Merge pull request 'Lock file maintenance' (#282) from renovate/lock-file-maintenance into main

.gitea/workflows/build.yml

@@ -18,7 +18,7 @@ jobs:
         uses: cachix/install-nix-action@v31
 
     #  - uses: DeterminateSystems/nix-installer-action@v4
-      - uses: DeterminateSystems/magic-nix-cache-action@v13
+      - uses: DeterminateSystems/magic-nix-cache-action@v14
       - uses: DeterminateSystems/flake-checker-action@v12
 
       - name: "Install Cachix ❄️"

.gitea/workflows/update.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v6
       - name: Install nix
-        uses: DeterminateSystems/nix-installer-action@v21
+        uses: DeterminateSystems/nix-installer-action@v22
         with:
           github-token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
           extra_nix_config: |

.sops.yaml

@@ -9,55 +9,57 @@ keys:
     - &avalon age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &valinor age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
     - &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+    - &gateway age1lqvnzlendlmtwgstzrj4xzrwpatwx56k5az5au78fyg99yecwfzs3s6xn6
+    - &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
 
 creation_rules:
   - path_regex: modules/shared/sops/private/iriy.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *iriy
+          - *iriy
-      pgp:
+        pgp:
-      - *sora
+          - *sora
   - path_regex: modules/shared/sops/private/avalon.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *avalon
+          - *avalon
-      pgp:
+        pgp:
-      - *sora
+          - *sora
   - path_regex: modules/shared/sops/private/valinor.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *valinor
+          - *valinor
-      pgp:
+        pgp:
-      - *sora
+          - *sora
   - path_regex: modules/shared/sops/private/asgard.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *asgard
+          - *asgard
-      pgp:
+        pgp:
-      - *sora
+          - *sora
 
   - path_regex: modules/shared/sops/common.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *valinor
+          - *valinor
-      - *iriy
+          - *iriy
-      - *avalon
+          - *avalon
-      - *asgard
+          - *asgard
-      pgp:
+          - *gateway
-      - *sora
+        pgp:
-  
+          - *sora
+
   - path_regex: modules/shared/sops/mock.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *ci
+          - *ci
-
+          - *sandbox
 
   - path_regex: modules/server/sops/server.[a-z]+
     key_groups:
-    - age:
+      - age:
-      - *valinor
+          - *avalon
-      - *iriy
+          - *sandbox
-      - *avalon
+
-      - *asgard
+        pgp:
-      pgp:
+          - *sora
-      - *sora

flake.lock

@@ -45,11 +45,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773000227,
+        "lastModified": 1779036909,
-        "narHash": "sha256-zm3ftUQw0MPumYi91HovoGhgyZBlM4o3Zy0LhPNwzXE=",
+        "narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "da529ac9e46f25ed5616fd634079a5f3c579135f",
+        "rev": "56c666e108467d87d13508936aade6d567f2a501",
         "type": "github"
       },
       "original": {
@@ -102,12 +102,15 @@
       }
     },
     "hardware": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
       "locked": {
-        "lastModified": 1774567711,
+        "lastModified": 1780310866,
-        "narHash": "sha256-uVlOHBvt6Vc/iYNJXLPa4c3cLXwMllOCVfAaLAcphIo=",
+        "narHash": "sha256-fPBRVf6A5xlACYcOI59shGrjURuvwu0lRsDoSCEXt/I=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "3f6f874dfc34d386d10e434c48ad966c4832243e",
+        "rev": "4ed851c979641e28597a05086332d75cdc9e395f",
         "type": "github"
       },
       "original": {
@@ -139,11 +142,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774559029,
+        "lastModified": 1779506708,
-        "narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=",
+        "narHash": "sha256-QOD/CNm196nCJRheux/URi4/HE66fthdOMqCJoPP1Y0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "a0bb0d11514f92b639514220114ac8063c72d0a3",
+        "rev": "3ee51fbdac8c8bdfe1e7e1fcaba6520a563f394f",
         "type": "github"
       },
       "original": {
@@ -174,11 +177,11 @@
     },
     "nixUnstable": {
       "locked": {
-        "lastModified": 1774273680,
+        "lastModified": 1780365719,
-        "narHash": "sha256-a++tZ1RQsDb1I0NHrFwdGuRlR5TORvCEUksM459wKUA=",
+        "narHash": "sha256-QfWfccTN+70ZQ4m2qlU9PiKfz2Yppq94058iJyARNwc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fdc7b8f7b30fdbedec91b71ed82f36e1637483ed",
+        "rev": "ffa10e26ae11d676b2db836259889f1f571cb14f",
         "type": "github"
       },
       "original": {
@@ -190,18 +193,15 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1774388614,
+        "lastModified": 1767892417,
-        "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=",
+        "narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
-        "owner": "nixos",
+        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
-        "repo": "nixpkgs",
+        "type": "tarball",
-        "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e",
+        "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
-        "type": "github"
       },
       "original": {
-        "owner": "nixos",
+        "type": "tarball",
-        "ref": "nixos-25.11",
+        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
-        "repo": "nixpkgs",
-        "type": "github"
       }
     },
     "nixpkgs-lib": {
@@ -221,11 +221,27 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1774386573,
+        "lastModified": 1780511130,
-        "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
+        "narHash": "sha256-2v9lT4ya59Lh1FqPeLnz1MoX9y/wz2huqfe9RtQZITk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
+        "rev": "535f3e6942cb1cead3929c604320d3db54b542b9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1780243769,
+        "narHash": "sha256-x5UQuRsH3MqI0U9afaXSNqzTPSeZlRLvFAav2Ux1pNw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "331800de5053fcebacf6813adb5db9c9dca22a0c",
         "type": "github"
       },
       "original": {
@@ -238,14 +254,14 @@
     "nur": {
       "inputs": {
         "flake-parts": "flake-parts_2",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1774655848,
+        "lastModified": 1780704056,
-        "narHash": "sha256-+V9+/txExefs3qdjHdppIa3FNsaYf+lplhEht1oN3SE=",
+        "narHash": "sha256-wPq16Ci9SMTSqEJbjaBKaHZBb4eS4ryVHwd3yY/vP3A=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "bf077d93ae7704fc6cb26b22fc017e5a3fcc5ea7",
+        "rev": "c4975e3a5b23f14f4bd43e28a0d42f2b16e6f0b8",
         "type": "github"
       },
       "original": {
@@ -262,7 +278,7 @@
         "home-manager": "home-manager",
         "nix-colors": "nix-colors",
         "nixUnstable": "nixUnstable",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nur": "nur",
         "sops-nix": "sops-nix"
       }
@@ -274,11 +290,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774303811,
+        "lastModified": 1780547341,
-        "narHash": "sha256-fhG4JAcLgjKwt+XHbjs8brpWnyKUfU4LikLm3s0Q/ic=",
+        "narHash": "sha256-Gq8KNx5A7hBB3uGJaj6eQfLDIz5YdLu92gqBcvHvoUo=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "614e256310e0a4f8a9ccae3fa80c11844fba7042",
+        "rev": "9ed65852b6257fbeae4355bc24ecfea307ca759a",
         "type": "github"
       },
       "original": {

flake.nix

@@ -44,6 +44,7 @@
         avalon = gen.generate { host = "avalon"; };
         ci = gen.generate { host = "ci"; };
         sandbox = gen.generate { host = "sandbox"; };
+        gateway = gen.generate { host = "gateway"; };
       };
       darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
       homeConfigurations = {

modules/home/cli/git/default.nix

@@ -1,9 +1,9 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
 
   programs.git = {
     enable = true;
-    signing = {
+    signing = lib.mkIf (config.usercfg.git.key != null) {
-      key = "${config.usercfg.git.key}";
+      key = config.usercfg.git.key;
       signByDefault = true;
     };
     ignores = [ "*result*" ".direnv" "node_modules" ];

modules/home/gui/apps/develop/default.nix

@@ -2,6 +2,6 @@
   imports = [ ./vscodium ];
 
   config = lib.mkIf (config.syscfg.make.develop) {
-    home.packages = with pkgs; [ blender godot_4 openscad-unstable orca-slicer pandoc];
+    home.packages = with pkgs; [ blender godot_4 openscad-unstable orca-slicer pandoc claude-code];
   };
 }

modules/home/gui/games/default.nix

@@ -11,7 +11,7 @@
       gamemode
       #gamescope
       #mangohud
-      #prismlauncher
+      prismlauncher
       openttd-jgrpp
       #bottles
       lutris

modules/home/gui/games/wow.nix

@@ -19,64 +19,5 @@
               "wago_addons": null
             }
         }'';
-
-# curse:master-plan
-# curse:raretrackercore-rt
-# curse:raretrackerdragonflight-rtd
-# curse:raretrackermaw-rtmw
-# curse:raretrackermechagon-rtm
-# curse:raretrackerthewarwithin-rtww
-# curse:raretrackertimelessisle-rtti
-# curse:raretrackeruldum-rtu
-# curse:raretrackervale-rtv
-# curse:raretrackerworldbosses-rtwb
-# curse:raretrackerzerethmortis-rtz
-# curse:venture-plan
-# curse:war-plan
-# github:nevcairiel/bartender4
-# github:cidan/betterbags
-# github:bigwigsmods/bigwigs
-# github:bigwigsmods/bigwigs_battleforazeroth
-# github:bigwigsmods/bigwigs_burningcrusade
-# github:bigwigsmods/bigwigs_cataclysm
-# github:bigwigsmods/bigwigs_classic
-# github:bigwigsmods/bigwigs_dragonflight
-# github:bigwigsmods/bigwigs_legion
-# github:bigwigsmods/bigwigs_mistsofpandaria
-# github:bigwigsmods/bigwigs_shadowlands
-# github:bigwigsmods/bigwigs_warlordsofdraenor
-# github:bigwigsmods/bigwigs_wrathofthelichking
-# github:nezroy/demodal
-# github:curseforge-mirror/details
-# github:edusperoni/details_elitism
-# github:curseforge-mirror/elitismhelper
-# github:michaelnpsp/grid2
-# github:jods-gh/groupfinderrio
-# github:nevcairiel/handynotes
-# github:hekili/hekili
-# github:thekrowi/krowi_achievementfilter
-# github:bigwigsmods/littlewigs
-# github:nnoggie/mythicdungeontools
-# github:tullamods/omnicc
-# github:tercioo/plater-nameplates
-# github:curseforge-mirror/quest_completist
-# github:raiderio/raiderio-addon
-# github:wowrarity/rarity
-# github:nevcairiel/shadowedunitframes
-# github:simulationcraft/simc-addon
-# github:curseforge-mirror/tomcats
-# github:weakauras/weakauras2
-# github:kemayo/wow-handynotes-battleforazerothtreasures
-# github:kemayo/wow-handynotes-dragonflight
-# github:kemayo/wow-handynotes-legiontreasures
-# github:kemayo/wow-handynotes-longforgottenhippogryph
-# github:kemayo/wow-handynotes-lostandfound
-# github:kemayo/wow-handynotes-secretfish
-# github:kemayo/wow-handynotes-shadowlandstreasures
-# github:kemayo/wow-handynotes-stygia
-# github:kemayo/wow-handynotes-treasurehunter
-# github:kemayo/wow-handynotes-warwithin
-# wowi:7032-tomtom
-
   };
 }

modules/nixos/system/hw/boot/default.nix

@@ -9,7 +9,7 @@ in {
       };
       efi = {
         canTouchEfiVariables = true;
-        efiSysMountPoint = "/boot/efi";
+        efiSysMountPoint = "/boot";
       };
     };
   };

modules/nixos/system/hw/virt/default.nix

@@ -11,9 +11,10 @@
         dockerSocket.enable = true;
         dockerCompat = true;
         defaultNetwork.settings = {
-          dnsname.enable = true;
+          #dnsname.enable = true;
-          internal = true;
+          dns_enabled = true;
-          name = "internal";
+          #internal = true;
+          #name = "internal";
         };
       };
     };

modules/nixos/system/network/base/default.nix

@@ -4,6 +4,15 @@
     useDHCP = true;
     nameservers = [ "1.1.1.1" "9.9.9.9" ];
 
-    firewall = { enable = true; };
+    firewall = { 
+      enable = true;
+      allowedUDPPorts = 
+        (if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++ 
+        [ ];
+
+      allowedTCPPorts = 
+        (if config.syscfg.server ? web       then [ 80 443 22 ] else [ ]) ++ 
+        [ ];
+    };
   };
 }

modules/nixos/system/network/wireguard/default.nix

@@ -1,4 +1,12 @@
-{ config, lib, ... }: {
+{ config, lib, pkgs, ... }: let
+
+  isValidPeer = p: 
+    (p ? syscfg.net.wg.enable) && 
+    (p.syscfg.net.wg.enable == true) && 
+    (p.syscfg.net.wg.pubkey != config.syscfg.net.wg.pubkey);
+  activePeers = builtins.filter isValidPeer config.syscfg.peers;
+in
+{
   config = lib.mkIf (config.syscfg.net.wg.enable) {
     networking.wireguard = {
       enable = true;
@@ -9,14 +17,26 @@
             config.sops.secrets."${config.syscfg.hostname}_wg_priv".path;
           listenPort = 1515;
           mtu = 1340;
-          peers = [{
+          peers = 
-            allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
+            if (config.syscfg.server ? wireguard && config.syscfg.server.wireguard) then
-            endpoint = "vpn.helcel.net:1515";
+              map (p: {
-            publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+                name = p.syscfg.hostname;
-            persistentKeepalive = 30;
+                publicKey = p.syscfg.net.wg.pubkey;
-          }];
+                allowedIPs = [ p.syscfg.net.wg.ip4 p.syscfg.net.wg.ip6 ];
+              }) activePeers
+            else
+              [{
+                allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
+                endpoint = "vpn.helcel.net:1515";
+                publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+                persistentKeepalive = 30;
+              }];
         };
       };
     };
+    systemd.services."wireguard-wg0" = {
+      after = [ "network-online.target" "nss-lookup.target" ];
+      wants = [ "network-online.target" "nss-lookup.target" ];
+    };
   };
 }

modules/server/containers/default.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.syscfg.server.containers;
+  enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
+  containerSetsList = lib.mapAttrsToList (name: containerCfg:
+  let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg;};
+  in{
+    containers = lib.mapAttrs' (cName: cValue: 
+      lib.nameValuePair "${name}-${cName}" cValue
+    ) defs.containers;
+  }
+) enabledConfigs;
+  mergedContainers = lib.attrsets.mergeAttrsList  (lib.map(e: e.containers) containerSetsList);
+  allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
+in
+{
+  config = lib.mkIf ( enabledConfigs != {} ) {
+
+    virtualisation.oci-containers = {
+      backend = "podman";
+      containers = mergedContainers;
+    };
+
+    systemd.services.podman-gc = {
+      description = "Podman garbage collection";
+      serviceConfig.Type = "oneshot";
+      script = ''
+        ${pkgs.podman}/bin/podman container prune -f
+        ${pkgs.podman}/bin/podman image prune -f
+      '';
+      startAt = "weekly";
+    };
+    
+    system.activationScripts.container-setup-dirs = {
+      deps = [ "users" "groups" ];
+      text = lib.concatStringsSep "\n" (map (cfg: ''
+        mkdir -p "${cfg.path}"
+        chown ${cfg.owner} "${cfg.path}"
+        chmod ${cfg.mode} "${cfg.path}"
+      '') allPathConfigs);
+    };
+  };
+}

modules/server/containers/defs/authentik.nix

@@ -0,0 +1,78 @@
+{ config, containerCfg, pkgs, lib, ... }:
+let 
+serverCfg = config.syscfg.server;
+in {
+  paths = [{
+    path="${serverCfg.dataPath}/authentik/media";
+    owner = "1000:1000";
+    mode = "0755";
+  }{
+    path="${serverCfg.dataPath}/authentik/templates";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+
+  containers = {
+
+    server = {
+      image = "ghcr.io/goauthentik/server:latest";
+      volumes = [
+        "${serverCfg.dataPath}/authentik/media:/media"
+        "${serverCfg.dataPath}/authentik/templates:/templates"
+      ];
+      environmentFiles = [
+        config.sops.secrets."AUTHENTIK".path
+      ];
+      environment = {
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
+        "AUTHENTIK_EMAIL__PORT" = "587";
+        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
+        "AUTHENTIK_EMAIL__USE_TLS" = "true";
+        "AUTHENTIK_EMAIL__USE_SSL" = "false";
+        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
+        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
+      };
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.sso.entrypoints" = "web-secure";
+        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
+        "traefik.http.routers.sso.tls" = "true";
+        "traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
+      };
+      cmd = [ "server" ];
+      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+        "--ip=${containerCfg.ip}"
+      ];
+      ports = [
+        "9999:${toString containerCfg.port}"
+      ];
+    };
+
+    worker = {
+      image = "ghcr.io/goauthentik/server:latest";
+      volumes = [
+        "${serverCfg.dataPath}/authentik/media:/media"
+        "${serverCfg.dataPath}/authentik/templates:/templates"
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+      environmentFiles = [
+        config.sops.secrets."AUTHENTIK".path
+      ];
+      environment = {
+        "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+      };
+      extraOptions = [
+        "--add-host=host.containers.internal:host-gateway"
+      ];
+      cmd = [ "worker" ];
+    };
+  };
+}

modules/server/database/default.nix

@@ -0,0 +1,76 @@
+
+{ config, lib, pkgs, ... }:
+let
+  listNames = config.syscfg.server.db;
+
+  containerNames = lib.mapAttrsToList 
+    (name: cfg: name) 
+    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
+
+  allApps = lib.unique (listNames ++ containerNames);
+
+in {
+  config = lib.mkIf ( builtins.length allApps > 0) {
+    services.postgresql = {
+      enable = true;
+      enableTCPIP = true; # Required to listen on network interfaces
+      settings = {
+        listen_addresses = lib.mkForce "*"; 
+      };
+      authentication = pkgs.lib.mkOverride 10 ''
+         # TYPE  DATABASE        USER            ADDRESS                 METHOD
+         local   all             all                                     trust
+         host    all             all             127.0.0.1/32            trust
+         host    all             all             ::1/128                 trust
+         host    all             all             10.0.0.0/8              scram-sha-256
+         host    all             all             169.254.0.0/16          scram-sha-256
+      '';
+      ensureDatabases = map (name: "${name}_db") allApps;
+      ensureUsers = map (name: { name = "${name}_user"; }) allApps;
+    };
+    services.postgresqlBackup = {
+      enable = true;
+      location = "/var/lib/postgresql/backups";
+      startAt = "*-*-* 04:00:00"; # Runs every day at 4 AM
+      backupAll = true; # Backs up all databases and roles
+    };
+
+    services.redis.servers."main" = {
+      enable = true;
+      port = 6379;
+      bind = "*";
+      settings.protected-mode = "no";
+    };
+
+
+    systemd.services.postgresql-init = {
+      description = "Custom Postgres Setup (Ownership & Passwords)";
+      after = [ "postgresql.service" ];
+      wantedBy = [ "multi-user.target" ];
+      
+      serviceConfig = {
+        Type = "oneshot";
+        User = "postgres";
+        RemainAfterExit = true;
+      };
+
+      script = ''
+        ${pkgs.coreutils}/bin/sleep 2
+        PSQL="${pkgs.postgresql}/bin/psql"
+        ${lib.concatMapStringsSep "\n" (name: ''
+          $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
+          
+          if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
+            PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
+            echo $PASS
+            if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
+                echo "✅ Successfully set password for ${name}_user"
+            else
+                echo "❌ FAILED to set password for ${name}_user"
+            fi
+          fi
+        '') allApps}
+      '';
+    };
+  };
+}

modules/server/default.nix

@@ -1,15 +1,3 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:{
-let
+  imports = [ ./containers ./database ./nftables ./openssh ./sops ];
-in {
-  imports = [ ./sops ];
-  environment.systemPackages = with pkgs; [ arion ];
-  virtualisation.arion = {
-    backend = "podman-socket";
-    projects = {
-      cloud.settings = import ./docker/cloud.nix { inherit config pkgs lib; };
-      authentik.settings =
-        import ./docker/authentik.nix { inherit config pkgs lib; };
-    };
-  };
-
 }

modules/server/docker/authentik.nix

@@ -1,104 +0,0 @@
-{ config, pkgs, lib, ... }:
-let serverCfg = config.syscfg.server;
-in {
-  project.name = "authentik";
-
-  networks = {
-    internal = {
-      name = lib.mkForce "internal";
-      internal = true;
-    };
-    external = {
-      name = lib.mkForce "external";
-      internal = false;
-    };
-  };
-
-  services = {
-
-    auth_postgresql.service = {
-      image = "postgres:14-alpine";
-      container_name = "auth_postgresql";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ ];
-      environment = {
-        POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
-        POSTGRES_USER = "authentik";
-        POSTGRES_DB = "authentik";
-      };
-    };
-
-    auth_redis.service = {
-      image = "redis:alpine";
-      container_name = "auth_redis";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [ ];
-      environment = { };
-      labels = { "traefik.enable" = "false"; };
-    };
-
-    auth_server.service = {
-      image = "ghcr.io/goauthentik/server:latest";
-      container_name = "auth_server";
-      restart = "unless-stopped";
-      networks = [ "internal" "external" ];
-      volumes = [
-        "${serverCfg.dataPath}/authentik/media:/media"
-        "${serverCfg.dataPath}/authentik/templates:/templates"
-      ];
-      environment = {
-        "AUTHENTIK_REDIS__HOST" = "auth_redis";
-        "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
-        "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
-        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
-        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
-        "AUTHENTIK_EMAIL__PORT" = "587";
-        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
-        "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
-        "AUTHENTIK_EMAIL__USE_TLS" = "true";
-        "AUTHENTIK_EMAIL__USE_SSL" = "false";
-        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
-        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
-      };
-      labels = {
-        "traefik.enable" = "true";
-        "traefik.http.routers.sso.entrypoints" = "web-secure";
-        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
-        "traefik.http.routers.sso.tls" = "true";
-        "traefik.http.services.sso.loadbalancer.server.port" = "9000";
-        "traefik.docker.network" = "external";
-      };
-      command = "server";
-      ports = [
-        "9999:9000" # host:container
-      ];
-    };
-
-    auth_worker.service = {
-      image = "ghcr.io/goauthentik/server:latest";
-      container_name = "auth_worker";
-      restart = "unless-stopped";
-      networks = [ "internal" ];
-      volumes = [
-        "${serverCfg.dataPath}/authentik/media:/media"
-        "${serverCfg.dataPath}/authentik/templates:/templates"
-        "/var/run/docker.sock:/var/run/docker.sock"
-      ];
-      environment = {
-        "AUTHENTIK_REDIS__HOST" = "auth_redis";
-        "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
-        "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
-        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
-      };
-      labels = { "traefik.enable" = "false"; };
-      command = "worker";
-      user = "root";
-    };
-  };
-}

modules/server/nftables/default.nix

@@ -0,0 +1,47 @@
+
+
+{ config, lib, ... }:{
+  config = lib.mkIf (config.syscfg.server.nftables.enable) {
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+    };
+
+    networking.nftables.enable = true;
+    networking.nftables.ruleset = ''
+      table inet filter {
+        chain input {
+          type filter hook input priority filter; policy accept;
+          tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
+          
+        }
+      }
+      table inet nat {
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept;
+          
+          ${lib.concatMapStringsSep "\n" (rule:
+            let
+              srcInt = builtins.elemAt rule 0;
+              dstAddr4 = builtins.elemAt rule 1;
+              dstAddr6 = builtins.elemAt rule 2;
+              srcPort = toString (builtins.elemAt rule 3);
+              dstPort = toString (builtins.elemAt rule 4);
+            in ''
+                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
+                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
+
+                iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
+                iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
+            ''
+          ) config.syscfg.server.nftables.ports}
+        }
+        
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
+        }
+      }
+    '';
+  };
+}

modules/server/openssh/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, ... }: 
+let
+  allUsers = lib.concatMap (peer: if peer.syscfg ? users then peer.syscfg.users else []) config.syscfg.peers;
+  groupedUsers = lib.groupBy (u: u.username) allUsers;
+  allowedUsernames = map (u: u.username) config.syscfg.users;
+  activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers;
+in {
+  config = lib.mkIf (config.syscfg.server.openssh) {
+    services.openssh = {
+        enable = true;
+        ports = [ 422 ];
+        banner = "";
+        settings = {
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+        ClientAliveInterval = 60;
+        ClientAliveCountMax = 3;
+        TCPKeepAlive = true;
+        };
+    };
+    users.users = lib.mapAttrs (name: userList: {
+        openssh.authorizedKeys.keys = lib.unique (
+        lib.concatMap (u: if u ? pubssh then [ u.pubssh ] else []) userList
+        );
+    }) activeUsers;
+    };
+}

modules/server/sops/default.nix

@@ -1,20 +1,16 @@
-{ config, pkgs, ... }: {
+{ config, lib, pkgs, ... }:
-  sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
+let
-  sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
+ listNames = config.syscfg.server.db;
-    mode = "0400";
+  containerNames = lib.mapAttrsToList (name: cfg: name) 
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
+    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
-    group = config.users.users.${config.syscfg.defaultUser}.group;
+  allApps = lib.unique (listNames ++ containerNames);
+in{
+  config = lib.mkIf (config.syscfg.server.sops) {
+    sops.secrets = {
+      INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
+    } // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
+      owner = "postgres";
+      sopsFile = ./server.yaml;
+    }));
   };
-  sops.secrets."iriy_ssh_pub" = {
-    mode = "0444";
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
-    group = config.users.users.${config.syscfg.defaultUser}.group;
-  };
-  sops.secrets."valinor_ssh_pub" = {
-    mode = "0444";
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
-    group = config.users.users.${config.syscfg.defaultUser}.group;
-  };
-  sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
-  sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
 }

modules/server/sops/server.yaml

@@ -1,68 +1,47 @@
 INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
+AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZk1VY3NEZmRkS0J6dU03
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rzc3ak4vRVZiNWxNZEN3
-            OUtETWpHL2hLN09kRytNUEhmVnA5WW9yVXlNCmZaZnQ2YUlMMmlrZ2dEZDVFMHA5
+            N21rSjZqUm9XVWF5TUxNTXVybEMzNCtod0NnClNjODB6VWhzU1VHeVdlZ3hEaE5D
-            OUpqOTJJbHVVREtpSFUyaDJDbXltaTgKLS0tIFY0ZkF3Ym5oeHViN3J4eW4vSVYz
+            MW9WWWYvYmt5TmNzMzNudDhLSW12RnMKLS0tIDdjc2ZOK3QxaTFJMFdpTHFzcklr
-            QkhuU0NLWElyVXpZd2ZpOHhwam04R28KFuaI35e8pB25M2dlP19gApso12ZYJ3ld
+            clZnQXpPbWs5aXZJeUlxOWhJNmIrOFkKZfZ19Y4yfCJi1GrxLsv76JyBmuxW/glF
-            BpMnp97ShX0I8bZRIYxSHpSrB/J+tt1V4pfGdJq7uWZM7XacPy666A==
+            BCJCvmdSSOJx5JW26Y3Y3LwiIuL8yboKR+8ZAwU2fG5OQfs+2czFdQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
+        - recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZXNjRzJsdFpTdDZhSkRB
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cEpsb2gvbDJ0aG5BRWNS
-            eW1qSStnZHN5Tzh3bFA1azZIRk42V1RzSTJJCi9MV0k5ZXNQOWJFYnlXdnB3azBL
+            WXgydFo3ZkF3SmVIU1EvaHVjb3RvK3BxVDJrCis2ME9zUEVGQURFdmJXS2lTSklk
-            NzNldkFLWlEyT01MeWlFU3RKODU4dWcKLS0tIFJXL1ZsNDgydTgxVGRMYWxyQTNT
+            V3ZONHpTZVJqMUxOVkd5ZDlqVTRNdzgKLS0tIGwwR0k1Vll6bEdmZVZvVktzMTRN
-            K1M0TDd1eGd1V3pOcjl1M1VrdDUvbG8KpsWlrr14MOh/8mG+rXpswPPFE3VnpKGt
+            S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
-            03DWUII3+MMEWLJPLxkNJ9BzCm4Kl1QNHSbJ7Ex6df0b7nB6Ed6Hvw==
+            d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
+    lastmodified: "2026-05-06T01:10:20Z"
-          enc: |
+    mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str]
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5U1VjTjlIMTdLRFQ5R1Av
-            SVBLMFZtV3ppK2VXWjdYelNGTGFOZUJaMndBCjYyZ0IveXFiVDlSUEtNOXk2L3g3
-            UmFIRE1GMEs2QVhUcFJkTHpCWmhhbG8KLS0tIG94NStMUnFZRTRsK2w4cDd4Rms5
-            M1MwTEtJNEFDdjRLVFRseThxNGJUQ0kKKN7QX9qUojNQBknbInaXslaKsAAhEj5y
-            QMXAU6TxlHMv+wZy2RQwMe/zE7RP24TypnX894iV0usTHujyxvfk3w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUHFYMWdVczRPdEFSbFR5
-            VmcxeEU4YWxwRTlDUkRkNVY0dFh5cjVUNjNnCkRSblNaS214dkdrd3JnNE5rZnR3
-            S0JVeXova1h2VnB2ODY0SUYxZm45TjAKLS0tIFN1QXFyTkt3SmV0UVhGMlMxTmpN
-            VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq
-            VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T16:05:46Z"
-    mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str]
     pgp:
-        - created_at: "2024-05-08T15:46:52Z"
+        - created_at: "2026-05-05T23:46:27Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA6R3Y9nD7qMBAQ//bYK5gdxv8fNvG6P4GrD27gQRQXhLGF2+hS54sqEqjeN8
+            hQIMA6R3Y9nD7qMBAQ/+JdTDmQhL1+iX7yeyGs1kt9yQeMYkJ+bQD3LqlQVh6Xea
-            NZpHVbNNRR3AggOkT7QY1JO8bOhWscefH1vvBmBuODzh5Fw42t4zNPEDjWZEetxa
+            yPIdcMBjAf1CNlkJKeJ4QK3f8rsZkxHmUFVDz7yCXctsp81hNBMZ0sauBM50OU4W
-            rClbLEvo7Kz8UKCNb9JIeYx7cr8sPWCmg4GvV1wGjhjr+u5ovuheORnHl+qoLsqv
+            gQsDailZHgG5qCqKx91qSyVLtzVy4zcoTXy8TWLrSwztCt9qqX9LFZTKyZzNTiHW
-            P12PV7VzwC52v92GWiu9LRJqfqZra5GjUXGVXzBcZ9i6CnUDejzssWjhO/fmzKum
+            DHYSwaJdTteXY89pZjPAQ6UtIdoVWaVfvCgaSZAxr3K8IJmobvMhhk/Fgm3CoE6Y
-            GbGIi9sf3RmVYsUASDgRBmVAZC3KF7RLi0L6WY0etRocAaWSAgnU1lZ04E8ZtLjk
+            mfQd4lQhoqxrn2M/FKc30vg0yKVsiW3qlfnJCVHCxYUtQLVs3cF05lmj7CYy+0Mu
-            DlCtIpreJ1H0Ym+5EXB94PG0KZjayxKc20YDQ+yYwwSmiCVaUCLlYX2BOoncUYFF
+            7eZlfVj84hCLmd4ccOITkrOTqcBKWKQ5EpE8DGvWlLPEZt407MjaphEJ7dYhkfr/
-            MxVgWYwn14R5jyGbh4NyiBxPGHvIUx5RCIo70pMgS6W5ALZYTcNDLF82mj1xTOTy
+            x4HrahZoeVbYX2Va0++picut+cE/NL9F/QMfqP4QhdHQhe74FlQcxpGDtcUIQep5
-            bcuaa7FCuXJif457LCe5TcAa5WYDgKX8pUKzFRhWIckcGwgFCUB0Z7+L9L7F0yt/
+            8MvbEAhUpGL4sErg6afmIapxXi3euIXcBDYPatgoAlsH7E8rUTX1Sd4VOgV89kEJ
-            YZd71cY0Lxlwi61CnWgZZMx2FFpHyBCEmF1A180KUtB1jSkS/AVmlM2z9I0QsR62
+            pkl4OOwcaiF+brqtDiTGZf5l6AOugiYTp2Rtq9KMcGEGEmXFLcFKVjNEkZIxNxt3
-            fTFIaqimPMjUzbuTs0QjUXf8OJZo0/cwo9XeGyCBtJTg7cLdsOFouqfvXhvkdCrR
+            EtrXrNmOCVJm71yOn2ruD9n2EXzFULfeyOhup7eYVfynkEWYlCQNHeaqMy2q656m
-            xCLE2Ke5jwmoPKs1t+YpwMMzB57j/rluZCgiz45w7YDXKf4gEp2ra9siFiC/y9PS
+            LWVd89AUzWLcsmY8naWpfekU9K//hLHxRLBzqfouYXJ+Ji/HOvfRj7NZBg6UtgfS
-            XgEPymUiDZY0w9S5oGr94cNc6LQId16Zgt1vWHLzgg8QZqkxLTBjUXXc7aoCISQp
+            XgFOJg3EaLAZEyvEZKWpnWlf3gBTRK3ffaLzs+eddSgzYUutzlOYUZb7v3iEdjta
-            AwUE62KJucVvWjB3kcgDbNvaDWWC5O48zUavmzkmmP1sqKf0gO/XG52PDG/DF3Y=
+            4Ik4F1M+kOGieyVxxLHOHMrOn09+WMmFIiPpBtCIcZmtwOzXNdhbZdFWNx5qPhU=
-            =cs0r
+            =wXdG
             -----END PGP MESSAGE-----
           fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.12.1

modules/shared/sops/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
   isCI = builtins.elem config.syscfg.hostname [ "ci" "sandbox" ];
   keyFilePath = (if isCI then
@@ -14,19 +14,15 @@ in {
   sops.age.keyFile = keyFilePath;
   sops.age.generateKey = true;
 
-  sops.secrets.wifi = { };
+  sops.secrets = lib.mkMerge [
-
+  {
-  sops.secrets."${config.syscfg.hostname}_ssh_priv" = {
+    wifi = { };
-    mode = "0400";
+    "${config.syscfg.hostname}_ssh_priv" = {
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
+      mode = "0400";
-    group = config.users.users.${config.syscfg.defaultUser}.group;
+      owner = config.users.users.${config.syscfg.defaultUser}.name;
-  };
+      group = config.users.users.${config.syscfg.defaultUser}.group;
-  sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
+    };
-    mode = "0444";
+    "${config.syscfg.hostname}_wg_priv" = { };
-    owner = config.users.users.${config.syscfg.defaultUser}.name;
+  }
-    group = config.users.users.${config.syscfg.defaultUser}.group;
+];
-  };
-  sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
-  sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
-
 }

modules/shared/sops/mock.yaml

@@ -13,34 +13,22 @@ sops:
         - recipient: age13qv9dn9806paqgpjwmmkwtdzvv4qpv0ulksq0epnn8ufaxeug5zskyas3z
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwKzJHRy9YOVN2ZFpJblBv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbHNVZjRzQi9ram1xNHk3
-            dS9zUVpsNXhOQ2JLbUZqYXd5QkZmaFc1N1EwCjlpREM4REg1eTZybVZML25HdUtx
+            d3pTTStiMjBLZHgwL0cvUGRwRFFzWi9HS2dvCkQ0ZU5UK1owS0N5MHhxOXV1cGVy
-            bU5vU1FBbUVLOVZzd0hnL1V6SVNXQm8KLS0tIE9QVFg1Umh2dkoyb0pzVlloQmV6
+            RnFQbGlhVy9tSVZKYXBqbzZjZU9nd3cKLS0tIDdXdm1qVTYvdS9sQ0Z0aExpTzB1
-            c2RGcklkT3l2YzFjK1RTMDNpU09SMzAKjcTMPPeUHu4Dq/zXGSb4VYcGjrLdG0KE
+            WkNsWVpqaHRSWkl6YXVrN0NoemhiS1EKoDRocdztTLQ5LMwHdlszTFHy+rm+y4RE
-            Jcpk1DrlpecK6GMaJ1vRiULs8qGlKFFyXqMhzgAx4jNQCoz7QLHDvg==
+            f97a6Z2J87ZfObRbaap5adVD7qk/tTYHGshT/8G1JxjctsxRgdfsmA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSHBpZGg0TlVtMFhjY2Ry
+            NzUrd1pPZFZNdFdLSUxrUUROaVNCTzdGR0hrCkVGUmpGemtFSDErRDArS0Y0WGZu
+            YkYzL2NGMTlnNW1NdStHOGpRN3A1VXcKLS0tIGs0MDIxTmpzSGtRWHZESFhNWXlS
+            Y3N0a2VPUHdoRlpUZ3BPVXROdDRHekEK2YN9ZgCaBPt/8kAkZNgsHp61SYqiFFXX
+            2lF0R1GNmYWm6T0YVCp/2ZN3z4GC+monctg1zoo5QsHfhIOpqIVoTA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-09-06T13:37:03Z"
     mac: ENC[AES256_GCM,data:uI9yG3/jGNGn6yoN9W+9K/AUeSowe4Mb9vhh38pwkuKab9zXTFidCWyh1e0TEOsIHrhfK2GPc2fHwc309/la+CoiNxAIYtC4xmoCYxSGrDgbsZEONrusy9AEKpRCO8CqLYyLYaAG9sLqFyIz3GyEnS/j98V3LeemhFtS17J1VHI=,iv:x/7caaKnggoyEaCx5sf+zzSE+3d7atv+o9B1O3QX0Uc=,tag:Tzfs+ACx+4A6kxAZtVQ3KQ==,type:str]
-    pgp:
-        - created_at: "2025-09-06T13:36:03Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA6R3Y9nD7qMBAQ//UtYJdgvi7DMZ6UC/kDcqB//R6FCyGB6o2mATXy1Ryfgl
-            p6WiK1HfNCb6lR46TOiwWYybo4E93ty1Vg5XCG1Yj/MYFYctHt+GbluBVCkTslRS
-            7XjpUF4a8vzuxc9pys8U2oqhANAcM/UAYlKBnSqjCI+0MiL2jhTPZ4LTKOK6N3hE
-            Uvh2dRAmshQf6VGmSA8/00cuSO6nTkIO2fZ4ihu+r/HCOqYI9LTS+pjRF9JKa8SZ
-            eXYYbym5Xl9d3w9O3OT9kbfkCxNb/pEwU/XPMQpW2KLHQKt8hC36TmAJKlQcK75n
-            1Ai3dP0cxnmdV412Amfzm159rrVIYcGHEeuDJXN0S6rmVSLALTlP+h1vMOuoASjm
-            cLGrEeuuByMaHwoxHWPvLZfIhh+h+PoRF8qkU9ThjjFxpwxx1djzez/FORxYIqMx
-            KIW2JiZVyaavklqu5hNQZ0QcFK558gnuEvzsTSDbMsJVuxmc9OPWW+VHemsAyKCv
-            KRJmrXEsxYD2E7JZn7LQra+gK3/k3txPYldPNaPtaMd31dhQa/QTKjh0rQwmdz+p
-            ADZFTnz4eoLcm8tIL7oH036Pcwt9ukJKptn9k3cXB3tyt0w7J6QY8Q8pfAAq7PrQ
-            ItVWZ94Q+qM0+kjNXPhUnV4JqV1bADBF0dygfzERZr8P2jeioHMmdU6ob9T40u7S
-            XgFyGqxKrst9WgIxGEpsk0mIE0eJKEUwH+oppFZp/7ajq9/Jr2x4aKFyPeJTUjsA
-            koi7NQcKSOwhzf9rYfk/n4HZM0BxXIzHJUEiYtB3QTuxg94PtE593TcggbWnHZM=
-            =SKIv
-            -----END PGP MESSAGE-----
-          fp: A362EA0491E2EEA0
     unencrypted_suffix: _unencrypted
     version: 3.10.2

modules/shared/syscfg/default.nix

@@ -1,15 +1,21 @@
 { inputs, lib, ... }:
 let
+  systemsDir = ../../../systems;
+  systemNames = lib.attrNames (lib.filterAttrs 
+    (name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix")) 
+    (builtins.readDir systemsDir));
+
   userOpt = with lib; {
     username = mkOption { type = types.str; };
+    pubssh = mkOption { type = types.str; default=""; };
     wm = mkOption {
       type = types.enum [ "Wayland" "X11" "-" ];
       default = "-";
     };
     git = {
-      username = mkOption { type = types.str; };
+      username = mkOption { type = types.str; default = "Anonymous";};
-      email = mkOption { type = types.str; };
+      email = mkOption { type = types.str; default = "anonymous@domain"; };
-      key = mkOption { type = types.str; };
+      key = mkOption { type = types.nullOr types.str; default=null; };
     };
   };
   netOpt = with lib; {
@@ -42,6 +48,10 @@ let
         type = types.str;
         default = "";
       };
+      pubkey = mkOption {
+        type = types.str;
+        default = "";
+      };
     };
   };
   makeOpt = with lib; {
@@ -55,7 +65,7 @@ let
     };
     virt = mkOption {
       type = types.bool;
-      default = true;
+      default = false;
     };
     power = mkOption {
       type = types.bool;
@@ -84,7 +94,6 @@ let
       type = types.str;
       default = "3306";
     };
-
     configPath = mkOption {
       type = types.str;
       default = "/media/config";
@@ -93,6 +102,59 @@ let
       type = types.str;
       default = "/media/data";
     };
+    containers  = mkOption {
+      type = types.attrsOf (types.submodule {
+        options = {
+          enable = mkOption { type = types.bool;default = false; };
+          db = mkOption { type = types.bool;default = false; };
+          ip = mkOption { type = types.str; };
+          port = mkOption { type = types.port; };
+          extraParam = mkOption { type = types.str; default = ""; };
+        };
+      });
+      default = {};
+    };
+    sops = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    openssh = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    wireguard = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    web = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    nftables = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      ifs = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+      };
+      ports = mkOption {
+        type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
+        default = [];
+        description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
+        example = [
+          [ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
+          [ "ens3" "10.10.1.2" "IPV6" 80 80 ]
+          [ "ens3" "10.10.1.2" "IPV6" 443 443 ]
+        ];
+      };
+    };
+
+    db = mkOption {
+      type = types.listOf (types.str);
+      default = [ ];
+    };
 
   };
 in with lib; {
@@ -114,12 +176,15 @@ in with lib; {
       type = types.listOf (types.submodule { options = userOpt; });
       default = [ ];
     };
+    peers = mkOption {
+      default = map (name: import (systemsDir + "/${name}/cfg.nix")) systemNames;
+    };
     server = mkOption {
       type = types.oneOf [
-        (types.attrs)
+        types.bool
         (types.submodule { options = serverOpt; })
       ];
-      default = { };
+      default = false;
     };
   };
 }

systems/asguard/cfg.nix

@@ -1,6 +1,6 @@
 {
   syscfg = {
-    hostname = "asguard";
+    hostname = "asgard";
     defaultUser = "sora";
     type = "macos";
     system = "x86_64-darwin";

systems/avalon/cfg.nix

@@ -23,21 +23,16 @@
       }
     ];
     make = {
-      gui = false;
       cli = true;
       virt = true;
-      power = false;
-      game = false;
-      develop = false;
     };
-    wlp = {
+    net = {
-      enable = false;
+      wg = {
-      nif = "";
+        enable = true;
-    };
+        ip4 = "10.10.1.2/32";
-    wg = {
+        ip6 = "fd10:10:10::2/128";
-      enable = true;
+        pubkey = "QlvpTiK6s/lIha9vKmo+teSy2Nw52qWLYatYjxVan3U=";
-      ip4 = "10.10.1.2/32";
+      };
-      ip6 = "fd10:10:10::2/128";
     };
   };
 }

systems/avalon/server/docker/secrets.txt

@@ -0,0 +1,14 @@
+
+
+AUTHENTIK_DB_PASSWORD=NTQRO0rhPCd4L3HLNK4AT09Npz+ks1jyRC6AOyo5u+k=
+AUTHENTIK_SECRET_KEY=9Zw8Sy8257iJmRdBhUKGiq3d7uYAkhC9smuDUClE8aR1iPdpHHds+K2D1Zy3lwj2Hjnasu5jnopkhwnABWDu8A==
+
+
+AUTHENTIK_EMAIL_PASSWORD=w+g:cPU+e.<q,f<mj3DFPxXxo4h2SVS9.;,T<!Sra>y!mNcAsiAp4jPCLTmjte2d
+
+
+ETHERPAD_DB_PASSWORD=d43352c3906516bf4c34d63316509cb4b1621167af84c81b60689779a62b2348
+ETHERPAD_ADMIN_PASSWORD=Hackme55#
+
+COLLABORA_USER=...
+COLLABORA_PASSWORD=...

systems/ci/cfg.nix

@@ -21,16 +21,5 @@
       game = true;
       develop = true;
     };
-    net = {
-      wlp = {
-        enable = false;
-        nif = "NA";
-      };
-      wg = {
-        enable = false;
-        ip4 = "";
-        ip6 = "";
-      };
-    };
   };
 }

systems/gateway/cfg.nix

@@ -0,0 +1,44 @@
+{
+  syscfg = {
+    hostname = "gateway";
+    type = "nixos";
+    system = "x86_64-linux";
+    defaultUser = "sora";
+    users = [{
+      username = "sora";
+      pubssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrrUB0KBjeAKPVG2Bdcm4mI9AMab7y97SOCdEHGogYv sora@gateway";
+      wm = "-";
+      git = {
+        email = "soraefir+git@helcel";
+        username = "soraefir";
+        key = "4E241635F8EDD2919D2FB44CA362EA0491E2EEA0";
+      };
+    }];
+    make = {
+      cli = true;
+    };
+    net = {
+      wg = {
+        enable = true;
+        ip4 = "10.10.1.1/32";
+        ip6 = "fd10:10:10::1/128";
+        pubkey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
+      };
+    };
+    server = {
+      openssh = true;
+      wireguard = true;
+      web = true;
+      nftables = {
+        enable = true;
+        ifs = ["ens3" "wg0" ];
+        ports = [
+                [ "ens3" "10.10.1.2" "fd10:10:10::2" 22 2222 ]      # SSH/GIT
+                [ "ens3" "10.10.1.2" "fd10:10:10::2" 80 80 ]        # HTTP
+                [ "ens3" "10.10.1.2" "fd10:10:10::2" 443 443 ]      # HTTPS
+                [ "ens3" "10.10.1.2" "fd10:10:10::2" 3979 3979 ]    # OTTD
+        ];
+      };
+    };
+  };
+}

systems/gateway/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, inputs, ... }: {
+  imports = [ ./hardware.nix ../../modules/server ];
+
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+https://git.helcel.net/sora/nixconfig"; 
+    flags = [
+      "--no-write-lock-file"
+    ];
+    dates = "04:00";
+    randomizedDelaySec = "30min";
+    allowReboot = false;
+  };
+
+  networking.extraHosts = ''
+    10.10.1.2     git.helcel.net
+    10.10.1.2     avalon.helcel.net
+  '';
+
+}

systems/gateway/hardware.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix" ) ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    efiSupport = true;
+  };
+
+  boot.initrd.availableKernelModules =
+    [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/25df457a-21d0-41ab-9de5-88ffc00e3469";
+    fsType = "btrfs";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/F24E-74FA";
+    fsType = "vfat";
+    options = [ "defaults" ];
+  };
+}

systems/iriy/cfg.nix

@@ -6,6 +6,7 @@
     defaultUser = "sora";
     users = [{
       username = "sora";
+      pubssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGtotfQkclilrhEOzY3QUpOwYF+eOjHvqN6Of3NVg4x8NQLjx/X/gxC+GAllQxy9Zkz/N5wY0Fa4/6HoGheCRvWaN/nofz95VgtX8a1A/flrT8CGdBfRqXlcd4OEXhpFcbEm9VRXmxSKnsD4zySZr/151S+1PlQr8pJ1yyzxsIQx+RNo9P4gzpoJgkfZ3JIqLWb6B4aXallAg9Ha1WX0lx24voWNgg9AQt6/lccfmeoWAzBGUNq5a/mH59O+UCIM2y19ksEweY6URHpk6Ss597zp+0j2NYg8MS4rToYUb0Y7giNNBdKAzqNd+Wp6gjqBthuDIOfsXM082O5IarPKPJNVbx/Xpf3m1hYtxfL+LhEkdoE94iue601WqTltC0btS63LeZuoAZYji/GG/D8U7V77Lh3MV5/hJm5sK6wM6r7fCoenehgiy49z00NqtgM33rWNrpL9eXNKb//5Lxe7U58jPyteWpsL8+fJFcs/2uh4D5zN3d/I+yLZ1OMgUN6LM= sora@iriy";
       wm = "Wayland";
       git = {
         email = "soraefir+git@helcel";
@@ -17,7 +18,6 @@
       gui = true;
       cli = true;
       virt = true;
-      power = false;
       game = true;
       develop = true;
     };
@@ -31,6 +31,7 @@
         enable = true;
         ip4 = "10.10.1.7/32";
         ip6 = "fd10:10:10::7/128";
+        pubkey = "6d1bINFmH12ACAJLDOwfFIZgmNHV/FGGk0YJyDP50HQ=";
       };
     };
   };

systems/iriy/hardware.nix

@@ -24,7 +24,7 @@
     fsType = "ext4";
   };
 
-  fileSystems."/boot/efi" = {
+  fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/349E-5086";
     fsType = "vfat";
   };

systems/sandbox/cfg.nix

@@ -6,6 +6,7 @@
     defaultUser = "sora";
     users = [{
       username = "sora";
+      pubssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrrUB0KBjeAKPVG2Bdcm4mI9AMab7y97SOCdEHGogYv sora@gateway";
       wm = "-";
       git = {
         email = "soraefir+git@helcel";
@@ -14,27 +15,30 @@
       };
     }];
     make = {
-      gui = false;
       cli = true;
       virt = true;
-      power = false;
-      game = false;
-      develop = false;
-    };
-    net = {
-      wlp = { enable = false; };
-      wg = { enable = false; };
     };
     server = {
+      openssh = true;
+      web = true;
+      sops = true;
+
       hostDomain = "test.helcel.net";
-      mailDomain = "mail.helcel.net";
+      shortName = "testcel";
-      mailServer = "mail.helcel.net";
+      mailDomain = "test@helcel";
+      mailServer = "infomaniak.ch";
 
       dbHost = "localhost";
-      dbPort = "3306";
+      
-
+      containers = {
-      configPath = "/home/media/config";
+        #cloud = {enable = true;};
-      dataPath = "/home/media/data";
+        authentik = {
+          enable = true;
+          db = true;
+          ip = "10.88.0.125";
+          port = 9000 ;
+        };
+      };
     };
   };
 }

systems/sandbox/default.nix

@@ -1,13 +1,4 @@
 { config, inputs, ... }: {
   imports = [ ./hardware.nix ../../modules/server ];
-
-  services.openssh.enable = true;
-  services.openssh.authorizedKeysFiles = [
-    config.sops.secrets."iriy_ssh_pub".path
-    config.sops.secrets."valinor_ssh_pub".path
-  ];
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0GpKd62XMlO410/iYkNG8MHdGGaeMG3Gmsf3Pv3u2BllUzR9Dpym1ZOz2lwo3iK0FimcQpOiJqSIahO59HJl8jQ9BoQrJMXH7l2kuq1T09cMNWGjlzowg0LWKWOzoBzOwcheyW68OJGgkSfvk9BdshkUYTLVBXjiI9jo/8Qkcv1WLJJvJmDBDwnbYDQpODXCEDQ/t3YVubb+ocLmh40sDUffJLWZQXN6OFW9N5XxnvY7K5x9ci9GU4Reei40K8yDw2Hgi0njzijRdzie3MJlKPPawJ2TATu9LsGuxfx8bJXVx+mNxP0lhO8dOOhP7p0ozTxlJJY9ZWaKgOz3SzYNCgJ1gH7NtTBtSruXd6pfmErUmuJEAeMD6+QF3yJ5tnVFNPoSHqjP+oL3CgSRpmuvn7ChSSI3J3UVhLux165VtwIL7UhosO2mCqmn0Yk2mSBkB/L4ZiWFmO3vYdagYNQX7xZHzCJ5my8vomiT+DUGb2h/o1NetKwIZJiFAuHxKt3k= sora@valinor"
-  ];
 }
 

systems/sandbox/hardware.nix

@@ -1,14 +1,27 @@
 { config, lib, pkgs, modulesPath, ... }: {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix" ) ];
+
   boot.kernelPackages = pkgs.linuxPackages_latest;
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  boot.loader.grub.device = "/dev/sda";
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+    #efiSupport = true;
+  };
+
   boot.initrd.availableKernelModules =
     [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
   boot.initrd.kernelModules = [ "nvme" ];
 
   fileSystems."/" = {
-    device = "/dev/sda3";
+    device = "/dev/disk/by-uuid/abc944c6-484a-4abe-a675-906e3781d71f";
-    fsType = "btrfs";
+    fsType = "ext4";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/C555-300B";
+    fsType = "vfat";
+    options = [ "defaults" ];
   };
 }

systems/valinor/cfg.nix

@@ -6,6 +6,7 @@
     defaultUser = "sora";
     users = [{
       username = "sora";
+      pubssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCZibVYTvS4Dd+ZhGCpRpKfxs1fQeepNTzfzYk9I12Hyez25pQCeH+6ArrVhf6yX5Na1ffkvqTrNIDYJ1V2GHhemX0ruYp2B3xt229JszI7DeRC7YeG7v5uvsfTgicADCstGPSNorKXuNnHuBebSHpmWWbuKrYZdmcA/Az7H8uwF5+VQrnyASgZgwGV94MHinFVWsisB7o6iq4qxqpsUdtuZGbU0stDE5f9DLMDYuUxtx+jASRt+X60Bzjv3OFjU/b/YYzojTtuujkYXunNNTceCB4DTue5YMKQOlmd/IezL5nPAK9IsonPqojX9LPk2RvTCr4qalQ6AD92nq+xMW6FY1uJaKT81S8TvZcaqTm4FhEDkChuFq77biSUDhQkpcdNVOjUn5OtKpYl+0VkCaAx/8uyoylBacrn1XXLLg+gjwGCFHa2eeNu/BKIUa+5EK/FRwLpnEoPDkAHQ95JXQewChcUKG8A+Bz29XRKr9J64kbbGmwa+yjlVTPLSE6ZZE= sora@valinor";
       wm = "Wayland";
       git = {
         email = "soraefir+git@helcel";
@@ -31,6 +32,7 @@
         enable = true;
         ip4 = "10.10.1.5/32";
         ip6 = "fd10:10:10::5/128";
+        pubkey = "EUYd/dMdGcbxiWJXHhQhCXV00cr87pxiW1HExwCTGg0=";
       };
     };
   };

systems/valinor/hardware.nix

@@ -17,7 +17,7 @@
     fsType = "ext4";
   };
 
-  fileSystems."/boot/efi" = {
+  fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/F344-72E2";
     fsType = "vfat";
   };