Improvements to server

modules/home/cli/git/default.nix

@@ -1,9 +1,9 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
 
   programs.git = {
     enable = true;
-    signing = {
+    signing = lib.mkIf (config.usercfg.git.key != null) {
-      key = "${config.usercfg.git.key}";
+      key = config.usercfg.git.key;
       signByDefault = true;
     };
     ignores = [ "*result*" ".direnv" "node_modules" ];

modules/server/containers/default.nix

@@ -8,6 +8,7 @@ let
     }
   ) enabledConfigs;
   mergedContainers = lib.attrsets.mergeAttrsList  (lib.map(e: e.containers) containerSetsList);
+  allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
 in
 {
   config = lib.mkIf ( enabledConfigs != {} ) {
@@ -17,5 +18,23 @@ in
       containers = mergedContainers;
     };
 
+    systemd.services.podman-gc = {
+      description = "Podman garbage collection";
+      serviceConfig.Type = "oneshot";
+      script = ''
+        ${pkgs.podman}/bin/podman container prune -f
+        ${pkgs.podman}/bin/podman image prune -f
+      '';
+      startAt = "weekly";
+    };
+    
+    system.activationScripts.container-setup-dirs = {
+      deps = [ "users" "groups" ];
+      text = lib.concatStringsSep "\n" (map (cfg: ''
+        mkdir -p "${cfg.path}"
+        chown ${cfg.owner} "${cfg.path}"
+        chmod ${cfg.mode} "${cfg.path}"
+      '') allPathConfigs);
+    };
   };
 }

modules/server/containers/defs/authentik.nix

@@ -1,10 +1,17 @@
 { config, containerCfg, pkgs, lib, ... }:
-let serverCfg = config.syscfg.server;
+let 
+serverCfg = config.syscfg.server;
 in {
-  systemd.tmfiles.rules = [
+  paths = [{
-    "d ${serverCfg.dataPath}/authentik/media 0755 root root -"
+    path="${serverCfg.dataPath}/authentik/media";
-    "d ${serverCfg.dataPath}/authentik/template 0755 root root -"
+    owner = "1000:1000";
-  ];
+    mode = "0755";
+  }{
+    path="${serverCfg.dataPath}/authentik/templates";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+
   containers = {
 
     auth_server = {
@@ -18,7 +25,8 @@ in {
         config.sops.secrets."AUTHENTIK".path
       ];
       environment = {
-        "AUTHENTIK_POSTGRESQL__HOST" = "10.88.0.1";
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
         "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
         "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
         "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
@@ -38,6 +46,9 @@ in {
       };
       cmd = [ "server" ];
       extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+        "--replace"
+        "--rm"
         "--ip=${containerCfg.ip}"
       ];
       ports = [
@@ -57,11 +68,15 @@ in {
         config.sops.secrets."AUTHENTIK".path
       ];
       environment = {
-        "AUTHENTIK_POSTGRESQL__HOST" = "10.88.0.1";
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
         "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
         "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
       };
       extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+        "--replace"
+        "--rm"
       ];
       cmd = [ "worker" ];
     };

modules/server/database/default.nix

@@ -17,14 +17,14 @@ in {
       settings = {
         listen_addresses = lib.mkForce "*"; 
       };
-      # authentication = pkgs.lib.mkOverride 10 ''
+      authentication = pkgs.lib.mkOverride 10 ''
-      #   # TYPE  DATABASE        USER            ADDRESS                 METHOD
+         # TYPE  DATABASE        USER            ADDRESS                 METHOD
-      #   local   all             all                                     trust
+         local   all             all                                     trust
-      #   host    all             all             127.0.0.1/32            trust
+         host    all             all             127.0.0.1/32            trust
-      #   host    all             all             10.0.0.0/8              scram-sha-256
+         host    all             all             ::1/128                 trust
-      #   host    all             all             169.254.0.0/16          scram-sha-256
+         host    all             all             10.0.0.0/8              scram-sha-256
-      #   host    all             all             ::1/128                 trust
+         host    all             all             169.254.0.0/16          scram-sha-256
-      # '';
+      '';
       ensureDatabases = map (name: "${name}_db") allApps;
       ensureUsers = map (name: { name = "${name}_user"; }) allApps;
     };
@@ -35,21 +35,42 @@ in {
       backupAll = true; # Backs up all databases and roles
     };
 
-    systemd.services.postgresql.postStart = lib.mkAfter ''
+    services.redis.servers."main" = {
+      enable = true;
+      port = 6379;
+      bind = "*";
+      settings.protected-mode = "no";
+    };
+
+
+    systemd.services.postgresql-init = {
+      description = "Custom Postgres Setup (Ownership & Passwords)";
+      after = [ "postgresql.service" ];
+      wantedBy = [ "multi-user.target" ];
+      
+      serviceConfig = {
+        Type = "oneshot";
+        User = "postgres";
+        RemainAfterExit = true;
+      };
+
+      script = ''
         ${pkgs.coreutils}/bin/sleep 2
         PSQL="${pkgs.postgresql}/bin/psql"
         ${lib.concatMapStringsSep "\n" (name: ''
-          until $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1; do
-            echo "Waiting for user ${name}_user..."
-            sleep 1
-          done
           $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
           
           if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
             PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
-            $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
+            echo $PASS
+            if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
+                echo "✅ Successfully set password for ${name}_user"
+            else
+                echo "❌ FAILED to set password for ${name}_user"
+            fi
           fi
         '') allApps}
-    '';
+      '';
+    };
   };
 }

modules/server/nftables/default.nix

@@ -12,7 +12,8 @@
       table inet filter {
         chain input {
           type filter hook input priority filter; policy accept;
-          tcp dport 5432 ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
+          tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
+          
         }
       }
       table inet nat {

modules/shared/syscfg/default.nix

@@ -13,9 +13,9 @@ let
       default = "-";
     };
     git = {
-      username = mkOption { type = types.str; };
+      username = mkOption { type = types.str; default = "Anonymous";};
-      email = mkOption { type = types.str; };
+      email = mkOption { type = types.str; default = "anonymous@domain"; };
-      key = mkOption { type = types.str; };
+      key = mkOption { type = types.nullOr types.str; default=null; };
     };
   };
   netOpt = with lib; {