABLED = "true";
        GITEA__mailer__FROM = "";
        GITEA__mailer__PROTOCOL = "smtps";
        GITEA__mailer__SMTP_ADDR = "";
        GITEA__mailer__SMTP_PORT = "";
        GITEA__mailer__USER= "";
        GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
        GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
        GITEA__server__PROTOCOL = "http";
        GITEA__server__HTTP_PORT = "8080";
        GITEA__server__LFS_START_SERVER = "true";
        GITEA__security__INSTALL_LOCK = "true";
      } // ( if serverCfg.containers?authentik then {
        GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
        GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
        GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
        GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
        GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
        GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
        GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
        GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
        GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
        GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
        GITEA__security__RREVERSE_PROXY_LIMIT = "1";
        GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
      } else {});
      extraLabels = {
        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik && containerCg.extra?proxyauth) then "authentik" else "";
        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
      };
      overrides = {
        volumes = [
          "${serverCfg.path.data}/gitea/data:/data"
        ];
        ports = [ "2222:22" ]; 
      };
    };
    runner = builder.mkContainer {
      image = "gitea/act_runner:${version}";
      secret = name;
      extraEnv = { 
        CONFIG_FILE="/data/config.yml";
        GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
        GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
      };
      overrides = {
        volumes = [
          "${serverCfg.path.data}/gitea/runner:/data"
          "/var/run/podman/podman.sock:/var/run/docker.sock"
        ];
        # ports = [ "8088:8088" ]; 
      };
    };
  };
  runtime = {
    paths = [{
      path="${serverCfg.path.data}/gitea";
      owner = "1000:1000";
      dirs = ["data" "runner"];
      mode = "0755";
    }];
    containers = {
      server = builder.mkContainer {
        subdomain = containerCfg.subdomain;
        image = "gitea/gitea:${version}";
        port = 8080;
        secret = name;
-  setup = {
+        extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
-    trigger = "server";
+          GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
-    envFile = config.sops.secrets."CUSTOM".path;
+          GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
-    script = pkgs.writeShellScript "setup" ''
+          GITEA__repository__DISABLE_STARS = "true";
-      # Define the command wrapper
+          GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
-      GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
+          # GITEA__ui__THEMES = "";
-      GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
+          # GITEA__ui__DEFAULT_THEME = "";
-      $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
+          # GITEA__security__SECRET_KEY = "SECRET_ENV";
          # GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
          # GITEA__database__PASSWD = "SECRET_ENV";
          # GITEA__mailer__PASSWD="SECRET_ENV";
-      touch ${serverCfg.path.data}/gitea/data-runner/config.yml
+          GITEA__database__DB_TYPE = "postgres"; 
-
+          GITEA__database__HOST = builder.host;
-      RUNNER_TOKEN=$($GT actions generate-runner-token)
+          GITEA__database__NAME = "gitea_db";
-      $GTR register \
+          GITEA__database__USER = "gitea_user";
        --instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
        --token "$RUNNER_TOKEN" \
        --name "Runner" \
        --labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
        --no-interactive
-      ${lib.optionalString (serverCfg.containers ? authentik) ''
+          GITEA__mailer__ENABLED = "true";
-      $GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
+          GITEA__mailer__FROM = "";
-          --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
+          GITEA__mailer__PROTOCOL = "smtps";
-          --user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
+          GITEA__mailer__SMTP_ADDR = "";
-          --user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
+          GITEA__mailer__SMTP_PORT = "";
-          --admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
+          GITEA__mailer__USER= "";
          --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
          --synchronize-users
      ''}
-      echo "Completed Gitea Setup"
+          GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}";
          GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}/";
          GITEA__server__PROTOCOL = "http";
          GITEA__server__HTTP_PORT = "8080";
          GITEA__server__LFS_START_SERVER = "true";
          GITEA__security__INSTALL_LOCK = "true";
        } // ( if serverCfg.containers?authentik then {
          GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
          GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
          GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
          GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
          GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
          GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
          GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
          GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/outpost.goauthentik.io/sign_out";
          GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
          GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
          GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
          GITEA__security__RREVERSE_PROXY_LIMIT = "1";
          GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
        } else {});
        extraLabels = {
          "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/user/login`) ";
          "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if (serverCfg.containers?authentik && containerCg.extra?proxyauth) then "authentik" else "";
          "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
          "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
          "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
        };
        overrides = {
          volumes = [
            "${serverCfg.path.data}/gitea/data:/data"
          ];
          ports = [ "2222:22" ]; 
        };
      };
      runner = builder.mkContainer {
        image = "gitea/act_runner:${version}";
        secret = name;
        extraEnv = { 
          CONFIG_FILE="/data/config.yml";
          GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
          GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.domain}";
        };
        overrides = {
          volumes = [
            "${serverCfg.path.data}/gitea/runner:/data"
            "/var/run/podman/podman.sock:/var/run/docker.sock"
          ];
          # ports = [ "8088:8088" ]; 
        };
      };
    };
    setup = {
      trigger = "server";
      envFile = config.sops.secrets."CUSTOM".path;
      script = pkgs.writeShellScript "setup" ''
        # Define the command wrapper
        GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
        GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
        $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
        touch ${serverCfg.path.data}/gitea/data-runner/config.yml
        RUNNER_TOKEN=$($GT actions generate-runner-token)
        $GTR register \
          --instance "https://${containerCfg.subdomain}.${serverCfg.domain}" \
          --token "$RUNNER_TOKEN" \
          --name "Runner" \
          --labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
          --no-interactive
        ${lib.optionalString (serverCfg.containers ? authentik) ''
        $GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
            --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
            --user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
            --user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
            --admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
            --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
            --synchronize-users
        ''}
        echo "Completed Gitea Setup"
      '';
    };
  };
 }
--- a/modules/server/containers/apps/handbrake.nix
+++ b/modules/server/containers/apps/handbrake.nix
@@ -2,55 +2,47 @@
 let 
  serverCfg = config.syscfg.server;
  version = "latest";
  routerName = if containerCfg.subpath != null 
              then "${containerCfg.subdomain}-${lib.strings.sanitizeDerivationName containerCfg.subpath}" 
              else containerCfg.subdomain;
 in {
  runtime = {
    paths = [{
      path = "${serverCfg.path.config}/handbrake";
      mode = "0755";
    }];
-  paths = [{
+    containers = {
-    path = "${serverCfg.path.config}/handbrake";
+      server = builder.mkContainer {
-    mode = "0755";
+        authentik = true;
-  }];
+        tmpfs = true;
        subdomain = containerCfg.subdomain;
        subpath = containerCfg.subpath;
        image = "ghcr.io/jlesage/handbrake:${version}";
        port = 5800;
-  containers = {
+        extraEnv = {
-    server = builder.mkContainer {
+          USER_ID = "1000";
-      subdomain = containerCfg.subdomain;
+          GROUP_ID = "1000";
-      subpath = containerCfg.subpath;
+          AUTOMATED_CONVERSION_PRESET = "Custom/AV1 MKV 1080p30";
-      image = "ghcr.io/jlesage/handbrake:${version}";
+          AUTOMATED_CONVERSION_FORMAT = "mkv";
-      port = 5800;
+          AUTOMATED_CONVERSION_OUTPUT_SUBDIR = "SAME_AS_SRC";
        };
-      extraEnv = {
+        overrides = {
-        USER_ID = "1000";
+          volumes = [
-        GROUP_ID = "1000";
+            "${serverCfg.path.config}/handbrake:/config:rw"
-        AUTOMATED_CONVERSION_PRESET = "Custom/AV1 MKV 1080p30";
+            "${serverCfg.path.dlComplete}:/watch:rw"
-        AUTOMATED_CONVERSION_FORMAT = "mkv";
+            "${serverCfg.path.dlConverted}:/output:rw"
-        AUTOMATED_CONVERSION_OUTPUT_SUBDIR = "SAME_AS_SRC";
+          ];
         };
      };
-      extraLabels = { } // (if serverCfg.containers ? authentik then {
+    };
        "traefik.http.routers.${routerName}.middlewares" = "authentik";
      } else {});
      extraOptions = [
        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
      ];
-      overrides = {
+    
-        volumes = [
+    setup = {
-          "${serverCfg.path.config}/handbrake:/config:rw"
+      trigger = "server";
-          "${serverCfg.path.dlComplete}:/watch:rw"
+      script = pkgs.writeShellScript "setup" ''
-          "${serverCfg.path.dlConverted}:/output:rw"
+          mkdir -p ${serverCfg.path.data}/handbrake/{watch,output}
-        ];
+
-       };
+      '';
    };
  };
  setup = {
    trigger = "server";
    script = pkgs.writeShellScript "setup" ''
        mkdir -p ${serverCfg.path.data}/handbrake/{watch,output}
    '';
  };
 }
--- a/modules/server/containers/apps/homeassistant.nix
+++ b/modules/server/containers/apps/homeassistant.nix
@@ -4,62 +4,63 @@ let
  serverCfg = config.syscfg.server;
 in {
-  vm = {
+  runtime = {
-    portForward = [ 8123 ];
+    vm = {
-    cfg = {cfg,...}:{ 
+      portForward = [ 8123 ];
-      services.home-assistant = {
+      cfg = {cfg,...}: {
-        enable = true;
+        services.home-assistant = {
-        openFirewall = true;
+          enable = true;
          openFirewall = true;
-        extraComponents = [
+          extraComponents = [
-          "matter" "thread" "cast" "zha"
+            "matter" "thread" "cast" "zha"
-          "default_config" "met" "esphome" "radio_browser"
+            "default_config" "met" "esphome" "radio_browser"
-          "telegram_bot" "swiss_public_transport" "nextcloud" "jellyfin" 
+            "telegram_bot" "swiss_public_transport" "nextcloud" "jellyfin" 
-        ]  ++ (if containerCfg.extra ? components then containerCfg.extra.components else []);
+          ]  ++ (if containerCfg.extra ? components then containerCfg.extra.components else []);
-        extraPackages = pp: with pp; [
+          extraPackages = pp: with pp; [
-            python-telegram gtts
+              python-telegram gtts
-        ];
+          ];
-        lovelaceConfig = {};
+          lovelaceConfig = {};
-        config = {
+          config = {
-          homeassistant = {
+            homeassistant = {
-            name = "Home";
+              name = "Home";
-            latitude = "${if containerCfg.extra ? latitude then toString containerCfg.extra.latitude else toString 0}";
+              latitude = "${if containerCfg.extra ? latitude then toString containerCfg.extra.latitude else toString 0}";
-            longitude = "${if containerCfg.extra ? longitude then toString containerCfg.extra.longitude else toString 0}";
+              longitude = "${if containerCfg.extra ? longitude then toString containerCfg.extra.longitude else toString 0}";
-            elevation = "${if containerCfg.extra ? elevation then toString containerCfg.extra.elevation else toString 0}";
+              elevation = "${if containerCfg.extra ? elevation then toString containerCfg.extra.elevation else toString 0}";
-            unit_system = "metric";
+              unit_system = "metric";
-            time_zone = config.time.timeZone;
+              time_zone = config.time.timeZone;
-          };
+            };
-          lovelace = { mode = "yaml"; };
+            lovelace = { mode = "yaml"; };
-          customLovelaceModules = [];
+            customLovelaceModules = [];
-          # default_config = {};
+            # default_config = {};
-          http = {
+            http = {
-            use_x_forwarded_for = true;
+              use_x_forwarded_for = true;
-            trusted_proxies = [ "10.0.0.0/8" "127.0.0.1" ];
+              trusted_proxies = [ "10.0.0.0/8" "127.0.0.1" ];
            };
          };
        };
      };
    };
  };
-  containers = {
+    containers = {
-    dummy = builder.mkContainer {
+      dummy = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
+        subdomain = containerCfg.subdomain;
-      image = "alpine:latest";
+        image = "alpine:latest";
-      extraLabels = {
+        extraLabels = {
-        "traefik.http.services.${containerCfg.subdomain}.loadbalancer.server.url" = "http://${builder.hostIp}:8123";
+          "traefik.http.services.${containerCfg.subdomain}.loadbalancer.server.url" = "http://${builder.hostIp}:8123";
        };
        overrides = {cmd = [ "sleep" "infinity" ];};
      };
      overrides = {cmd = [ "sleep" "infinity" ];};
    };
  };
-  setup = {
+    setup = {
-    trigger = "dummy";
+      trigger = "dummy";
-    envFile = config.sops.secrets."CUSTOM".path;
+      envFile = config.sops.secrets."CUSTOM".path;
-    script = pkgs.writeShellScript "setup" ''
+      script = pkgs.writeShellScript "setup" ''
    HASS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
    until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$HASS_URL/manifest.json")" =~ (200|301|302) ]]; do
@@ -95,7 +96,7 @@ in {
          -H "Content-Type: application/json" \
          -d '{"client_id":"'"$HASS_URL"'","redirect_uri":"'"$HASS_URL"'/?auth_callback=1"}' > /dev/null 2>&1 || true
    fi
-    '';
+      '';
    };
  };
 }
--- a/modules/server/containers/apps/homepage.nix
+++ b/modules/server/containers/apps/homepage.nix
@@ -258,31 +258,29 @@ let
        ];}#)];}
    ];
 in {
-    sops = false;
+    runtime = {
-    db = false;
+      containers = {
-    
+        server = builder.mkContainer {
-    containers = {
+          subdomain = containerCfg.subdomain;
-    server = builder.mkContainer {
+          image = "ghcr.io/gethomepage/homepage:${version}";
-        subdomain = containerCfg.subdomain;
+          port = 3000;
-        image = "ghcr.io/gethomepage/homepage:${version}";
+          extraEnv = { 
-        port = 3000;
+              HOMEPAGE_VAR_TITLE="${serverCfg.domain}";
-        extraEnv = { 
+              HOMEPAGE_ALLOWED_HOSTS = "${containerCfg.subdomain}.${serverCfg.domain},${builder.host}";
-            HOMEPAGE_VAR_TITLE="${serverCfg.domain}";
+          };
-            HOMEPAGE_ALLOWED_HOSTS = "${containerCfg.subdomain}.${serverCfg.domain},${builder.host}";
+          extraLabels = {
-        };
+          "traefik.http.routers.${containerCfg.subdomain}.service" = "${containerCfg.subdomain}";
-        extraLabels = {
+          };
-        "traefik.http.routers.${containerCfg.subdomain}.service" = "${containerCfg.subdomain}";
+          overrides = {
-        };
+              environmentFiles =  [ config.sops.secrets."CUSTOM".path ];
-        overrides = {
+              volumes = [ 
-            environmentFiles =  [ config.sops.secrets."CUSTOM".path ];
+                  "${settings}:/app/config/settings.yaml:ro"
-            volumes = [ 
+                  "${services}:/app/config/services.yaml:ro"
-                "${settings}:/app/config/settings.yaml:ro"
+                  "${widgets}:/app/config/widgets.yaml:ro"
-                "${services}:/app/config/services.yaml:ro"
+                  "${bookmarks}:/app/config/bookmarks.yaml:ro"
-                "${widgets}:/app/config/widgets.yaml:ro"
+              ];
-                "${bookmarks}:/app/config/bookmarks.yaml:ro"
+          };
-            ];
+      };
-        };
+      };
    };
    };
 }
--- a/modules/server/containers/apps/immich.nix
+++ b/modules/server/containers/apps/immich.nix
@@ -4,97 +4,101 @@ let
  serverCfg = config.syscfg.server;
 in {
-  sops = true;
+  requires = {
-  db = true;
+    secrets = [ name ];
-
+    databases = [ name ];
  paths = [{
    path = "${serverCfg.path.config}/immich";
    dirs = ["cache"];
    mode = "0750";
  }{
    path = "${serverCfg.path.data}/immich/";
    dirs = ["upload" "thumbs" "encoded-video" "backups"];
    mode = "0755";
  }];
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "ghcr.io/immich-app/immich-server:${version}";
      port = 2283;
      secret = name;
      extraEnv = {
        DB_HOSTNAME = builder.host;
        REDIS_HOSTNAME = builder.host;
        DB_USERNAME = "immich_user";
        DB_DATABASE_NAME = "immich_db";
        IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
        IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
        # IMMICH_ALLOW_SETUP = "false";
        # IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
      };
      overrides = {
        volumes = [
          "${serverCfg.path.photo}:/data/upload"
          "${serverCfg.path.data}/immich/backups:/data/backups"
          "${serverCfg.path.config}/immich/thumbs:/data/thumbs"
          "${serverCfg.path.config}/immich/encoded-video:/data/encoded-video"
        ];
      };
    };
    ml = builder.mkContainer {
      image = "ghcr.io/immich-app/immich-machine-learning:${version}";
      port = 3003;
      overrides = {
        volumes = [
          "${serverCfg.path.config}/immich/cache:/cache"
        ];
      };
    };
  };
-  setup = {
+  runtime = {
-    trigger = "server";
+    paths = [{
-    envFile = config.sops.secrets."CUSTOM".path;
+      path = "${serverCfg.path.config}/immich";
-    script = pkgs.writeShellScript "setup" ''
+      dirs = ["cache"];
-        PSQL="${pkgs.postgresql}/bin/psql -U postgres"
+      mode = "0750";
-        $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
+    }{
-        $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
+      path = "${serverCfg.path.data}/immich/";
      dirs = ["upload" "thumbs" "encoded-video" "backups"];
      mode = "0755";
    }];
-        IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+    containers = {
-        until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
+      server = builder.mkContainer {
-          sleep 5
+        subdomain = containerCfg.subdomain;
-        done
+        image = "ghcr.io/immich-app/immich-server:${version}";
-        ${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
+        port = 2283;
-          -H "Content-Type: application/json" -H "Accept: application/json" \
+        secret = name;
-          -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
+        extraEnv = {
          DB_HOSTNAME = builder.host;
          REDIS_HOSTNAME = builder.host;
          DB_USERNAME = "immich_user";
          DB_DATABASE_NAME = "immich_db";
          IMMICH_TRUSTED_PROXIES = "10.0.0.0/8";
          IMMICH_MACHINE_LEARNING_URL = "http://immich-ml:3003";
          # IMMICH_ALLOW_SETUP = "false";
          # IMMICH_IGNORE_MOUNT_CHECK_ERRORS = "true";
        };
        overrides = {
          volumes = [
            "${serverCfg.path.photo}:/data/upload"
            "${serverCfg.path.data}/immich/backups:/data/backups"
            "${serverCfg.path.config}/immich/thumbs:/data/thumbs"
            "${serverCfg.path.config}/immich/encoded-video:/data/encoded-video"
          ];
        };
      };
-        IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
+      ml = builder.mkContainer {
-        -H "Content-Type: application/json" \
+        image = "ghcr.io/immich-app/immich-machine-learning:${version}";
-        -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
+        port = 3003;
-        | ${pkgs.jq}/bin/jq -r '.accessToken')        
+        overrides = {
          volumes = [
            "${serverCfg.path.config}/immich/cache:/cache"
          ];
        };
      };
    };
-        ${lib.optionalString (serverCfg.containers ? authentik) ''
+    setup = {
-        ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
+      trigger = "server";
-        ${pkgs.jq}/bin/jq '.oauth.enabled = true | 
+      envFile = config.sops.secrets."CUSTOM".path;
-                          .oauth.autoRegister = true |
+      script = pkgs.writeShellScript "setup" ''
-                          .oauth.autoLaunch = true |
+          PSQL="${pkgs.postgresql}/bin/psql -U postgres"
-                          .oauth.signingAlgorithm = "RS256" |
+          $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"
-                          .oauth.profileSigningAlgorithm = "RS256" |
+          $PSQL -d "immich_db" -tAc "CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;"
                          .oauth.clientId = "immich" | 
                          .oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" | 
                          .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" | 
                          .oauth.scope = "openid profile email" |
                          .oauth.buttonText = "Login with SSO"' | \
        ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
        ''}
-        ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
+          IMMICH_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
-        ${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
+          until [[ "$(${pkgs.curl}/bin/curl -s -o /dev/null -w "%{http_code}" "$IMMICH_URL")" =~ (200|301|302) ]]; do
-                          .storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
+            sleep 5
-        ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
+          done
          ${pkgs.curl}/bin/curl -X POST "$IMMICH_URL/api/auth/admin-sign-up" \
            -H "Content-Type: application/json" -H "Accept: application/json" \
            -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'", "name": "'"$DEFAULT_ADMIN_USERNAME"'" }'
-    '';
+          IMMICH_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$IMMICH_URL/api/auth/login" \
          -H "Content-Type: application/json" \
          -d '{ "email": "'"$DEFAULT_ADMIN_EMAIL"'", "password": "'"$DEFAULT_ADMIN_PASSWORD"'"}' \
          | ${pkgs.jq}/bin/jq -r '.accessToken')        
          ${lib.optionalString (serverCfg.containers ? authentik) ''
          ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
          ${pkgs.jq}/bin/jq '.oauth.enabled = true | 
                            .oauth.autoRegister = true |
                            .oauth.autoLaunch = true |
                            .oauth.signingAlgorithm = "RS256" |
                            .oauth.profileSigningAlgorithm = "RS256" |
                            .oauth.clientId = "immich" | 
                            .oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" | 
                            .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" | 
                            .oauth.scope = "openid profile email" |
                            .oauth.buttonText = "Login with SSO"' | \
          ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
          ''}
          ${pkgs.curl}/bin/curl -s -X GET "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" | \
          ${pkgs.jq}/bin/jq '.storageTemplate.enable = true |
                            .storageTemplate.template = "{{y}}/{{#if album}}{{album}}{{else}}{{MM}}{{/if}}/{{filename}}"' | \
          ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
      '';
    };
  };
 }
--- a/modules/server/containers/apps/influx.nix
+++ b/modules/server/containers/apps/influx.nix
@@ -5,64 +5,65 @@ let
 in {
-  sops = true;
+  requires = {
-  db = true;
+    secrets = [ name ];
-  
+    databases = [ name ];
  paths = [{
    path = "${serverCfg.path.config}/influxdb/";
    owner = "1500:1500";
    mode = "0700"; 
  }{
    path = "${serverCfg.path.data}/influxdb/";
    owner = "1500:1500";
    mode = "0700"; 
  }];
  containers = {
    # db = builder.mkContainer {
    #   subdomain = containerCfg.subdomain;
    #   image = "influxdata/influxdb:3.0";
    #   port = 8181;
    #   secret = name;
    #   extraEnv = {
    #     INFLUXD_DB_PATH = "/db";
    #     INFLUXD_CONFIG_PATH = "/config";
    #   };
    #   overrides = {
    #     volumes = [
    #       "${serverCfg.path.data}/influxdb:/db:rw"
    #       "${serverCfg.path.config}/influxdb:/config:ro"
    #     ];
    #   };
    # };
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "influxdata/influxdb3-ui:${version}";
      port = 8080;
      secret = name;
      extraEnv = {
        SESSION_SECRET_KEY = "7b0024c13ae770000f797c201e2f210b9932a689c04d34de04379faa44e88e97";
        DATABASE_URL = "/db/sqlite.db"; 
      };
      extraOptions = [
        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
      ];
      overrides = {
        ports = [ "8080:8080" ];
        cmd = [ "--mode=admin" ]; 
        volumes = [
          "${serverCfg.path.data}/influxdb:/db:rw"
          "${serverCfg.path.config}/influxdb/:/app-root/config:ro"
        ];
      };
    };
  };
-  setup = {
+  runtime = {
-    trigger = "server";
+    paths = [{
-    script = pkgs.writeShellScript "setup" ''
+      path = "${serverCfg.path.config}/influxdb/";
-      cat > ${serverCfg.path.config}/influxdb/config.json << 'EOF'
+      owner = "1500:1500";
      mode = "0700"; 
    }{
      path = "${serverCfg.path.data}/influxdb/";
      owner = "1500:1500";
      mode = "0700"; 
    }];
    containers = {
      # db = builder.mkContainer {
      #   subdomain = containerCfg.subdomain;
      #   image = "influxdata/influxdb:3.0";
      #   port = 8181;
      #   secret = name;
      #   extraEnv = {
      #     INFLUXD_DB_PATH = "/db";
      #     INFLUXD_CONFIG_PATH = "/config";
      #   };
      #   overrides = {
      #     volumes = [
      #       "${serverCfg.path.data}/influxdb:/db:rw"
      #       "${serverCfg.path.config}/influxdb:/config:ro"
      #     ];
      #   };
      # };
      server = builder.mkContainer {
        tmpfs = true;
        subdomain = containerCfg.subdomain;
        image = "influxdata/influxdb3-ui:${version}";
        port = 8080;
        secret = name;
        extraEnv = {
          SESSION_SECRET_KEY = "7b0024c13ae770000f797c201e2f210b9932a689c04d34de04379faa44e88e97";
          DATABASE_URL = "/db/sqlite.db"; 
        };
        overrides = {
          ports = [ "8080:8080" ];
          cmd = [ "--mode=admin" ]; 
          volumes = [
            "${serverCfg.path.data}/influxdb:/db:rw"
            "${serverCfg.path.config}/influxdb/:/app-root/config:ro"
          ];
        };
      };
    };
    setup = {
      trigger = "server";
      script = pkgs.writeShellScript "setup" ''
        cat > ${serverCfg.path.config}/influxdb/config.json << 'EOF'
 {
  "DEFAULT_INFLUX_SERVER": "http://${builder.host}:8181",
  "DEFAULT_INFLUX_DATABASE": "main",
@@ -70,8 +71,8 @@ in {
  "DEFAULT_SERVER_NAME": "${serverCfg.domain}"
 }
 EOF
-    chmod -R 755 ${serverCfg.path.config}/influxdb
+      chmod -R 755 ${serverCfg.path.config}/influxdb
-    '';
+      '';
    };
  };
 }
--- a/modules/server/containers/apps/invidious.nix
+++ b/modules/server/containers/apps/invidious.nix
@@ -24,55 +24,60 @@ let
  };
 in {
-  sops = true;
+  requires = {
-  db = true;
+    secrets = [ name ];
-  paths = [{
+    databases = [ name ];
-    path="${serverCfg.path.config}/invidious";
+  };
    mode = "0755";
  }];
-  containers = {
+  runtime = {
-    server = builder.mkContainer {
+    paths = [{
-      subdomain = containerCfg.subdomain;
+      path="${serverCfg.path.config}/invidious";
-      imageStream = image;
+      mode = "0755";
-      port = 3000;
+    }];
-      secret = name;
+
-      extraLabels = {
+    containers = {
-        "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
+      server = builder.mkContainer {
-        "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
+        subdomain = containerCfg.subdomain;
-        "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
+        imageStream = image;
-        "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
+        port = 3000;
-        "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
+        secret = name;
        extraLabels = {
          "traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.domain}`) && Path(`/login`) ";
          "traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
          "traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
          "traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
          "traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
        };
        extraEnv = {
          INVIDIOUS_CONFIG_FILE = "/data/config.yml";
        };
        overrides = {
          volumes = [
            "${serverCfg.path.config}/invidious:/data:ro"
          ];
        };
      };
-      extraEnv = {
+
-        INVIDIOUS_CONFIG_FILE = "/data/config.yml";
+      companion = builder.mkContainer {
-      };
+        image = "quay.io/invidious/invidious-companion:latest";
-      overrides = {
+        port = 8282;
-        volumes = [
+        secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
-          "${serverCfg.path.config}/invidious:/data:ro"
+        extraOptions = [
          "--cap-drop=all"
          "--security-opt=no-new-privileges"
        ];
      };
    };
-    companion = builder.mkContainer {
+    setup = {
-      image = "quay.io/invidious/invidious-companion:latest";
+      trigger = "server";
-      port = 8282;
+      envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
-      secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY
+      script = pkgs.writeShellScript "setup" ''
-      extraOptions = [
+        export DB_HOST=${builder.host}
-        "--cap-drop=all"
+        export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
-        "--security-opt=no-new-privileges"
+
-      ];
+        ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.path.config}/invidious/config.yml"
      '';
    };
  };
  setup = {
    trigger = "server";
    envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ];
    script = pkgs.writeShellScript "setup" ''
      export DB_HOST=${builder.host}
      export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain}
      ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > "${serverCfg.path.config}/invidious/config.yml"
    '';
  };
 }
--- a/modules/server/containers/apps/jellyfin.nix
+++ b/modules/server/containers/apps/jellyfin.nix
@@ -25,152 +25,151 @@ let
    };
  };
 in {
-  paths = [
+  runtime = {
-    {
+    paths = [
-      path = "${serverCfg.path.config}/jellyfin/";
+      {
-      owner = "1000:1000";
+        path = "${serverCfg.path.config}/jellyfin/";
-      mode = "0755";
+        owner = "1000:1000";
-    }
+        mode = "0755";
-  ];
+      }
    ];
-  containers = {
+    containers = {
-    server = builder.mkContainer {
+      server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
+        tmpfs = true;
-      imageStream = image;
+        subdomain = containerCfg.subdomain;
-      port = 8096;
+        imageStream = image;
-      extraEnv = {
+        port = 8096;
-        HOME = "/config/data";
+        extraEnv = {
-        DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
+          HOME = "/config/data";
-        JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
+          DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
-        JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
+          JELLYFIN_HttpListenerHost__BindAddress= "0.0.0.0"; #we can use settings.xml override
-      };
+          JELLYFIN_ServerName = if containerCfg.extra?name then containerCfg.extra.name else "Flix";
-      extraOptions = [
+        };
-        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
+        overrides = {
-      ];
+          cmd = [
-      overrides = {
+          "--datadir" "/config/data"
-        cmd = [
+          "--cachedir" "/config/cache"
-        "--datadir" "/config/data"
+          "--configdir" "/config/config"
-        "--cachedir" "/config/cache"
+          "--logdir" "/config/log" 
-        "--configdir" "/config/config"
+          ];
-        "--logdir" "/config/log" 
+          volumes = [
-        ];
+            "${serverCfg.path.film}:/media:ro" 
-        volumes = [
+            "${serverCfg.path.config}/jellyfin:/config"
-          "${serverCfg.path.film}:/media:ro" 
+          ];
-          "${serverCfg.path.config}/jellyfin:/config"
+          # If you have an Intel/AMD GPU for transcoding, add the device:
-        ];
+          devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
-        # If you have an Intel/AMD GPU for transcoding, add the device:
+        };
        devices = lib.optionals (builtins.pathExists "/dev/dri") [ "/dev/dri:/dev/dri" ];
      };
    };
  };
-  setup = {
+    setup = {
-    trigger = "server";
+      trigger = "server";
-    envFile = config.sops.secrets."CUSTOM".path;
+      envFile = config.sops.secrets."CUSTOM".path;
-    script = pkgs.writeShellScript "setup" ''
+      script = pkgs.writeShellScript "setup" ''
-      JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
+        JELLYFIN_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
      until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
        sleep 5
      done
      echo "Jellyfin is up. Sleeping for 20 seconds..."
      sleep 20
      WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
        ${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
      if [ "$WIZARD_COMPLETE" = "false" ]; then
        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
          -H "Content-Type: application/json" \
          -d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
          echo "ERROR: Failed to set startup configuration."
          exit 1
        fi
        if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
          echo "ERROR: Failed to get base user."
          exit 1
        fi
        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
          -H 'accept: */*' -H "Content-Type: application/json" \
          -d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
          echo "ERROR: Failed to set admin user."
          exit 1
        fi
        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
          -H "Content-Type: application/json" \
          -d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
          echo "ERROR: Failed to configure remote access."
          exit 1
        fi
        if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
          echo "ERROR: Failed to complete wizard."
          exit 1
        fi
        echo "Jellyfin initialization successfully completed!"
      fi
      ${lib.optionalString (serverCfg.containers ? authentik) ''
      JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
        -H "Content-Type: application/json" \
        -H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
        -d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
        | ${pkgs.jq}/bin/jq -r '.AccessToken')
      # Verify we got a token
      if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
          echo "ERROR: Authentication failed."
          exit 1
      fi
      if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
          "$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
        echo "LDAP Plugin is already installed. Skipping setup."
      else
        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
            -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
            -H "Content-Length: 0"; then
          echo "ERROR: LDAP Plugin Setup Failed."
          exit 1
        fi
        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
            -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
            -H "Content-Length: 0"; then
          echo "ERROR: Server failed to accept restart command."
          exit 1
        fi
        sleep 1-
        until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
          sleep 5
        done
        echo "Jellyfin is up. Sleeping for 20 seconds..."
        sleep 20
-      fi
+        WIZARD_COMPLETE=$(${pkgs.curl}/bin/curl -sSf "$JELLYFIN_URL/System/Info/Public" 2>/dev/null | \
          ${pkgs.jq}/bin/jq -r '.StartupWizardCompleted // false')
        if [ "$WIZARD_COMPLETE" = "false" ]; then
          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/Configuration" \
            -H "Content-Type: application/json" \
            -d '{"ServerName":"Flix","UICulture":"en-US","MetadataCountryCode":"US","PreferredMetadataLanguage":"en"}'; then
            echo "ERROR: Failed to set startup configuration."
            exit 1
          fi
-      if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
+          if ! ${pkgs.curl}/bin/curl -sSf -X GET "$JELLYFIN_URL/Startup/User"; then
-          -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+            echo "ERROR: Failed to get base user."
-          -H "Content-Type: application/json" -H 'accept: */*' \
+            exit 1
-          -d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
+          fi
          "LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
          "LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
          "LdapSearchAttributes":"uid, cn, mail, displayName",
          "LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
          "EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
          "EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
          "LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
          "EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
        echo "ERROR: LDAP Plugin Setup Failed."
        exit 1
      fi
      ''}
-      ${pkgs.sqlite}/bin/sqlite3 ${serverCfg.path.config}/jellyfin/data/data/jellyfin.db <<EOF
+          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/User" \
            -H 'accept: */*' -H "Content-Type: application/json" \
            -d '{"Name": "'"$DEFAULT_ADMIN_USERNAME"'", "Password": "'"$DEFAULT_ADMIN_PASSWORD"'"}'; then
            echo "ERROR: Failed to set admin user."
            exit 1
          fi
          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Startup/RemoteAccess" \
            -H "Content-Type: application/json" \
            -d '{"EnableRemoteAccess":true,"EnableAutomaticPortMapping":false}'; then
            echo "ERROR: Failed to configure remote access."
            exit 1
          fi
          if ! ${pkgs.curl}/bin/curl -sSf -X POST "''$JELLYFIN_URL/Startup/Complete"; then
            echo "ERROR: Failed to complete wizard."
            exit 1
          fi
          echo "Jellyfin initialization successfully completed!"
        fi
        ${lib.optionalString (serverCfg.containers ? authentik) ''
        JELLYFIN_TOKEN=$(${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Users/AuthenticateByName" \
          -H "Content-Type: application/json" \
          -H "Authorization: MediaBrowser Client=\"Bash Script\", Device=\"Server Terminal\", DeviceId=\"script-12345\", Version=\"1.0.0\"" \
          -d "{\"Username\": \"$DEFAULT_ADMIN_USERNAME\", \"Pw\": \"$DEFAULT_ADMIN_PASSWORD\"}" \
          | ${pkgs.jq}/bin/jq -r '.AccessToken')
        # Verify we got a token
        if [ "$JELLYFIN_TOKEN" = "null" ] || [ -z "$JELLYFIN_TOKEN" ]; then
            echo "ERROR: Authentication failed."
            exit 1
        fi
        if ${pkgs.curl}/bin/curl -sSf -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
            "$JELLYFIN_URL/Plugins" | ${pkgs.gnugrep}/bin/grep -q "958aad6637844d2ab89aa7b6fab6e25c"; then
          echo "LDAP Plugin is already installed. Skipping setup."
        else
          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Packages/Installed/LDAP%20Authentication?assemblyGuid=958aad6637844d2ab89aa7b6fab6e25c" \
              -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
              -H "Content-Length: 0"; then
            echo "ERROR: LDAP Plugin Setup Failed."
            exit 1
          fi
          if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
              -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
              -H "Content-Length: 0"; then
            echo "ERROR: Server failed to accept restart command."
            exit 1
          fi
          sleep 1-
          until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
            sleep 5
          done
          echo "Jellyfin is up. Sleeping for 20 seconds..."
          sleep 20
        fi
        if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
            -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
            -H "Content-Type: application/json" -H 'accept: */*' \
            -d '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true,
            "LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword": "'"$DEFAULT_LDAP_PASSWORD"'",
            "LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})",
            "LdapSearchAttributes":"uid, cn, mail, displayName",
            "LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})",
            "EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword",
            "EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default",
            "LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false,
            "EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}'; then
          echo "ERROR: LDAP Plugin Setup Failed."
          exit 1
        fi
        ''}
        ${pkgs.sqlite}/bin/sqlite3 ${serverCfg.path.config}/jellyfin/data/data/jellyfin.db <<EOF
 INSERT OR IGNORE INTO ApiKeys (Id, AccessToken, Name, DateCreated, DateLastActivity) 
 VALUES ( 1, "$HOMEPAGE_VAR_JELLYFIN_API", 'Home', strftime('%Y-%m-%d %H:%M:%S', 'now'), strftime('%Y-%m-%d %H:%M:%S', 'now'));
 EOF
-      echo "Completed Setup"
+        echo "Completed Setup"
-    '';
+      '';
    };
  };
 }
--- a/modules/server/containers/apps/nextcloud.nix
+++ b/modules/server/containers/apps/nextcloud.nix
@@ -3,59 +3,61 @@ let
 version = "31";
 serverCfg = config.syscfg.server;
 in {
-  sops = true;
+  requires = {
-  db = true;
+    secrets = [ name ];
-  paths = [{
+    databases = [ name ];
    path="${serverCfg.path.config}/nextcloud";
    owner = "33:33";
    mode = "0755";
  }];
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "nextcloud:${version}";
      port = 80;
      secret = name;
      extraEnv = {
        REDIS_HOST = builder.host;
        POSTGRES_HOST = builder.host;
        POSTGRES_USER = "nextcloud_user";
        POSTGRES_DB = "nextcloud_db";
        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
        NEXTCLOUD_TRUSTED_DOMAINS = "${containerCfg.subdomain}.${serverCfg.domain} nextcloud-server";
        SMTP_HOST = serverCfg.mail.server;
        SMTP_NAME = "mail_user";
        SMTP_PASSWORD = "mail_password";
        MAIL_FROM_ADDRESS = "${containerCfg.subdomain}@${serverCfg.domain}";
        MAIL_DOMAIN = serverCfg.mail.domain;
        TRUSTED_PROXIES = "10.10.0.0/16 192.168.0.0/16";
        NEXTCLOUD_DATA_DIR = "/var/www/html/data";
      };
      extraLabels = {
        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
      };
      extraOptions = [
        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
      ];
      overrides = {
        ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
        volumes = [
          "${serverCfg.path.config}/nextcloud:/var/www/html"
          "${serverCfg.path.cloud}:/var/www/html/data"
        ];
      };
    };
  };
-  setup = {
+  runtime = {
-    trigger = "server";
+    paths = [{
-    script = pkgs.writeShellScript "setup" ''
+      path="${serverCfg.path.config}/nextcloud";
      owner = "33:33";
      mode = "0755";
    }];
    containers = {
      server = builder.mkContainer {
        tmpfs = true;
        subdomain = containerCfg.subdomain;
        image = "nextcloud:${version}";
        port = 80;
        secret = name;
        extraEnv = {
          REDIS_HOST = builder.host;
          POSTGRES_HOST = builder.host;
          POSTGRES_USER = "nextcloud_user";
          POSTGRES_DB = "nextcloud_db";
          AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
          NEXTCLOUD_TRUSTED_DOMAINS = "${containerCfg.subdomain}.${serverCfg.domain} nextcloud-server";
          SMTP_HOST = serverCfg.mail.server;
          SMTP_NAME = "mail_user";
          SMTP_PASSWORD = "mail_password";
          MAIL_FROM_ADDRESS = "${containerCfg.subdomain}@${serverCfg.domain}";
          MAIL_DOMAIN = serverCfg.mail.domain;
          TRUSTED_PROXIES = "10.10.0.0/16 192.168.0.0/16";
          NEXTCLOUD_DATA_DIR = "/var/www/html/data";
        };
        extraLabels = {
          "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
          "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
          "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
          "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
          "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
          "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
        };
        overrides = {
          ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
          volumes = [
            "${serverCfg.path.config}/nextcloud:/var/www/html"
            "${serverCfg.path.cloud}:/var/www/html/data"
          ];
        };
      };
    };
    setup = {
      trigger = "server";
      script = pkgs.writeShellScript "setup" ''
      # Define the command wrapper
      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u www-data nextcloud-server php occ"
@@ -189,8 +191,9 @@ in {
      $OCC db:add-missing-indices --no-interaction
      echo "Completed Setup"
-    '';
+      '';
-  };
+    };
-  cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
+    cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
  };
 }
--- a/modules/server/containers/apps/openhab.nix
+++ b/modules/server/containers/apps/openhab.nix
@@ -4,74 +4,74 @@ let
  version = "5.1.4"; 
 in {
-  sops = false;
+  runtime = {
-  db = false;
+    paths = [
-  paths = [
+      { path="${serverCfg.path.config}/openhab/conf";  owner="1000:1000"; mode = "0755"; }
-    { path="${serverCfg.path.config}/openhab/conf";  owner="1000:1000"; mode = "0755"; }
+      { path="${serverCfg.path.config}/openhab/userdata";  owner="1000:1000"; mode = "0755"; }
-    { path="${serverCfg.path.config}/openhab/userdata";  owner="1000:1000"; mode = "0755"; }
+      { path="${serverCfg.path.config}/openhab/addons";  owner="1000:1000"; mode = "0755"; }
-    { path="${serverCfg.path.config}/openhab/addons";  owner="1000:1000"; mode = "0755"; }
+    ];
  ];
-  containers = {
+    containers = {
-    server = builder.mkContainer {
+      server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
+        subdomain = containerCfg.subdomain;
-      image = "openhab/openhab:${version}";
+        image = "openhab/openhab:${version}";
-      port = 8080; 
+        port = 8080; 
-      extraEnv = { 
+        extraEnv = { 
-        USER_ID = "1000";
+          USER_ID = "1000";
-        GROUP_ID = "1000";
+          GROUP_ID = "1000";
-        CRYPTO_POLICY = "unlimited";
+          CRYPTO_POLICY = "unlimited";
-        OPENHAB_HTTP_PORT = "8080";
+          OPENHAB_HTTP_PORT = "8080";
-      };
+        };
-      extraOptions = [
+        extraOptions = [
-        "--network=host"
+          "--network=host"
-        "--cap-add=NET_ADMIN"
+          "--cap-add=NET_ADMIN"
-        "--cap-add=NET_RAW"
+          "--cap-add=NET_RAW"
-        "--no-healthcheck"
+          "--no-healthcheck"
      ];
      overrides = {
        volumes = [ 
          "${serverCfg.path.config}/openhab/conf:/openhab/conf"
          "${serverCfg.path.config}/openhab/userdata:/openhab/userdata"
          "${serverCfg.path.config}/openhab/addons:/opt/openhab/addons"
          "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro"
        ];
-       };
+        overrides = {
          volumes = [ 
            "${serverCfg.path.config}/openhab/conf:/openhab/conf"
            "${serverCfg.path.config}/openhab/userdata:/openhab/userdata"
            "${serverCfg.path.config}/openhab/addons:/opt/openhab/addons"
            "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro"
          ];
         };
      };
    };
    setup = {
      trigger = "server";
      envFile = [ config.sops.secrets."CUSTOM".path ];
      script = pkgs.writeShellScript "setup" ''
        # Pre-generate openHAB directories on the host
        OHAB="${pkgs.podman}/bin/podman --events-backend=none exec openhab-server /openhab/runtime/bin/client -u openhab -p habopen"
        sleep 20
        exit 0
        $OHAB openhab:users add $DEFAULT_ADMIN_USERNAME $DEFAULT_ADMIN_PASSWORD administrator 
        $OHAB feature:list
        $OHAB openhab:addons install persistance-mapdb
        $OHAB openhab:addons install persistance-influxdb
        $OHAB openhab:addons install ui-basic
        $OHAB openhab:addons install automation-jsscripting
        $OHAB openhab:addons install binding-telegram
        $OHAB openhab:addons install binding-matter
        $OHAB openhab:addons install binding-mqtt
        $OHAB openhab:addons install binding-bluetooth
        $OHAB openhab:addons install binding-zigbee
        $OHAB openhab:addons install binding-chromecast
        $OHAB openhab:addons install binding-astro
        $OHAB openhab:addons install binding-meteoblue
        $OHAB openhab:addons install binding-publictransportswitzerland
        #IF APPLE DEVICE: HomeKit (siri/apple bridge)
        #IF UBIQUITY NET: Unifi + UnifiProtect (net/cam bridge)
        #IF YAMAHA+EPSON: EpsonProjector + Yamaha (projector and sound)
        #IF BAMBULAB DEVICE: BambuLab (notify print state)
        #IF GARDENA DEVICE: Gardena (smart watering)
        #Extra: AndroidTV/Jellyfin (Bind with lights + more)
      '';
    };
  };
  setup = {
    trigger = "server";
    envFile = [ config.sops.secrets."CUSTOM".path ];
    script = pkgs.writeShellScript "setup" ''
      # Pre-generate openHAB directories on the host
      OHAB="${pkgs.podman}/bin/podman --events-backend=none exec openhab-server /openhab/runtime/bin/client -u openhab -p habopen"
      sleep 20
      exit 0
      $OHAB openhab:users add $DEFAULT_ADMIN_USERNAME $DEFAULT_ADMIN_PASSWORD administrator 
      $OHAB feature:list
      $OHAB openhab:addons install persistance-mapdb
      $OHAB openhab:addons install persistance-influxdb
      $OHAB openhab:addons install ui-basic
      $OHAB openhab:addons install automation-jsscripting
      $OHAB openhab:addons install binding-telegram
      $OHAB openhab:addons install binding-matter
      $OHAB openhab:addons install binding-mqtt
      $OHAB openhab:addons install binding-bluetooth
      $OHAB openhab:addons install binding-zigbee
      $OHAB openhab:addons install binding-chromecast
      $OHAB openhab:addons install binding-astro
      $OHAB openhab:addons install binding-meteoblue
      $OHAB openhab:addons install binding-publictransportswitzerland
      #IF APPLE DEVICE: HomeKit (siri/apple bridge)
      #IF UBIQUITY NET: Unifi + UnifiProtect (net/cam bridge)
      #IF YAMAHA+EPSON: EpsonProjector + Yamaha (projector and sound)
      #IF BAMBULAB DEVICE: BambuLab (notify print state)
      #IF GARDENA DEVICE: Gardena (smart watering)
      #Extra: AndroidTV/Jellyfin (Bind with lights + more)
    '';
  };
 }
--- a/modules/server/containers/apps/searxng.nix
+++ b/modules/server/containers/apps/searxng.nix
@@ -59,27 +59,29 @@ let
    };
  });
 in {
-   sops = true;
+  requires.secrets = [ name ];
-  containers = {
+  runtime = {
-    server = builder.mkContainer {
+    containers = {
-      subdomain = containerCfg.subdomain;
+      server = builder.mkContainer {
-      image = "searxng/searxng:${version}";
+        subdomain = containerCfg.subdomain;
-      port = 8080;
+        image = "searxng/searxng:${version}";
-      secret = name;
+        port = 8080;
-      extraEnv = { 
+        secret = name;
-        SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
+        extraEnv = { 
-        SEARXNG_PORT = "8080";
+          SEARXNG_BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
-        SEARXNG_BIND_ADDRESS = "[::]";
+          SEARXNG_PORT = "8080";
-        SEARXNG_PUBLIC_INSTANCE = "false";
+          SEARXNG_BIND_ADDRESS = "[::]";
-        SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
+          SEARXNG_PUBLIC_INSTANCE = "false";
-        #SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
+          SEARXNG_SETTINGS_PATH = "/etc/searxng/settings.yml";
          #SEARXNG_VALKEY_URL = "valkey://user:password@${builder.host}:6379/0}";
        };
        overrides = {
          volumes = [ 
              "${settings}:/etc/searxng/settings.yml"
          ];
         };
      };
      overrides = {
        volumes = [ 
            "${settings}:/etc/searxng/settings.yml"
        ];
       };
    };
  };
 }
--- a/modules/server/containers/apps/selfmark.nix
+++ b/modules/server/containers/apps/selfmark.nix
@@ -2,96 +2,89 @@
 let
  version = "latest";
  serverCfg = config.syscfg.server;
  routerName = if containerCfg.subpath != null 
              then "${containerCfg.subdomain}-${lib.strings.sanitizeDerivationName containerCfg.subpath}" 
              else containerCfg.subdomain;
 in {
-  paths = [{
+  runtime = {
-    path = "${serverCfg.path.config}/selfmark/";
+    paths = [{
-    mode = "0444";
+      path = "${serverCfg.path.config}/selfmark/";
-  }];
+      mode = "0444";
    }];
-  containers = {
+    containers = {
-    server = builder.mkContainer {
+      server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
+        authentik = true;
-      subpath = containerCfg.subpath;
+        subdomain = containerCfg.subdomain;
-      image = "ghcr.io/calibrain/shelfmark:${version}";
+        subpath = containerCfg.subpath;
-      port = 8080;
+        image = "ghcr.io/calibrain/shelfmark:${version}";
        port = 8080;
-      extraEnv = {
+        extraEnv = {
-        # HARDCOVER_API_KEY = ""; #FROM SOPS
+          # HARDCOVER_API_KEY = ""; #FROM SOPS
-        # AA_DONATOR_KEY = ""; #FROM SOPS
+          # AA_DONATOR_KEY = ""; #FROM SOPS
-        # PROWLARR_API_KEY = ""; #FROM SOPS
+          # PROWLARR_API_KEY = ""; #FROM SOPS
-        FLASK_PORT = "8080";
+          FLASK_PORT = "8080";
-        PUID = "1000";
+          PUID = "1000";
-        PGID = "1000";
+          PGID = "1000";
-        USING_TOR = "false";
+          USING_TOR = "false";
-        ONBOARDING = "false";
+          ONBOARDING = "false";
-        SUPPORTED_FORMATS = "epub,mobi,azw3,fb2,djvu,cbz,cbr,pdf";
+          SUPPORTED_FORMATS = "epub,mobi,azw3,fb2,djvu,cbz,cbr,pdf";
-        SUPPORTED_AUDIOBOOK_FORMATS = "mp3, m4b";
+          SUPPORTED_AUDIOBOOK_FORMATS = "mp3, m4b";
-        BOOK_LANGUAGE = "en,fr"; # ,de,jp";
+          BOOK_LANGUAGE = "en,fr"; # ,de,jp";
-        SEARCH_MODE = "universal";
+          SEARCH_MODE = "universal";
-        AA_DEFAULT_SORT = "relevance";
+          AA_DEFAULT_SORT = "relevance";
-        METADATA_PROVIDER = "openlibrary";
+          METADATA_PROVIDER = "openlibrary";
-        INGEST_DIR = "/books";
+          INGEST_DIR = "/books";
-        BOOKS_OUTPUT_MODE = "/output";
+          BOOKS_OUTPUT_MODE = "/output";
-        FILE_ORGANIZATION = "organize";
+          FILE_ORGANIZATION = "organize";
-        TEMPLATE_RENAME = "{Author} - {Title} ({Year})";
+          TEMPLATE_RENAME = "{Author} - {Title} ({Year})";
-        TEMPLATE_ORGANIZE = "{Author}/{Title} ({Year})";
+          TEMPLATE_ORGANIZE = "{Author}/{Title} ({Year})";
-        HARDLINK_TORRENTS = "false";
+          HARDLINK_TORRENTS = "false";
-        FILE_ORGANIZATION_AUDIOBOOK = "organize";
+          FILE_ORGANIZATION_AUDIOBOOK = "organize";
-        TEMPLATE_RENAME_AUDIOBOOK = "{Author} - {Title}";
+          TEMPLATE_RENAME_AUDIOBOOK = "{Author} - {Title}";
-        TEMPLATE_ORGANIZE_AUDIOBOOK = "{Author}/{Title} ({Year})";
+          TEMPLATE_ORGANIZE_AUDIOBOOK = "{Author}/{Title} ({Year})";
-        HARDCOVER_ENABLED = "true";
+          HARDCOVER_ENABLED = "true";
-        HARDCOVER_DEFAULT_SORT = "relevance";
+          HARDCOVER_DEFAULT_SORT = "relevance";
-        OPENLIBRARY_ENABLED = "true";
+          OPENLIBRARY_ENABLED = "true";
-        OPENLIBRARY_DEFAULT_SORT = "relevance";
+          OPENLIBRARY_DEFAULT_SORT = "relevance";
-        DIRECT_DOWNLOAD_ENABLED = "true";
+          DIRECT_DOWNLOAD_ENABLED = "true";
-        USE_CF_BYPASS = "true";
+          USE_CF_BYPASS = "true";
-        AA_BASE_URL = "auto";
+          AA_BASE_URL = "auto";
-        AA_MIRROR_URLS = "https://annas-archive.gl,https://annas-archive.pk,https://annas-archive.gd,";
+          AA_MIRROR_URLS = "https://annas-archive.gl,https://annas-archive.pk,https://annas-archive.gd,";
-        LIBGEN_MIRROR_URLS = "https://libgen.li,https://libgen.vg,https://libgen.la,https://libgen.bz,https://libgen.gl";
+          LIBGEN_MIRROR_URLS = "https://libgen.li,https://libgen.vg,https://libgen.la,https://libgen.bz,https://libgen.gl";
-        ZLIB_MIRROR_URLS = "https://z-lib.sk,https://z-library.gs,https://z-lib.fm,https://z-lib.gd,https://z-lib.gl";
+          ZLIB_MIRROR_URLS = "https://z-lib.sk,https://z-library.gs,https://z-lib.fm,https://z-lib.gd,https://z-lib.gl";
-        # WELIB_MIRROR_URLS = "https://welib.org"; #avoid
+          # WELIB_MIRROR_URLS = "https://welib.org"; #avoid
-      } // lib.optionalAttrs(containerCfg.subpath != null) {
+        } // lib.optionalAttrs(containerCfg.subpath != null) {
-        BASE_PATH = "/${containerCfg.subpath}";
+          BASE_PATH = "/${containerCfg.subpath}";
-        URL_BASE = "/${containerCfg.subpath}";
+          URL_BASE = "/${containerCfg.subpath}";
-      } // lib.optionalAttrs(serverCfg.containers?calibre) {
+        } // lib.optionalAttrs(serverCfg.containers?calibre) {
-        CALIBRE_WEB_URL = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}";
+          CALIBRE_WEB_URL = "https://${serverCfg.containers.calibre.subdomain}.${serverCfg.domain}";
-      } // lib.optionalAttrs(serverCfg.containers?authentik) {
+        } // lib.optionalAttrs(serverCfg.containers?authentik) {
-        AUTH_METHOD = "proxy";
+          AUTH_METHOD = "proxy";
-        PROXY_AUTH_USER_HEADER = "X-authentik-username";
+          PROXY_AUTH_USER_HEADER = "X-authentik-username";
-        PROXY_AUTH_ADMIN_GROUP_HEADER = "X-authentik-groups";
+          PROXY_AUTH_ADMIN_GROUP_HEADER = "X-authentik-groups";
-        PROXY_AUTH_ADMIN_GROUP_NAME = "admin";
+          PROXY_AUTH_ADMIN_GROUP_NAME = "admin";
-      } // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "prowlarr" serverCfg.containers.servarr.extra.modules) ({
+        } // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "prowlarr" serverCfg.containers.servarr.extra.modules) ({
-        PROWLARR_ENABLED = "true";
+          PROWLARR_ENABLED = "true";
-        PROWLARR_URL = "http://servarr-prowlarr:8989";
+          PROWLARR_URL = "http://servarr-prowlarr:8989";
-      } // lib.optionalAttrs(serverCfg.containers?transmission) {
+        } // lib.optionalAttrs(serverCfg.containers?transmission) {
-        PROWLARR_TORRENT_CLIENT = "transmission";
+          PROWLARR_TORRENT_CLIENT = "transmission";
-        TRANSMISSION_URL = "http://transmission-server:9091";
+          TRANSMISSION_URL = "http://transmission-server:9091";
-      }) // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "flaresolverr" serverCfg.containers.servarr.extra.modules) {
+        }) // lib.optionalAttrs(serverCfg.containers?servarr && builtins.elem "flaresolverr" serverCfg.containers.servarr.extra.modules) {
-        USING_EXTERNAL_BYPASSER = "true";
+          USING_EXTERNAL_BYPASSER = "true";
-        EXT_BYPASSER_URL = "http://servarr-flaresolverr:8191";
+          EXT_BYPASSER_URL = "http://servarr-flaresolverr:8191";
-        EXT_BYPASSER_PATH = "/v1";
+          EXT_BYPASSER_PATH = "/v1";
-        EXT_BYPASSER_TIMEOUT = "60000";
+          EXT_BYPASSER_TIMEOUT = "60000";
        };
        overrides = {
          volumes = [
            "${serverCfg.path.dlComplete}:/books:rw"
            "${serverCfg.path.books}:/output:rw"
            "${serverCfg.path.config}/selfmark:/config:rw"
           ];
         };
      };
      extraLabels = { 
      } // (if serverCfg.containers ? authentik then {
        "traefik.http.routers.${routerName}.middlewares" = "authentik";
      } else {});
      overrides = {
        volumes = [
          "${serverCfg.path.dlComplete}:/books:rw"
          "${serverCfg.path.books}:/output:rw"
          "${serverCfg.path.config}/selfmark:/config:rw"
         ];
       };
    };
  };
 }
--- a/modules/server/containers/apps/servarr.nix
+++ b/modules/server/containers/apps/servarr.nix
@@ -30,9 +30,10 @@ let
 in 
  assert containerCfg.subpath == null || throw "Error: Servarr does not support subpath.";
 {
-  sops = true;
+  requires.secrets = [ name ];
  # db = [ "prowlarr" "sonarr" "radarr" ]; -> one db for each
  runtime = {
  paths = [
    { path = "${serverCfg.dataPath}/media/";             mode = "0755"; }
    { path = "${serverCfg.configPath}/servarr/prowlarr"; mode = "0755"; }
@@ -44,6 +45,8 @@ in
  containers = {
  }// lib.optionalAttrs (builtins.elem "prowlarr" (containerCfg.extra.modules or defaultModules)) {
    prowlarr = builder.mkContainer {
      authentik = true;
      tmpfs = true;
      subdomain = containerCfg.subdomain;
      subpath = "prowlarr";
      imageStream = images.prowlarr;
@@ -58,17 +61,15 @@ in
      };
      extraOptions = [
        "--user=0:0"
        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
        "--passwd-entry=root:x:0:0:root:/root:/bin/sh"
      ];
      extraLabels = { } // (if serverCfg.containers ? authentik then {
        "traefik.http.routers.${containerCfg.subdomain}-prowlarr.middlewares" = "authentik";
      } else {});
      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/prowlarr:/config" ];
    };
  }// lib.optionalAttrs (builtins.elem "radarr" (containerCfg.extra.modules or defaultModules)) {
    radarr = builder.mkContainer {
      authentik = true;
      tmpfs = true;
      subdomain = containerCfg.subdomain;
      subpath = "radarr";
      imageStream = images.radarr;
@@ -83,17 +84,15 @@ in
      };
      extraOptions = [
        "--user=0:0"
        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
        "--passwd-entry=root:x:0:0:root:/root:/bin/sh"
      ];
      extraLabels = { } // (if serverCfg.containers ? authentik then {
        "traefik.http.routers.${containerCfg.subdomain}-radarr.middlewares" = "authentik";
      } else {});
      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/radarr:/config" ];
    };
  }// lib.optionalAttrs (builtins.elem "sonarr" (containerCfg.extra.modules or defaultModules)) {
    sonarr = builder.mkContainer {
      authentik = true;
      tmpfs = true;
      subdomain = containerCfg.subdomain;
      subpath = "sonarr";
      imageStream = images.sonarr;
@@ -108,17 +107,15 @@ in
      };
      extraOptions = [
        "--user=0:0"
        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
        "--passwd-entry=root:x:0:0:root:/root:/bin/sh"
      ];
      extraLabels = { } // (if serverCfg.containers ? authentik then {
        "traefik.http.routers.${containerCfg.subdomain}-sonarr.middlewares" = "authentik";
      } else {});
      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/sonarr:/config" ];
    };
  }// lib.optionalAttrs (builtins.elem "lidarr" (containerCfg.extra.modules or defaultModules)) {
    lidarr = builder.mkContainer {
      authentik = true;
      tmpfs = true;
      subdomain = containerCfg.subdomain;
      subpath = "lidarr";
      imageStream = images.lidarr;
@@ -133,12 +130,8 @@ in
      };
      extraOptions = [
        "--user=0:0"
        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
        "--passwd-entry=root:x:0:0:root:/root:/bin/sh"
      ];
      extraLabels = { } // (if serverCfg.containers ? authentik then {
        "traefik.http.routers.${containerCfg.subdomain}-lidarr.middlewares" = "authentik";
      } else {});
      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/lidarr:/config" ];
    };
@@ -526,4 +519,5 @@ in
    '';
  };
  };
 }
--- a/modules/server/containers/apps/suwayomi.nix
+++ b/modules/server/containers/apps/suwayomi.nix
@@ -3,48 +3,51 @@ let
  version = "stable"; 
  serverCfg = config.syscfg.server;
 in {
-  sops = true;
+  requires = {
-  db =true;
+    secrets = [ name ];
-  containers = {
+    databases = [ name ];
  };
-    server = builder.mkContainer {
+  runtime = {
-      subdomain = containerCfg.subdomain;
+    containers = {
-      image = "ghcr.io/suwayomi/suwayomi-server:${version}";
+      server = builder.mkContainer {
-      port = 4567;
+        subdomain = containerCfg.subdomain;
-      secret = name;
+        image = "ghcr.io/suwayomi/suwayomi-server:${version}";
        port = 4567;
        secret = name;
-      extraEnv = {
+        extraEnv = {
-        BIND_PORT = "4567";
+          BIND_PORT = "4567";
-        AUTH_MODE = "ui_login";
+          AUTH_MODE = "ui_login";
-        WEB_UI_ENABLED = "true";
+          WEB_UI_ENABLED = "true";
-        WEB_UI_FLAVOR = "WebUI";
+          WEB_UI_FLAVOR = "WebUI";
-        # AUTO_DOWNLOAD_CHAPTERS = true;
+          # AUTO_DOWNLOAD_CHAPTERS = true;
-        # AUTO_DOWNLOAD_EXCLUDE_UNREAD = true;
+          # AUTO_DOWNLOAD_EXCLUDE_UNREAD = true;
-        # AUTO_DOWNLOAD_NEW_CHAPTERS_LIMIT = 0;
+          # AUTO_DOWNLOAD_NEW_CHAPTERS_LIMIT = 0;
-        # AUTO_DOWNLOAD_IGNORE_REUPLOADS = false;
+          # AUTO_DOWNLOAD_IGNORE_REUPLOADS = false;
-        # DOWNLOAD_CONVERSIONS = {};
+          # DOWNLOAD_CONVERSIONS = {};
-        # SERVE_CONVERSIONS = {};
+          # SERVE_CONVERSIONS = {};
-        # MAX_SOURCES_IN_PARALLEL = 6;
+          # MAX_SOURCES_IN_PARALLEL = 6;
-        # UPDATE_EXCLUDE_UNREAD = true;
+          # UPDATE_EXCLUDE_UNREAD = true;
-        # UPDATE_EXCLUDE_STARTED = true;
+          # UPDATE_EXCLUDE_STARTED = true;
-        # UPDATE_EXCLUDE_COMPLETED = true;
+          # UPDATE_EXCLUDE_COMPLETED = true;
-        # UPDATE_INTERVAL = 12; #Hours
+          # UPDATE_INTERVAL = 12; #Hours
-        # UPDATE_MANGA_INFO = false;
+          # UPDATE_MANGA_INFO = false;
-        DATABASE_TYPE = "POSTGRESQL";
+          DATABASE_TYPE = "POSTGRESQL";
-        DATABASE_URL = "postgresql://${builder.host}/suwayomi_db";
+          DATABASE_URL = "postgresql://${builder.host}/suwayomi_db";
-        DATABASE_USERNAME = "suwayomi_user";
+          DATABASE_USERNAME = "suwayomi_user";
-        FLARESOLVERR_ENABLED = lib.boolToString (builtins.elem "flaresolverr" (((config.syscfg.server.containers.servarr or {}).extra or {}).modules or []));
+          FLARESOLVERR_ENABLED = lib.boolToString (builtins.elem "flaresolverr" (((config.syscfg.server.containers.servarr or {}).extra or {}).modules or []));
-        FLARESOLVERR_URL = "http://servarr-flaresolverr:8191";
+          FLARESOLVERR_URL = "http://servarr-flaresolverr:8191";
-        EXTENSION_REPOS = "[\"https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json\"]"; #https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json
+          EXTENSION_REPOS = "[\"https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json\"]"; #https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json
-      };
+        };
-      overrides = {
+        overrides = {
-        volumes = [
+          volumes = [
-          "${serverCfg.path.manga}:/home/suwayomi/.local/share/Tachidesk/downloads"
+            "${serverCfg.path.manga}:/home/suwayomi/.local/share/Tachidesk/downloads"
-          # "${serverCfg.path.config}/suwayomi:/home/suwayomi/.local/share/Tachidesk"
+            # "${serverCfg.path.config}/suwayomi:/home/suwayomi/.local/share/Tachidesk"
-        ];
+          ];
        };
      };
    };
  };
 }
--- a/modules/server/containers/apps/traefik.nix
+++ b/modules/server/containers/apps/traefik.nix
@@ -11,77 +11,79 @@ let
    };
  };
 in {
-  sops = true;
+  requires.secrets = [ name ];
  paths = [{
    path="${serverCfg.path.config}/traefik";
    owner = "1000:1000";
    mode = "0755";
  }];
-  containers = {
+  runtime = {
-    server = builder.mkContainer {
+    paths = [{
-      imageStream = image;
+      path="${serverCfg.path.config}/traefik";
-      subdomain = containerCfg.subdomain;
+      owner = "1000:1000";
-      port = 8080;
+      mode = "0755";
-      secret = name;
+    }];
      extraLabels = {
        "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
        "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
-        "traefik.http.routers.${containerCfg.subdomain}.middlewares" =  if serverCfg.containers?authentik then "authentik" else "";
+    containers = {
-      } // (if serverCfg.containers?authentik then {
+      server = builder.mkContainer {
-        "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
+        imageStream = image;
-        "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
+        subdomain = containerCfg.subdomain;
-        "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
+        port = 8080;
-        "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
+        secret = name;
-      } else {}) // (if serverCfg.containers?umami then {
+        extraLabels = {
-        "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
+          "traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
-        "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
+          "traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
-        "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
+                  
-        "traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
+          "traefik.http.routers.${containerCfg.subdomain}.middlewares" =  if serverCfg.containers?authentik then "authentik" else "";
-      } else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then {
+        } // (if serverCfg.containers?authentik then {
-        "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
+          "traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
-        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}";
+          "traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
-        "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}";
+          "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
-      } else {});
+          "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
-      extraEnv = { };
+        } else {}) // (if serverCfg.containers?umami then {
-      overrides = {
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiHost" = "http://umami-server:3000";
-        cmd = [ 
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiUsername" = "admin";
-          "--api"
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.umamiPassword" = "umami";
-          "--log.level=INFO"
+          "traefik.http.middlewares.umami-global.plugin.umami-feeder.createNewWebsites" = "true";
-          "--providers.docker=true"
+        } else {}) // (if containerCfg.extra ? provider || serverCfg.domain != "localhost" then {
-          "--global.checknewversion=false"
+          "traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
-          "--global.sendanonymoususage=false"
+          "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.domain}";
-          "--api.insecure=true"
+          "traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.domain}";
-          "--api.dashboard=true"
+        } else {});
-          "--providers.docker.exposedByDefault=false"
+        extraEnv = { };
-          "--entrypoints.web.address=:80"
+        overrides = {
-          "--entrypoints.web-secure.address=:443"
+          cmd = [ 
-          "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
+            "--api"
-          "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+            "--log.level=INFO"
-          "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
+            "--providers.docker=true"
-          "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
+            "--global.checknewversion=false"
-        ] ++ (if serverCfg.containers ? umami  then [
+            "--global.sendanonymoususage=false"
-          "--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
+            "--api.insecure=true"
-          "--experimental.plugins.umami-feeder.version=v1.4.1"
+            "--api.dashboard=true"
-          "--entrypoints.web-secure.http.middlewares=umami-global@docker"
+            "--providers.docker.exposedByDefault=false"
-        ] else []) ++ (if containerCfg.extra ? provider then [
+            "--entrypoints.web.address=:80"
-          "--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}"
+            "--entrypoints.web-secure.address=:443"
-          "--certificatesresolvers.default.acme.dnschallenge=true"
+            "--entrypoints.web.http.redirections.entrypoint.to=web-secure"
-          "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
+            "--entrypoints.web.http.redirections.entrypoint.scheme=https"
-          "--certificatesresolvers.default.acme.storage=/custom/acme.json"
+            "--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
-        ] else []) ++ (if serverCfg.domain != "localhost" then [
+            "--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
-          "--certificatesresolvers.default.acme.httpchallenge=false"
+          ] ++ (if serverCfg.containers ? umami  then [
-          "--certificatesresolvers.default.acme.tlschallenge=true"
+            "--experimental.plugins.umami-feeder.moduleName=github.com/astappiev/traefik-umami-feeder"
-        ] else []);
+            "--experimental.plugins.umami-feeder.version=v1.4.1"
-        ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
+            "--entrypoints.web-secure.http.middlewares=umami-global@docker"
-        volumes = [
+          ] else []) ++ (if containerCfg.extra ? provider then [
-          "/var/run/podman/podman.sock:/var/run/docker.sock"
+            "--certificatesresolvers.default.acme.email=acme@${serverCfg.domain}"
-          # "${serverCfg.path.config}/traefik/access.log:/etc/traefik/access.log"
+            "--certificatesresolvers.default.acme.dnschallenge=true"
-          "${serverCfg.path.config}/traefik:/custom"
+            "--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
-        ];
+            "--certificatesresolvers.default.acme.storage=/custom/acme.json"
          ] else []) ++ (if serverCfg.domain != "localhost" then [
            "--certificatesresolvers.default.acme.httpchallenge=false"
            "--certificatesresolvers.default.acme.tlschallenge=true"
          ] else []);
          ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
          volumes = [
            "/var/run/podman/podman.sock:/var/run/docker.sock"
            # "${serverCfg.path.config}/traefik/access.log:/etc/traefik/access.log"
            "${serverCfg.path.config}/traefik:/custom"
          ];
        };
      };
    };
  };
 }
--- a/modules/server/containers/apps/transmission.nix
+++ b/modules/server/containers/apps/transmission.nix
@@ -13,52 +13,47 @@ let
        };
    };
  };
  routerName = if containerCfg.subpath != null 
              then "${containerCfg.subdomain}-${lib.strings.sanitizeDerivationName containerCfg.subpath}" 
              else containerCfg.subdomain;
 in {
-  paths = [{
+  runtime = {
-      path = "${serverCfg.path.config}/transmission";
+    paths = [{
-      owner = "1000:1000";
+        path = "${serverCfg.path.config}/transmission";
-      mode = "0755";
+        owner = "1000:1000";
-    }];
+        mode = "0755";
      }];
-  containers = {
+    containers = {
-    server = builder.mkContainer {
+      server = builder.mkContainer {
-      subdomain = containerCfg.subdomain;
+        authentik = true;
-      subpath = containerCfg.subpath;
+        subdomain = containerCfg.subdomain;
-      imageStream = image;
+        subpath = containerCfg.subpath;
-      port = 9091;
+        imageStream = image;
        port = 9091;
-      extraEnv = {
+        extraEnv = {
-        PUID = "1000";
+          PUID = "1000";
-        PGID = "1000";
+          PGID = "1000";
-        WHITELIST = "";# 127.0.0.1,::1,10.*";
+          WHITELIST = "";# 127.0.0.1,::1,10.*";
-        # HOST_WHITELIST = "traefik-server,authentik-server,authentik-worker";
+          # HOST_WHITELIST = "traefik-server,authentik-server,authentik-worker";
-      };
+        };
      extraLabels = { 
      } // (if serverCfg.containers ? authentik then {
        "traefik.http.routers.${routerName}.middlewares" = "authentik";
      } else {});
-      overrides = {
+        overrides = {
-        volumes = [
+          volumes = [
-          "${serverCfg.path.dlComplete}:/downloads/complete"
+            "${serverCfg.path.dlComplete}:/downloads/complete"
-          "${serverCfg.path.dlIncomplete}:/downloads/incomplete"
+            "${serverCfg.path.dlIncomplete}:/downloads/incomplete"
-          "${serverCfg.path.config}/transmission:/config"
+            "${serverCfg.path.config}/transmission:/config"
-        ];
+          ];
        };
      };
    };
    setup = {
      trigger = "server";
      envFile = [ config.sops.secrets."CUSTOM".path ];
      script = pkgs.writeShellScript "setup" ''
        ${pkgs.gettext}/bin/envsubst < "${../data/transmission/settings.json}" > "${serverCfg.path.config}/transmission/config/settings.json"
      '';
    };
  };
  setup = {
    trigger = "server";
    envFile = [ config.sops.secrets."CUSTOM".path ];
    script = pkgs.writeShellScript "setup" ''
      ${pkgs.gettext}/bin/envsubst < "${../data/transmission/settings.json}" > "${serverCfg.path.config}/transmission/config/settings.json"
    '';
  };
 }
--- a/modules/server/containers/apps/umami.nix
+++ b/modules/server/containers/apps/umami.nix
@@ -15,40 +15,40 @@ let
    };
  };
 in {
-  sops = true;
+  requires = {
-  db = true;
+    secrets = [ name ];
-  paths = [{
+    databases = [ name ];
    path = "${serverCfg.path.config}/umami/";
    mode = "0444";
  }];
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "${pkgs.umami.name}:${pkgs.umami.version}"; 
      imageStream = image;
      port = 3000;
      secret = name;
      extraEnv = {
        PORT = "3000";
        # HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
        DATABASE_TYPE = "postgresql";
        REDIS_URL = "redis://${builder.host}";
        CLIENT_IP_HEADER = "X-Forwarded-For";
        BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
        # DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
      };
      extraLabels = { } // ( if serverCfg.containers?authentik then {
        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
      } else {});
      extraOptions = [
        "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
      ];
      overrides = {
        cmd = [ "start" ]; # Specific command for the umami binary
       };
    };
  };
  runtime = {
    paths = [{
      path = "${serverCfg.path.config}/umami/";
      mode = "0444";
    }];
    containers = {
      server = builder.mkContainer {
        authentik = true;
        tmpfs = true;
        subdomain = containerCfg.subdomain;
        image = "${pkgs.umami.name}:${pkgs.umami.version}"; 
        imageStream = image;
        port = 3000;
        secret = name;
        extraEnv = {
          PORT = "3000";
          # HOSTNAME = "${containerCfg.subdomain}.${serverCfg.domain}";
          DATABASE_TYPE = "postgresql";
          REDIS_URL = "redis://${builder.host}";
          CLIENT_IP_HEADER = "X-Forwarded-For";
          BASE_PATH = lib.optionalString (containerCfg.subpath or null != null) "/${containerCfg.subpath}";
          # DISABLE_LOGIN = "1";#(if serverCfg.containers?authentik then "1" else "0");
        };
        overrides = {
          cmd = [ "start" ]; # Specific command for the umami binary
         };
      };
    };
  };
 }
--- a/modules/server/containers/builder.nix
+++ b/modules/server/containers/builder.nix
@@ -1,16 +1,32 @@
 { config, lib, pkgs, serverCfg }:
 let 
  mkRouterName = { subdomain, subpath ? null }:
    if subpath != null
    then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
    else subdomain;
  getOr = attrs: path: default: lib.attrByPath path default attrs;
  mkTmpfsOption = size: "--tmpfs=/tmp:rw,noexec,nosuid,size=${size}";
  mkAuthentikLabels =
    { subdomain
    , subpath ? null
    , routerName ? mkRouterName { inherit subdomain subpath; }
    , middleware ? "authentik"
    }:
    lib.optionalAttrs (serverCfg.containers ? authentik) {
      "traefik.http.routers.${routerName}.middlewares" = middleware;
    };
  contBuilder =
    { image ? null, imageStream ? null, imageFile ? null
    , secret ? null
    , subdomain ? null, subpath?null, port ? null
    , authentik ? false
    , tmpfs ? false
    , tmpfsSize ? "512m"
    , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
    , overrides ? { }
    }:
    let 
-      routerName = if subpath != null 
+      routerName = mkRouterName { inherit subdomain subpath; };
                  then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}" 
                  else subdomain;
      base = {
      image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}" 
              else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}" else image;
@@ -33,11 +49,15 @@ let
        "traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
      }) else {
        "traefik.enable" = "false";
-      }) // extraLabels;
+      })
      // lib.optionalAttrs authentik (mkAuthentikLabels { inherit subdomain subpath routerName; })
      // extraLabels;
      extraOptions = [
        "--add-host=host.containers.internal:host-gateway"
-      ] ++ extraOptions;
+      ]
      ++ lib.optional tmpfs (mkTmpfsOption tmpfsSize)
      ++ extraOptions;
    };
    in lib.recursiveUpdate base overrides;
  vmBuilder = { name, vm }: ((import "${pkgs.path}/nixos/lib/eval-config.nix" {
@@ -70,54 +90,27 @@ in {
  mkContainer = contBuilder;
  mkVm = vmBuilder;
  mkApp = name: app:
-    let
+    {
      # Keep legacy app modules working while storing a stricter internal contract.
      legacySetup =
        if app ? setup then app.setup else null;
    in {
      inherit name;
      requires = {
-        secrets =
+        secrets = getOr app [ "requires" "secrets" ] [ ];
-          if app ? requires && app.requires ? secrets then app.requires.secrets
+        databases = getOr app [ "requires" "databases" ] [ ];
          else if app ? sops && app.sops then [ name ]
          else [ ];
        databases =
          if app ? requires && app.requires ? databases then app.requires.databases
          else if app ? db && app.db then [ name ]
          else [ ];
      };
      exports = {
        authentik = {
-          blueprints =
+          blueprints = getOr app [ "exports" "authentik" "blueprints" ] [ ];
            if app ? exports && app.exports ? authentik && app.exports.authentik ? blueprints
            then app.exports.authentik.blueprints
            else [ ];
        };
      };
      runtime = {
-        paths =
+        paths = getOr app [ "runtime" "paths" ] [ ];
-          if app ? runtime && app.runtime ? paths then app.runtime.paths
+        containers = getOr app [ "runtime" "containers" ] { };
-          else if app ? paths then app.paths
+        vm = getOr app [ "runtime" "vm" ] null;
-          else [ ];
+        cron = getOr app [ "runtime" "cron" ] [ ];
-        containers =
+        setup = {
-          if app ? runtime && app.runtime ? containers then app.runtime.containers
+          trigger = "";
-          else if app ? containers then app.containers
+          script = null;
-          else { };
+          envFile = [ ];
-        vm =
+        } // getOr app [ "runtime" "setup" ] { };
          if app ? runtime && app.runtime ? vm then app.runtime.vm
          else if app ? vm then app.vm
          else null;
        cron =
          if app ? runtime && app.runtime ? cron then app.runtime.cron
          else if app ? cron then app.cron
          else [ ];
        setup =
          if app ? runtime && app.runtime ? setup then app.runtime.setup
          else ({
            trigger = "";
            script = null;
            envFile = [ ];
          } // (if legacySetup != null then legacySetup else { }));
      };
    };
  mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -2,51 +2,48 @@
 let
  serverCfg = config.syscfg.server;
  builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
-
+  loadApp = name: containerCfg:
-in{
+    builder.mkApp name ((import (./apps + "/${name}.nix")) {
-  config = lib.mkMerge [{
+      inherit config pkgs lib containerCfg builder name;
-    syscfg.server.loadedContainers = lib.mapAttrs (name: containerCfg:
+    });
-      builder.mkApp name ((import (./apps + "/${name}.nix")) { inherit config pkgs lib containerCfg builder name; })
+  loadedContainers = lib.mapAttrs loadApp serverCfg.containers;
-    ) config.syscfg.server.containers;
+  appsList = builtins.attrValues loadedContainers;
-  } (lib.mkIf ( serverCfg.containers != {} ) (
+  concatRuntimeLists = field: lib.concatMap (app: app.runtime.${field}) appsList;
  mkNamedUnits = mkUnit: items: lib.listToAttrs (map mkUnit items);
  mergedContainers = lib.concatMapAttrs (appName: app:
    lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.runtime.containers
  ) loadedContainers;
  allPathConfigs = map (path: {
    inherit path;
    mode = "0755";
  }) (lib.unique (builtins.attrValues serverCfg.path)) ++ concatRuntimeLists "paths";
  allSetupConfigs = map (app: ({ name = app.name; envFile = ""; } // app.runtime.setup)) appsList;
  allCronsConfigs = concatRuntimeLists "cron";
  allVMConfigs = builtins.filter (app: app.runtime.vm != null) appsList;
  mkPathSetup = cfg:
    let
-      appsList = builtins.attrValues config.syscfg.server.loadedContainers;
+      effectiveCfg = {
-      mergedContainers = lib.concatMapAttrs (appName: app:
+        owner = "root:root";
-        lib.mapAttrs' (cName: cCfg: lib.nameValuePair "${appName}-${cName}" cCfg) app.runtime.containers
+        mode = "0400";
-      ) config.syscfg.server.loadedContainers;
+        dirs = [];
-      serverPathConfigs = map (path: {
+      } // cfg;
-        inherit path;
+    in ''
-        mode = "0755";
+      ${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
-      }) (lib.unique (builtins.attrValues serverCfg.path));
+      ${lib.concatMapStringsSep "\n" (dir: "${pkgs.coreutils}/bin/mkdir -p ${effectiveCfg.path}/${lib.escapeShellArg dir}") effectiveCfg.dirs}
-      allPathConfigs = serverPathConfigs ++ lib.concatMap (app: app.runtime.paths) appsList;
+      ${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
-      allSetupConfigs = lib.concatMap (app:
+      ${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
-        if app.runtime.setup ? script
+    '';
-        then [ ({ name = app.name; envFile = ""; } // app.runtime.setup) ]
+in {
-        else [ ]
+  config = lib.mkMerge [{
-      ) appsList;
+    syscfg.server.loadedContainers = loadedContainers;
-      allCronsConfigs = lib.concatMap (app: app.runtime.cron) appsList;
+  } (lib.mkIf (loadedContainers != {}) {
      allVMConfigs = builtins.filter (app: app.runtime.vm != null) appsList;
    in{
      virtualisation.oci-containers = {
        backend = "podman";
        containers = mergedContainers;
      };
      system.activationScripts.container-setup-dirs = {
        deps = [ "users" "groups" ];
-        text = lib.concatStringsSep "\n" (map (cfg:
+        text = lib.concatStringsSep "\n" (map mkPathSetup allPathConfigs);
        let
          effectiveCfg = {
            owner = "root:root";
            mode = "0400";
            dirs = [];
          } // cfg;
        in ''
          ${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
          ${lib.concatMapStringsSep "\n" (dir: "${pkgs.coreutils}/bin/mkdir -p ${effectiveCfg.path}/${lib.escapeShellArg dir}") effectiveCfg.dirs}
          ${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
          ${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
        '') allPathConfigs);
      };
      systemd.services = {
@@ -60,7 +57,7 @@ in{
          startAt = "weekly";
        };
      } 
-      // lib.listToAttrs (lib.concatMap (e: [{
+      // mkNamedUnits (e: {
        name = "${e.name}-vm";
        value = {
          description = "Isolated NixOS Guest VM for ${e.name}";
@@ -81,8 +78,8 @@ in{
            '';
          };
        };
-      }]) allVMConfigs)      
+      }) allVMConfigs
-       // lib.listToAttrs (lib.concatMap (e: [{
+       // mkNamedUnits (e: {
        name = "${e.name}-setup";
        value = {
          description = "Run ${e.name} setup";
@@ -98,13 +95,11 @@ in{
            User = "root";
          };
        };
-      }]) allSetupConfigs );
+      }) allSetupConfigs;
      services.cron = {
        enable = true;
        systemCronJobs = allCronsConfigs;
      };
-
+  })];
  }))];
 }