Merge pull request 'Lock file maintenance' (#282 ) from renovate/lock-file-maintenance into main

Lock file maintenance
change podman building
2026-06-06 04:04:47 +02:00 · 2026-06-06 02:04:45 +00:00 · 2026-06-05 02:04:21 +02:00 · 2026-05-31 04:05:50 +02:00 · 2026-05-31 02:05:44 +00:00 · 2026-05-30 04:04:57 +02:00
42 changed files with 747 additions and 499 deletions
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -18,7 +18,7 @@ jobs:
        uses: cachix/install-nix-action@v31

    #  - uses: DeterminateSystems/nix-installer-action@v4
-      - uses: DeterminateSystems/magic-nix-cache-action@v13
+      - uses: DeterminateSystems/magic-nix-cache-action@v14
      - uses: DeterminateSystems/flake-checker-action@v12

      - name: "Install Cachix ❄️"
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,6 +9,8 @@ keys:
    - &avalon age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
    - &valinor age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
    - &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+    - &gateway age1lqvnzlendlmtwgstzrj4xzrwpatwx56k5az5au78fyg99yecwfzs3s6xn6
+    - &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3

 creation_rules:
  - path_regex: modules/shared/sops/private/iriy.[a-z]+
@@ -43,6 +45,7 @@ creation_rules:
          - *iriy
          - *avalon
          - *asgard
+          - *gateway
        pgp:
          - *sora

@@ -50,14 +53,13 @@ creation_rules:
    key_groups:
      - age:
          - *ci
-
+          - *sandbox

  - path_regex: modules/server/sops/server.[a-z]+
    key_groups:
      - age:
-      - *valinor
-      - *iriy
          - *avalon
-      - *asgard
+          - *sandbox
+
        pgp:
          - *sora
--- a/flake.lock
+++ b/flake.lock
@@ -45,11 +45,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1773000227,
-        "narHash": "sha256-zm3ftUQw0MPumYi91HovoGhgyZBlM4o3Zy0LhPNwzXE=",
+        "lastModified": 1779036909,
+        "narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "da529ac9e46f25ed5616fd634079a5f3c579135f",
+        "rev": "56c666e108467d87d13508936aade6d567f2a501",
        "type": "github"
      },
      "original": {
@@ -102,12 +102,15 @@
      }
    },
    "hardware": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
      "locked": {
-        "lastModified": 1774567711,
-        "narHash": "sha256-uVlOHBvt6Vc/iYNJXLPa4c3cLXwMllOCVfAaLAcphIo=",
+        "lastModified": 1780310866,
+        "narHash": "sha256-fPBRVf6A5xlACYcOI59shGrjURuvwu0lRsDoSCEXt/I=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "3f6f874dfc34d386d10e434c48ad966c4832243e",
+        "rev": "4ed851c979641e28597a05086332d75cdc9e395f",
        "type": "github"
      },
      "original": {
@@ -139,11 +142,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774559029,
-        "narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=",
+        "lastModified": 1779506708,
+        "narHash": "sha256-QOD/CNm196nCJRheux/URi4/HE66fthdOMqCJoPP1Y0=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "a0bb0d11514f92b639514220114ac8063c72d0a3",
+        "rev": "3ee51fbdac8c8bdfe1e7e1fcaba6520a563f394f",
        "type": "github"
      },
      "original": {
@@ -174,11 +177,11 @@
    },
    "nixUnstable": {
      "locked": {
-        "lastModified": 1774610258,
-        "narHash": "sha256-HaThtroVD9wRdx7KQk0B75JmFcXlMUoEdDFNOMOlsOs=",
+        "lastModified": 1780365719,
+        "narHash": "sha256-QfWfccTN+70ZQ4m2qlU9PiKfz2Yppq94058iJyARNwc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "832efc09b4caf6b4569fbf9dc01bec3082a00611",
+        "rev": "ffa10e26ae11d676b2db836259889f1f571cb14f",
        "type": "github"
      },
      "original": {
@@ -190,18 +193,15 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1774388614,
-        "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e",
-        "type": "github"
+        "lastModified": 1767892417,
+        "narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
+        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
      },
      "original": {
-        "owner": "nixos",
-        "ref": "nixos-25.11",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
      }
    },
    "nixpkgs-lib": {
@@ -221,11 +221,27 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1774386573,
-        "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
+        "lastModified": 1780511130,
+        "narHash": "sha256-2v9lT4ya59Lh1FqPeLnz1MoX9y/wz2huqfe9RtQZITk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
+        "rev": "535f3e6942cb1cead3929c604320d3db54b542b9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1780243769,
+        "narHash": "sha256-x5UQuRsH3MqI0U9afaXSNqzTPSeZlRLvFAav2Ux1pNw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "331800de5053fcebacf6813adb5db9c9dca22a0c",
        "type": "github"
      },
      "original": {
@@ -238,14 +254,14 @@
    "nur": {
      "inputs": {
        "flake-parts": "flake-parts_2",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1774749090,
-        "narHash": "sha256-WtYlg4u+WwunxA4t6akJVUVqPkT04Q7FtLX6B/8dTnM=",
+        "lastModified": 1780704056,
+        "narHash": "sha256-wPq16Ci9SMTSqEJbjaBKaHZBb4eS4ryVHwd3yY/vP3A=",
        "owner": "nix-community",
        "repo": "nur",
-        "rev": "7950e5367f7d3192c5248cff86feff0a131b1e35",
+        "rev": "c4975e3a5b23f14f4bd43e28a0d42f2b16e6f0b8",
        "type": "github"
      },
      "original": {
@@ -262,7 +278,7 @@
        "home-manager": "home-manager",
        "nix-colors": "nix-colors",
        "nixUnstable": "nixUnstable",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "nur": "nur",
        "sops-nix": "sops-nix"
      }
@@ -274,11 +290,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774303811,
-        "narHash": "sha256-fhG4JAcLgjKwt+XHbjs8brpWnyKUfU4LikLm3s0Q/ic=",
+        "lastModified": 1780547341,
+        "narHash": "sha256-Gq8KNx5A7hBB3uGJaj6eQfLDIz5YdLu92gqBcvHvoUo=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "614e256310e0a4f8a9ccae3fa80c11844fba7042",
+        "rev": "9ed65852b6257fbeae4355bc24ecfea307ca759a",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,7 @@
        avalon = gen.generate { host = "avalon"; };
        ci = gen.generate { host = "ci"; };
        sandbox = gen.generate { host = "sandbox"; };
+        gateway = gen.generate { host = "gateway"; };
      };
      darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
      homeConfigurations = {
--- a/modules/home/cli/git/default.nix
+++ b/modules/home/cli/git/default.nix
@@ -1,9 +1,9 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {

  programs.git = {
    enable = true;
-    signing = {
-      key = "${config.usercfg.git.key}";
+    signing = lib.mkIf (config.usercfg.git.key != null) {
+      key = config.usercfg.git.key;
      signByDefault = true;
    };
    ignores = [ "*result*" ".direnv" "node_modules" ];
--- a/modules/home/gui/apps/develop/default.nix
+++ b/modules/home/gui/apps/develop/default.nix
@@ -2,6 +2,6 @@
  imports = [ ./vscodium ];

  config = lib.mkIf (config.syscfg.make.develop) {
-    home.packages = with pkgs; [ blender godot_4 openscad-unstable orca-slicer pandoc];
+    home.packages = with pkgs; [ blender godot_4 openscad-unstable orca-slicer pandoc claude-code];
  };
 }
--- a/modules/home/gui/games/default.nix
+++ b/modules/home/gui/games/default.nix
@@ -11,7 +11,7 @@
      gamemode
      #gamescope
      #mangohud
-      #prismlauncher
+      prismlauncher
      openttd-jgrpp
      #bottles
      lutris
--- a/modules/home/gui/games/wow.nix
+++ b/modules/home/gui/games/wow.nix
@@ -19,64 +19,5 @@
              "wago_addons": null
            }
        }'';
-
-# curse:master-plan
-# curse:raretrackercore-rt
-# curse:raretrackerdragonflight-rtd
-# curse:raretrackermaw-rtmw
-# curse:raretrackermechagon-rtm
-# curse:raretrackerthewarwithin-rtww
-# curse:raretrackertimelessisle-rtti
-# curse:raretrackeruldum-rtu
-# curse:raretrackervale-rtv
-# curse:raretrackerworldbosses-rtwb
-# curse:raretrackerzerethmortis-rtz
-# curse:venture-plan
-# curse:war-plan
-# github:nevcairiel/bartender4
-# github:cidan/betterbags
-# github:bigwigsmods/bigwigs
-# github:bigwigsmods/bigwigs_battleforazeroth
-# github:bigwigsmods/bigwigs_burningcrusade
-# github:bigwigsmods/bigwigs_cataclysm
-# github:bigwigsmods/bigwigs_classic
-# github:bigwigsmods/bigwigs_dragonflight
-# github:bigwigsmods/bigwigs_legion
-# github:bigwigsmods/bigwigs_mistsofpandaria
-# github:bigwigsmods/bigwigs_shadowlands
-# github:bigwigsmods/bigwigs_warlordsofdraenor
-# github:bigwigsmods/bigwigs_wrathofthelichking
-# github:nezroy/demodal
-# github:curseforge-mirror/details
-# github:edusperoni/details_elitism
-# github:curseforge-mirror/elitismhelper
-# github:michaelnpsp/grid2
-# github:jods-gh/groupfinderrio
-# github:nevcairiel/handynotes
-# github:hekili/hekili
-# github:thekrowi/krowi_achievementfilter
-# github:bigwigsmods/littlewigs
-# github:nnoggie/mythicdungeontools
-# github:tullamods/omnicc
-# github:tercioo/plater-nameplates
-# github:curseforge-mirror/quest_completist
-# github:raiderio/raiderio-addon
-# github:wowrarity/rarity
-# github:nevcairiel/shadowedunitframes
-# github:simulationcraft/simc-addon
-# github:curseforge-mirror/tomcats
-# github:weakauras/weakauras2
-# github:kemayo/wow-handynotes-battleforazerothtreasures
-# github:kemayo/wow-handynotes-dragonflight
-# github:kemayo/wow-handynotes-legiontreasures
-# github:kemayo/wow-handynotes-longforgottenhippogryph
-# github:kemayo/wow-handynotes-lostandfound
-# github:kemayo/wow-handynotes-secretfish
-# github:kemayo/wow-handynotes-shadowlandstreasures
-# github:kemayo/wow-handynotes-stygia
-# github:kemayo/wow-handynotes-treasurehunter
-# github:kemayo/wow-handynotes-warwithin
-# wowi:7032-tomtom
-
  };
 }
--- a/modules/nixos/system/hw/boot/default.nix
+++ b/modules/nixos/system/hw/boot/default.nix
@@ -9,7 +9,7 @@ in {
      };
      efi = {
        canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot/efi";
+        efiSysMountPoint = "/boot";
      };
    };
  };
--- a/modules/nixos/system/hw/virt/default.nix
+++ b/modules/nixos/system/hw/virt/default.nix
@@ -11,9 +11,10 @@
        dockerSocket.enable = true;
        dockerCompat = true;
        defaultNetwork.settings = {
-          dnsname.enable = true;
-          internal = true;
-          name = "internal";
+          #dnsname.enable = true;
+          dns_enabled = true;
+          #internal = true;
+          #name = "internal";
        };
      };
    };
--- a/modules/nixos/system/network/base/default.nix
+++ b/modules/nixos/system/network/base/default.nix
@@ -4,6 +4,15 @@
    useDHCP = true;
    nameservers = [ "1.1.1.1" "9.9.9.9" ];

-    firewall = { enable = true; };
+    firewall = { 
+      enable = true;
+      allowedUDPPorts = 
+        (if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++ 
+        [ ];
+
+      allowedTCPPorts = 
+        (if config.syscfg.server ? web       then [ 80 443 22 ] else [ ]) ++ 
+        [ ];
+    };
  };
 }
--- a/modules/nixos/system/network/wireguard/default.nix
+++ b/modules/nixos/system/network/wireguard/default.nix
@@ -1,4 +1,12 @@
-{ config, lib, ... }: {
+{ config, lib, pkgs, ... }: let
+
+  isValidPeer = p: 
+    (p ? syscfg.net.wg.enable) && 
+    (p.syscfg.net.wg.enable == true) && 
+    (p.syscfg.net.wg.pubkey != config.syscfg.net.wg.pubkey);
+  activePeers = builtins.filter isValidPeer config.syscfg.peers;
+in
+{
  config = lib.mkIf (config.syscfg.net.wg.enable) {
    networking.wireguard = {
      enable = true;
@@ -9,7 +17,15 @@
            config.sops.secrets."${config.syscfg.hostname}_wg_priv".path;
          listenPort = 1515;
          mtu = 1340;
-          peers = [{
+          peers = 
+            if (config.syscfg.server ? wireguard && config.syscfg.server.wireguard) then
+              map (p: {
+                name = p.syscfg.hostname;
+                publicKey = p.syscfg.net.wg.pubkey;
+                allowedIPs = [ p.syscfg.net.wg.ip4 p.syscfg.net.wg.ip6 ];
+              }) activePeers
+            else
+              [{
                allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
                endpoint = "vpn.helcel.net:1515";
                publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
@@ -18,5 +34,9 @@
        };
      };
    };
+    systemd.services."wireguard-wg0" = {
+      after = [ "network-online.target" "nss-lookup.target" ];
+      wants = [ "network-online.target" "nss-lookup.target" ];
+    };
  };
 }
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.syscfg.server.containers;
+  enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
+  containerSetsList = lib.mapAttrsToList (name: containerCfg:
+  let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg;};
+  in{
+    containers = lib.mapAttrs' (cName: cValue: 
+      lib.nameValuePair "${name}-${cName}" cValue
+    ) defs.containers;
+  }
+) enabledConfigs;
+  mergedContainers = lib.attrsets.mergeAttrsList  (lib.map(e: e.containers) containerSetsList);
+  allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
+in
+{
+  config = lib.mkIf ( enabledConfigs != {} ) {
+
+    virtualisation.oci-containers = {
+      backend = "podman";
+      containers = mergedContainers;
+    };
+
+    systemd.services.podman-gc = {
+      description = "Podman garbage collection";
+      serviceConfig.Type = "oneshot";
+      script = ''
+        ${pkgs.podman}/bin/podman container prune -f
+        ${pkgs.podman}/bin/podman image prune -f
+      '';
+      startAt = "weekly";
+    };
+    
+    system.activationScripts.container-setup-dirs = {
+      deps = [ "users" "groups" ];
+      text = lib.concatStringsSep "\n" (map (cfg: ''
+        mkdir -p "${cfg.path}"
+        chown ${cfg.owner} "${cfg.path}"
+        chmod ${cfg.mode} "${cfg.path}"
+      '') allPathConfigs);
+    };
+  };
+}
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -0,0 +1,78 @@
+{ config, containerCfg, pkgs, lib, ... }:
+let 
+serverCfg = config.syscfg.server;
+in {
+  paths = [{
+    path="${serverCfg.dataPath}/authentik/media";
+    owner = "1000:1000";
+    mode = "0755";
+  }{
+    path="${serverCfg.dataPath}/authentik/templates";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+
+  containers = {
+
+    server = {
+      image = "ghcr.io/goauthentik/server:latest";
+      volumes = [
+        "${serverCfg.dataPath}/authentik/media:/media"
+        "${serverCfg.dataPath}/authentik/templates:/templates"
+      ];
+      environmentFiles = [
+        config.sops.secrets."AUTHENTIK".path
+      ];
+      environment = {
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
+        "AUTHENTIK_EMAIL__PORT" = "587";
+        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
+        "AUTHENTIK_EMAIL__USE_TLS" = "true";
+        "AUTHENTIK_EMAIL__USE_SSL" = "false";
+        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
+        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.sso.entrypoints" = "web-secure";
+        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.sso.tls" = "true";
+        "traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
+      };
+      cmd = [ "server" ];
+      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+        "--ip=${containerCfg.ip}"
+      ];
+      ports = [
+        "9999:${toString containerCfg.port}"
+      ];
+    };
+
+    worker = {
+      image = "ghcr.io/goauthentik/server:latest";
+      volumes = [
+        "${serverCfg.dataPath}/authentik/media:/media"
+        "${serverCfg.dataPath}/authentik/templates:/templates"
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+      environmentFiles = [
+        config.sops.secrets."AUTHENTIK".path
+      ];
+      environment = {
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+      };
+      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+      ];
+      cmd = [ "worker" ];
+    };
+  };
+}
--- a/modules/server/containers/defs/cloud.nix
+++ b/modules/server/containers/defs/cloud.nix
--- a/modules/server/containers/defs/sample.nix
+++ b/modules/server/containers/defs/sample.nix
--- a/modules/server/containers/defs/traefik.nix
+++ b/modules/server/containers/defs/traefik.nix
--- a/modules/server/database/default.nix
+++ b/modules/server/database/default.nix
@@ -0,0 +1,76 @@
+
+{ config, lib, pkgs, ... }:
+let
+  listNames = config.syscfg.server.db;
+
+  containerNames = lib.mapAttrsToList 
+    (name: cfg: name) 
+    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
+
+  allApps = lib.unique (listNames ++ containerNames);
+
+in {
+  config = lib.mkIf ( builtins.length allApps > 0) {
+    services.postgresql = {
+      enable = true;
+      enableTCPIP = true; # Required to listen on network interfaces
+      settings = {
+        listen_addresses = lib.mkForce "*"; 
+      };
+      authentication = pkgs.lib.mkOverride 10 ''
+         # TYPE  DATABASE        USER            ADDRESS                 METHOD
+         local   all             all                                     trust
+         host    all             all             127.0.0.1/32            trust
+         host    all             all             ::1/128                 trust
+         host    all             all             10.0.0.0/8              scram-sha-256
+         host    all             all             169.254.0.0/16          scram-sha-256
+      '';
+      ensureDatabases = map (name: "${name}_db") allApps;
+      ensureUsers = map (name: { name = "${name}_user"; }) allApps;
+    };
+    services.postgresqlBackup = {
+      enable = true;
+      location = "/var/lib/postgresql/backups";
+      startAt = "*-*-* 04:00:00"; # Runs every day at 4 AM
+      backupAll = true; # Backs up all databases and roles
+    };
+
+    services.redis.servers."main" = {
+      enable = true;
+      port = 6379;
+      bind = "*";
+      settings.protected-mode = "no";
+    };
+
+
+    systemd.services.postgresql-init = {
+      description = "Custom Postgres Setup (Ownership & Passwords)";
+      after = [ "postgresql.service" ];
+      wantedBy = [ "multi-user.target" ];
+      
+      serviceConfig = {
+        Type = "oneshot";
+        User = "postgres";
+        RemainAfterExit = true;
+      };
+
+      script = ''
+        ${pkgs.coreutils}/bin/sleep 2
+        PSQL="${pkgs.postgresql}/bin/psql"
+        ${lib.concatMapStringsSep "\n" (name: ''
+          $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
+          
+          if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
+            PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
+            echo $PASS
+            if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
+                echo "✅ Successfully set password for ${name}_user"
+            else
+                echo "❌ FAILED to set password for ${name}_user"
+            fi
+          fi
+        '') allApps}
+      '';
+    };
+  };
+}
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -1,15 +1,3 @@
-{ config, pkgs, lib, ... }:
-let
-in {
-  imports = [ ./sops ];
-  environment.systemPackages = with pkgs; [ arion ];
-  virtualisation.arion = {
-    backend = "podman-socket";
-    projects = {
-      cloud.settings = import ./docker/cloud.nix { inherit config pkgs lib; };
-      authentik.settings =
-        import ./docker/authentik.nix { inherit config pkgs lib; };
-    };
-  };
-
+{ config, pkgs, lib, ... }:{
+  imports = [ ./containers ./database ./nftables ./openssh ./sops ];
 }
--- a/modules/server/docker/authentik.nix
+++ b/modules/server/docker/authentik.nix
@@ -1,104 +0,0 @@
-{ config, pkgs, lib, ... }:
-let serverCfg = config.syscfg.server;
-in {
-  project.name = "authentik";
-
-  networks = {
-    internal = {
-      name = lib.mkForce "internal";
-      internal = true;
-    };
-    external = {
-      name = lib.mkForce "external";
-      internal = false;
-    };
-  };
-
-  services = {
-
-    auth_postgresql.service = {
-      image = "postgres:14-alpine";
-      container_name = "auth_postgresql";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ ];
-      environment = {
-        POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
-        POSTGRES_USER = "authentik";
-        POSTGRES_DB = "authentik";
-      };
-    };
-
-    auth_redis.service = {
-      image = "redis:alpine";
-      container_name = "auth_redis";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ ];
-      environment = { };
-      labels = { "traefik.enable" = "false"; };
-    };
-
-    auth_server.service = {
-      image = "ghcr.io/goauthentik/server:latest";
-      container_name = "auth_server";
-      restart = "unless-stopped";
-      networks = [ "internal" "external" ];
-      volumes = [
-        "${serverCfg.dataPath}/authentik/media:/media"
-        "${serverCfg.dataPath}/authentik/templates:/templates"
-      ];
-      environment = {
-        "AUTHENTIK_REDIS__HOST" = "auth_redis";
-        "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
-        "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
-        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
-        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
-        "AUTHENTIK_EMAIL__PORT" = "587";
-        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
-        "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
-        "AUTHENTIK_EMAIL__USE_TLS" = "true";
-        "AUTHENTIK_EMAIL__USE_SSL" = "false";
-        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
-        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.sso.entrypoints" = "web-secure";
-        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.sso.tls" = "true";
-        "traefik.http.services.sso.loadbalancer.server.port" = "9000";
-        "traefik.docker.network" = "external";
-      };
-      command = "server";
-      ports = [
-        "9999:9000" # host:container
-      ];
-    };
-
-    auth_worker.service = {
-      image = "ghcr.io/goauthentik/server:latest";
-      container_name = "auth_worker";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [
-        "${serverCfg.dataPath}/authentik/media:/media"
-        "${serverCfg.dataPath}/authentik/templates:/templates"
-        "/var/run/docker.sock:/var/run/docker.sock"
-      ];
-      environment = {
-        "AUTHENTIK_REDIS__HOST" = "auth_redis";
-        "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
-        "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
-        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
-      };
-      labels = { "traefik.enable" = "false"; };
-      command = "worker";
-      user = "root";
-    };
-  };
-}
--- a/modules/server/nftables/default.nix
+++ b/modules/server/nftables/default.nix
@@ -0,0 +1,47 @@
+
+
+{ config, lib, ... }:{
+  config = lib.mkIf (config.syscfg.server.nftables.enable) {
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+    };
+
+    networking.nftables.enable = true;
+    networking.nftables.ruleset = ''
+      table inet filter {
+        chain input {
+          type filter hook input priority filter; policy accept;
+          tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
+          
+        }
+      }
+      table inet nat {
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept;
+          
+          ${lib.concatMapStringsSep "\n" (rule:
+            let
+              srcInt = builtins.elemAt rule 0;
+              dstAddr4 = builtins.elemAt rule 1;
+              dstAddr6 = builtins.elemAt rule 2;
+              srcPort = toString (builtins.elemAt rule 3);
+              dstPort = toString (builtins.elemAt rule 4);
+            in ''
+                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
+                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
+
+                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
+                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
+            ''
+          ) config.syscfg.server.nftables.ports}
+        }
+        
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
+        }
+      }
+    '';
+  };
+}
--- a/modules/server/openssh/default.nix
+++ b/modules/server/openssh/default.nix
@@ -0,0 +1,27 @@
+{ config, lib, ... }: 
+let
+  allUsers = lib.concatMap (peer: if peer.syscfg ? users then peer.syscfg.users else []) config.syscfg.peers;
+  groupedUsers = lib.groupBy (u: u.username) allUsers;
+  allowedUsernames = map (u: u.username) config.syscfg.users;
+  activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers;
+in {
+  config = lib.mkIf (config.syscfg.server.openssh) {
+    services.openssh = {
+        enable = true;
+        ports = [ 422 ];
+        banner = "";
+        settings = {
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+        ClientAliveInterval = 60;
+        ClientAliveCountMax = 3;
+        TCPKeepAlive = true;
+        };
+    };
+    users.users = lib.mapAttrs (name: userList: {
+        openssh.authorizedKeys.keys = lib.unique (
+        lib.concatMap (u: if u ? pubssh then [ u.pubssh ] else []) userList
+        );
+    }) activeUsers;
+    };
+}
--- a/modules/server/sops/default.nix
+++ b/modules/server/sops/default.nix
@@ -1,20 +1,16 @@
-{ config, pkgs, ... }: {
-  sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
-  sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
-    mode = "0400";
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
-    group = config.users.users.${config.syscfg.defaultUser}.group;
+{ config, lib, pkgs, ... }:
+let
+ listNames = config.syscfg.server.db;
+  containerNames = lib.mapAttrsToList (name: cfg: name) 
+    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
+  allApps = lib.unique (listNames ++ containerNames);
+in{
+  config = lib.mkIf (config.syscfg.server.sops) {
+    sops.secrets = {
+      INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
+    } // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
+      owner = "postgres";
+      sopsFile = ./server.yaml;
+    }));
  };
-  sops.secrets."iriy_ssh_pub" = {
-    mode = "0444";
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
-    group = config.users.users.${config.syscfg.defaultUser}.group;
-  };
-  sops.secrets."valinor_ssh_pub" = {
-    mode = "0444";
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
-    group = config.users.users.${config.syscfg.defaultUser}.group;
-  };
-  sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
-  sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
 }
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
@@ -1,68 +1,47 @@
 INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
+AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZk1VY3NEZmRkS0J6dU03
-            OUtETWpHL2hLN09kRytNUEhmVnA5WW9yVXlNCmZaZnQ2YUlMMmlrZ2dEZDVFMHA5
-            OUpqOTJJbHVVREtpSFUyaDJDbXltaTgKLS0tIFY0ZkF3Ym5oeHViN3J4eW4vSVYz
-            QkhuU0NLWElyVXpZd2ZpOHhwam04R28KFuaI35e8pB25M2dlP19gApso12ZYJ3ld
-            BpMnp97ShX0I8bZRIYxSHpSrB/J+tt1V4pfGdJq7uWZM7XacPy666A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rzc3ak4vRVZiNWxNZEN3
+            N21rSjZqUm9XVWF5TUxNTXVybEMzNCtod0NnClNjODB6VWhzU1VHeVdlZ3hEaE5D
+            MW9WWWYvYmt5TmNzMzNudDhLSW12RnMKLS0tIDdjc2ZOK3QxaTFJMFdpTHFzcklr
+            clZnQXpPbWs5aXZJeUlxOWhJNmIrOFkKZfZ19Y4yfCJi1GrxLsv76JyBmuxW/glF
+            BCJCvmdSSOJx5JW26Y3Y3LwiIuL8yboKR+8ZAwU2fG5OQfs+2czFdQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
+        - recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZXNjRzJsdFpTdDZhSkRB
-            eW1qSStnZHN5Tzh3bFA1azZIRk42V1RzSTJJCi9MV0k5ZXNQOWJFYnlXdnB3azBL
-            NzNldkFLWlEyT01MeWlFU3RKODU4dWcKLS0tIFJXL1ZsNDgydTgxVGRMYWxyQTNT
-            K1M0TDd1eGd1V3pOcjl1M1VrdDUvbG8KpsWlrr14MOh/8mG+rXpswPPFE3VnpKGt
-            03DWUII3+MMEWLJPLxkNJ9BzCm4Kl1QNHSbJ7Ex6df0b7nB6Ed6Hvw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cEpsb2gvbDJ0aG5BRWNS
+            WXgydFo3ZkF3SmVIU1EvaHVjb3RvK3BxVDJrCis2ME9zUEVGQURFdmJXS2lTSklk
+            V3ZONHpTZVJqMUxOVkd5ZDlqVTRNdzgKLS0tIGwwR0k1Vll6bEdmZVZvVktzMTRN
+            S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
+            d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5U1VjTjlIMTdLRFQ5R1Av
-            SVBLMFZtV3ppK2VXWjdYelNGTGFOZUJaMndBCjYyZ0IveXFiVDlSUEtNOXk2L3g3
-            UmFIRE1GMEs2QVhUcFJkTHpCWmhhbG8KLS0tIG94NStMUnFZRTRsK2w4cDd4Rms5
-            M1MwTEtJNEFDdjRLVFRseThxNGJUQ0kKKN7QX9qUojNQBknbInaXslaKsAAhEj5y
-            QMXAU6TxlHMv+wZy2RQwMe/zE7RP24TypnX894iV0usTHujyxvfk3w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUHFYMWdVczRPdEFSbFR5
-            VmcxeEU4YWxwRTlDUkRkNVY0dFh5cjVUNjNnCkRSblNaS214dkdrd3JnNE5rZnR3
-            S0JVeXova1h2VnB2ODY0SUYxZm45TjAKLS0tIFN1QXFyTkt3SmV0UVhGMlMxTmpN
-            VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq
-            VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T16:05:46Z"
-    mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str]
+    lastmodified: "2026-05-06T01:10:20Z"
+    mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str]
    pgp:
-        - created_at: "2024-05-08T15:46:52Z"
+        - created_at: "2026-05-05T23:46:27Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA6R3Y9nD7qMBAQ//bYK5gdxv8fNvG6P4GrD27gQRQXhLGF2+hS54sqEqjeN8
-            NZpHVbNNRR3AggOkT7QY1JO8bOhWscefH1vvBmBuODzh5Fw42t4zNPEDjWZEetxa
-            rClbLEvo7Kz8UKCNb9JIeYx7cr8sPWCmg4GvV1wGjhjr+u5ovuheORnHl+qoLsqv
-            P12PV7VzwC52v92GWiu9LRJqfqZra5GjUXGVXzBcZ9i6CnUDejzssWjhO/fmzKum
-            GbGIi9sf3RmVYsUASDgRBmVAZC3KF7RLi0L6WY0etRocAaWSAgnU1lZ04E8ZtLjk
-            DlCtIpreJ1H0Ym+5EXB94PG0KZjayxKc20YDQ+yYwwSmiCVaUCLlYX2BOoncUYFF
-            MxVgWYwn14R5jyGbh4NyiBxPGHvIUx5RCIo70pMgS6W5ALZYTcNDLF82mj1xTOTy
-            bcuaa7FCuXJif457LCe5TcAa5WYDgKX8pUKzFRhWIckcGwgFCUB0Z7+L9L7F0yt/
-            YZd71cY0Lxlwi61CnWgZZMx2FFpHyBCEmF1A180KUtB1jSkS/AVmlM2z9I0QsR62
-            fTFIaqimPMjUzbuTs0QjUXf8OJZo0/cwo9XeGyCBtJTg7cLdsOFouqfvXhvkdCrR
-            xCLE2Ke5jwmoPKs1t+YpwMMzB57j/rluZCgiz45w7YDXKf4gEp2ra9siFiC/y9PS
-            XgEPymUiDZY0w9S5oGr94cNc6LQId16Zgt1vWHLzgg8QZqkxLTBjUXXc7aoCISQp
-            AwUE62KJucVvWjB3kcgDbNvaDWWC5O48zUavmzkmmP1sqKf0gO/XG52PDG/DF3Y=
-            =cs0r
+            hQIMA6R3Y9nD7qMBAQ/+JdTDmQhL1+iX7yeyGs1kt9yQeMYkJ+bQD3LqlQVh6Xea
+            yPIdcMBjAf1CNlkJKeJ4QK3f8rsZkxHmUFVDz7yCXctsp81hNBMZ0sauBM50OU4W
+            gQsDailZHgG5qCqKx91qSyVLtzVy4zcoTXy8TWLrSwztCt9qqX9LFZTKyZzNTiHW
+            DHYSwaJdTteXY89pZjPAQ6UtIdoVWaVfvCgaSZAxr3K8IJmobvMhhk/Fgm3CoE6Y
+            mfQd4lQhoqxrn2M/FKc30vg0yKVsiW3qlfnJCVHCxYUtQLVs3cF05lmj7CYy+0Mu
+            7eZlfVj84hCLmd4ccOITkrOTqcBKWKQ5EpE8DGvWlLPEZt407MjaphEJ7dYhkfr/
+            x4HrahZoeVbYX2Va0++picut+cE/NL9F/QMfqP4QhdHQhe74FlQcxpGDtcUIQep5
+            8MvbEAhUpGL4sErg6afmIapxXi3euIXcBDYPatgoAlsH7E8rUTX1Sd4VOgV89kEJ
+            pkl4OOwcaiF+brqtDiTGZf5l6AOugiYTp2Rtq9KMcGEGEmXFLcFKVjNEkZIxNxt3
+            EtrXrNmOCVJm71yOn2ruD9n2EXzFULfeyOhup7eYVfynkEWYlCQNHeaqMy2q656m
+            LWVd89AUzWLcsmY8naWpfekU9K//hLHxRLBzqfouYXJ+Ji/HOvfRj7NZBg6UtgfS
+            XgFOJg3EaLAZEyvEZKWpnWlf3gBTRK3ffaLzs+eddSgzYUutzlOYUZb7v3iEdjta
+            4Ik4F1M+kOGieyVxxLHOHMrOn09+WMmFIiPpBtCIcZmtwOzXNdhbZdFWNx5qPhU=
+            =wXdG
            -----END PGP MESSAGE-----
          fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.12.1
--- a/modules/shared/sops/common.yaml
+++ b/modules/shared/sops/common.yaml
--- a/modules/shared/sops/default.nix
+++ b/modules/shared/sops/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
  isCI = builtins.elem config.syscfg.hostname [ "ci" "sandbox" ];
  keyFilePath = (if isCI then
@@ -14,19 +14,15 @@ in {
  sops.age.keyFile = keyFilePath;
  sops.age.generateKey = true;

-  sops.secrets.wifi = { };
-
-  sops.secrets."${config.syscfg.hostname}_ssh_priv" = {
+  sops.secrets = lib.mkMerge [
+  {
+    wifi = { };
+    "${config.syscfg.hostname}_ssh_priv" = {
      mode = "0400";
      owner = config.users.users.${config.syscfg.defaultUser}.name;
      group = config.users.users.${config.syscfg.defaultUser}.group;
    };
-  sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
-    mode = "0444";
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
-    group = config.users.users.${config.syscfg.defaultUser}.group;
-  };
-  sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
-  sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
-
+    "${config.syscfg.hostname}_wg_priv" = { };
+  }
+];
 }
--- a/modules/shared/sops/mock.yaml
+++ b/modules/shared/sops/mock.yaml
@@ -13,34 +13,22 @@ sops:
        - recipient: age13qv9dn9806paqgpjwmmkwtdzvv4qpv0ulksq0epnn8ufaxeug5zskyas3z
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwKzJHRy9YOVN2ZFpJblBv
-            dS9zUVpsNXhOQ2JLbUZqYXd5QkZmaFc1N1EwCjlpREM4REg1eTZybVZML25HdUtx
-            bU5vU1FBbUVLOVZzd0hnL1V6SVNXQm8KLS0tIE9QVFg1Umh2dkoyb0pzVlloQmV6
-            c2RGcklkT3l2YzFjK1RTMDNpU09SMzAKjcTMPPeUHu4Dq/zXGSb4VYcGjrLdG0KE
-            Jcpk1DrlpecK6GMaJ1vRiULs8qGlKFFyXqMhzgAx4jNQCoz7QLHDvg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbHNVZjRzQi9ram1xNHk3
+            d3pTTStiMjBLZHgwL0cvUGRwRFFzWi9HS2dvCkQ0ZU5UK1owS0N5MHhxOXV1cGVy
+            RnFQbGlhVy9tSVZKYXBqbzZjZU9nd3cKLS0tIDdXdm1qVTYvdS9sQ0Z0aExpTzB1
+            WkNsWVpqaHRSWkl6YXVrN0NoemhiS1EKoDRocdztTLQ5LMwHdlszTFHy+rm+y4RE
+            f97a6Z2J87ZfObRbaap5adVD7qk/tTYHGshT/8G1JxjctsxRgdfsmA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSHBpZGg0TlVtMFhjY2Ry
+            NzUrd1pPZFZNdFdLSUxrUUROaVNCTzdGR0hrCkVGUmpGemtFSDErRDArS0Y0WGZu
+            YkYzL2NGMTlnNW1NdStHOGpRN3A1VXcKLS0tIGs0MDIxTmpzSGtRWHZESFhNWXlS
+            Y3N0a2VPUHdoRlpUZ3BPVXROdDRHekEK2YN9ZgCaBPt/8kAkZNgsHp61SYqiFFXX
+            2lF0R1GNmYWm6T0YVCp/2ZN3z4GC+monctg1zoo5QsHfhIOpqIVoTA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-09-06T13:37:03Z"
    mac: ENC[AES256_GCM,data:uI9yG3/jGNGn6yoN9W+9K/AUeSowe4Mb9vhh38pwkuKab9zXTFidCWyh1e0TEOsIHrhfK2GPc2fHwc309/la+CoiNxAIYtC4xmoCYxSGrDgbsZEONrusy9AEKpRCO8CqLYyLYaAG9sLqFyIz3GyEnS/j98V3LeemhFtS17J1VHI=,iv:x/7caaKnggoyEaCx5sf+zzSE+3d7atv+o9B1O3QX0Uc=,tag:Tzfs+ACx+4A6kxAZtVQ3KQ==,type:str]
-    pgp:
-        - created_at: "2025-09-06T13:36:03Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA6R3Y9nD7qMBAQ//UtYJdgvi7DMZ6UC/kDcqB//R6FCyGB6o2mATXy1Ryfgl
-            p6WiK1HfNCb6lR46TOiwWYybo4E93ty1Vg5XCG1Yj/MYFYctHt+GbluBVCkTslRS
-            7XjpUF4a8vzuxc9pys8U2oqhANAcM/UAYlKBnSqjCI+0MiL2jhTPZ4LTKOK6N3hE
-            Uvh2dRAmshQf6VGmSA8/00cuSO6nTkIO2fZ4ihu+r/HCOqYI9LTS+pjRF9JKa8SZ
-            eXYYbym5Xl9d3w9O3OT9kbfkCxNb/pEwU/XPMQpW2KLHQKt8hC36TmAJKlQcK75n
-            1Ai3dP0cxnmdV412Amfzm159rrVIYcGHEeuDJXN0S6rmVSLALTlP+h1vMOuoASjm
-            cLGrEeuuByMaHwoxHWPvLZfIhh+h+PoRF8qkU9ThjjFxpwxx1djzez/FORxYIqMx
-            KIW2JiZVyaavklqu5hNQZ0QcFK558gnuEvzsTSDbMsJVuxmc9OPWW+VHemsAyKCv
-            KRJmrXEsxYD2E7JZn7LQra+gK3/k3txPYldPNaPtaMd31dhQa/QTKjh0rQwmdz+p
-            ADZFTnz4eoLcm8tIL7oH036Pcwt9ukJKptn9k3cXB3tyt0w7J6QY8Q8pfAAq7PrQ
-            ItVWZ94Q+qM0+kjNXPhUnV4JqV1bADBF0dygfzERZr8P2jeioHMmdU6ob9T40u7S
-            XgFyGqxKrst9WgIxGEpsk0mIE0eJKEUwH+oppFZp/7ajq9/Jr2x4aKFyPeJTUjsA
-            koi7NQcKSOwhzf9rYfk/n4HZM0BxXIzHJUEiYtB3QTuxg94PtE593TcggbWnHZM=
-            =SKIv
-            -----END PGP MESSAGE-----
-          fp: A362EA0491E2EEA0
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -1,15 +1,21 @@
 { inputs, lib, ... }:
 let
+  systemsDir = ../../../systems;
+  systemNames = lib.attrNames (lib.filterAttrs 
+    (name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix")) 
+    (builtins.readDir systemsDir));
+
  userOpt = with lib; {
    username = mkOption { type = types.str; };
+    pubssh = mkOption { type = types.str; default=""; };
    wm = mkOption {
      type = types.enum [ "Wayland" "X11" "-" ];
      default = "-";
    };
    git = {
-      username = mkOption { type = types.str; };
-      email = mkOption { type = types.str; };
-      key = mkOption { type = types.str; };
+      username = mkOption { type = types.str; default = "Anonymous";};
+      email = mkOption { type = types.str; default = "anonymous@domain"; };
+      key = mkOption { type = types.nullOr types.str; default=null; };
    };
  };
  netOpt = with lib; {
@@ -42,6 +48,10 @@ let
        type = types.str;
        default = "";
      };
+      pubkey = mkOption {
+        type = types.str;
+        default = "";
+      };
    };
  };
  makeOpt = with lib; {
@@ -55,7 +65,7 @@ let
    };
    virt = mkOption {
      type = types.bool;
-      default = true;
+      default = false;
    };
    power = mkOption {
      type = types.bool;
@@ -84,7 +94,6 @@ let
      type = types.str;
      default = "3306";
    };
-
    configPath = mkOption {
      type = types.str;
      default = "/media/config";
@@ -93,6 +102,59 @@ let
      type = types.str;
      default = "/media/data";
    };
+    containers  = mkOption {
+      type = types.attrsOf (types.submodule {
+        options = {
+          enable = mkOption { type = types.bool;default = false; };
+          db = mkOption { type = types.bool;default = false; };
+          ip = mkOption { type = types.str; };
+          port = mkOption { type = types.port; };
+          extraParam = mkOption { type = types.str; default = ""; };
+        };
+      });
+      default = {};
+    };
+    sops = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    openssh = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    wireguard = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    web = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    nftables = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      ifs = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+      };
+      ports = mkOption {
+        type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
+        default = [];
+        description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
+        example = [
+          [ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
+          [ "ens3" "10.10.1.2" "IPV6" 80 80 ]
+          [ "ens3" "10.10.1.2" "IPV6" 443 443 ]
+        ];
+      };
+    };
+
+    db = mkOption {
+      type = types.listOf (types.str);
+      default = [ ];
+    };

  };
 in with lib; {
@@ -114,12 +176,15 @@ in with lib; {
      type = types.listOf (types.submodule { options = userOpt; });
      default = [ ];
    };
+    peers = mkOption {
+      default = map (name: import (systemsDir + "/${name}/cfg.nix")) systemNames;
+    };
    server = mkOption {
      type = types.oneOf [
-        (types.attrs)
+        types.bool
        (types.submodule { options = serverOpt; })
      ];
-      default = { };
+      default = false;
    };
  };
 }
--- a/systems/asguard/cfg.nix
+++ b/systems/asguard/cfg.nix
@@ -1,6 +1,6 @@
 {
  syscfg = {
-    hostname = "asguard";
+    hostname = "asgard";
    defaultUser = "sora";
    type = "macos";
    system = "x86_64-darwin";
--- a/systems/avalon/cfg.nix
+++ b/systems/avalon/cfg.nix
@@ -23,21 +23,16 @@
      }
    ];
    make = {
-      gui = false;
      cli = true;
      virt = true;
-      power = false;
-      game = false;
-      develop = false;
-    };
-    wlp = {
-      enable = false;
-      nif = "";
    };
+    net = {
      wg = {
        enable = true;
        ip4 = "10.10.1.2/32";
        ip6 = "fd10:10:10::2/128";
+        pubkey = "QlvpTiK6s/lIha9vKmo+teSy2Nw52qWLYatYjxVan3U=";
+      };
    };
  };
 }
--- a/systems/avalon/server/docker/secrets.txt
+++ b/systems/avalon/server/docker/secrets.txt
@@ -0,0 +1,14 @@
+
+
+AUTHENTIK_DB_PASSWORD=NTQRO0rhPCd4L3HLNK4AT09Npz+ks1jyRC6AOyo5u+k=
+AUTHENTIK_SECRET_KEY=9Zw8Sy8257iJmRdBhUKGiq3d7uYAkhC9smuDUClE8aR1iPdpHHds+K2D1Zy3lwj2Hjnasu5jnopkhwnABWDu8A==
+
+
+AUTHENTIK_EMAIL_PASSWORD=w+g:cPU+e.<q,f<mj3DFPxXxo4h2SVS9.;,T<!Sra>y!mNcAsiAp4jPCLTmjte2d
+
+
+ETHERPAD_DB_PASSWORD=d43352c3906516bf4c34d63316509cb4b1621167af84c81b60689779a62b2348
+ETHERPAD_ADMIN_PASSWORD=Hackme55#
+
+COLLABORA_USER=...
+COLLABORA_PASSWORD=...
--- a/systems/ci/cfg.nix
+++ b/systems/ci/cfg.nix
@@ -21,16 +21,5 @@
      game = true;
      develop = true;
    };
-    net = {
-      wlp = {
-        enable = false;
-        nif = "NA";
-      };
-      wg = {
-        enable = false;
-        ip4 = "";
-        ip6 = "";
-      };
-    };
  };
 }
--- a/systems/gateway/cfg.nix
+++ b/systems/gateway/cfg.nix
@@ -0,0 +1,44 @@
+{
+  syscfg = {
+    hostname = "gateway";
+    type = "nixos";
+    system = "x86_64-linux";
+    defaultUser = "sora";
+    users = [{
+      username = "sora";
+      pubssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrrUB0KBjeAKPVG2Bdcm4mI9AMab7y97SOCdEHGogYv sora@gateway";
+      wm = "-";
+      git = {
+        email = "soraefir+git@helcel";
+        username = "soraefir";
+        key = "4E241635F8EDD2919D2FB44CA362EA0491E2EEA0";
+      };
+    }];
+    make = {
+      cli = true;
+    };
+    net = {
+      wg = {
+        enable = true;
+        ip4 = "10.10.1.1/32";
+        ip6 = "fd10:10:10::1/128";
+        pubkey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+      };
+    };
+    server = {
+      openssh = true;
+      wireguard = true;
+      web = true;
+      nftables = {
+        enable = true;
+        ifs = ["ens3" "wg0" ];
+        ports = [
+                [ "ens3" "10.10.1.2" "fd10:10:10::2" 22 2222 ]      # SSH/GIT
+                [ "ens3" "10.10.1.2" "fd10:10:10::2" 80 80 ]        # HTTP
+                [ "ens3" "10.10.1.2" "fd10:10:10::2" 443 443 ]      # HTTPS
+                [ "ens3" "10.10.1.2" "fd10:10:10::2" 3979 3979 ]    # OTTD
+        ];
+      };
+    };
+  };
+}
--- a/systems/gateway/default.nix
+++ b/systems/gateway/default.nix
@@ -0,0 +1,20 @@
+{ config, lib, inputs, ... }: {
+  imports = [ ./hardware.nix ../../modules/server ];
+
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+https://git.helcel.net/sora/nixconfig"; 
+    flags = [
+      "--no-write-lock-file"
+    ];
+    dates = "04:00";
+    randomizedDelaySec = "30min";
+    allowReboot = false;
+  };
+
+  networking.extraHosts = ''
+    10.10.1.2     git.helcel.net
+    10.10.1.2     avalon.helcel.net
+  '';
+
+}
--- a/systems/gateway/hardware.nix
+++ b/systems/gateway/hardware.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix" ) ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    efiSupport = true;
+  };
+
+  boot.initrd.availableKernelModules =
+    [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/25df457a-21d0-41ab-9de5-88ffc00e3469";
+    fsType = "btrfs";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/F24E-74FA";
+    fsType = "vfat";
+    options = [ "defaults" ];
+  };
+}
--- a/systems/iriy/cfg.nix
+++ b/systems/iriy/cfg.nix
@@ -6,6 +6,7 @@
    defaultUser = "sora";
    users = [{
      username = "sora";
+      pubssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGtotfQkclilrhEOzY3QUpOwYF+eOjHvqN6Of3NVg4x8NQLjx/X/gxC+GAllQxy9Zkz/N5wY0Fa4/6HoGheCRvWaN/nofz95VgtX8a1A/flrT8CGdBfRqXlcd4OEXhpFcbEm9VRXmxSKnsD4zySZr/151S+1PlQr8pJ1yyzxsIQx+RNo9P4gzpoJgkfZ3JIqLWb6B4aXallAg9Ha1WX0lx24voWNgg9AQt6/lccfmeoWAzBGUNq5a/mH59O+UCIM2y19ksEweY6URHpk6Ss597zp+0j2NYg8MS4rToYUb0Y7giNNBdKAzqNd+Wp6gjqBthuDIOfsXM082O5IarPKPJNVbx/Xpf3m1hYtxfL+LhEkdoE94iue601WqTltC0btS63LeZuoAZYji/GG/D8U7V77Lh3MV5/hJm5sK6wM6r7fCoenehgiy49z00NqtgM33rWNrpL9eXNKb//5Lxe7U58jPyteWpsL8+fJFcs/2uh4D5zN3d/I+yLZ1OMgUN6LM= sora@iriy";
      wm = "Wayland";
      git = {
        email = "soraefir+git@helcel";
@@ -17,7 +18,6 @@
      gui = true;
      cli = true;
      virt = true;
-      power = false;
      game = true;
      develop = true;
    };
@@ -31,6 +31,7 @@
        enable = true;
        ip4 = "10.10.1.7/32";
        ip6 = "fd10:10:10::7/128";
+        pubkey = "6d1bINFmH12ACAJLDOwfFIZgmNHV/FGGk0YJyDP50HQ=";
      };
    };
  };
--- a/systems/iriy/hardware.nix
+++ b/systems/iriy/hardware.nix
@@ -24,7 +24,7 @@
    fsType = "ext4";
  };

-  fileSystems."/boot/efi" = {
+  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/349E-5086";
    fsType = "vfat";
  };
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -6,6 +6,7 @@
    defaultUser = "sora";
    users = [{
      username = "sora";
+      pubssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrrUB0KBjeAKPVG2Bdcm4mI9AMab7y97SOCdEHGogYv sora@gateway";
      wm = "-";
      git = {
        email = "soraefir+git@helcel";
@@ -14,27 +15,30 @@
      };
    }];
    make = {
-      gui = false;
      cli = true;
      virt = true;
-      power = false;
-      game = false;
-      develop = false;
-    };
-    net = {
-      wlp = { enable = false; };
-      wg = { enable = false; };
    };
    server = {
+      openssh = true;
+      web = true;
+      sops = true;
+
      hostDomain = "test.helcel.net";
-      mailDomain = "mail.helcel.net";
-      mailServer = "mail.helcel.net";
+      shortName = "testcel";
+      mailDomain = "test@helcel";
+      mailServer = "infomaniak.ch";

      dbHost = "localhost";
-      dbPort = "3306";
      
-      configPath = "/home/media/config";
-      dataPath = "/home/media/data";
+      containers = {
+        #cloud = {enable = true;};
+        authentik = {
+          enable = true;
+          db = true;
+          ip = "10.88.0.125";
+          port = 9000 ;
+        };
+      };
    };
  };
 }
--- a/systems/sandbox/default.nix
+++ b/systems/sandbox/default.nix
@@ -1,13 +1,4 @@
 { config, inputs, ... }: {
  imports = [ ./hardware.nix ../../modules/server ];
-
-  services.openssh.enable = true;
-  services.openssh.authorizedKeysFiles = [
-    config.sops.secrets."iriy_ssh_pub".path
-    config.sops.secrets."valinor_ssh_pub".path
-  ];
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0GpKd62XMlO410/iYkNG8MHdGGaeMG3Gmsf3Pv3u2BllUzR9Dpym1ZOz2lwo3iK0FimcQpOiJqSIahO59HJl8jQ9BoQrJMXH7l2kuq1T09cMNWGjlzowg0LWKWOzoBzOwcheyW68OJGgkSfvk9BdshkUYTLVBXjiI9jo/8Qkcv1WLJJvJmDBDwnbYDQpODXCEDQ/t3YVubb+ocLmh40sDUffJLWZQXN6OFW9N5XxnvY7K5x9ci9GU4Reei40K8yDw2Hgi0njzijRdzie3MJlKPPawJ2TATu9LsGuxfx8bJXVx+mNxP0lhO8dOOhP7p0ozTxlJJY9ZWaKgOz3SzYNCgJ1gH7NtTBtSruXd6pfmErUmuJEAeMD6+QF3yJ5tnVFNPoSHqjP+oL3CgSRpmuvn7ChSSI3J3UVhLux165VtwIL7UhosO2mCqmn0Yk2mSBkB/L4ZiWFmO3vYdagYNQX7xZHzCJ5my8vomiT+DUGb2h/o1NetKwIZJiFAuHxKt3k= sora@valinor"
-  ];
 }

--- a/systems/sandbox/hardware.nix
+++ b/systems/sandbox/hardware.nix
@@ -1,14 +1,27 @@
 { config, lib, pkgs, modulesPath, ... }: {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix" ) ];
+
  boot.kernelPackages = pkgs.linuxPackages_latest;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  boot.loader.grub.device = "/dev/sda";
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    #efiSupport = true;
+  };
+
  boot.initrd.availableKernelModules =
    [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
  boot.initrd.kernelModules = [ "nvme" ];

  fileSystems."/" = {
-    device = "/dev/sda3";
-    fsType = "btrfs";
+    device = "/dev/disk/by-uuid/abc944c6-484a-4abe-a675-906e3781d71f";
+    fsType = "ext4";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/C555-300B";
+    fsType = "vfat";
+    options = [ "defaults" ];
  };
 }
--- a/systems/valinor/cfg.nix
+++ b/systems/valinor/cfg.nix
@@ -6,6 +6,7 @@
    defaultUser = "sora";
    users = [{
      username = "sora";
+      pubssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCZibVYTvS4Dd+ZhGCpRpKfxs1fQeepNTzfzYk9I12Hyez25pQCeH+6ArrVhf6yX5Na1ffkvqTrNIDYJ1V2GHhemX0ruYp2B3xt229JszI7DeRC7YeG7v5uvsfTgicADCstGPSNorKXuNnHuBebSHpmWWbuKrYZdmcA/Az7H8uwF5+VQrnyASgZgwGV94MHinFVWsisB7o6iq4qxqpsUdtuZGbU0stDE5f9DLMDYuUxtx+jASRt+X60Bzjv3OFjU/b/YYzojTtuujkYXunNNTceCB4DTue5YMKQOlmd/IezL5nPAK9IsonPqojX9LPk2RvTCr4qalQ6AD92nq+xMW6FY1uJaKT81S8TvZcaqTm4FhEDkChuFq77biSUDhQkpcdNVOjUn5OtKpYl+0VkCaAx/8uyoylBacrn1XXLLg+gjwGCFHa2eeNu/BKIUa+5EK/FRwLpnEoPDkAHQ95JXQewChcUKG8A+Bz29XRKr9J64kbbGmwa+yjlVTPLSE6ZZE= sora@valinor";
      wm = "Wayland";
      git = {
        email = "soraefir+git@helcel";
@@ -31,6 +32,7 @@
        enable = true;
        ip4 = "10.10.1.5/32";
        ip6 = "fd10:10:10::5/128";
+        pubkey = "EUYd/dMdGcbxiWJXHhQhCXV00cr87pxiW1HExwCTGg0=";
      };
    };
  };
--- a/systems/valinor/hardware.nix
+++ b/systems/valinor/hardware.nix
@@ -17,7 +17,7 @@
    fsType = "ext4";
  };

-  fileSystems."/boot/efi" = {
+  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/F344-72E2";
    fsType = "vfat";
  };
Author	SHA1	Message	Date
bot	8ed749e5f7	Merge pull request 'Lock file maintenance' (#282 ) from renovate/lock-file-maintenance into main	2026-06-06 04:04:47 +02:00
Renovate Bot	ff4217466d	Lock file maintenance	2026-06-06 02:04:45 +00:00
soraefir	0e45834e45	change podman building	2026-06-05 02:04:21 +02:00
bot	85d5009104	Merge pull request 'Lock file maintenance' (#281 ) from renovate/lock-file-maintenance into main	2026-05-31 04:05:50 +02:00
Renovate Bot	88e7196148	Lock file maintenance	2026-05-31 02:05:44 +00:00
bot	8b4d3e1a13	Merge pull request 'Lock file maintenance' (#280 ) from renovate/lock-file-maintenance into main	2026-05-30 04:04:57 +02:00
Renovate Bot	fb0ddd9548	Lock file maintenance	2026-05-30 02:04:54 +00:00
bot	ab0a249eca	Merge pull request 'Update DeterminateSystems/magic-nix-cache-action action to v14' (#279 ) from renovate/determinatesystems-magic-nix-cache-action-14.x into main	2026-05-29 04:02:55 +02:00
Renovate Bot	2000b37940	Update DeterminateSystems/magic-nix-cache-action action to v14	2026-05-29 02:02:51 +00:00
bot	fc0e449a99	Merge pull request 'Lock file maintenance' (#278 ) from renovate/lock-file-maintenance into main	2026-05-24 04:07:46 +02:00
Renovate Bot	123d04f12d	Lock file maintenance	2026-05-24 02:07:43 +00:00
bot	489a9f2d5c	Merge pull request 'Lock file maintenance' (#277 ) from renovate/lock-file-maintenance into main	2026-05-23 04:04:16 +02:00
Renovate Bot	f8446664dc	Lock file maintenance	2026-05-23 02:04:14 +00:00
bot	0f38465422	Merge pull request 'Lock file maintenance' (#276 ) from renovate/lock-file-maintenance into main	2026-05-17 04:04:25 +02:00
Renovate Bot	b0cdf80594	Lock file maintenance	2026-05-17 02:04:18 +00:00
bot	c7bec63eaa	Merge pull request 'Lock file maintenance' (#275 ) from renovate/lock-file-maintenance into main	2026-05-16 04:04:49 +02:00
Renovate Bot	e9c0a2827a	Lock file maintenance	2026-05-16 02:04:47 +00:00
bot	7b620b260c	Merge pull request 'Lock file maintenance' (#274 ) from renovate/lock-file-maintenance into main	2026-05-10 04:06:54 +02:00
Renovate Bot	1f8df0ca67	Lock file maintenance	2026-05-10 02:06:42 +00:00
bot	317b4fdbfa	Merge pull request 'Lock file maintenance' (#273 ) from renovate/lock-file-maintenance into main	2026-05-09 04:04:40 +02:00
Renovate Bot	dea9bca8f3	Lock file maintenance	2026-05-09 02:04:36 +00:00
soraefir	c457867440	Improvements to server	2026-05-06 22:48:09 +02:00
soraefir	d73bbd8b18	fix dns on gw	2026-05-06 10:02:27 +02:00
soraefir	95c3c0290a	removed restart, fix wg	2026-05-06 09:54:58 +02:00
soraefir	f80ba36c2a	more db ip fix test	2026-05-06 03:22:55 +02:00
soraefir	e276df28b4	allow ip range db	2026-05-06 03:20:11 +02:00
soraefir	0782278a0c	fix env	2026-05-06 03:10:25 +02:00
soraefir	e334d39f7d	db url	2026-05-06 03:03:48 +02:00
soraefir	e05f6dd125	fix db	2026-05-06 03:01:12 +02:00
soraefir	158bee36f8	Allow nftabless db	2026-05-06 02:58:42 +02:00
soraefir	9600f7a370	postgres ip allow	2026-05-06 02:54:12 +02:00
soraefir	83b921afcc	Fix env	2026-05-06 02:42:46 +02:00
soraefir	aaee4d9442	Fix passwords	2026-05-06 02:40:08 +02:00
soraefir	e3e535f527	Fix db	2026-05-06 02:37:23 +02:00
soraefir	865c12cacc	update	2026-05-06 02:26:06 +02:00
soraefir	02a8ffeb10	Fix db password	2026-05-06 02:24:26 +02:00
soraefir	c57f19b18d	Db host	2026-05-06 02:11:11 +02:00
soraefir	f81ba27e56	Fix race condition	2026-05-06 02:05:52 +02:00
soraefir	dd192d2983	Fix db init	2026-05-06 02:01:25 +02:00
soraefir	e7a414df5f	Fix missing user	2026-05-06 01:58:07 +02:00
soraefir	f3fcb320be	missing pacro	2026-05-06 01:55:25 +02:00
soraefir	710def3ea3	Fix naming	2026-05-06 01:51:25 +02:00
soraefir	b070f6f5e1	Update sops	2026-05-06 01:46:45 +02:00
soraefir	1ada287c8d	Fix sops	2026-05-06 01:35:26 +02:00
soraefir	29a1702c39	Add sops	2026-05-06 01:33:48 +02:00
soraefir	226a1baaa1	indent	2026-05-06 01:29:31 +02:00
soraefir	2e0295163c	Fix backup	2026-05-06 01:29:08 +02:00
soraefir	282d5206a6	typing	2026-05-06 01:26:02 +02:00
soraefir	7717d07ae8	Fix type	2026-05-06 01:25:45 +02:00
soraefir	4a86b856fb	Fix db	2026-05-06 01:24:32 +02:00
soraefir	a8c8740b14	Fix db pointer	2026-05-06 01:21:01 +02:00
soraefir	a44dc8108d	test	2026-05-06 01:11:28 +02:00
soraefir	626a88c8c8	Fixed	2026-05-06 01:07:48 +02:00
soraefir	fd7797c6e7	Wip Migrate podman	2026-05-06 01:05:32 +02:00
soraefir	b2d040d414	Add tmpfile rule	2026-05-05 00:27:24 +02:00
soraefir	cd05d939a8	Fix wireguard	2026-05-05 00:06:47 +02:00
soraefir	d626c13572	fix containers	2026-05-04 23:43:29 +02:00
soraefir	c779c1760b	Fix opt	2026-05-04 23:19:33 +02:00
soraefir	8876b63c7b	Fix2	2026-05-04 23:17:31 +02:00
soraefir	be0ccc9e79	Test fix	2026-05-04 23:17:12 +02:00
soraefir	662424f1d1	New server docker	2026-05-04 23:15:04 +02:00
soraefir	1566aca2b8	virt enable	2026-05-04 00:39:39 +02:00
soraefir	28fdc04c7b	Fix types	2026-05-04 00:10:05 +02:00
soraefir	ce569f16e2	Fix srvcfg	2026-05-04 00:08:49 +02:00
soraefir	e53997093b	fix server cfg	2026-05-04 00:01:52 +02:00
soraefir	66b594a1a2	Fix path	2026-05-03 23:17:18 +02:00
soraefir	7c91cd4733	docker sandbox	2026-05-03 23:13:27 +02:00
soraefir	da2aa4649e	Fix mock sops	2026-05-03 17:47:50 +02:00
soraefir	90b7eb097f	fix openssh	2026-05-03 17:45:27 +02:00
soraefir	4946fa999b	Fix	2026-05-03 17:37:21 +02:00
soraefir	f1ce4b7b81	Fix sops	2026-05-03 17:10:19 +02:00
soraefir	e9eb4d9506	Cleanup and fixed	2026-05-03 15:34:10 +02:00
soraefir	c8cb980c15	Fix ports firewall	2026-05-03 13:45:16 +02:00
bot	38350b91e1	Merge pull request 'Lock file maintenance' (#272 ) from renovate/lock-file-maintenance into main	2026-05-03 04:05:59 +02:00
Renovate Bot	142d842886	Lock file maintenance	2026-05-03 02:05:52 +00:00
soraefir	c9e59a9a89	fix missing arg	2026-05-03 02:24:11 +02:00
soraefir	b1afbf6bbe	missing lib	2026-05-03 02:23:41 +02:00
soraefir	4c2f368da3	fix sops	2026-05-03 02:23:16 +02:00
soraefir	9377d1ce45	Better Server cfg	2026-05-03 02:20:41 +02:00
soraefir	d3a3941591	keepalive	2026-05-03 01:47:38 +02:00
soraefir	b1bbb3ce86	SSH fix	2026-05-03 01:25:22 +02:00
soraefir	d8be8b72ab	Fix ssh	2026-05-02 22:05:58 +02:00
soraefir	59709bcde9	Fix ssh	2026-05-02 21:40:06 +02:00
soraefir	b0f5ef7439	Fix Ssh	2026-05-02 21:39:40 +02:00
soraefir	301d8d1ea6	fixx	2026-05-02 21:12:43 +02:00
soraefir	5aa041ba27	ssh fix	2026-05-02 21:11:57 +02:00
soraefir	d2e35d3673	Fix ssh	2026-05-02 21:00:05 +02:00
soraefir	0baf9c1800	Fix SSH	2026-05-02 20:49:35 +02:00
soraefir	a7edc932a8	Fix VPS	2026-05-02 19:25:11 +02:00
soraefir	ae82eaa500	Fix	2026-05-02 10:32:08 +02:00
soraefir	e24e96f091	Fix VPS	2026-05-02 10:30:52 +02:00
soraefir	b42579f8cd	Fix	2026-05-02 10:29:56 +02:00
soraefir	0192a1ace0	Fix boot	2026-05-02 10:29:21 +02:00
soraefir	dcc5c440f7	fix avalon	2026-05-02 10:12:36 +02:00
soraefir	1ceb440026	fix	2026-05-02 09:51:08 +02:00
bot	25b2e3e05f	Merge pull request 'Lock file maintenance' (#271 ) from renovate/lock-file-maintenance into main	2026-05-02 04:03:53 +02:00
Renovate Bot	c823dbab4d	Lock file maintenance	2026-05-02 02:03:51 +00:00
soraefir	32bbe70e2e	fix	2026-05-02 00:26:53 +02:00
soraefir	1248c258df	fix	2026-05-02 00:25:47 +02:00
soraefir	f852ed7662	Fix	2026-05-02 00:21:57 +02:00
soraefir	4729a82990	pkgs	2026-05-02 00:20:50 +02:00
soraefir	c9ebc6e512	wg sops	2026-05-02 00:20:20 +02:00
soraefir	d68c26a4eb	test	2026-05-02 00:04:02 +02:00
soraefir	7b3d80c86e	Fixing	2026-05-01 23:57:01 +02:00
soraefir	f98fee7988	wg fix	2026-05-01 23:52:10 +02:00
soraefir	401bb84bb0	temp ssh	2026-05-01 23:33:08 +02:00
soraefir	39ea963b7c	Fix	2026-05-01 23:29:54 +02:00
soraefir	7cbb8ffae2	Fix	2026-05-01 23:26:23 +02:00
soraefir	9d9e99e462	fix	2026-05-01 23:22:21 +02:00
soraefir	3f5d05e076	Sops	2026-05-01 23:17:43 +02:00
soraefir	c1670a406c	sops	2026-05-01 23:13:34 +02:00
soraefir	76b77b532c	Boot	2026-05-01 23:03:39 +02:00
soraefir	16add98b0d	boot fix	2026-05-01 22:57:34 +02:00
soraefir	f764e681c0	Gateway Boot	2026-05-01 22:49:06 +02:00
soraefir	f3c8020a85	Force	2026-05-01 22:40:19 +02:00
soraefir	376ac4a229	no bootloader on vps	2026-05-01 22:39:11 +02:00
soraefir	d4e599bd9b	Fixes	2026-05-01 22:01:54 +02:00
soraefir	edc764461c	Fix asguard name	2026-05-01 21:32:27 +02:00
soraefir	cf9c7f8b80	Fix	2026-05-01 18:55:03 +02:00
soraefir	0cdd18bec7	Fix	2026-05-01 18:53:18 +02:00
soraefir	5cbf1e8555	fix forwading	2026-05-01 18:51:45 +02:00
soraefir	735a9e2e0e	Fix	2026-05-01 18:46:55 +02:00
soraefir	eba7f7bd74	fix	2026-05-01 18:46:22 +02:00
soraefir	beb6ef1b05	Fix	2026-05-01 18:44:33 +02:00
soraefir	e519f5c03c	Fix sops	2026-05-01 18:43:49 +02:00
soraefir	d55fd5fc0e	Fix sops	2026-05-01 18:42:47 +02:00
soraefir	b31f6cd331	Fix sops for wg peers	2026-05-01 18:38:13 +02:00
soraefir	9b0fc14795	Cleaner forwarding	2026-05-01 17:57:06 +02:00
soraefir	32c83bca98	Fix cfg	2026-05-01 17:48:43 +02:00
soraefir	a7ce1dc7ea	Migrate gateway	2026-05-01 17:43:01 +02:00
bot	60bf451310	Merge pull request 'Lock file maintenance' (#270 ) from renovate/lock-file-maintenance into main	2026-04-26 04:04:29 +02:00
Renovate Bot	7f6e5879aa	Lock file maintenance	2026-04-26 02:04:26 +00:00
bot	3fd400062d	Merge pull request 'Lock file maintenance' (#269 ) from renovate/lock-file-maintenance into main	2026-04-25 04:16:05 +02:00
Renovate Bot	637297130f	Lock file maintenance	2026-04-25 02:15:51 +00:00
sora	9ab6a6b92b	Update modules/home/gui/apps/develop/default.nix	2026-04-24 22:04:54 +02:00
bot	94c2956904	Merge pull request 'Lock file maintenance' (#268 ) from renovate/lock-file-maintenance into main	2026-04-19 04:04:43 +02:00
Renovate Bot	fadd1ca63e	Lock file maintenance	2026-04-19 02:04:40 +00:00
bot	5f64431332	Merge pull request 'Lock file maintenance' (#267 ) from renovate/lock-file-maintenance into main	2026-04-18 04:07:43 +02:00
Renovate Bot	2f8284bf61	Lock file maintenance	2026-04-18 02:07:13 +00:00
bot	14436f4507	Merge pull request 'Lock file maintenance' (#266 ) from renovate/lock-file-maintenance into main	2026-04-12 04:04:18 +02:00
Renovate Bot	26641247ea	Lock file maintenance	2026-04-12 02:04:16 +00:00
bot	030c938dfa	Merge pull request 'Lock file maintenance' (#265 ) from renovate/lock-file-maintenance into main	2026-04-11 04:05:14 +02:00
Renovate Bot	b7f2be0337	Lock file maintenance	2026-04-11 02:05:07 +00:00
bot	3b3545e8a4	Merge pull request 'Lock file maintenance' (#264 ) from renovate/lock-file-maintenance into main	2026-04-05 04:04:31 +02:00
Renovate Bot	2f8a20e062	Lock file maintenance	2026-04-05 02:04:28 +00:00
bot	aa0845a3f8	Merge pull request 'Lock file maintenance' (#263 ) from renovate/lock-file-maintenance into main	2026-04-04 04:04:20 +02:00
Renovate Bot	8d27ca6dd1	Lock file maintenance	2026-04-04 02:04:16 +00:00